(This presentation was shown as a support while giving some demos at BlackHat Arsenal 2014 in Las Vegas https://www.blackhat.com/us-14/arsenal.html#Hernandez)
Melkor is a hybrid fuzzer (mutation-based and generation-based). It mutates the existing data in an ELF sample given to create orcs (malformed ELFs), however, it doesn't change values randomly (dumb fuzzing), instead, it fuzzes certain metadata with semi-valid values through the use of fuzzing rules (knowledge base). Written in C, Melkor is a very intuitive and easy-to-use fuzzer to find functional (and security) bugs in ELF parsers.
Symbolic Execution of Malicious Software: Countering Sandbox Evasion TechniquesFabio Rosato
Slides for the thesis defense for the M.Sc. in Engineering in Computer Science at the Sapienza University of Rome (a.y. 2016-17).
Related project repo: https://github.com/fabros/angr-antievasion
The LLDB Debugger in FreeBSD by Ed Masteeurobsdcon
Abstract
LLDB is a modern, high-performance debugger in the LLVM family of projects, and is built as a modular and reusable set of components on top of the Clang/LLVM foundation. It was originally developed for Mac OS X, but now supports FreeBSD and Linux as well, with ongoing work for Windows support.
This presentation will provide an overview of the design of LLDB, compare it with the existing GNU debugger in the FreeBSD base system, and present the path to importing LLDB as FreeBSD's debugger.
Speaker bio
Ed Maste manages project development for the FreeBSD Foundation and works in an engineering support role with Robert Watson's research group at the University of Cambridge Computer Laboratory. He has been a FreeBSD committer since 2005.
Snapshots, Replication, and Boot-Environments by Kris Moore eurobsdcon
Abstract
In early 2013 the PC-BSD project decided to re-focus and fully embrace ZFS as its default and only file-system for both desktop and server deployments. This decision immediately spawned development of a new class of tools and utilities which assist users in unlocking the vast potential that ZFS brings to their system. In this talk we will take a look at ZFS Boot-Environments and the new Life-Preserver utility which assists users in ZFS management, including snapshots, replication, mirroring, bare-metal restores and more.
Speaker bio
Kris Moore is the founder and lead developer of the PC-BSD project. He is also the co-host of the popular BSDNow video podcast. When not at home programming, he travels around the world giving talks and tutorials on various BSD related topics at Linux and BSD conferences alike. He currently lives in Tennessee (USA) with his wife and five children and enjoys playing bass guitar / video gaming in his (very limited) spare time.
Brain Waves Surfing - (In)security in EEG (Electroencephalography) TechnologiesAlejandro Hernández
Electroencephalography (EEG) is a non-invasive method for the recording and the study of electrical activity of the brain taken from the scalp. The source of these brain signals is mostly the synapic activity between brain cells (neurons). EEG activity is represented by different waveforms per second (frequencies) that can be used to diagnose or monitor different health conditions such as epilepsy, sleeping disorders, seizures, Alzheimer disease, among other clinical uses. On the other hand, brain signals are used for many other research and entertainment purposes, such as neurofeedback, arts and neurogaming. Nowadays, this technology is being adopted more and more in different industries.
A brief introduction of BCIs (Brain-Computer Interfaces) and EEG will be given in order to understand the risks involved in our brain signals processing, storage and transmission.
Live demos include the visualization of live brain activity, the sniffing of brain signals over TCP/IP as well as flaws in well-known EEG applications when dealing with some corrupted samples of the most widely used EEG file formats (e.g. EDF). These demos are a first approach to demonstrate that many EEG technologies are prone to common network and application attacks.
Finally, best practices and regulatory compliance on digital EEG will be discussed.
Symbolic Execution of Malicious Software: Countering Sandbox Evasion TechniquesFabio Rosato
Slides for the thesis defense for the M.Sc. in Engineering in Computer Science at the Sapienza University of Rome (a.y. 2016-17).
