Radamsa: A general-purpose fuzzer
Radamsa is a general-purpose, black-box oriented mutating fuzzer. It is
written in Scheme and is available on its GitHub
page under the MIT license. While the project
is not entirely abandoned (there are occasional commits on
but the last commit on the
master branch is a PR merge six months ago), there
does not seem much development to happen anymore. The project is a side result
of the research done by Oulu University Secure Programming
Group. The project has simple but
straightforward and information documentation in the repository README file.
Its documentation describes Radamsa as an “extremely black-box fuzzer”: it does not need any information about neither the input format nor the internals of the fuzzed program. The tool starts with a given sample input for an application, on which it applies a mutation while trying to keep the general format valid(-ish). The root of Radamsa was a research on the automatic analysis of communication protocols.
Radamsa claims to be applicable, without any configuration, on programs processing any format of input - binary or text. Quick experiments (see below) show that Radamsa is quite successful. Although Radamsa’s output cannot probably compare with format-specialized fuzzers (such as CSmith for C programs), the applied mutations go well beyond random garbage injection, leading to valuable testing inputs for a program.
Intuitively, I would not expect many successful bug discoveries in proven, battle-tested software, but Radamsa README file contains an impressive list of discovered CVEs, including curl, libxslt or bzip2.
Installation and usage
The instructions say building Radamsa is a simple clone-and-run-make process and I was able to build a single, dependency-free binary without any problem. Mimicking few examples from the documentation worked as expected: feeding my name to Radamsa’s standard input yielded multiple mangled variants which I imagine can cause havoc to naive string processing routines.
The next experiment I tried was running Radamsa with a simple Python program as
an input. Again, the results were interesting, the applied modifications
varied a lot but kept a general structure of Python code. I saw lines removed
or duplicated and tokens changed (for example, integer literals changed to a
different value). I also encountered quite interesting, non-trivial mutations
like replacing the whole expression in a parentheses with a recursive-ish
expression (think something like
a(a(a(a(a(b)))))). Again, several tries made
me convinced these inputs would be valuable when trying to fuzz something that
processes Python grammar.
As a last experiment, I tried an XML file. Specifically, xUnit result XML file. Again, Radamsa changed the file mostly in a way that kept the overall format, but the scale of applied mutations was similar to the Python input.
When would I use it?
Radamsa is extremely simple to start with - you only need the target system, few sample inputs and you are good to go. Set up Radamsa in a loop, feed its output to the system under test and detect bugs. Of course, the black box approach limits the rate with which Radamsa can penetrate deep into the tested system, especially compared to smart fuzzers guided by the instrumented target system, such as American Fuzzy Lop. You also need to have a reasonable way how to detect error condition in the tested system, given an unknown input (but this holds for most fuzzers). Of course, you can usually start with some simple criteria like “the target should terminate and not crash”.
I will certainly include Radamsa in my toolbelt. The fact that I can immediately, without any setup, run it for few hours against pretty much anything makes it useful in different situations, especially when instrumentation or specialized format fuzzers are not available or worth the effort to set up.