0
0-Knowledge Fuzzing<br />VincenzoIozzo<br />vincenzo.iozzo@zynamics.com<br />
Disclaimer<br />In this talk you won’t see all those formulas, formal definition, code snippets and bullets. <br />From pa...
Motivations<br />
Questions!<br />
Fuzzing<br />
How it used to be<br />
How it is today                               (aka the reason of this talk)<br />
Dumb fuzzing<br />
Smart Fuzzing<br />
Evolutionary Based Fuzzing<br />
The idea<br />
The surface<br />
We need a filter<br />
Cyclomatic complexity<br />
This one<br />
Not this one<br />
Original formula<br />				M = E – N + 2P<br />Number of edges<br />Number of nodes<br />Connected components<br />
Why? Cyclomatic number<br />				M = E – N + P<br />
Simplify<br />
Formula<br />M = E – N + 2<br />
Problem<br />
Loop detection<br />
Dominator tree<br />
Dominators<br />
Function<br />
Dominator tree<br />
Dominators<br />
Implicit loops<br />
REIL<br />
This one…<br />
…to this one<br />
Is that enough?<br />
Not enough<br />Of course not, more heuristics needed<br />void*safe_strcpy(void*old_dest,void *src, intsize){<br />void*d...
Add your own<br />For static analysis we use<br />
DEMO<br />
Questions!<br />
Data Tainting<br />
Example<br />Taint Source<br />Taint mark<br />movl0x4[eax], ebx<br />
Dytan<br />
PIN<br />
Taint sources<br />
Markings granularity<br />
Propagation <br />add eax, ebx, edx<br />
Output<br />				Registers<br />			Memory locations<br />
DEMO<br />
Questions!<br />
In-memory fuzzing<br />
Example<br />esi= 0x30f064 <br />Original loc <br />esi= 0x30f0A4 <br />Fuzzed loc <br />rep movs<br />
Why?<br />
Problems<br />
Expertise and patience<br />
Memory instability<br />
False positives<br />
False negatives<br />
Mutation loop insertion<br />
Snapshot mutation restoration<br />
What do we do?<br />Hook image<br />Hook functions<br />Hook instructions<br />Hook <br />
First approach<br />
For instance…<br />30f064-30f068<br />	0x8a Y 0x00 K<br />ABCD<br />
Second approach<br />
Example<br />30f064-30f068<br />30f084-30f098<br />0x89 K D F 0x96<br />0x00 J K U Y W 0xA7<br />0xB8 0x00 0x10 A T N<br /...
Code coverage<br />
Score<br />BBexecuted/BBtotal<br />Basic Blocks executed<br />Total Basic Blocks <br />
Halting<br />Cevil = Cgood + t<br />Code coverage evil sample<br />Code coverage good sample<br />User-supplied threshold<...
How??<br />Good sample<br />Evil sample<br />Compare<br />Score <br />Score <br />
What do we use?<br />Code coverage<br />Faults monitor<br />
DEMO<br />
Future – A reasoner<br />
Thanks<br />
Questions!<br />
More Info<br />viozzo.wordpress.com<br />				@_snagg<br />vincenzo.iozzo@zynamics.com<br />
Upcoming SlideShare
Loading in...5
×

0-knowledge fuzzing

2,471

Published on

Slides for the 0-knowledge fuzzing presentation given at Black Hat DC 2010 by Vincenzo Iozzo

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,471
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
38
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • babic
  • Transcript of "0-knowledge fuzzing"

    1. 1. 0-Knowledge Fuzzing<br />VincenzoIozzo<br />vincenzo.iozzo@zynamics.com<br />
    2. 2. Disclaimer<br />In this talk you won’t see all those formulas, formal definition, code snippets and bullets. <br />From past experiences the speaker learned that all the aforementioned elements are no useful in making people understand your idea.<br />You instead will see a lot of funny pictures which the speaker hopes will convey better the understanding of the ideas explained in the talk<br />You don’t want slides like this, do you?<br />
    3. 3. Motivations<br />
    4. 4. Questions!<br />
    5. 5. Fuzzing<br />
    6. 6. How it used to be<br />
    7. 7. How it is today (aka the reason of this talk)<br />
    8. 8. Dumb fuzzing<br />
    9. 9. Smart Fuzzing<br />
    10. 10. Evolutionary Based Fuzzing<br />
    11. 11. The idea<br />
    12. 12. The surface<br />
    13. 13. We need a filter<br />
    14. 14. Cyclomatic complexity<br />
    15. 15. This one<br />
    16. 16. Not this one<br />
    17. 17. Original formula<br /> M = E – N + 2P<br />Number of edges<br />Number of nodes<br />Connected components<br />
    18. 18. Why? Cyclomatic number<br /> M = E – N + P<br />
    19. 19. Simplify<br />
    20. 20. Formula<br />M = E – N + 2<br />
    21. 21. Problem<br />
    22. 22. Loop detection<br />
    23. 23. Dominator tree<br />
    24. 24. Dominators<br />
    25. 25. Function<br />
    26. 26. Dominator tree<br />
    27. 27. Dominators<br />
    28. 28. Implicit loops<br />
    29. 29. REIL<br />
    30. 30. This one…<br />
    31. 31. …to this one<br />
    32. 32. Is that enough?<br />
    33. 33. Not enough<br />Of course not, more heuristics needed<br />void*safe_strcpy(void*old_dest,void *src, intsize){<br />void*dst = realloc(old_dest, size +1); <br />strncpy(dst, src, size); <br />returndst;<br />}<br />
    34. 34. Add your own<br />For static analysis we use<br />
    35. 35. DEMO<br />
    36. 36. Questions!<br />
    37. 37. Data Tainting<br />
    38. 38. Example<br />Taint Source<br />Taint mark<br />movl0x4[eax], ebx<br />
    39. 39. Dytan<br />
    40. 40. PIN<br />
    41. 41. Taint sources<br />
    42. 42. Markings granularity<br />
    43. 43. Propagation <br />add eax, ebx, edx<br />
    44. 44. Output<br /> Registers<br /> Memory locations<br />
    45. 45. DEMO<br />
    46. 46. Questions!<br />
    47. 47. In-memory fuzzing<br />
    48. 48. Example<br />esi= 0x30f064 <br />Original loc <br />esi= 0x30f0A4 <br />Fuzzed loc <br />rep movs<br />
    49. 49. Why?<br />
    50. 50. Problems<br />
    51. 51. Expertise and patience<br />
    52. 52. Memory instability<br />
    53. 53. False positives<br />
    54. 54. False negatives<br />
    55. 55. Mutation loop insertion<br />
    56. 56. Snapshot mutation restoration<br />
    57. 57. What do we do?<br />Hook image<br />Hook functions<br />Hook instructions<br />Hook <br />
    58. 58. First approach<br />
    59. 59. For instance…<br />30f064-30f068<br /> 0x8a Y 0x00 K<br />ABCD<br />
    60. 60. Second approach<br />
    61. 61. Example<br />30f064-30f068<br />30f084-30f098<br />0x89 K D F 0x96<br />0x00 J K U Y W 0xA7<br />0xB8 0x00 0x10 A T N<br />0x00 0xD3<br />ABCD<br />
    62. 62. Code coverage<br />
    63. 63. Score<br />BBexecuted/BBtotal<br />Basic Blocks executed<br />Total Basic Blocks <br />
    64. 64. Halting<br />Cevil = Cgood + t<br />Code coverage evil sample<br />Code coverage good sample<br />User-supplied threshold<br />
    65. 65. How??<br />Good sample<br />Evil sample<br />Compare<br />Score <br />Score <br />
    66. 66. What do we use?<br />Code coverage<br />Faults monitor<br />
    67. 67. DEMO<br />
    68. 68. Future – A reasoner<br />
    69. 69. Thanks<br />
    70. 70. Questions!<br />
    71. 71. More Info<br />viozzo.wordpress.com<br /> @_snagg<br />vincenzo.iozzo@zynamics.com<br />
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×