TNO developed WuppieFuzz, a coverage-guided REST API fuzzer built on top of LibAFL, aimed at a wide audience of end users, with a strong focus on ease of use, explainability of the discovered flaws, and modularity. WuppieFuzz supports all three testing settings (black box, grey box and white box).
For Java there is an existing coverage agent, Jacoco, which is available online. It can be used like this:
java -javaagent:/jacoco/jacocoagent.jar=output=tcpserver <...more arguments...>
jacocoagent.jar can be downloaded as part of the Jacoco .zip release; the file is found in the lib directory.
Note that with output=tcpserver the agent opens a listening TCP socket (by default port 6300 on the loopback interface, configurable with the address and port agent options). Anyone who can reach that socket can request a coverage dump or reset the agent's probe counters, so keep the target's port bound to localhost or a network only the fuzzer can reach.
Jacoco's communication protocol and data format are tightly coupled: there is no length prefix for a message as a whole, and the size of each block follows from its contents (string and probe-array lengths are encoded inline), so a reader has to parse the blocks to know where a response ends. Communication works as follows:
- The agent receives a request for coverage. The structure of this request is as follows:
  - header block (the same block-type byte, magic number and format version that start the response; the agent rejects a stream that does not begin with it)
  - a command-type byte; only the dump command is used by us
  - a byte requesting a coverage dump (or not)
  - a byte requesting a reset of the probe counters (or not)
  In the Jacoco protocol each of these three fields is a single byte, so the request after the header is three bytes long.
- The agent responds on the TCP stream with a series of "blocks", each composed of, in order:
  - a byte indicating the block type
  - the block body, depending on the block type:
    - header: magic number and format version (there is only one format version, and it is the only one we support; reject anything else rather than guessing the layout)
    - session info: the session id and the timestamps at which the agent started and last dumped coverage
    - execution data: one such block for each class the agent holds probe data for, i.e. each instrumented class that has been executed at least once. It contains just three pieces of info:
      - class id: u64 (Jacoco's CRC64 of the class file, so it is stable across runs of the same bytecode)
      - class name: string, length-prefixed, e.g. com/example/OrderController
      - boolean array of whether each probe was hit or not (supplies its own size: a length prefix followed by the flags packed eight to a byte)
    - command ok: no contents; this final block marks the end of the response. A stream that ends before it is truncated and must not be taken for an empty dump.
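The exchange above, as an added example that is not WuppieFuzz's or Jacoco's own code: a builder for the dump request and a parser for the block stream that comes back, exercised on a constructed sample response. The numeric block types, magic number and format version are taken from Jacoco's ExecutionDataWriter and RemoteControlWriter sources and are an assumption of this example (verify them against the agent version you run); the sample class id, class name, session id and timestamps are made up. Against a real agent you would connect to its port, send build_dump_request(), and feed everything read from the socket to parse_response() until it returns.

```python
import struct

# Block types and header values from JaCoCo's ExecutionDataWriter and
# RemoteControlWriter (org.jacoco.core). Not stated on this page; an assumption
# of this example, so verify them against the agent version you actually run.
BLOCK_HEADER, BLOCK_SESSIONINFO, BLOCK_EXECUTIONDATA = 0x01, 0x10, 0x11
BLOCK_CMDOK, BLOCK_CMDDUMP = 0x20, 0x40
MAGIC_NUMBER, FORMAT_VERSION = 0xC0C0, 0x1007
HEADER = struct.pack(">BHH", BLOCK_HEADER, MAGIC_NUMBER, FORMAT_VERSION)

def build_dump_request(dump=True, reset=False):
    """Client -> agent: header block, then the dump command byte followed by
    the dump flag and the reset flag, one byte each."""
    return HEADER + bytes([BLOCK_CMDDUMP, int(dump), int(reset)])

# Encoders mirroring JaCoCo's CompactDataOutput, used to construct sample data.
def encode_varint(value):
    out = bytearray()
    while value > 0x7F:                       # 7 bits per byte, low group first
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(out + bytes([value]))

def encode_utf(text):                          # DataOutput.writeUTF: u16 length + bytes
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw

def encode_bool_array(bits):                   # varint count, flags packed LSB-first
    out, buf = bytearray(encode_varint(len(bits))), 0
    for i, bit in enumerate(bits):
        buf |= int(bool(bit)) << (i % 8)
        if i % 8 == 7:
            out.append(buf)
            buf = 0
    if len(bits) % 8:
        out.append(buf)
    return bytes(out)

class Reader:
    """Cursor over the response bytes; every read checks for truncation."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("stream truncated at offset %d" % self.pos)
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def unpack(self, fmt):                     # big-endian, like java.io.DataOutput
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]
    def varint(self):
        value, shift = 0, 0
        while True:
            b = self.unpack(">B")
            value |= (b & 0x7F) << shift
            if not b & 0x80:
                return value
            shift += 7
            if shift > 28:                     # JaCoCo varints are 32-bit ints
                raise ValueError("varint too long")
    def utf(self):
        return self.take(self.unpack(">H")).decode("utf-8")
    def bool_array(self):
        count, bits, buf = self.varint(), [], 0  # the array supplies its own size
        for i in range(count):
            if i % 8 == 0:
                buf = self.unpack(">B")
            bits.append(bool(buf & 1))
            buf >>= 1
        return bits

def parse_response(data):
    """Agent -> client: walk the blocks until command-ok. Reject a wrong header,
    an unknown block type, and a stream that ends before command-ok."""
    r, sessions, classes = Reader(data), [], []
    while r.pos < len(r.data):
        block = r.unpack(">B")
        if block == BLOCK_HEADER:
            magic, version = r.unpack(">H"), r.unpack(">H")
            if magic != MAGIC_NUMBER or version != FORMAT_VERSION:
                raise ValueError("unexpected header %04x/%04x" % (magic, version))
        elif block == BLOCK_SESSIONINFO:
            sessions.append({"id": r.utf(), "start": r.unpack(">Q"), "dump": r.unpack(">Q")})
        elif block == BLOCK_EXECUTIONDATA:
            classes.append({"id": r.unpack(">Q"), "name": r.utf(), "probes": r.bool_array()})
        elif block == BLOCK_CMDOK:
            return {"sessions": sessions, "classes": classes}
        else:
            raise ValueError("unknown block type 0x%02x at offset %d" % (block, r.pos - 1))
    raise ValueError("stream ended before the command-ok block")

# Constructed sample response (id, name and timestamps are made up): header, one
# session, one class with ten probes of which four were hit, then command-ok.
SAMPLE_PROBES = [True, False, True, True, False, False, False, False, True, False]
SAMPLE_RESPONSE = (HEADER
    + bytes([BLOCK_SESSIONINFO]) + encode_utf("host-1234") + struct.pack(">QQ", 1700000000000, 1700000060000)
    + bytes([BLOCK_EXECUTIONDATA]) + struct.pack(">Q", 0x1122334455667788)
    + encode_utf("com/example/api/OrderController") + encode_bool_array(SAMPLE_PROBES)
    + bytes([BLOCK_CMDOK]))
```

The parser accepts the header block wherever it appears in the stream rather than only at position zero: in my reading of the agent source the tcpserver side writes its header as soon as the connection is accepted, so it may already be waiting in the socket buffer before the request has been sent. Every length (the UTF string prefix, the probe count) is taken from the stream and bounds-checked against the buffer before use, which is the check that keeps a truncated or corrupted dump from being silently reported as "no new coverage".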