Related project repo: https://github.com/fabros/angr-antievasion
The LLDB Debugger in FreeBSD by Ed Masteeurobsdcon
Abstract
LLDB is a modern, high-performance debugger in the LLVM family of projects, and is built as a modular and reusable set of components on top of the Clang/LLVM foundation. It was originally developed for Mac OS X, but now supports FreeBSD and Linux as well, with ongoing work for Windows support.
This presentation will provide an overview of the design of LLDB, compare it with the existing GNU debugger in the FreeBSD base system, and present the path to importing LLDB as FreeBSD's debugger.
Speaker bio
Ed Maste manages project development for the FreeBSD Foundation and works in an engineering support role with Robert Watson's research group at the University of Cambridge Computer Laboratory. He has been a FreeBSD committer since 2005.
Snapshots, Replication, and Boot-Environments by Kris Moore eurobsdcon
Abstract
In early 2013 the PC-BSD project decided to re-focus and fully embrace ZFS as its default and only file-system for both desktop and server deployments. This decision immediately spawned development of a new class of tools and utilities which assist users in unlocking the vast potential that ZFS brings to their system. In this talk we will take a look at ZFS Boot-Environments and the new Life-Preserver utility which assists users in ZFS management, including snapshots, replication, mirroring, bare-metal restores and more.
Speaker bio
Kris Moore is the founder and lead developer of the PC-BSD project. He is also the co-host of the popular BSDNow video podcast. When not at home programming, he travels around the world giving talks and tutorials on various BSD related topics at Linux and BSD conferences alike. He currently lives in Tennessee (USA) with his wife and five children and enjoys playing bass guitar / video gaming in his (very limited) spare time.
Brain Waves Surfing - (In)security in EEG (Electroencephalography) TechnologiesAlejandro Hernández
Electroencephalography (EEG) is a non-invasive method for the recording and the study of electrical activity of the brain taken from the scalp. The source of these brain signals is mostly the synapic activity between brain cells (neurons). EEG activity is represented by different waveforms per second (frequencies) that can be used to diagnose or monitor different health conditions such as epilepsy, sleeping disorders, seizures, Alzheimer disease, among other clinical uses. On the other hand, brain signals are used for many other research and entertainment purposes, such as neurofeedback, arts and neurogaming. Nowadays, this technology is being adopted more and more in different industries.
A brief introduction of BCIs (Brain-Computer Interfaces) and EEG will be given in order to understand the risks involved in our brain signals processing, storage and transmission.
Live demos include the visualization of live brain activity, the sniffing of brain signals over TCP/IP as well as flaws in well-known EEG applications when dealing with some corrupted samples of the most widely used EEG file formats (e.g. EDF). These demos are a first approach to demonstrate that many EEG technologies are prone to common network and application attacks.
Finally, best practices and regulatory compliance on digital EEG will be discussed.
Erlang Developments: The Good, The Bad and The Uglyenriquepazperez
A bunch of personal views about the main characteristics of Erlang, including myths and rumors.
A quick overview about what has lately been improved in the three areas.
FISL XIV - The ELF File Format and the Linux LoaderJohn Tortugo
These are the slides used in a lecture I gave in the XIV International Board on Free Software. In this lecture I gave a brief overview of the ELF specification (the ELF specification is a document describing the format of executable, shared libraries and relocatable objects files used in Linux and many others operating systems) and the Linux dynamic loader (which is a program that acts together with the OS to create and initialize a program address space among others tasks).
This talk is about architecture and programming of the Epiphany processor on the Parallella board, discussing step-by-step how to improve and optimize software kernels on such distributed DSP systems. It was held at the "Softwarekonferenz für Parallel Programming, Concurrency
und Multicore-Systeme" in Karlsruhe/Germany 2014.
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
Slides from my ROOTCON12 training. This material contains an introduction to stack-based buffer overflow. This is also helpful for those who are doing OSCP and wanted to learn exploit development.
