├── 02-intro-to-fuzzing.md ├── 03-fuzzing-libraries.md ├── 04-writing-harnesses.md ├── 05-coverage-analysis.md ├── LICENSE ├── README.md ├── fuzzing-server-instructions.md ├── project.md └── server ├── mkgroup ├── mkuser └── setup.md /02-intro-to-fuzzing.md: -------------------------------------------------------------------------------- 1 | # Week 2: Intro to Fuzzing 2 | 3 | Fuzzing is a software testing technique that involves repeatedly executing a program with many randomized inputs. 4 | This quarter, we will dive into the world of fuzzing and learn how to use it to find bugs in software. 5 | We will be learning how to use [Honggfuzz](https://honggfuzz.dev), an easy-to-use, security-oriented fuzzer developed by Google which has found [many vulnerabilities](https://github.com/google/honggfuzz#trophies). 6 | You do not need to install Honggfuzz since all of the tools needed for this lab are already installed on the server for you! 7 | 8 | This week, we will be using Honggfuzz to rediscover an **infinite recursion denial-of-service vulnerability** in [Xpdf](https://www.xpdfreader.com), an open-source PDF reader. 9 | 10 | **The best way to learn is by doing!** 11 | We recommend that you type out the commands in this exercise (except for URLs) instead of copying and pasting them, since this will help you remember them. 12 | You should try to understand what each part of the command does rather than memorize the whole command. 13 | We have left some guiding questions to help you with this. 14 | If you have any questions, feel free to ask one of the officers running the lab. 15 | 16 | > [!NOTE] 17 | > There will be many friendly questions in this format that will help you learn more about fuzzing and computers in general. 18 | > Please try to think about these questions as you work on the activity, and feel free to ask us for help if you don't know the answer. 19 | 20 | ## Setup 21 | 22 | All of the exercises for this lab should be done on our fuzzing server. 23 | If you haven't done so already, follow the [instructions](fuzzing-server-instructions.md) to set up access to the server. 24 | Log into the server with SSH and run all of the commands for this lab on the server. 25 | 26 | ## Xpdf Instrumentation 27 | 28 | To fuzz effectively, the fuzzer needs a way to monitor the execution of the target program so that it knows which test cases generate interesting new behavior. 29 | We will compile the target with a special compiler which inserts instrumentation code that allows Honggfuzz to track which parts of the code is executed. 30 | 31 | After connecting to the server, we will start by making a directory for fuzzing Xpdf. 32 | Use the `mkdir` and `cd` commands to create an `xpdf` directory and move into it: 33 | 34 | ```sh 35 | mkdir xpdf 36 | cd xpdf 37 | ``` 38 | 39 | You can verify that you are in the correct directory by running `pwd`, which will print the absolute path to the current working directory. 40 | This should output `/home//xpdf`. 41 | Your current directory is also shown in the blue part of your shell prompt, where `~` represents your home directory. 42 | 43 | Next, download the Xpdf source code using the `curl` utiliy by running the following command: 44 | 45 | ```sh 46 | curl -LO 'https://dl.xpdfreader.com/old/xpdf-3.02.tar.gz' 47 | ``` 48 | 49 | The `-L` flag tells curl to follow redirects, and the `-O` flag makes curl automatically determine the output file name. 50 | `-LO` is a shorthand that's equivalent to `-L -O`. 51 | 52 | The downloaded file is a tar archive compressed using gzip, and it can be extracted with the `tar` command: 53 | 54 | ```sh 55 | tar -xvzf xpdf-3.02.tar.gz 56 | ``` 57 | 58 | Here, `x` means extract, `v` means verbose (print out file names while extracting), `z` means the file is compressed with gzip, and `f` means read from the archive file named in the next argument instead of stdin. 59 | You can learn more about these commands by running `man curl` and `man tar`. 60 | 61 | `cd` into the resulting `xpdf-3.02` directory: 62 | 63 | ```sh 64 | cd xpdf-3.02 65 | ``` 66 | 67 | Now we will build Xpdf using the GNU build system. 68 | First, we will use the `configure` script provided by Xpdf to set some compile-time options: 69 | 70 | ```sh 71 | CC=hfuzz-clang CXX=hfuzz-clang++ ./configure --prefix="$HOME/xpdf/install" 72 | ``` 73 | 74 | This generates a file called a Makefile which contains the compiler commands that need to be executed in order to compile Xpdf. 75 | `CC=hfuzz-clang CXX=hfuzz-clang++` sets the C and C++ compilers to the Honggfuzz compilers which will instrument the program. 76 | The `--prefix` option sets the directory where Xpdf will be installed after it is built, and `$HOME` is a shell variable which expands to the absolute path of your home directory (`/home/`). 77 | You can learn more about the options provided by the `configure` script by running `./configure --help`. 78 | 79 | Next, run the `make` command, which will read the Makefile and execute the compiler commands in the right order: 80 | 81 | ```sh 82 | make -j 16 83 | ``` 84 | 85 | The `-j` option tells Make how many jobs to run in parallel. 86 | Our server has 16 CPU cores, so we tell Make to run up to 16 jobs in parallel in order to fully utilize the CPU. 87 | 88 | Lastly, we run `make` again to install Xpdf in to the directory we specified in the `./configure` command earlier: 89 | 90 | ```sh 91 | make install 92 | ``` 93 | 94 | Go back to our `xpdf` directory with `cd ..`. 95 | If you run `ls install/bin`, you should see several executables including `pdftotext`, which is the one that we will fuzz. 96 | 97 | > [!NOTE] 98 | > What would happen if we removed `CC=hfuzz-clang CXX=hfuzz-clang++` from the commands? 99 | > Would the fuzzing work? 100 | > Would it be more efficient? 101 | 102 | ## Building a Seed Corpus 103 | 104 | To help Honggfuzz find interesting test cases, we will give it a few small examples of valid PDF files as part of the **seed corpus**. 105 | Create a directory to hold these files and move into it: 106 | 107 | ```sh 108 | mkdir pdf_examples 109 | cd pdf_examples 110 | ``` 111 | 112 | Search online for some small sample PDF files to include in the seed corpus. 113 | The files should be at most 100 KB so that they can be processed quickly. 114 | You can try search terms such as `pdf test files`. 115 | Once you find a PDF file, copy the URL and download it on the server with `curl`. 116 | For example, run the following command to download a test PDF file from the Mozilla PDF.js project: 117 | 118 | ```sh 119 | curl -LO 'https://github.com/mozilla/pdf.js-sample-files/raw/master/helloworld.pdf' 120 | ``` 121 | 122 | When you download a file, make sure you're using the direct URL to the PDF file, not the URL of a web page that contains or links to the PDF file. 123 | Once you've downloaded two to three more PDFs, use the `ls` command to print out their sizes and check that they are at most 100 KB: 124 | 125 | ```sh 126 | ls -lh 127 | ``` 128 | 129 | Also use the `file` command to check that the files are actually PDFs: 130 | 131 | ```sh 132 | file * 133 | ``` 134 | 135 | Once you have the files, return to the `xpdf` directory: 136 | 137 | ```sh 138 | cd .. 139 | ``` 140 | 141 | You can try running the `pdftotext` program from Xpdf on one of the PDF files: 142 | 143 | ```shell 144 | install/bin/pdftotext pdf_examples/helloworld.pdf - 145 | ``` 146 | 147 | `pdftotext` converts PDF files to plain text. 148 | The first argument is the input PDF file, and the second argument is the output text file. 149 | Specifying `-` for the output file tells the program to output to stdout, which is displayed to our terminal in this case. 150 | This should print `Hello, world!` followed by a few blank lines. 151 | 152 | > [!NOTE] 153 | > How does the size of the seed corpus affect the fuzzing process? 154 | 155 | ### Dictionary 156 | 157 | Another way that we can help Honggfuzz is use a dictionary, which is a list of common byte sequences for the file format that we're fuzzing. 158 | Honggfuzz will try inserting these sequences into the input data and it will have a higher chance of creating partially-valid files that trigger new behavior in our target. 159 | We'll use a PDF dictionary from AFL++, another popular fuzzer. 160 | Download it with this command: 161 | 162 | ```sh 163 | curl -LO 'https://github.com/AFLplusplus/AFLplusplus/raw/stable/dictionaries/pdf.dict' 164 | ``` 165 | 166 | ### Fuzzing 167 | 168 | Here's the fun part! 169 | To start fuzzing, run the following command: 170 | 171 | ```sh 172 | honggfuzz -i pdf_examples -o corpus -w pdf.dict --exit_upon_crash -- install/bin/pdftotext ___FILE___ /dev/null 173 | ``` 174 | 175 | We give Honggfuzz the `pdf_examples` directory as the initial seed corpus and tell it to store new interesting test cases in the `corpus` directory. 