SlideShare a Scribd company logo

Fuzzing: The New Unit Testing

D
Dmitry Vyukov

Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program to detect bugs. Coverage-guided fuzzing uses genetic algorithms to generate inputs that maximize code coverage. It is effective at finding security bugs like overflows, memory errors, and crashes. The presenter demonstrates finding 13 bugs in Boost regex in 30 minutes using libFuzzer. Fuzzing is widely used at Google to test critical software like browsers, libraries, and the Linux kernel due to its ability to find many bugs without requiring test cases.

Engineering
1 of 33
Download to read offline
Fuzzing: The New Unit Testing C++ Russia 2017, Moscow, Feb 25 Dmitry Vyukov, dvyukov@, Google
Agenda ● What is fuzzing ● Coverage-guided fuzzing ● Small tutorial ● How to write effective fuzzers ● Fuzzing@Google
What is Fuzzing? wikipedia.org/wiki/Fuzz_testing: Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program.
Who cares? - We are not testing/checking anything! - Random data will not trigger any bugs!
Fuzzing can find lots of bugs - With the help of sanitizers: - Use-after-free, buffer overflows - Uses of uninitialized memory - Memory leaks - Data races, deadlocks - Int/float overflows, bitwise shifts by invalid amount (other UB) - Plain crashes: - NULL dereferences, uncaught exceptions, div-by-zero - Resource usage bugs: - Memory exhaustion, hangs or infinite loops, infinite recursion (stack overflows) - Logical bugs (lots of, see below)
Data is not necessary "white noise" - There is number of tricks to generate "not so random" data - May or may not require some human help - If used correctly achieves very impressive code coverage
What can be fuzzed? Anything that consumes complex inputs: ● Parsers of any kind (xml, json, asn.1, pdf, truetype, ...) ● Media codecs (audio, video, raster & vector images, etc) ● Network protocols (HTTP, RPC, SMTP, MIME...) ● Crypto (boringssl, openssl) ● Compression (zip, gzip, bzip2, brotli, ...) ● Formatted output (sprintf, template engines) ● Compilers and interpreters (Javascript, PHP, Perl, Python, Go, Clang, ...) ● Regular expression matchers (PCRE, RE2, libc’s regcomp) ● Text/UTF processing (icu) ● Databases (SQLite) ● Browsers, text editors/processors (Chrome, vim, OpenOffice) ● OS Kernels (Linux), drivers, supervisors and VMs Must have for everything that consumes untrusted inputs, open to internet or otherwise security sensitive.
Types of Fuzzers - Grammar-based generation - Generate random inputs according to grammar rules - Peach, packetdrill, csmith, gosmith, syzkaller - Blind mutation - Requires a corpus of representative inputs, apply random mutations to them - ZZUF, Radamsa - Grammar reverse-engineering - Learn grammar from existing inputs using algorithmic approach of machine learning - Sequitur algorithm, go-fuzz - Symbolic execution + SAT solver - Synthesize inputs with maximum coverage using black magic - KLEE - Coverage-guided fuzzers - Genetic algorithm that strives to maximize code coverage - libFuzzer, AFL, honggfuzz, syzkaller - Hybrid
Coverage-guided fuzzing Build the program with code coverage instrumentation; Collect initial corpus of inputs (optional); while (true) { Choose a random input from corpus and mutate it; Run the target program on the input, collect code coverage; If the input gives new coverage, add mutation back to the corpus; }
Coverage-guiding in action if input[0] == '{' { if input[1] == 'i' && input[2] == 'f' { if input[3] == '(' { input[input[4]] = input[5]; // potential OOB write } } } Requires "{if(" input to crash, ~2^32 guesses to crack when blind. Coverage-guiding: Guess "{" in ~2^8, add to corpus. Guess "{i" in ~2^8, add to corpus. Guess "{if" in ~2^8, add to corpus. Guess "{if(" in ~2^8, add to corpus. Total: ~2^10 guesses. See: AFL: Pulling JPEGs out of thin air
Mutations ● erase/insert/change/shuffle bit/byte/bytes ● crossover/splice 2 inputs ● insert token from a dictionary ● insert magic numbers (2^10±1, 2^16±1, 2^31±1, 2^32±1) ● change an ASCII integer (e.g. "123" => "2465357635") ● ...
Coverage flavours Basic blocks: ... (A) if (...) { ... (B) } ... (C) -fsanitize-coverage=bb Edges: ... (A) if (...) { ... (B) } ... (C) -fsanitize-coverage=trace-pc-guard Gives better feedback signal. Counters: for (...) { ... (hit N times) } -fsanitize-coverage=8bit-counters Gives better feedback signal for loops and recursion.
Cracking hashes What about more complex cases? if (*(uint32_t*)input == crc32(input+4, size-4)) {...} if (*(uint64_t*)input == 0xBCEBC041BADBALL) {...}
Cracking hashes Intercept comparison operations: ● compiler intercepts int comparisons (-fsanitize-coverage=trace-cmp) ● runtime intercepts strcmp/memcmp and friends Several possibilities: ● extract int/string literals and insert them into inputs ● find one comparison operand in the input and replace with the other operand ● use PC^POPCNT(op1^op2) as "coverage" signal (Hamming distance)
Dictionaries ● User-provided ○ e.g. for HTTP: "HTTP/1.1", "Host", "Accept-Encoding" ● Automatically extracted from program ○ memcpy(input, "HTTP/1.1", 8)
Tutorial "...one of the most highly regarded and expertly designed C++ library projects in the world" boost.regex (latest version 1.63, in boost since 1.18)
Tutorial: fuzzing function As simple as: int LLVMFuzzerTestOneInput(const uint8_t * Data, size_t Size) { try { std::string str((char*)Data, Size); boost::regex e( str); boost::match_results<std::string::const_iterator> what; boost::regex_match(str, what, e, boost::match_default); } catch (const std::exception&) {} return 0; }
Tutorial: building (the hard part) 1. Build boost with coverage and AddressSanitizer: ./b2 cxxflags="-fsanitize-coverage=trace-pc-guard -fsanitize=address" toolset=clang install 2. Build fuzzer with coverage, AddressSanitizer and libFuzzer: clang++ fuzzer.cc -fsanitize-coverage=trace-pc-guard -fsanitize=address libFuzzer.a The rest is at tutorial.libfuzzer.info
Demo
30 minutes, 13 bugs (ticket/12818): AddressSanitizer: heap-buffer-overflow perl_matcher.hpp:132 in re_skip_past_null AddressSanitizer: heap-buffer-overflow basic_regex_parser.hpp:2599 in parse_perl_extension AddressSanitizer: heap-buffer-overflow perl_matcher.hpp:221 in re_is_set_member AddressSanitizer: heap-buffer-overflow perl_matcher.hpp:166 in re_is_set_member AddressSanitizer: heap-buffer-overflow interceptors.inc:278 in strlen AddressSanitizer: stack-overflow basic_regex_creator.hpp:1054 in create_startmap AddressSanitizer: SEGV on unknown address 0x0000000016e0 MemorySanitizer: use-of-uninitialized-value perl_matcher.hpp:166 in re_is_set_member basic_regex_parser.hpp:904: runtime error: shift exponent 325804978 is too large for 32-bit type 'unsigned int' basic_regex_parser.hpp:2599: runtime error: load of value 56794092, which is not a valid value for type 'syntax_element_type' a.out: perl_matcher_common.hpp:606: Assertion `r.first != r.second' failed Direct leak of 4096 byte(s) in 1 object(s) allocated in get_mem_block regex.cpp:204 ALARM: working on the last Unit for 17 seconds Will find more when these are fixed! Results
Finding logical bugs Not only security/stability - But we don't know the right result! - Use your imagination!
Finding logical bugs ● sanity checks on results ○ uncompressesed image decoder: 100 byte input -> 100 MB output? ○ function returns both error and object, or no error and no object ○ know that some substring must present in output, but it is not ○ encrypt, check that decryption with wrong key fails ● sometimes we do know the right result ○ any sorting: check that each element is present, check that it's not descending ○ building a trie: check size, all elements are present ● asserts ○ assert(a == b)
Finding logical bugs Round-trip: ● encode-decode ● serialize-deserialize ● compress-decompress ● encrypt-decrypt ● assemble-disassemble Checks: ● decode-encode: check that encode don't fail ● decode-encode-decode: check that second decode don't fail ● decode-encode-decode: check that decode results are equal ● encode-decode-encode: check that encode results are equal Very powerful technique.
Finding logical bugs Comparing two (or more) implementations gives phenomenal results: ● check that output is equal ● or at least check that ok/fail result is the same ○ e.g. gcc and clang both accept or reject the code But I don't want to write the second impl! ● there can be several libraries implementing the same (libxmlFoo vs libxmlBar) ● implementation in a different language (re2 vs Go's regexp) ● compare "fast but complex" with "slow but dumb" (sometimes easy to write) ● compare different functions (marshalBinary vs marshalText)
Quick Quiz: how to fuzz clang-format? clang-format: shuffles whitespaces in a source file. Let's imaging destiny of mankind depends on correctness of clang-format! How would you fuzz test it?
Quick Quiz: how to fuzz clang-format? ● run with asan/msan/ubsan ● format twice, compare results (e.g. relies on unordered_map order) ● format, then format result (must be idempotent) ● strip all whitespaces, compare before/after ● check violations of max line length ● compile before/after (formatting breaks/unbreaks code)
Regression testing Normally you run fuzzer for a long time. But any guided fuzzer accumulates corpus of inputs with max coverage. And that's perfect for regression testing! Just run it once on every change!
Fuzzing@Google Why? - faster and faster development - more and more code - correctness is important - stability is still important - security is super important - want to move fast, but keep development costs under control Traditional testing is not enough anymore!
Fuzzing@Google How? - Developers can write "fuzz tests" - picked up by automatic large-scale fuzzing system - but also work as regression unit tests - OSS-Fuzz: continuous fuzzing for OSS - 50+ projects, 190 fuzzers - libFuzzer, radamsa, AFL (coming) - 5000 cores - ClusterFuzz: automated fuzzing for Chromium - 350 fuzzers - libFuzzer, radamsa, AFL, custom fuzzers - 12000 cores - Automatically files bugs and verifies fixes - syzkaller: continuous fuzzing of Linux kernel - several upstream branches + android/chromeos - 100+ VMs + physical devices
Fuzzing@Google ~15'000bugs GLIBC MUSL LIBC pugixml PCRE ICU Freetype ffmpeg Harfbuzz SQLite Python OpenSSL BoringSSL libxml2 BPF Capstone file Radare2 gRPC WOFF2 LLVM Tensorflow libav FreeType2 Foxit libtiff Go Linux libexif libFLAC Little CMS Adobe Reader Adobe Flash Player Adobe DNG SDK ESET NOD32 ClamAV BitDefender poppler ghostscript dcraw qcms libwebp libwebm libvpx gipfeli libots Snapseed Dart VM IJG libjpeg-turbo libpng mozjpeg PHP Firefox Internet Explorer Apple Safari LibreOffice GnuTLS GnuPG OpenSSH bash tcpdump JavaScriptCore pdfium libmatroska libarchive wireshark ImageMagick lcms libbpg lame libsndfile less lesspipe strings dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn pfctl mandoc IDA Pro clamav nasm ctags mutt procmail fontconfig pdksh wavpack redis cmsgpack taglib privoxy perl libxmpradare2 SleuthKit X.Org exifprobe jhead Xerces-C metacam exiv btrfs Knot DNS curl wpa_supplicant dnsmasq imlib2 libraw libwmf uudecode MuPDF libbson libsass boost
Sales pitch ● Fuzzing is complimentary to any other testing technique ● Fuzzing is mandatory for anything security-related ● Fuzzing finds LOTS of bugs ● Fuzzing is easy to use Call to action: ● choose 1 library that uses complex inputs (important or you suspect for bugs) ● write a fuzzer ● run locally with ASAN
Thanks! Q&A http://tutorial.libfuzzer.info Dmitry Vyukov, dvyukov@
References https://en.wikipedia.org/wiki/Fuzz_testing https://github.com/google/sanitizers http://llvm.org/docs/LibFuzzer.html http://tutorial.libfuzzer.info http://lcamtuf.coredump.cx/afl/ https://github.com/google/oss-fuzz https://github.com/google/syzkaller https://github.com/dvyukov/go-fuzz

Recommended

AFLGo: Directed Greybox Fuzzing
AFLGo: Directed Greybox FuzzingAFLGo: Directed Greybox Fuzzing
AFLGo: Directed Greybox Fuzzingmboehme
 
關於SQL Injection的那些奇技淫巧
關於SQL Injection的那些奇技淫巧關於SQL Injection的那些奇技淫巧
關於SQL Injection的那些奇技淫巧Orange Tsai
 
Fuzzing
FuzzingFuzzing
FuzzingKhalegh Salehi
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGMuH4f1Z
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
滲透測試 Talk @ Nisra
滲透測試 Talk @ Nisra滲透測試 Talk @ Nisra
滲透測試 Talk @ NisraOrange Tsai
 

Recommended

AFLGo: Directed Greybox Fuzzing
AFLGo: Directed Greybox FuzzingAFLGo: Directed Greybox Fuzzing
AFLGo: Directed Greybox Fuzzingmboehme
 
關於SQL Injection的那些奇技淫巧
關於SQL Injection的那些奇技淫巧關於SQL Injection的那些奇技淫巧
關於SQL Injection的那些奇技淫巧Orange Tsai
 
Fuzzing
FuzzingFuzzing
FuzzingKhalegh Salehi
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGMuH4f1Z
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
滲透測試 Talk @ Nisra
滲透測試 Talk @ Nisra滲透測試 Talk @ Nisra
滲透測試 Talk @ NisraOrange Tsai
 
