Fuzzing Softwares for Bugs
AMol NAik & Rushikesh Nandedkar
Agenda
● Introduction
● Fuzzing Process
● Types of Fuzzing
● Mutation-based Fuzzing - AFL
● Generation-based Fuzzing - Domato with WebKit
AMol NAik (@amolnaik4)
● Head of Information Security, GOJEK
○ Product Security, DevSecOps, Cloud Security
○ Data Security, Compliance
● Core member of G4H
● Fuzzing browsers since 2013
● IE 9/10/11 were my favorite
Rishikesh Nandedkar (@nandedkarhrishi)
● Engineer || Analyst || Researcher
● Learned last year that “./configure -h” gives customized help
● Thinks in CPU time
● Spams friends/mentors & unknowns for IEEE 802.11, Binary Analysis, Linear
Equations and Kernel
● @office/@home
○ Threat Research
○ Binary Analysis
○ Honeypots
Test Setup
● VM details
○ Everything is already set up
○ Radamsa is missing, install as per instructions given
○ Username: fuzzy
○ Password: password123
○ Download: https://drive.google.com/drive/folders/1xYjhsillIkPjuoS5Vr7lmWSFRD9XQNHU
● Hardware requirements
○ 4GB RAM
○ 40GB HDD
○ Minimum number of cores assigned: 2
○ VirtualBox 6 or above
What is Fuzzing
Wikipedia
Fuzzing or fuzz testing is an automated software testing technique that
involves providing invalid, unexpected, or random data as inputs to a
computer program. The program is then monitored for exceptions such as
crashes, failing built-in code assertions, or potential memory leaks.
Why Fuzz
● For Companies
○ Stress test
○ Security
● For Security researchers
○ Vulnerability Research
○ Exploits
○ 0-day
○ $$$$
Fuzzing Process
Source: https://blog.mozilla.org/security/2012/03/09/adbfuzz-a-fuzz-testing-harness-for-firefox-mobile/
Fuzzing Process
● Generate testcase: fuzzer logic
● Start program & feed the testcase: any scripting
● Check program health: debugger/instrumentation
● If crash, save testcase: reproduce, reduce, crash analysis
● Repeat
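The loop above, as an added Python example (not code from the workshop): a constructed toy pcap record counter with a planted length bug stands in for tcpdump, a radamsa/AFL-style havoc mutator generates test cases, an uncaught exception is treated as the crash, and an afl-tmin-style chunk-removal pass reduces each saved crasher. The seed file, the target and all function names are constructed for this example.

```python
"""Minimal mutation-based fuzz loop: generate, run, check health, save, reduce.

Added example, not code from the workshop. The target is a constructed toy pcap
record counter with a planted length bug; it stands in for the real binary
(tcpdump) that afl-fuzz drives in the demo.
"""
import random
import struct

PCAP_MAGIC = 0xA1B2C3D4
# Constructed seed: a 24-byte global header plus one 4-byte packet record.
SEED_PCAP = (struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
             + struct.pack("<IIII", 0, 0, 4, 4) + b"\xde\xad\xbe\xef")
INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]


def parse_pcap(data: bytes) -> int:
    """Toy target: count packet records. A bad magic is rejected cleanly
    (ValueError), but incl_len is trusted when indexing the payload, so a
    zero or oversized incl_len raises IndexError and a truncated record header
    raises struct.error. Those uncaught exceptions play the role of a crash."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a pcap file")
    off, count = 24, 0
    while off < len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from("<IIII", data, off)
        payload = data[off + 16:off + 16 + incl_len]
        payload[incl_len - 1]  # planted bug: assumes the header's length is honest
        off += 16 + incl_len
        count += 1
    return count


def mutate(data: bytes, rng: random.Random) -> bytes:
    """radamsa/AFL "havoc" style: stack one to four byte-level mutations."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(5)
        if op == 0 and buf:                 # flip a single bit
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:               # overwrite with an "interesting" value
            i = rng.randrange(len(buf))
            buf[i] = rng.choice(INTERESTING)
        elif op == 2 and buf:               # small arithmetic on one byte
            i = rng.randrange(len(buf))
            buf[i] = (buf[i] + rng.randint(-35, 35)) & 0xFF
        elif op == 3:                       # insert a run of identical bytes
            i = rng.randrange(len(buf) + 1)
            buf[i:i] = bytes([rng.randrange(256)]) * rng.randint(1, 8)
        elif buf:                           # delete a chunk
            i = rng.randrange(len(buf))
            del buf[i:i + rng.randint(1, 8)]
    return bytes(buf)


def run_target(data: bytes):
    """Health check. None means the target survived (a clean reject counts as
    surviving); otherwise the exception type is the crash signature, much as
    AFL keys crashes on the fatal signal and the instrumentation path."""
    try:
        parse_pcap(data)
    except ValueError:
        return None
    except Exception as exc:  # any other exception is "the program died"
        t = type(exc)
        return t.__name__ if t.__module__ == "builtins" else f"{t.__module__}.{t.__name__}"
    return None


def reduce_crash(data: bytes, signature: str) -> bytes:
    """afl-tmin style reduction: drop ever-smaller chunks while the same
    signature still reproduces, so the analyst gets the smallest input."""
    chunk = len(data) // 2
    while chunk >= 1:
        i = 0
        while i < len(data):
            candidate = data[:i] + data[i + chunk:]
            if run_target(candidate) == signature:
                data = candidate  # still crashes the same way: keep the shorter input
            else:
                i += chunk
        chunk //= 2
    return data


def fuzz(seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """The loop from the slide. Returns {signature: reduced crashing input}."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        testcase = mutate(seed, rng)           # generate testcase
        signature = run_target(testcase)       # start program, feed it, check health
        if signature and signature not in crashes:
            crashes[signature] = reduce_crash(testcase, signature)  # save and reduce
    return crashes


if __name__ == "__main__":
    for sig, case in fuzz(SEED_PCAP, 2000).items():
        print(f"{sig}: {len(case)} bytes -> {case.hex()}")
```

Run it directly to print one reduced crasher per signature. The signatures are exception type names, the in-process equivalent of keying crashes on the fatal signal; with a real binary the same loop would fork the target and read the exit status instead.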
Testcase Generation
● Understand the fuzz target
○ File parser
○ Protocol parser
● Methods to provide inputs
○ Servers - Protocols, HTTP/FTP requests, headers within requests
○ Browser - HTML files, PDF files, images, fonts
● Tech used within target
○ Browser - JS, SVG, DOM, WebRTC, WebAssembly
Testcase Generation
● Fuzzer logic
● Modify Good input
○ AFL, radamsa
● Generate input
○ Scripts with Grammar, Domato
Crash Detection
● Debuggers
○ Windbg, GDB, LLDB
Source: https://purehacking.com/blog/lloyd-simon/an-introduction-to-use-after-free-vulnerabilities
https://ioactive.com/striking-back-gdb-and-ida-debuggers-through-malformed-elf-executables/
Crash Detection
● Instrumentation
○ ASAN - Address Sanitizer
○ https://github.com/google/sanitizers/wiki/AddressSanitizer
Crash File Reduction
Crash Analysis
● Out of scope for this workshop
Types of Fuzzing
● Mutation Based
○ Introducing small changes to existing inputs that may still keep the input valid, yet exercise new
behavior - Fuzzingbook.org
● Generation Based
○ Generate files from structure
○ Grammar based
Mutation Based Fuzzing
● AFL (American Fuzzy Lop)
○ Brute-force fuzzer coupled with an exceedingly simple but rock-solid instrumentation-guided
genetic algorithm
○ https://github.com/google/AFL
How is AFL Better
● Compile-time instrumentation
● Better coverage: the instrumentation feeds edge coverage back into which inputs get mutated further
● Intelligent test case trimming
● Utilities that come in handy before, during and after fuzzing (afl-cmin, afl-tmin, afl-analyze, afl-gotcpu)
“When you do demos, you have to surrender to the
demo gods.” - Mikko Hypponen
Hopefully, won’t see a proof of Murphy’s law
Demo Setup
● Target - tcpdump
● v4.8
● Important dependency to build tcpdump - libpcap (its headers are needed at build time)
● Preps
○ $ sudo apt install gcc make git wget libpcap-dev
Setting up AFL
● $ sudo apt install afl afl-clang
● Manually building AFL
○ $ git clone https://github.com/google/AFL.git
○ $ cd AFL
○ $ make
Setting up tcpdump
● $ git clone -b tcpdump-4.8
https://github.com/the-tcpdump-group/tcpdump.git
● $ cd tcpdump
● $ mkdir io
● $ cd io
● $ mkdir i o_gcc cmin tmin
Building tcpdump with gcc
● $ cd ~/tcpdump
● $ CC=afl-gcc ./configure
● $ make
<run “make clean” before every rebuild with a different compiler or sanitizer setting, otherwise stale objects from the previous build get linked in>
File map
tcpdump/
└── io/
    ├── i        (AFL input corpus)
    ├── o_gcc    (afl-fuzz output, gcc build)
    ├── cmin     (afl-cmin output)
    └── tmin     (afl-tmin output)
Thoughts on test files
● Keep them as small as possible
● Use afl-analyze to see which bytes of a file the target actually cares about
● Use afl-cmin to drop files that add no new coverage
● Time the target on each file by hand; one slow seed drags down every execution
● The number of files does not always matter; what they cover does
Running AFL
● Copy test files
○ Put a handful of small, valid .pcap files in io/i
● Run AFL
○ $ cd ~/tcpdump
○ $ afl-fuzz -i io/i -o io/o_gcc -m none -- ./tcpdump -r @@
Building tcpdump with gcc & ASAN
● $ cd ~/tcpdump
● $ make clean
● $ CC=afl-gcc ./configure
● $ AFL_USE_ASAN=1 make -j$(nproc)
● An ASAN build needs far more memory per execution, which is why every afl-fuzz command here passes “-m none”
radamsa
● radamsa is a test case generator
● Setting up radamsa
○ $ git clone https://github.com/akihe/radamsa.git && cd radamsa &&
make && sudo make install
● Generating test corpus for tcpdump
○ $ radamsa -n <number_of_testcase_files> -o "$HOME/tcpdump/io/i/fuzz-%n.%s" -r <valid_file_folder>/*.pcap
○ The output directory is io/i, the AFL input directory; a tilde inside quotes is not expanded by the shell, so use $HOME
Trimming down testcases
● $ cd ~/tcpdump
● $ afl-cmin -i io/i -o io/cmin -m none -- ./tcpdump -r @@
● Fuzz
○ $ afl-fuzz -i io/cmin -o io/o_gcc -m none -- ./tcpdump -r @@
Parallel Fuzzing with AFL
● $ afl-gotcpu
○ Tells you how busy the cores are before you start more instances
● Utilizing multiple cores: one afl-fuzz instance per core, each in its own terminal or tmux pane, all sharing the same -o directory (they sync through it)
● The -M instance runs the deterministic stages; the -S instances skip them and do random mutation only
● $ afl-fuzz -i io/cmin -o io/o_gcc -m none -M master -- ./tcpdump -r @@
● $ afl-fuzz -i io/cmin -o io/o_gcc -m none -S slave0 -- ./tcpdump -r @@
● $ afl-fuzz -i io/cmin -o io/o_gcc -m none -S slave1 -- ./tcpdump -r @@
I feel the need, the need for speed !
Did you notice?
● Stage progress stats
○ stage execs
○ total execs
○ exec speed
○ <add more if relevant>
Building tcpdump with clang
● $ cd ~/tcpdump
● $ make clean
● $ CC=afl-clang-fast ./configure
● $ AFL_USE_ASAN=1 make -j$(nproc)
● Create a directory for the new build’s output
○ $ cd ~/tcpdump/io
○ $ mkdir o_clang
Let’s fuzz
● Same three instances as before, now pointed at the clang build
● $ cd ~/tcpdump
● $ afl-fuzz -i io/cmin -o io/o_clang -m none -M master -- ./tcpdump -r @@
● $ afl-fuzz -i io/cmin -o io/o_clang -m none -S slave0 -- ./tcpdump -r @@
● $ afl-fuzz -i io/cmin -o io/o_clang -m none -S slave1 -- ./tcpdump -r @@
Wait for crashes
Reducing Crash
● $ afl-tmin -i <path_to_crash_file> -o <path_to_tmin_output_file_with_filename> -m none -- ./tcpdump -r @@
● Keep “-m none” here too when the target is the ASAN build
Expect
● AFL instrumentation may fail at compile time
● ASAN may fail during either configure or make
● Executions/second will vary between runs and between builds
● Trial and error to find workable values for “-t” (timeout) and “-m” (memory limit) in afl-fuzz
Instrumenting a target that has no “configure” or “config” script
● There are two ways, broadly
○ Edit the CC and CFLAGS values in the Makefile (or in the file it includes them from)
○ Override CC and CFLAGS on the make command line
Generation Based Fuzzing
● Domato
○ Grammar for every component
■ HTML tags
■ HTML attributes
■ CSS attributes
■ JavaScript
■ SVG tags
■ SVG attributes
○ Covers DOM
Generation Based Fuzzing - Domato
● Generate files
○ $ python generator.py --output_dir <directory> --no_of_files <number>
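A cut-down generator in the same spirit as Domato, added here as an illustration; it is not Domato's own code or grammar. Every component (HTML tags, attributes, CSS declarations, SVG elements, JavaScript) is a nonterminal with a few alternatives, and a bounded recursive expansion produces a whole HTML document. The grammar, the symbol names and the generate_files interface are assumptions made for this example.

```python
"""Tiny grammar-based generator in the spirit of Domato.

Added example, not Domato's code or grammar files. Nonterminals are written
<name> as in Domato; anything in angle brackets that is not a grammar symbol
(the HTML tags) is emitted literally. Recursion is bounded by max_depth, after
which the least recursive alternative is forced so generation terminates.
"""
import os
import random
import re

GRAMMAR = {
    "document": ["<html><head><style><css></style></head><body><elements>"
                 "<script><js></script></body></html>"],
    "elements": ["<element>", "<element><elements>"],
    "element": ['<div <attrs>><elements></div>',
                '<span <attrs>><text></span>',
                '<svg <attrs>><svgelem></svg>',
                '<text>'],
    "svgelem": ['<rect width="<int>" height="<int>"/>', '<circle r="<int>"/>'],
    "attrs": ['id="<id>"', 'class="<id>" style="<cssdecl>"', 'id="<id>" <attrs>'],
    "css": ["#<id> { <cssdecl> }", "#<id> { <cssdecl> } <css>"],
    "cssdecl": ["width: <int>px", "display: <display>", "<cssdecl>; <cssdecl>"],
    "display": ["none", "block", "inline", "flex"],
    "js": ["var e = document.getElementById('<id>'); if (e) { e.style.display = '<display>'; }",
           "document.body.innerHTML += '<text>';",
           "<js> <js>"],
    "text": ["A", "fuzz", "<int>"],
    "id": ["e0", "e1", "e2"],
    "int": ["0", "1", "255", "65535", "-1"],
}
SYMBOL = re.compile(r"<([a-z_]+)>")


def expand(symbol: str, rng: random.Random, depth: int = 0, max_depth: int = 12) -> str:
    """Pick one alternative for the symbol and expand its nonterminals recursively."""
    rules = GRAMMAR[symbol]
    if depth >= max_depth:
        # Past the depth budget, force the alternative with the fewest symbols.
        rules = [min(rules, key=lambda r: len(SYMBOL.findall(r)))]
    template = rng.choice(rules)
    out, pos = [], 0
    for m in SYMBOL.finditer(template):
        out.append(template[pos:m.start()])
        name = m.group(1)
        # Unknown names (html, script, ...) are literal tags and are kept as-is.
        out.append(expand(name, rng, depth + 1, max_depth) if name in GRAMMAR else m.group(0))
        pos = m.end()
    out.append(template[pos:])
    return "".join(out)


def generate_document(seed: int) -> str:
    """One test case. The seed makes it reproducible, which matters when a
    crashing file has to be regenerated instead of copied around."""
    return expand("document", random.Random(seed))


def generate_files(output_dir: str, no_of_files: int, first_seed: int = 0) -> list:
    """Mirrors generator.py's --output_dir/--no_of_files interface (assumed
    naming); writes fuzz-<n>.html files and returns their paths."""
    os.makedirs(output_dir, exist_ok=True)
    paths = []
    for n in range(no_of_files):
        path = os.path.join(output_dir, f"fuzz-{n}.html")
        with open(path, "w") as f:
            f.write(generate_document(first_seed + n))
        paths.append(path)
    return paths


if __name__ == "__main__":
    print(generate_document(7))
```

Because every tag pair comes out of one grammar alternative, the output is always well-formed HTML; the variety comes from the attribute, CSS and script combinations, which is where a DOM fuzzer earns its keep.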
Generation Based Fuzzing
● Target - WebKit
○ Build WebKitGTK+ with ASAN on Ubuntu 18
○ Version 2.20.2
○ https://github.com/googleprojectzero/p0tools/tree/master/WebKitFuzz
● Try running the webkitfuzz binary
○ $ cd ~/Downloads/webkitgtk-2.20.2/build
○ $ ASAN_OPTIONS=detect_leaks=0,exitcode=42 ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-6.0/bin/llvm-symbolizer LD_LIBRARY_PATH=./lib ./bin/webkitfuzz /path/to/sample <timeout>
○ exitcode=42 makes ASAN exit with a known status on any detected bug, so the automation can tell a sanitizer report from a normal exit or a timeout; detect_leaks=0 keeps leak reports from counting as crashes
Generation Based Fuzzing
● Automate
○ Serve all testcases to target one-by-one (via web server)
○ Check if there is crash
○ If crash, copy the testcase to different folder
○ No need to kill as timeout is already there
○ Repeat
Generation Based Fuzzing
● Automate
○ One way - fuzz.sh
Got any crashes ??
● Navigate to ~/new_crashes
● Crashes
○ Heap-buffer-overflow
○ SEGV
■ There are different types of SEGV: a fault at a near-null address is usually a null dereference, a fault at a wild address deserves a closer look, and a WRITE is more interesting than a READ
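The automation loop (serve, check, copy, repeat) and the crash bucketing above, as one added Python example; it is not the workshop's fuzz.sh and not WebKitFuzz code. It assumes the target was launched with ASAN_OPTIONS=exitcode=42 as in the harness command, so a sanitizer-detected bug ends with exit status 42, and it buckets crashers by the first ERROR line of the report, splitting SEGV by faulting address. The sample reports, the stand-in target script and the directory names are constructed for this example; point target_cmd at the real webkitfuzz invocation to use it for real.

```python
"""Serve test cases to an ASAN-instrumented target one by one, detect crashes
and bucket them by sanitizer report.

Added example (not the workshop's fuzz.sh). Assumes ASAN_OPTIONS=exitcode=42
as in the harness command: a sanitizer report ends the process with status 42,
a negative status is a raw signal the sanitizer did not catch, and a timeout is
reported separately.
"""
import os
import re
import shutil
import subprocess
import sys
import tempfile

ASAN_EXIT_CODE = 42
ASAN_ERROR = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
                        r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?")
ASAN_ACCESS = re.compile(r"(READ|WRITE) (?:of size \d+|memory access)")
ASAN_TOP_FRAME = re.compile(r"^\s*#0 0x[0-9a-fA-F]+ in (\S+)", re.M)

# Constructed sample reports in the real ASAN layout (abridged); not from any actual crash.
SAMPLE_HBO = """==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x00000051a3b2 bp 0x7ffd5c0 sp 0x7ffd5b8
READ of size 4 at 0x602000000014 thread T0
    #0 0x51a3b1 in parse_record /src/target.c:42:13
    #1 0x51a0f0 in main /src/target.c:88:9
"""
SAMPLE_SEGV = """==4243==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000051b000 bp 0x000 sp 0x000 T0)
==4243==The signal is caused by a READ memory access.
==4243==Hint: address points to the zero page.
    #0 0x51afff in render_node /src/target.c:120:5
"""


def classify_asan(report: str) -> str:
    """Bucket key: bug kind, access direction and top frame. SEGV is split into
    near-null (almost always a null dereference) and wild, because those are
    the "different types of SEGV" that get triaged very differently."""
    m = ASAN_ERROR.search(report)
    if not m:
        return "unknown"
    kind = m.group("kind")
    if kind == "SEGV":
        kind += "-null" if int(m.group("addr") or "0", 16) < 0x1000 else "-wild"
    parts = [kind]
    access = ASAN_ACCESS.search(report)
    if access:
        parts.append(access.group(1))
    frame = ASAN_TOP_FRAME.search(report)
    if frame:
        parts.append(frame.group(1))
    return "_".join(parts)


def run_case(target_cmd: list, testcase: str, timeout: float):
    """Run one testcase. Returns (status, stderr) with status one of
    'ok', 'timeout', 'asan:<bucket>' or 'signal:<number>'."""
    try:
        proc = subprocess.run(target_cmd + [testcase], capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", ""  # nothing to kill: subprocess.run already did
    if proc.returncode == ASAN_EXIT_CODE:
        return "asan:" + classify_asan(proc.stderr), proc.stderr
    if proc.returncode < 0:
        return f"signal:{-proc.returncode}", proc.stderr
    return "ok", proc.stderr


def fuzz_dir(target_cmd: list, testcase_dir: str, crash_dir: str, timeout: float) -> dict:
    """The loop from the slide: serve every testcase, check for a crash, copy
    crashers (plus their report) into crash_dir/<bucket>/, repeat."""
    found = {}
    for name in sorted(os.listdir(testcase_dir)):
        path = os.path.join(testcase_dir, name)
        status, report = run_case(target_cmd, path, timeout)
        if status == "ok":
            continue
        bucket = re.sub(r"[^\w.-]", "_", status)
        dest = os.path.join(crash_dir, bucket)
        os.makedirs(dest, exist_ok=True)
        shutil.copy(path, dest)
        with open(os.path.join(dest, name + ".asan.txt"), "w") as f:
            f.write(report)
        found.setdefault(bucket, []).append(name)
    return found


# Constructed stand-in for ./bin/webkitfuzz: "crashes" on any testcase whose
# name contains "bad", echoing the file as its sanitizer report and exiting 42.
STAND_IN_TARGET = """import sys
path = sys.argv[1]
if "bad" in path:
    sys.stderr.write(open(path).read())
    sys.exit(42)
"""


def _write(path: str, text: str) -> None:
    with open(path, "w") as f:
        f.write(text)


def demo() -> dict:
    """End-to-end run against the stand-in target in a scratch directory."""
    work = tempfile.mkdtemp()
    try:
        cases = os.path.join(work, "cases")
        os.makedirs(cases)
        _write(os.path.join(work, "target.py"), STAND_IN_TARGET)
        _write(os.path.join(cases, "bad-1.html"), SAMPLE_HBO)
        _write(os.path.join(cases, "bad-2.html"), SAMPLE_SEGV)
        _write(os.path.join(cases, "good-3.html"), "<html></html>")
        return fuzz_dir([sys.executable, os.path.join(work, "target.py")], cases,
                        os.path.join(work, "new_crashes"), timeout=10)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Bucketing on the top frame is what keeps ~/new_crashes from filling with hundreds of copies of the same bug; the first file in each bucket is the one to reduce and analyse.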
Generation Based Fuzzers
● Publicly available fuzzers
○ Cross_fuzz
○ Nodefuzz
○ Nduja
○ Fileja
Fuzzing Principles
● Have patience
○ Don’t expect new crashes in 1-2 days
● Don’t lose hope
○ Fuzzing is about randomness
○ You might hit the right node at the right time
● Build your own fuzzers
○ Everyone uses the public fuzzers, so the bugs they find easily are already gone
○ Target one thing at a time
○ Modify the fuzzer once it stops producing new crashes
Thank You !!

Fuzzing softwares for bugs - OWASP Seasides
