Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source...
Transcript of Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source...
![Page 1: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/1.jpg)
![Page 2: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/2.jpg)
Zero Bugs Found? Hold My Beer AFL! How to Improve Coverage-guided Fuzzing and Find New Zero-days in Tough
Targets
Maksim Shudrak Security Researcher
Salesforce
DEF CON 27
![Page 3: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/3.jpg)
About me
● Offensive Security Researcher at Salesforce Red Team ● Projects:
○ EAOS: Extremely Abstract Operating System for Malware Analysis (at IBM Research 2015-2017)
○ drAFL: AFL + DynamoRIO = fuzzing binaries with no source code on Linux (spare time) https://github.com/mxmssh/drAFL
○ Contributions: drltrace, winAFL, DynamoRIO, DrMemory, Ponce ○ PhD on vulnerability research in machine code
● Speaker:
3
![Page 4: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/4.jpg)
Outline
I. Introduction
II. What is coverage-guided fuzzing ?
III. Downsides of AFL and similar fuzzers
IV. Introducing Manul
V. DEMO
VI. Case Studies + Vulnerabilities
VII. Conclusion & Future Work
4
![Page 5: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/5.jpg)
What is Fuzzing?
5
AAAAA
![Page 6: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/6.jpg)
What is Fuzzing?
6
AAAAA
![Page 7: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/7.jpg)
What is Fuzzing?
7
BAAAA
![Page 8: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/8.jpg)
What is Fuzzing?
8
CAAAA
![Page 9: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/9.jpg)
What is Fuzzing?
9
PAAAA
![Page 10: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/10.jpg)
What is Fuzzing?
10
PWNIT
![Page 11: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/11.jpg)
What is Fuzzing?
11
PWNIT
Very unlikely!
![Page 12: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/12.jpg)
What is Coverage-Guided Fuzzing?
12
AAAAA
![Page 13: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/13.jpg)
What is Coverage-Guided Fuzzing?
13
AAAAA
![Page 14: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/14.jpg)
What is Coverage-Guided Fuzzing?
14
BAAAA
![Page 15: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/15.jpg)
What is Coverage-Guided Fuzzing?
15
CAAAA
![Page 16: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/16.jpg)
What is Coverage-Guided Fuzzing?
16
PAAAA
![Page 17: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/17.jpg)
What is Coverage-Guided Fuzzing?
17
AAAAA PAAAA
Input queue
![Page 18: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/18.jpg)
What is Coverage-Guided Fuzzing?
18
AAAAA PBAAA
Input queue
![Page 19: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/19.jpg)
What is Coverage-Guided Fuzzing?
19
AAAAA PCAAA
Input queue
![Page 20: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/20.jpg)
What is Coverage-Guided Fuzzing?
20
AAAAA PWAAA
Input queue
![Page 21: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/21.jpg)
What is Coverage-Guided Fuzzing?
21
AAAAA PAAAA
Input queue
PWAAA
![Page 22: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/22.jpg)
What is Coverage-Guided Fuzzing?
22
AAAAA PAAAA
Input queue
PWBAA
![Page 23: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/23.jpg)
What is Coverage-Guided Fuzzing?
23
AAAAA PAAAA
Input queue
PWNAA
![Page 24: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/24.jpg)
What is Coverage-Guided Fuzzing?
24
AAAAA PAAAA
Input queue
PWNAA PWNBA
![Page 25: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/25.jpg)
What is Coverage-Guided Fuzzing?
25
AAAAA PAAAA
Input queue
PWNAA PWNIA
![Page 26: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/26.jpg)
What is Coverage-Guided Fuzzing?
26
AAAAA PAAAA
Input queue
PWNAA PWNIA PWNIB
![Page 27: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/27.jpg)
What is Coverage-Guided Fuzzing?
27
AAAAA PAAAA
Input queue
PWNAA PWNIA PWNIC
![Page 28: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/28.jpg)
What is Coverage-Guided Fuzzing?
28
AAAAA PAAAA
Input queue
PWNAA PWNIA PWNIT
![Page 29: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/29.jpg)
American Fuzzy Lop aka AFL
29 https://habr.com/ru/company/dsec/blog/449134/
![Page 30: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/30.jpg)
30
![Page 31: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/31.jpg)
31
![Page 32: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/32.jpg)
32
![Page 33: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/33.jpg)
33
![Page 34: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/34.jpg)
Most Popular Languages in July 2019
34 https://www.tiobe.com/tiobe-index/
![Page 35: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/35.jpg)
Fuzzing is Very Hot Today!