176 | We also provide the dictionary with `-w pdf.dict`, and the `--exit_upon_crash` option tells Honggfuzz to automatically stop once it finds a test case that crashes the target program. 177 | The target program is specified after the `--`, and any arguments after that are forwarded to it. 178 | `___FILE___` is a placeholder which Honggfuzz will replace with the name of the file containing the test case (note that this has **three** underscores on each side of `FILE`, not two). 179 | We don't care about the output of `pdftotext`, so we make it output to `/dev/null`, a special file that discards any data written to it. 180 | 181 | You should now see a fancy status panel, and it should take at most a few minutes for Honggfuzz to find a crash. 182 | If you need to stop Honggfuzz early, press CTRL+C. 183 | While Honggfuzz is running, you should see the corpus size increase and lines should keep appearing in the log. 184 | The "Cov Update" value indicates how long it has been since the fuzzer found a new interesting test case. 185 | If the fuzzer isn't finding new test cases or the speed is below 100, then something is probably wrong. 186 | 187 | > [!NOTE] 188 | > You can experiment a bit to see how different factors affect how long it takes Honggfuzz to find the crash. 189 | > For example, you can try using less files in the seed corpus, or not using the dictionary by removing the `-w pdf.dict` arguments. 190 | > Please don't leave the fuzzer running for more than a few minutes at a time during the meeting to avoid taking up all the server resources. 191 | > Feel free to run it for longer after the meeting though. 192 | 193 | ## Triaging the Crash 194 | 195 | Run `ls` after Honggfuzz finds a crash and you should see a file named something like `SIGSEGV.PC.57605a.STACK.1976259487.CODE.1.ADDR.7fff4d888ff8.INSTR.call___0xffffffffffe904c6.fuzz`. 196 | This contains the test case that caused the crash, and you can run `pdftotext` on the file to verify that it crashes. 197 | The file name might have special characters in it, so it should be surrounded by single quotes. 198 | To avoid typing the whole thing, you can type the first few characters and press the Tab key which should auto-complete the rest. 199 | 200 | There should also be a file named `HONGGFUZZ.REPORT.TXT`, and you can print it out using `cat`: 201 | 202 | ```sh 203 | cat HONGGFUZZ.REPORT.TXT 204 | ``` 205 | 206 | Alternatively, you can read the file with VS Code, which you can open in your browser by running this command: 207 | 208 | ```sh 209 | code tunnel 210 | ``` 211 | 212 | This file contains some details of the crash, including the backtrace which lists the function calls that lead to the crash. 213 | You'll see a few lines repeating over and over again because the crash was due to infinite recursion. 214 | If you were investigating a new bug that you just found, the next step would be to figure out the root cause using tools such as GDB. 215 | This requires a lot more knowledge that we don't have time to cover and being familiar with the code that we're fuzzing, so we will stop here. 216 | 217 | > [!NOTE] 218 | > What information about the crash is contained in the file name of the test case? 219 | 220 | > [!NOTE] 221 | > What would happen if you tried to open the test case file in a PDF viewer? 222 | 223 | ## Acknowledgments 224 | 225 | This activity is based on [Fuzzing101 Exercise 1](https://github.com/antonio-morales/Fuzzing101/tree/main/Exercise%201). 226 | -------------------------------------------------------------------------------- /03-fuzzing-libraries.md: -------------------------------------------------------------------------------- 1 | # Week 3: Fuzzing Libraries 2 | 3 | This activity will give you more practice with the basic concepts that we've learned so far. 4 | You will also learn how to compile your target with AddressSanitizer, which can help catch bugs that don't immediately cause a crash. 5 | 6 | The vulnerability that we will be reproducing is in the [libexif](https://libexif.github.io/) library, which parses Exif image metadata. 7 | A library can't be executed on its own, so we will also compile the [exif](https://github.com/libexif/exif) program which uses libexif. 8 | 9 | > [!NOTE] 10 | > This week's activity will have less commands provided so you can get a chance to try and figure things out yourself in preparation for the project! 11 | > If you forgot how to run a command or need an explanation of a fuzzing concept, you can try searching for information online, running `man `, running a command with the `--help` option, or refering back to [last week's activity](02-intro-to-fuzzing.md). 12 | > Please ask for help if you're stuck, we're here to help! 13 | 14 | ## Enabling AddressSanitizer 15 | 16 | As we've explained, AddressSanitizer can help us catch more bugs while fuzzing, at the cost of making the target slower. 17 | To enable it, set the `HFUZZ_CC_ASAN` environment variable like this: 18 | 19 | ```sh 20 | export HFUZZ_CC_ASAN=1 21 | ``` 22 | 23 | This tells the Honggfuzz compiler to compile programs with AddressSanitizer. 24 | The environment variable is a property of your current shell session, so it will be gone when you close your terminal or log out of the server. 25 | Setting the environment variable in one terminal also won't affect other terminals that you have open. 26 | If you're not sure whether you have the environment variable set in your current terminal, you can run this command: 27 | 28 | ```sh 29 | echo "$HFUZZ_CC_ASAN" 30 | ``` 31 | 32 | This will output `1` if it's set and nothing otherwise. 33 | 34 | The memory leak detector in AddressSanitizer might report some leaks in `libexif` that aren't relevant to this activity, so disable it by running the following command: 35 | 36 | ```sh 37 | export ASAN_OPTIONS=detect_leaks=0 38 | ``` 39 | 40 | ## Building libexif 41 | 42 | On the server, create a new directory called `libexif` in your home directory and move into it. 43 | This is where we will store the files for this activity. 44 | If you need a refresher on how to do this, see [last week's slides](https://l.acmcyber.com/fuzzing-lab-1). 45 | 46 | Use `curl` to download libexif from , extract the archive with `tar`, and move into the resulting directory. 47 | 48 | Unlike Xpdf from last week, libexif doesn't include a `configure` script inside its repository, so we have to generate one using a program called `autoreconf`: 49 | 50 | ```sh 51 | autoreconf -fvi 52 | ``` 53 | 54 | You don't need to understand the options for this command, but if you're interested you can run `man autoreconf`. 55 | 56 | As discussed in the presentation, we always want to use static linking instead of dynamic linking for the library that we're fuzzing. 57 | Note that dynamically linked libraries are also known as shared libraries. 58 | Run the following command to see the available options for the `configure` script: 59 | 60 | ```sh 61 | ./configure --help 62 | ``` 63 | 64 | Find the option to disable building shared libraries. 65 | Hint: The option has `shared` in its name. 66 | 67 | Run the `configure` script with the appropriate arguments, including the option that you just found. 68 | Remember to set `CC` and `CXX` to the Honggfuzz compilers, and use the `--prefix` option to set the appropriate installation directory. 69 | You can refer to last week's activity, but if you copy and paste the commands without changing anything it will not work. 70 | Use `make` to compile libexif and install it to the directory you specified. 71 | 72 | Go back to your `libexif` directory (the one you created at the very beginning of this activity). 73 | List the contents of `install/lib`, and you should see the following: 74 | 75 | ``` 76 | libexif.a libexif.la pkgconfig 77 | ``` 78 | 79 | ## Building exif 80 | 81 | After we build libexif, we now need to build the `exif` program that uses the libexif library. 82 | This will act as a target program for our fuzzer so we can find vulnerabilities in the library. 83 | 84 | Download the exif source code from , extract the archive, and move into the resulting directory. 85 | Build and install exif using the same commands that you used for libexif, except that when you run the `configure` script, append `PKG_CONFIG_PATH="$HOME/libexif/install/lib/pkgconfig"` to the end of the command. 86 | This tells the build system where to find the libexif library that you built and installed earlier. 87 | 88 | Return to the `libexif` directory and run the `exif` program that you just built: 89 | 90 | ```sh 91 | install/bin/exif 92 | ``` 93 | 94 | This should print a help message. 95 | 96 | ## Fuzzing exif 97 | 98 | For our seed corpus, download some samples of images with Exif metadata and extract them: 99 | 100 | ```sh 101 | curl -LO https://github.com/ianare/exif-samples/archive/refs/heads/master.zip 102 | unzip master.zip 103 | ``` 104 | 105 | Try running `exif` on one of the images in the resulting directory: 106 | 107 | ```sh 108 | install/bin/exif exif-samples-master/jpg/Canon_40D.jpg 109 | ``` 110 | 111 | This should print out some information about the image. 112 | 113 | Now run Honggfuzz using the files in the `exif-samples-master/jpg` directory as the seed corpus. 114 | The only argument to the target program should be the input file generated by the fuzzer. 115 | 116 | Hint: You should set the `-i`, `-o`, and `--exit_upon_crash` options. 117 | You don't need `-w` since we're not using a dictionary for this activity. 118 | For the options that take a value, it's up to you to figure out what value you need to pass. 119 | Recall that after the Honggfuzz options, you should put `--` followed by the target program and its arguments. 120 | If you don't remember what the Honggfuzz options do, run `honggfuzz --help`. 121 | You can also look at [last week's activity](02-intro-to-fuzzing.md), but copying the whole command won't be sufficient here. 122 | 123 | > [!NOTE] 124 | > Honggfuzz's `___FILE___` placeholder has **three** underscores on each side (commonly mistaken for two). 125 | 126 | After you get the crash, you can examine `HONGGFUZZ.REPORT.TXT` and try to understand what caused the crash. 127 | Replicate the crash using the `exif` program and the test case found by Honggfuzz and you should see some colorful output from AddressSanitizer when it detects the bug. 128 | 129 | > [!NOTE] 130 | > The AddressSanitizer report contains a lot of useful information that can be used to diagnose the bug. 131 | > Try reading the output and see if you can figure out what type of vulnerability AddressSanitizer detected. 132 | > Was the invalid memory access on the stack or the heap? 133 | > Was it a read operation or a write operation? 134 | 135 | ## Acknowledgements 136 | 137 | This activity is based on [Fuzzing101 Exercise 2](https://github.com/antonio-morales/Fuzzing101/tree/main/Exercise%202). 138 | -------------------------------------------------------------------------------- /04-writing-harnesses.md: -------------------------------------------------------------------------------- 1 | # Week 4: Writing Harnesses 2 | 3 | In previous weeks, we fuzzed libraries by using existing programs that link to the libraries as fuzz targets. 4 | This time, we will be **writing our own harness programs**. 5 | 6 | Using a custom harness has two primary benefits: 7 | 1. **Persistant Mode:** 8 | To avoid the overhead of spawning a new process for every input, one process can be used to test multiple inputs. 9 | 2. **Shared Memory:** 10 | Inputs can be passed to the target process using shared memory instead of temporary files, which further improves performance. 11 | 12 | These two improvements will make our fuzzing over **30x faster**! 13 | In more advanced fuzzing, custom harnesses can also be used to transform the input in order to increase coverage. 14 | 15 | The library that we will fuzz today is [libcue](https://github.com/lipnitsk/libcue), which parses CUE files that describe tracks on CDs. 16 | A vulnerability in libcue discovered last year made it possible to hack anyone using the popular GNOME desktop environment for Linux by tricking them into downloading one malicious file with no further interaction required. 17 | 18 | ## Building libcue 19 | 20 | Create a new directory for fuzzing libcue called `fuzz-libcue` and move into it. 21 | Download and extract the libcue source code from . 22 | 23 | The commands for building libcue are a bit different from what we did previously, since libcue uses a program called CMake to generate Makefiles instead of a `configure` script. 24 | Inside the `libcue-2.2.1` directory with the source code, create a directory called `build` and move into it. 25 | This is where the files generated during the build will be stored. 26 | 27 | Then run this command inside the `build` directory to generate the Makefile: 28 | 29 | ```sh 30 | CC=hfuzz-clang CXX=hfuzz-clang++ cmake -DCMAKE_INSTALL_PREFIX="$HOME/fuzz-libcue/install" -DCMAKE_BUILD_TYPE=Release .. 31 | ``` 32 | 33 | The `-DCMAKE_INSTALL_PREFIX="$HOME/fuzz-libcue/install"` option sets the installation directory like the `--prefix` option that we used previously. 34 | The `-DCMAKE_BUILD_TYPE=Release` option enables compiler optimizations so that the compiled code will be faster. 35 | The `..` at the end specifies the directory with the source code, which is the parent of the current directory in this case. 36 | Use `make` to build and install libcue. 37 | 38 | > [!NOTE] 39 | > You can optionally run `make test` after building libcue. 40 | > What does this command do? 41 | 42 | ## Writing a Harness 43 | 44 | Now we will write a C program which takes input from the fuzzer and passes it to libcue. 45 | In the `fuzz-libcue` directory, use the following command to open Visual Studio Code in your browser: 46 | 47 | ```sh 48 | code tunnel 49 | ``` 50 | 51 | Follow the instructions from this command to sign in with either a Microsoft or GitHub account. 52 | 53 | Our fuzz target will follow a common style that originated from [libFuzzer](https://llvm.org/docs/LibFuzzer.html). 54 | This means that we can use the same code for other fuzzers like [AFL++](https://aflplus.plus/). 55 | Create a file named `harness.c` with VS Code. 56 | You'll need to write a C function with the following signature: 57 | 58 | ```c 59 | int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size); 60 | ``` 61 | 62 | The first argument is a pointer to an array of bytes containing the input data, and the second argument is the length of the input. 63 | If we want to reject an input and tell the fuzzer not to add it to the corpus regardless of the coverage feedback, the function should return -1. 64 | For example, you might return -1 if the code that you're fuzzing requires the input to be at least a certain size and the input from the fuzzer is too short. 65 | In all other cases, the function should return 0. 66 | 67 | > [!NOTE] 68 | > You should not return -1 if the code being fuzzed returns an error due to the input being invalid, because we want to test the code's ability to handle all inputs regardless of whether they are valid. 69 | 70 | You should include `stdint.h` for the definition of `uint8_t`. 71 | 72 | You can use the following starter code for `harness.c`: 73 | 74 | ```c 75 | #include 76 | #include 77 | #include 78 | 79 | #include 80 | 81 | int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { 82 | // TODO: Add your fuzzing code here 83 | 84 | return 0; 85 | } 86 | 87 | ``` 88 | 89 | The function in libcue that we will be calling has this signature: 90 | 91 | ```c 92 | Cd* cue_parse_string(const char*); 93 | ``` 94 | 95 | It takes a pointer to a null-terminated string and returns a pointer to a struct containing information parsed from the CUE data. 96 | The input that we get from the fuzzer is a sequence of arbitrary bytes which is not necessarily null-terminated, so we'll need to copy it to a bigger buffer and add a null byte to the end. 97 | 98 | Use the [`malloc`](https://en.cppreference.com/w/c/memory/malloc) function from the C standard library to allocate a buffer that is one byte bigger than the input. 99 | `malloc` is declared in `stdlib.h`, so you'll need to include this header. 100 | Store the pointer that `malloc` returns in a `char` pointer variable. 101 | It's good practice to check if the returned pointer is null, which indicates that the allocation failed. 102 | If `malloc` returned a null pointer, then your function should return -1 since we can't pass this input to libcue. 103 | 104 | > [!NOTE] 105 | > `nullptr` doesn't exist in C, so you have to use `NULL` instead. 106 | 107 | Next, use [`memcpy`](https://en.cppreference.com/w/c/string/byte/memcpy) from `string.h` to copy the input data into the newly-allocated buffer, and then set the last byte of the buffer to a null character. 108 | Call `cue_parse_string` from `libcue.h` with a pointer to the buffer and save the return value in a `Cd` pointer variable. 109 | If the result is not null, free it with the `cd_delete` function to avoid leaking memory. 110 | Here's the signature of `cd_delete`: 111 | 112 | ```c 113 | void cd_delete(Cd* cd); 114 | ``` 115 | 116 | Make sure to also free the buffer where we copied the input using the [`free`](https://en.cppreference.com/w/c/memory/free) function, and don't forget to return 0. 