OWASP Poland Day 2018 - Jakub Botwicz - AFL that you do not know

AFL that you (probably) do not know
Jakub Botwicz
Samsung R&D Poland
W a r s a w , 1 0 . 1 0 . 2 0 1 8
OWASP
Poland Day 2018

s u d o – u j a k u b . b o t w i c z w h o a m i
• Principal Security Engineer
at Samsung R&D Institute in Warsaw, Poland
• Leads a team (one of many in Samsung)
of security researchers / pentesters
• PhD and MSc at Warsaw University of Technology
• 15+ years experience - previously worked as:
‒ Developer/architect for vendor of encryption devices
‒ Security advisor at credit card payment company
‒ Security consultant and manager at Big4 company
• Big enthusiast of rock climbing and active vulcanoes

I d e a o f t h i s ta l k
• Very small excerpt from 4 hour afl workshop
on Defcon 26 conference
• Discuss main myths or facts about afl
• Encourage you to try use afl
and develop new features or tools
Source: Wojciech Rauner using Meme GEnerator

F u z z i n g
• Fuzzing (fuzz testing):
‒ providing large amount of random data
as input to a computer program
• Infinite monkey theorem:
‒ a monkey hitting keys at random on a typewriter
keyboard for an infinite amount of time will
eventually type out the entire works of Shakespeare
• Monkey hitting keys on a keyboard
for ∞ time will eventually:
‒ generate all possible input data
‒ finding all bugs
‒ exiting vi text editor 
Source: Early Office Museum Author: New York Zoological Society

A m e r i c a n F u z z y L o p
• Fuzzer created by Michał Zalewski (lcamtuf)
in past: Security Engineer / Director at Google
now: Vice President at Snap Inc.
• Name inspired by breed of fuzzy rabbit
(see photo)
• Registered list of CVEs found using AFL
GitHub afl-cve (2017: 332 CVE)
• Helped our team identyfing 60+ issues
last year in different open source
components
American Fuzzy Lop rabbit
Source: Wikipedia Author: Lithonius License: Public Domain

M y t h o r fa c t 1 :
a f l i s o n l y fo r C / C + + a p p s

a f l i s o n l y fo r C / C + + a p p s
• Core project is for C/C++ applications
‒ Best support and all features
But:
• afl sister projects support
other programming languages:
‒ Go (Go-fuzz by Dmitry Vyukov)
‒ Java (afl-gcj, JQF)
‒ OCaml (ocalm-afl by KC Sivaramakrishnan)
‒ Python (Python AFL by Jakub Wilk)
‒ Rust (afl.rs by Keegan McAllister)
Guess the language
Source: John Menerick DEFCON-22 "Open Source Fairy Dust"
MYTH

a f l i s fo r L i n u x / B S D / U n i x a p p s

a f l i s fo r L i n u x / B S D / U n i x a p p s
• Core project is for OSs supporting GCC or Clang
‒ Best support and all features
But:
• afl sister projects support other environments:
‒ Android – android-afl
‒ Windows binaries – WinAFL
‒ Kernel (Linux, FreeBSD, macOS, Windows):
‒ syzkaller
‒ kAFL
‒ All other systems including embedded and IoT:
‒ QEmu emulation
Source: https://knowyourmeme.com/memes/greenochflame-wars
MYTH

a f l r e q u i r e s s o u r c e c o d e t o f u z z

a f l r e q u i r e s s o u r c e c o d e t o f u z z
• Instrumentation mode
‒ requires sources to be compiled with afl wrappers
‒ Is fastest of all modes
But there are 3 modes that do not requires sources:
‒ All 3 modes can emulate different CPUs (e.g. ARM)
• QEmu user-mode emulation
‒ Emulate complete execution of userland applications
• Unicorn mode
‒ Allows to start from specific stored state of CPU
‒ Requires special stubs for I/O operations
• Triforce project
‒ QEmu mode with full operating system emulation
MYTH

a f l i s h a r m l e s s t o y o u r c o m p u t e r

• Fuzzing increase rate of hardware
and software issues
‒ Causes disc wearing
(especially for SSD drives)
‒ Can cause overheating CPUs or power
• Fuzzed application can:
‒ Create or remove large number of files
‒ Send lots of network packets
• In pay-per-use cloud environment
costs of fuzzing can be huge!
MYTH

