SlideShare ist ein Scribd-Unternehmen logo
1 von 108
Downloaden Sie, um offline zu lesen
1
In the lands of corrupted elves:
Breaking ELF software with Melkor fuzzer
Alejandro Hernández
IOActive
About me
 Senior Security Consultant [IOActive.com]
 ELF, C programming & fuzzing enthusiast
 Passionate about security. ~11 years now.
 From Chiapas, Mexico
'~~~-,
 '-,_
 / `~'~'' M E X I C O
_  /~
__  
 . 
   `~~
' . /
/   |
_  | _.----,
|  ! /
'._ _ __/ _/
_ ''--'' __/
.__ |
''.__ __.._ o<-_---- here !
'' './ `
 http://www.brainoverflow.org
 @nitr0usmx2
Agenda
 The ELF file format
 ELF parsing
 Who’s is parsing?
 Security risks in ELF parsing
 Discovered vulnerabilities in the past
 ELF parsing (mistakes) nowadays
 ELF Fuzzing
 Smart vs dumb
 Code / branch coverage
 ELF metadata dependencies
 Cont.
3
Agenda (Cont.)
 Melkor – an ELF file format fuzzer
 Who’s Melkor
 Design & Implementation
 Fuzzing rules
 ELF metadata dependencies
 Generators and test data
 Usage
 Logging
 Download
 Breaking Fuzzing ELF software
 DEMOS
 Conclusions
4
The ELF file format
 Executable and Linkable Format
 In 1999 was chosen as the standard binary
file format for Unix and Unix-like systems
on x86
 Adopted by many OS on many different
platforms
 Executables, relocatable objects (.o),
shared libraries (.so) and core dumps.
5
The ELF file format
6
The ELF file format
 Specification(s) [10]
7
The ELF file format
 Data types (/usr/include/elf.h)
8
The ELF file format
 Data structures (/usr/include/elf.h)
9
The ELF file format
10
 Relationships between metadata
for(k = 0; k < hdr.e_shnum; k++, shdr++){
if(shdr->sh_type != SHT_REL)
continue;
symtab_section = shdr_table[shdr->sh_link];
strtab_section = *(Elf64_Shdr *) (mem + hdr.e_shoff +
(symtab_section.sh_link * sizeof(Elf64_Shdr)));
symstrtab_offset = strtab_section.sh_offset;
rela = (Elf64_Rela *) (mem + shdr->sh_offset);
sym = (Elf32_Sym *) (mem + symtab_section.sh_offset);
...
The ELF file format
 Relationships between metadata
 Example:
11
The ELF file format
 Relationships between metadata
 Example:
12
SHT_REL
strtab_section
symtab_section
sh_link
sh_link
1
2
sh_offset
Section Header Table
The ELF file format
 Relationships between metadata
 Example:
13
ELF parsing
 Who’s is parsing?
 OS kernels
 Thoroughly audited over the years
 Debuggers
 gdb
 IDA Pro
 Etc.
 Reverse Engineering frameworks
 ERESI
 radare2
 Etc.
 OS utilities
 binutils
 #apt-cache search ELF14
ELF parsing
 Who’s is parsing?
 Malware
 Antivirus engines?
 Sophail by Tavis Ormandy [6]
15
ELF parsing
 Who’s is parsing?
 Google dork: “+ELF (parser|parsing)”
16
ELF parsing
 Security risks in ELF parsing
 Memory corruption / Buffer overflows
 Out of bounds array indexes or offsets
 Loops copying data more times than
expected
 Invalid memory dereferences
 Out of bounds array indexes or offsets
 Crashes / DoS
 Arithmetic / Integer wrap-arounds
 Calculations with user-controlled data
 nElements * elementSize
 nElements * sizeof()
 totalSize / elementSize
 arrayIndex * sizeof()17
ELF parsing
 Security risks in ELF parsing
 Memory corruption / Buffer overflows
 Might lead to code execution
 Undefined behaviors
 Crashes / DoS
 In the debugger / reversing tool
 Anti-reversing technique
 Binaries harder to debug
 Protection against malware infections
 Malware has parsers too
 OS kernel panic()’s
18
ELF parsing
 Security risks in ELF parsing
 Most data types are unsigned ints. Two of
them are signed ints (/usr/include/elf.h):
 typedef int32_t Elf32_Sword;
 typedef int32_t Elf64_Sword;
 typedef int64_t Elf32_Sxword;
 typedef int64_t Elf64_Sxword;
 r_addend (Relocations)
 d_tag (Dynamic information)
 Harder to trigger integer overflows
 However, when assigning values to
local signed variables, signedness
bugs might exist [1]
19
ELF parsing
 Discovered vulnerabilities in the past
 ELF, unlike PE (Portable Executable),
has been less audited
 Mostly found doing manual testing
 Code review + Binary modification
 Google dork: “site:securityfocus.com +ELF”
20
ELF parsing
 Discovered vulnerabilities in the past
21
ELF parsing
 Discovered vulnerabilities in the past
22
ELF parsing
 Discovered vulnerabilities in the past
23
ELF parsing
 Discovered vulnerabilities in the past
 Invalid pointer dereference in gdb (reported but still
unpatched) used as an anti-debugging technique [4]
24
ELF parsing
 Discovered vulnerabilities in the past
 Invalid pointer dereference in IDA Pro (patched) used
as an anti-debugging technique [4]
25
ELF parsing
 ELF parsing nowadays
 ~15 years later (adopted in 1999)
 Most ELF analysis tools rely on the SHT
(Section Header Table)
 The following bugs have been found with
Melkor
26
ELF parsing
 ELF parsing (mistakes) nowadays
 *still* blindly trust in the input:
 Offsets
 Indexes
 Sizes (total_size / struct_size)
 Addresses
 Debugging information (DWARF)
 Not part of ELF but it’s very related
27
ELF parsing
 ELF parsing (mistakes) nowadays
“The most common mistake applied by a
programmer is in trusting a field inside a
binary structure that should not be trusted.
“When dealing with sections that must have
subsections, knowing ahead of time how many
sections are embedded within the primary
section of a structure is required and again,
a value must be used to instruct the
application only to iterate x number of
times.” [7]
28
ELF parsing
 ELF parsing (mistakes) nowadays
 Example of a dummy program that executes the
for() loop based on e_shnum and size/entsize:
29
for(k = 0; k < hdr->e_shnum; k++, shdr++){
if(shdr->sh_type != SHT_SYMTAB && shdr->sh_type != SHT_DYNSYM)
continue;
...
nsyms = shdr->sh_size / shdr->sh_entsize;
sym = (Elf64_Sym *) (mem + shdr->sh_offset);
...
for(l = 0; l < nsyms; l++, sym++)
if(ELF64_ST_TYPE(sym->st_info) != STT_SECTION)
printf(“[%2d] %sn", mem + strtab + sym->st_name);
}
ELF parsing
 ELF parsing (mistakes) nowadays
30
2
31
ELF parsing
 ELF parsing (mistakes) nowadays
 Some applications validate if memory
addresses (p_vaddr, e_entry, etc.) and/or
file offsets (sh_offset, p_offset, etc.)
are inside their valid boundaries
 Some others don’t:
31 (Found with Melkor fuzzer.)
ELF parsing
 ELF parsing (mistakes) nowadays
32
src/libexec/ld.so/ldconfig/prebind.c:
elf_check_note(void *buf, Elf_Phdr *phdr)
{
u_long address;
u_int *pint;
char *osname;
address = phdr->p_offset;
pint = (u_int *)((char *)buf + address);
osname = (char *)buf + address + sizeof(*pint) * 3;
if (pint[0] == 8 /* OpenBSD0 */ && pint[1] == 4 &&
pint[2] == 1 /* type_osversion */ &&
strcmp("OpenBSD", osname) == 0)
return 1;
return 0;
}
ELF parsing
 ELF parsing (mistakes) nowadays
 Some trust in sizeof(*user_input), some
others prefer sizeof(Elfx_DataType) and
some others perform validations:
 if(sizeof(*x) != sizeof(dataType))
return ERROR;
33
ELF parsing
 ELF parsing (mistakes) nowadays
 Some do not validate the number of
elements before allocate memory:
 Allocate less memory space than needed
 Buffer overflows
 Memory exhaustion
 malloc(nElems_user_input * sizeof(Elfx_Struct));
 malloc(nElems_user_input * sizeof(*user_input));
 calloc(nElems_user_input , sizeof(Elfx_Struct));
34
ELF parsing
 ELF parsing (mistakes) nowadays
 Process memory exhaustion:
35
(Found with Melkor fuzzer.)
ELF parsing
 ELF parsing (mistakes) nowadays
 Process memory exhaustion:
36
ELF parsing
 ELF parsing (mistakes) nowadays
 More loops based on sh_size/sh_entsize running
more times than expected. (sh_size = 0xbad0c0de):
 Temporary DoS (CPU usage) in HT Editor:
 The application was killed by the OS
after ~19 secs.
37
(Found with Melkor fuzzer.)
ELF parsing
 ELF parsing (mistakes) nowadays
38
ht-2.0.22/htelfrel.cc:
rela_size = sizeof (ELF_RELA64);
relnum = elf_shared->sheaders.sheaders64[reloctab_shidx].sh_size /
(reloctab_sh_type == ELF_SHT_REL ? rel_size : rela_size);
...
for (uint i = 0; i < relnum; i++){
char *tt = t;
/* dest offset */
tt = tag_make_edit_qword(tt, tt_end, h+i*rel_size, endianness);
tt += ht_snprintf(tt, tt_end, " ");
/* symbol (table idx) */
tt = tag_make_edit_dword(tt, tt_end, h+i*rel_size+8+4,
endianness);
tt += ht_snprintf(tt, tt_end, " ");
...
}
ELF parsing
 ELF parsing (mistakes) nowadays
 A common low-hanging fruit crash is through
e_shstrndx in the ELF header. It holds a string
table index within the Section Header Table:
39
(Found with Melkor fuzzer.)
ELF fuzzing
 Fuzz testing
 Automated approach to create invalid /
semi-valid data to find bugs that would
have often been missed by human eyes
 If data is too valid, might not cause
problems
 If data is too invalid, might be quickly
rejected [9]
40
Taken from [5]
ELF fuzzing
 Smart vs dumb fuzzing
 Two approaches
 Mutation-based fuzzing (dumb)
 Takes an input and modifies it randomly
 Generation-based fuzzing (smart)
 Generates the tests with
specification knowledge
 dumb random fuzzing in most cases find
less bugs than smart fuzzing
41
ELF fuzzing
 Smart vs dumb fuzzing [2]
 All paths + all data == infinite problem
 Notion of randomness (dumbness) and
specific knowledge (intelligence)
 Semi-valid data
42
ELF fuzzing
 Code / branch coverage [8]
 Code coverage is a metric which can be
used to determine how much code has been
executed
 Branch coverage measures how many
branches in code have been taken
(conditional jmps)
 if( x > 2 )
x = 2;
 Specification based test generation
achieves better coverage testing
43
ELF fuzzing
 Code / branch coverage
 Interesting results in [9] show that
more bugs are discovered with higher
coverage:
44
ELF fuzzing
 ELF metadata dependencies
 Some data structures must be fuzzed in
the end or not fuzzed at all for higher
code / branch coverage:
45
3rd level metadata
2nd level
metadata
ELF Header
HDR
SHT
String tables
Relocation Tables,
etc. etc.
PHT Interp
CORRUPTED
Hidden bugs
ELF fuzzing
 ELF metadata dependencies
 In normal circumstances, the following
ELF metadata dependencies exist while
parsing:
46
ELF fuzzing
 Example: (SmartDec, Native code to C/C++
Decompiler for Windows)
 Normal ELF loading
47
ELF fuzzing
 Example: (SmartDec, Native code to C/C++
Decompiler for Windows)
 Trying to load the same ELF with an invalid
e_ident[EI_CLASS] (a header field), it simply
handles the error and doesn’t open:
48
ELF fuzzing
 Example: (SmartDec, Native code to C/C++
Decompiler for Windows)
 However, having an unmodified header, the basic
header validations will be bypassed and internal
bugs are reached:
49
(Found with Melkor fuzzer.)
Melkor fuzzer
 Who’s Melkor
 A fictional character
from J. R. R.
Tolkien's Middle-
earth legendarium
 Was the first Dark
Lord and master of
Sauron
50
Melkor fuzzer
 Who’s Melkor
 Mentioned briefly in The Lord of the
Rings and is known for:
"... Melkor had captured a number of ELVES before the Valar
attacked him, and he tortured and corrupted them, breeding
the first Orcs.“
"... Melkor was cunning and more filled with malice than
ever. Seeing the bliss of the ELVES and remembering that it
was for their sake that he was overthrown, Melkor desired
above all things to corrupt them.“
"Orcs...This has been so from the day they were bred by
Melkor from corrupted, tortured and
mutilated ELVES that may also have been
forced to breed with other unnatural abominations
in the dominion of the Dark Powers."
51
Melkor fuzzer
 Hybrid (Mutation-based / Generation-based)
 Mutate existing data in an ELF sample to
create orcs with knowledge of the file
format specification (fuzzing rules)
52
OrcsELF
Melkor fuzzer
Melkor fuzzer
 Design
 I’m not good at software design but...
drawing worked
53
Melkor fuzzer
 Implementation
54
numbers / rand()
generators.c
fuzz_<metatada>.c
(fuzzing rules)
logger.c
melkor.c
(main())
Melkor fuzzer
 Fuzzing rules
 Three inputs were used:
 Specification violations
 TIS ELF Specification 1.2 (May, 1995) [10]
 ELF-64 Object File Format 1.5 (May 1998)
 Misc. ideas & considerations
 Parsing patterns seen in ELF software
55
Melkor fuzzer
 Fuzzing rules
 melkor-v1.0/docs/Melkor_Fuzzing_Rules.pdf
56
Melkor fuzzer
 Fuzzing rules
 Specification violations (Example 1)
 ELF Specification:
57
Melkor fuzzer
 Fuzzing rules
 Specification violations (Example 1)
 Rule definition for that field:
58
Rule name implemented at code level
Melkor fuzzer
 Fuzzing rules
 Specification violations (Example 1)
 That rule at code level:
59
Melkor fuzzer
 Fuzzing rules
 Specification violations (Example 2)
60
Melkor fuzzer
 Fuzzing rules
 Specification violations (Example 2)
61
Melkor fuzzer
 Fuzzing rules
 More complex rules
62
Melkor fuzzer
 Fuzzing rules
 More complex rules (Example 1)
63
Melkor fuzzer
 Fuzzing rules
 More complex rules (Example 2)
64
Melkor fuzzer
 Fuzzing rules
 More complex rules (Example 3)
65
Melkor fuzzer
 Fuzzing rules execution
 To iterate through the rules an array of function
pointers is created in every fuzzing module and
