SlideShare a Scribd company logo

DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing

Felipe Prado
Felipe Prado

DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing

Technology
1 of 39
Download to read offline
Saif El-Sherei & Etienne Stalmans
What is Fuzzing?? Fuzzing is feeding an Application with malformed input in hope to find errors and faults in the application code and with a bit of luck these faults can lead to exploitable vulnerabilities
Basic History of Fuzzing • 1988-199: • Boris Beizer Syntax Testing. • Barton Miller Fuzz: An Emprical Study of Robustness. • 1999 – 2001 OUSPG PROTOS SNMP, HTTP, SIP, H.323, LDAP, etc … • 2002 Dave Aitel SPIKE block based fuzzing. Codnemicon first commercial fuzzer. • 2004 Browser Fuzzing start lcamtuf‟s MangleMe. • 2005 FileFuzz , SPIKEfile NotSPIKEfile File format fuzzing. • 2006 Month of Browser Bugs (MoBB) HD Moore relases a browser bug every day for a month release of CSSDIE, COMRaider and Axman and hamachi. • 2011 Lcamtuf decided to revolutionize Browser fuzzing in 2011 by releasing cross_fuzz. In his own words "a surprisingly effective but notoriously annoying cross-document DOM binding fuzzer that helped identify about one hundred bugs in all browsers on the market - many of said bugs exploitable - and is still finding more." it is based on ref_fuzz which he developed in 2008. • 2014 lcamtuf‟s introduces American Fuzzy lop (Afl) Evolutionary fuzzer.
Fuzzing Types And Techniques
Fuzzing methodology Monitor for Memory corruption Errors. Fuzz target Generate Data Identify Inputs Identify Target
Fuzzing Types • Mutation/Non-Intelligent Fuzzing Randomly apply mutation algorithms to the supplied input to generate several test cases without any concern to the target format. • Generation/Intelligent Fuzzing Utilize grammar to model a certain format specification and randomly generate semi-valid test cases. to minimize fault conditions and generate test cases that are accepted by the target.
Fuzzing Types Contd.. • Evolutionary Fuzzing Combining either types of fuzzing with code and binary instrumentation tools, to monitor code paths and generate test cases based on the results of the instrumentation to achieve least number of test cases with highest amount of code coverage and branches explored. In Fewer words lcamtuf‟s American fuzzy lop.
Tools of the Trade - Memory Error Detectors Memory Error Detectors poisons memory areas after memory allocations and after the memory is free-ed. It monitors access to these parts in memory and returns detailed error information. Windows: • PageHeap which is part of Gflags part of windows debugging toolkit can be applied on some windows processes. Linux and OSX: • Google's Address Sanitizer (Asan) is a clang compiler plugin that can be implemented during compilation time of any linux or OSX application.
Tools of the Trade - Fuzzing Harnesses Fuzzing harnesses are not themselves fuzzers but they are tools that run the target process feed it the generated test case and monitor the process for crashes. Windows: • Grinder by Stephen Fewer. Linux and Mac OSX: • Node Fuzz by Atte Kettunen of OUSPG.
Introducing
Wadi – Fuzzing Harness Atte Kettunen's of OUSPG NodeFuzz: • Nodefuzz is a fuzzing framework that works on Linux, And Mac OSX. • It is coded by Atte Kettunen of OUSPG using Nodejs. • It works by instrumenting the browser using ASan. and a test case generation module to feed the browser the test case through web sockets. • The modules are not provided as part of NodeFuzz you can code your own. it is a pretty simple process. • NodeFuzz is what we are currently using. with our own custom modules.
Wadi – Memory Error Detector Google's AddressSanitizer (ASan): • AddressSanitizer (ASan) is a clang compiler plugin Developed By Google which allows fast memory error detection. • The run-time library replaces the malloc and free functions. The memory around malloc-ed regions (red zones) is poisoned. The free-ed memory is placed in quarantine and also poisoned. Every memory access is monitored and if address is poisoned a detailed error is returned. • It Helps find use-after-free and heap,stack,global}-buffer overflow bugs in C/C++ programs. For Linux and mac OSX • Google and Mozilla both releases ASan pre built binaries for testing.
What is Wadi? • Exploring new tributaries in browser fuzzing. • Grammars are used to describe how browsers should process web content, Wadi turns that around and uses grammars to break browsers. • Wadi already responsible for a handful of high severity bugs in browsers.
Why Wadi? • From Chrome, to IE, Wadi identifies exploitable bugs in new and existing web APIs. • The talk introduces Wadi and walks the audience through the steps taken to go from LL(1) grammar to fuzz test cases and browser crashes
A simple Intro to The DOM Interfaces are types of objects that allow web applications and web browsers to programmatically access and interact with them to access their members. The Document Object Model (DOM): The Document Object Model provides a standard set of objects for representing HTML and XML documents, a standard model of how these objects can be combined, and a standard interface for accessing and manipulating them. Web API: When writing code for the Web using JavaScript, there are great many APIs available. that you may be able to use developing Web applications. ex: speech, webaudio, gamepad, canvas, webgl, animation, etc..
Wadi Architecture • Wadi is 3538 lines of code. • 2932 of these are grammar for test case generation. • Wadi works as a NodeFuzz Module and it is used to fuzz Chromium and Firefox Asan builds. • Already responsible for a number of bugs.
What is Grammar ? Grammar in English explains how a sentence is constructed. The same can be said about Grammars in compilers it describes how the language syntax is constructed the input is parsed based on a set rules “Productions” and tokens defined in the grammar definitions. In fuzzing grammar is used to help the fuzzer generate valid test cases. w3c have provided us with a nice interface definition language(IDL) that defines browser technology interfaces this is utilized by the fuzzer to be able to create and fuzz all attributes and methods used by them.
