FuzzTesting


Introduction

Fuzz testing Ethereal means creating random or semi-random capture files, feeding them into Ethereal/Tethereal and observing the "response".

Why would you do this? The vast majority of Ethereal's code base handles data that has been read directly from a live network or a capture file. It's important to make sure that it handles this data safely. One convenient way to do this is through fuzz testing.

Get involved!

We need as many people fuzz testing as possible. Everyone has their own valuable set of capture files and preferences. If possible, please use an SVN version of Ethereal for the fuzz testing and report any bug(s) you find. Please attach the fuzzed capture file to the bug report, so the bug can be easily reproduced by others.

Available Tools

Ethereal comes with three tools that let you perform fuzz testing:

  • fuzz-test.sh fuzzes a set of capture files using editcap, and runs Tethereal on them

  • randpkt creates capture files with completely random data payloads

  • editcap can be used to introduce errors into normal capture files

fuzz-test.sh

A convenient and effective way to do fuzz tests is to run fuzz-test.sh on your personal collection of capture files.

fuzz-test.sh is a bash script which can be used for large-scale batch processing. Running

        ./tools/fuzz-test.sh ~/captures/*

would test all of the files in ~/captures/. The script uses editcap to create errors in each capture file (described below), and runs Tethereal on the file. It assumes that you're running it from the Ethereal source directory. This behavior can be changed by modifying a few variables at the top of the script.

The script checks all the specified capture files over and over again until a bug is found.

If a bug is found, the script stops and the file causing trouble will be in the directory where you started fuzz-test.sh, named something like editcap.out.1234567890. Please attach this file when you report the bug. If this file is large (> 1MB), you may try to reduce its size by removing packets (e.g. using editcap) and check whether the problem still remains.

You can get fuzz-test.sh directly from the SVN repository; it is also shipped together with the Ethereal sources.

fuzz-test.sh on CygWin (Win32)

Edit the fuzz-test.sh script (in the tools directory) and change the line defining TMP_DIR. It should read:

# Temporary file directory and names.
# (had problems with this on cygwin, tried TMP_DIR=./ which worked)
### Edit for CygWin (Win32) ### TMP_DIR=/tmp
TMP_DIR=tmp

Open a CygWin shell, move to the directory containing the installed Ethereal binaries, and create a temporary directory named tmp:

~$ cd /cygdrive/c/Program\ Files/Ethereal
/cygdrive/c/Program Files/Ethereal$ mkdir tmp

Now run fuzz-test.sh from within the directory containing the installed Ethereal binaries:

/cygdrive/c/Program Files/Ethereal$ /cygwin/path/to/Ethereal/tools/fuzz-test.sh Windows\path\to\capture\file1.cap ...

Please note the UNIX path used for accessing fuzz-test.sh, and the Windows path for accessing the capture files that will be used as input for fuzzing.

Do not worry about the warning about ulimit on CygWin.

randpkt

randpkt creates capture files containing random data. It uses the following arguments:

        randpkt [-b maxbytes] [-c count] [-t type] filename

where 'maxbytes' is the maximum packet size, 'count' is the number of packets to create, and 'type' is the payload type, which can be one of:

        arp     Address Resolution Protocol
        bgp     Border Gateway Protocol
        bvlc    BACnet Virtual Link Control
        dns     Domain Name Service
        eth     Ethernet
        fddi    Fiber Distributed Data Interface
        giop    General Inter-ORB Protocol
        icmp    Internet Control Message Protocol
        ip      Internet Protocol
        llc     Logical Link Control
        megaco  MEGACO
        nbns    NetBIOS-over-TCP Name Service
        ncp2222 NetWare Core Protocol
        sctp    Stream Control Transmission Protocol
        syslog  Syslog message
        tds     TDS NetLib
        tcp     Transmission Control Protocol
        tr      Token-Ring
        udp     User Datagram Protocol

If you want to test a protocol that's not listed above, you can force decoding using the -d flag, e.g.

    ./randpkt -c 5000 -t dns /tmp/port53.pcap
    ./tethereal -nVr /tmp/port53.pcap -d udp.port==53,radius

When randpkt is run with "-t dns" it generates UDP packets with a destination port 53, and with a random payload. Aside from the port number they aren't specific to DNS in any way. Running Tethereal with "-d udp.port==53,radius" forces the packets to be decoded as RADIUS.

editcap

editcap can be used to "fuzz" a capture file using the '-E' flag. For example,

        editcap -E 0.02 infile.pcap fuzzfile.pcap

would read infile.pcap and fuzz its contents, writing them to fuzzfile.pcap. There would be a 2% chance that any given payload byte would be fuzzed. There are four different fuzzing methods, chosen at random:

  • The byte can be replaced with a random byte value

  • The byte can be replaced with a random letter or number

  • The byte and the succeeding byte can be replaced with "%s"

  • The rest of the packet can be filled with 0xAA

editcap is built together with Ethereal and is also shipped with the releases.
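To make the four methods concrete, here is an added Python model of the editcap -E mutation (example code written for this page, not editcap's own implementation): the per-byte probability, the four methods chosen at random, and a helper that lists which offsets changed. Stopping after the 0xAA fill and the seeded generator are assumptions of this model, not documented editcap behaviour.

```python
import random
import string

ALNUM = (string.ascii_letters + string.digits).encode()

def make_rng(seed):
    """Seeded generator so a fuzz run can be reproduced from its seed (assumption)."""
    return random.Random(seed)

def mutate(payload, i, method, rng):
    """Apply one editcap-style mutation at offset i; returns (payload, next_offset).
    0: random byte, 1: random letter/digit, 2: this and next byte become "%s",
    3: the rest of the packet becomes 0xAA (the four methods listed above)."""
    buf = bytearray(payload)
    if method == 0:
        buf[i] = rng.randrange(256)
    elif method == 1:
        buf[i] = rng.choice(ALNUM)
    elif method == 2:
        buf[i:i + 2] = b"%s"[:len(buf) - i]  # truncated if i is the last byte
    elif method == 3:
        buf[i:] = b"\xaa" * (len(buf) - i)
        return bytes(buf), len(buf)  # assumption: nothing left to fuzz after the fill
    else:
        raise ValueError("method must be 0..3")
    return bytes(buf), i + 1

def fuzz_payload(payload, error_prob, rng):
    """Model of editcap -E <error_prob>: each byte is fuzzed with that
    probability, using one of the four methods chosen uniformly at random."""
    i = 0
    while i < len(payload):
        if rng.random() < error_prob:
            payload, i = mutate(payload, i, rng.randrange(4), rng)
        else:
            i += 1
    return payload

def diff_offsets(original, fuzzed):
    """Offsets where the fuzzed packet differs from the original: a quick way
    to see which bytes matter when trimming a crashing file for a bug report."""
    return [k for k, (a, b) in enumerate(zip(original, fuzzed)) if a != b]

if __name__ == "__main__":
    # Constructed sample (not captured data): a DNS-style query for example.com.
    sample = bytes.fromhex("123401000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"
    fuzzed = fuzz_payload(sample, 0.02, make_rng(1234567890))
    print(fuzzed.hex(), diff_offsets(sample, fuzzed))
```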
