// fuzzer_protocol.h
#ifndef FUZZER_PROTOCOL_H
#define FUZZER_PROTOCOL_H
#include <stdint.h>
#include <stddef.h>
#include <time.h>
/*
 * Sizing and timing limits. Their use sites are outside this header.
 * NOTE(review): the packet callbacks in protocol_ops_t take a buffer pointer
 * and a length but no capacity, so BUF_SIZE is presumably the implied bound
 * on every packet/response buffer; confirm that each implementation checks
 * against it before writing.
 */
#define BUF_SIZE     4096
#define MAX_THREADS  64
#define TIMEOUT_SEC  2

/* Default TCP ports of the supported industrial protocols. */
#define MODBUS_PORT  502    /* Modbus/TCP */
#define DNP3_PORT    20000  /* DNP3 */
#define S7COMM_PORT  102    /* S7comm, carried over ISO-on-TCP */
#define IEC104_PORT  2404   /* IEC 60870-5-104 */
#define OPC_UA_PORT  4840   /* OPC UA binary */
/*
 * Mutation strategy selector, passed to the mutate_packet callback.
 * Values are contiguous from 0 so that STRATEGY_COUNT can size
 * strategy_descriptions[]; any value received from outside (CLI, config)
 * must be range-checked against STRATEGY_COUNT before it is used as an index.
 * NOTE(review): the enumerators are unprefixed (RANDOM, OVERFLOW, ...) and
 * can collide with macros from system headers; some older <math.h>
 * versions define OVERFLOW.
 */
enum strategy {
    RANDOM = 0,
    BITFLIP,
    OVERFLOW,
    DICTIONARY,
    FORMAT_STRING,
    TYPE_CONFUSION,
    TIME_BASED,
    SEQUENCE_VIOLATION,
    PROTOCOL_FUZZING,
    COMBINATORIAL,
    STRATEGY_COUNT  /* number of strategies; not itself a valid strategy */
};
/*
 * Supported target protocols. Values are contiguous from 0 so that
 * PROTOCOL_COUNT can size protocol_descriptions[]; range-check any
 * externally supplied value against PROTOCOL_COUNT before indexing with it.
 */
enum protocol {
    MODBUS = 0,
    DNP3,
    S7COMM,
    IEC104,
    OPC_UA,
    PROTOCOL_COUNT  /* number of protocols; not itself a valid protocol */
};
/*
 * Classification codes for a target's response.
 *
 * ANOMALY_TIMEOUT is the only negative value; every other code is in 0..12.
 * The functions in this header pass these codes around as plain int, so a
 * lookup table keyed by the code must handle -1 explicitly and must not
 * index with the raw value.
 * NOTE(review): the name suggests increasing severity, but nothing here
 * states that the numeric order is a severity order; confirm before
 * comparing codes with < or >.
 */
enum anomaly_level {
    ANOMALY_NONE               = 0,
    ANOMALY_TIMEOUT            = -1,
    ANOMALY_PROTOCOL_VIOLATION = 1,
    ANOMALY_LENGTH_VIOLATION   = 2,
    ANOMALY_CHECKSUM_FAILURE   = 3,
    ANOMALY_FUNCTION_ERROR     = 4,
    ANOMALY_SEQUENCE_ERROR     = 5,
    ANOMALY_STATE_ERROR        = 6,
    ANOMALY_MEMORY_CORRUPTION  = 7,
    ANOMALY_BUFFER_OVERFLOW    = 8,
    ANOMALY_FORMAT_ERROR       = 9,
    ANOMALY_TYPE_ERROR         = 10,
    ANOMALY_SECURITY_ERROR     = 11,
    ANOMALY_CRITICAL           = 12
};
/*
 * Per-connection protocol state handed to every protocol_ops_t callback.
 * Which fields a given protocol uses is decided by its implementation and
 * is not visible in this header.
 */
typedef struct {
    uint32_t session_id;
    uint16_t transaction_id;
    /* 256 entries, so any uint8_t index is in range; an index of a wider
     * type needs an explicit bound check. */
    uint8_t  state_machine[256];
    time_t   last_response;      /* timestamp; clock source not visible here */
    uint32_t sequence_number;
    uint16_t pdu_reference;
    uint8_t  security_token;     /* one byte only; semantics not visible here */
    uint32_t secure_channel_id;
    uint8_t  protocol_state;
    uint64_t session_flags;      /* bit meanings not defined in this header */
} session_context_t;
/*
 * Running counters for one fuzzing session.
 * All counters are uint32_t and therefore wrap to 0 after 4294967295;
 * long campaigns that rely on these totals should account for that.
 * NOTE(review): nothing in this header shows locking, while MAX_THREADS
 * suggests several workers; confirm how concurrent updates are serialized.
 */
typedef struct {
    uint32_t packets_sent;
    uint32_t anomalies_detected;
    uint32_t crashes_triggered;
    uint32_t timeouts_occurred;
    uint32_t protocol_errors;
    uint32_t memory_anomalies;
    uint32_t sequence_violations;
    uint32_t checksum_failures;
    time_t   session_start;
    time_t   last_anomaly;
} fuzzing_stats_t;
/*
 * Static description of one mutation strategy; element type of
 * strategy_descriptions[]. The int fields are presumably used as booleans
 * (0 / non-zero); confirm against the table definition.
 */
typedef struct {
    const char *name;
    const char *description;
    float       default_rate;      /* valid range not stated in this header */
    int         requires_state;
    int         supports_readonly;
} strategy_info_t;
/*
 * Static description of one protocol; element type of
 * protocol_descriptions[]. The supports_* / requires_* / has_* fields are
 * presumably booleans (0 / non-zero); confirm against the table definition.
 */
typedef struct {
    const char *name;
    int         default_port;
    int         supports_readonly;
    int         requires_session;
    int         has_checksum;
    /* NOTE(review): signed int; compare it against size_t lengths with care
     * (a negative value converts to a huge unsigned one). */
    int         max_pdu_size;
} protocol_info_t;
/*
 * Per-protocol callback table.
 *
 * NOTE(review): generate_packet and mutate_packet get a writable buffer and
 * a pointer to its length but no capacity, so the bound is implicit
 * (presumably BUF_SIZE). Each implementation has to enforce that bound
 * itself; confirm, especially for strategies that grow the packet.
 */
typedef struct protocol_ops {
    /* `len` is passed by pointer so the callee can update it. */
    void (*generate_packet)(uint8_t *packet, size_t *len, int is_initial,
                            int read_only, session_context_t *session);

