SlideShare ist ein Scribd-Unternehmen logo

The Fuzzing Project - 32C3

H
hannob

Talk about Fuzzing at the Chaos Communication Congress 2015 (32C3). The talk was part of the Free Software Foundation Europe Assembly.

Technologie
1 von 35
Downloaden Sie, um offline zu lesen
1 THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Böck https://hboeck.de/
2 WHO AM I? Hanno Böck Freelance journalist (Golem.de, Zeit Online, taz, LWN) Started Fuzzing Project November 2014 Since May 2015: Supported by Linux Foundation's Core Infrastructure Initiative
3 FUZZING? Throw garbage at software
4
5 FUZZING BINUTILS Hundreds of bugs
6 THE C PROBLEM C/C++ responsible for many common bug classes (Buffer overflows, use after free etc.) Replacing C is good, but we'll have to live with it for a while Mitigation: Good, but incomplete.
7 THE PAST Dumb fuzzing: Only finds the easy bugs Template-based fuzzing: a lot of work for each target
8 AMERICAN FUZZY LOP
9 AMERICAN FUZZY LOP (AFL) Smart fuzzing, quick and easy Code instrumentation Watches for new code paths
10
11 AFL SUCCESS STORIES Bash Shellshock variants (CVE-2014-{6277,6278}) Stagefright vulnerabilities (CVE-2015- {1538,3824,3827,3829,3864,3876,6602}) GnuPG (CVE-2015-{1606,1607,9087}) OpenSSH out-of-bounds in handshake OpenSSL (CVE-2015-{0288,0289,1788,1789,1790,3193}) BIND remote crashes (CVE-2015-{5477,2015,5986}) NTPD remote crash (CVE-2015-7855) Libreoffice GUI interaction crashes
12 FUZZING MATH 0x0505 05050505 ² mod 0x41 41414141 41414141 41412741 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41418000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000005 = 0x19324B 647D967D 644B3219 ? = 0x34 34343434 34343434 34341F67 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676774 74747474 74747474 74746F41 41414141 41417373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73738000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 0019324B 647D967D 644B321D ?
13
0x0F FFFFFFFF FFFFFFFF^0 mod 1 = 0 or 1 ?
14 15 NETTLE ECC / NIST P256 point (0xFFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF 001C2C00, 0x9731275B 8E973CEA FD8ABF5A 6E16A177 F05A3451 14FBC752 7B3A60BC 65FE606A) * 1 != point (0xFFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFE FFFFFFFF 001C2C00 , 0x9731275B 8E973CEA FD8ABF5A 6E16A177 F05A3451 14FBC752 7B3A60BC 65FE606A )
16 ADDRESS SANITIZER (ASAN) If you only take away one thing from this talk: Use Address Sanitizer! -fsanitize=address in gcc/clang
17 SPOT THE BUG! int main() { int a[2] = {1, 0}; printf("%i", a[2]); }
18
19 ADDRESS SANITIZER HELPS Finds lots of hidden memory access bugs like out of bounds read/write (Stack, Heap, Global), use-after-free etc.
20
21 FINDING HEARTBLEED WITH AFL+ASAN Small OpenSSL handshake wrapper AFL finds Heartbleed within 6 hours LibFuzzer needs just 5 Minutes
22 ADDRESS SANITIZER If ASAN catches all these typical C bugs... ... can we just use it in production?
23 ASAN IN PRODUCTION Yes, but not for free 50 - 100 % CPU and memory overhead Example: Hardened Tor Browser
24 GENTOO LINUX WITH ASAN Everything compiled with ASAN except a few core packages (gcc, glibc, dependencies)
25 FIXING PACKAGES Memory access bugs in normal operation. These need to be fixed. bash, shred, python, syslog-ng, nasm, screen, monit, nano, dovecot, courier, proftpd, claws-mail, hexchat, ...
26 PROBLEMS / CHALLENGES ASAN executable + non-ASAN library: fine ASAN library + non-ASAN executable: breaks Build system issues (mostly libtool) Custom memory management (boehm-gc, jemalloc, tcmalloc)
27 IT WORKS Running server with real webpages. But: More bugs need to be fixed.
28 OTHER TOOLS
29 KASAN AND SYZCKALLER KASAN: ASAN for the Linux Kernel. syzkaller: syscall fuzzing similar to afl
30 UNDEFINED BEHAVIOR SANITIZER (UBSAN) Finds code that is undefined in C Invalid shifts, int overflows, unaligned memory access, ... Problem: Just too many bugs, problems rare There's also TSAN (Thread sanitizer, race conditions) and MSAN (Memory Sanitizer, uninitialized memory)
31 AFL AND NETWORKING Fuzzing network connections, experimental code by Doug Birdwell Usually a bit more brittle than file fuzzing Not widely used yet
32 AFL AND ANDROID Implementation from Intel just released Promising (Stagefright) Android Security desperately needs it
33 WHAT HAS THIS TO DO WITH FREE SOFTWARE? Remember the many eyes principle? "Free software is secure - because everyone can look at the source and find the bugs." We have to actually *do* that.
34 QUESTION TO THE AUDIENCE Do you develop / maintain software? In C? Do you know / use Fuzzing and Address Sanitizer? If not: Why not?
35 THANKS FOR LISTENING Use Address Sanitizer! Fuzz your software. Questions? https://fuzzing-project.org/