Make static instrumentation great again, High performance fuzzing for Windows...
Make static instrumentation great again, High performance fuzzing for Windows...Make static instrumentation great again, High performance fuzzing for Windows...
Make static instrumentation great again, High performance fuzzing for Windows...Lucas Leong
 
Back to the future with C++ and Seastar
Back to the future with C++ and SeastarBack to the future with C++ and Seastar
Back to the future with C++ and SeastarTzach Livyatan
 
Signature verification of kernel module and kexec
Signature verification of kernel module and kexecSignature verification of kernel module and kexec
Signature verification of kernel module and kexecjoeylikernel
 
Arm v8 instruction overview android 64 bit briefing
Arm v8 instruction overview android 64 bit briefingArm v8 instruction overview android 64 bit briefing
Arm v8 instruction overview android 64 bit briefingMerck Hung
 
Offensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetOffensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetRahmat Nurfauzi
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
cpu scheduling in os
cpu scheduling in oscpu scheduling in os
cpu scheduling in osKiran Kumar Thota
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Orange Tsai
 
Sql injection
Sql injectionSql injection
Sql injectionNitish Kumar
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101Paul Ionescu
 
Combine Spring Data Neo4j and Spring Boot to quickl
Combine Spring Data Neo4j and Spring Boot to quicklCombine Spring Data Neo4j and Spring Boot to quickl
Combine Spring Data Neo4j and Spring Boot to quicklNeo4j
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Christian Schneider
 
SQL Server Performance Tuning Baseline
SQL Server Performance Tuning BaselineSQL Server Performance Tuning Baseline
SQL Server Performance Tuning Baseline► Supreme Mandal ◄
 
Linux Kernel Booting Process (2) - For NLKB
Linux Kernel Booting Process (2) - For NLKBLinux Kernel Booting Process (2) - For NLKB
Linux Kernel Booting Process (2) - For NLKBshimosawa
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
JVM: A Platform for Multiple Languages
JVM: A Platform for Multiple LanguagesJVM: A Platform for Multiple Languages
JVM: A Platform for Multiple LanguagesKris Mok
 
LibreOffice oss-fuzz, crashtesting, coverity
LibreOffice oss-fuzz, crashtesting, coverityLibreOffice oss-fuzz, crashtesting, coverity
LibreOffice oss-fuzz, crashtesting, coverityCaolán McNamara
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 

More Related Content

What's hot

Make static instrumentation great again, High performance fuzzing for Windows...
Make static instrumentation great again, High performance fuzzing for Windows...Make static instrumentation great again, High performance fuzzing for Windows...
Make static instrumentation great again, High performance fuzzing for Windows...Lucas Leong
 
Back to the future with C++ and Seastar
Back to the future with C++ and SeastarBack to the future with C++ and Seastar
Back to the future with C++ and SeastarTzach Livyatan
 
Signature verification of kernel module and kexec
Signature verification of kernel module and kexecSignature verification of kernel module and kexec
Signature verification of kernel module and kexecjoeylikernel
 
Arm v8 instruction overview android 64 bit briefing
Arm v8 instruction overview android 64 bit briefingArm v8 instruction overview android 64 bit briefing
Arm v8 instruction overview android 64 bit briefingMerck Hung
 
Offensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetOffensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetRahmat Nurfauzi
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Orange Tsai
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101Paul Ionescu
 
Combine Spring Data Neo4j and Spring Boot to quickl
Combine Spring Data Neo4j and Spring Boot to quicklCombine Spring Data Neo4j and Spring Boot to quickl
Combine Spring Data Neo4j and Spring Boot to quicklNeo4j
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Christian Schneider
 
SQL Server Performance Tuning Baseline
SQL Server Performance Tuning BaselineSQL Server Performance Tuning Baseline
SQL Server Performance Tuning Baseline► Supreme Mandal ◄
 
Linux Kernel Booting Process (2) - For NLKB
Linux Kernel Booting Process (2) - For NLKBLinux Kernel Booting Process (2) - For NLKB
Linux Kernel Booting Process (2) - For NLKBshimosawa
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
JVM: A Platform for Multiple Languages
JVM: A Platform for Multiple LanguagesJVM: A Platform for Multiple Languages
JVM: A Platform for Multiple LanguagesKris Mok
 

What's hot (20)

Make static instrumentation great again, High performance fuzzing for Windows...
Make static instrumentation great again, High performance fuzzing for Windows...Make static instrumentation great again, High performance fuzzing for Windows...
Make static instrumentation great again, High performance fuzzing for Windows...
 
