
Posted by punzalan at 2020-04-05

Explaining what fuzz testing is through an example

An example of fuzz testing

Fuzz testing (fuzzing) is a method for finding software vulnerabilities by feeding unexpected input to the target system and monitoring it for abnormal results. The basic idea is to feed the program a large amount of random data, observe how the program behaves after each input, and record the inputs that make the program misbehave, so that the faulty part of the program can be located.

Implementing a fuzz test is a very simple process:

1. Prepare a valid file that the program accepts as input.

2. Replace some parts of the file with random data.

3. Open the file with the program.

4. Observe what breaks.

Peach Fuzzer is an advanced and extensible security testing platform. It enables software testers, enterprise quality assurance teams, and testing labs to find vulnerabilities in software using automated generational and mutational fuzzing methods.

The Peach pit file used by Peach contains the following five modules:

General Configuration

Data Model

State Model

Agents and Monitors

Test and Run Configuration

The following describes how each of these five modules is defined, and builds a simple HelloWorld pit along the way.

Extras: before that, we need a good XML editor. Visual Studio, Open XML Editor or Notepad++ are all good choices. Here I use Notepad++, which comes with syntax colouring for dozens of languages and takes only about 10MB after installation.

First, let's build the XML skeleton. All of the elements written below must be placed inside the root element <Peach>.


The attributes of the Peach root element are essentially fixed and should not be changed casually.

(1) General configuration

GeneralConf is the first part of the Peach pit file; it defines the basic configuration information. Specifically, it consists of the following three elements.

Include: additional Peach pit files to include.

Import: Python modules to import.

PythonPath: a path to add to the Python module search path.

Note that every Peach pit file includes the default.xml file.

In HelloWorld, the general configuration section simply contains the following.


(2) DataModel

The DataModel element defines the data model: the data structure, the relationships between fields, and so on. A Peach pit file must contain one or more data models. Some common data types that a DataModel can define are listed below.

String: a string.

Number: a numeric value.

Blob: raw data with no particular type.

Block: a container used to group other elements.

For example:


Note that the unit of size is bits. In the example above, the size of "Id" is 32, meaning that "Id" is 4 bytes long (1 byte = 8 bits), which matches its value "riff", which is also 4 bytes.

In the HelloWorld pit, only a single String element with the value "Hello World!" is defined.


(3) StateModel

The StateModel element describes how data is sent to and received from the target program. A StateModel consists of at least one State, and the first State is named by the initialState attribute; each State consists of at least one Action, which defines a step in the state model, and the kind of step is given by the type attribute. Supported action types include start, stop, open, close, input, output, call, and others. Here is an example:


In the example above, the first action is of type input, which means data is received and parsed according to the data model inputmodel; the second action is of type output, which means data is generated from the data model somedatamode and written to the file sample.bin; the third action is a call action, which calls the function dostuff and passes the data generated from the data model param1datamodel as its argument; the fourth action closes the program.

When a State contains several actions, they are executed from top to bottom.

In the HelloWorld pit, we only need a single action that hands the data in the data model "helloworldtemplate" to the publisher, so the StateModel is written as follows.


(4) Agent

Agent elements define agents and monitors, and can be used to attach a debugger such as WinDbg so that errors raised while the program runs are captured. A Peach pit file can define multiple agents, and each agent can define multiple monitors. Here is an example:


In the example above, the first monitor is of type debugger.WindowsDebugEngine, which launches the command "notepad.exe filename" under WinDbg. The second monitor is of type process.PageHeap, which enables page heap debugging for notepad.exe; this is very useful in most Windows fuzzing, because it makes heap corruption fault immediately at the access that causes it.

In the HelloWorld pit, we don't need WinDbg, so no Agent is configured.

(5) Test and Run configuration

In the Peach pit file, the test and run configuration consists of two elements: Test and Run.

The Test element defines the configuration of one test: the StateModel and Publisher to use, Include/Exclude rules, Agent references, and so on. The StateModel and Publisher are mandatory; everything else is optional. Here is an example of a test configuration.


Let's look at the Publisher first. The Publisher defines Peach's I/O connection: it can be a network stream (such as TCP, UDP or HTTP), a file stream (such as FileWriter or FileReader), and so on. The Publisher in the example above writes the generated malformed data to the fuzzed output file.

In the HelloWorld pit, all we need is to print the generated malformed data on the command line, so the Publisher is the standard-output publisher stdout.Stdout.


Now for the last step, the run configuration. The Run element defines which tests to run and references one or more Test elements. In addition, a Logger element can be configured to record the results of the run; the Logger is optional.


The example above runs the test and writes the run log to the directory C:\peach\logtest.
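The Agent, Test and Run pieces described in the three sections above, written out together as an added example in Peach 2 pit syntax (this is not the post's own code). The agent name LocalAgent, the test name FileTest, the file name fuzzed.txt and the referenced StateModel FileState are assumptions, and the Param names follow the Peach 2 conventions as I remember them; they would sit inside the <Peach> root next to a DataModel and a StateModel that has an output action.

```xml
<!-- Added example, not from the original post: agent with WinDbg + page heap,
     a test that writes fuzzed data to a file, and a run with a filesystem logger.
     LocalAgent, FileTest, FileState and fuzzed.txt are assumed names. -->
<Agent name="LocalAgent" location="http://127.0.0.1:9000">
  <!-- Launch the target under the Windows debug engine so crashes are caught -->
  <Monitor class="debugger.WindowsDebugEngine">
    <Param name="CommandLine" value="notepad.exe fuzzed.txt" />
  </Monitor>
  <!-- Page heap makes heap overflows fault at the offending access -->
  <Monitor class="process.PageHeap">
    <Param name="Executable" value="notepad.exe" />
  </Monitor>
</Agent>

<Test name="FileTest">
  <Agent ref="LocalAgent" />
  <!-- FileState is assumed to contain an output action for the data model -->
  <StateModel ref="FileState" />
  <!-- The file publisher writes each mutated test case to fuzzed.txt -->
  <Publisher class="file.FileWriter">
    <Param name="fileName" value="fuzzed.txt" />
  </Publisher>
</Test>

<Run name="DefaultRun">
  <Test ref="FileTest" />
  <!-- Optional logger: crash data and iteration info go under this path -->
  <Logger class="logger.Filesystem">
    <Param name="path" value="C:\peach\logtest" />
  </Logger>
</Run>
```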

In the HelloWorld program, you only need to put the previously defined helloworldtest in the run configuration.


Sample test process

Let's take the simplest possible target as an example to walk through the basic process of fuzzing with Peach.

The Peach pit file we use is helloworld.xml. After printing the original "Hello World!" string, it automatically generates a large number of mutated variants of it, including extremely long strings, strings with the null terminator missing, and other illegal strings; nearly every kind of string that could cause a program error is covered.

Here is the complete code:

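The complete HelloWorld pit assembled from the pieces described above, written out here as an added example rather than the post's own file. It follows the Peach 2 pit layout; the name "State" for the StateModel and "DefaultRun" for the run are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not the original post's helloworld.xml): a complete Peach 2 pit.
     StateModel name "State" and Run name "DefaultRun" are assumed names. -->
<Peach version="1.0" author="example" description="Hello World Example"
       xmlns="http://phed.org/2008/Peach"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://phed.org/2008/Peach /peach/peach.xsd">

  <!-- (1) General configuration: pull in the default definitions -->
  <Include ns="default" src="file:defaults.xml" />

  <!-- (2) DataModel: a single string; Peach mutates this value -->
  <DataModel name="HelloWorldTemplate">
    <String value="Hello World!" />
  </DataModel>

  <!-- (3) StateModel: one state with one output action that emits the model -->
  <StateModel name="State" initialState="State1">
    <State name="State1">
      <Action type="output">
        <DataModel ref="HelloWorldTemplate" />
      </Action>
    </State>
  </StateModel>

  <!-- (4) No Agent: no debugger is needed to fuzz standard output -->

  <!-- (5) Test: bind the state model to the stdout publisher -->
  <Test name="HelloWorldTest">
    <StateModel ref="State" />
    <Publisher class="stdout.Stdout" />
  </Test>

  <!-- Run: execute the test; no Logger, so results only appear on the console -->
  <Run name="DefaultRun">
    <Test ref="HelloWorldTest" />
  </Run>

</Peach>
```

Each iteration prints one mutated variant of "Hello World!" (over-long strings, strings missing their terminator, and so on) to the console, which is the behaviour the post describes for helloworld.xml.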

Then run the above pit file.