How does boofuzz detect crashes and log crashed test cases?


We are using boofuzz to fuzz a remote service over TCP. The fuzzer script is as follows.

from boofuzz import *

# host and port identify the remote TCP service under test (defined elsewhere)
session = Session(target=Target(connection=SocketConnection(host, port, proto='tcp')))
s_initialize("Test")
s_string("Fuzz", fuzzable=True)
session.connect(s_get("Test"))
session.fuzz()

After a while, we noticed that the remote service had crashed, but the fuzzer just repeatedly tried to restart. The fuzzer did not detect that the remote service was closed, and the crashed test case was not stored.

[2022-02-02 04:18:42,231]    Test Step: Restarting target
[2022-02-02 04:18:42,231]     Info: Restarting target process using CallbackMonitor
[2022-02-02 04:18:42,231]    Test Step: Cleaning up connections from callbacks
[2022-02-02 04:18:42,231]     Info: Closing target connection...
[2022-02-02 04:18:42,231]     Info: Connection closed.
[2022-02-02 04:18:42,231]     Info: No reset handler available... sleeping for 5 seconds
[2022-02-02 04:18:47,236]     Info: Opening target connection (xxx)...
[2022-02-02 04:18:47,237]     Info: Cannot connect to target; retrying. Note: This likely indicates a failure caused by the previous test case, or a target that is slow to restart.
[2022-02-02 04:18:47,237]    Test Step: Restarting target
[2022-02-02 04:18:47,237]     Info: Restarting target process using CallbackMonitor
[2022-02-02 04:18:47,237]    Test Step: Cleaning up connections from callbacks
[2022-02-02 04:18:47,237]     Info: Closing target connection...
[2022-02-02 04:18:47,237]     Info: Connection closed.
[2022-02-02 04:18:47,237]     Info: No reset handler available... sleeping for 5 seconds
[2022-02-02 04:18:52,243]     Info: Opening target connection (xxx)...
[2022-02-02 04:18:52,244]     Info: Cannot connect to target; retrying. Note: This likely indicates a failure caused by the previous test case, or a target that is slow to restart.

How can we customize the boofuzz script so that:

  1. we can detect that the remote service is closed (e.g., by trying a TCP connect)?
  2. we can store the untruncated crashed test case to disk?

There is 1 answer

sinkmanu

If you are not using the monitors, you could add a post_test_case_callbacks function that checks whether the server is alive. This function will be called after each test case.

post_test_case_callbacks (list of method) – The registered method will be called after each fuzz test case. Default None.

e.g.

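import socket
from boofuzz import *

def target_alive(target, fuzz_data_logger, session, sock, *args, **kwargs):
    # Probe with a fresh TCP connection; "sock" is the fuzzing connection and is left alone.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.connect((host, int(port)))  # int(): port may be a string, as in Session below
        fuzz_data_logger.log_pass(description="alive")
    except ConnectionRefusedError:
        # Log through the session's own logger so the failure is recorded
        # against the current test case, not in a separate text logger.
        fuzz_data_logger.log_fail(description="Server down")
    finally:
        probe.close()

session = Session(target=Target(SocketConnection(host, int(port))), post_test_case_callbacks=[target_alive])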
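
The following is an added example, not part of the original question or answer and not boofuzz's own code. It extends the answer's liveness check to the second part of the question by writing the complete bytes of the last transmitted test case to disk when the target stops accepting connections. The names `is_listening`, `save_case`, `make_crash_recorder` and the `crashes` directory are hypothetical; it assumes the session object exposes `last_send` and `total_mutant_index`.

```python
import hashlib
import os
import socket


def is_listening(host, port, timeout=2.0):
    """Return True if a TCP connect to (host, port) succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def save_case(data, index, crash_dir):
    """Write the raw test-case bytes to disk in full and return the file path."""
    os.makedirs(crash_dir, exist_ok=True)
    digest = hashlib.sha256(data).hexdigest()[:16]
    path = os.path.join(crash_dir, "case_%06d_%s.bin" % (index, digest))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def make_crash_recorder(host, port, crash_dir="crashes"):
    """Build a post_test_case_callbacks entry bound to one target address."""
    def record_if_down(target, fuzz_data_logger, session, sock, *args, **kwargs):
        if is_listening(host, port):
            fuzz_data_logger.log_pass(description="target still accepts connections")
            return None
        # Assumption: session.last_send holds the bytes of the most recent transmit
        # and session.total_mutant_index the running test-case number.
        data = getattr(session, "last_send", None) or b""
        index = getattr(session, "total_mutant_index", 0)
        path = save_case(data, index, crash_dir)
        fuzz_data_logger.log_fail(
            description="target down; %d bytes saved to %s" % (len(data), path))
        return path
    return record_if_down


# Wiring into the script from the question (host and port as defined there):
# session = Session(target=Target(connection=SocketConnection(host, port, proto='tcp')),
#                   post_test_case_callbacks=[make_crash_recorder(host, port)])
```

The saved file is the last case sent before the probe failed; if the service dies with a delay, the cause may be an earlier case.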