initialized with __attribute__((constructor)
66
Melkor fuzzer
 Fuzzing rules execution
 Chances of execution given by the –l (likelihood
parameter, default 10%) is translated to two
variables that’ll be used in ...
67
Melkor fuzzer
 Fuzzing rules execution
 ... Conjunction with rand() in the
iteration through the array of pointers
68
Melkor fuzzer
 Fuzzing rules execution
 Some fields are critical and even when
the rule is executed, inside the rule
function the likelihood is decreased.
 For example:
69
Melkor fuzzer
 ELF metadata dependencies
 These dependencies should not be
broken if you want to fuzz
deeper levels
70
Melkor fuzzer
 ELF metadata dependencies
 Translating them into specific fields:
71
Melkor fuzzer
 ELF metadata dependencies
 Translating them into specific fields:
72
Melkor fuzzer
 ELF metadata dependencies
 Translating them into specific fields:
73
Melkor fuzzer
 ELF metadata dependencies
 And at code level (Example 1):
74
Melkor fuzzer
 ELF metadata dependencies
 And at code level (Example 2):
75
Melkor fuzzer
 Generators and test data
 Semi-valid test data is used in the
rules
 Size fields: common integer bofs values
 Offsets / addresses: out of bounds values
 Indexes inside strings: common format
strings or non-printable chars
 Etc.
76
Melkor fuzzer
 Generators and test data
 numbers.h
77
Melkor fuzzer
 Generators and test data
 numbers.h
78
Melkor fuzzer
 Generators and test data
 numbers.h
79
Melkor fuzzer
 Generators and test data
 generators.c
 Functions to return test data based on
 numbers.h
 rand()
80
Melkor fuzzer
 Generators and test data
 ELF used as template
 Some provided in templates/
81
Melkor fuzzer
 Compilation
 With a simple $make
82
Melkor fuzzer
 Usage
83
Melkor fuzzer
 Usage
 Fuzzing options
84
Melkor fuzzer
 Usage
 A simple run (testing preparation):
85
Melkor fuzzer
 Usage
 Malforming ELFs:
86
Melkor fuzzer
 Usage
 Malformed ELFs (orcs):
87
Melkor fuzzer
 Usage
 Malformed ELFs (Default 10%):
88
Melkor fuzzer
 Usage
 Malformed ELFs (Aggressive 70%):
89
Melkor fuzzer
 Usage
 Testing the malformed ELFs (test_fuzzed.sh)
90
Melkor fuzzer
 Usage
 No, Melkor will not send your orcs to
the shopping mall
91 http://mashable.com/2014/06/12/orc-mall-prank/
Melkor fuzzer
 Usage
 OS kernel / dynamic loader testing:
92
Melkor fuzzer
 Usage
 OS kernel / dynamic loader testing:
93
Melkor fuzzer
 Usage
 Application testing (Example: dumpelf)
94
Melkor fuzzer
 Usage
 Application testing (Example: gcc)
95
Melkor fuzzer
 Usage
 Application testing (Example: gcc)
96
Melkor fuzzer
 Logging
 A simple logging facility implemented to
identify the fuzzed metadata in detail
97
Melkor fuzzer
 Download
http://www.brainoverflow.org/code/melkor-v1.0.tar.gz
98
Fuzzing ELF software
DEMOS
 Homework: fuzz Melkor fuzzer ;-)
 Yes, inception fuzzing
 Read BUGS.txt
 It could be used as a test subject
99
Conclusions
 ELF is just another file format where
common parsing mistakes are still used
 ELF parsers are not just in the OS
kernels, readelf and objdump. Many new
software are parsing and supporting 32
& 64-bit ELF files
100
Conclusions
 Fuzzing discover defects that normally
are harder to find in less time than
manual testing
 Fuzzing is much better having knowledge
of the semantics (specifications)
 A single crash could be an exploitable
security bug or could be used as an
anti-reversing or anti-infection
technique
101
Conclusions
 Melkor fuzzer will help you to find
functional (and security) bugs in
your ELF parsers.
102
References
[1] blexim. (2002). “Basic Integer Overflows”. PHRACK Magazine,
Release 60. Retrieved from http://phrack.org/issues/60/10.htm
[2] DeMott, J., Enbody, R. (Aug 5th, 2006). “The Evolving Art of
Fuzzing”. DEFCON 14. Retrieved from
https://www.defcon.org/images/defcon-14/dc-14-presentations/DC-14-
DeMott.pdf
[3] Dietz, W., Li, P., Regehr, J., and Adve, V. (June 2012).
“Understanding Integer Overflow in C/C++”. Proceedings of the 34th
International Conference on Software Engineering (ICSE), Zurich,
Switzerland. Retrieved from
http://www.cs.utah.edu/~regehr/papers/overflow12.pdf
[4] Hernández, A. (Dec 18th, 2012). “Striking Back GDB and IDA
debuggers through malformed ELF executables”. Retrieved from
http://blog.ioactive.com/2012/12/striking-back-gdb-and-ida-
debuggers.html
103
References
[5] Jarkko, L., Rauli, K., and Heikki, K. (2006). “Codenomicon
Robustness Testing - Handling the Infinite Space while breaking
Software”. Retrieved from
http://www.codenomicon.com/resources/whitepapers/code-whitepaper-
2006-06.pdf
[6] Ormandy, T. “Sophail: A Critical Analysis of Sophos Antivirus”.
Retrieved from https://lock.cmpxchg8b.com/sophail.pdf
[7] Padilla, O. (May 12th, 2005). “Analyzing Common Binary Parser
Mistakes”. Uninformed e-zine Vol. 3. Retrieved from
http://uninformed.org/index.cgi?v=3&a=1&t=pdf
[8] Miller, C. (Oct 20th, 2007). “Fuzzing with Code Coverage By
Example”. ToorCon 2007. Retrieved from
http://fuzzinginfo.files.wordpress.com/2012/05/cmiller_toorcon2007.
pdf
104
References
[9] Miller, C. (Mar 28th, 2008. “Fuzz By Number: More Data About
Fuzzing Than You Ever Wanted To Know”. CanSecWest 2008.
Retrieved from https://cansecwest.com/csw08/csw08-miller.pdf
[10] TIS Committee. (1995). “Executable and Linking Format (ELF)
Specification v 1.2”. Retrieved from
http://www.uclibc.org/docs/elf.pdf
[11] van Sprundel, I. (Dec 8th, 2005). “Fuzzing: Breaking software
in an automated fashion”. Retrieved from
http://events.ccc.de/congress/2005/fahrplan/attachments/582-
paper_fuzzing.pdf
[12] Wysopal, C., Nelson, L., Zovi, D. D., and Dustin, E. (2007).
“Local Fault Injection” (Ch. 11) in The Art of Software Security
Testing, pp. 201-229. Retrieved from
http://www.securityfocus.com/images/infocus/Wysopal_CH11.pdf
105
Special Thanks
 To all the researchers / coders from whom
I’ve learned cool ELF stuff and fuzzing:
Silvio Cesare, the ELF shell crew, mayhem,
scut, the grugq, Itzik Kotler, Electronic
Souls, Julien Vanegue, Andrew Griffiths,
dex, beck, Brian Raiter, Rakan El-Khalil,
Jared DeMott, skape, JunkCode, Sebastian
Krahmer, Paul Starzetz, Charlie Miller,
Ilja van Sprundel, Chris Rohlf, aczid,
Rebecca Shapiro, Sergey Bratus and some
others I forgot to mention
... Thanks !
106
Thanks !
107
/ Alejandro Hernández
/ @nitr0usmx
In Memorial †
Dedicated to the memory of one of my best friends,
Aaron Alba.
108

