Peach::Engine::ppaction::PpAction Class Reference

PpAction(object). More...

List of all members.

Public Member Functions

def __init__
 Constructor.
def __del__
 Destructor.
def identifyIterationFinishMethod
 Identifies how should be end of iteration indicated.
def initialize
 Does some additional initialization.
def initAction
 Contains Peach Action initialization.
def getNumOfSpecificAction
 Counts number of actions in the state with the same value as the given action.
def getNumOfCloseActions
 Counts number of close actions.
def handleDataModelElement
 Performs final translation of an element into a Peach structure.
def decodeHexValuesAndFixPosition
 Decodes hexadecimal values and fixes position.
def buildDataModel
 Requests data analysis and creates Peach Data Model.
def applyHeuristics
 Applies additional heuristics on the elements in the Data Model.
def findMutableElement
 Identifies if there is any mutable element in the Data Model.
def processDataModel
 Identifies and sets mutable elements in fuzzed data.
def getFuzzedData
 Perfrom mutation on data in the Data Model and get result value of the Data Model as single string.
def storeFuzzingValues
 Stores fuzzing values for logging purposes.
def reachedInputOutputActionsLimit
 Tests if numbers of input and output actions have reached recorded numbers of input and output actions.
def runAction
 Runs single action during the process of fuzzing.
def runTcpState
 Runs TCP proxy in a fuzzing mode.
def runUdpState
 Runs UDP proxy in a fuzzing mode.
def runState
 Starts proxy in a fuzzing mode.
def raiseIterationFinishWhenClosed
 Checks if iteration should be terminated based on connection close.
def recordAction
 Records single action during the process of recording.
def recordSimpleAction
 Records simple action during the process of recording.
def connectToServer
 Tries to connect to the target multiple times.
def recordTcpState
 Runs TCP proxy in a recording mode.
def recordUdpState
 Runs UDP proxy in a recording mode.
def recordState
 Starts proxy in a recording mode.
def processRecordedData
 Aggregates mutiple data models into single one.
def isNumericalString
 Tests if the input element is a Numerical String.
def outputDataModelBlock
 Writes Data Model block into configuration file.
def outputRecordedData
 Creates configuration file based on recorded data.
def applyDefaultRules
def compareModelsIsomorphism
 Compares template tree structure (number of children for every node) of the current data to a data model.
def compareModelsNames
 Compares element names (assigned according to the protocol by the dissector) of the current data to a data model.
def compareModelsTypes
 Compares element value types of the current data to a data model.
def compareModelsValues
 Compares element values of the current data to a data model.
def maxModelsValues
 Indicates maximum number of elements eglible for value comparison in current data.
def compareModelsLengths
 Compares string element lengths of the current data to a data model.
def maxModelsLengths
 Indicates maximum number of elements eglible for length comparison in current data.
def compareDataModels
 Compares diffrent aspects of template tree structure of the current data to a data model.
def findMatchingAction
 Interface to find the best match for the current data from the set of recorded data models.
def compareTerminationActions
 Compares diffrent aspects of template tree structure of two given actions against given match ratio.
def applyTemplateSettings
 Applies mutable flags to elements of current data based on matched data model.
def guiCommunicator
 Extension for GUI Communication thread.