Grammar – IDL Interface According to the IDL definitions an interface is an object with a set of interface members these can be constants, attributes, or functions. Each interface has a unique identifier and inherits from a parent interface if needed. • LL(1) Interface Definition Grammar: "interface" identifier Inheritance "{" InterfaceMembers "}" ";“
Grammar – IDL Interface Example • Identifier: Text • Inheritance: CharacterData interface Text : CharacterData { Text splitText(in unsigned long offset) raises(DOMException); Text replaceWholeText(in DOMString content) raises(DOMException); readonly attribute boolean isElementContentWhitespace; attribute DOMString wholeText; };
Grammar – IDL Interface Members An interface member can be a constant, attribute or function as mentioned before. What we are interested in are the attributes and functions of an interface object. Taking a closer look at how interface members are defined in the IDL specification. • InterfaceMembers: Attributes: isElementContentWhitespace, wholeText Functions: splitText(), replaceWholeText() LL(1) Grammar Interface Member Definition: InterfaceMember → Const | AttributeOrOperation AttributeOrOperation → "stringifier" StringifierAttributeOrOperation | Attribute | Operation
Grammar – IDL Attributes An attribute is a declared interface member with an identifier whose value can be retrieved and in some cases changed. LL(1) Grammar Attribute Definition: Attribute → Inherit ReadOnly "attribute" Type identifier ";" Attributes of Example Interface: readonly attribute boolean isElementContentWhitespace; attribute DOMString wholeText; Identifier Input Type ReadOnly isElementContentWhitespace boolean True wholeText DOMString False Example Interface Attributes:
Grammar – IDL Functions Functions in the IDL specification is referred to as operations. A function is an interface member that defines behavior that can be invoked on objects implementing the interface. LL(1) Grammar Attribute Definition: Functions of Example Interface: Example Interface Functions: Operation → Qualifiers OperationRest OperationRest → ReturnType OptionalIdentifier "(" ArgumentList ")" ";" Text replaceWholeText(in DOMString content) Text splitText(in unsigned long offset) Identifier Number of Args Arg Identifier Arg Type Return Value replaceWholeText One content DOMString Text splitText One offset unsigned long Text
Grammar – Fuzzing Grammar Using the gathered information we can parse the Interface objects in any given IDL to a JavaScript object containing information about the interface members to be used by the fuzzer. There are some main pieces of information gathered from the example interface mainly the interface identifier (Name), inherited parent interface, interface members (methods, attributes). For Attributes and Methods an array of arrays is created with each child array containing information about a single Attribute or method members of the respective interface. A single Attribute array will have three members: *The Attribute Identifier, *function(s) to generate the expected value type+,’readOnly flag’+ A single Method array will have three members: *The Method Identifier, *function(s) to generate method parameters and values+,’high flag’+
Grammar – Fuzzing Grammar Contd. You can code your own functions to generate attribute values and method parameters. Or use the already available helper functions in NodeFuzz „randoms.js‟ file. The main Attributes and Methods arrays are concatenated to the parent interface object attributes and methods arrays to simulate inheritance. Example Interface as defined in the Fuzzing grammar: TextInterface = { 'Name': 'text', 'Attributes': [ ['isElementContentWhitespace',[GenerateExpectedValue()],'readonly'], ['wholeText',[ GenerateExpectedValue()+,’’+ ].concat(CharacterDataInterface.Attributes), 'Methods':[ ['replaceWholeText',[ GenerateExpectedParameters()],'high'], ['splitText',[ GenerateExpectedParameters()],'high'] ].concat(CharacterDataInterface.Methods), 'tagName':'Text', 'style':CSS2PropertiesInterface };
Helper Functions These are some of the helper functions that are implemented in NodeFuzz „randoms.js‟ we can implement our own or tweak the ones already available to our needs these functions are used in generating attributes values, method parameters and all through the test case generation. Name Description randoms() return random number, float value or hex number rint(num) return a random number limited by parameter. ra(array) return a random element an array. arrayWalk(array) return a random element from array if it is a function execute it and retrurn the return value. if it is a string or an int return the value. string(num) return a random length string with length based on a random number limited by the input parameter. randbool() returns random Boolean. floatValue(num) return a random float value. getRandomColor() returns a random color in either hex, hsl, rgbint formats distanceValue() return a random number or float with distance suffixes like px,%,cm, etc ... retURI(num) return a random length URL returnRandomElement() returns a random element from the list of created elements and either try to reference a near by object like 'firstChild','nextSibling',etc ... or just return the element object itself.
Fuzzing Module Wadi works on grammar created from the IDL that mapped interfaces to javascript objects using these objects to be able to generate valid JS statements into a string array. Then output an HTML document with a script containing the generated test case. The flow of the Wadi is as follows
Test Case generation – Element Creation These are the main and first functions executed by Wadi. It generates JS statements to randomly create elements from the available HTML interfaces and inserts random child text nodes. Name Description createElement() creates a random element from the list of interfaces and saves a reference to the object both in fuzzer space and browser space createTextNode() creates random length text nodes and attach them to random elements in the DOM. mangleElements() randomly mangles element positions within the document. Wadi Output: try { HTML0=document.createElement("EMBED")} catch(e) {} try { HTML0.id="HTML0"} catch(e) {} try { createdElements['HTML0']=HTML0} catch(e) {} try { document.body.appendChild(HTML0)} catch(e) {}