Back to the future with C++ and Seastar
Back to the future with C++ and SeastarBack to the future with C++ and Seastar
Back to the future with C++ and Seastar
 
Signature verification of kernel module and kexec
Signature verification of kernel module and kexecSignature verification of kernel module and kexec
Signature verification of kernel module and kexec
 
Arm v8 instruction overview android 64 bit briefing
Arm v8 instruction overview android 64 bit briefingArm v8 instruction overview android 64 bit briefing
Arm v8 instruction overview android 64 bit briefing
 
Offensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetOffensive PowerShell Cheat Sheet
Offensive PowerShell Cheat Sheet
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
cpu scheduling in os
cpu scheduling in oscpu scheduling in os
cpu scheduling in os
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧
 
Sql injection
Sql injectionSql injection
Sql injection
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101
 
Combine Spring Data Neo4j and Spring Boot to quickl
Combine Spring Data Neo4j and Spring Boot to quicklCombine Spring Data Neo4j and Spring Boot to quickl
Combine Spring Data Neo4j and Spring Boot to quickl
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
 
SQL Server Performance Tuning Baseline
SQL Server Performance Tuning BaselineSQL Server Performance Tuning Baseline
SQL Server Performance Tuning Baseline
 
Linux Kernel Booting Process (2) - For NLKB
Linux Kernel Booting Process (2) - For NLKBLinux Kernel Booting Process (2) - For NLKB
Linux Kernel Booting Process (2) - For NLKB
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
Secure code
Secure codeSecure code
Secure code
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
JVM: A Platform for Multiple Languages
JVM: A Platform for Multiple LanguagesJVM: A Platform for Multiple Languages
JVM: A Platform for Multiple Languages
 

Similar to Fuzzing: The New Unit Testing

LibreOffice oss-fuzz, crashtesting, coverity
LibreOffice oss-fuzz, crashtesting, coverityLibreOffice oss-fuzz, crashtesting, coverity
LibreOffice oss-fuzz, crashtesting, coverityCaolán McNamara
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit AutomationMoabi.com
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
MobileConf 2021 Slides: Let's build macOS CLI Utilities using Swift
MobileConf 2021 Slides: Let's build macOS CLI Utilities using SwiftMobileConf 2021 Slides: Let's build macOS CLI Utilities using Swift
MobileConf 2021 Slides: Let's build macOS CLI Utilities using SwiftDiego Freniche Brito
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
 
[2012 CodeEngn Conference 06] beist - Everyone has his or her own fuzzer
[2012 CodeEngn Conference 06] beist - Everyone has his or her own fuzzer[2012 CodeEngn Conference 06] beist - Everyone has his or her own fuzzer
[2012 CodeEngn Conference 06] beist - Everyone has his or her own fuzzerGangSeok Lee
 
Code quality par Simone Civetta
Code quality par Simone CivettaCode quality par Simone Civetta
Code quality par Simone CivettaCocoaHeads France
 
Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Nelson Brito
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
ooc - A hybrid language experiment
ooc - A hybrid language experimentooc - A hybrid language experiment
ooc - A hybrid language experimentAmos Wenger
 
ooc - A hybrid language experiment
ooc - A hybrid language experimentooc - A hybrid language experiment
ooc - A hybrid language experimentAmos Wenger
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacPriyanka Aash
 
Peddle the Pedal to the Metal
Peddle the Pedal to the MetalPeddle the Pedal to the Metal
Peddle the Pedal to the MetalC4Media
 
Property-based testing an open-source compiler, pflua (FOSDEM 2015)
Property-based testing an open-source compiler, pflua (FOSDEM 2015)Property-based testing an open-source compiler, pflua (FOSDEM 2015)
Property-based testing an open-source compiler, pflua (FOSDEM 2015)Igalia
 
Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)Patricia Aas
 
Skiron - Experiments in CPU Design in D
Skiron - Experiments in CPU Design in DSkiron - Experiments in CPU Design in D
Skiron - Experiments in CPU Design in DMithun Hunsur
 
PVS-Studio and static code analysis technique
PVS-Studio and static code analysis techniquePVS-Studio and static code analysis technique
PVS-Studio and static code analysis techniqueAndrey Karpov
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Community
 

Similar to Fuzzing: The New Unit Testing (20)

LibreOffice oss-fuzz, crashtesting, coverity
LibreOffice oss-fuzz, crashtesting, coverityLibreOffice oss-fuzz, crashtesting, coverity
LibreOffice oss-fuzz, crashtesting, coverity
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
MobileConf 2021 Slides: Let's build macOS CLI Utilities using Swift
MobileConf 2021 Slides: Let's build macOS CLI Utilities using SwiftMobileConf 2021 Slides: Let's build macOS CLI Utilities using Swift
MobileConf 2021 Slides: Let's build macOS CLI Utilities using Swift
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
 
