I need to know how to start the following assignment project.

Choose a Target

You are free to analyse any open

$-$

source project in C

$/$

C

$+$

$+$

$($

so that AFL can instrument the source code

$)$

$.$

$$Any target project should contain at least

$3$

$0$

$0$

$0$

$$lines of code and optionally include a test suite. You may find many different projects listed on GitHub, SourceForge, GNU, or other public repositories of opensource software. For example, just to name a few common software: openssl, boringssl, c

$-$

ares, json, lcms

$,$

$$libarchive$,$ openthread, pcre

$2$

$,$

$$re

$2$

$,$

$$sqlite$,$ vorbis, woff

$2$

$$and hundreds more. You can choose some older outdated software where it may be easier to find bugs, or some newer up

$-$

todate software where finding bugs may be harder but also more interesting. Moreover, the more wellknown the software is

$,$

$$the fewer vulnerabilities it will likely have

$($

you aren't the only one looking for bugs

$)$

$.$

$$To keep it simple, choose some software that can take a single file as input on the command line. Please ask if you have questions about the suitability of particular software. Keep in mind that there is always a possibility that AFL cannot find any bug in some software or some versions of the software. After all, the fuzzing process is probabilistic and the software may be largely bug

$-$

free. Therefore, you may need to scan multiple software with AFL until you find bugs. But you only need to report the software of your best attempt.

Investigate Vulnerabilities

You should investigate the crashes reported by AFL and find out if they may be vulnerable. For each vulnerability, you should provide the following details in your report: What is the cause of the vulnerability?

$($

i

$.$

e

$.$

$$what is the fundamental bug in the code that causes it

$)$

$?$

$$You should be very specific

$($

e

$.$

g

$.$

$$if it's a buffer overflow, explain what the specific error with the use of buffer is

$,$

$$and how the given input file triggers this error

$)$

$.$

$$Where does the vulnerability take place

$($

i

$.$

e

$.$

$$wherein the code of the target is it located

$)$

$?$

$$Please specify the source file and line number, as well as any other functions that are relevant to creating the conditions of the bug. How exploitable is this vulnerability? Does it just crash the program, or can the attacker take advantage of it to do more things

$($

inject shellcode, corrupt metadata used by memory management, etc.

$)$

$?$

$$What would an attacker need to do in order to exploit? IFN

$6$

$5$

$7$

$$Assignment

$2$

$2$

$$How would you fix this vulnerability?

$($

i

$.$

e

$.$

$$how would you modify the specific code of the program to prevent this vulnerability?

$)$

$$Include at least one input file that reproduces the vulnerability. If the input is text

$-$

based, you can include it in the appendix of the report; otherwise, submit it along with the report

$($

your report should provide the instruction of using the input to reproduce the vulnerability

$)$

$.$

$$Please note that some vulnerabilities are more interesting and

$/$

or easier to document than others. In case that AFL reports lots of vulnerabilities, feel free to investigate several before picking the specific ones you want to document. If the vulnerabilities you find are already documented where else, you must give references to previous reports

$($

and

$/$

or their CVE numbers if available

$)$

$.$

$$You must provide full evidence of how you detect the known vulnerabilities with your own analysis

$($

see the marking criteria below

$)$

$.$

Document the Process

You will document the details of your experience with fuzzing in a report. You must explain your approach and report your findings in a self

$-$

contained and understandable way. For us to understand the report better, you may include screenshots or other means

$($

e

$.$

g

$.$

$$graphs or diagrams

$)$

$$as evidence of successful fuzzing, which must be clearly visible and easy to read. If gdb is used to analyse the vulnerabilities, you may use screenshots to explain how you use gdb to find out the memory or code information. Screenshots can be either placed in the main text of the report or in the appendix

$($

in which case they should be clearly marked and referenced in the main text

$)$

$.$

$$Remember$,$ the goal of your report is to clearly show what you have done. At the beginning of your report, you must provide a completion statement for everything you have delivered in the report. If you used any help from any source

$($

e

$.$

g

$.$

$$books$,$ papers, online articles, etc.

$)$

$$in the assignment, you must provide full references to them, and in addition, you must clearly identify your own contributions to the assignment. It is plagiarism to use other people's work as your own! In the last part of your report, you should reflect on the challenges you faced during this process, as well as your approaches to overcome them. You should observe the strengths and weaknesses.