35
# of
pub
lica
tion
s
![Page 36: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/36.jpg)
OSS-Fuzz Project
● ~160 open-source projects ● ~half-trillion test cases per week
Open Issues Count per Month
36
![Page 37: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/37.jpg)
Downsides. Volatile Paths
37
AAAAAAAAA
![Page 38: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/38.jpg)
Downsides. Volatile Paths
38
AAAAAAAAA
ABAAAAAAA
![Page 39: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/39.jpg)
Downsides. Volatile Paths
39
AAAAAAAAA
ABAAAAAAA
ABAAAAAAA
![Page 40: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/40.jpg)
Downsides. Volatile Paths
40
AAAAAAAAA
ABAAAAAAA
ABAAAAAAA
![Page 41: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/41.jpg)
Downsides. Volatile Paths
41
ABAAAAAAA
ABAAAAAAA
![Page 42: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/42.jpg)
Downsides. Volatile Paths
42
![Page 43: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/43.jpg)
Downsides. Parallelization algorithm
● Parallelization is an obvious solution to speed up fuzzing and find more bugs.
● AFL was not designed to be parallel fuzzer
43
AFL master folder AFL slave #1 AFL slave #2
![Page 44: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/44.jpg)
Downsides. Parallelization algorithm
● Parallelization is an obvious solution to speed up fuzzing and find more bugs.
● AFL was not designed to be parallel fuzzer
44
AFL master folder AFL slave #1 AFL slave #2
![Page 45: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/45.jpg)
Downsides. Parallelization algorithm
● Parallelization is an obvious solution to speed up fuzzing and find more bugs.
● AFL was not designed to be parallel fuzzer
45
AFL master folder AFL slave #1 AFL slave #2
![Page 46: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/46.jpg)
Downsides. Parallelization algorithm
● Parallelization is an obvious solution to speed up fuzzing and find more bugs.
● AFL was not designed to be parallel fuzzer
46
AFL master folder AFL slave #1 AFL slave #2
![Page 47: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/47.jpg)
Downsides. Parallelization algorithm
● Parallelization is an obvious solution to speed up fuzzing and find more bugs.
● AFL was not designed to be parallel fuzzer
47
AFL master folder AFL slave #1 AFL slave #2
![Page 48: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/48.jpg)
Network apps fuzzing. Current situation
48
● Linux: ○ AFL’s forks, honggfuzz and blind fuzzers
● Windows ○ winAFL network mode
● OS X ○ honggfuzz?
![Page 49: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/49.jpg)
Windows applications fuzzing
49
winAFL clang (libfuzzer/honggfuzz)
![Page 50: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/50.jpg)
OS X applications fuzzing
● Source code is required. Target should be able to compile with clang
● DynamoRIO has no official support of OS X ● Intel PIN has partial OS X support
50
![Page 51: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/51.jpg)
Some Related Works & Tools
● The author is not the first one who wants to improve AFL. ○ Userland: AFLSmart, AFLFast, winAFL, libfuzzer, driller, QSYM and others. ○ Kernel: syzkaller, kAFL, TriforceAFL and others.
● Systematic research on all existing fuzzers: ○ Valentin J.M. Manes, Hyung Seok Han, Choongwoo Han, Sang Kil Cha, Manuel Egele, Edward
J. Schwartz, Maverick Woo Fuzzing: Art, Science, and Engineering. arXiv:1812.00140 preprint.
● Some Presentations at DEF CON/BlackHat: ○ Mateusz Jurczyk. Effective File Format Fuzzing - Thoughts, Techniques and
Results. BlackHat EU London. 2016. ○ Kang Li. AFL's Blindspot and How to Resist AFL Fuzzing for Arbitrary ELF
Binaries. BlackHat USA 2018. ○ Jonathan Metzman. Going Beyond Coverage-Guided Fuzzing with Structured
Fuzzing. Black Hat USA 2019.
