Developer's Guide



Content


   1.	Adding a new abstraction function
   2.	Adding a new fuzzing function
   3.	Using AutoFuzz logging facility
   4.	AutoFuzz packages description
      4.1 AutoFuzzMain
      4.2 BioinfoFieldExtractor
      4.3 FuzzingEngine
      4.4 ProtocolLearner
      4.5 ProxyServer
      4.6 socks
      4.7 socks.server
	  
	  
   1.	Adding a new abstraction function
   
      1. You will usually need two abstraction functions: one for input messages, another for output messages 
	  (You can also use the same abstraction function for both input and output messages). Each abstraction 
	  function must implement the AbstractionFunct interface. Name them as [ProtocolName]\AbstractionFunction.java
      2. Copy two *.java files into [MainDrive]:\[ProgramFiles]\AutoFuzz\AbstractionFuncs\
      3. Compile both files using 'javac'. (Please run cmd.exe as an administrator, otherwise windows will give 
	  "access denied error" when trying to compile the files) 
	  
	  
	  
	  4. Modify [MainDrive]:\[ProgramFiles]\AutoFuzz\abstractionSource.txt by adding a name of the newly added 
	  function.
	  
	  abstractionSource.txt:
	  
	  
	  5. You can now run AutoFuzz and it will load the new abstraction functions at the start up
	  
   2. Adding a new fuzzing function
   
   	  Any fuzzing function must implement FuzzingFunctionInterface or FuzzingFunctionInterface2. 
	  The parameters of the FuzzingFunction interface are a GenericMessage object (GMS) and a current input 
	  message represented as an array list of ASCII decimals. 
	  The parameters of the FuzzingFunctionInterface2 are a GenericMessage object (GMS), current input message,
	  the protocol's FSA and the current state ID. Please note that FuzzingFunctionInterface2 is
	  richer than the FuzzingFunctionInterface, but should be used with caution not to affect the fuzzing
	  engine. We decribe the FuzzingFunctionInterface in more details below. 
	  
	  1. A fuzzing function can operate on the generic or the actual input message. GenericMessage object consists 
	  of an array list of message blocks. A message block can be either static or variable data field. Variable 
	  message blocks have also an associated type information. See more about the (GMS). 
	  2. Name the new fuzzing function as FuzzingFunction[ArbitraryName].java
	  3. Copy *.java files into [MainDrive]:\[ProgramFiles]\AutoFuzz\FuzzingFunctions
	  4. Compile *.java file using "javac". Please note that the classpath should be set to the location 
	  of AutoFuzz[Version].jar
	  
  	  
	  
	  5. Modify [MainDrive]:\[ProgramFiles]\AutoFuzz\fuzzingSource.txt by adding a the name of the new fuzzing 
	  function. 
	  
	  fuzzingSource.txt:
   	  
	  
   3. Using AutoFuzz logging facility
   
   	  AutoFuzz has built-in logging functionality that allows to record messages from anywhere within the application.  
	  To create a new type of a log file perform the following steps:
	  
	  1. Add a new static log file in system Configuration Variables with set/get methods. For example:
	  
	  
	  
	  2. Call instantiateNewSystemLogFile method of the LoggingFacility class specifying the suffix for 
	  the log file. All log files begin with AutoFuzzLog prefix.
	  
	  
	  
	  3. Set the static File object in configuration variables to the newly created log file.
	  
	     
	  
	  4. Use writeLogMessage method of the LoggingFacility to record messages into the log file. The parameters 
	  are: log file object, severity level and the message itself. The following severity levels are available 
	  through the configuration variables: Info, Warning, Error and Severe.
	  
	  

   4. AutoFuzz packages description 
	  
	  4.1 AutoFuzzMain - The main class for AutoFuzz contains here alogn with the GUI classes, global system variables, 
	  logging facility and functions for the graphical construction of a finite state automaton. 
	  Finite state automaton builder is based on Java JUNG graph library.

 	  4.2 BioinfoFieldExtraction - The main algorithms for extracting syntax information from the 
	  individual messages and associating it with the finite state automaton are done here. The main
	  steps are: 
	  Step 1: Similar messages are clustered together using a new clustering technique. 
	  Step 2: Multiple sequence alignment algorithm is performed on each message cluster. 
	  Step 3: GMS is constructed for each message cluster. 
	  Step 4: Each transition in the protocol's FSA is associated with the corresponding GMS. 
	  
	  4.3 FuzzingEngine - The package is responsible for all fuzzing operations of AutoFuzz. The fuzzing engine 
	  contains a copy of the minimized finite state automaton and sequentially performs fuzzing functions 
	  on each transition. Each transition has a StringFuzzerEngine object associated with it, which keeps 
	  information about what fuzzing functions have been performed at this particular transition. 
	  The fuzzing engine is reinitialized every time user click on "Init. Fuzzing Engine" under the 
	  Proxy Server window.

	  4.4 ProtocolLearner - This package constructs the finite state automaton from a collection of network 
	  traces. The initial construction algorithm is based on the passive learning approach proposed in 
	  "A Model-based Approach to Security Flaw Detection of Network Protocol Implementations" by Yating Hsu, 
	  Guoqiang Shu and David Lee but has been slightly modified. In our implementation a input message can be 
	  mapped to a list of output messages. Therefore, each transition is uniquly identified by a state ID 
	  and an input messages associated with a list of output messages.

      -----------------------------------------------------------------------------------------------------------
 	  Finite State Automaton Construction Algorithm Overview:
	  Input: A list of message traces, Input abstraction Func, Output abstraction Func

	  Output: Finite State Automaton Object

	  Instantiate FSA

	  for each trace:
	  	  reset current state to the root state

		  for each message in the trace:
		     abstract input message
			 abstract output messages

			 if there is no transition from the current state with the given abstracted input message:
			    add a new transition from the current state
				associate input messages and a list of output messages with it
			 else if one or more output messages are not a part of the transition:
			    associate all new output messages with the transition
			 change current state to the new state associated with the abstracted input message                                 

	   return FSA object
       -----------------------------------------------------------------------------------------------------------

 	   4.5 ProxyServer - this package instantiates a modified version of Java SOCKS Server 
	   as a separate thread and uses it to record and modify the traffic.

	   4.6, 4.7 socks and socks.server - These packages are takes from java SOCKS server implementation and 
	   have been modified to support recording and modification of the network traffic.