moved advanced examples out to a new directory

Author: PBetzler

CMakeLists.txt

@@ -17,5 +17,6 @@ include(googletest)
 find_package(cifuzz NO_SYSTEM_ENVIRONMENT_PATH)
 enable_fuzz_testing()
 
-add_subdirectory(src/explore_me)
+add_subdirectory(src/simple_examples)
 add_subdirectory(src/automotive)
+add_subdirectory(src/advanced_examples)

README.md

@@ -16,10 +16,10 @@ issues in large code bases such as Google Chrome.
 In this example, we demonstrate how you can use CI Fuzz to integrate fuzz testing into your 
 C/C++ projects. The example project uses [CMake](https://cmake.org/) as the build system and contains
 the following three use cases:
-* [Simple Checks Example](src/explore_me/explore_me.cpp#L10): 
+* [Simple Checks Example](src/simple_examples/explore_me.cpp#L10): 
 A simple example that triggers a buffer over when the input parameters satisfy certain criteria.
 We show that CI Fuzz can quickly generate a test case that trigger this bug.
-* [Complex Checks Example](src/explore_me/explore_me.cpp#L22):
+* [Complex Checks Example](src/simple_examples/explore_me.cpp#L22):
 A more complex example that triggers a use-after-free bug when the input parameters satisfy 
 certain criteria. In this example, the checks are more complex and involve Base64 encoding 
 and XORing with constant value, making it more challenging to find the correct combination of

src/advanced_examples/CMakeLists.txt

@@ -0,0 +1,45 @@
+set(OPENSSL_USE_STATIC_LIBS TRUE)
+find_package(OpenSSL REQUIRED)
+
+add_library(explore_me_advanced
+    explore_me.cpp
+)
+
+target_include_directories(explore_me_advanced PRIVATE
+    ${CMAKE_CURRENT_SOURCE_DIR}
+    ${OpenSSL_INCLUDE_DIR}
+)
+
+target_link_libraries(explore_me_advanced
+    OpenSSL::Crypto
+)
+
+foreach(TestType IN ITEMS
+    structured_input_checks
+    custom_mutator_example_checks
+)
+
+    add_executable(${TestType}_test
+        ${TestType}_test.cpp
+    )
+
+    target_include_directories(${TestType}_test PRIVATE
+        ${CIFUZZ_INCLUDE_DIR}
+    )
+
+    target_link_libraries(${TestType}_test
+        explore_me_advanced
+        ${GTEST_BOTH_LIBRARIES}
+    )
+
+    add_test(explore_me.${TestType} ${TestType}_test)
+
+    add_fuzz_test(${TestType}_fuzz_test
+        ${TestType}_test.cpp
+    )
+
+    target_link_libraries(${TestType}_fuzz_test
+        explore_me_advanced
+        ${GTEST_BOTH_LIBRARIES}
+    )
+endforeach(TestType )

…e/custom_mutator_example_checks_test.cpp …s/custom_mutator_example_checks_test.cppsrc/explore_me/custom_mutator_example_checks_test.cpp renamed to src/advanced_examples/custom_mutator_example_checks_test.cpp src/explore_me/custom_mutator_example_checks_test.cpp renamed to src/advanced_examples/custom_mutator_example_checks_test.cpp

@@ -31,34 +31,28 @@ FUZZ_TEST(const uint8_t *data, size_t size) {
 }
 
 
-extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *data, size_t size,
-                                          size_t maxSize, unsigned int seed) {
+extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
+                                          size_t MaxSize, unsigned int Seed) {
     std::cout << "In custom mutator.\n";
 
