Upcoming SlideShare
×

# 0-knowledge fuzzing

763 views
682 views

Published on

0 Likes
Statistics
Notes
• Full Name
Comment goes here.

Are you sure you want to Yes No
• Be the first to comment

• Be the first to like this

Views
Total views
763
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
28
0
Likes
0
Embeds 0
No embeds

No notes for slide
• babic
• ### 0-knowledge fuzzing

1. 1. 0-Knowledge Fuzzing<br />VincenzoIozzo<br />vincenzo.iozzo@zynamics.com<br />
2. 2. Disclaimer<br />In this talk you won’t see all those formulas, formal definition, code snippets and bullets. <br />From past experiences the speaker learned that all the aforementioned elements are no useful in making people understand your idea.<br />You instead will see a lot of funny pictures which the speaker hopes will convey better the understanding of the ideas explained in the talk<br />You don’t want slides like this, do you?<br />
3. 3. Motivations<br />
4. 4. Questions!<br />
5. 5. Fuzzing<br />
6. 6. How it used to be<br />
7. 7. How it is today (aka the reason of this talk)<br />
8. 8. Dumb fuzzing<br />
9. 9. Smart Fuzzing<br />
10. 10. Evolutionary Based Fuzzing<br />
11. 11. The idea<br />
12. 12. The surface<br />
13. 13. We need a filter<br />
14. 14. Cyclomatic complexity<br />
15. 15. This one<br />
16. 16. Not this one<br />
17. 17. Original formula<br /> M = E – N + 2P<br />Number of edges<br />Number of nodes<br />Connected components<br />
18. 18. Why? Cyclomatic number<br /> M = E – N + P<br />
19. 19. Simplify<br />
20. 20. Formula<br />M = E – N + 2<br />
21. 21. Problem<br />
22. 22. Loop detection<br />
23. 23. Dominator tree<br />
24. 24. Dominators<br />
25. 25. Function<br />
26. 26. Dominator tree<br />
27. 27. Dominators<br />
28. 28. Implicit loops<br />
29. 29. REIL<br />
30. 30. This one…<br />
31. 31. …to this one<br />
32. 32. Is that enough?<br />
33. 33. Not enough<br />Of course not, more heuristics needed<br />void*safe_strcpy(void*old_dest,void *src, intsize){<br />void*dst = realloc(old_dest, size +1); <br />strncpy(dst, src, size); <br />returndst;<br />}<br />
35. 35. DEMO<br />
36. 36. Questions!<br />
37. 37. Data Tainting<br />
38. 38. Example<br />Taint Source<br />Taint mark<br />movl0x4[eax], ebx<br />
39. 39. Dytan<br />
40. 40. PIN<br />
41. 41. Taint sources<br />
42. 42. Markings granularity<br />
43. 43. Propagation <br />add eax, ebx, edx<br />
44. 44. Output<br /> Registers<br /> Memory locations<br />
45. 45. DEMO<br />
46. 46. Questions!<br />
47. 47. In-memory fuzzing<br />
48. 48. Example<br />esi= 0x30f064 <br />Original loc <br />esi= 0x30f0A4 <br />Fuzzed loc <br />rep movs<br />
49. 49. Why?<br />
50. 50. Problems<br />
51. 51. Expertise and patience<br />
52. 52. Memory instability<br />
53. 53. False positives<br />
54. 54. False negatives<br />
55. 55. Mutation loop insertion<br />
56. 56. Snapshot mutation restoration<br />
57. 57. What do we do?<br />Hook image<br />Hook functions<br />Hook instructions<br />Hook <br />
58. 58. First approach<br />
59. 59. For instance…<br />30f064-30f068<br /> 0x8a Y 0x00 K<br />ABCD<br />
60. 60. Second approach<br />
61. 61. Example<br />30f064-30f068<br />30f084-30f098<br />0x89 K D F 0x96<br />0x00 J K U Y W 0xA7<br />0xB8 0x00 0x10 A T N<br />0x00 0xD3<br />ABCD<br />
62. 62. Code coverage<br />
63. 63. Score<br />BBexecuted/BBtotal<br />Basic Blocks executed<br />Total Basic Blocks <br />
64. 64. Halting<br />Cevil = Cgood + t<br />Code coverage evil sample<br />Code coverage good sample<br />User-supplied threshold<br />
65. 65. How??<br />Good sample<br />Evil sample<br />Compare<br />Score <br />Score <br />
66. 66. What do we use?<br />Code coverage<br />Faults monitor<br />
67. 67. DEMO<br />
68. 68. Future – A reasoner<br />
69. 69. Thanks<br />
70. 70. Questions!<br />