Introduction

Turbo is a fast, effective fuzzer that is designed from the ground up for easy integration into your DevOps pipeline. Basically DevOps -> DevSecOps at your fingertips! What separates Turbo from other security tools? Turbo has many unique qualities:

• Turbo, over time, builds up a suite of program inputs that cause your program to behaving in an interesting manner. These are ways you might not have intended! Will future versions of your program handle these behaviors properly? Turbo will tell you!
• Turbo is designed to easily integrate into existing DevOps pipelines and give immediate results. Minimal integration is required!
• Turbo automatically generates inputs that cause your program to fail. There are no "false positives" that security scanners may give you. Each report is a concrete, actionable bug.
• Turbo operates directly on executable binary programs and requires no integration with your source. C, C++, Go, Rust, Ada, Fortran, Assembly? No problem, Turbo does not care. (Note: Currently interpreted languages like Java, JavaScript, and Python are not supported. Stay tuned, exciting stuff is happening to support these types of programs!)

Demo

We hope to have a video demo of how to install and use Turbo. For now, it is unavailable.

Requirements

• Turbo currently works on X86-64 Linux programs. We currently support RHEL, CentOS 7.*, Ubuntu, though it likely can work on other Linux platforms as well.

• An x86-64 Linux machine will be required to run the Turbo service. This box can be your testing box, a development box, or a completety separate box. It can be native hardware, a VM, or hosted in a cloud infrastructure. Zephyr can help! Turbo as a service (TAAS) is available. Contact Zephyr Software at jwd@zephyr-software.com for pricing detail for your needs.

  • This box must have Docker installed. See the docker installation proceedure for additional details.
  • This box is recommended to have ample disk space and memory. Minimum requirements are 8gb RAM and 40gb disk space, though more may be desirable in some deployments.

• A machine capable of running your software. The most likely candidate for such a box is your existing testing infrastructure, though any VM, cloud instance, or hardware that can run your software is acceptable. Turbo is designed to be minimally intrusive and easily integrate into your existing testing infrastructure.

  • AFL must be installed on this box. Turbo relies on AFL input generation. AFL can be easily installed. AFL can be installed from source by following the directions on the AFL website, but package-based installation is recommended for most systems:

# Debian, Ubuntu, etc.
sudo apt-get install afl

#CentOS, RHEL
sudo yum install afl

• The Turbo command line interface (CLI) needs to be installed. The Turbo CLI is a single program with no dependencies, so you can drop it on your testing box with minimal hassle.
• The testing box needs to be network-enabled to talk to the Turbo service.

Installing Turbo

1. Stand up the Turbo Service with docker:

docker run -p 55155:55155 git.zephyr-software.com:4567/allzp/turbo/turbo:latest

Note that the -p 55155:55155 parameter tells Docker to expose the Turbo port so that the Turbo CLI can connect. You may always want to use --restart unless-stopped flag to ensure that the container is restarted in the event that your system restarts (e.g., due to a power loss). You may also wish to use -d to detach your shell from the docker instance.

2. Install AFL as noted above.
3. Install the Turbo CLI:

sudo bash -c "$(curl -fsSL allzp.zephyr-software.io/turbo/cli-install.sh)"

If you wish to force re-install the entire package without user interaction, you can:

yes | sudo bash -c "$(curl -fsSL allzp.zephyr-software.io/turbo/cli-install.sh)"

4. Get started by running turbo-cli --help to examine the help screen. Follow the prompts provided by the script.

And that's it! Turbo is up and ready to use. Check out our page for how to create and use a Boost, Turbo's unit of fuzzing.