Weitere ähnliche Inhalte

Ähnlich wie In the lands of corrupted elves - Breaking ELF software with Melkor fuzzer

Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin
 
Simplest-Ownage-Human-Observed… - Routers
 Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl
 
2023-02-22_Tiberti_CyberX.pdf
2023-02-22_Tiberti_CyberX.pdf2023-02-22_Tiberti_CyberX.pdf
2023-02-22_Tiberti_CyberX.pdfcifoxo
 
Something About Dynamic Linking
Something About Dynamic LinkingSomething About Dynamic Linking
Something About Dynamic LinkingWang Hsiangkai
 
Erlang Developments: The Good, The Bad and The Ugly
Erlang Developments: The Good, The Bad and The UglyErlang Developments: The Good, The Bad and The Ugly
Erlang Developments: The Good, The Bad and The Uglyenriquepazperez
 
FISL XIV - The ELF File Format and the Linux Loader
FISL XIV - The ELF File Format and the Linux LoaderFISL XIV - The ELF File Format and the Linux Loader
FISL XIV - The ELF File Format and the Linux LoaderJohn Tortugo
 
Parallella: Embedded HPC For Everybody
Parallella: Embedded HPC For EverybodyParallella: Embedded HPC For Everybody
Parallella: Embedded HPC For Everybodyjerlbeck
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
 
Tips And Tricks For Bioinformatics Software Engineering
Tips And Tricks For Bioinformatics Software EngineeringTips And Tricks For Bioinformatics Software Engineering
Tips And Tricks For Bioinformatics Software Engineeringjtdudley
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 
Sioux Hot-or-Not: Functional programming: unlocking the real power of multi-c...
Sioux Hot-or-Not: Functional programming: unlocking the real power of multi-c...Sioux Hot-or-Not: Functional programming: unlocking the real power of multi-c...
Sioux Hot-or-Not: Functional programming: unlocking the real power of multi-c...siouxhotornot
 
NDC London 2014: Erlang Patterns Matching Business Needs
NDC London 2014: Erlang Patterns Matching Business NeedsNDC London 2014: Erlang Patterns Matching Business Needs
NDC London 2014: Erlang Patterns Matching Business NeedsTorben Hoffmann
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers ToolboxStefan
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_enSunghun Kim
 
Elm: frontend code without runtime exceptions
Elm: frontend code without runtime exceptionsElm: frontend code without runtime exceptions
Elm: frontend code without runtime exceptionsPietro Grandi
 
The Ruby Guide to *nix Plumbing: Hax0R R3dux
The Ruby Guide to *nix Plumbing: Hax0R R3duxThe Ruby Guide to *nix Plumbing: Hax0R R3dux
The Ruby Guide to *nix Plumbing: Hax0R R3duxEleanor McHugh
 
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tipsDEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tipsFelipe Prado
 
Effective Fault-Localization Techniques for Concurrent Software
Effective Fault-Localization Techniques for Concurrent SoftwareEffective Fault-Localization Techniques for Concurrent Software
Effective Fault-Localization Techniques for Concurrent SoftwareSangmin Park
 
Confraria Security & IT - Lisbon Set 29, 2011
Confraria Security & IT - Lisbon Set 29, 2011Confraria Security & IT - Lisbon Set 29, 2011
Confraria Security & IT - Lisbon Set 29, 2011ricardomcm
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraNelson Brito
 

Ähnlich wie In the lands of corrupted elves - Breaking ELF software with Melkor fuzzer (20)

Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
 
Simplest-Ownage-Human-Observed… - Routers
 Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
2023-02-22_Tiberti_CyberX.pdf
2023-02-22_Tiberti_CyberX.pdf2023-02-22_Tiberti_CyberX.pdf
2023-02-22_Tiberti_CyberX.pdf
 
Something About Dynamic Linking
Something About Dynamic LinkingSomething About Dynamic Linking
Something About Dynamic Linking
 
Erlang Developments: The Good, The Bad and The Ugly
Erlang Developments: The Good, The Bad and The UglyErlang Developments: The Good, The Bad and The Ugly
Erlang Developments: The Good, The Bad and The Ugly
 
FISL XIV - The ELF File Format and the Linux Loader
FISL XIV - The ELF File Format and the Linux LoaderFISL XIV - The ELF File Format and the Linux Loader
FISL XIV - The ELF File Format and the Linux Loader
 
Parallella: Embedded HPC For Everybody
Parallella: Embedded HPC For EverybodyParallella: Embedded HPC For Everybody
Parallella: Embedded HPC For Everybody
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
Tips And Tricks For Bioinformatics Software Engineering
Tips And Tricks For Bioinformatics Software EngineeringTips And Tricks For Bioinformatics Software Engineering
Tips And Tricks For Bioinformatics Software Engineering
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Sioux Hot-or-Not: Functional programming: unlocking the real power of multi-c...
Sioux Hot-or-Not: Functional programming: unlocking the real power of multi-c...Sioux Hot-or-Not: Functional programming: unlocking the real power of multi-c...
Sioux Hot-or-Not: Functional programming: unlocking the real power of multi-c...
 