Public Attributes

 recordIteration
 Iterations counter for recording.
 recordedStates
 Array of recorded iterations.
 tokenizer
 Instance of string tokenizer.
 relationFinder
 Instace of relations finder.
 debugDissect
 Stores information whether dissection debug output should be enabled.
 noFuzzing
 Can be used to disable fuzzing completely.
 mfile
 Initialize dissection process.
 seq_server
 Client and server sequence numbers.
 seq_client
 We calculate new client sequence number.
 isInitialized
 We will require additional initialization.
 connectionAttempts
 iterationNumber
 Iterations counter for fuzzing.
 guiCommunicatorSocket
 Socket used for communication with GUI.
 iterationFinishMethod
 How shall be the end of the iteration identified.
 totalInputActionsCount
 Numbers of recorded output and input iterations.
 totalOutputActionsCount
 inputActionsCounter
 Counters for output and input iterations.
 outputActionsCounter
 Increase output actions counter.
 hotseed
 Seed for random mutation strategy.
 addressToSendIterNum
 Where should we send number of current iteration.
 currentData
 Little helping variables used for filling in missing data from Data analysis.
 lastPosition
 Dots make trouble, we will substitude all dots in elements name with underscore.
 hotSleep
 Indications from GUI Communicator.
 detectedFault
 Send iteration number to GUI.
 nextAction
 Try to match following data model in order of last known match.
 seedCounter
 If we have a seed for random mutation strategy, then store its values.
 result
 The direction of flowing data matters.


Detailed Description

PpAction(object).

Contains central logic of HotFuzz application. Logic includes TCP/UDP proxy, recording/fuzzing, Data matching, interaction with Data analysis, final translation from Wireshark structures to Peach structures, configuration file export, part of GUI Communicator


Member Function Documentation

def Peach::Engine::ppaction::PpAction::__del__ (   self  ) 

Destructor.

def Peach::Engine::ppaction::PpAction::__init__ (   self  ) 

Constructor.

Contains initialization of variables and initialization of dissection process

def Peach::Engine::ppaction::PpAction::applyDefaultRules (   self,
  action,
  data 
)

def Peach::Engine::ppaction::PpAction::applyHeuristics (   self,
  myDataModel 
)

Applies additional heuristics on the elements in the Data Model.

Parameters:
myDataModel Input Data Model

def Peach::Engine::ppaction::PpAction::applyTemplateSettings (   self,
  dataNode,
  templateNode 
)

Applies mutable flags to elements of current data based on matched data model.

Parameters:
dataNode Root node of the current data template tree
templateNode Root node of the data model template tree

def Peach::Engine::ppaction::PpAction::buildDataModel (   self,
  action,
  stateEngine,
  data 
)

Requests data analysis and creates Peach Data Model.

Parameters:
action Action for which we are building this Data Model
stateEngine Package that stores most of our Peach structures
data Data for analysis

def Peach::Engine::ppaction::PpAction::compareDataModels (   self,
  dataNode,
  templateNode 
)

Compares diffrent aspects of template tree structure of the current data to a data model.

Parameters:
dataNode Root node of the current data template tree
templateNode Root node of the data model template tree

def Peach::Engine::ppaction::PpAction::compareModelsIsomorphism (   self,
  dataNode,
  templateNode 
)

Compares template tree structure (number of children for every node) of the current data to a data model.

Parameters:
dataNode Root node of the current data template tree
templateNode Root node of the data model template tree

def Peach::Engine::ppaction::PpAction::compareModelsLengths (   self,
  dataNode,
  templateNode 
)

Compares string element lengths of the current data to a data model.

Parameters:
dataNode Root node of the current data template tree
templateNode Root node of the data model template tree

def Peach::Engine::ppaction::PpAction::compareModelsNames (   self,
  dataNode,
  templateNode 
)

Compares element names (assigned according to the protocol by the dissector) of the current data to a data model.

Parameters:
dataNode Root node of the current data template tree
templateNode Root node of the data model template tree

def Peach::Engine::ppaction::PpAction::compareModelsTypes (   self,
  dataNode,
  templateNode 
)

Compares element value types of the current data to a data model.

Parameters:
dataNode Root node of the current data template tree
templateNode Root node of the data model template tree

def Peach::Engine::ppaction::PpAction::compareModelsValues (   self,
  dataNode,
  templateNode 
)

Compares element values of the current data to a data model.

Parameters:
dataNode Root node of the current data template tree
templateNode Root node of the data model template tree

def Peach::Engine::ppaction::PpAction::compareTerminationActions (   self,
  firstAction,
  secondAction,
  matchRatio 
)

Compares diffrent aspects of template tree structure of two given actions against given match ratio.