[2012 CodeEngn Conference 06] beist - Everyone has his or her own fuzzer
[2012 CodeEngn Conference 06] beist - Everyone has his or her own fuzzer[2012 CodeEngn Conference 06] beist - Everyone has his or her own fuzzer
[2012 CodeEngn Conference 06] beist - Everyone has his or her own fuzzer
 
Code quality par Simone Civetta
Code quality par Simone CivettaCode quality par Simone Civetta
Code quality par Simone Civetta
 
Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis
 
ooc - A hybrid language experiment
ooc - A hybrid language experimentooc - A hybrid language experiment
ooc - A hybrid language experiment
 
ooc - A hybrid language experiment
ooc - A hybrid language experimentooc - A hybrid language experiment
ooc - A hybrid language experiment
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
 
Peddle the Pedal to the Metal
Peddle the Pedal to the MetalPeddle the Pedal to the Metal
Peddle the Pedal to the Metal
 
Property-based testing an open-source compiler, pflua (FOSDEM 2015)
Property-based testing an open-source compiler, pflua (FOSDEM 2015)Property-based testing an open-source compiler, pflua (FOSDEM 2015)
Property-based testing an open-source compiler, pflua (FOSDEM 2015)
 
Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)
 
Skiron - Experiments in CPU Design in D
Skiron - Experiments in CPU Design in DSkiron - Experiments in CPU Design in D
Skiron - Experiments in CPU Design in D
 
PVS-Studio and static code analysis technique
PVS-Studio and static code analysis techniquePVS-Studio and static code analysis technique
PVS-Studio and static code analysis technique
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph
 

Recently uploaded

Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdfKamal Acharya
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaOmar Fathy
 
Unit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfUnit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfRagavanV2
 
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756dollysharma2066
 
A Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityA Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityMorshed Ahmed Rahath
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXssuser89054b
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VDineshKumar4165
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayEpec Engineered Technologies
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Arindam Chakraborty, Ph.D., P.E. (CA, TX)
 
chapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringchapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringmulugeta48
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.Kamal Acharya
 
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...soginsider
 

Recently uploaded (20)

Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdf
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
Unit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfUnit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdf
 
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
 
A Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityA Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna Municipality
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - V
 
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak HamilCara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
 
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
chapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringchapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineering
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.
 
