quickjs-tart

quickjs-based runtime for wallet-core logic

README.md (2528B)


What is it?
------

This directory contains fuzz targets.
Fuzz targets are small programs that exercise the library.
They are used with a so-called fuzz driver, which generates inputs, tries to process them with the fuzz target, and alerts in case of unwanted behavior (such as a buffer overflow, for instance).

These targets were meant to be used with oss-fuzz but can be used in other contexts.

This code was contributed by Philippe Antoine (Catena cyber).

How to run?
------

To run the fuzz targets like oss-fuzz:
```
git clone https://github.com/google/oss-fuzz
cd oss-fuzz
python infra/helper.py build_image mbedtls
python infra/helper.py build_fuzzers --sanitizer address mbedtls
python infra/helper.py run_fuzzer mbedtls fuzz_client
```
You can use the `undefined` sanitizer as well as the `address` sanitizer.
And you can run any of the fuzz targets like `fuzz_client`.

To run the fuzz targets without oss-fuzz, you first need to install one libFuzzingEngine (libFuzzer for instance).
Then you need to compile the code with the compiler flags for the sanitizer you want.
```
python scripts/config.py set MBEDTLS_PLATFORM_TIME_ALT
mkdir build
cd build
cmake ..
make
```
Finally, you can run the targets like `./test/fuzz/fuzz_client`.


Corpus generation for network traffic targets
------

These targets use network traffic as inputs:
* client: simulates a client against (fuzzed) server traffic
* server: simulates a server against (fuzzed) client traffic
* dtls_client
* dtls_server

They also use the last bytes of the input as configuration options.

To generate a corpus for these targets, you can follow these (not fully automated) steps:
* Build the mbedtls programs ssl_server2 and ssl_client2
* Run them one against the other with the `reproducible` option turned on while capturing traffic into test.pcap
* Extract the TCP payloads, for instance with tshark: `tshark -Tfields -e tcp.dstport -e tcp.payload -r test.pcap > test.txt`
* Run a dummy python script to output either the client or the server corpus file, like `python dummy.py test.txt > test.cor`
* Finally, you can add the options by appending the last bytes to the file test.cor

Here is an example of dummy.py for extracting the payload from client to server (if we used `tcp.dstport` in the tshark command):
```
import sys
import binascii

# Each line of test.txt is "<tcp.dstport>\t<tcp.payload>"; segments without
# payload (SYN, pure ACK) have only the port field and are skipped.
with open(sys.argv[1]) as f:
    for l in f:
        portAndPl = l.split()
        if len(portAndPl) == 2:
            # determine client or server based on port: 4433 is the default
            # ssl_server2 port, so this keeps the client -> server direction
            if portAndPl[0] == "4433":
                # write raw bytes (print() would emit the b'...' repr in Python 3)
                sys.stdout.buffer.write(binascii.unhexlify(portAndPl[1].replace(":", "")))
```
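The following is an added example, not code from the original README or from the mbedtls project: it generalizes dummy.py by splitting the same tshark output into both directions in one pass, so the client -> server bytes become the fuzz_server corpus and the server -> client bytes become the fuzz_client corpus, and it appends the trailing option bytes. The server port 4433 (the ssl_server2 default), the output file names and the sample lines are assumptions; the page does not describe the option encoding, so the option bytes are passed in as-is.

```python
import binascii
import sys

# Default listening port of ssl_server2 (assumption: the capture used the default).
SERVER_PORT = "4433"


def split_corpus(tshark_lines, server_port=SERVER_PORT):
    """Split `tshark -Tfields -e tcp.dstport -e tcp.payload` output by direction.

    Returns (to_server, to_client): the concatenated TCP payload bytes sent
    to the server (fuzz_server input) and to the client (fuzz_client input).
    Segments without payload (SYN, pure ACK) have no second column and are skipped.
    """
    to_server, to_client = bytearray(), bytearray()
    for line in tshark_lines:
        fields = line.split()
        if len(fields) != 2:
            continue
        dstport, payload_hex = fields
        # tshark prints bytes as "16:03:01:..." and joins repeated fields with ","
        payload = binascii.unhexlify(payload_hex.replace(":", "").replace(",", ""))
        if dstport == server_port:
            to_server += payload
        else:
            to_client += payload
    return bytes(to_server), bytes(to_client)


def make_corpus_file(payload, options):
    """A corpus file is the captured payload followed by the option bytes the
    target reads from the end of its input (the encoding depends on the target)."""
    return payload + options


# Constructed sample of tshark output: two records to the server, a payload-less
# ACK, and one record back to the client on an ephemeral port.
SAMPLE_LINES = [
    "4433\t16:03:01:00:04:01:00:00:00",
    "4433\t",
    "51234\t16:03:03:00:02:02:00",
    "4433\t17:03:03:00:01:ff",
]

if __name__ == "__main__":
    with open(sys.argv[1]) as f:
        to_server, to_client = split_corpus(f)
    options = bytes.fromhex(sys.argv[2]) if len(sys.argv) > 2 else b""
    with open("server.cor", "wb") as out:
        out.write(make_corpus_file(to_server, options))
    with open("client.cor", "wb") as out:
        out.write(make_corpus_file(to_client, options))
```

Run it as `python split_corpus.py test.txt <option-bytes-hex>` to get server.cor and client.cor from one capture.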