Closed AndreasSpateneder closed 1 year ago
Hi, maybe you know this file: https://github.com/Montimage/5Greplay/blob/dev/rules/8.fuzz-ngap-custom.xml
For now the supported attributes are very limited. The attributes' modifications are done via https://github.com/Montimage/mmt-dpi/blob/proto-s1ap/src/mmt_mobile/proto_ngap.c#L196
I went through both links and wasn't able to find update functionality for NAS. Is NAS fuzzing supported by 5Greplay?
Could the replace_data_at_protocol_id function be used to implement further fuzzing capabilities? If so, which protocols are currently supported by get_protocol_index_by_id?
Is NAS fuzzing supported by 5Greplay?
Unfortunately it is not ready yet
Could the replace_data_at_protocol_id function be used to implement further fuzzing capabilities? If so, which protocols are currently supported by get_protocol_index_by_id?
replace_data_at_protocol_id basically replaces a segment of packet data by another one. Thus I can say that we can use it to implement a fuzzer. This implementation would be very simple for linear/simple protocols whose attributes can be accessed directly (without the need of decoding). For example, let's modify the embedded function of rule 5 to fuzz the Ethernet protocol:
#include <stdint.h>   /* uint16_t, uint64_t */
#include <stdlib.h>   /* random() */

static void em_replace_sll_by_ethernet( const rule_info_t *rule, int verdict, uint64_t timestamp, uint64_t counter, const mmt_array_t * const trace ){
    int i;
    /* replacement Ethernet header; zero-initialised so the destination
       address is not uninitialised stack memory when the header is written */
    struct ethhdr {
        unsigned char dst[6], src[6];
        uint16_t h_proto;
    } ethernet_data = {0};

    //fuzz source address attribute: one random byte per position
    for( i=0; i<6; i++)
        ethernet_data.src[i] = random();
    //overwrite the SLL segment with the header; the function takes a pointer to the replacement bytes
    replace_data_at_protocol_id( PROTO_SLL, sizeof(ethernet_data), &ethernet_data );
    forward_packet();

    //fuzz proto attribute (the field is named h_proto in the struct above)
    ethernet_data.h_proto = random();
    replace_data_at_protocol_id( PROTO_SLL, sizeof(ethernet_data), &ethernet_data );
    forward_packet();
}
For the complex protocols which require decoding and encoding, such as NGAP or NAS_5G, whose attributes are in Type-Length-Value, the implementation would be more complicated.
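To illustrate the point above about TLV-encoded protocols, here is an added example in C that is not 5Greplay or mmt-dpi code: a toy TLV walker with a 1-byte type and a 1-byte length. It shows why an NGAP/NAS attribute cannot be patched at a fixed offset the way the Ethernet header above is: the position of an element depends on the lengths of every element before it, and changing a value's length would shift everything after it (so the helper only permits same-length replacement). The walker also rejects a truncated element, which is the check any decoder needs before it is pointed at fuzzed input. The encoding, the element types, the sample bytes and all function names are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy TLV encoding (not a 5Greplay or 3GPP format):
 * each element is [type:1][length:1][value:length]. */

/* Locate the value of the first element with the given type.
 * Returns 1 and fills *value_off / *value_len on success, 0 if the type is
 * absent, -1 if the buffer is malformed (a header or value runs past the end). */
int tlv_find(const uint8_t *buf, size_t buf_len, uint8_t type,
             size_t *value_off, size_t *value_len)
{
    size_t off = 0;
    while (off < buf_len) {
        if (buf_len - off < 2)              /* truncated type/length header */
            return -1;
        uint8_t t = buf[off];
        size_t  l = buf[off + 1];
        if (l > buf_len - off - 2)          /* length claims bytes that are not there */
            return -1;
        if (t == type) {
            *value_off = off + 2;
            *value_len = l;
            return 1;
        }
        off += 2 + l;                       /* next element starts after this value */
    }
    return 0;
}

/* Overwrite an element's value in place. Only a same-length replacement is
 * possible without re-encoding: a different length would move every element
 * that follows, which is the extra work a real NGAP/NAS fuzzer has to do. */
int tlv_set_value(uint8_t *buf, size_t buf_len, uint8_t type,
                  const uint8_t *new_value, size_t new_len)
{
    size_t off = 0, len = 0;
    if (tlv_find(buf, buf_len, type, &off, &len) != 1 || len != new_len)
        return 0;
    memcpy(buf + off, new_value, new_len);
    return 1;
}

/* Constructed sample message: three elements of types 1, 2 and 3. */
static const uint8_t SAMPLE[] = {
    0x01, 0x02, 0xAA, 0xBB,                 /* type 1, length 2 */
    0x02, 0x04, 0x10, 0x20, 0x30, 0x40,     /* type 2, length 4 */
    0x03, 0x01, 0xFF                        /* type 3, length 1 */
};

/* Offset of the type-3 value after growing element 1 by `extra` bytes:
 * demonstrates that the offset depends on the preceding lengths. Returns 0
 * if the rebuilt message fails to decode. */
size_t type3_offset_after_growing_first(size_t extra)
{
    uint8_t msg[64] = {0};
    size_t n = 0;
    if (extra > 32)
        return 0;
    msg[n++] = 0x01;
    msg[n++] = (uint8_t)(2 + extra);
    memset(msg + n, 0xAA, 2 + extra);
    n += 2 + extra;
    memcpy(msg + n, SAMPLE + 4, sizeof(SAMPLE) - 4);  /* elements 2 and 3 unchanged */
    n += sizeof(SAMPLE) - 4;

    size_t off = 0, len = 0;
    return tlv_find(msg, n, 0x03, &off, &len) == 1 ? off : 0;
}

/* Patch the type-2 value of a copy of SAMPLE with a patch of `patch_len` bytes.
 * Returns the first byte of the patched value (0xDE) or 0 if refused. */
int patch_type2(size_t patch_len)
{
    uint8_t msg[sizeof(SAMPLE)];
    const uint8_t patch[4] = {0xDE, 0xAD, 0xBE, 0xEF};
    memcpy(msg, SAMPLE, sizeof(SAMPLE));
    if (patch_len > sizeof(patch) ||
        !tlv_set_value(msg, sizeof(msg), 0x02, patch, patch_len))
        return 0;
    return msg[6];
}

int main(void)
{
    printf("type 3 value offset: %zu (as built), %zu (element 1 grown by 3)\n",
           type3_offset_after_growing_first(0), type3_offset_after_growing_first(3));
    printf("same-length patch of type 2: %s\n", patch_type2(4) ? "applied" : "refused");
    printf("length-changing patch of type 2: %s\n", patch_type2(3) ? "applied" : "refused");
    return 0;
}
```

The two offsets printed by main differ (12 versus 15) although the type-3 element itself was never touched, which is why the Ethernet-style fixed-offset write does not carry over to NGAP or NAS: the fuzzer has to decode up to the attribute, and if it changes an attribute's length it has to re-encode the rest of the message.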
I want to use the get_numeric_value and set_numeric_value functions in an embedded function to conduct fuzz testing, but I find it hard to use the required att_id. The embedded function produces the following output when compiled:
with only the procedure code being accepted. Is there a list of already supported attributes?