Tips And Tricks For Bioinformatics Software Engineeringjtdudley
This is a talk I've given twice at Stanford recently. It's essentially a brain dump of my thoughts on being a Bioinformatician with lots of links to useful tools.
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
Our technology, work processes, and activities all are depend based on Operation Systems to be safe and secure. Join us virtually for our upcoming "The Hacking Games - Operation System Vulnerabilities" Meetup to learn how hacker can compromise Operation System, bypass AntiVirus protection layer and exploiting Linux eBPF.
Capture the Flag (CTF) are information security challenges. They are fun, but they also provide a opportunity to practise for real-world security challenges.
In this talk we present the concept of CTF. We focus on some tools used by our team, which can also be used to solve real-world problems.
Elm: frontend code without runtime exceptionsPietro Grandi
As the market started asking for more complex web-applications, the limits of a dynamic, loosely typed language like Javascript forced the developers to look for solutions like Flow and Typescript. Elm is a functional language which compiles to Javascript. It is strongly typed, has an ML syntax, and a small, yet skilled and growing, community.
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraNelson Brito
Understanding reverse engineer using MS08-078. This presentation is an updated version of a previous series of presentations, which shows a practical methodology to perform a reverse engineering... The approach can be broader applied to any/most of the vulnerabilities targeting client-side applications.
For further details and informations, please, refer to:
- http://www.vimeo.com/nbrito
- https://www.slideshare.net/nbrito01/inception-support-slides
Tips y Experiencias de un Consultor en Seguridad Informática - Campus Party C...Alejandro Hernández
En esta charla compartirá con el público interesado tips que le han funcionado personalmente sobre cómo comenzar una carrera, qué estudiar, qué hacer y qué no hacer como consultor en la industria de la seguridad informática.
Por otro lado, compartirá experiencias (buenas, graciosas, raras y malas) que ha vivido a lo largo de sus últimos cinco años de carrera profesional en la industria, mostrando los pros y contras de trabajar como consultor en esta industria.
More Related Content
Similar to In the lands of corrupted elves - Breaking ELF software with Melkor fuzzer
Erlang Developments: The Good, The Bad and The Uglyenriquepazperez
A bunch of personal views about the main characteristics of Erlang, including myths and rumors.
A quick overview about what has lately been improved in the three areas.
FISL XIV - The ELF File Format and the Linux LoaderJohn Tortugo
These are the slides used in a lecture I gave in the XIV International Board on Free Software. In this lecture I gave a brief overview of the ELF specification (the ELF specification is a document describing the format of executable, shared libraries and relocatable objects files used in Linux and many others operating systems) and the Linux dynamic loader (which is a program that acts together with the OS to create and initialize a program address space among others tasks).
This talk is about architecture and programming of the Epiphany processor on the Parallella board, discussing step-by-step how to improve and optimize software kernels on such distributed DSP systems. It was held at the "Softwarekonferenz für Parallel Programming, Concurrency
und Multicore-Systeme" in Karlsruhe/Germany 2014.
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
Slides from my ROOTCON12 training. This material contains an introduction to stack-based buffer overflow. This is also helpful for those who are doing OSCP and wanted to learn exploit development.
Tips And Tricks For Bioinformatics Software Engineeringjtdudley
This is a talk I've given twice at Stanford recently. It's essentially a brain dump of my thoughts on being a Bioinformatician with lots of links to useful tools.
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
Our technology, work processes, and activities all are depend based on Operation Systems to be safe and secure. Join us virtually for our upcoming "The Hacking Games - Operation System Vulnerabilities" Meetup to learn how hacker can compromise Operation System, bypass AntiVirus protection layer and exploiting Linux eBPF.
Capture the Flag (CTF) are information security challenges. They are fun, but they also provide a opportunity to practise for real-world security challenges.
In this talk we present the concept of CTF. We focus on some tools used by our team, which can also be used to solve real-world problems.
Elm: frontend code without runtime exceptionsPietro Grandi
As the market started asking for more complex web-applications, the limits of a dynamic, loosely typed language like Javascript forced the developers to look for solutions like Flow and Typescript. Elm is a functional language which compiles to Javascript. It is strongly typed, has an ML syntax, and a small, yet skilled and growing, community.
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraNelson Brito
Understanding reverse engineer using MS08-078. This presentation is an updated version of a previous series of presentations, which shows a practical methodology to perform a reverse engineering... The approach can be broader applied to any/most of the vulnerabilities targeting client-side applications.
For further details and informations, please, refer to:
- http://www.vimeo.com/nbrito
- https://www.slideshare.net/nbrito01/inception-support-slides
Similar to In the lands of corrupted elves - Breaking ELF software with Melkor fuzzer (20)
Tips y Experiencias de un Consultor en Seguridad Informática - Campus Party C...Alejandro Hernández
En esta charla compartirá con el público interesado tips que le han funcionado personalmente sobre cómo comenzar una carrera, qué estudiar, qué hacer y qué no hacer como consultor en la industria de la seguridad informática.
Por otro lado, compartirá experiencias (buenas, graciosas, raras y malas) que ha vivido a lo largo de sus últimos cinco años de carrera profesional en la industria, mostrando los pros y contras de trabajar como consultor en esta industria.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
How Recreation Management Software Can Streamline Your Operations.pptxwottaspaceseo
Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Mind IT Systems
Healthcare providers often struggle with the complexities of chronic conditions and remote patient monitoring, as each patient requires personalized care and ongoing monitoring. Off-the-shelf solutions may not meet these diverse needs, leading to inefficiencies and gaps in care. It’s here, custom healthcare software offers a tailored solution, ensuring improved care and effectiveness.
Cyaniclab : Software Development Agency Portfolio.pdfCyanic lab
CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
Software Engineering, Software Consulting, Tech Lead.
Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security,
Spring Transaction, Spring MVC,
Log4j, REST/SOAP WEB-SERVICES.
Navigating the Metaverse: A Journey into Virtual Evolution"Donna Lenk
Join us for an exploration of the Metaverse's evolution, where innovation meets imagination. Discover new dimensions of virtual events, engage with thought-provoking discussions, and witness the transformative power of digital realms."
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
Accelerate Enterprise Software Engineering with PlatformlessWSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTier1 app
Even though at surface level ‘java.lang.OutOfMemoryError’ appears as one single error; underlyingly there are 9 types of OutOfMemoryError. Each type of OutOfMemoryError has different causes, diagnosis approaches and solutions. This session equips you with the knowledge, tools, and techniques needed to troubleshoot and conquer OutOfMemoryError in all its forms, ensuring smoother, more efficient Java applications.
Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here are a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics.
To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfJay Das
With the advent of artificial intelligence or AI tools, project management processes are undergoing a transformative shift. By using tools like ChatGPT, and Bard organizations can empower their leaders and managers to plan, execute, and monitor projects more effectively.
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Anthony Dahanne
Les Buildpacks existent depuis plus de 10 ans ! D’abord, ils étaient utilisés pour détecter et construire une application avant de la déployer sur certains PaaS. Ensuite, nous avons pu créer des images Docker (OCI) avec leur dernière génération, les Cloud Native Buildpacks (CNCF en incubation). Sont-ils une bonne alternative au Dockerfile ? Que sont les buildpacks Paketo ? Quelles communautés les soutiennent et comment ?
Venez le découvrir lors de cette session ignite
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
In the lands of corrupted elves - Breaking ELF software with Melkor fuzzer
1. 1
In the lands of corrupted elves:
Breaking ELF software with Melkor fuzzer
Alejandro Hernández
IOActive
2. About me
Senior Security Consultant [IOActive.com]
ELF, C programming & fuzzing enthusiast
Passionate about security. ~11 years now.
