Fuzzing underestimated method of finding hidden bugs
A brief introduction to fuzzing and how to start using it.

1. FUZZING: UNDERESTIMATED METHOD OF FINDING HIDDEN BUGS
by Pawel Rzepa
2. AGENDA
• What is fuzzing?
• Mutation based (dumb) fuzzing
• Instrumented fuzzing
• Generation based (smart) fuzzing
• Fuzzing web applications
• What is the future of fuzzing?
3. BEFORE WE START… WHO AM I?
• Security engineer at Intive (Wroclaw)
• Former developer of the advanced fuzzing module in Spirent’s CyberFlood device
• Contributor to OWASP MSTG (Mobile Security Testing Guide)
• Supporter of Wroclaw OWASP meetings
4. WHAT IS FUZZING, REALLY?
“Fuzzing is a method for discovering faults in software by providing unexpected input and monitoring for exceptions.”
(from “Fuzzing: Brute Force Vulnerability Discovery”)
5. IN OTHER WORDS…
A child noticed an unwatched dad’s phone… and found a chain of instructions that crashes the phone.
6. HISTORY OF FUZZING
In 1988 Professor Barton Miller from the University of Wisconsin observed that when he was logged in over a modem during a storm, the line noise generated junk characters, and those characters caused programs to crash.
7. MUTATION / BRUTEFORCE / DUMB FUZZING
sample data -> mutations (bit flipping, byte flipping, chunk spew, …) -> fuzzed data -> program input
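The pipeline on this slide, written out as a small mutation-based fuzzer. This is an added example, not code from the talk or from Radamsa; the mutator names follow the slide, and the mutation sizes (up to 8-byte chunks, up to 3 repetitions, 3 mutations per test case) are assumptions chosen for illustration.

```python
"""Minimal mutation-based ("dumb") fuzzer: bit flips, byte flips, chunk spew
and chunk deletion applied to a valid sample. Added example, not from the
talk or from Radamsa; mutation sizes are illustrative assumptions."""
import random


def bit_flip(data, rng):
    """Flip one random bit."""
    buf = bytearray(data)
    pos = rng.randrange(len(buf))
    buf[pos] ^= 1 << rng.randrange(8)
    return bytes(buf)


def byte_flip(data, rng):
    """Overwrite one random byte with an arbitrary value."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def chunk_spew(data, rng):
    """Copy a random chunk (1-8 bytes) and insert it, repeated 1-3 times, at a
    random offset; this stretches length fields and repeats structures."""
    start = rng.randrange(len(data))
    end = min(len(data), start + rng.randrange(1, 9))
    chunk = data[start:end] * rng.randrange(1, 4)
    at = rng.randrange(len(data) + 1)
    return data[:at] + chunk + data[at:]


def chunk_delete(data, rng):
    """Drop a random chunk (1-8 bytes), but never produce an empty test case."""
    start = rng.randrange(len(data))
    end = min(len(data), start + rng.randrange(1, 9))
    if end - start >= len(data):
        return data
    return data[:start] + data[end:]


MUTATORS = [bit_flip, byte_flip, chunk_spew, chunk_delete]


def mutate(sample, seed, rounds=3):
    """Apply `rounds` randomly chosen mutators; seeded so runs are reproducible."""
    if not sample:
        raise ValueError("sample must not be empty")
    rng = random.Random(seed)
    data = sample
    for _ in range(rounds):
        data = rng.choice(MUTATORS)(data, rng)
    return data


def generate(sample, count, seed=0):
    """Produce `count` test cases from one sample, the equivalent of
    `radamsa -o fuzz_sample_%n.bin -n count sample`."""
    return [mutate(sample, seed + i) for i in range(count)]
```

Each generated case is derived from a valid sample, so most of them stay close enough to the format to get past the first few parser checks; that closeness is exactly what random bytes from /dev/urandom lack.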
8. MUTATION IN PRACTICE
More about Radamsa: https://github.com/aoh/radamsa
9. LET’S FUZZ - DUMB FUZZING
Testing robustness of Android AV to APK bombs
Target: Android AV winner at av-test.org (July 2016)
10. CREATING SAMPLE DATA
• Create fuzzed data from a sample ("$>" is the shell prompt; the sample APK is a positional argument, not a redirection target):
$> radamsa -o fuzz_sample_%n.apk -n 3000 com.appsec.appuse.apk
• Move the fuzzed data to the SD card:
$> for i in {1..3000}; do adb push fuzz_sample_$i.apk /sdcard/Download; done
• Capture logs:
$> adb logcat -v long > logs.txt
  11. 11. DUMB FUZZING - V3 AV
12-13. DUMB FUZZING - WHY NOT PERFECT?
if (VERY_RARE_CONDITION) {
    // VULNERABLE CODE
} else {
    …
}
Randomly mutated input almost never satisfies a rare condition, so the vulnerable branch is practically never reached without feedback from the program.
14. DUMB FUZZING - TCPDUMP
$> radamsa -o fuzz_sample_%n.pcap -n 3000 small_capture.pcap
$> for i in {1..3000}; do tcpdump -nr fuzz_sample_$i.pcap >> radamsa_pcap.logs 2>&1; echo "sample $i exit $?" >> radamsa_pcap.logs; done
(the loop variable is $i, not %i; stderr is captured because crash messages go there, and an exit status above 128 means tcpdump was killed by a signal, e.g. 139 for SIGSEGV)
15. LET’S FUZZ - INSTRUMENTED FUZZING
• Generates samples guided by coverage feedback and keeps those that reach new code paths
• Requires a dedicated compiler that instruments the program to record which code paths each input executes
• Much more effective than blind mutation
• Let’s take a closer look at American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/)
16. INSTRUMENTED FUZZING - PREPARATIONS
• Compile sources with afl-gcc/afl-g++:
$> CC=/path_to_AFL/afl-gcc ./configure
$> make
• Prepare a valid sample (preferably smaller than 100 KB)
• Create folders for input, output and (optionally) garbage
17. INSTRUMENTED FUZZING IN PRACTICE
$> /path_to_AFL/afl-fuzz -i ./fuzz-input/ -o ./fuzz-output/ tcpdump-4.6.2/tcpdump -nr @@
(@@ is replaced by the path of the current test case)
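The VERY_RARE_CONDITION problem of slide 12 and the coverage feedback of slides 15-17, side by side in one runnable example. This is an added example, not code from the talk or from AFL: the target function, its four-byte magic check and the use of sys.settrace as a stand-in for afl-gcc's compile-time instrumentation are all assumptions made for the demonstration.

```python
"""Added example (not from the talk or from AFL): a toy coverage-guided fuzzer
beside a blind one. Coverage comes from sys.settrace, a stand-in for the
instrumentation afl-gcc compiles into the target."""
import random
import sys

MAGIC = b"\x7fELF"


def parse(data):
    """Constructed target: only a 5-byte input starting with the ELF magic
    reaches the buggy line; an IndexError stands in for a native crash."""
    if len(data) < 5:
        return "short"
    if data[0] != MAGIC[0]:
        return "bad-magic"
    if data[1] != MAGIC[1]:
        return "bad-magic"
    if data[2] != MAGIC[2]:
        return "bad-magic"
    if data[3] != MAGIC[3]:
        return "bad-magic"
    table = [0] * 4
    return table[data[4] + 4]  # VULNERABLE CODE: index is always out of range


def run_with_coverage(func, data):
    """Execute func(data) and record which of its lines ran."""
    lines = set()
    code = func.__code__

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None  # do not trace other functions
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        func(data)
        crashed = False
    except Exception:
        crashed = True
    finally:
        sys.settrace(None)
    return frozenset(lines), crashed


def byte_flip(data, rng):
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def dumb_fuzz(seed_input, budget, seed=0):
    """Mutate the seed blindly; without feedback, partial progress is never kept."""
    rng = random.Random(seed)
    for _ in range(budget):
        data = seed_input
        for _ in range(rng.randint(1, 4)):
            data = byte_flip(data, rng)
        try:
            parse(data)
        except Exception:
            return data
    return None


def coverage_fuzz(seed_input, budget, seed=0):
    """Keep every input that executes a new line and mutate the deepest one
    most of the time (a much simplified version of AFL's favored entries).
    Returns (crashing_input or None, iterations_used, corpus_size)."""
    rng = random.Random(seed)
    cov, _ = run_with_coverage(parse, seed_input)
    corpus = [(seed_input, cov)]
    seen = set(cov)
    for i in range(1, budget + 1):
        if rng.random() < 0.9:
            parent = max(corpus, key=lambda entry: len(entry[1]))[0]
        else:
            parent = rng.choice(corpus)[0]
        data = byte_flip(parent, rng)
        cov, crashed = run_with_coverage(parse, data)
        if crashed:
            return data, i, len(corpus)
        if not cov <= seen:  # a new line was reached: this input is worth keeping
            seen |= cov
            corpus.append((data, cov))
    return None, budget, len(corpus)
```

Each magic byte the blind fuzzer gets right is thrown away on the next iteration, so it needs all four at once (roughly one chance in 2^32 per try). The coverage-guided loop notices that a correct first byte executes a line it has not seen before, keeps that input, and solves the check one byte at a time in a few thousand iterations.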
20. COOL STORY BRO, BUT MY PROGRAM ISN’T WRITTEN IN C…
• AFL is so good that the community has created many ports of it for other languages and environments. Check them out here: https://github.com/mirrorer/afl/blob/master/docs/sister_projects.txt
• Still doesn’t suit your needs? Then write your own fuzzer!
21. HOW TO FUZZ NETWORK PROTOCOLS?
Will it work???
$> while true; do cat /dev/urandom | nc -vv ftp.hq.nasa.gov 21; done
FAIL
22. LIMITATIONS OF DUMB FUZZING (1)
• Non-compliant types: mutated bytes no longer match the type a field expects, so the parser rejects the input at the first check
23. LIMITATIONS OF DUMB FUZZING (2)
• Non-compliant fixups (checksum, length etc.): a mutation invalidates the checksum or length field, and the message is discarded before it reaches any deeper code
24. LIMITATIONS OF DUMB FUZZING (3)
• Unsupported relationships: dependencies between fields (e.g. a count field and the number of elements that follow) are not maintained
25. LIMITATIONS OF DUMB FUZZING (4)
• Unsupported program states: a stateful protocol needs a valid sequence of messages (e.g. USER and PASS before any other FTP command), which random input never produces
26. GENERATION BASED FUZZING - CREATING A MODEL (1)
• Fuzzing frameworks like Peach or Sulley require modelling each portion of the data
Peach: http://peachfuzzer.com/resources/peachcommunity
27. GENERATION BASED FUZZING - CREATING A MODEL (2)
• DataModels describe the format of each message; a StateModel combines them into the sequence of states the protocol goes through
28. GENERATION BASED FUZZING - CREATING A MODEL (3)
• You can also define a monitor for the tested process, so crashes are detected
• Finally, put all the defined parts together in a Test
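The four limitations of slides 22-25 and the model-based answer of slides 26-28, demonstrated on a constructed protocol. This is an added example, not code from the talk or from Peach: the TYPE | LEN | PAYLOAD | CRC32 framing, the HELLO-before-DATA state rule, the deliberately buggy handler and the boundary values are all assumptions made for the demonstration.

```python
"""Added example (not from the talk or from Peach): a generation-based fuzzer
for a constructed TLV-style protocol with the four things a dumb fuzzer
lacks: typed fields, fixups (length, CRC32), the relation between LEN and the
payload, and protocol state (HELLO before DATA)."""
import random
import struct
import zlib

HELLO, DATA = 1, 2


class ToyServer:
    """Constructed stateful target: TYPE(1) | LEN(2, big-endian) | PAYLOAD | CRC32(4).
    Length and CRC are checked first, the gate that stops byte-flipped input;
    the DATA handler holds a deliberate bug standing in for a crash."""

    def __init__(self):
        self.greeted = False

    def handle(self, msg):
        if len(msg) < 7:
            return "too-short"
        mtype, length = struct.unpack(">BH", msg[:3])
        if len(msg) != 3 + length + 4:
            return "bad-length"
        body, crc = msg[:3 + length], msg[3 + length:]
        if zlib.crc32(body) != struct.unpack(">I", crc)[0]:
            return "bad-crc"
        payload = body[3:]
        if mtype == HELLO:
            self.greeted = True
            return "ok-hello"
        if mtype == DATA:
            if not self.greeted:
                return "not-greeted"
            if len(payload) > 64 and payload[0] == 0xFF:
                raise RuntimeError("simulated crash")  # VULNERABLE CODE
            return "ok-data"
        return "unknown-type"


def build(mtype, payload):
    """Generation step: LEN and CRC32 are recomputed from the payload (what
    Peach expresses with Relation and Fixup elements)."""
    body = struct.pack(">BH", mtype, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body))


def dumb_fuzz(budget, seed=0):
    """Byte-flip a valid DATA message with no model and no state handling;
    returns a histogram of how the server answered."""
    rng = random.Random(seed)
    valid = build(DATA, b"x" * 70)
    outcomes = {}
    for _ in range(budget):
        buf = bytearray(valid)
        for _ in range(rng.randint(1, 3)):
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        try:
            result = ToyServer().handle(bytes(buf))
        except RuntimeError:
            result = "crash"
        outcomes[result] = outcomes.get(result, 0) + 1
    return outcomes


LENGTHS = [0, 1, 63, 64, 65, 255, 1000]  # boundary values for LEN
FIRST_BYTES = [0x00, 0x7F, 0x80, 0xFF]   # boundary values for the first payload byte


def smart_fuzz(budget, seed=0):
    """Walk the state model (HELLO, then DATA) and generate DATA payloads from
    the field model; the fixups keep every message acceptable to the parser.
    Returns (crashing_payload or None, iterations_used)."""
    rng = random.Random(seed)
    for i in range(1, budget + 1):
        length = rng.choice(LENGTHS)
        body = bytearray(rng.randrange(256) for _ in range(length))
        if body:
            body[0] = rng.choice(FIRST_BYTES)
        payload = bytes(body)
        server = ToyServer()
        if server.handle(build(HELLO, b"")) != "ok-hello":
            raise AssertionError("state model broken")
        try:
            server.handle(build(DATA, payload))
        except RuntimeError:
            return payload, i
    return None, budget
```

Nearly every byte-flipped message dies at the CRC check and none of them ever reaches the DATA handler, because no HELLO was sent; the model-driven loop gets past both gates on every iteration and only has to search the payload space.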
29. SMART FUZZING WITH PEACH
$> sudo mono Peach.exe --debug ./samples/ftp.xml
32. HOMEWORK
• Fuzz “Vulnserver”. Download from: http://sites.google.com/site/lupingreycorner/vulnserver.zip
• Write a Peach model. Refer to this tutorial: http://resources.infosecinstitute.com/fuzzing-vulnserver-with-peach-part-2/
33-37. FUZZING WEB APPLICATIONS
• Locate an input you want to fuzz
• Intercept the request (e.g. Burp Suite / OWASP ZAP)
• Define which parameter should be fuzzed
• Select a dictionary with invalid input. More sample dictionaries: https://github.com/fuzzdb-project/fuzzdb
• Find errors!
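The five steps above, run offline as one loop. This is an added example, not code from the talk, from Burp or from fuzzdb: the handler, its in-memory SQLite table, the error signatures and the payload list (written in the style of fuzzdb's SQL-injection wordlists) are constructed for the demonstration. The parameterised handler beside it shows what the same dictionary finds once the bug is fixed.

```python
"""Added example (not from the talk, Burp or fuzzdb): parameter fuzzing with a
dictionary against a constructed SQLite-backed handler, plus the hardened
version of the same handler."""
import sqlite3
from urllib.parse import parse_qs, urlencode

# Constructed payload dictionary in the style of fuzzdb's SQL-injection lists.
PAYLOADS = [
    "'",
    "''",
    "' OR '1'='1",
    "'; DROP TABLE users--",
    "\" OR 1=1--",
    "<script>alert(1)</script>",
    "../../etc/passwd",
    "A" * 1024,
]

# Substrings that betray an unhandled error in a response body (assumed list).
ERROR_SIGNATURES = ("Internal error", "syntax error", "unrecognized token", "Traceback")


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db


def vulnerable_handler(db, query_string):
    """Builds the query by string formatting (the bug). Returns (status, body)."""
    name = parse_qs(query_string).get("user", [""])[0]
    try:
        rows = db.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()
        return 200, repr(rows)
    except Exception as exc:  # a framework's catch-all 500 page
        return 500, f"Internal error: {exc}"


def hardened_handler(db, query_string):
    """Same lookup with a bound parameter; the payloads become plain data."""
    name = parse_qs(query_string).get("user", [""])[0]
    rows = db.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
    return 200, repr(rows)


def fuzz_parameter(handler, base_params, param, payloads):
    """Substitute each payload into one parameter (what Burp Intruder's Sniper
    attack does) against a fresh database, and flag two kinds of anomaly: an
    error (5xx status or an error signature in the body) and a response that
    differs from the baseline obtained with the unmodified parameters."""
    _, baseline = handler(make_db(), urlencode(base_params))
    findings = []
    for payload in payloads:
        params = dict(base_params)
        params[param] = payload
        status, body = handler(make_db(), urlencode(params))
        if status >= 500 or any(sig in body for sig in ERROR_SIGNATURES):
            findings.append((payload, "error", status))
        elif body != baseline:
            findings.append((payload, "response differs", status))
    return findings
```

Checking the response against a baseline matters as much as looking for error pages: the `' OR '1'='1` payload produces no error at all, it just returns every user, and only the comparison with the baseline reveals that.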
38. ANALYSING THE CRASH
• Every crash is at least a denial-of-service
• Not every crash can be exploited :(
• Depending on the OS, use different tools to triage a crash:
  - Microsoft !exploitable Crash Analyzer (Windows)
  - CERT “exploitable” GDB plugin (Linux)
  - Apple CrashWrangler (OS X)
39. WHY IS IT WORTH FUZZING?
• High return on investment: machine time is cheap and human time is expensive
• The human role is just to customize a fuzzer to your needs and… profit!
40. WHAT CAN YOU FUZZ?
• Literally every piece of software which accepts user input
• All kinds of apps (mobile, desktop, web, etc.)
• OS -> https://vimeo.com/129701495
• Online games -> http://bit.ly/2e0w2YO
• Bluetooth -> http://bit.ly/2dQfPqM
• HDMI -> http://bit.ly/2e0ynmA
• Fonts -> http://bit.ly/293DKE0
• Virtualization systems -> http://bit.ly/2ernSfs
…and much more!
41. WHAT CAN FUZZERS FIND?
• Buffer overruns (remote code execution)
• Deadlocks, thread hangs, unhandled exceptions (denial-of-service)
• Memory leaks, i.e. disclosure of memory contents through out-of-bounds reads (Heartbleed)
  42. 42. WHAT’S NEXT? IMPLEMENT FUZZING IN SDLC
43. FUZZING AND OTHER TESTING METHODS
• Fuzzing can find some types of bugs, but not all of them
• That means fuzzing should be treated as an ADDITIONAL method in your security tests
You still need static analysis, vulnerability assessment and penetration tests!!!
44. FUTURE OF FUZZING
• Fuzzing as a service: project Springfield (https://www.microsoft.com/en-us/springfield), later renamed Microsoft Security Risk Detection
45. FUTURE OF FUZZING
• This recalls the DARPA Cyber Grand Challenge bots: symbolic execution (e.g. angr) combined with directed fuzzing (e.g. AFL)
46. SUMMARY
• A fuzzer should contain: an input generator, a history of generated input and a process monitor
• Fuzzing discovers bugs by providing invalid input
• There are 2 main types of fuzzers:
  - generation based (requires a definition of the sample)
  - mutation based (mutates a valid sample)
• Any software can be fuzzed, so always remember about this method!
  47. 47. THANK YOU! Contact me: pawel.rzepa@owasp.org