Test Case generation – Element Creation Contd. The creation functions will save a references to the created Element objects to the local fuzzer space objects array 'CreatedElements' to be able to access properties and methods of the created element. As well as save a reference to the created object to the browser space to be able to manipulate the saved references. The saved object in fuzzer space will have the following structure for the previous example: { 'objName':HTML0, 'type':'object name', 'object':Embed interface object reference };
Test Case generation – Fuzzing Interfaces Functions Function Description fuzzWindowAttribs, randomly set the 'window' interface object attributes. fuzzWindowMethods, randomly call the 'window' interface object methods. fuzzStyle, Pick a random element and set a random style property using element.style. fuzzStyle1, pick a random style sheet with random reference to element and set random style properties using insertRule. fuzzDocumentAttribs, randomly set the 'document' interface object attributes. fuzzDocumentMethods, randomly call the 'window' interface object methods. deleteRandomKey, deletes a random refence to the created objects saved in the 'createdElements' object in browser space. fuzzPLayerMethods, if no animation player found call the createPlayer() function to create a new animation player and add reference to it in the createElements object array. if a player exist call a random method from the animation interface object. fuzzPlayerAttribs, if no animation player found call the createPlayer() function to create a new animation player and add reference to it in the createElements object array. if a player exist set a random attribute from the animation interface object. Wadi will then call the function fuzz(num) num being the number of rounds to execute fuzzer functions. Simply the fuzz() function picks a random function name from the below list and executes it and return the output JavaScript statement to our string array.
Test Case generation – Wadi Interfaces contd. Function Description MutationObserve, creates a random mutation observer and add reference to it in the createElements object array. fuzzMutationObserve, if no mutation observer have been created, call () function if one exists call or set random method or attribute from the Mutation observer interface object. createRangeTraversal, creates a random treeWalker or nodeIterator and add reference to them in the createElements object array. fuzzRangeTraversal, if no range has been created call createRangeTraversal() function. else call or set random method or attribute from the respective NodeIterator Interface or TreeWalker Interface objects. fuzzElementsMethods, randomly set the attributes of a randomly selected element from the list of created elements. fuzzElementsAttribs, randomly call the methods of a randomly selected element from the list of created elements. addLoop, add a random loop function around js block loops are (for, while, setTimeout, setInterval) crossRef, try to set object references to a random other ex: HTML0 = HTML1.firstChild AddEvent, attach a random event to one of the created elements. creates an event object using createEvent directive and add reference to the created event object to a list for later use. dispatchEvt, randomly fires one of the created events. intfuzz return random function name for use ass callbacks for certain operations GarColl, force garbage collection.
Test Case generation – preparing the output script • Creating Internal callbacks based on the number of function names returned by intfuzz() • Insert the element creation JS block. • Insert all other object create JS statements. • Randomly insert JS statements returned by fuzz() function.
Sample Wadi Output <html><head><style></style></head><body></body> <script> var createdElements={} var createdElements={} function func0(arg) { try {window.addEventListener("select",func0,0)} catch(e) {} try {document.styleSheets[0].insertRule("FONT,FONT {outline-offset: initial; }",0)} catch(e) {} try {delete HTML0} catch(e) {} try {window.status=""} catch(e) {} } try { HTML0=document.createElement("FONT")} catch(e) {} try { HTML0.id="HTML0"} catch(e) {} try { createdElements['HTML0']=HTML0} catch(e) {} try { document.body.appendChild(HTML0)} catch(e) {} try { TXT0=document.createTextNode('ä¤쭅4ዽB£x ]ဒ00fcihF‰f꡴{½-嘖j蹅a2z2墯6')} catch(e) {} try { createdElements['TXT0']=TXT0} catch(e) {} try { HTML0.appendChild(TXT0)} catch(e) {} try { var EVT0= new Event("select",{"bubbles":0, "cacelable":0})} catch(e) {} try { var ni0 = document.createNodeIterator(HTML0.firstChild,32,NodeFilter.FILTER_REJECT,1); createdElements['ni0']=ni0} catch(e) {} try {TXT0.lastChild=""} catch(e) {} try {gc()} catch(e) {} try {createdElements[HTML0].style.imageRendering="pixelated"} catch(e) {} try {delete HTML0} catch(e) {} try {window.status=""} catch(e) {} </script> </html>
Results • Using Wadi we were able to find And report 4 confirmed bugs in latest Chromium ASan. version • 2 Were Duplicates. • Issue No: 446517 Duplicate With issue 383777 • Issue No: 445772 Duplicate with Issue: 445638 • 2 were confirmed with security severity high and affecting all OS. Fixed awaiting Release and hopefully reward :D • Issue No: 445332 • Issue No: 453279
BUG#1 Issue No:446517
BUG#2 Issue No:445772
BUG#3 Issue No:445332
BUG#4 Issue No:453279
References • http://www.w3.org/DOM/ • http://www.w3.org/TR/WebIDL/ • Fuzzing Brute Force Vulnerability Discovery: Michael Sutton, Adam Greene, Michael Pedram Amini. • Fuzzing for Software Security Testing and Quality Assurance: Ari Takanen, Jared D. Demott, Charlie Miller. • Browser bug hunting - Memoirs of a last man standing: Atte Kettunen 44con talk.
Q&A

