PRE2Fuzz bridges protocol reverse engineering (PRE) and protocol fuzzing. It includes a suite of representative open-source network servers for popular protocols (e.g., FTP) and tools to automate experimentation.
pre2fuzz
├── subjects: contains different protocol implementations
│   └── FTP
│       └── lightftp
│           ├── Dockerfile: for building the Docker image specific to the target server
│           ├── run.sh: main script to run the experiment inside a Docker container
│           └── other necessary files
├── scripts: contains all scripts for running experiments and analyzing results
│   ├── execution
│   │   ├── prefuzzbench_pre.sh: main script to run reverse-engineering experiments
│   │   ├── transform.py: main script to run transform experiments
│   │   ├── prefuzzbench_fuzz.sh: main script to run fuzzing experiments
│   │   └── ...
│   └── analysis
│       └── profuzzbench_plot.py: sample script for plotting the results
├── config.ini: configuration file
└── README.md: this file
Follow the steps below to run and collect experimental results for LightFTP, a lightweight File Transfer Protocol (FTP) server. Similar steps apply to the other subjects.
git clone https://github.com/csu-wingmate/pre2fuzz.git
cd pre2fuzz
sudo mkdir in
sudo mkdir pits
export PFBENCH=$(pwd)
export PATH=$PATH:$PFBENCH/scripts/execution:$PFBENCH/scripts/analysis
cd $PFBENCH
cd fuzzers/Peach
docker build . -t peach
cd $PFBENCH
cd subjects/FTP/lightftp
docker build . -t lightftp
docker pull netplier:out
Run the prefuzzbench_pre.sh script to start a reverse-engineering experiment. The script takes 3 arguments as listed below.
- 1st argument (PROTOCOL): name of the protocol implementation
- 2nd argument (PRE): reverse tool name (e.g., netplier)
- 3rd argument (TIMEOUT): time budget in seconds
The following commands run NetPlier against LightFTP for 5 minutes.
cd $PFBENCH/scripts
sudo chmod +x prefuzzbench_pre.sh
./prefuzzbench_pre.sh lightftp netplier:out 300
A successful script execution will produce output similar to this:
NETPLIER:OUT: Collecting results from container and save them to $PFBENCH/in
NETPLIER:OUT: I am done!
The following commands transform the reverse-engineering result into a Peach Pit file. Before running the script, edit config.ini to match your setup.
cd $PFBENCH/scripts
sudo python transform.py
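As an added example (not pre2fuzz's transform.py, whose input format and config.ini keys are not described here), the script below shows the kind of transformation this step performs: it takes an inferred message format and emits a Peach 3 Pit with one DataModel per message type, keyword fields marked as immutable tokens so only the variable fields get mutated, and a TcpClient publisher aimed at the target. The `INFERRED` table, field names and host/port are constructed for the example; the element names (DataModel, String, StateModel, Test, Publisher) follow the Peach 3 Pit schema.

```python
"""Added example: generate a Peach 3 Pit file from an inferred message format.

This is not pre2fuzz's transform.py. The `INFERRED` table is a constructed
stand-in for a reverse-engineering result: each message type is a list of
fields that are either a fixed keyword ("kw") or a variable token ("var").
"""
import xml.etree.ElementTree as ET

PEACH_NS = "http://peachfuzzer.com/2012/Peach"

# Constructed sample (assumption): three FTP command formats as a PRE tool
# might infer them, with the CRLF terminator kept as raw bytes.
INFERRED = {
    "USER": [("kw", b"USER "), ("var", b"anonymous"), ("kw", b"\r\n")],
    "PASS": [("kw", b"PASS "), ("var", b"guest"), ("kw", b"\r\n")],
    "CWD": [("kw", b"CWD "), ("var", b"/pub"), ("kw", b"\r\n")],
}


def _string_attrs(kind, value, name):
    """Attributes for a Peach <String>: keywords become immutable tokens so the
    fuzzer mutates only the variable fields; non-printable bytes go in as hex."""
    attrs = {"name": name}
    if all(0x20 <= b < 0x7F for b in value):
        attrs["value"] = value.decode("ascii")
    else:
        attrs["valueType"] = "hex"
        attrs["value"] = " ".join(f"{b:02x}" for b in value)
    if kind == "kw":
        attrs["token"] = "true"
        attrs["mutable"] = "false"
    return attrs


def build_pit(inferred, host, port):
    """Return the Pit XML as a string: one DataModel per message type, a single
    state that sends each message in order, and a TcpClient publisher."""
    root = ET.Element("Peach", xmlns=PEACH_NS)
    for msg, fields in inferred.items():
        dm = ET.SubElement(root, "DataModel", name=f"{msg}Model")
        for i, (kind, value) in enumerate(fields):
            ET.SubElement(dm, "String", _string_attrs(kind, value, f"f{i}"))
    sm = ET.SubElement(root, "StateModel", name="Session", initialState="Initial")
    state = ET.SubElement(sm, "State", name="Initial")
    for msg in inferred:
        action = ET.SubElement(state, "Action", type="output")
        ET.SubElement(action, "DataModel", ref=f"{msg}Model")
    test = ET.SubElement(root, "Test", name="Default")
    ET.SubElement(test, "StateModel", ref="Session")
    pub = ET.SubElement(test, "Publisher", {"class": "TcpClient"})
    ET.SubElement(pub, "Param", name="Host", value=host)
    ET.SubElement(pub, "Param", name="Port", value=str(port))
    ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")


def count_mutable_fields(pit_xml):
    """Sanity check on a generated Pit: how many String fields the fuzzer may mutate."""
    root = ET.fromstring(pit_xml)
    strings = root.iter(f"{{{PEACH_NS}}}String")
    return sum(1 for s in strings if s.get("mutable") != "false")


if __name__ == "__main__":
    # Host and port are assumptions; LightFTP in the benchmark container may listen elsewhere.
    pit = build_pit(INFERRED, "127.0.0.1", 2200)
    print(pit)
```

The point of the token/mutable split is the one a transform step has to get right: if the inferred keyword bytes are left mutable, Peach spends most of its budget producing commands the server rejects at the parser, and the coverage curve in the fuzzing step stays flat. The CRLF field is emitted as hex because a literal newline inside an XML attribute is normalized to a space by the XML parser.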
Run the prefuzzbench_fuzz.sh script to start a fuzzing experiment. The script takes 4 arguments as listed below.
- 1st argument (PROTOCOL): name of the protocol implementation
- 2nd argument (SAVETO): path to a folder keeping the results
- 3rd argument (FUZZER): fuzzer name (e.g., peach)
- 4th argument (TIMEOUT): time for fuzzing in seconds
The following commands run an instance of Peach to fuzz LightFTP for 5 minutes.
cd $PFBENCH
sudo mkdir results-lightftp
cd scripts
sudo chmod +x prefuzzbench_fuzz.sh
sudo ./prefuzzbench_fuzz.sh lightftp results-lightftp peach 300
All results are stored in tar files within the results folder created before fuzzing (results-lightftp). This includes directories named like peach-1-branch and peach-1-logs, where peach-1-branch contains the collected branch coverage data and peach-1-logs contains the log files from the Peach run, including the number of test cases executed and any potential bug reports.
The branch coverage data collected during fuzzing can be used for plotting. We provide a sample Python script, profuzzbench_plot.py, to visualize code coverage over time. Use the following command to plot the results and save them to a file.
cd $PFBENCH/results-lightftp
profuzzbench_plot.py -i <input_data> -o <output_plot_file>
Replace <input_data> with the path to your coverage data and <output_plot_file> with the desired filename for your plot.
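As an added example (not profuzzbench_plot.py, and using a CSV layout that is an assumption, since the page does not describe the collected format), the script below does the aggregation a coverage-over-time plot needs: it reads per-run branch-coverage samples, carries each run's last value forward between samples, and reports the mean across runs at fixed time steps plus the time each run needed to reach a target branch count. The sample rows are constructed.

```python
"""Added example: aggregate per-run branch coverage samples over time.

Not pre2fuzz's profuzzbench_plot.py. The CSV layout below is an assumption:
time (seconds since the fuzzing run started), subject, fuzzer, run id,
coverage type, and the absolute branch count observed at that time.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: two Peach runs against lightftp, sampled only when the
# branch count changed (so values must be carried forward between samples).
SAMPLE_CSV = """\
time,subject,fuzzer,run,cov_type,value
0,lightftp,peach,1,b_abs,120
60,lightftp,peach,1,b_abs,150
180,lightftp,peach,1,b_abs,170
0,lightftp,peach,2,b_abs,118
120,lightftp,peach,2,b_abs,160
240,lightftp,peach,2,b_abs,190
"""


def load_series(csv_text, fuzzer, cov_type="b_abs"):
    """Map run id -> sorted list of (time, value) for one fuzzer and coverage type."""
    series = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["fuzzer"] != fuzzer or row["cov_type"] != cov_type:
            continue
        series[int(row["run"])].append((int(row["time"]), int(row["value"])))
    return {run: sorted(points) for run, points in series.items()}


def value_at(points, t):
    """Coverage of one run at time t: the last sample at or before t (0 before the first)."""
    current = 0
    for when, value in points:
        if when > t:
            break
        current = value
    return current


def mean_over_time(series, horizon, step):
    """List of (t, mean coverage across runs) for t = 0, step, ..., horizon."""
    out = []
    for t in range(0, horizon + 1, step):
        values = [value_at(points, t) for points in series.values()]
        out.append((t, sum(values) / len(values)))
    return out


def time_to_reach(points, target):
    """First sample time at which a run reached `target` branches, or None."""
    for when, value in points:
        if value >= target:
            return when
    return None


if __name__ == "__main__":
    runs = load_series(SAMPLE_CSV, "peach")
    for t, mean in mean_over_time(runs, horizon=240, step=60):
        print(f"{t:4d}s  mean branches {mean:.1f}")
    for run, points in runs.items():
        print(f"run {run}: reached 160 branches at {time_to_reach(points, 160)}s")
```

Carrying the last value forward matters because runs are sampled at different moments; averaging only the rows that happen to share a timestamp would silently drop runs from most points on the curve. Comparing the mean curve and the time-to-target per run across several repetitions is what makes a difference between two PRE tools or two fuzzers defensible rather than an artifact of one lucky run.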
You can also run the prefuzzbench_common.sh script to execute the full pipeline (reverse engineering, transformation and fuzzing) in one go.
cd $PFBENCH
sudo mkdir results-lightftp
cd scripts
sudo chmod +x prefuzzbench_common.sh
sudo ./prefuzzbench_common.sh lightftp results-lightftp netplier:out peach 300