From Chiapas, Mexico
'~~~-,
'-,_
/ `~'~'' M E X I C O
_ /~
__
.
`~~
' . /
/ |
_ | _.----,
| ! /
'._ _ __/ _/
_ ''--'' __/
.__ |
''.__ __.._ o<-_---- here !
'' './ `
http://www.brainoverflow.org
@nitr0usmx2
3. Agenda
The ELF file format
ELF parsing
Who’s is parsing?
Security risks in ELF parsing
Discovered vulnerabilities in the past
ELF parsing (mistakes) nowadays
ELF Fuzzing
Smart vs dumb
Code / branch coverage
ELF metadata dependencies
Cont.
3
4. Agenda (Cont.)
Melkor – an ELF file format fuzzer
Who’s Melkor
Design & Implementation
Fuzzing rules
ELF metadata dependencies
Generators and test data
Usage
Logging
Download
Breaking Fuzzing ELF software
DEMOS
Conclusions
4
5. The ELF file format
Executable and Linkable Format
In 1999 was chosen as the standard binary
file format for Unix and Unix-like systems
on x86
Adopted by many OS on many different
platforms
Executables, relocatable objects (.o),
shared libraries (.so) and core dumps.
5
12. The ELF file format
Relationships between metadata
Example:
12
SHT_REL
strtab_section
symtab_section
sh_link
sh_link
1
2
sh_offset
Section Header Table
13. The ELF file format
Relationships between metadata
Example:
13
14. ELF parsing
Who’s is parsing?
OS kernels
Thoroughly audited over the years
Debuggers
gdb
IDA Pro
Etc.
Reverse Engineering frameworks
ERESI
radare2
Etc.
OS utilities
binutils
#apt-cache search ELF14
15. ELF parsing
Who’s is parsing?
Malware
Antivirus engines?
Sophail by Tavis Ormandy [6]
15
17. ELF parsing
Security risks in ELF parsing
Memory corruption / Buffer overflows
Out of bounds array indexes or offsets
Loops copying data more times than
expected
Invalid memory dereferences
Out of bounds array indexes or offsets
Crashes / DoS
Arithmetic / Integer wrap-arounds
Calculations with user-controlled data
nElements * elementSize
nElements * sizeof()
totalSize / elementSize
arrayIndex * sizeof()17
18. ELF parsing
Security risks in ELF parsing
Memory corruption / Buffer overflows
Might lead to code execution
Undefined behaviors
Crashes / DoS
In the debugger / reversing tool
Anti-reversing technique
Binaries harder to debug
Protection against malware infections
Malware has parsers too
OS kernel panic()’s
18
19. ELF parsing
Security risks in ELF parsing
Most data types are unsigned ints. Two of
them are signed ints (/usr/include/elf.h):
typedef int32_t Elf32_Sword;
typedef int32_t Elf64_Sword;
typedef int64_t Elf32_Sxword;
typedef int64_t Elf64_Sxword;
r_addend (Relocations)
d_tag (Dynamic information)
Harder to trigger integer overflows
However, when assigning values to
local signed variables, signedness
bugs might exist [1]
19
20. ELF parsing
Discovered vulnerabilities in the past
ELF, unlike PE (Portable Executable),
has been less audited
Mostly found doing manual testing
Code review + Binary modification
Google dork: “site:securityfocus.com +ELF”
20
24. ELF parsing
Discovered vulnerabilities in the past
Invalid pointer dereference in gdb (reported but still
unpatched) used as an anti-debugging technique [4]
24
25. ELF parsing
Discovered vulnerabilities in the past
Invalid pointer dereference in IDA Pro (patched) used
as an anti-debugging technique [4]
25
26. ELF parsing
ELF parsing nowadays
~15 years later (adopted in 1999)
Most ELF analysis tools rely on the SHT
(Section Header Table)
The following bugs have been found with
Melkor
26
27. ELF parsing
ELF parsing (mistakes) nowadays
*still* blindly trust in the input:
Offsets
Indexes
Sizes (total_size / struct_size)
Addresses
Debugging information (DWARF)
Not part of ELF but it’s very related
27
28. ELF parsing
ELF parsing (mistakes) nowadays
“The most common mistake applied by a
programmer is in trusting a field inside a
binary structure that should not be trusted.
