part 2 step 0

David Westgate 2024-06-07 23:03:33 -07:00
parent c39e782ffc
commit 0920367ba9
8 changed files with 99 additions and 138 deletions

View File

@ -45,12 +45,12 @@ As understood in the Step 0 instructions, we have already applied the `ceeb4f4`
## Step-3 Fuzzing ## Step-3 Fuzzing
We begin the fuzzing process running the supplied command We begin the fuzzing process running the supplied command.
``` ```
afl-fuzz -d -i $AFLNET/tutorials/live555/in-rtsp -o out-live555 -N tcp://127.0.0.1/8554 -x $AFLNET/tutorials/live555/rtsp.dict -P RTSP -D 10000 -q 3 -s 3 -E -K -R ./testOnDemandRTSPServer 8554 afl-fuzz -d -i $AFLNET/tutorials/live555/in-rtsp -o out-live555 -N tcp://127.0.0.1/8554 -x $AFLNET/tutorials/live555/rtsp.dict -P RTSP -D 10000 -q 3 -s 3 -E -K -R ./testOnDemandRTSPServer 8554
``` ```
It seems off to a good start, and I will let this run for some time and check back later. In this case, I will use the provided seed corpus. It seems off to a good start, and I will let this run for some time and check back later. Due to the time investment of this fuzzing effort, I will use the provided seed corpus and not the one I generted in step 1. Though I am mostly confident I followed step 1 correctly, I do not wish to find out in a day that I may have made a mistake.
![begin-fuzz](./part1/step3/begin-fuzz.png) ![begin-fuzz](./part1/step3/begin-fuzz.png)
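Review bot: typo in the added sentence of the Step-3 paragraph, "the one I generted in step 1" should read "the one I generated in step 1". Since the paragraph now states that the step-1 corpus is deliberately not used, name where that corpus lives (the `-i` argument in the command above points at the tutorial's `in-rtsp` directory), so a reader can rerun the campaign with the self-generated seeds later.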
@ -76,11 +76,103 @@ Here is another example of performing and `aflnet-replay` with one of the replay
# Part 2 - Our own example # Part 2 - Our own example
I will run through this exercise again choosing my own example. In this case, I have chosen to follow the [OpenSSH Example](https://github.com/profuzzbench/profuzzbench/tree/master/subjects/SSH/OpenSSH) I will run through this exercise again choosing my own example from the other provided tutorials in this container. In the `$AFLNET/tutorials` directory, we see some options
![tutorials](./part2/tutorials.png)
I will choose to focus on the ippsample, which seems to be a fuzzing exercise for the Internet Printing Protocol (IPP). Included in this tutorial is a README, so I now will show my progress following along the steps provided there.
## Step-0. Server compilation & setup
I'll run the following bash commands to ensure I am fuzzing the correct version
```bash
export WORKDIR=$(pwd)
cd $WORKDIR
# Install requirements
sudo apt-get -qq update
sudo apt-get install -y build-essential autoconf avahi-daemon avahi-utils cura-engine libavahi-client-dev libfreetype6-dev libgnutls28-dev libharfbuzz-dev libjbig2dec0-dev libjpeg-dev libmupdf-dev libnss-mdns libopenjp2-7-dev libpng-dev zlib1g-dev net-tools iputils-ping vim avahi-daemon tcpdump man curl git
# Clone ippsample repository
git clone https://github.com/istopwg/ippsample.git ippsample
# Move to the folder
cd ippsample
# Checkout a specific version
git checkout 1ee7bcd4d0ed0e1e49b434c0ab296bb0c9499c0d
# Compile source
CC=$AFLNET/afl-clang ./configure
make clean all
```
At this point, I've installed the packages, cloned the repository, and checked out the designated commit
![checkout](./part2/step0/checkout.png)
Running the make command has also worked
![make](./part2/step0/make.png)
I can also see the server directory is populated as expected
![server](./part2/step0/server.png)
Once ippsample source code has been successfully compiled, we should see the server under test (ippserver) in the server folder. We can test the server by running the following commands using the client ipptool (tools folder).
I strongly suggest you to create a RAM disk for the printing spooler.
I now will run the following commands to create the RAM disk, and test the ipp server.
```bash
# Create a RAM disk
mkdir /tmp/afl-ramdisk
chmod 777 /tmp/afl-ramdisk
sudo mount -t tmpfs -o size=512M tmpfs /tmp/afl-ramdisk
export AFL_TEMP=/tmp/afl-ramdisk
mkdir $AFL_TEMP/spool
# Move to the folder containing ippserver
cd $WORKDIR/ippsample/server
# Run ippserver on port 631 (-p), adding MIME type support for text/plain (-f), spool in RAM disk (-d), with verbose output (-vvvv)
# You may need to run the following command with sudo
# WARNING: if you have cups installed, you should first stop it
./ippserver -p 631 -f text/plain -d $AFL_TEMP/spool -vvvv printerName
# If you have problem starting ippserver, you should need to start following services:
# sudo service dbus start && sudo service avahi-daemon
# In this example we try to print a txt and to cancel the printing job
# From another terminal, move to the folder containing ipptool (client)
cd $WORKDIR/ippsample/tools
# To get the URI of the printer(s), run ippfind
./ippfind
# Record traffic data with tcpdump
sudo tcpdump -i lo port 631 -w printAndCancelCurrentJobReq.pcap
# Run client to send a print request for the txt file (-f), produce a test report (-t), verbose output (-v), followed by the URI of the printer
./ipptool -f ../examples/testfile.txt -t -v ipp://127.0.0.1:631/ipp/print ../examples/print-job.test
# Run client to send a cancel job request for the job number 1 (-d), produce a test report (-t), verbose output (-v), followed by the URI of the printer
# You should run the following command immediately after the previus one
# If you aren't fast enough, you can edit the ../examples/print-job.test file to print more copies, for example 100: ATTR integer copies 100
./ipptool -t -v -d job-id=1 ipp://127.0.0.1:631/ipp/print ../examples/cancel-job.test
# If you get an error for job-id 1, stop the server and start it again, or change the job-id value in -d.
```
At the point shown here, I have the ipp server running, and I can see an address with ipp find
![ippfind](./part2/step0/ippfind.png)
Now, we've run the commands to send the print job and cancle it, along with taking a tcpdump at the time designated as [`printAndCancelCurrentJobReq.pcap`](./part2/step0/printAndCancelCurrentJobReq.pcap)
![capture](./part2/step0/capture.png)
## Step-1. Prepare message sequences as seed inputs
We have prepared a seed corpus to fuzz ippserver. If you want to create your own seed corpus, please follow the tutorial for fuzzing Live555 RTSP server included in the main AFLNet README.md.
In this case we have 2 seed inputs, one for the print request and one for the cancel job.
## Step-2. Fuzzing
```bash
cd $WORKDIR/ippsample/server
cp $AFLNET/tutorials/ippsample/ippcleanup.sh ./
chmod +x ippcleanup.sh
# Edit the ippcleanup.sh with the spool directory you choosed (/tmp/afl-ramdisk/spool in this case)
# You may need to run the following command with sudo
afl-fuzz -d -i $AFLNET/tutorials/ippsample/in-ipp/ -o out-ipp/ -N tcp://127.0.0.1/631 -x $AFLNET/tutorials/ippsample/ipp.dict -P IPP -D 100000 -t 2000 -q 3 -s 3 -E -K -R -m 150 -c ippcleanup.sh ./ippserver -p 631 -f text/plain -d /tmp/afl-ramdisk/spool printerName
```
## Step-1. Build a docker image
## Step-2. Run fuzzing
## Step-3. Collect the results
## Step-4. Analyze the results
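Review bot: the comment `# sudo service dbus start && sudo service avahi-daemon` in the Step-0 server block is missing the `start` verb for the second service; as written the second command prints the service usage instead of starting avahi-daemon, which the later `./ippfind` depends on. Two setup points in the same block: `export WORKDIR=$(pwd)` happens only in the first shell, yet the second terminal runs `cd $WORKDIR/ippsample/tools`, so state that WORKDIR must be exported there as well (or use an absolute path); and running `./ippserver -p 631` and the Step-2 `afl-fuzz ... -N tcp://127.0.0.1/631` line under sudo means both the instrumented target and the fuzzer run as root, which an unprivileged port avoids (change `-p` and `-N` together). `avahi-daemon` is also listed twice in the `apt-get install` line. Structure: the four headings `## Step-1. Build a docker image` through `## Step-4. Analyze the results` left at the end of the hunk are the outline of the abandoned OpenSSH plan and now collide with the new `Step-1`/`Step-2` headings; drop or renumber them. Prose: `cancle`, `choosed`, `previus`; and the sentences "I strongly suggest you to create a RAM disk", "We have prepared a seed corpus to fuzz ippserver" and "In this case we have 2 seed inputs" read as the tutorial README's own instructions, so quote or attribute them rather than presenting them in the author's voice.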

View File

@ -1,131 +0,0 @@
FROM ubuntu:20.04
# Install common dependencies
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get -y update && \
apt-get -y install sudo \
apt-utils \
build-essential \
openssl \
clang \
graphviz-dev \
git \
autoconf \
libgnutls28-dev \
libssl-dev \
llvm \
python3-pip \
nano \
net-tools \
vim \
gdb \
netcat \
strace \
wget
# Add a new user ubuntu, pass: ubuntu
RUN groupadd ubuntu && \
useradd -rm -d /home/ubuntu -s /bin/bash -g ubuntu -G sudo -u 1000 ubuntu -p "$(openssl passwd -1 ubuntu)"
RUN chmod 777 /tmp
RUN pip3 install gcovr==4.2
# Use ubuntu as default username
USER ubuntu
WORKDIR /home/ubuntu
# Import environment variable to pass as parameter to make (e.g., to make parallel builds with -j)
ARG MAKE_OPT
# Set up fuzzers
RUN git clone https://github.com/profuzzbench/aflnet.git && \
cd aflnet && \
make clean all $MAKE_OPT && \
cd llvm_mode && make $MAKE_OPT
RUN git clone https://github.com/profuzzbench/aflnwe.git && \
cd aflnwe && \
make clean all $MAKE_OPT && \
cd llvm_mode && make $MAKE_OPT
# Set up environment variables for AFLNet
ENV WORKDIR="/home/ubuntu/experiments"
ENV AFLNET="/home/ubuntu/aflnet"
ENV PATH="${PATH}:${AFLNET}:/home/ubuntu/.local/bin:${WORKDIR}"
ENV AFL_PATH="${AFLNET}"
ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 \
AFL_SKIP_CPUFREQ=1 \
AFL_NO_AFFINITY=1
RUN mkdir $WORKDIR
USER root
RUN apt-get -y install sshpass
COPY --chown=ubuntu:ubuntu rand.patch ${WORKDIR}/rand.patch
COPY --chown=ubuntu:ubuntu rand.inc ${WORKDIR}/rand.inc
# Set up environment variables for ASAN
env ASAN_OPTIONS='abort_on_error=1:symbolize=0:detect_leaks=0:detect_stack_use_after_return=1:detect_container_overflow=0:poison_array_cookie=0:malloc_fill_byte=0:max_malloc_fill_size=16777216'
# Download and compile OpenSSL 1.0.2
# (for compatibility with older OpenSSH used in this benchmark)
RUN cd ${WORKDIR} && \
git clone https://github.com/openssl/openssl openssl && \
cd openssl && \
git checkout 12ad22d && \
./Configure linux-x86_64-clang shared --prefix=$WORKDIR/openssl-install && \
make $MAKE_OPT && \
make install
ENV LD_LIBRARY_PATH="${WORKDIR}/openssl-install/lib"
# Download and compile OpenSSH for fuzzing
RUN cd ${WORKDIR} && \
git clone https://github.com/vegard/openssh-portable.git openssh && \
cd openssh && \
git checkout 7cfea58 && \
cp ${WORKDIR}/rand.inc . && \
patch -p1 < ${WORKDIR}/rand.patch && \
autoreconf && \
./configure \
CC="afl-clang-fast" \
CFLAGS="-g -O3 -I$WORKDIR/openssl-install/include" \
--prefix=$PWD/install \
--with-openssl=$WORKDIR/openssl-install \
--with-ldflags="-L$WORKDIR/openssl-install/lib" \
--with-privsep-path=$PWD/var-empty \
--with-sandbox=no \
--with-privsep-user=ubuntu && \
AFL_USE_ASAN=1 make $MAKE_OPT && \
make install
# Download and compile OpenSSH for coverage analysis
RUN cd ${WORKDIR} && \
git clone https://github.com/vegard/openssh-portable.git openssh-gcov && \
cd openssh-gcov && \
git checkout 7cfea58 && \
cp ${WORKDIR}/rand.inc . && \
patch -p1 < ${WORKDIR}/rand.patch && \
autoreconf && \
./configure \
CC="gcc" \
CFLAGS="-g -O3 -fprofile-arcs -ftest-coverage -I$WORKDIR/openssl-install/include" \
LDFLAGS="-fprofile-arcs -ftest-coverage" \
--with-openssl=$WORKDIR/openssl-install \
--with-ldflags="-L$WORKDIR/openssl-install/lib" \
--prefix=$PWD/install \
--with-privsep-path=$PWD/var-empty \
--with-sandbox=no \
--with-privsep-user=ubuntu && \
make $MAKE_OPT && \
make install
COPY --chown=ubuntu:ubuntu in-ssh ${WORKDIR}/in-ssh
COPY --chown=ubuntu:ubuntu ssh.dict ${WORKDIR}/ssh.dict
COPY --chown=ubuntu:ubuntu cov_script.sh ${WORKDIR}/cov_script
COPY --chown=ubuntu:ubuntu run.sh ${WORKDIR}/run
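Review bot: deleting this OpenSSH Dockerfile is consistent with Part 2 switching to ippsample, but the rewritten README now refers to "the other provided tutorials in this container" and relies on `$AFLNET`, `$AFLNET/tutorials/ippsample`, `$AFLNET/afl-clang` and `afl-fuzz` on PATH, and the AFL_* / ASAN_OPTIONS settings were only documented in this file (`ENV AFLNET`, `ENV PATH`, `ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 ...`, `env ASAN_OPTIONS=...`). Add a line to the README naming the image or Dockerfile the ippsample run executes in; otherwise the environment the Part 2 commands assume has no record left in the repository.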

BIN hw5/part2/step0/capture.png Normal file (binary, 341 KiB)
BIN (binary file, name not shown) Normal file (63 KiB)
BIN hw5/part2/step0/ippfind.png Normal file (binary, 171 KiB)
BIN hw5/part2/step0/make.png Normal file (binary, 90 KiB)
BIN hw5/part2/step0/server.png Normal file (binary, 28 KiB)
BIN hw5/part2/tutorials.png Normal file (binary, 11 KiB)