Jun 13
Peach 2.1 - Fuzzing GUI Applications
I’ve had a few emails about fuzzing file formats consumed by GUI applications, that is, applications that display a window such as image viewers, movie players, etc. Peach 2.1 includes good support for fuzzing these types of applications on Windows. People on OS X and Unix are sadly out of luck for now.
The following article will walk you through an example file fuzzer.
Fuzzing a file format passed to an application on the command line has the following flow for each test iteration:
- Create some mutated data
- Write the data to disk
- Launch the application
- Close the application
To detect faults we will use Microsoft’s Application Verifier, which can automatically attach a debugger and enable various memory-debugging options on every process with a specific executable name. This is perfect for us since we will be restarting the application for each test we perform. Peach includes a monitor called “debugger.WindowsAppVerifier” that we will use to control this tool.
Next we need to be able to perform steps 2-4. We will use a publisher called “file.FileWriterLauncherGui”. This publisher acts as both a stream-based and a call-based publisher, allowing us to write out a file and then launch an application. It waits about 5 seconds, then sends a WM_CLOSE message to the application’s window, and finally terminates the process if it does not shut down. If we are lucky, the WM_CLOSE message lets the application shut down normally, exercising its shutdown path and so giving us additional code coverage.
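To make the four-step loop concrete, here is a small stand-alone harness that does the same job as the publisher and a crash check in plain Python. It is an added example written for this article, not Peach code and not the Peach API: the mutators, the exact-title WM_CLOSE lookup (FindWindowW, which unlike Peach’s windowName needs the full title), the notepad path and the “fuzzedfile.txt - Notepad” title are all assumptions. Application Verifier is not involved; the harness only classifies a process that dies by signal or with an NTSTATUS error code (for example 0xC0000005, STATUS_ACCESS_VIOLATION) as a crash and keeps the input that caused it.

```python
"""Minimal file-format fuzz loop for a GUI consumer: mutate, write, launch, close.
Added example for this article; not Peach code. Paths and titles are assumptions."""
import random
import subprocess
import sys

SEED_DATA = b"Hello World!"         # same seed as the FileData model
WM_CLOSE = 0x0010                   # Win32 WM_CLOSE message id
PYTHON = sys.executable             # stand-in target used for self-testing
IS_WINDOWS = sys.platform == "win32"


def mutate(seed: bytes, iteration: int) -> bytes:
    """Deterministic string/blob mutators in the spirit of Peach's defaults.
    The strategy and the RNG are derived from the iteration, so every case
    can be regenerated from its number alone."""
    rng = random.Random(iteration)
    strategy = iteration % 4
    if strategy == 0:                               # length blow-up
        return seed * rng.choice([2, 16, 256, 4096])
    if strategy == 1:                               # flip a few bits
        buf = bytearray(seed)
        for _ in range(1 + rng.randrange(4)):
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        return bytes(buf)
    if strategy == 2:                               # splice in a bad-value token
        bad = rng.choice([b"\x00", b"\xff" * 4, b"%n%n%n%n", b"\x7f\xff\xff\xff"])
        pos = rng.randrange(len(seed) + 1)
        return seed[:pos] + bad + seed[pos:]
    return b""                                      # empty file


def write_case(path: str, data: bytes) -> None:
    """Step 2: write the case and close the file before the consumer opens it."""
    with open(path, "wb") as fh:
        fh.write(data)


def is_crash(returncode: int) -> bool:
    """Killed by a signal (POSIX: negative code) or exited with an NTSTATUS
    error such as 0xC0000005 (Windows: severity bits 31:30 set)."""
    return returncode < 0 or (returncode & 0xC0000000) == 0xC0000000


def _post_wm_close(window_title: str) -> bool:
    """Windows only: ask the top-level window to close politely so the
    application's shutdown code runs. Exact title match (assumption)."""
    import ctypes
    user32 = ctypes.windll.user32
    hwnd = user32.FindWindowW(None, window_title)
    if hwnd:
        user32.PostMessageW(hwnd, WM_CLOSE, 0, 0)
    return bool(hwnd)


def run_case(cmd, path, wait=5.0, window_title=None, grace=2.0):
    """Steps 3-4: launch the consumer on the case file, give it `wait` seconds,
    then close it. Returns (status, returncode) with status 'exited' (quit on
    its own), 'crashed', or 'closed' (we closed or killed it)."""
    proc = subprocess.Popen(list(cmd) + [path],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        rc = proc.wait(timeout=wait)
        return ("crashed" if is_crash(rc) else "exited"), rc
    except subprocess.TimeoutExpired:
        pass
    if IS_WINDOWS and window_title:
        _post_wm_close(window_title)                # polite close first
    else:
        proc.terminate()                            # SIGTERM elsewhere
    try:
        rc = proc.wait(timeout=grace)
    except subprocess.TimeoutExpired:
        proc.kill()                                 # still alive: hard kill
        rc = proc.wait()
    # Our own SIGTERM/SIGKILL shows up as a negative code on POSIX; only an
    # NTSTATUS fault during a Windows shutdown counts as a crash here.
    return ("crashed" if (IS_WINDOWS and is_crash(rc)) else "closed"), rc


def fuzz_loop(cmd, path, iterations, wait=5.0, window_title=None):
    """Run the mutate/write/launch/close cycle; return (iteration, rc, repro)
    for each crashing case, saving the triggering input next to the case file."""
    crashes = []
    for i in range(iterations):
        data = mutate(SEED_DATA, i)
        write_case(path, data)
        status, rc = run_case(cmd, path, wait, window_title)
        if status == "crashed":
            repro = f"{path}.crash{i}"
            write_case(repro, data)
            crashes.append((i, rc, repro))
    return crashes


if __name__ == "__main__":
    # Same target as the article; the window title is an assumption.
    print(fuzz_loop([r"c:\windows\system32\notepad.exe"], "fuzzedfile.txt",
                    iterations=20, window_title="fuzzedfile.txt - Notepad"))
```

Because the strategy and the random state come from the iteration number, a crash report of “iteration 17” is enough to regenerate the exact file later, which is the same property the Peach logger gives you through its iteration count.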
On with the XML!
Data Model
Nothing very interesting here. We have two data models: one holds the file contents, the other holds the filename passed to the program (this will make more sense later). Note that one side effect of requiring the FileName data model is some fuzzing of the filename: a few mutators (the data tree set) do not honor “isStatic” and perform mutations anyway.
<!-- Define our file format DDL -->
<DataModel name="FileData">
  <String value="Hello World!" />
</DataModel>

<!-- A template to hold the filename -->
<DataModel name="FileName">
  <String isStatic="true" value="fuzzedfile.txt" />
</DataModel>
State Model
Now things get more interesting. This is where we define steps 2-4. There are three actions in the following state model. The first two create the file, write the FileData data model out to it, and close it. The third action launches our application, passing the FileName data model (fuzzedfile.txt) as its parameter.
<StateModel name="State" initialState="Initial">
  <State name="Initial">
    <!-- Write out contents of file -->
    <Action name="WriteFile" type="output">
      <DataModel ref="FileData" />
    </Action>

    <!-- Close file -->
    <Action type="close" />

    <!-- Launch the file consumer -->
    <Action type="call" method="c:\windows\system32\notepad.exe">
      <Param type="in" name="filename">
        <DataModel ref="FileName"/>
      </Param>
    </Action>
  </State>
</StateModel>
Agent Configuration
Next we need to configure our agent and monitor to use the debugger.WindowsAppVerifier monitor. Notice that the parameter to the monitor specifies just the executable name, not the full path.
<!-- Setup a local agent that will monitor for faults -->
<Agent name="LocalAgent" location="http://127.0.0.1:9000">
  <!-- For file fuzzing where the application will be launched and closed
       a number of times we will use Microsoft's Application Verifier to
       monitor the process for faults. -->
  <Monitor class="debugger.WindowsAppVerifier">
    <Param name="Application" value="notepad.exe" />
  </Monitor>
</Agent>
Test and Run Configuration
Almost done now. This is the final section, where we configure the test and run. These two sections tie everything together and associate our publisher. The two publisher parameters are the ones to get right: fileName must match the value in our FileName data model or things will not work right, and windowName should be a unique (but partial) application window title.
<Test name="TheTest">
  <Agent ref="LocalAgent" />
  <StateModel ref="State"/>

  <!-- Configure our publisher with correct filename to write to -->
  <Publisher class="file.FileWriterLauncherGui">
    <Param name="fileName" value="fuzzedfile.txt" />
    <Param name="windowName" value="Notepad" />
  </Publisher>
</Test>

<Run name="DefaultRun">
  <Test ref="TheTest" />
  <Logger class="logger.Filesystem">
    <Param name="path" value="c:\peach\logtest" />
  </Logger>
</Run>
Running the Fuzzer
Okay, to run this bad boy we will need to launch two command windows. In one, kick off a Peach Agent by running “peach.py -a”. In the second window, run the fuzzer with “peach.py FileFuzzerGui.xml”. If all works well you will see notepad pop up with “Hello World!” for a few seconds, then go away, only to be replaced with another notepad window. If you keep watching you will see “Hello World!” start to get mutated.
The Complete File Listing
Here is the complete file listing for this fuzzer example. I hope it made sense!
<?xml version="1.0" encoding="utf-8"?>
<Peach xmlns="http://phed.org/2008/Peach" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://phed.org/2008/Peach ../peach.xsd"
       version="1.0" author="Michael Eddington">

  <!-- Import defaults for Peach instance -->
  <Include ns="default" src="file:defaults.xml" />
  <Include ns="pt" src="file:PeachTypes.xml" />

  <!-- Define our file format DDL -->
  <DataModel name="FileData">
    <String value="Hello World!" />
  </DataModel>

  <!-- A template to hold the filename -->
  <DataModel name="FileName">
    <String isStatic="true" value="fuzzedfile.txt" />
  </DataModel>

  <!-- Define a simple state machine that will write the file and then
       launch a program using the FileWriterLauncher publisher -->
  <StateModel name="State" initialState="Initial">
    <State name="Initial">
      <!-- Write out contents of file -->
      <Action name="WriteFile" type="output">
        <DataModel ref="FileData" />
      </Action>

      <!-- Close file -->
      <Action type="close" />

      <!-- Launch the file consumer -->
      <Action type="call" method="c:\windows\system32\notepad.exe">
        <Param type="in" name="filename">
          <DataModel ref="FileName"/>
        </Param>
      </Action>
    </State>
  </StateModel>

  <!-- Setup a local agent that will monitor for faults -->
  <Agent name="LocalAgent" location="http://127.0.0.1:9000">
    <!-- For file fuzzing where the application will be launched and closed
         a number of times we will use Microsoft's Application Verifier to
         monitor the process for faults. -->
    <Monitor class="debugger.WindowsAppVerifier">
      <Param name="Application" value="notepad.exe" />
    </Monitor>
  </Agent>

  <Test name="TheTest">
    <Agent ref="LocalAgent" />
    <StateModel ref="State"/>

    <!-- Configure our publisher with correct filename to write to -->
    <Publisher class="file.FileWriterLauncherGui">
      <Param name="fileName" value="fuzzedfile.txt" />
      <Param name="windowName" value="Notepad" />
    </Publisher>
  </Test>

  <Run name="DefaultRun">
    <Test ref="TheTest" />
    <Logger class="logger.Filesystem">
      <Param name="path" value="c:\peach\logtest" />
    </Logger>
  </Run>
</Peach>
<!-- end -->