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
 

Fuzzing: The New Unit Testing

  • 1. Fuzzing: The New Unit Testing C++ Russia 2017, Moscow, Feb 25 Dmitry Vyukov, dvyukov@, Google
  • 2. Agenda ● What is fuzzing ● Coverage-guided fuzzing ● Small tutorial ● How to write effective fuzzers ● Fuzzing@Google
  • 3. What is Fuzzing? wikipedia.org/wiki/Fuzz_testing: Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program.
  • 4. Who cares? - We are not testing/checking anything! - Random data will not trigger any bugs!
  • 5. Fuzzing can find lots of bugs - With the help of sanitizers: - Use-after-free, buffer overflows - Uses of uninitialized memory - Memory leaks - Data races, deadlocks - Int/float overflows, bitwise shifts by invalid amount (other UB) - Plain crashes: - NULL dereferences, uncaught exceptions, div-by-zero - Resource usage bugs: - Memory exhaustion, hangs or infinite loops, infinite recursion (stack overflows) - Logical bugs (lots of, see below)
  • 6. Data is not necessary "white noise" - There is number of tricks to generate "not so random" data - May or may not require some human help - If used correctly achieves very impressive code coverage
  • 7. What can be fuzzed? Anything that consumes complex inputs: ● Parsers of any kind (xml, json, asn.1, pdf, truetype, ...) ● Media codecs (audio, video, raster & vector images, etc) ● Network protocols (HTTP, RPC, SMTP, MIME...) ● Crypto (boringssl, openssl) ● Compression (zip, gzip, bzip2, brotli, ...) ● Formatted output (sprintf, template engines) ● Compilers and interpreters (Javascript, PHP, Perl, Python, Go, Clang, ...) ● Regular expression matchers (PCRE, RE2, libc’s regcomp) ● Text/UTF processing (icu) ● Databases (SQLite) ● Browsers, text editors/processors (Chrome, vim, OpenOffice) ● OS Kernels (Linux), drivers, supervisors and VMs Must have for everything that consumes untrusted inputs, open to internet or otherwise security sensitive.
  • 8. Types of Fuzzers - Grammar-based generation - Generate random inputs according to grammar rules - Peach, packetdrill, csmith, gosmith, syzkaller - Blind mutation - Requires a corpus of representative inputs, apply random mutations to them - ZZUF, Radamsa - Grammar reverse-engineering - Learn grammar from existing inputs using algorithmic approach of machine learning - Sequitur algorithm, go-fuzz - Symbolic execution + SAT solver - Synthesize inputs with maximum coverage using black magic - KLEE - Coverage-guided fuzzers - Genetic algorithm that strives to maximize code coverage - libFuzzer, AFL, honggfuzz, syzkaller - Hybrid
  • 9. Coverage-guided fuzzing Build the program with code coverage instrumentation; Collect initial corpus of inputs (optional); while (true) { Choose a random input from corpus and mutate it; Run the target program on the input, collect code coverage; If the input gives new coverage, add mutation back to the corpus; }
  • 10. Coverage-guiding in action if input[0] == '{' { if input[1] == 'i' && input[2] == 'f' { if input[3] == '(' { input[input[4]] = input[5]; // potential OOB write } } } Requires "{if(" input to crash, ~2^32 guesses to crack when blind. Coverage-guiding: Guess "{" in ~2^8, add to corpus. Guess "{i" in ~2^8, add to corpus. Guess "{if" in ~2^8, add to corpus. Guess "{if(" in ~2^8, add to corpus. Total: ~2^10 guesses. See: AFL: Pulling JPEGs out of thin air
  • 11. Mutations ● erase/insert/change/shuffle bit/byte/bytes ● crossover/splice 2 inputs ● insert token from a dictionary ● insert magic numbers (2^10±1, 2^16±1, 2^31±1, 2^32±1) ● change an ASCII integer (e.g. "123" => "2465357635") ● ...
  • 12. Coverage flavours Basic blocks: ... (A) if (...) { ... (B) } ... (C) -fsanitize-coverage=bb Edges: ... (A) if (...) { ... (B) } ... (C) -fsanitize-coverage=trace-pc-guard Gives better feedback signal. Counters: for (...) { ... (hit N times) } -fsanitize-coverage=8bit-counters Gives better feedback signal for loops and recursion.
  • 13. Cracking hashes What about more complex cases? if (*(uint32_t*)input == crc32(input+4, size-4)) {...} if (*(uint64_t*)input == 0xBCEBC041BADBALL) {...}
  • 14. Cracking hashes Intercept comparison operations: ● compiler intercepts int comparisons (-fsanitize-coverage=trace-cmp) ● runtime intercepts strcmp/memcmp and friends Several possibilities: ● extract int/string literals and insert them into inputs ● find one comparison operand in the input and replace with the other operand ● use PC^POPCNT(op1^op2) as "coverage" signal (Hamming distance)
  • 15. Dictionaries ● User-provided ○ e.g. for HTTP: "HTTP/1.1", "Host", "Accept-Encoding" ● Automatically extracted from program ○ memcpy(input, "HTTP/1.1", 8)
  • 16. Tutorial "...one of the most highly regarded and expertly designed C++ library projects in the world" boost.regex (latest version 1.63, in boost since 1.18)
  • 17. Tutorial: fuzzing function As simple as: int LLVMFuzzerTestOneInput(const uint8_t * Data, size_t Size) { try { std::string str((char*)Data, Size); boost::regex e( str); boost::match_results<std::string::const_iterator> what; boost::regex_match(str, what, e, boost::match_default); } catch (const std::exception&) {} return 0; }
  • 18. Tutorial: building (the hard part) 1. Build boost with coverage and AddressSanitizer: ./b2 cxxflags="-fsanitize-coverage=trace-pc-guard -fsanitize=address" toolset=clang install 2. Build fuzzer with coverage, AddressSanitizer and libFuzzer: clang++ fuzzer.cc -fsanitize-coverage=trace-pc-guard -fsanitize=address libFuzzer.a The rest is at tutorial.libfuzzer.info
  • 19. Demo
