• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
0-knowledge fuzzing
 

0-knowledge fuzzing

on

  • 3,267 views

Slides for the 0-knowledge fuzzing presentation given at Black Hat DC 2010 by Vincenzo Iozzo

Slides for the 0-knowledge fuzzing presentation given at Black Hat DC 2010 by Vincenzo Iozzo

Statistics

Views

Total Views
3,267
Views on SlideShare
2,229
Embed Views
1,038

Actions

Likes
1
Downloads
37
Comments
0

6 Embeds 1,038

http://blog.zynamics.com 989
http://tiqad.com 32
http://www.slideshare.net 11
url_unknown 4
http://webcache.googleusercontent.com 1
http://translate.googleusercontent.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • babic

0-knowledge fuzzing 0-knowledge fuzzing Presentation Transcript

  • 0-Knowledge Fuzzing
    VincenzoIozzo
    vincenzo.iozzo@zynamics.com
  • Disclaimer
    In this talk you won’t see all those formulas, formal definition, code snippets and bullets.
    From past experiences the speaker learned that all the aforementioned elements are no useful in making people understand your idea.
    You instead will see a lot of funny pictures which the speaker hopes will convey better the understanding of the ideas explained in the talk
    You don’t want slides like this, do you?
  • Motivations
  • Questions!
  • Fuzzing
  • How it used to be
  • How it is today (aka the reason of this talk)
  • Dumb fuzzing
  • Smart Fuzzing
  • Evolutionary Based Fuzzing
  • The idea
  • The surface
  • We need a filter
  • Cyclomatic complexity
  • This one
  • Not this one
  • Original formula
    M = E – N + 2P
    Number of edges
    Number of nodes
    Connected components
  • Why? Cyclomatic number
    M = E – N + P
  • Simplify
  • Formula
    M = E – N + 2
  • Problem
  • Loop detection
  • Dominator tree
  • Dominators
  • Function
  • Dominator tree
  • Dominators
  • Implicit loops
  • REIL
  • This one…
  • …to this one
  • Is that enough?
  • Not enough
    Of course not, more heuristics needed
    void*safe_strcpy(void*old_dest,void *src, intsize){
    void*dst = realloc(old_dest, size +1);
    strncpy(dst, src, size);
    returndst;
    }
  • Add your own
    For static analysis we use
  • DEMO
  • Questions!
  • Data Tainting
  • Example
    Taint Source
    Taint mark
    movl0x4[eax], ebx
  • Dytan
  • PIN
  • Taint sources
  • Markings granularity
  • Propagation
    add eax, ebx, edx
  • Output
    Registers
    Memory locations
  • DEMO
  • Questions!
  • In-memory fuzzing
  • Example
    esi= 0x30f064
    Original loc
    esi= 0x30f0A4
    Fuzzed loc
    rep movs
  • Why?
  • Problems
  • Expertise and patience
  • Memory instability
  • False positives
  • False negatives
  • Mutation loop insertion
  • Snapshot mutation restoration
  • What do we do?
    Hook image
    Hook functions
    Hook instructions
    Hook
  • First approach
  • For instance…
    30f064-30f068
    0x8a Y 0x00 K
    ABCD
  • Second approach
  • Example
    30f064-30f068
    30f084-30f098
    0x89 K D F 0x96
    0x00 J K U Y W 0xA7
    0xB8 0x00 0x10 A T N
    0x00 0xD3
    ABCD
  • Code coverage
  • Score
    BBexecuted/BBtotal
    Basic Blocks executed
    Total Basic Blocks
  • Halting
    Cevil = Cgood + t
    Code coverage evil sample
    Code coverage good sample
    User-supplied threshold
  • How??
    Good sample
    Evil sample
    Compare
    Score
    Score
  • What do we use?
    Code coverage
    Faults monitor
  • DEMO
  • Future – A reasoner
  • Thanks
  • Questions!
  • More Info
    viozzo.wordpress.com
    @_snagg
    vincenzo.iozzo@zynamics.com