0-knowledge fuzzing

0-Knowledge Fuzzing,[object Object],VincenzoIozzo,[object Object],vincenzo.iozzo@zynamics.com,[object Object]

Disclaimer,[object Object],In this talk you won’t see all those formulas, formal definition, code snippets and bullets. ,[object Object],From past experiences the speaker learned that all the aforementioned elements are no useful in making people understand your idea.,[object Object],You instead will see a lot of funny pictures which the speaker hopes will convey better the understanding of the ideas explained in the talk,[object Object],You don’t want slides like this, do you?,[object Object]

How it used to be,[object Object]

How it is today (aka the reason of this talk),[object Object]

Evolutionary Based Fuzzing,[object Object]

We need a filter,[object Object]

Cyclomatic complexity,[object Object]

Original formula,[object Object], M = E – N + 2P,[object Object],Number of edges,[object Object],Number of nodes,[object Object],Connected components,[object Object]

Why? Cyclomatic number,[object Object], M = E – N + P,[object Object]

Formula,[object Object],M = E – N + 2,[object Object]

Loop detection,[object Object]

Dominator tree,[object Object]

Implicit loops,[object Object]

…to this one,[object Object]

Is that enough?,[object Object]

Not enough,[object Object],Of course not, more heuristics needed,[object Object],void*safe_strcpy(void*old_dest,void *src, intsize){,[object Object],void*dst = realloc(old_dest, size +1); ,[object Object],strncpy(dst, src, size); ,[object Object],returndst;,[object Object],},[object Object]

Add your own,[object Object],For static analysis we use,[object Object]

Example,[object Object],Taint Source,[object Object],Taint mark,[object Object],movl0x4[eax], ebx,[object Object]

Markings granularity,[object Object]

Propagation ,[object Object],add eax, ebx, edx,[object Object]

Output,[object Object], Registers,[object Object], Memory locations,[object Object]

In-memory fuzzing,[object Object]

Example,[object Object],esi= 0x30f064 ,[object Object],Original loc ,[object Object],esi= 0x30f0A4 ,[object Object],Fuzzed loc ,[object Object],rep movs,[object Object]

Expertise and patience,[object Object]

Memory instability,[object Object]

False positives,[object Object]

False negatives,[object Object]

Mutation loop insertion,[object Object]

Snapshot mutation restoration,[object Object]

What do we do?,[object Object],Hook image,[object Object],Hook functions,[object Object],Hook instructions,[object Object],Hook ,[object Object]

First approach,[object Object]

For instance…,[object Object],30f064-30f068,[object Object], 0x8a Y 0x00 K,[object Object],ABCD,[object Object]

Second approach,[object Object]

Example,[object Object],30f064-30f068,[object Object],30f084-30f098,[object Object],0x89 K D F 0x96,[object Object],0x00 J K U Y W 0xA7,[object Object],0xB8 0x00 0x10 A T N,[object Object],0x00 0xD3,[object Object],ABCD,[object Object]

Score,[object Object],BBexecuted/BBtotal,[object Object],Basic Blocks executed,[object Object],Total Basic Blocks ,[object Object]

Halting,[object Object],Cevil = Cgood + t,[object Object],Code coverage evil sample,[object Object],Code coverage good sample,[object Object],User-supplied threshold,[object Object]

How??,[object Object],Good sample,[object Object],Evil sample,[object Object],Compare,[object Object],Score ,[object Object],Score ,[object Object]

What do we use?,[object Object],Code coverage,[object Object],Faults monitor,[object Object]

Future – A reasoner,[object Object]

More Info,[object Object],viozzo.wordpress.com,[object Object], @_snagg,[object Object],vincenzo.iozzo@zynamics.com,[object Object]

0-knowledge fuzzing

0-knowledge fuzzing

Recommended

More Related Content

Similar to 0-knowledge fuzzing

Similar to 0-knowledge fuzzing(20)

More from zynamics GmbH

More from zynamics GmbH(10)

0-knowledge fuzzing

Editor's Notes