Recommended

Introduction to python
Introduction to pythonIntroduction to python
Introduction to python
Jaya Kumari
 
C Course Material0209
C Course Material0209C Course Material0209
C Course Material0209
chameli devi group of institutions
 
Training python (new Updated)
Training python (new Updated)Training python (new Updated)
Training python (new Updated)
University of Technology
 
WEB PROGRAMMING UNIT VIII BY BHAVSINGH MALOTH
WEB PROGRAMMING UNIT VIII BY BHAVSINGH MALOTHWEB PROGRAMMING UNIT VIII BY BHAVSINGH MALOTH
WEB PROGRAMMING UNIT VIII BY BHAVSINGH MALOTH
Bhavsingh Maloth
 
code documentation
code documentationcode documentation
code documentation
MADUABUM NNANNA
 
GDG Helwan Introduction to python
GDG Helwan Introduction to pythonGDG Helwan Introduction to python
GDG Helwan Introduction to python
Mohamed Hegazy
 
Python final presentation kirti ppt1
Python final presentation kirti ppt1Python final presentation kirti ppt1
Python final presentation kirti ppt1
Kirti Verma
 
Tutorial c#
Tutorial c#Tutorial c#
Tutorial c#
Mohammad Faizan
 

Recommended

Introduction to python
Introduction to pythonIntroduction to python
Introduction to python
Jaya Kumari
 
C Course Material0209
C Course Material0209C Course Material0209
C Course Material0209
chameli devi group of institutions
 
Training python (new Updated)
Training python (new Updated)Training python (new Updated)
Training python (new Updated)
University of Technology
 
WEB PROGRAMMING UNIT VIII BY BHAVSINGH MALOTH
WEB PROGRAMMING UNIT VIII BY BHAVSINGH MALOTHWEB PROGRAMMING UNIT VIII BY BHAVSINGH MALOTH
WEB PROGRAMMING UNIT VIII BY BHAVSINGH MALOTH
Bhavsingh Maloth
 
code documentation
code documentationcode documentation
code documentation
MADUABUM NNANNA
 
GDG Helwan Introduction to python
GDG Helwan Introduction to pythonGDG Helwan Introduction to python
GDG Helwan Introduction to python
Mohamed Hegazy
 
Python final presentation kirti ppt1
Python final presentation kirti ppt1Python final presentation kirti ppt1
Python final presentation kirti ppt1
Kirti Verma
 
Tutorial c#
Tutorial c#Tutorial c#
Tutorial c#
Mohammad Faizan
 
Presentation of Python, Django, DockerStack
Presentation of Python, Django, DockerStackPresentation of Python, Django, DockerStack
Presentation of Python, Django, DockerStack
David Sanchez
 
Code Documentation. That ugly thing...
Code Documentation. That ugly thing...Code Documentation. That ugly thing...
Code Documentation. That ugly thing...
Christos Manios
 
1..Net Framework Architecture-(c#)
1..Net Framework Architecture-(c#)1..Net Framework Architecture-(c#)
1..Net Framework Architecture-(c#)
Shoaib Ghachi
 
2.Getting Started with C#.Net-(C#)
2.Getting Started with C#.Net-(C#)2.Getting Started with C#.Net-(C#)
2.Getting Started with C#.Net-(C#)
Shoaib Ghachi
 
C sharp
C sharpC sharp
C sharp
Satish Verma
 
Python Tutorial for Beginner
Python Tutorial for BeginnerPython Tutorial for Beginner
Python Tutorial for Beginner
rajkamaltibacademy
 
C# tutorial
C# tutorialC# tutorial
C# tutorial
sarangowtham_gunnam
 
.NET and C# introduction
.NET and C# introduction.NET and C# introduction
.NET and C# introduction
Peter Gfader
 
Object oriented-programming-in-c-sharp
Object oriented-programming-in-c-sharpObject oriented-programming-in-c-sharp
Object oriented-programming-in-c-sharp
Abefo
 
NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...
NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...
NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...
Maarten Balliauw
 
Why I Love Python
Why I Love PythonWhy I Love Python
Why I Love Python
didip
 
The .NET Platform - A Brief Overview
The .NET Platform - A Brief OverviewThe .NET Platform - A Brief Overview
The .NET Platform - A Brief Overview
Carlos Lopes
 
API workshop: Deep dive into Java
API workshop: Deep dive into JavaAPI workshop: Deep dive into Java
API workshop: Deep dive into Java
Tom Johnson
 
Introduction to c_sharp
Introduction to c_sharpIntroduction to c_sharp
Introduction to c_sharp
HEM Sothon
 
Smoothing Your Java with DSLs
Smoothing Your Java with DSLsSmoothing Your Java with DSLs
Smoothing Your Java with DSLs
intelliyole
 
Python ppt
Python pptPython ppt
Python ppt
Mohita Pandey
 
Assignment1 B 0
Assignment1 B 0Assignment1 B 0
Assignment1 B 0
Mahmoud
 
Introduction to Python Basics Programming
Introduction to Python Basics ProgrammingIntroduction to Python Basics Programming
Introduction to Python Basics Programming
Collaboration Technologies
 
Csharp
CsharpCsharp
Csharp
Swaraj Kumar
 
Basics of python
Basics of pythonBasics of python
Basics of python
Jatin Kochhar
 
New microsoft office word document
New microsoft office word documentNew microsoft office word document
New microsoft office word document
SIVAJISADHANA
 
New microsoft office word document
New microsoft office word documentNew microsoft office word document
New microsoft office word document
SIVAJISADHANA
 

More Related Content

What's hot

Object oriented-programming-in-c-sharp
Object oriented-programming-in-c-sharpObject oriented-programming-in-c-sharp
Object oriented-programming-in-c-sharp
Abefo
 
The .NET Platform - A Brief Overview
The .NET Platform - A Brief OverviewThe .NET Platform - A Brief Overview
The .NET Platform - A Brief Overview
Carlos Lopes
 
Smoothing Your Java with DSLs
Smoothing Your Java with DSLsSmoothing Your Java with DSLs
Smoothing Your Java with DSLs
intelliyole
 
Assignment1 B 0
Assignment1 B 0Assignment1 B 0
Assignment1 B 0
Mahmoud
 

What's hot (20)

Presentation of Python, Django, DockerStack
Presentation of Python, Django, DockerStackPresentation of Python, Django, DockerStack
Presentation of Python, Django, DockerStack
 
Code Documentation. That ugly thing...
Code Documentation. That ugly thing...Code Documentation. That ugly thing...
Code Documentation. That ugly thing...
 
