NBTC#2 - Why instrumentation is cooler then ice
Alex Moneger
INTRODUCTION
The myth
• Fuzzing is easy
• Fuzzing is simple
• Instrumentation is left as an exercise to the reader
The truth
• Fuzzing requires effort
• Generally requires adapting the target code
• Most of the time requires building a corpus of inputs
• Requires minimizing that corpus
• Requires instrumentation, to answer:
– Did my target crash?
– On what input?
– Are my new inputs useful (do they reach new code)?
The hurdles
• Tool selection
• Tool integration
• Reliability
• Scale
• A bug found early blocks the fuzzer: every input that reaches it crashes there, so the code behind it is never exercised until the bug is fixed or patched out
INSTRUMENTATION
Before
• 2 approaches:
– Mutate data forever (randomly, byte flips, …)
– Model the data, mutate fields separately (Spike, Peach, Codenomicon, …)
• Run for some number of iterations, or until all modeled states have been exercised
• Hope for the best
Today
• Genetic algorithms => retain only the best inputs for further mutation
1. Mutate the best input
2. Send it to the target
3. Measure its impact using some metric
4. Discard or prioritize the input, back to 1.
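The four-step loop above, written out as an added example (it is not code from the talk or from any fuzzer the talk names). The target is a constructed toy parser with four nested byte checks guarding a simulated bug, and the instrumentation is Python's own sys.settrace, recording which (previous line, current line) edges the target executes; a real setup would get the same information from AFL's shared-memory bitmap, PIN, perf or similar. Inputs that execute a new edge are kept, and the best-scoring corpus entry is mutated most of the time. Because each mutation changes a single byte, the unguided variant (corpus never grows) can never get past the first check, which is the point the slide is making:

```python
import random
import sys


def target(data: bytes) -> None:
    """Constructed stand-in for the program under test.

    Four nested checks guard a simulated bug: an input must get each byte
    right, in order, to reach it. Blind single-byte mutation of a 4-byte
    seed can never get there; coverage feedback turns the search into four
    independent 1-in-256 guesses."""
    if len(data) < 4:
        return
    if data[0] == ord("F"):
        if data[1] == ord("U"):
            if data[2] == ord("Z"):
                if data[3] == ord("Z"):
                    raise RuntimeError("simulated memory corruption")


def run_with_coverage(data: bytes):
    """Run target() once and return (set of line edges executed, crashed?).

    sys.settrace is the instrumentation here: the tracer fires on every
    'line' event inside target() and records the transition from the
    previously executed line, i.e. an edge in the control flow."""
    edges = set()
    prev = None

    def tracer(frame, event, arg):
        nonlocal prev
        if frame.f_code is target.__code__ and event == "line":
            edges.add((prev, frame.f_lineno))
            prev = frame.f_lineno
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        crashed = False
    except RuntimeError:
        crashed = True
    finally:
        sys.settrace(None)
    return edges, crashed


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One mutation step: overwrite a random byte, or flip a random bit."""
    buf = bytearray(data)
    i = rng.randrange(len(buf))
    if rng.random() < 0.5:
        buf[i] = rng.randrange(256)
    else:
        buf[i] ^= 1 << rng.randrange(8)
    return bytes(buf)


def fuzz(seed: bytes, iterations: int, rng: random.Random, guided: bool = True):
    """The loop from the slide. Returns (crashing input, runs used), or
    (None, iterations) when the budget runs out.

    guided=True keeps every child that executes a new edge and mutates the
    best-scoring (most edges) corpus entry 75% of the time, a random entry
    otherwise. guided=False never grows the corpus: it only mutates the seed."""
    seed_edges, _ = run_with_coverage(seed)
    corpus = [(seed, len(seed_edges))]          # (input, score)
    seen = set(seed_edges)                      # edges covered by the corpus
    for i in range(1, iterations + 1):
        # 1. mutate the best input (with some diversity)
        if rng.random() < 0.75:
            parent = max(corpus, key=lambda c: c[1])[0]
        else:
            parent = rng.choice(corpus)[0]
        child = mutate(parent, rng)
        # 2./3. send it to the target and measure the impact
        edges, crashed = run_with_coverage(child)
        if crashed:
            return child, i
        # 4. prioritize the child only if it reached something new
        if guided and edges - seen:
            seen |= edges
            corpus.append((child, len(edges)))
    return None, iterations


def campaign(iterations: int, guided: bool = True, rng_seed: int = 1):
    """Run one deterministic campaign from the seed b'AAAA'."""
    return fuzz(b"AAAA", iterations, random.Random(rng_seed), guided)


if __name__ == "__main__":
    found, n = campaign(300_000)
    print(f"coverage-guided: {found!r} after {n} runs")
    found, n = campaign(20_000, guided=False)
    print(f"blind:           {found!r} after {n} runs")
```

With the seeded generator the guided run typically needs on the order of ten thousand executions; each byte is found independently once the input that reached the previous check has been kept.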
Code coverage
• Code coverage is the most used metric
• Tells you whether an input has triggered new code paths
• All tools try to measure code coverage one way or another
• Can be achieved through:
– dynamic binary instrumentation (PIN, DynamoRIO)
– static rewriting (Dyninst)
– kernel probing (perf)
– hardware (Intel BTS => Branch Trace Store)
How does it work
• Model control flow using basic blocks
• Discard unconditional edges (JMPs): they are always taken, so they cannot tell two inputs apart
• First approach: trace the callgraph
• But two callgraphs are hard to compare
• Best approach: retain edge counts (how many times each basic block to basic block transition was taken)
• Provides an unordered code coverage heatmap
Example callgraph
Compare code coverage maps?
• Gained edges - lost edges > 0?
• Simple, but it crushes path divergence: an input that takes a short new branch while losing a long old one scores negative even though it found new code
• Solution: keep track of interesting diverging paths (any new edge is interesting, whatever was lost)
• When there are no new edges, check the edge hit counts
• Higher hit counts mean you control a loop boundary
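The edge model from the last two slides as an added example (not code from the talk, from AFL or from any pintool): a basic-block trace is turned into an edge map, edges leaving a block that ends in an unconditional jump are dropped, raw hit counts are squashed into AFL-style buckets (1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+), and two maps are compared so that any new edge counts as interesting, and a hotter bucket on an already known edge flags a loop boundary under the input's control. The traces, block addresses and terminator labels are constructed for the example:

```python
from collections import Counter

# Upper bound of each hit-count bucket; counts above the last limit land in
# bucket 7. Bucketing makes "loop ran 5 times" and "loop ran 6 times" look
# the same while "3 times" and "40 times" still differ.
BUCKET_LIMITS = (1, 2, 3, 7, 15, 31, 127)


def bucket(count: int) -> int:
    """Map a raw hit count to its bucket index (0..7)."""
    for idx, limit in enumerate(BUCKET_LIMITS):
        if count <= limit:
            return idx
    return len(BUCKET_LIMITS)


def edge_map(trace):
    """Build {(src_block, dst_block): bucket} from a basic-block trace.

    trace is a list of (block_address, terminator). An edge leaving a block
    that ends in an unconditional 'jmp' is always taken, so it is dropped:
    it carries no information about the input."""
    counts = Counter()
    for (src, term), (dst, _) in zip(trace, trace[1:]):
        if term == "jmp":
            continue
        counts[(src, dst)] += 1
    return {edge: bucket(n) for edge, n in counts.items()}


def merge(heatmap, run_map):
    """Fold one run into the unordered heatmap: keep the hottest bucket per edge."""
    for edge, b in run_map.items():
        heatmap[edge] = max(heatmap.get(edge, -1), b)
    return heatmap


def compare(base, new):
    """Gained edges, lost edges, and shared edges whose bucket went up."""
    gained = set(new) - set(base)
    lost = set(base) - set(new)
    hotter = {e for e in set(new) & set(base) if new[e] > base[e]}
    return gained, lost, hotter


def is_interesting(base, new):
    """Should the input behind `new` stay in the queue?

    "gained - lost > 0" would discard an input that takes a short new branch
    while losing a long old one. Any new edge is kept; with no new edges, a
    hotter bucket means the input moved a loop boundary."""
    gained, lost, hotter = compare(base, new)
    if gained:
        return "new edges"
    if hotter:
        return "higher hitcount"
    return None


def loop_trace(n: int):
    """Constructed trace of a function with one loop: entry 0x1000 -> body
    0x1010 taken n times (conditional back-edge) -> 0x1020 (ends in an
    unconditional jmp) -> 0x1030 (return)."""
    return [(0x1000, "jcc")] + [(0x1010, "jcc")] * n + [(0x1020, "jmp"), (0x1030, "ret")]


# Constructed error path: the entry check fails and the function bails out.
ERROR_TRACE = [(0x1000, "jcc"), (0x1040, "jcc"), (0x1050, "ret")]


if __name__ == "__main__":
    base = edge_map(loop_trace(3))
    print("loop x3   :", base)
    print("loop x40  :", is_interesting(base, edge_map(loop_trace(40))))
    gained, lost, _ = compare(base, edge_map(ERROR_TRACE))
    print("error path: gained", len(gained), "lost", len(lost),
          "->", is_interesting(base, edge_map(ERROR_TRACE)))
```

The error-path input gains two edges and loses three, so the naive difference is negative; the divergence-aware check still keeps it. The loop input run 40 times gains nothing, but its back-edge moves from bucket 1 to bucket 6, which is exactly the "you control a loop boundary" signal.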
CORPUS MINIMIZATION
Corpus minimization
• You have collected all the xml documents or IM packets from the internet
• What is the minimal set of inputs which achieves maximal code coverage?
• Open all inputs and record code coverage
• Keep only the valuable inputs
In practice
• No open source tools to achieve this in the general case
• Notable exception, when you have source on *nix and a file-based target => afl-cmin to the rescue
• Otherwise, a good base for recording per-input coverage is runtracer, drcov or the coco.cpp pintool
• Building the minset is up to you after that
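Building the minset once per-input coverage has been recorded, as an added example that is not the talk's code nor afl-cmin's script. Two strategies are shown: plain greedy set cover (take the input adding the most uncovered edges, smallest file on ties, until everything is covered), and a heuristic modelled on what the afl-cmin script documents (smallest input per edge, then walk the edges from rarest to most common and add the winner of each edge not yet covered). The coverage sets, file names, edge ids and sizes are constructed for the example:

```python
from collections import Counter

# Constructed recording: which edges (here just integer ids) each input hit,
# and how big each input is in bytes.
COVERAGE = {
    "a.xml": {1, 2, 3, 4, 5},   # one big file covering the whole common path
    "b.xml": {1, 2},
    "c.xml": {3, 4},
    "d.xml": {5},
    "e.xml": {6},               # the only input reaching edge 6
    "f.xml": {1, 2, 3},
}
SIZES = {"a.xml": 900, "b.xml": 100, "c.xml": 120,
         "d.xml": 50, "e.xml": 300, "f.xml": 200}


def all_edges(coverage):
    return set().union(*coverage.values())


def minset_greedy(coverage, sizes):
    """Greedy set cover: fewest files, not necessarily fewest bytes."""
    uncovered = all_edges(coverage)
    remaining = dict(coverage)
    chosen = []
    while uncovered and remaining:
        best = max(remaining,
                   key=lambda n: (len(remaining[n] & uncovered), -sizes[n]))
        gain = remaining[best] & uncovered
        if not gain:
            break
        chosen.append(best)
        uncovered -= gain
        del remaining[best]
    return chosen


def minset_cmin_style(coverage, sizes):
    """Heuristic modelled on afl-cmin (paraphrased, not its code): favours
    small files, so the result is small in bytes, not necessarily in count."""
    # pass 1: the smallest input hitting each edge wins that edge
    winner = {}
    for name in sorted(coverage, key=lambda n: (sizes[n], n)):
        for edge in coverage[name]:
            winner.setdefault(edge, name)
    # pass 2: rarest edges first; add the winner of every edge not yet covered
    hits = Counter(e for edges in coverage.values() for e in edges)
    chosen, covered = [], set()
    for edge in sorted(hits, key=lambda e: (hits[e], e)):
        if edge not in covered:
            chosen.append(winner[edge])
            covered |= coverage[winner[edge]]
    return chosen


def covered_by(names, coverage):
    return set().union(*(coverage[n] for n in names)) if names else set()


def total_size(names, sizes):
    return sum(sizes[n] for n in names)


if __name__ == "__main__":
    for fn in (minset_greedy, minset_cmin_style):
        pick = fn(COVERAGE, SIZES)
        print(f"{fn.__name__:18s} {pick}  files={len(pick)} "
              f"bytes={total_size(pick, SIZES)} "
              f"complete={covered_by(pick, COVERAGE) == all_edges(COVERAGE)}")
```

Both results cover every edge, but they are different sets: greedy keeps 2 files weighing 1200 bytes, the afl-cmin-style pass keeps 4 files weighing 570 bytes. Which one you want depends on whether the fuzzer's cost is per execution or per byte mutated.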
WHAT NOW
An application
• You want to fuzz an application/library
• What next?
A few obvious questions first
• Do you have source code?
• Where does it take input from?
– Network
– File
– …
• Do you already have valid inputs?
– Packets
– Pdf
– …
First of all
• Turn on coredumps
• Throw whatever you have at the binary
• dd if=/dev/urandom bs=1024 count=1 | nc localhost 1234
• Or mutate some corpus inputs with radamsa
• Keep the CPU busy whilst you figure out a plan
• Now think
You have source code
• Find a way to get it to work with American Fuzzy Lop (AFL)
• AFL is “batteries included”
• AFL works great:
– File input
– Amazing performance/reliability (forkserver)
– Instrumentation/stats built in (compile-time ASM instrumentation)
– Scaling (distributed fuzzing)
• Limitations:
– Network fuzzing
– Any form of daemon
Wrapping for AFL
• If the target can read from stdin or argv, you're good
• Otherwise, write a wrapper around your target functions
• read_from_stdin() { n = read(0, buf, sizeof buf); target_func(buf, n); exit(0); }
• Problem: gets complex when functions are tightly coupled (globals, complex structs, …)
No source?
• Things start to get messy
• Options:
– afl-qemu
– afl-pin
– afl-dyninst
– honggfuzz (Linux; binary-only feedback needs perf with hardware branch tracing support)
– …
Mo problem
• The idea is always the same
• Through instrumentation, get code coverage info
• Bind it somehow to AFL:
– afl-qemu => use QEMU user-mode emulation to hook BBLs
– afl-pin => use PIN to hook BBLs, no forkserver support
– afl-dyninst => static rewrite to hook BBLs
TODAY’S GAPS
Gaps
• Smart fuzzing of network daemons
• Corpus minimization
• Windows support
• Triaging (the gdb 'exploitable' plugin doesn't work on core files)
• We need to build bricks, not solutions
Reference
• Best advice on fuzzing by Ben Nagy:
http://seclists.org/dailydave/2010/q4/47

NBTC#2 - Why instrumentation is cooler then ice

14. Corpus minimization
• You have collected all xml documents or IM packets from the internet
• What is the minimal set of inputs which achieves maximal code coverage?
• Open all inputs and record code coverage
• Keep only valuable inputs

15. In practice
• No open source tools to achieve this
• Notable exception, with source on Nix for files => afl-cmin to the rescue
• Otherwise, a good base is runtracer, drcov or coco.cpp pintool
• Building the minset is up to you after that
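As an added example (not code from the talk or from afl-cmin), the script below applies the coverage-comparison rule of slide 12 and the greedy minset of slides 14 and 15 to constructed per-input edge hitcounts; the input names, edge labels and counts are invented.

```python
from collections import Counter

# Constructed sample (not real traces): per-input edge hitcounts, the shape a
# drcov/pintool run gives once aggregated per basic-block edge. All invented.
TRACES = {
    "a.xml": Counter({"main->parse": 1, "parse->tag": 3, "tag->attr": 1}),
    "b.xml": Counter({"main->parse": 1, "parse->tag": 1}),
    "c.xml": Counter({"main->parse": 1, "parse->tag": 8, "tag->attr": 2,
                      "tag->cdata": 1}),
    "d.xml": Counter({"main->parse": 1, "parse->comment": 1}),
}
# A hypothetical mutant of a.xml: no new edge, but the tag loop runs longer.
LOOPY = Counter({"main->parse": 1, "parse->tag": 5, "tag->attr": 1})


def is_interesting(best, candidate):
    """Slide 12 rule: a new edge always wins; with no new edges, a higher
    hitcount on a known edge still counts (you moved a loop boundary)."""
    gained = set(candidate) - set(best)
    if gained:
        return True, "new edges: %s" % sorted(gained)
    for edge, n in candidate.items():
        if n > best[edge]:
            return True, "hitcount %s %d->%d" % (edge, best[edge], n)
    return False, "no new coverage"


def minset(traces):
    """Greedy set cover, the idea behind afl-cmin: keep the input that adds
    the most not-yet-covered edges, repeat until nothing new is added."""
    covered, keep = set(), []
    remaining = dict(traces)
    while remaining:
        # sorted() makes ties deterministic; max() keeps the first maximum
        name = max(sorted(remaining),
                   key=lambda n: len(set(remaining[n]) - covered))
        gain = set(remaining[name]) - covered
        if not gain:
            break  # every remaining input is redundant for edge coverage
        keep.append(name)
        covered |= gain
        del remaining[name]
    return keep, covered


if __name__ == "__main__":
    keep, covered = minset(TRACES)
    print("minset: %s covers %d edges" % (keep, len(covered)))
    print(is_interesting(TRACES["a.xml"], LOOPY))
```

Real traces would come from the tools named above; only the aggregation into a Counter per input changes.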
17. An application
• You want to fuzz an application/library
• What next?

18. A few obvious questions first
• Do you have source code?
• Where does it take input from?
– Network
– File
– …
• Do you already have valid inputs?
– Packets
– Pdf
– …

19. First of all
• Turn on coredumps
• Throw whatever you have at the binary
• dd if=/dev/urandom bs=1024 count=1 | nc localhost 1234
• Or mutate some corpus inputs with radamsa
• Keep the CPU busy whilst you figure out a plan
• Now think

20. You have source code
• Find a way to get it to work with American Fuzzy Lop
• AFL is "batteries included"
• AFL works great:
– File input
– Amazing performance/reliability (forkserver)
– Instrumentation/stats built in (ASM instrumentation)
– Scaling (distributed fuzzing)
• Limitations:
– Network fuzzing
– Any form of daemon

21. Wrapping for AFL
• Target can read from stdin or argv: you're good
• Otherwise, write a wrapper around your target functions
• Read_from_stdin(char *buf) { target_func(buf); exit() }
• Problem: complex when functions are tightly coupled (globals, complex structs, …)

22. No source?
• Things start to get messy
• Options:
– Afl-qemu
– Afl-pin
– Afl-dyninst
– Honggfuzz (Linux or requires HW support)
– …

23. Mo problem
• Idea is always the same
• Through instrumentation, get code coverage info
• Bind it some way to AFL:
– AFL-qemu => Use Qemu userland to hook BBLs
– AFL-PIN => Use PIN to hook BBLs, no forkserver support
– AFL-Dyninst => static rewrite to hook BBLs

25. Gaps
• Smart fuzzing of network daemons
• Corpus minimization
• Windows support
• Triaging (exploitable doesn't work on cores)
• We need to build bricks, not solutions

26. Reference
• Best advice on fuzzing by Ben Nagy: http://seclists.org/dailydave/2010/q4/47

Editor's notes

  1. What tool does the job (Peach, AFL, libFuzzer, …)? How do I collect crashes, triage them, instrument? My fuzzer crashed after a 2-week run. How do I synchronize my fuzzers/targets? Stagefright talk at Defcon: the audience hadn't heard about AFL, and the presenter had to fix a ton of bugs for the fuzzer to make progress.
  2. Count the edges, and the variation in the edges. Example: tcp+3397 => tcp+3411 will count as 3 edges in the code coverage map.
  3. AFL is an impressive tool. Check out how it works for
  4. Building a product for fuzzing is very similar to building a product for Q&A: you need to make loosely coupled modules which can be unit tested. This makes fuzzing jobs way easier. Having a ball of code of 5M LOC with a trail of dependencies makes it very hard to fuzz.