
Missing documentation how to reproduce faults #18

Closed
francescoschembri opened this issue Jun 2, 2021 · 6 comments

Comments

@francescoschembri

Please add the documentation (and the feature if it's missing) of how to reproduce crashes and parse the bytes to tell the user which inputs made the program crash.

@jchoi2022
Collaborator

  • As stated in https://github.com/SoftSec-KAIST/Eclipser#usage, fuzzing results will be saved in <sync dir>/*/queue/ and <sync dir>/*/crashes/. You can retrieve the test cases in crashes/ and run them on the target program to reproduce the crashes.

  • I'm not sure what you mean by parse the bytes to tell user which are the inputs that made the program crash. Are you interested in which part (i.e. specific offset) of the input is actually related to the found bugs? Such analysis is out of fuzzing's scope. Please take a look at dynamic taint analysis tools and papers for such functionality.

@francescoschembri
Author

Yes, I read that part, but it's not 100% clear how I can run the crashes or the test cases with my program.
I implemented the example from the paper with an abort, and it is found and stored in crashes. How can I read which input it is? How do I open the fuzzing results stored in queue and crashes?

@francescoschembri
Author

To be clearer.

I implemented the example in a C program called fault.c and compiled it to fault.bin. I launch Eclipser on it and it finds the crash (implemented with abort()).

If I run ./fault.bin box/output/crashes/id\:000000 the only thing I get is Aborted (core dumped). So I understand that there is a problem, but I don't get any useful information like: what is the input that made my program crash? What is the path followed with that input that led to an abort?

@neuromancer
Contributor

Hi @francescoschembri. AFAIK, Eclipser is a tool that can give you a crash, but it cannot show you the program path or minimize the input to know exactly which bytes are important. If you want to understand how and why your program crashed, you should use a debugger such as gdb. You can take a look at a tutorial for debugging a crash here.

@jchoi2022
Collaborator

  • Each file in the crashes/ directory is a test case by itself, so running it like ./fault.bin box/output/crashes/id\:000000 as you did is correct. In other words, the content of box/output/crashes/id\:000000 is the exact input that makes the program crash.
  • If you want to obtain more detailed information about the crash (e.g. 'the path of crashing execution' or 'which offset of the input led to the execution of that path'), such analysis is not the role of a fuzzer, as neuromancer has pointed out. One can implement such functionality with program instrumentation or dynamic taint analysis tools, so please take a look at such tools. Of course, a debugger is a good option, too.
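The procedure described in the reply above (run each file in crashes/ as the argument to the target, then reach for a debugger if you want the crashing path), as an added example that is not Eclipser's own code and was not posted in the thread. It assumes the target takes the input file path as its single argument, like fault.bin does. The stand-in target, the crashes directory and its three test cases are constructed inline so the script runs without a real fuzzing run; the gdb step is an assumption, gated behind USE_GDB=1, and only makes sense against a real native binary.

```shell
#!/bin/sh
# Added example, not Eclipser's own code. Re-run every test case that Eclipser
# saved under <sync dir>/*/crashes/ against the target and report, per case,
# how the process died and the exact bytes that were fed to it.
# Assumptions: the target takes the input file path as its only argument
# (as ./fault.bin box/output/crashes/id:000000 does in the thread), and the
# optional gdb backtrace is opt-in via USE_GDB=1.

# Decode a shell exit status. A process killed by signal N is reported as 128+N.
describe_exit() {
  status=$1
  if [ "$status" -gt 128 ]; then
    sig=$((status - 128))
    case $sig in
      6)  echo "SIGABRT (abort() called)" ;;
      11) echo "SIGSEGV (invalid memory access)" ;;
      8)  echo "SIGFPE (arithmetic fault)" ;;
      *)  echo "signal $sig" ;;
    esac
  elif [ "$status" -eq 0 ]; then
    echo "exit 0 (did not reproduce)"
  else
    echo "exit $status"
  fi
}

# Run each file in $2 through the target $1. Every file is a complete input,
# so its bytes are exactly what made the program crash. Prints one report per
# case and a final "reproduced R of T" summary line.
triage_crashes() {
  target=$1
  crashdir=$2
  total=0
  reproduced=0
  for f in "$crashdir"/*; do
    [ -f "$f" ] || continue
    total=$((total + 1))
    status=0
    # stdin is closed so a target that also reads stdin cannot hang here;
    # the || keeps a crashing target from tripping set -e in the caller.
    "$target" "$f" </dev/null >/dev/null 2>&1 || status=$?
    printf '%s: %s\n' "$f" "$(describe_exit "$status")"
    # Show the crashing input as hex bytes and as characters.
    od -A d -t x1 -t c "$f" | sed 's/^/    /'
    if [ "$status" -gt 128 ]; then
      reproduced=$((reproduced + 1))
      # The crash path: the fuzzer does not record it, but a debugger will.
      if [ "${USE_GDB:-0}" = 1 ] && command -v gdb >/dev/null 2>&1; then
        gdb -batch -ex run -ex bt --args "$target" "$f" 2>/dev/null | sed 's/^/    /'
      fi
    fi
  done
  printf 'reproduced %d of %d\n' "$reproduced" "$total"
}

# Constructed stand-in for a fuzzing run (no real Eclipser output needed):
# a fake target that aborts when its input starts with "BAD", plus a
# crashes/ directory holding three test cases, one of which is a false alarm.
make_demo() {
  dir=$(mktemp -d ./eclipser-demo.XXXXXX)
  cat > "$dir/fault.sh" <<'EOF'
#!/bin/sh
read -r line < "$1"
case $line in
  BAD*) kill -s ABRT $$ ;;
esac
exit 0
EOF
  chmod +x "$dir/fault.sh"
  mkdir -p "$dir/crashes"
  printf 'BAD\n'    > "$dir/crashes/id:000000"
  printf 'GOOD\n'   > "$dir/crashes/id:000001"
  printf 'BADBAD\n' > "$dir/crashes/id:000002"
  echo "$dir"
}

# Stand-alone run on the constructed data. Against a real run use e.g.:
#   triage_crashes ./fault.bin box/output/crashes
demo_dir=$(make_demo)
triage_crashes "$demo_dir/fault.sh" "$demo_dir/crashes"
rm -rf "$demo_dir"
```

A test case that exits 0 on re-run is worth noticing: it usually means the crash depends on something outside the file bytes (environment, stdin, a previous input in the same process), which the fuzzer's output alone will not tell you.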

@francescoschembri
Author

Ok, so it's a decision to focus just on the fuzzing and not also on the other stuff. Thanks for the clarification.
