...

The configuration for VMWare may prevent virtual machines from utilizing shared folders by default. You may need to manually enable shared folders for the VM after opening the VMX. If you chose to unzip scripts.zip to a folder other than c:\fuzz, then you will need to modify the properties of the shared folder in VMWare to point to the new location of the files. Alternatively, you may unzip the BFF scripts into ~/bff if you do not wish to use a shared folder.

The fuzzing virtual machine is preconfigured to automatically
begin a fuzzing run on several image format decoders provided
by ImageMagick's "convert" program. An old (5.2.0) version of
ImageMagick is preloaded onto the VM. ImageMagick was built
with debug symbols and without compiler optimization, so that
gdb provides more useful crash reports (symbolized backtraces
with source line numbers, and local variables that have not been
optimized away). ImageMagick was configured using the following
command:

Code Block
CFLAGS="-g -O0" ./configure --without-x

Analyzing results

When the fuzzing run encounters a crash, BFF will analyze the
details of the crash. This involves capturing stderr, gdb,
valgrind, and callgrind output. The gdb output contains
several pieces of information, including the memory map, signal
information, backtrace, registers, and disassembly, as well as
output from the CERT Triage Tools, which indicates the possible
exploitability of the crash. On the OS X platform,
CrashWrangler is used instead of gdb. By looking at the
backtrace, BFF keeps track of which test cases cause unique
crashes, so that many test cases hitting the same bug are
grouped rather than reported separately. Each unique crash is
placed in the configured output directory, laid out as follows.

Code Block
results/
|-- bff.cfg
|-- bff.log
|-- crashers
| |-- <crash_id>
| | |-- <crash_id>.log
| | |-- <analysis_tools>.stderr
| | |-- minimizer_log.txt
| | |-- sf_<seedfile_md5>-<zzuf_seed_number>-minimized.<seedfile_ext>
| | |-- sf_<seedfile_md5>-<zzuf_seed_number>-minimized.<seedfile_ext>.callgrind
| | |-- sf_<seedfile_md5>-<zzuf_seed_number>-minimized.<seedfile_ext>.callgrind.annotated
| | |-- sf_<seedfile_md5>-<zzuf_seed_number>-minimized.<seedfile_ext>.callgrind.calltree
| | |-- sf_<seedfile_md5>-<zzuf_seed_number>-minimized.<seedfile_ext>.gdb
| | |-- sf_<seedfile_md5>-<zzuf_seed_number>-minimized.<seedfile_ext>.stderr
| | |-- sf_<seedfile_md5>-<zzuf_seed_number>-minimized.<seedfile_ext>.valgrind
| | |-- sf_<seedfile_md5>-<zzuf_seed_number>.<seedfile_ext>
| | |-- sf_<seedfile_md5>-<zzuf_seed_number>.<seedfile_ext>.gdb
| | `-- sf_<seedfile_md5>.<seedfile_ext>
|-- seeds
| |-- <seedfile1_md5>
| | `-- zzuf_log.txt
| |-- <seedfile2_md5>
| | `-- zzuf_log.txt
| |-- seedfile_set.log
| |-- sf_<seedfile1_md5>.<seedfile1_ext>
| |-- sf_<seedfile2_md5>.<seedfile2_ext>
`-- uniquelog.txt
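To make the backtrace-based deduplication concrete, the following is an added example and not BFF's own code: it buckets gdb crash reports by the reported signal and the function names of the top frames of the backtrace, ignoring addresses and argument values so that the same bug reached through different inputs lands in one bucket. The gdb excerpts, the test-case names, the frame depth and the hashing rule are all constructed for this illustration; BFF's actual crash-ID computation is not reproduced here.

```python
"""Bucket crashing test cases by the top of their gdb backtrace.

Added example, not BFF's own code: a simplified stand-in for the
backtrace-based crash deduplication described above. The frame depth,
the hash construction and the sample gdb output are assumptions made
for this illustration only.
"""
import hashlib
import re

# Constructed gdb excerpts for four test cases (not real BFF output).
# -17 and -42 crash at the same place with different arguments, -99
# crashes in a different decoder, and -7 has a corrupted program counter.
SAMPLE_GDB = {
    "sf_a1b2c3-17.gif": """\
Program received signal SIGSEGV, Segmentation fault.
#0  0x08077abc in ReadGIFImage (image_info=0x80a1f00, exception=0xbffff4c0) at gif.c:812
#1  0x0805c120 in ReadImage (image_info=0x80a1f00, exception=0xbffff4c0) at constitute.c:490
#2  0x0804a8a0 in ConvertImageCommand (argc=3, argv=0xbffff874) at convert.c:2100
#3  0x0804952c in main (argc=3, argv=0xbffff874) at utilities/convert.c:88
""",
    "sf_a1b2c3-42.gif": """\
Program received signal SIGSEGV, Segmentation fault.
#0  ReadGIFImage (image_info=0x80a2000, exception=0xbffff3b0) at gif.c:812
#1  0x0805c120 in ReadImage (image_info=0x80a2000, exception=0xbffff3b0) at constitute.c:490
#2  0x0804a8a0 in ConvertImageCommand (argc=3, argv=0xbffff764) at convert.c:2100
#3  0x0804952c in main (argc=3, argv=0xbffff764) at utilities/convert.c:88
""",
    "sf_d4e5f6-99.png": """\
Program received signal SIGSEGV, Segmentation fault.
#0  0xb7e9c2d0 in memcpy () from /lib/libc.so.6
#1  0x0807f310 in ReadPNGImage (image_info=0x80a1f00, exception=0xbffff4c0) at png.c:1540
#2  0x0805c120 in ReadImage (image_info=0x80a1f00, exception=0xbffff4c0) at constitute.c:490
#3  0x0804a8a0 in ConvertImageCommand (argc=3, argv=0xbffff874) at convert.c:2100
#4  0x0804952c in main (argc=3, argv=0xbffff874) at utilities/convert.c:88
""",
    "sf_a1b2c3-7.gif": """\
Program received signal SIGSEGV, Segmentation fault.
#0  0x41414141 in ?? ()
#1  0x41414141 in ?? ()
#2  0x0804952c in main (argc=3, argv=0xbffff874) at utilities/convert.c:88
""",
}

# One gdb frame line. gdb omits the "0x... in" part when the pc sits on
# the first instruction of a source line, and prints "??" for frames
# without a symbol, so both forms are accepted.
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(\S+)\s*\(")
SIGNAL_RE = re.compile(r"^Program received signal (\w+)")


def parse_signal(gdb_text):
    """Return the signal name gdb reported, or 'UNKNOWN' if absent."""
    for line in gdb_text.splitlines():
        m = SIGNAL_RE.match(line)
        if m:
            return m.group(1)
    return "UNKNOWN"


def parse_backtrace(gdb_text):
    """Return the function name of every frame, innermost first."""
    return [m.group(2) for m in map(FRAME_RE.match, gdb_text.splitlines()) if m]


def crash_id(gdb_text, depth=5):
    """Bucket key built from the signal and the first `depth` frame names.

    Addresses and argument values are left out on purpose. A "??" frame is
    kept as a name: a crash with a corrupted pc (frame 0 is "??") is a
    different, and usually more interesting, class of crash than one
    inside a symbolised decoder function, and must not be merged with it.
    """
    frames = parse_backtrace(gdb_text)[:depth]
    key = parse_signal(gdb_text) + ":" + ",".join(frames)
    return hashlib.md5(key.encode()).hexdigest()[:16]


def bucket_crashes(cases):
    """Map crash id -> sorted list of test-case names sharing that id."""
    buckets = {}
    for name, gdb_text in cases.items():
        buckets.setdefault(crash_id(gdb_text), []).append(name)
    return {cid: sorted(names) for cid, names in buckets.items()}


if __name__ == "__main__":
    for cid, names in bucket_crashes(SAMPLE_GDB).items():
        print(cid, names)
```

Run against the four constructed cases this yields three buckets: the two GIF crashes at gif.c:812 share one id, the PNG crash gets its own, and the corrupted-pc case stays separate even though it shares the `main` frame. Truncating the key to a fixed number of frames is what keeps a bug reachable through many call paths from fragmenting into dozens of "unique" crashes, which is the same trade-off the crashers/<crash_id> layout above reflects.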

The UbuFuzz startup script, batch.sh, looks for the BFF code in /home/fuzz/bff, which by default is a soft link to the VMWare shared folder /mnt/hgfs/fuzz. The default results location is /home/fuzz/results, which in the UbuFuzz VM is a soft link to /home/fuzz/bff/results (and thus to /mnt/hgfs/fuzz/results). Either of these soft links can be changed if desired, or you can edit conf.d/bff.cfg to point BFF at a different results destination.

...