Buffer overflow and other common software vulnerabilities


You are free to analyze any open-source project in C/C++ (so that AFL can instrument the source code). The target project should contain at least 3000 lines of code and may optionally include a test suite. You can find many candidate projects on GitHub, SourceForge, GNU, or other public repositories of open-source software. To name just a few common examples: openssl, boringssl, c-ares, json, lcms, libarchive, openthread, pcre2, re2, sqlite, vorbis, woff2, and hundreds more.

You can choose older, outdated software, where bugs may be easier to find, or newer, up-to-date software, where finding bugs may be harder but also more interesting. Keep in mind that the more well-known the software is, the fewer vulnerabilities it is likely to have (you aren't the only one looking for bugs). To keep it simple, choose software that takes a single file as input on the command line. Please ask if you have questions about the suitability of particular software.

Be aware that AFL may not find any bug in some software, or in some versions of it: the fuzzing process is probabilistic, and the software may be largely bug-free. You may therefore need to fuzz several programs with AFL before you find bugs, but you only need to report on your best attempt.

Investigate Vulnerabilities
You should investigate the crashes reported by AFL and determine whether they indicate real vulnerabilities. For each vulnerability, provide the following details in your report:

- What is the cause of the vulnerability (i.e. what is the fundamental bug in the code that causes it)? Be very specific: if it is a buffer overflow, explain exactly how the buffer is misused and how the given input file triggers that error.

- Where does the vulnerability take place (i.e. where in the target's code is it located)? Specify the source file and line number, as well as any other functions relevant to creating the conditions of the bug.

- How exploitable is the vulnerability? Does it merely crash the program, or could an attacker take advantage of it to do more (inject shellcode, corrupt metadata used by memory management, etc.)? What would an attacker need to do in order to exploit it?

- How would you fix this vulnerability (i.e. how would you modify the specific code of the program to prevent it)?

- Include at least one input file that reproduces the vulnerability. If the input is text-based, you can include it in the appendix of the report; otherwise, submit it along with the report (the report should provide instructions for using the input to reproduce the vulnerability).

Please note that some vulnerabilities are more interesting and/or easier to document than others. If AFL reports many crashes, feel free to investigate several before picking the specific ones you want to document.

If the vulnerabilities you find are already documented elsewhere, you must give references to the previous reports (and/or their CVE numbers, if available). You must still provide full evidence of how you detected the known vulnerabilities with your own analysis (see the marking criteria below).
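As an added illustration of the "cause" and "fix" items above (example code written for this brief, not taken from the assignment or from any target project): a parser for a constructed length-prefixed record format, first with the unchecked copy that an AFL crash would lead you to, then with the bounds check that fixes it. The record format, function names and buffer size are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* size of the fixed destination buffer */

/* Constructed record format for this example: one length byte followed by that
 * many name bytes. Both parsers return the bytes consumed, or 0 on rejection. */

/* BEFORE the fix: the length byte comes straight from the input file and is never
 * compared with NAME_MAX, so a record whose length byte is 16 or more writes past
 * the end of `name` (stack buffer overflow), the bug an AFL crash would point at. */
size_t parse_record_vulnerable(const unsigned char *rec, size_t rec_len, char name[NAME_MAX])
{
    if (rec_len < 1) return 0;
    size_t len = rec[0];
    memcpy(name, rec + 1, len);   /* unchecked copy of an attacker-chosen length */
    name[len] = '\0';             /* also out of bounds when len >= NAME_MAX */
    return 1 + len;
}

/* AFTER the fix: check the untrusted length against both the destination buffer
 * and the bytes actually present, and reject rather than silently truncate. */
size_t parse_record_fixed(const unsigned char *rec, size_t rec_len, char name[NAME_MAX])
{
    if (rec_len < 1) return 0;
    size_t len = rec[0];
    if (len >= NAME_MAX || len > rec_len - 1) return 0;  /* rec_len >= 1: no underflow */
    memcpy(name, rec + 1, len);
    name[len] = '\0';
    return 1 + len;
}

int main(void)
{
    /* Constructed inputs: a well-formed record and an oversized one of the sort
     * a fuzzer produces by mutating the length byte. */
    const unsigned char good[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    unsigned char bad[1 + 200];
    char name[NAME_MAX];

    bad[0] = 200;
    memset(bad + 1, 'A', 200);
    printf("good: consumed %zu bytes, name=\"%s\"\n",
           parse_record_fixed(good, sizeof good, name), name);
    printf("bad:  fixed parser returned %zu (record rejected)\n",
           parse_record_fixed(bad, sizeof bad, name));
    /* parse_record_vulnerable(bad, sizeof bad, name) would overflow `name`. */
    return 0;
}
```

In a report, the "where" item would name the unchecked memcpy line and the function holding the fixed buffer, and the reproducing input file would be the record with the oversized length byte.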
Exploit Vulnerabilities
For students seeking a challenge, you may optionally construct a working exploit (along with instructions for using it) that leverages one of the vulnerabilities you find to exploit the software in some manner. At a minimum, the exploit must do more than just crash the program. If you include an exploit, please also include the following in your report:

- The expected consequence of using your exploit on the software, together with some proof that the exploit works.

- Detailed instructions on how to compile and run the exploit code, and how to verify the results.