Description
CSE 543: Information Assurance and Security
Fuzz them all
Purpose
The purpose of this assignment is to test your understanding of fuzz testing (fuzzing) and guide you to develop your own binary fuzzer. You will learn how to develop your own simple fuzzer, monitor for crashes, generate high-quality seed input, etc.
Objectives
Students will be able to:
● Determine how fuzzers for binary programs work.
● Differentiate between types of fuzzers.
● Categorize advantages of each type of fuzzer (e.g., smart fuzzers vs. dumb fuzzers and mutational vs. generative fuzzers).
● Understand the importance of seed input selection.
● Develop a simple fuzzer to fuzz binary programs when source code is available.
● Develop a simple fuzzer to fuzz binary programs when source code is not available.
Technology Requirements
Project Description
Your code should be understandable and well documented in case the instructor or the TA decides to manually grade your submission.
Directions
Here is a step-by-step description of how you will develop the fuzzer. Your fuzzer will take an initial seed and two arguments, `prng_seed` and `num_of_iterations`, as input. Your fuzzer will generate *one* output in a deterministic manner, i.e., for the same combination of initial seed, `prng_seed`, and `num_of_iterations`, your fuzzer should generate the same output file. This output file will be used as input to the fuzzing target.
– Your fuzzer will be executed using the following command line:
./fuzzer prng_seed num_of_iterations
– Your fuzzer will read an initial seed file called _seed_. The _seed_ file is located under the current working directory.
– Optionally, your fuzzer will use `prng_seed` to seed any PRNG(s) that will be used during fuzzing.
– Your fuzzer will iterate for `num_iterations` times. In every iteration, your fuzzer should change each byte of the input to a random byte with 13% probability. Do not change or overwrite the `seed` file on the disk.
– Your fuzzer will extend the input string by adding 10 random characters to the end of the input every 500 iterations. Again, do not change or overwrite the `seed` file on the disk.
– Your fuzzer terminates.
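A reference implementation of the steps above, added here as an example and not part of the assignment handout. It seeds a private `random.Random` with `prng_seed` so the output is a pure function of (seed file, `prng_seed`, `num_of_iterations`); appending raw random bytes rather than printable characters, and writing the result to a file named `output`, are assumptions because the handout specifies neither.

```python
import random
import sys
from pathlib import Path

MUTATION_PROBABILITY = 0.13   # per-byte chance of replacement in each iteration
EXTENSION_INTERVAL = 500      # append extra bytes every this many iterations
EXTENSION_LENGTH = 10         # number of random bytes appended each time


def fuzz(seed_data: bytes, prng_seed: int, num_iterations: int) -> bytes:
    """Return the mutated input derived from seed_data.

    A private random.Random instance seeded with prng_seed (never the global
    random module) keeps the result deterministic for the same arguments.
    """
    rng = random.Random(prng_seed)
    data = bytearray(seed_data)   # work on a copy; the seed itself is never modified
    for iteration in range(1, num_iterations + 1):
        # Mutation: each byte is replaced by a random byte with 13% probability.
        for i in range(len(data)):
            if rng.random() < MUTATION_PROBABILITY:
                data[i] = rng.randrange(256)
        # Extension: every 500th iteration appends 10 random bytes (assumption:
        # arbitrary byte values, not only printable characters).
        if iteration % EXTENSION_INTERVAL == 0:
            data.extend(rng.randrange(256) for _ in range(EXTENSION_LENGTH))
    return bytes(data)


def main(argv: list[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} prng_seed num_of_iterations", file=sys.stderr)
        return 2
    prng_seed, num_iterations = int(argv[1]), int(argv[2])
    seed_data = Path("seed").read_bytes()    # read-only: the seed file is left untouched
    output = fuzz(seed_data, prng_seed, num_iterations)
    Path("output").write_bytes(output)       # output filename is an assumption
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `./fuzzer prng_seed num_of_iterations` from the directory containing `seed`; the length of the result is always `len(seed) + 10 * (num_of_iterations // 500)`, which is a quick sanity check on the extension rule.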
Evaluation
Your fuzzer will first be evaluated against the three test programs with the provided `prng_seed` and `num_iterations`. You will get 10 points for crashing each of them.
Additionally, your fuzzer will be tested on a comprehensive test suite with both programs that are similar to the test targets that you have and programs that are not related to any test targets. There will be ten (10) test programs. For each test program, your fuzzer will have one (1) hour of CPU time. Crashing each target will give you 10 points.
This project accounts for 30% of your final grade in this course.
Submission Directions for Project Deliverables
Your fuzzer code. It should include a `fuzzer` executable that takes command line parameters as previously described.
For each test program, submit a text file named after the test program with the `prng_seed` and `num_iterations` for which your fuzzer generates a crashing input. If the test program is called `test`, then your test file should be named `test.txt`.
A document listing any dependencies that your fuzzer has, and detailing your input generation strategy.