Level up and hit it with physical attacks: an introduction to Fuzzing #pyfes (レベルを上げて物理で殴れ、Fuzzing入門)

1. Level up and hit it with physical attacks: an introduction to Fuzzing. Tokoroten @tokoroten
2. About me
• Formerly: unexploded-ordnance disposal on the former Nakajima Aircraft site
• Now: backend work at a social game company
• Writing Python at a Rails shop
• Security, natural language processing, machine learning
• Wrote a game in 100% Python and distributed it at Comiket
  – http://www.pygame.org/project-Howitzer-1925-.html
3. What is Fuzzing?
• Level up and hit it with physical attacks
• Raise your computing power and hit it with tests
4. Concretely
• Find a spare moment and have a Debug Revolution
• Overjoyed, the code goes pop
• ┗(^o^ )┓三
5. Put simply?
• Feed a program
• random data
• and crash it
6. Fuzzing is the flip side of testing
• Unit tests: assurance that the program works correctly on the inputs you thought of
• Fuzzing: confidence that it does not break on the inputs you did not think of
7. Benefits
• Smashes bugs and vulnerabilities
  – It attacks what lies outside what a human thought to consider
• Fuzzing parallelizes, so it gets faster with more machines
  – Hit it with everything you have in the cloud
8. Kinds of fuzzing
• Dumb fuzzing
  – Feed completely random data
  – Easy to build, poor efficiency
• Mutation fuzzing
  – Take valid data, mutate it, and feed it in
  – Reasonably easy to build, moderate efficiency
• Smart (generation-based) fuzzing
  – Generate data from the protocol specification
  – Very hard to build, extremely efficient
9. Layers of fuzzing
• Protocol layer
  – HTTP, FTP, SIP, XML, etc.
• Function level
  – Easy if you repurpose your unit tests as the harness
• File level
  – Office, Firefox debugging, and the like
10. Research-grade approaches
• GA fuzzing
  – Measure code coverage while fuzzing
  – Rate test data higher the more coverage it reaches
  – Breed the test data with a genetic algorithm to produce new tests
  – Can attack code that sits deeper in the program
• I reimplemented it, but the performance was underwhelming
  – It reaches deep code but has trouble attacking boundaries
  http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=4682289
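What slides 8 to 10 describe, in one runnable Python example added here (it is not the speaker's code and not the cited paper's implementation): a dumb fuzzer that throws random bytes, a mutation fuzzer that bit-flips, overwrites, inserts, deletes and duplicates bytes of a seed, and a coverage-driven loop that keeps every input reaching a new line and breeds the corpus by splicing (crossover) plus mutation. The target, parse_record, is a constructed toy parser with a planted length-check defect; line coverage is measured with sys.settrace, standing in for whatever coverage tooling the paper used. All names are assumptions of this example.

```python
import random
import sys


def parse_record(data: bytes) -> int:
    """Constructed toy target (not from the talk): b"REC" + length byte + payload.
    ValueError is the parser's own rejection path; anything else escaping is a crash."""
    if len(data) < 4:
        raise ValueError("too short")
    if data[:3] != b"REC":
        raise ValueError("bad magic")
    length = data[3]
    payload = data[4:4 + length]
    checksum = 0
    for i in range(length):        # planted defect: the length byte is trusted, no bounds check
        checksum ^= payload[i]     # IndexError as soon as length > len(payload)
    return checksum


def run_with_coverage(target, data):
    """Run target(data) under sys.settrace; return (lines executed in target, exception or None)."""
    lines = set()

    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is target.__code__:
            lines.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        return lines, None
    except ValueError:             # expected rejection, not a finding
        return lines, None
    except Exception as exc:       # anything else is what we are fuzzing for
        return lines, exc
    finally:
        sys.settrace(None)


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, byte overwrite, byte insert, byte delete or chunk duplication."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 3 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    elif buf:
        start = rng.randrange(len(buf))
        end = rng.randint(start + 1, len(buf))
        buf[end:end] = buf[start:end]
    return bytes(buf)


def dumb_fuzz(target, iterations, seed=0):
    """Slide 8's dumb fuzzing: pure random bytes, which almost never get past the magic check."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        data = bytes(rng.randrange(256) for _ in range(rng.randint(0, 16)))
        exc = run_with_coverage(target, data)[1]
        if exc is not None:
            crashes.append((data, exc))
    return crashes


def coverage_fuzz(target, seeds, iterations, seed=0):
    """Slides 8-10 combined: mutation fuzzing whose fitness is line coverage.  An input that
    executes a line nobody has hit before joins the corpus; parents are picked from the corpus,
    sometimes spliced with another member (crossover), then mutated 1-3 times."""
    rng = random.Random(seed)
    corpus, seen, crashes = list(seeds), set(), []
    for data in corpus:
        seen |= run_with_coverage(target, data)[0]
    for _ in range(iterations):
        child = rng.choice(corpus)
        if len(corpus) > 1 and rng.random() < 0.25:
            other = rng.choice(corpus)
            child = child[:rng.randint(0, len(child))] + other[rng.randint(0, len(other)):]
        for _ in range(rng.randint(1, 3)):
            child = mutate(child, rng)
        lines, exc = run_with_coverage(target, child)
        if exc is not None:
            crashes.append((child, exc))
        elif lines - seen:                       # new coverage: keep it as a future parent
            seen |= lines
            corpus.append(child)
    return corpus, crashes


if __name__ == "__main__":
    print("dumb fuzzing:", len(dumb_fuzz(parse_record, 2000)), "crashes")
    corpus, crashes = coverage_fuzz(parse_record, [b"REC\x03abc"], 2000)
    print("coverage-guided:", len(crashes), "crashes, corpus size", len(corpus))
    if crashes:
        print("first crashing input:", crashes[0][0], "->", repr(crashes[0][1]))
```

Run it and the dumb fuzzer reports zero crashes, because random bytes almost never start with the three magic bytes, while the guided loop finds the IndexError within a few hundred iterations; that gap is the efficiency ordering of slide 8. The harness shape is the function-level fuzzing of slide 9: run_with_coverage wraps any function that takes bytes, so the same loop can drive a unit-test target.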
11. Fuzzing in practice
• Firefox
  – Fetch HTML from one million sites taken from the Alexa list
  – Feed a subset daily
  – Feed the whole data set on weekends
• Microsoft
  – Attacks its own products with fuzzing
  – Found 1,800 bugs in Office 2010
  – Fuzzing also let Vista ship with fewer bugs than XP
  – Runs internal fuzzing contests
12. What I built this time
• A fuzzer: give it a regular expression and it returns strings the expression accepts
• Implementation
  – Uses the sre_parse module that Python's re module uses internally
  – sre_parse parses the regex into a tree structure
  – Random-walk the regex automaton and emit accepted strings
  https://github.com/tokoroten/acceptableRegex
13. Using sre_parse
• Regex: "(fuga{4,10})+"
• Structure after parsing with sre_parse
  – [(max_repeat, (1, 65535, [(subpattern, (1, [(literal, 102), (literal, 117), (literal, 103), (max_repeat, (4, 10, [(literal, 97)]))]))]))]
  – 65535 is the MAXREPEAT sentinel of the Python used here for an unbounded repeat; newer versions print a larger value, and from Python 3.6 the subpattern tuple carries two extra flag fields in front of the body
• After that, just grind out the random walk
14. Experiment
• A URL regex (from http://www.din.or.jp/~ohzaki/perl.htm), with the escaped "\." and "\?" restored as the parse tree on the next slide shows them:
  – http://(?:(?:(?:[a-zA-Z0-9]|[a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9])\.)*(?:[a-zA-Z]|[a-zA-Z][-a-zA-Z0-9]*[a-zA-Z0-9])\.?|[0-9]+\.[0-9]+.[0-9]+\.[0-9]+)(?::[0-9]*)?(?:/(?:[-_.!~*'()a-zA-Z0-9:@&=+$,]|%[0-9A-Fa-f][0-9A-Fa-f])*(?:;(?:[-_.!~*'()a-zA-Z0-9:@&=+$,]|%[0-9A-Fa-f][0-9A-Fa-f])*)*(?:/(?:[-_.!~*'()a-zA-Z0-9:@&=+$,]|%[0-9A-Fa-f][0-9A-Fa-f])*(?:;(?:[-_.!~*'()a-zA-Z0-9:@&=+$,]|%[0-9A-Fa-f][0-9A-Fa-f])*)*)*(?:\?(?:[-_.!~*'()a-zA-Z0-9;/?:@&=+$,]|%[0-9A-Fa-f][0-9A-Fa-f])*)?)?
• Note the one unescaped "." between the second and third octets of the IPv4 alternative (it parses to (any, None) on the next slide): that is why the generated hosts on slide 16 contain characters like "u", "x" and "?"
15. Parse result from sre_parse
• [(literal, 104), (literal, 116), (literal, 116), (literal, 112), (literal, 58), (literal, 47), (literal, 47), (subpattern, (None, [(branch, (None, [[(max_repeat, (0, 65535, [(subpattern, (None, [(subpattern, (None, [(in, [(range, (97, 122)), (range, (65, 90)), (range, (48, 57))]), (branch, (None, [[], [(max_repeat, (0, 65535, [(in, [(literal, 45), (range, (97, 122)), (range, (65, 90)), (range, (48, 57))])])), (in, [(range, (97, 122)), (range, (65, 90)), (range, (48, 57))])]]))])), (literal, 46)]))])), (subpattern, (None, [(in, [(range, (97, 122)), (range, (65, 90))]), (branch, (None, [[], [(max_repeat, (0, 65535, [(in, [(literal, 45), (range, (97, 122)), (range, (65, 90)), (range, (48, 57))])])), (in, [(range, (97, 122)), (range, (65, 90)), (range, (48, 57))])]]))])), (max_repeat, (0, 1, [(literal, 46)]))], [(max_repeat, (1, 65535, [(in, [(range, (48, 57))])])), (literal, 46), (max_repeat, (1, 65535, [(in, [(range, (48, 57))])])), (any, None), (max_repeat, (1, 65535, [(in, [(range, (48, 57))])])), (literal, 46), (max_repeat, (1, 65535, [(in, [(range, (48, 57))])]))]]))])), (max_repeat, (0, 1, [(subpattern, (None, [(literal, 58), (max_repeat, (0, 65535, [(in, [(range, (48, 57))])]))]))])), (max_repeat, (0, 1, [(subpattern, (None, [(literal, 47), (max_repeat, (0, 65535, [(subpattern, (None, [(branch, (None, [[(in, [(literal, 45), (literal, 95), (literal, 46), (literal, 33), (literal, 126), (literal, 42), (literal, 39), (literal, 40), (literal, 41), (range, (97, 122)), (range, (65, 90)), (range, (48, 57)), (literal, 58), (literal, 64), (literal, 38), (literal, 61), (literal, 43), (literal, 36), (literal, 44)])], [(literal, 37), (in, [(range, (48, 57)), (range, (65, 70)), (range, (97, 102))]), (in, [(range, (48, 57)), (range, (65, 70)), (range, (97, 102))])]]))]))])), (max_repeat, (0, 65535, [(subpattern, (None, [(literal, 59), (max_repeat, (0, 65535, [(subpattern, (None, [(branch, (None, [[(in, [(literal, 45), (literal, 95), (literal, 46), (literal, 33), (literal, 126), (literal, 42), (literal, 39), (literal, 40), (literal, 41), (range, (97, 122)), (range, (65, 90)), (range, (48, 57)), (literal, 58), (literal, 64), (literal, 38), (literal, 61), (literal, 43), (literal, 36), (literal, 44)])], [(literal, 37), (in, [(range, (48, 57)), (range, (65, 70)), (range, (97, 102))]), (in, [(range, (48, 57)), (range, (65, 70)), (range, (97, 102))])]]))]))]))]))])), (max_repeat, (0, 65535, [(subpattern, (None, [(literal, 47), (max_repeat, (0, 65535, [(subpattern, (None, [(branch, (None, [[(in, [(literal, 45), (literal, 95), (literal, 46), (literal, 33), (literal, 126), (literal, 42), (literal, 39), (literal, 40), (literal, 41), (range, (97, 122)), (range, (65, 90)), (range, (48, 57)), (literal, 58), (literal, 64), (literal, 38), (literal, 61), (literal, 43), (literal, 36), (literal, 44)])], [(literal, 37), (in, [(range, (48, 57)), (range, (65, 70)), (range, (97, 102))]), (in, [(range, (48, 57)), (range, (65, 70)), (range, (97, 102))])]]))]))])), (max_repeat, (0, 65535, [(subpattern, (None, [(literal, 59), (max_repeat, (0, 65535, [(subpattern, (None, [(branch, (None, [[(in, [(literal, 45), (literal, 95), (literal, 46), (literal, 33), (literal, 126), (literal, 42), (literal, 39), (literal, 40), (literal, 41), (range, (97, 122)), (range, (65, 90)), (range, (48, 57)), (literal, 58), (literal, 64), (literal, 38), (literal, 61), (literal, 43), (literal, 36), (literal, 44)])], [(literal, 37), (in, [(range, (48, 57)), (range, (65, 70)), (range, (97, 102))]), (in, [(range, (48, 57)), (range, (65, 70)), (range, (97, 102))])]]))]))]))]))]))]))])), (max_repeat, (0, 1, [(subpattern, (None, [(literal, 63), (max_repeat, (0, 65535, [(subpattern, (None, [(branch, (None, [[(in, [(literal, 45), (literal, 95), (literal, 46), (literal, 33), (literal, 126), (literal, 42), (literal, 39), (literal, 40), (literal, 41), (range, (97, 122)), (range, (65, 90)), (range, (48, 57)), (literal, 59), (literal, 47), (literal, 63), (literal, 58), (literal, 64), (literal, 38), (literal, 61), (literal, 43), (literal, 36), (literal, 44)])], [(literal, 37), (in, [(range, (48, 57)), (range, (65, 70)), (range, (97, 102))]), (in, [(range, (48, 57)), (range, (65, 70)), (range, (97, 102))])]]))]))]))]))]))]))]))]
16. Output
• http://1625.33425u08104123.781417247
• http://55528104.3857525588?613082112.77601072
• http://35037.3542P46667.48007/%eD%ee~;-):=-:%Be;@$%D4+!;%aB,;)r%B7%68;%ed$%58:),/%31%5A%DC/%bB%e1.;&;)%AB%Db4,%e1%Ee4;%A4=%dB6%67;%Bd0%6b/;%b8%eB%4B%2e%c6%1b-
• http://E--L.f.R.8.2.qj-6.pvYRV-10J8:2067715
• http://235430.86635865x3304578.84274/%cB%AC;)__;%bA%E0$%31)%c3;%Aa*%bE+;!y+~=@;!)%DB:%dD%bb@;_%cE%de@%A6%cC);%BB%Dc;n%Ec%4D;=(=;%68$&%eD$--/IY-;.%aE-)&%ed%E7%71%Eb?.%AC%Db%cC%eEfl%67
• http://3.044n8365426546.864:707/%65%A2,%5E,%ea%Ec%2C_%dD;;c%45&%dE~L;)%aA~=;%bC%34%d6;%0D:%Cb=_/%aA,%ab=%B1%bC:&_;,+=;%3e=%BB%C0%34)%0b.;%5AI%eB%a1;@;%EA%c5:;%bB%4a,%c0%3D%0E%Ce;!%Ee*)%e82+;@E*%72-$$%2c;%bD%bD%De-%b0+/;$%DE%17%1E)%CB%2E-;%aB!;%24%d4$_%5d/%70@~%cb(;%4d%CA%80:;%ED%205%7d=;;*l%D8*;-@,/%D3.%eEi;(*%B3=Bc;+%aD%bA)--+%D8%bA;=~%Ad%67%30;%aD*%45%c4(*;%36%E6$!=(;_%Ab%ED%db+U%aA%0B;!%DB:(A%e76%AB*;=%8e%d7!%AD%2dS~;+%Da%cC%2BT%BE)_%dDy?%CA%aE
• http://11285763.087w614.4257718562/%AB$%Cd*;*,%be%E3:%5B)%aa%8Ba;%d3_+%E6%E6*%ca;.,;,!%7E~%ee%a8%AB;%5DB8;%Ae%CA%4A(+;*-%2c%d3@*;%26.%6D:@%C6/@;%8A%BA%D4%be%E8%E3,;.%Cb+%cD/!%bc;%EA$m%d830_%c8%6D;%AB@~;;;%a8;:@_%e1;%a4;%cC%db%aE%0c%A3(!$;%c4%ca~&%cdc;-)/_.%B6(%cb!;$%7D%aC~@%7b%ee,%0a;%4c;%Ce;%bb$%c7%8C:%Ee%Eb%EE%48~;%Ab*%0A/%be-EY%dC%bb(:;%45%6Cp)%55-%aA%7A;%DB%Ab%66=%Ed%db%BD&%D3/*@.%Abl=%B8_%BD@;%5B)((h%bD%e3%d7/%e0);%bB;%CB%5e;@H:%e5;~_:=%6A%0c%Da%Bb,/h:%D1%Ea,;%43%eA%BB.%a7:%a5;-2%Cc1:./;-%Ee;%4E*.%84=~%D6&%A8;%eB%dC%cB;%db%aA%7E):,(,%2E-;)%AEi++$;;==%ac:%C4%62X%7A/)%eb%3a%EB%4c0%aa;C-@@;-:@&5Q%eD,,;!:y,i*=%4e;%21%aa%68$,%Bc:%A2%7B;%2d@%dA%ED%6a;(%dB%2a(%35;%e7%ED(_%bD%51+1;%26%D0!%Ce;%4ap%Ea%B1;/%aC=+%a2_AN;~@%Bb%CB%b2;.%bb%cA%1B=@%Cb%c1%8Aq;v%CA%BA;@%bD=;,%1b%a2@@@;_@&@!%ac?%ce+_XS$%d8
• http://s.E.x6a-Y7-W.X.lJ-S1A7.:5/%C5;%d4Q$-$!*+B/%a3@%2b,j%A1%c1@%aB;~)S%eE%01fl);+%7e%BA&%03@=U,%67;e,%0b%cc%77;(_%65%e1%AD+%e8H;&e.+!%aE%C8*%Bb!;%Da+%eB:%8c;%32%B5%E6%CD@!%61/-+%5E%D3+:!;;1$,%cA$%ca!$%e3!/%8B%a2%C3%a3%b0~%a6%Da;%d1%D7,%88);::~@3%58_;--@_%8b;%c5%a1%Eb6&%2b%Ae%ba;&%67@%Be%A4%4D!;%EDeD+%2d%da)%57*/&%ca%d1F)%D26w;-:;+=%44I%ede%D6%41%ee;%ee-%db@%c4,%ee;%Da;@%c3G~:6;%52p)o%Eb%AA!;$!:%DA&%C50;/%ca%ea1.;%AC%Ca:%73L;;%Aa&a)%Aa;;$~!_%ac,/)%BD.;:L%63-%54,!;%ee%cD%36%bB=!%D0;;%be%E5.;%ad%6E%38%BeI!;%dd%EC;%c6*;+%2B_%81)%58(/(%45%BC;=*:%3a%cE*%5B$;%c7%C8%74$,;$%cE%E4%A5;;%E0%B5%AB%Cd%87m+?$:;!%DE%5b
• http://J8614.C/,%D1%E3%2a@;.-%b8;=@%36=$;%Ce@;%2a_&E%AE/%0C%De%eB+;!%EE-,%5A~=_@-;%20%BC%Bd!%Ec;%ba;%07;=%Da)S%ee.%aa%dE$;;(%Ee$;%C8%aD%ad;/;;,%7A;nY%B1;.%cE%Bd%D8/.@-%67_0%dD%2A0/%EB%ea$%CC%3a-!~t;%bc%2c%CB%d4!;%C4%a1@~%DE,%Ed%6a_;;%dA)*%2d/%1b,-%6Em%ec%01%81%bE%da;%Dd=~%0B%A1%bDo;)%Ad@%b8+%Ee~&(.;%2e%EB
Truly wicked!
17. Let's attack something
• Fed 100,000 generated URLs to TeraPad and Skype: no problems
• A sloppy URL parser could well crash on them
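The random walk of slides 12 and 13, implemented here as an added example (my own code, not the acceptableRegex repository): it walks the tree that sre_parse returns, picks one alternative per branch, one length per repeat and one character per set, and so only emits strings the regex accepts. URL_PATTERN is slide 14's regex with its backslashes restored from the parse tree on slide 15; hammer() is slide 17 in miniature, with urlsplit().port from the standard library standing in for TeraPad and Skype. PRINTABLE, UNBOUNDED_EXTRA and the function names are assumptions of this example.

```python
import random
import re
import string
from _sre import MAXREPEAT                   # sentinel sre_parse uses for an unbounded repeat
from urllib.parse import urlsplit

try:                                         # Python 3.11+ moved the parser; sre_parse is a deprecated alias
    from re import _parser as sre_parse
except ImportError:                          # Python 3.10 and older
    import sre_parse

PRINTABLE = [chr(c) for c in range(0x20, 0x7F)]   # alphabet for '.', negated sets and \S-style classes
UNBOUNDED_EXTRA = 5                               # '*', '+' and '{n,}' get min..min+5 repetitions
CATEGORY_BASE = {"CATEGORY_DIGIT": string.digits, "CATEGORY_SPACE": " \t\r\n\x0b\x0c",
                 "CATEGORY_WORD": string.ascii_letters + string.digits + "_"}

# Slide 14's URL regex with the backslashes restored from the parse tree on slide 15.  The unescaped
# '.' between the 2nd and 3rd IPv4 octets is kept on purpose: it is the (any, None) node of slide 15.
URL_PATTERN = (
    r"http://(?:(?:(?:[a-zA-Z0-9]|[a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9])\.)*"
    r"(?:[a-zA-Z]|[a-zA-Z][-a-zA-Z0-9]*[a-zA-Z0-9])\.?|[0-9]+\.[0-9]+.[0-9]+\.[0-9]+)"
    r"(?::[0-9]*)?(?:/(?:[-_.!~*'()a-zA-Z0-9:@&=+$,]|%[0-9A-Fa-f][0-9A-Fa-f])*"
    r"(?:;(?:[-_.!~*'()a-zA-Z0-9:@&=+$,]|%[0-9A-Fa-f][0-9A-Fa-f])*)*"
    r"(?:/(?:[-_.!~*'()a-zA-Z0-9:@&=+$,]|%[0-9A-Fa-f][0-9A-Fa-f])*"
    r"(?:;(?:[-_.!~*'()a-zA-Z0-9:@&=+$,]|%[0-9A-Fa-f][0-9A-Fa-f])*)*)*"
    r"(?:\?(?:[-_.!~*'()a-zA-Z0-9;/?:@&=+$,]|%[0-9A-Fa-f][0-9A-Fa-f])*)?)?"
)


def _opname(op):
    return getattr(op, "name", str(op))      # sre opcodes are named ints; dispatch on the name


def _category_pool(cat_name):
    """Characters for \\d \\s \\w and their negations; other categories are rejected explicitly."""
    if cat_name in CATEGORY_BASE:
        return CATEGORY_BASE[cat_name]
    positive = cat_name.replace("_NOT_", "_")
    if positive not in CATEGORY_BASE:
        raise NotImplementedError(f"unsupported category: {cat_name}")
    return "".join(ch for ch in PRINTABLE if ch not in CATEGORY_BASE[positive])


class RegexWalker:
    """Random walk over the sre_parse tree: every string emitted is accepted by the regex.
    Anchors are emitted as '' (right for ^ and $, not for \\b); lookarounds raise NotImplementedError."""
    def __init__(self, pattern, seed=None):
        self.tree = sre_parse.parse(pattern)
        self.rng = random.Random(seed)

    def generate(self):
        self.groups = {}                      # captured text per group, for back-references
        return self._walk(self.tree)

    def _walk(self, seq):
        return "".join(self._node(op, av) for op, av in seq)

    def _node(self, op, av):
        name = _opname(op)
        if name == "LITERAL":
            return chr(av)
        if name == "NOT_LITERAL":
            return self.rng.choice([c for c in PRINTABLE if ord(c) != av])
        if name == "ANY":
            return self.rng.choice(PRINTABLE)
        if name == "IN":
            return self._charset(av)
        if name in ("MAX_REPEAT", "MIN_REPEAT"):
            lo, hi, body = av
            hi = lo + UNBOUNDED_EXTRA if hi == MAXREPEAT else hi
            return "".join(self._walk(body) for _ in range(self.rng.randint(lo, hi)))
        if name == "SUBPATTERN":              # av is (group, p) on old Pythons, (group, add, del, p) on 3.6+
            text = self._walk(av[-1])
            if av[0] is not None:
                self.groups[av[0]] = text
            return text
        if name == "BRANCH":
            return self._walk(self.rng.choice(av[1]))
        if name == "GROUPREF":
            return self.groups[av]
        if name == "AT":
            return ""
        raise NotImplementedError(f"unsupported regex node: {name}")

    def _charset(self, items):
        if items and _opname(items[0][0]) == "NEGATE":
            return self.rng.choice([c for c in PRINTABLE if not self._in_set(items[1:], ord(c))])
        kind, av = self.rng.choice(items)     # uniform over set items, not over characters
        name = _opname(kind)
        if name == "LITERAL":
            return chr(av)
        if name == "RANGE":
            return chr(self.rng.randint(av[0], av[1]))
        if name == "CATEGORY":
            return self.rng.choice(_category_pool(_opname(av)))
        raise NotImplementedError(f"unsupported set item: {name}")

    @staticmethod
    def _in_set(items, code):
        for kind, av in items:
            name = _opname(kind)
            if ((name == "LITERAL" and code == av) or (name == "RANGE" and av[0] <= code <= av[1])
                    or (name == "CATEGORY" and chr(code) in _category_pool(_opname(av)))):
                return True
        return False


def samples(pattern, n, seed=0):
    walker = RegexWalker(pattern, seed)
    return [walker.generate() for _ in range(n)]


def all_accepted(pattern, n=100, seed=0):
    """Self-check of the generator: every output must fullmatch the pattern it came from."""
    rx = re.compile(pattern)
    return all(rx.fullmatch(s) is not None for s in samples(pattern, n, seed))


def hammer(pattern, target, n, seed=0):
    """Slide 17 in miniature: feed n accepted strings to target, keep every exception it raises."""
    failures = []
    for s in samples(pattern, n, seed):
        try:
            target(s)
        except Exception as exc:
            failures.append((s, exc))
    return failures


def port_of(url):
    return urlsplit(url).port                 # ValueError for a port above 65535 or a non-numeric one


if __name__ == "__main__":
    for url in samples(URL_PATTERN, 5, seed=42):
        print(url)
    print(len(hammer(URL_PATTERN, port_of, 10000, seed=1)), "of 10000 generated URLs made urlsplit().port raise")
```

The generator is self-checking: all_accepted() confirms that every output fullmatches its own pattern, which is the check to run first whenever you extend the walker. hammer() shows where the regex is looser than the parser: it admits ports of up to five digits and, through that unescaped ".", bracket and colon characters inside the IPv4 host, so urlsplit().port raises ValueError on a few percent of the generated URLs. Each such input is exactly the kind of disagreement between validator and consumer that slide 17 is hunting for.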
18. Summary
• Fuzzing is an attack with random data
• It gives confidence, not proof, that bugs do not surface
• Implemented in Python: generate random patterns from a regex so the attack is efficient
• Everyone, go attack your own code
19. Do I use it at work?
• Not "yet"
• But I'm about to!
• Brace yourselves, dear colleagues
20. Finally
• It turns out MS was already providing the same thing! (∩ ゚д゚) La la la, I can't hear you
21. References
• Books
  – Beautiful Testing (ビューティフルテスティング)
  – Fuzzing: Brute Force Vulnerability Discovery (ファジング：ブルートフォースによる脆弱性発見手法)
  – Gray Hat Python (リバースエンジニアリング ―Pythonによるバイナリ解析技法)
• Articles
  – http://www.computerworld.com/s/article/9174539/Microsoft_runs_fuzzing_botnet_finds_1_800_Office_bugs
  – http://www.hackingvoip.com/
  – http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Endler.pdf
  – http://msdn.microsoft.com/en-us/library/cc162782.aspx
  – http://news.mynavi.jp/articles/2007/11/17/bhj3/index.html
22. References
• Tools
  – http://peachfuzzer.com/
  – http://www.microsoft.com/download/en/details.aspx?id=21769
  – http://www.microsoft.com/download/en/details.aspx?id=20095
  – http://freecode.com/projects/zzuf?branch_id=68024&release_id=245074
  – http://packetstormsecurity.org/fuzzer/
  – http://www.computerdefense.org/2006/12/webfuzz-a-series-of-basically-useless-python-scripts/
