Fuzzing notes
“you are only as good as your last CVE”
Parking game fuzzer notes
Libfuzzer Template
libfuzzer harness template:
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string>
#include <vector>
#include <fuzzer/FuzzedDataProvider.h>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
FuzzedDataProvider fuzz(data, size);
// harness code here
return 0;
}AIxCC Team Atlanta notes from VRI (RITSEC)
OSS Fuzz introspector
https://introspector.oss-fuzz.com/
check project-wise - https://introspector.oss-fuzz.com/project-profile?project=abseil-cpp
links for making scripts:
- oss-fuzz coverage file list - https://storage.googleapis.com/oss-fuzz-coverage/
- project wise summary from introspector API - https://introspector.oss-fuzz.com/api/project-summary?project={project_name} (replace project name)
Random Notes
https://securitylab.github.com/resources/fuzzing-sockets-FTP/
- use preeny as a preloading library, it disables randomization. (especially useful for socket based fuzzing)
- in case of socket based program, remove socket dependancy from software.
send<->write.accept<->input file descriptor. - we can use
getrandomfor file upload cases - avoid using
rmdirorunlinkto minimize randomization - transform multi-process architecture to single process since afl coverage map doesn’t receive coverage signal from child process.
- signals should be patched sincle AFL execution is dependant on signals. commenting calls to
alarm(2)is helpful. - remove unnecessary delays / sleeps.
- effective fuzzing requires detailed knowledged of internals of software
- Manual code audit. Static analysis. Fuzzing
important features that should be present in fuzzers (regularly updated)
- forkserver
- some sort of persitence fuzzing workflow OR inprocess fuzzing (libafl ??)
- good mutation algorithms
- static analysis before fuzzing. Path constraint fuzzing ?
- input replay functionality. Easy to say but sometimes trivial (race conditions)
- cli args ??
- good seed selection / harness generation using AI
- i am speed needless to say - speed is important
Cyclomatic complexity
How many fundamentally different control-flow decisions does this function contain?
for example:
void foo(int x, int y) {
if (x > 0)
puts("A");
if (y > 0)
puts("B");
}Cyclomatic complexity is 3 (taken x, taken y, taken neither)
Higher cyclomatic complexity means :
- more branches
- more paths
- harder to achieve good coverage
- MORE OPPURTUNITES FOR BUGS (fun fact: NASA has strict rules to keep max cyclomatic complexty to 15 or less)