TNO-S3
diff --git a/‎README.md
+112 b/‎README.md
+112
diff --git a/‎coverage_agent.js
+141 b/‎coverage_agent.js
+141
diff --git a/‎coverage_agent.ts
+138 b/‎coverage_agent.ts
+138
@@ -0,0 +1,112 @@
+# WuppieFuzz
+
+TNO developed WuppieFuzz, a coverage-guided REST API fuzzer developed on top of
+LibAFL, targeting a wide audience of end-users, with a strong focus on
+ease-of-use, explainability of the discovered flaws and modularity. WuppieFuzz
+supports all three settings of testing (black box, grey box and white box).
+
+## WuppieFuzz-Javascript
+
+This is a fairly diverse environment, there are:
+
+- various flavors of JavaScript (CommonJS, ES2015==ES6, more but these are the
+  main ones)
+- NodeJS vs browser-based code.
+- async and non-async functions
+- modules and non-modules
+
+### NodeJS agents
+
+We currently supply two agents for NodeJS. You can incorporate both of these
+into your projects by adding a `require`-statement for the respective agent at
+the top of your `app.ts`, `app.js` or whatever is the entry point of your
+application. See the examples directory for concrete examples.
+
+#### Usage:
+
+```javascript
+require("./coverage_agent");
+
+// Your code
+```
+
+It's that simple. The coverage agent exposes a server that accepts commands from
+the `coverage_client`. Note that when the node process exits, the coverage
+server goes down with it. Check the examples to see the coverage agent in
+action.
+
+#### NodeJS agent 1: v8 (`coverage_agent.js`)
+
+This uses
+[node-specific built-in functionality of v8](https://v8.dev/blog/javascript-code-coverage)
+for taking coverage. It works like this:
+
+1. **Coverage tracking**: Generate coverage files with the
+   [minimal Node-API: `v8.takeCoverage()`](https://nodejs.org/api/v8.html#v8takecoverage).
+   This writes a file to disk (~100KB-10MB) for every input that we send. **No
+   customization is possible**, so the huge amount of node_modules also gets
+   instrumented and reported on. Hopefully we can circumvent both the
+   file-writing and the instrument-everything problems at some point, but it
+   seems like a daunting task to dig deeply into v8 and use/customize its
+   inspector.
+2. **Conversion into LCOV**: Read in the coverage files written so far and
+   process them into coverage reports using a c8-reporter (in particular we use
+   the `lcovonly`-reporter). At this stage we can **exclude e.g. the
+   node_modules**. Read in the LCOV coverage report
+   (`./coverage_report/lcov.info`) and return its contents to WuppieFuzz.
+
+Optional (and working): Use c8 to also create an HTML-report out of all the
+coverage files. This takes a second or so, but is extremely useful for
+identifying bottlenecks for the fuzzer. Prerequisite is a directory with
+coverage data as written by `v8.takeCoverage()` named "node_coverage" in your
+working directory. You can then generate the html report with
+`node <path-to-create_coverage_report.mjs>`, which will be written to
+`./coverage_report` just like the `lcov.info` during fuzzing. You can view the
+report by opening `index.html` in a browser.
+
+#### NodeJS Agent 2: runtime-coverage (`nodejs_agent_simple.js`)
+
+This agent can be used both in CommonJS and ES2015, is synchronous (its
+`start_coverage` and `get_coverage` functions are async, but must always be
+`await`ed on), and is a non-module.
+
+This agent uses the npm module `runtime-coverage`, with the following
+(simplified) dependency tree:
+
+- runtime-coverage
+
+  - collect-v8-coverage
+
+    - inspector
+
+  - v8-to-istanbul
+
+  - istanbul-lib-coverage
+
+  - istanbul-lib-report
+
+  - istanbul-reports
+
+This agent listens for coverage requests and has a very simple behaviour:
+
+1. On the first coverage request, start tracking coverage.
+2. On any subsequent coverage request, return coverage recorded since the last
+   coverage request.
+
+Resetting of coverage is automatic, it is up to the client to calculate total
+coverage from multiple inputs if that is desired.
+
+#### Which agent to pick
+
+For simplicity try out agent 2, and if this does not work try with agent 1.
+Agent 1 has the added complexity of requiring an environment variable and
+intermediate file-writes (also possibly impacting performance), but gives more
+accurate coverage in some scenarios (see the feathers example).
+
+#### Limitations
+
+1. Note that the agent goes down with the target, so for **microservices** that
+   live only as long as it takes to process an application request this is
+   inadequate.
+2. The agent works for CommonJS (default for nodejs), it is unclear whether and
+   how it can be used with **ES2016** modules.
