Fuzzing underestimated method of finding hidden bugs

A brief introduction to fuzzing and how to start using it.

Slide 1 - FUZZING: UNDERESTIMATED METHOD OF FINDING HIDDEN BUGS
by Pawel Rzepa

Slide 2 - AGENDA
• What is fuzzing?
• Mutation based (dumb) fuzzing
• Instrumented fuzzing
• Generation based (smart) fuzzing
• Fuzzing web applications
• What is the future of fuzzing?
Slide 3 - BEFORE WE START… WHO AM I?
• Security engineer at Intive (Wroclaw)
• Former developer of the advanced fuzzing module in Spirent's CyberFlood device
• Contributor to the OWASP MSTG (Mobile Security Testing Guide)
• Supporter of the Wroclaw OWASP meetings

Slide 4 - WHAT IS FUZZING, REALLY?
"Fuzzing is a method for discovering faults in software by providing unexpected input and monitoring for exceptions."
— "Fuzzing: Brute Force Vulnerability Discovery"

Slide 5 - IN OTHER WORDS…
A child noticed dad's unwatched phone… and found a chain of instructions that crashes it.

Slide 6 - HISTORY OF FUZZING
In 1988 Professor Barton Miller of the University of Wisconsin observed that, when he was logged in over a modem during a storm, the line noise generated junk characters, and those characters caused programs to crash.
Slide 7 - MUTATION / BRUTE-FORCE / DUMB FUZZING
sample data -> fuzzed data -> program input
Mutation operators: bit flipping, byte flipping, chunk spew, …

Slide 8 - MUTATION IN PRACTICE
More about Radamsa: https://github.com/aoh/radamsa

Slide 9 - LET'S FUZZ: DUMB FUZZING
Testing the robustness of an Android AV against APK bombs.
Target: the Android AV winner at av-test.org (July 2016)

Slide 10 - CREATING SAMPLE DATA
• Create fuzzed data from a sample:
  $> radamsa -o fuzz_sample_%n.apk -n 3000 com.appsec.appuse.apk
• Move the fuzzed data to the SD card:
  $> for i in {1..3000}; do adb push fuzz_sample_$i.apk /sdcard/Download; done
• Capture logs:
  $> adb logcat -v long > logs.txt

Slide 11 - DUMB FUZZING: V3 AV
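The mutation loop of slides 7-10 (sample data, mutators, program input) together with the fuzzer skeleton from the summary slide (input generator, history of generated input, process monitor), as an added Python example. It is not code from the talk or from Radamsa: the mutators, the tag-length-value parser used as a target and the sample bytes are all constructed for the example, and a real campaign would point `fuzz_campaign` at a subprocess instead of a Python function. The example also shows what a found crash usually leads to, a bounds check that turns the crash into a handled error.

```python
"""Minimal mutation-based ("dumb") fuzzer: sample -> mutated inputs -> target,
with an input history and a crash monitor. Added example, not from the slides."""
import hashlib
import random


# ---- mutators (the operations named on slide 7) ----
def bitflip(data: bytes, rng: random.Random) -> bytes:
    """Flip one random bit."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return bytes(buf)


def byteflip(data: bytes, rng: random.Random) -> bytes:
    """Replace one random byte with a random value."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def chunkspew(data: bytes, rng: random.Random) -> bytes:
    """Copy a random chunk and insert it at a random position (grows the input)."""
    a = rng.randrange(len(data))
    b = rng.randrange(a, len(data) + 1)
    at = rng.randrange(len(data) + 1)
    return data[:at] + data[a:b] + data[at:]


MUTATORS = (bitflip, byteflip, chunkspew)


def all_single_bitflips(data: bytes):
    """Deterministic sweep: every single-bit flip of the sample, in order."""
    for i in range(len(data)):
        for bit in range(8):
            buf = bytearray(data)
            buf[i] ^= 1 << bit
            yield bytes(buf)


# ---- a constructed target: records of <length byte><value bytes> ----
def parse_records_unchecked(data: bytes) -> list:
    """Constructed toy parser: trusts the length byte, so a bad one raises IndexError."""
    records, pos = [], 0
    while pos < len(data):
        length = data[pos]
        value = bytes(data[pos + 1 + k] for k in range(length))  # may index past the end
        records.append(value)
        pos += 1 + length
    return records


def parse_records_checked(data: bytes) -> list:
    """Same format with the bounds check a fuzz crash would lead you to add."""
    records, pos = [], 0
    while pos < len(data):
        length = data[pos]
        if pos + 1 + length > len(data):
            raise ValueError("truncated record")  # handled error, not a crash
        records.append(data[pos + 1:pos + 1 + length])
        pos += 1 + length
    return records


# ---- the fuzzer: generator + history + monitor ----
def fuzz_campaign(target, sample: bytes, iterations: int = 2000, seed: int = 1) -> list:
    """Return [(input, exception)] for every distinct input that crashed the target.
    ValueError is the target's own rejection of bad input; anything else is a crash."""
    rng = random.Random(seed)
    seen = set()          # history of generated inputs: duplicates are never re-run
    crashes = []
    candidates = list(all_single_bitflips(sample))   # deterministic stage first
    while len(candidates) < iterations:              # then random mutations of the sample
        candidates.append(rng.choice(MUTATORS)(sample, rng))
    for data in candidates:
        digest = hashlib.sha256(data).digest()
        if digest in seen:
            continue
        seen.add(digest)
        try:
            target(data)
        except ValueError:
            pass                           # cleanly rejected
        except Exception as exc:           # the monitor: unhandled exception == crash
            crashes.append((data, exc))
    return crashes


SAMPLE = b"\x05hello\x03abc"   # constructed valid sample: two records


if __name__ == "__main__":
    for name, parser in (("unchecked", parse_records_unchecked), ("checked", parse_records_checked)):
        found = fuzz_campaign(parser, SAMPLE)
        print("%s parser: %d distinct crashing inputs" % (name, len(found)))
        for data, exc in found[:3]:
            print("  %r -> %r" % (data, exc))
```

The deterministic bit-flip stage alone is enough to crash the unchecked parser, because flipping a high bit of the first length byte makes it claim more bytes than exist; the checked parser survives the whole campaign. Every input that ran is hashed into `seen`, which is the "history of generated input" from the summary slide and is what lets a long-running campaign avoid re-testing duplicates that mutation produces constantly.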
Slides 12-13 - DUMB FUZZING: WHY NOT PERFECT?
  if (VERY_RARE_CONDITION) {
      // vulnerable code
  } else {
      …
  }
Random mutation of a sample almost never satisfies the rare condition, so the vulnerable branch is almost never executed.

Slide 14 - DUMB FUZZING: TCPDUMP
  $> radamsa -o fuzz_sample_%n.pcap -n 3000 small_capture.pcap
  $> for i in {1..3000}; do tcpdump -nr fuzz_sample_$i.pcap >> radamsa_pcap.logs 2>&1; done
Slide 15 - LET'S FUZZ: INSTRUMENTED FUZZING
• Generates samples that cover subsets of all code paths
• Requires a dedicated compiler that detects possible code paths
• Much more effective
• Let's take a closer look at American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/)

Slide 16 - INSTRUMENTED FUZZING: PREPARATIONS
• Compile the sources with afl-gcc/afl-g++:
  $> CC=/path_to_AFL/afl-gcc ./configure
  $> make
• Prepare a valid sample (ideally < 100 KB)
• Create folders for input, output and (optionally) garbage, e.g. ./fuzz-input/ and ./fuzz-output/

Slide 17 - INSTRUMENTED FUZZING IN PRACTICE
  $> /path_to_AFL/afl-fuzz -i ./fuzz-input/ -o ./fuzz-output/ tcpdump-4.6.2/tcpdump -nr @@
(afl-fuzz replaces @@ with the path of the current test case.)

Slides 18-19 - INSTRUMENTED FUZZING IN PRACTICE
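What the instrumentation buys you over the dumb loop of slides 12-13, as an added Python example that is not from the talk and not AFL's code. The `branch()` calls stand in for the edge counters that afl-gcc compiles into the target, the target and its four-byte magic value are constructed, and `fuzz` keeps any input that reaches a branch not seen before and mutates from that instead of from the original sample (a simplification of AFL's queue). The dumb loop mutates the original sample only, so one mutation at a time can never assemble the magic value.

```python
"""Coverage-guided versus blind mutation on a target guarded by a rare condition.
Added example; the trace set below imitates what afl-gcc instrumentation records."""
import random

COVERAGE = set()   # branch ids hit during the current run


def branch(tag: str) -> None:
    COVERAGE.add(tag)


MAGIC = b"FUZZ"    # constructed: the input must start with this to reach the rare branch


def target(data: bytes) -> bool:
    """Constructed target: 'vulnerable code' is reached only behind a byte-by-byte check."""
    if len(data) < len(MAGIC):
        branch("short")
        return False
    for i, expected in enumerate(MAGIC):
        if data[i] != expected:          # each byte is its own comparison, i.e. its own branch
            branch("byte%d-miss" % i)
            return False
        branch("byte%d-hit" % i)
    branch("rare-condition")             # the VERY_RARE_CONDITION branch from slide 12
    return True


def run_traced(data: bytes):
    """Run the target once and return (reached rare branch?, branches hit)."""
    COVERAGE.clear()
    hit = target(data)
    return hit, frozenset(COVERAGE)


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random bit flip or byte replacement (dumb mutation)."""
    buf = bytearray(data)
    i = rng.randrange(len(buf))
    if rng.random() < 0.5:
        buf[i] ^= 1 << rng.randrange(8)
    else:
        buf[i] = rng.randrange(256)
    return bytes(buf)


def fuzz(seed_input: bytes, guided: bool, iterations: int, seed: int = 0):
    """Return (iterations used, input) when the rare branch is reached, else (iterations, None).
    guided=True: mutate the newest input that produced new coverage (the AFL idea).
    guided=False: always mutate the original sample (dumb fuzzing)."""
    rng = random.Random(seed)
    corpus = [seed_input]
    seen_cov = set(run_traced(seed_input)[1])
    for n in range(1, iterations + 1):
        parent = corpus[-1] if guided else seed_input
        child = mutate(parent, rng)
        hit, cov = run_traced(child)
        if hit:
            return n, child
        if guided and not cov <= seen_cov:   # a new branch was reached: keep this input
            seen_cov |= cov
            corpus.append(child)
    return iterations, None


if __name__ == "__main__":
    n, found = fuzz(b"AAAA", guided=False, iterations=20000)
    print("dumb:   %d iterations, found=%r" % (n, found))
    n, found = fuzz(b"AAAA", guided=True, iterations=100000)
    print("guided: %d iterations, found=%r" % (n, found))
```

With feedback the search becomes four independent one-byte problems (each about 1 in 2048 per iteration here) instead of one four-byte problem (1 in 2^32 for a blind guess), which is the difference between slides 12-13 and slide 15 in numbers.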
Slide 20 - COOL STORY BRO, BUT MY PROGRAM ISN'T WRITTEN IN C…
• AFL is so good that the community has created many implementations of it supporting other languages/environments. Check them out here: https://github.com/mirrorer/afl/blob/master/docs/sister_projects.txt
• Still doesn't suit your needs? Then write your own fuzzer!

Slide 21 - HOW TO FUZZ NETWORK PROTOCOLS? Will it work???
  $> while true; do cat /dev/urandom | nc -vv ftp.hq.nasa.gov 21; done
FAIL
Slides 22-25 - LIMITATIONS OF DUMB FUZZING
(1) Non-compliant types
(2) Non-compliant fixups (checksum, length, etc.)
(3) Unsupported relationships
(4) Unsupported program states
Slides 26-28 - GENERATION BASED FUZZING: CREATING A MODEL
• Fuzzing frameworks like Peach or Sulley require modelling each portion of the data
  Peach: http://peachfuzzer.com/resources/peachcommunity
• With DataModels you can create different states
• You can also define a monitor for the tested process
• Finally, put all the defined parts together in a Test
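Limitations (1)-(3) from slides 22-25 and the fixup idea behind the data model of slides 26-28, as an added Python example that is not from the talk and not Peach or Sulley. The wire format (magic, uint16 length, payload, CRC32), the receiver and the generator are all constructed here: the receiver validates length and checksum before it parses anything, so every single-bit mutation of a valid message is rejected at the door, while the generation-based cases mutate only the payload field and then re-run the length and CRC fixups, so all of them reach the real parser.

```python
"""Generation-based ("smart") versus dumb mutation on a framed message whose
receiver checks a length field and a CRC32 first. Added example, not from the slides."""
import random
import struct
import zlib

MAGIC = b"FZ"   # constructed format: magic(2) | length (uint16, big-endian) | payload | crc32 (uint32)


def build_message(payload: bytes) -> bytes:
    """The data model with its fixups: length and CRC are derived from the payload."""
    body = MAGIC + struct.pack(">H", len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def handle(message: bytes) -> str:
    """Constructed receiver: all validation runs before the payload is processed."""
    if len(message) < 8 or message[:2] != MAGIC:
        return "rejected: bad header"
    (length,) = struct.unpack(">H", message[2:4])
    if 4 + length + 4 != len(message):
        return "rejected: bad length"           # relationship: length <-> payload size
    body, (crc,) = message[:-4], struct.unpack(">I", message[-4:])
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return "rejected: bad checksum"         # fixup: CRC over everything before it
    return "processed %d bytes" % length        # only here does the payload reach the parser


def dumb_cases(sample: bytes):
    """Mutation-based: every single-bit flip of a valid message."""
    for i in range(len(sample)):
        for bit in range(8):
            buf = bytearray(sample)
            buf[i] ^= 1 << bit
            yield bytes(buf)


def smart_cases(count: int, seed: int = 7):
    """Generation-based: vary the payload field only, then re-run the fixups.
    The sizes are boundary values for the uint16 length type."""
    rng = random.Random(seed)
    for _ in range(count):
        size = rng.choice([0, 1, 16, 255, 256, 1024, 65535])
        payload = bytes(rng.randrange(256) for _ in range(size))
        yield build_message(payload)


def acceptance_rate(cases) -> float:
    """Fraction of test cases that got past validation into the parser."""
    cases = list(cases)
    accepted = sum(1 for c in cases if handle(c).startswith("processed"))
    return accepted / len(cases)


if __name__ == "__main__":
    valid = build_message(b"hello")
    print("dumb cases reaching the parser:  %.0f%%" % (100 * acceptance_rate(dumb_cases(valid))))
    print("smart cases reaching the parser: %.0f%%" % (100 * acceptance_rate(smart_cases(20))))
```

The dumb rate is exactly zero here because CRC32 detects every single-bit error, and a flip in the length or magic field fails the earlier checks; that is slide 23's point in code. A model that knows the field types, the length relationship and the checksum fixup spends all of its test cases on the code behind the checks instead of on the checks themselves.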
Slides 29-31 - SMART FUZZING WITH PEACH
  $> sudo mono Peach.exe --debug ./samples/ftp.xml

Slide 32 - HOMEWORK
• Fuzz "Vulnserver". Download from: http://sites.google.com/site/lupingreycorner/vulnserver.zip
• Write a Peach model. Refer to this tutorial: http://resources.infosecinstitute.com/fuzzing-vulnserver-with-peach-part-2/
Slides 33-37 - FUZZING WEB APPLICATIONS
• Locate an input you want to fuzz
• Intercept the request (e.g. Burp Suite / OWASP ZAP)
• Define which parameter should be fuzzed
• Select a dictionary of invalid input. More sample dictionaries: https://github.com/fuzzdb-project/fuzzdb
• Find errors!

Slide 38 - ANALYSING THE CRASH
• Every crash can be treated as a pure DoS attack
• Not every crash can be exploited :(
• Depending on the OS, use different tools to analyse a crash:
  - Microsoft !exploitable Crash Analyzer (Windows)
  - CERT GDB exploitable plugin (Linux)
  - Apple CrashWrangler (OS X)
Slide 39 - WHY IS FUZZING WORTH IT?
• High return on investment: machine time is cheap and human time is expensive
• The human's role is just to customize a fuzzer to your needs and… profit!

Slide 40 - WHAT CAN YOU FUZZ?
• Literally every piece of software that accepts user input
• All kinds of apps (mobile, desktop, web, etc.)
• OS -> https://vimeo.com/129701495
• Online games -> http://bit.ly/2e0w2YO
• Bluetooth -> http://bit.ly/2dQfPqM
• HDMI -> http://bit.ly/2e0ynmA
• Fonts -> http://bit.ly/293DKE0
• Virtualization systems -> http://bit.ly/2ernSfs
…and much more!

Slide 41 - WHAT CAN FUZZERS FIND?
• Buffer overruns (remote code execution)
• Deadlocks, thread hangs, unhandled exceptions (denial of service)
• Memory leaks (Heartbleed)

Slide 42 - WHAT'S NEXT? IMPLEMENT FUZZING IN THE SDLC

Slide 43 - FUZZING AND OTHER TESTING METHODS
• Fuzzing can find some types of bugs, but not all of them
• That means fuzzing should be treated as an ADDITIONAL method in your security testing
You still need static analysis, vulnerability assessment and penetration tests!!!

Slide 44 - FUTURE OF FUZZING
• Fuzzing as a service: Project Springfield (https://www.microsoft.com/en-us/springfield)

Slide 45 - FUTURE OF FUZZING
• That reminds me of the DARPA Cyber Grand Challenge bots: symbolic execution (e.g. angr) + directed fuzzing (e.g. AFL)

Slide 46 - SUMMARY
• A fuzzer should contain: an input generator, a history of generated input and a process monitor
• Fuzzing discovers bugs by providing invalid input
• There are 2 main types of fuzzers:
  - generation based (requires a sample definition)
  - mutation based (mutates a valid sample)
• Any software can be fuzzed, so always remember this method!

Slide 47 - THANK YOU! Contact me: pawel.rzepa@owasp.org