Lab-2

Due Date: November 4, 2014, 5pm

Part 1: Black-Box Fuzzing

Goal

The goal of this lab is to gain hands-on experience with black-box fuzzing. The target for fuzzing is a server located at http://128.208.1.214. For this assignment, you will need to interact with the server by sending it requests of the form

                     http://128.208.1.214/fuzz-me{X}.php?id={YOUR-CSE-ID}&input={NUMBER}
         

where X will be different for different parts of this assignment, YOUR-CSE-ID is your actual CSE ID (for example, johndoe) and, lastly, NUMBER is the number that you need to figure out.

The server will provide you with feedback: for most of the numbers you provide, the output will be "try again!", and your task is to find the input number for which the output is "success!". You should give this a try by visiting a URL such as this one: http://128.208.1.214/fuzz-me2.php?id=adrsham&input=123456.

This assignment consists of fuzzing fuzz-me1.php, fuzz-me2.php, and fuzz-me3.php.
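As an added example, not part of the assignment or the course's own materials, here is a small black-box fuzzing harness in C++ for the request template above. It assumes the reply body literally contains "success!" or "try again!" (the feedback described above) and that the transport can be swapped: curl_fetch assumes curl is installed, while fake_server and the single number it accepts (65536) are constructed so that the search logic runs offline. The boundary-value list is one reasonable starting order, not something the assignment prescribes.

```cpp
#include <cstdio>
#include <functional>
#include <set>
#include <string>
#include <vector>

// Request template from the assignment: X (part), CSE id, and the number under test.
std::string build_url(int part, const std::string& cse_id, long long number) {
    return "http://128.208.1.214/fuzz-me" + std::to_string(part) +
           ".php?id=" + cse_id + "&input=" + std::to_string(number);
}

// The transport is pluggable so the search logic can be exercised offline.
using Fetch = std::function<std::string(const std::string&)>;

// Real transport: shell out to curl (assumes curl is on PATH and the id contains no quote).
// Not used by the offline demo in main().
std::string curl_fetch(const std::string& url) {
    std::string cmd = "curl -s --max-time 10 '" + url + "'";
    std::string body;
    FILE* p = popen(cmd.c_str(), "r");
    if (!p) return body;
    char buf[4096];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, p)) > 0) body.append(buf, n);
    pclose(p);
    return body;
}

// Candidate order: integer boundary values first (cheap, high-yield), then a linear sweep.
std::vector<long long> candidates(long long lo, long long hi) {
    std::vector<long long> v = {0, 1, -1, 127, 128, 255, 256, 32767, 32768, 65535, 65536,
                                2147483647LL, -2147483648LL, 4294967295LL};
    for (long long n = lo; n <= hi; ++n) v.push_back(n);
    return v;
}

struct FuzzResult {
    bool found;        // true once a body containing "success!" was seen
    long long value;   // the input that produced it
    size_t requests;   // how many distinct candidates were sent
};

// Black-box search: send each candidate once and stop at the first "success!" reply.
FuzzResult fuzz(int part, const std::string& cse_id, const Fetch& fetch,
                long long lo, long long hi) {
    std::set<long long> tried;
    FuzzResult r = {false, 0, 0};
    for (long long n : candidates(lo, hi)) {
        if (!tried.insert(n).second) continue;   // boundary value repeated by the sweep
        ++r.requests;
        if (fetch(build_url(part, cse_id, n)).find("success!") != std::string::npos) {
            r.found = true;
            r.value = n;
            return r;
        }
    }
    return r;
}

// Constructed stand-in for the server so the example runs offline: it accepts exactly one number.
std::string fake_server(const std::string& url) {
    const std::string key = "&input=";
    long long n = std::stoll(url.substr(url.find(key) + key.size()));
    return n == 65536 ? "success!" : "try again!";
}

int main() {
    FuzzResult r = fuzz(2, "johndoe", fake_server, 0, 100);
    if (r.found)
        std::printf("success with input=%lld after %zu requests\n", r.value, r.requests);
    else
        std::printf("no success in range after %zu requests\n", r.requests);
    return 0;
}
```

To run it against the real server, pass curl_fetch instead of fake_server in main() and put your own CSE id in. Each candidate is one HTTP request to a shared course server, so keep the sweep range small and the request rate modest, and note which reply texts you actually observe before hard-coding "success!" as the oracle.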

Deliverables

Hints

Grading

Part 2: Static Analysis

For this part of the lab, you will need to use a freely available static analysis tool called FlawFinder. You can read more about it here. FlawFinder is available on many platforms and you are welcome to use whichever machine you want, such as one of the CSE machines. On Debian or Ubuntu, you should be able to install FlawFinder with apt-get install flawfinder; on Fedora, RHEL or CentOS, use yum install flawfinder instead. You may need to sudo for these commands to work. On a Windows machine, you can try this. On a Mac, you may benefit from this.

For this assignment, you will need to apply FlawFinder to a relatively small piece of C++ code which can be found here.

If you run flawfinder function.cpp from the command line, you should get output that begins as follows:

         Flawfinder version 1.27, (C) 2001-2004 David A. Wheeler.
         Number of dangerous functions in C/C++ ruleset: 160
         Examining function.cpp
         function.cpp:2:  [2] (buffer) char:
           Statically-sized arrays can be overflowed. Perform bounds checking,
           use functions that limit length, or ensure that the size is larger than
           the maximum possible length.
         function.cpp:3:  [2] (buffer) char:
           Statically-sized arrays can be overflowed. Perform bounds checking,
           use functions that limit length, or ensure that the size is larger than
           the maximum possible length.
         function.cpp:37:  [2] (buffer) strcat:
           Does not check for buffer overflows when concatenating to destination.
           Consider using strncat or strlcat (warning, strncat is easily misused).
           Risk is low because the source is a constant string.
      

You should see a total of 9 warnings. As you can tell from the version banner, the release shown here dates from 2004, and the analysis it does is not particularly sophisticated: FlawFinder matches the names of known-dangerous functions and declarations lexically rather than tracking how data actually flows into them, which is why every hit above still has to be judged by hand.

Goal

For every warning, you will need to think about it carefully to decide if it is a true positive or a false positive. To do so, you will need to reason about array bounds for each of the arrays or buffers the code uses.

To decide whether something is a true positive, you need to take a conservative stance, i.e. if there is a combination of conditions that may make a particular warning signify a real problem, it is a true positive. To get you started with the task of deciding the bounds, we have annotated lines 9 to 12 of function.cpp.

Deliverables

Since we did the first several for you, you should submit your answers for exactly 5 warnings, corresponding to the warnings we haven't already addressed in comments in function.cpp. Please make sure to sort your results by line number. Your submission should be done via Catalyst.

You will be required to provide bounds, which you should express in the format (initial-character-number, length). For example, (0, LL_MAX_PATH - 1) means up to LL_MAX_PATH - 1 characters, starting from character 0.
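As an added illustration of the bounds reasoning the Goal asks for and of the (initial-character-number, length) format above, the C++ below (not function.cpp, and not the course's own annotations) puts a strcat warning that is a false positive next to one that is a true positive, records the bound of each buffer after every call in a comment, and shows the hardened form of the true positive. MAX_PATH_LEN, Bound, strcat_can_overflow, make_tag, make_path_unsafe and make_path_safe are names made up for this example, and the ".cfg" suffix and buffer sizes are constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical buffer size, in the spirit of the assignment's LL_MAX_PATH.
static const size_t MAX_PATH_LEN = 16;

// A bound in the deliverable's format: (initial-character-number, length).
struct Bound {
    size_t start;
    size_t length;
};

// Conservative check for strcat(dst, src): can the worst case (dst holding
// start + length characters, plus src_len characters, plus the NUL) exceed cap bytes?
bool strcat_can_overflow(size_t cap, Bound dst, size_t src_len) {
    return dst.start + dst.length + src_len + 1 > cap;
}

// False positive: both operands are literals, so after strcpy the bound of tag is (0, 4)
// and strcat adds 3 characters: 4 + 3 + 1 = 8 <= sizeof tag. FlawFinder flags it anyway.
std::string make_tag() {
    char tag[8];
    std::strcpy(tag, "tag:");   // tag: (0, 4)
    std::strcat(tag, "abc");    // tag: (0, 7), NUL at index 7
    return std::string(tag);
}

// True positive: name comes from the caller, so after strncpy the bound of out is
// (0, MAX_PATH_LEN - 1); appending ".cfg" (4 chars) can need MAX_PATH_LEN + 4 bytes.
// Safe only while strlen(out) <= MAX_PATH_LEN - 5, which nothing here enforces.
void make_path_unsafe(char out[MAX_PATH_LEN], const char* name) {
    std::strncpy(out, name, MAX_PATH_LEN - 1);
    out[MAX_PATH_LEN - 1] = '\0';   // out: (0, MAX_PATH_LEN - 1)
    std::strcat(out, ".cfg");       // overflows when strlen(out) > MAX_PATH_LEN - 5
}

// Hardened form: snprintf bounds the whole write and reports whether it was truncated.
// Returns true exactly when "<name>.cfg" fit, i.e. the cases where the strcat above was safe.
bool make_path_safe(const char* name, char out[MAX_PATH_LEN]) {
    int n = std::snprintf(out, MAX_PATH_LEN, "%s.cfg", name);
    return n >= 0 && static_cast<size_t>(n) < MAX_PATH_LEN;
}

int main() {
    char out[MAX_PATH_LEN];
    make_path_unsafe(out, "app");   // in bounds for this short, constructed name
    std::printf("%s\n%s\n", make_tag().c_str(), out);
    bool fits = make_path_safe("abcdefghijklmno", out);   // 15 + 4 characters cannot fit
    std::printf("fits=%d out=\"%s\"\n", fits, out);
    return 0;
}
```

The same arithmetic is what you apply to each remaining warning in function.cpp: write down the bound of the destination before the call, add the maximum length of the source, add one for the terminator, and compare with the declared size; if any reachable combination exceeds it, the warning is a true positive.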

Grading

You get 4 points for every FlawFinder warning, adding up to a total of 20 points.