“you are only as good as your last CVE”

Parking game fuzzer notes

Libfuzzer Template

clang helper code for fuzzing

libfuzzer harness template:

#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#include <string>
#include <vector>
#include <fuzzer/FuzzedDataProvider.h>

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    FuzzedDataProvider fuzz(data, size);
    // harness code here

    return 0;
}

AIxCC Team Atlanta notes from VRI (RITSEC)

Notes

OSS Fuzz introspector

https://introspector.oss-fuzz.com/

check project-wise - https://introspector.oss-fuzz.com/project-profile?project=abseil-cpp

Random Notes

https://securitylab.github.com/resources/fuzzing-sockets-FTP/

  • use preeny as a preloading library, it disables randomization. (especially useful for socket based fuzzing)
  • in case of socket based program, remove socket dependancy from software. send <-> write. accept <-> input file descriptor.
  • we can use getrandom for file upload cases
  • avoid using rmdir or unlink to minimize randomization
  • transform multi-process architecture to single process since afl coverage map doesn’t receive coverage signal from child process.
  • signals should be patched sincle AFL execution is dependant on signals. commenting calls to alarm(2) is helpful.
  • remove unnecessary delays / sleeps.
  • effective fuzzing requires detailed knowledged of internals of software
  • Manual code audit. Static analysis. Fuzzing

important features that should be present in fuzzers (regularly updated)

  • forkserver
  • some sort of persitence fuzzing workflow OR inprocess fuzzing (libafl ??)
  • good mutation algorithms
  • static analysis before fuzzing. Path constraint fuzzing ?
  • input replay functionality. Easy to say but sometimes trivial (race conditions)
  • cli args ??
  • good seed selection / harness generation using AI
  • i am speed needless to say - speed is important

Cyclomatic complexity

How many fundamentally different control-flow decisions does this function contain?

for example:

void foo(int x, int y) {
    if (x > 0)
        puts("A");

    if (y > 0)
        puts("B");
}

Cyclomatic complexity is 3 (taken x, taken y, taken neither)

Higher cyclomatic complexity means :

  • more branches
  • more paths
  • harder to achieve good coverage
  • MORE OPPURTUNITES FOR BUGS (fun fact: NASA has strict rules to keep max cyclomatic complexty to 15 or less)