SlideShare a Scribd company logo

Fuzzing Janus @ IPTComm 2019

L
Lorenzo Miniero

The slides for the "Fuzzing Janus for fun and profit" paper I presented at IPTComm 2019, in Chicago. Simon (Romano) came up with the title, as a homage to the famous "Smashing the stack for fun and profit" article.

Technology
1 of 42
Download to read offline
Fuzzing Janus for Fun and Profit A. Amirante, T. Castaldi, L. Miniero, S.P. Romano, P. Saviano, A. Toppi IPTComm 2019 October 15th 2019, Chicago, IL, USA
A few words about me Lorenzo Miniero • Ph.D @ UniNA • Chairman @ Meetecho • Main author of Janus® Contacts and info • lorenzo@meetecho.com • https://twitter.com/elminiero • https://www.slideshare.net/LorenzoMiniero
Vulnerabilities in RTC communications • Project Zero is a team of security analysts employed by Google • https://googleprojectzero.blogspot.com/ • Recently focused on videoconferencing applications • Focus on end-to-end, and RTP testing • Malicious endpoint generating randomized input • Built new tools required for the task • Targeted many applications, and found dangerous bugs • Apple FaceTime • WhatsApp • WebRTC Philipp Hancke’s wakeup call https://webrtchacks.com/lets-get-better-at-fuzzing-in-2019-heres-how/
Vulnerabilities in RTC communications • Project Zero is a team of security analysts employed by Google • https://googleprojectzero.blogspot.com/ • Recently focused on videoconferencing applications • Focus on end-to-end, and RTP testing • Malicious endpoint generating randomized input • Built new tools required for the task • Targeted many applications, and found dangerous bugs • Apple FaceTime • WhatsApp • WebRTC Philipp Hancke’s wakeup call https://webrtchacks.com/lets-get-better-at-fuzzing-in-2019-heres-how/
Vulnerabilities in RTC communications • Project Zero is a team of security analysts employed by Google • https://googleprojectzero.blogspot.com/ • Recently focused on videoconferencing applications • Focus on end-to-end, and RTP testing • Malicious endpoint generating randomized input • Built new tools required for the task • Targeted many applications, and found dangerous bugs • Apple FaceTime • WhatsApp • WebRTC Philipp Hancke’s wakeup call https://webrtchacks.com/lets-get-better-at-fuzzing-in-2019-heres-how/
Vulnerabilities in RTC communications • Project Zero is a team of security analysts employed by Google • https://googleprojectzero.blogspot.com/ • Recently focused on videoconferencing applications • Focus on end-to-end, and RTP testing • Malicious endpoint generating randomized input • Built new tools required for the task • Targeted many applications, and found dangerous bugs • Apple FaceTime • WhatsApp • WebRTC Philipp Hancke’s wakeup call https://webrtchacks.com/lets-get-better-at-fuzzing-in-2019-heres-how/
What can cause trouble in WebRTC? • WebRTC is signalling agnostic, so typically not that • You can use SIP, XMPP, some JSON flavour, etc. • A lot of media-related protocols to worry about, though • STUN/TURN (NAT traversal) • DTLS/DTLS-SRTP (secure exchange of keys and data) • RTP/RTCP (or actually, SRTP/SRTCP), including RTP extensions • SCTP (data channels) • ... and codec specific payloads • Identifying keyframes (VP8, VP9, H.264) • Simulcast & SVC (inspecting payloads)
What can cause trouble in WebRTC? • WebRTC is signalling agnostic, so typically not that • You can use SIP, XMPP, some JSON flavour, etc. • A lot of media-related protocols to worry about, though • STUN/TURN (NAT traversal) • DTLS/DTLS-SRTP (secure exchange of keys and data) • RTP/RTCP (or actually, SRTP/SRTCP), including RTP extensions • SCTP (data channels) • ... and codec specific payloads • Identifying keyframes (VP8, VP9, H.264) • Simulcast & SVC (inspecting payloads)
What can cause trouble in WebRTC? • WebRTC is signalling agnostic, so typically not that • You can use SIP, XMPP, some JSON flavour, etc. • A lot of media-related protocols to worry about, though • STUN/TURN (NAT traversal) • DTLS/DTLS-SRTP (secure exchange of keys and data) • RTP/RTCP (or actually, SRTP/SRTCP), including RTP extensions • SCTP (data channels) • ... and codec specific payloads • Identifying keyframes (VP8, VP9, H.264) • Simulcast & SVC (inspecting payloads)
Why can fuzz testing help? • Automated software testing technique • Unexpected or invalid data submitted to a program • Input pattern modified according to a defined strategy (e.g., for coverage) • Typical workflow 1 Engine generates input based on existing dataset (“Corpus”) 2 Input mutated slightly over time 3 Input data passed to target function and monitored (e.g., via sanitizers) 4 Coverage of new lines updates stats and Corpus (new pattern) 5 Repeat until it crashes • Repeatability can be ensured using the same seeds or previous dumps
Why can fuzz testing help? • Automated software testing technique • Unexpected or invalid data submitted to a program • Input pattern modified according to a defined strategy (e.g., for coverage) • Typical workflow 1 Engine generates input based on existing dataset (“Corpus”) 2 Input mutated slightly over time 3 Input data passed to target function and monitored (e.g., via sanitizers) 4 Coverage of new lines updates stats and Corpus (new pattern) 5 Repeat until it crashes • Repeatability can be ensured using the same seeds or previous dumps
Why can fuzz testing help? • Automated software testing technique • Unexpected or invalid data submitted to a program • Input pattern modified according to a defined strategy (e.g., for coverage) • Typical workflow 1 Engine generates input based on existing dataset (“Corpus”) 2 Input mutated slightly over time 3 Input data passed to target function and monitored (e.g., via sanitizers) 4 Coverage of new lines updates stats and Corpus (new pattern) 5 Repeat until it crashes • Repeatability can be ensured using the same seeds or previous dumps
Introducing the Janus WebRTC server Janus General purpose, open source WebRTC server • https://github.com/meetecho/janus-gateway • Demos and documentation: https://janus.conf.meetecho.com • Community: https://groups.google.com/forum/#!forum/meetecho-janus
Modular architecture • The core only implements the WebRTC stack • JSEP/SDP, ICE, DTLS-SRTP, Data Channels, Simulcast, VP9-SVC, ... • Plugins expose Janus API over different “transports” • Currently HTTP / WebSockets / RabbitMQ / Unix Sockets / MQTT / Nanomsg • “Application” logic implemented in plugins too • Users attach to plugins via the Janus core • The core handles the WebRTC stuff • Plugins route/manipulate the media/data • Plugins can be combined on client side as “bricks” • Video SFU, Audio MCU, SIP gatewaying, broadcasting, etc.
Modular architecture • The core only implements the WebRTC stack • JSEP/SDP, ICE, DTLS-SRTP, Data Channels, Simulcast, VP9-SVC, ... • Plugins expose Janus API over different “transports” • Currently HTTP / WebSockets / RabbitMQ / Unix Sockets / MQTT / Nanomsg • “Application” logic implemented in plugins too • Users attach to plugins via the Janus core • The core handles the WebRTC stuff • Plugins route/manipulate the media/data • Plugins can be combined on client side as “bricks” • Video SFU, Audio MCU, SIP gatewaying, broadcasting, etc.
Modular architecture • The core only implements the WebRTC stack • JSEP/SDP, ICE, DTLS-SRTP, Data Channels, Simulcast, VP9-SVC, ... • Plugins expose Janus API over different “transports” • Currently HTTP / WebSockets / RabbitMQ / Unix Sockets / MQTT / Nanomsg • “Application” logic implemented in plugins too • Users attach to plugins via the Janus core • The core handles the WebRTC stuff • Plugins route/manipulate the media/data • Plugins can be combined on client side as “bricks” • Video SFU, Audio MCU, SIP gatewaying, broadcasting, etc.
Modular architecture • The core only implements the WebRTC stack • JSEP/SDP, ICE, DTLS-SRTP, Data Channels, Simulcast, VP9-SVC, ... • Plugins expose Janus API over different “transports” • Currently HTTP / WebSockets / RabbitMQ / Unix Sockets / MQTT / Nanomsg • “Application” logic implemented in plugins too • Users attach to plugins via the Janus core • The core handles the WebRTC stuff • Plugins route/manipulate the media/data • Plugins can be combined on client side as “bricks” • Video SFU, Audio MCU, SIP gatewaying, broadcasting, etc.
Choosing the fuzzing targets • Many protocols via dependencies are fuzzed already • ICE/STUN/TURN (libnice) • DTLS/DTLS-SRTP (OpenSSL/LibreSSL/BoringSSL) • SRTP/SRTCP (libsrtp) • SCTP (usrsctplib) • Some other dependencies MAY need fuzzing (but not in Janus?) • Transports (HTTP, WebSockets, RabbitMQ, etc.) • JSON support (Jansson) • Custom code DEFINITELY needs fuzzing • RTCP parsing (e.g., compound packets) • RTP processing (e.g., RTP extensions, codec specific payloads) • SDP parsing and processing
Choosing the fuzzing targets • Many protocols via dependencies are fuzzed already • ICE/STUN/TURN (libnice) • DTLS/DTLS-SRTP (OpenSSL/LibreSSL/BoringSSL) • SRTP/SRTCP (libsrtp) • SCTP (usrsctplib) • Some other dependencies MAY need fuzzing (but not in Janus?) • Transports (HTTP, WebSockets, RabbitMQ, etc.) • JSON support (Jansson) • Custom code DEFINITELY needs fuzzing • RTCP parsing (e.g., compound packets) • RTP processing (e.g., RTP extensions, codec specific payloads) • SDP parsing and processing
