Fuzzing PHP for Fun and Profit

PHP is probably the single most prevalent server-side scripting language on the web. PHP has been the de facto choice for popular blog platforms like WordPress, Joomla and Drupal, which makes it a very attractive target for a wide range of attackers. It is also a very ideal system for demonstrating the power of American Fuzzy Lop (AFL) to identify memory corruption bugs within mature software.

From the AFL website:

American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary.

In other words, the AFL compiler will add instructions to monitor the binary’s execution flow, and the AFL fuzzer will use this instrumentation to recognize when a test case exercises a new state transition.

To begin, you’ll need to have a Linux server with American Fuzzy Lop (AFL) and typical build tools (e.g. make, autoconf, etc) installed. Some distros offer AFL binary packages, and the latest AFL source package is always available from Michal Zalewski’s web site: http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz. When building from source, be sure to build LLVM mode support to get the afl-clang-fast(++) compilers.

At a high-level, the steps for using AFL to fuzz a PHP function are:

1. Obtain PHP source
2. Configure and make PHP with the afl-clang-fast compiler and AddressSanitizer (ASAN)
3. Prepare a short PHP code sample to exercise the targeted function
4. Produce a few starting test cases to seed the fuzz
5. Run afl-fuzz and wait for crashes

Step 1: Obtaining the source

PHP source is available in the php-src GitHub repository, and source archives from each release or release candidate are listed in the releases section: https://github.com/php/php-src/releases

Download and extract the source on your system.

wget https://github.com/php/php-src/archive/php-7. (Read more...)