Introducing Fuzzing with Alexandre
Welcome to the first of our ‘Meet the CrabNebula Team’ series. Each installment will feature a new member of the talented CrabNebula team and cover both the person as well as the nature of their work at CrabNebula.
We sat down with Alexandre Dang, a Senior Security Engineer at CrabNebula, to find out how he found his way here. While his primary role is in developing and setting up security auditing tools specialized for Tauri, he’s been proactive in familiarizing himself with the security auditing process which plays a crucial role in our Auditing service.
Meet Alexandre
Question: How did you first find out about the position you now hold here at CrabNebula?
Alexandre: In my previous company, I worked a lot with Matthias Kandora and soon after, met Daniel Thompson-Yvetot. The feeling when working with Matthias was really good. I talked with Matthias about my situation and he told me that he had this good project for the future and introduced me to CrabNebula. At that time, CrabNebula wasn’t even a thing yet, it was still in plans. Then I had a talk with Daniel, who I had known for a month at the time, about Tauri. I had been seeing news about Tauri 1.0 on Reddit and I saw it was gaining a lot of traction so I looked into the project. The concept was really nice and after talking to the teams, I joined the company.
Question: When you’re not working at CrabNebula, what’s your favorite thing to do and why?
Alexandre: Actually, I’m a really big fan of a sport called padel. It’s a racquet sport and you play it as doubles. It’s a small tennis court with glass walls around so you can have the ball bounce on it. So it’s really fun and if you have the occasion to try it out, I definitely recommend because it’s easy to get the hang of it.
Question: You said it’s sort of like tennis, but you are allowed to bounce on the walls or not?
Alexandre: Yeah, that’s what’s really different: the point is never over because even if you let the ball pass by and it still bounces, you can still save it.
Question: When you were doing the research into Tauri 1.0 what was it specifically really attracted you about the project that made you want to be a part of it?
Alexandre: I was fed up with the current standard for apps, in terms of them being super heavy and bloated. So many applications use that standard so it uses a lot of space in your computer. I’m also biased because I’m super into Rust, especially at that time. I was still learning about it so the fact that this project could really be useful to me, and also integrate Rust, was important. You have a lot of projects that just use it because it’s Rust and it’s super-hyped, but now that was a really good use case for it and I really liked the idea.
Question: How did you first get involved in software development?
Alexandre: I think I went the classical path. It’s not like the coding geniuses you often hear about. I was studying and did engineering school because I was good at science and then that’s where there were some programming classes. I got the knack of it and really liked it and what’s really nice in engineering school is you have clubs and stuff. I met people that were passionate about it and they conveyed their passion to me. Bit by bit, I got more into it and the most important thing about your passion is who you meet, I guess.
Role at CrabNebula
Question: What have you been working on since you’ve started at CrabNebula?
Alexandre: So my background is academic-focused and the security team was being created when I joined, and we had the idea to provide security audits. We are lucky to have very good, experienced security engineers. We had trial audits to develop the current process. I learned how to do a security audit and how to do it the CrabNebula way: the whole process like first meeting customers, really defining the scope of the project, how much of working hours they want to pay for, the objectives to be fulfilled. Because we are focusing on Tauri applications and it can get really complex we can focus just on the Tauri side, but we can also dive into the Rust code or the web code. The web code has so many typical potential vulnerabilities that we can spend a lot of time on and the Rust code challenges us with logical flaws. You have to be really precise about what the customer wants.
Question: Besides participating in that audit process, what else are you doing at CrabNebula?
Alexandre: I’m really focusing on research and development of security tools. We want to develop tools that can help people at CrabNebula to detect vulnerabilities. While I said CrabNebula, I think some tools also may be shared back to the whole Tauri community, to give back to the community. But right now, during most of my research I’ve been focused on fuzzing.
Fuzzing: What and Why?
Question: What is fuzzing and what function does it serve that it’s worth looking into?
Alexandre: The goal of fuzzing is to feed pseudo-random inputs to a system and try to find out what are the behaviors of your systems. It’s like testing, but brute forcing with tons of inputs. The idea with the fuzzing at CrabNebula and in Tauri applications is to have a framework so people can just take our template of it and build a fuzzer which is specialized for their application, and then to have seamless integrations of the tool.
Question: You said fuzzing creates a bunch of pseudo-random data, what sort of specifics would you use it for in testing for vulnerabilities?
