Test Cases for AFL.


San

Jun 27, 2016, 6:04:46 PM
to afl-users
Hi all,

I am a beginner with the AFL tool. I know the basics of how AFL works, but I am still a bit confused about the input to the fuzzer.

What exactly do you mean by a test case? What I mean is: what should be the contents of the folder specified with the "-i" option? What if the tool accepts some external inputs (for example, a tool which interacts with the user, taking in multiple inputs)?

It would be great to have an example, like "how to fuzz the grep utility in Linux".

Thanks in advance.

Michal Zalewski

Jun 27, 2016, 6:08:11 PM
to afl-users
> What exactly do you mean by the test case. What I mean is "What should be
> the contents inside the folder specified with "-i" option.

To quote section 5 of the README:

"To operate correctly, the fuzzer requires one or more starting file that
contains a good example of the input data normally expected by the targeted
application. There are two basic rules:

- Keep the files small. Under 1 kB is ideal, although not strictly necessary.
For a discussion of why size matters, see perf_tips.txt.

- Use multiple test cases only if they are functionally different from
each other. There is no point in using fifty different vacation photos
to fuzz an image library.

You can find many good examples of starting files in the testcases/ subdirectory
that comes with this tool."

> What if the tool accepts some external inputs (for example a tool which can interact with the user taking in multiple inputs)

You need to select the input you want to test, or - for more advanced
users - some way to intelligently split one input into several data
streams.

> It would be great with an example like "how to fuzz the "grep" utility in
> Linux".

For something like grep, assuming you're interested in its ability to
cope with malformed files, you can just use -i testcases/others/text/

It probably won't find anything interesting, though.

Cheers,
/mz
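As an added example (not from the thread or from the AFL project itself), the following POSIX shell function checks a seed directory against the two README rules quoted above, and the comment at the end shows what the grep invocation Michal describes looks like. It assumes `cksum` is available and that grep has been compiled with AFL's compiler wrapper.

```shell
#!/bin/sh
# Return 0 if every file in the seed directory $1 is under 1 kB and no two
# seeds are byte-identical; otherwise report each violation and return 1.
check_seeds() {
    dir="$1"
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        # Rule 1: keep the files small (the README suggests under 1 kB).
        if [ "$size" -ge 1024 ]; then
            echo "too large (${size} bytes): $f" >&2
            status=1
        fi
    done
    # Rule 2: seeds must be functionally different. Byte-identical files are
    # the most obvious violation; cksum prints "crc size name", so pairing
    # crc and size identifies duplicates without hashing tools beyond POSIX.
    dups=$(cksum "$dir"/* 2>/dev/null | awk '{print $1 "-" $2}' | sort | uniq -d | wc -l | tr -d ' ')
    if [ "$dups" -gt 0 ]; then
        echo "$dups duplicated seed content(s) in $dir" >&2
        status=1
    fi
    return "$status"
}

# Usage (assumed layout, run from the AFL source tree after building grep
# with afl-gcc): @@ is replaced by the path of the current mutated test case,
# so it is the seed file content that gets fuzzed, not the command line.
#   check_seeds testcases/others/text/ && \
#       afl-fuzz -i testcases/others/text/ -o findings -- ./grep -E 'foo' @@
```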

sann...@gmail.com

Jun 27, 2016, 7:27:41 PM
to afl-users
Thank you for your quick reply. I had seen the folder you specified, but my actual question was different. Grep was just an example. Sorry for not being clear.

For example, consider the afl-fuzz binary. It won't work until we give the -i and -o options with the respective folder names. I have a simple sample tool like that. If those options are not given, there is no point in fuzzing at all. So my question was how I would specify such constraints in the test cases. A sample test case for testing my binary may look like "-i <input_folder> -o <output_folder>". Will the tool automatically detect such constraints, or do we have to provide something?

Another similar scenario is if the app is supposed to take in inputs like a username and password before the actual functionality is tested. In that case, can we specify that it should use these inputs first and only then start fuzzing?

Michal Zalewski

Jun 27, 2016, 7:32:22 PM
to afl-users
> For eg consider the afl-fuzz binary. It wont work until, we give the -i and
> -o options tagged with respective folder names. I have a simple sample tool
> like that. If those options are not given, there is no point in fuzzing at
> all. So my question was how would I specify such constraints into the test
> cases. A sample test case for testing my binary may look like "-i
> <input_folder> -o <output_folder>" Will the tool automatically detect such
> constraints or we are to provide somethings.

What do you actually want to fuzz in this scenario? You can structure
the command line to the target program any way you please, but the
command line is not a test case, right? (Unless you want to fuzz
command line parsing, but that's probably not very interesting, except
for setuid programs).

> Another similar scenario is if the app is supposed to take in inputs like
> username and password before the actual functionality is being tested. In
> that case can we specify that use these inputs first and only then start
> fuzzing.

What specific example do you have in mind here? What would it do after
getting the user name and password?

It really depends on the target, but if you're asking if AFL allows
you to provide a specification for the output format (akin to Peach or
so), then the short answer is "no". If you have a real-world example
where this is an issue, we can probably help you with alternative
solutions, but it's hard to speak in hypotheticals :-)

/mz

haniz...@gmail.com

Jan 9, 2018, 4:48:36 PM
to afl-users
Thanks for your reply. I also have a question: how does afl-fuzz use the test cases to fuzz? And may I create my own test cases? I have seen some test case samples; they have nothing special, just normal characters with minimal size.