  • 20. 30 minutes, 13 bugs (ticket/12818): AddressSanitizer: heap-buffer-overflow perl_matcher.hpp:132 in re_skip_past_null AddressSanitizer: heap-buffer-overflow basic_regex_parser.hpp:2599 in parse_perl_extension AddressSanitizer: heap-buffer-overflow perl_matcher.hpp:221 in re_is_set_member AddressSanitizer: heap-buffer-overflow perl_matcher.hpp:166 in re_is_set_member AddressSanitizer: heap-buffer-overflow interceptors.inc:278 in strlen AddressSanitizer: stack-overflow basic_regex_creator.hpp:1054 in create_startmap AddressSanitizer: SEGV on unknown address 0x0000000016e0 MemorySanitizer: use-of-uninitialized-value perl_matcher.hpp:166 in re_is_set_member basic_regex_parser.hpp:904: runtime error: shift exponent 325804978 is too large for 32-bit type 'unsigned int' basic_regex_parser.hpp:2599: runtime error: load of value 56794092, which is not a valid value for type 'syntax_element_type' a.out: perl_matcher_common.hpp:606: Assertion `r.first != r.second' failed Direct leak of 4096 byte(s) in 1 object(s) allocated in get_mem_block regex.cpp:204 ALARM: working on the last Unit for 17 seconds Will find more when these are fixed! Results
  • 21. Finding logical bugs Not only security/stability - But we don't know the right result! - Use your imagination!
  • 22. Finding logical bugs ● sanity checks on results ○ uncompressesed image decoder: 100 byte input -> 100 MB output? ○ function returns both error and object, or no error and no object ○ know that some substring must present in output, but it is not ○ encrypt, check that decryption with wrong key fails ● sometimes we do know the right result ○ any sorting: check that each element is present, check that it's not descending ○ building a trie: check size, all elements are present ● asserts ○ assert(a == b)
  • 23. Finding logical bugs Round-trip: ● encode-decode ● serialize-deserialize ● compress-decompress ● encrypt-decrypt ● assemble-disassemble Checks: ● decode-encode: check that encode don't fail ● decode-encode-decode: check that second decode don't fail ● decode-encode-decode: check that decode results are equal ● encode-decode-encode: check that encode results are equal Very powerful technique.
  • 24. Finding logical bugs Comparing two (or more) implementations gives phenomenal results: ● check that output is equal ● or at least check that ok/fail result is the same ○ e.g. gcc and clang both accept or reject the code But I don't want to write the second impl! ● there can be several libraries implementing the same (libxmlFoo vs libxmlBar) ● implementation in a different language (re2 vs Go's regexp) ● compare "fast but complex" with "slow but dumb" (sometimes easy to write) ● compare different functions (marshalBinary vs marshalText)
  • 25. Quick Quiz: how to fuzz clang-format? clang-format: shuffles whitespaces in a source file. Let's imaging destiny of mankind depends on correctness of clang-format! How would you fuzz test it?
  • 26. Quick Quiz: how to fuzz clang-format? ● run with asan/msan/ubsan ● format twice, compare results (e.g. relies on unordered_map order) ● format, then format result (must be idempotent) ● strip all whitespaces, compare before/after ● check violations of max line length ● compile before/after (formatting breaks/unbreaks code)
  • 27. Regression testing Normally you run fuzzer for a long time. But any guided fuzzer accumulates corpus of inputs with max coverage. And that's perfect for regression testing! Just run it once on every change!
  • 28. Fuzzing@Google Why? - faster and faster development - more and more code - correctness is important - stability is still important - security is super important - want to move fast, but keep development costs under control Traditional testing is not enough anymore!
  • 29. Fuzzing@Google How? - Developers can write "fuzz tests" - picked up by automatic large-scale fuzzing system - but also work as regression unit tests - OSS-Fuzz: continuous fuzzing for OSS - 50+ projects, 190 fuzzers - libFuzzer, radamsa, AFL (coming) - 5000 cores - ClusterFuzz: automated fuzzing for Chromium - 350 fuzzers - libFuzzer, radamsa, AFL, custom fuzzers - 12000 cores - Automatically files bugs and verifies fixes - syzkaller: continuous fuzzing of Linux kernel - several upstream branches + android/chromeos - 100+ VMs + physical devices
  • 30. Fuzzing@Google ~15'000bugs GLIBC MUSL LIBC pugixml PCRE ICU Freetype ffmpeg Harfbuzz SQLite Python OpenSSL BoringSSL libxml2 BPF Capstone file Radare2 gRPC WOFF2 LLVM Tensorflow libav FreeType2 Foxit libtiff Go Linux libexif libFLAC Little CMS Adobe Reader Adobe Flash Player Adobe DNG SDK ESET NOD32 ClamAV BitDefender poppler ghostscript dcraw qcms libwebp libwebm libvpx gipfeli libots Snapseed Dart VM IJG libjpeg-turbo libpng mozjpeg PHP Firefox Internet Explorer Apple Safari LibreOffice GnuTLS GnuPG OpenSSH bash tcpdump JavaScriptCore pdfium libmatroska libarchive wireshark ImageMagick lcms libbpg lame libsndfile less lesspipe strings dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn pfctl mandoc IDA Pro clamav nasm ctags mutt procmail fontconfig pdksh wavpack redis cmsgpack taglib privoxy perl libxmpradare2 SleuthKit X.Org exifprobe jhead Xerces-C metacam exiv btrfs Knot DNS curl wpa_supplicant dnsmasq imlib2 libraw libwmf uudecode MuPDF libbson libsass boost
  • 31. Sales pitch ● Fuzzing is complimentary to any other testing technique ● Fuzzing is mandatory for anything security-related ● Fuzzing finds LOTS of bugs ● Fuzzing is easy to use Call to action: ● choose 1 library that uses complex inputs (important or you suspect for bugs) ● write a fuzzer ● run locally with ASAN