This project is based on a simple open-source JPEG-to-BMP conversion program called ‘jpeg2bmp.cpp’. I modified it, in a way similar to what I introduced in the lecture slides ‘fuzzTest-example.ppt’, by manually adding 13 bugs that cause the program to crash. When a bug is triggered, the jpeg2bmp program crashes with “segmentation fault” and prints “Triggering Bug #n !” to stderr, where n is a number between 1 and 13 indicating which bug has been triggered.







I have compiled and generated the executable ‘jpeg2bmp’. This executable can run on the CS department’s Eustis Linux machine. Once you have uploaded the jpeg2bmp binary and the example jpg file ‘cross.jpg’ to the Eustis machine, you first need to make jpeg2bmp executable by running the command:







$ chmod u+x jpeg2bmp

Then test it by typing the command:

$ ./jpeg2bmp cross.jpg cross.bmp







It will convert the ‘cross.jpg’ image file to the ‘cross.bmp’ image file. This example cross.jpg file is a tiny (808 bytes) jpeg format image, and you can use it to conduct mutation-based fuzzing.







You may work on your own Linux machine for testing purposes, but the final results must be generated on, and be testable by our TA on, the Eustis Linux machine!







Fuzzing:








The goal of this project is to implement a “fuzzer”, or fuzz tester. Fuzz testing is one way of discovering security vulnerabilities in any code that processes potentially malicious input.







A mutation-based fuzzer takes a valid input (such as the included cross.jpg file) for the target program, and works by creating random mutations/changes to generate new test cases. Mutation-based fuzzers are application independent, and so you do not need to have any knowledge about input format (i.e., jpeg format) accepted by the target program.







Implementation:








You need to code a mutation-based fuzzer to discover as many bugs (among those 8 manually inserted bugs) as you can. Each student may implement his/her own fuzzer in the programming language(s) of their choice (such as C, C++, Perl, Java, Python), as long as the fuzzer can be executed on the department’s Eustis machine.







Not all of the bugs will be equally easy to discover. Changing the way of mutation may help you discover additional bugs if your original fuzzer can only discover 3 or 4 bugs.
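A mutation-based fuzzing loop of the kind described above, as an added example that is not part of the original assignment: it overwrites a few random bytes of a seed, runs the target, counts a hit when the process dies from a signal and stderr carries the “Triggering Bug #n” marker, tallies hits per bug, and saves the first reproducer for each bug as test-n.jpg. STAND_IN is a constructed stand-in target (not jpeg2bmp) and the seed bytes are constructed, so the example runs anywhere; for a real run, pass ["./jpeg2bmp"] and the contents of cross.jpg to fuzz().

```python
import os, random, re, subprocess, sys, tempfile
from collections import Counter
from pathlib import Path

BUG_RE = re.compile(rb"Triggering Bug #(\d+)")
# Constructed stand-in target so the example runs anywhere; it is NOT jpeg2bmp.
STAND_IN = ("import os, signal, sys\n"
            "if open(sys.argv[1], 'rb').read()[:4] != b'\\xff\\xd8\\xff\\xe0':\n"
            "    os.write(2, b'Triggering Bug #3 !\\n')\n"
            "    os.kill(os.getpid(), signal.SIGSEGV)\n")

def mutate(seed, rng, max_bytes=4):
    """Overwrite 1..max_bytes randomly chosen bytes with random values."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, max_bytes)):
        data[rng.randrange(len(data))] = rng.randrange(256)
    return bytes(data)

def run_case(cmd, data, workdir):
    """Run the target on one input; return the bug number it reports, or None."""
    src, dst = os.path.join(workdir, "test.jpg"), os.path.join(workdir, "test.bmp")
    Path(src).write_bytes(data)
    try:
        proc = subprocess.run(cmd + [src, dst], capture_output=True, timeout=5)
    except subprocess.TimeoutExpired:
        return None  # a hang is not one of the marked crashes
    match = BUG_RE.search(proc.stderr)
    # A negative return code means the process died from a signal (SIGSEGV = -11).
    return int(match.group(1)) if match and proc.returncode < 0 else None

def fuzz(cmd, seed, iterations, outdir, rng_seed=0):
    """Return Counter {bug number: times triggered}; keep one test-x.jpg per bug."""
    rng, hits = random.Random(rng_seed), Counter()
    os.makedirs(outdir, exist_ok=True)
    with tempfile.TemporaryDirectory() as work:
        for _ in range(iterations):
            data = mutate(seed, rng)
            bug = run_case(cmd, data, work)
            if bug is not None:
                if bug not in hits:  # first trigger: save the reproducer
                    Path(outdir, f"test-{bug}.jpg").write_bytes(data)
                hits[bug] += 1
    return hits

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "stand_in.py")
        Path(target).write_text(STAND_IN)
        seed = b"\xff\xd8\xff\xe0" + bytes(4)  # constructed seed, not cross.jpg
        print(dict(fuzz([sys.executable, target], seed, 30, os.path.join(d, "found"))))
```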







Delivery:








Submit a .zip file through UCF WebCourse. The zip file should contain:







  • Source code file of your fuzzer. Your program must be written in a language that can be run on Eustis, such as C/C++, Java, Perl, or Python. Please explain clearly in your report how the TA can compile and run your code on the Eustis machine!



  • The mutated jpg image files (based on the given cross.jpg) that trigger each of the bugs you can find. For each bug, provide one and only one mutated image file. Name the mutated file “test-x.jpg” for Bug #x, where x is a number between 1 and 13. In this way, the TA can easily check whether you really found Bug #x by running jpeg2bmp on the test-x.jpg image file himself!



  • A 2-5 page project report (in PDF). The detailed requirements of this report are discussed below.









Project Report Requirement:





Please submit a project report of 2-5 pages. Consider this to also be a software engineering project and include sections such as Analysis, Design and Implementation.













Design:



Briefly explain your strategy used to implement the fuzzing test. Specifically, you should point out how you mutate the cross.jpg, including which byte or bytes you modify, what values you use, etc.













Empirical results:



In your report, you must show how many mutated image files you tried in fuzzing, the number of bugs you found (and which ones), and, for each bug you found, how many times it was triggered. You can use either a table or a figure to show these statistics.







When you find a mutated image file ‘test.jpg’ that, for example, triggers Bug #1, rename the file to ‘test-1.jpg’ and save it (for each bug, you only need to save one mutated image file for final submission; of course, during fuzz testing you may have temporarily saved many image files that trigger the same bug). Show the screenshot image(s) of each bug you have triggered using the jpeg2bmp command, something like this:







project2-image-1.png












Grading





(60 points) There are 13 bugs in the sample program. You need to find any 10 of those 13 bugs to receive full credit. A bug x is confirmed to be found only if you have the corresponding test-x.jpg file that triggers this bug in your submission. You must have submitted your fuzzer source code.




(10 points) Empirical results presented in the project report. Report contains clear description, including some graphs or tables showing the statistical results.




(20 points) The submitted compressed file contains image files that trigger each of the found bugs (e.g., if you found 5 bugs, you should have 5 test-x.jpg files in your submission).




(10 points) Project report contains the screenshot image(s) showing the “Triggering Bug #x !” for each found bug.

Mar 12, 2023