Beyond the Tip of the Iceberg
Fuzzing Binary Protocols for Deeper Code Coverage
Mrityunjay Gautam, Alex Moneger
Who are we?
• Security Engineers at Citrix Systems, Inc.
• Interest in low level topics (crypto, fuzzing, exploit dev)
Disclaimer
The views expressed herein are personal and stated in our
individual capacity and in no way a statement or position of
Citrix Systems, Inc.
Agenda
1. State of Fuzzers and Fuzzing Technology
2. Code Coverage based Fuzzers – AFL, et al
3. Binary Code Tracing: Gate Function
4. Applications to fuzzing – Feedback Loop
5. PoC Demo – Toy Example
6. Heuristic based Protocol Analysis
FUZZING AS WE KNEW IT
Fuzzing: Myths Vs Reality
• Myth: “fuzzing is easy”:
– flip some bits
– Collect bugs
• Reality: “fuzzing is complex”:
– Identifying target functions & writing wrapper code
– Building and minimizing a corpus
– Minimizing test-cases
– Instrumentation:
• Is input X better than Y?
• Did my application crash on input X or Y?
File format fuzzing
• Lots of focus on parsers:
– American Fuzzy Lop
– Honggfuzz
• Handling network code with them is tricky
Network fuzzing
• Still stuck modeling protocols
• Still slow
• Still requires some sort of agent to detect crashes
• We’re still blind fuzzing
• Yet, network stack is a target of choice
• We need more balance
Historically…
• 2 approaches:
– Mutate data forever (randomly, byte flip, …)
– Model data, mutate fields separately (Spike, Peach, Codenomicon, …): anyone written a complex Peach pit?
• Run for some iterations or until all states are modeled
• Hope for the best
• Claim that you have covered 10^n iterations and feel good about it
FUZZING TODAY
Today
Genetic algorithms => retain only best input for further ‘mutation’
1. Mutate best input
2. Send to target
3. Measure fitness() based on Heuristics
4. Discard or prioritize input, back to 1.
We know how inputs affect target!
Fitness Heuristic: Code coverage
• Code coverage is the most used metric
• Tells you if an input has triggered new code paths
• All tools try to measure code coverage one way or another
• Can be achieved by:
– Binary instrumentation (PIN, DynamoRIO)
– Static rewriting (Dyninst)
– Kernel probing (perf)
– HW (Intel BTS => Branch Trace Store)
How does it work?
• Model control flow using basic blocks:
• Discard unconditional edges (JMPs)
• Retain edge count
• Provides an unordered code coverage map
• Coverage maps are sets of edges (with hit counts) which can be compared:
– 0x08040302 => 0x08040301 : 1
– 0x0804030b => 0x08040404 : 5
[Figure: two basic blocks, 0x08040302 and 0x08040301, joined by one edge]
Thanks AFL
• AFL revolutionized fuzzing
• “Batteries included” fuzzer
• Perfect balance between:
– Using build systems
– Speed
– Functionality
• Caveat: compares traces across runs:
– Target has to exit
– Has to get data off stdin
PROBLEM???
Limitations
• If you have source code, get AFL to work on packets
• Write wrappers, handle state, exit, … not pretty, but kind of works
• Tight coupling may force you to stub out functions:
– using LD_PRELOAD (see preeny)
– using the linker: -Wl,-wrap
Network daemons
• A solution could be to change the model a bit
• Keep successful AFL concepts:
– Code coverage
– Genetic algorithm
• But avoid restarting the target
• This breaks the deterministic nature of AFL
Requirements
• Improve traditional fuzzers:
– Get rid of the “try single input then check” cycle
• By borrowing from feedback driven fuzzers:
– Code coverage
– Genetic algorithm
• Do this during runtime
• Without re-spawning the target between inputs
OUR APPROACH
Observations
• Network daemon operations:
1. Do startup stuff
2. Wait for connection
  2.1. Connection establishment
  2.2. Wait for input (read)
  2.3. Process input packet
  2.4. Send something based on input (write)
  2.5. Loop from 2.2 till connection closes
3. Close (close) and go to 2.
• What code coverage do we care about?
• Trace code between first read (2.2) and last write (2.4)?
[Figure: daemon lifecycle: Startup -> Read -> Parse -> Write -> Close]
Gate functions
• Here read()/write() can be considered gates
• When you enter a gate, trace
• When you exit a gate, stop trace
• Transfer code coverage to decision maker
Generalized approach
• Trigger code coverage collection at runtime
• Based on defined “gate” syscalls, say X and Y
• When syscall X is triggered, start recording edge transitions
• When syscall Y is triggered, stop recording
• Dump trace
• Repeat
1000 feet view
• Track only network file descriptors
• Ignore I/O FDs
• Generate a hitmap at runtime through “gate” syscalls
• Dump it to fuzzer for analysis
• Fuzzer elects best input
Filtering file descriptors
• The accept() syscall returns an FD
• Track the FDs it returns
• Check whether they are passed to:
– read
– write
• Stop tracking on close()
[Figure: Accept returns FDs; the Read(6)/Write(6) and Read(9)/Write(9) gate pairs each feed the aggregate map]
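The FD filtering and gate logic described above, written out as an added example (this is not netcov's Pin tool, which does this inside the traced process; here the syscalls and edge transitions arrive as a constructed event stream). It shows the parts the slides list: only FDs returned by accept() are tracked, a read() on a tracked FD opens a gate, edges are counted per gate, a write() on the same FD closes the gate and emits that FD's map, close() drops the FD, and writes to other FDs (stdout) are ignored. Threads are identified by a thread id so two concurrent connections get separate maps; the event tuple shape is our own.

```python
from collections import defaultdict

# Constructed event stream standing in for what the Pin tool observes at
# runtime: syscalls (with the calling thread id and the fd involved) and
# basic-block edge transitions. Two connections, fd 6 and fd 9, are served
# concurrently by threads 1 and 2; thread 1 also writes to stdout (fd 1).
EVENTS = [
    ("accept", 1, 6),                          # accept() returned fd 6
    ("accept", 2, 9),                          # accept() returned fd 9
    ("read", 1, 6),                            # gate opens for fd 6 (thread 1)
    ("edge", 1, "parse+0x10", "parse+0x24"),
    ("read", 2, 9),                            # gate opens for fd 9 (thread 2)
    ("edge", 2, "parse+0x10", "parse+0x40"),
    ("edge", 1, "parse+0x24", "parse+0x40"),
    ("write", 1, 1),                           # stdout: not a network fd, ignored
    ("edge", 1, "parse+0x40", "reply+0x00"),
    ("write", 1, 6),                           # gate closes: map for fd 6 emitted
    ("edge", 1, "reply+0x00", "reply+0x08"),   # outside a gate: not recorded
    ("write", 2, 9),                           # map for fd 9 emitted
    ("read", 1, 6),                            # second request on fd 6
    ("edge", 1, "parse+0x10", "parse+0x24"),
    ("edge", 1, "parse+0x10", "parse+0x24"),   # same edge twice: count 2
    ("write", 1, 6),
    ("close", 1, 6),                           # fd 6 leaves the tracked set
    ("close", 2, 9),
    ("read", 1, 6),                            # fd no longer tracked: no gate
]


class GateTracer:
    """Per-FD coverage maps collected between a gate-in and a gate-out syscall."""

    def __init__(self, gate_in="read", gate_out="write"):
        self.gate_in, self.gate_out = gate_in, gate_out
        self.net_fds = set()                # fds returned by accept(), minus closed ones
        self.open = {}                      # tid -> (fd, hitmap) while inside a gate
        self.maps = []                      # (fd, hitmap) for every completed gate
        self.aggregate = defaultdict(int)   # union of all maps: edge -> total count

    def feed(self, ev):
        kind, tid = ev[0], ev[1]
        if kind == "accept":
            self.net_fds.add(ev[2])
        elif kind == self.gate_in and ev[2] in self.net_fds:
            self.open[tid] = (ev[2], defaultdict(int))
        elif kind == "edge" and tid in self.open:
            self.open[tid][1][(ev[2], ev[3])] += 1
        elif kind == self.gate_out and tid in self.open and ev[2] == self.open[tid][0]:
            fd, hitmap = self.open.pop(tid)
            self.maps.append((fd, dict(hitmap)))
            for edge, n in hitmap.items():
                self.aggregate[edge] += n
        elif kind == "close":
            self.net_fds.discard(ev[2])
            if tid in self.open and self.open[tid][0] == ev[2]:
                self.open.pop(tid)          # connection dropped mid-gate: drop partial map


def trace(events, gate_in="read", gate_out="write"):
    """Run the tracer over an event stream and return it with maps filled in."""
    tracer = GateTracer(gate_in, gate_out)
    for ev in events:
        tracer.feed(ev)
    return tracer


if __name__ == "__main__":
    t = trace(EVENTS)
    for fd, hitmap in t.maps:
        print(f"fd {fd}: " + ";".join(f"{s}->{d}:{n}" for (s, d), n in hitmap.items()))
    print("aggregate:", dict(t.aggregate))
```

Swapping the gate names to recvfrom/sendto gives the UDP variant from the later slide; the per-thread bookkeeping is what keeps the two interleaved connections from polluting each other's map.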
Coverage map
• Coverage maps are per read/write gate
• You get several maps for one connection
• Allows fuzzing a specific state
• Can also aggregate code coverage between gate functions
[Figure: one connection on fd 6: Accept, then Read(6)/Write(6), Read(6)/Write(6), Read(6)/Close(6); each read-to-write (or read-to-close) span yields its own map: Map 1, Map 2, Map 3]
Ugly diagram
[Figure: Accept => 6 adds fd 6 to the network FD list (6, 7, …, fd); Read(6) starts the heat map, the daemon does its work, Write(6) stops it, Close(6) removes the fd from the list]
UDP
• Exact same thing, but track:
– recvfrom/recvmsg
– sendto/sendmsg
• Generalization is possible to any syscall sequence
• Could use similar grammar to seccomp BPF
Netcov
• “Simple” pintool: https://github.com/alexmgr/netcov
• Generate code coverage maps at runtime
• Write them to a pipe
• Reverse of fuzzing talks, here fuzzing is up to you ;)
• Sidekick: netcallgraph:
– Generates runtime callgraph
• A dummy fuzzing example:
https://github.com/alexmgr/netcov-client
It’s a PoC…
• Limitations:
– Read hangs
– Select/poll
– No crash detection
– No ASAN to catch memory errors
– Hit map format is text based
• Works well:
– Multithreaded daemons
– Heatmap is per FD => allows concurrent fuzzing
– Mutation independent
– Source code independent
• It’s a demo, not a tool
Netcov flow
[Figure: the daemon runs under Netcov; Netcov hands the coverage protocol to the client (fuzzer, …)]
Demo
• Demo daemon, magic packet: “ABC1234567890i”:
if (read(conn_desc, buff, sizeof(buff) - 1) > 0) {
    printf("Received %s\n", buff);
    if (buff[0] == 'A') {
        printf("Took first branch\n");
        if (buff[1] == 'B') {
            printf("Took second branch\n");
            if (buff[2] == 'C') {
                printf("Took third branch\n");
                if (strncmp(buff + 3, "1234567890", 10) == 0) {
                    printf("Good job!\n");
                    char *num = buff + 13;
                    printf("Got num: %d\n", atoi(num));
                    int i = 0;
                    for (i = 0; i < atoi(num); i++) {
                        printf("%d..", i);
                    }
                    write(conn_desc, "Good job!", 10);
                }
            }
        }
    }
}
Example netcallgraph
Fuzzing demo
• Start with an input value
• Byteflip it
• Measure coverage
1. If coverage increases, keep as best input
2. Mutate
3. Repeat 1.
REAL WORLD EXAMPLE – RDP PROTOCOL
RDP – Remote Desktop Protocol
• TCP Protocol on port 3389
• Originally on Windows variants
• Ported to most Unix Environments – XRDP
• Clients available on all Linux, Mac, Windows flavors
Weaponizing the ‘netcov’ PoC
[Figure: feedback loop around the XRDP server. Send next mutated packet -> XRDP server (Netcov binary tracing, trace written to /tmp/netcovmap) -> receive binary trace between (recv, send) -> fitness function (unique code coverage) -> feedback on packet quality -> mutation strategy based on feedback -> next packet. Inputs: load RDP Wireshark trace, identify packet to play with. Also labelled: process feedback, result generation, synchronization problem]
XRDP Packet Analysis Results
Restricting the trace to libxrdp ONLY
Base Pkt:
0300002621e00000000000436f6f6b69653a206d737473686173683d0d0a0100080003000000
Baseline:
write:8=libxrdp.so.0+14816->libxrdp.so.0+14840:1;libxrdp.so.0+14840->libxrdp.so.0+14881:1;libxrdp.so.0+14881->libxrdp.so.0+47232:1;libxrdp.so.0+14904->libxrdp.so.0+14908:1;libxrdp.so.0+14908->libxrdp.so.0+14924:1;libxrdp.so.0+14924->libxrdp.so.0+14949:1;libxrdp.so.0+14949->libxrdp.so.0+14989:1;libxrdp.so.0+14989->libxrdp.so.0+15369:1;libxrdp.so.0+15348->libxrdp.so.0+15352:1;libxrdp.so.0+15352->libxrdp.so.0+14816:1;libxrdp.so.0+15369->libxrdp.so.0+15424:1;libxrdp.so.0+15424->libxrdp.so.0+15434:1;libxrdp.so.0+15434->libxrdp.so.0+47152:1;libxrdp.so.0+15446->libxrdp.so.0+15450:1;libxrdp.so.0+15450->libxrdp.so.0+47344:1;libxrdp.so.0+47152->libxrdp.so.0+47165:1;libxrdp.so.0+47165->libxrdp.so.0+15446:1;libxrdp.so.0+47232->libxrdp.so.0+47249:1;libxrdp.so.0+47249->libxrdp.so.0+47280:1;libxrdp.so.0+47280->libxrdp.so.0+14904:1;libxrdp.so.0+47280->libxrdp.so.0+15348:1;
Results
Packet 0: (To RDP Server)
[(0, 0, 'CONTROL'),
 (1, 1, 'DATA'),
 (2, 3, 'MAGIC'),
 (4, 4, 'DATA'),
 (5, 5, 'CONTROL'),
 (6, 37, 'DATA')]
XRDP Implementation Analysis
• Analysis of the 1st packet (byte numbers here are 1-based; the ranges above are 0-based):
– Byte (1) mutation leads to a control flow change
– Bytes (3,4) are the length of the packet. Verified before further processing.
– Byte (5) is the length of the x224CRQ header. Not verified before processing, which may lead to an over-read.
– Byte (6) mutation leads to a control flow change
– Bytes (7,38) are DATA. Fuzzable with different control flow bits.
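An added example covering both the "Fuzzing demo" loop and the byte classification above (not the authors' tooling). The talk gets its coverage maps from netcov traces of a real target; here a Python stand-in reproduces the branch structure of the demo daemon's C snippet and returns an edge hit-map, so everything runs offline. The classification rule is our assumption, since the slides give the results but not the rule: a byte is DATA if no single-byte change alters the map, MAGIC if every change lands on the same rejection path, and CONTROL otherwise. The greedy single-byte sweep also shows why a blind mutator plateaus: it finds 'A', 'B', 'C' one byte at a time but never gets past the 10-byte strncmp, because no single-byte change there gains coverage.

```python
import itertools

# Magic packet from the demo slide.
MAGIC_PACKET = b"ABC1234567890i"


def c_atoi(data):
    """Mimic C atoi(): skip leading whitespace, optional sign, then digits."""
    s = data.lstrip(b" \t\n\r\f\v")
    sign = 1
    if s[:1] in (b"+", b"-"):
        sign = -1 if s[:1] == b"-" else 1
        s = s[1:]
    digits = bytes(itertools.takewhile(lambda b: 0x30 <= b <= 0x39, s))
    return sign * int(digits) if digits else 0


def demo_daemon_coverage(buff):
    """Constructed stand-in for a netcov trace of the demo daemon between its
    read() and write() gates: edge label -> hit count."""
    cov = {"read->check_A": 1}
    if buff[0:1] == b"A":
        cov["check_A->check_B"] = 1
        if buff[1:2] == b"B":
            cov["check_B->check_C"] = 1
            if buff[2:3] == b"C":
                cov["check_C->strncmp"] = 1
                if buff[3:13] == b"1234567890":
                    cov["strncmp->loop"] = 1
                    n = c_atoi(buff[13:])
                    if n > 0:
                        cov["loop->body"] = n      # loop body runs n times
                    cov["loop->write"] = 1
    return cov


def merge_ranges(classes):
    """Collapse per-byte classes into (first, last, class) ranges."""
    ranges = []
    for i, kind in enumerate(classes):
        if ranges and ranges[-1][2] == kind:
            ranges[-1] = (ranges[-1][0], i, kind)
        else:
            ranges.append((i, i, kind))
    return ranges


def classify_bytes(base, target=demo_daemon_coverage):
    """Assumed rule: DATA if no single-byte change alters the map; MAGIC if
    every change lands on one identical map; CONTROL otherwise."""
    baseline = frozenset(target(base).items())
    classes = []
    for i in range(len(base)):
        outcomes = set()
        for v in range(256):
            if v == base[i]:
                continue
            mutant = base[:i] + bytes([v]) + base[i + 1:]
            outcomes.add(frozenset(target(mutant).items()))
        changed = outcomes - {baseline}
        if not changed:
            classes.append("DATA")
        elif len(changed) == 1 and baseline not in outcomes:
            classes.append("MAGIC")
        else:
            classes.append("CONTROL")
    return merge_ranges(classes)


def greedy_byte_sweep(seed, target=demo_daemon_coverage):
    """The 'Fuzzing demo' loop: try every value at every position and keep the
    mutant as best input only when it reaches edges not seen before."""
    best = bytearray(seed)
    seen = set(target(bytes(best)))
    for i in range(len(best)):
        for v in range(256):
            mutant = bytes(best[:i]) + bytes([v]) + bytes(best[i + 1:])
            cov = set(target(mutant))
            if cov - seen:                  # coverage increased: keep it
                seen |= cov
                best[i] = v
    return bytes(best), seen


if __name__ == "__main__":
    print("classes:", classify_bytes(MAGIC_PACKET + b"xx"))
    best, seen = greedy_byte_sweep(b"\x00" * 16)
    print("best input:", best, "edges:", sorted(seen))
```

For the demo packet plus two trailing filler bytes the classifier reports the first 13 bytes as MAGIC, the loop-count byte as CONTROL (different values produce different hit counts) and the trailing bytes as DATA; the greedy sweep stops at b"ABC" followed by zeros, which is the plateau that coverage feedback on a real trace (where the strncmp internals show up as edges) is meant to get past.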
Who in the room cannot write a fuzzer now?
CONCLUSION
Conclusion
• Much to do in the world of network fuzzing
• Still stuck with:
– Dumb mutation fuzzers
– Model based fuzzers
– Slowness
• We present “just” a glimpse of what CAN be achieved
Thank You

computer application and construction managementMariconPadriquez1
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024Mark Billinghurst
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerAnamika Sarkar
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catcherssdickerson1
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxk795866
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 
US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionMebane Rash
 
welding defects observed during the welding
welding defects observed during the weldingwelding defects observed during the welding
welding defects observed during the weldingMuhammadUzairLiaqat
 
Piping Basic stress analysis by engineering
Piping Basic stress analysis by engineeringPiping Basic stress analysis by engineering
Piping Basic stress analysis by engineeringJuanCarlosMorales19600
 
complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...asadnawaz62
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfAsst.prof M.Gokilavani
 
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)Dr SOUNDIRARAJ N
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncssuser2ae721
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.eptoze12
 

Dernier (20)

young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 
Correctly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleCorrectly Loading Incremental Data at Scale
Correctly Loading Incremental Data at Scale
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 
computer application and construction management
computer application and construction managementcomputer application and construction management
computer application and construction management
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptx
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of Action
 
welding defects observed during the welding
welding defects observed during the weldingwelding defects observed during the welding
welding defects observed during the welding
 
Piping Basic stress analysis by engineering
Piping Basic stress analysis by engineeringPiping Basic stress analysis by engineering
Piping Basic stress analysis by engineering
 
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
 
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.
 

BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for deeper code coverage

11. Fitness Heuristic: Code coverage
• Code coverage is the most used metric
• Tells you if an input has triggered new code paths
• All tools try to measure code coverage one way or another
• Can be achieved by:
– Binary instrumentation (PIN, DynamoRIO)
– Static rewriting (Dyninst)
– Kernel probing (perf)
– HW (Intel BTS => branch trace store)

12. How does it work
• Model control flow using basic blocks
• Discard unconditional edges (JMPs)
• Retain edge count
• Provides an unordered code coverage map
• Code coverage maps are sets which can be compared:
– 0x08040302 => 08040301 : 1
– 0x0804030b => 08040404 : 5
(diagram: basic blocks 0x08040302 and 0x08040301 joined by an edge)

13. Thanks AFL
• AFL revolutionized fuzzing
• “Batteries included” fuzzer
• Perfect balance between:
– Using build systems
– Speed
– Functionality
• Caveat: compares traces across runs:
– Target has to exit
– Has to get data off stdin
15. Limitations
• If you have source code, get AFL to work on packets
• Write wrappers, handle state, exit, … not pretty, but kind of works
• Tight coupling may force you to stub out functions:
– using LD_PRELOAD (see preeny)
– using the linker: -Wl,-wrap

16. Network daemons
• A solution could be to change the model a bit
• Keep successful AFL concepts:
– Code coverage
– Genetic algorithm
• But avoid restarting the target
• This breaks the deterministic nature of AFL

17. Requirements
• Improve traditional fuzzers:
– Get rid of the “try single input then check” cycle
• By borrowing from feedback driven fuzzers:
– Code coverage
– Genetic algorithm
• Do this at runtime
• Without re-spawning the target between inputs
19. Observations
• Network daemon operations:
1. Do startup stuff
2. Wait for connection
   2.1 Connection establishment
   2.2 Wait for input (read)
   2.3 Process input packet
   2.4 Send something based on input (write)
   2.5 Loop from 2.2 till connection closes
3. Close (close) and go to 2.
• What code coverage do we care about?
• Trace code between first read (2.2) and last write (2.4)?
(diagram: Startup -> Read -> Parse -> Write -> Close)

20. Gate functions
• Here read()/write() can be considered gates
• When you enter a gate, trace
• When you exit a gate, stop trace
• Transfer code coverage to decision maker

21. Generalized approach
• Trigger code coverage collection at runtime
• Based on defined “gate” syscalls, say X and Y
• When syscall X is triggered, start recording edge transitions
• When syscall Y is triggered, stop recording
• Dump trace
• Repeat

22. 1000 feet view
• Track only network file descriptors
• Ignore I/O FDs
• Generate a hitmap at runtime through “gate” syscalls
• Dump it to fuzzer for analysis
• Fuzzer elects best input

23. Filtering file descriptors
• accept() syscall returns FD
• Track FDs returned
• Check if they’re passed in to:
– read
– write
• Stop tracking on close()
(diagram: accept() returning FDs 6, 7, 8; Read(6)/Write(6); Read(9)/Write(9))

24. Coverage map
• Coverage maps are per read/write gate
• You get several maps for one connection
• Allows fuzzing a specific state
• Can also aggregate code coverage between gate functions
(diagram: Accept; Read(6)/Write(6) -> Map 1; Read(6)/Write(6) -> Map 2; Read(6)/Close(6) -> Map 3; Aggregate map)

25. Ugly diagram
(diagram: Accept => 6; network FD list 6, 7, …, fd; Read(6) -> Do stuff -> Write(6) -> Close(6); Heat Map)

26. UDP
• Exact same thing, but track:
– recvfrom/recvmsg
– sendto/sendmsg
• Generalization is possible to any syscall sequence
• Could use a grammar similar to seccomp BPF
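To make the FD filtering (slide 23), per-gate maps (slide 24) and the UDP generalization (slide 26) concrete, here is an added Python model. It is not netcov's code (netcov is a Pin tool); it consumes a constructed stream of syscall and basic-block edge events, tracks only FDs handed out by accept(), records edges only inside a read-to-write window on a tracked FD, and emits one map per window plus the aggregate. The event names, the symbolic offsets and the single-threaded assumption are all mine.

```python
from collections import Counter

# Constructed syscall/edge event stream (not netcov output). FD 6 is the
# network connection; FDs 0/1 are the ignored stdio descriptors.
EVENTS = [
    ("accept", 6),
    ("edge", "srv+0x10", "srv+0x20"),      # pre-read setup: not recorded
    ("read", 6),                           # data in: open the gate window
    ("edge", "parse+0x0", "parse+0x8"),
    ("edge", "parse+0x8", "parse+0x40"),
    ("write", 6),                          # response out: close window, emit map 1
    ("read", 0),                           # stdin: not a tracked FD
    ("edge", "cli+0x0", "cli+0x4"),        # dropped, no window open
    ("write", 1),
    ("read", 6),                           # second packet on the same connection
    ("edge", "parse+0x0", "parse+0x8"),
    ("edge", "parse+0x8", "parse+0x16"),
    ("write", 6),                          # map 2
    ("close", 6),                          # stop tracking FD 6
    ("read", 6),                           # FD number reused elsewhere: ignored
    ("edge", "other+0x0", "other+0x4"),
    ("write", 6),
]


class GateTracker:
    """Records edges only between an input gate and an output gate on a
    tracked network FD. Single-threaded model: one window open at a time.
    For UDP (slide 26) use open_gates=("recvfrom", "recvmsg") and
    close_gates=("sendto", "sendmsg")."""

    def __init__(self, accept=("accept", "accept4"), open_gates=("read", "recv"),
                 close_gates=("write", "send"), release=("close",)):
        self.accept, self.open_gates = accept, open_gates
        self.close_gates, self.release = close_gates, release
        self.tracked = set()   # FDs handed out by accept(), dropped on close()
        self.maps = []         # (fd, Counter{(src, dst): hits}) per gate window
        self.active = None     # (fd, Counter) while a window is open

    def feed(self, ev):
        kind = ev[0]
        if kind == "edge":
            if self.active is not None:    # outside a window, edges are discarded
                self.active[1][(ev[1], ev[2])] += 1
            return
        fd = ev[1]
        if kind in self.accept:
            self.tracked.add(fd)
        elif kind in self.open_gates and fd in self.tracked:
            self.active = (fd, Counter())
        elif kind in self.close_gates and self.active is not None and self.active[0] == fd:
            self.maps.append(self.active)
            self.active = None
        elif kind in self.release and fd in self.tracked:
            self.tracked.discard(fd)
            if self.active is not None and self.active[0] == fd:
                self.maps.append(self.active)   # closed without replying: flush window
                self.active = None

    def aggregate(self, fd):
        """Union of all windows on one connection with hit counts summed (slide 24)."""
        total = Counter()
        for f, m in self.maps:
            if f == fd:
                total.update(m)
        return total


def run(events):
    tracker = GateTracker()
    for ev in events:
        tracker.feed(ev)
    return tracker


if __name__ == "__main__":
    t = run(EVENTS)
    for i, (fd, m) in enumerate(t.maps, 1):
        print("map", i, "fd", fd, dict(m))
    print("aggregate fd 6:", dict(t.aggregate(6)))
```

Each window corresponds to one request/response state of the connection, which is what lets a fuzzer score a mutation against the state it actually exercised rather than against the whole session.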
27. Netcov
• “Simple” pintool: https://github.com/alexmgr/netcov
• Generates code coverage maps at runtime
• Writes them to a pipe
• Reverse of fuzzing talks: here fuzzing is up to you ;)
• Sidekick: netcallgraph:
– Generates runtime callgraph
• A dummy fuzzing example: https://github.com/alexmgr/netcov-client

28. It’s a PoC…
• Limitations:
– read hangs
– select/poll
– No crash detection
– No ASAN to catch memory errors
– Hit map format is text based
• Works well:
– Multithreaded daemons
– Heatmap is per FD => allows concurrent fuzzing
– Mutation independent
– Source code independent
• It’s a demo, not a tool

30. Demo
• Demo daemon, magic packet: “ABC1234567890i”:

    /* conn_desc and buff are set up by the surrounding daemon code (not shown) */
    if (read(conn_desc, buff, sizeof(buff) - 1) > 0) {
        printf("Received %s\n", buff);
        if (buff[0] == 'A') {
            printf("Took first branch\n");
            if (buff[1] == 'B') {
                printf("Took second branch\n");
                if (buff[2] == 'C') {
                    printf("Took third branch\n");
                    if (strncmp(buff + 3, "1234567890", 10) == 0) {
                        printf("Good job!\n");
                        char *num = buff + 13;
                        printf("Got num: %d\n", atoi(num));
                        int i = 0;
                        for (i = 0; i < atoi(num); i++) {
                            printf("%d..", i);
                        }
                        write(conn_desc, "Good job!", 10);
                    }
                }
            }
        }
    }

32. Fuzzing demo
• Start with an input value
• Byteflip it
• Measure coverage:
1. If coverage increases, keep as best input
2. Mutate
3. Repeat from 1.
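The loop of slide 32 run against a model of the slide 30 daemon, as an added example (it is not the talk's netcov-client code). The target is a Python function returning the set of edges the daemon's branch structure would execute for one packet; the edge labels, the all-zero seed and the per_byte_compare switch are assumptions of the example. It shows the climb through the A/B/C checks, the plateau at the 10-byte strncmp() when that comparison is one opaque block, and the climb past it when each matched byte has its own edge.

```python
def atoi(b):
    """Minimal model of C atoi(): value of leading decimal digits, else 0."""
    n = 0
    for c in b:
        if 48 <= c <= 57:
            n = n * 10 + (c - 48)
        else:
            break
    return n


def demo_target(buf, per_byte_compare=False):
    """Constructed model of the slide 30 daemon (not its code): returns the set
    of edges one packet executes. per_byte_compare=False treats strncmp() as one
    opaque block, as a library call looks to a tracer restricted to the main
    module; True gives each matched byte its own edge."""
    cov = {"read_ok"}
    if len(buf) < 1 or buf[0] != ord("A"):
        return cov
    cov.add("branch_A")
    if len(buf) < 2 or buf[1] != ord("B"):
        return cov
    cov.add("branch_B")
    if len(buf) < 3 or buf[2] != ord("C"):
        return cov
    cov.add("branch_C")
    magic = b"1234567890"
    if per_byte_compare:
        for i, m in enumerate(magic):
            if len(buf) <= 3 + i or buf[3 + i] != m:
                return cov
            cov.add("magic_byte_%d" % i)
    elif buf[3:13] != magic:
        return cov
    cov.add("magic_ok")
    n = atoi(buf[13:])
    if n > 0:
        cov.add("loop_body")
    cov.add("loop_exit")
    return cov


def fuzz(target, seed, max_rounds=100):
    """Deterministic single-byte mutation loop (slide 32): mutate the best input,
    measure coverage, keep the mutant only if it reaches never-seen edges,
    stop when a full pass over all positions and values gains nothing."""
    best = bytes(seed)
    seen = set(target(best))
    for _ in range(max_rounds):
        improved = None
        for pos in range(len(best)):
            for val in range(256):
                if val == best[pos]:
                    continue
                cand = best[:pos] + bytes([val]) + best[pos + 1:]
                cov = target(cand)
                if cov - seen:            # new edge(s): this mutant is the new best
                    seen |= cov
                    improved = cand
                    break
            if improved is not None:
                break
        if improved is None:              # plateau: no single-byte change helps
            break
        best = improved
    return best, seen


if __name__ == "__main__":
    seed = b"\x00" * 14
    print("opaque strncmp :", fuzz(demo_target, seed))
    print("per-byte compare:", fuzz(lambda b: demo_target(b, per_byte_compare=True), seed))
```

The opaque-compare run stops at `ABC` with four edges because no single byte change can satisfy all ten magic bytes at once; this is the same reason coverage-guided fuzzers struggle with checksums and multi-byte constants unless the comparison is split or the tracer also sees the library code.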
33. REAL WORLD EXAMPLE – RDP PROTOCOL

34. RDP – Remote Desktop Protocol
• TCP protocol on port 3389
• Originally on Windows variants
• Ported to most Unix environments – XRDP
• Clients available on all Linux, Mac, Windows flavors

35. Weaponizing the ‘netcov’ PoC
(diagram: load RDP Wireshark trace -> identify packet to play with -> mutation strategy, based on feedback -> send next mutated packet to XRDP server; netcov binary tracing writes the binary trace between (recv, send) to /tmp/netcovmap; fuzzer receives it, applies the fitness function (unique code coverage), and feeds back on packet quality; process feedback; result generation; synchronization problem)

36. XRDP Packet Analysis Results
• Restricting the trace to libxrdp ONLY
• Base Pkt: 0300002621e00000000000436f6f6b69653a206d737473686173683d0d0a0100080003000000
• Baseline: write:8=libxrdp.so.0+14816->libxrdp.so.0+14840:1;libxrdp.so.0+14840->libxrdp.so.0+14881:1;libxrdp.so.0+14881->libxrdp.so.0+47232:1;libxrdp.so.0+14904->libxrdp.so.0+14908:1;libxrdp.so.0+14908->libxrdp.so.0+14924:1;libxrdp.so.0+14924->libxrdp.so.0+14949:1;libxrdp.so.0+14949->libxrdp.so.0+14989:1;libxrdp.so.0+14989->libxrdp.so.0+15369:1;libxrdp.so.0+15348->libxrdp.so.0+15352:1;libxrdp.so.0+15352->libxrdp.so.0+14816:1;libxrdp.so.0+15369->libxrdp.so.0+15424:1;libxrdp.so.0+15424->libxrdp.so.0+15434:1;libxrdp.so.0+15434->libxrdp.so.0+47152:1;libxrdp.so.0+15446->libxrdp.so.0+15450:1;libxrdp.so.0+15450->libxrdp.so.0+47344:1;libxrdp.so.0+47152->libxrdp.so.0+47165:1;libxrdp.so.0+47165->libxrdp.so.0+15446:1;libxrdp.so.0+47232->libxrdp.so.0+47249:1;libxrdp.so.0+47249->libxrdp.so.0+47280:1;libxrdp.so.0+47280->libxrdp.so.0+14904:1;libxrdp.so.0+47280->libxrdp.so.0+15348:1;
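The baseline above is what the fuzzer side of slide 35 has to consume, so here is an added Python parser and fitness function for records in that shape (this is the example's code, not netcov-client's). The field layout, gate:fd=src->dst:count;..., is inferred from the printout on this slide rather than from netcov's documentation; the edge offsets in the samples come from the slide, while the +99999 edge and the libc.so.6 edge in the mutated record are constructed for the example. It also shows the "libxrdp ONLY" restriction and how comparing coverage sets (slide 12) turns into a fitness score.

```python
# Constructed samples in the "gate:fd=src->dst:count;..." shape of slide 36.
BASELINE = (
    "write:8=libxrdp.so.0+14816->libxrdp.so.0+14840:1;"
    "libxrdp.so.0+14840->libxrdp.so.0+14881:1;"
    "libxrdp.so.0+14881->libxrdp.so.0+47232:1;"
)
MUTATED = (
    "write:8=libxrdp.so.0+14816->libxrdp.so.0+14840:1;"
    "libxrdp.so.0+14840->libxrdp.so.0+14881:3;"      # known edge, hit three times
    "libxrdp.so.0+14881->libxrdp.so.0+99999:1;"      # edge absent from the baseline (made up)
    "libxrdp.so.0+47232->libc.so.6+4096:1;"          # crosses into another module (made up)
)


def parse_hitmap(line):
    """Parse one record into (gate syscall, fd, {(src, dst): hits}).
    Layout assumed from the slide's printout, not from netcov's docs."""
    gate, _, body = line.strip().partition("=")
    syscall, _, fd = gate.partition(":")
    edges = {}
    for item in body.split(";"):
        if not item:
            continue
        edge, _, count = item.rpartition(":")
        src, _, dst = edge.partition("->")
        edges[(src, dst)] = edges.get((src, dst), 0) + int(count)
    return syscall, int(fd), edges


def restrict_to(edges, module):
    """Keep only edges with both endpoints in `module` (slide 36: libxrdp ONLY)."""
    prefix = module + "+"
    return {e: n for e, n in edges.items()
            if e[0].startswith(prefix) and e[1].startswith(prefix)}


def new_edges(seen, edges):
    """Edges of this run that the fuzzer has never observed before."""
    return set(edges) - set(seen)


def fitness(seen, edges):
    """Unique-code-coverage fitness (slide 35): number of never-seen edges.
    A change in hit count on an already known edge scores zero here."""
    return len(new_edges(seen, edges))


if __name__ == "__main__":
    _, _, base = parse_hitmap(BASELINE)
    _, _, mut = parse_hitmap(MUTATED)
    print("fitness, all modules :", fitness(base, mut))
    print("fitness, libxrdp only:", fitness(base, restrict_to(mut, "libxrdp.so.0")))
    print("new libxrdp edges    :", new_edges(base, restrict_to(mut, "libxrdp.so.0")))
```

Restricting to one module is what keeps edges inside libc or the dynamic loader from being credited to a mutation; a fuzzer that counts them will happily "improve" on noise.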
37. Results
Packet 0: (To RDP Server)
[(0, 0, 'CONTROL'), (1, 1, 'DATA'), (2, 3, 'MAGIC'), (4, 4, 'DATA'), (5, 5, 'CONTROL'), (6, 37, 'DATA')]

40. XRDP Implementation Analysis
• Analysis of the 1st packet:
– Byte (1) mutation leads to control flow change
– Bytes (3,4) are the length of the packet. Verified before further processing.
– Byte (5) is the length of the x224CRQ header. Not verified before processing; may lead to an over-read.
– Byte (6) mutation leads to control flow change
– Bytes (7,38) are DATA. Fuzzable with different control flow bits.
41. Who in the room cannot write a fuzzer now?

43. Conclusion
• Much to do in the world of network fuzzing
• Still stuck with:
– Dumb mutation fuzzers
– Model based fuzzers
– Slowness
• We present “just” a glimpse of what CAN be achieved

Editor's notes

1. Count the edges, and the variation in the edges. Example: tcp+3397 => tcp+3411 will count as 3 edges in the code coverage map.