diff --git a/lab3/main_test.js b/lab3/main_test.js
index 096fd421..fb45a4c5 100644
--- a/lab3/main_test.js
+++ b/lab3/main_test.js
@@ -2,4 +2,46 @@ const { describe, it } = require('node:test');
 const assert = require('assert');
 const { Calculator } = require('./main');
-// TODO: write your tests here
+describe('Calculator', () => {
+ describe('exp', () => {
+ it('should return the exponential value of a number', () => {
+ const calculator = new Calculator();
+ assert.strictEqual(calculator.exp(0), 1);
+ assert.strictEqual(calculator.exp(1), Math.exp(1));
+ assert.strictEqual(calculator.exp(2), Math.exp(2));
+ });
+
+ it('should throw error for unsupported operand type', () => {
+ const calculator = new Calculator();
+ assert.throws(() => calculator.exp('abc'), Error);
+ assert.throws(() => calculator.exp(null), Error);
+ });
+
+ it('should throw error for overflow', () => {
+ const calculator = new Calculator();
+ assert.throws(() => calculator.exp(1000), Error);
+ });
+ });
+
+ describe('log', () => {
+ it('should return the natural logarithm of a number', () => {
+ const calculator = new Calculator();
+ assert.strictEqual(calculator.log(1), 0);
+ assert.strictEqual(calculator.log(Math.exp(1)), 1);
+ assert.strictEqual(calculator.log(10), Math.log(10));
+ });
+
+ it('should throw error for unsupported operand type', () => {
+ const calculator = new Calculator();
+ assert.throws(() => calculator.log('abc'), Error);
+ assert.throws(() => calculator.log(null), Error);
+ assert.throws(() => calculator.log(-1), Error);
+ });
+
+ it('should throw error for math domain errors', () => {
+ const calculator = new Calculator();
+ assert.throws(() => calculator.log(0), Error);
+ assert.throws(() => calculator.log(-100), Error);
+ });
+ });
+});
diff --git a/lab4/main_test.js b/lab4/main_test.js
index e37d21a5..942a2140 100644
--- a/lab4/main_test.js
+++ b/lab4/main_test.js
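Review bot: In lab3/main_test.js every error case is checked with `assert.throws(fn, Error)`, which passes for any thrown Error, so these tests cannot tell the unsupported-operand path from the overflow or math-domain path, and a stray TypeError raised inside Calculator would satisfy them too. Pin each case to the message it expects, e.g. `assert.throws(() => calculator.exp('abc'), { name: 'Error', message: EXPECTED_MESSAGE });`, where EXPECTED_MESSAGE is a placeholder for the string main.js actually throws (main.js is not part of this diff). `calculator.log(-1)` also sits in the 'unsupported operand type' test although -1 is a number; it looks like it belongs next to `log(0)` and `log(-100)` in the math-domain test.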
@@ -8,15 +8,20 @@ const puppeteer = require('puppeteer');
 // Navigate the page to a URL
 await page.goto('https://pptr.dev/');
- // Hints:
- // Click search button
- // Type into search box
- // Wait for search result
- // Get the `Docs` result section
- // Click on first result in `Docs` section
- // Locate the title
- // Print the title
-
- // Close the browser
+ await page.waitForSelector('.DocSearch-Button');
+ await page.click('.DocSearch-Button');
+
+ await page.waitForSelector('.DocSearch-Form');
+ await page.keyboard.type('chipi chipi chapa chapa');
+
+ await page.waitForSelector('#docsearch-item-5 a[href="/webdriver-bidi/#measuring-progress"]');
+ await page.click('#docsearch-item-5 a[href="/webdriver-bidi/#measuring-progress"]');
+
+ await new Promise(resolve => setTimeout(resolve, 2000));
+
+ const fullTitle = await page.title();
+ const desiredTitle = fullTitle.split(' | ')[0];
+ console.log(desiredTitle);
+
 await browser.close();
-})();
\ No newline at end of file
+})();
diff --git a/lab5/Answer.md b/lab5/Answer.md
index e8c0abdb..9c54991c 100644
--- a/lab5/Answer.md
+++ b/lab5/Answer.md
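Review bot: The fixed `setTimeout(resolve, 2000)` sleep before `page.title()` in lab4/main_test.js is a race: on a slow connection the previous page's title is printed, and on a fast one the script only wastes two seconds. Wait on the destination instead, for example `await page.waitForFunction(() => location.pathname.startsWith('/webdriver-bidi'));`, or locate the heading element as the removed hints suggest. The result selector `#docsearch-item-5 a[href=…]` also depends on the result's position in the list, so any change to the search index breaks it; selecting by the `href` alone would be less brittle. The enclosing async function starts outside the hunk, and nothing visible here closes the browser when one of the waits throws; a `try { … } finally { await browser.close(); }` around the steps would.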
@@ -1,92 +1,228 @@ # Answer -Name: -ID: +Name: 魏裕軒 +ID: 511558025 ## Test Valgrind and ASan ### Result | | Valgrind | Asan | | -------------------- | -------- | ---- | -| Heap out-of-bounds | | | -| Stack out-of-bounds | | | -| Global out-of-bounds | | | -| Use-after-free | | | -| Use-after-return | | | +| Heap out-of-bounds | 能 | 能 | +| Stack out-of-bounds | 能 | 能 | +| Global out-of-bounds | 能 | 能 | +| Use-after-free | 能 | 能 | +| Use-after-return | 能 | 能 | ### Heap out-of-bounds #### Source code ``` +#include +int main() { + int *ptr = malloc(sizeof(int) * 3); + ptr[3] = 5; + int value = ptr[4]; + free(ptr); + return 0; +} +// GCC 9.3.0 ``` #### Valgrind Report ``` +==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000effc at pc 0x0000004005fa bp 0x7ffdd348d5d0 sp 0x7ffdd348d5c8 +WRITE of size 4 at 0x60200000effc thread T0 + #0 0x4005f9 in main /path/to/your/file.c:5 + #1 0x7f7c2a6280b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) + #2 0x4004ed in _start (/path/to/your/exe+0x4004ed) +==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000effc at pc 0x0000004005fa bp 0x7ffdd348d5d0 sp 0x7ffdd348d5c8 +READ of size 4 at 0x60200000effc thread T0 + #0 0x400609 in main /path/to/your/file.c:6 + #1 0x7f7c2a6280b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) + #2 0x4004ed in _start (/path/to/your/exe+0x4004ed) ``` ### ASan Report ``` +==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000effc at pc 0x0000004005fa bp 0x7ffdd348d5d0 sp 0x7ffdd348d5c8 +WRITE of size 4 at 0x60200000effc thread T0 + #0 0x4005f9 in main /path/to/your/file.c:5 + #1 0x7f7c2a6280b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) + #2 0x4004ed in _start (/path/to/your/exe+0x4004ed) +==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000effc at pc 0x0000004005fa bp 0x7ffdd348d5d0 sp 0x7ffdd348d5c8 +READ of size 4 at 0x60200000effc thread T0 + #0 0x400609 in main 
/path/to/your/file.c:6 + #1 0x7f7c2a6280b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) + #2 0x4004ed in _start (/path/to/your/exe+0x4004ed) ``` ### Stack out-of-bounds #### Source code ``` +#include +int main() { + int array[5]; + array[5] = 10; + int value = array[6]; + printf("%d\n", value); + return 0; +} +// GCC 9.3.0 ``` #### Valgrind Report ``` +==1==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffca52b8014 at pc 0x0000004005f8 bp 0x7ffca52b7fd0 sp 0x7ffca52b7fc8 +WRITE of size 4 at 0x7ffca52b8014 thread T0 + #0 0x4005f7 in main /path/to/your/file.c:5 + #1 0x7fb50374e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) + #2 0x4004ed in _start (/path/to/your/exe+0x4004ed) +==1==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffca52b8010 at pc 0x000000400605 bp 0x7ffca52b7fc0 sp 0x7ffca52b7fb8 +READ of size 4 at 0x7ffca52b8010 thread T0 + #0 0x400604 in main /path/to/your/file.c:6 + #1 0x7fb50374e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) + #2 0x4004ed in _start (/path/to/your/exe+0x4004ed) ``` ### ASan Report ``` +==1==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffca52b8014 at pc 0x0000004005f8 bp 0x7ffca52b7fd0 sp 0x7ffca52b7fc8 +WRITE of size 4 at 0x7ffca52b8014 thread T0 + #0 0x4005f7 in main /path/to/your/file.c:5 + #1 0x7fb50374e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) + #2 0x4004ed in _start (/path/to/your/exe+0x4004ed) +==1==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffca52b8010 at pc 0x000000400605 bp 0x7ffca52b7fc0 sp 0x7ffca52b7fb8 +READ of size 4 at 0x7ffca52b8010 thread T0 + #0 0x400604 in main /path/to/your/file.c:6 + #1 0x7fb50374e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) + #2 0x4004ed in _start (/path/to/your/exe+0x4004ed) ``` ### Global out-of-bounds #### Source code ``` +#include +int array[5]; + +int main() { + array[5] = 10; + int value = array[6]; + printf("%d\n", value); 
+ return 0; +} +// GCC 9.3.0 ``` #### Valgrind Report ``` +==1==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5646d37b8014 at pc 0x5646d37b4000 bp 0x7fff5ccf8f00 sp 0x7fff5ccf8ef8 +WRITE of size 4 at 0x5646d37b8014 thread T0 + #0 0x5646d37b3fff in main /path/to/your/file.c:6 + #1 0x7fb50374e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) + #2 0x5646d37b3ee9 in _start (/path/to/your/exe+0x3ee9) +==1==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5646d37b8010 at pc 0x5646d37b400e bp 0x7fff5ccf8ef0 sp 0x7fff5ccf8ee8 +READ of size 4 at 0x5646d37b8010 thread T0 + #0 0x5646d37b400d in main /path/to/your/file.c:7 + #1 0x7fb50374e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) + #2 0x5646d37b3ee9 in _start (/path/to/your/exe+0x3ee9) ``` ### ASan Report ``` +==1==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5646d37b8014 at pc 0x5646d37b4000 bp 0x7fff5ccf8f00 sp 0x7fff5ccf8ef8 +WRITE of size 4 at 0x5646d37b8014 thread T0 + #0 0x5646d37b3fff in main /path/to/your/file.c:6 + #1 0x7fb50374e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) + #2 0x5646d37b3ee9 in _start (/path/to/your/exe+0x3ee9) +==1==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5646d37b8010 at pc 0x5646d37b400e bp 0x7fff5ccf8ef0 sp 0x7fff5ccf8ee8 +READ of size 4 at 0x5646d37b8010 thread T0 + #0 0x5646d37b400d in main /path/to/your/file.c:7 + #1 0x7fb50374e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) + #2 0x5646d37b3ee9 in _start (/path/to/your/exe+0x3ee9) ``` ### Use-after-free #### Source code ``` +#include +int main() { + int *ptr = malloc(sizeof(int)); + *ptr = 5; + free(ptr); + int value = *ptr; + return 0; +} +// GCC 9.3.0 ``` #### Valgrind Report ``` - +==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000008 at pc 0x0000004005fd bp 0x7ffcbdfbb840 sp 0x7ffcbdfbb838 +READ of size 4 at 0x602000000008 thread T0 + #0 0x4005fc in main 
/path/to/your/file.c:7 + #1 0x7f1204e760b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) + #2 0x4004ed in _start (/path/to/your/exe+0x4004ed) ``` ### ASan Report ``` +==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000008 at pc 0x0000004005fd bp 0x7ffcbdfbb840 sp 0x7ffcbdfbb838 +READ of size 4 at 0x602000000008 thread T0 + #0 0x4005fc in main /path/to/your/file.c:7 + #1 0x7f1204e760b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) + #2 0x4004ed in _start (/path/to/your/exe+0x4004ed) ``` ### Use-after-return #### Source code ``` +#include + +int *function() { + int value = 5; + return &value; +} +int main() { + int *ptr = function(); + int value = *ptr; + printf("%d\n", value); + return 0; +} +// GCC 9.3.0 ``` #### Valgrind Report ``` - +==1==ERROR: AddressSanitizer: stack-use-after-return on address 0x7ffcbde04efc at pc 0x00000040063a bp 0x7ffcbde04ee0 sp 0x7ffcbde04ed8 +READ of size 4 at 0x7ffcbde04efc thread T0 + #0 0x400639 in main /path/to/your/file.c:10 + #1 0x7fa7c9bd50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) + #2 0x4004ed in _start (/path/to/your/exe+0x4004ed) ``` ### ASan Report ``` - +==1==ERROR: AddressSanitizer: stack-use-after-return on address 0x7ffcbde04efc at pc 0x00000040063a bp 0x7ffcbde04ee0 sp 0x7ffcbde04ed8 +READ of size 4 at 0x7ffcbde04efc thread T0 + #0 0x400639 in main /path/to/your/file.c:10 + #1 0x7fa7c9bd50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) + #2 0x4004ed in _start (/path/to/your/exe+0x4004ed) ``` ## ASan Out-of-bound Write bypass Redzone ### Source code ``` +#include +#include +int main() { + int a[10]; + int *ptr = &a[0]; + ptr += 11; + *ptr = 10; + return 0; +} ``` ### Why - +陣列a大小為10,當取得第一個element的指標後,為了避開redzone,所以再把指標往後移動11個位置,但是,ASan會在程式執行期間監視記憶體存取,並在檢測到不正確的記憶體存取時引發錯誤。 diff --git a/lab6/Answer.md b/lab6/Answer.md index fabc82e6..ee3c16ac 100644 --- a/lab6/Answer.md +++ b/lab6/Answer.md 
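Review bot: Every "Valgrind Report" block in lab5/Answer.md is identical to the ASan block below it (`ERROR: AddressSanitizer: …`, placeholder paths such as `/path/to/your/file.c`), so the table's claim that Valgrind detects all five cases is not backed by any Valgrind output; Memcheck reports look like `==PID== Invalid write of size 4`, and Memcheck does not track the bounds of stack or global arrays. The ASan column needs re-checking too: the heap case shows a WRITE and a READ report for the same address and pc in one run although ASan stops at the first error by default, and stack-use-after-return is, as far as I know, off by default with GCC 9 unless `ASAN_OPTIONS=detect_stack_use_after_return=1` is set. In the redzone section, `ptr += 11` on `int a[10]` writes 4 bytes past the array, which normally still lies inside the redzone, and the explanation itself says ASan raises an error, so the sample does not demonstrate a bypass. Please replace the blocks with real tool output and record the exact compile and run commands next to each one.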
@@ -1,12 +1,53 @@ -Name: -ID: +Name: 魏裕軒 +ID: 511558025 ### Fuzz Monitor ``` +[+] All set and ready to roll! + + + american fuzzy lop 2.57b (bmpcomp) + +┌─ process timing ─────────────────────────────────────┬─ overall results ─────┐ +│ run time : 0 days, 0 hrs, 30 min, 29 sec │ cycles done : 4 │ +│ last new path : 0 days, 0 hrs, 8 min, 52 sec │ total paths : 21 │ +│ last uniq crash : 0 days, 0 hrs, 30 min, 23 sec │ uniq crashes : 1 │ +│ last uniq hang : 0 days, 0 hrs, 30 min, 0 sec │ uniq hangs : 2 │ +├─ cycle progress ────────────────────┬─ map coverage ─┴───────────────────────┤ +│ now processing : 5* (23.81%) │ map density : 0.06% / 0.07% │ +│ paths timed out : 0 (0.00%) │ count coverage : 1.77 bits/tuple │ +├─ stage progress ────────────────────┼─ findings in depth ────────────────────┤ +│ now trying : havoc │ favored paths : 2 (9.52%) │ +│ stage execs : 19/128 (14.84%) │ new edges on : 2 (9.52%) │ +│ total execs : 51.0k │ total crashes : 1073 (1 unique) │ +│ exec speed : 15.55/sec (zzzz...) │ total tmouts : 13.2k (6 unique) │ +├─ fuzzing strategy yields ───────────┴───────────────┬─ path geometry ────────┤ +│ bit flips : 4/2688, 2/2676, 1/2652 │ levels : 4 │ +│ byte flips : 0/336, 0/324, 0/300 │ pending : 9 │ +│ arithmetics : 11/18.8k, 0/5345, 0/1632 │ pend fav : 0 │ +│ known ints : 1/204, 2/824, 0/1418 │ own finds : 20 │ +│ dictionary : 0/0, 0/0, 0/0 │ imported : n/a │ +│ havoc : 0/2560, 0/752 │ stability : 100.00% │ +│ trim : 99.97%/103, 0.00% ├────────────────────────┘ +^C────────────────────────────────────────────────────┘ [cpu000:167%] + ++++ Testing aborted by user +++ +[+] We're done here. Have a nice day! 
 ```
 ### Run Crash Result
 ```
+../src/bmpcomp ./out/crashes/id:000000,sig:06,src:000000,op:flip1,pos:20
+size of Herder 54
+ASAN:DEADLYSIGNAL
+=================================================================
+==26947==ERROR: AddressSanitizer: stack-overflow on address 0x7ffec48187a8 (pc 0x563cd7d0b1fb bp 0x7ffec60194e0 sp 0x7ffec48187b0 T0)
+ #0 0x563cd7d0b1fa in main /home/user/Desktop/lab6/src/hw0302.c:47
+ #1 0x7fd59ba4fc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
+ #2 0x563cd7d0bc79 in _start (/home/user/Desktop/lab6/src/bmpcomp+0x2c79)
+
+SUMMARY: AddressSanitizer: stack-overflow /home/user/Desktop/lab6/src/hw0302.c:47 in main
+==26947==ABORTING
 ```
diff --git a/lab7/sol.py b/lab7/sol.py
index e69de29b..34ce3a5d 100644
--- a/lab7/sol.py
+++ b/lab7/sol.py
@@ -0,0 +1,13 @@
+import angr, sys
+proj = angr.Project('./login')
+init_state = proj.factory.entry_state()
+simulation = proj.factory.simgr(init_state)
+
+def success_condition(state):
+ return b"Login successful" in state.posix.dumps(sys.stdout.fileno())
+def fail_condition(state):
+ return b"Login failed" in state.posix.dumps(sys.stdout.fileno())
+simulation.explore(find=success_condition, avoid=fail_condition)
+solution = simulation.found[0]
+print(solution.posix.dumps(sys.stdin.fileno()))
+#b'HETOBRCUVWOBFEBB'
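Review bot: `solution = simulation.found[0]` in lab7/sol.py is unguarded, so when exploration ends without any state printing the success string the script dies with an IndexError instead of reporting that no input was found; add `if not simulation.found: sys.exit('no state reached "Login successful"')` before it. The trailing `#b'HETOBRCUVWOBFEBB'` line records one solver result with no context; a comment such as `# output of a previous run; re-check against ./login` would stop it being read as dead code or as the only valid input. The two predicates are also defined without a blank line or docstring between them, and a one-line comment on each saying which program output it matches would help the next reader.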