ossf / fuzz-introspector

Fuzz Introspector -- introspect, extend and optimise fuzzers
https://fuzz-introspector.readthedocs.io
Apache License 2.0

angus-mail failing to extract relevant data in java frontend analysis #683

Open DavidKorczynski opened 1 year ago

DavidKorczynski commented 1 year ago

Migrated from https://github.com/ossf/fuzz-introspector/pull/680#issuecomment-1347330552

The angus-mail Java project is missing data when analysed by the JVM frontend. For example, the call tree we get for the BASE64EncoderStreamFuzzer is:

Call tree
fuzzerTestOneInput(com.code_intelligence.jazzer.api.FuzzedDataProvider) BASE64EncoderStreamFuzzer linenumber=-1
  consumeRemainingAsBytes() com.code_intelligence.jazzer.api.FuzzedDataProvider linenumber=29
  write(byte[]) com.sun.mail.util.BASE64EncoderStream linenumber=29

This is a call to https://github.com/eclipse-ee4j/angus-mail/blob/46518aad79259d12a115937894ff8f32b86a1a17/core/src/main/java/com/sun/mail/util/BASE64EncoderStream.java#L141-L144

which should be a call to: https://github.com/eclipse-ee4j/angus-mail/blob/46518aad79259d12a115937894ff8f32b86a1a17/core/src/main/java/com/sun/mail/util/BASE64EncoderStream.java#L93

So ideally we would have more calls in the call graph. It seems like there is no analysis of the code in the angus-core.jar file; instead the analysis is limited to the .jar files for the fuzzer classes.

DavidKorczynski commented 1 year ago

With the changes in https://github.com/ossf/fuzz-introspector/pull/684 the logging output I get from an OSS-Fuzz run is the following:

Running introspector frontend on ASCIIUtilityFuzzer.class :: {'ASCIIUtilityFuzzer.jar', 'BASE64EncoderStreamFuzzer.jar', 'angus-core.jar'}
Running command: [java -Xmx6144M -cp /fuzz-introspector/frontends/java/target/ossf.fuzz.introspector.soot-1.0.jar ossf.fuzz.introspector.soot.CallGraphGenerator ASCIIUtilityFuzzer.jar:BASE64EncoderStreamFuzzer.jar:angus-core.jar ASCIIUtilityFuzzer fuzzerTestOneInput jdk.:java.:javax.:sun.:sunw.:com.sun.:com.ibm.:com.apple.:apple.awt.]
[Callgraph] Running callgraph plugin
[Callgraph] Jar files used for analysis: [ASCIIUtilityFuzzer.jar, BASE64EncoderStreamFuzzer.jar, angus-core.jar]
[Callgraph] Internal transform init
[Callgraph] Determining classes to use for analysis.
[Callgraph] [USE] class: ASCIIUtilityFuzzer
[Callgraph] [USE] class: BASE64EncoderStreamFuzzer
[Callgraph] [USE] class: module-info
[Callgraph] Finished going through classes
Inspecting class: ASCIIUtilityFuzzer
[Callgraph] Skipping method: <init>
[Callgraph] Analysing method: fuzzerTestOneInput
Inspecting class: BASE64EncoderStreamFuzzer
[Callgraph] Skipping method: <init>
[Callgraph] Analysing method: fuzzerTestOneInput
Inspecting class: module-info
Running introspector frontend on BASE64EncoderStreamFuzzer.class :: {'ASCIIUtilityFuzzer.jar', 'BASE64EncoderStreamFuzzer.jar', 'angus-core.jar'}
Running command: [java -Xmx6144M -cp /fuzz-introspector/frontends/java/target/ossf.fuzz.introspector.soot-1.0.jar ossf.fuzz.introspector.soot.CallGraphGenerator ASCIIUtilityFuzzer.jar:BASE64EncoderStreamFuzzer.jar:angus-core.jar BASE64EncoderStreamFuzzer fuzzerTestOneInput jdk.:java.:javax.:sun.:sunw.:com.sun.:com.ibm.:com.apple.:apple.awt.]
[Callgraph] Running callgraph plugin
[Callgraph] Jar files used for analysis: [ASCIIUtilityFuzzer.jar, BASE64EncoderStreamFuzzer.jar, angus-core.jar]
[Callgraph] Internal transform init
[Callgraph] Determining classes to use for analysis.
[Callgraph] [USE] class: BASE64EncoderStreamFuzzer
[Callgraph] [USE] class: ASCIIUtilityFuzzer
[Callgraph] [USE] class: module-info
[Callgraph] Finished going through classes
Inspecting class: ASCIIUtilityFuzzer
[Callgraph] Skipping method: <init>
[Callgraph] Analysing method: fuzzerTestOneInput
Inspecting class: BASE64EncoderStreamFuzzer
[Callgraph] Skipping method: <init>
[Callgraph] Analysing method: fuzzerTestOneInput

It seems like the angus-core.jar is not being involved?

arthurscchan commented 1 year ago

Two reasons lead to this error. 1) The angus-mail project code uses package names whose prefixes are commonly considered native code and Java standard libraries. 2) Soot has a default list of package prefixes which are considered standard libraries and are ignored by default.

Solution: alter the Soot code to include all those prefixes, then use the exclude option to manually exclude those not matching the project package prefix, aka com.sun.*
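
As an added illustration, not code from this thread or from fuzz-introspector, the stand-alone Soot driver below shows the two-step arrangement described in the comment above: switch off Soot's built-in exclusion list with the include-all option, hand Soot an explicit exclusion list that leaves com.sun. out, and additionally pin com.sun.mail. with the include option, which takes precedence over exclusions. It then walks the call edges out of fuzzerTestOneInput and reports whether each callee was resolved as an application class with a body or swallowed as a library or phantom stub, which is the missing-data symptom seen in the call tree above. The jar names are taken from the OSS-Fuzz log in this issue; their location on disk, and the wildcard pattern form (java.*) of Soot 4's -exclude/-include options, are assumptions about the environment and Soot version.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;

import soot.G;
import soot.PackManager;
import soot.PhaseOptions;
import soot.Scene;
import soot.SootClass;
import soot.SootMethod;
import soot.jimple.toolkits.callgraph.CallGraph;
import soot.jimple.toolkits.callgraph.Edge;
import soot.options.Options;

// Added example (not fuzz-introspector code): build a Soot call graph for a Jazzer
// fuzzer while keeping com.sun.mail.* analysable as application code.
public class ProjectPrefixCallGraph {

    public static void main(String[] args) {
        // Jar names as they appear in the OSS-Fuzz log; the working directory is assumed.
        List<String> jars = Arrays.asList(
            "ASCIIUtilityFuzzer.jar", "BASE64EncoderStreamFuzzer.jar", "angus-core.jar");
        String fuzzerClass = "BASE64EncoderStreamFuzzer";

        G.reset();
        Options.v().set_whole_program(true);      // required for call-graph construction
        Options.v().set_allow_phantom_refs(true); // the Jazzer API jar is not on the path here
        Options.v().set_prepend_classpath(true);  // pick up the JDK of the running JVM
        Options.v().set_process_dir(jars);        // classes in these jars become application classes
        Options.v().set_soot_classpath(String.join(":", jars));
        Options.v().set_output_format(Options.output_format_none);

        // Step 1: -include-all drops Soot's hard-coded exclusions
        // (java.*, sun.*, javax.*, com.sun.*, com.ibm.*, org.xml.*, org.w3c.*, apple.awt.*, com.apple.*).
        Options.v().set_include_all(true);
        // Step 2: re-exclude the real platform packages ourselves, this time without com.sun.*.
        Options.v().set_exclude(Arrays.asList(
            "jdk.*", "java.*", "javax.*", "sun.*", "sunw.*", "com.ibm.*", "com.apple.*", "apple.awt.*"));
        // -include wins over -exclude, so pin the project prefix even if the list above changes later.
        Options.v().set_include(Collections.singletonList("com.sun.mail.*"));
        Options.v().set_no_bodies_for_excluded(true);

        PhaseOptions.v().setPhaseOption("cg.spark", "on");

        Scene.v().loadNecessaryClasses();
        SootMethod entry = Scene.v().getSootClass(fuzzerClass).getMethodByName("fuzzerTestOneInput");
        Scene.v().setEntryPoints(Collections.singletonList(entry));
        PackManager.v().runPacks();

        CallGraph cg = Scene.v().getCallGraph();
        for (Iterator<Edge> it = cg.edgesOutOf(entry); it.hasNext();) {
            SootMethod callee = it.next().tgt();
            SootClass owner = callee.getDeclaringClass();
            // A project method caught by the prefix list shows up as a library or phantom
            // class without a body; with the lists above, com.sun.mail.* should be "application".
            String kind = owner.isPhantomClass() ? "phantom"
                        : owner.isLibraryClass() ? "library (excluded or outside process-dir)"
                        : "application";
            System.out.printf("%s -> %s [%s, hasBody=%b]%n",
                entry.getSignature(), callee.getSignature(), kind, callee.hasActiveBody());
        }
    }
}
```

Run it with the Soot jar and the three project jars in the working directory; if BASE64EncoderStream.write(byte[]) still prints as a library class without a body, the exclusion list is still matching com.sun. somewhere and the include option is not taking effect.
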

DavidKorczynski commented 1 year ago

I can confirm it works following https://github.com/ossf/fuzz-introspector/pull/688 as well as removing the necessary com.sun. exclusion prefix from https://github.com/ossf/fuzz-introspector/blob/a3c1037b0e25824c86c866538c5e85cc908ff590/frontends/java/oss-fuzz-main.py#L107

Screenshot: angus-mail

DavidKorczynski commented 1 year ago

Is this solved @arthurscchan ?