checksum question


Robert Smigielski

Mar 8, 2021, 2:36:15 PM3/8/21
to boofuzz

I am enjoying the past week of getting boofuzz to fuzz test a custom protocol of my embedded Linux based device. I have the basics of two protocols operational, including finding a fault in code my co-worker produced, so YES! Fuzzing provides value!
I have a custom checksum function. I have not hooked that function into boofuzz.Checksum() yet because I do not know how to use this method in my custom protocol.

The protocol I am working with sends out 14 lines of data, and one line is the result of a custom CRC16 checksum of 11 of the 14 lines. I have custom code that works properly by doing a checksum of each String object's "default_value".
My question is how do I get my custom checksum function to calculate on the fuzzed data, not on the "default_value"? I can tell that my checksum value is always the same number, which means the CRC is calculating only against the "default_value" field. Thanks for your time.

Robert Smigielski

Mar 8, 2021, 2:44:44 PM3/8/21
to boofuzz
Here is a sample of how I am building the Block using primitives. I cleaned up the code to remove non-public data.
The function getCrc16Ccitt() is the customized CRC16 function my coworker provided so I must use that function so the embedded target board accepts the message. I want to checksum the fuzzed data and not the default values only.

from boofuzz import Block, Request, Static, String

# getCrc16Ccitt() is the co-worker's customized CRC16 routine (not shown here);
# it takes bytes and returns a number.

def define_dl_whitelist_block(session):
    dl_line_1 = String(name="ab", default_value="[FILE_CONFIG_HEADER]", fuzzable=False)
    dl_line_2 = String(name="cd", default_value="DL_URL=http://myurl")
    dl_line_3 = String(name="ef", default_value="UUID=deadbeef")
    dl_line_4 = String(name="gh", default_value="PRODUCT_TYPE=0x0A")
    dl_line_5 = String(name="ij", default_value="DATA_ID=MyTherapy123")
    dl_line_6 = String(name="kl", default_value="CREATION_TIME=123456789")
    dl_line_7 = String(name="mn", default_value="VERSION_MAJOR=1")
    dl_line_8 = String(name="op", default_value="VERSION_MINOR=0")
    dl_line_9 = String(name="qr", default_value="VERSION_PATCH=0")
    dl_line_10 = String(name="st", default_value="[WHITELIST_ID]", fuzzable=False)
    dl_line_11 = String(name="uv", default_value="C0-C0-C0-C0-C0-C0;123456789;PUMP")
    dl_line_12 = String(name="CRC_header", default_value="[CRC_CHECKSUM]", fuzzable=False)
    # dl_line_13 calculated below
    dl_line_14 = Static(name="CRLF", default_value="\r\n")

    # Calculate crc without referencing header items 1,10,12.
    # This reads each primitive's _default_value, so the CRC is computed once,
    # over the default strings, and never sees the mutated (fuzzed) values.
    crcdata = (dl_line_2._default_value
               + dl_line_3._default_value
               + dl_line_4._default_value
               + dl_line_5._default_value
               + dl_line_6._default_value
               + dl_line_7._default_value
               + dl_line_8._default_value
               + dl_line_9._default_value
               + dl_line_11._default_value)
    calculatedcrc = getCrc16Ccitt(crcdata.encode("UTF-8"))
    dl_line_13 = String(name="crc_value", default_value=str(calculatedcrc))

    reqW = Request("white_list")
    block = Block(request=reqW)
    reqW.push(block)
    block.push(dl_line_1)
    block.push(dl_line_2)
    block.push(dl_line_3)
    block.push(dl_line_4)
    block.push(dl_line_5)
    block.push(dl_line_6)
    block.push(dl_line_7)
    block.push(dl_line_8)
    block.push(dl_line_9)
    block.push(dl_line_10)
    block.push(dl_line_11)
    block.push(dl_line_12)
    block.push(dl_line_13)
    block.push(dl_line_14)
    reqW.pop()

    session.connect(reqW)

Robert Smigielski

Mar 10, 2021, 2:08:25 PM3/10/21
to boofuzz
I now realize that the code is consistently using the attribute ".default_value" which is not at all what I intended. I need the String() attribute of the "fuzzed data".
so something like "dl_line_2.the_fuzzed_data".

Robert Smigielski

Mar 10, 2021, 2:21:05 PM3/10/21
to boofuzz
I used pycharm to help me dig into the content of the boofuzz.String class. I'm going to experiment using the _fuzz_values field 

Robert Smigielski


joshua.t...@gmail.com

Mar 10, 2021, 4:05:55 PM3/10/21
to boofuzz
Hi Robert. Great to hear about the fuzzing win! Check out the `Checksum` constructor's `algorithm` parameter. You should be able to set it to a function. That function should take and return bytes. If you set it up this way, your algorithm will be called while test cases are being generated. See https://boofuzz.readthedocs.io/en/latest/user/protocol-definition.html#boofuzz.Checksum

Taking a look at your sample code, this would go in the place of "dl_line_13". Let us know if this approach works out!
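What the `algorithm` parameter approach looks like end to end, as an added example that is not part of the thread and not boofuzz's or the poster's code. It assumes a plain CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF) as a stand-in for the co-worker's customized getCrc16Ccitt(), that lines are CRLF-terminated on the wire, and that the CRC travels as a decimal ASCII string. Because boofuzz's Checksum hashes exactly one named element, the nine covered lines and the interleaved "[WHITELIST_ID]" header are grouped into one block named "crc_scope" and the constant header is dropped inside the algorithm function; the element names and `length=5` are likewise assumptions. The boofuzz import is kept inside the builder so the CRC helpers can be exercised without boofuzz installed.

```python
"""Hooking a custom CRC into boofuzz's Checksum primitive (added example)."""

LINE_TERMINATOR = b"\r\n"
# Constant header lines the protocol leaves out of its CRC (assumed layout).
CRC_EXCLUDED_LINES = {b"[WHITELIST_ID]"}

# Constructed sample of what boofuzz would hand the algorithm: the rendered
# bytes of the "crc_scope" block, with the header sitting between covered lines.
SAMPLE_SCOPE = (b"DL_URL=http://myurl\r\nUUID=deadbeef\r\n"
                b"[WHITELIST_ID]\r\nC0-C0-C0-C0-C0-C0;123456789;PUMP\r\n")


def crc16_ccitt(data: bytes, init: int = 0xFFFF, poly: int = 0x1021) -> int:
    """CRC-16/CCITT-FALSE, MSB-first, no reflection, no final XOR.

    Stand-in for the co-worker's customized getCrc16Ccitt(); swap the real
    routine in here, nothing else in the example depends on the polynomial.
    """
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def crc16_ccitt_ascii(data: bytes) -> bytes:
    """bytes -> bytes wrapper, the shape Checksum(algorithm=...) expects.

    The wire format carries the CRC as decimal digits, so the integer is
    rendered as ASCII text rather than packed into two bytes.
    """
    return str(crc16_ccitt(data)).encode("ascii")


def whitelist_crc(rendered_scope: bytes) -> bytes:
    """Checksum algorithm for the whitelist message.

    boofuzz calls this at render time with the mutated bytes of the named
    block, so the CRC tracks the fuzzed values. The constant header that had
    to be carried inside the block is stripped, and the remaining lines are
    joined without separators, matching the original concatenation.
    """
    lines = rendered_scope.split(LINE_TERMINATOR)
    covered = b"".join(line for line in lines if line not in CRC_EXCLUDED_LINES)
    return crc16_ccitt_ascii(covered)


def build_whitelist_request():
    """Assemble the request with a Checksum primitive in place of dl_line_13."""
    from boofuzz import Block, Checksum, Request, Static, String

    req = Request("white_list")

    def push_line(name, value, fuzzable=True):
        # Pushing through the Request registers names and routes items into
        # whichever block is currently open.
        req.push(String(name=name, default_value=value, fuzzable=fuzzable))
        req.push(Static(name=name + "_eol", default_value="\r\n"))

    push_line("file_header", "[FILE_CONFIG_HEADER]", fuzzable=False)

    req.push(Block(name="crc_scope"))  # opens the block
    push_line("dl_url", "DL_URL=http://myurl")
    push_line("uuid", "UUID=deadbeef")
    push_line("product_type", "PRODUCT_TYPE=0x0A")
    push_line("data_id", "DATA_ID=MyTherapy123")
    push_line("creation_time", "CREATION_TIME=123456789")
    push_line("version_major", "VERSION_MAJOR=1")
    push_line("version_minor", "VERSION_MINOR=0")
    push_line("version_patch", "VERSION_PATCH=0")
    push_line("whitelist_header", "[WHITELIST_ID]", fuzzable=False)
    push_line("whitelist_entry", "C0-C0-C0-C0-C0-C0;123456789;PUMP")
    req.pop()  # closes crc_scope

    push_line("crc_header", "[CRC_CHECKSUM]", fuzzable=False)
    # length=5: widest decimal a 16-bit CRC can take; used for placeholder and
    # mutated checksum values, not for the computed one (assumption).
    req.push(Checksum(name="crc_value", block_name="crc_scope",
                      algorithm=whitelist_crc, length=5))
    req.push(Static(name="trailer", default_value="\r\n"))
    return req


if __name__ == "__main__":
    print(whitelist_crc(SAMPLE_SCOPE))
```

Because `algorithm` is invoked when each test case is rendered, the checksum follows whatever mutation boofuzz applied to the covered lines; the Checksum primitive still emits its own corrupted checksum values in some cases, which is deliberate and exercises the target's CRC rejection path.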


Robert Smigielski

Mar 11, 2021, 11:30:19 AM3/11/21
to boofuzz
Thanks for the hint. I have hooked in my custom crc function which was designed to return a number. That did not work as expected because the boofuzz.Checksum() class is not at all clear on expectations of a custom crc. After examining the code in checksum.py and looking at the unit_test directory I have it working.
I would be happy to enhance the comments in the class to better describe this and I can even provide an example. Let me know how to get started. I would assume 1. clone the project 2. create an issue 3. update some source 4. issue a pull request.

joshua.t...@gmail.com

Mar 11, 2021, 1:22:20 PM3/11/21
to boofuzz
Yep that's about right. See https://github.com/jtpereyda/boofuzz/blob/master/CONTRIBUTING.rst for the "Pull Request Checklist"-- although, you can skip some of the testing as the PR will automatically test multiple versions, formatting, etc.

Robert Smigielski

Apr 1, 2021, 5:25:06 PM4/1/21
to boofuzz
Hi everyone, I submitted pull request #501. I see a conflict on the CHANGELOG.rst file which seems to be a file I probably should not have changed. Let me know if I should submit a commit of the file with my changes. I suspect the team will take care of this file when necessary.
Let me know what you think.
Robert Smigielski

Robert Smigielski

Apr 29, 2021, 10:27:32 AM4/29/21
to boofuzz
I apologize for the long delay, work keeps me busy. I have made updates to the pull request based on the comments. I pushed the modifications to this pull request. It is ready for review.

Robert Smigielski

Apr 29, 2021, 2:41:19 PM4/29/21
to boofuzz
Edited the CHANGELOG.rst file due to a white space issue. Latest "tox" build has an issue with a URL in an unrelated file. When I run the make command in the documentation directory I see no issues.