The goal of this exercise is to give you experience with the basics of fuzz random testing. Fuzzing, as this kind of testing is often called, is a simple type of testing: feed a program random input and watch for failures in the form of crashes or hangs. A crash or hang typically indicates a bug, often a memory-safety error such as an out-of-bounds write or an unchecked pointer, that has driven the program into a state its authors never intended. Some such bugs are merely annoying; others let an attacker reach memory they were never meant to touch, which is why fuzzing is a standard tool for both testers and attackers.
More specifically, you will use the classic fuzz generator to test a program written in C. The basic steps are described below: build the two programs, try each one by hand, feed fuzz output into the test program until it crashes or hangs, then debug and fix the problem and re-run the same input to confirm the fix.
The test program is named report; it supports queries on a
database of flight log entries. You run report by typing a command of the form:

    report logfile1 logfile2 ...

The input log files have one entry per line. Two sample log files are
provided, named log1 and log2. report starts by processing the log files
and then reads query commands from standard input. You can see a summary
of the commands for report by typing "help" at its prompt.
For this assignment you will use the VM image provided for the course.
Note that if at some point you need the original files, you can find the
tar file using the file path on any of the CompSci Linux systems, or
download it from here.
In the virtual machine image you will focus on two subdirectories:

    fuzz:    contains the fuzz generator tool, with its Makefile
    report:  contains the log query test program files, with its Makefile
To start, you should cd into each of these two directories and run make.
Both fuzz and report should build with no errors (though there may be one
or two warnings). If fuzz and report are not in the same directory, you'll
have to name the path to the executable explicitly in the commands below.

To learn the options for fuzz, look inside the source (.c) file: the
comments describe the options the program supports. Try out several of
these to see how it works.

To try report, start the program with one or both of the sample log files,
such as:

    report log1 log2

Then give the command "help" to list the available query commands, and try
several of them to see how they work. Some sample commands are:

    > select dte sel act hdd f/t lng
    > range dte start 1/1/1989
    > list
There are two ways to run report with fuzz input.

The basic way is to pipe the output of the fuzz generator directly into
the test program with a command like:

    fuzz 100000 | report log1

This is a good way to try things out, but it makes it difficult to
reproduce your results, since fuzz uses a random seed to decide what
characters to generate, and a crash you cannot reproduce is a crash you
cannot debug.

There are a couple of ways to make the test data streams reproducible.
The easiest is to run fuzz separately and have it store the random stream
in a file, as in this example, which stores the random characters in the
file "f1":

    fuzz -o f1 100000

Then you can repeatedly run report on exactly the same input like this:

    report log1 log2 < f1

A second way is to choose the random seed yourself when you run fuzz,
which makes it produce the same output stream each time:

    fuzz -s 12345 100000 | report log1

You will run such tests until report crashes or hangs. A crash usually
ends the process with a signal (most often SIGSEGV); a hang is a run that
never finishes even after its input is exhausted, so give the process a
time limit rather than waiting on it by hand.
Once that happens, you should debug the program to determine the cause of
the failure, and then fix the bug. Build report with debugging symbols
(-g) and run the saved input under gdb, or enable core dumps, so you can
see where the failure occurs. Do not stop at making the crash go away: a
correct fix removes the underlying error (for example a missing bounds
check), not just the symptom. Of course, you need to re-run the same test
to make sure that the crash no longer happens.

After you fix the first problem, repeat this whole test/debug/fix cycle.
You should be able to find two (2) different problems in the report
program. In the extra challenge, you will fuzz the input from the log
files.
Since the input files are specified as parameters to the report command,
you cannot pipe the output of fuzz directly into the program. So you will
have to store the output of the fuzz program in a file and then use that
file as a parameter when running report, for example:

    fuzz -o f1 100000
    report f1

As with the regular assignment, you will try to crash or hang the report
program. If you are able to crash the program, you will debug the cause of
the crash, develop a remediation for it, check that the remediation works,
and then write a report on this new crash.
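The two procedures above (fuzz on standard input for the main assignment, fuzz as a log file for the extra challenge) share the same loop: generate a stream from a known seed, keep it on disk, run report on it with a time limit, and classify the result so a crash or hang can be replayed. The script below is an added example written for this page; it is not part of the course materials or the fuzz distribution. It assumes that fuzz accepts -s SEED and -o FILE in the same invocation (the page shows each flag separately), that fuzz and report are on PATH or named via the FUZZ and REPORT variables, that log1 and log2 are in the current directory, and that GNU timeout is available (without it, hangs are not detected). The exit-status conventions it relies on are the usual ones: a process killed by signal N exits with 128+N, and GNU timeout exits 124 when it had to kill the target.

```sh
#!/bin/sh
# Added example: a reproducible fuzz driver for report (not course code).
# Assumptions: fuzz accepts "-s SEED -o FILE COUNT"; fuzz/report are on PATH
# or set via FUZZ=/path REPORT=/path; log1 and log2 are in the current dir.
FUZZ=${FUZZ:-fuzz}
REPORT=${REPORT:-report}
TIMEOUT_SECS=${TIMEOUT_SECS:-10}

# classify_exit STATUS: turn a shell exit status into a verdict.
# A process killed by signal N exits with 128+N (SIGSEGV=11, SIGABRT=6,
# SIGFPE=8 on Linux and macOS). GNU timeout exits 124 when it had to kill
# a target that never finished, which is how a hang shows up here.
classify_exit() {
    case "$1" in
        0)   echo ok ;;
        124) echo hang ;;
        134) echo "crash (SIGABRT)" ;;   # abort(): assert or glibc heap check
        136) echo "crash (SIGFPE)" ;;
        139) echo "crash (SIGSEGV)" ;;
        *)   if [ "$1" -gt 128 ]; then
                 echo "killed (signal $(( $1 - 128 )))"
             else
                 echo "exit $1"
             fi ;;
    esac
}

# run_target SECS INPUT CMD...: run CMD with INPUT on stdin under a SECS
# time limit (when GNU timeout exists) and print the verdict. The "|| rc=$?"
# keeps a failing target from aborting the script under "set -e".
run_target() {
    secs=$1; input=$2; shift 2
    rc=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "$secs" "$@" < "$input" >/dev/null 2>&1 || rc=$?
    else
        "$@" < "$input" >/dev/null 2>&1 || rc=$?
    fi
    classify_exit "$rc"
}

# stdin_case SEED: the main assignment. The stream is saved as f_SEED so a
# failing case can be replayed by hand with:  report log1 log2 < f_SEED
stdin_case() {
    "$FUZZ" -s "$1" -o "f_$1" 100000
    run_target "$TIMEOUT_SECS" "f_$1" "$REPORT" log1 log2
}

# logfile_case SEED: the extra challenge. The same stream is passed as a
# log file argument; stdin is empty, so report reads no query commands.
logfile_case() {
    "$FUZZ" -s "$1" -o "f_$1" 100000
    run_target "$TIMEOUT_SECS" /dev/null "$REPORT" "f_$1"
}

# Usage: ./fuzzrun.sh stdin 1 50     or     ./fuzzrun.sh logfile 1 50
# Runs seeds FIRST..LAST and prints a replay command for every failure.
case "${1:-}" in
    stdin|logfile)
        kind=$1; seed=${2:-1}; last=${3:-$seed}
        while [ "$seed" -le "$last" ]; do
            verdict=$("${kind}_case" "$seed")
            echo "seed $seed: $verdict"
            case "$kind:$verdict" in
                stdin:crash*|stdin:hang)     echo "  replay: $REPORT log1 log2 < f_$seed" ;;
                logfile:crash*|logfile:hang) echo "  replay: $REPORT f_$seed" ;;
            esac
            seed=$(( seed + 1 ))
        done ;;
esac
```

Each seed that produces a crash or hang leaves its exact input behind as f_SEED, so the replay command can be run unchanged under gdb after rebuilding report with -g, and run again after the fix to confirm the failure is gone. Lower TIMEOUT_SECS if report normally finishes in well under a second; a limit that is far too generous only slows the loop down without changing what counts as a hang.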