The Aftermath of a Fuzz Run · 2017-12-14 (slide transcript)
The Aftermath of a Fuzz Run: What to do with all those crashes?
David Moore
David Moore Bio
NeXT, Apple, Weblogic, BEA Systems, Azul Systems
Google, Twitter, Netflix, Optimizely, Card, kernel, ruby, php, cpio
Founder/CEO
Talk Outline
1> Introduce/Review Memory Corruption Bugs
2> A Post Fuzz Run Workflow
3> Real World Examples
Section 1a: Introduce / Review Memory Corruption Bugs
Invalid Reads/Writes
Stack vs Heap Corruption
#include <string.h>

int main(int argc, char **argv) {
    char buf[8];
    strcpy(buf, argv[1]);   /* no length check: anything longer than 7 bytes overruns buf on the stack */
    return 0;
}

./a.out AAAAAAAAAAAA
Use After Free
#include <stdio.h>
#include <stdlib.h>

char *x = (char *)malloc(4);
...
free(x);
...
printf("%s", x);   /* use after free: x still points at the released block */
Other Memory Bugs
Section 1b: What is Exploitability?
Reprogramming with input data, not code
Reprogramming with existing code in the process
Does “exploitability” matter?
Exploitable By Whom?
Google Project Zero
NSA
Many modern exploits are bug chains
Surprisingly Exploitable
c-ares / Chrome OS Remote Code Execution
Triggered by a trailing escaped dot:
www.foo.com\.
Section 1c: Memory Corruption Mitigations
Stack Canaries
DEP: Data Execution Prevention
ASLR: Address Space Layout Randomization
Section 2: A Post Fuzz Run Workflow
2a> Minimize crash corpus
2b> Use Memory Corruption Tools
2c> Determine Exploitability or Find the Root Cause
Why minimize?
Minimize the Corpus of Crashes
Minimize each crashing case individually
fdupes
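The 2a steps above (drop identical crash files, then minimize each surviving case on its own) carried out in code, as an added example that is not part of the talk: the dedupe does in memory what fdupes does on disk, and the minimizer is Zeller's ddmin driven by a crash oracle. The oracle, the corpus and the file names are constructed stand-ins; in practice the oracle would run the target (ideally an ASAN build) on the candidate input and report whether it crashed.

```python
"""Crash-corpus triage: dedupe identical crash files (what fdupes does on
disk) and shrink each surviving case with delta debugging (ddmin).

Added example, not code from the talk.  The crash oracle is a constructed
stand-in for "run the target on this input and check whether it crashes":
it reports a crash whenever the input holds a run of at least nine 'A'
bytes, mimicking an 8-byte stack buffer that strcpy overruns.
"""
import hashlib
from typing import Callable, Dict, List

CrashOracle = Callable[[bytes], bool]


def dedupe_by_content(corpus: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group files that are byte-for-byte identical, keyed by SHA-256 of content."""
    groups: Dict[str, List[str]] = {}
    for name in sorted(corpus):
        digest = hashlib.sha256(corpus[name]).hexdigest()
        groups.setdefault(digest, []).append(name)
    return groups


def unique_cases(corpus: Dict[str, bytes]) -> List[str]:
    """One representative file name per content group, in sorted name order."""
    return [names[0] for names in dedupe_by_content(corpus).values()]


def ddmin(data: bytes, crashes: CrashOracle) -> bytes:
    """Zeller's ddmin: delete chunks of `data` while the crash still reproduces.

    The result is 1-minimal: deleting any single remaining byte stops the crash.
    Every oracle call is one run of the target, so the call count matters.
    """
    if not crashes(data):
        raise ValueError("input does not reproduce the crash; nothing to minimise")
    n = 2  # number of chunks the input is split into
    while len(data) >= 2:
        chunk = -(-len(data) // n)  # ceil(len(data) / n)
        reduced = False
        start = 0
        while start < len(data):
            complement = data[:start] + data[start + chunk:]
            if crashes(complement):
                data = complement       # keep the smaller input that still crashes
                n = max(n - 1, 2)
                reduced = True
                break
            start += chunk
        if not reduced:
            if n >= len(data):          # chunk size was 1: every single-byte deletion was tried
                break
            n = min(n * 2, len(data))   # refine with smaller chunks
    return data


def triage(corpus: Dict[str, bytes], crashes: CrashOracle) -> Dict[str, bytes]:
    """Dedupe the corpus, then minimise each representative case."""
    return {name: ddmin(corpus[name], crashes) for name in unique_cases(corpus)}


def toy_oracle(data: bytes) -> bool:
    """Constructed oracle: 'crashes' iff nine or more consecutive 'A' bytes are present."""
    return b"A" * 9 in data


# Constructed sample corpus: two identical fuzzer outputs plus one different one.
SAMPLE_CORPUS = {
    "id:000000.bin": b"GET " + b"A" * 20 + b"\r\n",
    "id:000001.bin": b"GET " + b"A" * 20 + b"\r\n",
    "id:000002.bin": b"POST /x " + b"A" * 12 + b"BBBB\r\n",
}

if __name__ == "__main__":
    for name, small in triage(SAMPLE_CORPUS, toy_oracle).items():
        print(f"{name}: {len(SAMPLE_CORPUS[name])} -> {len(small)} bytes: {small!r}")
```

Both sample cases shrink to the nine bytes that actually matter, which is the point of minimizing before debugging: the fuzzer's surrounding bytes are noise, and a 1-minimal input tells you exactly which bytes the crash depends on.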
Section 2b: Memory Corruption Analysis Tools
All Bets are Off
Address Sanitizer (ASAN): -fsanitize=address
Valgrind (memcheck)
Exploitable
Section 2c: Determine Exploitability / Find the Root Cause
Disable ASLR:
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
Identify critical memory locations
gdb
gcc -g -O0 target.c
./target AAAA
0x41414141
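A first triage pass over ASAN output, added here as an example and not code from the talk, covering the 2b tool output and the 2c check shown above (input "AAAA" showing up as the fault address 0x41414141): it parses the report, buckets reports by error kind plus top stack frames so two runs of the same bug that differ only in addresses land together, orders buckets with a coarse severity rule, and tests whether the fault address is assembled from input bytes. The reports, paths, pids and the crash input are constructed; the severity rule is an assumption for ordering work, not a verdict on exploitability.

```python
"""Triage AddressSanitizer reports: parse, bucket by kind + top frames
(addresses dropped, so ASLR does not split buckets), rank with a coarse
severity heuristic, and flag fault addresses built from input bytes.

Added example, not code from the talk.  The reports below are constructed
samples in the real ASan report format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

HEADER_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)"
)
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-fA-F]+", re.M)
SIGNAL_RE = re.compile(r"The signal is caused by a (?P<op>READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-fA-F]+ in (?P<func>\S+)")


@dataclass
class AsanReport:
    kind: str              # heap-buffer-overflow, heap-use-after-free, SEGV, ...
    address: int           # faulting address
    access: Optional[str]  # READ / WRITE when ASan states it
    size: Optional[int]    # access width in bytes when stated
    frames: List[str]      # function names of the faulting stack, innermost first

    def bucket_key(self, depth: int = 3) -> str:
        """Stable key: error kind + top `depth` function names, no addresses."""
        return "|".join([self.kind, *self.frames[:depth]])

    def severity(self) -> str:
        """Heuristic ordering for triage: writes and freed-memory reuse first."""
        if self.kind == "SEGV" and self.address < 0x1000:
            return "low"      # null-page dereference: a crash, rarely more
        if self.access == "WRITE" or self.kind in ("heap-use-after-free", "double-free"):
            return "high"     # invalid write or use of freed memory
        return "medium"       # invalid read, wild read


def parse_asan(report: str) -> AsanReport:
    """Extract kind, address, access, size and the first (faulting) stack trace."""
    head = HEADER_RE.search(report)
    if head is None:
        raise ValueError("not an AddressSanitizer report")
    access: Optional[str] = None
    size: Optional[int] = None
    acc = ACCESS_RE.search(report)
    if acc:
        access, size = acc["op"], int(acc["size"])
    else:
        sig = SIGNAL_RE.search(report)
        if sig:
            access = sig["op"]
    frames: List[str] = []
    for line in report.splitlines():
        frame = FRAME_RE.match(line)
        if frame:
            frames.append(frame["func"])
        elif frames:
            break  # first trace ended; later traces are allocation/free sites
    return AsanReport(head["kind"], int(head["addr"], 16), access, size, frames)


def bucket_reports(reports: List[str], depth: int = 3) -> Dict[str, List[int]]:
    """Map bucket key -> indices of the reports that share it."""
    buckets: Dict[str, List[int]] = {}
    for i, text in enumerate(reports):
        buckets.setdefault(parse_asan(text).bucket_key(depth), []).append(i)
    return buckets


def address_from_input(address: int, sample: bytes, width: int = 4) -> bool:
    """True if the low `width` bytes of the fault address occur verbatim in the
    crashing input (little-endian): the input bytes reached a pointer."""
    low = address & ((1 << (8 * width)) - 1)
    return low.to_bytes(width, "little") in sample


# Constructed sample reports (ASan format; paths, pids and addresses are made up).
REPORT_WRITE = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018 at pc 0x000000400b2c bp 0x7ffd2a3b4c50 sp 0x7ffd2a3b4c48
WRITE of size 1 at 0x602000000018 thread T0
    #0 0x400b2b in copy_name /tmp/target.c:12:5
    #1 0x400c41 in parse_request /tmp/target.c:30:9
    #2 0x400d10 in main /tmp/target.c:51:3
    #3 0x7f1c5d3a1b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

0x602000000018 is located 0 bytes to the right of 8-byte region [0x602000000010,0x602000000018)
allocated by thread T0 here:
    #0 0x4a1b2d in malloc (/tmp/target+0x4a1b2d)
    #1 0x400c20 in parse_request /tmp/target.c:28:17
"""
# Same bug on a second run: pid and heap addresses differ, the bucket must not.
REPORT_WRITE_RERUN = REPORT_WRITE.replace("4242", "4377").replace("0x6020000000", "0x6030000004")
REPORT_SEGV = """\
==4311==ERROR: AddressSanitizer: SEGV on unknown address 0x000041414141 (pc 0x000000400e72 bp 0x7ffd0c1d2e30 sp 0x7ffd0c1d2e10 T0)
==4311==The signal is caused by a READ memory access.
    #0 0x400e71 in lookup_handler /tmp/target.c:77:12
    #1 0x400d33 in main /tmp/target.c:55:9
"""
CRASH_INPUT = b"GET " + b"A" * 12 + b"\r\n"  # constructed input behind REPORT_SEGV

if __name__ == "__main__":
    for key, idx in bucket_reports([REPORT_WRITE, REPORT_WRITE_RERUN, REPORT_SEGV]).items():
        print(f"{key}: reports {idx}")
    seg = parse_asan(REPORT_SEGV)
    print(seg.severity(), "fault address from input:", address_from_input(seg.address, CRASH_INPUT))
```

Bucketing on function names rather than addresses is what keeps a crash corpus countable once ASLR is back on; the `address_from_input` check is the automated form of noticing 0x41414141 in the debugger, and a hit is a reason to move that bucket up the root-cause queue.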
rr (rr-project.org)
It is OK and normal to:
● Feel lost / frustrated
● Take a lot of time
● Feel like your wheels are spinning
● Get sick of staring at hex
One More Thing:
Once the bugs are fixed, fuzz the target again
Section 3: Real World Examples
PHP: Low invalid read
Ruby: Heap Buffer Overflow
Netflix Dynomite: Invalid Write
Netflix Dynomite:
● Running in production ~2 years
● 1000 customer-facing nodes
● 1 million ops/sec peak load
References:
● RPI Modern Binary Exploitation (GitHub: rpisec/mbe)
● Hacking: The Art of Exploitation, Jon Erickson
● Project Zero Blog: What is Good Memory Corruption?
● Sean Heelan’s Blog: Tracking Down Heap Overflows with rr