Monero Node RPC Codebase Gets Improved Fuzzing Coverage
The Monero node codebase now has greatly improved fuzzing coverage of its most exposed component, its RPC server, including 100% coverage of the RPC endpoint functions and 84% coverage of the core RPC server. This improvement is thanks to work by ADA Logics, which was funded and contracted through MAGIC Grants' Monero Fund.
"Fuzzing" is an automated testing technique in which a program is fed random or malformed data as input while it is monitored for crashes, memory-safety errors (typically via sanitizers such as AddressSanitizer), hangs, or other anomalies. A good fuzzer generates inputs that pass a program's initial validation yet still reach corner cases the code does not handle correctly, which is where most memory-corruption bugs live.
This technique is used extensively by organizations developing security-critical software. By 2019, Google's ClusterFuzz infrastructure had found more than 20,000 bugs across Chromium and the open-source projects integrated with OSS-Fuzz, many of them memory-safety vulnerabilities. Fuzzing is useful because every finding comes with a concrete input that reproduces it, so there are no false positives, and a sanitizer stack trace points developers directly at the faulting code. It is also fully automated: given enough compute, developers can run it continuously without intervention. The caveat is that fuzzing can only show the presence of bugs, never their absence; it finds the cases its generated inputs happen to reach, which is why coverage figures like the ones above matter.
The RPC (remote procedure call) server is the part of the program that interacts with other software. For example, a Monero wallet connects to a Monero daemon over RPC in order to access the blockchain. Some Monero nodes also expose public RPC endpoints to the internet for anyone to use, which means the server must parse requests from unauthenticated, potentially hostile clients. That makes the RPC server both a valuable target for attackers and the component most likely to receive untrusted external data.
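To make the fuzzing and RPC paragraphs above concrete, here is an added example that is not Monero's code, nor ADA Logics' harness: a miniature mutation fuzzer driving a toy length-prefixed request parser, with the vulnerable parser and its hardened form side by side. The wire format, the seed requests, and all function names are constructed for this illustration; the `LLVMFuzzerTestOneInput` entry point is the real libFuzzer/OSS-Fuzz harness signature, but everything else (the mutator, the campaign loop, the greedy minimiser) is a stand-in for what libFuzzer and AddressSanitizer would do in a real build.

```cpp
// Added example, not code from the Monero project or ADA Logics.
// A toy RPC request parser, vulnerable and fixed, plus a tiny mutation fuzzer
// that finds the bug and minimises the crashing input.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <random>
#include <string>
#include <vector>

enum class Result { Ok, Rejected, OutOfBounds };

// Guarded view of the input: an index past the end is *recorded* instead of
// dereferenced. This stands in for what AddressSanitizer would abort on.
struct Input {
    const std::vector<uint8_t>& buf;
    bool oob = false;
    uint8_t at(size_t i) { if (i >= buf.size()) { oob = true; return 0; } return buf[i]; }
};

// Constructed wire format (not Monero's epee format):
//   [method_len][method bytes ...][param_count][param bytes ...]
// Vulnerable: trusts method_len and param_count without checking them against the size.
Result parse_request_vuln(const std::vector<uint8_t>& raw) {
    if (raw.empty()) return Result::Rejected;
    Input in{raw};
    size_t pos = 0;
    uint8_t mlen = in.at(pos++);
    std::string method;
    for (uint8_t i = 0; i < mlen; ++i) method.push_back(static_cast<char>(in.at(pos++)));
    uint8_t nparams = in.at(pos++);
    for (uint8_t i = 0; i < nparams; ++i) (void)in.at(pos++);
    return in.oob ? Result::OutOfBounds : Result::Ok;
}

// Fixed: every length read from untrusted input is checked before it is consumed.
Result parse_request_fixed(const std::vector<uint8_t>& raw) {
    if (raw.empty()) return Result::Rejected;
    Input in{raw};
    size_t pos = 0;
    uint8_t mlen = in.at(pos++);
    if (pos + mlen + 1 > raw.size()) return Result::Rejected;  // method + param_count must fit
    pos += mlen;
    uint8_t nparams = in.at(pos++);
    if (pos + nparams > raw.size()) return Result::Rejected;   // params must fit
    return in.oob ? Result::OutOfBounds : Result::Ok;
}

// libFuzzer / OSS-Fuzz entry point. In a real build (-fsanitize=fuzzer,address)
// the OOB read inside the vulnerable parser would abort here with a stack trace.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    std::vector<uint8_t> v(data, data + size);
    (void)parse_request_vuln(v);
    return 0;
}

using Target = Result (*)(const std::vector<uint8_t>&);

// Constructed seed corpus: two well-formed requests.
const std::vector<std::vector<uint8_t>> kSeeds = {
    {8, 'g', 'e', 't', '_', 'i', 'n', 'f', 'o', 0},
    {3, 'a', 'b', 'c', 2, 0x01, 0x02},
};

// One random mutation: bit flip, byte overwrite, byte insert or byte delete.
std::vector<uint8_t> mutate(std::vector<uint8_t> v, std::mt19937& rng) {
    std::uniform_int_distribution<int> op(0, 3);
    auto idx = [&](size_t n) { return static_cast<std::ptrdiff_t>(rng() % n); };
    switch (op(rng)) {
        case 0: if (!v.empty()) v[idx(v.size())] ^= static_cast<uint8_t>(1u << (rng() % 8)); break;
        case 1: if (!v.empty()) v[idx(v.size())] = static_cast<uint8_t>(rng() % 256); break;
        case 2: v.insert(v.begin() + idx(v.size() + 1), static_cast<uint8_t>(rng() % 256)); break;
        case 3: if (!v.empty()) v.erase(v.begin() + idx(v.size())); break;
    }
    return v;
}

// Campaign loop: pick a seed, mutate it a few times, run the target, and return
// the first input that triggers an out-of-bounds access (empty if none found).
std::vector<uint8_t> fuzz(Target target, const std::vector<std::vector<uint8_t>>& seeds,
                          unsigned iterations, uint32_t rng_seed) {
    std::mt19937 rng(rng_seed);
    for (unsigned i = 0; i < iterations; ++i) {
        std::vector<uint8_t> input = seeds[rng() % seeds.size()];
        unsigned rounds = 1 + rng() % 4;
        for (unsigned r = 0; r < rounds; ++r) input = mutate(input, rng);
        if (target(input) == Result::OutOfBounds) return input;
    }
    return {};
}

// Greedy crash minimisation: drop any byte whose removal keeps the crash reproducible.
std::vector<uint8_t> minimize(Target target, std::vector<uint8_t> crash) {
    for (size_t i = 0; i < crash.size();) {
        std::vector<uint8_t> c = crash;
        c.erase(c.begin() + static_cast<std::ptrdiff_t>(i));
        if (target(c) == Result::OutOfBounds) crash = c; else ++i;
    }
    return crash;
}

int main() {
    std::vector<uint8_t> crash = fuzz(parse_request_vuln, kSeeds, 10000, 1);
    if (crash.empty()) { std::puts("vulnerable parser: no crash found"); return 0; }
    std::vector<uint8_t> small = minimize(parse_request_vuln, crash);
    std::printf("vulnerable parser: crash found, minimised to %zu byte(s), first byte 0x%02x\n",
                small.size(), small[0]);
    bool fixed_ok = fuzz(parse_request_fixed, kSeeds, 10000, 1).empty();
    std::printf("fixed parser: %s\n", fixed_ok ? "no crash in 10000 runs" : "CRASH");
    return 0;
}
```

Two things worth noticing. First, the bug falls out almost immediately: any mutation that shortens the input or bumps a length byte makes the vulnerable parser walk off the end, which is exactly why length-prefixed fields in a network-facing parser are the first thing a fuzzer finds. Second, the minimiser reduces the crash to a single byte, the kind of reproducer that lets a developer see the root cause at a glance. A real harness would replace the guarded `Input` with plain pointer arithmetic and rely on AddressSanitizer to catch the read; the fixed parser shows the shape of the patch, bounds-checking each untrusted length before it is consumed.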
ADA Logics' deliverable to MAGIC Grants included developing a fuzzing tool that could target the RPC server component of a live monerod instance, upstreaming the support into Monero via a PR, and publishing a report detailing their findings. The central goal was for their tool to cover "over 75% of Monero’s RPC handler entrypoints."
MAGIC Grants' press release on this project noted that during development, ADA Logics discovered three vulnerabilities in Monero, which were responsibly reported via HackerOne: one that triggered a stack-based buffer overflow, one that could crash the Monero daemon when it received a certain request, and one that triggered a soft restart of the daemon. All three have since been fixed.
Monero has had access to free compute resources for fuzzing via Google's OSS-Fuzz project since June 2020, but the suite of tests was limited to only 10% of Monero's codebase, and did not cover Monero's RPC endpoints at all prior to this change. The improvements to the tests developed by ADA Logics increased the total codebase coverage of Monero to 22%, a significant improvement.
In their report, ADA Logics notes that they "consider it likely that further issues [in Monero's codebase] will be reported" once the code is running under OSS-Fuzz, and that they will monitor the fuzzer going forward in case adjustments are required.
ADA Logics has a long history of experience integrating continuous fuzzing into open-source projects: In 2021 they had already integrated OSS-Fuzz support into over 100 projects, resulting in over 1,300 issues being verified and fixed.
In a tweet, MAGIC Grants said that "the MAGIC Monero Fund intends to fundraise in the near future for a second fuzzing project focused on P2P, FCMP++, and other important code." If you want to follow along, they publish announcements like this in their newsletter.
Update: This article was updated to include a paragraph on what the RPC server component of Monero is.