FUZZING
UNDERESTIMATED METHOD OF FINDING
HIDDEN BUGS
by Pawel Rzepa
AGENDA
• What is fuzzing?
• Mutation based (dumb) fuzzing
• Instrumented fuzzing
• Generation based (smart) fuzzing
• Fuzzing web application
• What is the future of fuzzing?
BEFORE WE START…
WHO AM I?
• Security engineer in Intive (Wroclaw)
• Former developer of advanced fuzzing module in Spirent’s CyberFlood device
• Contributor in OWASP MSTG (Mobile Security Testing Guide)
• Supporter of Wroclaw OWASP meetings
WHAT FUZZING REALLY IS?
“Fuzzing is a method for discovering faults in software by providing unexpected input and monitoring for exceptions.”
— “Fuzzing: Brute Force Vulnerability Discovery”
IN OTHER WORDS…
A child noticed an unwatched dad’s phone…
A child has found a chain of instructions to crash a phone.
HISTORY OF FUZZING
In 1988 Professor Barton Miller from the University of Wisconsin observed that, when he was logged in over a modem during a storm, line noise generated a lot of junk characters and those characters caused programs to crash.
MUTATION / BRUTEFORCE / DUMB FUZZING
[diagram] sample data → mutations (bitflipping, byteflipping, chunkspew, …) → fuzzed data → program input
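The three mutation operators in the diagram, as an added example rather than Radamsa's own code: a minimal dumb fuzzer in Python that mutates a sample and runs each mutant against a toy parser. The `parse_record` target, its record format and its two bugs are constructed for this illustration.

```python
# Minimal mutation-based ("dumb") fuzzer: an added example, not Radamsa's code.
# It applies the slide's operators (bit flip, byte flip, chunk spew) to a valid
# sample; the target is a constructed toy parser with two real bugs (runs offline).
import random
import struct
def bitflip(data: bytes, rng: random.Random) -> bytes:
    """Flip one random bit."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return bytes(buf)
def byteflip(data: bytes, rng: random.Random) -> bytes:
    """Overwrite one random byte with a random value."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)
def chunkspew(data: bytes, rng: random.Random) -> bytes:
    """Repeat a random chunk and splice it in at a random offset (grows the input)."""
    start = rng.randrange(len(data))
    end = rng.randrange(start + 1, len(data) + 1)
    pos = rng.randrange(len(data) + 1)
    return data[:pos] + data[start:end] * rng.randrange(1, 8) + data[pos:]
def mutate(sample: bytes, rng: random.Random, max_rounds: int = 3) -> bytes:
    """Stack 1..max_rounds random mutations, as radamsa does per output file."""
    data = sample
    for _ in range(rng.randrange(1, max_rounds + 1)):
        data = rng.choice((bitflip, byteflip, chunkspew))(data, rng)
    return data
def parse_record(data: bytes) -> int:
    """Constructed target: <u16 length><payload><u32 trailer>. ValueError is its
    handled reject path. Bugs: it trusts the length field, so n == 0 divides by
    zero and an overlong n makes the trailer unpack raise struct.error."""
    if len(data) < 6:
        raise ValueError("too short")
    (n,) = struct.unpack(">H", data[:2])
    avg = sum(data[2:2 + n]) // n
    (trailer,) = struct.unpack(">I", data[2 + n:2 + n + 4])
    return avg ^ trailer
def fuzz(sample: bytes, iterations: int, seed: int = 1) -> dict:
    """Map each unhandled exception type to the first mutant that raised it."""
    rng, crashes = random.Random(seed), {}
    for _ in range(iterations):
        case = mutate(sample, rng)
        try:
            parse_record(case)
        except ValueError:
            continue                     # rejected cleanly: not a bug
        except Exception as exc:         # anything unhandled is a crash to triage
            crashes.setdefault(f"{type(exc).__module__}.{type(exc).__name__}", case)
    return crashes
SAMPLE = struct.pack(">H", 4) + b"\x01\x02\x03\x04" + struct.pack(">I", 0xDEADBEEF)
```

Each crash bucket keeps only its first reproducer, which is the history of generated input the summary slide asks a fuzzer to maintain.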
MUTATION IN PRACTICE
more about Radamsa: https://github.com/aoh/radamsa
LET’S FUZZ - DUMB FUZZING
Testing robustness of Android AV to APK bombs
Target: Android AV winner at av-test.org (July 2016)
CREATING SAMPLE DATA
• Create fuzzed data from sample:
$> radamsa -o fuzz_sample_%n.apk -n 3000 com.appsec.appuse.apk
• Move fuzzed data to SD card
$> for i in {1..3000}; do adb push fuzz_sample_$i.apk /sdcard/Download; done
• Capture logs
$> adb logcat -v long > logs.txt
DUMB FUZZING - V3 AV
DUMB FUZZING - WHY NOT PERFECT?
if (VERY_RARE_CONDITION) {
    // vulnerable code
} else {
    …
}
Random mutations of a sample almost never satisfy a rare condition, so the vulnerable branch is practically never reached.
DUMB FUZZING - TCPDUMP
$> radamsa -o fuzz_sample_%n.pcap -n 3000 small_capture.pcap
$> for i in {1..3000}; do tcpdump -nr fuzz_sample_$i.pcap >> radamsa_pcap.logs; done
LET’S FUZZ - INSTRUMENTED FUZZING
• Generates samples which cover subsets of all code paths
• Requires a dedicated compiler, which instruments the binary so the fuzzer can see which code paths each input reaches
• Much more effective
• Let’s take a closer look at American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/)
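What coverage feedback buys over the VERY_RARE_CONDITION case above, as an added example that is not AFL's code: a toy coverage-guided loop in Python with simulated instrumentation, next to a blind variant for contrast. The `target`, its `PCAP` magic and the simulated crash are constructed for this illustration.

```python
# Toy coverage-guided fuzzer in the spirit of AFL: an added example, not AFL's code.
# Instrumentation is simulated: the constructed target records each branch it takes,
# as afl-gcc's probes do via a shared bitmap. A mutant joins the corpus only when it
# reaches a new branch, so the 4-byte VERY_RARE_CONDITION is solved byte by byte.
import random
MAGIC = b"PCAP"   # constructed: the rare condition guarding the buggy path
def target(data: bytes, cov: set) -> None:
    """Constructed target; cov collects branch ids (the simulated instrumentation)."""
    for i, want in enumerate(MAGIC):
        if i >= len(data) or data[i] != want:
            cov.add(("mismatch", i))
            return
        cov.add(("match", i))
    if len(data) > 8:                 # reachable only once the whole magic matches
        raise RuntimeError("simulated crash: length unchecked after magic")
def run(data: bytes):
    """Execute once; return (branches reached, crashed?)."""
    cov = set()
    try:
        target(data, cov)
    except RuntimeError:
        return cov, True
    return cov, False
def mutate(data: bytes, rng: random.Random) -> bytes:
    buf, op = bytearray(data), rng.randrange(4)
    if op == 0:                                   # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op in (1, 2):                            # set one byte to a random value
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    else:                                         # grow by repeating a tail
        buf += buf[rng.randrange(len(buf)):]
    return bytes(buf)
def blind_fuzz(seed_input: bytes, iters: int, seed: int = 7):
    """Dumb fuzzing for contrast: every mutant derives from the original sample."""
    rng = random.Random(seed)
    cases = (mutate(seed_input, rng) for _ in range(iters))
    return next((c for c in cases if run(c)[1]), None)
def guided_fuzz(seed_input: bytes, max_iters: int, seed: int = 7):
    """AFL-style loop: (crashing input or None, iterations used, corpus size)."""
    rng, corpus, seen = random.Random(seed), [seed_input], run(seed_input)[0]
    for it in range(1, max_iters + 1):
        parent = corpus[-1] if rng.random() < 0.5 else rng.choice(corpus)
        case = mutate(parent, rng)
        cov, crashed = run(case)
        if crashed:
            return case, it, len(corpus)
        if not cov <= seen:                       # new branch: keep as a new seed
            seen |= cov
            corpus.append(case)
    return None, max_iters, len(corpus)
```

The blind loop can never match four bytes in one mutation, while the guided loop adds one seed per matched byte before reaching the crash.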
INSTRUMENTED FUZZING - PREPARATIONS
• Compile sources with afl-gcc/afl-g++
$> CC=/path_to_AFL/afl-gcc ./configure
$> make
• Prepare a valid sample (ideally smaller than 100 KB)
• Create folders for input, output and (optionally) garbage, e.g.
INSTRUMENTED FUZZING IN PRACTICE
$> /path_to_AFL/afl-fuzz -i ./fuzz-input/ -o ./fuzz-output/ tcpdump-4.6.2/tcpdump -nr @@
COOL STORY BRO, BUT MY PROGRAM ISN’T WRITTEN IN C…
• AFL is so good that the community has created many implementations of AFL supporting other languages/environments. Just check it out here: https://github.com/mirrorer/afl/blob/master/docs/sister_projects.txt
• Still doesn’t suit your needs? Then write your own fuzzer!
HOW TO FUZZ NETWORK PROTOCOLS?
- Will it work???
$> while true; do cat /dev/urandom | nc -vv ftp.hq.nasa.gov 21; done
FAIL
LIMITATIONS OF DUMB FUZZING
• (1) Field types are not respected
• (2) Fixups (checksum, length etc.) are not recomputed
• (3) Relationships between fields are not preserved
• (4) Program states are not modelled
GENERATION BASED FUZZING - CREATING A MODEL (1)
• Fuzzing frameworks like Peach or Sulley require modelling each portion of data
Peach: http://peachfuzzer.com/resources/peachcommunity
• With DataModels, you can create different states
• You can also define a monitor for the tested process
• Finally, put all defined parts in a Test
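The fixups and relationships that dumb fuzzing breaks (limitations 2 and 3 above) and the model-based alternative this slide describes, as an added example that is not Peach's or Sulley's code: a Python model of a constructed `<u8 type><u16 length><payload><u32 crc32>` protocol whose generator recomputes length and checksum after every payload mutation. The protocol, the `PAYLOAD_STRATEGIES` and the strict `parse` receiver are all constructed for this illustration.

```python
# Generation-based ("smart") fuzzing in miniature: an added example, not Peach or
# Sulley code. The model stands in for a Peach DataModel of a constructed protocol
# <u8 type><u16 length><payload><u32 crc32>. `length` and `crc32` are fixups: they
# are recomputed after the payload is fuzzed, so every mutant passes the receiver's
# framing checks and reaches the payload handler instead of being rejected.
import random
import struct
import zlib
def build(msg_type: int, payload: bytes) -> bytes:
    """Serialise the model, applying the length and checksum fixups."""
    body = struct.pack(">BH", msg_type, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body))

def parse(frame: bytes):
    """Strict receiver: ValueError on bad framing, otherwise (type, payload)."""
    if len(frame) < 7:
        raise ValueError("truncated")
    msg_type, length = struct.unpack(">BH", frame[:3])
    if len(frame) != 3 + length + 4:
        raise ValueError("length mismatch")
    if zlib.crc32(frame[:-4]) != struct.unpack(">I", frame[-4:])[0]:
        raise ValueError("bad checksum")
    return msg_type, frame[3:3 + length]

def accepted(frame: bytes) -> bool:
    """True if the receiver gets past framing to the payload handler."""
    try:
        parse(frame)
        return True
    except ValueError:
        return False
# Payload strategies: the counterpart of Peach's mutators on a Blob/String field.
PAYLOAD_STRATEGIES = (
    lambda p, rng: p + bytes([rng.randrange(256)]) * rng.choice((1, 255, 4096)),  # overlong
    lambda p, rng: b"",                                                              # empty
    lambda p, rng: bytes(rng.randrange(256) for _ in p),                             # random bytes
    lambda p, rng: bytes(b ^ 0xFF for b in p),                                       # inverted
    lambda p, rng: p.replace(b" ", b"%00"),                                          # encoding trick
)
def generate(msg_type: int, payload: bytes, count: int, seed: int = 3):
    """Yield `count` model-based mutants; each one is a correctly framed message."""
    rng = random.Random(seed)
    for _ in range(count):
        yield build(msg_type, rng.choice(PAYLOAD_STRATEGIES)(payload, rng))
def dumb_mutant(frame: bytes) -> bytes:
    """Contrast: flip one payload bit in the serialised frame with no fixups applied."""
    buf = bytearray(frame)
    buf[3] ^= 0x01
    return bytes(buf)
```

The dumb mutant is dropped at the checksum check before any payload code runs, which is exactly why the raw `/dev/urandom` approach on the FTP slide fails.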
SMART FUZZING WITH PEACH
$> sudo mono Peach.exe --debug ./samples/ftp.xml
HOMEWORK
• Fuzz a “Vulnserver”. Download from: http://sites.google.com/site/lupingreycorner/vulnserver.zip
• Write a Peach model. Refer to this tutorial: http://resources.infosecinstitute.com/fuzzing-vulnserver-with-peach-part-2/
FUZZING WEB APPLICATION
• Locate an input you want to fuzz
• Intercept the request (e.g. Burp Suite/OWASP Zap)
• Define which parameter should be fuzzed
• Select a dictionary with invalid input
More sample dictionaries: https://github.com/fuzzdb-project/fuzzdb
• Find errors!
ANALYSING THE CRASH
• Every crash can be treated as a pure DoS attack
• Not every crash can be exploited :(
• Depending on OS, use different tools to analyse a crash:
- Microsoft !exploitable Crash Analyser (Windows)
- CERT GDB exploitable plugin (Linux)
- Apple Crash Wrangler Monitor (OSX)
WHY IS IT WORTH FUZZING?
• High return on investment - machine time is cheap and human time is expensive
• The human role is just to customize a fuzzer to your needs and… profit!
WHAT CAN YOU FUZZ?
• Literally every piece of software which accepts user input
• All kinds of apps (mobile, desktop, web, etc.)
• OS -> https://vimeo.com/129701495
• Online games -> http://bit.ly/2e0w2YO
• Bluetooth -> http://bit.ly/2dQfPqM
• HDMI -> http://bit.ly/2e0ynmA
• Fonts -> http://bit.ly/293DKE0
• Virtualization systems -> http://bit.ly/2ernSfs
…and much more!
WHAT CAN FUZZERS FIND?
• Buffer overruns (remote code execution)
• Deadlocks, thread hangs, unhandled exceptions (denial-of-service)
• Memory leaks (Heartbleed)
WHAT’S NEXT? IMPLEMENT FUZZING IN SDLC
FUZZING AND OTHER TESTING METHODS
• Fuzzing can find some types of bugs, but not all of them
• That means fuzzing should be treated as an ADDITIONAL method in your security tests
You still need static analysis, vulnerability assessment and penetration tests!!!
FUTURE OF FUZZING
• Fuzzing as a service: project Springfield (https://www.microsoft.com/en-us/springfield)
• That reminds me of the DARPA Cyber Grand Challenge bots: symbolic execution (e.g. angr) + directed fuzzing (e.g. AFL)
SUMMARY
• A fuzzer should contain: an input generator, a history of generated input and a process monitor
• Fuzzing discovers bugs by providing invalid input
• There are 2 main types of fuzzers:
- generation based (requires sample definition)
- mutation based (mutates a valid sample)
• Any software can be fuzzed, so always remember this method!
THANK YOU!
Contact me:
pawel.rzepa@owasp.org