117 | 118 | ## Compiling the Harness 119 | 120 | Use this command to compile the harness: 121 | 122 | ```sh 123 | hfuzz-clang harness.c -o harness -Wall -Wextra -pedantic -O3 -fsanitize=fuzzer -I install/include -L install/lib -lcue 124 | ``` 125 | 126 | We run `hfuzz-clang` and give it our `harness.c` file. 127 | Here's what all of the options do: 128 | * `-o harness` tells the compiler to output the program to a file named `harness`. 129 | * `-Wall -Wextra -pedantic` enables compiler warnings that catch some bugs. 130 | * `-O3` enables optimizations that make the code faster. 131 | * `-fsanitize=fuzzer` tells the compiler that we're using a libFuzzer-style harness. 132 | The compiler will automatically insert code that repeatedly reads input from the fuzzer and calls our `LLVMFuzzerTestOneInput` function. 133 | * `-I install/include` adds the directory with the libcue header files to the preprocessor's search path so that it can find `libcue.h`. 134 | * `-L install/lib` adds the directory where the compiled libcue files are stored to the linker's search path so that the linker knows where to find the library. 135 | * `-lcue` tells the linker to link our harness with libcue. 136 | This option has to go after `harness.c` because of the way the linker loads the files. 137 | 138 | You should now have a `harness` program in your current directory. 139 | You can run it with an input file as the argument, and the code inserted by the compiler will automatically call `LLVMFuzzerTestOneInput` with the contents of the file. 140 | 141 | ## Fuzzing 142 | 143 | Create a directory named `seed` where we'll store our seed corpus and run the following command to copy a test file from libcue into the directory: 144 | 145 | ```sh 146 | cp libcue-2.2.1/t/issue10.cue seed 147 | ``` 148 | 149 | Run Honggfuzz with the usual options on the `harness` program, but don't give any arguments to the harness (i.e. don't add anything like `___FILE___`). 150 | Honggfuzz will automatically detect that we are using persistent mode. 151 | The speed should be tens of thousands of executions per second, and you should get a crash in less than a minute. 152 | 153 | ## Triaging the Crash 154 | 155 | If you have time, we encourage you to try to find the root cause of the crash using `gdb`. 156 | Note that there are some other bugs in this version of libcue; the one that caused the vulnerability is in a function named `track_set_index`. 157 | 158 | > [!NOTE] 159 | > After reaching the crash in `gdb`, what does the output of `bt` (backtrace) show you? 160 | 161 | ## Acknowledgements 162 | 163 | This vulnerability was discovered by Kevin Backhouse from the GitHub Security Lab. 164 | We highly recommend reading his blog posts [explaining the vulnerability](https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/) and [how he exploited it](https://github.blog/2023-12-06-cueing-up-a-calculator-an-introduction-to-exploit-development-on-linux/) if you're interested in learning more! 165 | -------------------------------------------------------------------------------- /05-coverage-analysis.md: -------------------------------------------------------------------------------- 1 | # Week 5: Coverage Analysis 2 | 3 | In last week's activity, we wrote a custom harness to fuzz `libcue`. 4 | This activity will build upon that by showing you how to collect and analyze the **code coverage** achieved by the fuzzer. 5 | 6 | Coverage tells us which parts of code in the target are actually executed upon running the target with certain test cases. 7 | While many fuzzers, including Honggfuzz, use some metric of coverage to guide their mutations, this coverage is not directly exposed to us for further analysis. 8 | 9 | We will be using LLVM's [SanitizerCoverage](https://clang.llvm.org/docs/SanitizerCoverage.html) interface and associated tooling to collect and view the coverage of our fuzzing corpus. 10 | 11 | ## Rebuilding libcue and the harness 12 | 13 | We will need to rebuild `libcue` and the harness with coverage instrumentation enabled. 14 | I recommend creating a new directory under your home directory called `cov-libcue` for this. 15 | 16 | Download libcue from . 17 | Last week, we fuzzed an old version of libcue that had a vulnerability, but this time we're using the latest version where the vulnerability has been fixed since we don't want crashes when we're trying to measure coverage. 18 | 19 | We will build and install libcue using a similar process as last week, but we will use the `clang` compiler instead of `hfuzz-clang` since we don't want the Honggfuzz instrumentation. 20 | To enable SanitizerCoverage, we'll have to add the compiler flags `-fprofile-instr-generate` and `-fcoverage-mapping`, which can be done by setting the `CFLAGS` environment variable when running CMake. 21 | We will also use a debug build instead of a release build by changing `-DCMAKE_BUILD_TYPE=Release` to `-DCMAKE_BUILD_TYPE=Debug`. 22 | This disables optimizations which might make the compiled code not directly correspond to the source code. 23 | Here's the new CMake command: 24 | 25 | ```sh 26 | CC=clang CFLAGS='-fprofile-instr-generate -fcoverage-mapping' cmake -DCMAKE_INSTALL_PREFIX="$HOME/cov-libcue/install" -DCMAKE_BUILD_TYPE=Debug .. 27 | ``` 28 | 29 | > [!NOTE] 30 | > You might have noticed that we didn't set the `CXX` environment variable this time. 31 | > `CC` sets the C compiler, while `CXX` sets the C++ compiler. 32 | > Similarly, `CFLAGS` sets the C compiler flags and `CXXFLAGS` sets the C++ compiler flags. 33 | > Since libcue is written in C, we only have to set `CC` and `CFLAGS`. 34 | > For C++ projects, you should set `CXX` and `CXXFLAGS` instead. 35 | > If the project uses both C and C++ or you're not sure, then you can set the environment variables for both languages like what we've been doing previously. 36 | 37 | Remember to create a build directory before running CMake. 38 | After running CMake, use `make` to build and install libcue like we did previously. 39 | 40 | Last week we compiled our harness with `hfuzz-clang`, which provided code that calls the `LLVMFuzzerTestOneInput` function. 41 | This week we're using `clang` without the Honggfuzz wrapper, so we'll need to have our own code that reads input from files and passes the data to our harness. 42 | We'll call this code the "executor" and we can use the following implementation from the [Trail of Bits Testing Handbook](https://appsec.guide/docs/fuzzing/c-cpp/techniques/coverage-analysis/): 43 | 44 | ```c 45 | #include 46 | #include 47 | #include 48 | #include 49 | #include 50 | 51 | int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size); 52 | 53 | void load_file_and_test(const char *filename) { 54 | FILE *file = fopen(filename, "rb"); 55 | if (file == NULL) { 56 | printf("Failed to open file: %s\n", filename); 57 | return; 58 | } 59 | 60 | fseek(file, 0, SEEK_END); 61 | long filesize = ftell(file); 62 | rewind(file); 63 | 64 | uint8_t *buffer = malloc(filesize); 65 | if (buffer == NULL) { 66 | printf("Failed to allocate memory for file: %s\n", filename); 67 | fclose(file); 68 | return; 69 | } 70 | 71 | long read_size = (long)fread(buffer, 1, filesize, file); 72 | if (read_size != filesize) { 73 | printf("Failed to read file: %s\n", filename); 74 | free(buffer); 75 | fclose(file); 76 | return; 77 | } 78 | 79 | LLVMFuzzerTestOneInput(buffer, filesize); 80 | 81 | free(buffer); 82 | fclose(file); 83 | } 84 | 85 | int main(int argc, char **argv) { 86 | if (argc != 2) { 87 | printf("Usage: %s \n", argv[0]); 88 | return 1; 89 | } 90 | 91 | DIR *dir = opendir(argv[1]); 92 | if (dir == NULL) { 93 | printf("Failed to open directory: %s\n", argv[1]); 94 | return 1; 95 | } 96 | 97 | struct dirent *entry; 98 | while ((entry = readdir(dir)) != NULL) { 99 | if (entry->d_type == DT_REG) { 100 | char filepath[1024]; 101 | snprintf(filepath, sizeof(filepath), "%s/%s", argv[1], entry->d_name); 102 | load_file_and_test(filepath); 103 | } 104 | } 105 | 106 | closedir(dir); 107 | return 0; 108 | } 109 | ``` 110 | 111 | Copy the code into a file named `executor.c` in your `cov-libcue` directory, and also copy the `harness.c` file that you wrote last week into this directory. 112 | Compile the harness and executor with this command: 113 | 114 | ```sh 115 | clang -fprofile-instr-generate -fcoverage-mapping harness.c executor.c -o executor -I install/include -L install/lib -lcue 116 | ``` 117 | 118 | ## Collecting coverage data 119 | 120 | The program that we just compiled will automatically write coverage information to a file specified in the `LLVM_PROFILE_FILE` environment variable when we run it. 121 | The executor takes a single argument that specifies a directory and it will run our harness on all of the files in the directory. 