The document discusses different techniques for fuzz testing including basic, mutational, grammar-based, and feedback-based fuzzing. It then focuses on AFL (American Fuzzy Lop), an open source fuzzing tool that is optimized and smart. The document provides instructions on installing AFL and describes AFL's workflow including compiling the target binary with AFL, finding a test corpus, running the fuzzer, and triaging any findings. It concludes with a demonstration of fuzz testing the rapidjson library using AFL.
3. Basic Fuzzing
• Throw garbage at an application, and see if you hit something
• Sample application: PNG parser
$ cat /dev/urandom | convert -in -- -out data.png
Research Team Sharing Session - PT Mahapatih Sibernusa Teknologi
4. Mutational Fuzzer
• Mutate valid input
• flip bits
• relocate data
• More effective than random
• May run the same thing over and over again
5. Grammar Fuzzer
• Define rules for how the input should be changed
• Better control over input - good for structured data
• Time consuming to set up; requires knowledge of the input format
6. Feedback-based Fuzzer
• Application feedback - instrumentation / coverage data
• Slower, but less repetition
• High effectiveness
• For best results, requires source code (compile-time instrumentation)
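To make the difference between the blind mutational fuzzer of slide 4 and the feedback-based fuzzer of this slide concrete, here is an added Python example; it is not code from the deck or from AFL. The target is a constructed toy chunk parser (modelled loosely on the PNG layout mentioned on slide 3) that trusts a length field, the two mutations named on slide 4 (bit flips and relocation) are implemented as written, and `sys.settrace` stands in for AFL's compile-time instrumentation by recording line-to-line edges so that only inputs reaching a new edge are kept for further mutation. All names (`parse_chunks`, `MAGIC`, `SEED`, `mutate`, `run_with_coverage`, `coverage_guided_fuzz`) and the seed bytes are this example's own.

```python
import random
import sys

# Constructed seed file in the toy chunk format that parse_chunks() below expects.
MAGIC = b"\x89TOY\r\n\x1a\n"
SEED = MAGIC + (2).to_bytes(4, "big") + b"IHDR" + b"\x01\x02" + b"\x00\x00\x00\x00"

def parse_chunks(data: bytes) -> list:
    """Constructed toy target modelled on the PNG chunk layout: 8-byte magic, then
    chunks of (4-byte big-endian length, type, payload, 4-byte CRC). It trusts the
    declared length; the IndexError that follows stands in for a C out-of-bounds read."""
    if data[:8] != MAGIC:
        raise ValueError("bad magic")            # clean rejection, not a bug
    pos, chunks = 8, []
    while pos < len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype, payload = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        crc_end = pos + 8 + length + 4
        data[crc_end - 1]                        # "reads" the CRC, trusting `length`
        chunks.append((ctype, payload))
        pos = crc_end
    return chunks

# Mutational fuzzer (slide 4): flip bits, relocate data.
def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Flip one bit; bit 0 is the least significant bit of the first byte."""
    buf = bytearray(data)
    byte_pos, bit_pos = divmod(bit_index, 8)
    buf[byte_pos] ^= 1 << bit_pos
    return bytes(buf)

def relocate(data: bytes, src: int, length: int, dst: int) -> bytes:
    """Cut `length` bytes at `src` and re-insert them at offset `dst` of the remainder."""
    chunk = data[src:src + length]
    rest = data[:src] + data[src + length:]
    return rest[:dst] + chunk + rest[dst:]

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation; both operators preserve the input length."""
    if rng.random() < 0.5:
        return flip_bit(data, rng.randrange(len(data) * 8))
    length = rng.randint(1, len(data))
    src = rng.randrange(len(data) - length + 1)
    dst = rng.randrange(len(data) - length + 1)
    return relocate(data, src, length, dst)

def run_target(data: bytes) -> str:
    """Outcome of one run: 'ok', 'rejected' (a ValueError) or the crash class name."""
    try:
        parse_chunks(data)
        return "ok"
    except ValueError:
        return "rejected"
    except Exception as exc:
        return type(exc).__name__

def mutational_fuzz(seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """Blindly mutate the seed; returns {crash class: first input that caused it}."""
    rng, crashes = random.Random(rng_seed), {}
    for _ in range(iterations):
        candidate = mutate(seed, rng)            # nothing stops repeats of dead ends
        outcome = run_target(candidate)
        if outcome not in ("ok", "rejected"):
            crashes.setdefault(outcome, candidate)
    return crashes

# Feedback-based fuzzer (slide 6): keep only inputs that reach new edges.
def run_with_coverage(data: bytes):
    """Run the target under sys.settrace, recording (previous line, line) edges inside
    parse_chunks as a stand-in for AFL's edge instrumentation. Returns (outcome, edges)."""
    edges, prev = set(), [0]
    def tracer(frame, event, arg):
        if frame.f_code is not parse_chunks.__code__:
            return None                          # leave other functions untraced
        if event == "line":
            edges.add((prev[0], frame.f_lineno))
            prev[0] = frame.f_lineno
        return tracer
    sys.settrace(tracer)
    try:
        outcome = run_target(data)
    finally:
        sys.settrace(None)
    return outcome, frozenset(edges)

def coverage_guided_fuzz(seed: bytes, iterations: int, rng_seed: int = 1):
    """Mutate inputs from a queue that only admits inputs reaching a new edge; returns (queue, crashes)."""
    rng = random.Random(rng_seed)
    queue, crashes = [seed], {}
    seen = set(run_with_coverage(seed)[1])
    for _ in range(iterations):
        child = mutate(rng.choice(queue), rng)
        outcome, edges = run_with_coverage(child)
        if outcome not in ("ok", "rejected"):
            crashes.setdefault(outcome, child)
        if not edges <= seen:                    # new coverage: worth mutating further
            seen |= edges
            queue.append(child)
    return queue, crashes
```

Calling `coverage_guided_fuzz(SEED, 500)` shows both points the slide makes: the queue grows beyond the single seed because inputs that take the magic-rejection path exercise an edge the seed never did (AFL keeps such inputs for the same reason, long before any crash), and the `IndexError` both loops find comes from a flipped or relocated length field, the trusted-length bug a C parser would turn into an out-of-bounds read. The blind loop keeps re-deriving the same dead ends from the seed; the guided loop spends its iterations on inputs that have already proven to reach new code.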
7. AFL
• American Fuzzy Lop
• Developed by Michal Zalewski (@lcamtuf)
• Open source: http://lcamtuf.coredump.cx/afl/
• Optimized and smart
8. Installing AFL
$ git clone https://github.com/google/AFL.git
$ cd AFL
$ make
$ cd llvm_mode && make && cd ..
$ cd libdislocator/ && make && sudo cp libdislocator.so /usr/local/lib && cd ..
$ sudo make install
9. LLVM: Fuzzing non-x86
• Instrumentation is CPU-independent
• Build afl-fuzz with AFL_NO_X86=1
10. Workflow
1. Compile the target binary with AFL
2. Find a test corpus
3. Run the fuzzer
4. Triage the findings
5. Profit..!
11. Compile the target binary with AFL
• CC / CXX - the standard environment variables that tell a configure / build system which C / C++ compiler to use; point them at one of:
- afl-gcc / afl-g++
- afl-clang / afl-clang++
- afl-clang-fast / afl-clang-fast++
• AFL_INST_RATIO - instrumentation ratio (0-100%)
• AFL_HARDEN=1 - adds code hardening (includes -D_FORTIFY_SOURCE=2 and -fstack-protector-all)
See https://github.com/google/AFL/blob/master/docs/env_variables.txt for more
12. Find a test corpus
$ afl-cmin -i <in folder> -o <out folder> -- <binary to run> <options to binary> @@
$ afl-tmin -i <test case file> -o <minimized file> -- <binary to run> <options to binary> @@
• Files from unit / integration tests
- Source code repo / github / sample folders
• Optimization: Minimize the list of the cases
• Optimization: Minimize each test file
13. Run the Fuzzer
$ screen -S <fuzzing session name> /bin/bash -c "afl-fuzz -i <input> -o <output> -M fuzzer1 -- /path/to/app" [Master]
ctrl+a-c [to create new window]
$ afl-fuzz -i <input> -o <output> -S fuzzer2 -- /path/to/app [Slave]
ctrl+a-c [to create new window]
$ afl-fuzz -i <input> -o <output> -S fuzzer3 -- /path/to/app [Slave]
…
…
ctrl+a " [to list all windows of running session]
14. Triage the Findings
• Run the crash files through the normal (uninstrumented) binary
- Compile without afl
- Possibly use address sanitizer or memory sanitizer
- GDB exploitable plugin: https://github.com/jfoote/exploitable
- GDB exploit development plugin: https://github.com/longld/peda
15. Triage the Findings
• Report findings to dev team
• Fix if you are part of dev team
• Responsible disclosure (e.g. bug bounty)
• Simply keep the bug for yourself and develop a reliable exploit for more $$$ ;)
17. rapidjson
1. Compile the target binary without AFL and get an understanding of how it works
2. Compile the target binary with AFL to insert instrumentation
3. Find a test corpus
4. Run the fuzzer
5. Triage the findings
6. Profit..!
18. Compile the target binary without AFL
$ git clone https://github.com/Tencent/rapidjson.git
$ cd rapidjson
$ mkdir build && cd build && cmake ..
$ make
We’re going to fuzz one of these sample tools: jsonx
19. What is jsonx about?
- JSON to JSONx conversion example, using SAX API.
- JSONx is an IBM standard format to represent JSON as XML.
- jsonx parses JSON text from stdin with validation, and converts it to JSONx format on stdout.
- https://www-01.ibm.com/support/knowledgecenter/SS9H2Y_7.1.0/com.ibm.dp.doc/json_jsonx.html
See https://github.com/Tencent/rapidjson/blob/master/example/jsonx/jsonx.cpp for more
20. Compile the target binary with AFL
21. Find test corpus
- Find good test data to seed fuzzing.
- Test data is usually readily available all over the internet.
- Even better, some repos on GitHub already include fuzzing data we can use.
- https://github.com/DaveGamble/cJSON/tree/master/tests/inputs for example
- Make sure the uninstrumented binary can consume the test data
22. Corpus minimization: afl-cmin
• Minimize the list of the cases
• According to AFL, only 12 of 15 test files are ‘good’ enough to seed the fuzzing
23. Corpus minimization: afl-tmin
• Minimize each test case file
24. Run the Fuzzer
- AFL keeps a CPU core busy. Use a dedicated machine (not shared hosting).
- Check CPU core availability before starting
- Use screen to run several fuzzing sessions against one target (master + slaves)
25. Triage the findings
- We can examine and analyze a crash further without interrupting the running fuzzer.
- All results are available under the “output” folder.
- The “crashes” folder contains every input that crashed the fuzzed binary.
26. Triage the findings
- Use GDB and several plugins to analyse the crashes.
- The exploitable plugin shows whether the crash is potentially security related.
- The PEDA plugin has several features that help in developing a reliable exploit.
- $ gdb ./jsonx
- $ source ~/exploitable/exploitable/exploitable.py
- $ source ~/peda/peda.py
- $ r < ~/mst/instr/rapidjson/build/fuzzing/output/fuzzer7/crashes/<choose one of the input files that generated a crash>
- use “exploitable” or “peda features” to analyse further
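Before opening any single file in gdb, a practitioner normally re-runs the whole crashes folder through the normal binary (slide 14) and sorts the files by how the process died, which removes duplicates and the inputs that only crashed under instrumentation. The Python script below is an added example for slides 14, 25 and 26; it is not from the deck, from AFL or from rapidjson. It assumes Linux, the `output/<fuzzer>/crashes` layout shown on this slide and AFL's `@@` placeholder convention for file arguments (without `@@` the file is fed on stdin, as `r < file` does above). The target script, the three corpus files and their AFL-style names are constructed for the demo; `triage`, `classify`, `build_demo` and `demo` are this example's own names.

```python
import signal
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed stand-in for the un-instrumented target: a script that dies with the
# signal a memory-safety bug or an abort would raise when the input holds a marker.
TARGET_SRC = r'''
import os, signal, sys
data = sys.stdin.buffer.read()
if b"SEGV" in data:
    os.kill(os.getpid(), signal.SIGSEGV)   # stands in for an invalid memory access
if b"ABRT" in data:
    os.abort()                             # stands in for an assertion or ASan abort
sys.exit(0)
'''

def classify(returncode: int) -> str:
    """Bucket label for one run: the signal name for a crash, or 'exit:<code>' for a
    clean exit, which means the input did not reproduce outside the fuzzer."""
    if returncode < 0:
        return signal.Signals(-returncode).name
    return f"exit:{returncode}"

def triage(argv: list, crashes_dir: Path, timeout: float = 5.0) -> dict:
    """Re-run every file in crashes_dir through argv (the normal, un-instrumented
    binary) and group the file names by outcome. '@@' in argv is replaced by the
    file path, as afl-fuzz does; otherwise the file is fed on stdin."""
    buckets = {}
    for path in sorted(crashes_dir.iterdir()):
        if path.name == "README.txt":          # afl-fuzz leaves a README in crashes/
            continue
        cmd = [str(path) if arg == "@@" else arg for arg in argv]
        with open(path, "rb") as fh:
            try:
                proc = subprocess.run(cmd, stdin=None if "@@" in argv else fh,
                                      capture_output=True, timeout=timeout)
                bucket = classify(proc.returncode)
            except subprocess.TimeoutExpired:
                bucket = "timeout"             # hangs are a separate class of finding
        buckets.setdefault(bucket, []).append(path.name)
    return buckets

def build_demo(root: Path) -> tuple:
    """Write the constructed target and a crashes/ directory with AFL-style file
    names (constructed, not real fuzzer output). Returns (argv, crashes_dir)."""
    target = root / "target.py"
    target.write_text(TARGET_SRC)
    crashes = root / "crashes"
    crashes.mkdir()
    (crashes / "README.txt").write_text("constructed stand-in for AFL's README\n")
    (crashes / "id:000000,sig:11").write_bytes(b'{"a": SEGV}')
    (crashes / "id:000001,sig:06").write_bytes(b"[ABRT]")
    (crashes / "id:000002,sig:11").write_bytes(b"[]")    # does not reproduce
    return [sys.executable, str(target)], crashes

def demo() -> dict:
    """Run the triage over the constructed corpus in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        argv, crashes = build_demo(Path(tmp))
        return triage(argv, crashes)

if __name__ == "__main__":
    # For the slides' target this would be: triage(["./jsonx"], Path("output/fuzzer7/crashes"))
    for bucket, files in sorted(demo().items()):
        print(f"{bucket:10s} {len(files)} file(s): {', '.join(files)}")
```

The `exit:0` bucket is the one worth noticing: an input that AFL recorded as a crash but that runs cleanly in the normal binary usually points at instrumentation-only or timing-dependent behaviour, and rebuilding the target with AddressSanitizer (slide 14) before re-running the triage is the quickest way to settle it. Only the inputs left in a signal bucket are worth the manual gdb session shown on this slide.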
28. Profit
• Fuzzing is an art; it takes a lot of practice to sharpen your sense and skill
• Again, practice makes perfect!
• Tons of applications on GitHub to start with; get your hands dirty right away
• Fuzz your own apps (e-commerce backend systems, banking apps, etc.)
• I will continue with more advanced topics later, such as distributed fuzzing, fuzzing using libFuzzer, etc.
• Ping me if you’re really enjoying the art of hardcore hacking, so we can fuzz together or develop a smart fuzzer for a better future ;) [twitter: @cyberheb / linkedin: https://www.linkedin.com/in/muhammadsahputra/]