This document provides an overview of fuzz testing and fuzzing tools. It discusses what fuzzing is, the history and evolution of fuzzing, popular fuzzing tools like Peach Fuzz and Sulley, and fuzzing methods like generation-based, mutation-based, and byte flipping fuzzing. The document also covers the phases of fuzzing like identifying targets and inputs, generating fuzzed data, executing it, and monitoring for exceptions. Key fuzzing frameworks and tools from organizations like CERT and their capabilities are described as well.

1. VEYSEL HATAŞ
vhatas@gmail.com
09.05.2014
BILKENT UNIVERSITY COMPUTER ENGINEERING DEPARTMENT
FUZZING & SOFTWARE SECURITY TESTING

2. PROLOGUE
• 0x00401001 what_is_fuzzing ( )
• 0x00401002 history ( )
• 0x00401003 fuzzing_tools ( )
• 0x00401004 fuzzing_phases ( )
• 0x00401005 fuzing_framework ( )
• 0x00401006 fuzzing_methodes ( )
• 0x00401007 questions ( )
push ebp
mov ebp, esp
call what_is_fuzzing

3. WHAT IS FUZZING?
«Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in
finding implementation bugs using malformed/semi-malformed data injection in an automated
fashion.»
«The purpose of fuzzing relies on the assumption that there are bugs within every program,
which are waiting to be discovered. Therefore, a systematical approach should find them
sooner or later.» -- http://www.owasp.org/index.php/Fuzzing
«Fuzzing is the process of sending intentionally invalid data to a product in the hopes of
triggering an error condition or fault. These error conditions can lead to exploitable
vulnerabilities.» HD Moore
“The degree to which a system or component can function correctly in the presence of invalid
inputs or stressful environmental conditions.” IEEE

4. HISTORY
• Professor Barton Miller
• Developed fuzz testing with his students at the University of Wisconsin-Madison in
1988/89
• GOAL: improve UNIX applications
• Millers fuzzer was pretty basic: It sent random strings of data to the application
• 1999 brought PROTOS from University of Oulu
• 2004 Browser Fuzzing (Fuzzed HTML to find browser bugs)
• 2004 File Format Fuzzing (MS04-028 Buffer Overun ~ Remote Code Execution)
• 2006 ActiveX Fuzzing
• 2007 Man-in-the-middle Fuzzing (ProxyFuzz)

5. SOME FUZZING TOOLS
• Peach Fuzz
• BFF
• Sulley
• Spike
• TAOF
• COMRaider

6. SOME HELPFUL DEFINITIONS
• BUG
• The Harvard Mark II (1947) Real BUG !
• Security BUGs (Memory Corruptions, Overflow, Injections, Memory Leaks)
• BUG Hunting
• Source Code Analysis (White Box)
• Binary Analysis
• Static Analysis (Reverse Engineering)
• Dynamic Analysis (Fuzzing, Debugging/Tracing, Taint Analysis)
• In Memory Fuzzing
«In memory fuzzing is a technique that allows the analyst to bypass parsers; network-related limitations such as
max connections, buit in IDS or flooding protection; encrypted or unknown (poorly documented) protocol in order
to fuzz the actual underlying assembly routines that are potentially vulnerable.»
CORELAN TEAM

7. FUZZING PHASES
1. IDENTIFY THE TARGET
• Applications (players, readers, web apps…)
• Platforms (Linux, Windows, OSX)
• Devices (arm, phones, modems ..)
• …
2. IDENTIFY THE INPUTS
• File Formats (swf, pdf, png, jpeg, m3u …)
• Network Protocols (ftp, http, arp, ssl …)
• Reg keys, env variables, headers …

8. FUZZING PHASES
3. GENERATE FUZZ DATA
• Mutation
• Generation
4. EXECUTE FUZZ DATA
• Semi-valid input to the target application
5. MONITOR FUZZ DATA

9. THE PROCESS OF FUZZING FRAMEWORK
Identify Targets
& Platform
Identify Input
vectors
Generate Fuzz
Data
• minimizing
Execute Fuzzed
Data
Monitor for
Exceptions
Determine
Exploitability
• Unique crash logs