Choosing the fuzzing targets • Many protocols via dependencies are fuzzed already • ICE/STUN/TURN (libnice) • DTLS/DTLS-SRTP (OpenSSL/LibreSSL/BoringSSL) • SRTP/SRTCP (libsrtp) • SCTP (usrsctplib) • Some other dependencies MAY need fuzzing (but not in Janus?) • Transports (HTTP, WebSockets, RabbitMQ, etc.) • JSON support (Jansson) • Custom code DEFINITELY needs fuzzing • RTCP parsing (e.g., compound packets) • RTP processing (e.g., RTP extensions, codec specific payloads) • SDP parsing and processing
A quick intro to libFuzzer • Popular coverage-guided fuzzing engine, part of the LLVM project • https://llvm.org/docs/LibFuzzer.html • Used by several well known applications • glibc, OpenSSL/LibreSSL/BoringSSL, SQLite, FFmpeg and many more • A few key characteristics • Needs sources to be compiled with Clang • Works in-process (linked with the library/application under test) • Feeds inputs to the target via a fuzzing entrypoint (target function) • Execution of the target function is monitored with sanitizers tools (e.g., libasan)
A quick intro to libFuzzer • Popular coverage-guided fuzzing engine, part of the LLVM project • https://llvm.org/docs/LibFuzzer.html • Used by several well known applications • glibc, OpenSSL/LibreSSL/BoringSSL, SQLite, FFmpeg and many more • A few key characteristics • Needs sources to be compiled with Clang • Works in-process (linked with the library/application under test) • Feeds inputs to the target via a fuzzing entrypoint (target function) • Execution of the target function is monitored with sanitizers tools (e.g., libasan)
A quick intro to libFuzzer • Popular coverage-guided fuzzing engine, part of the LLVM project • https://llvm.org/docs/LibFuzzer.html • Used by several well known applications • glibc, OpenSSL/LibreSSL/BoringSSL, SQLite, FFmpeg and many more • A few key characteristics • Needs sources to be compiled with Clang • Works in-process (linked with the library/application under test) • Feeds inputs to the target via a fuzzing entrypoint (target function) • Execution of the target function is monitored with sanitizers tools (e.g., libasan)
Coverage-guided fuzzing
libFuzzer in (simplified) practice 1 Implement the method to receive and process the input data // my_fuzzer.c int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ProcessData(Data, Size); return 0; } 2 Compile with Clang and the right flags > clang -g -O1 -fsanitize=fuzzer,address,undefined my_fuzzer.c 3 Launch passing the Corpus folder as the argument > ./my_fuzzer CORPUS_DIR 4 In case of crashes, pass the dumped input (e.g., via gdb, or to test regressions) > gdb --args ./my_fuzzer crash-file-dump
libFuzzer in (simplified) practice 1 Implement the method to receive and process the input data // my_fuzzer.c int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ProcessData(Data, Size); return 0; } 2 Compile with Clang and the right flags > clang -g -O1 -fsanitize=fuzzer,address,undefined my_fuzzer.c 3 Launch passing the Corpus folder as the argument > ./my_fuzzer CORPUS_DIR 4 In case of crashes, pass the dumped input (e.g., via gdb, or to test regressions) > gdb --args ./my_fuzzer crash-file-dump
libFuzzer in (simplified) practice 1 Implement the method to receive and process the input data // my_fuzzer.c int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ProcessData(Data, Size); return 0; } 2 Compile with Clang and the right flags > clang -g -O1 -fsanitize=fuzzer,address,undefined my_fuzzer.c 3 Launch passing the Corpus folder as the argument > ./my_fuzzer CORPUS_DIR 4 In case of crashes, pass the dumped input (e.g., via gdb, or to test regressions) > gdb --args ./my_fuzzer crash-file-dump
libFuzzer in (simplified) practice 1 Implement the method to receive and process the input data // my_fuzzer.c int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ProcessData(Data, Size); return 0; } 2 Compile with Clang and the right flags > clang -g -O1 -fsanitize=fuzzer,address,undefined my_fuzzer.c 3 Launch passing the Corpus folder as the argument > ./my_fuzzer CORPUS_DIR 4 In case of crashes, pass the dumped input (e.g., via gdb, or to test regressions) > gdb --args ./my_fuzzer crash-file-dump
Integrating libFuzzer in Janus • First step was Clang support (Janus normally built with gcc) • Streamlined compilation flags in the process • Got useful warnings that led to some fixes too • Next step was choosing what to fuzz • Decided to start with RTCP • Compound packets + length values + overflows = “fun”... • Then worked on the libFuzzer workflow 1 Fuzzing target with critical RTCP-related functions 2 Helper script to build the fuzzer 3 Helper script to run the fuzzer Original pull request (now merged, with RTP and SDP fuzzing as well) https://github.com/meetecho/janus-gateway/pull/1492
Integrating libFuzzer in Janus • First step was Clang support (Janus normally built with gcc) • Streamlined compilation flags in the process • Got useful warnings that led to some fixes too • Next step was choosing what to fuzz • Decided to start with RTCP • Compound packets + length values + overflows = “fun”... • Then worked on the libFuzzer workflow 1 Fuzzing target with critical RTCP-related functions 2 Helper script to build the fuzzer 3 Helper script to run the fuzzer Original pull request (now merged, with RTP and SDP fuzzing as well) https://github.com/meetecho/janus-gateway/pull/1492
Integrating libFuzzer in Janus • First step was Clang support (Janus normally built with gcc) • Streamlined compilation flags in the process • Got useful warnings that led to some fixes too • Next step was choosing what to fuzz • Decided to start with RTCP • Compound packets + length values + overflows = “fun”... • Then worked on the libFuzzer workflow 1 Fuzzing target with critical RTCP-related functions 2 Helper script to build the fuzzer 3 Helper script to run the fuzzer Original pull request (now merged, with RTP and SDP fuzzing as well) https://github.com/meetecho/janus-gateway/pull/1492
Integrating libFuzzer in Janus • First step was Clang support (Janus normally built with gcc) • Streamlined compilation flags in the process • Got useful warnings that led to some fixes too • Next step was choosing what to fuzz • Decided to start with RTCP • Compound packets + length values + overflows = “fun”... • Then worked on the libFuzzer workflow 1 Fuzzing target with critical RTCP-related functions 2 Helper script to build the fuzzer 3 Helper script to run the fuzzer Original pull request (now merged, with RTP and SDP fuzzing as well) https://github.com/meetecho/janus-gateway/pull/1492
Integrating libFuzzer in Janus // fuzz-rtcp.c #include "janus/rtcp.h" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (size < 8 || size > 1472) return 0; if (!janus_is_rtcp(data, size)) return 0; /* Initialize an empty RTCP context */ janus_rtcp_context ctx; janus_rtcp_parse(ctx, (char *)data, size); GSList *list = janus_rtcp_get_nacks((char *)data, size); ... if (list) g_slist_free(list); return 0; }
Presenting the code coverage
Corpora files: a shared effort https://github.com/RTC-Cartel/webrtc-fuzzer-corpora
Scalable distributed fuzzing via OSS-Fuzz https://github.com/google/oss-fuzz/pull/2241 (Janus addition)
Scalable distributed fuzzing via OSS-Fuzz https://github.com/google/oss-fuzz/pull/2241 (Janus addition)
A detailed tutorial on how to setup all this https://webrtchacks.com/fuzzing-janus/
What’s next? • So far, we only fuzzed RTP, RTCP and in part SDP in the core • SDP fuzzing should be improved (maybe with structure-aware fuzzing?) • What about plugins and their custom interactions? • Definitely expand the corpora • The shared RTC-Cartel repo should help with that • Exchanging crash causes with other projects will make both more robust • libFuzzer is not the only option here • Some popular alternatives are AFL, Radamsa, Gasoline, etc. • KITE and its “weaponised” browsers can be very helpful as an orthogonal testing tool
What’s next? • So far, we only fuzzed RTP, RTCP and in part SDP in the core • SDP fuzzing should be improved (maybe with structure-aware fuzzing?) • What about plugins and their custom interactions? • Definitely expand the corpora • The shared RTC-Cartel repo should help with that • Exchanging crash causes with other projects will make both more robust • libFuzzer is not the only option here • Some popular alternatives are AFL, Radamsa, Gasoline, etc. • KITE and its “weaponised” browsers can be very helpful as an orthogonal testing tool
What’s next? • So far, we only fuzzed RTP, RTCP and in part SDP in the core • SDP fuzzing should be improved (maybe with structure-aware fuzzing?) • What about plugins and their custom interactions? • Definitely expand the corpora • The shared RTC-Cartel repo should help with that • Exchanging crash causes with other projects will make both more robust • libFuzzer is not the only option here • Some popular alternatives are AFL, Radamsa, Gasoline, etc. • KITE and its “weaponised” browsers can be very helpful as an orthogonal testing tool
Thanks! Questions? Comments? Get in touch! • https://twitter.com/elminiero • https://twitter.com/meetecho • https://www.meetecho.com