Alexandre: A kind of vulnerability you can have in applications is you can do code injection. For example, if you have forms on your web application you may have issues with certain types of scripts put into the forms. Then, in a malicious way, you can exploit this and in the worst case make the server execute your script. Fuzzing can be really useful for these kind of vulnerabilities. It’s because you feed so much data into the web application and cause unexpected behavior, for example crash the server. And the fuzzer, it detects that: Okay on this input the server has crashed, which is really weird. So we save this test case for analysis in the future. And then, me as a developer, I just let the fuzzer run for, let’s say for 2 weeks, and then I just see all the different web behaviors it has detected and then I can investigate the interesting cases.
Question: Is fuzzing more common practice now across the programming and software engineering industry or is this sort of a newer tool that’s kind of just coming into fashion?
Alexandre: Fuzzing has been existing a long time now but I think also, with the fact that we have really strong computers and strong processors, it has been used extensively. If you go to security conferences or if you read blog posts about big tech companies, they really use fuzzing a lot. The only downside of fuzzing is it costs processing power and time. But for critical software, for example, browsers like Microsoft Edge, Google Chrome, Firefox, they use a lot of fuzzing to test all the potential behaviors and to try track down any vulnerabilities there could be. I know also Google has a really nice initiative, it’s called Oss-Fuzz. It’s a platform where open source projects can be fuzzed. They also have a reward program to encourage open-source projects to be fuzzed on their platform.
Question: Because fuzzing is common practice is that one of the reasons you’re developing this for the Tauri-specific software at CrabNebula?
Alexandre: Yeah, it’s a classic in security and I felt that Tauri applications have a certain structure so it could be really nice to have a framework that reads that and leverages it to build dedicated fuzzers. One of the really good points is that fuzzing is an automatic tool so, as a developer, you just have to integrate it into your workflow and then it works for you. The goal is just to make the integration process as painless as possible.
Fuzzing: From Inception to Execution, Automation, and Use Cases
Question: Would you mind walking through what’s your process of building a fuzzer?
Alexandre: Okay, when you’re writing a fuzzer the idea is to create a fuzzing component which will be giving a lot of inputs to the program to be fuzzed. You want your fuzzer to be built to call the entry points of the program. Let’s assume several things: say we have a Tauri app where I source code access, then I can check it. Additionally, in this particular case, we imagine that the attacker has control of the webview because usually in the webview it’s the frontend which is more vulnerable and easier to take control of it. But in Tauri apps, as I said, it’s more the backend side which has the critical stuff. So we operate under the assumption that we have control of the webview and we want the fuzzer to call every entry point of the backend side of the Tauri application.
For starters I will look at the Tauri project and figure out what kind of Tauri commands the webview can call, or what kind of event the webview can trigger in the backend. Then I detect all these entry points and I want my fuzzer to go: “okay, you can call all these functions and try to brute force it, feed it max inputs”. As a security researcher, one thing I want to detect is crashing but that is only one part. There are also several types of security vulnerabilities you want to look out for. For example, you want to make sure that some critical function has constant time execution. You make sure that whatever input you give to a function, they return in a certain amount of time and the time of execution doesn’t depend on the input you have fed into it. So you need to observe other metrics than just crashes.
The next step is also part of recon. Make sure what the fuzzer can call and then you tell the fuzzer “you can call all these functions and try to detect odd behaviors”. Providing just random inputs is not really useful because usually the space of potential inputs is too big. The step afterwards is to refine your fuzzing. The idea is that your initial fuzzing comes from random data, it then gets improved into pseudo-random data. For example, you want to give inputs that reach deeper into the code to be sure to go through all the different branches of the code. Maybe you have some function that only accepts a certain kind of input (for example: only accepts emails). You have to feed it inputs that are formatted emails or it won’t make any sense to fuzz it, as it will never process the data aside from structure checks. You refine the process so the fuzzing is more precise for what you want to find.
Then, in general you have a step of triaging the feedback given by the fuzzer. After the fuzzing, you have tons of interesting behaviors that the fuzzing has reported to you. Then you can check manually, but usually it’s a huge task so you also have programs to filter which kind of inputs are similar. If you just analyze one of a type then it’s usually enough and you don’t need to look into the rest. So you have a triage of results given from the fuzzer and then afterwards, manually checking what kind of odd behavior was triggered and asking: is it like a real vulnerability, just bugs, or a wrong specification of the application?
Question: I see, and so for the triaging and the reporting, is that something you would build into the whole fuzzer project, or a separate project that gets added on as an addition?
Alexandre: For triaging, I think it might sound like an option but it’s kind of a must have because if you have too many false alarms, then the developers won’t want to use it because it’s too painful to read. So the goal is to have it the most convenient as possible so it will be an option which is almost built in in the fuzzer.
Question: Now that you’ve built a fuzzer, do you need to tailor it for specific use cases? How much modification is needed to use it on a wider scale?
