Closed Bug 413380 (fuzz-JSFF) Opened 17 years ago Closed 4 years ago

[meta] JSFF, a javascript file fuzzer

Categories

(Core :: Fuzzing, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: pvnick, Assigned: pvnick)

References

(Blocks 1 open bug)

Details

(Keywords: meta, sec-other, Whiteboard: [sg:nse meta])

Attachments

(2 files, 7 obsolete files)

Attached file JSFF version 1.0 (obsolete) —
I attached a simple javascript-based file fuzzer. It uses the following ways of fuzzing files:
- Moves a block of data to another area of val, deleting the old block instance
- Copies a block of data to another area of original val, leaving old instance
- Overwrites data in original val with a block of code in val
- Inserts a random-sized block of the same character into a random position of val
- Inserts a random-sized block of garbage into a random position of val
- Inserts a random-sized block of the same character into a random position of val, overwriting old data
- Inserts a random-sized block of garbage into a random position of val, overwriting old data

Getting started:
1. Place the files you want to fuzz into the templates folder. Every iteration, a file will be chosen at random from this folder to be fuzzed.
2. Edit ff.htm and change fuzzFolderPath to an existing folder where the testcases will be placed and templateFolderPath to the path of the template folder. It is important that these paths end in a slash.
3. If the files that are being fuzzed are not images, change the displayFile function to reflect loading procedures for your filetype.
4. Load ff.htm

Note: The file fuzzer must be loaded locally to work.

The file fuzzer will place all testcases in a unique folder within the fuzz directory. It will loop until a crash is found and the browser dies. To generate unlimited crashes, just have ff.htm load in an infinite loop.
I actually copied the fuzzing method descriptions from the comments in the fuzzer, so "val" refers to the parameter supplied to the function (the file contents). Just thought I'd clear that up.
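The seven mutation operators listed in the first comment (plus the "delete random data" one that arrived in 1.1), written out as an added example over a Uint8Array rather than JSFF's own string-based code. The function names, the seeded xorshift32 generator (so a crashing iteration can be replayed from its seed) and the 64-byte block cap are assumptions of this example, not anything JSFF does.

```javascript
// Added example, not JSFF's code: the JSFF mutation operators over a Uint8Array.
// Names, the seeded PRNG and the 64-byte block cap are assumptions.

// Deterministic xorshift32 PRNG so a run can be replayed from its seed
// (assumption: JSFF itself uses Math.random).
function makeRng(seed) {
  let s = (seed >>> 0) || 1;
  return function next(max) {           // integer in [0, max); 0 when max <= 0
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17; s >>>= 0;
    s ^= s << 5;  s >>>= 0;
    return max > 0 ? s % max : 0;
  };
}

function concat(...parts) {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let o = 0;
  for (const p of parts) { out.set(p, o); o += p.length; }
  return out;
}

// Moves a block of data to another area of val, deleting the old instance.
function moveBlock(val, src, len, dst) {
  const block = val.slice(src, src + len);
  const rest = concat(val.subarray(0, src), val.subarray(src + len));
  const d = Math.min(dst, rest.length);
  return concat(rest.subarray(0, d), block, rest.subarray(d));
}

// Copies a block of data to another area of val, leaving the old instance.
function copyBlock(val, src, len, dst) {
  return insertBytes(val, dst, val.slice(src, src + len));
}

// Overwrites data at dst with a block taken from elsewhere in val.
function overwriteWithBlock(val, src, len, dst) {
  return overwriteBytes(val, dst, val.slice(src, src + len));
}

// Inserts block at pos; the result grows by block.length.
function insertBytes(val, pos, block) {
  const p = Math.min(pos, val.length);
  return concat(val.subarray(0, p), block, val.subarray(p));
}

// Overwrites val at pos with block, clipped at the end of val (length unchanged).
function overwriteBytes(val, pos, block) {
  const out = val.slice();
  const room = out.length - pos;
  if (room > 0) out.set(block.subarray(0, Math.min(block.length, room)), pos);
  return out;
}

// Deletes len bytes at pos (the operator added in JSFF 1.1).
function deleteBytes(val, pos, len) {
  return concat(val.subarray(0, pos), val.subarray(pos + len));
}

function repeatedByte(byte, len) { return new Uint8Array(len).fill(byte & 0xff); }

function garbage(rng, len) {
  const b = new Uint8Array(len);
  for (let i = 0; i < len; i++) b[i] = rng(256);
  return b;
}

const OPS = ['move', 'copy', 'overwrite-block', 'insert-same', 'insert-garbage',
             'overwrite-same', 'overwrite-garbage', 'delete'];

// One fuzzing iteration: pick an operator and random block geometry, return the
// operator name (for the testcase log) and the mutated bytes.
function mutate(val, rng) {
  const n = val.length;
  const size = 1 + rng(Math.max(1, Math.min(n, 64)));  // block length, capped at 64 (assumption)
  const src = rng(Math.max(1, n - size + 1));           // where an internal block is taken from
  const pos = rng(n + 1);                               // insertion point, may be the end
  const at = rng(Math.max(1, n));                       // overwrite/delete point, inside val
  const op = OPS[rng(OPS.length)];
  switch (op) {
    case 'move':              return { op, data: moveBlock(val, src, size, pos) };
    case 'copy':              return { op, data: copyBlock(val, src, size, pos) };
    case 'overwrite-block':   return { op, data: overwriteWithBlock(val, src, size, at) };
    case 'insert-same':       return { op, data: insertBytes(val, pos, repeatedByte(rng(256), size)) };
    case 'insert-garbage':    return { op, data: insertBytes(val, pos, garbage(rng, size)) };
    case 'overwrite-same':    return { op, data: overwriteBytes(val, at, repeatedByte(rng(256), size)) };
    case 'overwrite-garbage': return { op, data: overwriteBytes(val, at, garbage(rng, size)) };
    default:                  return { op, data: deleteBytes(val, at, size) };
  }
}
```

Every operator returns a fresh array, so the template cache added in 1.1 stays intact across iterations; keeping the seed and the operator name next to each saved testcase is what makes a crash reproducible without the original run.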
Paul, thanks for that, it seems a really useful tool.
Maybe this is something you find handy, I have some code that can handle the files in the same place as where the current file is downloaded in.
It's clumsy code, but I find it convenient (no need to have files/directories at a specific place).

var activedir = window.location.href;
// strip the file name, the leading "file:///" and URL-encoded spaces
activedir = activedir.substr(0, activedir.lastIndexOf('/') + 1).substr(8).replace(/\%20/g, ' ');
// linux does it differently
if (navigator.platform.toLowerCase().indexOf('linux') >= 0)
  activedir = '/' + activedir;
else
  activedir = activedir.replace(/\//g, '\\');
activedir = activedir.replace('%7B', '{');
activedir = activedir.replace('%7D', '}');

var dirsep = '\\';
if (navigator.platform.toLowerCase().indexOf('linux') >= 0)
  dirsep = '/';

And then change this:
var templateFolderPath = activedir + dirsep + "templates" + dirsep;
var fuzzFolderPath = activedir + dirsep + "fuzz" + dirsep;

(btw, I just filed bug 413931, a similar crash as bug 413373, I first thought I found it with your tool, but I actually already had it stored on your computer)
(In reply to comment #2)
> (btw, I just filed bug 413931, a similar crash as bug 413373, I first thought I
> found it with your tool, but I actually already had it stored on your computer)

But I just found the same crash with your file fuzzer, so that's good news!
Depends on: 414003
I added some code to try and fuzz certificates, I found bug 414003 with it.
If you're interested, I can attach the code, but it is really hacky, and the certificate code is annoying, because it keeps popping up alert dialogs (which I don't know how to avoid).

Btw, I think you had this:
var fPath = "file://" + filePath.replace(/\\/,"/");
I added a g modifier after the regexp, to replace it globally, which I think is more correct.
Attached file JSFF version 1.1 (obsolete) —
Here's a new version. Martijn, can you add your updates to this?

Changes:
-added template cache so you can run several instances of the fuzzer at once
-fixed a bug in the operation selection
-added delete random data
-added Martijn's active directory code
-fixed regexp bug
Attachment #298316 - Attachment is obsolete: true
Btw, I changed the pause variable to half a second for something I was doing and forgot to change it back. 
Attached file mutated form of jsff (obsolete) —
I added this code in a not really orderly way. You might find some parts of it useful (or not).
Blocks: fuzz
Keywords: meta
Whiteboard: [sg:nse meta]
Attached file JSFF version 1.2 (obsolete) —
-Fixed some bugs
-Added some of Martijn's code for some file extensions
-Most extensions are now supported
-New JAR archive display technique crawls the archive and displays a random file source
Attachment #299349 - Attachment is obsolete: true
Comment on attachment 299526 [details]
mutated form of jsff

Code segments included in 1.2. I didn't use printpdf, but it doesn't look like you were having much luck with it either
Attachment #299526 - Attachment is obsolete: true
No, indeed, printpdf doesn't really find anything in this case.
Thanks for including my code. That new version didn't work for me. I had to change this line:
activedir = activedir.substr(0,activedir.lastIndexOf('/')+1).substr(8).replace(/\%20/g,'');
into this:
activedir = activedir.substr(0,activedir.lastIndexOf('/')+1).substr(8).replace(/\%20/g,' ');
and then it worked nicely.
Attached file with zip reading capability (obsolete) —
This adds zip reading capability. It found a testcase for bug 422118 really quickly (once I fixed a stupid mistake).
Attached file JSFF version 1.3 (obsolete) —
I was using Martijn's zip-reading code, but I commented it out and replaced it with code that works for jar and zip. It opens as many files in the top directory as it can fit in a bunch of frames. The code is very slow, but it catches the bug that Martijn filed, and it should catch file-decompressing bugs, which it hasn't yet :)

Also added the ability to retest a file that crashes. Just do ff.htm#location_of_testcase.

Btw, does anybody have any ideas for more file extensions?
Attachment #300794 - Attachment is obsolete: true
Attachment #308646 - Attachment is obsolete: true
Depends on: cpni-zip
Depends on: 448636
Depends on: 463726
Depends on: 463756
(In reply to John Daggett from bug 453225)
> Paul, do you just need javascript code to fixup the checksums?  If so, I can
> probably write that for you, the code is relatively simple as long as the data
> provided is unstructured, i.e. just a sequence of bytes:
> 
>   function fixupFontChecksums(fontBytes) {
> 
>   }
> 
> What exactly is the type of the return value of readContents?  An array?
> 
> Do you have a quick example of how your fuzzer works?
> 
> I think fuzzing randomly may catch some errors but fuzzing within particular
> font tables will probably provide more interesting results, especially for
> tables that contain data which we use a lot, metrics info for example.

Everything just uses javascript variables. I read the files like this:
var bytes = bstream.readBytes(bstream.available());
then unintelligently fuzz and save it. If you could write the code to fix the font checksums, I would appreciate it.
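The checksum fix-up John is offering above, written out as an added example; this is neither his code nor JSFF's. It follows the OpenType/TrueType rules: each table record's checkSum is the sum of the table's big-endian uint32 words (last word zero-padded), the 'head' table is summed with its checkSumAdjustment field zeroed, and checkSumAdjustment is then set to 0xB1B0AFBA minus the checksum of the whole file. Without this, a randomly mutated font can be rejected at the directory before the parser ever reaches the mutated bytes. The function names, buildSampleFont and the guards for a truncated or out-of-range directory (which a mutation can easily produce) are this example's assumptions.

```javascript
// Added example, not John Daggett's code or JSFF's: recompute sfnt table
// checksums after fuzzing. Names, buildSampleFont and the truncation guards are
// assumptions of this example.

// Sum of big-endian uint32 words over [start, start+length), the last word
// zero-padded to 4 bytes, modulo 2^32 (the spec's CalcTableChecksum).
function calcChecksum(bytes, start, length) {
  let sum = 0;
  const end = Math.min(start + length, bytes.length);
  for (let i = start; i < end; i += 4) {
    let word = 0;
    for (let j = 0; j < 4; j++) {
      word = (word << 8) | (i + j < end ? bytes[i + j] : 0);
    }
    sum = (sum + (word >>> 0)) >>> 0;
  }
  return sum;
}

const HEAD_ADJUSTMENT_MAGIC = 0xB1B0AFBA;  // spec constant

// Returns a corrected copy of fontBytes (a Uint8Array or array of byte values):
// every table record's checkSum is recomputed and head.checkSumAdjustment is
// set so the whole font sums to 0xB1B0AFBA.
function fixupFontChecksums(fontBytes) {
  const bytes = new Uint8Array(fontBytes);  // copy; caller's buffer untouched
  const view = new DataView(bytes.buffer);
  if (bytes.length < 12) return bytes;       // no offset table, nothing to fix
  const numTables = view.getUint16(4);       // big-endian, like all sfnt fields
  let headOffset = -1;
  for (let i = 0; i < numTables; i++) {
    const rec = 12 + 16 * i;                 // tag, checkSum, offset, length
    if (rec + 16 > bytes.length) break;      // directory truncated by a mutation
    const tag = String.fromCharCode(...bytes.subarray(rec, rec + 4));
    const offset = view.getUint32(rec + 8);
    const length = view.getUint32(rec + 12);
    if (offset >= bytes.length) continue;    // record points outside the file; leave it
    if (tag === 'head') {
      headOffset = offset;
      if (offset + 12 <= bytes.length) view.setUint32(offset + 8, 0);  // adjustment is zero while summing
    }
    view.setUint32(rec + 4, calcChecksum(bytes, offset, length));
  }
  if (headOffset >= 0 && headOffset + 12 <= bytes.length) {
    const whole = calcChecksum(bytes, 0, bytes.length);
    view.setUint32(headOffset + 8, (HEAD_ADJUSTMENT_MAGIC - whole) >>> 0);
  }
  return bytes;
}

// Constructed two-table sfnt skeleton ('head' carrying only the magic number,
// 'hhea' carrying five bytes) so the fix-up can be exercised offline.
function buildSampleFont() {
  const font = new Uint8Array(108);
  const v = new DataView(font.buffer);
  v.setUint32(0, 0x00010000);               // sfntVersion (TrueType outlines)
  v.setUint16(4, 2);                        // numTables
  v.setUint16(6, 32); v.setUint16(8, 1); v.setUint16(10, 0);  // searchRange, entrySelector, rangeShift
  font.set([0x68, 0x65, 0x61, 0x64], 12);   // 'head'
  v.setUint32(20, 44); v.setUint32(24, 54); // offset, length (checkSum left 0)
  font.set([0x68, 0x68, 0x65, 0x61], 28);   // 'hhea'
  v.setUint32(36, 100); v.setUint32(40, 5);
  v.setUint32(44 + 12, 0x5F0F3CF5);         // head.magicNumber
  font.set([1, 2, 3, 4, 5], 100);           // hhea payload, padded to 108
  return font;
}
```

The fix-up is applied to the fuzzed copy right before it is written out, and the record checksums stay in the directory where the mutation left them. That is deliberate: if an iteration mutates the directory itself (a bogus offset or length), this code skips or clips that record rather than throwing, so the malformed directory still reaches the parser under test.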
Depends on: 480425
Attached file JSFF version 2.0 (obsolete) —
Here's the file fuzzer rewritten to intelligently fuzz font files. Right now, the font fuzzer only works with Windows and requires ttx. If anyone is interested in helping me port this to non-Windows (shouldn't be too hard) please let me know.

Thanks to John Daggett for his checksum recalculation code.
Attachment #312849 - Attachment is obsolete: true
Here's a list of some of the other changes I made since the last version:
-Fixed an iteration bug in fuzzContents
-Fixed the way files are displayed to make it faster and more reliable
-Added ogg support
-Started implementing a way to allow bypassing file access security checks (incomplete)
Depends on: 480863
Depends on: 481921
Depends on: 481933
Depends on: 493224
Attached file C++ version
Does the same thing faster, except needs more work for testcase handling. Copied from bug 486221.
Attached file JSFF version 2.1
Fixed the way that random data block sizes are determined
Attachment #364454 - Attachment is obsolete: true
Group: core-security → core-security-release
Component: Tracking → Platform Fuzzing Team
Alias: fuzz-JSFF

No activity for 11 years, closing

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Summary: JSFF, a javascript file fuzzer → [meta] JSFF, a javascript file fuzzer
Group: core-security-release