2. AGENDA
• What is fuzzing?
• Mutation based (dumb) fuzzing
• Instrumented fuzzing
• Generation based (smart) fuzzing
• Fuzzing web applications
• What is the future of fuzzing?
3. BEFORE WE START…
WHO AM I?
• Security engineer at Intive (Wroclaw)
• Former developer of the advanced fuzzing module in Spirent’s CyberFlood device
• Contributor to OWASP MSTG (Mobile Security Testing Guide)
• Supporter of Wroclaw OWASP meetings
4. WHAT IS FUZZING, REALLY?
“FUZZING IS A METHOD FOR DISCOVERING FAULTS IN SOFTWARE BY PROVIDING UNEXPECTED INPUT AND MONITORING FOR EXCEPTIONS.”
— “Fuzzing: Brute Force Vulnerability Discovery”
5. IN OTHER WORDS…
A child noticed dad’s unwatched phone…
The child found a chain of instructions that crashes the phone.
6. HISTORY OF FUZZING
In 1988 Professor Barton Miller of the University of Wisconsin observed that when he was logged in over a modem during a storm, line noise generated junk characters, and those characters caused programs to crash.
9. LET’S FUZZ - DUMB FUZZING
Testing the robustness of an Android AV against APK bombs
Target: Android AV winner at av-test.org (July 2016)
10. CREATING SAMPLE DATA
• Create fuzzed data from a sample:
$> radamsa -o fuzz_sample_%n.apk -n 3000 com.appsec.appuse.apk
• Move the fuzzed data to the SD card:
$> for i in {1..3000}; do adb push fuzz_sample_$i.apk /sdcard/Download; done
• Capture logs:
$> adb logcat -v long > logs.txt
12. DUMB FUZZING - WHY NOT PERFECT?
IF (VERY_RARE_CONDITION)
{
    //VULNERABLE CODE
}
ELSE
{
    …
}
14. DUMB FUZZING - TCPDUMP
$> radamsa -o fuzz_sample_%n.pcap -n 3000 small_capture.pcap
$> for i in {1..3000}; do tcpdump -nr fuzz_sample_$i.pcap >> radamsa_pcap.logs 2>&1; done
15. LET’S FUZZ - INSTRUMENTED FUZZING
• Generates samples that cover new subsets of all code paths
• Requires a dedicated compiler that instruments the code so the fuzzer can see which paths each sample took
• Much more effective
• Let’s take a closer look at American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/)
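The rare-condition slide above and the instrumented-fuzzing slide are easiest to compare in code. Below is an added example (not from the talk and not AFL’s code) in Python: a toy target with a four-byte magic check stands in for VERY_RARE_CONDITION, a `cov` set simulates the branch instrumentation afl-gcc would compile in, and the same one-byte mutator is run either from the seed only (dumb) or from an AFL-style queue of inputs that reached new branches (guided). All names are assumed for the example.

```python
import hashlib
import random
MAGIC = b"FUZZ"  # the VERY_RARE_CONDITION: four specific bytes in a row
def target(data: bytes, cov: set) -> None:
    # Toy parser; `cov` stands in for the branch instrumentation afl-gcc adds.
    for i, expected in enumerate(MAGIC):  # compilers emit one test per byte
        if i >= len(data) or data[i] != expected:
            cov.add(("mismatch", i))
            return
        cov.add(("match", i))
    cov.add("rare_branch")
    raise RuntimeError("simulated crash: vulnerable code reached")

def mutate(data: bytes, rng: random.Random) -> bytes:
    # Dumb mutator: overwrite one random byte with a random value.
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def run(data: bytes):
    # Process-monitor stand-in (a real harness watches the child for signals).
    cov = set()
    try:
        target(data, cov)
    except RuntimeError:
        return True, cov
    return False, cov

def fuzz(seed: bytes, iterations: int, guided: bool, rng_seed: int = 1):
    """Generator + history + monitor. guided=True keeps inputs that reach a
    new branch as parents (AFL-style queue); guided=False always mutates seed."""
    rng = random.Random(rng_seed)
    queue = [seed]
    _, seen_cov = run(seed)
    history = set()  # SHA-1 of every input already executed; skip repeats
    for n in range(1, iterations + 1):
        parent = rng.choice(queue) if guided else seed
        data = mutate(parent, rng)
        digest = hashlib.sha1(data).digest()
        if digest in history:
            continue
        history.add(digest)
        crashed, cov = run(data)
        if crashed:
            return n, data  # iterations needed and the crashing input
        if guided and not cov <= seen_cov:
            seen_cov |= cov
            queue.append(data)
    return None, None
```

Mutating the seed alone can never set all four bytes at once, so the dumb run exhausts its iterations without a crash; the guided run climbs the four comparisons one byte at a time and reaches the crash in a few tens of thousands of iterations.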
16. INSTRUMENTED FUZZING - PREPARATIONS
• Compile the sources with afl-gcc/afl-g++:
$> CC=/path_to_AFL/afl-gcc ./configure
$> make
• Prepare a valid sample (best if <100 KB)
• Create folders for input, output and (optionally) garbage, e.g.
20. COOL STORY BRO, BUT MY PROGRAM ISN’T WRITTEN IN C…
• AFL is so good that the community has created many implementations of AFL supporting other languages/environments. Just check them out here: https://github.com/mirrorer/afl/blob/master/docs/sister_projects.txt
• Still doesn’t suit your needs? Then write your own fuzzer!
21. HOW TO FUZZ NETWORK PROTOCOLS?
- Will it work???
$> while true; do cat /dev/urandom | nc -vv ftp.hq.nasa.gov 21; done
FAIL
26. GENERATION BASED FUZZING - CREATING A MODEL (1)
• Fuzzing frameworks like Peach or Sulley require modelling each portion of the data
Peach: http://peachfuzzer.com/resources/peachcommunity
38. ANALYSING THE CRASH
• Every crash can be treated as a pure DoS attack
• Not every crash can be exploited :(
• Depending on the OS, use a different tool to analyse the crash:
- Microsoft !exploitable Crash Analyser (Windows)
- CERT GDB exploitable plugin (Linux)
- Apple Crash Wrangler Monitor (OSX)
39. WHY IS IT WORTH FUZZING?
• High return on investment: machine time is cheap and human time is expensive
• The human’s role is just to customize a fuzzer to your needs and… profit!
40. WHAT CAN YOU FUZZ?
• Literally every piece of software which accepts user input
• All kinds of apps (mobile, desktop, web, etc.)
• OS -> https://vimeo.com/129701495
• Online games -> http://bit.ly/2e0w2YO
• Bluetooth -> http://bit.ly/2dQfPqM
• HDMI -> http://bit.ly/2e0ynmA
• Fonts -> http://bit.ly/293DKE0
• Virtualization systems -> http://bit.ly/2ernSfs
…and much more!
43. FUZZING AND OTHER TESTING METHODS
• Fuzzing can find some types of bugs, but not all of them
• That means fuzzing should be treated as an ADDITIONAL method in your security tests
You still need static analysis, vulnerability assessment and penetration tests!!!
44. FUTURE OF FUZZING
• Fuzzing as a service: project Springfield
(https://www.microsoft.com/en-us/springfield)
45. FUTURE OF FUZZING
• That reminds me of the DARPA Cyber Grand Challenge bots: symbolic execution (e.g. angr) + directed fuzzing (e.g. AFL)
46. SUMMARY
• A fuzzer should contain: an input generator, a history of generated inputs and a process monitor
• Fuzzing discovers bugs by providing invalid input
• There are 2 main types of fuzzers:
- generation based (requires a sample definition)
- mutation based (mutates a valid sample)
• Any software can be fuzzed, so always remember this method!