How do you code the perfect fuzzing function for some other function?
https://stackoverflow.com//questions/24054845
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian题
Here is a snippet of code:
struct somedata {
char mychar;
int myint;
unsigned short myushort;
string mystring;
};
void some_func(somedata *data) {
/* does something with data */
}
How do you write a perfect fuzzing function to test the correct functionality, security, and robustness of this code?
By perfect I mean complete tests that cover all cases (if possible). Say: out of range values, different data types, etc..
You do not have source code for some_func.
解决方案 2
It seems that I got fuzzing wrong.
Fuzz testing is a simple technique that can have a profound effect on your code quality. In fuzzing we inject random bad data into an application to see what breaks
Because Fuzzing != Testing, we do not build perfect test-cases or test all possible cases, instead we just generate random bad data and insert it into the application.
A Typical fuzzing function for the mentioned code would be:
void fuzzTesting ()
{
//create somedata
somedata data;
//generate a random vector
srand(time(NULL)); //seed = current_time
//bufferOverflow
int i= 200000
while(i>=0)
{
r = rand()
data.mychar = r;
data.myint = r;
data.myushort = r;
some_func(&data);
--i;
}
//Format String
int i= 200000
while(i>=0)
{
r = rand()
data.mychar = '%s' + r;
data.myint = '%s' + r;
data.myushort = '%s' + r;
some_func(&data);
--i;
}
//Integer overflow
int i= 200000
while(i>=0)
{
r = rand()
data.mychar = r + 0xffffffff;
data.myint = r + 0xffffffff;
data.myushort = r + 0xffffffff;
some_func(&data);
--i;
}
}
for more fuzz testing vectors and details see this wikipage
其他提示
One thing that you might find interesting is using genetic fuzzers like american fuzzy lop instead of writing the fuzz tests on your own. You would have to modify your program to operate on standard input and output (or on a file that is mentioned in the command line) and compile it with a special GCC/LLVM wrapper, but for exchange you would get a way to perform fuzzing with a tool that can learn your input/output format. It learns which bits induce new code paths when modified and gives them some extra attention. Also, have a look at LLVM's LibFuzzer, which uses a similar idea.
