fuzz: improve coverage and add fuzzers for anomaly model and isolation forest algs

Author: IvanNardi

.gitignore

@@ -68,6 +68,8 @@
 /fuzz/fuzz_alg_bins
 /fuzz/fuzz_alg_hll
 /fuzz/fuzz_alg_hw_rsi_outliers_da
+/fuzz/fuzz_alg_isolationforest
+/fuzz/fuzz_alg_anomalymodel
 /fuzz/fuzz_alg_jitter
 /fuzz/fuzz_alg_crc32_md5
 /fuzz/fuzz_alg_ses_des

fuzz/Makefile.am

@@ -1,6 +1,6 @@
 bin_PROGRAMS = fuzz_process_packet fuzz_ndpi_reader fuzz_ndpi_reader_nalloc fuzz_ndpi_reader_alloc_fail fuzz_ndpi_reader_payload_analyzer fuzz_quic_get_crypto_data fuzz_config fuzz_community_id fuzz_serialization fuzz_tls_certificate fuzz_dga fuzz_is_stun_udp fuzz_is_stun_tcp fuzz_match_custom_category fuzz_tls_client_server_hello fuzz_dns_parse fuzz_http_parse fuzz_ndpi_decode_tls_blocks
 #Alghoritms
-bin_PROGRAMS += fuzz_alg_ranking fuzz_alg_bins fuzz_alg_hll fuzz_alg_hw_rsi_outliers_da fuzz_alg_jitter fuzz_alg_ses_des fuzz_alg_crc32_md5 fuzz_alg_shoco fuzz_alg_memmem fuzz_alg_strnstr fuzz_alg_quick_encryption
+bin_PROGRAMS += fuzz_alg_ranking fuzz_alg_bins fuzz_alg_hll fuzz_alg_hw_rsi_outliers_da fuzz_alg_jitter fuzz_alg_ses_des fuzz_alg_crc32_md5 fuzz_alg_shoco fuzz_alg_memmem fuzz_alg_strnstr fuzz_alg_quick_encryption fuzz_alg_isolationforest fuzz_alg_anomalymodel
 #Data structures
 bin_PROGRAMS += fuzz_ds_patricia fuzz_ds_ahocorasick fuzz_ds_libcache fuzz_ds_tree fuzz_ds_ptree fuzz_ds_hash fuzz_ds_cmsketch fuzz_ds_bitmap64_fuse fuzz_ds_domain_classify fuzz_ds_kdtree fuzz_ds_btree fuzz_ds_address_cache fuzz_ds_bitmap fuzz_ds_filter
 #Third party
@@ -86,6 +86,12 @@ fuzz_alg_hll_LINK = $(FUZZ_LINK_COMMAND)
 fuzz_alg_hw_rsi_outliers_da_SOURCES = fuzz_alg_hw_rsi_outliers_da.cpp fuzz_common_code.c
 fuzz_alg_hw_rsi_outliers_da_LINK = $(FUZZ_LINK_COMMAND)
 
+fuzz_alg_isolationforest_SOURCES = fuzz_alg_isolationforest.cpp
+fuzz_alg_isolationforest_LINK = $(FUZZ_LINK_COMMAND)
+
+fuzz_alg_anomalymodel_SOURCES = fuzz_alg_anomalymodel.cpp cpp fuzz_common_code.c
+fuzz_alg_anomalymodel_LINK = $(FUZZ_LINK_COMMAND)
+
 fuzz_alg_jitter_SOURCES = fuzz_alg_jitter.cpp fuzz_common_code.c
 fuzz_alg_jitter_LINK = $(FUZZ_LINK_COMMAND)
 

