AFL - 4Fun & Pr0fit
Muhammad Sahputra - Chief Executive Officer @ Mahapatih.ID
<rasyid /at/ mahapatih.id>
Research Team Sharing Session - PT Mahapatih Sibernusa Teknologi
– Erlend Oftedal
https://www.youtube.com/watch?v=DFQT1YxvpDo&t=2109s
Basic Fuzzing
• Throw garbage at an application, and see if you hit something
• Sample application: PNG parser
$ cat /dev/urandom | convert -in — -out data.png
Mutational Fuzzer
• Mutate valid input
• flip bits
• relocate data
• More effective than random
• May run the same thing over and over again
Grammar Fuzzer
• Define rules for how the input should be changed
• Better control over input - good for structured data
• Time consuming to setup - knowledge
Feedback-based Fuzzer
• Application feedback - instrumentation / coverage data
• Slower, but less repetition
• High effectiveness
• For best results, requires source code (compile-time instrumentation)
AFL
• American Fuzzy Lop
• Developed by Michal Zalewski (@lcamtuf)
• Opensource: http://lcamtuf.coredump.cx/afl/
• Optimized and smart
Installing AFL
$ git clone https://github.com/google/AFL.git
$ cd AFL
$ make
$ cd llvm_mode && make && cd ..
$ cd libdislocator/ && make && sudo cp libdislocator.so /usr/local/lib && cd ..
$ sudo make install
LLVM: Fuzzing non-x86
• Instrumentation is CPU-independent
• Build afl-fuzz with AFL_NO_X86=1
Workflow
1. Compile the target binary with AFL
2. Find a test corpus
3. Run the fuzzer
4. Triage the findings
5. Profit..!
Compile the target binary with AFL
• CC / CXX - the standard environment variables that select the C / C++ compiler; point them at one of:
- afl-gcc / afl-g++
- afl-clang / afl-clang++
- afl-clang-fast / afl-clang-fast++
• AFL_INST_RATIO - instrumentation ratio (0-100%)
• AFL_HARDEN=1 - adds code hardening (includes -D_FORTIFY_SOURCE=2 and -fstack-protector-all)
See https://github.com/google/AFL/blob/master/docs/env_variables.txt for more
Find a test corpus
$ afl-cmin -i <in folder> -o <out folder> -- <binary to run> <options to binary> @@
$ afl-tmin -i <test case file> -o <minimized file> -- <binary to run> <options to binary> @@
• Files from unit / integration tests
- Source code repo / github / sample folders
• Optimization: Minimize the list of the cases
• Optimization: Minimize each test file
Run the Fuzzer
$ screen -S <fuzzing session name> /bin/bash -c "afl-fuzz -i <input> -o <output> -M fuzzer1 -- /path/to/app" [Master]
ctrl+a c [to create a new window]
$ afl-fuzz -i <input> -o <output> -S fuzzer2 -- /path/to/app [Slave]
ctrl+a c [to create a new window]
$ afl-fuzz -i <input> -o <output> -S fuzzer3 -- /path/to/app [Slave]
…
…
ctrl+a " [to list all windows of the running session]
Triage the Findings
• Run the crash files through the normal (uninstrumented) binary
- Compile without AFL
- Possibly use AddressSanitizer or MemorySanitizer
- GDB exploitable plugin: https://github.com/jfoote/exploitable
- GDB exploit development plugin: https://github.com/longld/peda
Triage the Findings
• Report findings to the dev team
• Fix them if you are part of the dev team
• Responsible disclosure (e.g. bug bounty)
• Simply keep the bug for yourself and develop a reliable exploit for more $$$ ;)
DEMO
rapidjson
1. Compile the target binary without AFL and get an understanding of how it works
2. Compile the target binary with AFL to insert instrumentation
3. Find a test corpus
4. Run the fuzzer
5. Triage the findings
6. Profit..!
Compile the target binary without AFL
$ git clone https://github.com/Tencent/rapidjson.git
$ cd rapidjson
$ mkdir build && cd build && cmake ..
$ make
We're going to fuzz one of these sample tools: jsonx
What is jsonx about?
- JSON to JSONx conversion example, using the SAX API.
- JSONx is an IBM standard format to represent JSON as XML.
- jsonx parses JSON text from stdin with validation and writes it in JSONx format to stdout.
- https://www-01.ibm.com/support/knowledgecenter/SS9H2Y_7.1.0/com.ibm.dp.doc/json_jsonx.html
See https://github.com/Tencent/rapidjson/blob/master/example/jsonx/jsonx.cpp for more
Compile the target binary with AFL
Find test corpus
- Find good test data to seed the fuzzing.
- Test data is usually readily available throughout the internet.
- Even better, some repos on GitHub already include fuzzing data we can use.
- https://github.com/DaveGamble/cJSON/tree/master/tests/inputs for example
- Make sure the uninstrumented binary can process the test data
Corpus minimization: afl-cmin
• Minimize the list of the cases
• According to AFL, only 12 of the 15 test files are 'good' enough to seed the fuzzing
Corpus minimization: afl-tmin
• Minimize each test case file
Run the Fuzzer
- AFL fully utilizes a CPU core per instance. Use a dedicated machine (not shared hosting).
- Check CPU core availability before starting
- Use screen to run several fuzzing sessions against one target (master + slaves)
Triage the findings
- We can observe and analyze the crashes further without interrupting the running fuzzer.
- All results are available under the "output" folder.
- The "crashes" folder contains every input that caused a crash in the fuzzed binary.
Triage the findings
- Use GDB and several plugins to analyse the crashes.
- The exploitable plugin shows whether a crash is potentially security related.
- The PEDA plugin has several features that help with developing a reliable exploit.
- $ gdb ./jsonx
- (gdb) source ~/exploitable/exploitable/exploitable.py
- (gdb) source ~/peda/peda.py
- (gdb) r < ~/mst/instr/rapidjson/build/fuzzing/output/fuzzer7/crashes/<one of the input files that generates a crash>
- use "exploitable" or the PEDA features to analyse further
Triage the findings
Exploitable!
Profit
• Fuzzing is an art; it needs a lot of practice to sharpen your sense and skill
• Again, practice makes perfect!
• Tons of applications on GitHub to start with, so get your hands dirty right away
• Fuzz your own apps (e-commerce backend systems, banking apps, etc.)
• I will continue with more advanced topics later, such as distributed fuzzing, fuzzing using libFuzzer, etc.
• Ping me if you're really enjoying the art of hardcore hacking, so we can fuzz together or develop a smart fuzzer for a better future ;) [twitter: @cyberheb / linkedin: https://www.linkedin.com/in/muhammadsahputra/]
END

More Related Content

What's hot

How to inspect a RUNNING perl process
How to inspect a RUNNING perl processHow to inspect a RUNNING perl process
How to inspect a RUNNING perl processMasaaki HIROSE
 
Python Debugging Fundamentals
Python Debugging FundamentalsPython Debugging Fundamentals
Python Debugging Fundamentalscbcunc
 
Debugging PHP with Xdebug - PHPUK 2018
Debugging PHP with Xdebug - PHPUK 2018Debugging PHP with Xdebug - PHPUK 2018
Debugging PHP with Xdebug - PHPUK 2018Mark Niebergall
 
Profiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf ToolsProfiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf ToolsemBO_Conference
 
Automatic PHP 7 Compatibility Checking Using php7cc (and PHPCompatibility)
Automatic PHP 7 Compatibility Checking Using php7cc (and PHPCompatibility)Automatic PHP 7 Compatibility Checking Using php7cc (and PHPCompatibility)
Automatic PHP 7 Compatibility Checking Using php7cc (and PHPCompatibility)Mark Niebergall
 
Kicking off with Zend Expressive and Doctrine ORM (ZendCon 2016)
Kicking off with Zend Expressive and Doctrine ORM (ZendCon 2016)Kicking off with Zend Expressive and Doctrine ORM (ZendCon 2016)
Kicking off with Zend Expressive and Doctrine ORM (ZendCon 2016)James Titcumb
 
Javascript TDD with Jasmine, Karma, and Gulp
Javascript TDD with Jasmine, Karma, and GulpJavascript TDD with Jasmine, Karma, and Gulp
Javascript TDD with Jasmine, Karma, and GulpAll Things Open
 
What you need to remember when you upload to CPAN
What you need to remember when you upload to CPANWhat you need to remember when you upload to CPAN
What you need to remember when you upload to CPANcharsbar
 
PHP & Performance
PHP & PerformancePHP & Performance
PHP & Performance毅 吕
 
Puppet modules: An Holistic Approach
Puppet modules: An Holistic ApproachPuppet modules: An Holistic Approach
Puppet modules: An Holistic ApproachAlessandro Franceschi
 
Can you upgrade to Puppet 4.x?
Can you upgrade to Puppet 4.x?Can you upgrade to Puppet 4.x?
Can you upgrade to Puppet 4.x?Martin Alfke
 
Devel::NYTProf 2009-07 (OUTDATED, see 201008)
Devel::NYTProf 2009-07 (OUTDATED, see 201008)Devel::NYTProf 2009-07 (OUTDATED, see 201008)
Devel::NYTProf 2009-07 (OUTDATED, see 201008)Tim Bunce
 
Setup of EDA tools and workstation environment variables in NCTU 307 Lab. wor...
Setup of EDA tools and workstation environment variables in NCTU 307 Lab. wor...Setup of EDA tools and workstation environment variables in NCTU 307 Lab. wor...
Setup of EDA tools and workstation environment variables in NCTU 307 Lab. wor...Michael Lee
 
Shellcode injection
Shellcode injectionShellcode injection
Shellcode injectionDhaval Kapil
 
Puppet Camp Paris 2016 Data in Modules
Puppet Camp Paris 2016 Data in ModulesPuppet Camp Paris 2016 Data in Modules
Puppet Camp Paris 2016 Data in ModulesMartin Alfke
 
Web backends development using Python
Web backends development using PythonWeb backends development using Python
Web backends development using PythonAyun Park
 

What's hot (20)

How to inspect a RUNNING perl process
How to inspect a RUNNING perl processHow to inspect a RUNNING perl process
How to inspect a RUNNING perl process
 
Python Debugging Fundamentals
Python Debugging FundamentalsPython Debugging Fundamentals
Python Debugging Fundamentals
 
Debugging PHP with Xdebug - PHPUK 2018
Debugging PHP with Xdebug - PHPUK 2018Debugging PHP with Xdebug - PHPUK 2018
Debugging PHP with Xdebug - PHPUK 2018
 
Profiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf ToolsProfiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf Tools
 
Automatic PHP 7 Compatibility Checking Using php7cc (and PHPCompatibility)
Automatic PHP 7 Compatibility Checking Using php7cc (and PHPCompatibility)Automatic PHP 7 Compatibility Checking Using php7cc (and PHPCompatibility)
Automatic PHP 7 Compatibility Checking Using php7cc (and PHPCompatibility)
 
Kicking off with Zend Expressive and Doctrine ORM (ZendCon 2016)
Kicking off with Zend Expressive and Doctrine ORM (ZendCon 2016)Kicking off with Zend Expressive and Doctrine ORM (ZendCon 2016)
Kicking off with Zend Expressive and Doctrine ORM (ZendCon 2016)
 
Javascript TDD with Jasmine, Karma, and Gulp
Javascript TDD with Jasmine, Karma, and GulpJavascript TDD with Jasmine, Karma, and Gulp
Javascript TDD with Jasmine, Karma, and Gulp
 
Nginx pres
Nginx presNginx pres
Nginx pres
 
What you need to remember when you upload to CPAN
What you need to remember when you upload to CPANWhat you need to remember when you upload to CPAN
What you need to remember when you upload to CPAN
 
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.workshop: Software vulnerability
fg.workshop: Software vulnerability
 
PHP & Performance
PHP & PerformancePHP & Performance
PHP & Performance
 
Puppet modules: An Holistic Approach
Puppet modules: An Holistic ApproachPuppet modules: An Holistic Approach
Puppet modules: An Holistic Approach
 
Shellcode mastering
Shellcode masteringShellcode mastering
Shellcode mastering
 
Can you upgrade to Puppet 4.x?
Can you upgrade to Puppet 4.x?Can you upgrade to Puppet 4.x?
Can you upgrade to Puppet 4.x?
 
Troubleshooting Puppet
Troubleshooting PuppetTroubleshooting Puppet
Troubleshooting Puppet
 
Devel::NYTProf 2009-07 (OUTDATED, see 201008)
Devel::NYTProf 2009-07 (OUTDATED, see 201008)Devel::NYTProf 2009-07 (OUTDATED, see 201008)
Devel::NYTProf 2009-07 (OUTDATED, see 201008)
 
Setup of EDA tools and workstation environment variables in NCTU 307 Lab. wor...
Setup of EDA tools and workstation environment variables in NCTU 307 Lab. wor...Setup of EDA tools and workstation environment variables in NCTU 307 Lab. wor...
Setup of EDA tools and workstation environment variables in NCTU 307 Lab. wor...
 
Shellcode injection
Shellcode injectionShellcode injection
Shellcode injection
 
Puppet Camp Paris 2016 Data in Modules
Puppet Camp Paris 2016 Data in ModulesPuppet Camp Paris 2016 Data in Modules
Puppet Camp Paris 2016 Data in Modules
 
Web backends development using Python
Web backends development using PythonWeb backends development using Python
Web backends development using Python
 

Similar to Afl - 4fun and pr0fit

OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...
OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...
OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...NETWAYS
 
Introduction to PowerShell
Introduction to PowerShellIntroduction to PowerShell
Introduction to PowerShellBoulos Dib
 
Making the most of your Test Suite
Making the most of your Test SuiteMaking the most of your Test Suite
Making the most of your Test Suiteericholscher
 
Apache Submarine: Unified Machine Learning Platform
Apache Submarine: Unified Machine Learning PlatformApache Submarine: Unified Machine Learning Platform
Apache Submarine: Unified Machine Learning PlatformWangda Tan
 
GPU and Deep learning best practices
GPU and Deep learning best practicesGPU and Deep learning best practices
GPU and Deep learning best practicesLior Sidi
 
High Availability in 37 Easy Steps
High Availability in 37 Easy StepsHigh Availability in 37 Easy Steps
High Availability in 37 Easy StepsTim Serong
 
Load testing and performance tracing
Load testing and performance tracingLoad testing and performance tracing
Load testing and performance tracingHans Höchtl
 
Nagios Conference 2012 - Nathan Vonnahme - Writing Custom Nagios Plugins in Perl
Nagios Conference 2012 - Nathan Vonnahme - Writing Custom Nagios Plugins in PerlNagios Conference 2012 - Nathan Vonnahme - Writing Custom Nagios Plugins in Perl
Nagios Conference 2012 - Nathan Vonnahme - Writing Custom Nagios Plugins in PerlNagios
 
Automated Unit Testing
Automated Unit TestingAutomated Unit Testing
Automated Unit TestingMike Lively
 
Continuous integration / continuous delivery
Continuous integration / continuous deliveryContinuous integration / continuous delivery
Continuous integration / continuous deliveryEatDog
 
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)Bastian Feder
 
Puppet Camp Boston 2014: Keynote
Puppet Camp Boston 2014: Keynote Puppet Camp Boston 2014: Keynote
Puppet Camp Boston 2014: Keynote Puppet
 
Shorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsShorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsNational Cheng Kung University
 
php & performance
 php & performance php & performance
php & performancesimon8410
 
WarsawITDays_ ApacheNiFi202
WarsawITDays_ ApacheNiFi202WarsawITDays_ ApacheNiFi202
WarsawITDays_ ApacheNiFi202Timothy Spann
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsAnthony D Hendricks
 
Go performance tooling
Go performance toolingGo performance tooling
Go performance toolingAdil Hafeez
 
Linux Desktop Automation
Linux Desktop AutomationLinux Desktop Automation
Linux Desktop AutomationRui Lapa
 

Similar to Afl - 4fun and pr0fit (20)

OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...
OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...
OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...
 
Introduction to PowerShell
Introduction to PowerShellIntroduction to PowerShell
Introduction to PowerShell
 
Terraform training 🎒 - Basic
Terraform training 🎒 - BasicTerraform training 🎒 - Basic
Terraform training 🎒 - Basic
 
Making the most of your Test Suite
Making the most of your Test SuiteMaking the most of your Test Suite
Making the most of your Test Suite
 
Apache Submarine: Unified Machine Learning Platform
Apache Submarine: Unified Machine Learning PlatformApache Submarine: Unified Machine Learning Platform
Apache Submarine: Unified Machine Learning Platform
 
GPU and Deep learning best practices
GPU and Deep learning best practicesGPU and Deep learning best practices
GPU and Deep learning best practices
 
High Availability in 37 Easy Steps
High Availability in 37 Easy StepsHigh Availability in 37 Easy Steps
High Availability in 37 Easy Steps
 
Load testing and performance tracing
Load testing and performance tracingLoad testing and performance tracing
Load testing and performance tracing
 
Nagios Conference 2012 - Nathan Vonnahme - Writing Custom Nagios Plugins in Perl
Nagios Conference 2012 - Nathan Vonnahme - Writing Custom Nagios Plugins in PerlNagios Conference 2012 - Nathan Vonnahme - Writing Custom Nagios Plugins in Perl
Nagios Conference 2012 - Nathan Vonnahme - Writing Custom Nagios Plugins in Perl
 
Automated Unit Testing
Automated Unit TestingAutomated Unit Testing
Automated Unit Testing
 
Continuous integration / continuous delivery
Continuous integration / continuous deliveryContinuous integration / continuous delivery
Continuous integration / continuous delivery
 
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
 
Puppet Camp Boston 2014: Keynote
Puppet Camp Boston 2014: Keynote Puppet Camp Boston 2014: Keynote
Puppet Camp Boston 2014: Keynote
 
Hadoop Pig
Hadoop PigHadoop Pig
Hadoop Pig
 
Shorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsShorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation Systems
 
php & performance
 php & performance php & performance
php & performance
 
WarsawITDays_ ApacheNiFi202
WarsawITDays_ ApacheNiFi202WarsawITDays_ ApacheNiFi202
WarsawITDays_ ApacheNiFi202
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
 
Go performance tooling
Go performance toolingGo performance tooling
Go performance tooling
 
Linux Desktop Automation
Linux Desktop AutomationLinux Desktop Automation
Linux Desktop Automation
 

Recently uploaded

GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian  Call girls in Dubai +971563133746 Dubai  Call girlsRussian  Call girls in Dubai +971563133746 Dubai  Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130  Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130  Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 

Recently uploaded (20)

GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian  Call girls in Dubai +971563133746 Dubai  Call girlsRussian  Call girls in Dubai +971563133746 Dubai  Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130  Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130  Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 

Compile the target binary with AFL
• CC / CXX - the standard environment variables a configure / cmake build reads to pick the C / C++ compiler; point them at one of the AFL wrappers:
  - afl-gcc / afl-g++
  - afl-clang / afl-clang++
  - afl-clang-fast / afl-clang-fast++ (LLVM mode, built in llvm_mode)
• AFL_INST_RATIO - instrumentation ratio (0-100%)
• AFL_HARDEN=1 - adds code hardening (includes -D_FORTIFY_SOURCE=2 and -fstack-protector-all)
See https://github.com/google/AFL/blob/master/docs/env_variables.txt for more

Find a test corpus
$ afl-cmin -i <in folder> -o <out folder> -- <binary to run> <options to binary> @@
$ afl-tmin -i <test case file> -o <minimized file> -- <binary to run> <options to binary> @@
(@@ is replaced by the path of the test case; leave it out for a target that reads its input from stdin)
• Files from unit / integration tests - source code repo / GitHub / sample folders
• Optimization: minimize the list of test cases (afl-cmin)
• Optimization: minimize each test file (afl-tmin)

Run the Fuzzer
$ screen -S <fuzzing session name> /bin/bash -c "afl-fuzz -i <input> -o <output> -M fuzzer1 -- /path/to/app" [Master]
ctrl+a c [to create a new window]
$ afl-fuzz -i <input> -o <output> -S fuzzer2 -- /path/to/app [Slave]
ctrl+a c [to create a new window]
$ afl-fuzz -i <input> -o <output> -S fuzzer3 -- /path/to/app [Slave]
…
ctrl+a " [to list all windows of the running session]
• All instances share the same -o directory; that is how the master and the slaves exchange their queues.

Triage the Findings
• Run the crash files through the normal binary
  - Compile without AFL
  - Possibly use AddressSanitizer or MemorySanitizer
  - GDB exploitable plugin: https://github.com/jfoote/exploitable
  - GDB exploit development plugin: https://github.com/longld/peda

Triage the Findings
• Report findings to the dev team
• Fix if you are part of the dev team
• Responsible disclosure (e.g. bug bounty)
• Simply keep the bug for yourself and develop a reliable exploit for more $$$ ;)
DEMO

rapidjson
1. Compile the target binary without AFL and get an understanding of how it works
2. Compile the target binary with AFL to insert instrumentation
3. Find a test corpus
4. Run the fuzzer
5. Triage the findings
6. Profit..!

Compile the target binary without AFL
$ git clone https://github.com/Tencent/rapidjson.git
$ cd rapidjson
$ mkdir build && cd build && cmake ..
$ make
We are going to fuzz one of the example tools this builds: jsonx

What is jsonx about?
- JSON to JSONx conversion example, using the SAX API.
- JSONx is an IBM standard format to represent JSON as XML.
- jsonx parses JSON text from stdin with validation, and converts it to JSONx on stdout.
- https://www-01.ibm.com/support/knowledgecenter/SS9H2Y_7.1.0/com.ibm.dp.doc/json_jsonx.html
See https://github.com/Tencent/rapidjson/blob/master/example/jsonx/jsonx.cpp for more

Compile the target binary with AFL
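This slide in the original deck is a screenshot. As an added example (my own script, not part of the deck or of rapidjson), here is the cmake build from the previous step repeated with CC / CXX pointed at the AFL wrappers described under "Compile the target binary with AFL", followed by the same check afl-fuzz performs before it accepts a target. Assumed: afl-clang-fast is on PATH (the llvm_mode build from the install slide), the rapidjson source and build directories are passed as arguments, and paths contain no spaces.

```shell
#!/bin/sh
# Added example, not from the slides: build rapidjson's examples with the
# AFL compiler wrappers and confirm the result is instrumented.

# afl_build SRC_DIR BUILD_DIR [fast|clang|gcc]
# Same cmake build as the plain one, but with CC / CXX pointed at the
# wrappers, so every object file gets coverage instrumentation.
# AFL_HARDEN=1 (exported so make sees it too) turns on FORTIFY_SOURCE and
# stack protectors, which makes some overflows abort instead of
# corrupting memory silently.
afl_build() {
    src=$1; build=$2; flavour=${3:-fast}
    case $flavour in
        fast)  cc=afl-clang-fast; cxx=afl-clang-fast++ ;;
        clang) cc=afl-clang;      cxx=afl-clang++ ;;
        gcc)   cc=afl-gcc;        cxx=afl-g++ ;;
        *) echo "unknown flavour: $flavour (use fast, clang or gcc)" >&2; return 2 ;;
    esac
    command -v "$cc" >/dev/null 2>&1 || { echo "$cc not on PATH" >&2; return 1; }
    # subshell so the caller's working directory is left alone
    (
        mkdir -p "$build" && cd "$build" || exit 1
        export AFL_HARDEN=1
        CC=$cc CXX=$cxx cmake "$src" && make
    )
}

# is_instrumented BIN: afl-fuzz refuses a target without instrumentation;
# it detects it by searching the binary for the string __AFL_SHM_ID (the
# name of the shared-memory environment variable the instrumentation
# reads), so the same check works from a shell before a long run.
is_instrumented() {
    grep -q __AFL_SHM_ID "$1" 2>/dev/null
}

# Usage: sh afl_build.sh /path/to/rapidjson /path/to/rapidjson/build-afl
if [ "$#" -ge 2 ]; then
    afl_build "$1" "$2" "${3:-fast}" || exit 1
    bin="$2/bin/jsonx"   # assumed output location; adjust if cmake puts it elsewhere
    if is_instrumented "$bin"; then
        echo "$bin is AFL-instrumented"
    else
        echo "$bin has no AFL instrumentation, check CC / CXX" >&2
        exit 1
    fi
fi
```

The `bin/jsonx` path in the usage block is an assumption about where cmake places the example; the functions themselves do not depend on it.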
Find test corpus
- Find good test data to seed the fuzzing.
- Test data is usually readily available on the internet.
- Even better, some GitHub repos already include fuzzing data we can use, for example https://github.com/DaveGamble/cJSON/tree/master/tests/inputs
- Make sure the uninstrumented binary can use the test data.

Corpus minimization: afl-cmin
• Minimize the list of test cases (afl-cmin keeps only the files that reach coverage no other file in the set reaches)
• According to AFL, only 12 of the 15 test files are "good" enough to seed the fuzzing

Corpus minimization: afl-tmin
• Minimize each test case file
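The corpus steps above ("Find a test corpus" in the workflow, and the three demo slides on seeds, afl-cmin and afl-tmin) as one script. This is an added example of mine, not code from the deck: it first drops every seed the uninstrumented build rejects (a seed that only exercises the error path is not worth fuzzing from), then hands the survivors to afl-cmin and afl-tmin. Assumed: a stdin target like jsonx (so no @@), an uninstrumented and an instrumented build passed as separate arguments, and afl-cmin / afl-tmin on PATH when minimization is wanted.

```shell
#!/bin/sh
# Added example, not from the slides: prepare a seed corpus for jsonx.

# keep_valid_seeds SEED_DIR OUT_DIR PLAIN_BIN
# Copies each seed that PLAIN_BIN (the build without AFL) parses cleanly,
# i.e. exits 0, into OUT_DIR and prints how many were kept.
keep_valid_seeds() {
    seed_dir=$1; out_dir=$2; plain_bin=$3
    mkdir -p "$out_dir"
    kept=0
    for f in "$seed_dir"/*; do
        [ -f "$f" ] || continue
        if "$plain_bin" < "$f" >/dev/null 2>&1; then
            cp "$f" "$out_dir"/
            kept=$((kept + 1))
        fi
    done
    echo "$kept"
}

# minimize_corpus CLEAN_DIR MIN_DIR AFL_BIN
# afl-cmin drops seeds that reach no new edges; it needs the instrumented
# binary because it measures coverage with afl-showmap. afl-tmin then
# shrinks every survivor. Without AFL on PATH the corpus is copied as is,
# so the rest of a pipeline still gets a seed directory.
minimize_corpus() {
    clean_dir=$1; min_dir=$2; afl_bin=$3
    mkdir -p "$min_dir"
    if ! command -v afl-cmin >/dev/null 2>&1; then
        echo "afl-cmin not on PATH, corpus left unminimized" >&2
        cp "$clean_dir"/* "$min_dir"/
        return 0
    fi
    cmin_dir=$(mktemp -d)
    afl-cmin -i "$clean_dir" -o "$cmin_dir" -- "$afl_bin"
    for f in "$cmin_dir"/*; do
        afl-tmin -i "$f" -o "$min_dir/$(basename "$f")" -- "$afl_bin"
    done
    rm -rf "$cmin_dir"
}

# Usage: sh prep_corpus.sh SEED_DIR WORK_DIR /path/to/plain/jsonx /path/to/afl/jsonx
if [ "$#" -eq 4 ]; then
    echo "seeds accepted by $3: $(keep_valid_seeds "$1" "$2/clean" "$3")" >&2
    minimize_corpus "$2/clean" "$2/min" "$4"
    ls "$2/min"
fi
```

The `WORK_DIR/min` directory is what goes to `afl-fuzz -i`; `WORK_DIR/clean` is kept so a later afl-cmin run with a different binary can start from the validated set rather than the raw downloads.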
Run the Fuzzer
- Each afl-fuzz instance occupies a CPU core. Use a dedicated machine (not shared hosting).
- Check CPU core availability before starting.
- Use screen to run several fuzzing sessions against one target (master + slaves).

Triage the findings
- We can examine and analyze a crash further without interrupting the running fuzzer.
- All results are available under the "output" folder.
- The "crashes" folder contains every input that crashed the fuzzed binary.

Triage the findings
- Use GDB and a couple of plugins to analyze the crashes.
- The exploitable plugin shows whether a crash is potentially security related.
- The PEDA plugin has several features that help develop a reliable exploit.
$ gdb ./jsonx
(gdb) source ~/exploitable/exploitable/exploitable.py
(gdb) source ~/peda/peda.py
(gdb) r < ~/mst/instr/rapidjson/build/fuzzing/output/fuzzer7/crashes/<choose one of the input files that generated a crash>
- Use "exploitable" or the PEDA features to analyze further
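Two of the steps above lend themselves to scripting, and both are given here as added examples of mine rather than code from the deck.

The first covers "Run the Fuzzer" (the screen session with one master and several slaves, sized to the cores available). It assumes the instrumented target reads stdin as jsonx does (no @@), that afl-fuzz and screen are on PATH, and that paths contain no spaces.

```shell
#!/bin/sh
# Added example, not from the slides: start a master plus slave afl-fuzz
# instances in one detached screen session, one per spare core.

# count_cores: online CPUs, falling back to 1 when it cannot be read
count_cores() {
    nproc 2>/dev/null || getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1
}

# fuzzer_count CORES: afl-fuzz instances to start. Each instance keeps
# one core busy, so one core is left free for the OS and for triage work.
fuzzer_count() {
    if [ "$1" -le 1 ]; then echo 1; else echo $(($1 - 1)); fi
}

# afl_cmd INDEX IN OUT TARGET: command line for instance INDEX.
# Instance 1 is the master (-M); the rest are slaves (-S). They all use
# the same -o directory, which is how they exchange interesting inputs.
afl_cmd() {
    if [ "$1" -eq 1 ]; then role=-M; else role=-S; fi
    echo "afl-fuzz -i $2 -o $3 $role fuzzer$1 -- $4"
}

# launch SESSION IN OUT TARGET: the first instance creates the detached
# session, each further one gets its own window (what ctrl+a c does by
# hand). Prints the number of instances started.
# Reattach with: screen -r SESSION   (ctrl+a " lists the windows)
launch() {
    session=$1; total=$(fuzzer_count "$(count_cores)"); i=1
    while [ "$i" -le "$total" ]; do
        cmd=$(afl_cmd "$i" "$2" "$3" "$4")
        # "exec sh" keeps the window open after afl-fuzz exits, so its
        # last status screen (or error message) stays readable
        if [ "$i" -eq 1 ]; then
            screen -dmS "$session" sh -c "$cmd; exec sh"
        else
            screen -S "$session" -X screen sh -c "$cmd; exec sh"
        fi
        i=$((i + 1))
    done
    echo "$total"
}

# Usage: sh fuzz.sh SESSION SEED_DIR OUT_DIR /path/to/instrumented/jsonx
if [ "$#" -eq 4 ]; then
    command -v afl-fuzz >/dev/null 2>&1 || { echo "afl-fuzz not on PATH" >&2; exit 1; }
    echo "started $(launch "$1" "$2" "$3" "$4") afl-fuzz instances in screen session $1"
fi
```

Progress for every instance can be read at any time with `afl-whatsup OUT_DIR`, without attaching to the screen session.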
Triage the findings
Exploitable!

Profit
• Fuzzing is an art; it takes a lot of practice to sharpen your sense and skill
• Again, practice makes perfect!
• Tons of applications on GitHub to start with, get your hands dirty right away
• Fuzz your own apps (e-commerce backend systems, banking apps, etc.)
• I will continue with more advanced topics later, such as distributed fuzzing and fuzzing with libFuzzer
• Ping me if you really enjoy the art of hardcore hacking, so we can fuzz together or develop a smarter fuzzer for a better future ;) [twitter: @cyberheb / linkedin: https://www.linkedin.com/in/muhammadsahputra/]

END
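The second added example covers the first part of "Triage the findings" from both the workflow slides and the demo: replaying every file afl-fuzz put under crashes/ against the build without AFL (compiled with -fsanitize=address where possible) and bucketing the results by how the process died, so that duplicates of one bug are obvious before anything is opened in gdb with exploitable or PEDA. This is my script, not code from the deck. Assumed: a stdin target like jsonx, the default output layout (<out>/crashes/ for a single instance, <out>/<fuzzerN>/crashes/ for -M/-S runs), and libdislocator.so installed to /usr/local/lib as on the install slide.

```shell
#!/bin/sh
# Added example, not from the slides: replay afl-fuzz crashes against an
# uninstrumented (ideally ASan) build and bucket them by cause of death.

# crash_signal STATUS: name of the signal that killed the target, empty
# when it exited on its own. POSIX shells report signal death as 128+N.
crash_signal() {
    case $1 in
        124) echo TIMEOUT ;;          # exit code used by timeout(1)
        132) echo SIGILL ;;
        134) echo SIGABRT ;;          # abort(): assertions, ASan reports
        136) echo SIGFPE ;;
        139) echo SIGSEGV ;;
        *) if [ "$1" -gt 128 ]; then echo "SIG$(($1 - 128))"; else echo ""; fi ;;
    esac
}

# replay_one TARGET FILE: feed FILE to TARGET on stdin and print the
# bucket: a signal name, or exit:N when it did not crash. A crash that
# replays as exit:0 did not reproduce in this build; retry it under ASan
# or with LD_PRELOAD=/usr/local/lib/libdislocator.so before dismissing it.
replay_one() {
    target=$1; file=$2; status=0
    if command -v timeout >/dev/null 2>&1; then set -- timeout 10 "$target"; else set -- "$target"; fi
    # abort_on_error=1 makes ASan abort() instead of exit(1), so sanitizer
    # findings land in the SIGABRT bucket rather than looking like a clean exit
    ASAN_OPTIONS=abort_on_error=1 "$@" < "$file" >/dev/null 2>&1 || status=$?
    sig=$(crash_signal "$status")
    if [ -n "$sig" ]; then echo "$sig"; else echo "exit:$status"; fi
}

# triage OUT_DIR TARGET: one "<bucket><TAB><file>" line per crash,
# sorted so identical buckets sit together. The README.txt afl-fuzz
# writes into each crashes/ directory is not an input and is skipped.
triage() {
    out_dir=$1; target=$2
    for f in "$out_dir"/crashes/* "$out_dir"/*/crashes/*; do
        [ -f "$f" ] || continue
        case $f in */README.txt) continue ;; esac
        printf '%s\t%s\n' "$(replay_one "$target" "$f")" "$f"
    done | sort
}

# Usage: sh triage.sh /path/to/afl/output /path/to/uninstrumented/jsonx
if [ "$#" -eq 2 ]; then
    result=$(triage "$1" "$2")
    echo "$result"
    echo "--- crashes per bucket ---"
    echo "$result" | cut -f1 | uniq -c
fi
```

Pick one file from each signal bucket for the gdb session above; the SIGSEGV and SIGABRT ones are where exploitable's classification matters, while an exit:0 line is a reminder that the instrumented and plain builds behave differently on that input.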