A brief introduction on Fuzzing: Brute Force Vulnerability Discovery

Khalegh Salehi, [email protected]
SSP, Sorena Secure Processing
About me
• Khalegh Salehi
• Software Security & Vulnerability Assessment
• http://khalegh.net
• FoxFuzzing Project
  – All-In-One Full Network Protocols & File Format Fuzzing.
Software Security Analyzing
• Static analysis:
  – Approach for verifying software (including finding defects) without executing software
  • Source code vulnerability scanning tools, code inspections, etc.
• Dynamic analysis:
  – Approach for verifying software (including finding defects) by executing software on specific inputs & checking results (“oracle”)
  • Functional testing, fuzz testing, etc.
• Hybrid analysis:
  – Combine above approaches
• Operational:
  – Tools in operational setting
  • Minimize risks, report information back, etc.
  • Themselves may be static, dynamic, hybrid; often dynamic
Why?
I see. Let's talk on business...
Fuzzing in Wikipedia
“Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions, or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems. It is a form of random testing which has been used for testing hardware or software.”
Fuzz testing history
• The fuzz testing concept comes from Barton Miller’s 1988 class project at the University of Wisconsin
  – The project created a “fuzzer” to test the reliability of command-line Unix programs
  – It repeatedly generated random data for them until a crash/hang
  – Later expanded for GUIs, network protocols, etc.
• The approach quickly found a number of defects
• Many tools & approach variations have been created since
Fuzzing in brief
• A form of vulnerability analysis and testing
• Many slightly anomalous test cases are input into the target application
• The application is monitored for any sign of error
Fuzz testing process
(Diagram: fuzz testing process, ©softScheck)
Fuzzing Phases
• Identify inputs
• Generate fuzzed data
• Execute fuzzed data
• Monitor for exceptions
• Determine exploitability
Case Study
FileFuzz – Identify target
• Application vs. file type
  – One file type, multiple targets
• Vendor history
  – Past vulnerabilities
• High risk targets
  – Default file handlers
    • Windows Explorer
    • Windows Registry
  – Commonly traded file types
    • Media files
    • Office documents
    • Configuration files
FileFuzz – Identify inputs
• Proprietary vs. open formats
  – Vendor documents
  – Wotsit.org
  – Google
• Binary files
  – e.g. images, video, audio, office documents, etc.
  – Headers vs. data
• Text files
  – e.g. *.ini, *.inf, *.xml
  – Name/value pairs
FileFuzz – Generate fuzzed data
• Binary files
  – Breadth (All or Range)
    • Identify potential weaknesses

```
FF FF FF FF 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ÿÿÿÿ..Ûþ..Å...è.
D7 FF FF FF FF 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×ÿÿÿÿ.Ûþ..Å...è.
D7 CD FF FF FF FF DB FE 0B 00 C5 00 00 01 E8 03 ; ×ÍÿÿÿÿÛþ..Å...è.
```

  – Depth
    • Determine level of control/influence

```
D7 CD FD 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íýš..Ûþ..Å...è.
D7 CD FE 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íþš..Ûþ..Å...è.
D7 CD FF 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íÿš..Ûþ..Å...è.
```

• Text files
  – name = value

```
file_size = 10
file_size = AAAAA
file_size = AAAAAAAAAA
```
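As an added example (not FileFuzz's own code and not from the slides), the two binary strategies above written out in Python: `breadth` slides a fixed FF FF FF FF window across every offset (or a range), `depth` holds one offset and steps through interesting values, and `fuzz_name_value` does the same job for `name = value` text files. The 16-byte sample is reconstructed from the slide's hex dump; nothing about its format is assumed.

```python
# Sample input reconstructed from the slide's hex dump (constructed for this example).
SAMPLE = bytes.fromhex("D7CDFD9A0000DBFE0B00C5000001E803")

BREADTH_PATTERN = b"\xff\xff\xff\xff"  # the FF FF FF FF window shown on the slide
INTERESTING_BYTES = (0x00, 0x01, 0x7F, 0x80, 0xFD, 0xFE, 0xFF)


def breadth(data, pattern=BREADTH_PATTERN, start=0, end=None):
    """Breadth: write the anomaly window at every offset in [start, end).
    'All' when end is None, otherwise a 'Range'. Yields (offset, mutated_bytes)."""
    end = len(data) if end is None else min(end, len(data))
    for off in range(start, end):
        mutated = bytearray(data)
        chunk = pattern[: len(data) - off]      # clip the window at end of file
        mutated[off:off + len(chunk)] = chunk
        yield off, bytes(mutated)


def depth(data, offset, values=INTERESTING_BYTES):
    """Depth: keep one offset fixed and step through candidate values, to learn
    how much control that byte gives over the parser. Yields (value, mutated_bytes)."""
    for v in values:
        mutated = bytearray(data)
        mutated[offset] = v
        yield v, bytes(mutated)


def fuzz_name_value(text, lengths=(5, 10, 100, 1000)):
    """Text files: for each 'name = value' line, replace the value with an
    over-long 'A' string of each length; one mutated line per test case."""
    lines = text.splitlines()
    cases = []
    for i, line in enumerate(lines):
        if "=" not in line:
            continue
        name = line.split("=", 1)[0].strip()
        for n in lengths:
            out = list(lines)
            out[i] = f"{name} = {'A' * n}"
            cases.append("\n".join(out))
    return cases


def hexdump(b):
    return " ".join(f"{x:02X}" for x in b)


if __name__ == "__main__":
    for off, m in breadth(SAMPLE, end=3):            # the three breadth lines on the slide
        print(f"breadth @{off:2d}: {hexdump(m)}")
    for v, m in depth(SAMPLE, 2, (0xFD, 0xFE, 0xFF)):  # the three depth lines on the slide
        print(f"depth  0x{v:02X}: {hexdump(m)}")
    for case in fuzz_name_value("file_size = 10")[:2]:
        print(case)
```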
FileFuzz – Execute fuzzed data
• Command line arguments
  – Windows Explorer
    • Tools… Folder Options… File Types
FileFuzz – Monitor for exceptions
• Visual
  – Error messages
  – Blue screen
• Event logs
  – System logs
  – Application logs
• Debuggers
• Return codes
• Debugging API
FileFuzz
• Execute
  – Automated and repeated
• Monitor
  – Library - libdasm
  – Capture
    • Memory location
    • Registry values
    • Exception type
• Kill
  – Set timeout

```
[*] "crash.exe" "C:\Program Files\WordPerfect Office 12\Programs\UA120.exe" 2000 /qt c:\fuzz\ast\8.ast
[*] Access Violation
[*] Exception caught at 00403f06 mov eax,[eax+edi*4]
[*] EAX:0014b1b8 EBX:00000005 ECX:00435c00 EDX:0012fbac
[*] ESI:00435c00 EDI:cccccccc ESP:0012fab8 EBP:0012fae8
```
FileFuzz – Determine exploitability
• Skills
  – Disassembly, Debugging
• Vulnerability types
  – Stack, Heap overflow, Integer handling, etc.
    • Overflows
    • Signedness
  – DoS
    • Out of bounds reads
    • Infinite loops
    • NULL pointer dereferences
  – Logic errors
    • Windows WMF vulnerability (MS06-001)
  – Format strings, Race conditions
FileFuzz
FileFuzz is a graphical, Windows based file format fuzzing tool. FileFuzz was designed to automate the creation of abnormal file formats and the execution of applications handling these files. FileFuzz also has built-in debugging capabilities to detect exceptions resulting from the fuzzed file formats.
call your guys…
Type of Fuzzers
• File Fuzzers: As the name implies, fuzzers that target file formats only. They do not have the ability to speak any network protocol.
• Network Fuzzers: And these are fuzzers that target only network protocols. There are a lot of these, as the discovery of network based vulnerabilities has always attracted a lot of attention.
• General Fuzzers: Following with our captain obvious theme, these are fuzzers that can target a wide variety of targets, typically both file and network, and also others via custom I/O interfaces. For example: COM, shared libraries, RPC, etc.
• Custom or One-off Fuzzers: These are custom written fuzzers that target a specific format or network protocol. Typically these are hand written, many times by testers. Custom fuzzers vary widely in how good their data mutation/generation is. For the purposes of this document we will not examine any custom or one-off fuzzers.
• API Fuzzers, Hardware Fuzzers and dozens of other fuzzers: there is no limit on the subject… (Chapter 5, Page 161-166)
Type of Fuzzers…
There is no limitation. Intuitively, I have to say: where there is an input, there’s fuzz…
There is one undeniable fact: before you start your cool fuzzing, please formally let me know about your target.
Example
• Standard HTTP GET request
  – GET /index.html HTTP/1.1
• Anomalous requests
  – AAAAAA...AAAA /index.html HTTP/1.1
  – GET ///////index.html HTTP/1.1
  – GET %n%n%n%n%n%n.html HTTP/1.1
  – GET /AAAAAAAAAAAAA.html HTTP/1.1
  – GET /index.html HTTTTTTTTTTTTTP/1.1
  – GET /index.html HTTP/1.1.1.1.1.1.1.1
  – etc...
Example of Vulnerable Source Code

```c
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[1024];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    /* Deliberately vulnerable: strcpy never checks that argv[1] fits in the
       1024-byte stack buffer, so an over-long argument overflows it. */
    strcpy(buffer, argv[1]);
    printf("The string is a %s \n\n", buffer);
    return 0;
}
```
Example of Simple Fuzzing scheme

```python
import subprocess
import time

for i in range(1, 10000):
    print(i)
    # run the target with an argument of i 'A's
    subprocess.call(["./example", "A" * i])
    time.sleep(1)
    # figure out debugger, crash log, etc.
```

Go ahead and run the application with uninvited arguments, such as (but not limited to):

```
./example `python -c "print('A'*10000)"`
```
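An added harness (not the slide's code) that turns the loop above into the execute/monitor/kill cycle of the FileFuzz case study: each run is classified by its exit status, hangs are killed after a timeout, and the first failing length is reported instead of having to be read off a debugger by hand. It assumes POSIX semantics for `returncode` (negative means killed by that signal), and the targets are constructed `python -c` stand-ins for `./example`.

```python
import subprocess
import sys


def run_case(cmd, payload, timeout=5.0):
    """Launch cmd with payload as its single argument and classify the outcome.
    POSIX: a negative returncode means the child died from that signal
    (-11 = SIGSEGV), which is the 'exception' an argument/file fuzzer watches for."""
    try:
        proc = subprocess.run(cmd + [payload], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", None              # Kill: hang detected, child already killed
    if proc.returncode < 0:
        return "crash", -proc.returncode    # signal number, e.g. 11 for SIGSEGV
    return "ok", proc.returncode


def fuzz_lengths(cmd, lengths, timeout=5.0):
    """Feed 'A' * n for each n in order; stop at the first crash or hang and
    return which length triggered it (None when every case ran cleanly)."""
    for n in lengths:
        status, detail = run_case(cmd, "A" * n, timeout)
        if status != "ok":
            return {"length": n, "status": status, "detail": detail}
    return None


# Constructed stand-in targets (no C binary needed). Each is a python -c one-liner
# whose behaviour depends on the argument, mimicking the slide's ./example.
TARGET_OK = [sys.executable, "-c", "pass"]
TARGET_CRASHES_ABOVE_1024 = [sys.executable, "-c",
    "import os, signal, sys\n"
    "if len(sys.argv[1]) > 1024:\n"
    "    os.kill(os.getpid(), signal.SIGSEGV)"]
TARGET_HANGS = [sys.executable, "-c", "import time; time.sleep(60)"]

if __name__ == "__main__":
    print(fuzz_lengths(TARGET_CRASHES_ABOVE_1024, [100, 1000, 1024, 1025, 2000]))
    print(run_case(TARGET_HANGS, "A", timeout=1))
```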
The situation is under control...
Definition of fuzzing
“Fuzzing is a technique for intelligently and automatically generating and passing into a target system valid and invalid message sequences to see if the system breaks, and if it does, what it is that makes it break”
CODENOMICON
The Solution That Found Heartbleed
Fuzzing (Defensics) was the primary solution being used when the Heartbleed flaw was identified. A security researcher was running a routine test of the Fuzzing (Defensics) feature, SafeGuard, identifying the flaw that had gone unidentified for over two years and impacted over 500,000 websites.
CODENOMICON
Fuzzing Approach
• Mutation Based - “Dumb Fuzzing”
• Generation Based - “Smart Fuzzing”
• Evolutionary
Mutation Based - “Dumb Fuzzing”
• Little or no knowledge of the structure of the inputs is assumed
• Anomalies are added to existing valid inputs
• Anomalies may be completely random or follow some heuristics
• Requires little to no set up time
• Dependent on the inputs being modified
• May fail for protocols with checksums, those which depend on challenge response, etc.
Examples:
• Taof, GPF, ProxyFuzz, etc.
Generation Based - “Smart Fuzzing”
• Test cases are generated from some description of the format: RFC, documentation, etc.
• Anomalies are added to each possible spot in the inputs
• Knowledge of the protocol should give better results than random fuzzing
• Can take significant time to set up
• Examples
  – SPIKE, Sulley, Mu-4000, Codenomicon, Bestorm
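As an added example (not from the slides or from any of the products named), a generation-based fuzzer for the request line of the HTTP "Example" slide: the request is described as ordered fields, and each anomaly is inserted at each field while every other field keeps its valid value, so a failure points at exactly one spot. The template and anomaly lists are constructed here; the anomalies are the slide's own cases plus an empty field and a wrong separator.

```python
# Constructed template of the slide's valid request, split into ordered fields so
# that an anomaly can be dropped into "each possible spot" (generation-based fuzzing).
TEMPLATE = [
    ("method", "GET"),
    ("sp1", " "),
    ("path", "/index.html"),
    ("sp2", " "),
    ("version", "HTTP/1.1"),
    ("crlf", "\r\n\r\n"),
]

# Heuristic anomalies per field (constructed): the slide's cases plus empty/odd separators.
ANOMALIES = {
    "method":  ["A" * 1024, "", "get"],
    "sp1":     ["", "\t"],
    "path":    ["/" * 8 + "index.html", "/" + "%n" * 6 + ".html", "/" + "A" * 8192 + ".html"],
    "sp2":     ["", "\t"],
    "version": ["HTTTTTTTTTTTTTP/1.1", "HTTP/1.1.1.1.1.1.1.1", "HTTP/" + "9" * 64 + ".1"],
    "crlf":    ["\n\n", ""],
}


def baseline(template=TEMPLATE):
    """The unmodified, valid request that every test case is derived from."""
    return "".join(value for _, value in template)


def generate(template=TEMPLATE, anomalies=ANOMALIES):
    """Yield (field, anomaly, request): one field replaced by one anomaly,
    all other fields kept valid."""
    for i, (name, _) in enumerate(template):
        for bad in anomalies.get(name, []):
            parts = [bad if j == i else value for j, (_, value) in enumerate(template)]
            yield name, bad, "".join(parts)


def case_count(template=TEMPLATE, anomalies=ANOMALIES):
    """Generation-based fuzzers are finite: this is the size of the whole test space."""
    return sum(len(anomalies.get(name, [])) for name, _ in template)


if __name__ == "__main__":
    print(repr(baseline()))
    for field, _, req in generate():
        print(f"{field:8s} {req[:60]!r}")
    print(case_count(), "test cases")
```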
Evolutionary
• Attempts to generate inputs based on the response of the program
• Autodafe
  – Prioritizes test cases based on which inputs have reached dangerous API functions
• EFS
  – Generates test cases based on code coverage metrics (more later)
• This technique is still in the alpha stage
Issues & Problems
• Mutation based fuzzers can generate an infinite number of test cases... When has the fuzzer run long enough?
• Generation based fuzzers generate a finite number of test cases. What happens when they’re all run and no bugs are found?
• How do you monitor the target application such that you know when something “bad” has happened?
Issues with Fuzzing
• What happens when you find too many bugs? Or every anomalous test case triggers the same (boring) bug?
• How do you figure out which test case caused the fault?
• Given a crash, how do you find the actual vulnerability?
• After fuzzing, how do you know what changes to make to improve your fuzzer?
• When do you give up on fuzzing an application?
Products & Frameworks
Dozens of open-source fuzzing tools & frameworks have been collected in FoxFuzzing; a list of the products, with a bit of information on each, is available at https://github.com/khaleghsalehi/FoxFuzzing/list.pdf
Not (A2Z)
Thank you & ?
References
1. SWE 681 / ISA 681, Secure Software Design & Programming, Lecture 9, Analysis Approaches & Tools, Dr. David A. Wheeler, 2014-08-17
2. Real World Fuzzing, Charlie Miller, Independent Security Evaluators, October 19, 2007, [email protected]
3. Robustness Testing, Discover unknown vulnerabilities with Testing & QA, Ari Takanen, Codenomicon Ltd.
4. Michael Eddington, Leviathan Security Group, Inc., 2009
5. A Study of Commercially Available Fuzzers: Identification of Undisclosed Vulnerabilities with the Aid of Commercial Fuzzing Tools, Prof. Dr. Hartmut Pohl and Daniel Baier, B.Sc., Department of Computer Sciences, Bonn-Rhein-Sieg University of Applied Sciences
6. Fuzzing for Software Security Testing and Quality Assurance (Artech House Information Security and Privacy), Ari Takanen, Jared DeMott, Charlie Miller, 2008
7. Fuzzing: Brute Force Vulnerability Discovery, Michael Sutton, Adam Greene, Pedram Amini, paperback, July 9, 2007
8. Fuzzing: Brute Force Vulnerability Discovery, Michael Sutton, Director, iDefense Labs, [email protected]
9. [Slide No. 11] A Study of Commercially Available Fuzzers: Identification of Undisclosed Vulnerabilities with the Aid of Commercial Fuzzing Tools, Prof. Dr. Hartmut Pohl and Daniel Baier, B.Sc., Department of Computer Sciences, Bonn-Rhein-Sieg University of Applied Sciences
Awesome Books
• Fuzzing: Brute Force Vulnerability Discovery, paperback, July 9, 2007, by Michael Sutton, Adam Greene, Pedram Amini
• Fuzzing for Software Security Testing and Quality Assurance (Artech House Information Security and Privacy), hardcover, June 30, 2008, by Ari Takanen, Jared DeMott, Charlie Miller
• Open Source Fuzzing Tools, paperback, December 28, 2007, by Noam Rathaus, Gadi Evron
• Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers, paperback, August 11, 2012
& so many more books…