1..Net Framework Architecture-(c#)
1..Net Framework Architecture-(c#)1..Net Framework Architecture-(c#)
1..Net Framework Architecture-(c#)
 
2.Getting Started with C#.Net-(C#)
2.Getting Started with C#.Net-(C#)2.Getting Started with C#.Net-(C#)
2.Getting Started with C#.Net-(C#)
 
C sharp
C sharpC sharp
C sharp
 
Python Tutorial for Beginner
Python Tutorial for BeginnerPython Tutorial for Beginner
Python Tutorial for Beginner
 
C# tutorial
C# tutorialC# tutorial
C# tutorial
 
.NET and C# introduction
.NET and C# introduction.NET and C# introduction
.NET and C# introduction
 
Object oriented-programming-in-c-sharp
Object oriented-programming-in-c-sharpObject oriented-programming-in-c-sharp
Object oriented-programming-in-c-sharp
 
NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...
NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...
NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...
 
Why I Love Python
Why I Love PythonWhy I Love Python
Why I Love Python
 
The .NET Platform - A Brief Overview
The .NET Platform - A Brief OverviewThe .NET Platform - A Brief Overview
The .NET Platform - A Brief Overview
 
API workshop: Deep dive into Java
API workshop: Deep dive into JavaAPI workshop: Deep dive into Java
API workshop: Deep dive into Java
 
Introduction to c_sharp
Introduction to c_sharpIntroduction to c_sharp
Introduction to c_sharp
 
Smoothing Your Java with DSLs
Smoothing Your Java with DSLsSmoothing Your Java with DSLs
Smoothing Your Java with DSLs
 
Python ppt
Python pptPython ppt
Python ppt
 
Assignment1 B 0
Assignment1 B 0Assignment1 B 0
Assignment1 B 0
 
Introduction to Python Basics Programming
Introduction to Python Basics ProgrammingIntroduction to Python Basics Programming
Introduction to Python Basics Programming
 
Csharp
CsharpCsharp
Csharp
 
Basics of python
Basics of pythonBasics of python
Basics of python
 

Similar to DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing

New microsoft office word document
New microsoft office word documentNew microsoft office word document
New microsoft office word document
SIVAJISADHANA
 
New microsoft office word document
New microsoft office word documentNew microsoft office word document
New microsoft office word document
SIVAJISADHANA
 
New microsoft office word document
New microsoft office word documentNew microsoft office word document
New microsoft office word document
SIVAJISADHANA
 
Net framework
Net frameworkNet framework
Net framework
jhsri
 
BUD17-104: Scripting Languages in IoT: Challenges and Approaches
BUD17-104: Scripting Languages in IoT: Challenges and ApproachesBUD17-104: Scripting Languages in IoT: Challenges and Approaches
BUD17-104: Scripting Languages in IoT: Challenges and Approaches
Linaro
 
.Net framework interview questions
.Net framework interview questions.Net framework interview questions
.Net framework interview questions
Mir Majid
 
Cara Tepat Menjadi iOS Developer Expert - Gilang Ramadhan
Cara Tepat Menjadi iOS Developer Expert - Gilang RamadhanCara Tepat Menjadi iOS Developer Expert - Gilang Ramadhan
Cara Tepat Menjadi iOS Developer Expert - Gilang Ramadhan
DicodingEvent
 
c#.pptx
c#.pptxc#.pptx
c#.pptx
GokulPadmakumar3
 

Similar to DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing (20)

New microsoft office word document
New microsoft office word documentNew microsoft office word document
New microsoft office word document
 
New microsoft office word document
New microsoft office word documentNew microsoft office word document
New microsoft office word document
 
New microsoft office word document
New microsoft office word documentNew microsoft office word document
New microsoft office word document
 
.Net Session Overview
.Net Session Overview.Net Session Overview
.Net Session Overview
 
Programming
Programming Programming
Programming
 
dot NET Framework
dot NET Frameworkdot NET Framework
dot NET Framework
 
Introduction to .net
Introduction to .netIntroduction to .net
Introduction to .net
 
Lecture 1 introduction to language processors
Lecture 1 introduction to language processorsLecture 1 introduction to language processors
Lecture 1 introduction to language processors
 
Introduction to java
Introduction to javaIntroduction to java
Introduction to java
 
Net framework
Net frameworkNet framework
Net framework
 
Online lg prodect
Online lg prodectOnline lg prodect
Online lg prodect
 
BUD17-104: Scripting Languages in IoT: Challenges and Approaches
BUD17-104: Scripting Languages in IoT: Challenges and ApproachesBUD17-104: Scripting Languages in IoT: Challenges and Approaches
BUD17-104: Scripting Languages in IoT: Challenges and Approaches
 
.Net framework interview questions
.Net framework interview questions.Net framework interview questions
.Net framework interview questions
 
UNIT 3.1 INTRODUCTON TO IDA.ppt
UNIT 3.1 INTRODUCTON TO IDA.pptUNIT 3.1 INTRODUCTON TO IDA.ppt
UNIT 3.1 INTRODUCTON TO IDA.ppt
 
Building scalable and language independent java services using apache thrift
Building scalable and language independent java services using apache thriftBuilding scalable and language independent java services using apache thrift
Building scalable and language independent java services using apache thrift
 
Cara Tepat Menjadi iOS Developer Expert - Gilang Ramadhan
Cara Tepat Menjadi iOS Developer Expert - Gilang RamadhanCara Tepat Menjadi iOS Developer Expert - Gilang Ramadhan
Cara Tepat Menjadi iOS Developer Expert - Gilang Ramadhan
 