Empfohlen

Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...
Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...
Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...Security Session
 
Inspector - Node.js : Notes
Inspector - Node.js : NotesInspector - Node.js : Notes
Inspector - Node.js : NotesSubhajit Sahu
 
Of tutorials v1612+
Of tutorials v1612+Of tutorials v1612+
Of tutorials v1612+Etsuji Nomura
 
The true story_of_hello_world
The true story_of_hello_worldThe true story_of_hello_world
The true story_of_hello_worldfantasy zheng
 
TLS Interception considered harmful (Chaos Communication Camp 2015)
TLS Interception considered harmful (Chaos Communication Camp 2015)TLS Interception considered harmful (Chaos Communication Camp 2015)
TLS Interception considered harmful (Chaos Communication Camp 2015)hannob
 
Library Operating System for Linux #netdev01
Library Operating System for Linux #netdev01Library Operating System for Linux #netdev01
Library Operating System for Linux #netdev01Hajime Tazaki
 
May2010 hex-core-opt
May2010 hex-core-optMay2010 hex-core-opt
May2010 hex-core-optJeff Larkin
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbgArno Huetter
 

Empfohlen

Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...
Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...
Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...Security Session
 
Inspector - Node.js : Notes
Inspector - Node.js : NotesInspector - Node.js : Notes
Inspector - Node.js : NotesSubhajit Sahu
 
Of tutorials v1612+
Of tutorials v1612+Of tutorials v1612+
Of tutorials v1612+Etsuji Nomura
 
The true story_of_hello_world
The true story_of_hello_worldThe true story_of_hello_world
The true story_of_hello_worldfantasy zheng
 
TLS Interception considered harmful (Chaos Communication Camp 2015)
TLS Interception considered harmful (Chaos Communication Camp 2015)TLS Interception considered harmful (Chaos Communication Camp 2015)
TLS Interception considered harmful (Chaos Communication Camp 2015)hannob
 
Library Operating System for Linux #netdev01
Library Operating System for Linux #netdev01Library Operating System for Linux #netdev01
Library Operating System for Linux #netdev01Hajime Tazaki
 
May2010 hex-core-opt
May2010 hex-core-optMay2010 hex-core-opt
May2010 hex-core-optJeff Larkin
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbgArno Huetter
 
Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Brendan Gregg
 
ooc - A hybrid language experiment
ooc - A hybrid language experimentooc - A hybrid language experiment
ooc - A hybrid language experimentAmos Wenger
 
ooc - A hybrid language experiment
ooc - A hybrid language experimentooc - A hybrid language experiment
ooc - A hybrid language experimentAmos Wenger
 
Cray XT Porting, Scaling, and Optimization Best Practices
Cray XT Porting, Scaling, and Optimization Best PracticesCray XT Porting, Scaling, and Optimization Best Practices
Cray XT Porting, Scaling, and Optimization Best PracticesJeff Larkin
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
Systems@Scale 2021 BPF Performance Getting Started
Systems@Scale 2021 BPF Performance Getting StartedSystems@Scale 2021 BPF Performance Getting Started
Systems@Scale 2021 BPF Performance Getting StartedBrendan Gregg
 
