Security Testing

Dear all,

the planned talk by Christian Holler this Thursday had to be cancelled on short notice.  Hence, there will be no lecture this week; feel free to spend the extra time on your final projects.

Christian will give his talk on "fuzzing in the large" later this Spring; we will send out an invite to you all as soon as the details are fixed.

We will also run a "Fuzzing lab" seminar this Summer semester, where you will have the opportunity to apply the techniques from the lecture on a large project.; Details on the seminar and how to register will be announced here as well.

Thank you very much for joining us in the course – it's been a great time for us, and we hope you had some fun, too!

Keep on fuzzing,

Andreas Zeller

We uploaded project 6. The official starting date of this project is Thursday, 2/1/2018. Nevertheless, you can start with the project from now on. Furthermore, since the exam phase is now also starting, you will receive 3 weeks of working time. If you have any questions (especially regarding the assignment), please do not hesitate to ask questions.

If you find that the memory usage of your Python program is increasing suspiciously, Python 3.4 and later has a new memory profiling API called tracemalloc. The tracemalloc module allows you to take a snapshot of your memory at various points, and compare them to determine which objects have grown.

An example from the Python documentation below:

import tracemalloc
tracemalloc.start()
# ... start your application ...

snapshot1 = tracemalloc.take_snapshot()
# ... call the function leaking memory ...
snapshot2 = tracemalloc.take_snapshot()

top_stats = snapshot2.compare_to(snapshot1, 'lineno')

print("[ Top 10 differences ]")
for stat in top_stats[:10]:
    print(stat)

 

    # TODO for STUDENTS: Change example.cgi_decode to the given function
    import example
    ffn.capture_coverage(lambda: example.cgi_decode(term))
    cov_arcs = {(i,j) for f,i,j,src,l in ffn.cdata_arcs}

Note that in `evofuzz.py` you have this TODO:

    # TODO for STUDENTS: Change example.cgi_decode to the given function
    import example
    ffn.capture_coverage(lambda: example.cgi_decode(term))
    cov_arcs = {(i,j) for f,i,j,src,l in ffn.cdata_arcs}

There are two things to notice here. The first is that you are collecting the coverage only for the `cgi_decode` or the corresponding function. However, if you trace how the branch coverage gets called, you will see that the branch coverage includes lines from evofuzz.py. Your first job is to filter that. (This is why the cov_arcs assignment is left as a statement there.) Filter the cov_arcs to contain only those lines that belong to `cgi_decode` or whichever function you are using. You can query the CFG (cfg variable) which is a hashmap with lines as keys for those lines that belong to a specific function.

Second, you do not need the sentinel node. You will get errors saying node '0' is not present in branch_cov. You can safely delete the node 0 by

del ffn.branch_cov[0]

You will need to do the same while collecting the covered/not-covered nodes. That is, choose only those nodes such that both parent and child are in cfg, and has function `cgi_decode`.

Here is another piece of the puzzle. You need to only look for uncovered nodes within the function cgi_decode and check_triangle. That is, you can safely filter out the nodes from the main when you look for un-covered nodes. The following fragment will do that for you.

    def useful(p): return ffn.cfg[p]['function'] not in ['', 'main']
    def not_covered_nodes(cfg):
        not_covered = set()
        for l in ffn.cfg:
            if not useful(l): continue
            for p in ffn.cfg[l]['parents']:
                if not useful(p): continue
                if (p, l) not in cov_arcs: not_covered.add((p, l))
        return not_covered
    not_covered = not_covered_nodes(ffn.cfg)

You are welcome to ping me or come to my office if you are completely stuck.

For those on Ubuntu 16.xx that are unable to install pygraphviz, it is possible to make do with a pure python library called pydot. Once you have installed pydot with pip3 install pydot, these are the changes in pycfg.py that can get you the dot file. Once you have the dot file created with a command such as python3 pycfg.py cgidecode.py -d -y example.cov, you can open the dotfile, and paste its contents in `http://viz-js.com/` to view the generated graph.

 

diff --git a/07-Search-Based Fuzzing/code/pycfg.py b/07-Search-Based Fuzzing/code/pycfg.py
index 298f85d..a4e6d5a 100755
--- a/07-Search-Based Fuzzing/code/pycfg.py
+++ b/07-Search-Based Fuzzing/code/pycfg.py
@@ -9,7 +9,7 @@ Use http://viz-js.com/ to view digraph output
 import ast
 import re
 import astunparse
-import pygraphviz
+import pydot

 class CFGNode(dict):
     registry = 0
@@ -68,24 +68,25 @@ class CFGNode(dict):
             for i in ['if', 'while', 'for', 'elif']:
                 v = re.sub(r'^_%s:' % i, '%s:' % i, v)
             return v
-        G = pygraphviz.AGraph(directed=True)
+        G = pydot.Graph('mygrap', graph_type='digraph')
         cov_lines = [i for i,j in arcs]
         for nid, cnode in CFGNode.cache.items():
-            G.add_node(cnode.rid)
+            node = pydot.Node(cnode.rid)
+            G.add_node(node)
             n = G.get_node(cnode.rid)
             lineno = cnode.lineno()
-            n.attr['label'] = "%d: %s" % (lineno, unhack(cnode.source()))
+            node.set('label', "%d: %s" % (lineno, unhack(cnode.source())))
             for pn in cnode.parents:
                 plineno = pn.lineno()
                 if arcs:
                     if  (plineno, lineno) in arcs:
-                        G.add_edge(pn.rid, cnode.rid, color='blue')
+                         G.add_edge(pydot.Edge(pn.rid, cnode.rid, color='blue'))
                     elif plineno == lineno and lineno in cov_lines:
-                        G.add_edge(pn.rid, cnode.rid, color='blue')
+                         G.add_edge(pydot.Edge(pn.rid, cnode.rid, color='blue'))
                     else:
-                        G.add_edge(pn.rid, cnode.rid, color='red')
+                         G.add_edge(pydot.Edge(pn.rid, cnode.rid, color='red'))
                 else:
-                    G.add_edge(pn.rid, cnode.rid)
+                    G.add_edge(pydot.Edge(pn.rid, cnode.rid))
         return G

 class PyCFG:
@@ -421,8 +422,7 @@ if __name__ == '__main__':
         cfg = PyCFG()
         cfg.gen_cfg(slurp(args.pythonfile).strip())
         g = CFGNode.to_graph(arcs)
-        g.draw('out.png', prog='dot')
-        print(g.string(), file=sys.stderr)
+        print(g.to_string(), file=sys.stderr)
     elif args.cfg:
         cfg,first,last = get_cfg(args.pythonfile)
         for i in sorted(cfg.keys()):

We fixed a small error in the JSON grammar which caused a "No Parse" for some of your generated inputs. A wrong ordering in the "$NUMBER" production rule caused the faulty behavior.

Please make sure to update to the latest version of the "project3.zip" file, in particular the newest JSON grammar file.

We found a bug in the branch distance computation and updated the slides of lecture 7 accordingly. Also, we updated the files under "Code Samples" and in project 3. 

Please update your project code accordingly (i.e. interp.py and dexpr.py).

Furthermore, we made some clarifications regarding the needed dependencies of our provided libraries in the project 3 description.