@@ -0,0 +1,141 @@
+const v8 = require('node:v8');
+const c8 = require('c8');
+
+// Coverage server
+const LCOV_HEADER = new Uint8Array([0xc1, 0xc0]);
+const BlockType = {
+  Header: 0x01,
+  SessionInfo: 0x10,
+  CoverageInfo: 0x11,
+  CmdOk: 0x20,
+  CmdDump: 0x40,
+}
+
+const fs = require('node:fs');
+
+function concatUInt8Arrays(a1, a2) {
+  // sum of individual array lengths
+  let mergedArray = new Uint8Array(a1.length + a2.length);
+  mergedArray.set(a1);
+  mergedArray.set(a2, a1.length);
+  return mergedArray;
+}
+
+class Block {
+  constructor(block_type, block_data) {
+    this.block_type = block_type;
+    this.block_data = block_data;
+  }
+
+  to_buffer() {
+    let buf
+    if (this.block_type == BlockType.CoverageInfo) {
+      buf = Buffer.alloc(1 + 4 + this.block_data.length)
+      buf.writeUInt32LE(this.block_data.length, 1);
+      buf.fill(this.block_data, 5);
+    } else if (this.block_type == BlockType.Header) {
+      buf = Buffer.alloc(1 + LCOV_HEADER.length);
+      buf.fill(this.block_data, 1);
+    }
+    buf[0] = this.block_type;
+    return buf;
+  }
+}
+
+const COVERAGE_PORT = 3001;
+let coverage_started = false;
+
+let net = require('net');
+
+let server = net.createServer();
+
+server.on('connection', function (socket) {
+  console.log('Coverage connection established.');
+
+  // The server can also receive data from the client by reading from its socket.
+  socket.on('data', async function (buf) {
+    // buf.subarray(0, 5) = REQUEST_HEADER, unused by us for the time being.
+    // buf[5] = command, we only send BLOCK_CMD_DUMP, so this is ignored.
+    // buf[6] = boolean that indicates whether or not to retrieve coverage (ignore).
+    // Read RESET PARAMETER
+    let reset_byte = buf[7];
+    if (reset_byte == 0) {
+      console.log("Warning: coverage agent does not support getting coverage without reset.");
+    }
+    let reset = true;
+    // Fetch and return coverage data
+    if (coverage_started) {
+      let cov_data = await get_coverage();
+      if (cov_data != null) {
+        let header_block = new Block(BlockType.Header, LCOV_HEADER);
+        let header_block_buf = header_block.to_buffer();
+        socket.write(header_block_buf);
+        let coverage_block = new Block(BlockType.CoverageInfo, cov_data)
+        let cov_block_buf = coverage_block.to_buffer();
+        socket.write(cov_block_buf);
+      }
+    }
+    if (reset) {
+      await start_coverage();
+    }
+    socket.write(Buffer.from([BlockType.CmdOk]));
+  });
+
+  // When the client requests to end the TCP connection with the server, the server
+  // ends the connection.
+  socket.on('end', function () {
+    console.log('Closing connection with the client');
+  });
+
+  socket.on('error', function (err) {
+    console.log(`Error: ${err}`);
+  });
+});
+
+server.on('error', (e) => {
+  if (e.code === 'EADDRINUSE') {
+    console.error('Address in use, retrying...');
+    setTimeout(() => {
+      server.close();
+      server.listen(COVERAGE_PORT, '127.0.0.1', function () {
+        console.log(`Coverage agent listening on port ${COVERAGE_PORT}`)
+      });
+    }, 1000);
+  }
+});
+server.listen(COVERAGE_PORT, '127.0.0.1', function () {
+  console.log(`Coverage agent listening on port ${COVERAGE_PORT}`)
+});
+
+async function start_coverage() {
+  if (!coverage_started) {
+    v8.takeCoverage();
+    coverage_started = true;
+    return true;
+  } else {
+    return false;
+  }
+}
+
+// Return binary-encoded coverage information
+async function get_coverage() {
+  if (!coverage_started) {
+    console.log("Getting coverage, but haven't started!");
+    return false;
+  }
+  v8.takeCoverage();
+  coverage_started = false;
+  const opts = {
+    all: true,
+    return: true,
+    reporter: ['lcovonly'],
+    deleteCoverage: false,
+    tempDirectory: "./node_coverage",
+    reportsDirectory: "./coverage_report",
+    excludeNodeModules: true
+  };
+  let myrep = c8.Report(opts);
+  await myrep.run();
+  // Return the LCOV-formatted coverage report
+  return fs.readFileSync("coverage_report/lcov.info");
+}
@@ -0,0 +1,138 @@
+
+// Coverage server
+
+import {Buffer} from 'buffer/';
