This page is the slide transcript of "fuzzing at scale and in style" by Atte Kettunen and miaubiz (ZeroNights 2012). It covers the bugs the two found by fuzzing Chromium and Firefox in 2012, AddressSanitizer output for several crashes, tips for dumb and smarter fuzzing (generating inputs from specifications, keeping test cases reproducible and minimizable), the fuzzing infrastructure they run, and the more than 50 duplicate reports the two filed in 2012.
Your website just went down. As you try to understand what has gone wrong, you quickly realize something is different this time. There's no clear reason why your site should be down, but indeed it is.
This talk is the story of our team's first unprepared fight against a DDoS attack.
How to make a large C++ code base manageable (corehard_by)
My talk will cover how to work with a large C++ code base professionally: how to write code for debuggability, how to work effectively despite long C++ compilation times, how and why to use the STL algorithms, and how and why to keep interfaces clean. It also covers general convenience methods such as wrappers that make code less error-prone (for example ranged integers, listeners, concurrent values), a little about common architecture patterns to avoid (virtual classes) and patterns to encourage (pure functions), and how std::function/lambda functions can be used to make virtual classes copyable.
DevConf 2016
"Development of the PHP 7 branch", Dmitry Stogov (Zend Technologies)
I will talk about the internals of PHP 7.0, the changes being prepared for PHP 7.1, and the plans for PHP 7.2.
Next-generation JavaScript does not need to depend on the browser, just like any other programming language. Node.js is exactly that: no browser needed, built on the fast V8 JavaScript engine, with many APIs for system integration. It can be used on the server side, for system tooling, and more.
syzbot and the tale of a million kernel bugs (Dmitry Vyukov)
The root cause of most software exploits is bugs. Hardening, mitigations and containers are important, but they can't protect a system with thousands of bugs. In this presentation, Dmitry Vyukov will review the current [sad] situation with Linux kernel bugs and its security implications, based on his team's experience testing the kernel for the past 3 years; give an overview of the bug-finding tools they are developing (syzbot, syzkaller, KASAN, KMSAN, KTSAN); and discuss problems and areas that require community help to improve the situation.
How we made PHP 7 twice as fast as PHP 5 / Dmitry Stogov (Zend Technolo... (Ontico)
PHP 7.0 was released a year ago and is already used by many large companies. Almost all of them report that migrating from PHP 5 gave roughly a twofold performance increase on their real workloads, allowing them to cut the number of servers.
I will talk about how we arrived at the ideas underlying PHP 7; about the internals of PHP and the changes in core data structures and algorithms that determined its success; and about new ideas being implemented in versions not yet released.
Talking about the future of Node.js, from Node 7 to Node 10.
NPM 5, N-API, async_hooks, util.promisify().
A big part on the ESM vs CommonJS module loader, and all the problems Node.js is facing in implementing ESM.
Designing a computation and analysis platform for researchers and educators - PyCon KR 2015 (Jeongkyu Shin)
Computer-based computation and analysis are essential to modern scientific research. But when computation and analysis run at large scale, managing computing resources properly and keeping them easy to scale itself takes a lot of resources. We are designing and building a Python 3-based open source platform that standardizes computational and analysis jobs and runs them in the cloud, along with an education/research platform that runs on top of it.
Building a new service for a changing environment is an enjoyable experience and, at the same time, a walk through a minefield of "what", "how" and "why". Deciding "what" to build means thinking, debating, deciding, designing, debating again, and watching the goals change. The "how" mines include the migration from Python 2 to Python 3, conflicts between the Django web framework and front-end frameworks, and deployment scenarios using Amazon EC2 and Docker, all the things that come up while digging. The "why" questions are heavy but unavoidable: "why Python, of all things?" and "why build that kind of service?" are the most important questions, and also the reward, for people who have decided to build something.
We want to share what we learned over the past two months. Specifically, we will talk about the structure of the platform under development, our experience with the design process, and things to watch out for when building a Python 3-based platform, and we hope to also talk about the "driving force" that made us walk the minefield.
PostgreSQL Configuration for Humans / Alvaro Hernandez (OnGres) (Ontico)
HighLoad++ 2017
"Cape Town" hall, November 8, 17:00
Abstract:
http://www.highload.ru/2017/abstracts/3096.html
PostgreSQL is the world’s most advanced open source database. Indeed! With around 270 configuration parameters in postgresql.conf, plus all the knobs in pg_hba.conf, it is definitely ADVANCED!
How many parameters do you tune? 1? 8? 32? Anyone ever tuned more than 64?
No tuning means below par performance. But how to start? Which parameters to tune? What are the appropriate values? Is there a tool --not just an editor like vim or emacs-- to help users manage the 700-line postgresql.conf file?
Join this talk to understand the performance advantages of appropriately tuning your postgresql.conf file, showcase a new free tool to make PostgreSQL configuration possible for HUMANS, and learn the best practices for tuning several relevant postgresql.conf parameters.
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...Yandex
"Lightweight virtualization", also called "OS-level virtualization", is not new. On Linux it evolved from VServer to OpenVZ and, more recently, to Linux Containers (LXC). It is not Linux-specific: on FreeBSD it's called "Jails", while on Solaris it's "Zones". Some of those have been available for a decade and are widely used to provide VPS (Virtual Private Servers), cheaper alternatives to virtual machines or physical servers. But containers have other purposes and are increasingly popular as the core components of public and private Platform-as-a-Service (PAAS), among others.
Just like a virtual machine, a Linux Container can run (almost) anywhere. But containers have many advantages over VMs: they are lightweight and easier to manage. After operating a large-scale PAAS for a few years, dotCloud realized that with those advantages, containers could become the perfect format for software delivery, since that is how dotCloud delivers from their build system to their hosts. To make it happen everywhere, dotCloud open-sourced Docker, the next generation of the containers engine powering its PAAS. Docker has been extremely successful so far, being adopted by many projects in various fields: PAAS, of course, but also continuous integration, testing, and more.
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett... (44CON)
Just like drinking is not a game in Finland, neither is browser bug hunting: it's serious business! Browser bugs have been supporting Atte Kettunen's (@attekett) traditional Finnish way of living since late 2011, and he's going to tell you all about how he has been living the dream of browser bug hunting, focusing on one of the most secure browsers around, Google Chrome!
He'll tell you a tale of his experiences with bounty programs and how those have evolved since he started way back (vendors can show the love too!), and how he's managed to survive in the harsh environment of browser bug hunting. He'll impart some important bug hunting social skills by showing you how and how NOT to step on the other guys' toes; browser bug hunting is a very competitive cottage industry. ;)
Atte is also going to share with you how and why he selected his current target feature (*still full of bugs!), how he built his fuzzer module(s), and the results produced. We'll all walk a mile in a bug hunter's shoes together and take a peek at the tool sets, as well as the infrastructures, that individuals and vendors use to find browser bugs!
Docker Introduction, and what's new in 0.9 - Docker Palo Alto at RelateIQ (Jérôme Petazzoni)
Docker is the open source container engine. This is an introduction to Docker: what it is, how it works, and some material presenting the new features in versions 0.8 and 0.9.
Troubleshooting MySQL from a MySQL Developer Perspective (Marcelo Altmann)
Working as a MySQL developer on the bugs committee exposes you to a variety of bugs, such as server crashes, memory leaks, wrong query results, internal thread deadlocks, and others. In this talk, I will cover some of the techniques we use to troubleshoot MySQL when things are not working as expected.
Some of the topics covered include:
Reproducible test cases
Git Bisect
Stack Traces
GDB
Record and Replay
By the end of this session, attendees will know how to approach the analysis of software that is not working as expected.
Presenter: Max Moroz
An overview of ClusterFuzz, a system that lets you test the Chrome browser for vulnerabilities continuously and get reproducible results for every individual crash. The advantages of using various sanitizers and libFuzzer, a library for guided fuzzing, will be demonstrated. Detailed statistics on the kinds of vulnerabilities found in Chrome will be given. Listeners will learn about the pitfalls of distributed fuzzing, and about how to run their own fuzzers in Google's infrastructure and get rewarded for the vulnerabilities they find.
Three tricks for understanding what's happening inside a .NET Core app running on Linux: perf, lttng and lldb. As an unrelated bonus, the last slides have a brief intro to Google Cloud Platform.
Let's trace Linux Kernel with KGDB @ COSCUP 2021 (Jian-Hong Pan)
https://coscup.org/2021/en/session/39M73K
https://www.youtube.com/watch?v=L_Gyvdl_d_k
Engineers have plenty of debug tools for user-space program development, code tracing, debugging and analysis. Apart from printk, do we have any other debug tools for Linux kernel development? KGDB, described in the Linux kernel documentation, provides another possibility.
The talk shares how to experiment with KGDB in a virtual machine, starting from the simplest environment, and then uses GDB + OpenOCD + JTAG + Raspberry Pi in a real environment as the demo.
Introduction to Docker (as presented at December 2013 Global Hackathon), Jérôme Petazzoni
Not on board of the Docker ship yet? This presentation will get you up to speed, and explain everything you want to know about Linux Containers and Docker, including the new features of the latest 0.7 version (which brings support for all Linux distros and kernels).
[Defcon Russia #29] Boris Savkov - Bare-metal programming using the Raspber... (DefconRussia)
The speaker will show how bare-metal programming can get a Raspberry Pi working with GPIO, memory and Ethernet, and explain who might need this and why.
[Defcon Russia #29] Alexander Ermolov - Safeguarding rootkits: Intel Boot Gua... (DefconRussia)
Intel Boot Guard is a hardware-backed technology for verifying the authenticity of the BIOS, which a computer system vendor can enable at manufacturing time. The speaker will present the results of analyzing the technology and describe its evolution. Listeners will learn how a manufacturing mistake, cloned for years across several vendors, allows a potential attacker to use this very technology to plant a hidden rootkit in the system that cannot be removed (not even with a programmer!). Github: https://github.com/flothrone/bootguard
[Defcon Russia #29] Alexey Tyurin - Spring autobinding (DefconRussia)
Spring MVC has a great feature: autobinding. But if it is used incorrectly, "invisible" vulnerabilities can appear, sometimes with serious impact. We will look at a couple of examples and dig into the details of how autobinding bugs arise. Writeup [ENG]: http://agrrrdog.blogspot.ru/2017/03/autobinding-vulns-and-spring-mvc.html
[Defcon Russia #29] Mikhail Klementyev - Detecting rootkits in GNU/Linux (DefconRussia)
Rootkits in the world of Linux-kernel-based operating systems are no longer a rarity. The talk is about how attempts to determine, under today's conditions, whether a system is compromised led to an unexpected result.
[DCG 25] Alexander Bolshev - Never Trust Your Inputs or How To Fool an ADC (DefconRussia)
We will talk about the general problem of input validation and the quality of input handling. How incoming data is interpreted has a direct effect on the decisions made in physical infrastructure: if any part of the data is handled carelessly, it can affect the efficiency and safety of the process.
In this talk we will discuss attacks on the data-processing pipeline and the nature of the "never trust your inputs" concept in the context of cyber-physical systems (in the broad sense, that is, any such system). To illustrate the problem we use vulnerabilities in analog-to-digital converters (ADCs), which can be made to produce a bogus digital signal by changing the frequency and phase of the incoming analog signal: a scaling error on such a signal can cause an integer overflow and makes it possible to exploit vulnerabilities in PLC/firmware logic. We will also show real examples of exploiting such vulnerabilities and the consequences of these attacks.
Cisco network equipment has always been an attractive attack target due to its prevalence and the key role that it plays in network structure and security.
This equipment is based on a wide variety of OS (firmware) architectures, types, and versions, so it is much harder to develop a universal shellcode. Publicly available Cisco IOS shellcodes are tailored to specific equipment, have narrow functionality, and are not exactly useful for penetration testing.
This talk is the presentation of a research initiated by our research center to create a shellcode which is as easily portable between different IOS firmwares as possible and which provides a lot of pentesting features because it can dynamically change the shellcode destination at the stage of post-exploitation.
We will also consider the possibility of creating a worm which could spread across the infrastructure, from firewall to router, from router to switch, etc.
Andrey Belenko, Alexey Troshichev - Internals and security of iClo... (DefconRussia)
I will explain where and how iCloud Keychain stores passwords and what potential risks this carries. Apple claims the passwords are reliably protected and that even its employees cannot access them. To confirm or refute this, one has to understand the internals of iCloud Keychain, which is what we will do.
Sergey Belov - Show us the Impact! Proving a threat under difficult conditions (DefconRussia)
Bug bounty programs, the vulnerability reward programs of various vendors, are spreading wider and wider. And sometimes, while hunting for vulnerabilities, one finds places that are clearly insecure (for example, self-XSS) but where proving a threat is hard. Yet the larger (or rather, the more reasonable) the vendor, the more willing they are to discuss and ask you to demonstrate the threat from the reported vulnerability, and, if you succeed, to reward you 8). My talk is a collection of such difficult situations and an account of how one can prove the threat.
Kettunen, miaubiz fuzzing at scale and in style
1. Fuzzing
at scale and
in style
hello ZeroNights -- 19-20.11.2012
Atte Kettunen & miaubiz
2. Bugs we found in 2012
Atte Kettunen, Oulu
Chromium: 25
Firefox: 8
miaubiz, Helsinki
Chromium: 50
Firefox: 5
3. Easy to get started
Enough bugs for novices to find a proper one before they lose interest
First bug report gets a very encouraging response from cevans and mozilla
● miaubiz started after Aki Helin's presentation on radamsa at t2 '10
● Atte Kettunen started after joining OUSPG in the summer of 2011
4. AddressSanitizer
● it's fucking awesome
● Clang compiler plugin
● Similar to Valgrind
● Very fast (2x slowdown)
● Originally made by Chromium devs
● Came out May 2011
● Firefox now supported quite well
● Linux & OSX
5. AddressSanitizer output
==79174== ERROR: AddressSanitizer heap-buffer-overflow on address 0x1ab53c4c at pc 0x9eaf2ec bp 0xbff9a808 sp 0xbff9a804
READ of size 1 at 0x1ab53c4c thread T0
    #0 0x9eaf2eb (Chromium Framework+0x8d3f2eb)
    #1 0x9f9b89e (Chromium Framework+0x8e2b89e)
    #2 0x9f9dc24 (Chromium Framework+0x8e2dc24)
6. AddressSanitizer output
==79269== ERROR: AddressSanitizer heap-buffer-overflow on address 0x1ab1bc4c at pc 0x9e792ec bp 0xbffd27e8 sp 0xbffd27e4
READ of size 1 at 0x1ab1bc4c thread T0
    #0 0x9e792eb in SkA1_Blitter::blitH(int, int, int) (in Chromium Framework) + 539
    #1 0x9f6589e in sk_fill_path(SkPath const&, SkIRect const*, SkBlitter*, int, int, int, SkRegion const&) (in Chromium Framework) + 3182
7. AddressSanitizer output
0x1ab1bc4c is located 0 bytes to the right of 1637388-byte region [0x1a98c040,0x1ab1bc4c)
allocated by thread T0 here:
    #0 0x1fbbb in __asan::ASAN_OnSIGSEGV(int, __siginfo*, void*) (in Chromium Helper) + 123
    #1 0x93b9954a in malloc_zone_malloc (in libsystem_c.dylib) + 74
    #2 0x93b99f86 in malloc (in libsystem_c.dylib) + 52
8. AddressSanitizer output
==2978== ERROR: AddressSanitizer unknown-crash on address 0x8000e033f080 at pc 0x55555f2a4310 bp 0x7fffffff7550 sp 0x7fffffff7308
READ of size 1 at 0x8000e033f080 thread T0
    #0 0x55555f2a430f in __interceptor_memcpy ??:0
    #1 0x7fffe95934c6 in ?? ??:0
==2978== AddressSanitizer CHECK failed: /usr/local/google/chrome/src/third_party/llvm/projects/compiler-rt/lib/asan/asan_report.cc:136 "((0 && "Address is not in memory and not in shadow?")) != (0)" (0x0, 0x0)
    #0 0x55555f2a923e in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ??:0
9. AddressSanitizer output
==21807== ERROR: AddressSanitizer heap-use-after-free on address 0x7ffff7ecbfa0 at pc 0x555559bf1131 bp 0x7fffffff7950 sp 0x7fffffff7948
WRITE of size 8 at 0x7ffff7ecbfa0 thread T0
    #0 0x555559bf1130 in WebCore::BaseMultipleFieldsDateAndTimeInputType::~BaseMultipleFieldsDateAndTimeInputType() ???:0
    #1 0x555559bfd95d in WebCore::DateInputType::~DateInputType() ???:0
    #2 0x55555995cc6b in WebCore::HTMLInputElement::updateType() ???:0
10. AddressSanitizer output
0x7ffff7ecbfa0 is located 96 bytes inside of 184-byte region [0x7ffff7ecbf40,0x7ffff7ecbff8)
freed by thread T0 here:
    #0 0x55555fade730 in operator delete(void*) ??:0
    #1 0x5555589c18f5 in WebCore::ContainerNode::removeAllChildren() ???:0
    #2 0x555559a19387 in WebCore::InputType::destroyShadowSubtree() ???:0
    #3 0x555559a487bd in WebCore::
11. AddressSanitizer output
previously allocated by thread T0 here:
    #0 0x55555fade5b0 in operator new(unsigned long) ??:0
    #1 0x555559baf27d in WebCore::SpinButtonElement::create(WebCore::Document*, WebCore::SpinButtonElement::SpinButtonOwner&) ???:0
    #2 0x555559bf1a5d in WebCore::BaseMultipleFieldsDateAndTimeInputType::createShadowSubtree() ???:0
    #3 0x55555995ccc4 in WebCore::
12. ASan
● Makes this all possible
● Awesome with use-after-free
● Very good for buffer overflow / out-of-bounds access
● Good on type confusion (it has no type information, so the bad cast only shows once the confused object is accessed outside its real allocation or after it is freed)
● Annoying on wild pointer
(unknown 0xffffffffebc38a68 @ pc 0x7ffff7ad9c58)
13. If you like sysadmining..
Fuzzing is a great way to justify your hobby of configuring boxen!
miaubiz: 2x 3930k, 2700k, 3770k, 112 gigs of ram, tons of ssds <3
attekett: 2600k, 2x 1055T, 6x dual-core opterons, and more on the way
14. Follow the browser developers
● Follow the evolution of tools
● Follow new features that are added
● Follow build environments
● Follow testing methods
Not only to find more bugs, but to keep your environment in a working state.
15. Where the bugs are
● use-after-free, invalid cast
■ DOM
■ Rendering
■ CSS
● buffer overflow
■ Media formats
■ Canvas (skia)
● integer overflow
■ WebGL
16. SOME FUNNY 2012 BUGS HAHA
● wk 86531 / ff 789046 - bit flipping in gif
● CVE-2012-2806 - oob write in libjpeg-turbo
● CVE-2012-2896 - integer overflow in SafeAdd() and SafeMultiply()
● crbug 143761 - vulnerable code had just been rewritten to fix previous SVG bug
17. dumb fuzzing
● bit flipping still works in 2012
● mash up repros from old bugs together
● radamsa o/
● feed files to the browser as fast as possible...
...and still identify the winning inputs
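An added example, not code from the deck or from radamsa/NodeFuzz, of the "dumb" side of this slide: bit flips and copy-paste of chunks of the sample into itself. The PRNG is seeded from a (seed, round) pair, so a case that killed the browser is identified by those two numbers and regenerated on demand instead of being kept on disk, which is what "still identify the winning inputs" needs once files are fed faster than they can be stored. The function names and the sample bytes are assumptions made for this illustration.

```javascript
// Added example, not code from the deck or from radamsa/NodeFuzz. A "dumb"
// mutator: bit flips and copy-paste of chunks of the sample into itself.
// The PRNG is seeded from (seed, round), so a case that killed the browser is
// identified by those two numbers and regenerated on demand instead of being
// written to disk. Function names and the sample bytes are assumptions.

// Seeded LCG; the high bits are used so small ranges do not cycle.
function makeRng(seed) {
  let s = seed >>> 0;
  return (max) => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return Math.floor((s / 4294967296) * max);
  };
}

// Flip `count` random bits; length is preserved.
function bitFlip(sample, rng, count) {
  const out = Uint8Array.from(sample);
  for (let i = 0; i < count && out.length > 0; i++) {
    out[rng(out.length)] ^= 1 << rng(8);
  }
  return out;
}

// Insert a copy of a random chunk (1..maxChunk bytes) of the sample at a
// random position; the output grows by the chunk length.
function copyPaste(sample, rng, maxChunk) {
  if (sample.length === 0) return Uint8Array.from(sample);
  const len = 1 + rng(Math.min(maxChunk, sample.length));
  const src = rng(sample.length - len + 1);
  const dst = rng(sample.length + 1);
  const out = new Uint8Array(sample.length + len);
  out.set(sample.subarray(0, dst), 0);
  out.set(sample.subarray(src, src + len), dst);
  out.set(sample.subarray(dst), dst + len);
  return out;
}

// One fuzz case, named by and fully determined by (seed, round).
function mutateCase(sample, seed, round) {
  const rng = makeRng(seed ^ Math.imul(round, 0x9e3779b1));
  let data = bitFlip(sample, rng, 1 + rng(8));
  if (rng(2) === 0) data = copyPaste(data, rng, 64);
  return { name: `seed${seed}-round${round}`, data };
}

// Number of differing bits between two equal-length byte arrays.
function hammingDistance(a, b) {
  let d = 0;
  for (let i = 0; i < a.length; i++) {
    for (let x = a[i] ^ b[i]; x; x >>= 1) d += x & 1;
  }
  return d;
}

// Constructed sample: a minimal GIF87a header and trailer, not a real test file.
const SAMPLE = Uint8Array.from([
  0x47, 0x49, 0x46, 0x38, 0x37, 0x61, 0x10, 0x00, 0x10, 0x00,
  0x80, 0x00, 0x00, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x3b,
]);

for (let round = 0; round < 3; round++) {
  const c = mutateCase(SAMPLE, 1234, round);
  console.log(c.name, c.data.length, "bytes");
}
```

In a real loop the browser only ever sees `c.data`; the log line for a crash records `c.name`, and the case is rebuilt with the same call when it is time to reproduce or minimize.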
18. smarter fuzzing
1. generate inputs based on something
2. process inputs
3. pet the cat
4. pet the cat, bitch
5. hope to reproduce
6. hope to minimize
23. smartish fuzzing: Canvas
● take W3C specification
● group together
■ methods
■ attributes
■ properties
● replace input values with getRandomValue()
24. radamsa
- written by Aki Helin at OUSPG
- see t2 '10 presentation
- Binary (flips, copy-paste)
- String (format detection, more copy-paste)
- Kolmogorov-Smirnov, it just works
26. NodeFuzz
● Modules
■ e.g. canvas, gif, css
● Samples
■ 20+ filetypes supported by browsers
● Injection into browser via websocket connected to node.js server
27. reproducibility tips
● use asan
● don't reference global state
■ body.children[5].appendChild(body.children[7])
■ impossible to minimize
● if possible, group stuff
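An added example, not code from the deck or from NodeFuzz, that puts the slide 23 recipe (group the spec's methods and attributes, feed every input through getRandomValue()) together with the reproducibility rule of slide 27: every emitted statement refers only to locals declared in a fixed preamble, never to document.body.children[i], so lines can be dropped independently and a crashing case can be minimized. SPEC is a small hand-picked subset of the CanvasRenderingContext2D interface, not the full W3C table; the function names are assumptions. The output is JavaScript source meant to be injected into a browser page, so nothing here touches the DOM itself.

```javascript
// Added example, not code from the deck or from NodeFuzz: a canvas case
// generator in the style of slide 23 plus the self-contained-statement rule
// of slide 27. SPEC is a hand-picked subset of CanvasRenderingContext2D, not
// the full W3C table; function names are assumptions.

// Seeded LCG so a case is reproducible from its seed; high bits are used.
function makeRng(seed) {
  let s = seed >>> 0;
  return (max) => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return Math.floor((s / 4294967296) * max);
  };
}

// Grouped subset of the canvas 2D API: method -> parameter types,
// attribute -> value type.
const SPEC = {
  methods: {
    fillRect:     ["num", "num", "num", "num"],
    arc:          ["num", "num", "num", "num", "num", "bool"],
    scale:        ["num", "num"],
    drawImage:    ["image", "num", "num"],
    putImageData: ["imagedata", "num", "num"],
    fillText:     ["str", "num", "num"],
  },
  attributes: { lineWidth: "num", fillStyle: "color", globalAlpha: "num", font: "str" },
};

// getRandomValue(): an edge-case-heavy pool per type (boundary integers,
// NaN/Infinity, wrong types, huge and malformed strings, wrong objects).
const POOL = {
  num:       ["0", "1", "-1", "0.5", "1e9", "-1e9", "2147483648", "4294967296",
              "NaN", "Infinity", "-Infinity", "null", "undefined", "'1'"],
  bool:      ["true", "false", "0", "{}"],
  str:       ["''", "'a'", "'x'.repeat(65536)", "'\\u0000'", "'\\ud800'"],
  color:     ["'#fff'", "'rgba(0,0,0,0)'", "'#zz'", "''", "grad", "pat"],
  image:     ["canvas", "img", "canvas2", "null"],
  imagedata: ["idata", "null", "{}"],
};
function getRandomValue(type, rng) {
  const pool = POOL[type];
  return pool[rng(pool.length)];
}

// Fixed preamble declaring every object a statement may name, so the case
// never depends on whatever else is in the document.
const PREAMBLE = [
  "var canvas = document.createElement('canvas');",
  "var canvas2 = document.createElement('canvas'); canvas2.width = 4; canvas2.height = 4;",
  "var img = new Image();",
  "var ctx = canvas.getContext('2d');",
  "var grad = ctx.createLinearGradient(0, 0, 1, 1);",
  "var pat = ctx.createPattern(canvas2, 'repeat');",
  "var idata = ctx.createImageData(2, 2);",
];

// Generate one case of n statements; each call is wrapped in try/catch so a
// TypeError on one line does not stop the rest from running.
function generateCase(seed, n) {
  const rng = makeRng(seed);
  const methods = Object.keys(SPEC.methods);
  const attrs = Object.keys(SPEC.attributes);
  const body = [];
  for (let i = 0; i < n; i++) {
    if (rng(4) === 0) {
      const a = attrs[rng(attrs.length)];
      body.push(`ctx.${a} = ${getRandomValue(SPEC.attributes[a], rng)};`);
    } else {
      const m = methods[rng(methods.length)];
      const args = SPEC.methods[m].map((t) => getRandomValue(t, rng));
      body.push(`try { ctx.${m}(${args.join(", ")}); } catch (e) {}`);
    }
  }
  return { preamble: PREAMBLE, body };
}
const render = (c) => c.preamble.concat(c.body).join("\n");

// Greedy line-dropping minimizer. In practice crashes(source) runs the
// browser under ASan; here it is any predicate on the rendered source.
// Only body lines are dropped; the preamble always stays.
function minimize(c, crashes) {
  let body = c.body.slice();
  for (let changed = true; changed; ) {
    changed = false;
    for (let i = 0; i < body.length; i++) {
      const trial = body.slice(0, i).concat(body.slice(i + 1));
      if (crashes(render({ preamble: c.preamble, body: trial }))) {
        body = trial; changed = true; i--;
      }
    }
  }
  return { preamble: c.preamble, body };
}

console.log(render(generateCase(1, 8)));
```

The minimizer works only because of the preamble rule: dropping any body line can never invalidate a later one, which is exactly what `body.children[5].appendChild(body.children[7])` breaks, since removing an earlier line shifts the indices every later line depends on.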
28. stareability
Q: How do you know your fuzzer is working?
A: If it looks like what you'd expect
I tried to fuzz <path>, but I get white boxes
● wrong namespace for SVG elements
Instead of random strings I get 'undefined'
● [] instead of () in function call
30. infrastructure: first iteration
$ gzip -c /bin/bash > sample.gz
$ while true
  do
    radamsa sample.gz > fuzzed.gz
    gzip -dc fuzzed.gz > /dev/null
    test $? -gt 127 && break   # exit status above 127 = gzip was killed by a signal (e.g. SIGSEGV); fuzzed.gz is the repro
  done
(http://code.google.com/p/ouspg/wiki/Radamsa)
31. git, rsync, redis, 2>&1
● evolve the infrastructure
● automate as much as possible
● rsync results to master node
● repros on filesystem for easy manipulation
● redis keeps:
■ metadata
■ input queues
■ crash logs
32. asan logs
2>&1 | grep -E "inside|left|right|unknown|pc|offset|frame"
(-E is needed: to plain grep the | is a literal character, not alternation)
check
● page aligned EIP of crash
● offset and size reported (e.g. 8 inside 144)
● top stack frames of crash
● top stack frames of object free/allocate
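An added example, not code from the deck: a small triage parser for reports of the shape shown on slides 5 to 11. It extracts the fields the grep above pulls out (error kind, access type and size, offset inside or beside the region, top frames of the crash, free and allocation stacks) and derives a dedup key from them: symbolized frames are compared by function name, unsymbolized ones by module plus page-aligned offset, which is the "page aligned EIP" idea applied per frame. Both reports are constructed, modelled on the slides' excerpts with the region bounds made internally consistent; the function names are assumptions.

```javascript
// Added example, not code from the deck. Parses AddressSanitizer reports of
// the shape shown on slides 5 to 11 into the fields the slide-32 grep pulls
// out and derives a dedup key: symbolized frames by function name,
// unsymbolized frames by module plus page-aligned offset. Both reports are
// constructed, modelled on the slides' excerpts; function names are assumptions.

const REPORT_UAF = `
==21807== ERROR: AddressSanitizer heap-use-after-free on address 0x7ffff7ecbfa0 at pc 0x555559bf1131 bp 0x7fffffff7950 sp 0x7fffffff7948
WRITE of size 8 at 0x7ffff7ecbfa0 thread T0
    #0 0x555559bf1130 in WebCore::BaseMultipleFieldsDateAndTimeInputType::~BaseMultipleFieldsDateAndTimeInputType() ???:0
    #1 0x555559bfd95d in WebCore::DateInputType::~DateInputType() ???:0
    #2 0x55555995cc6b in WebCore::HTMLInputElement::updateType() ???:0
0x7ffff7ecbfa0 is located 96 bytes inside of 184-byte region [0x7ffff7ecbf40,0x7ffff7ecbff8)
freed by thread T0 here:
    #0 0x55555fade730 in operator delete(void*) ??:0
    #1 0x5555589c18f5 in WebCore::ContainerNode::removeAllChildren() ???:0
    #2 0x555559a19387 in WebCore::InputType::destroyShadowSubtree() ???:0
previously allocated by thread T0 here:
    #0 0x55555fade5b0 in operator new(unsigned long) ??:0
    #1 0x555559baf27d in WebCore::SpinButtonElement::create(WebCore::Document*, WebCore::SpinButtonElement::SpinButtonOwner&) ???:0
    #2 0x555559bf1a5d in WebCore::BaseMultipleFieldsDateAndTimeInputType::createShadowSubtree() ???:0
`;

// Unsymbolized OS X style report: frames carry only module+offset.
const REPORT_OOB = `
==79174== ERROR: AddressSanitizer heap-buffer-overflow on address 0x1ab53c4c at pc 0x9eaf2ec bp 0xbff9a808 sp 0xbff9a804
READ of size 1 at 0x1ab53c4c thread T0
    #0 0x9eaf2eb (Chromium Framework+0x8d3f2eb)
    #1 0x9f9b89e (Chromium Framework+0x8e2b89e)
    #2 0x9f9dc24 (Chromium Framework+0x8e2dc24)
0x1ab53c4c is located 0 bytes to the right of 1637388-byte region [0x1a9c4040,0x1ab53c4c)
`;

// One "#N 0xADDR ..." line: either "in SYMBOL FILE:LINE" (optionally with
// the OS X "(in Module) + N" suffix) or the bare "(Module+0xOFFSET)" form.
function parseFrame(addr, rest) {
  const frame = { addr, symbol: null, module: null, offset: null };
  let m;
  if ((m = rest.match(/^\((.+)\+(0x[0-9a-f]+)\)$/))) {
    frame.module = m[1]; frame.offset = m[2];
  } else if (rest.startsWith("in ")) {
    frame.symbol = rest.slice(3)
      .replace(/\s+\(in [^)]+\)\s+\+\s+\d+$/, "")   // "(in Chromium Framework) + 539"
      .replace(/\s+\S+:\d+$/, "");                  // "file.cc:136" or "??:0"
  }
  return frame;
}

function parseAsanReport(text) {
  const r = { kind: null, address: null, pc: null, access: null, size: null,
              thread: null, location: null, stacks: { crash: [], free: [], alloc: [] } };
  let current = null;   // which stack the next frame lines belong to
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    let m;
    if ((m = line.match(/ERROR: AddressSanitizer:?\s+([\w-]+) on address (0x[0-9a-f]+) at pc (0x[0-9a-f]+)/))) {
      r.kind = m[1]; r.address = m[2]; r.pc = m[3];
    } else if ((m = line.match(/^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)/))) {
      r.access = m[1]; r.size = Number(m[2]); r.thread = m[3]; current = "crash";
    } else if ((m = line.match(/is located (\d+) bytes (inside of|to the right of|to the left of) (\d+)-byte region/))) {
      r.location = { offset: Number(m[1]), relation: m[2], regionSize: Number(m[3]) };
    } else if (/^freed by thread/.test(line)) {
      current = "free";
    } else if (/^(previously )?allocated by thread/.test(line)) {
      current = "alloc";
    } else if ((m = line.match(/^#(\d+)\s+(0x[0-9a-f]+)\s*(.*)$/)) && current) {
      r.stacks[current].push(parseFrame(m[2], m[3]));
    }
  }
  return r;
}

// Round an address down to its 4 KiB page (BigInt so 64-bit pcs survive).
function pageAlign(hex) {
  return "0x" + (BigInt(hex) & ~0xfffn).toString(16);
}

// Frame identity for bucketing: function name without its parameter list,
// or module+page-aligned offset when the frame is not symbolized.
function frameKey(f) {
  if (f.symbol) return f.symbol.split("(")[0];
  if (f.module) return `${f.module}+${pageAlign(f.offset)}`;
  return pageAlign(f.addr);
}

// Dedup key: error kind, access, and the top `depth` crash frames.
function bucketKey(report, depth = 3) {
  return [report.kind, `${report.access} ${report.size}`,
          ...report.stacks.crash.slice(0, depth).map(frameKey)].join("|");
}

for (const text of [REPORT_UAF, REPORT_OOB]) {
  const r = parseAsanReport(text);
  console.log(bucketKey(r), r.location);
}
```

Two reports with the same key are almost certainly the same bug; the free and allocation stacks are kept in the parsed record because they are what distinguishes two different use-after-frees that happen to die in the same destructor.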
33. infrastructure
● git push new fuzzers
● rsync new browser versions
● asan allows multiple browsers to run at once, no need for VMs
● Xephyr leaks memory
● browsers crash native Xorg
● Xvfb works best for many things
● monitor throughput, load, temp..
34. Status: Duplicate
Inferno is fuzzing the same stuff we are, with 20 000 Google computers. (Firefox too)
fuzzing is like high frequency arbitrage: microseconds count
Atte + miaubiz => over 50 dupes in 2012
35. What if we run out of bugs?
● Manul is coming
● Manul is coming for you
● Browsers are continuously adding features
● Bounties will go up
● We will learn to write exploits