Intro To AOP
Intro To AOPIntro To AOP
Intro To AOP
 
Building scalable and language-independent Java services using Apache Thrift ...
Building scalable and language-independent Java services using Apache Thrift ...Building scalable and language-independent Java services using Apache Thrift ...
Building scalable and language-independent Java services using Apache Thrift ...
 
c#.pptx
c#.pptxc#.pptx
c#.pptx
 
Copmuter Languages
Copmuter LanguagesCopmuter Languages
Copmuter Languages
 

More from Felipe Prado

More from Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 

Recently uploaded

Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Overkill Security
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Recently uploaded (20)

Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 

DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing

  • 1. Saif El-Sherei & Etienne Stalmans
  • 2. What is Fuzzing?? Fuzzing is feeding an Application with malformed input in hope to find errors and faults in the application code and with a bit of luck these faults can lead to exploitable vulnerabilities
  • 3. Basic History of Fuzzing • 1988-199: • Boris Beizer Syntax Testing. • Barton Miller Fuzz: An Emprical Study of Robustness. • 1999 – 2001 OUSPG PROTOS SNMP, HTTP, SIP, H.323, LDAP, etc … • 2002 Dave Aitel SPIKE block based fuzzing. Codnemicon first commercial fuzzer. • 2004 Browser Fuzzing start lcamtuf‟s MangleMe. • 2005 FileFuzz , SPIKEfile NotSPIKEfile File format fuzzing. • 2006 Month of Browser Bugs (MoBB) HD Moore relases a browser bug every day for a month release of CSSDIE, COMRaider and Axman and hamachi. • 2011 Lcamtuf decided to revolutionize Browser fuzzing in 2011 by releasing cross_fuzz. In his own words "a surprisingly effective but notoriously annoying cross-document DOM binding fuzzer that helped identify about one hundred bugs in all browsers on the market - many of said bugs exploitable - and is still finding more." it is based on ref_fuzz which he developed in 2008. • 2014 lcamtuf‟s introduces American Fuzzy lop (Afl) Evolutionary fuzzer.
  • 4. Fuzzing Types And Techniques
  • 5. Fuzzing methodology Monitor for Memory corruption Errors. Fuzz target Generate Data Identify Inputs Identify Target
  • 6. Fuzzing Types • Mutation/Non-Intelligent Fuzzing Randomly apply mutation algorithms to the supplied input to generate several test cases without any concern to the target format. • Generation/Intelligent Fuzzing Utilize grammar to model a certain format specification and randomly generate semi-valid test cases. to minimize fault conditions and generate test cases that are accepted by the target.
  • 7. Fuzzing Types Contd.. • Evolutionary Fuzzing Combining either types of fuzzing with code and binary instrumentation tools, to monitor code paths and generate test cases based on the results of the instrumentation to achieve least number of test cases with highest amount of code coverage and branches explored. In Fewer words lcamtuf‟s American fuzzy lop.
  • 8. Tools of the Trade - Memory Error Detectors Memory Error Detectors poisons memory areas after memory allocations and after the memory is free-ed. It monitors access to these parts in memory and returns detailed error information. Windows: • PageHeap which is part of Gflags part of windows debugging toolkit can be applied on some windows processes. Linux and OSX: • Google's Address Sanitizer (Asan) is a clang compiler plugin that can be implemented during compilation time of any linux or OSX application.
  • 9. Tools of the Trade - Fuzzing Harnesses Fuzzing harnesses are not themselves fuzzers but they are tools that run the target process feed it the generated test case and monitor the process for crashes. Windows: • Grinder by Stephen Fewer. Linux and Mac OSX: • Node Fuzz by Atte Kettunen of OUSPG.
  • 11. Wadi – Fuzzing Harness Atte Kettunen's of OUSPG NodeFuzz: • Nodefuzz is a fuzzing framework that works on Linux, And Mac OSX. • It is coded by Atte Kettunen of OUSPG using Nodejs. • It works by instrumenting the browser using ASan. and a test case generation module to feed the browser the test case through web sockets. • The modules are not provided as part of NodeFuzz you can code your own. it is a pretty simple process. • NodeFuzz is what we are currently using. with our own custom modules.
  • 12. Wadi – Memory Error Detector Google's AddressSanitizer (ASan): • AddressSanitizer (ASan) is a clang compiler plugin Developed By Google which allows fast memory error detection. • The run-time library replaces the malloc and free functions. The memory around malloc-ed regions (red zones) is poisoned. The free-ed memory is placed in quarantine and also poisoned. Every memory access is monitored and if address is poisoned a detailed error is returned. • It Helps find use-after-free and heap,stack,global}-buffer overflow bugs in C/C++ programs. For Linux and mac OSX • Google and Mozilla both releases ASan pre built binaries for testing.
  • 13. What is Wadi? • Exploring new tributaries in browser fuzzing. • Grammars are used to describe how browsers should process web content, Wadi turns that around and uses grammars to break browsers. • Wadi already responsible for a handful of high severity bugs in browsers.
  • 14. Why Wadi? • From Chrome, to IE, Wadi identifies exploitable bugs in new and existing web APIs. • The talk introduces Wadi and walks the audience through the steps taken to go from LL(1) grammar to fuzz test cases and browser crashes
  • 15. A simple Intro to The DOM Interfaces are types of objects that allow web applications and web browsers to programmatically access and interact with them to access their members. The Document Object Model (DOM): The Document Object Model provides a standard set of objects for representing HTML and XML documents, a standard model of how these objects can be combined, and a standard interface for accessing and manipulating them. Web API: When writing code for the Web using JavaScript, there are great many APIs available. that you may be able to use developing Web applications. ex: speech, webaudio, gamepad, canvas, webgl, animation, etc..
  • 16. Wadi Architecture • Wadi is 3538 lines of code. • 2932 of these are grammar for test case generation. • Wadi works as a NodeFuzz Module and it is used to fuzz Chromium and Firefox Asan builds. • Already responsible for a number of bugs.
