
security-testing

SWEN90006: Security & Software Testing

This repository contains instructions to run the examples in lectures 7-12. We use Docker, which allows students to build and run the examples in the same way regardless of their operating system (e.g., Linux, Windows, or macOS).

Installation

Install Docker

Please follow the Docker installation instructions for your operating system to install Docker on your machine.

Build a Docker image

First, we need to build a Docker image using the given Dockerfile. The Docker image has everything ready for our experiments. Whenever we change the Dockerfile, we need to rerun this command.

docker build . -t swen90006 --no-cache

If the build is successful, we should have a new Docker image named swen90006. To see all Docker images on our computer, we can run the following command.

docker image ls

Weekly Examples

Before running an example, we need to start a Docker container from the successfully built Docker image.

docker run -it swen90006 /bin/bash

Week 7: Introduction to Security Testing

Compile a buggy program named check_pin. To demonstrate the stack overflow vulnerability in check_pin, we add the -fno-stack-protector option, which tells the compiler (gcc) to disable its stack protector.

cd $WORKDIR
gcc -o check_pin check_pin.c -fno-stack-protector

Run the random fuzzer on the check_pin example.

cd $WORKDIR
random_fuzzer.sh ./check_pin 20 results-random

Run the mutation-based fuzzer on the check_pin example.

cd $WORKDIR
mutation_fuzzer.sh ./check_pin 1234 20 results-mutation
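The mutation_fuzzer.sh script itself is not shown on this page. The following is an added example, not the course's script, of what a minimal mutation-based fuzzer does: it takes a seed input, derives mutants with three operators (bit flip, byte insertion, byte deletion), runs the program under test on each mutant, and keeps only the inputs that made the target die from a signal (e.g. SIGSEGV from the stack overflow in check_pin). It assumes the target reads its input from the file path given as argv[1]; the argument order mirrors the lecture command (target, seed, iterations, results directory).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* xorshift32 PRNG: a fixed seed makes a fuzzing run reproducible. */
static uint32_t rng_state = 1u;
void rng_seed(uint32_t s) { rng_state = s ? s : 1u; }
uint32_t rng_next(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Apply one mutation operator (bit flip, byte insertion, byte deletion) to seed.
 * out must hold seed_len + 1 bytes; returns the mutant's length.
 * Every mutant differs from the seed. */
size_t mutate(const unsigned char *seed, size_t seed_len, unsigned char *out) {
    size_t len = seed_len;
    memcpy(out, seed, len);
    switch (len == 0 ? 1 : rng_next() % 3) {   /* an empty seed can only grow */
    case 0:                                     /* flip one bit of one byte */
        out[rng_next() % len] ^= (unsigned char)(1u << (rng_next() % 8));
        break;
    case 1: {                                   /* insert one random byte */
        size_t pos = rng_next() % (len + 1);
        memmove(out + pos + 1, out + pos, len - pos);
        out[pos] = (unsigned char)rng_next();
        len++;
        break;
    }
    default: {                                  /* delete one byte */
        size_t pos = rng_next() % len;
        memmove(out + pos, out + pos + 1, len - pos - 1);
        len--;
        break;
    }
    }
    return len;
}

/* Run target with input_path as argv[1] (assumption: the program under test reads its
 * input from that file). Returns the terminating signal number if the target crashed,
 * 0 if it exited normally, -1 on a fork/wait error. */
int run_target(const char *target, const char *input_path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        freopen("/dev/null", "w", stdout);      /* keep the target's output out of the log */
        freopen("/dev/null", "w", stderr);
        execl(target, target, input_path, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* Generate n mutants of seed, run each, keep only the crash-triggering ones in results_dir. */
int fuzz(const char *target, const unsigned char *seed, size_t seed_len, int n, const char *results_dir) {
    unsigned char *buf = malloc(seed_len + 1);
    int crashes = 0;
    mkdir(results_dir, 0755);
    for (int i = 0; i < n && buf; i++) {
        size_t len = mutate(seed, seed_len, buf);
        char path[512];
        snprintf(path, sizeof path, "%s/crash-%d", results_dir, i);
        FILE *f = fopen(path, "wb");
        if (!f) break;
        fwrite(buf, 1, len, f);
        fclose(f);
        int sig = run_target(target, path);
        if (sig > 0) { crashes++; printf("input %d crashed the target with signal %d\n", i, sig); }
        else remove(path);                      /* non-crashing mutants are not worth keeping */
    }
    free(buf);
    return crashes;
}

/* Usage mirrors the lecture script: ./mutation_fuzzer ./check_pin 1234 20 results-mutation */
int main(int argc, char **argv) {
    if (argc != 5) {
        fprintf(stderr, "usage: %s <target> <seed-input> <iterations> <results-dir>\n", argv[0]);
        return 2;
    }
    rng_seed(0x5EED1234u);                      /* change the seed to explore a different run */
    int crashes = fuzz(argv[1], (const unsigned char *)argv[2], strlen(argv[2]), atoi(argv[3]), argv[4]);
    printf("%d crash-triggering input(s) saved in %s\n", crashes, argv[4]);
    return 0;
}
```

Crashes are detected purely from the wait status (WIFSIGNALED), which is exactly why the lecture compiles check_pin with -fno-stack-protector: with the protector enabled, a smashed stack is turned into a controlled abort before the overflow reaches the return address, and the fuzzer would see SIGABRT instead of SIGSEGV.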

Week 8: Generation-based Blackbox Fuzzing and Code Coverage-guided Greybox Fuzzing

This week we fuzz test LibPNG, the official PNG reference library.

Fuzzing LibPNG using Generation-based Blackbox Fuzzing (e.g., Peach Fuzzer)

Compile the newest version of LibPNG. Once compilation is done, all LibPNG utilities (e.g., pngimage) should be in the libpng folder.

cd $WORKDIR
git clone https://github.com/glennrp/libpng.git 
cd libpng
autoreconf -f -i
./configure --disable-shared
make clean all

Fuzz pngimage, a specific utility in LibPNG, using the Peach input generator with no seed inputs, i.e., inputs are generated directly from the given input model (the Pit file png_pit_no_seeds.xml).

cd $WORKDIR
generation_fuzzer.sh libpng/pngimage png_pit_no_seeds.xml 20 results-no-seeds

Fuzz pngimage using the Peach input generator with seed inputs, which are stored in a folder named 'in'.

cd $WORKDIR
mkdir in
cp libpng/*.png in/
generation_fuzzer.sh libpng/pngimage png_pit.xml 20 results-with-seeds

Fuzzing LibPNG using Code Coverage-guided Greybox Fuzzing (e.g., American Fuzzy Lop (AFL))

Compile LibPNG with the AFL instrumentation pass (afl-clang-fast) so that code coverage information can be collected dynamically while the program under test runs. Note that, unlike the Peach fuzzer, the vanilla AFL fuzzer cannot detect and fix integrity checks such as checksums, so we disable the CRC checks in the LibPNG source code by applying a simple patch (the sed command below).

cd $WORKDIR
git clone https://github.com/glennrp/libpng.git libpng-afl
cd libpng-afl
sed -i 's/return ((int)(crc != png_ptr->crc));/return (0);/g' pngrutil.c
autoreconf -f -i
CC=afl-clang-fast ./configure --disable-shared
make clean all
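Why the CRC check has to go before mutation-based fuzzing, shown on a miniature PNG-style chunk parser. This is an added example, not LibPNG's code: it uses the same CRC-32 as PNG and the same chunk layout (4-byte big-endian length, 4-byte type, data, CRC over type and data), but the parser is a stand-in. A single mutated data byte makes the CRC fail, so with verification on the fuzzer never reaches the code that actually handles the chunk; with verification off (the equivalent of the sed patch above) the mutant gets through.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bitwise CRC-32 (reflected, polynomial 0xEDB88320): the CRC that PNG chunks carry. */
uint32_t crc32(const unsigned char *buf, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static uint32_t get_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put_be32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Build a PNG-style chunk into out (which must hold dlen + 12 bytes); returns its size. */
size_t build_chunk(const char type[4], const unsigned char *data, uint32_t dlen, unsigned char *out) {
    put_be32(out, dlen);
    memcpy(out + 4, type, 4);
    memcpy(out + 8, data, dlen);
    put_be32(out + 8 + dlen, crc32(out + 4, 4 + dlen));   /* CRC covers type + data */
    return dlen + 12;
}

/* Parse one chunk. Returns 1 when the layout is sound (and the CRC matches, if verify_crc
 * is non-zero), 0 otherwise. The length field is bounds-checked before anything else so a
 * mutated length cannot make the parser read past the buffer. */
int parse_chunk(const unsigned char *buf, size_t len, int verify_crc, char type_out[5]) {
    if (len < 12) return 0;
    uint32_t dlen = get_be32(buf);
    if (dlen > len - 12) return 0;
    if (verify_crc && crc32(buf + 4, 4 + dlen) != get_be32(buf + 8 + dlen)) return 0;
    memcpy(type_out, buf + 4, 4);
    type_out[4] = '\0';
    return 1;
}

int main(void) {
    unsigned char chunk[32];
    char type[5];
    /* constructed sample: a tEXt chunk carrying "hello" */
    size_t n = build_chunk("tEXt", (const unsigned char *)"hello", 5, chunk);
    printf("original chunk, CRC on:  %d\n", parse_chunk(chunk, n, 1, type));
    chunk[8] ^= 0x01;                                       /* one-bit mutation, as a fuzzer would do */
    printf("mutated chunk,  CRC on:  %d\n", parse_chunk(chunk, n, 1, type));
    printf("mutated chunk,  CRC off: %d\n", parse_chunk(chunk, n, 0, type));
    return 0;
}
```

Disabling the check is only acceptable in the fuzzing build; a coverage-guided fuzzer can in principle learn to satisfy a CRC by itself but would spend almost all of its budget doing so. Keep the length bounds check in place even in the fuzzing build, since that is a memory-safety check rather than an integrity check.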

Fuzz pngimage using AFL. AFL takes the sample inputs from the in folder, mutates them, and stores interesting inputs in the out folder. @@ is a placeholder that AFL replaces with the path of the input file it generated.

cd $WORKDIR
afl-fuzz -i in -o out -- libpng-afl/pngimage @@

Fuzzing good_bad function using AFL

To fuzz test the good_bad function, we need to wrap it in a so-called test driver that contains a main function as an entry point. The main function reads a file as input, reads the first 4 bytes from that file, and passes them to the good_bad function. @@ is a placeholder that AFL replaces with the path of the input file it generated.

cd $WORKDIR
afl-clang-fast -o good_bad_fuzz good_bad_fuzz.c
mkdir in-afl
echo "good" > in-afl/good.txt
afl-fuzz -d -i in-afl -o out-afl -- ./good_bad_fuzz @@

The generated inputs, including the crash-triggering ones, should be available inside the out-afl folder.
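The shape of such a test driver, as an added example rather than the course's good_bad_fuzz.c. The good_bad function here is a hypothetical stand-in (the real one is not on this page): it returns 0 ("good") when all four bytes are printable ASCII and 1 ("bad") otherwise. The point the example adds is the length check in the harness: AFL will happily produce files shorter than 4 bytes, and a driver that reads 4 bytes unconditionally would report crashes that belong to the driver, not to the function under test.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical stand-in for the lecture's good_bad function (not the course's code):
 * 0 means "good" (all four bytes printable ASCII), 1 means "bad". */
int good_bad(const unsigned char pin[4]) {
    for (int i = 0; i < 4; i++)
        if (!isprint(pin[i])) return 1;
    return 0;
}

/* Harness entry point: validate the fuzzer-provided buffer before handing 4 bytes to
 * good_bad. Returns -1 for inputs shorter than 4 bytes so short files never cause an
 * over-read inside the driver itself. */
int harness(const unsigned char *data, size_t len) {
    if (len < 4) return -1;
    unsigned char first4[4];
    memcpy(first4, data, 4);
    return good_bad(first4);
}

/* Read the whole file into a malloc'd buffer; returns its length or -1 on error. */
long read_file(const char *path, unsigned char **out) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return -1; }
    long len = ftell(f);
    if (len < 0) { fclose(f); return -1; }
    rewind(f);
    *out = malloc(len > 0 ? (size_t)len : 1);
    if (!*out) { fclose(f); return -1; }
    long got = (long)fread(*out, 1, (size_t)len, f);
    fclose(f);
    return got == len ? len : -1;
}

/* afl-fuzz runs this as: ./good_bad_fuzz <generated-input-file> */
int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <input-file>\n", argv[0]);
        return 2;
    }
    unsigned char *data = NULL;
    long len = read_file(argv[1], &data);
    if (len < 0) return 1;
    int result = harness(data, (size_t)len);
    free(data);
    printf("good_bad result: %d\n", result);
    return 0;
}
```

The driver returns 0 regardless of what good_bad reports, because AFL counts a run as a finding only when the process dies from a signal; the interesting outcome is a crash inside good_bad, not its return value.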

Contributors

thuanpv