51
![Page 52: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/52.jpg)
State-of-the-art Userland Fuzzers
52
AFL winAFL
HongFuzz libFuzzer Desired fuzzer
Network fuzzing No (Unix) Yes (Windows)
Yes No Yes (all platforms)
Volatile Paths No No No Yes
Multiple Mutation Strategies
No No No Yes
Share over network Partial No No Yes
Supported Platform Linux Windows
Open/NetBSD GNU/Linux
Windows/Cygwin Android OS X
Anywhere where LLVM exist
Anywhere where Python exist
Language C C C Python
![Page 53: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/53.jpg)
● Manul - an open-source fuzzer written in pure Python. ○ Easy-to-use, pull and run concept.
○ Coverage-guided fuzzing using AFL-GCC or DBI (Intel Pin or DynamoRIO).
○ Parallel fuzzing is a basic feature.
○ Default mutators.
○ Third-party data mutators (Radamsa + AFL currently supported).
○ Network fuzzing is supported by default.
○ Blackbox binaries fuzzing.
○ Supported: Linux, MacOS (beta) and Windows or any other OS where Python exist.
Manul Overview
53
![Page 54: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/54.jpg)
Why Manul?
54 Pallas’s Cat (lat. Otocolobus Manul)
![Page 55: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/55.jpg)
Manul Architecture
55
Mutators (plugins)
Target
Instrumentation module
User Interface Core Module
Code Coverage Analysis Module
Manul Network Module
Shared Memory
Fuzzer
![Page 56: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/56.jpg)
Volatile Paths Detection
56
Run & Calibrate ABAAAAAAA
![Page 57: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/57.jpg)
Volatile Paths Detection
57
Run & Calibrate ABAAAAAAA
![Page 58: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/58.jpg)
Volatile Paths Detection
58
Run & Calibrate ACAAAAAAA
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-schumilo.pdf
![Page 59: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/59.jpg)
Parallel fuzzing. Python Multiprocessing
59
Main Process
Corpus:
![Page 60: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/60.jpg)
Parallel fuzzing. Python Multiprocessing
60
Main Process
Corpus:
Instance #1 Instance #2 Instance #3
![Page 61: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/61.jpg)
Parallel fuzzing. Python Multiprocessing
61
Main Process
Instance #1 Instance #2 Instance #3
Corpus:
![Page 62: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/62.jpg)
Parallel fuzzing. Python Multiprocessing
62
Main Process
Instance #1 Instance #2 Instance #3
Corpus:
![Page 63: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/63.jpg)
Parallel fuzzing. Python Multiprocessing
63
Main Process
Instance #1 Instance #2 Instance #3 Remote Instance (Main Process)
Remote Instance #1
Remote Instance #2
![Page 64: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/64.jpg)
Parallel fuzzing. Python Multiprocessing
64
Main Process
Instance #1 Instance #2 Instance #3 Remote Instance (Main Process)
Remote Instance #1
Remote Instance #2
![Page 65: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/65.jpg)
65
Main Process
Instance #1 Instance #2 Instance #3 Remote Instance (Main Process)
Remote Instance #1
Remote Instance #2
Target Target Target
Target Target
SHM SHM SHM
SHM SHM
Global shared memory
![Page 66: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/66.jpg)
66
Main Process
Instance #1 Instance #2 Instance #3 Remote Instance (Main Process)
Remote Instance #1
Remote Instance #2
Target Target Target
Target Target
SHM SHM SHM
SHM SHM
Global shared memory
![Page 67: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/67.jpg)
Third Party Mutators
● AFL strategy (ported to Python) and Radamsa (as a shared library)
Custom Python Mutator:
● def init(fuzzer_id) ● def mutate(data_to_mutate)
67
![Page 68: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/68.jpg)
Network Application Fuzzing (Experimental)
68
Manul Target TCP|UDP
Manul Target
Test case (TCP|UDP)
Connect
Client mode
Server mode
![Page 69: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/69.jpg)
Blackbox Binaries Fuzzing
Windows: DynamoRIO: ~x30 overhead Linux: Intel Pin: ~x45 overhead DynamoRIO: ~x20 overhead
69
Manul Target binary
Instrumentation lib
SHM Coverage Coverage
