Network namespaces support (aflnet#70)

* Add network namespaces support; a tutorial is included
* This feature is experimental

Author: ol-imorozko

Makefile

@@ -33,7 +33,7 @@ CFLAGS     += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -Wno-unused-result
 	      -DBIN_PATH=\"$(BIN_PATH)\"
 
 ifneq "$(filter Linux GNU%,$(shell uname))" ""
-  LDFLAGS  += -ldl -lgvc -lcgraph -lm
+  LDFLAGS  += -ldl -lgvc -lcgraph -lm -lcap
 endif
 
 ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""

README.md

@@ -69,6 +69,8 @@ AFLNet adds the following options to AFL. Run ```afl-fuzz --help``` to see all o
 
 - ***-D usec***: (optional) waiting time (in microseconds) for the server to complete its initialization 
 
+- ***-e netnsname***: (optional) network namespace name to run the server in
+
 - ***-K*** : (optional) send SIGTERM signal to gracefully terminate the server after consuming all request messages
 
 - ***-E*** : (optional) enable state aware mode

afl-fuzz.c

@@ -66,6 +66,7 @@
 #include <sys/mman.h>
 #include <sys/ioctl.h>
 #include <sys/file.h>
+#include <sys/capability.h>
 
 #include "aflnet.h"
 #include <graphviz/gvc.h>
@@ -372,6 +373,7 @@ u32 state_cycles = 0;
 u32 messages_sent = 0;
 EXP_ST u8 session_virgin_bits[MAP_SIZE];     /* Regions yet untouched while the SUT is still running */
 EXP_ST u8 *cleanup_script; /* script to clean up the environment of the SUT -- make fuzzing more deterministic */
+EXP_ST u8 *netns_name; /* network namespace name to run server in */
 char **was_fuzzed_map = NULL; /* A 2D array keeping state-specific was_fuzzed information */
 u32 fuzzed_map_states = 0;
 u32 fuzzed_map_qentries = 0;
@@ -2827,6 +2829,25 @@ static void destroy_extras(void) {
 
 }
 
+/* Move process to the network namespace "netns_name" */
+
+static void move_process_to_netns() {
+  const char *netns_path_fmt = "/var/run/netns/%s";
+  char netns_path[272]; /* 15 for "/var/.." + 256 for netns name + 1 '\0' */
+  int netns_fd;
+
+  if (strlen(netns_name) > 256)
+    FATAL("Network namespace name \"%s\" is too long", netns_name);
+
+  sprintf(netns_path, netns_path_fmt, netns_name);
+
+  netns_fd = open(netns_path, O_RDONLY);
+  if (netns_fd == -1)
+    PFATAL("Unable to open %s", netns_path);
+
+  if (setns(netns_fd, CLONE_NEWNET) == -1)
+    PFATAL("setns failed");
+}
 
 /* Spin up fork server (instrumented mode only). The idea is explained here:
 
@@ -2893,6 +2914,11 @@ EXP_ST void init_forkserver(char** argv) {
 
     setrlimit(RLIMIT_CORE, &r); /* Ignore errors */
 
+    /* Move the process to the different namespace. */
+
+    if (netns_name)
+      move_process_to_netns();
+
     /* Isolate the process and configure standard descriptors. If out_file is
        specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */
 
@@ -3174,6 +3200,11 @@ static u8 run_target(char** argv, u32 timeout) {
 
       setrlimit(RLIMIT_CORE, &r); /* Ignore errors */
 
+      /* Move the process to the different namespace. */
+
+      if (netns_name)
+        move_process_to_netns();
+
       /* Isolate the process and configure standard descriptors. If out_file is
          specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */
 
@@ -8069,6 +8100,7 @@ static void usage(u8* argv0) {
        "  -D usec       - waiting time (in micro seconds) for the server to initialize\n"
        "  -W msec       - waiting time (in miliseconds) for receiving the first response to each input sent\n"
        "  -w usec       - waiting time (in micro seconds) for receiving follow-up responses\n"
+       "  -e netnsname  - run server in a different network namespace\n"
        "  -K            - send SIGTERM to gracefully terminate the server (see README.md)\n"
        "  -E            - enable state aware mode (see README.md)\n"
        "  -R            - enable region-level mutation operators (see README.md)\n"
@@ -8731,6 +8763,50 @@ static void save_cmdline(u32 argc, char** argv) {
 
