Montimage / 5Greplay

Tool for modifying and replaying 5G protocol network traffic
https://5greplay.org
Apache License 2.0

att_id for get_numeric_value and set_numeric_value functions #22

Closed AndreasSpateneder closed 1 year ago

AndreasSpateneder commented 2 years ago

I want to use the get_numeric_value and set_numeric_value functions in an embedded function to conduct fuzz testing, but I find it hard to use the required att_id. The embedded function

static inline void em_testing( const rule_info_t *rule, int verdict, uint64_t timestamp,
    uint64_t counter, const mmt_array_t * const trace ) {
    uint64_t procedure_code = get_numeric_value( PROTO_NGAP, NGAP_ATT_PROCEDURE_CODE, 1, trace );
    uint64_t p_hdr = get_numeric_value( PROTO_NGAP, NGAP_ATT_P_HDR, 1, trace );
    uint64_t p_data = get_numeric_value( PROTO_NGAP, NGAP_ATT_P_DATA, 1, trace );
    uint64_t p_payload = get_numeric_value( PROTO_NGAP, NGAP_ATT_P_PAYLOAD, 1, trace );
    uint64_t payload_count = get_numeric_value( PROTO_NGAP, NGAP_ATT_PAYLOAD_COUNT, 1, trace );
    uint64_t stats = get_numeric_value( PROTO_NGAP, NGAP_ATT_STATS, 1, trace );
}

produces the following output when compiled:

mmt-5greplay: 5Greplay v0.0.4-7e7c4c6 using DPI v1.7.0.0 (a8ad3c2) is running on pid 5627
rules/NGSetupResponse.so.c: In function ‘em_testing’:
rules/NGSetupResponse.so.c:33:53: error: ‘NGAP_ATT_P_HDR’ undeclared (first use in this function); did you mean ‘S1AP_ATT_UE_ID’?
     uint64_t p_hdr = get_numeric_value( PROTO_NGAP, NGAP_ATT_P_HDR, 1, trace );
                                                     ^~~~~~
                                                     S1AP_ATT_UE_ID
rules/NGSetupResponse.so.c:33:53: note: each undeclared identifier is reported only once for each function it appears in
rules/NGSetupResponse.so.c:35:54: error: ‘NGAP_ATT_P_DATA’ undeclared (first use in this function); did you mean ‘NGAP_ATT_P_HDR’?
     uint64_t p_data = get_numeric_value( PROTO_NGAP, NGAP_ATT_P_DATA, 1, trace );
                                                      ^~~~~~~
                                                      NGAP_ATT_P_HDR
rules/NGSetupResponse.so.c:37:57: error: ‘NGAP_ATT_P_PAYLOAD’ undeclared (first use in this function); did you mean ‘NGAP_ATT_P_DATA’?
     uint64_t p_payload = get_numeric_value( PROTO_NGAP, NGAP_ATT_P_PAYLOAD, 1, trace );
                                                         ^~~~~~
                                                         NGAP_ATT_P_DATA
rules/NGSetupResponse.so.c:39:61: error: ‘NGAP_ATT_PAYLOAD_COUNT’ undeclared (first use in this function); did you mean ‘NGAP_ATT_P_PAYLOAD’?
     uint64_t payload_count = get_numeric_value( PROTO_NGAP, NGAP_ATT_PAYLOAD_COUNT, 1, trace );
                                                             ^~~~~~
                                                             NGAP_ATT_P_PAYLOAD
rules/NGSetupResponse.so.c:41:53: error: ‘NGAP_ATT_STATS’ undeclared (first use in this function); did you mean ‘NGAP_ATT_P_DATA’?
     uint64_t stats = get_numeric_value( PROTO_NGAP, NGAP_ATT_STATS, 1, trace );
                                                     ^~~~~~
                                                     NGAP_ATT_P_DATA
mmt-5greplay: Cannot encode rule "rules/NGSetupResponse.xml". Check options.

with only the procedure code being accepted. Is there a list of already supported attributes?

nhnghia commented 2 years ago

Hi, maybe you know this file: https://github.com/Montimage/5Greplay/blob/dev/rules/8.fuzz-ngap-custom.xml

For now the supported attributes are very limited. The attribute modifications are done via https://github.com/Montimage/mmt-dpi/blob/proto-s1ap/src/mmt_mobile/proto_ngap.c#L196

AndreasSpateneder commented 2 years ago

I went through both links and wasn't able to find update functionality for NAS. Is NAS fuzzing supported by 5Greplay?

Could the replace_data_at_protocol_id function be used to implement further fuzzing capabilities? If so, which protocols are currently supported by get_protocol_index_by_id?

nhnghia commented 2 years ago

Is NAS fuzzing supported by 5Greplay?

Unfortunately it is not ready yet.

Could the replace_data_at_protocol_id function be used to implement further fuzzing capabilities? If so, which protocols are currently supported by get_protocol_index_by_id?

replace_data_at_protocol_id basically replaces a segment of packet data with another one. Thus I can say that we can use it to implement a fuzzer. This implementation would be very simple for linear/simple protocols whose attributes can be accessed directly (without the need of decoding). For example, let's modify the embedded function of rule 5 to fuzz the Ethernet protocol:

#include <stdint.h>
#include <stdlib.h>
#include <string.h>

static void em_replace_sll_by_ethernet( const rule_info_t *rule, int verdict, uint64_t timestamp,
      uint64_t counter, const mmt_array_t * const trace ){
   int i;
   struct ethhdr {
      unsigned char dst[6], src[6];
      uint16_t h_proto;
   } ethernet_data;
   // zero the whole header so the fields that are not fuzzed (dst) do not carry uninitialized stack bytes
   memset( &ethernet_data, 0, sizeof(ethernet_data) );
   //fuzz source address attribute
   for( i=0; i<6; i++)
      ethernet_data.src[i] = random();
   // the header is passed by address; the original snippet passed the struct by value, which does not compile
   replace_data_at_protocol_id( PROTO_SLL, sizeof(ethernet_data), &ethernet_data );
   forward_packet();
   //fuzz proto attribute (the struct field is named h_proto)
   ethernet_data.h_proto = random();
   replace_data_at_protocol_id( PROTO_SLL, sizeof(ethernet_data), &ethernet_data );
   forward_packet();
}

For the complex protocols which require decoding and encoding, such as NGAP or NAS_5G whose attributes are in Type-Length-Value form, the implementation would be more complicated.
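The distinction drawn in this answer, as an added stand-alone example that is not 5Greplay or mmt-dpi code: a fixed-layout header such as Ethernet can be mutated by overwriting bytes at a known offset, whereas a Type-Length-Value element (the form NGAP and NAS use for their information elements) cannot be mutated in place when the value size changes, because the length byte must be rewritten and every following element shifted. The function names, the 1-byte type / 1-byte length TLV layout, the deterministic PRNG and the sample buffers are all constructed for this illustration; a real NAS or NGAP encoder handles nested and variable-width lengths on top of this.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not part of 5Greplay. Deterministic xorshift64 PRNG
 * so that a mutation run can be reproduced from its seed. */
static uint64_t prng_state = 0x9E3779B97F4A7C15ULL;

void prng_seed(uint64_t s) { prng_state = s ? s : 1; }

static uint8_t prng_byte(void) {
    uint64_t x = prng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    prng_state = x;
    return (uint8_t)(x & 0xFF);
}

/* Linear protocol: the Ethernet header is 14 bytes at a fixed layout, so the
 * source address can be overwritten in place without decoding anything.
 * Returns 0 on success, -1 if the frame is too short to hold the header. */
#define ETH_HLEN     14
#define ETH_SRC_OFF   6
int fuzz_eth_src(uint8_t *frame, size_t frame_len) {
    if (frame_len < ETH_HLEN) return -1;
    for (int i = 0; i < 6; i++) frame[ETH_SRC_OFF + i] = prng_byte();
    return 0;   /* dst and ethertype are untouched */
}

/* TLV protocol (hypothetical layout: 1-byte type, 1-byte length, value).
 * Replacing the value of element `type` with `new_val` of `new_len` bytes
 * requires rewriting the length byte and moving the trailing elements, i.e.
 * a decode/re-encode step. Returns the new total length, or -1 if the buffer
 * is malformed, the type is absent, or the result would not fit in buf_cap. */
int tlv_replace_value(uint8_t *buf, size_t buf_len, size_t buf_cap,
                      uint8_t type, const uint8_t *new_val, uint8_t new_len) {
    size_t off = 0;
    while (off + 2 <= buf_len) {
        uint8_t t = buf[off], l = buf[off + 1];
        if (off + 2 + l > buf_len) return -1;          /* truncated element */
        if (t == type) {
            size_t tail_off  = off + 2 + l;            /* first byte after this element */
            size_t tail_len  = buf_len - tail_off;
            size_t new_total = buf_len - l + new_len;
            if (new_total > buf_cap) return -1;
            memmove(buf + off + 2 + new_len, buf + tail_off, tail_len);
            memcpy(buf + off + 2, new_val, new_len);
            buf[off + 1] = new_len;                    /* re-encode the length */
            return (int)new_total;
        }
        off += 2 + l;
    }
    return -1;                                         /* type not present */
}

int main(void) {
    /* constructed sample: two elements, type 1 (2 bytes) then type 2 (1 byte) */
    uint8_t tlv[16] = {0x01, 2, 0xAA, 0xBB, 0x02, 1, 0xCC};
    uint8_t bigger[3] = {1, 2, 3};
    int n = tlv_replace_value(tlv, 7, sizeof tlv, 0x01, bigger, 3);
    printf("tlv total length after replacement: %d\n", n);
    for (int i = 0; i < n; i++) printf("%02x ", tlv[i]);
    printf("\n");

    uint8_t frame[ETH_HLEN] = {0};
    prng_seed(42);
    fuzz_eth_src(frame, sizeof frame);
    for (int i = 0; i < ETH_HLEN; i++) printf("%02x ", frame[i]);
    printf("\n");
    return 0;
}
```

The bounds checks in tlv_replace_value are the part worth keeping in mind when writing such a mutator: a fuzzer that itself reads past a truncated element or writes beyond the packet buffer corrupts the replay tool rather than testing the target.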