Recommended

Write a SocialTV app @ OpenSIPS 2021
Write a SocialTV app @ OpenSIPS 2021Write a SocialTV app @ OpenSIPS 2021
Write a SocialTV app @ OpenSIPS 2021Lorenzo Miniero
 
Janus/SIP @ OpenSIPS 2017
Janus/SIP @ OpenSIPS 2017Janus/SIP @ OpenSIPS 2017
Janus/SIP @ OpenSIPS 2017Lorenzo Miniero
 
SIP/WebRTC load testing @ KamailioWorld 2017
SIP/WebRTC load testing @ KamailioWorld 2017SIP/WebRTC load testing @ KamailioWorld 2017
SIP/WebRTC load testing @ KamailioWorld 2017Lorenzo Miniero
 
Virtual IETF meetings with WebRTC @ IETF 109 MOPS
Virtual IETF meetings with WebRTC @ IETF 109 MOPSVirtual IETF meetings with WebRTC @ IETF 109 MOPS
Virtual IETF meetings with WebRTC @ IETF 109 MOPSLorenzo Miniero
 
WebRTC security+more @ KamailioWorld 2018
WebRTC security+more @ KamailioWorld 2018WebRTC security+more @ KamailioWorld 2018
WebRTC security+more @ KamailioWorld 2018Lorenzo Miniero
 
WebRTC, RED and Janus @ ClueCon21
WebRTC, RED and Janus @ ClueCon21WebRTC, RED and Janus @ ClueCon21
WebRTC, RED and Janus @ ClueCon21Lorenzo Miniero
 
IETF remote participation via Meetecho @ WebRTC Meetup Stockholm
IETF remote participation via Meetecho @ WebRTC Meetup StockholmIETF remote participation via Meetecho @ WebRTC Meetup Stockholm
IETF remote participation via Meetecho @ WebRTC Meetup StockholmLorenzo Miniero
 
Fuzzing RTC @ Kamailio World 2019
Fuzzing RTC @ Kamailio World 2019Fuzzing RTC @ Kamailio World 2019
Fuzzing RTC @ Kamailio World 2019Lorenzo Miniero
 

Recommended

Write a SocialTV app @ OpenSIPS 2021
Write a SocialTV app @ OpenSIPS 2021Write a SocialTV app @ OpenSIPS 2021
Write a SocialTV app @ OpenSIPS 2021Lorenzo Miniero
 
Janus/SIP @ OpenSIPS 2017
Janus/SIP @ OpenSIPS 2017Janus/SIP @ OpenSIPS 2017
Janus/SIP @ OpenSIPS 2017Lorenzo Miniero
 
SIP/WebRTC load testing @ KamailioWorld 2017
SIP/WebRTC load testing @ KamailioWorld 2017SIP/WebRTC load testing @ KamailioWorld 2017
SIP/WebRTC load testing @ KamailioWorld 2017Lorenzo Miniero
 
Virtual IETF meetings with WebRTC @ IETF 109 MOPS
Virtual IETF meetings with WebRTC @ IETF 109 MOPSVirtual IETF meetings with WebRTC @ IETF 109 MOPS
Virtual IETF meetings with WebRTC @ IETF 109 MOPSLorenzo Miniero
 
WebRTC security+more @ KamailioWorld 2018
WebRTC security+more @ KamailioWorld 2018WebRTC security+more @ KamailioWorld 2018
WebRTC security+more @ KamailioWorld 2018Lorenzo Miniero
 
WebRTC, RED and Janus @ ClueCon21
WebRTC, RED and Janus @ ClueCon21WebRTC, RED and Janus @ ClueCon21
WebRTC, RED and Janus @ ClueCon21Lorenzo Miniero
 
IETF remote participation via Meetecho @ WebRTC Meetup Stockholm
IETF remote participation via Meetecho @ WebRTC Meetup StockholmIETF remote participation via Meetecho @ WebRTC Meetup Stockholm
IETF remote participation via Meetecho @ WebRTC Meetup StockholmLorenzo Miniero
 
Fuzzing RTC @ Kamailio World 2019
Fuzzing RTC @ Kamailio World 2019Fuzzing RTC @ Kamailio World 2019
Fuzzing RTC @ Kamailio World 2019Lorenzo Miniero
 
Janus Workshop pt.2 @ ClueCon 2021
Janus Workshop pt.2 @ ClueCon 2021Janus Workshop pt.2 @ ClueCon 2021
Janus Workshop pt.2 @ ClueCon 2021Lorenzo Miniero
 
Janus + Audio @ Open Source World
Janus + Audio @ Open Source WorldJanus + Audio @ Open Source World
Janus + Audio @ Open Source WorldLorenzo Miniero
 
Janus/HOMER/HEPIC @ OpenSIPS18
Janus/HOMER/HEPIC @ OpenSIPS18Janus/HOMER/HEPIC @ OpenSIPS18
Janus/HOMER/HEPIC @ OpenSIPS18Lorenzo Miniero
 
Janus/SIP @ OpenSIPS 2019
Janus/SIP @ OpenSIPS 2019Janus/SIP @ OpenSIPS 2019
Janus/SIP @ OpenSIPS 2019Lorenzo Miniero
 
Can WebRTC help musicians? @ FOSDEM 2021
Can WebRTC help musicians? @ FOSDEM 2021Can WebRTC help musicians? @ FOSDEM 2021
Can WebRTC help musicians? @ FOSDEM 2021Lorenzo Miniero
 
Scaling WebRTC applications with Janus
Scaling WebRTC applications with JanusScaling WebRTC applications with Janus
Scaling WebRTC applications with JanusLorenzo Miniero
 
Can SFUs and MCUs be friends @ IIT-RTC 2020
Can SFUs and MCUs be friends @ IIT-RTC 2020Can SFUs and MCUs be friends @ IIT-RTC 2020
Can SFUs and MCUs be friends @ IIT-RTC 2020Lorenzo Miniero
 
Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...
Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...
Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...Paolo Saviano
 
Insertable Streams and E2EE @ ClueCon2020
Insertable Streams and E2EE @ ClueCon2020Insertable Streams and E2EE @ ClueCon2020
Insertable Streams and E2EE @ ClueCon2020Lorenzo Miniero
 
Janus @ WebRTC Meetup Stockholm
Janus @ WebRTC Meetup StockholmJanus @ WebRTC Meetup Stockholm
Janus @ WebRTC Meetup StockholmLorenzo Miniero
 
Janus + NDI @ ClueCon 2021
Janus + NDI @ ClueCon 2021Janus + NDI @ ClueCon 2021
Janus + NDI @ ClueCon 2021Lorenzo Miniero
 
