This document provides an overview of fuzzing techniques. It discusses fuzzing targets such as applications, inventory methods, classification criteria, fuzzing models including mutation and generation, understanding the target being fuzzed such as file formats or network protocols, common problems encountered, testing stages, and improvements that can be made including parallel processing and in-memory fuzzing.

1. Show me your Kung FuzzNo Con Name2011@virtualminds_es / irodriguez at virtualminds.es

2. Whoisthisguy?Iñaki RodríguezCISSP, CEHSecurity Manager at Ackstorm S.L.

3. AboutfuzzingAttempting to cause a program or network to fail by feeding it randomly (or not so) generated data.Generate a lot of craptocrashanapplication.

4. TargetsUnderstandthemostbasicconcepts of fuzzingComplexity vs KnoweldgeNotyourbussinesReal vulnerabilitiesCommonissues

5. WhyweFuzzWedon’t trust our softwareWedon’t trust ourproviders software$$$ or €€€ CorporateImage

6. SDL (securitydevelopmentlifecycle)

7. THE lab (I)Virtual ServersLot of memoryFasthard disk (SSD)Snapshotshelpstorevert

8. THE lab (II)Physical ServersOld HardwareMore isbetterYoulostsnapshotsButyouhavedeepfreezeand fssnapshots

9. SoftwareUnpackers (upx, aspack, *lordpe, *importRec, PeID …)(Un)Compressors (7zip)Sysinternal suiteApi MonitorInterpretedLanguages (perl y python)Debuggers(gdb, radare, ImmunityDebugger, Olly, …)Decompilers (Ida Free, Ida Pro $$$ y theother)

10. Some FUZZERS

11. process

12. Choosingtheapplication

13. inventoryCMDBNmap (-sV)OcsInventoryRepositories

14. AutomatinginventoryDatabaseCPE NormalizationStats (use, vulnerabilities, …)Informationfromoutside (securitylists, osvdb, nvd, …)Scripting isyourfriend

15. ClasificationcriteriaQualitativeVulnerabilitiesimpactComplexityWidelyusedPersonal preferencesCuantitativeNumber of installationsNumber of knownvulnerabilitiesAssetvalueVisibility (local, remote)Number of threats (none, few, many)

16. modeling

17. FuzzingModelsMutation (Dumbfuzzing)Generation (Smart fuzzing)

18. Mutationmodel

19. Generationmodel

20. Generationmodel

21. KnowyourenemyWhatkind of applicationis?Network ServicesWeb ApplicationsLibrariesActiveXWhatkind of inputs?Command LineFilesNetworkFormsEnvironment VariablesUrl…

22. Files (I)Ifwe are lucky, previouslydocumentedwww.wotsit.orgwww.fileformat.info010 Editor / Hexedit / Others.IfnotdocumentedThroughvalid files repositoryGoogle – ext:svgBing – type:svgReverse engineering

23. Files (II)SomeinterestingAPIsCreateFile / CloseHandle / open / closeLseekWriteFile / ReadFile / write / read

24. Files (III)eax=00000000cmpwordptr [eax+edx*2],0ffffh

25. Network services (I)Open protocols (RFC)Sniffingtrafficbetweenclient and serverWhataboutclients?Frompcaptomodel

26. Network services (II)

27. DEMO I – Network ServicesACTFAX FTP SERVER

28. Video: http://www.youtube.com/watch?v=yOKVIgZso4M

29. Python

30. Sulley

31. PaimeiLibraries (I)Probablywelldocumented“Hidden” apiExported symbolsArgumentsguessing

32. Libraries (II)

33. DEMO II – LIBRARYASPEMAIL

34. Video: http://www.youtube.com/watch?v=7DxXiChy_Oc

35. Perl

36. Vbscript

37. Do ityourself

38. WindbgActive x (I)ProbablywelldocumentedInternet Explorer onlyActiveX InterfacesAxMan / Comraider

39. Active X (II)

40. Web applications (I) Lot of documentationNotonlyurl (Headers, cookies, methods,…)Ajax / Javascript / ApptestingOWASP

41. Web applications (II)

42. CommonproblemsEncryptionChecksumUnknownformat/protocol/whateverRelationsConditionsCodecoverage

43. Testing

44. fuzzingstages

45. AND nowwhat?ResponsibledisclosureSellitExploitPatch (binaryorsource)Full disclosureIDS signature

46. ImprovementsParallelprocessingModifiedapplicationIn-memoryfuzzingReversingskillsneededCodecoverage

47. In memoryfuzzingBreakpointsub_0xC0FF33TakesnapshotChange inputInput interactionException?JumptosnapshotRestoresnapshotEnd subJumptosnapshot

48. QUESTIONS?

49. Thanks (ackstormteam)Juan CarlosFerJoan CarlesMeJoan PauXaviJordiGonzaloToniVictor