
0-knowledge fuzzing


Slides for the 0-knowledge fuzzing presentation given at Black Hat DC 2010 by Vincenzo Iozzo


  1. 0-Knowledge Fuzzing
     Vincenzo Iozzo
     vincenzo.iozzo@zynamics.com
  2. Disclaimer
     In this talk you won't see all those formulas, formal definitions, code snippets and bullets.
     From past experience the speaker has learned that none of the aforementioned elements are useful in making people understand your idea.
     Instead you will see a lot of funny pictures, which the speaker hopes will convey the ideas explained in the talk better.
     You don't want slides like this, do you?
  3. Motivations
  4. Questions!
  5. Fuzzing
  6. How it used to be
  7. How it is today (aka the reason for this talk)
  8. Dumb fuzzing
  9. Smart fuzzing
  10. Evolutionary-based fuzzing
  11. The idea
  12. The surface
  13. We need a filter
  14. Cyclomatic complexity
  15. This one
  16. Not this one
  17. Original formula
      M = E - N + 2P
      E: number of edges
      N: number of nodes
      P: number of connected components
  18. Why? Cyclomatic number
      M = E - N + P
      (the graph-theoretic cyclomatic number; McCabe's complexity adds one edge from exit to entry per component, hence 2P)
  19. Simplify
  20. Formula
      M = E - N + 2
  21. Problem
  22. Loop detection
  23. Dominator tree
  24. Dominators
  25. Function
  26. Dominator tree
  27. Dominators
  28. Implicit loops
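The static filter of slides 14 to 28, as an added worked example in Python. This is not code from the talk or from the zynamics tooling the speaker used; the control-flow graph, its node names and edge list are constructed here for illustration. It computes the simplified cyclomatic complexity M = E - N + 2 and then finds the loops that the complexity number alone does not show, using dominators: an edge u -> v is a back edge, and therefore closes a natural loop, exactly when v dominates u. Implicit loops hidden behind calls (the REIL translation on the following slides) are not covered.

```python
"""Added example: cyclomatic complexity plus dominator-based loop detection
on a hand-built CFG. Not the talk's own code; the graph is constructed."""
from collections import deque


def cyclomatic_complexity(edges, nodes):
    """M = E - N + 2P with P = 1, the simplified formula from the slides."""
    return len(edges) - len(nodes) + 2


def dominators(nodes, edges, entry):
    """Iterative data-flow computation of dominator sets.

    dom(entry) = {entry}
    dom(n)     = {n} | intersection of dom(p) over all predecessors p of n
    """
    preds = {n: set() for n in nodes}
    for u, v in edges:
        preds[v].add(u)
    dom = {n: set(nodes) for n in nodes}   # start from the full set and shrink
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == entry:
                continue
            new = {n}
            if preds[n]:
                new |= set.intersection(*(dom[p] for p in preds[n]))
            if new != dom[n]:
                dom[n] = new
                changed = True
    return dom


def back_edges(nodes, edges, entry):
    """Edges u -> v where v dominates u; each one closes a natural loop."""
    dom = dominators(nodes, edges, entry)
    return sorted((u, v) for u, v in edges if v in dom[u])


def natural_loop(edges, back_edge):
    """All nodes of the natural loop belonging to the back edge (u -> header):
    the header plus everything that reaches u without passing the header."""
    u, header = back_edge
    preds = {}
    for a, b in edges:
        preds.setdefault(b, set()).add(a)
    body = {header, u}
    work = deque([u])
    while work:
        n = work.popleft()
        for p in preds.get(n, ()):
            if p not in body:
                body.add(p)
                work.append(p)
    return body


# Constructed sample CFG (not from a real binary): a parsing loop headed by B
# with a two-way branch inside it and an exit to F.
#   A -> B ; B -> C, B -> F ; C -> D, C -> E ; D -> B ; E -> B
NODES = ["A", "B", "C", "D", "E", "F"]
EDGES = [("A", "B"), ("B", "C"), ("B", "F"), ("C", "D"),
         ("C", "E"), ("D", "B"), ("E", "B")]


def score(nodes=NODES, edges=EDGES, entry="A"):
    """The filter's view of one function: complexity plus the loops it contains."""
    loops = back_edges(nodes, edges, entry)
    return {
        "complexity": cyclomatic_complexity(edges, nodes),
        "back_edges": loops,
        "loop_bodies": [sorted(natural_loop(edges, be)) for be in loops],
    }


if __name__ == "__main__":
    print(score())
```

For the constructed graph M = 7 - 6 + 2 = 3, and both edges into B are back edges, so a function with this shape passes both heuristics; a straight-line helper such as the safe_strcpy on slide 33 would score M = 1 with no loops, which is exactly why the slides call for further heuristics.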
  29. REIL
  30. This one…
  31. …to this one
  32. Is that enough?
  33. Not enough
      Of course not, more heuristics are needed:

      void *safe_strcpy(void *old_dest, void *src, int size)
      {
          void *dst = realloc(old_dest, size + 1);
          strncpy(dst, src, size);
          return dst;
      }
  34. Add your own
      For static analysis we use
  35. DEMO
  36. Questions!
  37. Data tainting
  38. Example
      Taint source
      Taint mark
      movl 0x4[eax], ebx
  39. Dytan
  40. PIN
  41. Taint sources
  42. Markings granularity
  43. Propagation
      add eax, ebx, edx
  44. Output
      Registers
      Memory locations
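The tainting section (slides 37 to 44) names the four parts of a dynamic taint tracker: sources, marking granularity, propagation and output. The following is an added example in Python of those four parts on a toy register/memory machine; it is not code from the talk, from Dytan or from PIN, and the instruction tuples, register names, addresses and input buffer are constructed for illustration. Marks are sets of input byte offsets, so a register can carry several marks at once, and the three-operand `add` mirrors the form shown on slide 43.

```python
"""Added example: a toy dynamic taint tracker. Not the talk's own code.

Instruction forms (constructed, REIL-like three-operand style):
  ("load",  dst, addr)     dst <- mem[addr]
  ("store", addr, src)     mem[addr] <- src
  ("mov",   dst, src)      dst <- src
  ("add",   dst, a, b)     dst <- a + b
  ("xor",   dst, a, b)     dst <- a ^ b
"""


class TaintMachine:
    def __init__(self):
        self.regs = {}          # register name -> byte value
        self.mem = {}           # address -> byte value
        self.reg_taint = {}     # register name -> set of input offsets (marks)
        self.mem_taint = {}     # address -> set of input offsets (marks)

    def taint_source(self, base, data):
        """Taint source: byte i of the input, stored at base+i, carries mark i."""
        for i, b in enumerate(data):
            self.mem[base + i] = b
            self.mem_taint[base + i] = {i}

    def _rt(self, r):
        return self.reg_taint.get(r, set())

    def step(self, ins):
        """Propagation rules: a destination inherits the union of its sources' marks."""
        op = ins[0]
        if op == "load":
            _, dst, addr = ins
            self.regs[dst] = self.mem.get(addr, 0)
            self.reg_taint[dst] = set(self.mem_taint.get(addr, set()))
        elif op == "store":
            _, addr, src = ins
            self.mem[addr] = self.regs.get(src, 0)
            self.mem_taint[addr] = set(self._rt(src))
        elif op == "mov":
            _, dst, src = ins
            self.regs[dst] = self.regs.get(src, 0)
            self.reg_taint[dst] = set(self._rt(src))
        elif op in ("add", "xor"):
            _, dst, a, b = ins
            va, vb = self.regs.get(a, 0), self.regs.get(b, 0)
            if op == "xor" and a == b:
                # xor r, r always yields 0: the result no longer depends on the
                # input, so the mark is dropped (the usual special case).
                self.regs[dst] = 0
                self.reg_taint[dst] = set()
            else:
                self.regs[dst] = (va + vb) & 0xFF if op == "add" else va ^ vb
                self.reg_taint[dst] = self._rt(a) | self._rt(b)
        else:
            raise ValueError("unknown instruction %r" % (op,))

    def run(self, program):
        for ins in program:
            self.step(ins)
        return self

    def report(self):
        """Output: every tainted register and memory location with its marks."""
        return {
            "regs": {r: sorted(m) for r, m in self.reg_taint.items() if m},
            "mem": {a: sorted(m) for a, m in self.mem_taint.items() if m},
        }


# Constructed input (a "file" read into memory at 0x1000) and program.
INPUT_BASE = 0x1000
INPUT = b"ABCD"
PROGRAM = [
    ("load", "eax", INPUT_BASE + 1),     # eax <- 'B', mark {1}
    ("load", "ebx", INPUT_BASE + 3),     # ebx <- 'D', mark {3}
    ("add", "edx", "eax", "ebx"),        # edx depends on both: {1, 3}
    ("mov", "ecx", "edx"),               # ecx inherits {1, 3}
    ("xor", "eax", "eax", "eax"),        # eax cleared, taint removed
    ("store", 0x2000, "ecx"),            # memory at 0x2000 is now tainted
]


def trace(program=PROGRAM, data=INPUT, base=INPUT_BASE):
    m = TaintMachine()
    m.taint_source(base, data)
    return m.run(program).report()


if __name__ == "__main__":
    print(trace())
```

Granularity is per byte of input here; a coarser tracker would mark the whole buffer with one mark and lose the information that `edx` depends on offsets 1 and 3 only, which is precisely what the fuzzer later needs to know which input bytes to mutate.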
  45. DEMO
  46. Questions!
  47. In-memory fuzzing
  48. Example
      esi = 0x30f064 (original loc)
      esi = 0x30f0A4 (fuzzed loc)
      rep movs
  49. Why?
  50. Problems
  51. Expertise and patience
  52. Memory instability
  53. False positives
  54. False negatives
  55. Mutation loop insertion
  56. Snapshot mutation restoration
  57. What do we do?
      Hook image
      Hook functions
      Hook instructions
      Hook
  58. First approach
  59. For instance…
      30f064-30f068
      0x8a Y 0x00 K
      ABCD
  60. Second approach
  61. Example
      30f064-30f068
      30f084-30f098
      0x89 K D F 0x96
      0x00 J K U Y W 0xA7
      0xB8 0x00 0x10 A T N
      0x00 0xD3
      ABCD
  62. Code coverage
  63. Score
      BBexecuted / BBtotal
      Basic blocks executed / total basic blocks
  64. Halting
      Cevil = Cgood + t
      Cevil: code coverage of the evil sample
      Cgood: code coverage of the good sample
      t: user-supplied threshold
  65. How??
      Good sample -> Score
      Evil sample -> Score
      Compare
  66. What do we use?
      Code coverage
      Faults monitor
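Slides 47 to 66 describe the in-memory fuzzing loop: snapshot, mutate the bytes the hooked function reads, run, score coverage as executed over total basic blocks, restore, and halt on the coverage condition or on a fault. The following is an added example in Python of that loop in miniature; it is not code from the talk. Process memory is a bytearray, the hooked target is a toy record parser instrumented to report the basic blocks it executes, and a fault is an exception the parser raises. The halting rule is taken literally from slide 64 (stop once the evil sample's score reaches the good sample's score plus t), and the faults monitor is treated as a second halting condition; both readings, the memory layout, the mutation dictionary and the parser are assumptions.

```python
"""Added example: a miniature in-memory fuzzing loop. Not the talk's own code;
memory layout, target parser and mutation dictionary are constructed."""

BASE = 0x10                               # where the good sample sits (assumed layout)
TOTAL_BLOCKS = 8                          # BBtotal of the toy target
INTERESTING = (0x00, 0xFF, 0x01, 0x7F)    # constructed mutation dictionary


class Monitor:
    """Code coverage plus faults monitor for one execution of the target."""

    def __init__(self):
        self.hit = set()

    def bb(self, block_id):
        """Instrumentation hook called at the start of each basic block."""
        self.hit.add(block_id)

    def score(self):
        return len(self.hit) / TOTAL_BLOCKS      # BBexecuted / BBtotal


def target(mem, base, mon):
    """Toy parser of [magic:2][len:1][flags:1][payload:len], eight basic blocks."""
    mon.bb(0)
    if mem[base:base + 2] != b"OK":
        mon.bb(1)
        return None                               # rejected early: low coverage
    mon.bb(2)
    length, flags = mem[base + 2], mem[base + 3]
    if flags & 1:
        mon.bb(3)
    if flags & 2:
        mon.bb(4)
    payload = mem[base + 4:base + 4 + length]
    if len(payload) != length:
        mon.bb(5)
        return None
    mon.bb(6)
    if flags & 4 and length > 8:
        mon.bb(7)
        raise MemoryError("simulated out-of-bounds copy")   # the fault we hunt
    return bytes(payload)


def make_memory(payload):
    """Constructed process memory holding one good sample at BASE."""
    mem = bytearray(64)
    record = b"OK" + bytes([len(payload), 0]) + payload
    mem[BASE:BASE + len(record)] = record
    return mem


def run_once(mem, base):
    """Run the hooked function once; return (coverage score, fault text or None)."""
    mon = Monitor()
    try:
        target(mem, base, mon)
        fault = None
    except MemoryError as exc:
        fault = str(exc)
    return mon.score(), fault


def fuzz(mem, base, ranges, threshold):
    """First approach from the slides: mutate one location at a time in place,
    restoring the snapshot after every run."""
    snapshot = bytes(mem)                         # snapshot before any mutation
    c_good, _ = run_once(mem, base)               # score of the good sample
    iterations = 0
    for start, end in ranges:
        for off in range(start, end):
            for value in INTERESTING:
                iterations += 1
                mem[off] = value                  # fuzzed location, in place
                c_evil, fault = run_once(mem, base)
                mem[:] = snapshot                 # restore before deciding
                result = {"iterations": iterations, "offset": off, "value": value,
                          "c_good": c_good, "c_evil": c_evil, "fault": fault}
                if fault:                         # faults monitor fired
                    return dict(result, reason="fault")
                if c_evil >= c_good + threshold:  # Cevil = Cgood + t reached
                    return dict(result, reason="coverage")
    return {"reason": "exhausted", "iterations": iterations, "c_good": c_good}


if __name__ == "__main__":
    mem = make_memory(b"ABCD")
    print(fuzz(mem, BASE, [(BASE, BASE + 4)], threshold=0.2))
```

With the four-byte sample the loop halts on the coverage rule once the flags byte is set to 0xFF (five of eight blocks against three for the good sample); with a nine-byte payload the same mutation reaches the simulated fault first. Restoring from the snapshot after every run is what keeps the memory-instability problem from slide 52 out of the picture: each iteration starts from the same state, so a crash can be attributed to one mutation.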
  67. DEMO
  68. Future: a reasoner
  69. Thanks
  70. Questions!
  71. More info
      viozzo.wordpress.com
      @_snagg
      vincenzo.iozzo@zynamics.com