WHIP and Janus @ IIT-RTC 2021
WHIP and Janus @ IIT-RTC 2021WHIP and Janus @ IIT-RTC 2021
WHIP and Janus @ IIT-RTC 2021Lorenzo Miniero
 
Janus Workshop @ ClueCon 2020
Janus Workshop @ ClueCon 2020Janus Workshop @ ClueCon 2020
Janus Workshop @ ClueCon 2020Lorenzo Miniero
 
FOSDEM2018 Janus Lua plugin presentation
FOSDEM2018 Janus Lua plugin presentationFOSDEM2018 Janus Lua plugin presentation
FOSDEM2018 Janus Lua plugin presentationLorenzo Miniero
 
Turning live events to virtual with Janus
Turning live events to virtual with JanusTurning live events to virtual with Janus
Turning live events to virtual with JanusLorenzo Miniero
 
Janus: an open source and general purpose WebRTC (gateway) server
Janus: an open source and general purpose WebRTC (gateway) serverJanus: an open source and general purpose WebRTC (gateway) server
Janus: an open source and general purpose WebRTC (gateway) serverDevDay
 
Scaling WebRTC deployments with multicast @ IETF 110 MBONED
Scaling WebRTC deployments with multicast @ IETF 110 MBONEDScaling WebRTC deployments with multicast @ IETF 110 MBONED
Scaling WebRTC deployments with multicast @ IETF 110 MBONEDLorenzo Miniero
 
WHIP WebRTC Broadcasting @ FOSDEM 2022
WHIP WebRTC Broadcasting @ FOSDEM 2022WHIP WebRTC Broadcasting @ FOSDEM 2022
WHIP WebRTC Broadcasting @ FOSDEM 2022Lorenzo Miniero
 
Janus @ ClueCon 2019
Janus @ ClueCon 2019Janus @ ClueCon 2019
Janus @ ClueCon 2019Lorenzo Miniero
 
Simulcast/SVC @ IIT-RTC 2019
Simulcast/SVC @ IIT-RTC 2019Simulcast/SVC @ IIT-RTC 2019
Simulcast/SVC @ IIT-RTC 2019Lorenzo Miniero
 
Janus/Asterisk @ Astricon 2017
Janus/Asterisk @ Astricon 2017Janus/Asterisk @ Astricon 2017
Janus/Asterisk @ Astricon 2017Lorenzo Miniero
 
Janus workshop @ RTC2019 Beijing
Janus workshop @ RTC2019 BeijingJanus workshop @ RTC2019 Beijing
Janus workshop @ RTC2019 BeijingLorenzo Miniero
 

More Related Content

What's hot

Janus Workshop pt.2 @ ClueCon 2021
Janus Workshop pt.2 @ ClueCon 2021Janus Workshop pt.2 @ ClueCon 2021
Janus Workshop pt.2 @ ClueCon 2021Lorenzo Miniero
 
Janus + Audio @ Open Source World
Janus + Audio @ Open Source WorldJanus + Audio @ Open Source World
Janus + Audio @ Open Source WorldLorenzo Miniero
 
Janus/HOMER/HEPIC @ OpenSIPS18
Janus/HOMER/HEPIC @ OpenSIPS18Janus/HOMER/HEPIC @ OpenSIPS18
Janus/HOMER/HEPIC @ OpenSIPS18Lorenzo Miniero
 
Janus/SIP @ OpenSIPS 2019
Janus/SIP @ OpenSIPS 2019Janus/SIP @ OpenSIPS 2019
Janus/SIP @ OpenSIPS 2019Lorenzo Miniero
 
Can WebRTC help musicians? @ FOSDEM 2021
Can WebRTC help musicians? @ FOSDEM 2021Can WebRTC help musicians? @ FOSDEM 2021
Can WebRTC help musicians? @ FOSDEM 2021Lorenzo Miniero
 
Scaling WebRTC applications with Janus
Scaling WebRTC applications with JanusScaling WebRTC applications with Janus
Scaling WebRTC applications with JanusLorenzo Miniero
 
Can SFUs and MCUs be friends @ IIT-RTC 2020
Can SFUs and MCUs be friends @ IIT-RTC 2020Can SFUs and MCUs be friends @ IIT-RTC 2020
Can SFUs and MCUs be friends @ IIT-RTC 2020Lorenzo Miniero
 
Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...
Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...
Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...Paolo Saviano
 
Insertable Streams and E2EE @ ClueCon2020
Insertable Streams and E2EE @ ClueCon2020Insertable Streams and E2EE @ ClueCon2020
Insertable Streams and E2EE @ ClueCon2020Lorenzo Miniero
 
Janus @ WebRTC Meetup Stockholm
Janus @ WebRTC Meetup StockholmJanus @ WebRTC Meetup Stockholm
Janus @ WebRTC Meetup StockholmLorenzo Miniero
 
Janus + NDI @ ClueCon 2021
Janus + NDI @ ClueCon 2021Janus + NDI @ ClueCon 2021
Janus + NDI @ ClueCon 2021Lorenzo Miniero
 
WHIP and Janus @ IIT-RTC 2021
WHIP and Janus @ IIT-RTC 2021WHIP and Janus @ IIT-RTC 2021
WHIP and Janus @ IIT-RTC 2021Lorenzo Miniero
 
Janus Workshop @ ClueCon 2020
Janus Workshop @ ClueCon 2020Janus Workshop @ ClueCon 2020
Janus Workshop @ ClueCon 2020Lorenzo Miniero
 
FOSDEM2018 Janus Lua plugin presentation
FOSDEM2018 Janus Lua plugin presentationFOSDEM2018 Janus Lua plugin presentation
FOSDEM2018 Janus Lua plugin presentationLorenzo Miniero
 
Turning live events to virtual with Janus
Turning live events to virtual with JanusTurning live events to virtual with Janus
Turning live events to virtual with JanusLorenzo Miniero
 
Janus: an open source and general purpose WebRTC (gateway) server
Janus: an open source and general purpose WebRTC (gateway) serverJanus: an open source and general purpose WebRTC (gateway) server
Janus: an open source and general purpose WebRTC (gateway) serverDevDay
 
Scaling WebRTC deployments with multicast @ IETF 110 MBONED
Scaling WebRTC deployments with multicast @ IETF 110 MBONEDScaling WebRTC deployments with multicast @ IETF 110 MBONED
Scaling WebRTC deployments with multicast @ IETF 110 MBONEDLorenzo Miniero
 
WHIP WebRTC Broadcasting @ FOSDEM 2022
WHIP WebRTC Broadcasting @ FOSDEM 2022WHIP WebRTC Broadcasting @ FOSDEM 2022
WHIP WebRTC Broadcasting @ FOSDEM 2022Lorenzo Miniero
 
Simulcast/SVC @ IIT-RTC 2019
Simulcast/SVC @ IIT-RTC 2019Simulcast/SVC @ IIT-RTC 2019
Simulcast/SVC @ IIT-RTC 2019Lorenzo Miniero
 

What's hot (20)

Janus Workshop pt.2 @ ClueCon 2021
Janus Workshop pt.2 @ ClueCon 2021Janus Workshop pt.2 @ ClueCon 2021
Janus Workshop pt.2 @ ClueCon 2021
 
Janus + Audio @ Open Source World
Janus + Audio @ Open Source WorldJanus + Audio @ Open Source World
Janus + Audio @ Open Source World
 
Janus/HOMER/HEPIC @ OpenSIPS18
Janus/HOMER/HEPIC @ OpenSIPS18Janus/HOMER/HEPIC @ OpenSIPS18
Janus/HOMER/HEPIC @ OpenSIPS18
 
Janus/SIP @ OpenSIPS 2019
Janus/SIP @ OpenSIPS 2019Janus/SIP @ OpenSIPS 2019
Janus/SIP @ OpenSIPS 2019
 
Can WebRTC help musicians? @ FOSDEM 2021
Can WebRTC help musicians? @ FOSDEM 2021Can WebRTC help musicians? @ FOSDEM 2021
Can WebRTC help musicians? @ FOSDEM 2021
 
Scaling WebRTC applications with Janus
Scaling WebRTC applications with JanusScaling WebRTC applications with Janus
Scaling WebRTC applications with Janus
 
Can SFUs and MCUs be friends @ IIT-RTC 2020
Can SFUs and MCUs be friends @ IIT-RTC 2020Can SFUs and MCUs be friends @ IIT-RTC 2020
Can SFUs and MCUs be friends @ IIT-RTC 2020
 
Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...
Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...
Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...
 
