[Announce] New Fusil fuzzer

From: Victor Stinner (victor.stinner@haypocalc.com)
Date: Tue Nov 27 2007 - 17:09:45 EST


Fusil is a fuzzing framework written in Python and distributed under the GNU GPLv2
license.

It makes it easy to write so-called "fuzzing projects" from a set of functions
and the power of Python: create a process, compile a C program, watch a
process, watch syslog, etc.

Available projects: gettext, clamav, libc_printf, php, linux_ioctl, mplayer,
identify, etc.

Website: http://fusil.hachoir.org/trac

Example of a gettext session:

   $ ./run_fusil.sh -p project/poppler.py ~/document.pdf
   [application] Fusil version 0.5 -- GNU GPL v2
   [application] http://fusil.hachoir.org/
   [application] Load project project/poppler.py
   [session 1][project] Start session
   (...)
   [session 994][watch:process:pdftotext] Process killed by signal SIGSEGV
   [session 994][project] End of session: score=75.0%, duration=0.378 second
   [session 994][session_dir] Success: keep directory
      '/home/toady/local/scm/svn/fusil/project-0008/session-0005'
   [project] Project done: : 5 session in 0.9 second (181.6 ms per session),
      total 0.9 second
   [application] Exit Fusil

The last session (a success) is stored in project-0003/session-0994/. We can
reproduce the crash with:
   
   $ evince document.pdf
   Error (0): PDF file is damaged - attempting to reconstruct xref table...
   Error (44780): Dictionary key must be a name object
   (...)
   Segmentation fault

Fusil uses small "agents" which exchange messages to launch actions. E.g.
MangleFile injects errors into a valid file (PDF file, AVI movie, JPEG picture,
etc.), and Fusil then uses the generated filename to run a process.

Each project session has a score between -100% (the application rejects the fuzzy
data) and 100% (success). Many probes exist to compute the session score:
  +100% for process killed by a signal (WatchProcess)
  +100% for "segmentation fault" text pattern in process stdout (FileWatch)
  -100% if session is too fast (TimeWatch)
  etc.

For fuzzing safety, Fusil limits process memory and process priority, copies
only a few environment variables, creates a temporary directory used as the
working directory, etc.

Victor Stinner aka haypo
http://hachoir.org/
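The architecture sketched in the announcement (a MangleFile-style agent corrupting a valid input, a target run in a sandboxed temporary working directory with a trimmed environment, and probes such as WatchProcess, FileWatch and TimeWatch adding up to a session score) can be reproduced in a few dozen lines of plain Python. The following is an added example written for this page, not Fusil's own code: the function names, the score combination (sum of probes clamped to [-100, 100]), the 20 ms "too fast" threshold, the 512 MB address-space limit and the toy target program are all assumptions made for illustration.

```python
"""Minimal Fusil-style fuzzing loop (added example, not Fusil's own code).

Illustrates the pieces described in the announcement: a MangleFile-like agent,
a sandboxed target run, and probes that score each session. Names, thresholds
and the toy target are assumptions, not Fusil's API.
"""
import os
import random
import resource
import shutil
import subprocess
import sys
import tempfile
import time


def mangle_bytes(data: bytes, seed: int, max_errors: int = 8) -> bytes:
    """MangleFile-like agent: overwrite a few random bytes of a valid input.
    Deterministic for a given seed so a crashing input can be regenerated."""
    rng = random.Random(seed)
    buf = bytearray(data)
    for _ in range(rng.randint(1, max_errors)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


# Probes. Each returns a partial score; thresholds are assumptions.
def watch_process(returncode: int) -> float:
    """WatchProcess: subprocess reports 'killed by signal N' as returncode -N."""
    return 100.0 if returncode < 0 else 0.0


def file_watch(output: str) -> float:
    """FileWatch: look for a crash text pattern in the captured output."""
    return 100.0 if "segmentation fault" in output.lower() else 0.0


def time_watch(duration: float, min_seconds: float = 0.02) -> float:
    """TimeWatch: a session that ends almost at once usually means rejected input."""
    return -100.0 if duration < min_seconds else 0.0


def session_score(returncode: int, output: str, duration: float) -> float:
    """Sum the probes and clamp to the [-100%, +100%] range (clamping is an assumption)."""
    total = watch_process(returncode) + file_watch(output) + time_watch(duration)
    return max(-100.0, min(100.0, total))


def limit_child(memory_bytes: int = 512 * 1024 * 1024) -> None:
    """Runs in the child just before exec: cap address space and lower priority."""
    resource.setrlimit(resource.RLIMIT_AS, (memory_bytes, memory_bytes))
    os.nice(10)


def run_session(cmd, input_data: bytes, workdir: str, timeout: float = 5.0):
    """Run the target once on input_data inside workdir with a minimal environment."""
    input_path = os.path.join(workdir, "input.bin")
    with open(input_path, "wb") as f:
        f.write(input_data)
    env = {k: os.environ[k] for k in ("PATH", "HOME", "LANG") if k in os.environ}
    start = time.monotonic()
    try:
        proc = subprocess.run(cmd + [input_path], cwd=workdir, env=env,
                              capture_output=True, text=True, errors="replace",
                              timeout=timeout, preexec_fn=limit_child)
        returncode, output = proc.returncode, proc.stdout + proc.stderr
    except subprocess.TimeoutExpired:
        returncode, output = 0, ""  # a hang is not scored as a crash here
    return returncode, output, time.monotonic() - start


def fuzz(cmd, seed_data: bytes, sessions: int, base_seed: int = 0):
    """Run sessions; keep the directory of every session with a positive score."""
    kept = []
    for n in range(1, sessions + 1):
        workdir = tempfile.mkdtemp(prefix=f"session-{n:04d}-")
        rc, out, dur = run_session(cmd, mangle_bytes(seed_data, base_seed + n), workdir)
        score = session_score(rc, out, dur)
        print(f"[session {n}] returncode={rc} score={score:.1f}% duration={dur:.3f}s")
        if score > 0:
            kept.append((score, workdir))  # success: keep directory, as Fusil does
        else:
            shutil.rmtree(workdir)
    return kept


# Constructed toy target: 4-byte magic, a length byte, then payload. An
# out-of-range length makes it kill itself with SIGSEGV to simulate a crash.
TOY_TARGET = r'''
import os, signal, sys
data = open(sys.argv[1], "rb").read()
if data[:4] != b"FUZZ":
    print("rejected: bad magic"); sys.exit(1)
n = data[4]
if n > len(data) - 5:
    os.kill(os.getpid(), signal.SIGSEGV)
print("ok", data[5:5 + n].hex())
'''

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "toy_target.py")
        with open(target, "w") as f:
            f.write(TOY_TARGET)
        seed_data = b"FUZZ" + bytes([8]) + bytes(range(8))  # valid input
        for score, path in fuzz([sys.executable, target], seed_data, sessions=50):
            print(f"kept {path} (score={score:.1f}%)")
```

Two details carry most of the safety value: `preexec_fn=limit_child` applies the RLIMIT_AS cap and the lower priority in the child before the target is exec'd, so a runaway target cannot exhaust the fuzzing host, and the explicit `env` dictionary means the target sees only the handful of variables listed rather than the fuzzer's whole environment. Because the mangling is seeded per session, the kept `session-NNNN-*` directory plus the session number is enough to regenerate the crashing input.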

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:14 EDT