Introduction
Turbo is a fast, effective fuzzer that is designed from the ground up for easy integration into your DevOps pipeline. Basically DevOps -> DevSecOps at your fingertips! What separates Turbo from other security tools? Turbo has many unique qualities:
- Turbo, over time, builds up a suite of program inputs that cause your program to behave in an interesting manner. These are ways you might not have intended! Will future versions of your program handle these behaviors properly? Turbo will tell you!
- Turbo is designed to easily integrate into existing DevOps pipelines and give immediate results. Minimal integration is required!
- Turbo automatically generates inputs that cause your program to fail. There are no "false positives" that security scanners may give you. Each report is a concrete, actionable bug.
- Turbo operates directly on executable binary programs and requires no integration with your source. C, C++, Go, Rust, Ada, Fortran, Assembly? No problem, Turbo does not care. (Note: Currently interpreted languages like Java, JavaScript, and Python are not supported. Stay tuned, exciting stuff is happening to support these types of programs!)
Demo
We hope to have a video demo of how to install and use Turbo. For now, it is unavailable.
Requirements
- Turbo currently works on X86-64 Linux programs. We currently support RHEL, CentOS 7.*, and Ubuntu, though it can likely work on other Linux platforms as well.
- Turbo needs a box, called the Turbo Server, to hold its databases and prepare software for fuzzing (i.e., the Turbo Service). It needs to be an x86-64 Linux machine. This box can be your testing box, a development box, or a completely separate box. It can be native hardware, a VM, or hosted in a cloud infrastructure. Zephyr can help! Turbo as a service (TAAS) is available. Contact Zephyr Software at jwd@zephyr-software.com for pricing details for your needs.
  - This box must have Docker installed. See the Docker installation procedure for additional details.
  - This box is recommended to have ample disk space and memory. Minimum requirements are 8 GB RAM and 40 GB disk space, though more may be desirable in some deployments.
- A machine capable of running your software, which we call the Turbo fuzzing box. The most likely candidate for such a box is your existing testing infrastructure, though any VM, cloud instance, or hardware that can run your software is acceptable. Turbo is designed to be minimally intrusive and easily integrate into your existing testing infrastructure.
  - AFL must run on this box. Turbo relies on AFL's input generation to help detect bugs.
  - The Turbo command line interface (CLI) needs to be installed. The Turbo CLI is a single program with no dependencies, so you can drop the file on your testing box with minimal hassle or dependency management.
  - The testing box needs to make network connections to the Turbo service.
Note: A common use case is to re-use the same box for the Turbo Server and Turbo Fuzzing components.
Installing Turbo
THE CURRENT TURBO IMPLEMENTATION REQUIRES THE TURBO SERVER AND FUZZING BOX TO BE ON THE SAME HOST
On the Turbo server box
Ensure the Turbo server box has access to the docker registry that contains Turbo. For this tutorial, we'll use Zephyr's docker repository, which hosts Turbo at git.zephyr-software.com:4567/opensrc/turbo/turbo:latest. You may need to log in to the docker registry using docker login <hostname> and provide access credentials.
Once you've ensured access, stand up the Turbo Service with docker:
docker run -p 55155:55155 git.zephyr-software.com:4567/opensrc/turbo/turbo:latest
Note that the -p 55155:55155 parameter tells Docker to expose the Turbo port so that the Turbo CLI can connect. You may want to always use the --restart unless-stopped flag to ensure that the container is restarted in the event that your system restarts (e.g., due to a power loss). You may also wish to use -d to detach your shell from the docker instance. For example:
docker run -d --restart unless-stopped -p 55155:55155 git.zephyr-software.com:4567/opensrc/turbo/turbo:latest
On the fuzzing box
- If not already installed, AFL will be automatically installed in the next step. However, power users may wish to use a custom AFL (not recommended). AFL can be installed from source by following the directions on the AFL website, or by a package management system (e.g., apt or yum).
- Install the Turbo CLI:
sudo bash -c "$(curl -fsSL opensrc.pages.zephyr-software.com/turbo/cli-install.sh)"
Follow the prompts provided by the script.
If you wish to force (re-)install the entire package without user interaction, you can:
yes | sudo bash -c "$(curl -fsSL opensrc.pages.zephyr-software.com/turbo/cli-install.sh)"
- Get started by running turbo-cli --help to examine the help screen.
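Added example (not part of Turbo's documentation or installer): the one-line install above hands a remote script straight to a root shell, and because the URL has no scheme, curl begins the request over plain HTTP. The functions below download the same script over HTTPS only, stop so it can be reviewed, and run it as root only when its SHA-256 matches a value you pinned. The https:// prefix (assumes the host serves the script over TLS) and all function names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: fetch, review, pin, then run the Turbo CLI installer.
# Assumption: the installer URL from the page is also reachable over HTTPS.
INSTALLER_URL="https://opensrc.pages.zephyr-software.com/turbo/cli-install.sh"

# Print the SHA-256 of a file as bare hex.
sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# Succeed only if the file's SHA-256 equals the pinned value.
hash_matches() { [ "$(sha256_of "$1")" = "$2" ]; }

# Download URL ($1) to file ($2); refuse any non-HTTPS hop, redirects included.
fetch_installer() {
  curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL -o "$2" "$1"
}

# install_turbo_cli [pinned-sha256]
#   no pin: download, print the hash, keep the file for review (returns 2)
#   pin:    download again and run as root only if the hash still matches
install_turbo_cli() {
  local pin="${1:-}" tmp rc
  tmp="$(mktemp)" || return 1
  if ! fetch_installer "$INSTALLER_URL" "$tmp"; then
    echo "download failed or was not HTTPS end to end" >&2
    rm -f "$tmp"
    return 1
  fi
  if [ -z "$pin" ]; then
    echo "Saved to $tmp for review. SHA-256: $(sha256_of "$tmp")"
    return 2
  fi
  if ! hash_matches "$tmp" "$pin"; then
    echo "installer hash differs from the pinned value; not running it" >&2
    rm -f "$tmp"
    return 3
  fi
  sudo bash "$tmp"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}
```

Source the file, call install_turbo_cli once with no argument to obtain the script and its hash, then call it again with the hash you reviewed; in a pipeline, keep the pinned hash in version control so a changed installer fails the build instead of running as root.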
And that's it! Turbo is up and ready to use. Check out our page for how to create and use a Boost, Turbo's unit of fuzzing.