Insertable Streams and E2EE @ ClueCon2020
Insertable Streams and E2EE @ ClueCon2020Insertable Streams and E2EE @ ClueCon2020
Insertable Streams and E2EE @ ClueCon2020
 
Janus @ WebRTC Meetup Stockholm
Janus @ WebRTC Meetup StockholmJanus @ WebRTC Meetup Stockholm
Janus @ WebRTC Meetup Stockholm
 
Janus + NDI @ ClueCon 2021
Janus + NDI @ ClueCon 2021Janus + NDI @ ClueCon 2021
Janus + NDI @ ClueCon 2021
 
WHIP and Janus @ IIT-RTC 2021
WHIP and Janus @ IIT-RTC 2021WHIP and Janus @ IIT-RTC 2021
WHIP and Janus @ IIT-RTC 2021
 
Janus Workshop @ ClueCon 2020
Janus Workshop @ ClueCon 2020Janus Workshop @ ClueCon 2020
Janus Workshop @ ClueCon 2020
 
FOSDEM2018 Janus Lua plugin presentation
FOSDEM2018 Janus Lua plugin presentationFOSDEM2018 Janus Lua plugin presentation
FOSDEM2018 Janus Lua plugin presentation
 
Turning live events to virtual with Janus
Turning live events to virtual with JanusTurning live events to virtual with Janus
Turning live events to virtual with Janus
 
Janus: an open source and general purpose WebRTC (gateway) server
Janus: an open source and general purpose WebRTC (gateway) serverJanus: an open source and general purpose WebRTC (gateway) server
Janus: an open source and general purpose WebRTC (gateway) server
 
Scaling WebRTC deployments with multicast @ IETF 110 MBONED
Scaling WebRTC deployments with multicast @ IETF 110 MBONEDScaling WebRTC deployments with multicast @ IETF 110 MBONED
Scaling WebRTC deployments with multicast @ IETF 110 MBONED
 
WHIP WebRTC Broadcasting @ FOSDEM 2022
WHIP WebRTC Broadcasting @ FOSDEM 2022WHIP WebRTC Broadcasting @ FOSDEM 2022
WHIP WebRTC Broadcasting @ FOSDEM 2022
 
Janus @ ClueCon 2019
Janus @ ClueCon 2019Janus @ ClueCon 2019
Janus @ ClueCon 2019
 
Simulcast/SVC @ IIT-RTC 2019
Simulcast/SVC @ IIT-RTC 2019Simulcast/SVC @ IIT-RTC 2019
Simulcast/SVC @ IIT-RTC 2019
 

Similar to Fuzzing Janus @ IPTComm 2019

Janus/Asterisk @ Astricon 2017
Janus/Asterisk @ Astricon 2017Janus/Asterisk @ Astricon 2017
Janus/Asterisk @ Astricon 2017Lorenzo Miniero
 
Janus workshop @ RTC2019 Beijing
Janus workshop @ RTC2019 BeijingJanus workshop @ RTC2019 Beijing
Janus workshop @ RTC2019 BeijingLorenzo Miniero
 
WebRTC Broadcasting @ TADSummit 2023
WebRTC Broadcasting @ TADSummit 2023WebRTC Broadcasting @ TADSummit 2023
WebRTC Broadcasting @ TADSummit 2023Lorenzo Miniero
 
WebRTC standards update - November 2014
WebRTC standards update - November 2014WebRTC standards update - November 2014
WebRTC standards update - November 2014Victor Pascual Ávila
 
Janus RTP forwarders @ FOSDEM 2020
Janus RTP forwarders @ FOSDEM 2020Janus RTP forwarders @ FOSDEM 2020
Janus RTP forwarders @ FOSDEM 2020Lorenzo Miniero
 
Upperside Webinar - WebRTC Standards Update
Upperside Webinar - WebRTC Standards UpdateUpperside Webinar - WebRTC Standards Update
Upperside Webinar - WebRTC Standards UpdateUppersideConferences
 
From Device to Data Center to Insights: Architectural Considerations for the ...
From Device to Data Center to Insights: Architectural Considerations for the ...From Device to Data Center to Insights: Architectural Considerations for the ...
From Device to Data Center to Insights: Architectural Considerations for the ...P. Taylor Goetz
 
IOT and System Platform From Concepts to Code
IOT and System Platform From Concepts to CodeIOT and System Platform From Concepts to Code
IOT and System Platform From Concepts to CodeAndy Robinson
 
WebRTC Webinar & Q&A - W3C WebRTC JS API Test Platform & Updates from W3C Lis...
WebRTC Webinar & Q&A - W3C WebRTC JS API Test Platform & Updates from W3C Lis...WebRTC Webinar & Q&A - W3C WebRTC JS API Test Platform & Updates from W3C Lis...
WebRTC Webinar & Q&A - W3C WebRTC JS API Test Platform & Updates from W3C Lis...Amir Zmora
 
WebRTC Rockstars Asian Tour 2017
WebRTC Rockstars Asian Tour 2017WebRTC Rockstars Asian Tour 2017
WebRTC Rockstars Asian Tour 2017Lorenzo Miniero
 
Scaling server side web rtc applications the janus challenge by lorenzo miniero
Scaling server side web rtc applications the janus challenge by lorenzo minieroScaling server side web rtc applications the janus challenge by lorenzo miniero
Scaling server side web rtc applications the janus challenge by lorenzo minieroGreg Kawere
 
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...Altinity Ltd
 
What's new in web standards?
What's new in web standards?What's new in web standards?
What's new in web standards?Daniel Appelquist
 
FOSDEM 2020: How can we make WebRTC Easier?
FOSDEM 2020: How can we make WebRTC Easier?FOSDEM 2020: How can we make WebRTC Easier?
FOSDEM 2020: How can we make WebRTC Easier?SeanDuBois3
 
Open source tools for optimizing your peering infrastructure @ DE-CIX TechMee...
Open source tools for optimizing your peering infrastructure @ DE-CIX TechMee...Open source tools for optimizing your peering infrastructure @ DE-CIX TechMee...
Open source tools for optimizing your peering infrastructure @ DE-CIX TechMee...Daniel Czerwonk
 
Upperside WebRTC conference - WebRTC intro
Upperside WebRTC conference - WebRTC introUpperside WebRTC conference - WebRTC intro
Upperside WebRTC conference - WebRTC introVictor Pascual Ávila
 

Similar to Fuzzing Janus @ IPTComm 2019 (20)

Janus/Asterisk @ Astricon 2017
Janus/Asterisk @ Astricon 2017Janus/Asterisk @ Astricon 2017
Janus/Asterisk @ Astricon 2017
 
Janus workshop @ RTC2019 Beijing
Janus workshop @ RTC2019 BeijingJanus workshop @ RTC2019 Beijing
Janus workshop @ RTC2019 Beijing
 
WebRTC Broadcasting @ TADSummit 2023
WebRTC Broadcasting @ TADSummit 2023WebRTC Broadcasting @ TADSummit 2023
WebRTC Broadcasting @ TADSummit 2023
 
WebRTC standards update - November 2014
WebRTC standards update - November 2014WebRTC standards update - November 2014
WebRTC standards update - November 2014
 
Janus RTP forwarders @ FOSDEM 2020
Janus RTP forwarders @ FOSDEM 2020Janus RTP forwarders @ FOSDEM 2020
Janus RTP forwarders @ FOSDEM 2020
 
Upperside Webinar - WebRTC Standards Update
Upperside Webinar - WebRTC Standards UpdateUpperside Webinar - WebRTC Standards Update
Upperside Webinar - WebRTC Standards Update
 
From Device to Data Center to Insights: Architectural Considerations for the ...
From Device to Data Center to Insights: Architectural Considerations for the ...From Device to Data Center to Insights: Architectural Considerations for the ...
From Device to Data Center to Insights: Architectural Considerations for the ...
 
WebRTC Summit November 2013 - WebRTC Interoperability (and why it is important)
WebRTC Summit November 2013 - WebRTC Interoperability (and why it is important)WebRTC Summit November 2013 - WebRTC Interoperability (and why it is important)
WebRTC Summit November 2013 - WebRTC Interoperability (and why it is important)
 
From Device to Data Center to Insights
From Device to Data Center to InsightsFrom Device to Data Center to Insights
From Device to Data Center to Insights
 
IOT and System Platform From Concepts to Code
IOT and System Platform From Concepts to CodeIOT and System Platform From Concepts to Code
IOT and System Platform From Concepts to Code
 
Janus @ RTC2017 Beijing
Janus @ RTC2017 BeijingJanus @ RTC2017 Beijing
Janus @ RTC2017 Beijing
 
WebRTC Webinar & Q&A - W3C WebRTC JS API Test Platform & Updates from W3C Lis...
WebRTC Webinar & Q&A - W3C WebRTC JS API Test Platform & Updates from W3C Lis...WebRTC Webinar & Q&A - W3C WebRTC JS API Test Platform & Updates from W3C Lis...
WebRTC Webinar & Q&A - W3C WebRTC JS API Test Platform & Updates from W3C Lis...
 
