{"id":3270,"date":"2021-07-01T13:01:37","date_gmt":"2021-07-01T11:01:37","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=3270"},"modified":"2023-12-24T12:47:14","modified_gmt":"2023-12-24T11:47:14","slug":"analyze-code-coverage-to-improve-fuzzing","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=3270","title":{"rendered":"Analyze code coverage to improve fuzzing"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Bugs can only be found dur\u00adring fuzzing code, which is exe\u00adcut\u00aded. But which parts of the code of a tar\u00adget sys\u00adtem is exe\u00adcut\u00ading dur\u00ading a fuzzing ses\u00adsion? And how we can improve our fuzzer to include also tests for code blocks which weren\u2019t cov\u00adered before?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Dynamorio<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019ll use now <a href=\"https:\/\/dynamorio.org\/\">Dynamor\u00adio<\/a> \u2014 a run\u00adtime code manip\u00adu\u00adla\u00adtion sys\u00adtem \u2014 to analyse which code we have exe\u00adcut\u00aded in a first run. Then, we\u2019ll analyse how we can trig\u00adger more code. We could use this infor\u00adma\u00adtion to improve our <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=998\" data-type=\"post\" data-id=\"998\">Fuzzer<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As test appli\u00adca\u00adtion, we\u2019re using a sim\u00adple Go web serv\u00ader, which deliv\u00aders a sta\u00adt\u00adic string for requests to \/foundme and a error mes\u00adsage else. Here is the&nbsp;code:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"golang\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>package main\n\nimport (\n    \"fmt\"\n    \"log\"\n    \"net\/http\"\n)\n\nfunc helloHandler(w http.ResponseWriter, r *http.Request) {\n    if r.URL.Path != \"\/foundme\" {\n        http.Error(w, \"404 not found.\", http.StatusNotFound)\n        return\n    }\n    fmt.Fprintf(w, \"You found me!\")\n}\n\n\nfunc main() {\n    http.HandleFunc(\"\/foundme\", helloHandler)\n\n    fmt.Printf(\"Starting server at port 8080\\n\")\n    if err := http.ListenAndServe(\":8080\", nil); err != nil {\n        log.Fatal(err)\n    }\n}<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Pre\u00adreq\u00adui\u00adsites:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Build the web\u00adserv\u00ader with <code>go build webserver.go<\/code> to get an executeable.<\/li>\n\n\n\n<li>Down\u00adload <a href=\"https:\/\/dynamorio.org\/page_releases.html\">Dynamor\u00adio<\/a><\/li>\n\n\n\n<li>Down\u00adload <a href=\"https:\/\/github.com\/joswr1ght\/dynapstalker\">Dynap\u00adstalk\u00ader<\/a><\/li>\n\n\n\n<li>Down\u00adload <a href=\"https:\/\/hex-rays.com\/ida-free\/\"><span class=\"caps\">IDA<\/span> free<\/a><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Ok, let\u2019s&nbsp;go:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Start drrun from Dynamor\u00adio and exe\u00adcute the pre\u00advi\u00adous\u00adly com\u00adpiled web\u00adserv\u00ader with\u00adin with<br><code>\/opt\/DynamoRIO-Linux-8.0.0-1\/bin64\/drrun -t drcov -dump_text -- webserver<\/code><br>and per\u00adform some requests. Exit the process via <span class=\"caps\">CTRL<\/span>+C.<br><img loading=\"lazy\" decoding=\"async\" width=\"700\" height=\"252\" class=\"wp-image-3280\" style=\"width: 700px;\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2021\/07\/Bildschirmfoto-2021-07-01-um-13.21.12.png\" alt srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/07\/Bildschirmfoto-2021-07-01-um-13.21.12.png 1774w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/07\/Bildschirmfoto-2021-07-01-um-13.21.12-300x108.png 300w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/07\/Bildschirmfoto-2021-07-01-um-13.21.12-1024x368.png 1024w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/07\/Bildschirmfoto-2021-07-01-um-13.21.12-768x276.png 768w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/07\/Bildschirmfoto-2021-07-01-um-13.21.12-1536x552.png 1536w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\"><\/li>\n\n\n\n<li>The direc\u00adto\u00adry now con\u00adtains a log file like <code>drcov.webserver.01693.0000.proc.log<\/code>.<\/li>\n\n\n\n<li>Con\u00advert this file with Dynap\u00adstalk\u00ader into a <span class=\"caps\">IDC<\/span> script file <span class=\"caps\">IDA<\/span> can read:<br><code>python \/opt\/dynapstalker\/dynapstalker.py drcov.webserver.01693.0000.proc.log webserver webserver.idc 0x00ffff<\/code><\/li>\n\n\n\n<li> Open the exe\u00adcutable in <span class=\"caps\">IDA<\/span> and load the gen\u00ader\u00adat\u00aded <span class=\"caps\">IDC<\/span> file via <em>File -&gt; Script com\u00admand<\/em>. The blocks are now in the giv\u00aden&nbsp;color.<\/li>\n\n\n\n<li>Think how to genare input which would go into oth\u00ader code parse and repeat.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Bugs can only be found dur\u00adring fuzzing code, which is exe\u00adcut\u00aded. But which parts of the code of a tar\u00adget sys\u00adtem is exe\u00adcut\u00ading dur\u00ading a fuzzing ses\u00adsion? And how we can improve our fuzzer to include also tests for code blocks which weren\u2019t cov\u00adered before? Dynamor\u00adio We\u2019ll use now Dynamor\u00adio \u2014 a run\u00adtime code manipulation&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[470],"tags":[413,412,231],"class_list":["post-3270","post","type-post","status-publish","format-standard","hentry","category-active-enum","tag-code-coverage","tag-dynamorio","tag-fuzzing"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3270","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3270"}],"version-history":[{"count":10,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3270\/revisions"}],"predecessor-version":[{"id":3787,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3270\/revisions\/3787"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3270"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3270"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}