“When dealing with sections that must have
subsections, knowing ahead of time how many
sections are embedded within the primary
section of a structure is required and again,
a value must be used to instruct the
application only to iterate x number of
times.” [7]
28
29. ELF parsing
ELF parsing (mistakes) nowadays
Example of a dummy program that executes the
for() loop based on e_shnum and size/entsize:
29
for(k = 0; k < hdr->e_shnum; k++, shdr++){
if(shdr->sh_type != SHT_SYMTAB && shdr->sh_type != SHT_DYNSYM)
continue;
...
nsyms = shdr->sh_size / shdr->sh_entsize;
sym = (Elf64_Sym *) (mem + shdr->sh_offset);
...
for(l = 0; l < nsyms; l++, sym++)
if(ELF64_ST_TYPE(sym->st_info) != STT_SECTION)
printf(“[%2d] %sn", mem + strtab + sym->st_name);
}
33. ELF parsing
ELF parsing (mistakes) nowadays
Some trust in sizeof(*user_input), some
others prefer sizeof(Elfx_DataType) and
some others perform validations:
if(sizeof(*x) != sizeof(dataType))
return ERROR;
33
34. ELF parsing
ELF parsing (mistakes) nowadays
Some do not validate the number of
elements before allocate memory:
Allocate less memory space than needed
Buffer overflows
Memory exhaustion
malloc(nElems_user_input * sizeof(Elfx_Struct));
malloc(nElems_user_input * sizeof(*user_input));
calloc(nElems_user_input , sizeof(Elfx_Struct));
34
35. ELF parsing
ELF parsing (mistakes) nowadays
Process memory exhaustion:
35
(Found with Melkor fuzzer.)
37. ELF parsing
ELF parsing (mistakes) nowadays
More loops based on sh_size/sh_entsize running
more times than expected. (sh_size = 0xbad0c0de):
Temporary DoS (CPU usage) in HT Editor:
The application was killed by the OS
after ~19 secs.
37
(Found with Melkor fuzzer.)
39. ELF parsing
ELF parsing (mistakes) nowadays
A common low-hanging fruit crash is through
e_shstrndx in the ELF header. It holds a string
table index within the Section Header Table:
39
(Found with Melkor fuzzer.)
40. ELF fuzzing
Fuzz testing
Automated approach to create invalid /
semi-valid data to find bugs that would
have often been missed by human eyes
If data is too valid, might not cause
problems
If data is too invalid, might be quickly
rejected [9]
40
Taken from [5]
41. ELF fuzzing
Smart vs dumb fuzzing
Two approaches
Mutation-based fuzzing (dumb)
Takes an input and modifies it randomly
Generation-based fuzzing (smart)
Generates the tests with
specification knowledge
dumb random fuzzing in most cases find
less bugs than smart fuzzing
41
42. ELF fuzzing
Smart vs dumb fuzzing [2]
All paths + all data == infinite problem
Notion of randomness (dumbness) and
specific knowledge (intelligence)
Semi-valid data
42
43. ELF fuzzing
Code / branch coverage [8]
Code coverage is a metric which can be
used to determine how much code has been
executed
Branch coverage measures how many
branches in code have been taken
(conditional jmps)
if( x > 2 )
x = 2;
Specification based test generation
achieves better coverage testing
43
44. ELF fuzzing
Code / branch coverage
Interesting results in [9] show that
more bugs are discovered with higher
coverage:
44
45. ELF fuzzing
ELF metadata dependencies
Some data structures must be fuzzed in
the end or not fuzzed at all for higher
code / branch coverage:
45
3rd level metadata
2nd level
metadata
ELF Header
HDR
SHT
String tables
Relocation Tables,
etc. etc.