WebRTC Rockstars Asian Tour 2017
WebRTC Rockstars Asian Tour 2017WebRTC Rockstars Asian Tour 2017
WebRTC Rockstars Asian Tour 2017
 
Workshop oracle
Workshop oracleWorkshop oracle
Workshop oracle
 
Scaling server side web rtc applications the janus challenge by lorenzo miniero
Scaling server side web rtc applications the janus challenge by lorenzo minieroScaling server side web rtc applications the janus challenge by lorenzo miniero
Scaling server side web rtc applications the janus challenge by lorenzo miniero
 
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
 
What's new in web standards?
What's new in web standards?What's new in web standards?
What's new in web standards?
 
FOSDEM 2020: How can we make WebRTC Easier?
FOSDEM 2020: How can we make WebRTC Easier?FOSDEM 2020: How can we make WebRTC Easier?
FOSDEM 2020: How can we make WebRTC Easier?
 
Open source tools for optimizing your peering infrastructure @ DE-CIX TechMee...
Open source tools for optimizing your peering infrastructure @ DE-CIX TechMee...Open source tools for optimizing your peering infrastructure @ DE-CIX TechMee...
Open source tools for optimizing your peering infrastructure @ DE-CIX TechMee...
 
Upperside WebRTC conference - WebRTC intro
Upperside WebRTC conference - WebRTC introUpperside WebRTC conference - WebRTC intro
Upperside WebRTC conference - WebRTC intro
 

More from Lorenzo Miniero

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Getting AV1/SVC to work in the Janus WebRTC Server
Getting AV1/SVC to work in the Janus WebRTC ServerGetting AV1/SVC to work in the Janus WebRTC Server
Getting AV1/SVC to work in the Janus WebRTC ServerLorenzo Miniero
 
The challenges of hybrid meetings @ CommCon 2023
The challenges of hybrid meetings @ CommCon 2023The challenges of hybrid meetings @ CommCon 2023
The challenges of hybrid meetings @ CommCon 2023Lorenzo Miniero
 
Real-Time Text and WebRTC @ Kamailio World 2023
Real-Time Text and WebRTC @ Kamailio World 2023Real-Time Text and WebRTC @ Kamailio World 2023
Real-Time Text and WebRTC @ Kamailio World 2023Lorenzo Miniero
 
Become a rockstar using FOSS!
Become a rockstar using FOSS!Become a rockstar using FOSS!
Become a rockstar using FOSS!Lorenzo Miniero
 
Janus SFU cascading @ IIT-RTC 2022
Janus SFU cascading @ IIT-RTC 2022Janus SFU cascading @ IIT-RTC 2022
Janus SFU cascading @ IIT-RTC 2022Lorenzo Miniero
 
SIP transfer with Janus/WebRTC @ OpenSIPS 2022
SIP transfer with Janus/WebRTC @ OpenSIPS 2022SIP transfer with Janus/WebRTC @ OpenSIPS 2022
SIP transfer with Janus/WebRTC @ OpenSIPS 2022Lorenzo Miniero
 
JamRTC @ Wonder WebRTC unConference
JamRTC @ Wonder WebRTC unConferenceJamRTC @ Wonder WebRTC unConference
JamRTC @ Wonder WebRTC unConferenceLorenzo Miniero
 
Welcome to JanusCon! -- Past, Present and Future of Janus
Welcome to JanusCon! -- Past, Present and Future of JanusWelcome to JanusCon! -- Past, Present and Future of Janus
Welcome to JanusCon! -- Past, Present and Future of JanusLorenzo Miniero
 
Multistream in Janus @ CommCon 2019
Multistream in Janus @ CommCon 2019Multistream in Janus @ CommCon 2019
Multistream in Janus @ CommCon 2019Lorenzo Miniero
 

More from Lorenzo Miniero (11)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Getting AV1/SVC to work in the Janus WebRTC Server
Getting AV1/SVC to work in the Janus WebRTC ServerGetting AV1/SVC to work in the Janus WebRTC Server
Getting AV1/SVC to work in the Janus WebRTC Server
 
BWE in Janus
BWE in JanusBWE in Janus
BWE in Janus
 
The challenges of hybrid meetings @ CommCon 2023
The challenges of hybrid meetings @ CommCon 2023The challenges of hybrid meetings @ CommCon 2023
The challenges of hybrid meetings @ CommCon 2023
 
Real-Time Text and WebRTC @ Kamailio World 2023
Real-Time Text and WebRTC @ Kamailio World 2023Real-Time Text and WebRTC @ Kamailio World 2023
Real-Time Text and WebRTC @ Kamailio World 2023
 
Become a rockstar using FOSS!
Become a rockstar using FOSS!Become a rockstar using FOSS!
Become a rockstar using FOSS!
 
Janus SFU cascading @ IIT-RTC 2022
Janus SFU cascading @ IIT-RTC 2022Janus SFU cascading @ IIT-RTC 2022
Janus SFU cascading @ IIT-RTC 2022
 
SIP transfer with Janus/WebRTC @ OpenSIPS 2022
SIP transfer with Janus/WebRTC @ OpenSIPS 2022SIP transfer with Janus/WebRTC @ OpenSIPS 2022
SIP transfer with Janus/WebRTC @ OpenSIPS 2022
 
JamRTC @ Wonder WebRTC unConference
JamRTC @ Wonder WebRTC unConferenceJamRTC @ Wonder WebRTC unConference
JamRTC @ Wonder WebRTC unConference
 
Welcome to JanusCon! -- Past, Present and Future of Janus
Welcome to JanusCon! -- Past, Present and Future of JanusWelcome to JanusCon! -- Past, Present and Future of Janus
Welcome to JanusCon! -- Past, Present and Future of Janus
 
Multistream in Janus @ CommCon 2019
Multistream in Janus @ CommCon 2019Multistream in Janus @ CommCon 2019
Multistream in Janus @ CommCon 2019
 

Recently uploaded

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Recently uploaded (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Fuzzing Janus @ IPTComm 2019

