Skip to content

shouc/corbfuzz

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commits

benchmark

benchmark

 
 

extension

extension

 
 

fake_mysql

fake_mysql

 
 

php

php

 
 

scripts

scripts

 
 

test

test

 
 

Dockerfile

Dockerfile

 
 

INSTALL.md

INSTALL.md

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

REQUIREMENTS.md

REQUIREMENTS.md

 
 

browsers.py

browsers.py

 
 

build.sh

build.sh

 
 

config.py

config.py

 
 

corbfuzz_paper.pdf

corbfuzz_paper.pdf

 
 

cov.py

cov.py

 
 

customization.py

customization.py

 
 

docker_utils.py

docker_utils.py

 
 

install_chrome.sh

install_chrome.sh

 
 

main.py

main.py

 
 

mutator.py

mutator.py

 
 

prior.py

prior.py

 
 

queue_culling.py

queue_culling.py

 
 

requirements.txt

requirements.txt

 
 

start.py

start.py

 
 

utils.py

utils.py

 
 

Repository files navigation

CorbFuzz

DOI

CorbFuzz is a state-aware fuzzer for generating as much reponses from a web application as possible without need of setting up database, etc.

Obtaining Source Code

Download from this git repo...

git clone https://github.com/shouc/corbfuzz.git

Building (Docker)

Make sure docker has been installed on your computer and you are running as root. This would take ~10 minutes on our computer (P.S. to optimize performance, you can update line 51 in build.sh make -j30 to make -j{how many processors you have}).

Notice that you must add --shm-size=6g so that there is enough memory for the fuzzer.

docker build . -t corbfuzz
docker run  --shm-size=6g --name corbfuzz1 -ti corbfuzz # tapping into docker container

If you instead want to use our pre-built docker image, you can replace previous procedure with

docker run  --shm-size=6g --name corbfuzz1 -ti shouc/corbfuzz:latest

Building (Ubuntu)

The setup script has been tested on Ubuntu 20.10, make sure you are running as root.

If you don't have Chromium & chromedriver on your computer, following script downloads Chromium and setup it up:

./install_chrome.sh

Following script installs all dependency required by the fuzzer, build the instrumented PHP, and setup the environment.

./build.sh

Running

Start the redis server required by the fuzzer (You don't need to set this for dry run)

service redis-server start

Run the fake_mysql first:

cd /corbfuzz/fake_mysql
nvm use --lts # switch to nodejs 14
rm -f /tmp/rand.sock # remove the existing unix socket
node main.js & # start the fake MySQL server

Run instrumented PHP server on port 1194 (the fuzzer defaults to use port 1194):

cd [Fuzzing Target Location] # for testing, you can use /corbfuzz/test
mkdir cov # if cov directory does not exist
php -dextension=/corbfuzz/hsfuzz.so -S 0.0.0.0:1194 &

Run fuzzer at /corbfuzz directory in Python console:

cd /corbfuzz
python3

Inside the console, type:

import main
main.main(0)

As for when to terminate the fuzzer, the paper uses coverage growth. If its growth is 0 over 1 minute, we terminate it manually. The following automation script intead simply gives fuzzer 7 minute to run.

You can also run multiple fuzzers, of which the coverage information is synchronized through Redis. To do so, you need to start multiple PHP servers with ports starting from 1194 (e.g., 1194, 1195, 1196). Then, start fuzzer for each PHP server by running following Python code asynchroneously:

main.main(1)
main.main(2)
main.main(3)
...
main.main([PORT] - 1194)

An example is shown in start.py, which starts 10 fuzzers that fuzz port 1194-1214. To run it, you have to start 10 PHP runtimes. You can refer to Reproduce Data Synthesis Effectiveness Figures Section for automation.

Project Organization

  • fake_mysql/ implements a fake MySQL server listening on port 3306. It handles queries and generate a legit MySQL response. It also listens on /tmp/rand.sock for requests on synthesizing a specific query result or notification of type information.

  • extension/ implements a PHP extension that generates the coverage information and aid the data synthesis workflow by generating session/cookies values and dumping their related constraints.

  • php/ is the PHP code base with instrumentation that implements the data synthesis workflow and interacts with fake_mysql through the unix socket. It also hijacks all MySQL connections to our fake MySQL server.

  • scripts/ contains useful scripts for running the oracles and ensuring consistency for the data synthesis workflow.

  • test/ contains a PHP code adapted from an existing PHP project for testing the fuzzer.

  • benchmark/ utils for crawling GitHub/PHP and generating the data for the plots on the paper about data synthesis.

    • main.py: Crawls potential PHP repos' URL from GitHub and save them to repos.txt
    • get.py: Clones GitHub repos specified in the repos.txt to the directory specified as argv[1] (e.g. python3 get.py /tmp/repos)
    • run.py: Fuzz through all the projects in the directory specified as argv[1] and generate intermediate benchmark information for following Python scripts to consume.
    • count_edge.py: Count all the edges from the coverage data generated by the fuzzer for each project.
    • count_violation_comp.py: Count all the comparison type violations from the data generated by the instrumented PHP for each project.
    • count_violation_internal.py: Count all the internal function type violations from the data generated by the instrumented PHP for each project.

Reproduce Data Synthesis Effectiveness Figures

If you are not using the Docker container, you have to modify the paths in run.py accordingly.

Setup

service redis-server start
cd /corbfuzz/benchmark/

Crawl Web Apps from GitHub

Create a GitHub access token with full access to repo here: https://github.com/settings/tokens/new, the token should be a string starting with ghp_...

vim main.py # put your GitHub access token to the specified location
python3 main.py # crawl recent PHP related repos
# Inspect repos.txt, if there is no data inside or limited data (file < 800 bytes) inside, you should run previous script at a different time. 
mkdir /repos

# if you have trouble making a valid repos.txt, you can rename repos_test.txt to repos.txt under benchmark directory.
# repos_test.txt contains PHP repos crawled on Aug 23, 2021.
python3 get.py /repos # clone the repos

In case GitHub no longer works / API has changed, you can also replace previous process by requiring the dataset from us and download them directly.

wget [DATASET URL]
unzip application.zip
mkdir /repos
mv repos_ok2/* /repos

The repos folder contains subfolders with name as a UUID. Each subfolder is a GitHub repo.

Start fuzzing

A lot of error may be outputed but it is safe to ignore them.

The script would exit when fuzzing is done. It would take (repo amount) x (7 minutes) time. You can also kill everything at the middle by using CTRL-C then pkill -f python3 command. The unfuzzed repos' benchmarking result would simply be 0.

pwd # => /corbfuzz/benchmark/
python3 run.py /repos

Benchmarking

For following scripts, if the count printed is 0, you can safely ignore them (what we did in the paper) because that indicates the fuzzer could not find PHP code inside.

Get branch coverage count for each app. Each line outputs the (repo id, edge count)

python3 count_edge.py /repos/

Get comparison type violation for each app. Each line outputs the (repo id, type violation count, sample size)

python3 count_violation_comp.py /repos/

Get internal function type violation for each app. Each line outputs the (repo id, type violation count, sample size)

python3 count_violation_internal.py /repos/

We process the data using Google Docs.

CORB Oracle

Will release.

About

Code for ASE'21 Paper "CorbFuzz: Checking Browser Security Policies with Fuzzing"

arxiv.org/abs/2109.00398

Topics

fuzzing concolic-execution browser-security

Resources

Readme

License

MIT license
Activity

Stars

3 stars

Watchers

4 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages