In previous blogs, I’ve talked about using code coverage as one metric for assessing the effectiveness of fuzzing. While protocol specifications and application definitions can be used for fuzzing, the interdependencies of fields and messages within protocols, including state, are not always obvious. For example, when looking at the telnetd source, it’s pretty obvious that you need to send 4 or 5 primary telnet options before the server will enter the main loop. Likewise, no matter what you do with the XDISPLAYLOC telnet option, you are wasting time, since the server simply passes it to setenv.
What we really need is an interactive way to look at code coverage to help guide the development of a fuzzer. The goal here is not so much to get a concrete coverage measurement as to better understand how the control flow works and how the protocol fields affect it. It also helps us understand how fields and messages sent up front affect subsequent messages because of dependencies in state, structure and semantics.
Various reverse engineering tools exist for compiled binaries, including IDA Pro and Pai Mei. But when you have the source, why not use it? Lcov is another open source tool that generates coverage information from multiple runs of the target; its primary purpose is to provide top-line summaries of directories and files. However, it’s not interactive.
Rcov is a WEBrick application that uses the compile/runtime output generated by gcov, uses the browser for navigation (tested with Firefox and Safari), cross links the source using ctags and decorates the output using the runtime coverage data generated by the program under execution. You can think of this as a cross between Doxygen and lcov.
Once rcov is fired up with the root directory of the target’s source, it will first read the various gcda files generated by the compiler. It will then listen on localhost:8080 and you can point your browser to this URL. Run your fuzzer against the target and each time the target exits, the gcov compiled target will dump a bunch of gcno files. Refresh your browser window and you should see the source files updated with coverage information.
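The same run-then-compare loop can be scripted. The following is an added example, not rcov's own code: it parses gcov's annotated-source text reports (`.gcov` files) from two fuzzer runs and lists the lines that only the second run reached. The two sample reports, the file name `toy_telnetd.c` and the C function names in them are constructed for illustration.

```ruby
# Added example (not rcov's code): diff line coverage between two gcov reports.
# gcov's annotated-source format is "<count>:<lineno>:<source>", where count is
# "-" (no code), "#####" or "=====" (never executed), or an execution count.
def parse_gcov(text)
  cov = {}
  text.each_line do |line|
    m = line.chomp.match(/\A\s*([^:\s]+):\s*(\d+):(.*)\z/)
    next unless m
    count, lineno, src = m[1], m[2].to_i, m[3]
    next if lineno.zero? || count == "-" # header records and non-code lines
    hits = count.match?(/\A\d+\*?\z/) ? count.to_i : 0
    cov[lineno] = { hits: hits, src: src.strip }
  end
  cov
end

# Lines executed in `after` but never in `before`: code the new input unlocked.
def newly_covered(before, after)
  after.select { |n, e| e[:hits] > 0 && before.fetch(n, { hits: 0 })[:hits].zero? }
       .map { |n, e| [n, e[:src]] }
       .sort
end

# Fraction of executable lines hit at least once.
def coverage_ratio(cov)
  cov.empty? ? 0.0 : cov.count { |_, e| e[:hits] > 0 }.to_f / cov.size
end

# Constructed sample: the fuzzer sent data without negotiating any options.
RUN_A = <<~'GCOV'
          -:    0:Source:toy_telnetd.c
          3:    1:  n = read_option(fd, &opt);
          3:    2:  if (!negotiated(opt))
          3:    3:    return wait_more();
      #####:    4:  setup_terminal();
      #####:    5:  main_loop(fd);
GCOV
# Constructed sample: the fuzzer completed option negotiation first.
RUN_B = <<~'GCOV'
          -:    0:Source:toy_telnetd.c
          5:    1:  n = read_option(fd, &opt);
          5:    2:  if (!negotiated(opt))
          4:    3:    return wait_more();
          1:    4:  setup_terminal();
          1:    5:  main_loop(fd);
GCOV

a, b = parse_gcov(RUN_A), parse_gcov(RUN_B)
newly_covered(a, b).each { |n, src| puts "newly reached line #{n}: #{src}" }
```

An empty result after changing a field in the fuzzer means that field did not open any new path in the target.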
| Download | rcov-0.1.tar.gz |
| MD5 | 25d98bea9d8d33bb471df89b21a58b3b |
| License | BEER-WARE |
Screen shots:
#1 code coverage
#2 ctags lookup
More information in the README.txt included in the distribution. And yeah, the ‘r’ in rcov is for ruby.
Happy fuzzing.
