The goal of this exercise is to give you experience with the basics of fuzz random testing. Fuzzing, as this kind of testing is often called, is a simple type of testing. Its goal is to cause failures in the form of crashes or hangs. These failures typically indicate that you have owned bits in the program that you were not intended to own.
More specifically, your goals are:
You will use the classic fuzz generator to test a program written in C.
The basic steps are to:
The test program is named report; it supports queries on a
database of flight log entries.
You run report by typing a command of the form:
report logfile1 logfile2 ...The input log files have one entry per line.
Two sample log files are provided, named log1
and log2.
report starts by processing the log files and then reads
query commands from standard input.
You can see a summary of the commands for report by typing
> helpFor this assignment you will use the VM image provided for the course.
Note that if at some time you need the original files, you can find the
tar file using the file path /p/mist/public/html/fuzz-639.tar
on any of the CompSci Linux systems or download from here.
In the virtual machine image you will focus on two subdirectories:
| Subdirectory | Purpose | |
|---|---|---|
| fuzz: | Contains the fuzz generator tool, with its Makefile | |
| report: | Contains the log query test program files with its Makefile |
To start, you should cd into each of these two
directories and run make.
Both fuzz and report should build with no
errors (though there may be one or two warnings).
cd /home/user/Desktop/EXERCISES/fuzzing_exercises/log_exercise/fuzzmake
cd /home/user/Desktop/EXERCISES/fuzzing_exercises/log_exercise/reportmake
Since fuzz and report are not in the same
directory, you'll have to explicitly name the path to the executable
file.
For fuzz, you can look inside the source (.c) file in
the comments to see a descriptions of the options supported by the
program.
Try out several of these to see how it works.
For report, you can start the program using one or both of
the sample log files, such as:
report log1 log2Some sample commands to try are:
> select dte sel act hdd f/t lng
> range dte start 1/1/1989
> listThere are two ways to run report with fuzz input.
The basic way is to pipe the output of the fuzz generator directly
into the test program with a command like:
fuzz 100000 | report log1fuzz uses a random seed to decide what
characters to generate.
There are couple of way to make the test data streams reproducible.
The easiest way is to run fuzz separately and have it
store the random streams in a file, such as this example that stores
the random characters into file "f1":
fuzz -o f1 100000Then you can repeated run report like this:
report log1 log2 < f1A second way to do this is to choose a random seed when you run
fuzz, which will produce the same output stream each time:
fuzz -s 12345 100000 | report log1fuzz and report until
report crashes or hangs.
Once that happens, you should debug the program to determine the cause of the crash, and then fix the bug. Of course, you need to re-run the same test to make sure that the crash no longer happens.
After you fix the first problem, repeat this whole test/debug/fix
cycle.
You should be able to find two (2) different problems in
report.
report program.
In the extra challenge, you will fuzz the input from the log files.
Since the input files are specified as parameters to the
report command, you cannot pipe the output of
fuzz directly into the program.
So, you will have to store the output of the fuzz program to a file and
then use that file as a parameter when running report,
such as:
As with the regular assignment, you will try to crash or hang thefuzz -o f1 100000report f1
report program.
If you are able to crash the program, then you will debug the cause of the
crash, develop a remediation for the crash, check to see if this
remediation works and then write a report on this new crash.