Parallelism in a NumPy-based program
Parallelism in a NumPy-based programParallelism in a NumPy-based program
Parallelism in a NumPy-based programRalf Gommers
 
Surge2012
Surge2012Surge2012
Surge2012davidapacheco
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
SFO15-500: VIXL
SFO15-500: VIXLSFO15-500: VIXL
SFO15-500: VIXLLinaro
 
Next Generation Indexes For Big Data Engineering (ODSC East 2018)
Next Generation Indexes For Big Data Engineering (ODSC East 2018)Next Generation Indexes For Big Data Engineering (ODSC East 2018)
Next Generation Indexes For Big Data Engineering (ODSC East 2018)Daniel Lemire
 
x86 & PE
x86 & PEx86 & PE
x86 & PEAnge Albertini
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleDefconRussia
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainSaumil Shah
 
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Yulia Tsisyk
 
Why kernelspace sucks?
Why kernelspace sucks?Why kernelspace sucks?
Why kernelspace sucks?OpenFest team
 
Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assemblyShakacon
 
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017Andrey Karpov
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCanSecWest
 
Raising the Bar on Robotics Code Quality
Raising the Bar on Robotics Code QualityRaising the Bar on Robotics Code Quality
Raising the Bar on Robotics Code QualityThomas Moulard
 
Some tales about TLS
Some tales about TLSSome tales about TLS
Some tales about TLShannob
 
Crypto workshop part 3 - Don't do this yourself
Crypto workshop part 3 - Don't do this yourselfCrypto workshop part 3 - Don't do this yourself
Crypto workshop part 3 - Don't do this yourselfhannob
 

Weitere ähnliche Inhalte

Ähnlich wie The Fuzzing Project - 32C3

Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Brendan Gregg
 
ooc - A hybrid language experiment
ooc - A hybrid language experimentooc - A hybrid language experiment
ooc - A hybrid language experimentAmos Wenger
 
ooc - A hybrid language experiment
ooc - A hybrid language experimentooc - A hybrid language experiment
ooc - A hybrid language experimentAmos Wenger
 
Cray XT Porting, Scaling, and Optimization Best Practices
Cray XT Porting, Scaling, and Optimization Best PracticesCray XT Porting, Scaling, and Optimization Best Practices
Cray XT Porting, Scaling, and Optimization Best PracticesJeff Larkin
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
Systems@Scale 2021 BPF Performance Getting Started
Systems@Scale 2021 BPF Performance Getting StartedSystems@Scale 2021 BPF Performance Getting Started
Systems@Scale 2021 BPF Performance Getting StartedBrendan Gregg
 
Parallelism in a NumPy-based program
Parallelism in a NumPy-based programParallelism in a NumPy-based program
Parallelism in a NumPy-based programRalf Gommers
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
SFO15-500: VIXL
SFO15-500: VIXLSFO15-500: VIXL
SFO15-500: VIXLLinaro
 
Next Generation Indexes For Big Data Engineering (ODSC East 2018)
Next Generation Indexes For Big Data Engineering (ODSC East 2018)Next Generation Indexes For Big Data Engineering (ODSC East 2018)
Next Generation Indexes For Big Data Engineering (ODSC East 2018)Daniel Lemire
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleDefconRussia
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainSaumil Shah
 
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Yulia Tsisyk
 
Why kernelspace sucks?
Why kernelspace sucks?Why kernelspace sucks?
Why kernelspace sucks?OpenFest team
 
Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assemblyShakacon
 
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017Andrey Karpov
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCanSecWest
 
Raising the Bar on Robotics Code Quality
Raising the Bar on Robotics Code QualityRaising the Bar on Robotics Code Quality
Raising the Bar on Robotics Code QualityThomas Moulard
 

Ähnlich wie The Fuzzing Project - 32C3 (20)

Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)
 
ooc - A hybrid language experiment
ooc - A hybrid language experimentooc - A hybrid language experiment
ooc - A hybrid language experiment
 
ooc - A hybrid language experiment
ooc - A hybrid language experimentooc - A hybrid language experiment
ooc - A hybrid language experiment
 
Cray XT Porting, Scaling, and Optimization Best Practices
Cray XT Porting, Scaling, and Optimization Best PracticesCray XT Porting, Scaling, and Optimization Best Practices
Cray XT Porting, Scaling, and Optimization Best Practices
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
 