122 | We can run it on the corpus from last week like this: 123 | 124 | ```sh 125 | LLVM_PROFILE_FILE=fuzz.profraw ./executor ../fuzz-libcue/corpus 2>/dev/null 126 | ``` 127 | 128 | The `2>/dev/null` at the end discards the output from libcue, since it prints a lot of error messages when it reads inputs that aren't valid CUE files. 129 | 130 | This should create a `fuzz.profraw` file containing the raw coverage profile data in your current directory. 131 | We must now convert it to an indexed `.profdata` file using the following command: 132 | 133 | ```sh 134 | llvm-profdata merge fuzz.profraw -o fuzz.profdata 135 | ``` 136 | Now we'll generate an HTML report that will display the coverage data in a nice format. 137 | We've set up a web server so that you can view the HTML report in your browser without having to download it to your computer first. 138 | The web server will look for files to serve in the `public_html` directory inside your home directory. 139 | Create this directory with the following command: 140 | 141 | ```sh 142 | mkdir ~/public_html 143 | ``` 144 | 145 | Then generate the report inside the directory: 146 | 147 | ```sh 148 | llvm-cov show executor -instr-profile=fuzz.profdata -format=html -output-dir ~/public_html/libcue-report 149 | ``` 150 | 151 | Note that we have to provide both the executor program and the coverage data file. 152 | 153 | Change the file permissions of the report so that the web server can read it: 154 | 155 | ```sh 156 | chmod -R +rX ~/public_html/libcue-report 157 | ``` 158 | 159 | In your web browser, visit `https://fuzz.acmcyber.com/~username/libcue-report` where `username` is your username on the fuzzing server. 160 | You should see a page listing the source files and the coverage statistics of each file. 161 | You can click on a file name to see the coverage data for each line. 162 | In the line-by-line coverage report, the column between the line numbers and the code shows how many times each line was executed. 163 | 164 | > [!NOTE] 165 | > What do the red highlights show in the line-by-line coverage report? 166 | > Why do some lines not have execution counts? 167 | > Which parts of the code were never executed? 168 | > Why is this the case? 169 | 170 | ## Acknowledgements 171 | 172 | This activity is based on [the Coverage Analysis page from the Trail of Bits Testing Handbook](https://appsec.guide/docs/fuzzing/c-cpp/techniques/coverage-analysis/). 173 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Attribution-ShareAlike 4.0 International 2 | 3 | ======================================================================= 4 | 5 | Creative Commons Corporation ("Creative Commons") is not a law firm and 6 | does not provide legal services or legal advice. Distribution of 7 | Creative Commons public licenses does not create a lawyer-client or 8 | other relationship. Creative Commons makes its licenses and related 9 | information available on an "as-is" basis. Creative Commons gives no 10 | warranties regarding its licenses, any material licensed under their 11 | terms and conditions, or any related information. Creative Commons 12 | disclaims all liability for damages resulting from their use to the 13 | fullest extent possible. 14 | 15 | Using Creative Commons Public Licenses 16 | 17 | Creative Commons public licenses provide a standard set of terms and 18 | conditions that creators and other rights holders may use to share 19 | original works of authorship and other material subject to copyright 20 | and certain other rights specified in the public license below. The 21 | following considerations are for informational purposes only, are not 22 | exhaustive, and do not form part of our licenses. 23 | 24 | Considerations for licensors: Our public licenses are 25 | intended for use by those authorized to give the public 26 | permission to use material in ways otherwise restricted by 27 | copyright and certain other rights. Our licenses are 28 | irrevocable. Licensors should read and understand the terms 29 | and conditions of the license they choose before applying it. 30 | Licensors should also secure all rights necessary before 31 | applying our licenses so that the public can reuse the 32 | material as expected. Licensors should clearly mark any 33 | material not subject to the license. This includes other CC- 34 | licensed material, or material used under an exception or 35 | limitation to copyright. More considerations for licensors: 36 | wiki.creativecommons.org/Considerations_for_licensors 37 | 38 | Considerations for the public: By using one of our public 39 | licenses, a licensor grants the public permission to use the 40 | licensed material under specified terms and conditions. If 41 | the licensor's permission is not necessary for any reason--for 42 | example, because of any applicable exception or limitation to 43 | copyright--then that use is not regulated by the license. Our 44 | licenses grant only permissions under copyright and certain 45 | other rights that a licensor has authority to grant. Use of 46 | the licensed material may still be restricted for other 47 | reasons, including because others have copyright or other 48 | rights in the material. A licensor may make special requests, 49 | such as asking that all changes be marked or described. 50 | Although not required by our licenses, you are encouraged to 51 | respect those requests where reasonable. More considerations 52 | for the public: 53 | wiki.creativecommons.org/Considerations_for_licensees 54 | 55 | ======================================================================= 56 | 57 | Creative Commons Attribution-ShareAlike 4.0 International Public 58 | License 59 | 60 | By exercising the Licensed Rights (defined below), You accept and agree 61 | to be bound by the terms and conditions of this Creative Commons 62 | Attribution-ShareAlike 4.0 International Public License ("Public 63 | License"). To the extent this Public License may be interpreted as a 64 | contract, You are granted the Licensed Rights in consideration of Your 65 | acceptance of these terms and conditions, and the Licensor grants You 66 | such rights in consideration of benefits the Licensor receives from 67 | making the Licensed Material available under these terms and 68 | conditions. 69 | 70 | 71 | Section 1 -- Definitions. 72 | 73 | a. Adapted Material means material subject to Copyright and Similar 74 | Rights that is derived from or based upon the Licensed Material 75 | and in which the Licensed Material is translated, altered, 76 | arranged, transformed, or otherwise modified in a manner requiring 77 | permission under the Copyright and Similar Rights held by the 78 | Licensor. For purposes of this Public License, where the Licensed 79 | Material is a musical work, performance, or sound recording, 80 | Adapted Material is always produced where the Licensed Material is 81 | synched in timed relation with a moving image. 82 | 83 | b. Adapter's License means the license You apply to Your Copyright 84 | and Similar Rights in Your contributions to Adapted Material in 85 | accordance with the terms and conditions of this Public License. 86 | 87 | c. BY-SA Compatible License means a license listed at 88 | creativecommons.org/compatiblelicenses, approved by Creative 89 | Commons as essentially the equivalent of this Public License. 90 | 91 | d. Copyright and Similar Rights means copyright and/or similar rights 92 | closely related to copyright including, without limitation, 93 | performance, broadcast, sound recording, and Sui Generis Database 94 | Rights, without regard to how the rights are labeled or 95 | categorized. For purposes of this Public License, the rights 96 | specified in Section 2(b)(1)-(2) are not Copyright and Similar 97 | Rights. 98 | 99 | e. Effective Technological Measures means those measures that, in the 100 | absence of proper authority, may not be circumvented under laws 101 | fulfilling obligations under Article 11 of the WIPO Copyright 102 | Treaty adopted on December 20, 1996, and/or similar international 103 | agreements. 104 | 105 | f. Exceptions and Limitations means fair use, fair dealing, and/or 106 | any other exception or limitation to Copyright and Similar Rights 107 | that applies to Your use of the Licensed Material. 108 | 109 | g. License Elements means the license attributes listed in the name 110 | of a Creative Commons Public License. The License Elements of this 111 | Public License are Attribution and ShareAlike. 112 | 113 | h. Licensed Material means the artistic or literary work, database, 114 | or other material to which the Licensor applied this Public 115 | License. 