Parameters:
firstAction Action structure of one of compared actions
secondAction Action structure of second of compared actions
matchRatio - Ratio of matched elements compared to total elements which actions should reach in order for function to be true

def Peach::Engine::ppaction::PpAction::connectToServer (   self,
  stateEngine 
)

Tries to connect to the target multiple times.

Parameters:
stateEngine Package that stores most of our Peach structures

def Peach::Engine::ppaction::PpAction::decodeHexValuesAndFixPosition (   self,
  dataModelElement,
  positionFix 
)

Decodes hexadecimal values and fixes position.

Method does simultaneously two things:

  • decodes value from hexa format. Values need to be encoded in this form, otherwise null character would cause premature termination of some strings during the early state of translation from Wireshark structures
  • fixes position of the elements to represent position in their Data Model

Parameters:
dataModelElement Input element
positionFix Position fix

def Peach::Engine::ppaction::PpAction::findMatchingAction (   self,
  currentAction,
  templateActions 
)

Interface to find the best match for the current data from the set of recorded data models.

Parameters:
currentAction Action structure of current data
templateActions Action structures from set of recorded data models

def Peach::Engine::ppaction::PpAction::findMutableElement (   self,
  dataModel 
)

Identifies if there is any mutable element in the Data Model.

Recursivelly tests if there is any mutable element in the Data Model. If not, then it makes no sence to perform fuzzing on this Data Model

Parameters:
dataModel Input Data Model

def Peach::Engine::ppaction::PpAction::getFuzzedData (   self,
  action,
  mutator 
)

Perfrom mutation on data in the Data Model and get result value of the Data Model as single string.

Parameters:
action Action to which the desired Data Model belongs to
mutator Mutation strategy that performs the mutation

def Peach::Engine::ppaction::PpAction::getNumOfCloseActions (   self,
  myState 
)

Counts number of close actions.

Parameters:
myState Package containing all actions

def Peach::Engine::ppaction::PpAction::getNumOfSpecificAction (   self,
  action,
  state 
)

Counts number of actions in the state with the same value as the given action.

Parameters:
action Action for which matches are counted
state Set of actions withing which matches are counted

def Peach::Engine::ppaction::PpAction::guiCommunicator (   self,
  stateEngine 
)

Extension for GUI Communication thread.

Sends iteration number to GUI and checks for instructions

def Peach::Engine::ppaction::PpAction::handleDataModelElement (   self,
  dataModelElement,
  elementParent 
)

Performs final translation of an element into a Peach structure.

Parameters:
dataModelElement Input element
elementParent Peach structure that is supposed to be a parent for new element

def Peach::Engine::ppaction::PpAction::identifyIterationFinishMethod (   self,
  myState 
)

Identifies how should be end of iteration indicated.

Parameters:
myState Package containing all actions

def Peach::Engine::ppaction::PpAction::initAction (   self,
  action,
  mutator 
)

Contains Peach Action initialization.

def Peach::Engine::ppaction::PpAction::initialize (   self,
  stateEngine 
)

Does some additional initialization.

Does some additional initialization, which can not be done right at the beginning, when there is not enough information

Parameters:
stateEngine Package that stores most of our Peach structures

def Peach::Engine::ppaction::PpAction::isNumericalString (   self,
  element 
)

Tests if the input element is a Numerical String.

Parameters:
element Input Element

def Peach::Engine::ppaction::PpAction::maxModelsLengths (   self,
  dataNode,
  templateNode 
)

Indicates maximum number of elements eglible for length comparison in current data.

Parameters:
dataNode Root node of the current data template tree
templateNode Root node of the data model template tree

def Peach::Engine::ppaction::PpAction::maxModelsValues (   self,
  dataNode,
  templateNode 
)

Indicates maximum number of elements eglible for value comparison in current data.