NDC London 2014: Erlang Patterns Matching Business Needs
NDC London 2014: Erlang Patterns Matching Business NeedsNDC London 2014: Erlang Patterns Matching Business Needs
NDC London 2014: Erlang Patterns Matching Business Needs
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers Toolbox
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_en
 
Elm: frontend code without runtime exceptions
Elm: frontend code without runtime exceptionsElm: frontend code without runtime exceptions
Elm: frontend code without runtime exceptions
 
The Ruby Guide to *nix Plumbing: Hax0R R3dux
The Ruby Guide to *nix Plumbing: Hax0R R3duxThe Ruby Guide to *nix Plumbing: Hax0R R3dux
The Ruby Guide to *nix Plumbing: Hax0R R3dux
 
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tipsDEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
 
Effective Fault-Localization Techniques for Concurrent Software
Effective Fault-Localization Techniques for Concurrent SoftwareEffective Fault-Localization Techniques for Concurrent Software
Effective Fault-Localization Techniques for Concurrent Software
 
Confraria Security & IT - Lisbon Set 29, 2011
Confraria Security & IT - Lisbon Set 29, 2011Confraria Security & IT - Lisbon Set 29, 2011
Confraria Security & IT - Lisbon Set 29, 2011
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
 

Mehr von Alejandro Hernández

Are You Trading Stocks Securely? Exposing Security Flaws in Trading Technologies
Are You Trading Stocks Securely? Exposing Security Flaws in Trading TechnologiesAre You Trading Stocks Securely? Exposing Security Flaws in Trading Technologies
Are You Trading Stocks Securely? Exposing Security Flaws in Trading TechnologiesAlejandro Hernández
 
Tips y Experiencias de un Consultor en Seguridad Informática - Campus Party C...
Tips y Experiencias de un Consultor en Seguridad Informática - Campus Party C...Tips y Experiencias de un Consultor en Seguridad Informática - Campus Party C...
Tips y Experiencias de un Consultor en Seguridad Informática - Campus Party C...Alejandro Hernández
 
Malware en Linux - Barcamp SE - Cali, Colombia 2013
Malware en Linux - Barcamp SE - Cali, Colombia 2013Malware en Linux - Barcamp SE - Cali, Colombia 2013
Malware en Linux - Barcamp SE - Cali, Colombia 2013Alejandro Hernández
 
Seguridad Física - Mira Mamá, como Jason Bourne - BugCON 2013
Seguridad Física - Mira Mamá, como Jason Bourne - BugCON 2013Seguridad Física - Mira Mamá, como Jason Bourne - BugCON 2013
Seguridad Física - Mira Mamá, como Jason Bourne - BugCON 2013Alejandro Hernández
 
DotDotPwn Fuzzer - Black Hat 2011 (Arsenal)
DotDotPwn Fuzzer - Black Hat 2011 (Arsenal)DotDotPwn Fuzzer - Black Hat 2011 (Arsenal)
DotDotPwn Fuzzer - Black Hat 2011 (Arsenal)Alejandro Hernández
 
Fuzzeando Snort con opciones TCP/IP
Fuzzeando Snort con opciones TCP/IPFuzzeando Snort con opciones TCP/IP
Fuzzeando Snort con opciones TCP/IPAlejandro Hernández
 

Mehr von Alejandro Hernández (9)

Are You Trading Stocks Securely? Exposing Security Flaws in Trading Technologies
Are You Trading Stocks Securely? Exposing Security Flaws in Trading TechnologiesAre You Trading Stocks Securely? Exposing Security Flaws in Trading Technologies
Are You Trading Stocks Securely? Exposing Security Flaws in Trading Technologies
 
Tips y Experiencias de un Consultor en Seguridad Informática - Campus Party C...
Tips y Experiencias de un Consultor en Seguridad Informática - Campus Party C...Tips y Experiencias de un Consultor en Seguridad Informática - Campus Party C...
Tips y Experiencias de un Consultor en Seguridad Informática - Campus Party C...
 
Malware en Linux - Barcamp SE - Cali, Colombia 2013
Malware en Linux - Barcamp SE - Cali, Colombia 2013Malware en Linux - Barcamp SE - Cali, Colombia 2013
Malware en Linux - Barcamp SE - Cali, Colombia 2013
 
Seguridad Física - Mira Mamá, como Jason Bourne - BugCON 2013
Seguridad Física - Mira Mamá, como Jason Bourne - BugCON 2013Seguridad Física - Mira Mamá, como Jason Bourne - BugCON 2013
Seguridad Física - Mira Mamá, como Jason Bourne - BugCON 2013
 
DotDotPwn Fuzzer - Black Hat 2011 (Arsenal)
DotDotPwn Fuzzer - Black Hat 2011 (Arsenal)DotDotPwn Fuzzer - Black Hat 2011 (Arsenal)
DotDotPwn Fuzzer - Black Hat 2011 (Arsenal)
 
De Hacker a C-Level
De Hacker a C-LevelDe Hacker a C-Level
De Hacker a C-Level
 
ELF en la mira: Hacking y Defensa
ELF en la mira: Hacking y DefensaELF en la mira: Hacking y Defensa
ELF en la mira: Hacking y Defensa
 
Live Hacking : del Bug al Exploit
Live Hacking : del Bug al ExploitLive Hacking : del Bug al Exploit
Live Hacking : del Bug al Exploit
 
Fuzzeando Snort con opciones TCP/IP
Fuzzeando Snort con opciones TCP/IPFuzzeando Snort con opciones TCP/IP
Fuzzeando Snort con opciones TCP/IP
 

Kürzlich hochgeladen

Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Incrobinwilliams8624
 
Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native BuildpacksVish Abrams
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsJaydeep Chhasatia
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeNeo4j
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesShyamsundar Das
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?AmeliaSmith90
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesSoftwareMill
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfBrain Inventory
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLAlluxio, Inc.
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfTobias Schneck
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageDista
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampVICTOR MAESTRE RAMIREZ
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilVICTOR MAESTRE RAMIREZ
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmonyelliciumsolutionspun
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIIvo Andreev
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxAutus Cyber Tech
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadIvo Andreev
 

Kürzlich hochgeladen (20)

Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Inc
 
Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native Buildpacks
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG time
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security Challenges
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 
Salesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptxSalesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptx
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdf
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - Datacamp
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AI
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptx
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 

