Jef 20d28e80a5 Initial community commit | 1 month ago | |
---|---|---|
.. | ||
corpuses | 1 month ago | |
.gitignore | 1 month ago | |
CMakeLists.txt | 1 month ago | |
README.md | 1 month ago | |
common.c | 1 month ago | |
common.h | 1 month ago | |
fuzz_client.c | 1 month ago | |
fuzz_client.options | 1 month ago | |
fuzz_dtlsclient.c | 1 month ago | |
fuzz_dtlsclient.options | 1 month ago | |
fuzz_dtlsserver.c | 1 month ago | |
fuzz_dtlsserver.options | 1 month ago | |
fuzz_privkey.c | 1 month ago | |
fuzz_privkey.options | 1 month ago | |
fuzz_pubkey.c | 1 month ago | |
fuzz_pubkey.options | 1 month ago | |
fuzz_server.c | 1 month ago | |
fuzz_server.options | 1 month ago | |
fuzz_x509crl.c | 1 month ago | |
fuzz_x509crl.options | 1 month ago | |
fuzz_x509crt.c | 1 month ago | |
fuzz_x509crt.options | 1 month ago | |
fuzz_x509csr.c | 1 month ago | |
fuzz_x509csr.options | 1 month ago | |
onefile.c | 1 month ago |
This directory contains fuzz targets. Fuzz targets are simple codes using the library. They are used with a so-called fuzz driver, which will generate inputs, try to process them with the fuzz target, and alert in case of an unwanted behavior (such as a buffer overflow for instance).
These targets were meant to be used with oss-fuzz but can be used in other contexts.
This code was contributed by Philippe Antoine ( Catena cyber ).
To run the fuzz targets like oss-fuzz:
git clone https://github.com/google/oss-fuzz
cd oss-fuzz
python infra/helper.py build_image mbedtls
python infra/helper.py build_fuzzers --sanitizer address mbedtls
python infra/helper.py run_fuzzer mbedtls fuzz_client
You can use undefined
sanitizer as well as address
sanitizer.
And you can run any of the fuzz targets like fuzz_client
.
To run the fuzz targets without oss-fuzz, you first need to install one libFuzzingEngine (libFuzzer for instance). Then you need to compile the code with the compiler flags of the wished sanitizer.
perl scripts/config.py set MBEDTLS_PLATFORM_TIME_ALT
mkdir build
cd build
cmake ..
make
Finally, you can run the targets like ./test/fuzz/fuzz_client
.
These targets use network trafic as inputs :
They also use the last bytes as configuration options.
To generate corpus for these targets, you can do the following, not fully automated steps :
reproducible
option turned on while capturing trafic into test.pcaptshark -Tfields -e tcp.dstport -e tcp.payload -r test.pcap > test.txt
python dummy.py test.txt > test.cor
Here is an example of dummy.py for extracting payload from client to server (if we used tcp.dstport
in tshark command)
import sys
import binascii
f = open(sys.argv[1])
for l in f.readlines():
portAndPl=l.split()
if len(portAndPl) == 2:
# determine client or server based on port
if portAndPl[0] == "4433":
print(binascii.unhexlify(portAndPl[1].replace(":","")))