PHT Interp
CORRUPTED
Hidden bugs
46. ELF fuzzing
ELF metadata dependencies
In normal circumstances, the following
ELF metadata dependencies exist while
parsing:
46
47. ELF fuzzing
Example: (SmartDec, Native code to C/C++
Decompiler for Windows)
Normal ELF loading
47
48. ELF fuzzing
Example: (SmartDec, Native code to C/C++
Decompiler for Windows)
Trying to load the same ELF with an invalid
e_ident[EI_CLASS] (a header field), it simply
handles the error and doesn’t open:
48
49. ELF fuzzing
Example: (SmartDec, Native code to C/C++
Decompiler for Windows)
However, having an unmodified header, the basic
header validations will be bypassed and internal
bugs are reached:
49
(Found with Melkor fuzzer.)
50. Melkor fuzzer
Who’s Melkor
A fictional character
from J. R. R.
Tolkien's Middle-
earth legendarium
Was the first Dark
Lord and master of
Sauron
50
51. Melkor fuzzer
Who’s Melkor
Mentioned briefly in The Lord of the
Rings and is known for:
"... Melkor had captured a number of ELVES before the Valar
attacked him, and he tortured and corrupted them, breeding
the first Orcs.“
"... Melkor was cunning and more filled with malice than
ever. Seeing the bliss of the ELVES and remembering that it
was for their sake that he was overthrown, Melkor desired
above all things to corrupt them.“
"Orcs...This has been so from the day they were bred by
Melkor from corrupted, tortured and
mutilated ELVES that may also have been
forced to breed with other unnatural abominations
in the dominion of the Dark Powers."
51
52. Melkor fuzzer
Hybrid (Mutation-based / Generation-based)
Mutate existing data in an ELF sample to
create orcs with knowledge of the file
format specification (fuzzing rules)
52
OrcsELF
Melkor fuzzer
66. Melkor fuzzer
Fuzzing rules execution
To iterate through the rules an array of function
pointers is created in every fuzzing module and
initialized with __attribute__((constructor)
66
67. Melkor fuzzer
Fuzzing rules execution
Chances of execution given by the –l (likelihood
parameter, default 10%) is translated to two
variables that’ll be used in ...
67
68. Melkor fuzzer
Fuzzing rules execution
... Conjunction with rand() in the
iteration through the array of pointers
68
69. Melkor fuzzer
Fuzzing rules execution
Some fields are critical and even when
the rule is executed, inside the rule
function the likelihood is decreased.
For example:
69
70. Melkor fuzzer
ELF metadata dependencies
These dependencies should not be
broken if you want to fuzz
deeper levels
70
71. Melkor fuzzer
ELF metadata dependencies
Translating them into specific fields:
71
72. Melkor fuzzer
ELF metadata dependencies
Translating them into specific fields:
72
73. Melkor fuzzer
ELF metadata dependencies
Translating them into specific fields:
73
74. Melkor fuzzer
ELF metadata dependencies
And at code level (Example 1):
74
75. Melkor fuzzer
ELF metadata dependencies
And at code level (Example 2):
75
76. Melkor fuzzer
Generators and test data
Semi-valid test data is used in the
rules
Size fields: common integer bofs values
Offsets / addresses: out of bounds values
Indexes inside strings: common format
strings or non-printable chars
Etc.