Systems@Scale 2021 BPF Performance Getting Started
Systems@Scale 2021 BPF Performance Getting StartedSystems@Scale 2021 BPF Performance Getting Started
Systems@Scale 2021 BPF Performance Getting Started
 
Parallelism in a NumPy-based program
Parallelism in a NumPy-based programParallelism in a NumPy-based program
Parallelism in a NumPy-based program
 
Surge2012
Surge2012Surge2012
Surge2012
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
SFO15-500: VIXL
SFO15-500: VIXLSFO15-500: VIXL
SFO15-500: VIXL
 
Next Generation Indexes For Big Data Engineering (ODSC East 2018)
Next Generation Indexes For Big Data Engineering (ODSC East 2018)Next Generation Indexes For Big Data Engineering (ODSC East 2018)
Next Generation Indexes For Big Data Engineering (ODSC East 2018)
 
x86 & PE
x86 & PEx86 & PE
x86 & PE
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in style
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great Again
 
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
 
Why kernelspace sucks?
Why kernelspace sucks?Why kernelspace sucks?
Why kernelspace sucks?
 
Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assembly
 
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
 
Raising the Bar on Robotics Code Quality
Raising the Bar on Robotics Code QualityRaising the Bar on Robotics Code Quality
Raising the Bar on Robotics Code Quality
 

Mehr von hannob

Some tales about TLS
Some tales about TLSSome tales about TLS
Some tales about TLShannob
 
Crypto workshop part 3 - Don't do this yourself
Crypto workshop part 3 - Don't do this yourselfCrypto workshop part 3 - Don't do this yourself
Crypto workshop part 3 - Don't do this yourselfhannob
 
Crypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and CryptoCrypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and Cryptohannob
 
How broken is TLS?
How broken is TLS?How broken is TLS?
How broken is TLS?hannob
 
Papierlos
PapierlosPapierlos
Papierloshannob
 
Gehackte Webapplikationen und Malware
Gehackte Webapplikationen und MalwareGehackte Webapplikationen und Malware
Gehackte Webapplikationen und Malwarehannob
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverhannob
 
Stromsparen
StromsparenStromsparen
Stromsparenhannob
 
Wirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak OilWirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak Oilhannob
 

Mehr von hannob (9)

Some tales about TLS
Some tales about TLSSome tales about TLS
Some tales about TLS
 
Crypto workshop part 3 - Don't do this yourself
Crypto workshop part 3 - Don't do this yourselfCrypto workshop part 3 - Don't do this yourself
Crypto workshop part 3 - Don't do this yourself
 
Crypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and CryptoCrypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and Crypto
 
How broken is TLS?
How broken is TLS?How broken is TLS?
How broken is TLS?
 
Papierlos
PapierlosPapierlos
Papierlos
 
Gehackte Webapplikationen und Malware
Gehackte Webapplikationen und MalwareGehackte Webapplikationen und Malware
Gehackte Webapplikationen und Malware
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS server
 
Stromsparen
StromsparenStromsparen
Stromsparen
 
Wirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak OilWirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak Oil
 

