diff --git a/fuzzer/Fuzzer.java b/fuzzer/Fuzzer.java index 1fc8dbebd1207a7fd030df1f221da6bc3a59eb5d..9ae09334c63f1fe2deecc2e5dd0463e730ca375b 100644 --- a/fuzzer/Fuzzer.java +++ b/fuzzer/Fuzzer.java @@ -1,25 +1,31 @@ import java.io.IOException; import java.io.FileOutputStream; import java.io.PrintWriter; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; +import java.util.Random; /* a stub for your team's fuzzer */ public class Fuzzer { private static final String OUTPUT_FILE = "fuzz.s"; - + private static final List<String> validOpcodes = new ArrayList<String>(Arrays.asList("ADD","SUB","MUL","DIV","RET","LDR","STR","MOV","JMP","JZ")); + private static final int maxRegistry = 32; + private static final int maxMemory = 65536; public static void main(String[] args) throws IOException { FileOutputStream out = null; PrintWriter pw = null; try { out = new FileOutputStream(OUTPUT_FILE); pw = new PrintWriter(out); - - pw.println("RET R0"); - - }catch (Exception e){ + Random rg = new Random(); + + + }catch (Exception e){s e.printStackTrace(System.err); - System.exit(1); + System.exit(1); }finally{ if (pw != null){ pw.flush(); 
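Review bot: `Random rg = new Random();` is added inside the try block but never used, and with `pw.println("RET R0")` removed nothing is written to `fuzz.s` any more, so the stub now produces an empty program. The text `}catch (Exception e){s` also appears to carry a stray `s` after the brace; if that is in the file rather than an artifact of this rendering it will not compile. Since the generator methods added in the next hunk are instance methods, main will also need an instance to call them, e.g. `Fuzzer f = new Fuzzer();` before whatever loop emits the lines. The finally block of main continues past the end of the hunk.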
@@ -30,5 +36,135 @@ public class Fuzzer {
 }
 }
+ public String generateMemoryOverflow() {
+ return null;
+ }
+ public String generateMemoryUnderflow() {
+ return null;
+ }
+ public String generateRegOverflow() {
+ return null;
+ }
+ public String generateRegUnderflow() {
+ return null;
+ }
+ public String generateLineOverFlow() {
+ return null;
+ }
+ public String generateInstructionOverflow() {
+ return null;
+ }
+ public String generateDivideByZero(){
+ return null;
+ }
+ public String generateDirtyRegistyRead() {
+ return null;
+ }
+ public String generateDirtyMemoryRead() {
+ return null;
+ }
+
+ public String jmpOverflow() {
+ return null;
+ }
+ public String jmpUnderflow() {
+ return null;
+ }
+ public String jzOverflow() {
+ return null;
+ }
+ public String jzUnderflow() {
+ return null;
+ }
+ public String intOverflow() {
+ return null;
+ }
+ public String intUnderflow() {
+ return null;
+ }
+ public String generateInvalidString() {
+ return null;
+ }
+ public String generateInstructionComment() {
+ return null;
+ }
+ public String generateValidString(Random rg,int programLength,int lineNumber){
+ int index = rg.nextInt(validOpcodes.size());
+ String opcode = validOpcodes.get(index);
+ int numregs = 0;
+ Integer offset = null;
+ String line = new String();
+ switch(opcode){
+ case("ADD"):
+ numregs = 3;
+ break;
+ case("SUB"):
+ numregs = 3;
+ break;
+ case("MUL"):
+ numregs = 3;
+ break;
+ case("DIV"):
+ numregs = 3;
+ break;
+ case("RET"):
+ numregs = 1;
+ break;
+ case("LDR"):
+ numregs = 2;
+ offset = (rg.nextInt(2*maxMemory))-maxMemory;
+ break;
+ case("STR"):
+ //special case - form <REGISTER VALUE REGISTER>
+ offset = (rg.nextInt(2*maxMemory))-maxMemory;
+ line.concat(opcode);
+ line.concat(" R"+rg.nextInt(maxRegistry));
+ line.concat(" "+offset);
+ line.concat(" R"+rg.nextInt(maxRegistry));
+ return line;
+ case("MOV"):
+ numregs = 1;
+ offset = rg.nextInt();
+ Boolean positive = rg.nextBoolean();
+ if(!positive) {
+ offset = -offset;
+ }
+ break;
+ case("JMP"):
+ //special case - avoid looping infinitly
+ numregs = 0;
+ offset = (rg.nextInt(programLength));
+ offset = offset - lineNumber;
+ if(offset<0) {
+ offset = offset-1;
+ line.concat("JMP 2%n");
+ } else if(offset == 0) {
+ offset = offset+1;
+ }
+
+ break;
+ case("JZ"):
+ //special case - avoid looping infinitly
+ numregs = 1;
+ offset = (rg.nextInt(programLength));
+ offset = offset - lineNumber;
+ if(offset<0) {
+ offset = offset-1;
+ line.concat("JMP 2%n");
+ } else if(offset == 0) {
+ offset = offset+1;
+ }
+ break;
+ }
+ line.concat(opcode);
+ int x;
+ for(x=0;x<numregs;x++){
+ line.concat(" R"+rg.nextInt(maxRegistry));
+ }
+ if(offset!=null){
+ line.concat(" "+offset);
+ }
+ return line;
+ }
 }
diff --git a/src/machine-vuln1.c b/src/machine-vuln1.c
index 916c9f6ed43469855e6f477af7110dec840c9726..aada30dc82ae029b2401c1ecd9af677ab6e49d70 100644
--- a/src/machine-vuln1.c
+++ b/src/machine-vuln1.c
@@ -55,10 +55,12 @@ unsigned int count = 0; /* counts number of instructions executed so far */
 static void machine_init(void){
- memory = malloc(sizeof(int32_t)*MEMORY_SIZE);
+ memory = malloc(sizeof(int32_t)*(MEMORY_SIZE));
 regs = malloc(sizeof(int32_t)*NUM_REGS);
- memset(memory,0,sizeof(int32_t)*MEMORY_SIZE);
- memset(regs,0,sizeof(int32_t)*NUM_REGS);
+
+ /* memset can be vulnerable - changes to this can result in dirty memory to be read*/
+ memset(memory,0,sizeof(int32_t)*(MEMORY_SIZE));
+ memset(regs,0,sizeof(int32_t)*NUM_REGS);
 count = 0;
 }
@@ -437,7 +439,8 @@ static int read_program(const char *filename){
 int instructionCount = 0;
 while (instructionCount < MAX_INSTRUCTIONS){
- char * res = fgets(program[instructionCount],MAX_LINE_LENGTH+2,f);
+ /*VULN*/
+ char * res = fgets(program[instructionCount],(MAX_LINE_LENGTH+2)*2,f);
 if (res == NULL){
 if (feof(f)){
 /* end of file */
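Review bot: Every `line.concat(...)` in generateValidString discards its return value, so `line` stays the empty string created by `new String()` and the method returns `""` for every opcode, including the early-return STR case. `String.concat` returns a new string; the body should accumulate into a `StringBuilder` and return `line.toString()`, as sketched below. Two smaller issues in the same method: `"JMP 2%n"` never goes through a formatter, so `%n` is emitted literally rather than as a line break, and `rg.nextInt(programLength)` throws IllegalArgumentException when programLength is 0, which callers must guard against. The generate*/jmp*/jz*/int* methods added above it all return null; a comment such as `// TODO: not implemented, returns null until this generator is written` on each would make the stub state explicit.
```java
public String generateValidString(Random rg,int programLength,int lineNumber){
    int index = rg.nextInt(validOpcodes.size());
    String opcode = validOpcodes.get(index);
    int numregs = 0;
    Integer offset = null;
    StringBuilder line = new StringBuilder();
    switch(opcode){
        // … unchanged: ADD/SUB/MUL/DIV/RET/LDR cases …
        case("STR"):
            //special case - form <REGISTER VALUE REGISTER>
            offset = (rg.nextInt(2*maxMemory))-maxMemory;
            line.append(opcode)
                .append(" R").append(rg.nextInt(maxRegistry))
                .append(" ").append(offset)
                .append(" R").append(rg.nextInt(maxRegistry));
            return line.toString();
        // … unchanged: MOV/JMP/JZ cases, with line.concat("JMP 2%n") replaced by line.append("JMP 2%n") …
    }
    line.append(opcode);
    for(int x=0;x<numregs;x++){
        line.append(" R").append(rg.nextInt(maxRegistry));
    }
    if(offset!=null){
        line.append(" ").append(offset);
    }
    return line.toString();
}
```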
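Review bot: The new comment `/* memset can be vulnerable - changes to this can result in dirty memory to be read*/` describes a behaviour this hunk does not introduce: the only change to machine_init is the extra parentheses around `MEMORY_SIZE`, so the allocation and zeroing are identical to the old side. If the intent is to mark where a variant would shorten the memset, the comment should say that, e.g. `/* VULN candidate: zeroing fewer than MEMORY_SIZE words here would leave malloc'd memory uninitialised and readable by later loads */`. Separately, neither `malloc` result is checked before `memset` writes through it; `if (memory == NULL || regs == NULL) { /* report and exit */ }` before the memsets would avoid a NULL dereference on allocation failure.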
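Review bot: The new `fgets` size `(MAX_LINE_LENGTH+2)*2` is twice what the old call passed, and the old value presumably matched the width of `program[instructionCount]` (its declaration is outside the hunk), so an input line longer than that can now be written past the end of the row; the `/*VULN*/` marker suggests this is deliberate. The marker should state what it changes so a reader can tell this variant apart from an accidental regression, e.g. `/* VULN (intentional): read size exceeds the row width of program[]; a line longer than MAX_LINE_LENGTH overruns into adjacent storage */`. read_program continues outside the hunk on both sides.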
@@ -449,14 +452,14 @@ static int read_program(const char *filename){
 return -1;
 }
 }
- if (program[instructionCount][MAX_LINE_LENGTH] != '\0'){
+ /*if (program[instructionCount][MAX_LINE_LENGTH] != '\0'){
 if (!(program[instructionCount][MAX_LINE_LENGTH] == '\n' && program[instructionCount][MAX_LINE_LENGTH+1] == '\0')){
 debug_printf("Line %d exceeds maximum length (%d)\n",instructionCount+1,MAX_LINE_LENGTH);
 debug_printf("(Expected at array index %d to find NUL but found '%c' (%d))\n",MAX_LINE_LENGTH,program[instructionCount][MAX_LINE_LENGTH],program[instructionCount][MAX_LINE_LENGTH]);
 fclose(f);
 return -1;
 }
- }else{
+ }else{*/
 /* program[instructionCount][MAX_LINE_LENGTH] == '\0', so strlen is guaranteed to be <= MAX_LINE_LENGTH Check if it has a newline and add it if it needs it */
@@ -467,7 +470,7 @@ static int read_program(const char *filename){
 program[instructionCount][len+1] = '\0';
 }
 }
- }
+ /*}*/
 instructionCount++;
 }
diff --git a/src/machine-vuln2.c b/src/machine-vuln2.c
index 916c9f6ed43469855e6f477af7110dec840c9726..55dfe440bc1c743e8c437793c316db3f4a932dba 100644
--- a/src/machine-vuln2.c
+++ b/src/machine-vuln2.c
@@ -86,12 +86,12 @@ static void do_mult(unsigned int dest, unsigned int src1, unsigned int src2)
 /* returns 0 on success, nonzero on failure */
 static int do_div(unsigned int dest, unsigned int src1, unsigned int src2)
 {
- if (regs[src2] == 0){
- return -1;
- }else{
+ //if (regs[src2] == 0){
+ //return -1;
+ //}else{
 regs[dest] = regs[src1] / regs[src2];
 return 0;
- }
+ //}
 }
 /* returns 0 on success, nonzero on failure */
diff --git a/src/machine-vuln3.c b/src/machine-vuln3.c
index 916c9f6ed43469855e6f477af7110dec840c9726..cdad31ece6b49af8a8ab3bc4f3f205d7cc53d4dc 100644
--- a/src/machine-vuln3.c
+++ b/src/machine-vuln3.c
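Review bot: With the length check commented out, the surviving comment `/* program[instructionCount][MAX_LINE_LENGTH] == '\0', so strlen is guaranteed to be <= MAX_LINE_LENGTH ...` is no longer true, yet the code after it (including the `program[instructionCount][len+1] = '\0';` write visible in the next hunk at line 467) still relies on that bound. The comment should record that the guarantee was removed in this variant, e.g. `/* VULN: length check disabled above, so len may exceed MAX_LINE_LENGTH and len+1 may index past the row */`. Wrapping the old code in `/* ... */` rather than deleting it also leaves a dangling `}else{*/` here and `/*}*/` in the hunk at line 467 that is hard to follow; `#if 0` / `#endif` or plain removal with the history in git would be clearer. read_program continues outside both hunks.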
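Review bot: The header comment `/* returns 0 on success, nonzero on failure */` kept as context above do_div is now wrong, since the commented-out zero check was the only failing path and the function unconditionally returns 0, so callers testing the return value will never see a failure. A zero divisor in `regs[src1] / regs[src2]` is undefined behaviour in C (in practice a SIGFPE on common platforms), and `INT32_MIN / -1` overflows as well in both the old and new versions. If the missing check is the intended defect of this variant, the comment should say so: `/* VULN: divisor is not checked; regs[src2] == 0 reaches the division. Always returns 0. */`.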
@@ -38,7 +38,7 @@ const char INSTRUCTION_JUMP[] = "jmp";
 const char INSTRUCTION_JZ[] = "jz";
 #define NUM_REGS 32
-#define MAX_REG (NUM_REGS - 1)
+#define MAX_REG (NUM_REGS-1)
 #define MEMORY_SIZE 65536 /* 4 x as much memory as a 64 */
 #define MAX_ADDR (MEMORY_SIZE-1)
@@ -126,7 +126,7 @@ static void do_move(unsigned int rd, int32_t val){
 regs[rd] = val;
 }
-#define valid_reg(reg) (reg >= 0 && reg <= MAX_REG)
+#define valid_reg(reg) (reg <= MAX_REG)
 /* returns 0 on success, nonzero on failure. puts register number into
diff --git a/src/pocs/poc1.s b/src/pocs/poc1.s
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..78bbe65f5fd3b229dda97f7f65250107bebc5fd6 100644
--- a/src/pocs/poc1.s
+++ b/src/pocs/poc1.s
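Review bot: Dropping `reg >= 0` from valid_reg only changes behaviour if `reg` is a signed value at the expansion site: then a negative register number such as the `R-1` in poc3.s passes `reg <= MAX_REG` and indexes `regs[]` before its start, whereas for an unsigned operand the removed comparison was always true and the change is a no-op (the type of the values passed in is not visible here). The macro also uses its argument unparenthesised; `#define valid_reg(reg) ((reg) <= MAX_REG)` is the conventional form. If a deliberately weakened check is the intent of this variant, a comment on the define such as `/* VULN: lower bound removed; negative register numbers are accepted when reg is signed */` would record that. The earlier hunk at line 38 is whitespace only.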
@@ -0,0 +1 @@ +RET R0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \ No newline at end of file diff --git a/src/pocs/poc2.s b/src/pocs/poc2.s index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..99b5a2436a201b5049d9f7cb8297907780386925 100644 --- a/src/pocs/poc2.s +++ b/src/pocs/poc2.s @@ -0,0 +1,4 @@ +MOV R0 0 +MOV R1 1 +DIV R2 R1 R0 +RET R2 diff --git a/src/pocs/poc3.s b/src/pocs/poc3.s index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..8469c095a4c35c5656116ce51ea92be053fe2aef 100644 --- a/src/pocs/poc3.s +++ b/src/pocs/poc3.s 
@@ -0,0 +1 @@
+RET R-1
\ No newline at end of file