SQLab · soymilk05 · Apr 17, 2024 · Apr 17, 2024 · Apr 17, 2024 · Apr 17, 2024
diff --git a/.github/workflows/lab-autograding.yml b/.github/workflows/lab-autograding.yml
@@ -45,7 +45,8 @@ jobs:
                       const files = await github.rest.pulls.listFiles({ owner, repo, pull_number: issue_number });
                       const changedFiles = files.data.map((file) => file.filename);
                       const allowedFileRegex = /^lab\d+\/main_test.js$/;
-                      if (!changedFiles.every((file) => allowedFileRegex.test(file))) {
+                      const specialChangedFiles = ["lab5/Answer.md", "lab5/antiasan.c", "lab6/Answer.md", "lab7/sol.py"];
+                      if (!changedFiles.every((file) => (allowedFileRegex.test(file) || specialChangedFiles.includes(file)))) {
                         core.setFailed('The PR contains changes to files other than the allowed files.');
                       }
                       return labNumber;

diff --git a/AFL b/AFL
diff --git a/hw4/.gitignore b/hw4/.gitignore
@@ -0,0 +1,2 @@
+reports/
+.stryker-tmp/
diff --git a/hw4/README.md b/hw4/README.md
@@ -0,0 +1,15 @@
+# HW4
+
+You can install package through:
+
+```shell
+npm i
+```
+
+After finish your test code in `tests/calculator_test.js`, you can run `Stryker` by:
+
+```shell
+npm run mutate
+```
+
+to get your mutation testing result.
diff --git a/hw4/package-lock.json b/hw4/package-lock.json
diff --git a/hw4/package.json b/hw4/package.json
@@ -0,0 +1,15 @@
+{
+    "name": "hw4",
+    "version": "1.0.0",
+    "description": "software testing hw4",
+    "main": "src/calculator.js",
+    "scripts": {
+        "test": "node --test",
+        "mutate": "npx stryker run"
+    },
+    "dependencies": {},
+    "devDependencies": {
+        "@stryker-mutator/core": "^8.2.6"
+    },
+    "license": "MIT"
+}
diff --git a/hw4/src/calculator.js b/hw4/src/calculator.js
@@ -0,0 +1,54 @@
+class Calculator {
+    static main(month1, day1, month2, day2, year) {
+        if (month1 < 1 || month1 > 12) {
+            throw new Error("invalid month1");
+        }
+        if (month2 < 1 || month2 > 12) {
+            throw new Error("invalid month2");
+        }
+        if (day1 < 1 || day1 > 31) {
+            throw new Error("invalid day1");
+        }
+        if (day2 < 1 || day2 > 31) {
+            throw new Error("invalid day2");
+        }
+        if (year < 1 || year > 10000) {
+            throw new Error("invalid year");
+        }
+        if (month1 === month2 && day1 > day2) {
+            throw new Error("day1 must be less than day2 if month1 is equal to month2");
+        }
+        if (month1 > month2) {
+            throw new Error("month1 must be less than month2");
+        }
+
+        return this.#calculate(month1, day1, month2, day2, year);
+    }
+
+    static #calculate(month1, day1, month2, day2, year) {
+        let numDays;
+
+        if (month2 === month1) {
+            numDays = day2 - day1;
+        } else {
+            // ignore 0 index
+            let daysIn = [0, 31, 0, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31];
+            if (this.#isLeapYear(year))
+                daysIn[2] = 29;
+            else
+                daysIn[2] = 28;
+
+            numDays = day2 + (daysIn[month1] - day1);
+
+            for (let i = month1 + 1; i <= month2 - 1; i++)
+                numDays += daysIn[i];
+        }
+        return numDays;
+    }
+
+    static #isLeapYear(year) {
+        return ((year % 4 === 0) && (year % 100 !== 0)) || (year % 400 === 0);
+    }
+}
+
+module.exports = Calculator;
diff --git a/hw4/stryker.config.json b/hw4/stryker.config.json
@@ -0,0 +1,13 @@
+{
+  "$schema": "./node_modules/@stryker-mutator/core/schema/stryker-schema.json",
+  "_comment": "This config was generated using 'stryker init'. Please take a look at: https://stryker-mutator.io/docs/stryker-js/configuration/ for more information.",
+  "packageManager": "npm",
+  "reporters": [
+    "html",
+    "clear-text",
+    "progress"
+  ],
+  "testRunner": "command",
+  "testRunner_comment": "Take a look at (missing 'homepage' URL in package.json) for information about the command plugin.",
+  "coverageAnalysis": "off"
+}
diff --git a/hw4/tests/calculator_test.js b/hw4/tests/calculator_test.js
@@ -0,0 +1,6 @@
+const assert = require('assert');
+const { test } = require('node:test');
+
+const Calculator = require('../src/calculator');
+
+// TODO: write your test cases here to kill mutants
diff --git a/lab5/Answer.md b/lab5/Answer.md
@@ -0,0 +1,92 @@
+# Answer
+
+Name: 
+ID: 
+
+## Test Valgrind and ASan
+### Result
+|                      | Valgrind | Asan |
+| -------------------- | -------- | ---- |
+| Heap out-of-bounds   |          |      |
+| Stack out-of-bounds  |          |      |
+| Global out-of-bounds |          |      |
+| Use-after-free       |          |      |
+| Use-after-return     |          |      |
+
+### Heap out-of-bounds
+#### Source code
+```
+
+```
+#### Valgrind Report
+```
+
+```
+### ASan Report
+```
+
+```
+
+### Stack out-of-bounds
+#### Source code
+```
+
+```
+#### Valgrind Report
+```
+
+```
+### ASan Report
+```
+
+```
+
+### Global out-of-bounds
+#### Source code
+```
+
+```
+#### Valgrind Report
+```
+
+```
+### ASan Report
+```
+
+```
+
+### Use-after-free
+#### Source code
+```
+
+```
+#### Valgrind Report
+```
+
+```
+### ASan Report
+```
+
+```
+
+### Use-after-return
+#### Source code
+```
+
+```
+#### Valgrind Report
+```
+
+```
+### ASan Report
+```
+
+```
+
+## ASan Out-of-bound Write bypass Redzone
+### Source code
+```
+
+```
+### Why
+
diff --git a/lab5/Makefile b/lab5/Makefile
@@ -0,0 +1,17 @@
+.PHONY: all
+all: uaf_asan
+
+uaf_asan: uaf.c libantiasan.so
+	gcc -fsanitize=address -Og -g -o $@ $< -lantiasan -L.
