
Vulnerability Assessment Report Facibook

The Vulnerability Assessment and Remediation Report for Facibook's software code reveals multiple vulnerabilities, including memory management issues and buffer overflows identified through Valgrind and AFL++. Recommendations for remediation include adjusting array indexing, freeing allocated memory, and implementing bounds checking. Addressing these vulnerabilities is crucial for enhancing software security and system reliability.

Uploaded by Faisal Mahmud

Vulnerability Assessment and Remediation Report

Summary

This report presents the results of a comprehensive vulnerability assessment conducted on
Facibook’s software code using Valgrind and AFL++. The analysis identified multiple
vulnerabilities, including memory management issues and potential buffer overflows. This
document outlines these findings, provides remediation recommendations, and suggests
improvements for secure coding practices.

Table of Contents

1. Executive Summary
2. Introduction
3. Methodology
4. Findings
5. Remediation Suggestions
6. Conclusion

Introduction

As a cybersecurity analyst for Facibook, the objective of this project was to assess the security of
two code files (vcode0.c and vcode.c) provided by the organization. Using dynamic analysis tools
(Valgrind) and fuzzing tools (AFL++), vulnerabilities in memory allocation, memory leaks, and
buffer overflows were detected. The following sections detail the methodology, findings, and
recommendations for mitigating these vulnerabilities.

Methodology

The analysis involved two primary tools:

- Valgrind: Used for detecting memory management issues in vcode0.c. Valgrind's output
identified areas where memory was improperly allocated or leaked.
- AFL++: Employed for fuzzing to expose buffer overflows and other input handling issues in
vcode.c. AFL++ provided insights into crash-triggering inputs and possible buffer vulnerabilities.

The analysis was conducted in a controlled environment with Valgrind and AFL++ run on Kali
Linux.

Findings

Dynamic Software Analysis with Valgrind

Two primary vulnerabilities were identified in vcode0.c using Valgrind:

1. Heap Block Overrun:

- Location: Line 6
- Type: Invalid Write of Size 4
- Description: Memory allocated for 10 integers is accessed out of bounds at x[10], causing an
invalid write error.
- Original Code:

int* x = malloc(10 * sizeof(int));
x[10] = 0;  /* out of bounds: valid indices are 0..9 */

- Improved Code:

int* x = malloc(10 * sizeof(int));
x[9] = 0;  /* last valid element */

2. Memory Leak:

- Location: Line 8
- Description: Memory allocated to x is not freed, resulting in a memory leak.
- Original Code:

int* x = malloc(10 * sizeof(int));
x[10] = 0;  /* x is never freed */

- Improved Code:

int* x = malloc(10 * sizeof(int));
x[9] = 0;
free(x);  /* release the allocation before the function returns */

Fuzzing with AFL++

Using AFL++ on vcode.c, one critical vulnerability was identified:

Crash due to Stack-Buffer Overflow:

- Location: vcode.c, likely in the ProcessImage function at line 39.
- Description: Stack-buffer overflow triggered by out-of-bounds access in the img buffer.
- Crash Triggering Input: Input file X from AFL++ output.
- Explanation: The overflow occurs when processing certain image inputs, potentially due to
inadequate buffer size checking.

The AFL++ analysis highlighted the need for improved input validation to avoid buffer overflow
incidents.

Remediation Suggestions

For each vulnerability identified, the following remediation actions are recommended:

- Heap Block Overrun: Adjust array indexing to ensure in-bounds access.
- Memory Leak: Free allocated memory at the end of function execution.
- Stack-Buffer Overflow: Implement bounds checking in the ProcessImage function to ensure
data does not exceed buffer limits.
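
The bounds checking recommended for ProcessImage can look like the following. This is an added example, not code from vcode.c or from the report; the input layout (8-byte header holding little-endian width and height), the 64-byte buffer size, and all function and constant names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_HDR_LEN  8   /* assumed header: width, height as 32-bit little-endian */
#define IMG_DATA_MAX 64  /* assumed capacity of the fixed-size stack buffer */

enum img_status { IMG_OK, IMG_TRUNCATED, IMG_BAD_DIMS, IMG_TOO_LARGE };

static uint32_t rd_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical stand-in for ProcessImage: every length is validated
   before any byte is written to the stack buffer img. */
enum img_status process_image_checked(const unsigned char *in, size_t in_len,
                                      uint32_t *sum_out) {
    unsigned char img[IMG_DATA_MAX];
    if (in == NULL || in_len < IMG_HDR_LEN) return IMG_TRUNCATED;
    uint32_t w = rd_le32(in), h = rd_le32(in + 4);
    if (w == 0 || h == 0) return IMG_BAD_DIMS;
    /* Divide rather than multiply so w * h cannot wrap before the check. */
    if (w > IMG_DATA_MAX / h) return IMG_TOO_LARGE;
    size_t need = (size_t)w * h;
    /* The header must not claim more pixel data than the input holds. */
    if (need > in_len - IMG_HDR_LEN) return IMG_TRUNCATED;
    memcpy(img, in + IMG_HDR_LEN, need);
    uint32_t sum = 0;
    for (size_t i = 0; i < need; i++) sum += img[i];
    if (sum_out) *sum_out = sum;
    return IMG_OK;
}

/* Constructed sample inputs (not AFL++ output from the assessment). */
static const unsigned char SAMPLE_OK[]    = {2,0,0,0, 2,0,0,0, 1,2,3,4};
static const unsigned char SAMPLE_HUGE[]  = {0xff,0xff,0,0, 0xff,0xff,0,0, 1,2,3,4};
static const unsigned char SAMPLE_SHORT[] = {4,0,0,0, 4,0,0,0, 1,2,3};

int main(void) {
    uint32_t sum = 0;
    printf("ok=%d sum=%u\n", process_image_checked(SAMPLE_OK, sizeof SAMPLE_OK, &sum), (unsigned)sum);
    printf("huge=%d\n", process_image_checked(SAMPLE_HUGE, sizeof SAMPLE_HUGE, NULL));
    printf("short=%d\n", process_image_checked(SAMPLE_SHORT, sizeof SAMPLE_SHORT, NULL));
    return 0;
}
```

Rejecting the input with a distinct status for each failed check also gives the fuzzer a clean non-crashing path, so any crash that remains points at a check that is still missing.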

Conclusion

The analysis conducted on Facibook’s code identified critical vulnerabilities related to memory
management and input handling. By addressing these issues, Facibook can strengthen its
software security, reduce the risk of exploitation, and improve system reliability. Continued
monitoring and testing are recommended to maintain a secure codebase.
