A fuzzer for APDU-based smartcard interfaces
If you want to install pyAPDUFuzzer
, you will need following dependencies:
- GCC
- Python 3
- Python 3 devel
- pip3
- SWIG
- PCSC lite
- PCSC lite devel
- American fuzzy lop
You will also need modified version of python-afl
:
pip3 install git+https://github.com/ph4r05/python-afl
If you are using Fedora
, Ubuntu
or macOS
you can use our script to
install all required dependencies. Just run following line in your terminal:
curl -fsSL https://github.com/petrs/pyAPDUFuzzer/raw/master/install-dependencies.sh | sh
Finally, install latest version of pyAPDUFuzzer
from GitHub:
pip3 install git+https://github.com/petrs/pyAPDUFuzzer
Or use version from PyPI:
pip3 install apdu-fuzzer
For local development, clone this repository to your current working directory:
git clone https://github.com/petrs/pyAPDUFuzzer.git
Then install pyAPDUFuzzer
in editable mode:
cd pyAPDUFuzzer && pip3 install -e . && cd ..
AFL <-> Client <-> Server <-> Card
+----------------------------------+
| AFL |
| | | | +-------------------+
| | | +----------------+ | +------------------+ | |
| | | stdin | | | socket | | | +---+ |
| | +----------| Client |------------ Server -------- |-|-| Card |
| | | | | | | | +---+ |
| | +------+ +--------|-------+ | +------------------+ | |
| +-| SHM |------------+ | +-------------------+
| +------+ |
| |
+----------------------------------+
(ascii by https://textik.com/)
Notes:
-
Server is started first, connects to the card and listens on the socket for raw data to send to the card. Does not process input data in any way.
-
Server stores raw responses from the card to the data files.
-
Server is able to reconnect to the card if something goes wrong.
-
Client is started by AFL. AFL sends input data via STDIN, forking the client with each new fuzz input. PCSC does not like forking with AFL this server/client architecture was required.
-
Client is forked by the AFL after python is initialized. Socket can be opened either before fork or after the fork. After fork is safer as each fuzz input has a new connection but a bit slower. Opening socket before fork also works but special care needs to be done on broken pipe exception - reconnect logic is needed. This is not implemented now.
-
Client post-processes input data generated by the AFL, e.g., generates length fields, can do TLV, etc.
Communication between server/client:
-
Client sends
[0, buffer]
. Buffer is raw data structure to be sent to the card.0
is the type / status -
Server responds with:
status 1B | SW1 1B | SW2 1B | timing 2B | data 0-NB
+----+----+----+--------+------------------------+
| | | | | |
| 0 | SW | SW | timing | response data |
| | 1 | 2 | | |
+----+----+----+--------+------------------------+
Client then takes response from the socket, and uses modified [python-afl-ph4] to add trace to the shared memory segment that is later analyzed by AFL to determine whether this fuzz input lead to different execution trace than the previous one.
Currently the trace bitmap is done in the following way:
afl.trace_offset(hashxx(bytes([sw1, sw2])))
afl.trace_offset(hashxx(timing))
afl.trace_offset(hashxx(bytes(data)))
Fowler-Noll-Vo (FNV) hash function used in afl.trace_buff
is not very good with respect to the zero buffers. The timing
was usually not affecting the bitmap so we switched to very fast hash function hashxx
for the offset computation.
FNV is inappropriate for this use case as it returns the same hash for all buffers of the following format:
p | 0 | x
where p
is a fixed prefix, x
is random suffix.
afl.hash32(bytes([0,1]))
afl.hash32(bytes([0,2]))
afl.hash32(bytes([0,255]))
afl.hash32(bytes([0,255,255,255]))
# 2166136261
Start server sitting on the card:
python main_afl.py --server
Testing if the client works:
echo -n '0000' | ../venv/bin/python main_afl.py --client --output ydat.json --log ylog.txt
cat ylog.txt
AFL with forking & TCP communication with the server:
../venv/bin/py-afl-fuzz -m 500 -t 5000 -o result/ -i inputs/ -- ../venv/bin/python main_afl.py --client --output ydat.json --log ylog.txt
Payload recovery for fixed command. Command header is fixed, payload is produced by AFL. Uses templating
PYTHON_AFL_PERSISTENT=1 ../venv/bin/py-afl-fuzz -m 200 -t 3000 -o result/ -i - -- \
../venv/bin/apdu-afl-fuzz --client --output ydat3.json --log yres3.json \
--mask 00000000 --tpl 0be00100 --payload-len-b $((0x0c)) --payload-len-s $((0x1f))
- Uses fixed APDU prefix
0be00100
as mask is zero on those bytes. - Generates payload of lengths
0x0c - 0x1f
.