+
+libantiasan.so: antiasan.c
+	gcc -g -fPIC -c antiasan.c
+	gcc -shared antiasan.o -o libantiasan.so
+
+.PHINY: run
+run:
+	LD_LIBRARY_PATH=. ./uaf_asan
+
+.PHONY: clean
+clean:
+	rm uaf_asan antiasan.o libantiasan.so
diff --git a/lab5/README.md b/lab5/README.md
@@ -0,0 +1,29 @@
+# Lab5
+
+## Introduction
+
+In this lab, you will write a function antoasan to bypass detection of ASan in `antiasan.c` and answer questions of slide in `Answer.md`.
+
+## Preparation (Important!!!)
+
+1. Sync fork your branch (e.g., `SQLab:311XXXXXX`)
+2. `git checkout -b lab5` (**NOT** your student ID !!!)
+
+## Requirement
+
+1. (50%) Test Valgrind and ASan to detect common memory corruption vulns, and then asnwer result, report of Valgrind/ASan and Vulnerable code in `Answer.md`.
+2. (40%) Write a vulnerable code to bypass redzone between 2 int [8] arrays and asnwer reason and code in `Answer.md`.
+
+3. (30%) write a function antoasan to bypass detection of ASan in `antiasan.c`.
+You can run `validate.sh` in your local to test if you satisfy the requirements.
+
+Please note that you must not alter files other than `antiasan.c` and `Answer.md`. You will get 0 points if
+
+1. you modify other files to achieve requirements.
+2. you can't pass all CI on your PR.
+
+## Submission
+
+You need to open a pull request to your branch (e.g. 311XXXXXX, your student number) and contain the code that satisfies the abovementioned requirements.
+
+Moreover, please submit the URL of your PR to E3. Your submission will only be accepted when you present at both places.
diff --git a/lab5/ans b/lab5/ans
@@ -0,0 +1,3 @@
+LD_LIBRARY_PATH=. ./uaf_asan
+s[0x10] = H
+s[0x10] = H
diff --git a/lab5/antiasan.c b/lab5/antiasan.c
@@ -0,0 +1,5 @@
+// TODO:
+void antiasan(unsigned long addr)
+{
+
+}
diff --git a/lab5/antiasan.h b/lab5/antiasan.h
@@ -0,0 +1,6 @@
+#ifndef HIJACK_H
+#define HIJACK_H
+
+void antiasan(unsigned long);
+
+#endif
diff --git a/lab5/uaf.c b/lab5/uaf.c
@@ -0,0 +1,15 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "antiasan.h"
+
+int main(void)
+{
+        char *s = (char *)malloc(0x18);
+        strcpy(s, "HAHAHAHAHAHAHAHAHAHAHAH");
+        printf("s[0x10] = %c\n", s[0x10]);
+        free(s);
+        antiasan((unsigned long)&s[0x10]);
+        printf("s[0x10] = %c\n", s[0x10]);
+        return 0;
+}
diff --git a/lab5/validate.sh b/lab5/validate.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Check for unwanted files
+for file in *; do
+  if [[ $file != "uaf.c" && $file != "antiasan.c" && $file != "antiasan.h" && $file != "Makefile" && $file != "README.md" && $file != "Answer.md" && $file != "validate.sh" && $file != "ans" ]]; then
+    echo "[!] Unwanted file detected: $file."
+    exit 1
+  fi
+done
+
+test_path="${BASH_SOURCE[0]}"
+solution_path="$(realpath .)"
+tmp_dir=$(mktemp -d -t lab5-XXXXXXXXXX)
+answer=""
+
+cd $tmp_dir
+
+rm -rf *
+cp $solution_path/Makefile .
+cp $solution_path/*.c .
+cp $solution_path/*.h .
+cp $solution_path/ans .
+
+make
+make run > out 2>&1
+result=$(diff ans out)
+if [[ -n $result ]]; then
+  echo "[!] Expected: "
+  cat ans
+  echo ""
+  echo "[!] Actual:   "
+  cat out
+  echo ""
+  exit 1
+else
+  echo "[V] Pass"
+fi
+
+rm -rf $tmp_dir
+
+exit 0
+
+# vim: set fenc=utf8 ff=unix et sw=2 ts=2 sts=2:
diff --git a/lab6/.gitignore b/lab6/.gitignore
@@ -0,0 +1,2 @@
+fuzz/
+src/bmpcomp
diff --git a/lab6/Answer.md b/lab6/Answer.md
@@ -0,0 +1,14 @@
+Name: 何季昉
+ID: 512559005
+
+### Fuzz Monitor
+```
+    Test case count : 1 favored, 0 variable, 1 total
+       Bitmap range : 33 to 33 bits (average: 33.00 bits)
+        Exec timing : 10.5k to 10.5k us (average: 10.5k us)
+```
+
+### Run Crash Result
+```
+3
+```
diff --git a/lab6/src/1.bmp b/lab6/src/1.bmp