Parameters:
dataNode Root node of the current data template tree
templateNode Root node of the data model template tree

def Peach::Engine::ppaction::PpAction::outputDataModelBlock (   self,
  writer,
  block 
)

Writes Data Model block into configuration file.

Parameters:
writer Writer used for writing into configuration file
block Input block

def Peach::Engine::ppaction::PpAction::outputRecordedData (   self,
  stateEngine 
)

Creates configuration file based on recorded data.

Parameters:
stateEngine Package that stores most of our Peach structures

def Peach::Engine::ppaction::PpAction::processDataModel (   self,
  stateEngine,
  action 
)

Identifies and sets mutable elements in fuzzed data.

Identifies and sets mutable elements in data that are being forwarded through proxy during fuzzing process

Parameters:
stateEngine State object in which previously recorded data models are stored
action Action object representing current data

def Peach::Engine::ppaction::PpAction::processRecordedData (   self  ) 

Aggregates mutiple data models into single one.

Merges and eliminates duplicities in data models produced in multiple test cases of recording process

def Peach::Engine::ppaction::PpAction::raiseIterationFinishWhenClosed (   self,
  serverClosedConnection,
  clientClosedConnection,
  numOfCloseActions 
)

Checks if iteration should be terminated based on connection close.

Needs some refactorization

def Peach::Engine::ppaction::PpAction::reachedInputOutputActionsLimit (   self  ) 

Tests if numbers of input and output actions have reached recorded numbers of input and output actions.

Used only when method Finish By Action Count is used as a termination method for iterations

def Peach::Engine::ppaction::PpAction::recordAction (   self,
  stateEngine,
  data,
  actionType 
)

Records single action during the process of recording.

Parameters:
stateEngine Package that stores most of our Peach structures
data Data to be analyzed and sent in this action
actionType Type of action (output/input)

def Peach::Engine::ppaction::PpAction::recordSimpleAction (   self,
  actionType 
)

Records simple action during the process of recording.

Records simple action without a Data Model. Used for close action

Parameters:
actionType Type of action (output/input)

def Peach::Engine::ppaction::PpAction::recordState (   self,
  stateEngine,
  mutator 
)

Starts proxy in a recording mode.

Parameters:
stateEngine Package that stores most of our Peach structures
mutator Mutation strategy

def Peach::Engine::ppaction::PpAction::recordTcpState (   self,
  stateEngine,
  mutator 
)

Runs TCP proxy in a recording mode.

Performs TCP communication and recording

Parameters:
stateEngine Package that stores most of our Peach structures
mutator Mutation strategy

def Peach::Engine::ppaction::PpAction::recordUdpState (   self,
  stateEngine,
  mutator 
)

Runs UDP proxy in a recording mode.

Performs UDP communication and recording

Parameters:
stateEngine Package that stores most of our Peach structures
mutator Mutation strategy

def Peach::Engine::ppaction::PpAction::runAction (   self,
  stateEngine,
  mutator,
  data,
  actionType,
  targetSocket 
)

Runs single action during the process of fuzzing.

Parameters:
stateEngine Package that stores most of our Peach structures
mutator Mutation strategy that performs the mutation
data Data to be analyzed and sent in this action
actionType Type of action (output/input)
targetSocket Socket to be used for sending data

def Peach::Engine::ppaction::PpAction::runState (   self,
  stateEngine,
  mutator 
)

Starts proxy in a fuzzing mode.

Parameters:
stateEngine Package that stores most of our Peach structures
mutator Mutation strategy that performs the mutation

def Peach::Engine::ppaction::PpAction::runTcpState (   self,
  stateEngine,
  mutator 
)

Runs TCP proxy in a fuzzing mode.

Performs TCP communication and fuzzing

Parameters:
stateEngine Package that stores most of our Peach structures
mutator Mutation strategy that performs the mutation

def Peach::Engine::ppaction::PpAction::runUdpState (   self,
  stateEngine,
  mutator 
)

Runs UDP proxy in a fuzzing mode.

