FUZZING - UNDERESTIMATED METHOD OF FINDING HIDDEN BUGS
by Pawel Rzepa
AGENDA
• What is fuzzing?
• Mutation based (dumb) fuzzing
• Instrumented fuzzing
• Generation based (smart) fuzzing
• Fuzzing web application
• What is the future of fuzzing?
BEFORE WE START… WHO AM I?
• Security engineer at Intive (Wroclaw)
• Former developer of the advanced fuzzing module in Spirent’s CyberFlood device
• Contributor to OWASP MSTG (Mobile Security Testing Guide)
• Supporter of the Wroclaw OWASP meetings
WHAT IS FUZZING, REALLY?
“Fuzzing is a method for discovering faults in software by providing unexpected input and monitoring for exceptions.”
— “Fuzzing: Brute Force Vulnerability Discovery”
IN OTHER WORDS…
A child noticed dad’s unwatched phone…
…and found a chain of instructions that crashes the phone.
HISTORY OF FUZZING
In 1988 Professor Barton Miller from the University of Wisconsin observed that, when he was logged in over a modem during a storm, there was a lot of line noise generating junk characters, and those characters caused programs to crash.
MUTATION / BRUTEFORCE / DUMB FUZZING
[Diagram] sample data -> fuzzed data -> program input
Mutations applied to the sample data:
- bitflipping
- byteflipping
- chunkspew
- …
MUTATION IN PRACTICE
more about Radamsa: https://github.com/aoh/radamsa
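The mutation strategies from the diagram, wired into the three-part fuzzer the deck's summary calls for (input generator, history of generated inputs, process monitor). This is an added example, not code from the deck or from Radamsa; the record format, the `parse_records` target and its missing bounds checks are constructed for the demo.

```python
import random
from typing import Callable, List, Tuple

# Constructed sample input for the demo: a 1-byte record count, then for each
# record a 1-byte length followed by that many payload bytes.
SAMPLE = bytes([2, 3]) + b"abc" + bytes([2]) + b"xy"


def bitflip(data: bytes, rng: random.Random) -> bytes:
    """Flip one random bit of the input."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return bytes(buf)


def byteflip(data: bytes, rng: random.Random) -> bytes:
    """XOR one random byte with a random non-zero value, so it always changes."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] ^= rng.randrange(1, 256)
    return bytes(buf)


def chunkspew(data: bytes, rng: random.Random) -> bytes:
    """Repeat a random chunk of the input several times, growing the input."""
    start = rng.randrange(len(data))
    end = rng.randrange(start + 1, len(data) + 1)
    chunk = data[start:end]
    return data[:end] + chunk * rng.randrange(2, 8) + data[end:]


STRATEGIES: List[Callable[[bytes, random.Random], bytes]] = [bitflip, byteflip, chunkspew]


def parse_records(data: bytes) -> List[bytes]:
    """Constructed target. It trusts the count and length fields and never
    bounds-checks them, so a mutated field makes it index past the end of the
    buffer; the resulting IndexError stands in for a crash of a native parser."""
    count = data[0]
    pos = 1
    records = []
    for _ in range(count):
        length = data[pos]            # raises IndexError once pos runs off the end
        records.append(data[pos + 1:pos + 1 + length])
        pos += 1 + length
    return records


def fuzz(target: Callable[[bytes], object], sample: bytes, iterations: int,
         seed: int = 0) -> Tuple[List[bytes], List[Tuple[int, str]]]:
    """Dumb mutation fuzzer: generator + history + monitor.
    Returns every generated input (the history) and the crashes as
    (iteration, exception name), so each crash can be replayed from the history."""
    rng = random.Random(seed)         # fixed seed: the whole run is reproducible
    history: List[bytes] = []
    crashes: List[Tuple[int, str]] = []
    for i in range(iterations):
        fuzzed = rng.choice(STRATEGIES)(sample, rng)
        history.append(fuzzed)
        try:
            target(fuzzed)
        except Exception as exc:      # the monitor: any unhandled exception is a crash
            crashes.append((i, type(exc).__name__))
    return history, crashes


def replay(target: Callable[[bytes], object], history: List[bytes],
           crashes: List[Tuple[int, str]]) -> bool:
    """Re-run every recorded crash input and check it fails the same way."""
    for i, name in crashes:
        try:
            target(history[i])
        except Exception as exc:
            if type(exc).__name__ != name:
                return False
        else:
            return False
    return True


if __name__ == "__main__":
    history, crashes = fuzz(parse_records, SAMPLE, iterations=200, seed=1)
    print(f"{len(crashes)} crashes in {len(history)} inputs")
    if crashes:
        print(f"first crashing input: {history[crashes[0][0]]!r}")
```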
LET’S FUZZ - DUMB FUZZING
Testing the robustness of an Android AV against APK bombs
Target: Android AV winner at av-test.org (July 2016)
CREATING SAMPLE DATA
• Create fuzzed data from a sample:
$> radamsa -o fuzz_sample_%n.apk -n 3000 com.appsec.appuse.apk
• Move the fuzzed data to the SD card:
$> for i in {1..3000}; do adb push fuzz_sample_$i.apk /sdcard/Download; done
• Capture logs:
$> adb logcat -v long > logs.txt
DUMB FUZZING - V3 AV
DUMB FUZZING - WHY NOT PERFECT?
if (VERY_RARE_CONDITION)
{
    // vulnerable code
}
else
{
    …
}
DUMB FUZZING - TCPDUMP
$> radamsa -o fuzz_sample_%n.pcap -n 3000 small_capture.pcap
$> for i in {1..3000}; do tcpdump -nr fuzz_sample_$i.pcap >> radamsa_pcap.logs; done
LET’S FUZZ - INSTRUMENTED FUZZING
• Generates samples that cover subsets of all code paths
• Requires a dedicated compiler, which instruments the code so the fuzzer can see which code paths each sample reaches
• Much more effective
• Let’s take a closer look at American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/)
INSTRUMENTED FUZZING - PREPARATIONS
• Compile the sources with afl-gcc/afl-g++:
$> CC=/path_to_AFL/afl-gcc ./configure
$> make
• Prepare a valid sample (ideally smaller than 100 KB)
• Create folders for input, output and (optionally) garbage, e.g.
INSTRUMENTED FUZZING IN PRACTICE
$> /path_to_AFL/afl-fuzz -i ./fuzz-input/ -o ./fuzz-output/ tcpdump-4.6.2/tcpdump -nr @@
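What the instrumentation buys, as an added example (not code from the deck or from AFL): a line tracer stands in for afl-gcc's compile-time instrumentation, and the loop keeps an input only when it executes an edge not seen before. The `rare_path_target` and its four-byte condition are constructed for the demo; the target's line numbers serve as the coverage keys.

```python
import random
import sys
from typing import Callable, List, Optional, Set, Tuple

Edge = Tuple[int, int]   # (previous line, current line) executed inside the target


def run_with_coverage(target: Callable[[bytes], object],
                      data: bytes) -> Tuple[Set[Edge], bool]:
    """Run target(data) under a line tracer and return the set of line-to-line
    edges it executed plus whether it crashed (raised). The tracer is the
    stand-in for afl-gcc's compile-time instrumentation."""
    code = target.__code__
    edges: Set[Edge] = set()
    prev = [0]

    def tracer(frame, event, arg):
        if frame.f_code is code and event == "line":
            edges.add((prev[0], frame.f_lineno))
            prev[0] = frame.f_lineno
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        crashed = False
    except Exception:
        crashed = True
    finally:
        sys.settrace(None)
    return edges, crashed


def rare_path_target(data: bytes) -> None:
    """Constructed target with a VERY_RARE_CONDITION: the faulty path is only
    reached when four specific bytes match in sequence. A random 4-byte
    mutation hits it with probability 2**-32; coverage feedback gets there
    one byte at a time, because each matched byte opens a new edge."""
    if len(data) < 4:
        return
    if data[0] == ord("F"):
        if data[1] == ord("U"):
            if data[2] == ord("Z"):
                if data[3] == ord("Z"):
                    raise RuntimeError("fault on the rare path")


def mutate_byte(data: bytes, rng: random.Random) -> bytes:
    """Overwrite one random byte with a random value."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def coverage_guided_fuzz(target: Callable[[bytes], object], seed_input: bytes,
                         max_iterations: int, seed: int = 0
                         ) -> Tuple[Optional[bytes], int, int]:
    """AFL-style loop: keep only inputs that execute an edge never seen before.
    Returns (crashing input or None, iterations used, final corpus size)."""
    rng = random.Random(seed)
    corpus: List[bytes] = [seed_input]
    seen: Set[Edge] = run_with_coverage(target, seed_input)[0]
    for i in range(1, max_iterations + 1):
        # Favour the newest corpus entry: it is the one that got deepest so far.
        parent = corpus[-1] if rng.random() < 0.5 else rng.choice(corpus)
        child = mutate_byte(parent, rng)
        edges, crashed = run_with_coverage(target, child)
        if crashed:
            return child, i, len(corpus)
        if not edges <= seen:            # new coverage: the input is "interesting"
            seen |= edges
            corpus.append(child)
    return None, max_iterations, len(corpus)


if __name__ == "__main__":
    crash, used, size = coverage_guided_fuzz(rare_path_target, b"AAAA", 100_000)
    print(f"crash input {crash!r} after {used} iterations, corpus size {size}")
```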
COOL STORY BRO, BUT MY PROGRAM ISN’T WRITTEN IN C…
• AFL is so good that the community has created many implementations of AFL supporting other languages/environments. Just check them out here: https://github.com/mirrorer/afl/blob/master/docs/sister_projects.txt
• Still doesn’t suit your needs? Then write your own fuzzer!
HOW TO FUZZ NETWORK PROTOCOLS?
- Will it work???
$> while true; do cat /dev/urandom | nc -vv ftp.hq.nasa.gov 21; done
FAIL
LIMITATIONS OF DUMB FUZZING
• (1) Types are not respected: the mutated value no longer matches the type the field must have
• (2) Fixups (checksum, length etc.) are not recomputed after the mutation
• (3) Relationships between fields are not maintained
• (4) Program states are not modelled
GENERATION BASED FUZZING - CREATING A MODEL (1)
• Fuzzing frameworks like Peach or Sulley require modelling each portion of the data
Peach: http://peachfuzzer.com/resources/peachcommunity
• With DataModels you can then describe the different states
• You can also define a monitor for the tested process
• Finally, put all the defined parts together in a Test
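The limitations of dumb fuzzing listed above, and what modelling the data buys, as an added example (not code from the deck, Peach or Sulley). The wire format, its parser and the two generators are constructed for the demo: the dumb mutator changes a byte anywhere, the model-based one mutates only the payload and then recomputes the length and checksum fixups, so its inputs are the only ones that reach the code behind the checks.

```python
import random
import struct
from collections import Counter
from typing import Tuple

# Constructed wire format for the demo:
#   magic "FZ" | type (1 byte) | length (2 bytes, big-endian) | payload | xor checksum (1 byte)
MAGIC = b"FZ"
KNOWN_TYPES = {1, 2, 3}


def checksum(data: bytes) -> int:
    """XOR of all bytes: the fixup the dumb mutator never recomputes."""
    c = 0
    for b in data:
        c ^= b
    return c


def build(msg_type: int, payload: bytes) -> bytes:
    """The model: given the free fields, derive the dependent ones (length, checksum)."""
    body = MAGIC + bytes([msg_type]) + struct.pack(">H", len(payload)) + payload
    return body + bytes([checksum(body)])


def parse(msg: bytes) -> str:
    """Constructed target. Returns the name of the check that rejected the
    message, or 'deep' when every check passed and the payload handler ran."""
    if len(msg) < 6 or msg[:2] != MAGIC:
        return "magic"
    if msg[2] not in KNOWN_TYPES:           # limitation (1): type compliance
        return "type"
    length = struct.unpack(">H", msg[3:5])[0]
    if len(msg) != 5 + length + 1:          # limitation (3): length/payload relationship
        return "length"
    if checksum(msg[:-1]) != msg[-1]:       # limitation (2): checksum fixup
        return "checksum"
    return "deep"                           # only here is the payload handler reached


def dumb_mutate(msg: bytes, rng: random.Random) -> bytes:
    """Mutation-based: XOR one random byte with a non-zero value, anywhere."""
    buf = bytearray(msg)
    buf[rng.randrange(len(buf))] ^= rng.randrange(1, 256)
    return bytes(buf)


def model_mutate(msg_type: int, payload: bytes, rng: random.Random) -> bytes:
    """Generation-based: mutate the free fields only, then rebuild so that the
    length and checksum are consistent with the mutated payload."""
    choice = rng.randrange(3)
    if choice == 0 and payload:             # flip a payload byte
        buf = bytearray(payload)
        buf[rng.randrange(len(buf))] ^= rng.randrange(1, 256)
        payload = bytes(buf)
    elif choice == 1:                       # grow the payload
        payload += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 64)))
    else:                                   # shrink the payload
        payload = payload[: rng.randrange(len(payload) + 1)]
    return build(rng.choice(sorted(KNOWN_TYPES)), payload)


def compare(iterations: int, seed: int = 0) -> Tuple[Counter, Counter]:
    """Count where each generator's inputs get rejected, for the same budget."""
    rng = random.Random(seed)
    sample_payload = b"hello"
    sample = build(1, sample_payload)
    dumb = Counter(parse(dumb_mutate(sample, rng)) for _ in range(iterations))
    smart = Counter(parse(model_mutate(1, sample_payload, rng)) for _ in range(iterations))
    return dumb, smart


if __name__ == "__main__":
    dumb, smart = compare(1000)
    print("dumb :", dict(dumb))
    print("model:", dict(smart))
```

With a single-byte mutation every dumb input is stopped by the magic, type, length or checksum check, so none reaches the handler; every model-based input does.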
SMART FUZZING WITH PEACH
$> sudo mono Peach.exe --debug ./samples/ftp.xml
HOMEWORK
• Fuzz a “Vulnserver”. Download from: http://sites.google.com/site/lupingreycorner/vulnserver.zip
• Write a Peach model. Refer to this tutorial: http://resources.infosecinstitute.com/fuzzing-vulnserver-with-peach-part-2/
FUZZING WEB APPLICATION
• Locate an input you want to fuzz
• Intercept the request (e.g. Burp Suite/OWASP ZAP)
• Define which parameter should be fuzzed
• Select a dictionary of invalid input
More sample dictionaries: https://github.com/fuzzdb-project/fuzzdb
• Find errors!
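The steps above as one script, added here as an example that is not part of the deck: the intercepted request's parameters, the parameter to fuzz, a small constructed dictionary in the spirit of fuzzdb, and a classifier that flags responses that look like unhandled errors. `send` stands in for the HTTP client (Burp Intruder, `requests`, ...), and `demo_app` with its unguarded `int()` is a constructed stand-in for the application under test so the script runs offline.

```python
import re
from typing import Callable, Dict, List, Tuple

# Small constructed dictionary of "invalid input" in the spirit of fuzzdb:
# boundary numbers, wrong types, control and meta characters, oversized values.
DICTIONARY = ["0", "-1", "4294967296", "abc", "", " ", "%00", "\x00", "'", "\"",
              "<", "../", "A" * 2048, "9" * 40, "1e309", "NaN"]

# Response classifier: status codes and body fragments that indicate the
# server failed to handle the input rather than rejecting it cleanly.
ERROR_STATUS = {500, 502, 503}
ERROR_PATTERNS = re.compile(r"Traceback|Exception|Stack trace|syntax error", re.I)

Response = Tuple[int, str]
SendFn = Callable[[Dict[str, str]], Response]


def fuzz_parameter(send: SendFn, base_request: Dict[str, str], param: str,
                   dictionary: List[str]) -> List[Tuple[str, int, str]]:
    """Steps 3 to 5: substitute each dictionary entry into the chosen parameter,
    send the request and keep the ones whose response looks like an error."""
    findings = []
    for payload in dictionary:
        request = dict(base_request)
        request[param] = payload              # only the chosen parameter changes
        status, body = send(request)
        if status in ERROR_STATUS:
            findings.append((payload, status, "error status"))
        elif ERROR_PATTERNS.search(body):
            findings.append((payload, status, "error text in body"))
    return findings


def demo_app(params: Dict[str, str]) -> Response:
    """Constructed target standing in for the intercepted endpoint. The 'page'
    parameter is validated; the 'id' parameter is converted with int() without
    a guard, so bad input becomes an unhandled exception and a 500 with a
    traceback fragment in the body (a typical debug-mode error page)."""
    page = params.get("page", "1")
    if not page.isdigit():
        return 400, "bad page"
    try:
        item_id = int(params["id"])
    except ValueError as exc:
        return 500, f"Traceback (most recent call last): ValueError: {exc}"
    if item_id < 0:
        return 404, "no such item"
    return 200, f"item {item_id} on page {page}"


if __name__ == "__main__":
    base = {"id": "42", "page": "1"}         # the intercepted request's parameters
    for name in ("id", "page"):
        for payload, status, why in fuzz_parameter(demo_app, base, name, DICTIONARY):
            print(f"{name}={payload[:20]!r:>24} -> {status} ({why})")
```

Only the unvalidated `id` parameter produces findings; the validated `page` parameter rejects every entry cleanly with a 400.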
ANALYSING THE CRASH
• Every crash can at least be treated as a pure DoS attack
• Not every crash can be exploited :(
• Depending on the OS, use a different tool to analyse the crash:
- Microsoft !exploitable Crash Analyzer (Windows)
- CERT GDB exploitable plugin (Linux)
- Apple Crash Wrangler Monitor (OSX)
WHY IS FUZZING WORTH IT?
• High return on investment - machine time is cheap and human time is expensive
• The human’s only role is to customize the fuzzer to your needs and… profit!
WHAT CAN YOU FUZZ?
• Literally every piece of software that accepts user input
• All kinds of apps (mobile, desktop, web, etc.)
• OS -> https://vimeo.com/129701495
• Online games -> http://bit.ly/2e0w2YO
• Bluetooth -> http://bit.ly/2dQfPqM
• HDMI -> http://bit.ly/2e0ynmA
• Fonts -> http://bit.ly/293DKE0
• Virtualization systems -> http://bit.ly/2ernSfs
…and much more!
WHAT CAN FUZZERS FIND?
• Buffer overruns (remote code execution)
• Deadlocks, thread hangs, unhandled exceptions (denial-of-service)
• Memory leaks (Heartbleed)
WHAT’S NEXT? IMPLEMENT
FUZZING IN SDLC
FUZZING AND OTHER TESTING METHODS
• Fuzzing can find some types of bugs, but not all of them
• That means fuzzing should be treated as an ADDITIONAL method in your security tests
You still need static analysis, vulnerability assessment and penetration tests!!!
FUTURE OF FUZZING
• Fuzzing as a service: project Springfield (https://www.microsoft.com/en-us/springfield)
• That brings to mind the DARPA Cyber Grand Challenge bots: symbolic execution (e.g. angr) + directed fuzzing (e.g. AFL)
SUMMARY
• A fuzzer should contain: an input generator, a history of generated inputs and a process monitor
• Fuzzing discovers bugs by providing invalid input
• There are 2 main types of fuzzers:
- generation based (requires a sample definition)
- mutation based (mutates a valid sample)
• Any software can be fuzzed, so always remember this method!
THANK YOU!
Contact me:
pawel.rzepa@owasp.org