fuzz/fuzz_alg_anomalymodel.cpp

@@ -0,0 +1,40 @@
+#include "ndpi_api.h"
+#include "fuzz_common_code.h"
+
+#include <stdint.h>
+#include <stdio.h>
+#include "fuzzer/FuzzedDataProvider.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  FuzzedDataProvider fuzzed_data(data, size);
+  u_int32_t n_normal, n_attacks, n_features, i, j;
+  ndpi_anomaly_model *m;
+
+  /* To allow memory allocation failures */
+  fuzz_set_alloc_callbacks_and_seed(size);
+
+  n_features = fuzzed_data.ConsumeIntegralInRange<u_int32_t>(1, 8);
+  n_normal = fuzzed_data.ConsumeIntegral<u_int8_t>();
+  n_attacks = fuzzed_data.ConsumeIntegral<u_int8_t>();
+  m = ndpi_alloc_anomaly_model(n_features);
+
+  double *row = (double *)malloc(sizeof(double) * n_features); /* No failure here */
+
+  for(i = 0; i < n_normal; i++) {
+    for(j = 0; j < n_features; j++)
+      row[j] = fuzzed_data.ConsumeFloatingPoint<double>();
+
+    ndpi_train_anomaly_model(m, row);
+  }
+  for(i = 0; i < n_attacks; i++) {
+    for(j = 0; j < n_features; j++)
+      row[j] = fuzzed_data.ConsumeFloatingPoint<double>();
+
+    ndpi_compute_anomaly_score(m, row);
+  }
+
+  ndpi_free_anomaly_model(m);
+  free(row);
+
+  return 0;
+}

fuzz/fuzz_alg_hw_rsi_outliers_da.cpp

@@ -93,6 +93,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   ndpi_data_min(a);
   ndpi_data_max(a);
   ndpi_data_jitter(a);
+  ndpi_data_burstiness(a);
   ndpi_data_last(a);
   ndpi_data_window_average(a);
   ndpi_data_window_variance(a);

fuzz/fuzz_alg_isolationforest.cpp

@@ -0,0 +1,51 @@
+#include "ndpi_api.h"
+
+#include <stdint.h>
+#include <stdio.h>
+#include "fuzzer/FuzzedDataProvider.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  FuzzedDataProvider fuzzed_data(data, size);
+  u_int32_t n_normal, n_attacks, n_features, i, j;
+  double **d;
+  void *f;
+
+  /* isolationforest code doesn't handle allocation failures */
+
+  /* Data set */
+  n_features = fuzzed_data.ConsumeIntegralInRange<u_int32_t>(0, 8);
+  n_normal = fuzzed_data.ConsumeIntegral<u_int8_t>();
+  n_attacks = fuzzed_data.ConsumeIntegral<u_int8_t>();
+
+  d = (double **)ndpi_malloc(sizeof(double *) * (n_normal + n_attacks));
+
+  for(i = 0; i < n_normal; i++) {
+    u_int32_t l = sizeof(double) * n_features;
+    double *row = (double *)ndpi_malloc(l);
+
+    d[i] = row;
+    for(j = 0; j < n_features; j++)
+      row[j] = fuzzed_data.ConsumeFloatingPoint<double>();
+  }
+  for(i = 0; i < n_attacks; i++) {
+    u_int32_t l = sizeof(double) * n_features;
+    double *row = (double *)ndpi_malloc(l);
+
+    d[n_normal + i] = row;
+    for(j = 0; j < n_features; j++)
+      row[j] = fuzzed_data.ConsumeFloatingPoint<double>();
+  }
+
+  f = ndpi_alloc_iforest(d, n_normal, n_features);
+  for(i = 0; i < n_normal + n_attacks; i++) {
+    ndpi_iforest_score(f, d[i]);
+  }
+
+  ndpi_free_iforest(f);
+
+  for(i = 0; i < n_normal + n_attacks; i++)
+    ndpi_free(d[i]);
+  ndpi_free(d);
+
+  return 0;
+}