116 | 117 | i. Licensed Rights means the rights granted to You subject to the 118 | terms and conditions of this Public License, which are limited to 119 | all Copyright and Similar Rights that apply to Your use of the 120 | Licensed Material and that the Licensor has authority to license. 121 | 122 | j. Licensor means the individual(s) or entity(ies) granting rights 123 | under this Public License. 124 | 125 | k. Share means to provide material to the public by any means or 126 | process that requires permission under the Licensed Rights, such 127 | as reproduction, public display, public performance, distribution, 128 | dissemination, communication, or importation, and to make material 129 | available to the public including in ways that members of the 130 | public may access the material from a place and at a time 131 | individually chosen by them. 132 | 133 | l. Sui Generis Database Rights means rights other than copyright 134 | resulting from Directive 96/9/EC of the European Parliament and of 135 | the Council of 11 March 1996 on the legal protection of databases, 136 | as amended and/or succeeded, as well as other essentially 137 | equivalent rights anywhere in the world. 138 | 139 | m. You means the individual or entity exercising the Licensed Rights 140 | under this Public License. Your has a corresponding meaning. 141 | 142 | 143 | Section 2 -- Scope. 144 | 145 | a. License grant. 146 | 147 | 1. Subject to the terms and conditions of this Public License, 148 | the Licensor hereby grants You a worldwide, royalty-free, 149 | non-sublicensable, non-exclusive, irrevocable license to 150 | exercise the Licensed Rights in the Licensed Material to: 151 | 152 | a. reproduce and Share the Licensed Material, in whole or 153 | in part; and 154 | 155 | b. produce, reproduce, and Share Adapted Material. 156 | 157 | 2. Exceptions and Limitations. For the avoidance of doubt, where 158 | Exceptions and Limitations apply to Your use, this Public 159 | License does not apply, and You do not need to comply with 160 | its terms and conditions. 161 | 162 | 3. Term. The term of this Public License is specified in Section 163 | 6(a). 164 | 165 | 4. Media and formats; technical modifications allowed. The 166 | Licensor authorizes You to exercise the Licensed Rights in 167 | all media and formats whether now known or hereafter created, 168 | and to make technical modifications necessary to do so. The 169 | Licensor waives and/or agrees not to assert any right or 170 | authority to forbid You from making technical modifications 171 | necessary to exercise the Licensed Rights, including 172 | technical modifications necessary to circumvent Effective 173 | Technological Measures. For purposes of this Public License, 174 | simply making modifications authorized by this Section 2(a) 175 | (4) never produces Adapted Material. 176 | 177 | 5. Downstream recipients. 178 | 179 | a. Offer from the Licensor -- Licensed Material. Every 180 | recipient of the Licensed Material automatically 181 | receives an offer from the Licensor to exercise the 182 | Licensed Rights under the terms and conditions of this 183 | Public License. 184 | 185 | b. Additional offer from the Licensor -- Adapted Material. 186 | Every recipient of Adapted Material from You 187 | automatically receives an offer from the Licensor to 188 | exercise the Licensed Rights in the Adapted Material 189 | under the conditions of the Adapter's License You apply. 190 | 191 | c. No downstream restrictions. You may not offer or impose 192 | any additional or different terms or conditions on, or 193 | apply any Effective Technological Measures to, the 194 | Licensed Material if doing so restricts exercise of the 195 | Licensed Rights by any recipient of the Licensed 196 | Material. 197 | 198 | 6. No endorsement. Nothing in this Public License constitutes or 199 | may be construed as permission to assert or imply that You 200 | are, or that Your use of the Licensed Material is, connected 201 | with, or sponsored, endorsed, or granted official status by, 202 | the Licensor or others designated to receive attribution as 203 | provided in Section 3(a)(1)(A)(i). 204 | 205 | b. Other rights. 206 | 207 | 1. Moral rights, such as the right of integrity, are not 208 | licensed under this Public License, nor are publicity, 209 | privacy, and/or other similar personality rights; however, to 210 | the extent possible, the Licensor waives and/or agrees not to 211 | assert any such rights held by the Licensor to the limited 212 | extent necessary to allow You to exercise the Licensed 213 | Rights, but not otherwise. 214 | 215 | 2. Patent and trademark rights are not licensed under this 216 | Public License. 217 | 218 | 3. To the extent possible, the Licensor waives any right to 219 | collect royalties from You for the exercise of the Licensed 220 | Rights, whether directly or through a collecting society 221 | under any voluntary or waivable statutory or compulsory 222 | licensing scheme. In all other cases the Licensor expressly 223 | reserves any right to collect such royalties. 224 | 225 | 226 | Section 3 -- License Conditions. 227 | 228 | Your exercise of the Licensed Rights is expressly made subject to the 229 | following conditions. 230 | 231 | a. Attribution. 232 | 233 | 1. If You Share the Licensed Material (including in modified 234 | form), You must: 235 | 236 | a. retain the following if it is supplied by the Licensor 237 | with the Licensed Material: 238 | 239 | i. identification of the creator(s) of the Licensed 240 | Material and any others designated to receive 241 | attribution, in any reasonable manner requested by 242 | the Licensor (including by pseudonym if 243 | designated); 244 | 245 | ii. a copyright notice; 246 | 247 | iii. a notice that refers to this Public License; 248 | 249 | iv. a notice that refers to the disclaimer of 250 | warranties; 251 | 252 | v. a URI or hyperlink to the Licensed Material to the 253 | extent reasonably practicable; 254 | 255 | b. indicate if You modified the Licensed Material and 256 | retain an indication of any previous modifications; and 257 | 258 | c. indicate the Licensed Material is licensed under this 259 | Public License, and include the text of, or the URI or 260 | hyperlink to, this Public License. 261 | 262 | 2. You may satisfy the conditions in Section 3(a)(1) in any 263 | reasonable manner based on the medium, means, and context in 264 | which You Share the Licensed Material. For example, it may be 265 | reasonable to satisfy the conditions by providing a URI or 266 | hyperlink to a resource that includes the required 267 | information. 268 | 269 | 3. If requested by the Licensor, You must remove any of the 270 | information required by Section 3(a)(1)(A) to the extent 271 | reasonably practicable. 272 | 273 | b. ShareAlike. 274 | 275 | In addition to the conditions in Section 3(a), if You Share 276 | Adapted Material You produce, the following conditions also apply. 277 | 278 | 1. The Adapter's License You apply must be a Creative Commons 279 | license with the same License Elements, this version or 280 | later, or a BY-SA Compatible License. 281 | 282 | 2. You must include the text of, or the URI or hyperlink to, the 283 | Adapter's License You apply. You may satisfy this condition 284 | in any reasonable manner based on the medium, means, and 285 | context in which You Share Adapted Material. 286 | 287 | 3. You may not offer or impose any additional or different terms 288 | or conditions on, or apply any Effective Technological 289 | Measures to, Adapted Material that restrict exercise of the 290 | rights granted under the Adapter's License You apply. 291 | 292 | 293 | Section 4 -- Sui Generis Database Rights. 294 | 295 | Where the Licensed Rights include Sui Generis Database Rights that 296 | apply to Your use of the Licensed Material: 297 | 298 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right 299 | to extract, reuse, reproduce, and Share all or a substantial 300 | portion of the contents of the database; 301 | 302 | b. if You include all or a substantial portion of the database 303 | contents in a database in which You have Sui Generis Database 304 | Rights, then the database in which You have Sui Generis Database 305 | Rights (but not its individual contents) is Adapted Material, 306 | including for purposes of Section 3(b); and 307 | 308 | c. You must comply with the conditions in Section 3(a) if You Share 309 | all or a substantial portion of the contents of the database. 310 | 311 | For the avoidance of doubt, this Section 4 supplements and does not 312 | replace Your obligations under this Public License where the Licensed 313 | Rights include other Copyright and Similar Rights. 314 | 315 | 316 | Section 5 -- Disclaimer of Warranties and Limitation of Liability. 