  • 1. Fuzzing Janus for Fun and Profit A. Amirante, T. Castaldi, L. Miniero, S.P. Romano, P. Saviano, A. Toppi IPTComm 2019 October 15th 2019, Chicago, IL, USA
  • 2. A few words about me Lorenzo Miniero • Ph.D @ UniNA • Chairman @ Meetecho • Main author of Janus® Contacts and info • lorenzo@meetecho.com • https://twitter.com/elminiero • https://www.slideshare.net/LorenzoMiniero
  • 3. Vulnerabilities in RTC communications • Project Zero is a team of security analysts employed by Google • https://googleprojectzero.blogspot.com/ • Recently focused on videoconferencing applications • Focus on end-to-end, and RTP testing • Malicious endpoint generating randomized input • Built new tools required for the task • Targeted many applications, and found dangerous bugs • Apple FaceTime • WhatsApp • WebRTC Philipp Hancke’s wakeup call https://webrtchacks.com/lets-get-better-at-fuzzing-in-2019-heres-how/
  • 4. Vulnerabilities in RTC communications • Project Zero is a team of security analysts employed by Google • https://googleprojectzero.blogspot.com/ • Recently focused on videoconferencing applications • Focus on end-to-end, and RTP testing • Malicious endpoint generating randomized input • Built new tools required for the task • Targeted many applications, and found dangerous bugs • Apple FaceTime • WhatsApp • WebRTC Philipp Hancke’s wakeup call https://webrtchacks.com/lets-get-better-at-fuzzing-in-2019-heres-how/
  • 5. Vulnerabilities in RTC communications • Project Zero is a team of security analysts employed by Google • https://googleprojectzero.blogspot.com/ • Recently focused on videoconferencing applications • Focus on end-to-end, and RTP testing • Malicious endpoint generating randomized input • Built new tools required for the task • Targeted many applications, and found dangerous bugs • Apple FaceTime • WhatsApp • WebRTC Philipp Hancke’s wakeup call https://webrtchacks.com/lets-get-better-at-fuzzing-in-2019-heres-how/
  • 6. Vulnerabilities in RTC communications • Project Zero is a team of security analysts employed by Google • https://googleprojectzero.blogspot.com/ • Recently focused on videoconferencing applications • Focus on end-to-end, and RTP testing • Malicious endpoint generating randomized input • Built new tools required for the task • Targeted many applications, and found dangerous bugs • Apple FaceTime • WhatsApp • WebRTC Philipp Hancke’s wakeup call https://webrtchacks.com/lets-get-better-at-fuzzing-in-2019-heres-how/
  • 7. What can cause trouble in WebRTC? • WebRTC is signalling agnostic, so typically not that • You can use SIP, XMPP, some JSON flavour, etc. • A lot of media-related protocols to worry about, though • STUN/TURN (NAT traversal) • DTLS/DTLS-SRTP (secure exchange of keys and data) • RTP/RTCP (or actually, SRTP/SRTCP), including RTP extensions • SCTP (data channels) • ... and codec specific payloads • Identifying keyframes (VP8, VP9, H.264) • Simulcast & SVC (inspecting payloads)
  • 8. What can cause trouble in WebRTC? • WebRTC is signalling agnostic, so typically not that • You can use SIP, XMPP, some JSON flavour, etc. • A lot of media-related protocols to worry about, though • STUN/TURN (NAT traversal) • DTLS/DTLS-SRTP (secure exchange of keys and data) • RTP/RTCP (or actually, SRTP/SRTCP), including RTP extensions • SCTP (data channels) • ... and codec specific payloads • Identifying keyframes (VP8, VP9, H.264) • Simulcast & SVC (inspecting payloads)
  • 9. What can cause trouble in WebRTC? • WebRTC is signalling agnostic, so typically not that • You can use SIP, XMPP, some JSON flavour, etc. • A lot of media-related protocols to worry about, though • STUN/TURN (NAT traversal) • DTLS/DTLS-SRTP (secure exchange of keys and data) • RTP/RTCP (or actually, SRTP/SRTCP), including RTP extensions • SCTP (data channels) • ... and codec specific payloads • Identifying keyframes (VP8, VP9, H.264) • Simulcast & SVC (inspecting payloads)
  • 10. Why can fuzz testing help? • Automated software testing technique • Unexpected or invalid data submitted to a program • Input pattern modified according to a defined strategy (e.g., for coverage) • Typical workflow 1 Engine generates input based on existing dataset (“Corpus”) 2 Input mutated slightly over time 3 Input data passed to target function and monitored (e.g., via sanitizers) 4 Coverage of new lines updates stats and Corpus (new pattern) 5 Repeat until it crashes • Repeatability can be ensured using the same seeds or previous dumps
  • 11. Why can fuzz testing help? • Automated software testing technique • Unexpected or invalid data submitted to a program • Input pattern modified according to a defined strategy (e.g., for coverage) • Typical workflow 1 Engine generates input based on existing dataset (“Corpus”) 2 Input mutated slightly over time 3 Input data passed to target function and monitored (e.g., via sanitizers) 4 Coverage of new lines updates stats and Corpus (new pattern) 5 Repeat until it crashes • Repeatability can be ensured using the same seeds or previous dumps
  • 12. Why can fuzz testing help? • Automated software testing technique • Unexpected or invalid data submitted to a program • Input pattern modified according to a defined strategy (e.g., for coverage) • Typical workflow 1 Engine generates input based on existing dataset (“Corpus”) 2 Input mutated slightly over time 3 Input data passed to target function and monitored (e.g., via sanitizers) 4 Coverage of new lines updates stats and Corpus (new pattern) 5 Repeat until it crashes • Repeatability can be ensured using the same seeds or previous dumps
  • 13. Introducing the Janus WebRTC server Janus General purpose, open source WebRTC server • https://github.com/meetecho/janus-gateway • Demos and documentation: https://janus.conf.meetecho.com • Community: https://groups.google.com/forum/#!forum/meetecho-janus
  • 14. Modular architecture • The core only implements the WebRTC stack • JSEP/SDP, ICE, DTLS-SRTP, Data Channels, Simulcast, VP9-SVC, ... • Plugins expose Janus API over different “transports” • Currently HTTP / WebSockets / RabbitMQ / Unix Sockets / MQTT / Nanomsg • “Application” logic implemented in plugins too • Users attach to plugins via the Janus core • The core handles the WebRTC stuff • Plugins route/manipulate the media/data • Plugins can be combined on client side as “bricks” • Video SFU, Audio MCU, SIP gatewaying, broadcasting, etc.
  • 15. Modular architecture • The core only implements the WebRTC stack • JSEP/SDP, ICE, DTLS-SRTP, Data Channels, Simulcast, VP9-SVC, ... • Plugins expose Janus API over different “transports” • Currently HTTP / WebSockets / RabbitMQ / Unix Sockets / MQTT / Nanomsg • “Application” logic implemented in plugins too • Users attach to plugins via the Janus core • The core handles the WebRTC stuff • Plugins route/manipulate the media/data • Plugins can be combined on client side as “bricks” • Video SFU, Audio MCU, SIP gatewaying, broadcasting, etc.
  • 16. Modular architecture • The core only implements the WebRTC stack • JSEP/SDP, ICE, DTLS-SRTP, Data Channels, Simulcast, VP9-SVC, ... • Plugins expose Janus API over different “transports” • Currently HTTP / WebSockets / RabbitMQ / Unix Sockets / MQTT / Nanomsg • “Application” logic implemented in plugins too • Users attach to plugins via the Janus core • The core handles the WebRTC stuff • Plugins route/manipulate the media/data • Plugins can be combined on client side as “bricks” • Video SFU, Audio MCU, SIP gatewaying, broadcasting, etc.
  • 17. Modular architecture • The core only implements the WebRTC stack • JSEP/SDP, ICE, DTLS-SRTP, Data Channels, Simulcast, VP9-SVC, ... • Plugins expose Janus API over different “transports” • Currently HTTP / WebSockets / RabbitMQ / Unix Sockets / MQTT / Nanomsg • “Application” logic implemented in plugins too • Users attach to plugins via the Janus core • The core handles the WebRTC stuff • Plugins route/manipulate the media/data • Plugins can be combined on client side as “bricks” • Video SFU, Audio MCU, SIP gatewaying, broadcasting, etc.
  • 18. Choosing the fuzzing targets • Many protocols via dependencies are fuzzed already • ICE/STUN/TURN (libnice) • DTLS/DTLS-SRTP (OpenSSL/LibreSSL/BoringSSL) • SRTP/SRTCP (libsrtp) • SCTP (usrsctplib) • Some other dependencies MAY need fuzzing (but not in Janus?) • Transports (HTTP, WebSockets, RabbitMQ, etc.) • JSON support (Jansson) • Custom code DEFINITELY needs fuzzing • RTCP parsing (e.g., compound packets) • RTP processing (e.g., RTP extensions, codec specific payloads) • SDP parsing and processing
  • 19. Choosing the fuzzing targets • Many protocols via dependencies are fuzzed already • ICE/STUN/TURN (libnice) • DTLS/DTLS-SRTP (OpenSSL/LibreSSL/BoringSSL) • SRTP/SRTCP (libsrtp) • SCTP (usrsctplib) • Some other dependencies MAY need fuzzing (but not in Janus?) • Transports (HTTP, WebSockets, RabbitMQ, etc.) • JSON support (Jansson) • Custom code DEFINITELY needs fuzzing • RTCP parsing (e.g., compound packets) • RTP processing (e.g., RTP extensions, codec specific payloads) • SDP parsing and processing