  • 17. What is Grammar ? Grammar in English explains how a sentence is constructed. The same can be said about Grammars in compilers it describes how the language syntax is constructed the input is parsed based on a set rules “Productions” and tokens defined in the grammar definitions. In fuzzing grammar is used to help the fuzzer generate valid test cases. w3c have provided us with a nice interface definition language(IDL) that defines browser technology interfaces this is utilized by the fuzzer to be able to create and fuzz all attributes and methods used by them.
  • 18. Grammar – IDL Interface According to the IDL definitions an interface is an object with a set of interface members these can be constants, attributes, or functions. Each interface has a unique identifier and inherits from a parent interface if needed. • LL(1) Interface Definition Grammar: "interface" identifier Inheritance "{" InterfaceMembers "}" ";“
  • 19. Grammar – IDL Interface Example • Identifier: Text • Inheritance: CharacterData interface Text : CharacterData { Text splitText(in unsigned long offset) raises(DOMException); Text replaceWholeText(in DOMString content) raises(DOMException); readonly attribute boolean isElementContentWhitespace; attribute DOMString wholeText; };
  • 20. Grammar – IDL Interface Members An interface member can be a constant, attribute or function as mentioned before. What we are interested in are the attributes and functions of an interface object. Taking a closer look at how interface members are defined in the IDL specification. • InterfaceMembers: Attributes: isElementContentWhitespace, wholeText Functions: splitText(), replaceWholeText() LL(1) Grammar Interface Member Definition: InterfaceMember → Const | AttributeOrOperation AttributeOrOperation → "stringifier" StringifierAttributeOrOperation | Attribute | Operation
  • 21. Grammar – IDL Attributes An attribute is a declared interface member with an identifier whose value can be retrieved and in some cases changed. LL(1) Grammar Attribute Definition: Attribute → Inherit ReadOnly "attribute" Type identifier ";" Attributes of Example Interface: readonly attribute boolean isElementContentWhitespace; attribute DOMString wholeText; Identifier Input Type ReadOnly isElementContentWhitespace boolean True wholeText DOMString False Example Interface Attributes:
  • 22. Grammar – IDL Functions Functions in the IDL specification is referred to as operations. A function is an interface member that defines behavior that can be invoked on objects implementing the interface. LL(1) Grammar Attribute Definition: Functions of Example Interface: Example Interface Functions: Operation → Qualifiers OperationRest OperationRest → ReturnType OptionalIdentifier "(" ArgumentList ")" ";" Text replaceWholeText(in DOMString content) Text splitText(in unsigned long offset) Identifier Number of Args Arg Identifier Arg Type Return Value replaceWholeText One content DOMString Text splitText One offset unsigned long Text
  • 23. Grammar – Fuzzing Grammar Using the gathered information we can parse the Interface objects in any given IDL to a JavaScript object containing information about the interface members to be used by the fuzzer. There are some main pieces of information gathered from the example interface mainly the interface identifier (Name), inherited parent interface, interface members (methods, attributes). For Attributes and Methods an array of arrays is created with each child array containing information about a single Attribute or method members of the respective interface. A single Attribute array will have three members: *The Attribute Identifier, *function(s) to generate the expected value type+,’readOnly flag’+ A single Method array will have three members: *The Method Identifier, *function(s) to generate method parameters and values+,’high flag’+
  • 24. Grammar – Fuzzing Grammar Contd. You can code your own functions to generate attribute values and method parameters. Or use the already available helper functions in NodeFuzz „randoms.js‟ file. The main Attributes and Methods arrays are concatenated to the parent interface object attributes and methods arrays to simulate inheritance. Example Interface as defined in the Fuzzing grammar: TextInterface = { 'Name': 'text', 'Attributes': [ ['isElementContentWhitespace',[GenerateExpectedValue()],'readonly'], ['wholeText',[ GenerateExpectedValue()+,’’+ ].concat(CharacterDataInterface.Attributes), 'Methods':[ ['replaceWholeText',[ GenerateExpectedParameters()],'high'], ['splitText',[ GenerateExpectedParameters()],'high'] ].concat(CharacterDataInterface.Methods), 'tagName':'Text', 'style':CSS2PropertiesInterface };
  • 25. Helper Functions These are some of the helper functions that are implemented in NodeFuzz „randoms.js‟ we can implement our own or tweak the ones already available to our needs these functions are used in generating attributes values, method parameters and all through the test case generation. Name Description randoms() return random number, float value or hex number rint(num) return a random number limited by parameter. ra(array) return a random element an array. arrayWalk(array) return a random element from array if it is a function execute it and retrurn the return value. if it is a string or an int return the value. string(num) return a random length string with length based on a random number limited by the input parameter. randbool() returns random Boolean. floatValue(num) return a random float value. getRandomColor() returns a random color in either hex, hsl, rgbint formats distanceValue() return a random number or float with distance suffixes like px,%,cm, etc ... retURI(num) return a random length URL returnRandomElement() returns a random element from the list of created elements and either try to reference a near by object like 'firstChild','nextSibling',etc ... or just return the element object itself.
  • 26. Fuzzing Module Wadi works on grammar created from the IDL that mapped interfaces to javascript objects using these objects to be able to generate valid JS statements into a string array. Then output an HTML document with a script containing the generated test case. The flow of the Wadi is as follows