HINTs:
• Do not use sensitive production systems for fuzzing
• Understand all functions of fuzzed program
• Run fuzzer in sandbox
‒ Isolate network sendings apps from networks
‒ Use ramdisk to protect physical drives
‒ Clean working folder after each run
• Monitor temperature of your CPUs
• Limit maximum costs in cloud environments
Licence: CC0 Creative Commons
MYTH

a f l h a s g re at G U I ( i nte r fa c e )

• afl interface (dashboard) is:
‒ Densly packed with information
‒ Rather unfriendly at first sight
ARGUABLE

But:
• afl has lots of visualization tools for:
‒ Showing progress of fuzzing (afl-plot)
ARGUABLE

But:
• afl has lots of additional tools for:
‒ Display coverage of testing (afl-cov)
ARGUABLE

But:
‒ Analyze unknown formats (afl-analyze) Source: https://lcamtuf.blogspot.com/2016/02/say-hello-to-afl-analyze.html
ARGUABLE

• afl interface is:
But:
‒ Analyze unknown formats (afl-analyze)
‒ Visualize results of fuzzing
ARGUABLE

• afl interface is:
But:
‒ Analyze unknown formats (afl-analyze)
‒ Visualize results of fuzzing
ARGUABLE
Results
Mutations
Test files

ARGUABLE
Generate graph
showing how many
new files were
imported between
each fuzzers
working in parallel

a f l f i n d s o n l y m e m o r y i s s u e s

a f l f i n d s o n l y m e m o r y i s s u e s
• Around 80% issues for C/C++ are memory issues
• They are frequently critical – allows Remote Code Execution
But:
• afl also finds:
‒ Logical errors – infinite loops
‒ Unhandled exceptions (crash)
• Testcases generated by afl are great for regression testing!
• Differential fuzzing with another implementation
(cryptography / multimedia / packet processing)
MYTH
Source: Grasshopper shot near Miles City Mont. C.
1937 Coles Studio Glassgow Mont

a f l c a n f u z z o n m u l t i p l e C P U s

a f l c a n f u z z o n m u l t i p l e C P U s
• afl can run in multiple synchronizing
instances each using one CPU
And it is even better:
• Each instance can be:
‒ different afl branch: afl-fast, afl-rb
(Rare Branches)
‒ afl running binary with different Sanitizer
(Address, Leak or Memory Sanitizer)
• There are projects running afl on multiple servers:
‒ aflDFF (Distributed Fuzzing Framework)
‒ Distfuzz-afl
‒ roving
FACT

a f l w i l l r e p o r t a n d r e q u e s t C V E

a f l w i l l r e p o r t a n d r e q u e s t C V E
• Unfortunately NOT 
• Analyzing crashes usually takes a lot of time
• Reporting vulnerability can take even more
time!
• Timeline for some of identified issues:
‒ 1 hour – preparation of fuzzing wrapper
‒ 1 minute – fuzzing until first critical issue
‒ 2 hours – analysis of crash
‒ 3 months – waiting for response from leader
of open source project
‒ 1 week – obtaining CVE
Source: Marcin Dominiak
MYTH

U s i n g a f l i s f u n !

U s i n g a f l i s f u n !
Source: https://knowyourmeme.com/memes/puking-rainbows
FACT

S u m ma r y
• afl is very flexible and versatile fuzzer:
• It is possible to use for wide range
of languages, operating systems
or only binaries
• Can be easily integrated
with different tools
(e.g. symbolic execution)
• If you think you can’t use it – think again 
Source: Dobin Rutishauser - Fuzzing For Worms
http://area41.io/slides/2018/AREA41_18_Fuzzing%20For%20Worms.pdf

F u l l v e rs i o n o f a f l wo r ks h o p
• This is just a very short version of 4 hour workshop
prepared together with Wojciech Rauner for Defcon 26 conference
• Workshop slides:
• https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20wo
rkshops/DEFCON-26-Workshop-Jakub-Botwicz-and-Wojciech-Rauner-
Fuzzing-with-AFL-(American-Fuzzy-Lop).pdf
• Fuzzing sandbox and excercises:
• https://github.com/wrauner/afl-fuzzing-training

OWASP Poland Day 2018 - Jakub Botwicz - AFL that you do not know

Recommended

Recommended

More Related Content

What's hot

What's hot (10)

Similar to OWASP Poland Day 2018 - Jakub Botwicz - AFL that you do not know

Similar to OWASP Poland Day 2018 - Jakub Botwicz - AFL that you do not know (20)

More from OWASP

More from OWASP (20)

Recently uploaded

Recently uploaded (20)

OWASP Poland Day 2018 - Jakub Botwicz - AFL that you do not know