Performs UDP communication and fuzzing

Parameters:
stateEngine Package that stores most of our Peach structures
mutator Mutation strategy that performs the mutation

def Peach::Engine::ppaction::PpAction::storeFuzzingValues (   self,
  stateEngine,
  action 
)

Stores fuzzing values for logging purposes.

Parameters:
stateEngine Package that stores most of our Peach structures
action Input Action


Member Data Documentation

Where should we send number of current iteration.

Little helping variables used for filling in missing data from Data analysis.

Data comming from Wireshark are sometimes split into mutliple large blocks.

We need the elements in the blocks to have position relative to that block. For this purpose we will use positionFix variable First position fix is related to protocol headers. We are not interested in them, so we start counting our positions at the end of them Now go through all our large blocks (usually there is only one) Some blocks are returned from Wireshark as a result of previous segmentation. We are not interested into these blocks Decode hex values and fix positions We store whole value of this block globaly, so we can easilly identify data missing in the structure

Stores information whether dissection debug output should be enabled.

Send iteration number to GUI.

Socket used for communication with GUI.

Seed for random mutation strategy.

Indications from GUI Communicator.

Counters for output and input iterations.

Create fresh Peach Action.

If we are performing no fuzzing, then just forward the data.

Create fresh Peach Action Request Data analysis and build a Data Model for this Action from the data that we have Request Data matching. Returned value is used to identify whether this is the last action in this iteration Test whether it makes sence to fuzz this action Initialize this Action If we are fuzzing this action Perform fuzzing and get fuzzed data that are supposed to be sent Otherwise use original data Increase input actions counter

Request Data analysis and build a Data Model for this Action from the data that we have Store recorded action

We will require additional initialization.

Indicate that this method was already runned.

How shall be the end of the iteration identified.

Set proxy timeout to initial timeout.

Change the working directory for the application to the root directory of this application.

Identify how will be the end of an iteration indicated

Bind client listening socket Initialize client socket status Initialize server socket status Request PublisherCall on Client Agent Run while you should or you still have something to send Initialize list of sockets for reading If communication is completely Idle, append client listening socket to the input list If client socket is opened for reading and server has not just closed connection, append client socket to the input list If server socket is opened for reading and client has not just closed connection, append server socket to the input list Initialize list of sockets for writing If client socket is opened for writing and we have some information to send via this socket, append the socket to the output list If server socket is opened for writing and we have some information to send via this socket, append the socket to the output list We first try to read as much data as is possible in very short time If no data arrived to any socket, then we switch to sending If we have nothing to send, then switch back to reading If we received connection on client listening socket If server socket is closed for writing, then connect to the server Try to connect to the server multiple times If we failed to connect, then something wrong is going on and we just skip this iteration Successfuly connected If we are successfuly connected, then accept connection from the client If we received data on the client socket Get data form the socket Store data for server Client closed connection Close connection to client for reading Propagate close connection to the server There was some error in communication Close connection to client Propagate close connection to the server If we received data on the server socket Get data form the socket Store data for client Close connection to server for reading Propagate close connection to the client There was some error in communication Close connection to server Propagate close connection to the client If we are ready to send something to the client If we have any data to send Run this action If this action terminates the iteration, then we can stop the iteration NeedMoreDataException was not thrown, so obviously there were enough data Data analysis require more data Either way we have processed our data If we need to propagate close connection instead Close connection to client for write We have successfuly propagated close connection to the client If we are ready to send something to the server If we have any data to send Run this action If this action terminates the iteration, then we can stop the iteration NeedMoreDataException was not thrown, so obviously there were enough data Data analysis require more data Either way we have processed our data If we need to propagate close connection instead Close connection to server for write We have successfuly propagated close connection to the server Otherwise has communication timed out If the communication timed out and we are still processing some data, then something wrong happened Check if iteration was ended in a controlled way

