- Our work is based off the `p7zip` repository located at: https://github.com/jinfeihan57/p7zip

For a detailed explanation of the vulnerability analysis carried out by this repository, take a look at each of the writeup PDFs in the `writeups` directory.
For a TL;DR, look at `writeups/deck/p7zip-deck.pdf`, which is a short presentation of our analysis.
To build any form of the target, use the different Makefile targets:

```sh
$ make <target>
```

The following major targets are available:

- `default`
- `debug`
- `afl`
- `afl-asan`
- `afl-asan-dbg`
- `afl-msan`
- `afl-ubsan`
- `afl-cfisan`
- `afl-tsan`
Each of these targets clones a fresh copy of the `p7zip` repository, patches the Makefiles in the directory according to its variant, and builds the `7zz` executable. The final executable of the target is available at `BIN_DEFAULT/CPP/7zip/Bundles/Alone2/_o/bin/7zz`.

Each of these variants also has a `-harness` build for building a version with a harness for fuzzing the archive feature of the binary.
To experiment with the `default` binary, run `make default` and add this to your `PATH` variable:

```sh
PATH=$PATH:$PWD/7zz_default/CPP/7zip/Bundles/Alone2/_o/bin
7zz -h
cd playground
7zz a files.zip file1.txt file2.txt
7zz e files.zip -ofiles_extracted
```
- Install `american-fuzzy-lop-clang`. For the sanitizer variants, you may need to install dependencies such as libasan, libtsan, devel packages etc.
- Use the `Makefile` targets in the root of the repository to compile different flavors of instrumented AFL binaries.
- For all next steps, you should be in the `fuzzing` directory.
- Run one of the following:

```sh
make get-inputs
make get-inputs-for-archive
```

- Run one of the following:

```sh
make minimize-afl
make minimize-afl-asan
```

Putting it together:

```sh
cd fuzzing
mkdir -p fuzzing-work && cp Makefile fuzzing-work && cd fuzzing-work
make get-inputs
make minimize
make fuzz-afl
```
- Installing CodeQL

```sh
cd codeql-playground
wget https://github.com/github/codeql-cli-binaries/releases/download/v2.13.0/codeql-linux64.zip
unzip codeql-linux64.zip
PATH=$PATH:$PWD/codeql
```

- Creating a CodeQL database for p7zip

```sh
cd <ONE OF THE TARGET DIRS>/CPP/7zip/Bundles/Alone2
codeql database create ../../../../../codeql-playground/analysis-db.codeql -l cpp -c "make -B -f makefile.gcc" --overwrite
cd -
```

- Analyzing the database with CodeQL

```sh
codeql pack download codeql/cpp-queries
codeql database analyze analysis-db.codeql --format CSV --output analysis.csv
```
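Once `analysis.csv` exists, a quick triage pass over it shows which queries fire most and where the high-severity hits sit. The script below is an added example, not part of this repository; it assumes the CodeQL CSV layout (no header row; columns name, description, severity, message, path, start line, start column, end line, end column) and uses constructed sample rows rather than real findings from the p7zip database.

```python
import csv
import io
from collections import Counter

# Column layout of `codeql database analyze --format CSV` output: the file has
# no header row and the columns are name, description, severity, message,
# path, start line, start column, end line, end column.
COLUMNS = ["name", "description", "severity", "message", "path",
           "start_line", "start_col", "end_line", "end_col"]
SEVERITY_RANK = {"error": 0, "warning": 1, "recommendation": 2}

# Constructed sample rows in that layout. Query names, messages and locations
# are illustrative placeholders, not findings from the p7zip database.
SAMPLE_CSV = """\
"Unbounded write","Write without bounds check","error","Possible out-of-bounds write","CPP/7zip/Archive/Zip/ZipIn.cpp","140","5","140","33"
"Unbounded write","Write without bounds check","error","Possible out-of-bounds write","CPP/7zip/Archive/Zip/ZipIn.cpp","120","5","120","40"
"Size overflow","Arithmetic on size values","warning","Multiplication may overflow","CPP/7zip/Compress/LzmaDecoder.cpp","88","9","88","30"
"Unused variable","Dead store","recommendation","Variable is never read","CPP/7zip/UI/Common/ArchiveCommandLine.cpp","300","3","300","12"
"""

def parse_findings(csv_text):
    """Parse CodeQL CSV text into dicts keyed by COLUMNS; malformed rows are skipped."""
    findings = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != len(COLUMNS):
            continue
        rec = dict(zip(COLUMNS, row))
        rec["start_line"] = int(rec["start_line"])
        findings.append(rec)
    return findings

def summarize(findings, min_severity="warning", path_prefix=""):
    """Return (count per severity, count per query, triage list). The triage list
    keeps findings at or above min_severity under path_prefix (e.g. "CPP/7zip/Archive/"
    to focus on the fuzzed archive code), ordered by severity, file, then line."""
    by_severity = Counter(f["severity"] for f in findings)
    by_query = Counter(f["name"] for f in findings)
    limit = SEVERITY_RANK[min_severity]
    keep = [f for f in findings
            if SEVERITY_RANK.get(f["severity"], 99) <= limit
            and f["path"].startswith(path_prefix)]
    keep.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["path"], f["start_line"]))
    return by_severity, by_query, keep

if __name__ == "__main__":
    by_sev, by_query, triage = summarize(parse_findings(SAMPLE_CSV))
    print("by severity:", dict(by_sev), "by query:", dict(by_query))
    for f in triage:
        print(f"{f['severity']:<8} {f['path']}:{f['start_line']}  {f['name']}: {f['message']}")
```

Point `parse_findings` at the real `analysis.csv` contents and pass `path_prefix="CPP/7zip/Archive/"` to restrict the triage to the code exercised by the archive harness.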
- Installing Joern requires a JDK

```sh
curl -L "https://github.com/joernio/joern/releases/latest/download/joern-install.sh" -o joern-install.sh
chmod u+x joern-install.sh
./joern-install.sh --interactive
```

- Basic tests

```scala
importCode(inputPath="../p7zip/CPP", projectName="p7zip-dbg")
```
The following can be used to analyze execution of the target and produce graphs. It requires `valgrind` and `kcachegrind` to be installed.

```sh
valgrind --callgrind-out-file=callgrind_vis2 --tool=callgrind 7zz e files.zip -ofiles_extracted
kcachegrind callgrind_vis2
```

Below are two call graphs produced for the archive and extract commands: