|
|
@@ -130,6 +130,7 @@ command line in the opener main directory.
|
|
|
|
|
|
Fuzzing
|
|
|
--------------
|
|
|
+#### Intro
|
|
|
Fuzzing is an automated testing method that directs varying input data to a program in
|
|
|
order to monitor output. It is a way to test for overall reliability as well as identify
|
|
|
potential security bugs.
|
|
|
@@ -140,6 +141,9 @@ The fuzzer we are using is AFL, a fuzzer that uses runtime guided techniques to
|
|
|
- Feeds the fuzzed process with the test case through STDIN
|
|
|
- Monitors the execution and registers which paths are reachable
|
|
|
|
|
|
+
|
|
|
+
|
|
|
+#### Compile
|
|
|
To start fuzzing this project with AFL you'll need to compile it with AFL.
|
|
|
First make sure you have AFL installed:
|
|
|
```
|
|
|
@@ -157,16 +161,22 @@ Then, compile OpENer with AFL:
|
|
|
2. Compile OpENer with AFL ``./setup_posix_fuzz_afl.sh``
|
|
|
3. Run ``make``
|
|
|
|
|
|
+#### Fuzz
|
|
|
Finally, generate some test cases and start AFL:
|
|
|
```
|
|
|
# Generate inputs
|
|
|
mkdir inputs
|
|
|
-echo 630000000000000000000000000000000000000000000000 | xxd -r -p > ./inputs/req_list_identity
|
|
|
-# You can also use the inputs we prepared from ``fuzz/inputs``
|
|
|
+echo 630000000000000000000000000000000000000000000000 | xxd -r -p > ./inputs/enip_req_list_identity
|
|
|
+# You can also use the inputs we prepared from OpENer/fuzz/inputs
|
|
|
# Finally, let's fuzz!
|
|
|
-afl-fuzz -i inputs -o findings ./src/ports/POSIX/OpENer eth1
|
|
|
+afl-fuzz -i inputs -o findings ./src/ports/POSIX/OpENer <interface_name>
|
|
|
```
|
|
|
-
|
|
|
+
|
|
|
+#### Reproduce a crash
|
|
|
+Usually to reproduce a crash it's enough to retransmit the testcase using ``cat testcase | nc IP_ADDR 44818``
|
|
|
+However, since CIP runs over the EtherNet/IP layer, it must first register a valid session. Therefore, we need to use a dedicated script:
|
|
|
+`python2 fuzz/scripts/send_testcase.py IP testcase_path`
|
|
|
+
|
|
|
|
|
|
Porting OpENer:
|
|
|
---------------
|
Sharon Brizinov