317 | 318 | a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE 319 | EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS 320 | AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF 321 | ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, 322 | IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, 323 | WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR 324 | PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, 325 | ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT 326 | KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT 327 | ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. 328 | 329 | b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE 330 | TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, 331 | NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, 332 | INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, 333 | COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR 334 | USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN 335 | ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR 336 | DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR 337 | IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. 338 | 339 | c. The disclaimer of warranties and limitation of liability provided 340 | above shall be interpreted in a manner that, to the extent 341 | possible, most closely approximates an absolute disclaimer and 342 | waiver of all liability. 343 | 344 | 345 | Section 6 -- Term and Termination. 346 | 347 | a. This Public License applies for the term of the Copyright and 348 | Similar Rights licensed here. However, if You fail to comply with 349 | this Public License, then Your rights under this Public License 350 | terminate automatically. 351 | 352 | b. Where Your right to use the Licensed Material has terminated under 353 | Section 6(a), it reinstates: 354 | 355 | 1. automatically as of the date the violation is cured, provided 356 | it is cured within 30 days of Your discovery of the 357 | violation; or 358 | 359 | 2. upon express reinstatement by the Licensor. 360 | 361 | For the avoidance of doubt, this Section 6(b) does not affect any 362 | right the Licensor may have to seek remedies for Your violations 363 | of this Public License. 364 | 365 | c. For the avoidance of doubt, the Licensor may also offer the 366 | Licensed Material under separate terms or conditions or stop 367 | distributing the Licensed Material at any time; however, doing so 368 | will not terminate this Public License. 369 | 370 | d. Sections 1, 5, 6, 7, and 8 survive termination of this Public 371 | License. 372 | 373 | 374 | Section 7 -- Other Terms and Conditions. 375 | 376 | a. The Licensor shall not be bound by any additional or different 377 | terms or conditions communicated by You unless expressly agreed. 378 | 379 | b. Any arrangements, understandings, or agreements regarding the 380 | Licensed Material not stated herein are separate from and 381 | independent of the terms and conditions of this Public License. 382 | 383 | 384 | Section 8 -- Interpretation. 385 | 386 | a. For the avoidance of doubt, this Public License does not, and 387 | shall not be interpreted to, reduce, limit, restrict, or impose 388 | conditions on any use of the Licensed Material that could lawfully 389 | be made without permission under this Public License. 390 | 391 | b. To the extent possible, if any provision of this Public License is 392 | deemed unenforceable, it shall be automatically reformed to the 393 | minimum extent necessary to make it enforceable. If the provision 394 | cannot be reformed, it shall be severed from this Public License 395 | without affecting the enforceability of the remaining terms and 396 | conditions. 397 | 398 | c. No term or condition of this Public License will be waived and no 399 | failure to comply consented to unless expressly agreed to by the 400 | Licensor. 401 | 402 | d. Nothing in this Public License constitutes or may be interpreted 403 | as a limitation upon, or waiver of, any privileges and immunities 404 | that apply to the Licensor or You, including from the legal 405 | processes of any jurisdiction or authority. 406 | 407 | 408 | ======================================================================= 409 | 410 | Creative Commons is not a party to its public 411 | licenses. Notwithstanding, Creative Commons may elect to apply one of 412 | its public licenses to material it publishes and in those instances 413 | will be considered the “Licensor.” The text of the Creative Commons 414 | public licenses is dedicated to the public domain under the CC0 Public 415 | Domain Dedication. Except for the limited purpose of indicating that 416 | material is shared under a Creative Commons public license or as 417 | otherwise permitted by the Creative Commons policies published at 418 | creativecommons.org/policies, Creative Commons does not authorize the 419 | use of the trademark "Creative Commons" or any other trademark or logo 420 | of Creative Commons without its prior written consent including, 421 | without limitation, in connection with any unauthorized modifications 422 | to any of its public licenses or any other arrangements, 423 | understandings, or agreements concerning use of licensed material. For 424 | the avoidance of doubt, this paragraph does not form part of the 425 | public licenses. 426 | 427 | Creative Commons may be contacted at creativecommons.org. 428 | 429 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Fuzzing Lab 2 |

3 | Screenshot 2024-11-29 at 7 05 13 PM 4 |

5 | 6 | This is the repository for the Introduction to Fuzzing Lab run by [ACM Cyber at UCLA](https://www.acmcyber.com/). 7 | Click on one of the links below to get started! 8 | 9 | | **Week** | **Topic** | **Slides** | **Lab** | 10 | |----------|-----------|------------|---------| 11 | | Week 2 | Intro to Fuzzing | [Slides](https://docs.google.com/presentation/d/1QS6PeITc5_jhTofA9yAa5zs9qMmfmyfHmtD1nX3y48A/edit?usp=sharing) | [Using Honggfuzz](02-intro-to-fuzzing.md) | 12 | | Week 3 | Fuzzing Libraries | [Slides](https://docs.google.com/presentation/d/1vq2N1pAApM6_64zXXM5fall6amIIfagIOEdkZ_8SQgo/edit?usp=sharing) | [Fuzzing Libraries](03-fuzzing-libraries.md) | 13 | | Week 4 | Writing Harnesses | [Slides](https://docs.google.com/presentation/d/1OM6O8aRyBaqIC0FoUJHPKUdYpwhn7LKDLArZfF7VOhA/edit?usp=sharing) | [Writing Harnesses](04-writing-harnesses.md) | 14 | | Week 5 | Coverage Analysis | [Slides](https://docs.google.com/presentation/d/1PhC4wibrJ1xZpgzF7RMtTg6ITrfjRuuOX5DQ6_LCgDY/edit?usp=sharing) | [Coverage Analysis](05-coverage-analysis.md) | 15 | | Week 6 | Structure-Aware Fuzzing | [Slides](https://docs.google.com/presentation/d/1sYVQbJrwiJvH3bfpS9J_Xu26YWBw6agfSDWhVbhJoiQ/edit?usp=sharing) | Work on Project | 16 | | Week 7 | Project Work | [Slides](https://docs.google.com/presentation/d/1XRRdNXXHEUfTTTEE4ozhfPIzaTXUSNnpU-ai-bpg99E/edit?usp=sharing) | Work on Project | 17 | | Week 8 | Wrapping Up | [Slides](https://docs.google.com/presentation/d/10VXDnbvUfAtXNlKXpqo9F5Gdn76IrxHOXgXxrSjV--8/edit?usp=sharing) | Work on Project | 18 | | Week 9 | Break for Thanksgiving | - | - | 19 | | Week 10 | Present at Symposium | - | - | 20 | 21 | Interested to see what previous groups worked on? Check out our [blog post](https://www.acmcyber.com/blog/2024-12-03-fall-2024-fuzzing-lab). 22 | 23 | ## Project 24 | As part of Fuzzing Lab, you will get to participate in a quarter-long project where you will use the skills that you've learned to fuzz a new target of your choice. 25 | For more information about the project, check out the [project description](project.md). 26 | 27 | ## License 28 | The content in this repository is licensed under [CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/). 29 | 30 | ## Acknowledgements 31 | 32 | The following members of ACM Cyber contributed to the development of this lab: Alex Zhang, Ronak Badhe, Benson Liu, and Enzo Saracen. 33 | For any questions or concerns, please reach out to us at [uclacyber@gmail.com](mailto:uclacyber@gmail.com). 34 | Some activities are based on exercises from [Fuzzing101](https://github.com/antonio-morales/Fuzzing101). 35 | -------------------------------------------------------------------------------- /fuzzing-server-instructions.md: -------------------------------------------------------------------------------- 1 | # Fuzzing Server Instructions 2 | 3 | We have a Linux server for you to do your work on. 4 | It's similar to the SEASnet servers, but we will connect to it using keys instead of passwords. 5 | You can use VS Code to edit files on the server. 6 | 7 | ## SSH client 8 | 9 | We will use the SSH protocol to remotely log into the server, so you need to have an SSH client installed on your computer. 