Introduction to fuzzing

  1. Introduction to Fuzzing (Hieu Nguyen)
  2. What is fuzzing?
  3. What can be random?
     - parameters
     - time
     - database state
     - machine state
     - crash
     - ...
  4. What can be random?
     - parameters
     - time
     - database state
     - machine state
     - crash
     - ...
  5. Fuzzing type
     - Generational
     - Mutational
  6. Random Generational Fuzzing
     - Completely random
     - Generate from scratch
  7. Random Generational Fuzzing
     - Good for detecting parser errors
     - Hard to get meaningful input
  8. Random Generational Fuzzing
     - Good for detecting parser errors
     - Hard to get meaningful input
     - Notable application: detect invalid memory access in C/C++ programs (Heartbleed)
  9. Mutational Fuzzing
     - Generate input by adding random mutations to a seed
     - Mutation types:
       - Add bytes
       - Delete bytes
       - Flip bytes
       - ...
  10. Mutational Fuzzing
     - Can generate more interesting input
     - But...
  11. Coverage-based Mutational Fuzzing
     - Also called Greybox Fuzzing
     - Use coverage to find and leverage interesting input
  12. AFL (American Fuzzy Lop)
  13. AFL (American Fuzzy Lop)
  14. Compare different fuzzing strategies
  15. Coverage-based Mutational Fuzzing
     - Very effective
     - Needs a bit of tuning depending on the application
  16. Grammar Generational Fuzzing
     - Generate random input based on a grammar
     - Usually uses BNF (Backus–Naur form)
  17. Grammar Generational Fuzzing
     - Creates more structured input
     - Hard to simulate invalid input
  18. Greybox Grammar Fuzzing
     - Generate seeds based on the grammar
     - Mutate input
     - Leverage interesting input based on coverage
  19. Greybox Grammar Fuzzing
     - Generate seeds based on the grammar
     - Mutate input
     - Leverage interesting input based on coverage
  20. LangFuzz
     - Grammar greybox fuzzer
     - Used for testing browser JS interpreters
     - Found more than 2000 bugs!
  21. Compare different fuzzing strategies
  22. That’s not all...
     - Add power to seeds to leverage stronger seeds
     - Extend the grammar with EBNF and probability
     - Mine seeds from external sources
     - Use structured mutation
     - Semantic fuzzing
  23. Cons
     - Huge learning curve
     - Suitable only for mature applications
     - Slow and computationally heavy
  24. Summary
     - Fuzzing is testing with random input
     - Use coverage stats to increase fuzzing accuracy
     - Use a grammar to improve seed variety
     - Effective for testing critical and mature parts of the system
  25. References
     - https://www.fuzzingbook.org
     - https://www.cs.dartmouth.edu/~mckeeman/references/DifferentialTestingForSoftware.pdf
  26. Thank you for listening
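Slides 6 to 8 and 16 to 17 contrast two generational strategies: purely random input, which rarely gets past the parser, and grammar-based generation from BNF, which only ever produces grammatical input. The script below is an added example (it is not from the slides, from fuzzingbook, or from any fuzzer named on the page) that implements both on a constructed toy arithmetic-expression grammar, with Python's own expression parser as the oracle. The grammar, the depth budget and the random-string alphabet are all assumptions made for the example.

```python
import ast
import random

# Constructed toy grammar in BNF-like form (an assumption of this example).
# Each nonterminal maps to a list of alternatives; each alternative is a list
# of symbols, where a symbol in angle brackets is a nonterminal and anything
# else is literal text. <int> avoids leading zeros so Python accepts it.
EXPR_GRAMMAR = {
    "<start>":   [["<expr>"]],
    "<expr>":    [["<term>", " + ", "<expr>"], ["<term>", " - ", "<expr>"], ["<term>"]],
    "<term>":    [["<factor>", " * ", "<term>"], ["<factor>"]],
    "<factor>":  [["(", "<expr>", ")"], ["-", "<factor>"], ["<int>"]],
    "<int>":     [["<nzdigit>", "<digits>"], ["<digit>"]],
    "<digits>":  [["<digit>", "<digits>"], ["<digit>"]],
    "<digit>":   [[d] for d in "0123456789"],
    "<nzdigit>": [[d] for d in "123456789"],
}


def is_nonterminal(symbol):
    return symbol.startswith("<") and symbol.endswith(">")


def min_expansion_depth(grammar):
    """Fixed-point computation of the fewest expansion steps each nonterminal
    needs to reach terminals only; used to force generation to terminate."""
    depth = {nt: float("inf") for nt in grammar}
    changed = True
    while changed:
        changed = False
        for nt, alternatives in grammar.items():
            for alt in alternatives:
                cost = 1 + max((depth[s] for s in alt if is_nonterminal(s)), default=0)
                if cost < depth[nt]:
                    depth[nt] = cost
                    changed = True
    return depth


def generate(grammar, symbol="<start>", rng=None, max_depth=12, _depth=0, _min=None):
    """Expand `symbol` by picking random alternatives. Once the depth budget is
    spent, only the cheapest alternatives are allowed, so recursion ends."""
    if rng is None:
        rng = random.Random()
    if not is_nonterminal(symbol):
        return symbol
    if _min is None:
        _min = min_expansion_depth(grammar)
    alternatives = grammar[symbol]
    if _depth >= max_depth:
        def cost(alt):
            return max((_min[s] for s in alt if is_nonterminal(s)), default=0)
        cheapest = min(cost(a) for a in alternatives)
        alternatives = [a for a in alternatives if cost(a) == cheapest]
    chosen = rng.choice(alternatives)
    return "".join(generate(grammar, s, rng, max_depth, _depth + 1, _min) for s in chosen)


def grammar_fuzz(grammar, count, seed=0, max_depth=12):
    """Grammar generational fuzzing (slide 16): `count` inputs from one seeded RNG."""
    rng = random.Random(seed)
    return [generate(grammar, rng=rng, max_depth=max_depth) for _ in range(count)]


def random_fuzz(count, seed=0, max_len=20):
    """Random generational fuzzing (slide 6): printable strings with no structure."""
    rng = random.Random(seed)
    alphabet = "".join(chr(c) for c in range(32, 127))
    return ["".join(rng.choice(alphabet) for _ in range(rng.randint(1, max_len)))
            for _ in range(count)]


def is_valid_python_expression(text):
    """Oracle for this example: Python's own parser accepts the text as an expression."""
    try:
        ast.parse(text, mode="eval")
        return True
    except SyntaxError:
        return False


def valid_fraction(inputs):
    """Share of inputs that get past the parser, i.e. reach code beyond syntax checks."""
    return sum(is_valid_python_expression(s) for s in inputs) / len(inputs)


if __name__ == "__main__":
    for s in grammar_fuzz(EXPR_GRAMMAR, 5, seed=1):
        print("grammar:", s)
    print("valid fraction, grammar:", valid_fraction(grammar_fuzz(EXPR_GRAMMAR, 200, seed=1)))
    print("valid fraction, random: ", valid_fraction(random_fuzz(200, seed=1)))
```

Run against this grammar the valid fraction is exactly 1.0 for the grammar fuzzer, which is slide 17's caveat in numbers: every input is well-formed, so malformed-input handling is never exercised unless mutation is layered on top (slide 18). The random generator's inputs almost all die in the tokenizer, which is slide 7's "hard to get meaningful input".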

Editor's Notes

  • For the sake of simplicity, we’ll focus on text parameters only
  • The most popular fuzzer; it also uses coverage-based mutational fuzzing, and its success motivates a lot of research in fuzzers and security
    One of the fuzzing engines behind OSS-Fuzz
  • http://lcamtuf.coredump.cx/afl/demo/
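Slides 9 to 11 and the editor's note on AFL describe coverage-based mutational fuzzing: mutate a seed by adding, deleting or flipping bytes, run the target, and keep any input that reaches new code. The script below is an added example, not code from the slides or from AFL, that implements that loop against a constructed toy parser with a deliberate missing bounds check (the Python analogue of the C/C++ invalid memory access slide 8 mentions). It uses `sys.settrace` line coverage as a stand-in for AFL's compile-time instrumentation; the record format, the seed and the iteration budget are assumptions made for the example.

```python
import random
import sys


# Constructed toy target. Format: 2-byte magic "FZ", 1-byte payload length,
# 1-byte record kind, then the payload. The deliberate bug: `length` is
# trusted without checking it against the real payload size.
def parse_record(data):
    if len(data) < 4:
        return 0                       # too short to hold a header
    if data[:2] != b"FZ":
        return 1                       # wrong magic
    length, kind = data[2], data[3]
    payload = data[4:]
    if kind == 0:
        return 2                       # kind 0 carries no payload
    checksum = 0
    for i in range(length):            # BUG: length may exceed len(payload)
        checksum ^= payload[i]         # IndexError here is the "crash"
    return checksum


SEED = b"FZ\x02\x01ab"                 # one well-formed starting input (constructed)


def run_with_coverage(target, data):
    """Run target(data), recording which of its lines executed.
    Returns (frozenset_of_line_numbers, exception_or_None)."""
    code = target.__code__
    lines = set()

    def tracer(frame, event, arg):
        if frame.f_code is not code:   # only instrument the target itself
            return None
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        target(data)
        error = None
    except Exception as exc:           # any uncaught exception counts as a crash
        error = exc
    finally:
        sys.settrace(previous)
    return frozenset(lines), error


# The three mutation types named on slide 9.
def flip_bit(data, rng):
    if not data:
        return data
    out = bytearray(data)
    out[rng.randrange(len(out))] ^= 1 << rng.randrange(8)
    return bytes(out)


def insert_byte(data, rng):
    i = rng.randrange(len(data) + 1)
    return data[:i] + bytes([rng.randrange(256)]) + data[i:]


def delete_byte(data, rng):
    if not data:
        return data
    i = rng.randrange(len(data))
    return data[:i] + data[i + 1:]


MUTATORS = [flip_bit, insert_byte, delete_byte]


def mutate(data, rng):
    for _ in range(rng.randint(1, 3)):  # stack a few mutations per child
        data = rng.choice(MUTATORS)(data, rng)
    return data


def greybox_fuzz(target, seeds, iterations=2000, seed=0):
    """Coverage-guided loop: a child that reaches a new line joins the queue;
    a child that raises is recorded as a crash and not mutated further."""
    rng = random.Random(seed)
    queue = list(seeds)
    seen_lines = set()
    crashes = {}                       # (exception type, message) -> triggering input
    for s in seeds:
        seen_lines |= run_with_coverage(target, s)[0]
    for _ in range(iterations):
        child = mutate(rng.choice(queue), rng)
        lines, error = run_with_coverage(target, child)
        if error is not None:
            crashes.setdefault((type(error).__name__, str(error)), child)
            continue
        if lines - seen_lines:         # new coverage: this input is "interesting"
            seen_lines |= lines
            queue.append(child)
    return {"queue": queue, "coverage": seen_lines, "crashes": crashes}


def reproduces(target, data):
    """True if `data` still crashes the target when replayed outside the fuzzer."""
    return run_with_coverage(target, data)[1] is not None


if __name__ == "__main__":
    result = greybox_fuzz(parse_record, [SEED])
    print("queue size:", len(result["queue"]), "lines covered:", len(result["coverage"]))
    for (kind, msg), data in result["crashes"].items():
        print(f"{kind}: {msg!r} on input {data!r}")
```

The queue is what makes this greybox rather than blind mutation: inputs that flip the magic or shorten the header are kept because they reach the `return 0` / `return 1` lines, and later children are drawn from them too. Replaying each recorded crash through `reproduces` before filing it is the same triage step a real fuzzing setup performs to rule out flaky or harness-induced failures.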