This post was originally published on 2018-01-05 on my old blog. I do not want to lose the content, so I migrated it here. The content may be more or less obsolete.
Radamsa is a general-purpose, black-box oriented mutating fuzzer. It is written in Scheme and is available on its GitHub page under the MIT license. While the project is not entirely abandoned (there are occasional commits on
develop branch, but the last commit on the
master branch is a PR merge six months ago), there does not seem much development to happen anymore. The project is a side result of the research done by Oulu University Secure Programming Group. The project has simple but straightforward and information documentation in the repository README file.
Its documentation describes Radamsa as an "extremely black-box fuzzer": it does not need any information about neither the input format nor the internals of the fuzzed program. The tool starts with a given sample input for an application, on which it applies a mutation while trying to keep the general format valid(-ish). The root of Radamsa was a research on the automatic analysis of communication protocols.
Radamsa claims to be applicable, without any configuration, on programs processing any format of input - binary or text. Quick experiments (see below) show that Radamsa is quite successful. Although Radamsa's output cannot probably compare with format-specialized fuzzers (such as CSmith for C programs), the applied mutations go well beyond random garbage injection, leading to valuable testing inputs for a program.
Intuitively, I would not expect many successful bug discoveries in proven, battle-tested software, but Radamsa README file contains an impressive list of discovered CVEs, including curl, libxslt or bzip2.
The instructions say building Radamsa is a simple clone-and-run-make process and I was able to build a single, dependency-free binary without any problem. Mimicking few examples from the documentation worked as expected: feeding my name to Radamsa's standard input yielded multiple mangled variants which I imagine can cause havoc to naive string processing routines.
The next experiment I tried was running Radamsa with a simple Python program as an input. Again, the results were interesting, the applied modifications varied a lot but kept a general structure of Python code. I saw lines removed or duplicated and tokens changed (for example, integer literals changed to a different value). I also encountered quite interesting, non-trivial mutations like replacing the whole expression in a parentheses with a recursive-ish expression (think something like
a(a(a(a(a(b)))))). Again, several tries made me convinced these inputs would be valuable when trying to fuzz something that processes Python grammar.
As a last experiment, I tried an XML file. Specifically, xUnit result XML file. Again, Radamsa changed the file mostly in a way that kept the overall format, but the scale of applied mutations was similar to the Python input.
Radamsa is extremely simple to start with - you only need the target system, few sample inputs and you are good to go. Set up Radamsa in a loop, feed its output to the system under test and detect bugs. Of course, the black box approach limits the rate with which Radamsa can penetrate deep into the tested system, especially compared to smart fuzzers guided by the instrumented target system, such as American Fuzzy Lop.
You also need to have a reasonable way how to detect error condition in the tested system, given an unknown input (but this holds for most fuzzers). Of course, you can usually start with some simple criteria like "the target should terminate and not crash".
I will certainly include Radamsa in my toolbelt. The fact that I can immediately, without any setup, run it for few hours against pretty much anything makes it useful in different situations, especially when instrumentation or specialized format fuzzers are not available or worth the effort to set up.