  • 20. Choosing the fuzzing targets • Many protocols via dependencies are fuzzed already • ICE/STUN/TURN (libnice) • DTLS/DTLS-SRTP (OpenSSL/LibreSSL/BoringSSL) • SRTP/SRTCP (libsrtp) • SCTP (usrsctplib) • Some other dependencies MAY need fuzzing (but not in Janus?) • Transports (HTTP, WebSockets, RabbitMQ, etc.) • JSON support (Jansson) • Custom code DEFINITELY needs fuzzing • RTCP parsing (e.g., compound packets) • RTP processing (e.g., RTP extensions, codec specific payloads) • SDP parsing and processing
  • 21. A quick intro to libFuzzer • Popular coverage-guided fuzzing engine, part of the LLVM project • https://llvm.org/docs/LibFuzzer.html • Used by several well known applications • glibc, OpenSSL/LibreSSL/BoringSSL, SQLite, FFmpeg and many more • A few key characteristics • Needs sources to be compiled with Clang • Works in-process (linked with the library/application under test) • Feeds inputs to the target via a fuzzing entrypoint (target function) • Execution of the target function is monitored with sanitizers tools (e.g., libasan)
  • 22. A quick intro to libFuzzer • Popular coverage-guided fuzzing engine, part of the LLVM project • https://llvm.org/docs/LibFuzzer.html • Used by several well known applications • glibc, OpenSSL/LibreSSL/BoringSSL, SQLite, FFmpeg and many more • A few key characteristics • Needs sources to be compiled with Clang • Works in-process (linked with the library/application under test) • Feeds inputs to the target via a fuzzing entrypoint (target function) • Execution of the target function is monitored with sanitizers tools (e.g., libasan)
  • 23. A quick intro to libFuzzer • Popular coverage-guided fuzzing engine, part of the LLVM project • https://llvm.org/docs/LibFuzzer.html • Used by several well known applications • glibc, OpenSSL/LibreSSL/BoringSSL, SQLite, FFmpeg and many more • A few key characteristics • Needs sources to be compiled with Clang • Works in-process (linked with the library/application under test) • Feeds inputs to the target via a fuzzing entrypoint (target function) • Execution of the target function is monitored with sanitizers tools (e.g., libasan)
  • 25. libFuzzer in (simplified) practice 1 Implement the method to receive and process the input data // my_fuzzer.c int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ProcessData(Data, Size); return 0; } 2 Compile with Clang and the right flags > clang -g -O1 -fsanitize=fuzzer,address,undefined my_fuzzer.c 3 Launch passing the Corpus folder as the argument > ./my_fuzzer CORPUS_DIR 4 In case of crashes, pass the dumped input (e.g., via gdb, or to test regressions) > gdb --args ./my_fuzzer crash-file-dump
  • 26. libFuzzer in (simplified) practice 1 Implement the method to receive and process the input data // my_fuzzer.c int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ProcessData(Data, Size); return 0; } 2 Compile with Clang and the right flags > clang -g -O1 -fsanitize=fuzzer,address,undefined my_fuzzer.c 3 Launch passing the Corpus folder as the argument > ./my_fuzzer CORPUS_DIR 4 In case of crashes, pass the dumped input (e.g., via gdb, or to test regressions) > gdb --args ./my_fuzzer crash-file-dump
  • 27. libFuzzer in (simplified) practice 1 Implement the method to receive and process the input data // my_fuzzer.c int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ProcessData(Data, Size); return 0; } 2 Compile with Clang and the right flags > clang -g -O1 -fsanitize=fuzzer,address,undefined my_fuzzer.c 3 Launch passing the Corpus folder as the argument > ./my_fuzzer CORPUS_DIR 4 In case of crashes, pass the dumped input (e.g., via gdb, or to test regressions) > gdb --args ./my_fuzzer crash-file-dump
  • 28. libFuzzer in (simplified) practice 1 Implement the method to receive and process the input data // my_fuzzer.c int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ProcessData(Data, Size); return 0; } 2 Compile with Clang and the right flags > clang -g -O1 -fsanitize=fuzzer,address,undefined my_fuzzer.c 3 Launch passing the Corpus folder as the argument > ./my_fuzzer CORPUS_DIR 4 In case of crashes, pass the dumped input (e.g., via gdb, or to test regressions) > gdb --args ./my_fuzzer crash-file-dump
  • 29. Integrating libFuzzer in Janus • First step was Clang support (Janus normally built with gcc) • Streamlined compilation flags in the process • Got useful warnings that led to some fixes too • Next step was choosing what to fuzz • Decided to start with RTCP • Compound packets + length values + overflows = “fun”... • Then worked on the libFuzzer workflow 1 Fuzzing target with critical RTCP-related functions 2 Helper script to build the fuzzer 3 Helper script to run the fuzzer Original pull request (now merged, with RTP and SDP fuzzing as well) https://github.com/meetecho/janus-gateway/pull/1492
  • 30. Integrating libFuzzer in Janus • First step was Clang support (Janus normally built with gcc) • Streamlined compilation flags in the process • Got useful warnings that led to some fixes too • Next step was choosing what to fuzz • Decided to start with RTCP • Compound packets + length values + overflows = “fun”... • Then worked on the libFuzzer workflow 1 Fuzzing target with critical RTCP-related functions 2 Helper script to build the fuzzer 3 Helper script to run the fuzzer Original pull request (now merged, with RTP and SDP fuzzing as well) https://github.com/meetecho/janus-gateway/pull/1492
  • 31. Integrating libFuzzer in Janus • First step was Clang support (Janus normally built with gcc) • Streamlined compilation flags in the process • Got useful warnings that led to some fixes too • Next step was choosing what to fuzz • Decided to start with RTCP • Compound packets + length values + overflows = “fun”... • Then worked on the libFuzzer workflow 1 Fuzzing target with critical RTCP-related functions 2 Helper script to build the fuzzer 3 Helper script to run the fuzzer Original pull request (now merged, with RTP and SDP fuzzing as well) https://github.com/meetecho/janus-gateway/pull/1492
  • 32. Integrating libFuzzer in Janus • First step was Clang support (Janus normally built with gcc) • Streamlined compilation flags in the process • Got useful warnings that led to some fixes too • Next step was choosing what to fuzz • Decided to start with RTCP • Compound packets + length values + overflows = “fun”... • Then worked on the libFuzzer workflow 1 Fuzzing target with critical RTCP-related functions 2 Helper script to build the fuzzer 3 Helper script to run the fuzzer Original pull request (now merged, with RTP and SDP fuzzing as well) https://github.com/meetecho/janus-gateway/pull/1492
  • 33. Integrating libFuzzer in Janus // fuzz-rtcp.c #include "janus/rtcp.h" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (size < 8 || size > 1472) return 0; if (!janus_is_rtcp(data, size)) return 0; /* Initialize an empty RTCP context */ janus_rtcp_context ctx; janus_rtcp_parse(ctx, (char *)data, size); GSList *list = janus_rtcp_get_nacks((char *)data, size); ... if (list) g_slist_free(list); return 0; }
  • 35. Corpora files: a shared effort https://github.com/RTC-Cartel/webrtc-fuzzer-corpora
  • 36. Scalable distributed fuzzing via OSS-Fuzz https://github.com/google/oss-fuzz/pull/2241 (Janus addition)
  • 37. Scalable distributed fuzzing via OSS-Fuzz https://github.com/google/oss-fuzz/pull/2241 (Janus addition)
  • 38. A detailed tutorial on how to setup all this https://webrtchacks.com/fuzzing-janus/
  • 39. What’s next? • So far, we only fuzzed RTP, RTCP and in part SDP in the core • SDP fuzzing should be improved (maybe with structure-aware fuzzing?) • What about plugins and their custom interactions? • Definitely expand the corpora • The shared RTC-Cartel repo should help with that • Exchanging crash causes with other projects will make both more robust • libFuzzer is not the only option here • Some popular alternatives are AFL, Radamsa, Gasoline, etc. • KITE and its “weaponised” browsers can be very helpful as an orthogonal testing tool
  • 40. What’s next? • So far, we only fuzzed RTP, RTCP and in part SDP in the core • SDP fuzzing should be improved (maybe with structure-aware fuzzing?) • What about plugins and their custom interactions? • Definitely expand the corpora • The shared RTC-Cartel repo should help with that • Exchanging crash causes with other projects will make both more robust • libFuzzer is not the only option here • Some popular alternatives are AFL, Radamsa, Gasoline, etc. • KITE and its “weaponised” browsers can be very helpful as an orthogonal testing tool
  • 41. What’s next? • So far, we only fuzzed RTP, RTCP and in part SDP in the core • SDP fuzzing should be improved (maybe with structure-aware fuzzing?) • What about plugins and their custom interactions? • Definitely expand the corpora • The shared RTC-Cartel repo should help with that • Exchanging crash causes with other projects will make both more robust • libFuzzer is not the only option here • Some popular alternatives are AFL, Radamsa, Gasoline, etc. • KITE and its “weaponised” browsers can be very helpful as an orthogonal testing tool
  • 42. Thanks! Questions? Comments? Get in touch! • https://twitter.com/elminiero • https://twitter.com/meetecho • https://www.meetecho.com