AFL that you (probably) do not know discusses the American Fuzzy Lop (AFL) fuzzer. The presentation aims to dispel myths about AFL and encourage its use. It addresses that AFL can be used for languages beyond C/C++ through sister projects, does not require source code, and finds bugs beyond just memory issues. While AFL's interface is dense, it has visualization tools and can leverage multiple CPUs. AFL will not automatically report or request CVEs for the issues it finds, though, and using it can be fun.
As @nicowaisman mentioned in his talk Aleatory Persistent Threat, old-school heap-specific exploitation is dying, and with each Windows SP or new version it is harder to attack the heap itself. Heap management adapts quickly and includes new mitigation techniques. But sometimes it is better to rethink the idea of mitigation and do this technique properly; even a half version of it will cover all known heap exploit techniques…
Reverse Engineering the TomTom Runner pt. 2 (Luis Grangeia)
Second presentation of my research into reverse engineering a TomTom Runner GPS watch. In this I explain how I got running code inside an unfamiliar device and proceeded to bypass its security measures and extract firmware keys and code from the device.
More details on my personal blog, at http://grangeia.io
Presented in October 2015 at "Confraria de Segurança da Informação" in Lisbon
American Fuzzy Lop (AFL) is a security-oriented fuzz testing tool.
In this talk, I demonstrate how dead-simple AFL is to use. I show how I used it to fuzz a Python library, discovering a subtle bug in the process.
CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI... (CODE BLUE)
Embedded device security is an issue of global importance, and one that has grown exponentially over the last few years. Because of their slow patch cycles and the increasing difficulty of exploiting other, more traditional platforms, they have quickly become a favorite target for researchers and attackers alike. While deeply fragmented, each country has its own unique "footprint" of these devices on the Internet, based largely on the embedded devices distributed by major ISPs. We will use our survey of Japanese devices as an example of how, by fingerprinting and examining popular devices on a given country's networks, it is possible for an attacker to very quickly go from zero knowledge to widespread remote code execution.
During this talk, we provide an in-depth analysis of various routers and modems provided by popular Japanese ISPs, devices which we had never heard of on networks we had never used. We discuss how we approached surveying approximate market usage, reverse engineering obfuscated and encrypted firmware images, performing vulnerability analysis on the recovered binaries, and developing proof-of-concept exploits for discovered vulnerabilities, all from the United States. In addition, we provide recommendations as to how ISPs and countries might begin to address the serious problems introduced by these small but important pieces of the Internet.
All vulnerabilities discovered were promptly and responsibly disclosed to affected parties.
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi (Shakacon)
Graphics drivers and their related code are an essential component in every modern operating system. This particular component involves especially complex logic and a huge amount of code, simply because it must handle equally complex tasks.
As we know from history and experience, huge and complex code is often also a security risk. Last but not least, in almost all popular modern operating systems, graphics code and logic runs in a highly privileged context such as the kernel, or even in a higher context, such as the VMware graphics component, which essentially implements your graphics card outside the guest in a host process.
Any mistake made in this highly privileged code can lead to a fatal outcome, especially considering that it is often reachable from interesting sandboxes, such as the browser ones. We will go through the internals of various graphics systems, to show similarities and differences: the heart of Windows graphics aka win32k, then OSX/iOS IOKit, and finally the VMware emulated GPU graphics subsystem. We then switch gears and showcase some vulnerabilities in these scenarios, and discuss effective fuzzing methodologies, both specific to a particular target and generic principles of fuzzing graphics subsystems.
DEFCON 25 presentation. An overview of the basis for needing memory integrity validation (secure hash) checks of a running VM. Edit memory through Python scripting. Enhance timeline assurances that you have not missed events with multiple complementary event sources.
OSMC 2016 - DNS Monitoring from Several Vantage Points by Stéphane Bortzmeyer (NETWAYS)
Stéphane Bortzmeyer works for AFNIC (the domain name registry in France) and knows DNS well. He participates in the IETF and has written two RFCs (on DNS privacy). He monitors his machines with Icinga on a Raspberry Pi and is a big fan of RIPE Atlas (further articles at labs.ripe.net).
Unpack your troubles*: .NET packer tricks and countermeasures (ESET)
Nowadays, .NET samples are increasingly common, necessitating specialized techniques for processing and analysis, especially when obfuscation is used: .NET packers have many tricks up their sleeves, but fortunately we do too.
*https://en.wikipedia.org/wiki/Pack_Up_Your_Troubles_in_Your_Old_Kit-Bag
Steelcon 2015 - 0wning the internet of trash (infodox)
My presentation slides from Steelcon 2015 on "Owning the Internet of Trash", a presentation on exploitation of endemic vulnerabilities in the so-called "internet of things", with a focus on finding vulnerabilities in, exploiting, and gaining persistent access to routers and other such embedded devices.
This talk was recorded (a video will be linked soonish) and went over some basics of analysing firmware, hardware, and suchlike to find bugs in things and hack the planet!
Your data is much safer at home than it is letting some corporation "take care of it" for you, right? Security reviews for some of the top vendors' devices reveal many interesting findings. Like everything else, there are bugs. But knowing what kinds of bugs and how the vendors have responded will allow you to better understand the impact of plugging these devices into your network. Jeremy will show you just how low access control and least privilege are on their list of priorities. He'll also explore the amount of test collateral and debug interfaces sloppily left shipping to consumers. From remote roots to stealing social network tokens to just plain weird stuff, he'll expand on how it's not just about what they do, but also what they don't do. And, he'll give you some useful guidelines on how to close the gaps yourself.
Blackhat Arsenal 2011
Collaborative Penetration Test Vulnerability Management Platform: an integrated multiuser risk environment that maps and leverages all the knowledge you generate in real time.
A deep dive into what makes Plan 9 a unique operating system. Built as a successor to Unix at Bell Labs, Plan 9 is a distributed operating system in the true sense.
Modern Reconnaissance Phase on APT - protection layer (Shakacon)
This presentation will show how APT actors are evolving and how the reconnaissance phase is changing to protect their valuable 0-day exploits or malware frameworks. This talk will mainly focus on the usage of Office documents and watering hole attacks designed to establish whether the target is the intended one (we will mention campaigns against political or military organizations). The techniques and the obfuscation put in place by these actors will be described in detail (techniques based on Macro, JavaScript, PowerShell, Flash or Python). At the end of the presentation, we will show different mitigations to help attendees protect their users.
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software (OWASP)
Presentation of OWASP Global Chairman of the Board Martin Knobloch at the OWASP Poland meeting in Warsaw on 13 November 2018. Great review of important OWASP Projects.
OWASP Poland Day 2018 - Jakub Botwicz - AFL that you do not know
1. AFL that you (probably) do not know
Jakub Botwicz
Samsung R&D Poland
Warsaw, 10.10.2018
OWASP
Poland Day 2018
2. sudo -u jakub.botwicz whoami
• Principal Security Engineer at Samsung R&D Institute in Warsaw, Poland
• Leads a team (one of many in Samsung) of security researchers / pentesters
• PhD and MSc at Warsaw University of Technology
• 15+ years of experience - previously worked as:
‒ Developer/architect for a vendor of encryption devices
‒ Security advisor at a credit card payment company
‒ Security consultant and manager at a Big4 company
• Big enthusiast of rock climbing and active volcanoes
3. Idea of this talk
• Very small excerpt from a 4-hour afl workshop at the Defcon 26 conference
• Discuss main myths or facts about afl
• Encourage you to try using afl and to develop new features or tools
Source: Wojciech Rauner using Meme Generator
4. Fuzzing
• Fuzzing (fuzz testing):
‒ providing a large amount of random data as input to a computer program
• Infinite monkey theorem:
‒ a monkey hitting keys at random on a typewriter keyboard for an infinite amount of time will eventually type out the entire works of Shakespeare
• A monkey hitting keys on a keyboard for ∞ time will eventually:
‒ generate all possible input data
‒ find all bugs
‒ exit the vi text editor
Source: Early Office Museum Author: New York Zoological Society
5. American Fuzzy Lop
• Fuzzer created by Michał Zalewski (lcamtuf)
in the past: Security Engineer / Director at Google
now: Vice President at Snap Inc.
• Name inspired by a breed of fuzzy rabbit (see photo)
• Registered list of CVEs found using AFL: GitHub afl-cve (2017: 332 CVEs)
• Helped our team identify 60+ issues last year in different open source components
American Fuzzy Lop rabbit
Source: Wikipedia Author: Lithonius License: Public Domain
6. Myth or fact 1: afl is only for C/C++ apps
7. Myth or fact 1: afl is only for C/C++ apps
• Core project is for C/C++ applications
‒ Best support and all features
But:
• afl sister projects support other programming languages:
‒ Go (Go-fuzz by Dmitry Vyukov)
‒ Java (afl-gcj, JQF)
‒ OCaml (ocaml-afl by KC Sivaramakrishnan)
‒ Python (Python AFL by Jakub Wilk)
‒ Rust (afl.rs by Keegan McAllister)
Guess the language
Source: John Menerick DEFCON-22 "Open Source Fairy Dust"
MYTH
8. Myth or fact 2: afl is for Linux/BSD/Unix apps
9. Myth or fact 2: afl is for Linux/BSD/Unix apps
• Core project is for OSs supporting GCC or Clang
‒ Best support and all features
But:
• afl sister projects support other environments:
‒ Android – android-afl
‒ Windows binaries – WinAFL
‒ Kernel (Linux, FreeBSD, macOS, Windows): syzkaller, kAFL
‒ All other systems including embedded and IoT: QEMU emulation
Source: https://knowyourmeme.com/memes/greenochflame-wars
MYTH
10. Myth or fact 3: afl requires source code to fuzz
11. Myth or fact 3: afl requires source code to fuzz
• Instrumentation mode
‒ Requires sources to be compiled with afl wrappers
‒ Is the fastest of all modes
But there are 3 modes that do not require sources (all 3 can emulate different CPUs, e.g. ARM):
• QEMU user-mode emulation
‒ Emulates complete execution of userland applications
• Unicorn mode
‒ Allows starting from a specific stored CPU state
‒ Requires special stubs for I/O operations
• Triforce project
‒ QEMU mode with full operating system emulation
MYTH
12. Myth or fact 4: afl is harmless to your computer
13. Myth or fact 4: afl is harmless to your computer
• Fuzzing increases the rate of hardware and software issues
‒ Causes disk wear (especially for SSD drives)
‒ Can cause overheating of CPUs or power issues
• Fuzzed application can:
‒ Create or remove a large number of files
‒ Send lots of network packets
• In a pay-per-use cloud environment the cost of fuzzing can be huge!
Source: Wojciech Rauner using Meme Generator
MYTH
14. Myth or fact 5: afl is harmless to your computer
HINTs:
• Do not use sensitive production systems for fuzzing
• Understand all functions of the fuzzed program
• Run the fuzzer in a sandbox
‒ Isolate network-sending apps from networks
‒ Use a ramdisk to protect physical drives
‒ Clean the working folder after each run
• Monitor the temperature of your CPUs
• Limit maximum costs in cloud environments
Licence: CC0 Creative Commons
MYTH
15. Myth or fact 5: afl has a great GUI (interface)
16. Myth or fact 5: afl has a great GUI (interface)
• afl interface (dashboard) is:
‒ Densely packed with information
‒ Rather unfriendly at first sight
ARGUABLE
17. Myth or fact 4: afl has a great GUI (interface)
• afl interface (dashboard) is:
‒ Densely packed with information
‒ Rather unfriendly at first sight
But:
• afl has lots of visualization tools for:
‒ Showing progress of fuzzing (afl-plot)
ARGUABLE
18. Myth or fact 4: afl has a great GUI (interface)
• afl interface (dashboard) is:
‒ Densely packed with information
‒ Rather unfriendly at first sight
But:
• afl has lots of additional tools for:
‒ Showing progress of fuzzing (afl-plot)
‒ Displaying coverage of testing (afl-cov)
ARGUABLE
19. Myth or fact 4: afl has a great GUI (interface)
• afl interface (dashboard) is:
‒ Densely packed with information
‒ Rather unfriendly at first sight
But:
• afl has lots of additional tools for:
‒ Showing progress of fuzzing (afl-plot)
‒ Displaying coverage of testing (afl-cov)
‒ Analyzing unknown formats (afl-analyze) Source: https://lcamtuf.blogspot.com/2016/02/say-hello-to-afl-analyze.html
ARGUABLE
20. Myth or fact 4: afl has a great GUI (interface)
• afl interface is:
‒ Densely packed with information
‒ Rather unfriendly at first sight
But:
• afl has lots of additional tools for:
‒ Showing progress of fuzzing (afl-plot)
‒ Displaying coverage of testing (afl-cov)
‒ Analyzing unknown formats (afl-analyze)
‒ Visualizing results of fuzzing
ARGUABLE
21. Myth or fact 4: afl has a great GUI (interface)
• afl interface is:
‒ Densely packed with information
‒ Rather unfriendly at first sight
But:
• afl has lots of additional tools for:
‒ Showing progress of fuzzing (afl-plot)
‒ Displaying coverage of testing (afl-cov)
‒ Analyzing unknown formats (afl-analyze)
‒ Visualizing results of fuzzing
ARGUABLE
(Labels on the visualization screenshot: Results, Mutations, Test files)
22. Myth or fact 4: afl has a great GUI (interface)
ARGUABLE
Generate a graph showing how many new files were imported between fuzzers working in parallel
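The import graph that slide 22 describes, as an added example that is not from the talk or the afl project: afl-fuzz names a queue entry it pulled from a sibling instance (started with -M/-S against one sync directory) `id:NNNNNN,sync:<sibling>,src:NNNNNN`, with `,+cov` appended when the import also reached new coverage, so counting those names per instance gives the "who imported from whom" edges. The three queue listings below are constructed, not real fuzzing output.

```python
import re
from collections import defaultdict
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Queue entries that afl-fuzz pulled in from a sibling instance are named
#   id:NNNNNN,sync:<sibling>,src:NNNNNN[,+cov]
# Locally generated entries carry "orig:" or "src:...,op:..." and never match.
SYNC_RE = re.compile(
    r"^id:(?P<id>\d{6}),sync:(?P<source>[^,]+),src:(?P<src>\d{6})(?P<cov>,\+cov)?$"
)

# Constructed sample: what `ls out/<fuzzer>/queue` would print for three
# instances sharing one sync dir. Hand-written for the demo, not fuzzer output.
SAMPLE_QUEUES: Dict[str, List[str]] = {
    "fuzzer01": [
        "id:000000,orig:seed",
        "id:000001,src:000000,op:flip1,pos:0,+cov",
        "id:000002,sync:fuzzer02,src:000004",
        "id:000003,sync:fuzzer02,src:000007,+cov",
    ],
    "fuzzer02": [
        "id:000000,orig:seed",
        "id:000004,src:000000,op:arith8,pos:3,val:+5",
        "id:000005,sync:fuzzer01,src:000001",
        "id:000006,sync:fuzzer03,src:000002",
    ],
    "fuzzer03": [
        "id:000000,orig:seed",
        "id:000001,sync:fuzzer01,src:000001,+cov",
    ],
}


def count_imports(queues: Dict[str, Iterable[str]],
                  require_cov: bool = False) -> Dict[Tuple[str, str], int]:
    """Count synced test cases per (importer, source) pair.

    With require_cov=True only imports that also hit new coverage are counted,
    which separates mere sync traffic from imports that actually helped.
    """
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for importer, names in queues.items():
        for name in names:
            m = SYNC_RE.match(name)
            if m is None:
                continue  # locally generated case, not an import
            if require_cov and m.group("cov") is None:
                continue
            counts[(importer, m.group("source"))] += 1
    return dict(counts)


def scan_sync_dir(sync_dir: Path) -> Dict[str, List[str]]:
    """Read the queue/ listing of every instance below an afl sync directory."""
    queues: Dict[str, List[str]] = {}
    for queue_dir in sorted(sync_dir.glob("*/queue")):
        queues[queue_dir.parent.name] = sorted(
            p.name for p in queue_dir.iterdir() if p.is_file()
        )
    return queues


def render_dot(counts: Dict[Tuple[str, str], int]) -> str:
    """Emit a Graphviz digraph: edge source -> importer, labelled with the count."""
    lines = ["digraph afl_sync {"]
    for (importer, source), n in sorted(counts.items()):
        lines.append(f'  "{source}" -> "{importer}" [label="{n}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Pass the afl sync directory as the first argument; otherwise use the sample.
    queues = scan_sync_dir(Path(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_QUEUES
    print(render_dot(count_imports(queues)))
```

Pipe the output into `dot -Tpng` to get the picture; an instance whose node has no outgoing edges is contributing nothing to the others, which is the first thing to check before adding more parallel instances.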
23. Myth or fact 6: afl finds only memory issues
24. Myth or fact 6: afl finds only memory issues
• Around 80% of issues for C/C++ are memory issues
• They are frequently critical – allow Remote Code Execution
But:
• afl also finds:
‒ Logical errors – infinite loops
‒ Unhandled exceptions (crash)
• Testcases generated by afl are great for regression testing!
• Differential fuzzing with another implementation (cryptography / multimedia / packet processing)
MYTH
Source: Grasshopper shot near Miles City Mont. C.
1937 Coles Studio Glassgow Mont
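The regression use slide 24 recommends, as an added example that is not from the talk or from afl: a replay harness that feeds the files afl saved under queue/, crashes/ and hangs/ back into a target and classifies each as ok, crash (an unhandled exception, which is what python-afl reports as a crash) or hang (an infinite loop), so that after a fix every saved case must come back as ok. The target parser and the three sample cases are constructed for the demo, with two planted logic bugs; they are nobody's real code.

```python
import threading
from pathlib import Path
from typing import Callable, Dict, Iterable, List, Tuple

# Subdirectories afl-fuzz writes below its -o output directory.
AFL_SUBDIRS = ("queue", "crashes", "hangs")


def parse_records(data: bytes) -> List[bytes]:
    """Constructed target: decode [len][payload] records.

    Two planted bugs of the non-memory kinds the slide lists: a length byte of
    0 never advances (infinite loop) and a truncated payload raises (unhandled
    exception). Neither would be caught by a memory sanitizer.
    """
    out: List[bytes] = []
    pos = 0
    while pos < len(data):
        n = data[pos]
        if n == 0:
            continue  # planted bug: meant to skip padding, but pos never advances
        payload = data[pos + 1:pos + 1 + n]
        if len(payload) != n:
            raise ValueError("truncated record")  # escapes -> reported as a crash
        out.append(payload)
        pos += 1 + n
    return out


def run_case(target: Callable[[bytes], object], data: bytes,
             timeout: float = 1.0) -> str:
    """Run target(data) once; return "ok", "crash:<ExceptionType>" or "hang".

    The case runs in a daemon thread so a runaway loop cannot block the
    harness; the thread is simply abandoned, as afl abandons a child that
    exceeds its -t limit.
    """
    outcome: Dict[str, str] = {}

    def worker() -> None:
        try:
            target(data)
            outcome["status"] = "ok"
        except Exception as exc:  # any escaping exception counts as a crash
            outcome["status"] = f"crash:{type(exc).__name__}"

    t = threading.Thread(target=worker, daemon=True)
    t.start()
    t.join(timeout)
    return "hang" if t.is_alive() else outcome["status"]


def replay(target: Callable[[bytes], object], cases: Iterable[Tuple[str, bytes]],
           timeout: float = 1.0) -> Dict[str, str]:
    """Replay every (name, input) pair and return name -> outcome."""
    return {name: run_case(target, data, timeout) for name, data in cases}


def load_afl_output(out_dir: Path) -> List[Tuple[str, bytes]]:
    """Collect queue/, crashes/ and hangs/ files from an afl -o directory
    (README.txt and the .state directory are skipped)."""
    cases: List[Tuple[str, bytes]] = []
    for sub in AFL_SUBDIRS:
        d = out_dir / sub
        if d.is_dir():
            for p in sorted(d.iterdir()):
                if p.is_file() and p.name != "README.txt":
                    cases.append((f"{sub}/{p.name}", p.read_bytes()))
    return cases


def find_regressions(results: Dict[str, str]) -> List[str]:
    """After a fix every replayed afl case should be "ok"; anything else regressed."""
    return sorted(name for name, status in results.items() if status != "ok")


# Constructed stand-in for what afl would have saved for this target: the names
# follow afl's queue/crashes/hangs conventions, the contents are hand-picked.
SAMPLE_CASES: List[Tuple[str, bytes]] = [
    ("queue/id:000000,orig:seed", b"\x02ab\x01c"),
    ("crashes/id:000000,sig:06,src:000000,op:havoc,rep:4", b"\x05ab"),
    ("hangs/id:000000,src:000000,op:flip1,pos:0", b"\x00ab"),
]

if __name__ == "__main__":
    import sys
    # Pass an afl -o directory as the first argument; otherwise use the sample.
    cases = load_afl_output(Path(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CASES
    for name, status in replay(parse_records, cases, timeout=0.5).items():
        print(f"{status:18} {name}")
```

Checking the replayed afl corpus into the project's test suite turns every fuzzer finding into a permanent regression test; the same harness with two targets and a comparison of their return values is the differential setup the slide mentions.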
25. Myth or fact 7: afl can fuzz on multiple CPUs
26. Myth or fact 7: afl can fuzz on multiple CPUs
• afl can run in multiple synchronizing instances, each using one CPU
And it is even better:
• Each instance can be:
‒ a different afl branch: afl-fast, afl-rb (Rare Branches)
‒ afl running a binary with a different Sanitizer (Address, Leak or Memory Sanitizer)
• There are projects running afl on multiple servers:
‒ aflDFF (Distributed Fuzzing Framework)
‒ Distfuzz-afl
‒ roving
Source: Wojciech Rauner using Meme Generator
FACT
27. Myth or fact 8: afl will report and request CVE
28. Myth or fact 8: afl will report and request CVE
• Unfortunately NOT
• Analyzing crashes usually takes a lot of time
• Reporting a vulnerability can take even more time!
• Timeline for some of the identified issues:
‒ 1 hour – preparation of fuzzing wrapper
‒ 1 minute – fuzzing until first critical issue
‒ 2 hours – analysis of crash
‒ 3 months – waiting for response from leader of open source project
‒ 1 week – obtaining CVE
Source: Marcin Dominiak
MYTH
29. Myth or fact 9: Using afl is fun!
30. Myth or fact 9: Using afl is fun!
Source: https://knowyourmeme.com/memes/puking-rainbows
FACT
31. Summary
• afl is a very flexible and versatile fuzzer:
‒ It can be used for a wide range of languages, operating systems, or binaries only
‒ It can be easily integrated with different tools (e.g. symbolic execution)
• If you think you can't use it – think again
Source: Dobin Rutishauser - Fuzzing For Worms
http://area41.io/slides/2018/AREA41_18_Fuzzing%20For%20Worms.pdf
32. Full version of afl workshop
• This is just a very short version of a 4-hour workshop prepared together with Wojciech Rauner for the Defcon 26 conference
• Workshop slides:
https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20workshops/DEFCON-26-Workshop-Jakub-Botwicz-and-Wojciech-Rauner-Fuzzing-with-AFL-(American-Fuzzy-Lop).pdf
• Fuzzing sandbox and exercises:
https://github.com/wrauner/afl-fuzzing-training