Security and Stability

Besides being fast, security and stability are high priorities for FlashMQ. While C++ as a programming language can be regarded as (memory) unsafe, we believe clean and safe code can be written in modern C++. FlashMQ’s C++ code aims to be simple and straight-forward, keeping to C++ best practices. For instance, this was the conclusion of an audit and fuzzing analysis done by Radically Open Security:

C++ is usually quite difficult to review, however flashmq was refreshingly easy. The code lacks any kind of virtual classes or functions, RTTI is not used, and there is no possibility for type confusion, which is one of the most prevalent bug classes when it comes to C++. Even operator overloading is used rarely. There is only one allocation of memory on the heap and only very few free calls that can lead to use-after-frees – of which we found one during static analysis. All the buffers and operations on them seem well bounded. There are very few instances of new, and even fewer delete operators used, and every object creation is done according to RAII. The code is clean, and it was really difficult to find anything worth mentioning in a security audit report.

FlashMQ has subsequently been subjected to various other fuzzing campaigns. Furthermore, compiler address sanitation is used in development and testing, further reducing the risk of memory related bugs.

Running a fuzzer

To test protocol stability and memory safety, FlashMQ debug builds include a fuzzing mode. For that, use the --fuzz-file option to feed a client buffer with a packet and parse it. See –help.

Fuzzing not only helps test memory safety, but also the programmer’s assumptions with good use of assert() calls.

Here’s afl-fuzz fuzzing the FlashMQ binary:

Because the communication between American Fuzzy Lop and FlashMQ is not through a socket, the scope of what’s tested is a bit limited. But, it’s a great tool, and having the fuzz option is an open invitation for others to attempt fuzzing as well.

You have to compile FlashMQ with the AFL helpers (See AFL documentation), and then run the binary like:

afl-fuzz -m 200 -M primary -i "$INPUTDIR" -o "$OUTPUTDIR" FlashMQ --fuzz-file '@@'
afl-fuzz -m 200 -S secondary01 -i "$INPUTDIR" -o "$OUTPUTDIR" FlashMQ --fuzz-file '@@'
afl-fuzz -m 200 -S secondary02 -i "$INPUTDIR" -o "$OUTPUTDIR" FlashMQ --fuzz-file '@@'

For “$INPUTDIR“, FlashMQ contains these fuzz tests.

There’s also a fuzz-helper.sh. It’s set up to fuzz on four CPU cores.