A Guided Fuzzing Approach for Security Testing of Network Protocol Software
Hyunseok, Ji (binishack3r@gmail.com)
About ( 2 / 24 )
How to find a bug in network protocol software using fuzzing and taint analysis?
Presenting “A guided fuzzing approach”
✓ Based on fuzzing
✓ Based on taint analysis to identify the sensitive input area
✓ Hackers usually use the same method to find bugs in lots of software
Introduction ( 3 / 24 )
• Software vulnerability
  • NIST defines “vulnerability” as follows:
    “A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.”
    https://en.wikipedia.org/wiki/Vulnerability_(computing)
  • The root cause of network security issues
• Software security testing
  • Checking whether the software is secure or not
  • To see if the software is vulnerable to attacks
  • Fuzzing is an effective dynamic software security testing method
• What is fuzzing?
  • Generating malformed inputs → testcases (packets)
  • Feeding testcases to the target software → sending packets
  • Monitoring the operational status of the target software → crash? hang? exploitability?
• Dynamic taint analysis
  • Identifies the security-sensitive functions of the target software that are affected by the testcases
  • e.g. buffer overflow → strcpy(), strcat(), sprintf(), vsprintf(), ...
• Mutation to trigger potential vulnerabilities is the key idea!
Network Protocol Fuzzing ( 4 / 24 )
• Fuzzing categories
  • File format: media codecs (audio, video, ...), compression (zip, tar, ...), databases (SQLite), HWP, PDF, ...
  • Network protocol: HTTP, RPC, SMTP, MIME, FTP, ...
  • Browser: Chrome, JavaScript engine, ...
  • OS kernel: system call, bitmap, IOCTL, ...
• Fuzzing phases (flowchart on the slide)
  1. Start: identify the target and input vectors
  2. Generate fuzzed data
  3. Run target software
  4. Monitor: crash?
     • No → kill the process and generate new fuzzed data (back to step 2)
     • Yes! → log dumps (✓ stack ✓ call stack ✓ regs ✓ instruction) → analyze the logs (✓ DoS (denial of service) ✓ hang ✓ exploitability: buffer/heap overflow, integer overflow/underflow, use after free, ...) → generate new fuzzed data
• Fuzzing tools
  • PROTOS, SPIKE, SNOOZE, Sulley, AutoFuzz, ...
Network Protocol Fuzzing Example ( 5 / 24 )
• Target is FTP (File Transfer Protocol)
  • Binds well-known port 21 (TCP)
  • Commands are standardized in RFC 959 by the IETF
  • USER, PASS, LIST, PWD, RETR, QUIT, ...

Input template: {cmd} {userid} {\r\n}   (Command | Data | CRLF)

Seed input:        USER binish \r\n
Fuzzed data input: USER AAAAAAAAAAAAAAAAA....AAAAAAAAAAAAAAA \r\n   (Overflow)
Fuzzed data input: USER %8x%8x%8x%8x%8xAAAAAAAAA \r\n              (Format string bug)
Fuzzed data input: USER 0xFFFFFFFF \r\n                            (Integer overflow)
Fuzzed data input: USER NULL \r\n                                  (Null pointer dereference)
Fuzzed data input: USER 0x80000000 \r\n                            (Integer overflow)
Fuzzed data input: USER %0d%0a \r\n                                (Line feed)

Reference: https://github.com/fuzzdb-project/fuzzdb
Taint analysis ( 6 / 24 )
• What is taint?
  • Treat user inputs (files, network packets, ...) as taint sources!
• Tracking the spread of taint sources during program execution

Seed input: USER binish \r\n   (fixed command | user input data | CRLF)
The user input data field (“binish”) is the taint; it is tracked as it spreads through the program.
Taint analysis (Con’t) ( 7-11 / 24 )
• Taint propagation
  • Data replication operations: mov, push, pop
  • Arithmetic operations and bit manipulation: add, sub, and, shl
  • Clear operations: xor eax, eax // sub eax, eax

Worked trace (the slides draw the taint record as a bitmap over the tainted bytes, with bit offsets 0, 8, 16, 24, 32, 40, 48, 56, 64 marked):

Taint (Unique ID: TEST01)
--------------------------------------
• Address: 0x12121212-0x12121227
  bitmap: 00000000 00111111 11111111 01010011 11111111 11111111 11111111 11111111

mov eax, word [0x12121212]
→ memory 0x12121212 is tainted, so register EAX becomes tainted:

Taint (Unique ID: TEST01)
--------------------------------------
• Address: 0x12121212-0x12121227
• Register: EAX

mov byte [0x1212122A], byte [0x12121212]
→ memory 0x12121212 is tainted! The destination 0x1212122A is now tainted as well:

Taint (Unique ID: TEST01)
--------------------------------------
• Address: 0x12121212-0x12121227
• Address: 0x1212122A-0x12121231
• Register: EAX
  bitmap: 00000000 00111111 11111111 11111111 11111111 11111111 11111111 11111111
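As an added example (not code from the slides or from SwordDTA_NT), the following toy tracker applies the three propagation rules above to the slide's own instruction trace, extended with a few constructed instructions that exercise push/pop, arithmetic and the clear idiom. Byte-granular memory taint, register taint and the instruction syntax are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Any, List, Set, Tuple

# Operand: ("reg", name, 4) | ("mem", address, size_in_bytes) | ("imm", value, 0)
Operand = Tuple[str, Any, int]
MEM_RE = re.compile(r"(?:(byte|word|dword)\s+)?\[\s*(0x[0-9a-fA-F]+)\s*\]")
SIZES = {"byte": 1, "word": 2, "dword": 4, None: 4}


def parse_operand(text: str) -> Operand:
    text = text.strip()
    m = MEM_RE.fullmatch(text)
    if m:
        return ("mem", int(m.group(2), 16), SIZES[m.group(1)])
    if re.fullmatch(r"-?\d+|0x[0-9a-fA-F]+", text):
        return ("imm", int(text, 0), 0)
    return ("reg", text.lower(), 4)


@dataclass
class TaintState:
    mem: Set[int] = field(default_factory=set)        # tainted byte addresses
    regs: Set[str] = field(default_factory=set)       # tainted registers
    stack: List[bool] = field(default_factory=list)   # taint of pushed values, top last

    def taint_range(self, lo: int, hi: int) -> None:
        """Mark lo..hi (inclusive, like the slide's 0x12121212-0x12121227) as taint source."""
        self.mem.update(range(lo, hi + 1))

    def is_tainted(self, op: Operand) -> bool:
        kind, val, size = op
        if kind == "reg":
            return val in self.regs
        if kind == "mem":   # a memory operand is tainted if any of its bytes is
            return any(a in self.mem for a in range(val, val + size))
        return False        # immediates are never tainted

    def set_taint(self, op: Operand, tainted: bool) -> None:
        kind, val, size = op
        targets = {val} if kind == "reg" else set(range(val, val + size))
        store = self.regs if kind == "reg" else self.mem
        (store.update if tainted else store.difference_update)(targets)

    def step(self, insn: str) -> None:
        mnemonic, _, rest = insn.partition(" ")
        m = mnemonic.lower()
        ops = [parse_operand(o) for o in rest.split(",")] if rest.strip() else []
        if m == "mov":                      # data replication: dst inherits src taint
            self.set_taint(ops[0], self.is_tainted(ops[1]))
        elif m == "push":
            self.stack.append(self.is_tainted(ops[0]))
        elif m == "pop":
            self.set_taint(ops[0], self.stack.pop())
        elif m in ("xor", "sub") and ops[0] == ops[1] and ops[0][0] == "reg":
            self.set_taint(ops[0], False)   # clear idiom: xor eax, eax / sub eax, eax
        elif m in ("add", "sub", "and", "or", "xor", "shl", "shr"):
            # arithmetic / bit manipulation: dst stays tainted or becomes tainted via src
            self.set_taint(ops[0], self.is_tainted(ops[0]) or self.is_tainted(ops[1]))
        else:
            raise ValueError(f"unsupported instruction: {insn}")

    def mem_ranges(self) -> List[Tuple[int, int]]:
        """Collapse tainted addresses into inclusive ranges for the report."""
        out: List[List[int]] = []
        for a in sorted(self.mem):
            if out and out[-1][1] == a - 1:
                out[-1][1] = a
            else:
                out.append([a, a])
        return [(lo, hi) for lo, hi in out]

    def report(self, uid: str = "TEST01") -> str:
        lines = [f"Taint (Unique ID: {uid})", "-" * 38]
        lines += [f"• Address: 0x{lo:08X}-0x{hi:08X}" for lo, hi in self.mem_ranges()]
        lines += [f"• Register: {r.upper()}" for r in sorted(self.regs)]
        return "\n".join(lines)


def run_trace(trace: List[str], source: Tuple[int, int] = (0x12121212, 0x12121227)) -> TaintState:
    state = TaintState()
    state.taint_range(*source)   # the received packet bytes are the taint source
    for insn in trace:
        state.step(insn)
    return state


# Constructed trace: the two instructions from the slides plus a few more.
SLIDE_TRACE = [
    "mov eax, word [0x12121212]",                # EAX <- tainted memory
    "mov byte [0x1212122A], byte [0x12121212]",  # tainted byte copied to 0x1212122A
    "push eax",                                  # taint travels through the stack...
    "xor eax, eax",                              # ...EAX itself is cleared
    "pop ebx",                                   # ...and reappears in EBX
    "add ecx, ebx",                              # ECX now depends on tainted data
    "mov dword [0x20000000], ecx",               # and so does this 4-byte store
    "mov eax, 7",                                # immediate: EAX stays clean
]

if __name__ == "__main__":
    print(run_trace(SLIDE_TRACE).report())
```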
Key idea ( 12 / 24 )
• SwordDTA_NT
  • Taint analysis to find packets affecting security-sensitive functions
    • Buffer overflow (strcpy, strcat, sprintf, vsprintf, ...)
    • Integer overflow (malloc, calloc, realloc, ...)
• A guided fuzzing
  • Generate testcases using taint information

Seed input: USER binish \r\n   (Command | Data | CRLF); the Data field is the taint!
Tracking reaches the current instruction: strcpy(buffer, taint)
Taint (Unique ID: TEST01)
-----------------------------------------------
• Address: 0x12121212-0x12121218 (‘binish’)
→ New fuzzed data generation for overflow!
Fuzzed data input: USER AAAAAAAAAAAAAAAAA....AAAAAAAAAAAAAAA \r\n   (Overflow)
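Added example (not the slides' or SwordDTA_NT's code) covering both the fuzzdb-style testcase list on the FTP example slide and the guided generation above: a blind generator that throws every payload class at every field, beside a guided one that reads a taint hit (which sink consumed which received bytes) and mutates only that field with payloads matching the sink. The packet template, the payload lists, the sink-to-payload mapping and the receive-buffer base address are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List

CRLF = b"\r\n"

# Payload classes named after the bug classes on the slides (fuzzdb-style values).
PAYLOADS: Dict[str, List[bytes]] = {
    "overflow": [b"A" * n for n in (64, 256, 1024, 4096)],
    "format":   [b"%8x" * 5 + b"A" * 9, b"%s" * 8],
    "integer":  [b"0xFFFFFFFF", b"0x80000000", b"-1", b"4294967295"],
    "nullptr":  [b"NULL"],
    "linefeed": [b"%0d%0a", b"\r\n"],
}
# Which payload classes make sense for a given security-sensitive sink (assumed mapping).
SINK_CLASSES: Dict[str, List[str]] = {
    "strcpy": ["overflow"], "strcat": ["overflow"],
    "sprintf": ["overflow", "format"], "vsprintf": ["overflow", "format"],
    "malloc": ["integer"], "calloc": ["integer"], "realloc": ["integer"],
}


@dataclass(frozen=True)
class Packet:
    """One FTP command line: {cmd} {data}{CRLF}."""
    cmd: bytes
    data: bytes

    def encode(self) -> bytes:
        return self.cmd + b" " + self.data + CRLF

    def field_at(self, offset: int) -> str:
        """Template field owning a wire-byte offset: 'cmd', 'sep', 'data' or 'crlf'."""
        if offset < len(self.cmd):
            return "cmd"
        if offset == len(self.cmd):
            return "sep"
        return "data" if offset < len(self.cmd) + 1 + len(self.data) else "crlf"


@dataclass(frozen=True)
class TaintHit:
    """A taint-tracker finding: sink consumed memory addr_lo..addr_hi (inclusive)."""
    sink: str
    addr_lo: int
    addr_hi: int


def blind_testcases(seed: Packet) -> List[bytes]:
    """Unguided fuzzing: every payload class into every field."""
    cases = []
    for payloads in PAYLOADS.values():
        for p in payloads:
            cases.append(Packet(p, seed.data).encode())
            cases.append(Packet(seed.cmd, p).encode())
    return cases


def guided_testcases(seed: Packet, hits: List[TaintHit], recv_base: int) -> List[bytes]:
    """Guided fuzzing: mutate only the field whose bytes reached a sink, with that sink's payloads.
    recv_base is where the seed packet was received, so packet offset = address - recv_base."""
    cases: List[bytes] = []
    wire_len = len(seed.encode())
    for hit in hits:
        lo, hi = hit.addr_lo - recv_base, hit.addr_hi - recv_base
        if lo < 0 or hi >= wire_len or hi < lo:
            continue  # the sink consumed bytes that are not part of this packet
        fields = {seed.field_at(o) for o in range(lo, hi + 1)} & {"cmd", "data"}
        for cls in SINK_CLASSES.get(hit.sink, []):
            for p in PAYLOADS[cls]:
                for fld in sorted(fields):
                    pkt = Packet(p, seed.data) if fld == "cmd" else Packet(seed.cmd, p)
                    if pkt.encode() not in cases:
                        cases.append(pkt.encode())
    return cases


def eip_controlled(log_dump: str, fill: bytes = b"A") -> bool:
    """Log-analysis step: is EIP made up entirely of the fill byte (e.g. 0x41414141)?"""
    for line in log_dump.splitlines():
        if line.startswith("EIP:"):
            eip = int(line.split(":", 1)[1].strip(), 16)
            return eip.to_bytes(4, "little") == fill * 4
    return False


if __name__ == "__main__":
    seed = Packet(b"USER", b"binish")
    # Constructed taint report: strcpy() consumed the 6 bytes of "binish" at recv_base + 5.
    hits = [TaintHit("strcpy", 0x12121217, 0x1212121C)]
    for tc in guided_testcases(seed, hits, recv_base=0x12121212):
        print(tc[:24], "...", len(tc), "bytes")
```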
Key idea (Con’t) ( 13 / 24 )
The fuzzed data input USER AAAAAAAAAAAAAAAAA....AAAAAAAAAAAAAAA \r\n (Overflow) goes through the fuzzing loop: generate fuzzed data → run target software → monitor: crash?
• No → kill the process and generate new fuzzed data
• Yes! → log dumps (✓ stack ✓ call stack ✓ regs ✓ instruction) → analyze the logs (✓ DoS (denial of service) ✓ hang ✓ exploitability: buffer/heap overflow, integer overflow/underflow, use after free)
Log dumps look like:
EIP: 0x41414141
41414141 ?? ???
Stack:
41414141 41414141 41414141 41414141 AAAA AAAA AAAA AAAA
Key idea (Con’t) ( 14 / 24 )
• Concept architecture of the proposed approach (diagram on the slide)
• How to implement SwordDTA_NT?
  • Pin tool
    • A dynamic binary instrumentation framework for IA-32/x86-64 by Intel
Reference: https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool
Preliminary experimental results ( 15 / 24 )
Annotated screenshot of part of the server’s source code: the taint reaches a security-sensitive function whose destination is a stack buffer of only 10 bytes (small size).
Limitation ( 16 / 24 )
• Ineffective if the target software employs a “checksum” to verify the integrity of inputs!
  • CRC (cyclic redundancy check), Adler-32, MD5, ...
  • Key reference: “TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection”

Fuzzed data input fields: FileSize = 0x80, Width = 0xFFFF, Height = 0x100, Data = AAAAAAAAAAAAAA..AAAAAAAAAA, Checksum = 0x7E12, CRLF = \r\n
current instruction: if(chksum_in_file != recomputed_chksum) error();
  (recompute checksum with filesize, width, height and data)
→ the mutated input fails the check, the process is terminated, and the bug is never reached

Limitation (Con’t) ( 17 / 24 )
• Identify “Hot Bytes Info”
  • The input bytes that affect the values used in security-sensitive operations
• Checksum detector generates a bypass rule

Limitation (Con’t) ( 18 / 24 )
current instruction: if(chksum_in_file == recomputed_chksum) error();
  (the bypass rule inverts the checksum check; recompute checksum with filesize, width, height and data)
→ the process now runs past the check and reaches the bug!
Yeah! Bug bounty :)
Time to make money!
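Added example (not from the slides or TaintScope): a model of a checksum-protected record with the fields named above and a fixed 10-byte destination buffer, run three ways: a blind mutation that dies at the checksum check, the same input with the check disabled as a checksum bypass rule would do, and the repaired reproducer whose checksum was recomputed so it passes the real check. The byte layout, the CRC-32-truncated-to-16-bits checksum and the result dictionary are assumptions of this example.

```python
import struct
import zlib
from typing import Any, Dict

DEST_BUF = 10   # the server's fixed-size destination buffer from the results slide

# Constructed record layout (stands in for the slide's FileSize/Width/Height/Data/Checksum):
#   size(1) | width(2, BE) | height(2, BE) | data(size) | checksum(2, BE) | CRLF


def checksum(header_and_data: bytes) -> int:
    """16-bit truncation of CRC-32 over filesize, width, height and data."""
    return zlib.crc32(header_and_data) & 0xFFFF


def pack(width: int, height: int, data: bytes) -> bytes:
    body = struct.pack(">BHH", len(data), width, height) + data
    return body + struct.pack(">H", checksum(body)) + b"\r\n"


def process(record: bytes, enforce_checksum: bool = True) -> Dict[str, Any]:
    """Model of the target's parsing path; returns what the fuzzer's monitor would observe."""
    result: Dict[str, Any] = {"checksum_ok": False, "sink_reached": False,
                              "overflow": False, "error": None}
    if len(record) < 9 or not record.endswith(b"\r\n"):
        result["error"] = "truncated"
        return result
    size, width, height = struct.unpack(">BHH", record[:5])
    data = record[5:5 + size]
    if len(data) != size or len(record) != 5 + size + 4:
        result["error"] = "bad length"
        return result
    chk_in_file = struct.unpack(">H", record[5 + size:7 + size])[0]
    result["checksum_ok"] = chk_in_file == checksum(record[:5 + size])
    if enforce_checksum and not result["checksum_ok"]:
        result["error"] = "checksum mismatch"   # error(): the process is terminated here
        return result
    # Security-sensitive operation: data is copied into a DEST_BUF-byte stack buffer.
    result["sink_reached"] = True
    result["overflow"] = len(data) > DEST_BUF
    return result


def mutate_data(record: bytes, payload: bytes) -> bytes:
    """Blind mutation: swap the data field (and size byte) but leave the checksum as found."""
    size = record[0]
    tail = record[5 + size:]                       # old checksum + CRLF, untouched
    return struct.pack(">B", len(payload)) + record[1:5] + payload + tail


def fix_checksum(record: bytes) -> bytes:
    """Checksum-aware repair: recompute the checksum field for the mutated record."""
    size = record[0]
    body = record[:5 + size]
    return body + struct.pack(">H", checksum(body)) + b"\r\n"


def campaign(seed: bytes, payload: bytes) -> Dict[str, Dict[str, Any]]:
    blind = mutate_data(seed, payload)
    return {
        "blind": process(blind),                                # rejected at the check
        "bypass_rule": process(blind, enforce_checksum=False),  # check disabled during fuzzing
        "repaired": process(fix_checksum(blind)),               # reproducer passes the real check
    }


if __name__ == "__main__":
    seed = pack(0xFFFF, 0x100, b"binish")   # constructed seed with the slide's width/height
    for mode, res in campaign(seed, b"A" * 0x80).items():
        print(f"{mode:12s} {res}")
```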
Limitation (Con’t) ( 19-23 / 24 )
• Code coverage
  • Solutions: symbolic execution, concolic execution, ...

Example program (flowchart on the slides; a False branch leads to END):
x = input()              path constraint: x can be anything
if x > 42                True → path constraint: x > 42
if x * x == 2500         True → path constraint: (x > 42) and (x*x == 2500)
if x < 100               True → Bug!
An SMT (Satisfiability Modulo Theories) solver solves the path constraint and yields x = 50, which reaches the bug.
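Added example (not from the slides): a miniature concolic loop over the three-branch program above. Each concrete run records the path constraint, the last branch is flipped, and a solver is asked for an input that reaches the new path, until the bug is hit. The solver here is a bounded search over 0..2^16 that stands in for an SMT solver such as Z3; the branch list and the constraint text format are assumptions of this example.

```python
from typing import Callable, List, Optional, Tuple

Branch = Tuple[str, Callable[[int], bool]]
# The three branches of the flowchart program, in execution order.
BRANCHES: List[Branch] = [
    ("x > 42", lambda x: x > 42),
    ("x*x == 2500", lambda x: x * x == 2500),
    ("x < 100", lambda x: x < 100),
]
# A recorded path entry: (branch text, predicate, outcome the concrete run took).
PathEntry = Tuple[str, Callable[[int], bool], bool]


def program(x: int, trace: List[PathEntry]) -> str:
    """The slide's program: a False at any branch ends it; three Trues reach the bug."""
    for text, pred in BRANCHES:
        taken = pred(x)
        trace.append((text, pred, taken))
        if not taken:
            return "END"
    return "Bug!"


def constraint_text(path: List[PathEntry]) -> str:
    """Render a path constraint the way the slides list them."""
    if not path:
        return "x can be anything"
    parts = [t if taken else f"not ({t})" for t, _, taken in path]
    return parts[0] if len(parts) == 1 else " and ".join(f"({p})" for p in parts)


def path_constraints(x: int) -> List[str]:
    """Path constraint after each branch taken by input x."""
    trace: List[PathEntry] = []
    program(x, trace)
    return [constraint_text(trace[:i]) for i in range(len(trace) + 1)]


def solve(path: List[PathEntry], domain: int = 1 << 16) -> Optional[int]:
    """Bounded search standing in for an SMT solver: first x satisfying every entry."""
    for x in range(domain):
        if all(pred(x) == taken for _, pred, taken in path):
            return x
    return None


def explore(seed: int) -> List[Tuple[int, str, str]]:
    """Concolic loop: run, record the path, flip the last branch, solve, repeat until the bug."""
    history: List[Tuple[int, str, str]] = []
    x: Optional[int] = seed
    while x is not None:
        trace: List[PathEntry] = []
        outcome = program(x, trace)
        history.append((x, outcome, constraint_text(trace)))
        if outcome == "Bug!":
            break
        last_text, last_pred, last_taken = trace[-1]
        x = solve(trace[:-1] + [(last_text, last_pred, not last_taken)])
    return history


if __name__ == "__main__":
    for x, outcome, constraint in explore(7):   # 7 is a constructed starting input
        print(f"x = {x:<4} {outcome:<5} {constraint}")
```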
Conclusion ( 24 / 24 )
• SwordDTA_NT
  • Taint analysis: to identify the network packets affecting the security-sensitive functions in the target software
  • Fuzzing: to generate fuzzed data that triggers those vulnerabilities
• Limitation
  • Checksum-aware → TaintScope
  • Code coverage → symbolic execution
• Good software security testing methods
  • Fuzzing: American fuzzy lop (http://lcamtuf.coredump.cx/afl/)
  • SMT solver: Z3 by Microsoft (https://github.com/Z3Prover/z3)
• And
  • CGC (Cyber Grand Challenge)
    • The world’s first all-machine cyber hacking tournament
    • On August 4, 2016 in Las Vegas
    • https://www.darpa.mil/program/cyber-grand-challenge
Thank you
Reference
[1] T. Wang, T. Wei, G. Gu, W. Zou, “TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection” (key reference). http://faculty.cs.tamu.edu/guofei/paper/TaintScope-Oakland10.pdf
[2] P. Godefroid, M.Y. Levin, D. Molnar, “SAGE: whitebox fuzzing for security testing”. https://patricegodefroid.github.io/public_psfiles/ndss2008.pdf

(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 

A guided fuzzing approach for security testing of network protocol software

  • 1. A Guided Fuzzing Approach for Security Testing of Network Protocol Software
    Hyunseok, Ji (binishack3r@gmail.com)
  • 2. About ( 2 / 24 )
    • How to find a bug in network protocol software using fuzzing and taint analysis?
    • Presenting “A guided fuzzing approach”
      ✓ Based on fuzzing
      ✓ Based on taint analysis to identify the sensitive input area
      ✓ Hackers usually use the same method to find bugs in lots of software
  • 3. Introduction ( 3 / 24 )
    • Software vulnerability
      • NIST defines “vulnerability” as: “A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.” (https://en.wikipedia.org/wiki/Vulnerability_(computing))
      • The root cause of network security issues
    • Software security testing
      • Checking whether the software is secure or not
      • To see if the software is vulnerable to attacks
    • Fuzzing is an effective dynamic software security testing method
    • What is fuzzing?
      • Generating malformed inputs → testcases (packets)
      • Feeding testcases to a target software → sending packets
      • Monitoring the operational status of the target software → crash? hang? exploitability?
    • Dynamic taint analysis
      • To identify the security-sensitive functions of the target software affected by testcases
      • buffer overflow → strcpy(), strcat(), sprintf(), vsprintf(), ...
    • Mutation to trigger potential vulnerabilities is the key idea!
  • 4. Network Protocol Fuzzing ( 4 / 24 )
    • Fuzzing categories
      • File format: media codecs (audio, video, ...), compression (zip, tar, ...), databases (SQLite), HWP, PDF, ...
      • Network protocol: HTTP, RPC, SMTP, MIME, FTP, ...
      • Browser: Chrome, JavaScript engine, ...
      • OS kernel: system call, bitmap, IOCTL, ...
    • Fuzzing phases (flowchart)
      Start → Identify the target and input vectors → Generate fuzzed data → Run target software → Monitor → Crash?
        - No: kill process and generate new fuzzed data
        - Yes: log dumps (✓ stack ✓ call stack ✓ regs ✓ instruction) → analyze the logs (✓ DoS (denial of service) ✓ hang ✓ exploitability: buffer/heap overflow, integer overflow/underflow, use after free, ...) → generate new fuzzed data
    • Fuzzing tools
      • PROTOS, SPIKE, SNOOZE, Sulley, AutoFuzz, ...
  • 5. Network Protocol Fuzzing Example ( 5 / 24 )
    • Target is FTP (File Transfer Protocol)
      • Binds the well-known port 21 (TCP)
      • Commands are standardized in RFC 959 by the IETF
      • USER, PASS, LIST, PWD, RETR, QUIT, ...
    • Packet layout: {cmd} {userid} {\r\n} = Command | Data | CRLF
      • Seed input: USER binish \r\n
      • Fuzzed data input (Overflow): USER AAAAAAAAAAAAAAAAA....AAAAAAAAAAAAAAA \r\n
      • Fuzzed data input (Format String Bug): USER %8x%8x%8x%8x%8xAAAAAAAAA \r\n
      • Fuzzed data input (Integer overflow): USER 0xFFFFFFFF \r\n
      • Fuzzed data input (Null pointer dereference): USER NULL \r\n
      • Fuzzed data input (Integer overflow): USER 0x80000000 \r\n
      • Fuzzed data input (Line feed): USER %0d%0a \r\n
    • Reference: https://github.com/fuzzdb-project/fuzzdb
  • 6. Taint analysis ( 6 / 24 )
    • Tracking the spread of taint sources during program execution
    • What is taint?
      • Treating user inputs (files, network packets, ...) as taint sources!
    • Example: seed input USER binish \r\n = Fixed Command | User input data (Taint!) | CRLF
      • Only the user input data is marked as taint and tracked through the program
  • 7. Taint analysis (Cont’d) ( 7 / 24 ) – ( 11 / 24 )
    • Taint propagation
      • Data replication operations: mov, push, pop
      • Arithmetic operations and bit manipulation: add, sub, and, shl
      • Clear operations: xor eax, eax // sub eax, eax
    • Worked example (slides 7 to 11 build it up one instruction at a time; the slides show a bitmap of the tainted bytes at bit offsets 0, 8, 16, ..., 64)
      • Initial state:
        Taint (Unique ID: TEST01)
        - Address: 0x12121212-0x12121227
      • mov eax, word [0x12121212] → memory 0x12121212 is tainted, so the taint propagates into the register:
        Taint (Unique ID: TEST01)
        - Address: 0x12121212-0x12121227
        - Register: EAX
      • mov byte [0x1212122A], byte [0x12121212] → memory 0x12121212 is tainted, so the destination memory becomes tainted as well:
        Taint (Unique ID: TEST01)
        - Address: 0x12121212-0x12121227
        - Address: 0x1212122A-0x12121231
        - Register: EAX
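The propagation rules above, replayed on the slides' TEST01 example, as an added example (this is not the SwordDTA_NT Pin tool, which works on real x86 traces); register names, addresses and the 8-byte copy width are taken from the slides, the `size` parameter and the `xor eax, eax` step at the end are assumptions:

```python
"""Byte-granular taint tracker (added example; not the SwordDTA_NT Pin tool). Operands are
register names (str) or byte addresses (int); the three op classes follow the slides."""


class TaintTracker:
    def __init__(self):
        self.mem, self.regs = {}, {}   # byte address -> taint IDs, register name -> taint IDs

    def taint_source(self, tid, start, length):
        for addr in range(start, start + length):     # received packet bytes are the source
            self.mem.setdefault(addr, set()).add(tid)

    def _read(self, operand, size):
        if isinstance(operand, str):
            return set(self.regs.get(operand, set()))
        return set().union(*(self.mem.get(a, set()) for a in range(operand, operand + size)))

    def _write(self, operand, size, labels):
        is_reg = isinstance(operand, str)
        store, keys = (self.regs, [operand]) if is_reg else (self.mem, range(operand, operand + size))
        for key in keys:
            store.pop(key, None)             # an untainted write clears old taint
            if labels:
                store[key] = set(labels)

    def step(self, op, dst, src=None, size=4):
        if op in ("xor", "sub") and dst == src:
            self._write(dst, size, set())                    # clear idiom: result is constant 0
        elif op in ("mov", "push", "pop"):
            self._write(dst, size, self._read(src, size))    # replication: copy labels over
        elif op in ("add", "sub", "and", "shl"):
            self._write(dst, size, self._read(dst, size) | self._read(src, size))  # union
        else:
            raise ValueError("unmodelled instruction: " + op)

    def tainted_ranges(self):
        ranges = []                      # (first, last) byte ranges, like the slide's report
        for addr in sorted(self.mem):
            if ranges and addr == ranges[-1][1] + 1:
                ranges[-1] = (ranges[-1][0], addr)
            else:
                ranges.append((addr, addr))
        return ranges


def run_slide_sequence():
    """Replay the slides' TEST01 example; return a snapshot after each step."""
    t = TaintTracker()
    t.taint_source("TEST01", 0x12121212, 0x12121227 - 0x12121212 + 1)
    snaps = [t.tainted_ranges()]
    t.step("mov", "EAX", 0x12121212, size=2)        # mov eax, word [0x12121212]
    snaps.append(sorted(t.regs))
    t.step("mov", 0x1212122A, 0x12121212, size=8)   # slide's copy into 0x1212122A..0x12121231
    snaps.append(t.tainted_ranges())
    t.step("xor", "EAX", "EAX")                     # xor eax, eax: register no longer tainted
    snaps.append(sorted(t.regs))
    return snaps
```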
  • 12. Key idea ( 12 / 24 )
    • SwordDTA_NT
      • Taint analysis to find packets affecting security-sensitive functions
        - Buffer overflow (strcpy, strcat, sprintf, vsprintf, ...)
        - Integer overflow (malloc, calloc, realloc, ...)
    • A guided fuzzing
      • Generate testcases using taint information
    • Example
      • Seed input: USER binish \r\n = Command | Data (Taint!) | CRLF
      • Tracking reaches the current instruction strcpy(buffer, taint) with Taint (Unique ID: TEST01), Address: 0x12121212-0x12121218 (‘binish’)
      • New fuzzed data generation for overflow! → Fuzzed data input (Overflow): USER AAAAAAAAAAAAAAAAA....AAAAAAAAAAAAAAA \r\n
  • 13. Key idea (Cont’d) ( 13 / 24 )
    • Fuzzed data input (Overflow): USER AAAAAAAAAAAAAAAAA....AAAAAAAAAAAAAAA \r\n
    • The fuzzed data goes through the fuzzing loop: Generate fuzzed data → Run target software → Monitor → Crash?
      - No: kill process and generate new fuzzed data
      - Yes: log dumps (✓ stack ✓ call stack ✓ regs ✓ instruction) → analyze the logs (✓ DoS (denial of service) ✓ hang ✓ exploitability: buffer/heap overflow, integer overflow/underflow, use after free)
    • Log dumps look like:
      EIP: 0x41414141   41414141 ?? ???
      Stack: 41414141 41414141 41414141 41414141   (AAAA AAAA AAAA AAAA)
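The generation step of slides 5, 12 and 13 in code, as an added example (not the page's or SwordDTA_NT's own code): the taint report says which packet bytes reached which sink, so only that field is mutated and the command and CRLF framing survive; BUF_BASE, TAINT_REPORT, the sink sets and the log-dump format are constructed assumptions:

```python
"""Guided test-case generation from taint information (added example; not SwordDTA_NT).
Assumption: the seed packet is received into a buffer at BUF_BASE, so the tainted
address range in the report can be mapped back to byte offsets inside the packet."""

SEED = b"USER binish\r\n"                 # seed input from slide 5: Command | Data | CRLF
BUF_BASE = 0x12121212 - len(b"USER ")    # constructed so that 'binish' lands at 0x12121212

# Taint report in the shape the slides show: which bytes reached which sensitive sink.
TAINT_REPORT = {"id": "TEST01", "start": 0x12121212, "end": 0x12121217, "sink": "strcpy"}

OVERFLOW_SINKS = {"strcpy", "strcat", "sprintf", "vsprintf"}   # buffer-overflow sinks (slide 12)
ALLOC_SINKS = {"malloc", "calloc", "realloc"}                   # integer-overflow sinks (slide 12)


def field_offsets(report, buf_base=BUF_BASE):
    """Translate the tainted address range into packet offsets [start, end)."""
    return report["start"] - buf_base, report["end"] - buf_base + 1


def payloads_for(sink, length=512):
    """Pick mutation classes (slide 5's fuzzdb-style list) that match the sink family."""
    if sink in OVERFLOW_SINKS:
        return [b"A" * length, b"%8x" * 5 + b"A" * 9]         # overflow, format string
    if sink in ALLOC_SINKS:
        return [b"0xFFFFFFFF", b"0x80000000"]                 # integer overflow values
    return [b"NULL", b"%0d%0a"]                               # null / line-feed cases


def generate(seed, report, buf_base=BUF_BASE):
    """Return fuzzed packets in which only the tainted field is replaced."""
    start, end = field_offsets(report, buf_base)
    return [seed[:start] + p + seed[end:] for p in payloads_for(report["sink"])]


def eip_from_input(log_dump, packets):
    """Slide-13 triage: is the faulting EIP made of bytes that came from our packets?"""
    for line in log_dump.splitlines():
        if line.startswith("EIP:"):
            eip = int(line.split()[1], 16).to_bytes(4, "little")
            return any(eip in p for p in packets)
    return False
```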
  • 14. Key idea (Cont’d) ( 14 / 24 )
    • Concept architecture of the proposed approach (diagram)
    • How to implement SwordDTA_NT?
      • Pin tool
        - A dynamic binary instrumentation framework for IA-32/x86-64 by Intel
    • Reference: https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool
  • 15. Preliminary experimental results ( 15 / 24 )
    • Part of the server’s source code (screenshot): the tainted input (Taint!) reaches a security-sensitive function whose destination is a stack buffer of only 10 bytes (small size)
  • 16. Limitation ( 16 / 24 )
    • Ineffective if the target software employs a “checksum” to verify the integrity of inputs!
      • CRC (Cyclic Redundancy Check), Adler-32, MD5, ...
    • Key reference: “TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection”
    • Example: fuzzed data input = FileSize 0x80 | Width, Height (0xFFFF, 0x100) | Data AAAAAAAAAAAAAA..AAAAAAAAAA | Checksum 0x7E12 | CRLF \r\n
      • The target recomputes the checksum with filesize, width, height and data
      • current instruction: if(chksum_in_file != recomputed_chksum) error(); → the process is terminated before the Bug! is reached
  • 17. Limitation (Cont’d) ( 17 / 24 ) – ( 18 / 24 )
    • Identify “Hot Bytes Info”
      • The input bytes that affect the values used in security-sensitive operations
    • Checksum detector generates a bypass rule
      • Slide 17: current instruction if(chksum_in_file != recomputed_chksum) error(); → process is terminated, the Bug! is not reached (checksum recomputed with filesize, width, height and data)
      • Slide 18: with the bypass rule the check becomes if(chksum_in_file == recomputed_chksum) error(); → the fuzzed input passes the checksum and reaches the Bug!
      • Yeah! Bug bounty :) Time to make money!
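Why a checksum stops blind mutation, and how the checksum-aware variant gets past it, shown on a toy record format, as an added example modelled on the TaintScope idea (not TaintScope's or the page's code); the field layout, the 16-bit truncated Adler-32, the 10-byte DATA_LIMIT and the sample values are constructed assumptions:

```python
"""Checksum-aware mutation, modelled on the TaintScope idea (added example, not its code).
Constructed record format after slide 16: FileSize(1) | Width(2) | Height(2) | Data |
Checksum(2) | CRLF. Assumption: the checksum is Adler-32 truncated to 16 bits, computed
over every field before it; the slides only name CRC/Adler-32/MD5 without a layout."""
import struct
import zlib

DATA_LIMIT = 10   # constructed: the server's destination stack buffer is "only 10 bytes" (slide 15)


def checksum(body):
    return zlib.adler32(body) & 0xFFFF


def build_record(width, height, data):
    body = struct.pack("<BHH", len(data), width, height) + data
    return body + struct.pack("<H", checksum(body)) + b"\r\n"


def parse_record(packet):
    """Stand-in for the target: verify the checksum first, then copy Data into a small buffer."""
    body, stored = packet[:-4], struct.unpack("<H", packet[-4:-2])[0]
    if stored != checksum(body):          # if(chksum_in_file != recomputed_chksum) error();
        return "rejected: checksum mismatch"
    size = body[0]
    data = body[5:5 + size]
    if len(data) > DATA_LIMIT:            # the Bug! the fuzzer is trying to reach
        return "Bug! Data exceeds the destination buffer"
    return "ok"


def mutate_naive(packet, data):
    """Blind mutation: replace Data and FileSize but keep the old checksum bytes."""
    _, width, height = struct.unpack("<BHH", packet[:5])
    return struct.pack("<BHH", len(data), width, height) + data + packet[-4:]


def mutate_checksum_aware(packet, data):
    """Bypass rule: mutate the hot bytes, then recompute the checksum so the check passes."""
    _, width, height = struct.unpack("<BHH", packet[:5])
    return build_record(width, height, data)


SEED = build_record(0x100, 0xFFFF, b"hello")   # width/height values from slide 16, constructed data
OVERSIZED = b"A" * 64                           # the slide's AAAA... payload
```

A fuzzer without the fix-up step never gets past the first return in parse_record, so its coverage of the parser proper stays at zero no matter how many testcases it sends.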
  • 19. Limitation (Cont’d) ( 19 / 24 ) – ( 23 / 24 )
    • Code coverage
    • Solutions
      • Symbolic execution, Concolic execution, ...
    • Example program (control-flow graph on the slides; each False edge goes to END):
      x = input()
      if x > 42:
        if x * x == 2500:
          if x < 100:
            Bug!
    • Path constraints collected step by step (slides 20 to 23):
      • x can be anything
      • x > 42
      • (x > 42) and (x*x == 2500)
      • SMT (Satisfiability Modulo Theories) Solver → x = 50
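The constraint build-up of slides 20 to 23 run as a concolic loop on the slides' program, as an added example (not from the page); the bounded search standing in for the SMT solver is an assumption so the block runs offline, a real setup would pass the same constraints to Z3:

```python
"""Concolic exploration of the slide-19 program (added example). Assumption: the SMT
solver is replaced by a bounded integer search so the block runs stand-alone; a real
run would hand the same constraints to Z3, as the slides suggest."""


def program(x, trace):
    """The slides' example; each branch appends (constraint, outcome) to `trace`."""
    c1 = x > 42
    trace.append(("x > 42", c1))
    if not c1:
        return "END"
    c2 = x * x == 2500
    trace.append(("x*x == 2500", c2))
    if not c2:
        return "END"
    c3 = x < 100
    trace.append(("x < 100", c3))
    if not c3:
        return "END"
    return "Bug!"


PREDICATES = {"x > 42": lambda x: x > 42,
              "x*x == 2500": lambda x: x * x == 2500,
              "x < 100": lambda x: x < 100}


def solve(constraints, bound=1 << 16):
    """Stand-in SMT solver: first x in [0, bound) satisfying every (name, wanted) pair."""
    for x in range(bound):
        if all(PREDICATES[name](x) == wanted for name, wanted in constraints):
            return x
    return None


def concolic(start=0, max_iters=10):
    """SAGE-style loop: run concretely, negate the last branch, solve for a new input."""
    x, runs = start, []
    for _ in range(max_iters):
        trace = []
        result = program(x, trace)
        path = " and ".join(("" if taken else "not ") + c for c, taken in trace)
        runs.append((x, path, result))
        if result == "Bug!":
            break
        last_c, last_taken = trace[-1]
        x = solve(trace[:-1] + [(last_c, not last_taken)])
        if x is None:
            break
    return runs
```

Three runs suffice: x = 0 stops at the first branch, x = 43 satisfies x > 42 but not x*x == 2500, and x = 50 reaches the Bug!, the same path a random fuzzer would hit only with probability about 1 in 2^32 on a 32-bit input.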
  • 24. Conclusion ( 24 / 24 )
    • SwordDTA_NT
      • Taint analysis
        - To identify the network packets affecting the security-sensitive functions in the target software
        - To generate fuzzed data to trigger those vulnerabilities
      • Fuzzing
    • Limitation
      • Checksum-aware → TaintScope
      • Code coverage → Symbolic execution
    • Good software security testing methods
      • Fuzzing: American fuzzy lop (http://lcamtuf.coredump.cx/afl/)
      • SMT Solver: Z3 by Microsoft (https://github.com/Z3Prover/z3)
    • And
      • CGC (Cyber Grand Challenge)
        - The world’s first all-machine cyber hacking tournament
        - On August 4, 2016 in Las Vegas
        - https://www.darpa.mil/program/cyber-grand-challenge
  • 26. Reference
    • [1] T. Wang, T. Wei, G. Gu, W. Zou, “TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection” (key reference). http://faculty.cs.tamu.edu/guofei/paper/TaintScope-Oakland10.pdf
    • [2] P. Godefroid, M. Y. Levin, D. Molnar, “SAGE: Whitebox Fuzzing for Security Testing”. https://patricegodefroid.github.io/public_psfiles/ndss2008.pdf