Although this was a homework presentation reviewing the title paper for a Ph.D. course, it covers the concepts of fuzzing, taint analysis and symbolic execution at a beginner level.
A guided fuzzing approach for security testing of network protocol software
1. A Guided Fuzzing Approach for Security Testing of Network Protocol Software
Hyunseok, Ji
(binishack3r@gmail.com)
2. About
How to find a bug in network protocol software using fuzzing and taint analysis?
Presenting "A guided fuzzing approach"
✓ Based on fuzzing
✓ Based on taint analysis to identify the sensitive input area
✓ Hackers usually use the same method to find bugs in many kinds of software
( 2 / 24 )
3. Introduction
• Software vulnerability
  • NIST defines "vulnerability" as follows:
    "A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy."
    (https://en.wikipedia.org/wiki/Vulnerability_(computing))
  • The root cause of network security issues
• Software security testing
  • Checking whether the software is secure or not
  • To see if the software is vulnerable to attacks
  • Fuzzing is an effective dynamic software security testing method
• What is fuzzing?
  • Generating malformed inputs → testcases (packets)
  • Feeding testcases to the target software → sending packets
  • Monitoring the operational status of the target software → crash? hang? exploitability?
• Dynamic taint analysis
  • To identify the security sensitive functions of the target software affected by testcases
  • buffer overflow → strcpy(), strcat(), sprintf(), vsprintf(), ...
• Mutation to trigger potential vulnerabilities is the key idea!
4. Network Protocol Fuzzing
• Fuzzing categories
  • File format: media codecs (audio, video, ...), compression (zip, tar, ...), databases (SQLite), HWP, PDF, ...
  • Network protocol: HTTP, RPC, SMTP, MIME, FTP, ...
  • Browser: Chrome, JavaScript engine, ...
  • OS kernel: system call, bitmap, IOCTL, ...
• Fuzzing phases (flowchart on the slide)
  Start → Identify the target and input vectors → Generate fuzzed data → Run target software → Monitor: crash?
  ✓ Yes! → Log dumps (stack, call stack, regs, instruction) → Analyze the logs:
    - DoS (denial of service)
    - Hang
    - Exploitability: buffer/heap overflow, integer overflow/underflow, use after free, ...
    then generate new fuzzed data and repeat
  ✓ No → Kill the process and generate new fuzzed data, then run the target again
• Fuzzing tools
  • PROTOS, SPIKE, SNOOZE, Sulley, AutoFuzz, ...
5. Network Protocol Fuzzing Example
• Target is FTP (File Transfer Protocol)
  • Binds the well-known port 21 (TCP)
  • Commands are standardized in RFC 959 by the IETF
  • USER, PASS, LIST, PWD, RETR, QUIT, ...
• Packet layout: {cmd} {userid} {rn}, i.e. Command, Data, CRLF
  Seed input:
    USER binish\r\n
  Fuzzed data inputs:
    USER AAAAAAAAAAAAAAAAA....AAAAAAAAAAAAAAA\r\n   (overflow)
    USER %8x%8x%8x%8x%8xAAAAAAAAA\r\n                 (format string bug)
    USER 0xFFFFFFFF\r\n                              (integer overflow)
    USER NULL\r\n                                    (null pointer dereference)
    USER 0x80000000\r\n                              (integer overflow)
    USER %0d%0a\r\n                                  (line feed)
Reference: https://github.com/fuzzdb-project/fuzzdb
6. Taint analysis
• What is taint?
  • Treating user inputs (files, network packets, ...) as taint sources!
• Tracking the spread of taint sources during program execution
• Example with the seed input USER binish\r\n: "USER" is the fixed command, "binish" is the user input data (taint!), followed by CRLF. The tainted bytes are tracked as they propagate through the program.
12. Key idea
• SwordDTA_NT
  • Taint analysis to find packets affecting security sensitive functions
    • Buffer overflow (strcpy, strcat, sprintf, vsprintf, ...)
    • Integer overflow (malloc, calloc, realloc, ...)
• A guided fuzzing
  • Generate testcases using taint information
• Example: seed input USER binish\r\n (Command, Data, CRLF). The data bytes are tainted and tracked until they reach a sensitive function at the current instruction, e.g. strcpy(buffer, taint). The taint record looks like:
  Taint (Unique ID: TEST01)
  -----------------------------------------------
  • Address: 0x12121212-0x12121218 ('binish')
  From this record, new fuzzed data is generated for an overflow:
  USER AAAAAAAAAAAAAAAAA....AAAAAAAAAAAAAAA\r\n   (overflow)
13. Key idea (Con't)
The generated testcase (USER AAAAAAAAAAAAAAAAA....AAAAAAAAAAAAAAA\r\n, overflow) goes through the same loop as the fuzzing phases on slide 4: generate fuzzed data → run target software → monitor: crash? If yes, take log dumps (stack, call stack, regs, instruction) and analyze them for DoS (denial of service), hang and exploitability (buffer/heap overflow, integer overflow/underflow, use after free); if no, kill the process and generate new fuzzed data.
Log dumps look like:
  EIP: 0x41414141
  41414141 ?? ???
  Stack:
  41414141 41414141 41414141 41414141 AAAA AAAA AAAA AAAA
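The taint-guided generation sketched on slides 5, 12 and 13, written out as an added example (this is not SwordDTA_NT's code, which works on binaries through Pin). It assumes the tool reports, per seed packet, which byte span reached which sensitive function; the seed, the taint record format and the 10-byte buffer budget are constructed from the slides.

```python
import re

# Constructed seed packet and taint record modelled on slides 5 and 12: the
# 6 bytes 'binish' at offset 5 reached strcpy(). The record format is an
# assumption, not the tool's real output.
SEED = b"USER binish\r\n"
TAINT = {"id": "TEST01", "offset": 5, "length": 6, "sink": "strcpy"}

# Mutation families chosen by the class of sink the tainted bytes flow into
# (the overflow / format string / integer cases listed on slide 5).
MUTATIONS = {
    "strcpy":  [b"A" * n for n in (16, 256, 1024, 4096)],   # overflow
    "sprintf": [b"%8x" * 5 + b"A" * 9, b"%s" * 8],            # format string bug
    "malloc":  [b"0xFFFFFFFF", b"0x80000000", b"-1", b"0"],   # integer overflow
}
GENERIC = [b"NULL", b"", b"%0d%0a"]   # slide 5's remaining cases (null, empty, line feed)

def generate_testcases(seed, taint):
    """Mutate only the tainted span; the untainted command token and CRLF stay intact,
    which is what makes the generation 'guided' rather than blind."""
    start, end = taint["offset"], taint["offset"] + taint["length"]
    payloads = MUTATIONS.get(taint["sink"], []) + GENERIC
    return [seed[:start] + p + seed[end:] for p in payloads]

# Minimal shape of an FTP command line (RFC 959): 3-4 letter verb, space, argument, CRLF.
FTP_LINE = re.compile(rb"^[A-Z]{3,4} [^\r\n]*\r\n$")

def survives_parser(testcase):
    """A testcase that breaks the framing is rejected by the server's command parser
    before the tainted bytes ever reach the sink, so it is wasted."""
    return FTP_LINE.match(testcase) is not None

def hits_sink_budget(testcase, seed, taint, buf_size=10):
    """Slide 15: the destination stack buffer is only 10 bytes. Flag testcases whose
    payload is longer than that; the monitor still has to confirm a real crash."""
    payload_len = len(testcase) - (len(seed) - taint["length"])
    return payload_len > buf_size
```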
14. Key idea (Con't)
• Concept architecture of the proposed approach
• How to implement SwordDTA_NT?
  • Pin tool
    • A dynamic binary instrumentation framework for IA-32/x86-64 by Intel
Reference: https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool
15. Preliminary experimental results
• The slide shows part of the server's source code: the tainted input reaches a security sensitive function whose destination stack buffer is only 10 bytes (small size).
16. Limitation
• Ineffective if the target software employs a "checksum" to verify the integrity of inputs!
  • CRC (Cyclic Redundancy Checks), Adler-32, MD5, ...
• Key reference: "TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection"
• Example fuzzed data input for a file format with the fields FileSize, Width, Height, Data, CRLF and Checksum:
  FileSize 0x80, Width 0xFFFF, Height 0x100, Data AAAAAAAAAAAAAA..AAAAAAAAAA, CRLF (\r\n), Checksum 0x7E12
  The target recomputes the checksum from filesize, width, height and data, then at the current instruction:
  if(chksum_in_file != recomputed_chksum) error();
  The mutated data no longer matches the stored checksum, so the process is terminated and the bug behind the check is never reached.
17. Limitation (Con't)
• Identify "Hot Bytes Info"
  • Affect the input values used in security sensitive operations
• Checksum detector generates a bypass rule
• The check at the current instruction, if(chksum_in_file != recomputed_chksum) error(); (checksum recomputed from filesize, width, height and data), is what terminates the process before the bug.
18. Limitation (Con't)
• Identify "Hot Bytes Info"
  • Affect the input values used in security sensitive operations
• Checksum detector generates a bypass rule
• With the bypass rule applied, the comparison at the current instruction is inverted:
  if(chksum_in_file == recomputed_chksum) error();
  so fuzzed inputs with a stale checksum pass the check instead of terminating the process, and the bug is reached.
  Yeah! Bug bounty :) Time to make money!
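The checksum limitation of slides 16 to 18, as an added example (not code from the paper or from TaintScope). The field encodings are assumptions, since the slide shows only the values: big-endian u32 FileSize, u16 Width, u16 Height, and Adler-32 (named on slide 16) over everything before the checksum field. Alongside slide 18's bypass rule (inverting the comparison in the target), it shows the other checksum-aware option for a test harness: recomputing the checksum field of the mutated testcase so that it passes the unmodified check.

```python
import struct
import zlib

# Constructed layout from slide 16: FileSize | Width | Height | Data | CRLF | Checksum.
# Assumed encoding: >I FileSize, >H Width, >H Height, then Data, b"\r\n", >I Adler-32.
HEADER = struct.Struct(">IHH")

def build(width, height, data):
    """Produce a well-formed input with a correct checksum (the fuzzer's seed)."""
    body = HEADER.pack(len(data), width, height) + data + b"\r\n"
    return body + struct.pack(">I", zlib.adler32(body))

def parse(blob):
    """Toy target: the check from slide 16 guards the code that uses the fields."""
    body, stored = blob[:-4], struct.unpack(">I", blob[-4:])[0]
    if stored != zlib.adler32(body):   # if(chksum_in_file != recomputed_chksum) error();
        return "error"                 # process terminated; nothing below is reached
    size, width, height = HEADER.unpack_from(body)
    data = body[HEADER.size:HEADER.size + size]
    # Placeholder for the slide's 'Bug!' location: the code that trusts the fields.
    return ("sink", width, height, len(data))

def mutate_data_blind(blob, fill=b"A"):
    """Plain fuzzer: overwrite Data with 'A's and leave the checksum field untouched,
    which is exactly the input slide 16 shows being rejected."""
    size = HEADER.unpack_from(blob)[0]
    return blob[:HEADER.size] + fill * size + blob[HEADER.size + size:]

def fix_checksum(blob):
    """Checksum-aware step: recompute the field over the mutated body so the testcase
    passes the check without patching the target's comparison."""
    body = blob[:-4]
    return body + struct.pack(">I", zlib.adler32(body))

# Seed built from slide 16's values: FileSize 0x80, Width 0xFFFF, Height 0x100 (constructed data).
SEED = build(0xFFFF, 0x100, bytes(range(0x80)))
```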
19. Limitation (Con't)
• Code coverage
• Solutions
  • Symbolic execution, concolic execution, ...
• Example program (flowchart on the slide): x = input(), followed by the branches if x > 42, if x * x == 2500 and if x < 100. The Bug! node is reached only through the True branches of x > 42 and x * x == 2500; the other branches lead to END.
20-23. Limitation (Con't)
The same flowchart, annotated step by step with the path constraint that symbolic execution collects along the path to the bug:
  • x = input(): x can be anything
  • after the True branch of if x > 42: x > 42
  • after the True branch of if x * x == 2500: (x > 42) and (x*x == 2500)
  • an SMT (Satisfiability Modulo Theory) solver solves this constraint: x = 50
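The path-constraint idea of slides 19 to 23, carried through as an added example (not code from the deck or from any of the tools it names). The control flow of the toy program is assumed from the diagram, and the bounded enumeration in solve() is a toy stand-in for the SMT solver; a real engine would hand the same conjunction to Z3. It also contrasts the result with blind random fuzzing, which almost never hits x = 50.

```python
import random

# Branch predicates of the slide's toy program, kept as lambdas so the toy solver
# can evaluate them on candidate inputs.
PREDICATES = {
    "x > 42":      lambda x: x > 42,
    "x*x == 2500": lambda x: x * x == 2500,
    "x < 100":     lambda x: x < 100,
}

def run_traced(x):
    """Run the program on concrete x, recording (predicate, outcome) per branch.
    Assumed flow: the bug sits behind the True branches of x > 42 and x*x == 2500."""
    trace = []
    def branch(name):
        taken = PREDICATES[name](x)
        trace.append((name, taken))
        return taken
    if branch("x > 42"):
        if branch("x*x == 2500"):
            return "Bug!", trace
    elif branch("x < 100"):
        return "END", trace
    return "END", trace

def solve(path, lo=-(1 << 15), hi=1 << 15):
    """Toy SMT stand-in: find an x satisfying every (predicate, wanted) pair by
    bounded enumeration. Z3 would answer the same conjunction symbolically."""
    for x in range(lo, hi):
        if all(PREDICATES[name](x) == wanted for name, wanted in path):
            return x
    return None

def concolic_explore(seed=0):
    """SAGE-style exploration: run a concrete input, then negate one recorded branch
    at a time and ask the solver for an input that takes the other side."""
    worklist, seen, results = [seed], set(), {}
    while worklist:
        x = worklist.pop()
        outcome, trace = run_traced(x)
        results[x] = outcome
        if tuple(trace) in seen:
            continue
        seen.add(tuple(trace))
        for i in range(len(trace)):
            flipped = trace[:i] + [(trace[i][0], not trace[i][1])]
            new_x = solve(flipped)
            if new_x is not None and new_x not in results:
                worklist.append(new_x)
    return results

def random_fuzz(tries=100000, seed=1):
    """Blind fuzzing for comparison: how many random 32-bit inputs reach the bug."""
    rng = random.Random(seed)
    return sum(run_traced(rng.randint(-(1 << 31), (1 << 31) - 1))[0] == "Bug!"
               for _ in range(tries))
```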
24. Conclusion
• SwordDTA_NT
  • Taint analysis: to identify the network packets affecting the security sensitive functions in the target software
  • Fuzzing: to generate fuzzed data to trigger those vulnerabilities
• Limitation
  • Checksum-aware → TaintScope
  • Code coverage → Symbolic execution
• Good software security testing methods
  • Fuzzing: American fuzzy lop (http://lcamtuf.coredump.cx/afl/)
  • SMT Solver: Z3 by Microsoft (https://github.com/Z3Prover/z3)
  • And CGC (Cyber Grand Challenge)
    • The world's first all-machine cyber hacking tournament
    • On August 4, 2016 in Las Vegas
    • (https://www.darpa.mil/program/cyber-grand-challenge)
26. Reference
• [1] T. Wang, T. Wei, G. Gu, W. Zou, "TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection" (key reference), http://faculty.cs.tamu.edu/guofei/paper/TaintScope-Oakland10.pdf
• [2] P. Godefroid, M.Y. Levin, D. Molnar, "SAGE: whitebox fuzzing for security testing", https://patricegodefroid.github.io/public_psfiles/ndss2008.pdf