Overview

Most of my time this week was spent optimizing the gossipd-connectd fuzzer and following up on received feedback. In addition, I also explored a few new fuzz target ideas.

Goals accomplished

  • Improved the gossipd-connectd test: As part of my ongoing effort to revisit and improve existing fuzz targets, I chose to start with the gossipd-connectd interface fuzzer, since it’s the first inter-daemon fuzz target I developed. Although it took considerable time to get this target to a meaningful coverage level, I believe the effort has paid off—it has already uncovered a memory leak that appears to be a genuine bug. I plan to report this to Matt early next week.

    That said, the work on this target isn’t fully complete yet. I’m currently unsure about the correct sequence of messages that should be parsed by the receiving peer (in this case, us). I plan to consult Matt on this point and rework the target accordingly. I’m optimistic that this will further increase the coverage and potentially help surface more vulnerabilities.

  • Fixed the codex32 target: I received extensive feedback on the codex32 target that I pushed upstream last week, which led to a significant amount of rework. I had to make several modifications to get the target into a more acceptable state, and the feedback–improvement loop continued right up to the end of the week. I’ve just pushed the latest set of changes upstream, and I believe the target is now nearly finalized.

  • Addressed received feedback: Other than the feedback on the codex32 target, I also received substantial feedback on the tlv_invoice_request target that I pushed upstream last week. This required a number of changes, and I had to ensure that the improvements I made were also reflected in the related target, fuzz-wire-offer-decode, which I modeled after it. I wrapped up the work on both targets and, following Matt’s last feedback, optimized the corpus at the end of the week. With that, I believe the work for this target is now complete.

  • Started working on commit_tx fuzzer: commit_tx() in channeld/commit_tx.{c, h} is responsible for creating (unsigned) commitment transactions that spend the funding transaction output. Since there’s already an existing unit test for this function, I decided it would be worthwhile to convert that test into a fuzz target. I began working on this towards the end of the week, and the target is nearly complete, with only a few remaining bugs to address. I plan to wrap up the work on this target in the upcoming week.

Next week’s goals

Here are some of my immediate goals for the next week:

  • Add a target for channeld-connectd interface: peer_in() in channeld/channeld.c is responsible for handling connectd messages such as UPDATE_ADD_HTLC and REVOKE_AND_ACK. Given its stateful structure, I planned to add a stateful fuzz test simulating this function in this week but couldn’t find the time to do it, so I plan on tackling this in the upcoming week.

  • Address the feedback on the opem_channel fuzzer: I pushed the working version of the open_channel fuzzer upstream last week, and while it did succeed in reproducing the crash I was targeting, Matt’s feedback revealed that the bug was only triggered because developer_options were enabled in the fuzz target. Since the goal of fuzzing is to uncover bugs in production code paths, using developer-only code paths isn’t ideal. I also received some additional feedback toward the end of the week, which I plan to address in the upcoming one.

  • Revisit the initial_channel fuzzer: Since it’s now clear that the assertion failure in this target occurs due to a code path enabled by developer_options, I plan to revisit the target and disable those options to see if that resolves the issue. If the test continues to function correctly with developer_options turned off and no further issues arise, then the target should be in a mergeable state.

  • Make the opem_channel2 fuzzer stateful: had completed the work on this target in one of the previous weeks, but there’s potential to make it stateful, which I believe is worth pursuing. The statefulness arises from its interaction with the peer, and if a vulnerability can be triggered through such interactions, it would directly indicate a critical issue. Given the implications, I think it’s well worth revisiting this target and investing the extra time to rework it into a stateful fuzzer.

  • Revisit the finished targets: The plan to revisit and enhance my newer fuzz targets to improve coverage is well underway, and I intend to continue this effort into the upcoming week. The goal is to ensure each target explores as much of its respective code path as possible, especially for complex or security-critical components.

  • Update Matt on the gossipd-connectd target: Since the gossipd–connectd fuzz target is already substantially developed and has even uncovered a vulnerability, I believe this is a good time to get Matt involved for feedback. His insights could help validate the approach and suggest refinements early on. Given that I plan to follow a similar structure for the upcoming channeld–connectd target, getting his input now would also help avoid repeating any design or implementation missteps in the new target.

Challenges

The gossipd-connectd fuzzer ended up taking significantly more time than I initially anticipated, but in hindsight, the effort was well worth it—it successfully uncovered an actual vulnerability. Beyond the bug discovery, the experience of working through the entire setup and debugging process was extremely valuable. I now have a much clearer understanding of what kind of timeframe to expect when developing similar inter-daemon fuzzers and how to efficiently handle the technical challenges involved.

Week 9 of SoB wraps up with the midterm evaluation results finally coming in—and I’m happy to report that I passed! Along with the results came 40% of the stipend, plus instructions on how to claim the swag and the hardware wallet that’s part of the program.

It felt great to see some tangible rewards for the work I’ve put in over the past few months. But with a bit of introspection, I’ve come to realize that the experience and learning I’m taking away from this project will probably outweigh the value of any stipend or swag. This has genuinely been the most fun and fulfilling internship experience I’ve had so far.

That said, there are still a few more weeks to go, and the work is far from over. I’m as motivated as ever to keep pushing forward and uncover as many vulnerabilities as I can before the project concludes.

Till next time,

Chandra.

<
Previous Post
SoB: Week 8
>
Next Post
SoB: Week 10