Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Improving the state of Cosmos fuzzing

Gustavo Grieco - Trail of Bits, posted 2 years ago
  • The Cosmos SDK is a blockchain development framework written in Golang. The security of this system is crucial, so they have fuzzing integrated into the framework, which the author talks about. The framework has two types of fuzz tests: low level and high level.
  • The low level fuzzing uses a combination of AFL, go-fuzz and native Go fuzzing to test small portions of code. These are awesome since they use code instrumentation to reach higher code coverage. For instance, the author shows a test for the function ParseCoinNormalized, which is part of the Coin implementation. Fuzzers can quickly find issues in stateless code like this, but it becomes harder to find weird issues in the combined, stateful ecosystem.
  • For the high level, the Cosmos SDK has a Blockchain Simulator to test everything else. This tool runs random operation transactions starting from some genesis state, choosing random data to see if crashes or weird states occur.
  • Now, the low level uses smart fuzzing while the high level testing uses dumb fuzzing. So, the author decided to make the high level code also support smart fuzzing! To do this on every module, they had to hijack a lower level call to Rand. They found a few bugs, which is awesome. To me, you always hear "I modified their fuzzer to do XYZ" because different fuzzers find different bugs.
  • Overall, I didn't know about the Cosmos SDK fuzzing framework. I may use this for future Cosmos testing on custom modules. We'll see how effective this fuzzing ends up being. Part of the problem compared with C program fuzzing is that a crash doesn't mean we have a cool bug. Many of the security-focused bugs in the Cosmos SDK would violate invariants that aren't going to be found by this type of fuzzing.
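The Rand hijack idea from the notes above, as an added Go example that is not the article's or the Cosmos SDK's code: a math/rand Source whose "randomness" is fuzzer-supplied bytes, driving a constructed toy simulator whose withdrawal path deliberately lacks a funds check, so an invariant violation becomes something the fuzz engine can steer toward and replay.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/rand"
)

// fuzzSource satisfies math/rand's Source interface but takes its "randomness" from
// fuzzer-supplied bytes, so the fuzz engine, not a seed, decides every simulator step.
type fuzzSource struct {
	data []byte
	pos  int
}

func (s *fuzzSource) Int63() int64 {
	if s.pos+8 > len(s.data) {
		return 0 // input exhausted: stay deterministic (later ops become no-ops)
	}
	v := binary.LittleEndian.Uint64(s.data[s.pos:])
	s.pos += 8
	return int64(v & (1<<63 - 1))
}
func (s *fuzzSource) Seed(int64) {} // the input bytes are the seed

// Constructed toy "module": one balance that must never go negative. The missing
// funds check on withdrawal is the deliberate bug the fuzzer is expected to find.
func simulate(r *rand.Rand, ops int) error {
	balance := int64(100)
	for i := 0; i < ops; i++ {
		amt := r.Int63n(50)
		if r.Intn(2) == 0 {
			balance += amt
		} else {
			balance -= amt
		}
		if balance < 0 {
			return fmt.Errorf("invariant violated at op %d: balance %d", i, balance)
		}
	}
	return nil
}

// RunWithInput is the hijack point: the simulator's rand.Rand is backed by the fuzz input.
func RunWithInput(input []byte) error {
	return simulate(rand.New(&fuzzSource{data: input}), 8)
}
```

To hand this to Go's native fuzzer, wrap RunWithInput in a FuzzXxx(f *testing.F) function in a _test.go file, call t.Fatal on a non-nil error, and run go test -fuzz=FuzzXxx; every crashing input is then a replayable byte string rather than a lost seed.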