Test
![Page 70: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/70.jpg)
70
![Page 71: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/71.jpg)
Interface & Logo
71
![Page 72: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/72.jpg)
Command Line Arguments
72
![Page 73: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/73.jpg)
DEMO (Manul)
73
![Page 74: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/74.jpg)
74
![Page 75: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/75.jpg)
Case Study I. Poppler
● Poppler is an open-source library for rendering PDF documents on GNU/Linux ● Millions of users across the world. Default package on
Ubuntu
● Integrated with Evince, LibreOffice, Inkscape and many other applications
● Written in C++ ● Participate in OSS-Fuzz program (tough target)
75
![Page 76: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/76.jpg)
Case Study I. Poppler. Fuzzing Setup
● 491 PDF files (same corpus used by OSS-Fuzz)
● 24 hours, 78 parallel jobs
● AFL ver. 2.52b & Manul ver. 0.2
● Intel Xeon CPU E5-2698 v4 @2.20GHz 1TB RAM
76
![Page 77: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/77.jpg)
Case Study I. Execution Speed
77
![Page 78: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/78.jpg)
Case Study I. Paths Found
78
![Page 79: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/79.jpg)
Case Study I. Why Manul outperformed AFL
● Manul corpus parallelization algorithm demonstrates better performance on large targets
● Radamsa + AFL is better than only AFL ● Volatile paths suppression seems to work
79
![Page 80: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/80.jpg)
Case Study I. Manul Findings
CVE-2019-9631. 9.8 Critical. Poppler 0.74.0 has a heap-based buffer over-read in the CairoRescaleBox.cc downsample_row_box_filter function.
CVE-2019-7310. 8.8 High. Poppler 0.74.0. A heap-based buffer over-read (due to an integer signedness error in the XRef::getEntry function in XRef.cc) allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document, as demonstrated by pdftocairo.
CVE-2019-9959 (X.X. High) In Poppler (latest), JPXStream::init doesn’t have a check for negative values of stream length thereby making it possible to allocate large memory chunk on heap with size controlled by an attacker.
Non-security related: 1.Division by zero in CairoRescalBox::downScaleImage 2.Null-pointer dereference in ExtGState 3.Stack-overflow (recursion) in libcairo
80
![Page 81: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/81.jpg)
Case Study I. Poppler. CVE 2019-9631
81
![Page 82: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/82.jpg)
Case Study I. Poppler. CVE 2019-9631
82
![Page 83: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/83.jpg)
Case Study I. Poppler. CVE 2019-9959
83
![Page 84: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/84.jpg)
Case Study I. Poppler. CVE 2019-9959
84
![Page 85: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/85.jpg)
Case Study I. Poppler. CVE 2019-7310
85
![Page 86: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/86.jpg)
Case Study I. Poppler. CVE 2019-7310
86
![Page 87: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/87.jpg)
Case Study II. Zeek IDS
● Zeek (former Bro) is a world’s most powerful open-source network analysis framework ○ Thousand of companies use Zeek as IDS ○ JA3 plugin for Zeek is a very powerfull tool to detect
suspicious connections of malware with C2 ● BroCon happens in Arlington, VA every October ● Written in C++, very high-quality code, fuzzing was done using
libfuzzer by development team in the past
87
![Page 88: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/88.jpg)
Zeek Fuzzing Wrapper Example
● Implemented for HTTP, IRC, KRB, DNP3, SSH, DNS, ICMP, LOGIN, FTP, IMAP
88
![Page 89: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/89.jpg)
Case Study II. Findings
CVE-2018-17019 (7.5. High). In Zeek IDS through 2.5.5, there is a DoS in IRC protocol names command parsing in analyzer/protocol/irc/IRC.cc
CVE-2018-16807 (7.5. High). In Zeek IDS through 2.5.5, there is a memory leak potentially leading to DoS in scripts/base/protocols/krb/main.bro in the Kerberos protocol parser.
