Home

Awesome

CorbFuzz

DOI

CorbFuzz is a state-aware fuzzer for generating as much reponses from a web application as possible without need of setting up database, etc.

Obtaining Source Code

Download from this git repo...

git clone https://github.com/shouc/corbfuzz.git

Building (Docker)

Make sure docker has been installed on your computer and you are running as root. This would take ~10 minutes on our computer (P.S. to optimize performance, you can update line 51 in build.sh make -j30 to make -j{how many processors you have}).

Notice that you must add --shm-size=6g so that there is enough memory for the fuzzer.

docker build . -t corbfuzz
docker run  --shm-size=6g --name corbfuzz1 -ti corbfuzz # tapping into docker container

If you instead want to use our pre-built docker image, you can replace previous procedure with

docker run  --shm-size=6g --name corbfuzz1 -ti shouc/corbfuzz:latest

Building (Ubuntu)

The setup script has been tested on Ubuntu 20.10, make sure you are running as root.

If you don't have Chromium & chromedriver on your computer, following script downloads Chromium and setup it up:

./install_chrome.sh

Following script installs all dependency required by the fuzzer, build the instrumented PHP, and setup the environment.

./build.sh

Running

Start the redis server required by the fuzzer (You don't need to set this for dry run)

service redis-server start

Run the fake_mysql first:

cd /corbfuzz/fake_mysql
nvm use --lts # switch to nodejs 14
rm -f /tmp/rand.sock # remove the existing unix socket
node main.js & # start the fake MySQL server

Run instrumented PHP server on port 1194 (the fuzzer defaults to use port 1194):

cd [Fuzzing Target Location] # for testing, you can use /corbfuzz/test
mkdir cov # if cov directory does not exist
php -dextension=/corbfuzz/hsfuzz.so -S 0.0.0.0:1194 &

Run fuzzer at /corbfuzz directory in Python console:

cd /corbfuzz
python3

Inside the console, type:

import main
main.main(0)

As for when to terminate the fuzzer, the paper uses coverage growth. If its growth is 0 over 1 minute, we terminate it manually. The following automation script intead simply gives fuzzer 7 minute to run.

You can also run multiple fuzzers, of which the coverage information is synchronized through Redis. To do so, you need to start multiple PHP servers with ports starting from 1194 (e.g., 1194, 1195, 1196). Then, start fuzzer for each PHP server by running following Python code asynchroneously:

main.main(1)
main.main(2)
main.main(3)
...
main.main([PORT] - 1194)

An example is shown in start.py, which starts 10 fuzzers that fuzz port 1194-1214. To run it, you have to start 10 PHP runtimes. You can refer to Reproduce Data Synthesis Effectiveness Figures Section for automation.

Project Organization

Reproduce Data Synthesis Effectiveness Figures

If you are not using the Docker container, you have to modify the paths in run.py accordingly.

Setup

service redis-server start
cd /corbfuzz/benchmark/

Crawl Web Apps from GitHub

Create a GitHub access token with full access to repo here: https://github.com/settings/tokens/new, the token should be a string starting with ghp_...

vim main.py # put your GitHub access token to the specified location
python3 main.py # crawl recent PHP related repos
# Inspect repos.txt, if there is no data inside or limited data (file < 800 bytes) inside, you should run previous script at a different time. 
mkdir /repos

# if you have trouble making a valid repos.txt, you can rename repos_test.txt to repos.txt under benchmark directory.
# repos_test.txt contains PHP repos crawled on Aug 23, 2021.
python3 get.py /repos # clone the repos

In case GitHub no longer works / API has changed, you can also replace previous process by requiring the dataset from us and download them directly.

wget [DATASET URL]
unzip application.zip
mkdir /repos
mv repos_ok2/* /repos

The repos folder contains subfolders with name as a UUID. Each subfolder is a GitHub repo.

Start fuzzing

A lot of error may be outputed but it is safe to ignore them.

The script would exit when fuzzing is done. It would take (repo amount) x (7 minutes) time. You can also kill everything at the middle by using CTRL-C then pkill -f python3 command. The unfuzzed repos' benchmarking result would simply be 0.

pwd # => /corbfuzz/benchmark/
python3 run.py /repos

Benchmarking

For following scripts, if the count printed is 0, you can safely ignore them (what we did in the paper) because that indicates the fuzzer could not find PHP code inside.

Get branch coverage count for each app. Each line outputs the (repo id, edge count)

python3 count_edge.py /repos/

Get comparison type violation for each app. Each line outputs the (repo id, type violation count, sample size)

python3 count_violation_comp.py /repos/

Get internal function type violation for each app. Each line outputs the (repo id, type violation count, sample size)

python3 count_violation_internal.py /repos/

We process the data using Google Docs.

CORB Oracle

Will release.