Fuzzing JSMN, a JSON parser library written in C


Luca Canuzzi

Feb 7, 2018, 11:35:53 AM
to afl-users
I'm a new user of afl from Italy.
Sorry for my English.

For my bachelor thesis I have to fuzz JSMN https://github.com/zserge/jsmn with afl-fuzz.

I chose as harness the jsondump.c example file https://github.com/zserge/jsmn/blob/master/example/jsondump.c.

Then I chose as input file a simple JSON file containing a string like {"a":"b"}.

I have compiled the library and source code with afl-gcc.

I'm not sure I've done the right steps, I hope you can help me.

☣Adam

Feb 7, 2018, 11:45:21 AM
to afl-...@googlegroups.com
It sounds like you are doing well so far. If you are not familiar with http://seriot.ch/parsing_json.php already, you will want to give that a read. It also contains some good seed values.

The other thing to read about is custom dictionaries. You can read more about them in dictionaries/README.dictionaries in your AFL directory. The docs/ folder also has outstanding information which will likely help you.

Good luck.


Luca Canuzzi

Feb 8, 2018, 5:07:45 AM
to afl-users
I launched another instance of afl with the -x option pointing at the JSON dictionary and the same input dir. Is this right?

Is the fuzzing procedure I followed the right one?

Thanks for the reply, Adam.

Luca Canuzzi

Feb 8, 2018, 5:16:49 AM
to afl-users

I downloaded the folder with the tests contained in https://github.com/nst/JSONTestSuite/tree/master/test_parsing, then I used afl-cmin to minimize the corpus, but afl told me that some files are too big.

Luca Canuzzi

Feb 8, 2018, 5:51:52 AM
to afl-users
My doubt is also about the harness: is it the right one?

Vegard Nossum

Feb 8, 2018, 7:17:36 AM
to afl-...@googlegroups.com
On 7 February 2018 at 17:35, Luca Canuzzi <luca.c...@gmail.com> wrote:
> For my bachelor thesis I have to fuzz JSMN https://github.com/zserge/jsmn
> with afl-fuzz.
>
> I chose as harness the jsondump.c example file
> https://github.com/zserge/jsmn/blob/master/example/jsondump.c.
>
> Then I chose as input file a simple JSON file containing a string like {"a":"b"}.

I would suggest also adding a slightly more complicated (but still
short) file, maybe add the library.json file that is part of jsmn to
your input directory.

> I have compiled the library and source code with afl-gcc.

My tip for JSMN is to use ASAN as well. It will find some bugs that
don't crash the program outright. For example:

echo '{[]}' | ./jsondump # doesn't give any errors, but
echo '{[]}' | valgrind ./jsondump # gives "Invalid read" error

and

echo '{{x"},:0,0}' | ./jsondump # doesn't give any errors, but
echo '{{x"},:0,0}' | valgrind ./jsondump # gives two "Conditional jump or move" errors


Vegard
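As an added example (not from this thread or from the jsmn project), here is a bounds-checked token walk that a harness could use in place of jsondump.c's recursive dump(), so that inputs such as {[]} are reported as a malformed tree instead of being read past the end of the token array. The jsmntok_t mirror and the token arrays below are constructed for the example and assume jsmn's public layout (type, start, end, size).

```c
#include <stdio.h>
#include <stddef.h>

/* Mirror of jsmn's public token layout, assumed here so the example builds
 * without jsmn.h (this is not the library's code; the real enum values and
 * the optional parent field do not matter for the walk). In jsmn a token's
 * size is its number of direct children, which follow it consecutively. */
typedef enum { JSMN_UNDEFINED, JSMN_OBJECT, JSMN_ARRAY,
               JSMN_STRING, JSMN_PRIMITIVE } jsmntype_t;
typedef struct { jsmntype_t type; int start; int end; int size; } jsmntok_t;

/* Recursive walk in the style of jsondump.c's dump(), except that every
 * child index j is checked against count before t[j] is read. Returns the
 * number of tokens consumed, or -1 when the tree promises a child that is
 * not inside the array (what valgrind/ASAN otherwise report as an invalid read). */
static int walk_checked(const jsmntok_t *t, size_t count)
{
    if (count == 0) return -1;
    size_t j = 1;                  /* first child sits right after t[0] */
    for (int i = 0; i < t->size; i++) {
        if (j >= count) return -1; /* child missing: refuse, don't read past the end */
        int r = walk_checked(t + j, count - j);
        if (r < 0) return -1;
        j += (size_t)r;
    }
    return (int)j;
}

/* How a harness should treat jsmn_parse()'s result: a negative value is an
 * error code (JSMN_ERROR_NOMEM/INVAL/PART), so the tokens are not walked at
 * all; otherwise only the number of tokens the parser reports is visited. */
static int harness_check(const jsmntok_t *t, int parsed)
{
    if (parsed < 0) return -1;
    return walk_checked(t, (size_t)parsed);
}

/* Constructed token arrays (start/end are offsets into the input text). */
static const jsmntok_t tok_seed[] = {     /* {"a":"b"}, the thread's seed input */
    { JSMN_OBJECT, 0, 9, 1 }, { JSMN_STRING, 2, 3, 1 }, { JSMN_STRING, 6, 7, 0 } };
static const jsmntok_t tok_keyonly[] = {  /* {[]}: a key token with no value token */
    { JSMN_OBJECT, 0, 4, 1 }, { JSMN_ARRAY, 1, 3, 0 } };

int main(void)
{
    printf("{\"a\":\"b\"} -> %d tokens\n", harness_check(tok_seed, 3));
    printf("{[]}       -> %d tokens\n", harness_check(tok_keyonly, 2));
    printf("truncated  -> %d (error, not an out-of-bounds read)\n", harness_check(tok_seed, 2));
    return 0;
}
```

The truncated case models a harness that sizes the token array itself and keeps walking after jsmn ran out of tokens; the checked walk returns -1 where an unchecked dump would read beyond the array.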

Luca Canuzzi

Feb 16, 2018, 4:12:03 AM
to afl-users
Would you recommend that I try a new harness?
Could you recommend one?

Vegard Nossum

Feb 16, 2018, 4:23:19 AM
to afl-...@googlegroups.com
On 16 February 2018 at 10:12, Luca Canuzzi <luca.c...@gmail.com> wrote:
> Would you recommend that I try a new harness?
> Could you recommend one?

I would recommend that you read the code and try to understand whether
the bug is in the harness or the library.

You can also try to fix the bug and submit a patch for it :-) Good luck.


Vegard

Luca Canuzzi

Feb 16, 2018, 6:30:49 AM
to afl-users
I understood that the bug is in the dump function, but my goal is to find bugs in the library, if there are any.

I'm writing my bachelor thesis on fuzzing techniques and I wanted to bring some interesting results; finding bugs in a library that could potentially be used in multiple projects would be the best. :)

Thanks