# SWEN90006 Tutorial 7

**NOTE** You are expected to prepare for this tutorial by sketching
answers to the tasks and questions before attending the tutorial.

## Introduction
The aim of this tutorial is to get you thinking about software security
and vulnerabilities, and the applicability of different kinds of
security testing.

As a first step, think about what security testing is, and why we would
want to perform security testing on our software.

## The Bitmap File Format

BMP is an historical image file format that we will use in this
tutorial. We will consider a simple class of BMP files whose format is
as follows. (Specifically, we consider here BMP files with no
compression, and in which each pixel is 32-bits wide in order to avoid
issues of padding; see
<http://www.fastgraph.com/help/bmp_header_format.html> and
<https://en.wikipedia.org/wiki/BMP_file_format> for more details.)

| Offset | Size (in bytes)              | Description                                                        |
|--------|------------------------------|--------------------------------------------------------------------|
| 0      | 1                            | first byte of signature, must be 0x42 (the ASCII character 'B')    |
| 1      | 1                            | second byte of signature, must be 0x4D (the ASCII character 'M')   |
| 2      | 4                            | size of the BMP file in bytes (unreliable, ignored)                |
| 6      | 2                            | Must be zero                                                       |
| 8      | 2                            | Must be zero                                                       |
| 10     | 4                            | Must be the value 54 (i.e. 0x00000036)                            |
| 14     | 4                            | Must be the value 40 (i.e. 0x00000028)                            |
| 18     | 4                            | *Width* (image width in pixels, as signed integer)            |
| 22     | 4                            | *Height* (image height in pixels, as signed integer)          |
| 26     | 2                            | Must be one                                                        |
| 28     | 2                            | Number of bits per pixel (must be 32)                              |
| 30     | 4                            | Compression type (must be 0 = no compression)                      |
| 34     | 4                            | Size of image data in bytes (must be 4\**Width*\**Height*) |
| 38     | 4                            | unreliable (ignored)                                               |
| 42     | 4                            | unreliable (ignored)                                               |
| 46     | 4                            | Must be zero                                                       |
| 50     | 4                            | Must be zero                                                       |
| 54     | 4\**Width*\**Height* | Pixel data, laid out in rows                                       |

The first byte (offset 0) of a valid BMP file is the character 'B'; the
second byte (offset 1) is the character 'M'. The 3rd to 6th bytes
(offsets 2 to 5 inclusive) indicate the total length of the BMP file but
are unreliable in practice, so we assume that all BMP parsing code
ignores them. The 7th and 8th bytes (offsets 6 and 7) are interpreted as
a 2-byte integer that must be zero, i.e. each of these bytes must be
zero. The same is true for the 9th and 10th bytes (offsets 8 and 9), and
so on.
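The format above, as a validator that applies exactly the table's checks (this is an added example, not part of the tutorial; `validate_bmp`, `make_bmp` and the sample pixel value are our own constructions). It also rejects non-positive dimensions, which the table alone does not rule out: since *Width* and *Height* are signed, two negative values would still satisfy the image-size constraint.

```python
import struct

# Field layout from the table above; BMP integers are little-endian.
HEADER_FMT = "<2sIHHIIiiHHIIIIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 54

def validate_bmp(data: bytes):
    """Return (True, "ok") if data is a BMP of the simplified format above,
    otherwise (False, reason). Applies only the checks the table states,
    plus one defensive rejection of non-positive dimensions (our assumption)."""
    if len(data) < HEADER_LEN:
        return False, "truncated header"
    (sig, _fsize, r1, r2, offbits, dibsize, width, height, planes, bpp,
     comp, imgsize, _xppm, _yppm, used, important) = struct.unpack_from(HEADER_FMT, data)
    if sig != b"BM":
        return False, "bad signature"
    if r1 != 0 or r2 != 0:
        return False, "reserved fields must be zero"
    if offbits != 54:
        return False, "pixel data offset must be 54"
    if dibsize != 40:
        return False, "DIB header size must be 40"
    if planes != 1:
        return False, "planes must be 1"
    if bpp != 32:
        return False, "bits per pixel must be 32"
    if comp != 0:
        return False, "compression must be 0"
    if used != 0 or important != 0:
        return False, "colour fields must be zero"
    # Width and Height are signed: two negative values would still satisfy
    # 4*Width*Height == imgsize, so reject them explicitly (beyond the table).
    if width <= 0 or height <= 0:
        return False, "non-positive dimensions"
    # In a C parser this product is the classic integer-overflow site.
    expected = 4 * width * height
    if imgsize != expected:
        return False, "image size does not match 4*Width*Height"
    if len(data) - HEADER_LEN != expected:
        return False, "pixel data length mismatch"
    return True, "ok"

def make_bmp(width, height, pixel=b"\x00\x00\xff\x00"):
    """Build a constructed, valid BMP of the simplified format (sample input)."""
    imgsize = 4 * width * height
    hdr = struct.pack(HEADER_FMT, b"BM", HEADER_LEN + imgsize, 0, 0, 54, 40,
                      width, height, 1, 32, 0, imgsize, 0, 0, 0, 0)
    return hdr + pixel * (width * height)
```

The fields the table marks as unreliable (offsets 2, 38 and 42) are deliberately unpacked and then ignored, matching the assumption in the text.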

## Your Tasks

### Question 1
Imagine you are choosing a value for each of the fields in the table
above *in order*, i.e. you first choose a value for the first byte of
the file, then a value for the second byte of the file, then for the
following 4 bytes, and so on. For each field, identify the total number
of valid values there are to choose from, assuming you have already
chosen values for all the fields that come before it.

### Question 2
The BMP header (i.e. everything excluding the pixel data) as described
above has a fixed length of 54 bytes. Using the answer from the previous
question or otherwise, what is the probability that a (uniformly)
randomly generated string of 54 bytes is a valid BMP header?

### Question 3
Suppose you have a valid 54-byte header and you mutate an arbitrary
(uniformly randomly chosen) byte in the header to a new value (different
from its original value). What is the probability of producing a valid
header?

### Question 4
Imagine you had to write a fuzzer to fuzz some BMP processing code that
processed BMP files of the format described above. If you had to choose
between generating completely random inputs vs. using random mutation on
existing BMP files, which strategy would you choose?