In the lands of corrupted elves - Breaking ELF software with Melkor fuzzer

  • 1. 1 In the lands of corrupted elves: Breaking ELF software with Melkor fuzzer Alejandro Hernández IOActive
  • 2. About me  Senior Security Consultant [IOActive.com]  ELF, C programming & fuzzing enthusiast  Passionate about security. ~11 years now.  From Chiapas, Mexico '~~~-, '-,_ / `~'~'' M E X I C O _ /~ __ . `~~ ' . / / | _ | _.----, | ! / '._ _ __/ _/ _ ''--'' __/ .__ | ''.__ __.._ o<-_---- here ! '' './ `  http://www.brainoverflow.org  @nitr0usmx2
  • 3. Agenda  The ELF file format  ELF parsing  Who’s is parsing?  Security risks in ELF parsing  Discovered vulnerabilities in the past  ELF parsing (mistakes) nowadays  ELF Fuzzing  Smart vs dumb  Code / branch coverage  ELF metadata dependencies  Cont. 3
  • 4. Agenda (Cont.)  Melkor – an ELF file format fuzzer  Who’s Melkor  Design & Implementation  Fuzzing rules  ELF metadata dependencies  Generators and test data  Usage  Logging  Download  Breaking Fuzzing ELF software  DEMOS  Conclusions 4
  • 5. The ELF file format  Executable and Linkable Format  In 1999 was chosen as the standard binary file format for Unix and Unix-like systems on x86  Adopted by many OS on many different platforms  Executables, relocatable objects (.o), shared libraries (.so) and core dumps. 5
  • 6. The ELF file format 6
  • 7. The ELF file format  Specification(s) [10] 7
  • 8. The ELF file format  Data types (/usr/include/elf.h) 8
  • 9. The ELF file format  Data structures (/usr/include/elf.h) 9
  • 10. The ELF file format 10  Relationships between metadata
  • 11. for(k = 0; k < hdr.e_shnum; k++, shdr++){ if(shdr->sh_type != SHT_REL) continue; symtab_section = shdr_table[shdr->sh_link]; strtab_section = *(Elf64_Shdr *) (mem + hdr.e_shoff + (symtab_section.sh_link * sizeof(Elf64_Shdr))); symstrtab_offset = strtab_section.sh_offset; rela = (Elf64_Rela *) (mem + shdr->sh_offset); sym = (Elf32_Sym *) (mem + symtab_section.sh_offset); ... The ELF file format  Relationships between metadata  Example: 11
  • 12. The ELF file format  Relationships between metadata  Example: 12 SHT_REL strtab_section symtab_section sh_link sh_link 1 2 sh_offset Section Header Table
  • 13. The ELF file format  Relationships between metadata  Example: 13
  • 14. ELF parsing  Who’s is parsing?  OS kernels  Thoroughly audited over the years  Debuggers  gdb  IDA Pro  Etc.  Reverse Engineering frameworks  ERESI  radare2  Etc.  OS utilities  binutils  #apt-cache search ELF14
  • 15. ELF parsing  Who’s is parsing?  Malware  Antivirus engines?  Sophail by Tavis Ormandy [6] 15
  • 16. ELF parsing  Who’s is parsing?  Google dork: “+ELF (parser|parsing)” 16
  • 17. ELF parsing  Security risks in ELF parsing  Memory corruption / Buffer overflows  Out of bounds array indexes or offsets  Loops copying data more times than expected  Invalid memory dereferences  Out of bounds array indexes or offsets  Crashes / DoS  Arithmetic / Integer wrap-arounds  Calculations with user-controlled data  nElements * elementSize  nElements * sizeof()  totalSize / elementSize  arrayIndex * sizeof()17
  • 18. ELF parsing  Security risks in ELF parsing  Memory corruption / Buffer overflows  Might lead to code execution  Undefined behaviors  Crashes / DoS  In the debugger / reversing tool  Anti-reversing technique  Binaries harder to debug  Protection against malware infections  Malware has parsers too  OS kernel panic()’s 18
  • 19. ELF parsing  Security risks in ELF parsing  Most data types are unsigned ints. Two of them are signed ints (/usr/include/elf.h):  typedef int32_t Elf32_Sword;  typedef int32_t Elf64_Sword;  typedef int64_t Elf32_Sxword;  typedef int64_t Elf64_Sxword;  r_addend (Relocations)  d_tag (Dynamic information)  Harder to trigger integer overflows  However, when assigning values to local signed variables, signedness bugs might exist [1] 19
  • 20. ELF parsing  Discovered vulnerabilities in the past  ELF, unlike PE (Portable Executable), has been less audited  Mostly found doing manual testing  Code review + Binary modification  Google dork: “site:securityfocus.com +ELF” 20
  • 21. ELF parsing  Discovered vulnerabilities in the past 21
  • 22. ELF parsing  Discovered vulnerabilities in the past 22
  • 23. ELF parsing  Discovered vulnerabilities in the past 23
  • 24. ELF parsing  Discovered vulnerabilities in the past  Invalid pointer dereference in gdb (reported but still unpatched) used as an anti-debugging technique [4] 24
  • 25. ELF parsing  Discovered vulnerabilities in the past  Invalid pointer dereference in IDA Pro (patched) used as an anti-debugging technique [4] 25
  • 26. ELF parsing  ELF parsing nowadays  ~15 years later (adopted in 1999)  Most ELF analysis tools rely on the SHT (Section Header Table)  The following bugs have been found with Melkor 26
  • 27. ELF parsing  ELF parsing (mistakes) nowadays  *still* blindly trust in the input:  Offsets  Indexes  Sizes (total_size / struct_size)  Addresses  Debugging information (DWARF)  Not part of ELF but it’s very related 27
  • 28. ELF parsing  ELF parsing (mistakes) nowadays “The most common mistake applied by a programmer is in trusting a field inside a binary structure that should not be trusted. “When dealing with sections that must have subsections, knowing ahead of time how many sections are embedded within the primary section of a structure is required and again, a value must be used to instruct the application only to iterate x number of times.” [7] 28
  • 29. ELF parsing  ELF parsing (mistakes) nowadays  Example of a dummy program that executes the for() loop based on e_shnum and size/entsize: 29 for(k = 0; k < hdr->e_shnum; k++, shdr++){ if(shdr->sh_type != SHT_SYMTAB && shdr->sh_type != SHT_DYNSYM) continue; ... nsyms = shdr->sh_size / shdr->sh_entsize; sym = (Elf64_Sym *) (mem + shdr->sh_offset); ... for(l = 0; l < nsyms; l++, sym++) if(ELF64_ST_TYPE(sym->st_info) != STT_SECTION) printf(“[%2d] %sn", mem + strtab + sym->st_name); }
  • 30. ELF parsing  ELF parsing (mistakes) nowadays 30 2 31
  • 31. ELF parsing  ELF parsing (mistakes) nowadays  Some applications validate if memory addresses (p_vaddr, e_entry, etc.) and/or file offsets (sh_offset, p_offset, etc.) are inside their valid boundaries  Some others don’t: 31 (Found with Melkor fuzzer.)
  • 32. ELF parsing  ELF parsing (mistakes) nowadays 32 src/libexec/ld.so/ldconfig/prebind.c: elf_check_note(void *buf, Elf_Phdr *phdr) { u_long address; u_int *pint; char *osname; address = phdr->p_offset; pint = (u_int *)((char *)buf + address); osname = (char *)buf + address + sizeof(*pint) * 3; if (pint[0] == 8 /* OpenBSD0 */ && pint[1] == 4 && pint[2] == 1 /* type_osversion */ && strcmp("OpenBSD", osname) == 0) return 1; return 0; }