10. CERT - FUZZING FRAMEWORK
• Basic Fuzzing Framework (BFF)
• Linux and Mac OS X platforms
• Failure Observation Engine (FOE)
• Windows platform

11. BFF - BASIC FUZZING FRAMEWORK
• The CERT Basic Fuzzing Framework (BFF) is a software testing tool that finds defects in
applications. BFF performs mutational fuzzing on software that consumes file input.
• The BFF automatically collects test cases that cause software to crash in unique ways, as
well as debugging information associated with the crashes.
• The goal of BFF is to minimize the effort required for software vendors and security
researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.

12. BFF - BASIC FUZZING FRAMEWORK
Features that are available in BFF
• Uniqueness determination is handled through intelligent backtrace analysis.
• Automated test-case minimization reduces the effort required to analyze results. This is
achieved by distilling the test case to the minimal changes to the input data required to
induce a specific crash.
• Online machine learning is applied to fuzzing parameter and input file selection to
improve the efficacy of the campaign.
• Crash severity/exploitability triage is provided.

13. BFF - BASIC FUZZING FRAMEWORK
ZZUF
It is a transparent application input fuzzer, whose purpose is to find bugs in applications by
corrupting their user-contributed data, changing the random-bits in the input. Zzuf is one of
the most common fuzzers available for bit flipping fuzzing.
CERT Triage Tools
The CERT Triage Tools include a GNU Debugger (GDB) extension called "exploitable" that
classifies Linux application bugs by severity and a wrapper script for batch execution.

14. BFF - TOOLS
BFF minimizes crashers (tools/minimizer_plot.py)
• Each crashing test case will have a number of bytes that have been modified from the
seed file.
• When a crasher is minimized, a test case is generated with a minimal number of bytes
that have changed from the seed file.

15. BFF - TOOLS
BFF crash analyzer (tools/bff_stats.py)
• Generates a concise summary of the fuzz run results so far, including how many times
each unique crash was seen, the first seed number it was seen at, the most recent seed
number it was seen, and the bitwise and byte wise Hamming Distance from the original
seed file for the minimized test case.

16. BFF - TOOLS
BFF crash analyzer (tools/create_crasher_script.py)
• It will generate a shell script that in turn can be used to regenerate all the test cases for a
given crash id.

17. BFF - BASIC FUZZING FRAMEWORK
Analyzing Results
• When the fuzzing run encounters a crash, BFF will analyze the details of the crash
• Capturing
• Stderr output
• Gdb output
• Valgrind output
• Callgrind output

18. BFF - BASIC FUZZING FRAMEWORK
Analyzing Results
• crashers: Contains a subdir for each uniquely-crashing test case and its analyzed results
• seeds: Contains the original seed files as well as logs specific to that seedfile
• uniquelog.txt: A log file that tracks the unique crashers found during the run
• gdb output
• the memory map
• signal information
• backtrace, registers
• disassembly
• CERT Triage Tools

19. BFF - BASIC FUZZING FRAMEWORK
DEMO 1

20. FUZZING METHODS
• Generation-based or Random-based (Smart Fuzzing)
The fuzzers generate input data for applications in a random way . This type of data
generation is very quick to implement but also useless in most cases.
• Easy, you do not need to know any protocol or format.
• Mutation-based (Dumb Fuzzing)
Mutation-based fuzzers generate data by analyzing an existing set of data provided by
the user and mutating some fields inside these data.
• Very hard, but explores every detail of protocol
• Proxy-based
• Specification-based
• Evolutionary-based

21. GENERATION BASED FUZZING
• Generational fuzzers are capable of building the data being sent based on a data model
provided by the fuzzer creator. Sometimes this is as simple as sending random bytes.
This can be done much smarter by knowing good data values and combining them in
interesting ways.
• Test cases are generated from some description of the format.

