VEYSEL HATAĹž
vhatas@gmail.com
09.05.2014
BILKENT UNIVERSITY COMPUTER ENGINEERING DEPARTMENT
FUZZING & SOFTWARE SECURITY TESTING
PROLOGUE
• 0x00401001 what_is_fuzzing ( )
• 0x00401002 history ( )
• 0x00401003 fuzzing_tools ( )
• 0x00401004 fuzzing_phases ( )
• 0x00401005 fuzzing_framework ( )
• 0x00401006 fuzzing_methods ( )
• 0x00401007 questions ( )
push ebp
mov ebp, esp
call what_is_fuzzing
WHAT IS FUZZING?
«Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in
finding implementation bugs using malformed/semi-malformed data injection in an automated
fashion.»
«The purpose of fuzzing relies on the assumption that there are bugs within every program,
which are waiting to be discovered. Therefore, a systematical approach should find them
sooner or later.» -- http://www.owasp.org/index.php/Fuzzing
«Fuzzing is the process of sending intentionally invalid data to a product in the hopes of
triggering an error condition or fault. These error conditions can lead to exploitable
vulnerabilities.» HD Moore
“The degree to which a system or component can function correctly in the presence of invalid
inputs or stressful environmental conditions.” IEEE
HISTORY
• Professor Barton Miller
• Developed fuzz testing with his students at the University of Wisconsin-Madison in
1988/89
• GOAL: improve UNIX applications
• Miller's fuzzer was pretty basic: it sent random strings of data to the application
• 1999 brought PROTOS from University of Oulu
• 2004 Browser Fuzzing (Fuzzed HTML to find browser bugs)
• 2004 File Format Fuzzing (MS04-028 Buffer Overrun ~ Remote Code Execution)
• 2006 ActiveX Fuzzing
• 2007 Man-in-the-middle Fuzzing (ProxyFuzz)
SOME FUZZING TOOLS
• Peach Fuzz
• BFF
• Sulley
• Spike
• TAOF
• COMRaider
SOME HELPFUL DEFINITIONS
• BUG
• The Harvard Mark II (1947): a real bug!
• Security BUGs (Memory Corruptions, Overflow, Injections, Memory Leaks)
• BUG Hunting
• Source Code Analysis (White Box)
• Binary Analysis
• Static Analysis (Reverse Engineering)
• Dynamic Analysis (Fuzzing, Debugging/Tracing, Taint Analysis)
• In Memory Fuzzing
«In memory fuzzing is a technique that allows the analyst to bypass parsers; network-related limitations such as
max connections, built-in IDS or flooding protection; encrypted or unknown (poorly documented) protocols in order
to fuzz the actual underlying assembly routines that are potentially vulnerable.»
CORELAN TEAM
FUZZING PHASES
1. IDENTIFY THE TARGET
• Applications (players, readers, web apps…)
• Platforms (Linux, Windows, OSX)
• Devices (arm, phones, modems ..)
• …
2. IDENTIFY THE INPUTS
• File Formats (swf, pdf, png, jpeg, m3u …)
• Network Protocols (ftp, http, arp, ssl …)
• Reg keys, env variables, headers …
FUZZING PHASES
3. GENERATE FUZZ DATA
• Mutation
• Generation
4. EXECUTE FUZZ DATA
• Semi-valid input to the target application
5. MONITOR FUZZ DATA
THE PROCESS OF FUZZING FRAMEWORK
Identify Targets & Platform -> Identify Input Vectors -> Generate Fuzz Data -> Execute Fuzzed Data -> Monitor for Exceptions -> Determine Exploitability
• Generate Fuzz Data: minimizing
• Determine Exploitability: unique crash logs
CERT - FUZZING FRAMEWORK
• Basic Fuzzing Framework (BFF)
• Linux and Mac OS X platforms
• Failure Observation Engine (FOE)
• Windows platform
BFF - BASIC FUZZING FRAMEWORK
• The CERT Basic Fuzzing Framework (BFF) is a software testing tool that finds defects in
applications. BFF performs mutational fuzzing on software that consumes file input.
• The BFF automatically collects test cases that cause software to crash in unique ways, as
well as debugging information associated with the crashes.
• The goal of BFF is to minimize the effort required for software vendors and security
researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.
BFF - BASIC FUZZING FRAMEWORK
Features that are available in BFF
• Uniqueness determination is handled through intelligent backtrace analysis.
• Automated test-case minimization reduces the effort required to analyze results. This is
achieved by distilling the test case to the minimal changes to the input data required to
induce a specific crash.
• Online machine learning is applied to fuzzing parameter and input file selection to
improve the efficacy of the campaign.
• Crash severity/exploitability triage is provided.
BFF - BASIC FUZZING FRAMEWORK
ZZUF
Zzuf is a transparent application input fuzzer whose purpose is to find bugs in applications by
corrupting their user-contributed data, flipping random bits in the input. Zzuf is one of
the most common fuzzers available for bit-flipping fuzzing.
CERT Triage Tools
The CERT Triage Tools include a GNU Debugger (GDB) extension called "exploitable" that
classifies Linux application bugs by severity and a wrapper script for batch execution.
BFF - TOOLS
BFF minimizes crashers (tools/minimizer_plot.py)
• Each crashing test case will have a number of bytes that have been modified from the
seed file.
• When a crasher is minimized, a test case is generated with a minimal number of bytes
that have changed from the seed file.
BFF - TOOLS
BFF crash analyzer (tools/bff_stats.py)
• Generates a concise summary of the fuzz run results so far, including how many times
each unique crash was seen, the first seed number it was seen at, the most recent seed
number it was seen at, and the bitwise and bytewise Hamming distance from the original
seed file for the minimized test case.
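The minimizer and the Hamming-distance summary described on these two slides, as an added example (not BFF's own tools/minimizer or bff_stats.py code): a greedy minimizer that reverts one changed byte at a time against a crash oracle, run here against a constructed toy "parser" standing in for the real target under the debugger.

```python
# Added example, not part of CERT BFF. The crash oracle `toy_crashes` is a
# constructed stand-in for "run the target under gdb and see if it faults".

def byte_hamming(a, b):
    """Bytewise Hamming distance: number of byte positions that differ."""
    return sum(1 for x, y in zip(a, b) if x != y)

def bit_hamming(a, b):
    """Bitwise Hamming distance: number of differing bits over all positions."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def minimize(seed, crasher, crashes):
    """Return a test case that still satisfies `crashes` but differs from the
    seed in as few bytes as possible. Greedy: for each byte the fuzzer changed,
    put the seed byte back and keep that reversion if the crash survives."""
    assert len(seed) == len(crasher), "minimizer assumes same-length inputs"
    assert crashes(crasher), "input does not crash; nothing to minimize"
    current = bytearray(crasher)
    for i in range(len(seed)):
        if current[i] == seed[i]:
            continue                      # byte was never mutated
        candidate = bytearray(current)
        candidate[i] = seed[i]
        if crashes(bytes(candidate)):     # still crashes without this change
            current = candidate           # so the change was incidental noise
    return bytes(current)

def toy_crashes(data):
    """Constructed toy target: 4-byte magic, 1-byte length, payload.
    The bug: it 'crashes' when the declared length exceeds the payload."""
    if len(data) < 5 or data[:4] != b"FUZZ":
        return False                      # rejected before the bug is reached
    return data[4] > len(data) - 5

def demo():
    """Constructed seed and crasher: one byte triggers the bug, three are noise."""
    seed = b"FUZZ" + bytes([3]) + b"ABCDEFGH"
    crasher = bytearray(seed)
    crasher[4] = 200                                      # the real trigger
    crasher[6], crasher[9], crasher[11] = 0x00, 0xFF, 0x7F  # incidental mutations
    minimized = minimize(seed, bytes(crasher), toy_crashes)
    return seed, bytes(crasher), minimized

if __name__ == "__main__":
    seed, crasher, minimized = demo()
    print("bytes changed before minimization:", byte_hamming(seed, crasher))
    print("bytes changed after minimization: ", byte_hamming(seed, minimized))
    print("bits changed after minimization:  ", bit_hamming(seed, minimized))
```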
BFF - TOOLS
BFF crash analyzer (tools/create_crasher_script.py)
• It will generate a shell script that in turn can be used to regenerate all the test cases for a
given crash id.
BFF - BASIC FUZZING FRAMEWORK
Analyzing Results
• When the fuzzing run encounters a crash, BFF will analyze the details of the crash
• Capturing
• Stderr output
• Gdb output
• Valgrind output
• Callgrind output
BFF - BASIC FUZZING FRAMEWORK
Analyzing Results
• crashers: Contains a subdir for each uniquely-crashing test case and its analyzed results
• seeds: Contains the original seed files as well as logs specific to that seedfile
• uniquelog.txt: A log file that tracks the unique crashers found during the run
• gdb output
• the memory map
• signal information
• backtrace, registers
• disassembly
• CERT Triage Tools
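How a framework turns the captured gdb backtrace into a "unique crasher", as an added example (not the CERT Triage Tools or BFF implementation): frames are normalised by dropping addresses and argument values, then a major hash over the top function names and a minor hash that also includes file:line bucket the crashes. The gdb outputs below are constructed samples.

```python
import hashlib
import re

# Added example, not CERT code: simplified backtrace-based crash bucketing.
SIGNAL_RE = re.compile(r"Program received signal (\w+)")
# "#0  0x08048abc in parse_chunk (p=0x0) at parser.c:42" -> ("parse_chunk", "parser.c:42")
FRAME_RE = re.compile(r"^#\d+\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(\S+)\s*\(.*?\)(?:\s+at\s+(\S+))?")

def parse_backtrace(gdb_output):
    """Return (signal, frames); frames are (function, location), innermost first.
    Addresses and argument values are dropped so ASLR and different input
    files do not make the same crash look like a new one."""
    signal, frames = None, []
    for line in gdb_output.splitlines():
        line = line.strip()
        sm = SIGNAL_RE.search(line)
        if sm:
            signal = sm.group(1)
            continue
        fm = FRAME_RE.match(line)
        if fm:
            frames.append((fm.group(1), fm.group(2) or "?"))  # "?" = no debug info
    return signal, frames

def crash_hashes(frames, depth=5):
    """Major hash: function names of the top `depth` frames (coarse bucket).
    Minor hash: the same frames including file:line (finer bucket)."""
    top = frames[:depth]
    major = hashlib.sha1("|".join(f for f, _ in top).encode()).hexdigest()[:16]
    minor = hashlib.sha1("|".join(f + "@" + l for f, l in top).encode()).hexdigest()[:16]
    return major, minor

def bucket_crashes(crashes, depth=5):
    """crashes: test-case id -> gdb output. Returns major hash -> list of ids."""
    buckets = {}
    for case_id, output in crashes.items():
        _, frames = parse_backtrace(output)
        major, _ = crash_hashes(frames, depth)
        buckets.setdefault(major, []).append(case_id)
    return buckets

# Constructed sample gdb output (not real crashes). A and B are the same bug
# seen at different addresses/arguments; C faults one frame deeper.
CRASH_A = """
Program received signal SIGSEGV, Segmentation fault.
#0  0x08048abc in parse_chunk (p=0x0, len=4096) at parser.c:42
#1  0x08048def in read_file (path=0xbffff123 "a.png") at reader.c:88
#2  0x08048f00 in main (argc=2, argv=0xbffff234) at main.c:17
"""
CRASH_B = """
Program received signal SIGSEGV, Segmentation fault.
#0  0xb7612abc in parse_chunk (p=0x0, len=1024) at parser.c:42
#1  0xb7612def in read_file (path=0xbfa00123 "b.png") at reader.c:88
#2  0xb7612f00 in main (argc=2, argv=0xbfa00234) at main.c:17
"""
CRASH_C = """
Program received signal SIGSEGV, Segmentation fault.
#0  0xb7d2e4f0 in memcpy () from /lib/libc.so.6
#1  0x08048abc in parse_chunk (p=0x804c008, len=4096) at parser.c:51
#2  0x08048def in read_file (path=0xbffff123 "c.png") at reader.c:88
#3  0x08048f00 in main (argc=2, argv=0xbffff234) at main.c:17
"""

if __name__ == "__main__":
    for major, ids in bucket_crashes({"a": CRASH_A, "b": CRASH_B, "c": CRASH_C}).items():
        print(major, ids)
```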
BFF - BASIC FUZZING FRAMEWORK
DEMO 1
FUZZING METHODS
• Generation-based or Random-based (Smart Fuzzing)
The fuzzers generate input data for applications in a random way. This type of data
generation is very quick to implement but also useless in most cases.
• Easy, you do not need to know any protocol or format.
• Mutation-based (Dumb Fuzzing)
Mutation-based fuzzers generate data by analyzing an existing set of data provided by
the user and mutating some fields inside these data.
• Very hard, but explores every detail of protocol
• Proxy-based
• Specification-based
• Evolutionary-based
GENERATION BASED FUZZING
• Generational fuzzers are capable of building the data being sent based on a data model
provided by the fuzzer creator. Sometimes this is as simple as sending random bytes.
This can be done much smarter by knowing good data values and combining them in
interesting ways.
• Test cases are generated from some description of the format.
MUTATION BASED (DUMB FUZZING)
• Mutation-based fuzzers mutate existing data samples to create test data while
generation-based fuzzers define new test data based on models of the input.
• Mutational fuzzing is the act of taking well-formed input data and corrupting it in various
ways, looking for cases that cause crashes.
• Change Random Byte
• Byte Flipping
Charlie Miller code (Python 2; imports and comments added so the fragment runs as a whole)

```python
import math
import random

FuzzFactor = 250                       # larger value -> fewer bytes mutated per test case
buf = list(open("seed.pdf", "rb").read())  # Python 2: seed file as a list of 1-char strings
numwrites = random.randrange(math.ceil((float(len(buf)) / FuzzFactor))) + 1  # bytes to change
for j in range(numwrites):
    rbyte = random.randrange(256)      # random replacement value 0..255
    rn = random.randrange(len(buf))    # random offset in the seed
    buf[rn] = "%c" % (rbyte)           # overwrite one byte; write "".join(buf) out as the test case
```
CHANGE RANDOM BYTE
BYTE/DWORD FLIPPING
• FiveBelow is the dummy file fuzzer. It uses the byte-slide method.
• ZDI-11-252
• Apple QuickTime PICT Image PnSize Opcode Remote Code Execution Vulnerability
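The byte/DWORD slide mutation the slides attribute to FiveBelow, as an added example (not FiveBelow's own code): each boundary value is written at every offset of the seed in turn, so one pass of the campaign covers every length, count and size field wherever it sits. The seed is a constructed PNG signature plus IHDR chunk header.

```python
import struct

# Added example, not the FiveBelow tool. Boundary values that tend to expose
# integer overflows and length checks; extend the lists for your own target.
BYTE_VALUES = [0x00, 0xFF, 0x7F, 0x80]
DWORD_VALUES = [0x00000000, 0xFFFFFFFF, 0x7FFFFFFF, 0x80000000, 0x0000FFFF]

def slide_bytes(seed, values=BYTE_VALUES, step=1):
    """Yield (offset, value, mutated) with each value written at each offset.
    Cases identical to the seed (value already present) are skipped."""
    for offset in range(0, len(seed), step):
        for v in values:
            out = bytearray(seed)
            out[offset] = v
            if bytes(out) != seed:
                yield offset, v, bytes(out)

def slide_dwords(seed, values=DWORD_VALUES, step=1, endian="<"):
    """Same idea with 4-byte values; endian '<' little, '>' big (PNG is big)."""
    for offset in range(0, len(seed) - 3, step):
        for v in values:
            out = bytearray(seed)
            out[offset:offset + 4] = struct.pack(endian + "I", v)
            if bytes(out) != seed:
                yield offset, v, bytes(out)

# Constructed seed: PNG signature, IHDR length (13) and the "IHDR" type.
PNG_SEED = bytes.fromhex("89504e470d0a1a0a0000000d49484452")

def demo_cases(seed=PNG_SEED):
    """DWORD slide aligned to 4-byte fields; returns the generated cases."""
    return list(slide_dwords(seed, step=4, endian=">"))

if __name__ == "__main__":
    for offset, value, data in demo_cases():
        print("offset %2d value 0x%08x -> %s" % (offset, value, data.hex()))
```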
BYTE/DWORD FLIPPING (ZDI-11-252)
DEMO 2: Apple QuickTime PICT Image PnSize Opcode Remote Code Execution
FILE FORMAT FUZZING
PDFuzzer (pdf header format fuzzer by Jeremy Brown )
PEACH FUZZER
• Peach is a smart fuzzer that is capable of performing both generation- and mutation-based
fuzzing.
• Peach requires the creation of Peach Pit files that define the structure, type information,
and relationships in the data to be fuzzed. It additionally allows for the configuration of a
fuzzing run including selecting a data transport (Publisher), logging interface, etc.
PEACHPIT FILE
• DataModel
A DataModel defines the structure of a data block by specifying additional child elements
such as Number, Blob, or String.
• StateModel
The StateModel recreates the basic state machine logic needed to test a protocol. The
state model defines how to send and receive data to the fuzzing target.
PEACHPIT FILE
• Publishers (Network Publishers & Custom Publishers )
Publishers are the I/O interfaces used by Peach to send and receive data.
• Agent and Monitor
DEMO 3
PEACH FARM (PARALLEL FUZZING)
Peach Fuzzer Farm allows building scalable and distributed fuzzing harnesses.
• 88 Cores of fuzz
• 100,000 files per format (doc, xls, ppt, pdf)
• 5 Targets (Office 2010/2007, OpenOffice, PDF viewers)
• 4 File formats
• >250 GB of logs
• One crash about every six seconds
PEACH FARM (SAMPLE RESULTS)
• 942 Unique Major Hashes
  • 440 in Office
  • 396 in Open Office
  • 68 in Ghostview
  • 32 in Foxit
  • 5 in Acrobat
• !exploitable
  • 150 EXPLOITABLE (15%)
  • 188 PROBABLY_EXPLOITABLE (19%)
  • 16 PROBABLY_NOT_EXPLOITABLE (1.6%)
  • 588 UNKNOWN (62%)
ACTIVEX FUZZING
COMRaider is a tool designed to fuzz COM Object Interfaces.
ACTIVEX FUZZING
Target: CommuniCrypt Mail 1.16 (ANSMTP.dll/AOSMTP.dll)
Method: AddAttachments
EPILOGUE
• « Fuzzing will not always yield bugs that will allow you to execute code. Fuzzing does not
promise to make your dreams come true. Fuzzing is an art and a software programmer's
nightmare. Fuzzing will open your eyes to see that it is no longer enough to know the
code backwards and forward, inside and outside, layer by layer, line by line, bit by bit. »
Jeremy Brown
mov esp, ebp
pop ebp
ret
THANK YOU FOR LISTENING
• udacity: CS258 (Software Testing)
• http://fuzzing.org/
• Open Source Fuzzing Tools
• Fuzzing: Brute Force Vulnerability Discovery
• www.corelan.be

Weitere ähnliche Inhalte

Was ist angesagt?

Unit Testing And Mocking
Unit Testing And MockingUnit Testing And Mocking
Unit Testing And MockingJoe Wilson
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis   ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis   ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learningSecurity Bootcamp
 
Computer And Internet Security
Computer And Internet SecurityComputer And Internet Security
Computer And Internet SecurityJFashant
 
Malware forensic
Malware forensicMalware forensic
Malware forensicSumeraHangi
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPLnitinscribd
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1  Statically Analyse Portable Executable(PE) FilesRemnux tutorial-1  Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) FilesRhydham Joshi
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingRana Khalil
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web AttacksVivek Sinha Anurag
 
Unit and integration Testing
Unit and integration TestingUnit and integration Testing
Unit and integration TestingDavid Berliner
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security toolsVicky Fernandes
 
Mutation Testing
Mutation TestingMutation Testing
Mutation TestingESUG
 
6 buffer overflows
6   buffer overflows6   buffer overflows
6 buffer overflowsdrewz lin
 

Was ist angesagt? (20)

Unit Testing And Mocking
Unit Testing And MockingUnit Testing And Mocking
Unit Testing And Mocking
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis   ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis   ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learning
 
Client Side Exploits using PDF
Client Side Exploits using PDFClient Side Exploits using PDF
Client Side Exploits using PDF
 
Computer And Internet Security
Computer And Internet SecurityComputer And Internet Security
Computer And Internet Security
 
Malware forensic
Malware forensicMalware forensic
Malware forensic
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1  Statically Analyse Portable Executable(PE) FilesRemnux tutorial-1  Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Security testing
Security testingSecurity testing
Security testing
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumeration
 
Unit and integration Testing
Unit and integration TestingUnit and integration Testing
Unit and integration Testing
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security tools
 
Mutation Testing
Mutation TestingMutation Testing
Mutation Testing
 
6 buffer overflows
6   buffer overflows6   buffer overflows
6 buffer overflows
 

Ă„hnlich wie FUZZING & SOFTWARE SECURITY TESTING

Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introductionMostafa Abdel-sallam
 
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapDEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapFelipe Prado
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDaveEdwards12
 
Az4301280282
Az4301280282Az4301280282
Az4301280282IJERA Editor
 
black-box testing is a type of software testing in which the tester is not co...
black-box testing is a type of software testing in which the tester is not co...black-box testing is a type of software testing in which the tester is not co...
black-box testing is a type of software testing in which the tester is not co...KrishnaVeni451953
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraNelson Brito
 
Software testing
Software testingSoftware testing
Software testingEnamul Haque
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...EC-Council
 
How to build a debuggle runtime
How to build a debuggle runtimeHow to build a debuggle runtime
How to build a debuggle runtimeTobi Ajila
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidE Hacking
 
Fuzzing: The New Unit Testing
Fuzzing: The New Unit TestingFuzzing: The New Unit Testing
Fuzzing: The New Unit TestingDmitry Vyukov
 
Fuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingFuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingNetSPI
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis PrimerCoverity
 
soctool.pdf
soctool.pdfsoctool.pdf
soctool.pdfnitinscribd
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdfMAHESHUMANATHGOPALAK
 

Ă„hnlich wie FUZZING & SOFTWARE SECURITY TESTING (20)

Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introduction
 
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapDEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Az4301280282
Az4301280282Az4301280282
Az4301280282
 
black-box testing is a type of software testing in which the tester is not co...
black-box testing is a type of software testing in which the tester is not co...black-box testing is a type of software testing in which the tester is not co...
black-box testing is a type of software testing in which the tester is not co...
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
 
Software testing
Software testingSoftware testing
Software testing
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
 
How to build a debuggle runtime
How to build a debuggle runtimeHow to build a debuggle runtime
How to build a debuggle runtime
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 
Fuzzing: The New Unit Testing
Fuzzing: The New Unit TestingFuzzing: The New Unit Testing
Fuzzing: The New Unit Testing
 
Fuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingFuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox Testing
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Fuzzing - Part 1
Fuzzing - Part 1Fuzzing - Part 1
Fuzzing - Part 1
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis Primer
 
soctool.pdf
soctool.pdfsoctool.pdf
soctool.pdf
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
 

KĂĽrzlich hochgeladen

How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfWilly Marroquin (WillyDevNET)
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 

KĂĽrzlich hochgeladen (20)

How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

FUZZING & SOFTWARE SECURITY TESTING

SOME HELPFUL DEFINITIONS
• BUG
• The Harvard Mark II (1947) Real BUG !
• Security BUGs (Memory Corruptions, Overflow, Injections, Memory Leaks)
• BUG Hunting
  • Source Code Analysis (White Box)
  • Binary Analysis
    • Static Analysis (Reverse Engineering)
    • Dynamic Analysis (Fuzzing, Debugging/Tracing, Taint Analysis)
• In Memory Fuzzing
«In memory fuzzing is a technique that allows the analyst to bypass parsers; network-related limitations such as max connections, built-in IDS or flooding protection; encrypted or unknown (poorly documented) protocol in order to fuzz the actual underlying assembly routines that are potentially vulnerable.» CORELAN TEAM
FUZZING PHASES
1. IDENTIFY THE TARGET
  • Applications (players, readers, web apps…)
  • Platforms (Linux, Windows, OSX)
  • Devices (arm, phones, modems ..)
  • …
2. IDENTIFY THE INPUTS
  • File Formats (swf, pdf, png, jpeg, m3u …)
  • Network Protocols (ftp, http, arp, ssl …)
  • Reg keys, env variables, headers …
3. GENERATE FUZZ DATA
  • Mutation
  • Generation
4. EXECUTE FUZZ DATA
  • Semi-valid input to the target application
5. MONITOR FUZZ DATA
THE PROCESS OF FUZZING FRAMEWORK
• Identify Targets & Platform
• Identify Input Vectors
• Generate Fuzz Data
  • minimizing
• Execute Fuzzed Data
• Monitor for Exceptions
• Determine Exploitability
  • Unique crash logs
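The generate / execute / monitor stages of that process as one small mutational fuzzing loop, added here as an example (it is not code from the talk, from BFF or from any tool named on these slides). It assumes a file-consuming target started from the command line that takes the test-case path as its last argument; the `./reader` command is a placeholder, the mutator flips random bits zzuf-style, and the monitor deduplicates crashes by the signature the executor returns.

```python
import os
import random
import subprocess
import tempfile

def flip_bits(seed, rng=random, nbits=3):
    """Generate fuzz data: zzuf-style mutation that flips nbits random bits of the seed."""
    buf = bytearray(seed)
    for _ in range(nbits):
        pos = rng.randrange(len(buf) * 8)
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)

def run_target(cmd, data, timeout=5):
    """Execute fuzz data: write the test case to a file and run `cmd <file>`. Returns a crash
    signature ("SIG<n>" for a fatal signal, "TIMEOUT" for a hang) or None on a normal exit."""
    fd, path = tempfile.mkstemp(suffix=".fuzz")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        try:
            proc = subprocess.run(cmd + [path], stdout=subprocess.DEVNULL,
                                  stderr=subprocess.DEVNULL, timeout=timeout)
        except subprocess.TimeoutExpired:
            return "TIMEOUT"
        # On POSIX a negative return code is the number of the signal that killed the process.
        return "SIG%d" % -proc.returncode if proc.returncode < 0 else None
    finally:
        os.unlink(path)

def fuzz_campaign(seed, execute, iterations, rng=None):
    """Monitor: run the loop and keep one record per unique crash signature (first iteration
    it was seen at, number of hits, first crashing test case)."""
    rng = rng if rng is not None else random.Random(0)  # fixed seed: reproducible campaign
    unique = {}
    for i in range(iterations):
        case = flip_bits(seed, rng)
        signature = execute(case)
        if signature is None:
            continue
        entry = unique.setdefault(signature, {"first_seen": i, "hits": 0, "case": case})
        entry["hits"] += 1
    return unique

if __name__ == "__main__":
    # Hypothetical target command; replace with the real file-consuming program under test.
    found = fuzz_campaign(b"\x00" * 64, lambda data: run_target(["./reader"], data), 1000)
    for sig, info in found.items():
        print(sig, "first seen at iteration", info["first_seen"], "hits", info["hits"])
```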
CERT - FUZZING FRAMEWORK
• Basic Fuzzing Framework (BFF)
  • Linux and Mac OS X platforms
• Failure Observation Engine (FOE)
  • Windows platform
BFF - BASIC FUZZING FRAMEWORK
• The CERT Basic Fuzzing Framework (BFF) is a software testing tool that finds defects in applications. BFF performs mutational fuzzing on software that consumes file input.
• The BFF automatically collects test cases that cause software to crash in unique ways, as well as debugging information associated with the crashes.
• The goal of BFF is to minimize the effort required for software vendors and security researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.
BFF - BASIC FUZZING FRAMEWORK
Features that are available in BFF
• Uniqueness determination is handled through intelligent backtrace analysis.
• Automated test-case minimization reduces the effort required to analyze results. This is achieved by distilling the test case to the minimal changes to the input data required to induce a specific crash.
• Online machine learning is applied to fuzzing parameter and input file selection to improve the efficacy of the campaign.
• Crash severity/exploitability triage is provided.
BFF - BASIC FUZZING FRAMEWORK
ZZUF
It is a transparent application input fuzzer whose purpose is to find bugs in applications by corrupting their user-contributed data, randomly changing bits in the input. zzuf is one of the most common fuzzers available for bit-flipping fuzzing.
CERT Triage Tools
The CERT Triage Tools include a GNU Debugger (GDB) extension called "exploitable" that classifies Linux application bugs by severity and a wrapper script for batch execution.
BFF - TOOLS
BFF minimizes crashers (tools/minimizer_plot.py)
• Each crashing test case will have a number of bytes that have been modified from the seed file.
• When a crasher is minimized, a test case is generated with a minimal number of bytes that have changed from the seed file.
BFF - TOOLS
BFF crash analyzer (tools/bff_stats.py)
• Generates a concise summary of the fuzz run results so far, including how many times each unique crash was seen, the first seed number it was seen at, the most recent seed number it was seen at, and the bitwise and bytewise Hamming distance from the original seed file for the minimized test case.
BFF - TOOLS
BFF crash analyzer (tools/create_crasher_script.py)
• It will generate a shell script that in turn can be used to regenerate all the test cases for a given crash id.
BFF - BASIC FUZZING FRAMEWORK
Analyzing Results
• When the fuzzing run encounters a crash, BFF will analyze the details of the crash
• Capturing
  • Stderr output
  • Gdb output
  • Valgrind output
  • Callgrind output
BFF - BASIC FUZZING FRAMEWORK
Analyzing Results
• crashers: Contains a subdir for each uniquely-crashing test case and its analyzed results
• seeds: Contains the original seed files as well as logs specific to that seedfile
• uniquelog.txt: A log file that tracks the unique crashers found during the run
• gdb output
  • the memory map
  • signal information
  • backtrace, registers
  • disassembly
• CERT Triage Tools
BFF - BASIC FUZZING FRAMEWORK
DEMO 1
FUZZING METHODS
• Generation-based or Random-based (Smart Fuzzing)
The fuzzers generate input data for applications in a random way. This type of data generation is very quick to implement but also useless in most cases.
  • Easy, you do not need to know any protocol or format.
• Mutation-based (Dumb Fuzzing)
Mutation-based fuzzers generate data by analyzing an existing set of data provided by the user and mutating some fields inside these data.
  • Very hard, but explores every detail of the protocol
• Proxy-based
• Specification-based
• Evolutionary-based
GENERATION BASED FUZZING
• Generational fuzzers are capable of building the data being sent based on a data model provided by the fuzzer creator. Sometimes this is as simple as sending random bytes. This can be done much smarter by knowing good data values and combining them in interesting ways.
• Test cases are generated from some description of the format.
MUTATION BASED (DUMB FUZZING)
• Mutation-based fuzzers mutate existing data samples to create test data while generation-based fuzzers define new test data based on models of the input.
• Mutational fuzzing is the act of taking well-formed input data and corrupting it in various ways, looking for cases that cause crashes.
• Change Random Byte
• Byte Flipping
CHANGE RANDOM BYTE
Charlie Miller code (Python 2 era: buf is the seed file read into a list of one-character strings, e.g. list(open(path, "rb").read()); FuzzFactor controls how many bytes get touched, the smaller the factor the more bytes, 250 is a commonly used value)
    import math
    import random
    # pick how many bytes to overwrite, at least one
    numwrites = random.randrange(int(math.ceil(float(len(buf)) / FuzzFactor))) + 1
    for j in range(numwrites):
        rbyte = random.randrange(256)      # random replacement byte value
        rn = random.randrange(len(buf))    # random offset into the buffer
        buf[rn] = "%c" % rbyte
BYTE/DWORD FLIPPING
• FiveBelow is the dummy file fuzzer. It uses the byte slide method.
• ZDI-11-252
  • Apple QuickTime PICT Image PnSize Opcode Remote Code Execution Vulnerability
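A byte/dword sliding mutator of the kind the slide says FiveBelow uses, written for this page as an added example (not FiveBelow's code; reading "byte slide" as writing a set of boundary values at every offset of the seed is an assumption). It is the deterministic counterpart of the random-byte mutation above, also shows byte flipping by inverting one byte per offset, and writes the resulting corpus to a directory of test-case files.

```python
import os
import struct

# Boundary values that often exercise length and index handling in file parsers (constructed list).
BYTE_VALUES = (0x00, 0x7F, 0x80, 0xFF)
DWORD_VALUES = (0x00000000, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF)

def slide_cases(seed, byte_values=BYTE_VALUES, dword_values=DWORD_VALUES, endian="<"):
    """Yield (offset, width, value, test_case): every value written at every offset of the seed.
    Single bytes go at each offset; dwords only where all four bytes fit, packed with `endian`."""
    for offset in range(len(seed)):
        for value in byte_values:
            case = bytearray(seed)
            case[offset] = value
            yield offset, 1, value, bytes(case)
    for offset in range(len(seed) - 3):
        for value in dword_values:
            case = bytearray(seed)
            case[offset:offset + 4] = struct.pack(endian + "I", value)
            yield offset, 4, value, bytes(case)

def flip_bytes(seed):
    """Byte flipping: yield (offset, test_case) with the byte at `offset` bitwise inverted."""
    for offset in range(len(seed)):
        case = bytearray(seed)
        case[offset] ^= 0xFF
        yield offset, bytes(case)

def count_cases(seed, byte_values=BYTE_VALUES, dword_values=DWORD_VALUES):
    """How many test cases slide_cases() produces for a seed of this size."""
    n = len(seed)
    return n * len(byte_values) + max(n - 3, 0) * len(dword_values)

def write_corpus(seed, out_dir):
    """Write every slide case to out_dir, named by offset, width and value so a crashing
    file can be traced straight back to the mutation that produced it. Returns the count."""
    os.makedirs(out_dir, exist_ok=True)
    written = 0
    for offset, width, value, case in slide_cases(seed):
        name = "slide_%06x_%dB_%0*x.bin" % (offset, width, width * 2, value)
        with open(os.path.join(out_dir, name), "wb") as f:
            f.write(case)
        written += 1
    return written

if __name__ == "__main__":
    # Constructed seed standing in for a real sample file of the target format.
    print(write_corpus(bytes(range(32)), "slide_corpus"), "test cases written")
```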
DEMO 2
APPLE QUICKTIME PICT IMAGE PNSIZE OPCODE REMOTE CODE EXECUTION
FILE FORMAT FUZZING
PDFuzzer (pdf header format fuzzer by Jeremy Brown)
PEACH FUZZER
• Peach is a SmartFuzzer that is capable of performing both generation and mutation based fuzzing.
• Peach requires the creation of Peach Pit files that define the structure, type information, and relationships in the data to be fuzzed. It additionally allows for the configuration of a fuzzing run including selecting a data transport (Publisher), logging interface, etc.
PEACHPIT FILE
• DataModel
A DataModel defines the structure of a data block by specifying additional child elements such as Number, Blob, or String.
• StateModel
The StateModel recreates the basic state machine logic needed to test a protocol. The state model defines how to send and receive data to the fuzzing target.
PEACHPIT FILE
• Publishers (Network Publishers & Custom Publishers)
Publishers are the I/O interfaces used by Peach to send and receive data.
• Agent and Monitor
PEACH FARM (PARALLEL FUZZING)
Peach Fuzzer Farm allows you to build scalable and distributed fuzzing harnesses.
• 88 Cores of fuzz
• 100,000 files per format (doc, xls, ppt, pdf)
• 5 Targets (Office 2010/2007, OpenOffice, PDF viewers)
• 4 File formats
• >250 GB of logs
• One crash about every six seconds
PEACH FARM (SAMPLE RESULTS)
• 942 Unique Major Hashes
  • 440 in Office
  • 396 in Open Office
  • 68 in Ghostview
  • 32 in Foxit
  • 5 in Acrobat
• !exploitable
  • 150 EXPLOITABLE (15%)
  • 188 PROBABLY_EXPLOITABLE (19%)
  • 16 PROBABLY_NOT_EXPLOITABLE (1.6%)
  • 588 UNKNOWN (62%)
ACTIVEX FUZZING
COMRaider is a tool designed to fuzz COM Object Interfaces.
ACTIVEX FUZZING
Target: CommuniCrypt Mail 1.16 (ANSMTP.dll/AOSMTP.dll)
Method: AddAttachments
EPILOGUE
• « Fuzzing will not always yield bugs that will allow you to execute code. Fuzzing does not promise to make your dreams come true. Fuzzing is an art and a software programmer's nightmare. Fuzzing will open your eyes to see that it is no longer enough to know the code backwards and forward, inside and outside, layer by layer, line by line, bit by bit. » Jeremy Brown
mov esp, ebp
pop ebp
ret
THANK YOU FOR LISTENING
• udacity: CS258 (Software Testing)
• http://fuzzing.org/
• Open Source Fuzzing Tools
• Fuzzing: Brute Force Vulnerability Discovery
• www.corelan.be