  • 33. ELF parsing  ELF parsing (mistakes) nowadays  Some trust in sizeof(*user_input), some others prefer sizeof(Elfx_DataType) and some others perform validations:  if(sizeof(*x) != sizeof(dataType)) return ERROR; 33
  • 34. ELF parsing  ELF parsing (mistakes) nowadays  Some do not validate the number of elements before allocate memory:  Allocate less memory space than needed  Buffer overflows  Memory exhaustion  malloc(nElems_user_input * sizeof(Elfx_Struct));  malloc(nElems_user_input * sizeof(*user_input));  calloc(nElems_user_input , sizeof(Elfx_Struct)); 34
  • 35. ELF parsing  ELF parsing (mistakes) nowadays  Process memory exhaustion: 35 (Found with Melkor fuzzer.)
  • 36. ELF parsing  ELF parsing (mistakes) nowadays  Process memory exhaustion: 36
  • 37. ELF parsing  ELF parsing (mistakes) nowadays  More loops based on sh_size/sh_entsize running more times than expected. (sh_size = 0xbad0c0de):  Temporary DoS (CPU usage) in HT Editor:  The application was killed by the OS after ~19 secs. 37 (Found with Melkor fuzzer.)
  • 38. ELF parsing  ELF parsing (mistakes) nowadays 38 ht-2.0.22/htelfrel.cc: rela_size = sizeof (ELF_RELA64); relnum = elf_shared->sheaders.sheaders64[reloctab_shidx].sh_size / (reloctab_sh_type == ELF_SHT_REL ? rel_size : rela_size); ... for (uint i = 0; i < relnum; i++){ char *tt = t; /* dest offset */ tt = tag_make_edit_qword(tt, tt_end, h+i*rel_size, endianness); tt += ht_snprintf(tt, tt_end, " "); /* symbol (table idx) */ tt = tag_make_edit_dword(tt, tt_end, h+i*rel_size+8+4, endianness); tt += ht_snprintf(tt, tt_end, " "); ... }
  • 39. ELF parsing  ELF parsing (mistakes) nowadays  A common low-hanging fruit crash is through e_shstrndx in the ELF header. It holds a string table index within the Section Header Table: 39 (Found with Melkor fuzzer.)
  • 40. ELF fuzzing  Fuzz testing  Automated approach to create invalid / semi-valid data to find bugs that would have often been missed by human eyes  If data is too valid, might not cause problems  If data is too invalid, might be quickly rejected [9] 40 Taken from [5]
  • 41. ELF fuzzing  Smart vs dumb fuzzing  Two approaches  Mutation-based fuzzing (dumb)  Takes an input and modifies it randomly  Generation-based fuzzing (smart)  Generates the tests with specification knowledge  dumb random fuzzing in most cases find less bugs than smart fuzzing 41
  • 42. ELF fuzzing  Smart vs dumb fuzzing [2]  All paths + all data == infinite problem  Notion of randomness (dumbness) and specific knowledge (intelligence)  Semi-valid data 42
  • 43. ELF fuzzing  Code / branch coverage [8]  Code coverage is a metric which can be used to determine how much code has been executed  Branch coverage measures how many branches in code have been taken (conditional jmps)  if( x > 2 ) x = 2;  Specification based test generation achieves better coverage testing 43
  • 44. ELF fuzzing  Code / branch coverage  Interesting results in [9] show that more bugs are discovered with higher coverage: 44
  • 45. ELF fuzzing  ELF metadata dependencies  Some data structures must be fuzzed in the end or not fuzzed at all for higher code / branch coverage: 45 3rd level metadata 2nd level metadata ELF Header HDR SHT String tables Relocation Tables, etc. etc. PHT Interp CORRUPTED Hidden bugs
  • 46. ELF fuzzing  ELF metadata dependencies  In normal circumstances, the following ELF metadata dependencies exist while parsing: 46
  • 47. ELF fuzzing  Example: (SmartDec, Native code to C/C++ Decompiler for Windows)  Normal ELF loading 47
  • 48. ELF fuzzing  Example: (SmartDec, Native code to C/C++ Decompiler for Windows)  Trying to load the same ELF with an invalid e_ident[EI_CLASS] (a header field), it simply handles the error and doesn’t open: 48
  • 49. ELF fuzzing  Example: (SmartDec, Native code to C/C++ Decompiler for Windows)  However, having an unmodified header, the basic header validations will be bypassed and internal bugs are reached: 49 (Found with Melkor fuzzer.)
  • 50. Melkor fuzzer  Who’s Melkor  A fictional character from J. R. R. Tolkien's Middle- earth legendarium  Was the first Dark Lord and master of Sauron 50
  • 51. Melkor fuzzer  Who’s Melkor  Mentioned briefly in The Lord of the Rings and is known for: "... Melkor had captured a number of ELVES before the Valar attacked him, and he tortured and corrupted them, breeding the first Orcs.“ "... Melkor was cunning and more filled with malice than ever. Seeing the bliss of the ELVES and remembering that it was for their sake that he was overthrown, Melkor desired above all things to corrupt them.“ "Orcs...This has been so from the day they were bred by Melkor from corrupted, tortured and mutilated ELVES that may also have been forced to breed with other unnatural abominations in the dominion of the Dark Powers." 51
  • 52. Melkor fuzzer  Hybrid (Mutation-based / Generation-based)  Mutate existing data in an ELF sample to create orcs with knowledge of the file format specification (fuzzing rules) 52 OrcsELF Melkor fuzzer
  • 53. Melkor fuzzer  Design  I’m not good at software design but... drawing worked 53
  • 54. Melkor fuzzer  Implementation 54 numbers / rand() generators.c fuzz_<metatada>.c (fuzzing rules) logger.c melkor.c (main())
  • 55. Melkor fuzzer  Fuzzing rules  Three inputs were used:  Specification violations  TIS ELF Specification 1.2 (May, 1995) [10]  ELF-64 Object File Format 1.5 (May 1998)  Misc. ideas & considerations  Parsing patterns seen in ELF software 55
  • 56. Melkor fuzzer  Fuzzing rules  melkor-v1.0/docs/Melkor_Fuzzing_Rules.pdf 56
  • 57. Melkor fuzzer  Fuzzing rules  Specification violations (Example 1)  ELF Specification: 57
  • 58. Melkor fuzzer  Fuzzing rules  Specification violations (Example 1)  Rule definition for that field: 58 Rule name implemented at code level
  • 59. Melkor fuzzer  Fuzzing rules  Specification violations (Example 1)  That rule at code level: 59
  • 60. Melkor fuzzer  Fuzzing rules  Specification violations (Example 2) 60
  • 61. Melkor fuzzer  Fuzzing rules  Specification violations (Example 2) 61
  • 62. Melkor fuzzer  Fuzzing rules  More complex rules 62
  • 63. Melkor fuzzer  Fuzzing rules  More complex rules (Example 1) 63
  • 64. Melkor fuzzer  Fuzzing rules  More complex rules (Example 2) 64
  • 65. Melkor fuzzer  Fuzzing rules  More complex rules (Example 3) 65
  • 66. Melkor fuzzer  Fuzzing rules execution  To iterate through the rules an array of function pointers is created in every fuzzing module and initialized with __attribute__((constructor) 66