CVE-2019-12175. (X.X High). In Zeek IDS, there is a DoS in Kerberos protocol parser in analyzer/protocol/krb/KRB.cc
89
![Page 90: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/90.jpg)
CVE-2018-16807 #1 0x16d0f10 in binpac::KRB_TCP::proc_krb_kdc_req_arguments(binpac::KRB_TCP::KRB_KDC_REQ*, analyzer::Analyzer*) #2 0x16d0994 in binpac::KRB_TCP::KRB_Conn::proc_krb_kdc_req_msg(binpac::KRB_TCP::KRB_KDC_REQ*) #3 0x16f6038 in binpac::KRB_TCP::KRB_AS_REQ::Parse(unsigned char const*, unsigned char const*, binpac::KRB_TCP::ContextKRB_TCP*, int)
90
![Page 91: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/91.jpg)
IRC Protocol
91
![Page 92: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/92.jpg)
CVE 2018-16807. Packet Example
Send packet that contains: “353 “ on IRC port 6666
92
![Page 93: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/93.jpg)
CVE-2019-12175 ==103310==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55a797d15b75 bp 0x7ffe14590cb0 sp 0x7ffe14590330 T0) #0 0x55a797d15b74 in binpac::KRB_TCP::proc_padata(binpac::KRB_TCP::KRB_PA_Data_Sequence const*, analyzer::Analyzer*, bool) #1 0x55a797d3d36a in binpac::KRB_TCP::proc_krb_kdc_req_arguments(binpac::KRB_TCP::KRB_KDC_REQ*, analyzer::Analyzer*) #2 0x55a797d3f61b in binpac::KRB_TCP::KRB_Conn::proc_krb_kdc_req_msg(binpac::KRB_TCP::KRB_KDC_REQ*) #3 0x55a797d65032 in binpac::KRB_TCP::KRB_AS_REQ::Parse(unsigned char const*, unsigned char const*, binpac::KRB_TCP::ContextKRB_TCP*, int) #4 0x55a797d65032 in binpac::KRB_TCP::KRB_PDU::Parse(unsigned char const*, unsigned char const*, binpac::KRB_TCP::ContextKRB_TCP*) #5 0x55a797d69717 in binpac::KRB_TCP::KRB_PDU_TCP::ParseBuffer(binpac::FlowBuffer*, binpac::KRB_TCP::ContextKRB_TCP*) #6 0x55a797d69717 in binpac::KRB_TCP::KRB_Flow::NewData(unsigned char const*, unsigned char const*)
93
![Page 94: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/94.jpg)
DEMO (example of CVE 2019-12175 DoS in Zeek)
94
![Page 95: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/95.jpg)
95
![Page 96: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/96.jpg)
List of Bugs Found
96
Bugs Project
CVE-2019-6931, CVE-2019-7310, CVE-2019-9959 Poppler for Linux
CVE-2018-17019, CVE-2018-16807, CVE-2019-12175 Zeek for Linux
CVE-2019-XXXX, CVE-2019-XXXX Awaiting assignment from MITRE and fix from maintainer
7-Zip 19.00 for Windows
CVE-2019-XXXX, CVE-2019-XXXX, CVE-2019-XXXX Awaiting assignment from MITRE and fix from maintainer
p7zip 16.02 for Linux
CVE-2019-XXXX, CVE-2019-XXXX Awaiting assignment from MITRE and fix from maintainer
Unarchiver for MacOS
![Page 97: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/97.jpg)
Discussion & Future Work
● AFL’s forkserver is strongly required
● Add Intel PTrace support
● More mutation algorithms
● + structure-aware fuzzing
● Better MacOS support
● Better network fuzzing support
● CLANG-based instrumentation
97
![Page 98: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/98.jpg)
Conclusion
● Fuzzing is #1 technique for vulnerability research in memory-unsafe languages
● Manul is a fully functional tool for efficient coverage-guided fuzzing. ○ Multiple third-party mutators, volatile paths suppression,
efficient parallelization algorithm, blackbox binaries fuzzing
● 13 new bugs in 4 widely-used open-source projects.
● Pull & try! https://github.com/mxmssh/manul
● pip install psutil & git clone https://github.com/mxmssh/manul
98
![Page 99: Zero Bugs Found? Hold My Beer AFL! How to Improve … CON 27/DEF CON 27...Manul - an open-source fuzzer written in pure Python. Easy-to-use, pull and run concept. Coverage-guided fuzzing](https://reader034.fdocuments.in/reader034/viewer/2022052006/6019b0de972c114a580cf7d5/html5/thumbnails/99.jpg)
Thank you!
99
https://github.com/mxmssh/manul
Twitter: https://twitter.com/MShudrak
Linkedin: https://www.linkedin.com/in/mshudrak/