Using Code Coverage to Select Fuzzing Sample Files
Note: This article covers features in Peach 2.3.7 which is currently in SVN.
Selecting good sample files to use when performing file fuzzing can make all the difference. However, simply tossing several thousand files into a folder and calling it a day doesn’t make a lot of sense. Instead, we can use code coverage to select the minimum number of files that gives the most coverage of our target. Peach includes a tool called “minset” to perform this task for us.
The minset tool is located in “c:\peach\tools\minset” and contains a test setup that can be run with “test.bat”.
Minset has several modes of operation, from simple to more complex. We will first cover the simplest usage.
Simple Usage Example
Syntax:
minset [-k] -s samples -m minset command.exe %s
- -k Optional argument when using graphical programs that do not automatically close
- -s samples This is the folder containing sample files to get coverage of
- -m minset This is the folder to place the minimum set of files into
- command.exe The target executable to run
- %s Any arguments and also a placeholder for the filename (%s)
This usage will try all files specified by “samples” and place the minimum set of them into the folder “minset”. The target command will get run as “command.exe filename”.
Example Usage – Command Line Target:
minset -s samples\*.png -m minset bin\pngcheck.exe %s
Example Usage – Graphical Target:
minset -k -s docs\*.doc -m minset "C:\Program Files (x86)\Microsoft Office\Office14\winword.exe" %s
Depending on the complexity of the target program, this type of code coverage can take a while.
Separated Tracing and Coverage Analysis
For complex programs, or when performing coverage on a large set of files, you may want to distribute the task across several machines. To support this, minset can run just the coverage trace separately from the analysis portion. This allows running coverage traces on multiple machines and then running the analysis on the results.
Running Minset in Coverage Trace Mode
minset [-k] -s samples -t traces command.exe args %s
This command line will perform coverage traces using the sample files in “samples” and place the resulting traces into the folder “traces”. This is the part you will want to distribute.
Running Minset in Analysis Mode
minset -s samples -t traces -m minset
All of your generated traces must be in “traces” and all of the sample files in “samples”. Minset will perform the coverage analysis and place the minimum set of files into “minset”.
Normally the analysis process is not distributed. However, for especially large sets of sample files you may want to run the analysis on every node after collecting traces, then combine the resulting minsets for a final pass.
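The selection performed by the analysis step, and the per-node analysis followed by a final pass described above, sketched as an added example (not Peach's own code). It assumes a greedy set-cover approximation and models each trace as a set of basic-block addresses; the function names and sample traces are constructed for illustration.

```python
# Added example: coverage-based sample minimization.
# Assumption: greedy set cover; this is not taken from Peach's minset source.
# Each trace is modelled as the set of basic-block addresses a sample reached.

def minimize(traces):
    """Return sample names whose traces together cover every block
    that the full set of traces covers."""
    remaining = set().union(*traces.values())
    chosen = []
    while remaining:
        # Take the sample that adds the most uncovered blocks (ties: by name).
        best = max(sorted(traces), key=lambda name: len(traces[name] & remaining))
        chosen.append(best)
        remaining -= traces[best]
    return chosen

def coverage(traces, names):
    """Union of the blocks reached by the named samples."""
    return set().union(*(traces[n] for n in names))

def distributed_minimize(node_traces):
    """Analyze each node's traces on their own, then run a final pass
    over the samples that survived on any node."""
    survivors = {}
    for traces in node_traces:
        for name in minimize(traces):
            survivors[name] = traces[name]
    return minimize(survivors)

# Constructed sample traces; block addresses are made up for illustration.
NODE_A = {
    "a1.png": {0x1000, 0x1010, 0x1020},
    "a2.png": {0x1000, 0x1010},                   # subset of a1.png
    "a3.png": {0x1020, 0x2000},
}
NODE_B = {
    "b1.png": {0x1000, 0x1010, 0x1020, 0x2000},   # covers all of node A
    "b2.png": {0x3000},
    "b3.png": {0x1000, 0x3000},
}

if __name__ == "__main__":
    print("node A minset:", minimize(NODE_A))
    print("node B minset:", minimize(NODE_B))
    print("final minset: ", distributed_minimize([NODE_A, NODE_B]))
```

The final pass drops both of node A's survivors because a single file from node B already covers their blocks, which is why the combined minsets are worth re-analyzing.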

I received an error “No such file or directory: ‘bblocks.txt”
What is the parameter required for bb.bat to create bblocks.txt?
Make sure you’re using the SVN version of Peach until 2.3.7 hits the download page.
The -k option does not seem to work for me, I get the error:
getProcessCpuTimeWindows threw exception!
(, error(-2147481643, ‘CollectQueryData’, ‘No data to
return.’), )
CPU IS None!
(I’m running inside a VM if it makes any difference).
Thanks
John
Thanks for the feedback, but please post any questions/problems on the Peach list (http://groups.google.com/group/peachfuzz).
@John Cobb, I have the same issue and I’ve opened a case on Google Groups. I hope that I can get a solution.
I am not running on a VM…
I have a fix that just passed my own testing. Will be checked in tonight.
Michael, did you add your changes to the SVN?
I’m still getting the same problem?
(If it makes any difference I’m running inside VMWare)
John – Please use the Peach list (http://groups.google.com/group/peachfuzz), blog comments are not really the best place for support questions.