10 | macOS should have an SSH client installed by default. 11 | For Windows, go to *Settings > System > Optional Features* and install *OpenSSH Client*. 12 | You can also use the SSH client in WSL or PuTTY if you want, but if you use PuTTY you'll need to follow different steps to generate a key. 13 | If you want to use VS Code installed locally instead of in your browser, you have to use the Windows OpenSSH client. 14 | 15 | ## SSH keys 16 | 17 | We will use SSH keys to prove our identity to the server. 18 | If you already have SSH keys, you can skip the next couple of steps. 19 | Note that the Windows SSH client, the SSH client in WSL, and PuTTY all store keys in different places, so keys generated with one SSH client won't automatically work with other SSH clients. 20 | 21 | To generate an SSH key, run `ssh-keygen -t ed25519` in a terminal (outside of WSL if you're on Windows). 22 | When prompted for the location where the key will be saved, choose the default by pressing Enter. 23 | Your keys will be stored in the `.ssh` folder of your home directory, which is hidden by default on macOS and Linux. 24 | Your public key will be stored in a file named `id_ed25519.pub` and your private key will be in `id_ed25519`. 25 | Submit this [form](https://docs.google.com/forms/d/e/1FAIpQLSc9rahtsB0_MOjaj53k9oTJRdC5wd2gsMypsINK3N8EAguQ2g/viewform?usp=sf_link) with your **public** key so that we can give you access to the server. 26 | The private key is used to prove that you own the public key and you should keep it secret. 27 | Once I tell you that I've added your key to the server, you should be able to connect by running `ssh @fuzz.acmcyber.com`. 28 | For example, if your username is `alex`, you would run `ssh alex@fuzz.acmcyber.com`. 29 | When you do this for the first time, you will be asked to verify the server's host key. 30 | Check that the displayed key fingerprint matches `SHA256:o13vb+5oIxm+EI9YBqBg6QZ7j1Cek5fOp1uulS34ucY` and then type `yes`. 31 | If everything worked, you should see a green shell prompt that looks like `@fuzzpwn:~$`. 32 | Type `exit` to disconnect from the server. 33 | 34 | ## VS Code 35 | 36 | After you log into the server, you can open VS Code in your browser by running `code tunnel` on the server. 37 | Alternatively, if you have VS Code installed locally, you can install the [Remote - SSH](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-ssh) extension and run the **Remote-SSH: Connect to Host** command. 38 | See the [documentation](https://code.visualstudio.com/docs/remote/ssh) for more details. 39 | -------------------------------------------------------------------------------- /project.md: -------------------------------------------------------------------------------- 1 | # Project 2 | 3 | As part of Fuzzing Lab, you will get to participate in a quarter-long project where you will use the skills that you've learned to fuzz a new target of your choice. 4 | For more information about the project requirements, please check out the [slides from the first week](https://l.acmcyber.com/fuzzing-lab-1). 5 | The three types of targets that you can pick from are listed below. 6 | 7 | Once you have formed a group and chosen a target, please fill out [this form](https://forms.gle/j8Qe5At51cmj1HfZ9) as part of the project proposal. 8 | Your groups should have around two to three members. 9 | 10 | ## Option 1: Fuzz for New Vulnerabilities 11 | 12 | For this option, your goal is to fuzz something that hasn't been fuzzed before, and you might find a new vulnerability if you're lucky. 13 | You will need to research an open-source library and write a fuzzing harness for it. 14 | Here's a list of targets that we recommend: 15 | 16 | - yaml-cpp: https://github.com/jbeder/yaml-cpp 17 | - libfyaml: https://github.com/pantoniou/libfyaml 18 | - xml.c: https://github.com/ooxi/xml.c 19 | - tomlc99: https://github.com/cktan/tomlc99 20 | - ctoml: https://github.com/evilncrazy/ctoml 21 | - tinyxml2: https://github.com/leethomason/tinyxml2 22 | - json-parser: https://github.com/json-parser/json-parser 23 | - jsonxx: https://github.com/hjiang/jsonxx 24 | - myhtml: https://github.com/lexborisov/myhtml 25 | - podofo: https://github.com/podofo/podofo 26 | 27 | We've chosen targets that have probably not been fuzzed before, and aren't too hard to fuzz with the skills that you will learn in this lab. 28 | Please talk to us if you want to choose something not on this list. 29 | 30 | ## Option 2: Research a Known Vulnerability 31 | 32 | Fuzzers have been used to find many vulnerabilities in the past. 33 | For this option, you will fuzz a version of the target that is known to have at least one vulnerability and your goal is to find a test case that reproduces a known vulnerability. 34 | Here's the list of targets for this option: 35 | 36 | - libiptcdata: https://github.com/ianw/libiptcdata 37 | - libraw: https://github.com/LibRaw/LibRaw 38 | - libtiff: https://gitlab.com/libtiff/libtiff 39 | 40 | Additionally, we have some targets that are standalone executables rather than libraries, so you won't need to write your own fuzzing harness. 41 | You can try to fuzz these if you want additional practice with the basic fuzzing concepts, but we strongly recommend that you choose something from the other lists since writing fuzzing harnesses is an important skill that we want you to learn. 42 | 43 | - htmldoc: https://github.com/michaelrsweet/htmldoc 44 | - md4c: https://github.com/mity/md4c 45 | - opendetex: https://github.com/pkubowicz/opendetex 46 | - xfig: https://github.com/hhoeflin/xfig 47 | - atasm: https://github.com/CycoPH/atasm 48 | 49 | ## Option 3: Propose Your Own Project 50 | 51 | Some groups may be interested in working on a project or target that is not listed above (for example, using a fuzzer other than Honggfuzz). 52 | We allow groups to work on other fuzzing-related projects, but we want to ensure that the project is feasible so that each group has the best experience! 53 | If you are interested in this option, **please contact an officer** to discuss your project idea before submitting the proposal form. 54 | -------------------------------------------------------------------------------- /server/mkgroup: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | name="$1" 6 | members="$2" 7 | proj_dir="/projects/$name" 8 | 9 | groupadd -U "$members" -- "$name" 10 | mkdir -m 2770 "$proj_dir" 11 | chgrp -- "$name" "$proj_dir" 12 | setfacl -d -m g::rwX -- "$proj_dir" 13 | -------------------------------------------------------------------------------- /server/mkuser: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | if [ "$#" -ne 2 ]; then 6 | printf '%s\n' "usage: mkuser " 7 | exit 1 8 | fi 9 | 10 | adduser --disabled-password --comment '' -- "$1" 11 | SSH_KEY="$2" runuser -- "$1" <<-'EOF' 12 | set -e 13 | 14 | mkdir -m 0700 ~/.ssh 15 | touch ~/.ssh/authorized_keys 16 | chmod 0600 ~/.ssh/authorized_keys 17 | printf '%s\n' "$SSH_KEY" > ~/.ssh/authorized_keys 18 | EOF 19 | -------------------------------------------------------------------------------- /server/setup.md: -------------------------------------------------------------------------------- 1 | # Fuzzing Server Setup Notes (For Lab Leads) 2 | 3 | ## GCP 4 | 5 | Create a project and create a GCE box. 6 | For the instance shape, core count matters the most and we don't need a lot of memory. 7 | Either x86 or Arm works. 8 | Spot instances are much cheaper but they can occasionally get shut down, which isn't a big issue in practice since it doesn't happen very often. 9 | Try all the instance shapes and regions to find the cheapest one. 10 | The physical location doesn't matter much as long as it is in the US. 11 | If the server is on another continent, there will be noticeable lag when typing in SSH. 12 | Use a big distro like Debian or Fedora. 13 | 14 | When creating the project, change the default network service tier to standard. 15 | Remove the default compute engine service account from the box since that gives it edit access to the whole project. 16 | Add admin SSH keys to the box or the project configuration. 17 | The comment fields of the keys will be used as the username on the box. 18 | Use the scripts in this directory to create unprivileged users for the lab members. 19 | 20 | ## HTTP Server 21 | 22 | Install Apache and setup the userdir module. 23 | You might have to change directory permissions so that the server can read the files since it runs as an unprivileged user. 24 | User Certbot to automatically configure certificates for HTTPS. 25 | You have to allow HTTP traffic in the GCE box configuration. 26 | --------------------------------------------------------------------------------