    /* Mutates `packet` in place; meaning and range of `rate` not visible here. */
    void (*mutate_packet)(uint8_t *packet, size_t *len, enum strategy strat,
                          float rate, session_context_t *session);

    /*
     * Returns an int, presumably an enum anomaly_level code (confirm).
     * NOTE(review): `len` is a signed int, unlike the size_t used by the
     * other callbacks; if it carries a raw receive result it can be zero or
     * negative, so implementations must check it before reading `response`.
     */
    int (*analyze_response)(uint8_t *response, int len,
                            session_context_t *session);

    void (*init_session)(session_context_t *session);
    void (*cleanup_session)(session_context_t *session);

    /* Read-only check of a packet; return convention not visible here. */
    int (*validate_packet)(const uint8_t *packet, size_t len);

    const char *(*get_strategy_name)(enum strategy strat);

    /* Takes a plain int: ANOMALY_TIMEOUT (-1) must not be used as a raw
     * table index. */
    const char *(*get_anomaly_description)(int anomaly_code);
} protocol_ops_t;
/* Description tables, one entry per enumerator; defined in another
 * translation unit. Index only with a validated enum value. */
extern const strategy_info_t strategy_descriptions[STRATEGY_COUNT];
extern const protocol_info_t protocol_descriptions[PROTOCOL_COUNT];

/* Name lookups. Behaviour for out-of-range values is not visible here. */
const char *strategy_to_string(enum strategy strat);
const char *protocol_to_string(enum protocol prot);

/* Port for a protocol, presumably the *_PORT default; confirm. */
int get_protocol_port(enum protocol prot);

/* Range checks for externally supplied values; the return convention
 * (0 vs non-zero for "valid") is not stated in this header. */
int validate_strategy(enum strategy strat);
int validate_protocol(enum protocol prot);

void init_session_context(session_context_t *session, enum protocol prot);

/* `anomaly_level` is a plain int parameter that shares its name with the
 * enum tag; it can be negative (ANOMALY_TIMEOUT is -1). */
void update_fuzzing_stats(fuzzing_stats_t *stats, int anomaly_level);
void reset_fuzzing_stats(fuzzing_stats_t *stats);
void print_fuzzing_stats(const fuzzing_stats_t *stats);
#endif