The document discusses various fuzzing techniques including dumb fuzzing, smart fuzzing, evolutionary fuzzing, using cyclomatic complexity as a filter, detecting implicit loops with dominator trees, performing in-memory fuzzing by mutating memory locations and restoring snapshots, and comparing code coverage of good and mutated samples to determine when halting criteria is met. The speaker hopes to convey an understanding of these ideas through pictures rather than traditional presentation elements. Questions from the audience are also discussed.

1. 0-Knowledge FuzzingVincenzoIozzovincenzo.iozzo@zynamics.com

2. DisclaimerIn this talk you won’t see all those formulas, formal definition, code snippets and bullets. From past experiences the speaker learned that all the aforementioned elements are no useful in making people understand your idea.You instead will see a lot of funny pictures which the speaker hopes will convey better the understanding of the ideas explained in the talkYou don’t want slides like this, do you?

3. Motivations

4. Questions!

5. Fuzzing

6. How it used to be

7. How it is today (aka the reason of this talk)

8. Dumb fuzzing

9. Smart Fuzzing

10. Evolutionary Based Fuzzing

11. The idea

12. The surface

13. We need a filter

14. Cyclomatic complexity

15. This one

16. Not this one

17. Original formula M = E – N + 2PNumber of edgesNumber of nodesConnected components

18. Why? Cyclomatic number M = E – N + P

19. Simplify

20. FormulaM = E – N + 2

21. Problem

22. Loop detection

23. Dominator tree

24. Dominators

25. Function

26. Dominator tree

27. Dominators

28. Implicit loops

29. REIL

30. This one…

31. …to this one

32. Is that enough?

33. Not enoughOf course not, more heuristics neededvoid*safe_strcpy(void*old_dest,void *src, intsize){void*dst = realloc(old_dest, size +1); strncpy(dst, src, size); returndst;}

34. Add your ownFor static analysis we use

35. DEMO

36. Questions!

37. Data Tainting

38. ExampleTaint SourceTaint markmovl0x4[eax], ebx

39. Dytan

40. PIN

41. Taint sources

42. Markings granularity

43. Propagation add eax, ebx, edx

44. Output Registers Memory locations

45. DEMO

46. Questions!

47. In-memory fuzzing

48. Exampleesi= 0x30f064 Original loc esi= 0x30f0A4 Fuzzed loc rep movs

49. Why?

50. Problems

51. Expertise and patience

52. Memory instability

53. False positives

54. False negatives

55. Mutation loop insertion

56. Snapshot mutation restoration

57. What do we do?Hook imageHook functionsHook instructionsHook

58. First approach

59. For instance…30f064-30f068 0x8a Y 0x00 KABCD

60. Second approach

61. Example30f064-30f06830f084-30f0980x89 K D F 0x960x00 J K U Y W 0xA70xB8 0x00 0x10 A T N0x00 0xD3ABCD

62. Code coverage

63. ScoreBBexecuted/BBtotalBasic Blocks executedTotal Basic Blocks

64. HaltingCevil = Cgood + tCode coverage evil sampleCode coverage good sampleUser-supplied threshold

65. How??Good sampleEvil sampleCompareScore Score

66. What do we use?Code coverageFaults monitor

67. DEMO

68. Future – A reasoner

69. Thanks

70. Questions!

71. More Infoviozzo.wordpress.com @_snaggvincenzo.iozzo@zynamics.com