+
+const JACOCO_HEADER = [0xc0, 0xc0];
+// const RAW_HEADER = [0xc1, 0x0];
+const RAW_HEADER = new Uint8Array([0xc1, 0xc0]);
+const REQUEST_HEADER = [0x01, 0xc0, 0xc0, 0x10, 0x07];
+const BLOCK_CMD_DUMP = 0x40;
+const FORMAT_VERSION = new Uint8Array([0x10, 0x07]);
+const BlockType = {
+  Header: 0x01,
+  SessionInfo: 0x10,
+  CoverageInfo: 0x11,
+  CmdOk: 0x20,
+  CmdDump: 0x40,
+}
+
+function concatUInt8Arrays(a1, a2) {
+  // sum of individual array lengths
+  let mergedArray = new Uint8Array(a1.length + a2.length);
+  mergedArray.set(a1);
+  mergedArray.set(a2, a1.length);
+  return mergedArray;
+}
+
+class Block {
+  block_type: any;
+  block_data: any;
+  constructor(block_type, block_data) {
+    this.block_type = block_type;
+    this.block_data = block_data;
+  }
+
+  to_buffer() {
+    let buf
+    if (this.block_type == BlockType.CoverageInfo) {
+      buf = Buffer.alloc(1 + 4 + this.block_data.length)
+      buf.writeUInt32LE(this.block_data.length, 1);
+      buf.fill(this.block_data, 5);
+    } else if (this.block_type == BlockType.Header) {
+      buf = Buffer.alloc(1 + RAW_HEADER.length + FORMAT_VERSION.length);
+      buf.fill(this.block_data, 1);
+    }
+    buf[0] = this.block_type;
+    return buf;
+  }
+}
+
+const runtimeCoverage = require('runtime-coverage');
+const COVERAGE_PORT = 3001;
+let coverage_started = false;
+
+let net = require('net');
+const { resolve } = require("path");
+const { binary } = require('@hapi/joi');
+
+
+let server = net.createServer();
+
+server.on('connection', function(socket) {
+  console.log('Coverage connection established.');
+
+  // The server can also receive data from the client by reading from its socket.
+  socket.on('data', async function(buf) {
+    // buf.subarray(0, 5) = REQUEST_HEADER, unused by us for the time being.
+    // buf[5] = command, we only send BLOCK_CMD_DUMP, so this is ignored.
+    // buf[6] = boolean that indicates whether or not to retrieve coverage (ignore).
+    // Read RESET PARAMETER
+    let reset_byte = buf[7];
+    if (reset_byte == 0) {
+      console.log("Warning: coverage agent does not support getting coverage without reset.");
+    }
+    let reset = true;
+    // Fetch and return coverage data
+    if (coverage_started) {
+      let cov_data = await get_coverage();
+      if (cov_data != null) {
+        let header_data = concatUInt8Arrays(RAW_HEADER, FORMAT_VERSION);
+        // let header_data = new Uint8Array([...RAW_HEADER, ...FORMAT_VERSION]);
+        let header_block = new Block(BlockType.Header, header_data);
+        let header_block_buf = header_block.to_buffer();
+        socket.write(header_block_buf);
+        let coverage_block = new Block(BlockType.CoverageInfo, cov_data)
+        let cov_block_buf = coverage_block.to_buffer();
+        socket.write(cov_block_buf);
+      }
+    }
+    if (reset) {
+      await start_coverage();
+    }
+    socket.write(Buffer.from([BlockType.CmdOk]));
+  });
+
+  // When the client requests to end the TCP connection with the server, the server
+  // ends the connection.
+  socket.on('end', function() {
+    console.log('Closing connection with the client');
+  });
+
+  socket.on('error', function(err) {
+    console.log(`Error: ${err}`);
+  });
+});
+
+server.listen(COVERAGE_PORT, '127.0.0.1', function() {
+  console.log(`Coverage agent listening on port ${COVERAGE_PORT}`)
+});
+
+async function start_coverage() {
+  if (!coverage_started) {
+    runtimeCoverage.startCoverage();
+    coverage_started = true;
+  }
+}
+
+// Return binary-encoded coverage information
+async function get_coverage() {
+  const options = {
+    all: true,
+    return: true,
+    reporters: ['lcovonly'],
+  };
+  coverage_started = false;  // runtime-coverage automatically reset every time you get coverage
+  let coverage_promise = runtimeCoverage.getCoverage(options)
+  .then((response) => response)
+  .catch(error => {
+    console.log(error.message);
+    start_coverage();
+    return "coverage not started";
+  });
+  let coverage = await coverage_promise;
+  if (coverage === "coverage not started") {
+    return null;
+  }
+  return coverage["lcovonly"];
+}