search

fdu-sec / NestFuzz

A structure-aware grey box fuzzer based on modeling the input processing logic.
Apache License 2.0
156 stars 12 forks source link

Some questions about recurrence #4

Closed zhangteng0526 closed 8 months ago

zhangteng0526 commented 8 months ago

I am a newbie in fuzz testing. I am trying to reproduce NestFuzz and follow the readme. There is no crash within 23 hours. Is this normal? It is shown in the paper that the average result of fuzz testing tiffsplit is 13. At the same time, I also want to use NestFuzz to test other programs. How to do this? Hope to get your help, thank you! 2 1

fdu-sec commented 8 months ago

In my opinion, there are two possible reasons for the lack of crashes:

Firstly, I believe there may be an issue with the Input Processing Modeling procedure. Based on your screenshot, it appears that the fuzzer is solely utilizing the havoc mutation strategy, while other strategies, such as struct havoc, struct desc, and struct aware, are not functioning. This primarily occurs because NestFuzz cannot normally infer the input structure. To verify this hypothesis, please execute the following command: /home/zt/libtiff-model/tools/tifsplit test.isi.tif The test.isi.tif is a valid tiff file. Typically, this command should generate three files: test.isi.tif.json, test.isi.tif.track, and test.isi.tif.log. Please check if test.isi.tif.json and test.isi.tif.track are valid JSON files.

Secondly, to uncover vulnerabilities in the program under test, you might need to compile it with sanitizers, such as the address sanitizer. For the libtiff example, consider compiling the binary for fuzzing with ASAN.

If you wish to fuzz other programs, please follow the steps outlined in our README. Generally, you can substitute libtiff with other libraries and fuzz them using similar steps.

zhangteng0526 commented 8 months ago

Should it be tiffsplit instead of tifsplit?I executed the command and it showed that it was not found.But I recompiled the input processing logic program. As shown in the figure, this fuzz test should have implemented other strategies (struct havoc, struct desc and struct aware). At the same time, I used ASAN for make, But unfortunately, no crash was found using NestFuzz this time. I also used the latest version of AFL++ to fuzz test it, but after 24h, it did not find any crashes. What is the reason for this? What version of tiffsplit is in the paper? The tiffsplit I downloaded according to the readme is 4.6.0. Is it possible because of the version? I feel very strange. I will use NestFuzz to test other programs, and I hope you can help me answer my questions. Thank you for your help. 1111 22222 33333

fdu-sec commented 8 months ago

Indeed, you should use tiffsplit instead of tifsplit. It appears that NestFuzz is working as expected now. If you wish to replicate our evaluation results, you can refer to the details in our paper regarding our benchmark programs and experiment setups. As for the latest version of libtiff, it seems well-tested with fuzzing techniques. However, to uncover zero-day vulnerabilities, you might need to fuzz it for an extended period, such as several days, and try different fuzz drivers.

zhangteng0526 commented 8 months ago

Thank you for your reply. I read the article again last night and found out that it was a problem with the test version. I will remember this lesson in the future. Thank you again to the Fudan University team. I will continue to pay attention to your work!