Kürzlich hochgeladen

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

Kürzlich hochgeladen (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

The Fuzzing Project - 32C3

  • 1. 1 THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Böck https://hboeck.de/
  • 2. 2 WHO AM I? Hanno Böck Freelance journalist (Golem.de, Zeit Online, taz, LWN) Started Fuzzing Project November 2014 Since May 2015: Supported by Linux Foundation's Core Infrastructure Initiative
  • 4. 4
  • 6. 6 THE C PROBLEM C/C++ responsible for many common bug classes (Buffer overflows, use after free etc.) Replacing C is good, but we'll have to live with it for a while Mitigation: Good, but incomplete.
  • 7. 7 THE PAST Dumb fuzzing: Only finds the easy bugs Template-based fuzzing: a lot of work for each target
  • 9. 9 AMERICAN FUZZY LOP (AFL) Smart fuzzing, quick and easy Code instrumentation Watches for new code paths
  • 10. 10
  • 11. 11 AFL SUCCESS STORIES Bash Shellshock variants (CVE-2014-{6277,6278}) Stagefright vulnerabilities (CVE-2015- {1538,3824,3827,3829,3864,3876,6602}) GnuPG (CVE-2015-{1606,1607,9087}) OpenSSH out-of-bounds in handshake OpenSSL (CVE-2015-{0288,0289,1788,1789,1790,3193}) BIND remote crashes (CVE-2015-{5477,2015,5986}) NTPD remote crash (CVE-2015-7855) Libreoffice GUI interaction crashes
  • 12. 12 FUZZING MATH 0x0505 05050505 ² mod 0x41 41414141 41414141 41412741 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41418000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000005 = 0x19324B 647D967D 644B3219 ? = 0x34 34343434 34343434 34341F67 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676774 74747474 74747474 74746F41 41414141 41417373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73738000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 0019324B 647D967D 644B321D ?
  • 13. 13
  • 14. 0x0F FFFFFFFF FFFFFFFF^0 mod 1 = 0 or 1 ?
  • 15. 14 15 NETTLE ECC / NIST P256 point (0xFFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF 001C2C00, 0x9731275B 8E973CEA FD8ABF5A 6E16A177 F05A3451 14FBC752 7B3A60BC 65FE606A) * 1 != point (0xFFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFE FFFFFFFF 001C2C00 , 0x9731275B 8E973CEA FD8ABF5A 6E16A177 F05A3451 14FBC752 7B3A60BC 65FE606A )
  • 16. 16 ADDRESS SANITIZER (ASAN) If you only take away one thing from this talk: Use Address Sanitizer! -fsanitize=address in gcc/clang
  • 17. 17 SPOT THE BUG! int main() { int a[2] = {1, 0}; printf("%i", a[2]); }
  • 18. 18
  • 19. 19 ADDRESS SANITIZER HELPS Finds lots of hidden memory access bugs like out of bounds read/write (Stack, Heap, Global), use-after-free etc.
  • 20. 20
  • 21. 21 FINDING HEARTBLEED WITH AFL+ASAN Small OpenSSL handshake wrapper AFL finds Heartbleed within 6 hours LibFuzzer needs just 5 Minutes
  • 22. 22 ADDRESS SANITIZER If ASAN catches all these typical C bugs... ... can we just use it in production?
  • 23. 23 ASAN IN PRODUCTION Yes, but not for free 50 - 100 % CPU and memory overhead Example: Hardened Tor Browser
  • 24. 24 GENTOO LINUX WITH ASAN Everything compiled with ASAN except a few core packages (gcc, glibc, dependencies)
  • 25. 25 FIXING PACKAGES Memory access bugs in normal operation. These need to be fixed. bash, shred, python, syslog-ng, nasm, screen, monit, nano, dovecot, courier, proftpd, claws-mail, hexchat, ...
  • 26. 26 PROBLEMS / CHALLENGES ASAN executable + non-ASAN library: fine ASAN library + non-ASAN executable: breaks Build system issues (mostly libtool) Custom memory management (boehm-gc, jemalloc, tcmalloc)
  • 27. 27 IT WORKS Running server with real webpages. But: More bugs need to be fixed.
  • 29. 29 KASAN AND SYZCKALLER KASAN: ASAN for the Linux Kernel. syzkaller: syscall fuzzing similar to afl
  • 30. 30 UNDEFINED BEHAVIOR SANITIZER (UBSAN) Finds code that is undefined in C Invalid shifts, int overflows, unaligned memory access, ... Problem: Just too many bugs, problems rare There's also TSAN (Thread sanitizer, race conditions) and MSAN (Memory Sanitizer, uninitialized memory)
  • 31. 31 AFL AND NETWORKING Fuzzing network connections, experimental code by Doug Birdwell Usually a bit more brittle than file fuzzing Not widely used yet
  • 32. 32 AFL AND ANDROID Implementation from Intel just released Promising (Stagefright) Android Security desperately needs it
  • 33. 33 WHAT HAS THIS TO DO WITH FREE SOFTWARE? Remember the many eyes principle? "Free software is secure - because everyone can look at the source and find the bugs." We have to actually *do* that.
  • 34. 34 QUESTION TO THE AUDIENCE Do you develop / maintain software? In C? Do you know / use Fuzzing and Address Sanitizer? If not: Why not?
  • 35. 35 THANKS FOR LISTENING Use Address Sanitizer! Fuzz your software. Questions? https://fuzzing-project.org/