Fuzzing the lwIP stack (afl-fuzz requires linux/unix or similar)

This directory contains a small app that reads Ethernet frames from stdin and
processes them. It is used together with the 'american fuzzy lop' tool (found
at http://lcamtuf.coredump.cx/afl/) and the sample inputs to test how
unexpected inputs are handled. The afl tool will read the known inputs and
try to modify them to exercise as many code paths as possible, by instrumenting
the code and keeping track of which code is executed.

Just running make will produce the test program.

Running make with parameter 'D=-DLWIP_FUZZ_MULTI_PACKET' will produce a binary
that parses the input data as multiple packets (experimental!).

Then run afl with:

afl-fuzz -i inputs/<INPUT> -o output ./lwip_fuzz

and it should start working. It will probably complain about the CPU scheduler;
set AFL_SKIP_CPUFREQ=1 to ignore it.
If it complains about an invalid "/proc/sys/kernel/core_pattern" setting, try
executing "sudo bash -c 'echo core > /proc/sys/kernel/core_pattern'".

The input is split into different subdirectories since they test different
parts of the code, and since you want to run one instance of afl-fuzz on each
core.

When afl finds a crash or a hang, the input that caused it will be placed in
the output directory. If you have the hexdump and text2pcap tools installed,
running output_to_pcap.sh <outputdir> will create a pcap file for each input
file to simplify viewing in wireshark.

The lwipopts.h file needs to have checksum checking off, otherwise almost every
packet will be discarded because of that. The other options can be tuned to
expose different parts of the code.
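Added example (not part of the lwIP tree or this README): a small Python helper that shows what the seed inputs described above look like at the byte level, and an alternative to the hexdump/text2pcap route for viewing a crash or hang input in Wireshark. It builds two single-frame seeds (an ARP request and an IPv4/UDP datagram with all checksums left at zero, which is why the README needs checksum checking turned off in lwipopts.h) and writes any raw frame file straight into a pcap with the Ethernet link type. The MAC and IP addresses are constructed sample values; the IP address the real lwip_fuzz netif is configured with is not stated here, so adjust OUR_IP to match your build before using the seeds.

```python
import os
import struct

# Constructed sample addresses (assumptions, not taken from lwip_fuzz).
OUR_MAC = bytes.fromhex("020000000001")   # address of the fuzzed stack
PEER_MAC = bytes.fromhex("020000000002")  # a neighbour on the same link
OUR_IP = bytes([192, 168, 1, 2])          # must match the netif address in lwip_fuzz
PEER_IP = bytes([192, 168, 1, 1])

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def ethernet_frame(dst, src, ethertype, payload):
    """14-byte Ethernet II header followed by the payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def arp_request(sender_mac, sender_ip, target_ip):
    """Broadcast ARP request for target_ip (HTYPE=1, PTYPE=IPv4, OPER=1)."""
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
    arp += sender_mac + sender_ip + b"\x00" * 6 + target_ip
    return ethernet_frame(b"\xff" * 6, sender_mac, ETHERTYPE_ARP, arp)


def ipv4_udp(src_mac, dst_mac, src_ip, dst_ip, sport, dport, data):
    """IPv4/UDP datagram with IP and UDP checksums left at zero.

    A zero UDP checksum means 'none' for UDP over IPv4, and the zero IPv4
    header checksum is only accepted because lwipopts.h has checksum
    checking turned off, as the README requires for fuzzing.
    """
    udp_len = 8 + len(data)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + udp_len,  # version/IHL, TOS, total length
                     0, 0,                   # identification, flags/fragment offset
                     64, 17, 0,              # TTL, protocol=UDP, header checksum
                     src_ip, dst_ip)
    return ethernet_frame(dst_mac, src_mac, ETHERTYPE_IPV4, ip + udp)


def pcap_bytes(frames, ts_sec=0):
    """Serialise frames as a classic pcap (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", ts_sec + i, 0, len(frame), len(frame))
        out += frame
    return out


def parse_pcap(data):
    """Inverse of pcap_bytes: return the list of frames in a little-endian pcap."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def write_seed_inputs(directory):
    """Write one-frame seed files in the format lwip_fuzz reads from stdin."""
    os.makedirs(directory, exist_ok=True)
    seeds = {
        "arp_request.bin": arp_request(PEER_MAC, PEER_IP, OUR_IP),
        "udp_echo.bin": ipv4_udp(PEER_MAC, OUR_MAC, PEER_IP, OUR_IP, 40000, 7, b"hello"),
    }
    paths = []
    for name, frame in seeds.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(frame)
        paths.append(path)
    return paths


def crash_file_to_pcap(crash_path, pcap_path):
    """Wrap one afl crash/hang input (a raw Ethernet frame) in a pcap for Wireshark."""
    with open(crash_path, "rb") as f:
        frame = f.read()
    with open(pcap_path, "wb") as f:
        f.write(pcap_bytes([frame]))
    return len(frame)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print("%d bytes -> %s" % (crash_file_to_pcap(sys.argv[1], sys.argv[2]), sys.argv[2]))
    else:
        print("\n".join(write_seed_inputs(sys.argv[1] if len(sys.argv) > 1 else "inputs/generated")))
```

Run it with a directory name to drop seeds there (then point afl-fuzz's -i at that directory), or with a crash file and an output name to produce a pcap for one finding; the pcap functions work on bytes so they can also be wired into a loop over an afl output directory.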