Malware and Software Vulnerability Analysis: Q&A of Fuzzing Programming Project 2
Cliff Zou, University of Central Florida


Manual Bugs Added

The original code is a C++ program: 'jpg2bmp.cpp'.

All 8 bugs are segmentation fault (11) or illegal instruction fault (6), added manually by me with the following code:

    int (*foo)(void);   /* function pointer definition */
    ....
    fprintf(stderr, "Bug #2 triggered.\n");
    int (*foo)(void) = (int (*)(void))0xbffbffff;
    foo();  /* this will trigger illegal instruction fault */

They are added in places where the program processes the image parameters.

Input Processing

Question: I understand the concept of fuzzing and I am clear about the example program discussed in class. However, the project assignment is totally different in that the input needs to be a file instead of argv[], and we need to record the modified image file that causes a crash instead of simply calling printf() as in the example. I am not clear as to how to do that!

Input Processing

Answer: Your fuzzer program needs to use the given 'cross.jpg' image file to generate a mutated JPEG file, say 'test.jpg', and feed it to jpg2bmp for execution.

Open and read the 'cross.jpg' file in binary mode. In C code it could be:

    fin = fopen("./cross.jpg", "rb");
    fout = fopen("./test.jpg", "wb");

Read the 'cross.jpg' file as a byte stream into a character array variable buff[] that you define. Make sure the array has enough space to hold the whole image file.

Input Processing

Modify this character array variable buff[] in whatever way you want (mutation). You don't need to know the structure of the JPEG format, since we are doing mutation-based fuzzing, which does not assume you know anything about the format of the input.

Write this character array variable back to the 'test.jpg' file.

Execute jpg2bmp to process the 'test.jpg' file, such as:

    char comBuf[200];
    sprintf(comBuf, "./jpg2bmp test.jpg temp.bmp");
    ret = system(comBuf);

In C code, reading and writing the file can use the fread() and fwrite() functions, or any other C file operation functions.

Automatic File Name Creation

Question: I am looking for a way in which I could save each input image that triggers each bug, instead of just saving the last crashing image. So how can I read from the command prompt to check for the bug number?

Question: If I generated 10,000 mutated image files for the fuzzing test, will I need to save all of them? How do I save only the image files that cause a crash? How do I know which bug is triggered by each crashing image?

Automatic File Name Creation

Answer: All "Bug #x triggered" messages are printed to stderr, which is hard to read while the fuzzer keeps running and generating stderr output.

A simple, if not intelligent, way is: keep a counter variable n and increase it by 1 whenever a crash (segmentation fault) happens, then save the image file that caused the crash under the file name fileName = 'crashed-n.jpg' and call

    fprintf(stderr, "file %s is generated\n", fileName);

so that this crash number appears right after the "Bug #x triggered" message that the program printed to stderr.

So after the fuzzing test produces, for example, 1000 crashes, my fuzzer has produced 1000 crashed-x.jpg image files under the current directory. Then I can check the stderr output (redirected and saved to a text file) to see which bug number produced which crashed-n.jpg.

Automatic File Name Creation

It is easy to generate a variable file name, such as:

    char fileName[30];
    int n;
    ....
    sprintf(fileName, "crashed-%d.jpg", n);
    fout = fopen(fileName, "wb");

Unlabeled Bugs

Besides the 8 manually added bugs, the original code has an additional segmentation fault bug. This is a real bug in the original code! But this bug will not be counted as one of the 7 out of 8 bugs required to be discovered.

Completeness

Question: Hi Professor, can you give any hints for how to find Bugs 3 and 6? I found all others multiple times but not these two.

Answer: You can modify your fuzzer code to mutate the cross.jpg file in different ways, and then test the new fuzzer code with another round of, for example, 1000 mutated image files.

Mutation Ways:
Change one byte at a random location to a random value.
Change m consecutive bytes at a random location to all zero.
Change m bytes at m random locations to value 255.
…….
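
Added example (not part of the original slides or the project's own code): a minimal C fuzzer that ties the answers above together, covering the three mutation ways, the run through system(), crash detection, and saving each crashing input as crashed-n.jpg. It goes one step beyond the slides by also treating the shell's "exit code 128+signal" as a crash. Assumptions: ./cross.jpg and ./jpg2bmp are in the current directory; the names mutate and crash_signal, the 1 MiB buffers and m = 4 are choices made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/wait.h>

/* Apply one of the three mutations listed above to buf[0..len-1] (len > 0). */
void mutate(unsigned char *buf, size_t len, int way, size_t m) {
    size_t pos = (size_t)rand() % len;
    if (m > len) m = len;
    if (way == 0)                       /* one random byte -> random value */
        buf[pos] = (unsigned char)(rand() & 0xff);
    else if (way == 1)                  /* m consecutive bytes -> all zero */
        memset(buf + (pos > len - m ? len - m : pos), 0, m);
    else                                /* m bytes at random places -> 255 */
        while (m--) buf[(size_t)rand() % len] = 255;
}

/* Signal that killed the target, or 0. system() goes through /bin/sh, which
   may report a crash as exit code 128+signal instead of a signaled status. */
int crash_signal(int status) {
    if (status == -1) return 0;         /* system() itself failed */
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    if (WIFEXITED(status) && WEXITSTATUS(status) > 128)
        return WEXITSTATUS(status) - 128;
    return 0;
}

int main(void) {
    static unsigned char seed[1 << 20], buf[1 << 20]; /* assumed >= file size */
    char fileName[30];
    FILE *fout, *fin = fopen("./cross.jpg", "rb");
    size_t len = fin ? fread(seed, 1, sizeof seed, fin) : 0;
    if (fin) fclose(fin);
    if (len == 0) { fprintf(stderr, "cannot read cross.jpg\n"); return 1; }
    srand((unsigned)time(NULL));
    for (int i = 0, n = 0; i < 1000; i++) {
        memcpy(buf, seed, len);         /* mutate a fresh copy of the seed */
        mutate(buf, len, i % 3, 4);
        fout = fopen("./test.jpg", "wb");
        if (!fout || fwrite(buf, 1, len, fout) != len || fclose(fout)) return 1;
        int sig = crash_signal(system("./jpg2bmp test.jpg temp.bmp"));
        if (sig == 0) continue;
        snprintf(fileName, sizeof fileName, "crashed-%d.jpg", ++n);
        if (rename("./test.jpg", fileName) == 0)   /* keep the crashing input */
            fprintf(stderr, "file %s is generated (signal %d)\n", fileName, sig);
    }
    return 0;
}
```

Redirect stderr to a text file when running it, so that each "file crashed-n.jpg is generated" line can be matched with the "Bug #x triggered" line printed just before it.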