-    FuzzedDataProvider fdp(data, size);
+    FuzzedDataProvider fdp(Data, Size);
     long a = fdp.ConsumeIntegral<long>();
     long b = fdp.ConsumeIntegral<long>();
     std::string tempC = fdp.ConsumeRemainingBytesAsString();
-    size_t c_size= strlen(tempC.c_str()) +1;
+    size_t c_size = strlen(tempC.c_str()) +1;
     char* c = (char*) malloc(c_size);
     strncpy(c, tempC.c_str(), c_size);
     SpecialRequirementsStruct specialRequirementsStruct = (SpecialRequirementsStruct) {
         .a= a, .b=b, .c_size=c_size, .c= c
     };
     size_t size1 = sizeof(specialRequirementsStruct);
 
-    if (maxSize >= size1) {
-        free(data);
-        data = (uint8_t*) malloc (size1);
-        std::memcpy(data, &specialRequirementsStruct, size1);
+    if (MaxSize >= size1) {
+        free(Data);
+        Data = (uint8_t*) malloc (size1);
+        std::memcpy(Data, &specialRequirementsStruct, size1);
         return sizeof(specialRequirementsStruct);
     } else {
-        return maxSize;
+        return MaxSize;
     }
-
-
-
-
-
-
 }

src/explore_me/explore_me.cpp src/advanced_examples/explore_me.cppsrc/explore_me/explore_me.cpp renamed to src/advanced_examples/explore_me.cpp

@@ -1,7 +1,6 @@
 #include <cstring>
 
 #include "explore_me.h"
-#include "utils.h"
 
 static long insecureEncrypt(long input);
 static void trigger_global_buffer_overflow(const std::string &c);
@@ -21,18 +20,8 @@ void ExploreSimpleChecks(int a, int b, std::string c) {
   }
 }
 
-void ExploreComplexChecks(long a, long b, std::string c) {
-  if (EncodeBase64(c) == "SGV5LCB3ZWw=") {
-    if (insecureEncrypt(a) == 0x4e9e91e6677cfff3L) {
-      if (insecureEncrypt(b) == 0x4f8b9fb34431d9d3L) {
-        trigger_use_after_free();
-      }
-    }
-  }
-}
-
 void ExploreStructuredInputChecks(InputStruct inputStruct){
-    if (EncodeBase64(inputStruct.c) == "SGV5LCB3ZWw=") {
+    if (inputStruct.c == "Attacker") {
         if (insecureEncrypt(inputStruct.a) == 0x4e9e91e6677cfff3L) {
             if (insecureEncrypt(inputStruct.b) == 0x4f8b9fb34431d9d3L) {
                 trigger_double_free();
@@ -42,6 +31,7 @@ void ExploreStructuredInputChecks(InputStruct inputStruct){
 }
 
 void ExploreCustomMutatorExampleChecks(SpecialRequirementsStruct* specialRequirementsStruct){
+    printf("Hello!\n");
     strncpy(specialRequirementsStruct->c, "Hello\0", specialRequirementsStruct->c_size);
 
     if (insecureEncrypt(specialRequirementsStruct->a) == 0x4e9e91e6677cfff3L) {

src/explore_me/explore_me.h src/advanced_examples/explore_me.hsrc/explore_me/explore_me.h renamed to src/advanced_examples/explore_me.h

@@ -20,10 +20,6 @@ struct SpecialRequirementsStruct {
     char* c;
 };
 
-void ExploreSimpleChecks(int a, int b, std::string c);
-
-void ExploreComplexChecks(long a, long b, std::string c);
-
 void ExploreStructuredInputChecks(InputStruct inputStrut);
 
 void ExploreCustomMutatorExampleChecks(SpecialRequirementsStruct* specialRequirementsStruct);

…lore_me/structured_input_checks_test.cpp …xamples/structured_input_checks_test.cppsrc/explore_me/structured_input_checks_test.cpp renamed to src/advanced_examples/structured_input_checks_test.cpp src/explore_me/structured_input_checks_test.cpp renamed to src/advanced_examples/structured_input_checks_test.cpp

@@ -18,8 +18,6 @@ target_link_libraries(explore_me
 foreach(TestType IN ITEMS
     simple_checks
     complex_checks
-    structured_input_checks
-    custom_mutator_example_checks
 )
 
     add_executable(${TestType}_test