People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
The journey begins with a Discord bot posting a Solana rBPF vulnerability. This CVE was particularly interesting to the authors of the post because the target is an eBPF virtual machine and JIT compiler written in Rust, and since they had built some heavy-duty fuzzers for Rust software in the past, they decided to tackle it.
rBPF has both an interpreter and a JIT compiler, and that stood out to them: two independent implementations of the same instruction semantics that should behave identically. Luckily for us, that is a free test oracle. Run the same program through both and compare, and any divergence in observable behaviour is certainly a bug in at least one of the two. The diff alone doesn't tell you which side is wrong, only that they can't both be right.
Initially, they tried a dumb fuzzer that fed the JIT raw random bytes. Code coverage was bad: random bytes rarely form a program that gets as far as a jump or most other instructions, so those paths were almost never exercised and no bugs were found. Let's make it smarter!
Their "smart fuzzer" is grammar-based: generation is constrained to the eBPF instruction set, so every instruction is a well-formed opcode with valid register fields. Importantly, the constraints apply to the shape of the data being provided, not to the values inside it, because we want to explore the space as much as possible. It's a tough line to walk between "valid", "invalid but with potential for bugs" and "invalid, no bugs".
Now that we can generate inputs, each generated program is loaded into both the interpreter and the JIT, executed, and the results compared. Of course, the program first has to pass rBPF's verification, or neither side will run it. After letting this run for a few hours, they had two crashes, which are written up in a separate post.
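To make the pipeline concrete, here is an added example of my own, in Rust since that is what rBPF is written in; it is not code from the post and does not use rBPF's API. It puts the three pieces above together: a grammar-constrained generator that fixes the shape of each eBPF instruction but leaves the immediates random, a stand-in verifier, and the differential oracle that runs each program through two executors and reports the first disagreement. The two executors, the PRNG, the verifier and the initial register values are all toys I constructed, and `run_jit_like` carries one deliberately planted divergence (a 32-bit shift mask applied to 64-bit shifts) so the oracle has something to find; that planted bug is illustrative and is not the rBPF CVE. All names (`Insn`, `Rng`, `gen_program`, `verify`, `run_interp`, `run_jit_like`, `diff_fuzz`) are mine.

```rust
// Added example (not the post's code, not rBPF's API): grammar-constrained eBPF
// generation plus a differential oracle. The PRNG, verifier and both executors are
// toys, and run_jit_like carries one deliberately planted lowering bug.

/// One eBPF instruction, minus the 16-bit offset field the ALU ops here never use.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Insn { pub op: u8, pub dst: u8, pub src: u8, pub imm: i32 }

// Opcode = operation << 4 | source bit (0x08 = register) | class (0x07 = ALU64).
pub const ADD_IMM: u8 = 0x07; pub const ADD_REG: u8 = 0x0f; pub const SUB_IMM: u8 = 0x17;
pub const MUL_IMM: u8 = 0x27; pub const OR_REG: u8 = 0x4f; pub const AND_IMM: u8 = 0x57;
pub const LSH_IMM: u8 = 0x67; pub const LSH_REG: u8 = 0x6f; pub const RSH_IMM: u8 = 0x77;
pub const XOR_IMM: u8 = 0xa7; pub const MOV_IMM: u8 = 0xb7; pub const MOV_REG: u8 = 0xbf;
pub const ARSH_IMM: u8 = 0xc7; pub const EXIT: u8 = 0x95;

/// The grammar's vocabulary: well-formed ALU64 opcodes only (DIV/MOD left out so the
/// toy executors need no divide-by-zero path). The shape is constrained; values are not.
const GRAMMAR: [u8; 13] = [ADD_IMM, ADD_REG, SUB_IMM, MUL_IMM, OR_REG, AND_IMM, LSH_IMM,
    LSH_REG, RSH_IMM, XOR_IMM, MOV_IMM, MOV_REG, ARSH_IMM];

/// xorshift64*: deterministic and std-only, which is all a toy fuzzer needs.
pub struct Rng(u64);
impl Rng {
    pub fn new(seed: u64) -> Rng { Rng(seed | 1) } // state must be nonzero
    pub fn next(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x >> 12; x ^= x << 25; x ^= x >> 27; self.0 = x;
        x.wrapping_mul(0x2545_F491_4F6C_DD1D)
    }
}

/// Grammar-constrained generation: known opcode, dst in r0..r9 (r10 is the read-only
/// frame pointer), trailing EXIT, so every program passes the verifier by
/// construction. Immediates, and therefore shift counts, stay fully random.
pub fn gen_program(rng: &mut Rng, len: usize) -> Vec<Insn> {
    let mut prog: Vec<Insn> = (0..len).map(|_| Insn {
        op: GRAMMAR[(rng.next() % GRAMMAR.len() as u64) as usize],
        dst: (rng.next() % 10) as u8, src: (rng.next() % 11) as u8, imm: rng.next() as i32,
    }).collect();
    prog.push(Insn { op: EXIT, dst: 0, src: 0, imm: 0 });
    prog
}

/// Stand-in for the verifier both sides require before executing anything.
pub fn verify(prog: &[Insn]) -> Result<(), String> {
    if prog.last().map(|i| i.op) != Some(EXIT) { return Err("must end with EXIT".into()); }
    for (pc, i) in prog.iter().enumerate().filter(|(_, i)| i.op != EXIT) {
        if !GRAMMAR.contains(&i.op) { return Err(format!("pc {}: bad opcode", pc)); }
        if i.dst > 9 || i.src > 10 { return Err(format!("pc {}: bad register", pc)); }
    }
    Ok(())
}

/// Shared ALU64 core; `shift_count` is the one place the two executors differ.
fn exec(prog: &[Insn], shift_count: fn(u64) -> u32) -> u64 {
    // Constructed register file: distinct nonzero inputs in r1..r9, r10 as frame pointer.
    let mut r = [0u64; 11];
    for i in 1..10 { r[i] = 0x0123_4567_89ab_cdef_u64.rotate_left(i as u32 * 7); }
    r[10] = 0x7fff_0000;
    for i in prog {
        let (d, s, imm) = (i.dst as usize, i.src as usize, i.imm as i64 as u64); // sign-extend
        match i.op {
            ADD_IMM => r[d] = r[d].wrapping_add(imm),
            ADD_REG => r[d] = r[d].wrapping_add(r[s]),
            SUB_IMM => r[d] = r[d].wrapping_sub(imm),
            MUL_IMM => r[d] = r[d].wrapping_mul(imm),
            OR_REG => r[d] |= r[s],
            AND_IMM => r[d] &= imm,
            LSH_IMM => r[d] <<= shift_count(imm),
            LSH_REG => r[d] <<= shift_count(r[s]),
            RSH_IMM => r[d] >>= shift_count(imm),
            XOR_IMM => r[d] ^= imm,
            MOV_IMM => r[d] = imm,
            MOV_REG => r[d] = r[s],
            ARSH_IMM => r[d] = ((r[d] as i64) >> shift_count(imm)) as u64,
            EXIT => return r[0],
            _ => unreachable!("rejected by verify()"),
        }
    }
    r[0]
}
/// Reference semantics: eBPF takes 64-bit shift counts modulo 64.
pub fn run_interp(prog: &[Insn]) -> u64 { exec(prog, |c| (c & 63) as u32) }
/// Planted divergence (constructed, not the real rBPF bug): the 32-bit ALU shift mask
/// reused for 64-bit shifts, the kind of slip a shared lowering path invites.
pub fn run_jit_like(prog: &[Insn]) -> u64 { exec(prog, |c| (c & 31) as u32) }

/// The oracle: a verified program on which the two executors disagree is a bug in at
/// least one of them. Returns the first divergent program with both results.
pub fn diff_fuzz(seed: u64, iters: usize, len: usize) -> Option<(Vec<Insn>, u64, u64)> {
    let mut rng = Rng::new(seed);
    for _ in 0..iters {
        let prog = gen_program(&mut rng, len);
        if verify(&prog).is_err() { continue; } // cannot happen with this grammar
        let (a, b) = (run_interp(&prog), run_jit_like(&prog));
        if a != b { return Some((prog, a, b)); }
    }
    None
}
```

`diff_fuzz(0x5eed, 5000, 8)` returns the first eight-instruction program on which the two sides disagree together with both results, which is exactly the artifact you would want to minimise and debug. In a real harness the two toy executors are where the interpreter and the JIT plug in, and the comparison should cover verifier and runtime errors as well as the returned value, since a program that one side rejects and the other runs is just as much a divergence as two different numbers.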