I want to know how to test with fuzzer.

[hanwool26]

Hello, I'm Hanwool lee, who is a sctp engineer in global corp which produces network products in korea.

I have been reviewing the usrsctp a lot for a few months. I think it is working well when I test the code with my local PC. So, I gonna try to commercialize usrsctp.

For that, I want to know how to use fuzzer included in this repo. Please let me know that. guide me please. or do you have the other apps to test it.

Thanks
Hanwool Lee

[hanwool26]

Please Reply, Owner of this repository, Tuexen.

[tuexen]

The SCTP code is shared with the FreeBSD kernel stack. The socket API is continuously fuzzed by syzbot. It would be possible the also fuzz there the packet input, but this needs some code in syzcaller. This is on my ToDo list, but not at the top.
Google is fuzzing the packet input path in OSS-fuzz. We also support local fuzzing via LLVM. This was implemented by @weinrank. Which one are you referring to?

[hanwool26]

Hello, @weinrank.
Thanks for answering. I want to know your intention of what to verify and validate using fuzzer ?
Actually, I don't have experienced fuzzer in the past.

In addition, Do you have a manual for using it ?

Best Regard.
Hanwool Lee.

[tuexen]

We are using a fuzzer to test the handling of arbitrary input in the incoming packet handling. The fuzzer changes the input data by using heuristics. So you can run it continuously since it will continue to try other input data.

All documentation we have is in the git repository.

[hanwool26]

Thanks for answering. @tuexen
I am wondering input data from CORPUS_LISTEN, CORPUS_FRAGMENT and CORPUS_CONNECT.
I just knew that input data from fuzzer is generated randomly. But, When I use the files in these folders, Input data is generated from the files, not randomly ?

Also, what purpose do you want using fuzzer?

Thanks
Hanwool Lee.

[tuexen]

The three CORPUS_* directories correspond to the three programs fuzzer_* used for fuzzing.
The corpus is used as a starting point for apply random changes. That way the fuzzer has not to find a starting point which is valid. These entries in the directories are generated by pcap2corpus.c, which takes a pcap file of packets and translates them in the correct format.
fuzzer_listen.c handles incoming packets on a listening socket,fuzzer_connect.c handles an incoming packet while or after performing a handshake, and finally fuzzer_fragment.c handles incoming DATA chunks.

The intention of using the fuzzer is to test if the SCTP stack can handle arbitrary packet input.

[hanwool26]

Hello, @tuexen
I appreciate for your kind answers.
I have a few question about your project.

1. Whenever you commit or release code, do you use a test app or fuzzer to verify sw logic and detect some bugs ?
   If so, Can I know the apps for tests ?
2. do you use static or dynamic analyzer tools to verify your code like svace ? I want to know how to verify and validate code by you.

[tuexen]

Hello, @tuexen I appreciate for your kind answers. I have a few question about your project.

1. Whenever you commit or release code, do you use a test app or fuzzer to verify sw logic and detect some bugs ?
   If so, Can I know the apps for tests ?

Most of the development happens for the SCTP kernel stack of FreeBSD (usrsctp is just a way of running the same code in userland). The main testtool used there is packetdrill.

2. do you use static or dynamic analyzer tools to verify your code like svace ? I want to know how to verify and validate code by you.

FreeBSD uses Coverity and usrsctp, in addition, also uses the clang code analyzer as part of the buildbot. See scanbuild.

[hanwool26]

@tuexen
Thanks for your kind answers.
Do you use these tools actually to release code ?
Or you recommended ?