Commit 1e9d19dd authored by Guillaume BIENKOWSKI

Add documentation about AFL fuzzing and seed SIP messages

parent 7ec48ad6
# Using the afl-fuzz to look for bugs in the belle-sip parser
This guide expects that you have installed the afl-fuzz package for your distribution, or on Mac using Homebrew or port.
Windows is not supported right now.
Then follow these steps:
1. Configure belle-sip with the afl instrumentation tools as CC and OBJC, and with static linking:
# Linux
CC=`which afl-gcc` ./configure --disable-shared
# Mac
CC=`which afl-clang` OBJC=`which afl-clang` ./configure --disable-shared
2. Compile and make sure the testers are build. You should have an executable file named testers/belle_sip_parser
make clean && make
3. You can now run the afl fuzzy tester in the tester/ directory to test the parser for SDP, HTTP or SIP.
afl-fuzz -i afl/sip -o afl_sip_results -- ./belle_sip_parser --protocol sip @@
With this command:
- It will show you a screen with informations on the current state of the fuzzing steps.
- The `afl/sip` directory contains valid SIP messages that the fuzzer will use as a base for its investigations. You can add
- The results of the investigations will be placed in a directory named `afl_sip_results/`. You will have access to the SIP messages that provoked a crash in the `crashes/` directory.
# Notes
The afl directory contains test messages that will be the base for mutation with the afl fuzzer. They are saved using the CRLF line endings. This is important since the parser expects two "\r\n\r\n" at the end of a message.
## TODO:
1. add HTTP and SDP fuzzy tests
2. add a dictionary of keywords to help the fuzzer generate some valid messages (instead of bitflipping randomly) (see `afl-fuzz -x` option)
\ No newline at end of file
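Review bot: the second bullet under "With this command" stops mid-sentence ("You can add"); finish it, presumably "You can add your own valid messages to this directory to widen the corpus." Two consistency problems in the same file: step 2 says the binary is testers/belle_sip_parser while step 3 says to run it from tester/, so one of the two paths is wrong; and the shell snippets after steps 1 and 2 are not fenced, which in Markdown turns the `# Linux` and `# Mac` comment lines into top-level headings, so wrap each snippet in a ```sh fence. In the Notes section, "two "\r\n\r\n" at the end of a message" reads as four CRLFs; say precisely that the header block must be terminated by an empty line (a single CRLF CRLF sequence), and since that depends on the seed files keeping their line endings, add a .gitattributes rule (`afl/** -text`) so a checkout with core.autocrlf cannot rewrite them. Typos: "informations" -> "information", "are build" -> "are built", "fuzzy tester" -> "fuzzer". Finally, a plain afl-gcc build only reports crashes; building the tester with AFL_USE_ASAN=1 (and running afl-fuzz with -m none) lets out-of-bounds reads in the parser surface as well, which is the bug class this README is hunting.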
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 192.168.0.109:49949;alias;branch=z9hG4bK.gWH~ix41h;rport=49949;received=82.216.250.246
From: <sip:gbi@sip.linphone.org>;tag=5exJTQayL
To: <sip:gbi@sip.linphone.org>;tag=jv0pZ0cH8ejaF
Call-ID: PkUb7A2nxg
CSeq: 20 REGISTER
Server: Flexisip/1.0.2 (sofia-sip-nta/2.0)
WWW-Authenticate: Digest realm="sip.linphone.org", nonce="WR5i2QAAAAA9uY8IAADQ03f3p94AAAAA", opaque="+GNywA==", algorithm=MD5, qop="auth"
Content-Length: 0
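Review bot: the Via header at the top of this seed records a real public address (received=82.216.250.246) and the From/To URIs name a personal account on sip.linphone.org; both recur in the two seeds that follow. The fuzzer only needs syntactically valid input, so replace the address with one from the RFC 5737 documentation range (for example 192.0.2.10) and the user part with a placeholder before this lands in a public repository. Keep the message shape otherwise unchanged; the alias, rport and received parameters on Via are exactly the kind of parameter variety the mutator benefits from.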
REGISTER sip:sip.linphone.org SIP/2.0
Via: SIP/2.0/TLS 192.168.0.109:49949;alias;branch=z9hG4bK.gdQJOpBN5;rport
From: <sip:gbi@sip.linphone.org>;tag=5exJTQayL
To: sip:gbi@sip.linphone.org
CSeq: 21 REGISTER
Call-ID: PkUb7A2nxg
Max-Forwards: 70
Supported: outbound
Accept: application/sdp, text/plain, application/vnd.gsma.rcs-ft-http+xml
Contact: <sip:gbi@82.216.250.246:49949;transport=tls>;+sip.instance="<urn:uuid:21cd159b-12cf-4b8b-b653-282bb811da23>"
Expires: 3600
User-Agent: Linphone/3.8.5 (belle-sip/1.4.1)
Content-Length: 0
Authorization: Digest realm="sip.linphone.org", nonce="WR5i2QAAAAA9uY8IAADQ03f3p94AAAAA", algorithm=MD5, opaque="+GNywA==", username="gbi", uri="sip:sip.linphone.org", response="124f0c0ea212786c9f8b5b6f1de92b43", cnonce="faaac8d5", nc=00000001, qop=auth
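Review bot: the Authorization header on the last line of this seed is a captured live credential exchange: a real username, the server nonce from the 401 above, a client cnonce and the resulting Digest response. The response is bound to that nonce and cannot be replayed, but committing it still publishes the account name and a credential-derived hash that has no place in a test corpus, and none of it matters to the parser. Swap username, cnonce and response for obviously fake values of the same length (for example response="00000000000000000000000000000000") so the header keeps its structure for mutation. The placement of Authorization after Content-Length is legal SIP and worth keeping, since header order is something the parser must not depend on.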
SIP/2.0 200 Registration successful
Via: SIP/2.0/TLS 192.168.0.109:49949;alias;branch=z9hG4bK.gdQJOpBN5;rport=49949;received=82.216.250.246
From: <sip:gbi@sip.linphone.org>;tag=5exJTQayL
To: <sip:gbi@sip.linphone.org>;tag=K5SF1UXm5Q8va
Call-ID: PkUb7A2nxg
CSeq: 21 REGISTER
Contact: <sip:gbi@82.216.250.246:49949;transport=tls>;expires=3600;q=0.00
Contact: <sip:gbi@82.216.250.246:62954;app-id=org.linphone.phone.dev;pn-type=apple;pn-tok=1FDA61D1A73B5C6307699D89DFDB83BD8DC970C481FE4D9D356E80FD19D3240E;pn-msg-str=IM_MSG;pn-call-str=IC_MSG;pn-call-snd=ring.caf;pn-msg-snd=msg.caf;transport=tls>;expires=604442;q=0.00
Server: Flexisip/1.0.2 (sofia-sip-nta/2.0)
Content-Length: 0
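Review bot: the second Contact header in this response (the line starting Contact: <sip:gbi@82.216.250.246:62954;app-id=org.linphone.phone.dev;...) embeds a live Apple push token (pn-tok=...) together with the device's app identifier; replace the token with a constructed 64-hex-digit string of the same length so the long parameter list, which is valuable to the fuzzer, survives while nothing about a real device does. A broader point about the corpus as a whole: these three seeds are one REGISTER transaction (same Call-ID PkUb7A2nxg) and every one of them has Content-Length: 0, so body handling and every method other than REGISTER are unseeded. Adding an INVITE with an SDP body and a non-zero Content-Length, a message written with compact header names (v:, f:, t:, i:, l:) and one with a folded header line gives afl-fuzz starting points for code paths that random bitflips are unlikely to reach.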