  • 67. Melkor fuzzer  Fuzzing rules execution  Chances of execution given by the –l (likelihood parameter, default 10%) is translated to two variables that’ll be used in ... 67
  • 68. Melkor fuzzer  Fuzzing rules execution  ... Conjunction with rand() in the iteration through the array of pointers 68
  • 69. Melkor fuzzer  Fuzzing rules execution  Some fields are critical and even when the rule is executed, inside the rule function the likelihood is decreased.  For example: 69
  • 70. Melkor fuzzer  ELF metadata dependencies  These dependencies should not be broken if you want to fuzz deeper levels 70
  • 71. Melkor fuzzer  ELF metadata dependencies  Translating them into specific fields: 71
  • 72. Melkor fuzzer  ELF metadata dependencies  Translating them into specific fields: 72
  • 73. Melkor fuzzer  ELF metadata dependencies  Translating them into specific fields: 73
  • 74. Melkor fuzzer  ELF metadata dependencies  And at code level (Example 1): 74
  • 75. Melkor fuzzer  ELF metadata dependencies  And at code level (Example 2): 75
  • 76. Melkor fuzzer  Generators and test data  Semi-valid test data is used in the rules  Size fields: common integer bofs values  Offsets / addresses: out of bounds values  Indexes inside strings: common format strings or non-printable chars  Etc. 76
  • 77. Melkor fuzzer  Generators and test data  numbers.h 77
  • 78. Melkor fuzzer  Generators and test data  numbers.h 78
  • 79. Melkor fuzzer  Generators and test data  numbers.h 79
  • 80. Melkor fuzzer  Generators and test data  generators.c  Functions to return test data based on  numbers.h  rand() 80
  • 81. Melkor fuzzer  Generators and test data  ELF used as template  Some provided in templates/ 81
  • 82. Melkor fuzzer  Compilation  With a simple $make 82
  • 84. Melkor fuzzer  Usage  Fuzzing options 84
  • 85. Melkor fuzzer  Usage  A simple run (testing preparation): 85
  • 86. Melkor fuzzer  Usage  Malforming ELFs: 86
  • 87. Melkor fuzzer  Usage  Malformed ELFs (orcs): 87
  • 88. Melkor fuzzer  Usage  Malformed ELFs (Default 10%): 88
  • 89. Melkor fuzzer  Usage  Malformed ELFs (Aggressive 70%): 89
  • 90. Melkor fuzzer  Usage  Testing the malformed ELFs (test_fuzzed.sh) 90
  • 91. Melkor fuzzer  Usage  No, Melkor will not send your orcs to the shopping mall 91 http://mashable.com/2014/06/12/orc-mall-prank/
  • 92. Melkor fuzzer  Usage  OS kernel / dynamic loader testing: 92
  • 93. Melkor fuzzer  Usage  OS kernel / dynamic loader testing: 93
  • 94. Melkor fuzzer  Usage  Application testing (Example: dumpelf) 94
  • 95. Melkor fuzzer  Usage  Application testing (Example: gcc) 95
  • 96. Melkor fuzzer  Usage  Application testing (Example: gcc) 96
  • 97. Melkor fuzzer  Logging  A simple logging facility implemented to identify the fuzzed metadata in detail 97
  • 99. Fuzzing ELF software DEMOS  Homework: fuzz Melkor fuzzer ;-)  Yes, inception fuzzing  Read BUGS.txt  It could be used as a test subject 99
  • 100. Conclusions  ELF is just another file format where common parsing mistakes are still used  ELF parsers are not just in the OS kernels, readelf and objdump. Many new software are parsing and supporting 32 & 64-bit ELF files 100
  • 101. Conclusions  Fuzzing discover defects that normally are harder to find in less time than manual testing  Fuzzing is much better having knowledge of the semantics (specifications)  A single crash could be an exploitable security bug or could be used as an anti-reversing or anti-infection technique 101
  • 102. Conclusions  Melkor fuzzer will help you to find functional (and security) bugs in your ELF parsers. 102
  • 103. References [1] blexim. (2002). “Basic Integer Overflows”. PHRACK Magazine, Release 60. Retrieved from http://phrack.org/issues/60/10.htm [2] DeMott, J., Enbody, R. (Aug 5th, 2006). “The Evolving Art of Fuzzing”. DEFCON 14. Retrieved from https://www.defcon.org/images/defcon-14/dc-14-presentations/DC-14- DeMott.pdf [3] Dietz, W., Li, P., Regehr, J., and Adve, V. (June 2012). “Understanding Integer Overflow in C/C++”. Proceedings of the 34th International Conference on Software Engineering (ICSE), Zurich, Switzerland. Retrieved from http://www.cs.utah.edu/~regehr/papers/overflow12.pdf [4] Hernández, A. (Dec 18th, 2012). “Striking Back GDB and IDA debuggers through malformed ELF executables”. Retrieved from http://blog.ioactive.com/2012/12/striking-back-gdb-and-ida- debuggers.html 103
  • 104. References [5] Jarkko, L., Rauli, K., and Heikki, K. (2006). “Codenomicon Robustness Testing - Handling the Infinite Space while breaking Software”. Retrieved from http://www.codenomicon.com/resources/whitepapers/code-whitepaper- 2006-06.pdf [6] Ormandy, T. “Sophail: A Critical Analysis of Sophos Antivirus”. Retrieved from https://lock.cmpxchg8b.com/sophail.pdf [7] Padilla, O. (May 12th, 2005). “Analyzing Common Binary Parser Mistakes”. Uninformed e-zine Vol. 3. Retrieved from http://uninformed.org/index.cgi?v=3&a=1&t=pdf [8] Miller, C. (Oct 20th, 2007). “Fuzzing with Code Coverage By Example”. ToorCon 2007. Retrieved from http://fuzzinginfo.files.wordpress.com/2012/05/cmiller_toorcon2007. pdf 104
  • 105. References [9] Miller, C. (Mar 28th, 2008. “Fuzz By Number: More Data About Fuzzing Than You Ever Wanted To Know”. CanSecWest 2008. Retrieved from https://cansecwest.com/csw08/csw08-miller.pdf [10] TIS Committee. (1995). “Executable and Linking Format (ELF) Specification v 1.2”. Retrieved from http://www.uclibc.org/docs/elf.pdf [11] van Sprundel, I. (Dec 8th, 2005). “Fuzzing: Breaking software in an automated fashion”. Retrieved from http://events.ccc.de/congress/2005/fahrplan/attachments/582- paper_fuzzing.pdf [12] Wysopal, C., Nelson, L., Zovi, D. D., and Dustin, E. (2007). “Local Fault Injection” (Ch. 11) in The Art of Software Security Testing, pp. 201-229. Retrieved from http://www.securityfocus.com/images/infocus/Wysopal_CH11.pdf 105
  • 106. Special Thanks  To all the researchers / coders from whom I’ve learned cool ELF stuff and fuzzing: Silvio Cesare, the ELF shell crew, mayhem, scut, the grugq, Itzik Kotler, Electronic Souls, Julien Vanegue, Andrew Griffiths, dex, beck, Brian Raiter, Rakan El-Khalil, Jared DeMott, skape, JunkCode, Sebastian Krahmer, Paul Starzetz, Charlie Miller, Ilja van Sprundel, Chris Rohlf, aczid, Rebecca Shapiro, Sergey Bratus and some others I forgot to mention ... Thanks ! 106
  • 107. Thanks ! 107 / Alejandro Hernández / @nitr0usmx
  • 108. In Memorial † Dedicated to the memory of one of my best friends, Aaron Alba. 108