fuzz/fuzz_alg_ranking.cpp

@@ -8,7 +8,7 @@
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   FuzzedDataProvider fuzzed_data(data, size);
   u_int16_t i, j;
-  ndpi_ranking rank;
+  ndpi_ranking rank, rank2;
   u_int16_t max_num_entries, num_epochs;
   u_int32_t now, prev_epoch;
   ndpi_ranking_epoch_entry *entries;
@@ -45,9 +45,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   ndpi_print_ranking(&rank);
 
   snprintf(path, sizeof(path), "/tmp/ranking.%u.test", (unsigned int)getpid());
-  if(ndpi_serialize_ranking(&rank, path)) {
-    ndpi_term_ranking(&rank);
-    ndpi_deserialize_ranking(&rank, path);
+  if(ndpi_serialize_ranking(&rank, fuzzed_data.ConsumeBool() ? path : NULL)) {
+    if(ndpi_deserialize_ranking(&rank2, fuzzed_data.ConsumeBool() ? path : NULL))
+      ndpi_term_ranking(&rank2);
     unlink(path);
   }
 

fuzz/fuzz_config.cpp

@@ -330,6 +330,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   ndpi_rtp_payload_type2str(fuzzed_data.ConsumeIntegral<u_int8_t>(), fuzzed_data.ConsumeIntegral<u_int32_t>());
   ndpi_rtp_payload_type2str(127, fuzzed_data.ConsumeIntegral<u_int32_t>());
 
+  ndpi_ikev2_dh_name(fuzzed_data.ConsumeIntegral<u_int8_t>());
+  ndpi_ikev2_integ_name(fuzzed_data.ConsumeIntegral<u_int8_t>());
+  ndpi_ikev2_prf_name(fuzzed_data.ConsumeIntegral<u_int8_t>());
+  ndpi_ikev2_encr_name(fuzzed_data.ConsumeIntegral<u_int8_t>());
+
+  char unknown_curve[8];
+  ndpi_tls_elliptic_curve2str(fuzzed_data.ConsumeIntegral<u_int16_t>(), unknown_curve);
+
   char buf2[16];
   ndpi_entropy2str(fuzzed_data.ConsumeFloatingPoint<float>(), fuzzed_data.ConsumeBool() ? buf2 : NULL, sizeof(buf2));
 

src/lib/ndpi_analyze.c

@@ -2276,8 +2276,10 @@ bool ndpi_deserialize_ranking(ndpi_ranking *rank, const char *path) {
     if(rank->epochs) {
       n_read = fread(rank->epochs, rank->header.epochs_memory_len, 1, fd);
 
-      if(n_read != 1)
+      if(n_read != 1) {
+        ndpi_free(rank->epochs);
 	ret = false;
+      }
     } else
       ret = false;
   }
@@ -2464,8 +2466,10 @@ ndpi_anomaly_model* ndpi_alloc_anomaly_model(u_int16_t n_features) {
 /* *********************** */
 
 void ndpi_free_anomaly_model(ndpi_anomaly_model *m) {
-  if(m->training_data) ndpi_free(m->training_data);
-  ndpi_free(m);
+  if(m) {
+    if(m->training_data) ndpi_free(m->training_data);
+    ndpi_free(m);
+  }
 }
 
 /* *********************** */
@@ -2506,6 +2510,8 @@ static void ndpi_normalize_vector_L2(double *training_data, u_int32_t num) {
 /* *********************** */
 
 bool ndpi_train_anomaly_model(ndpi_anomaly_model *m, double *training_data) {
+  if(!m || !training_data)
+    return(false);
   u_int32_t len = sizeof(double) * m->n_features;
 
   ndpi_normalize_vector_L1(training_data, m->n_features);
@@ -2571,7 +2577,10 @@ bool ndpi_compute_anomaly_score(ndpi_anomaly_model *m,
 				double *testing_data) {
   u_int32_t i;
   double max_distance = 0;
-  
+
+  if(!m || !testing_data)
+    return(false);
+
   ndpi_normalize_vector_L1(testing_data, m->n_features);
 
   for(i=0; i<m->n_samples; i++) {