Bitcoin Forum
December 03, 2016, 08:02:23 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Protocol-level transaction fuzzing tool  (Read 2925 times)
Gavin Andresen
Legendary
*
Offline Offline

Activity: 1652


Chief Scientist


View Profile WWW
January 17, 2012, 11:19:14 PM
 #1

I did some work today that should be useful to stress-test transaction handling for alternative bitcoin implementations:
  https://github.com/gavinandresen/bitcoin-git/tree/fuzzer

From its README.md:

Hacked version of Bitcoin that adds a "relayfuzzed" command. Note: this only works on the testnet.

USING THIS CODE

First, create one or more transactions using the send* RPC commands, and remember their transaction IDs. This version of bitcoin is modified so 'original' wallet transactions are not announced to the network.

Then, you can generate as many "fuzzed" variations as you like using the relayfuzzed command, which takes a transaction ID and an integer to seed a random number generator.

Example usage from a bash prompt:

Code:
# Run two bitcoind's that talk to each other:
alias bc1="./bitcoind -datadir=testnet-box/1"
alias bc2="./bitcoind -datadir=testnet-box/2"
bc1 -daemon
bc2 -daemon

# Now fuzz a send-to-self:
TXID=$(bc1 -testnet sendtoaddress $(bc1 getnewaddress) 0.01)
for i in {1..100}; do bc1 relayfuzzed $TXID $i; done
The result should be a long list of fuzzed transaction ids, almost all of which are actually bad, invalid transactions. And a lot of "ConnectInputs failed" in testnet-box/2/testnet/debug.log

THINGS TO BE AWARE OF

You will trigger the denial-of-service-prevention code using this. If you are running a "testnet-in-a-box" setup (see https://sourceforge.net/projects/bitcoin/files/Bitcoin/testnet-in-a-box/) then you don't have to worry, nodes running on localhost don't disconnect each other for bad behavior. Otherwise, you can run bitcoind with -banscore=999999 to avoid being disconnected.

Running the code being tested under Valgrind or Purify or another memory-corruption detection tool is a good idea.

Types of "high-level" fuzzing done:

Insert random opcodes at the front of the transactions's scriptSig(s)

Types of "low-level" fuzzing done:

Change bit in one of the transaction's bytes
Delete one or more bytes
Insert one or more random bytes

TODO:

Generate mostly-random scriptSig/scriptPubkey pairs that validate, and generate pairs/chains of valid transactions that spend them.

How often do you get the chance to work on a potentially world-changing project?
1480795343
Hero Member
*
Offline Offline

Posts: 1480795343

View Profile Personal Message (Offline)

Ignore
1480795343
Reply with quote  #2

1480795343
Report to moderator
1480795343
Hero Member
*
Offline Offline

Posts: 1480795343

View Profile Personal Message (Offline)

Ignore
1480795343
Reply with quote  #2

1480795343
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480795343
Hero Member
*
Offline Offline

Posts: 1480795343

View Profile Personal Message (Offline)

Ignore
1480795343
Reply with quote  #2

1480795343
Report to moderator
1480795343
Hero Member
*
Offline Offline

Posts: 1480795343

View Profile Personal Message (Offline)

Ignore
1480795343
Reply with quote  #2

1480795343
Report to moderator
Red Emerald
Hero Member
*****
Offline Offline

Activity: 742



View Profile WWW
February 02, 2012, 01:54:35 AM
 #2

Have you found any cool vulnerabilities with this?

Gavin Andresen
Legendary
*
Offline Offline

Activity: 1652


Chief Scientist


View Profile WWW
February 02, 2012, 02:17:48 PM
 #3

Have you found any cool vulnerabilities with this?
No, bitcoind is solid as a rock, both with and without the BIP 16 patches applied.


How often do you get the chance to work on a potentially world-changing project?
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!