Bind client UDP socket Initialize server UDP socket As UDP is much more simple then TCP, we will use following variables instead of SocketStatus Request PublisherCall on Client Agent Run while you should or you still have something to send We have no restrictions about reading Initialize list of sockets for writing If we have something to send via this socket, append the socket to the output list If we have something to send via this socket, append the socket to the output list We first try to read as much data as is possible in very short time If no data arrived to any socket, then we switch to sending If we have nothing to send, then switch back to reading If we received data on the client socket Some data have arrived this iteration Get data form the socket Store source address Store data for server This should never happen in UDP There was some error with the socket If we received data on the server socket Get data form the socket Store data for client This should never happen in UDP There was some error with the socket If we are ready to send something to the client If we have any data to send (we should definitely have some) Run this action NeedMoreDataException was not thrown, so obviously there were enough data If this action terminates the iteration, then we can stop the iteration Data analysis require more data Either way we have processed our data If we are ready to send something to the server If we have any data to send (we should definitely have some) Run this action NeedMoreDataException was not thrown, so obviously there were enough data If this action terminates the iteration, then we can stop the iteration Data analysis require more data Either way we have processed our data Otherwise has communication timed out If the communication timed out and we are still processing some data, then something wrong happened Check if iteration was ended in a controlled way

Iterations counter for fuzzing.

New iteration is starting.

Dots make trouble, we will substitude all dots in elements name with underscore.

Save data to pcap file for debugging purposes.

Recursivelly handle all child elements of this block.

If we are dealing with a block Create new Peach block Set size attribute of the block Set position attribute indicating position of this block in the whole model Set our current position in the whole model to the beginning of the block

Otherwise we are dealing with simple element If position of this element in the whole block differs from our position, then Wireshark skipped some data and we need to fill them back in Fill missing data as a new token ## Set our current position in the whole model to the end of the element

Request data analysis Request packet dissection Request translation into python structures If result is none, then we probably need to provide Data analysis with more data Create fresh Peach template This Action will be the parent of the new template, meaning that the template will be a Data Model for this Action Reinitialize our tokenizer We start with position 0

Initialize dissection process.

Pcap file to store flowing communication for debugging purposes

Try to match following data model in order of last known match.

Compare current data with recorded data models.

Match found, set mutable flags and appropriate termination function

Consider only communication in the same direction Match of non data Actions Compute score of the data model in order (in respect with the current fata) If the score is the highest so far, save the model as the best match

Can be used to disable fuzzing completely.

Increase output actions counter.

Array of recorded iterations.

Check for empty recorded state.

Iterations counter for recording.

Instace of relations finder.

The direction of flowing data matters.

Data flowing from server to client We merge our data with protocol headers.

Data flowing from client to server We give merge our data with protocol headers. These protocol headers are created based on protocol family,source IP address, source port, destination IP address, destination port, client sequence number and server sequence number. We provide fake IP addresses as they are not really relevant. As a target port we provide protocol port, as user might choose for his target application diferent target port than standard protocol port. That would be very confusing for Wireshark

These protocol headers are created based on protocol family,destination IP address, destination port, source IP address, source port, server sequence number and client sequence number.

If we have a seed for random mutation strategy, then store its values.

Send iteration number do GUI and check for instructions.

Calculate seed for mutation strategy for this iteration

We calculate new client sequence number.

Client and server sequence numbers.

We calculate new server sequence number.

Instance of string tokenizer.

Numbers of recorded output and input iterations.

First we look for action with attribute terminateTestCase.

If we find one, then this is the action which indicates end of iteration Next we try to test if there is only one close action from server and if it is at the end of communication. If so, we will use it to idicate end of iteration. This will obviously work only for tcp communication. If none of previous methods is applicable for our case, we will simply count input and output actions


The documentation for this class was generated from the following file:

Generated on Sat Sep 4 18:13:54 2010 for HotFuzz by  doxygen 1.5.8