Alexandre: With having a manual part, the thing that’s difficult to automatize is the fuzzer, as it needs to be given entry points so in Tauri apps, you can be able scan the code and look for Tauri commands and find these functions. Another part is that it’s also that these functions may require some kind of inputs too. So the formatting of inputs is at the point where I think it’s really hard to automatize this process and the users will need to say: okay on these kinds of functions you want email-formatted inputs, for example. But you could use it randomly but it won’t be as accurate so you really wouldn’t like take advantage of the power of fuzzing.
Question: You’re in the process of developing this with the CrabNebula security team currently, right? What’s the vision for this tool at CrabNebula?
Alexandre: Yeah, so right now we have a prototype for one Tauri application but the goal is to try it out on more and more Tauri applications and then understanding: okay what parts can be automatized? So we have a framework and then make people test it to see: okay is it hard to use? Do they find it useful? What are the pain points? And right now we only talked about fuzzing more for the backend, which is more critical, but into the future we could also think about whether we could also fuzz the webview to really check all the potential behaviors, even though there are already a lot of tools to fuzz the webview, but it could be future project additions.
The Future of Security and Adaptation to Emerging Technologies
Question: What do you see as the next set of tools being developed? Either with fuzzing, or any other tools you’re considering developing for the security audit team as well.
Alexandre: Fuzzing I think is only one part. In the security team, there are other projects too. There is another one which is a static analyzer for Tauri configurations. I think it’s very good because in Tauri, there is a configuration file where you allow a lot of features and the more precise your allowlist is, the more secure your application. The only issue is that in the Tauri apps we have investigated, usually with the configuration developers tend to just allow everything, so they don’t have to configure it while creating the application. I think the developers don’t see the need to dive into the details or, just for them, it’s not a priority in the beginning and maybe they plan to do it later. There are a lot of security vulnerabilities coming from this part. So this project, that analyzes Tauri configuration files and will give recommendations on how the configurations should be or could be improved, is what I am especially looking forward to.
Question: And like a fuzzer, do you see it also having a built-in reporting feature that reports and advises best practices?
Alexandre: Yeah, exactly. It will be a tool you use and tells you “okay you can improve your Tauri configuration file by adding this line, or removing this.” So it will really be a tool to help the Tauri developers.
Question: Are there any other research topics or anything else you see coming up on the horizon?
Alexandre: These are projects that are ongoing right now and I think there’s lots of topics that could be interesting for CrabNebula, but their research is postponed because we don’t have unlimited resources. One area with a lots of things going on is with isolation and unikernels, like making sure a critical code is executed in a safe way so that it cannot corrupt your whole environment. That could be like things we want to look for. For example, for Tauri applications, since you are downloading code from another source, being able to run Tauri applications in a kind of isolated layer, or sandbox, could improve security.
There is also research on webviews because in web security, it’s always evolving so we need to keep with the pace. Currently, there is a big wave regarding AI and maybe in cybersecurity it’s not talked about a lot. But there is a lot of tools that are coming up which is use AI to attack programs but also to defend against it. So it’s not yet at our doors, but I think it’s worth it to be aware of what’s coming.
Question: Is that where there’s a lot of talk about quantum computing? Is that where this plays into that as well?
Alexandre: Yes, we don’t dive in because it’s more on the cryptographic side and we don’t develop our own cryptographic libraries. But we have to be up to date on what’s the latest algorithm, because even though we don’t have quantum computers for the masses we already have to prepare for it and make sure that our current communication can’t be decrypted later. So we have to be sure to know what’s going on with the latest quantum-resistant algorithms.
Question: Thanks for the interview Alexandre. Would you like to share any tech tips or trends you found out about recently?
Alexandre: Sure. I’m currently trying out Neovim + AstroNvim as a code editor. This is super cool because it’s lightweight and packs all the needed base features to start coding immediately. If you’re a VIM user and don’t want to spend hours customizing your tools, I’d definitely recommend it.
Question: Thank you! For a final thought, what’s your favorite food?
Alexandre: My favorite food is “pho ga”, a Vietnamese noodle soup. Check it out, you won’t be disappointed!
Thank you, Alexandre, for sharing these insights on fuzzing and the broader scope of security projects at CrabNebula. We look forward to future updates on these exciting developments. Find out more here.
Author: The CrabNebula Team
Subscribe to my newsletter
Read articles from CrabNebula directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
CrabNebula
CrabNebula
CrabNebula is built on the vision of enabling individuals, entrepreneurs and businesses to sustainably build, develop and distribute their apps to the universe.