22. MUTATION BASED (DUMB FUZZING)
• Mutation-based fuzzers mutate existing data samples to create test data while generation-
based fuzzers define new test data based on models of the input.
• Mutational fuzzing is the act of taking well-formed input data and corrupting it in various
ways, looking for cases that cause crashes.
• Change Random Byte
• Byte Flipping

23. Charlie Miller code
numwrites = random.randrange (math.ceil ( ( float ( len (buf)) / FuzzFactor)))+1
for j in range (numwrites ) :
rbyte = random.randrange (256)
rn = random.randrange (len (buf) )
buf [rn] = "%c" %(rbyte);
CHANGE RANDOM BYTE

25. BYTE/DWORD FLIPPING
• FiveBelow is the dummy file fuzzer. It uses byte slides methode.

26. BYTE/DWORD FLIPPING
• FiveBelow is the dummy file fuzzer. It uses byte slides methode.
• ZDI-11-252
• Apple QuickTime PICT Image PnSize Opcode Remote Code Execution Vulnerability

27. BYTE/DWORD FLIPPING (ZDI-11-252)

28. DEMO 2
APPLE QUICKTIME PICT IMAGE PNSIZE OPCODE
REMOTE CODE EXECUTION

29. BYTE/DWORD FLIPPING (ZDI-11-252)

32. FILE FORMAT FUZZING
PDFuzzer (pdf header format fuzzer by Jeremy Brown )

33. PEACH FUZZER
• Peach is a SmartFuzzer that is capable of performing both generation and mutation based
fuzzing.
• Peach requires the creation of Peach Pit files that define the structure, type information,
and relationships in the data to be fuzzed. It additionally allows for the configuration of a
fuzzing run including selecting a data transport (Publisher), logging interface, etc.

34. PEACHPIT FILE
• DataModel
A DataModel defines the structure of a data block by specifying additional child elements
such as Number, Blob, or String.
• StateModel
The StateModel recreates the basic state machine logic needed to test a protocol. The
state model defines how to send and receive data to the fuzzing target.

35. PEACHPIT FILE
• Publishers (Network Publishers & Custom Publishers )
Publishers are the I/O interfaces used by Peach to send and receive data.
• Agent and Monitor

36. DEMO 3

37. PEACH FARM (PARALLEL FUZZING)
Peach Fuzzer Farm allows to build scalable
and distributed fuzzing harnesses.
• 88 Cores of fuzz
• 100,000 files per format (doc, xls, ppt, pdf)
• 5 Targets (Office 2010/2007, OpenOffice, PDF viewers)
• 4 File formats
• >250 GB of logs
• One crash about every six seconds

38. PEACH FARM (SAMPLE RESULTS)
• 942 Unique Major Hashes
• 440 in Office
• 396 in Open Office
• 68 in Ghostview
• 32 in Foxit
• 5 in Acrobat
• ! exploitable
• 150 EXPLOITABLE (15%)
• 188 PROBABLY_EXPLOITABLE (19%)
• 16 PROBABLY_NOT_EXPLOITABLE (1.6%)
• 588 UNKNOWN (62%)

39. ACTIVEX FUZZING
COMRaider is a tool designed to fuzz COM Object Interfaces.

40. ACTIVEX FUZZING
Target: CommuniCrypt Mail 1.16 (ANSMTP.dll/AOSMTP.dll)
Methode: AddAttachments

41. ACTIVEX FUZZING
Target: CommuniCrypt Mail 1.16 (ANSMTP.dll/AOSMTP.dll)
Methode: AddAttachments

42. EPILOGUE
• « Fuzzing will not always yield bugs that will allow you to execute code. Fuzzing does not
promise to make your dreams come true. Fuzzing is an art and a software programmer's
nightmare. Fuzzing will open your eyes to see that it is no longer enough to know the
code backwards and forward, inside and outside, layer by layer, line by line, bit by bit. »
Jeremy Brown
mov esp, ebp
pop ebp
ret

43. THANK YOU FOR LISTENING
• udacity: CS258 (Software Testing)
• http://fuzzing.org/
• Open Source Fuzzing Tools
• Fuzzing: Brute Force Vulnerability Discovery
• www.corelan.be