76
99. Fuzzing ELF software
DEMOS
Homework: fuzz Melkor fuzzer ;-)
Yes, inception fuzzing
Read BUGS.txt
It could be used as a test subject
99
100. Conclusions
ELF is just another file format where
common parsing mistakes are still used
ELF parsers are not just in the OS
kernels, readelf and objdump. Many new
software are parsing and supporting 32
& 64-bit ELF files
100
101. Conclusions
Fuzzing discover defects that normally
are harder to find in less time than
manual testing
Fuzzing is much better having knowledge
of the semantics (specifications)
A single crash could be an exploitable
security bug or could be used as an
anti-reversing or anti-infection
technique
101
103. References
[1] blexim. (2002). “Basic Integer Overflows”. PHRACK Magazine,
Release 60. Retrieved from http://phrack.org/issues/60/10.htm
[2] DeMott, J., Enbody, R. (Aug 5th, 2006). “The Evolving Art of
Fuzzing”. DEFCON 14. Retrieved from
https://www.defcon.org/images/defcon-14/dc-14-presentations/DC-14-
DeMott.pdf
[3] Dietz, W., Li, P., Regehr, J., and Adve, V. (June 2012).
“Understanding Integer Overflow in C/C++”. Proceedings of the 34th
International Conference on Software Engineering (ICSE), Zurich,
Switzerland. Retrieved from
http://www.cs.utah.edu/~regehr/papers/overflow12.pdf
[4] Hernández, A. (Dec 18th, 2012). “Striking Back GDB and IDA
debuggers through malformed ELF executables”. Retrieved from
http://blog.ioactive.com/2012/12/striking-back-gdb-and-ida-
debuggers.html
103
104. References
[5] Jarkko, L., Rauli, K., and Heikki, K. (2006). “Codenomicon
Robustness Testing - Handling the Infinite Space while breaking
Software”. Retrieved from
http://www.codenomicon.com/resources/whitepapers/code-whitepaper-
2006-06.pdf
[6] Ormandy, T. “Sophail: A Critical Analysis of Sophos Antivirus”.
Retrieved from https://lock.cmpxchg8b.com/sophail.pdf
[7] Padilla, O. (May 12th, 2005). “Analyzing Common Binary Parser
Mistakes”. Uninformed e-zine Vol. 3. Retrieved from
http://uninformed.org/index.cgi?v=3&a=1&t=pdf
[8] Miller, C. (Oct 20th, 2007). “Fuzzing with Code Coverage By
Example”. ToorCon 2007. Retrieved from
http://fuzzinginfo.files.wordpress.com/2012/05/cmiller_toorcon2007.
pdf
104
105. References
[9] Miller, C. (Mar 28th, 2008. “Fuzz By Number: More Data About
Fuzzing Than You Ever Wanted To Know”. CanSecWest 2008.
Retrieved from https://cansecwest.com/csw08/csw08-miller.pdf
[10] TIS Committee. (1995). “Executable and Linking Format (ELF)
Specification v 1.2”. Retrieved from
http://www.uclibc.org/docs/elf.pdf
[11] van Sprundel, I. (Dec 8th, 2005). “Fuzzing: Breaking software
in an automated fashion”. Retrieved from
http://events.ccc.de/congress/2005/fahrplan/attachments/582-
paper_fuzzing.pdf
[12] Wysopal, C., Nelson, L., Zovi, D. D., and Dustin, E. (2007).
“Local Fault Injection” (Ch. 11) in The Art of Software Security
Testing, pp. 201-229. Retrieved from
http://www.securityfocus.com/images/infocus/Wysopal_CH11.pdf
105
106. Special Thanks
To all the researchers / coders from whom
I’ve learned cool ELF stuff and fuzzing:
Silvio Cesare, the ELF shell crew, mayhem,
scut, the grugq, Itzik Kotler, Electronic
Souls, Julien Vanegue, Andrew Griffiths,
dex, beck, Brian Raiter, Rakan El-Khalil,
Jared DeMott, skape, JunkCode, Sebastian
Krahmer, Paul Starzetz, Charlie Miller,
Ilja van Sprundel, Chris Rohlf, aczid,
Rebecca Shapiro, Sergey Bratus and some
others I forgot to mention
... Thanks !
106