  • 27. Test Case generation – Element Creation These are the main and first functions executed by Wadi. It generates JS statements to randomly create elements from the available HTML interfaces and inserts random child text nodes. Name Description createElement() creates a random element from the list of interfaces and saves a reference to the object both in fuzzer space and browser space createTextNode() creates random length text nodes and attach them to random elements in the DOM. mangleElements() randomly mangles element positions within the document. Wadi Output: try { HTML0=document.createElement("EMBED")} catch(e) {} try { HTML0.id="HTML0"} catch(e) {} try { createdElements['HTML0']=HTML0} catch(e) {} try { document.body.appendChild(HTML0)} catch(e) {}
  • 28. Test Case generation – Element Creation Contd. The creation functions will save a references to the created Element objects to the local fuzzer space objects array 'CreatedElements' to be able to access properties and methods of the created element. As well as save a reference to the created object to the browser space to be able to manipulate the saved references. The saved object in fuzzer space will have the following structure for the previous example: { 'objName':HTML0, 'type':'object name', 'object':Embed interface object reference };
  • 29. Test Case generation – Fuzzing Interfaces Functions Function Description fuzzWindowAttribs, randomly set the 'window' interface object attributes. fuzzWindowMethods, randomly call the 'window' interface object methods. fuzzStyle, Pick a random element and set a random style property using element.style. fuzzStyle1, pick a random style sheet with random reference to element and set random style properties using insertRule. fuzzDocumentAttribs, randomly set the 'document' interface object attributes. fuzzDocumentMethods, randomly call the 'window' interface object methods. deleteRandomKey, deletes a random refence to the created objects saved in the 'createdElements' object in browser space. fuzzPLayerMethods, if no animation player found call the createPlayer() function to create a new animation player and add reference to it in the createElements object array. if a player exist call a random method from the animation interface object. fuzzPlayerAttribs, if no animation player found call the createPlayer() function to create a new animation player and add reference to it in the createElements object array. if a player exist set a random attribute from the animation interface object. Wadi will then call the function fuzz(num) num being the number of rounds to execute fuzzer functions. Simply the fuzz() function picks a random function name from the below list and executes it and return the output JavaScript statement to our string array.
  • 30. Test Case generation – Wadi Interfaces contd. Function Description MutationObserve, creates a random mutation observer and add reference to it in the createElements object array. fuzzMutationObserve, if no mutation observer have been created, call () function if one exists call or set random method or attribute from the Mutation observer interface object. createRangeTraversal, creates a random treeWalker or nodeIterator and add reference to them in the createElements object array. fuzzRangeTraversal, if no range has been created call createRangeTraversal() function. else call or set random method or attribute from the respective NodeIterator Interface or TreeWalker Interface objects. fuzzElementsMethods, randomly set the attributes of a randomly selected element from the list of created elements. fuzzElementsAttribs, randomly call the methods of a randomly selected element from the list of created elements. addLoop, add a random loop function around js block loops are (for, while, setTimeout, setInterval) crossRef, try to set object references to a random other ex: HTML0 = HTML1.firstChild AddEvent, attach a random event to one of the created elements. creates an event object using createEvent directive and add reference to the created event object to a list for later use. dispatchEvt, randomly fires one of the created events. intfuzz return random function name for use ass callbacks for certain operations GarColl, force garbage collection.
  • 31. Test Case generation – preparing the output script • Creating Internal callbacks based on the number of function names returned by intfuzz() • Insert the element creation JS block. • Insert all other object create JS statements. • Randomly insert JS statements returned by fuzz() function.
  • 32. Sample Wadi Output <html><head><style></style></head><body></body> <script> var createdElements={} var createdElements={} function func0(arg) { try {window.addEventListener("select",func0,0)} catch(e) {} try {document.styleSheets[0].insertRule("FONT,FONT {outline-offset: initial; }",0)} catch(e) {} try {delete HTML0} catch(e) {} try {window.status=""} catch(e) {} } try { HTML0=document.createElement("FONT")} catch(e) {} try { HTML0.id="HTML0"} catch(e) {} try { createdElements['HTML0']=HTML0} catch(e) {} try { document.body.appendChild(HTML0)} catch(e) {} try { TXT0=document.createTextNode('ä¤쭅4ዽB£x ]ဒ00fcihF‰f꡴{½-嘖j蹅a2z2墯6')} catch(e) {} try { createdElements['TXT0']=TXT0} catch(e) {} try { HTML0.appendChild(TXT0)} catch(e) {} try { var EVT0= new Event("select",{"bubbles":0, "cacelable":0})} catch(e) {} try { var ni0 = document.createNodeIterator(HTML0.firstChild,32,NodeFilter.FILTER_REJECT,1); createdElements['ni0']=ni0} catch(e) {} try {TXT0.lastChild=""} catch(e) {} try {gc()} catch(e) {} try {createdElements[HTML0].style.imageRendering="pixelated"} catch(e) {} try {delete HTML0} catch(e) {} try {window.status=""} catch(e) {} </script> </html>
  • 33. Results • Using Wadi we were able to find And report 4 confirmed bugs in latest Chromium ASan. version • 2 Were Duplicates. • Issue No: 446517 Duplicate With issue 383777 • Issue No: 445772 Duplicate with Issue: 445638 • 2 were confirmed with security severity high and affecting all OS. Fixed awaiting Release and hopefully reward :D • Issue No: 445332 • Issue No: 453279
  • 38. References • http://www.w3.org/DOM/ • http://www.w3.org/TR/WebIDL/ • Fuzzing Brute Force Vulnerability Discovery: Michael Sutton, Adam Greene, Michael Pedram Amini. • Fuzzing for Software Security Testing and Quality Assurance: Ari Takanen, Jared D. Demott, Charlie Miller. • Browser bug hunting - Memoirs of a last man standing: Atte Kettunen 44con talk.
  • 39. Q&A