Hi everyone,
Before I start writing code, I wanted to get the input of more
experienced developers.
Why bother about this? Why not use what's available out there? Well...
- Fuzzgrind isn't well documented and won't work out of the box,
- zzuf has too many bells and whistles, and won't guarantee that every
byte has been messed up with. I used it to generate a lot of cases, and
it fills a disk quickly enough
- Peachfuzz and others that rely on a specification: well, we have file
formats with hundreds of pages specified.
Here is the idea:
One process if the fuzzer process, it does the following (pseudocode):
spawn "valgrind test-program"
for (i = 0; i < file.length; i++)
fuzzed = memcpy(file)
fuzzed[i] = 0xFF (or whatever)
write(temp-dir/random-name, fuzzed)
read output from the spawned process until the marker is read
if valgrind output is more than the expected valgrind start/end markers
then copy valgrind output to results directory
then copy fuzzed to results directory
if spawned program crashed then restart it
The other process would do as follows:
while(forever)
check if a new file is in temp-dir
if the file name is "terminate-yourself", then exit
try to load the file with the filter
output a marker like "-------- Done trying to load ---------"
With this design, we avoid a lot of process creation overhead.
We can probably generalize it enough that we can put pretty much any
filter in there.
What do you think of this idea? What improvements we can add?
Regards,
--
Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India
Context
- [Libreoffice] RFC: Idea for fuzz-testing filters · Marc-André Laverdière
Privacy Policy |
Impressum (Legal Info) |
Copyright information: Unless otherwise specified, all text and images
on this website are licensed under the
Creative Commons Attribution-Share Alike 3.0 License.
This does not include the source code of LibreOffice, which is
licensed under the Mozilla Public License (
MPLv2).
"LibreOffice" and "The Document Foundation" are
registered trademarks of their corresponding registered owners or are
in actual use as trademarks in one or more countries. Their respective
logos and icons are also subject to international copyright laws. Use
thereof is explained in our
trademark policy.