 }
 
+/* Check that afl-fuzz (file/process) has some effective and permitted capability */
+
+static int check_ep_capability(cap_value_t cap, const char *filename) {
+  cap_t file_cap, proc_cap;
+  cap_flag_value_t cap_flag_value;
+  int no_capability = 1;
+  int pid = getpid();
+
+  file_cap = cap_get_file(filename);
+  proc_cap = cap_get_proc();
+
+  if (!file_cap && !proc_cap)
+    return no_capability;
+
+  if (file_cap) {
+    if (cap_get_flag(file_cap, cap, CAP_EFFECTIVE, &cap_flag_value))
+      PFATAL("Could not get CAP_EFFECTIVE flag value from file \"%s\"", filename);
+
+    if (cap_flag_value != CAP_SET)
+      return no_capability;
+
+    if (cap_get_flag(file_cap, cap, CAP_PERMITTED, &cap_flag_value))
+      PFATAL("Could not get CAP_PERMITTED flag value from file \"%s\"", filename);
+
+    if (cap_flag_value != CAP_SET)
+      return no_capability;
+  }
+
+  if (proc_cap) {
+    if (cap_get_flag(proc_cap, cap, CAP_EFFECTIVE, &cap_flag_value))
+      PFATAL("Could not get CAP_EFFECTIVE flag value from process id %d", pid);
+
+    if (cap_flag_value != CAP_SET)
+      return no_capability;
+
+    if (cap_get_flag(proc_cap, cap, CAP_PERMITTED, &cap_flag_value))
+      PFATAL("Could not get CAP_PERMITTED flag value from process id %d", pid);
+
+    if (cap_flag_value != CAP_SET)
+      return no_capability;
+  }
+
+  return 0;
+}
 
 #ifndef AFL_LIB
 
@@ -8756,7 +8832,7 @@ int main(int argc, char** argv) {
   gettimeofday(&tv, &tz);
   srandom(tv.tv_sec ^ tv.tv_usec ^ getpid());
 
-  while ((opt = getopt(argc, argv, "+i:o:f:m:t:T:dnCB:S:M:x:QN:D:W:w:P:KEq:s:RFc:l:")) > 0)
+  while ((opt = getopt(argc, argv, "+i:o:f:m:t:T:dnCB:S:M:x:QN:D:W:w:e:P:KEq:s:RFc:l:")) > 0)
 
     switch (opt) {
 
@@ -8952,6 +9028,12 @@ int main(int argc, char** argv) {
         socket_timeout = 1;
         break;
 
+      case 'e': /* network namespace name */
+        if (netns_name) FATAL("Multiple -e options not supported");
+
+        netns_name = optarg;
+        break;
+
       case 'P': /* protocol to be tested */
         if (protocol_selected) FATAL("Multiple -P options not supported");
 
@@ -9052,6 +9134,13 @@ int main(int argc, char** argv) {
 
   if (!protocol_selected) FATAL("Please specify the protocol to be tested using the -P option");
 
+  if (netns_name) {
+    if (check_ep_capability(CAP_SYS_ADMIN, argv[0]) != 0)
+      FATAL("Could not run the server under test in a \"%s\" network namespace "
+            "without CAP_SYS_ADMIN capability.\n You can set it by invoking "
+            "afl-fuzz with sudo or by \"$ setcap cap_sys_admin+ep /path/to/afl-fuzz\".", netns_name);
+  }
+
   setup_signal_handlers();
   check_asan_opts();
 

tutorials/network-namespace/README.md

@@ -0,0 +1,57 @@
+# Tutorial - Using network namespaces
+
+A network namespace is a logical copy of the network stack from the host system. Each namespace has its own IP addresses, network interfaces, routing tables, and so forth.
+You can ask AFLNet to run your target server inside a such namespace to isolate it from the rest of the system and operate completly independently.
+
+
+## Step-0. Network namespace setup
+
+There is a good [article](ifeanyi.co/posts/linux-namespaces-part-4/) by [Ifeanyi Ubah](https://github.com/iffyio) explaining how to work with linux namespaces.
+Here's the short version:
+
+```
+┌────────────────────────────────────────────┐
+│                                            │
+│ ┌──────────────────────┐                   │
+│ │                      │                   │
+│ │                ┌─────┤             ┌─────┤
+│ │                │     │             │     │
+│ │                │veth1│◄───────────►│veth0│
+│ │                │     │             │     │
+│ │                └─────┤             └─────┤
+│ │              nspce   │                   │
+│ └──────────────────────┘                   │
+│                                            │
+│                              Host namespace│
+└────────────────────────────────────────────┘
+```
+
+```bash
+# create network namespace
+sudo ip netns add nspce
+# Create a veth pair
+sudo ip link add veth0 type veth peer name veth1
+# Move veth1 to the new namespace
+sudo ip link set veth1 netns nspce
+# Bring loopback interface up
+sudo ip netns exec nscpe ip link set dev lo up
+# Assign ip to interface in the new namespace
+sudo ip netns exec nscpe ip addr add 10.0.0.2/24 dev veth1
+sudo ip netns exec nscpe ip link set dev veth1 up
+# Assign ip to interface in the host namespace
+sudo ip addr add 10.0.0.1/24 dev veth0
+sudo ip link set dev veth0 up
+```
+Now we should be able to do an inter-namespace communication between two processes running in both namespaces.
+
+## Step-1. Fuzzing
+
+That's all preparations required. Fuzz servers as usual.
+
+You can use `-e <netns name>` option to specify network namespace to run the server in.
+
+Considering the abovementioned setup:
+
+```bash
+./afl-fuzz -i ~/paht/to/seed -o ~/path/to/fuzzer/findings -N tcp://10.0.0.2/port -P protocol -e nspce ~/path/to/server args
+```