Developer's Guide
Content
1. Adding a new abstraction function
2. Adding a new fuzzing function
3. Using AutoFuzz logging facility
4. AutoFuzz packages description
   4.1 AutoFuzzMain
   4.2 BioinfoFieldExtractor
   4.3 FuzzingEngine
   4.4 ProtocolLearner
   4.5 ProxyServer
   4.6 socks
   4.7 socks.server

1. Adding a new abstraction function

1. You will usually need two abstraction functions: one for input messages and another for output messages (you can also use the same abstraction function for both input and output messages). Each abstraction function must implement the AbstractionFunct interface. Name them [ProtocolName]AbstractionFunction.java.
2. Copy the two *.java files into [MainDrive]:\[ProgramFiles]\AutoFuzz\AbstractionFuncs\
3. Compile both files using 'javac'. (Run cmd.exe as an administrator, otherwise Windows will give an "access denied" error when trying to compile the files.)
4. Modify [MainDrive]:\[ProgramFiles]\AutoFuzz\abstractionSource.txt by adding the name of the newly added function.

abstractionSource.txt:
5. You can now run AutoFuzz and it will load the new abstraction functions at start-up.

2. Adding a new fuzzing function

Any fuzzing function must implement FuzzingFunctionInterface or FuzzingFunctionInterface2. The parameters of FuzzingFunctionInterface are a GenericMessage object (GMS) and the current input message, represented as an array list of ASCII decimals. The parameters of FuzzingFunctionInterface2 are a GenericMessage object (GMS), the current input message, the protocol's FSA and the current state ID. Note that FuzzingFunctionInterface2 is richer than FuzzingFunctionInterface, but it should be used with caution so as not to affect the fuzzing engine. We describe FuzzingFunctionInterface in more detail below.

1. A fuzzing function can operate on the generic or the actual input message. A GenericMessage object consists of an array list of message blocks. A message block is either a static or a variable data field. Variable message blocks also carry associated type information. See more about the GMS.
2. Name the new fuzzing function FuzzingFunction[ArbitraryName].java.
3. Copy the *.java files into [MainDrive]:\[ProgramFiles]\AutoFuzz\FuzzingFunctions
4. Compile the *.java file using "javac". Note that the classpath must be set to the location of AutoFuzz[Version].jar.
5. Modify [MainDrive]:\[ProgramFiles]\AutoFuzz\fuzzingSource.txt by adding the name of the new fuzzing function.

fuzzingSource.txt:
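The following is an added example, not AutoFuzz's own code: a small Python model of a GMS made of static and variable message blocks, and a fuzzing function that takes the two parameters the guide names for FuzzingFunctionInterface (the GMS and the current input message as a list of ASCII decimals). The block layout, the "number" field type, the return value and the sample "SIZE" command are assumptions made for illustration; AutoFuzz's real GenericMessage and interface classes are Java.

```python
# Added example, not AutoFuzz's own code: a toy Generic Message Structure (GMS)
# of static/variable blocks and a fuzzing function over it. Block layout,
# field types, return value and sample protocol are assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MessageBlock:
    """One GMS block: a static byte run, or a variable field carrying a type."""
    static: bool
    value: Optional[List[int]] = None   # ASCII decimals, static blocks only
    field_type: Optional[str] = None    # e.g. "number" or "text", variable blocks only


@dataclass
class GenericMessage:
    blocks: List[MessageBlock]


def to_ascii_decimals(text: str) -> List[int]:
    return [ord(c) for c in text]


def _find(message: List[int], needle: List[int], start: int) -> int:
    """Index of the first occurrence of needle in message at or after start."""
    for j in range(start, len(message) - len(needle) + 1):
        if message[j:j + len(needle)] == needle:
            return j
    raise ValueError("static block not found in message")


def split_message(gms: GenericMessage, message: List[int]) -> List[List[int]]:
    """Slice the concrete message into one byte list per GMS block.

    Static blocks must match byte-for-byte; a variable block consumes bytes up
    to the next static block (or to the end of the message).
    """
    slices: List[List[int]] = []
    pos = 0
    for i, blk in enumerate(gms.blocks):
        if blk.static:
            end = pos + len(blk.value)
            if message[pos:end] != blk.value:
                raise ValueError(f"message does not match static block {i}")
        else:
            nxt = next((b for b in gms.blocks[i + 1:] if b.static), None)
            end = len(message) if nxt is None else _find(message, nxt.value, pos)
        slices.append(message[pos:end])
        pos = end
    if pos != len(message):
        raise ValueError("message has trailing bytes not covered by the GMS")
    return slices


# Boundary values for numeric fields (constructed list).
NUMERIC_PAYLOADS = ["0", "-1", "4294967296", "9" * 64]


def fuzz_numeric_fields(gms: GenericMessage, message: List[int]) -> List[List[int]]:
    """Fuzzing function: replace each variable "number" field with boundary values.

    Returns one mutated message (as ASCII decimals) per field and payload;
    static blocks are left untouched so the message keeps its framing.
    """
    slices = split_message(gms, message)
    mutants: List[List[int]] = []
    for i, blk in enumerate(gms.blocks):
        if blk.static or blk.field_type != "number":
            continue
        for payload in NUMERIC_PAYLOADS:
            new_slices = list(slices)
            new_slices[i] = to_ascii_decimals(payload)
            mutants.append([b for s in new_slices for b in s])
    return mutants


# Constructed sample GMS: a line-based command "SIZE <number>\r\n".
SAMPLE_GMS = GenericMessage([
    MessageBlock(static=True, value=to_ascii_decimals("SIZE ")),
    MessageBlock(static=False, field_type="number"),
    MessageBlock(static=True, value=to_ascii_decimals("\r\n")),
])

if __name__ == "__main__":
    for m in fuzz_numeric_fields(SAMPLE_GMS, to_ascii_decimals("SIZE 42\r\n")):
        print(bytes(m))
```

The split step is what makes the function "operate on the generic message" rather than on raw bytes: it refuses messages that do not fit the GMS, so a mutation is only ever applied to the variable field the GMS identifies, and the static framing the server parses on stays intact.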
3. Using AutoFuzz logging facility

AutoFuzz has built-in logging functionality that allows messages to be recorded from anywhere within the application. To create a new type of log file, perform the following steps:

1. Add a new static log file in the system Configuration Variables with set/get methods. For example:

2. Call the instantiateNewSystemLogFile method of the LoggingFacility class, specifying the suffix for the log file. All log files begin with the AutoFuzzLog prefix.
3. Set the static File object in the configuration variables to the newly created log file.
4. Use the writeLogMessage method of LoggingFacility to record messages into the log file. The parameters are: the log file object, the severity level and the message itself. The following severity levels are available through the configuration variables: Info, Warning, Error and Severe.
4. AutoFuzz packages description

4.1 AutoFuzzMain - The main class for AutoFuzz lives here, along with the GUI classes, global system variables, the logging facility and the functions for the graphical construction of a finite state automaton. The finite state automaton builder is based on the Java JUNG graph library.

4.2 BioinfoFieldExtraction - The main algorithms for extracting syntax information from the individual messages and associating it with the finite state automaton are implemented here. The main steps are:
   Step 1: Similar messages are clustered together using a new clustering technique.
   Step 2: A multiple sequence alignment algorithm is run on each message cluster.
   Step 3: A GMS is constructed for each message cluster.
   Step 4: Each transition in the protocol's FSA is associated with the corresponding GMS.

4.3 FuzzingEngine - This package is responsible for all fuzzing operations of AutoFuzz. The fuzzing engine contains a copy of the minimized finite state automaton and sequentially performs fuzzing functions on each transition. Each transition has a StringFuzzerEngine object associated with it, which keeps track of which fuzzing functions have been performed at that particular transition. The fuzzing engine is reinitialized every time the user clicks "Init. Fuzzing Engine" in the Proxy Server window.

4.4 ProtocolLearner - This package constructs the finite state automaton from a collection of network traces. The initial construction algorithm is based on the passive learning approach proposed in "A Model-based Approach to Security Flaw Detection of Network Protocol Implementations" by Yating Hsu, Guoqiang Shu and David Lee, but has been slightly modified. In our implementation an input message can be mapped to a list of output messages. Therefore, each transition is uniquely identified by a state ID and an input message associated with a list of output messages.

-----------------------------------------------------------------------------------------------------------
Finite State Automaton Construction Algorithm Overview:

Input:  A list of message traces, Input abstraction Func, Output abstraction Func
Output: Finite State Automaton Object

Instantiate FSA
for each trace:
    reset current state to the root state
    for each message in the trace:
        abstract input message
        abstract output messages
        if there is no transition from the current state with the given abstracted input message:
            add a new transition from the current state
            associate the input message and a list of output messages with it
        else if one or more output messages are not a part of the transition:
            associate all new output messages with the transition
        change current state to the new state associated with the abstracted input message
return FSA object
-----------------------------------------------------------------------------------------------------------

4.5 ProxyServer - This package instantiates a modified version of the Java SOCKS Server as a separate thread and uses it to record and modify the traffic.

4.6, 4.7 socks and socks.server - These packages are taken from the Java SOCKS server implementation and have been modified to support recording and modification of the network traffic.
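The following is an added example, not AutoFuzz's own code: the passive FSA construction algorithm outlined in 4.4, written out in Python together with a pair of input/output abstraction functions of the kind section 1 asks you to supply. Abstraction functions are plain callables here, since this guide does not show the exact signature of the AbstractionFunct interface (an assumption); the toy SMTP-like protocol and the two traces are constructed. Minimization of the resulting automaton, which 4.3 mentions, is not part of this pass.

```python
# Added example, not AutoFuzz's own code: passive FSA construction following
# the pseudocode in section 4.4. Abstraction functions as callables, the toy
# protocol and the traces are all assumptions/constructed sample data.
from typing import Callable, Dict, List, Set, Tuple

Message = str
AbstractionFunc = Callable[[Message], str]
# One trace is the ordered list of (input message, [output messages]) exchanges.
Trace = List[Tuple[Message, List[Message]]]


class FSA:
    """Transitions are keyed by (state ID, abstracted input) and map to the
    target state plus the set of abstracted outputs seen on that transition."""

    def __init__(self) -> None:
        self.root = 0
        self.next_state = 1
        self.transitions: Dict[Tuple[int, str], Tuple[int, Set[str]]] = {}

    def add_transition(self, state: int, abstract_in: str,
                       abstract_outs: List[str]) -> int:
        target = self.next_state
        self.next_state += 1
        self.transitions[(state, abstract_in)] = (target, set(abstract_outs))
        return target

    def state_count(self) -> int:
        return self.next_state


def build_fsa(traces: List[Trace], abstract_in: AbstractionFunc,
              abstract_out: AbstractionFunc) -> FSA:
    """One passive learning pass over the traces, following the guide's pseudocode."""
    fsa = FSA()
    for trace in traces:
        state = fsa.root                      # reset to the root for every trace
        for inp, outs in trace:
            a_in = abstract_in(inp)
            a_outs = [abstract_out(o) for o in outs]
            key = (state, a_in)
            if key not in fsa.transitions:
                # no transition from this state with this abstracted input: add one
                fsa.add_transition(state, a_in, a_outs)
            else:
                # known transition: merge in any outputs not already associated
                fsa.transitions[key][1].update(a_outs)
            state = fsa.transitions[key][0]   # move to the transition's target
    return fsa


# Constructed abstraction functions for a toy SMTP-like protocol.
def abstract_input(msg: Message) -> str:
    """Input abstraction: keep only the command verb."""
    words = msg.split()
    return words[0].upper() if words else ""


def abstract_output(msg: Message) -> str:
    """Output abstraction: keep only the three-digit reply code."""
    return msg[:3]


# Constructed traces: two sessions; the second gets a syntax error on MAIL.
SAMPLE_TRACES: List[Trace] = [
    [("HELO a.example", ["250 Hello a.example"]),
     ("MAIL FROM:<x@a.example>", ["250 OK"]),
     ("QUIT", ["221 Bye"])],
    [("HELO b.example", ["250 Hello b.example"]),
     ("MAIL FROM:<not-an-address>", ["501 Syntax error"]),
     ("QUIT", ["221 Bye"])],
]

if __name__ == "__main__":
    fsa = build_fsa(SAMPLE_TRACES, abstract_input, abstract_output)
    for (state, a_in), (target, outs) in sorted(fsa.transitions.items()):
        print(f"state {state} --{a_in}/{sorted(outs)}--> state {target}")
```

The second trace does not create new states: its MAIL command abstracts to the same verb as the first trace's, so only the reply code 501 is merged into the existing transition's output set. This is the modification the text describes, one input message mapped to a list of output messages, and it is why the choice of abstraction function decides how many states the learned automaton has.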