Why instrumentation is cooler than ice
Alex Moneger
INTRODUCTION
The myth
• Fuzzing is easy
• Fuzzing is simple
• Instrumentation is left as an exercise to the reader
The truth
• Fuzzing requires effort
• Generally requires adapting the target code
• Most of the time requires building a corpus of inputs
• Requires minimizing the corpus
• Requires instrumentation:
– Did my target crash?
– On what input?
– Are my new inputs useful?
The hurdles
• Tool selection
• Tool integration
• Reliability
• Scale
• A bug found prevents the fuzzer from reaching further areas of code
INSTRUMENTATION
Before
• 2 approaches:
– Mutate data forever (randomly, byte flip, …)
– Model data, mutate fields separately (Spike, Peach, Codenomicon, …)
• Run for some iterations or until all states are modeled
• Hope for the best
Today
• Genetic algorithms => retain only the best inputs for further mutation
1. Mutate best input
2. Send to target
3. Measure impact based on some metric
4. Discard or prioritize input, back to 1.
Code coverage
• Code coverage is the most used metric
• Tells you if an input has triggered new code paths
• All tools try to measure code coverage one way or another
• Can be achieved by:
– binary instrumentation (PIN, DynamoRIO)
– static rewriting (Dyninst)
– kernel probing (perf)
– HW (Intel BTS => Branch Trace Store)
How does it work
• Model control flow using basic blocks
• Discard unconditional edges (JMPs)
• First approach: trace the callgraph
• Hard to compare 2 callgraphs
• Best approach: retain the edge count
• Provides an unordered code coverage heatmap
Example callgraph
Compare code coverage maps?
• Gained edges - lost edges > 0?
• Simple, but it will crush path divergence
• Solution: keep track of interesting diverging paths
• When there are no new edges, check edge hitcounts
• Higher hitcounts mean you control a loop boundary
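The comparison the last two slides describe (new edges first, then edge hitcounts when nothing new shows up) as an added example in C; it is not code from the deck or from AFL. The edge hash, the 4096-entry map size, the hitcount buckets and the basic-block traces are all constructed for the demo: AFL uses a 64 KiB map and a different edge hash, but the scoring logic is the same idea.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical map size; AFL's real shared-memory bitmap is 64 KiB. */
#define MAP_SIZE 4096

enum verdict { NOTHING_NEW = 0, NEW_HITCOUNT = 1, NEW_EDGES = 2 };

/* Global "heatmap" of everything the fuzzer has seen so far:
   per edge, the highest hitcount bucket observed (0 = never hit). */
static uint8_t virgin[MAP_SIZE];

void reset_virgin(void) { memset(virgin, 0, sizeof virgin); }

/* Edge id for the transition prev_bb -> cur_bb. Constructed hash for this
   demo; AFL itself uses (cur ^ (prev >> 1)) over random block ids. */
static uint32_t edge_id(uint32_t prev_bb, uint32_t cur_bb) {
    return (prev_bb * 2654435761u + cur_bb) % MAP_SIZE;
}

/* Replay a basic-block trace into a per-edge hitcount map. The tracer is
   assumed to have already dropped unconditional jumps, as the slides suggest. */
void trace_to_map(const uint32_t *bbs, size_t n, uint8_t *map) {
    memset(map, 0, MAP_SIZE);
    for (size_t i = 1; i < n; i++) {
        uint32_t e = edge_id(bbs[i - 1], bbs[i]);
        if (map[e] < 255) map[e]++;
    }
}

/* Collapse raw hitcounts into coarse buckets (1, 2, 3, 4-7, 8-15, ...), so
   that "loop ran 17 times" vs "18 times" is not treated as new coverage. */
static uint8_t bucket(uint8_t hits) {
    if (hits <= 3) return hits;
    if (hits <= 7) return 4;
    if (hits <= 15) return 5;
    if (hits <= 31) return 6;
    if (hits <= 127) return 7;
    return 8;
}

/* Compare one execution's map against the global heatmap, merge it in and
   report the best thing it contributed: brand new edges beat a higher
   hitcount on a known edge, which beats nothing at all. */
enum verdict score_and_merge(const uint8_t *map) {
    enum verdict v = NOTHING_NEW;
    for (size_t i = 0; i < MAP_SIZE; i++) {
        uint8_t b = bucket(map[i]);
        if (b == 0) continue;
        if (virgin[i] == 0) {           /* never seen this edge */
            v = NEW_EDGES;
            virgin[i] = b;
        } else if (b > virgin[i]) {     /* known edge, but a loop ran longer */
            if (v < NEW_HITCOUNT) v = NEW_HITCOUNT;
            virgin[i] = b;
        }
    }
    return v;
}

int main(void) {
    /* Constructed traces: block 2 -> 3 -> 2 is a parser loop over input fields. */
    uint32_t t1[] = {1, 2, 3, 2, 3, 4};              /* loop body twice */
    uint32_t t2[] = {1, 2, 3, 2, 3, 2, 3, 2, 3, 4};  /* loop body four times */
    uint8_t map[MAP_SIZE];
    reset_virgin();
    trace_to_map(t1, 6, map);
    printf("t1: %d\n", score_and_merge(map));        /* 2 = NEW_EDGES */
    trace_to_map(t1, 6, map);
    printf("t1 again: %d\n", score_and_merge(map));  /* 0 = NOTHING_NEW */
    trace_to_map(t2, 10, map);
    printf("t2: %d\n", score_and_merge(map));        /* 1 = NEW_HITCOUNT */
    return 0;
}
```

The second trace reaches no new block, so a plain "gained edges minus lost edges" check would discard it; the hitcount buckets are what tell the fuzzer it has found an input that drives the loop further, which is exactly the "you control a loop boundary" signal the slide points at.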
CORPUS MINIMIZATION
Corpus minimization
• You have collected all xml documents or IM packets from the internet
• What is the minimal set of inputs which achieves maximal code coverage?
• Open all inputs and record code coverage
• Keep only valuable inputs
In practice
• No open source tools to achieve this
• Notable exception, with source on *nix for files => afl-cmin to the rescue
• Otherwise, a good base is runtracer, drcov or the coco.cpp pintool
• Building the minset is up to you after that
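Since the slide leaves building the minset to the reader, here is an added example in C of the greedy step that afl-cmin-style tools perform once the per-input coverage has been recorded; it is not code from the deck or from afl-cmin. The `struct input` layout, the 64-edge space and the four-document corpus are constructed for the demo; in practice the `cov` arrays would be filled from runtracer, drcov or pintool output.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EDGES 64        /* hypothetical tiny edge space for the demo */
#define MAX_INPUTS 16

/* One corpus file and the edges it exercised when opened under the tracer. */
struct input {
    const char *name;       /* constructed sample name */
    size_t size;            /* file size; smaller wins ties, as afl-cmin prefers */
    uint8_t cov[EDGES];     /* 1 if the edge was hit at least once */
};

/* Number of edges in `cov` that `covered` does not have yet. */
static size_t gain(const uint8_t *cov, const uint8_t *covered) {
    size_t g = 0;
    for (size_t e = 0; e < EDGES; e++)
        if (cov[e] && !covered[e]) g++;
    return g;
}

/* Greedy set cover: repeatedly take the input that adds the most unseen
   edges until nothing adds any. Writes chosen indices to `out`, returns count. */
size_t build_minset(const struct input *in, size_t n, size_t *out) {
    uint8_t covered[EDGES] = {0};
    uint8_t used[MAX_INPUTS] = {0};
    size_t k = 0;
    for (;;) {
        size_t best = n, best_gain = 0;
        for (size_t i = 0; i < n; i++) {
            if (used[i]) continue;
            size_t g = gain(in[i].cov, covered);
            if (g > best_gain ||
                (g == best_gain && g > 0 && in[i].size < in[best].size)) {
                best = i;
                best_gain = g;
            }
        }
        if (best_gain == 0) break;           /* remaining inputs add nothing */
        used[best] = 1;
        out[k++] = best;
        for (size_t e = 0; e < EDGES; e++)
            covered[e] |= in[best].cov[e];
    }
    return k;
}

/* Constructed helper: mark a list of edge ids as hit for an input. */
static void set_edges(struct input *in, const int *edges, size_t n) {
    memset(in->cov, 0, EDGES);
    for (size_t i = 0; i < n; i++) in->cov[edges[i]] = 1;
}

/* Constructed corpus of four XML-ish documents. Fills `out`, returns count. */
size_t demo_minset(size_t *out) {
    static struct input corpus[4] = {
        {"a.xml", 100, {0}}, {"b.xml", 50, {0}}, {"c.xml", 80, {0}}, {"d.xml", 300, {0}},
    };
    const int ea[] = {1, 2, 3, 4, 5};   /* rich document */
    const int eb[] = {1, 2, 3};         /* strict subset of a.xml: redundant */
    const int ec[] = {6, 7};            /* cheapest way to reach edges 6 and 7 */
    const int ed[] = {4, 5, 6, 7};      /* large, and fully covered by a + c */
    set_edges(&corpus[0], ea, 5);
    set_edges(&corpus[1], eb, 3);
    set_edges(&corpus[2], ec, 2);
    set_edges(&corpus[3], ed, 4);
    return build_minset(corpus, 4, out);
}

int main(void) {
    size_t keep[MAX_INPUTS];
    size_t k = demo_minset(keep);
    printf("minset has %zu inputs:", k);
    for (size_t i = 0; i < k; i++) printf(" #%zu", keep[i]);
    printf("\n");   /* minset has 2 inputs: #0 #2 */
    return 0;
}
```

Greedy set cover is not guaranteed to be the true minimum, but it is what the practical tools do and it is cheap: one pass over the corpus per selected input. Tie-breaking on file size matters more than it looks, because every byte kept in the corpus is a byte the fuzzer will mutate for the rest of the campaign.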
WHAT NOW
An application
• You want to fuzz an application/library
• What next?
A few obvious questions first
• Do you have source code?
• Where does it take input from?
– Network
– File
– …
• Do you already have valid inputs?
– Packets
– Pdf
– …
First of all
• Turn on coredumps
• Throw whatever you have at the binary
• dd if=/dev/urandom bs=1024 count=1 | nc localhost 1234
• Or mutate some corpus inputs with radamsa
• Keep CPU busy whilst you figure out a plan
• Now think
You have source code
• Find a way to get it to work with American Fuzzy Lop
• AFL “batteries included”
• AFL works great:
– File input
– Amazing performance/reliability (forkserver)
– Instrumentation/stats built in (ASM instrumentation)
– Scaling (distributed fuzzing)
• Limitations:
– Network fuzzing
– Any form of daemon
Wrapping for AFL
• Target can read from stdin or argv, you're good
• Otherwise, write a wrapper around your target functions
• read_from_stdin(char *buf) { target_func(buf); exit(0); }
• Problem: complex when functions are tightly coupled (globals, complex structs, …)
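A fleshed-out version of the wrapper the slide sketches, as an added example; it is not code from the deck or from AFL. `target_func` is a hypothetical stand-in for the library routine you want to fuzz (here a tiny tag-length-value record counter), and `read_all` is the part the slide abbreviates: slurp one test case from stdin, or from the file AFL substitutes for `@@`, hand it to the target once, and exit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical target: counts well-formed TLV records (1-byte tag, 1-byte
   length, payload). Stands in for the function you actually want to fuzz.
   Returns -1 on malformed input. */
int target_func(const uint8_t *buf, size_t len) {
    size_t pos = 0;
    int records = 0;
    while (pos < len) {
        if (len - pos < 2) return -1;          /* truncated header */
        uint8_t tlen = buf[pos + 1];
        if (len - pos - 2 < tlen) return -1;   /* payload runs past the buffer */
        pos += 2 + tlen;
        records++;
    }
    return records;
}

/* Read an entire stream into a heap buffer, growing as needed, so that the
   wrapper itself never becomes the thing that crashes. Sets *out to NULL and
   returns 0 on allocation failure; otherwise the caller frees *out. */
size_t read_all(FILE *f, uint8_t **out) {
    size_t cap = 4096, len = 0, n;
    uint8_t *buf = malloc(cap);
    *out = NULL;
    if (!buf) return 0;
    while ((n = fread(buf + len, 1, cap - len, f)) > 0) {
        len += n;
        if (len == cap) {
            uint8_t *bigger = realloc(buf, cap * 2);
            if (!bigger) { free(buf); return 0; }
            buf = bigger;
            cap *= 2;
        }
    }
    *out = buf;
    return len;
}

/* The wrapper: one input, one call into the target, then exit.
   AFL feeds the test case on stdin, or as argv[1] when run with @@. */
int main(int argc, char **argv) {
    FILE *f = stdin;
    if (argc > 1) {
        f = fopen(argv[1], "rb");
        if (!f) { perror("fopen"); return 1; }
    }
    uint8_t *data;
    size_t len = read_all(f, &data);
    if (f != stdin) fclose(f);
    int r = data ? target_func(data, len) : -1;
    free(data);
    printf("records: %d\n", r);
    /* A crash or sanitizer abort inside target_func, not this return code,
       is what AFL is watching for. */
    return 0;
}
```

Compile it with afl-gcc (or afl-clang-fast) so the branches inside `target_func` get instrumented, and the forkserver takes care of restarting the process for each input. The wrapper deliberately does nothing clever: any parsing, buffering or cleanup logic you add here is code the fuzzer will also exercise and that can mask bugs in the real target.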
No source?
• Things start to get messy
• Options:
– Afl-qemu
– Afl-pin
– Afl-dyninst
– Honggfuzz (Linux or requires HW support)
– …
Mo problem
• Idea is always the same
• Through instrumentation, get code coverage info
• Bind it someway to AFL:
– AFL-qemu => Use Qemu userland to hook BBLs
– AFL-PIN => Use PIN to hook BBLs, no forkserver support
– AFL-Dyninst => static rewrite to hook BBLs
TODAY’S GAPS
Gaps
• Smart fuzzing network daemons
• Corpus minimization
• Windows support
• Triaging (exploitable doesn’t work on cores)
• We need to build bricks, not solutions
Reference
• Best advice on fuzzing by Ben Nagy:
http://seclists.org/dailydave/2010/q4/47
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 

NBTC#2 - Why instrumentation is cooler then ice

1. Why instrumentation is cooler then ice
Alex Moneger

3. The myth
• Fuzzing is easy
• Fuzzing is simple
• Instrumentation is left as an exercise to the reader

4. The truth
• Fuzzing requires effort
• Generally requires adapting the target code
• Most of the time requires building a corpus of inputs
• Requires minimizing the corpus
• Requires instrumentation:
– Did my target crash?
– On what input?
– Are my new inputs useful?

5. The hurdles
• Tool selection
• Tool integration
• Reliability
• Scale
• A bug found prevents the fuzzer from reaching further areas of code

7. Before
• 2 approaches:
– Mutate data forever (randomly, byte flip, …)
– Model data, mutate fields separately (Spike, Peach, Codenomicon, …)
• Run for some iterations or until all states are modeled
• Hope for the best

8. Today
• Genetic algorithms => retain only the best inputs for further mutation
1. Mutate best input
2. Send to target
3. Measure impact based on some metric
4. Discard or prioritize input, back to 1.

9. Code coverage
• Code coverage is the most used metric
• Tells you if an input has triggered new code paths
• All tools try to measure code coverage one way or another
• Can be achieved by:
– binary instrumentation (PIN, DynamoRIO)
– static rewriting (Dyninst)
– kernel probing (perf)
– HW (Intel BTS => branch trace store)

10. How does it work
• Model control flow using basic blocks
• Discard unconditional edges (JMPs)
• First approach: trace the callgraph
• Hard to compare 2 callgraphs
• Best approach: retain edge counts
• Provides an unordered code coverage heatmap

12. Compare code coverage maps?
• Gained edges - lost edges > 0?
• Simple, but will crush path divergence
• Solution: keep track of interesting diverging paths
• When there are no new edges, check edge hitcounts
• Higher hitcounts mean you control a loop boundary
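An added example (not from the talk) of the edge-count heatmap from slide 10 and the two comparison strategies from slide 12, run over constructed basic-block traces: the naive gained-minus-lost delta reports nothing for a diverging path, while comparing against the union of all kept inputs, then falling back to hit counts, keeps it. The hit-count buckets are an assumption modelled on AFL's scheme.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple
Edge = Tuple[int, int]      # (source basic block, destination basic block)
CovMap = Dict[Edge, int]    # edge -> hit count: the unordered heatmap of slide 10

def coverage_map(trace: Iterable[int]) -> CovMap:
    """Collapse an ordered basic-block trace into edge hit counts; order is dropped."""
    blocks = list(trace)
    return dict(Counter(zip(blocks, blocks[1:])))

def naive_delta(old: CovMap, new: CovMap) -> int:
    """Slide 12's first idea: gained edges minus lost edges, relative to the last input."""
    return len(set(new) - set(old)) - len(set(old) - set(new))

def bucket(count: int) -> int:
    """Assumed coarse buckets (AFL-like): 0-3 each alone, then 4-7, 8-15, 16-31, 32-127, 128+."""
    if count < 4:
        return count
    for floor in (128, 32, 16, 8):
        if count >= floor:
            return floor
    return 4

def is_interesting(virgin: CovMap, new: CovMap) -> str:
    """Compare against the union of all kept inputs (not the previous one); then hit counts."""
    if set(new) - set(virgin):
        return "new-edge"
    if any(bucket(c) > bucket(virgin[e]) for e, c in new.items()):
        return "new-hitcount"   # same edges, but a loop ran into a higher bucket
    return "boring"

def triage(traces: List[List[int]]) -> List[str]:
    """Slide 8's loop over a batch: keep an input if it adds coverage, else discard it."""
    virgin: CovMap = {}
    verdicts = []
    for t in traces:
        m = coverage_map(t)
        verdict = is_interesting(virgin, m)
        verdicts.append(verdict)
        if verdict != "boring":                     # fold the kept map into the global one
            for e, c in m.items():
                virgin[e] = max(virgin.get(e, 0), c)
    return verdicts

# Constructed traces (addresses are made up): a base path, the other side of one
# branch (same edge count, so naive_delta reports 0), and a loop body run n times.
TRACE_BASE = [0x1000, 0x1010, 0x1030, 0x1040]
TRACE_DIVERGE = [0x1000, 0x1010, 0x1020, 0x1040]
def loop_trace(n: int) -> List[int]:
    return [0x1000] + [0x1010, 0x1030] * n + [0x1040]
```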
14. Corpus minimization
• You have collected all XML documents or IM packets from the internet
• What is the minimal set of inputs which achieves maximal code coverage?
• Open all inputs and record code coverage
• Keep only valuable inputs

15. In practice
• No open source tools to achieve this
• Notable exception, with source on *nix for files => afl-cmin to the rescue
• Otherwise, a good base is runtracer, drcov or the coco.cpp pintool
• Building the minset is up to you after that
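When you are working from runtracer or drcov output rather than afl-cmin, building the minset is the step left to you. As an added example (not from the talk and not afl-cmin's code), a greedy set-cover minset over constructed per-input edge sets: edge ids and file sizes are made up, and the preference for smaller files on ties is a choice, not something the talk prescribes.

```python
from typing import Dict, List, Set

# Edge ids are opaque ints here; a real tracer yields (src, dst) basic-block pairs,
# and recording code coverage for every input gives one such set per file.
Coverage = Dict[str, Set[int]]

def minset(sizes: Dict[str, int], coverage: Coverage) -> List[str]:
    """Greedy set cover: repeatedly keep the input that adds the most not-yet-covered
    edges, preferring smaller inputs (they mutate faster), then names, on ties.
    Stops once every edge reached by any input is reached by a kept input."""
    uncovered: Set[int] = set().union(*coverage.values())
    kept: List[str] = []
    while uncovered:
        name = min(coverage, key=lambda n: (-len(coverage[n] & uncovered), sizes[n], n))
        kept.append(name)
        uncovered -= coverage[name]
    return kept

def covered_by(names: List[str], coverage: Coverage) -> Set[int]:
    """Union of edges reached by the chosen inputs, to confirm no coverage was lost."""
    return set().union(*(coverage[n] for n in names)) if names else set()

# Constructed corpus: five harvested files with their recorded edge sets and sizes.
SIZES = {"a.xml": 100, "b.xml": 40, "c.xml": 10, "d.xml": 60, "e.xml": 200}
COVERAGE: Coverage = {
    "a.xml": {1, 2, 3},
    "b.xml": {1, 2},        # strict subset of a.xml: adds nothing
    "c.xml": {4},           # reaches edge 4, but e.xml reaches it plus more
    "d.xml": {1, 2, 3},     # same edges as a.xml but smaller: preferred on the tie
    "e.xml": {3, 4, 5},     # only file reaching edge 5
}
```

The five files collapse to two without losing an edge; a real corpus of thousands of harvested documents shrinks the same way, and the kept files are the ones worth spending mutation cycles on.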
17. An application
• You want to fuzz an application/library
• What next?

18. A few obvious questions first
• Do you have source code?
• Where does it take input from?
– Network
– File
– …
• Do you already have valid inputs?
– Packets
– PDF
– …

19. First of all
• Turn on coredumps
• Throw whatever you have at the binary
• dd if=/dev/urandom bs=1024 count=1 | nc localhost 1234
• Or mutate some corpus inputs with radamsa
• Keep the CPU busy whilst you figure out a plan
• Now think

20. You have source code
• Find a way to get it to work with American Fuzzy Lop
• AFL is “batteries included”
• AFL works great:
– File input
– Amazing performance/reliability (forkserver)
– Instrumentation/stats built in (ASM instrumentation)
– Scaling (distributed fuzzing)
• Limitations:
– Network fuzzing
– Any form of daemon

21. Wrapping for AFL
• Target can read from stdin or argv: you're good
• Otherwise, write a wrapper around your target functions
• read_from_stdin(char *buf) { target_func(buf); exit(0); }
• Problem: complex when functions are tightly coupled (globals, complex structs, …)

22. No source?
• Things start to get messy
• Options:
– afl-qemu
– afl-pin
– afl-dyninst
– Honggfuzz (Linux, or requires HW support)
– …

23. Mo problem
• Idea is always the same
• Through instrumentation, get code coverage info
• Bind it some way to AFL:
– AFL-qemu => use QEMU userland to hook BBLs
– AFL-PIN => use PIN to hook BBLs, no forkserver support
– AFL-Dyninst => static rewrite to hook BBLs

25. Gaps
• Smart fuzzing of network daemons
• Corpus minimization
• Windows support
• Triaging (exploitable doesn’t work on cores)
• We need to build bricks, not solutions

26. Reference
• Best advice on fuzzing by Ben Nagy: http://seclists.org/dailydave/2010/q4/47

Editor's Notes

  1. What tool does the job (Peach, AFL, libFuzzer, …)? How do I collect crashes, triage them, instrument? My fuzzer crashed after a 2-week run. How do I synchronize my fuzzers/targets? Stagefright talk at Defcon: the audience hadn’t heard about AFL, and the presenter had to fix a ton of bugs for the fuzzer to make progress.
  2. Count the edges, and the variation in the edges. Example: tcp+3397 => tcp+3411 will count as 3 edges in the code coverage map.
  3. AFL is an impressive tool. Check out how it works for
  4. Building a product for fuzzing is very similar to building a product for QA. You need to make loosely coupled modules which can be unit tested. This makes fuzzing jobs way easier. Having a ball of code of 5M LOC with a trail of dependencies makes it very hard to fuzz.