08-01 Fuzzer

  • 0:00 - 0:06
    Welcome to problem set 4. In this problem set, I'm going to write a random tester or fuzzer.
  • 0:06 - 0:14
    In our example, we're going to be fuzzing PDF files and our application is a couple of PDF readers.
  • 0:14 - 0:20
    This example is taken from Charlie Miller's fuzzer "Babysitting an Army of Monkeys."
  • 0:20 - 0:22
    I encourage you all to look at these sites.
  • 0:22 - 0:30
    To start this fuzzer, we begin by choosing a random file and choosing a random PDF application.
  • 0:30 - 0:35
    We then read in all the bytes from our file and store it in the buffer.
  • 0:35 - 0:39
    Next, we run a random function to determine the number of writes
  • 0:39 - 0:42
    that we are doing based on FuzzFactor.
  • 0:42 - 0:47
    Read up on this FuzzFactor to be 250, and you can see as the
  • 0:47 - 0:50
    FuzzFactor increases, the number of writes decreases.
  • 0:50 - 0:57
    Based on the number of writes, we create a byte, a random byte, and choose from our buffer
  • 0:57 - 1:00
    one of the bytes that we're going to overwrite.
  • 1:00 - 1:03
    We then overwrite that byte with a random one
  • 1:03 - 1:07
    and we continue to do that until we get to the number of writes.
  • 1:07 - 1:13
    Finally, we write all our new bytes to a file, a new file, so we don't overwrite our old one,
  • 1:13 - 1:19
    and we then use a subprocess margin to open our application with our new file.
  • 1:19 - 1:23
    Now, when you run the script, you might see your program go crazy,
  • 1:23 - 1:25
    and if that happens, then you've done it correctly.
  • 1:25 - 1:31
    Now, there are a few things I want to point out. This type of code is the heart of the fuzzer.
  • 1:31 - 1:35
    This is all that you really need for this program to work.
  • 1:35 - 1:38
    A couple of other things: notice that we don't do any logging.
  • 1:38 - 1:42
    This is bad practice for all programmers.
  • 1:42 - 1:46
    We should always do logging in your applications to make debugging easier.
  • 1:46 - 1:49
    What I want you to do is write a fuzzer
  • 1:49 - 1:53
    based on the one that we gave you for real world applications.
  • 1:53 - 1:55
    In our example, we fuzzed PDF files.
  • 1:55 - 2:01
    After you bring your fuzzer, I want you to go to the forums and link to your fuzzer,
  • 2:01 - 2:05
    show what you fuzzed, describe any bugs that you found,
  • 2:05 - 2:09
    and explain how you would improve your fuzzer in the future.
  • 2:09 - 2:14
    Post all these things to the forum, and when you're finished, check this box.
  • 2:14 - 2:17
    Now, of course, you can check this box
  • 2:17 - 2:22
    without actually having done the problem set, but then, what will be the point?
  • 2:22 -
    Good luck on problem set 4.
Title:
08-01 Fuzzer
Team:
Udacity
Project:
CS258: Software Testing
Duration:
02:25
Hajnalka Geib edited English subtitles for cs258 hw4 01 q fuzzer
Udacity Robot edited English subtitles for cs258 hw4 01 q fuzzer
Amara Bot added a translation
