Date: prev next · Thread: first prev next last
2011 Archives by date, by thread · List index


Hi everyone,

Before I start writing code, I wanted to get the input of more
experienced developers.

Why bother about this? Why not use what's available out there? Well...
 - Fuzzgrind isn't well documented and won't work out of the box,
 - zzuf has too many bells and whistles, and won't guarantee that every
byte has been messed up with. I used it to generate a lot of cases, and
it fills a disk quickly enough
 - Peachfuzz and others that rely on a specification: well, we have file
formats with hundreds of pages specified.

Here is the idea:
One process if the fuzzer process, it does the following (pseudocode):

  spawn "valgrind test-program"
  for (i = 0; i < file.length; i++)
    fuzzed = memcpy(file)
    fuzzed[i] = 0xFF (or whatever)
    write(temp-dir/random-name, fuzzed)
    read output from the spawned process until the marker is read
    if valgrind output is more than the expected valgrind start/end markers
      then copy valgrind output to results directory
      then copy fuzzed to results directory
    if spawned program crashed then restart it

The other process would do as follows:
  while(forever)
    check if a new file is in temp-dir
    if the file name is "terminate-yourself", then exit
    try to load the file with the filter
    output a marker like "-------- Done trying to load ---------"

With this design, we avoid a lot of process creation overhead.
We can probably generalize it enough that we can put pretty much any
filter in there.

What do you think of this idea? What improvements we can add?

Regards,

-- 
Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India

Context


Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.