Posted by Jonathan Knudsen on Wednesday, September 19th, 2018
This is the first of two articles that describe how to use the Defensics SDK to fuzz Bitcoin software. Specifically, you will learn how to model one of the Bitcoin protocol messages and use the Defensics SDK to perform fuzzing on the
This is an advanced technical tutorial, and you will need some background knowledge:
This article shows how to set up a test bed with the
bitcoind binaries and Wireshark. The next article describes how to model Bitcoin protocol messages using the Defensics SDK, and ultimately how to perform fuzzing on
bitcoind using the Defensics SDK.
The Defensics SDK gives you the ability to create your own test suites, which unleashes the full power of Defensics on any protocol or file format you wish. All you need to do is provide a data model. You can then create a full-fledged Defensics test suite and leverage the powerful generational test case engine as well as all the other features provided by the Defensics platform.
Bitcoin is a cryptocurrency, which means it is a currency supported by the mathematics of cryptography. Instead of being centrally managed, as government currencies are, a cryptocurrency is managed by the community, using a peer-to-peer network. Bitcoin and other cryptocurrencies are based on a blockchain, which is a list of all transactions. All peers in the network have a copy of the blockchain, which is cryptographically protected from tampering. The peers in the network use algorithms to agree on adding new transactions to the blockchain, allowing the entire network to come to a consensus about transactions without having to trust each other.
Cryptocurrencies are relatively new. Bitcoin was the first and was introduced in 2007. Despite the relatively experimental nature of these currencies, significant value is invested in them. As of mid-September 2018, the market capitalization of Bitcoin is about $112 billion.
For this article, you don’t need to know too many details about Bitcoin or any other protocol. All you really need to know is that Bitcoin peers run a process called
bitcoind. The peers in the network exchange information using the Bitcoin network protocol.
The first step in fuzzing
bitcoind is to create a test bed, a safe place where you can perform fuzzing without hurting anything. Fuzzing should never be performed on production systems, as it is likely to cause failures or trigger security alarms.
Bitcoin supports the production network (mainnet), a test network (testnet), and a regression test network (regtest). For fuzzing, I used the regtest network, as it allowed me to set up a private, isolated Bitcoin network, perfect for fuzzing.
I began by creating a virtual machine that holds my regtest peers, alice and bob. I used Ubuntu 14.04, but any Linux will do. This step was not strictly necessary—you could just create the Docker instances directly on your host OS—but I wanted the extra layer of isolation.
Through the magic of Docker, ports on the virtual machine are mapped to ports on the alice and bob containers. When it’s all up and running, it’ll look like this:
In the next article, I’ll use the Defensics SDK on a different virtual machine to fuzz one of the
Starting with the newly installed Linux machine, I first installed
jonathan@bitcoinzz:~$ sudo apt-get install -y git docker.io
To get the most up-to-date Bitcoin protocol dissector, I installed Wireshark like this:
jonathan@bitcoinzz:~$ sudo add-apt-repository ppa:wireshark-dev/stable ... jonathan@bitcoinzz:~$ sudo apt-get update ... jonathan@bitcoinzz:~$ sudo apt-get install wireshark ...
Then I followed instructions compiled by Gerald Kaszuba for creating two
bitcoind peers using
As described, you’ll need to clone Gerald’s repository, run
make build to create the container, then run
make alice_shell and
make bob_shell to spin up two container instances. Just follow the instructions in the article. Finally, in the alice and bob shells, run
bitcoind -regtest -daemon to start the
You’ll have two running
bitcoind instances. If you want to prove that they work together, run Wireshark and listen on the
docker0 interface. Then point one of the
bitcoind instances at the other using its IP address.
I found the IP address of alice using
root@alice:~# hostname -I 172.17.0.12
Then I told bob’s
bitcoind about alice like this (
rt is an alias for
root@bob:/# rt addnode 172.17.0.12 onetry
This rewarded me with a flurry of Bitcoin messages exchanged between alice’s and bob’s
Congratulations! You have your own private Bitcoin network!
Come back next time, when we’ll build a model for the Bitcoin network protocol, then use that model in the Defensics SDK to perform fuzzing on
Get the latest AppSec news and trends sent directly to you.