VEYSEL HATAŞ
vhatas@gmail.com
09.05.2014
BILKENT UNIVERSITY COMPUTER ENGINEERING DEPARTMENT
FUZZING & SOFTWARE SECURITY TESTING
PROLOGUE
• 0x00401001 what_is_fuzzing ( )
• 0x00401002 history ( )
• 0x00401003 fuzzing_tools ( )
• 0x00401004 fuzzing_phases ( )
• 0x00401005 fuzzing_framework ( )
• 0x00401006 fuzzing_methods ( )
• 0x00401007 questions ( )
push ebp
mov ebp, esp
call what_is_fuzzing
WHAT IS FUZZING?
«Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in
finding implementation bugs using malformed/semi-malformed data injection in an automated
fashion.»
«The purpose of fuzzing relies on the assumption that there are bugs within every program,
which are waiting to be discovered. Therefore, a systematical approach should find them
sooner or later.» -- http://www.owasp.org/index.php/Fuzzing
«Fuzzing is the process of sending intentionally invalid data to a product in the hopes of
triggering an error condition or fault. These error conditions can lead to exploitable
vulnerabilities.» HD Moore
“The degree to which a system or component can function correctly in the presence of invalid
inputs or stressful environmental conditions.” IEEE
HISTORY
• Professor Barton Miller
• Developed fuzz testing with his students at the University of Wisconsin-Madison in
1988/89
• GOAL: improve UNIX applications
• Miller's fuzzer was pretty basic: it sent random strings of data to the application
• 1999 brought PROTOS from University of Oulu
• 2004 Browser Fuzzing (Fuzzed HTML to find browser bugs)
• 2004 File Format Fuzzing (MS04-028 Buffer Overrun ~ Remote Code Execution)
• 2006 ActiveX Fuzzing
• 2007 Man-in-the-middle Fuzzing (ProxyFuzz)
SOME FUZZING TOOLS
• Peach Fuzz
• BFF
• Sulley
• Spike
• TAOF
• COMRaider
SOME HELPFUL DEFINITIONS
• BUG
• The Harvard Mark II (1947) Real BUG !
• Security BUGs (Memory Corruptions, Overflow, Injections, Memory Leaks)
• BUG Hunting
• Source Code Analysis (White Box)
• Binary Analysis
• Static Analysis (Reverse Engineering)
• Dynamic Analysis (Fuzzing, Debugging/Tracing, Taint Analysis)
• In Memory Fuzzing
«In memory fuzzing is a technique that allows the analyst to bypass parsers; network-related limitations such as
max connections, built-in IDS or flooding protection; encrypted or unknown (poorly documented) protocols in order
to fuzz the actual underlying assembly routines that are potentially vulnerable.»
CORELAN TEAM
FUZZING PHASES
1. IDENTIFY THE TARGET
• Applications (players, readers, web apps…)
• Platforms (Linux, Windows, OSX)
• Devices (arm, phones, modems ..)
• …
2. IDENTIFY THE INPUTS
• File Formats (swf, pdf, png, jpeg, m3u …)
• Network Protocols (ftp, http, arp, ssl …)
• Reg keys, env variables, headers …
FUZZING PHASES
3. GENERATE FUZZ DATA
• Mutation
• Generation
4. EXECUTE FUZZ DATA
• Semi-valid input to the target application
5. MONITOR FUZZ DATA
THE PROCESS OF FUZZING FRAMEWORK
Identify Targets & Platform
Identify Input Vectors
Generate Fuzz Data
• minimizing
Execute Fuzzed Data
Monitor for Exceptions
Determine Exploitability
• Unique crash logs
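The five phases above (identify target and inputs, generate, execute, monitor) and the framework flow form one loop. The following is an added example, not code from the talk or from BFF: a self-contained Python harness that fuzzes a constructed, deliberately buggy in-process record parser (standing in for the real target), mutates a seed file Charlie-Miller style, treats well-behaved rejections (ValueError) as non-crashes, and buckets real faults by exception type plus stack (the in-process analogue of backtrace-based uniqueness). The parser format, the seed and the planted index bug are all constructed for illustration.

```python
import hashlib
import random
import traceback

# Constructed toy target. Format: 4-byte magic b"FUZZ", then records [type:1][length:1][payload].
# Type 1 registers a name; type 2 references an earlier name by index. The index is trusted,
# so an out-of-range reference raises IndexError (the analogue of an out-of-bounds read).
MAGIC = b"FUZZ"

def parse_records(data: bytes) -> list:
    if data[:4] != MAGIC:
        raise ValueError("bad magic")            # clean rejection, not a crash
    names, refs, pos = [], [], 4
    while pos + 2 <= len(data):
        rtype, length = data[pos], data[pos + 1]
        payload = data[pos + 2:pos + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated record")  # clean rejection, not a crash
        if rtype == 1:
            names.append(payload.decode("latin-1"))
        elif rtype == 2 and length >= 1:
            refs.append(names[payload[0]])         # unchecked index: the planted bug
        pos += 2 + length
    return refs

EXPECTED_ERRORS = (ValueError,)   # the target's own input validation; ignored by the monitor

def mutate(seed: bytes, rng: random.Random, fuzz_factor: int = 8) -> bytes:
    """Phase 3 (generate): overwrite a handful of random bytes of the seed."""
    buf = bytearray(seed)
    numwrites = rng.randrange(max(1, len(buf) // fuzz_factor)) + 1
    for _ in range(numwrites):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def execute(test_case: bytes):
    """Phase 4 (execute): run one case; None on success/expected rejection, else the fault."""
    try:
        parse_records(test_case)
    except EXPECTED_ERRORS:
        return None
    except Exception as exc:
        return exc
    return None

def crash_signature(exc: BaseException) -> str:
    """Phase 5 (monitor): bucket faults by type and the frames they were raised through."""
    frames = traceback.extract_tb(exc.__traceback__)
    key = [type(exc).__name__] + [f"{f.name}:{f.lineno}" for f in frames]
    return hashlib.sha1("|".join(key).encode()).hexdigest()[:12]

def run_campaign(seed: bytes, iterations: int, rng_seed: int = 0) -> dict:
    """Generate -> execute -> monitor loop; returns unique crashes keyed by signature."""
    rng = random.Random(rng_seed)
    unique = {}
    for i in range(iterations):
        case = mutate(seed, rng)
        exc = execute(case)
        if exc is not None:
            sig = crash_signature(exc)
            if sig not in unique:
                unique[sig] = {"iteration": i, "input": case, "error": repr(exc)}
    return unique

# Constructed seed: one registered name and one valid reference to it.
SEED = MAGIC + bytes([1, 3]) + b"abc" + bytes([2, 1, 0])

if __name__ == "__main__":
    for sig, info in run_campaign(SEED, 2000, rng_seed=1).items():
        print(sig, info["iteration"], info["error"], info["input"].hex())
```

Every entry the campaign records can be replayed with `execute(info["input"])`, which is the property the crash bucketing depends on; a real framework does the same replay under a debugger and hashes the native backtrace instead of a Python traceback.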
CERT - FUZZING FRAMEWORK
• Basic Fuzzing Framework (BFF)
• Linux and Mac OS X platforms
• Failure Observation Engine (FOE)
• Windows platform
BFF - BASIC FUZZING FRAMEWORK
• The CERT Basic Fuzzing Framework (BFF) is a software testing tool that finds defects in
applications. BFF performs mutational fuzzing on software that consumes file input.
• The BFF automatically collects test cases that cause software to crash in unique ways, as
well as debugging information associated with the crashes.
• The goal of BFF is to minimize the effort required for software vendors and security
researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.
BFF - BASIC FUZZING FRAMEWORK
Features that are available in BFF
• Uniqueness determination is handled through intelligent backtrace analysis.
• Automated test-case minimization reduces the effort required to analyze results. This is
achieved by distilling the test case to the minimal changes to the input data required to
induce a specific crash.
• Online machine learning is applied to fuzzing parameter and input file selection to
improve the efficacy of the campaign.
• Crash severity/exploitability triage is provided.
BFF - BASIC FUZZING FRAMEWORK
ZZUF
It is a transparent application input fuzzer, whose purpose is to find bugs in applications by
corrupting their user-contributed data, randomly changing bits in the input. zzuf is one of
the most common fuzzers available for bit-flipping fuzzing.
CERT Triage Tools
The CERT Triage Tools include a GNU Debugger (GDB) extension called "exploitable" that
classifies Linux application bugs by severity and a wrapper script for batch execution.
BFF - TOOLS
BFF minimizes crashers (tools/minimizer_plot.py)
• Each crashing test case will have a number of bytes that have been modified from the
seed file.
• When a crasher is minimized, a test case is generated with a minimal number of bytes
that have changed from the seed file.
BFF - TOOLS
BFF crash analyzer (tools/bff_stats.py)
• Generates a concise summary of the fuzz run results so far, including how many times
each unique crash was seen, the first seed number it was seen at, the most recent seed
number it was seen, and the bitwise and byte wise Hamming Distance from the original
seed file for the minimized test case.
BFF - TOOLS
BFF crash analyzer (tools/create_crasher_script.py)
• It will generate a shell script that in turn can be used to regenerate all the test cases for a
given crash id.
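The three BFF tools above revolve around one idea: a crasher differs from its seed in some set of bytes, and the useful test case is the one with the fewest changes that still reproduces the crash, reported with its bit-wise and byte-wise Hamming distance from the seed. This added example is not BFF's own minimizer; it shows the same reduction in plain Python: revert each changed byte to the seed value and keep the reversion when the case still crashes, iterating to a fixed point. The crash oracle here is a constructed predicate; BFF re-runs the real target under the debugger and compares crash hashes instead.

```python
from typing import Callable

def hamming_bytes(a: bytes, b: bytes) -> int:
    """Number of byte positions that differ (byte-wise distance as in bff_stats)."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))

def hamming_bits(a: bytes, b: bytes) -> int:
    """Number of differing bits (bit-wise distance)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) + 8 * abs(len(a) - len(b))

def minimize(seed: bytes, crasher: bytes, still_crashes: Callable[[bytes], bool]) -> bytes:
    """Greedy minimizer: revert changed bytes one at a time back to the seed and keep each
    reversion that still reproduces the crash. Assumes equal lengths (byte-level mutation
    does not change file size)."""
    assert len(seed) == len(crasher)
    assert still_crashes(crasher), "input does not reproduce the crash"
    current = bytearray(crasher)
    changed = True
    while changed:                       # repeat until no single reversion is possible
        changed = False
        for i in range(len(current)):
            if current[i] == seed[i]:
                continue
            trial = bytearray(current)
            trial[i] = seed[i]
            if still_crashes(bytes(trial)):
                current = trial
                changed = True
    return bytes(current)

# Constructed example: the seed is 16 zero bytes, the crasher has four bytes set to 0xFF,
# but only two of them (offsets 3 and 9) are actually needed to trigger the "crash".
SEED = bytes(16)
_c = bytearray(SEED)
for _i in (1, 3, 5, 9):
    _c[_i] = 0xFF
CRASHER = bytes(_c)

def fake_crashes(buf: bytes) -> bool:
    """Stand-in crash oracle: in BFF this is a re-run of the target under gdb."""
    return buf[3] == 0xFF and buf[9] == 0xFF

def minimize_example():
    """Returns (minimized case, byte-wise distance, bit-wise distance) for the constructed data."""
    minimal = minimize(SEED, CRASHER, fake_crashes)
    return minimal, hamming_bytes(SEED, minimal), hamming_bits(SEED, minimal)

if __name__ == "__main__":
    minimal, hb, hbit = minimize_example()
    print("before:", hamming_bytes(SEED, CRASHER), "bytes /", hamming_bits(SEED, CRASHER), "bits")
    print("after: ", hb, "bytes /", hbit, "bits", minimal.hex())
```

The two distances are what bff_stats reports per unique crash: a large byte-wise distance with a small bit-wise distance, for instance, means a few single-bit flips spread across the file, which is a different kind of defect from a contiguous overwritten field.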
BFF - BASIC FUZZING FRAMEWORK
Analyzing Results
• When the fuzzing run encounters a crash, BFF will analyze the details of the crash
• Capturing
• Stderr output
• Gdb output
• Valgrind output
• Callgrind output
BFF - BASIC FUZZING FRAMEWORK
Analyzing Results
• crashers: Contains a subdir for each uniquely-crashing test case and its analyzed results
• seeds: Contains the original seed files as well as logs specific to that seedfile
• uniquelog.txt: A log file that tracks the unique crashers found during the run
• gdb output
• the memory map
• signal information
• backtrace, registers
• disassembly
• CERT Triage Tools
BFF - BASIC FUZZING FRAMEWORK
DEMO 1
FUZZING METHODS
• Generation-based or Random-based (Smart Fuzzing)
The fuzzers generate input data for applications in a random way. This type of data generation is very quick to implement but also useless in most cases.
• Easy, you do not need to know any protocol or format.
• Mutation-based (Dumb Fuzzing)
Mutation-based fuzzers generate data by analyzing an existing set of data provided by the user and mutating some fields inside that data.
• Very hard, but explores every detail of protocol
• Proxy-based
• Specification-based
• Evolutionary-based
GENERATION BASED FUZZING
• Generational fuzzers are capable of building the data being sent based on a data model
provided by the fuzzer creator. Sometimes this is as simple as sending random bytes.
This can be done much smarter by knowing good data values and combining them in
interesting ways.
• Test cases are generated from some description of the format.
MUTATION BASED (DUMB FUZZING)
• Mutation-based fuzzers mutate existing data samples to create test data, while generation-based fuzzers define new test data based on models of the input.
• Mutational fuzzing is the act of taking well-formed input data and corrupting it in various
ways, looking for cases that cause crashes.
• Change Random Byte
• Byte Flipping
Charlie Miller code (the original five lines; imports, FuzzFactor and a bytearray buffer added so it runs under Python 3; "seed.bin" is a placeholder path)
import math
import random

FuzzFactor = 250  # on average one write per 250 bytes; the value from Miller's original
buf = bytearray(open("seed.bin", "rb").read())  # seed file as a mutable byte buffer
numwrites = random.randrange(math.ceil(float(len(buf)) / FuzzFactor)) + 1
for j in range(numwrites):
    rbyte = random.randrange(256)    # random replacement byte
    rn = random.randrange(len(buf))  # random offset in the buffer
    buf[rn] = rbyte                  # original: buf[rn] = "%c" % rbyte, on a Python 2 list of chars
CHANGE RANDOM BYTE
BYTE/DWORD FLIPPING
• FiveBelow is a dumb file fuzzer. It uses the byte-slide method.
BYTE/DWORD FLIPPING
• ZDI-11-252
• Apple QuickTime PICT Image PnSize Opcode Remote Code Execution Vulnerability
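My reading of the byte-slide method named above is: take a small set of interesting byte (and DWORD) values and slide each one across every offset of the seed file, producing one test case per position and value. The generator below is an added example, not FiveBelow's code; the value sets are my choice (boundary bytes and signed/unsigned 32-bit limits, the values that most often upset length and index arithmetic), and the seed files in the usage are constructed.

```python
import struct
from typing import Iterator, Tuple

# Values to slide: boundary bytes, and boundary 32-bit integers (signed/unsigned limits).
BYTE_VALUES = (0x00, 0x7F, 0x80, 0xFF)
DWORD_VALUES = (0x00000000, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF)

def byte_slide(seed: bytes, values=BYTE_VALUES) -> Iterator[Tuple[int, int, bytes]]:
    """Slide each byte value across every offset. Yields (offset, value, test_case)."""
    for offset in range(len(seed)):
        for value in values:
            if seed[offset] == value:
                continue                      # identical to the seed: nothing new to test
            case = bytearray(seed)
            case[offset] = value
            yield offset, value, bytes(case)

def dword_slide(seed: bytes, values=DWORD_VALUES, endian: str = "<") -> Iterator[Tuple[int, int, bytes]]:
    """Overwrite the 4-byte window at every offset with each DWORD value (little-endian
    by default; pass endian=">" for big-endian formats such as PICT)."""
    for offset in range(len(seed) - 3):
        for value in values:
            packed = struct.pack(endian + "I", value)
            if seed[offset:offset + 4] == packed:
                continue
            case = bytearray(seed)
            case[offset:offset + 4] = packed
            yield offset, value, bytes(case)

def count_cases(seed: bytes) -> Tuple[int, int]:
    """Size of the deterministic campaign for a seed: (byte cases, dword cases)."""
    return sum(1 for _ in byte_slide(seed)), sum(1 for _ in dword_slide(seed))

if __name__ == "__main__":
    demo_seed = bytes(range(1, 9))        # constructed 8-byte seed
    print("cases:", count_cases(demo_seed))
    for offset, value, case in dword_slide(demo_seed, endian=">"):
        print(f"offset {offset:2d} value {value:#010x} -> {case.hex()}")
```

Because the campaign is deterministic, every case is identified by (offset, value) alone, so a crash can be re-created later from the seed and that pair without storing the whole file, which is exactly what BFF's create_crasher_script.py exploits for its own mutations.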
BYTE/DWORD FLIPPING (ZDI-11-252)
DEMO 2
APPLE QUICKTIME PICT IMAGE PNSIZE OPCODE
REMOTE CODE EXECUTION
FILE FORMAT FUZZING
PDFuzzer (PDF header format fuzzer by Jeremy Brown)
PEACH FUZZER
• Peach is a SmartFuzzer that is capable of performing both generation and mutation based
fuzzing.
• Peach requires the creation of Peach Pit files that define the structure, type information,
and relationships in the data to be fuzzed. It additionally allows for the configuration of a
fuzzing run including selecting a data transport (Publisher), logging interface, etc.
PEACHPIT FILE
• DataModel
A DataModel defines the structure of a data block by specifying additional child elements
such as Number, Blob, or String.
• StateModel
The StateModel recreates the basic state machine logic needed to test a protocol. The
state model defines how to send and receive data to the fuzzing target.
PEACHPIT FILE
• Publishers (Network Publishers & Custom Publishers )
Publishers are the I/O interfaces used by Peach to send and receive data.
• Agent and Monitor
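A DataModel is what makes generation-based fuzzing (the GENERATION BASED FUZZING slide above) possible: once the fields and their types are declared, the fuzzer can hold every field at its valid value and substitute one field at a time with boundary cases. This added example is not Peach code and does not read Pit files; it is a minimal Python stand-in for a DataModel with Number, String and Blob fields, a serializer, and a generator that emits one test case per (field, boundary value). The header layout (magic, version, length, payload) is constructed, and Peach's size-of Relations are deliberately left out, which is why the length field's cases disagree with the payload, a useful test in its own right.

```python
import struct
from dataclasses import dataclass, replace
from typing import Iterator, List, Tuple, Union

# Constructed stand-in for a Peach DataModel: an ordered list of typed fields.
@dataclass
class Number:
    name: str
    size: int            # bytes: 1, 2 or 4
    value: int
    endian: str = "<"

@dataclass
class String:
    name: str
    value: bytes

@dataclass
class Blob:
    name: str
    value: bytes

Field = Union[Number, String, Blob]

def serialize(model: List[Field]) -> bytes:
    """Flatten the model into the byte layout the target consumes."""
    out = b""
    for f in model:
        if isinstance(f, Number):
            fmt = {1: "B", 2: "H", 4: "I"}[f.size]
            mask = (1 << (8 * f.size)) - 1
            out += struct.pack(f.endian + fmt, f.value & mask)   # wrap out-of-range values
        else:
            out += f.value
    return out

def number_cases(n: Number) -> List[int]:
    """Boundary values for an integer field: zero, one, signed/unsigned limits, off-by-one."""
    bits = 8 * n.size
    return [0, 1, (1 << (bits - 1)) - 1, 1 << (bits - 1), (1 << bits) - 1, n.value + 1, n.value - 1]

def bytes_cases(f) -> List[bytes]:
    """Boundary values for String/Blob fields: empty, repeated, long, NUL-prefixed, high bytes."""
    return [b"", f.value * 64, b"A" * 1024, b"\x00" + f.value, b"\xff" * 8]

def generate(model: List[Field]) -> Iterator[Tuple[str, bytes]]:
    """Generation-based fuzzing: vary one field at a time, all others stay valid."""
    for idx, f in enumerate(model):
        cases = number_cases(f) if isinstance(f, Number) else bytes_cases(f)
        for c in cases:
            mutated = list(model)
            mutated[idx] = replace(f, value=c)
            yield f"{f.name}={c!r}"[:40], serialize(mutated)

# Constructed example header: magic, 16-bit version, 32-bit payload length, payload.
MODEL: List[Field] = [
    String("magic", b"FUZZ"),
    Number("version", 2, 1),
    Number("length", 4, 5),
    Blob("payload", b"hello"),
]

if __name__ == "__main__":
    print("valid:", serialize(MODEL).hex())
    for label, data in generate(MODEL):
        print(f"{label:40s} {len(data):5d} bytes")
```

In Peach the same model would be a DataModel with `<String>`, `<Number>` and `<Blob>` children, the Publisher would write each serialized case to the file or socket, and the Agent/Monitor would watch the target for faults; here `serialize` and `generate` are the only two of those roles the example covers.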
DEMO 3
PEACH FARM (PARALLEL FUZZING)
Peach Fuzzer Farm allows building scalable and distributed fuzzing harnesses.
• 88 Cores of fuzz
• 100,000 files per format (doc, xls, ppt, pdf)
• 5 Targets (Office 2010/2007, OpenOffice, PDF viewers)
• 4 File formats
• >250 GB of logs
• One crash about every six seconds
PEACH FARM (SAMPLE RESULTS)
• 942 Unique Major Hashes
• 440 in Office
• 396 in Open Office
• 68 in Ghostview
• 32 in Foxit
• 5 in Acrobat
• !exploitable
• 150 EXPLOITABLE (15%)
• 188 PROBABLY_EXPLOITABLE (19%)
• 16 PROBABLY_NOT_EXPLOITABLE (1.6%)
• 588 UNKNOWN (62%)
ACTIVEX FUZZING
COMRaider is a tool designed to fuzz COM Object Interfaces.
ACTIVEX FUZZING
Target: CommuniCrypt Mail 1.16 (ANSMTP.dll/AOSMTP.dll)
Method: AddAttachments
EPILOGUE
• « Fuzzing will not always yield bugs that will allow you to execute code. Fuzzing does not
promise to make your dreams come true. Fuzzing is an art and a software programmer's
nightmare. Fuzzing will open your eyes to see that it is no longer enough to know the
code backwards and forward, inside and outside, layer by layer, line by line, bit by bit. »
Jeremy Brown
mov esp, ebp
pop ebp
ret
THANK YOU FOR LISTENING
• udacity: CS258 (Software Testing)
• http://fuzzing.org/
• Open Source Fuzzing Tools
• Fuzzing: Brute Force Vulnerability Discovery
• www.corelan.be

Más contenido relacionado

La actualidad más candente

Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
How To Write A Test Case In Software Testing | Edureka
How To Write A Test Case In Software Testing | EdurekaHow To Write A Test Case In Software Testing | Edureka
How To Write A Test Case In Software Testing | EdurekaEdureka!
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
How to Connect SystemVerilog with Octave
How to Connect SystemVerilog with OctaveHow to Connect SystemVerilog with Octave
How to Connect SystemVerilog with OctaveAmiq Consulting
 
Process Scheduler and Balancer in Linux Kernel
Process Scheduler and Balancer in Linux KernelProcess Scheduler and Balancer in Linux Kernel
Process Scheduler and Balancer in Linux KernelHaifeng Li
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Hybrid Automation Framework Development introduction
Hybrid Automation Framework Development introductionHybrid Automation Framework Development introduction
Hybrid Automation Framework Development introductionGanuka Yashantha
 
Python Automation With Gauge + Selenium + API + Jenkins
Python Automation With Gauge + Selenium + API + JenkinsPython Automation With Gauge + Selenium + API + Jenkins
Python Automation With Gauge + Selenium + API + JenkinsFagun Priyadarshi
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityMikhail Egorov
 
Test Mühendisliğine Giriş Eğitimi - Bölüm 1
Test Mühendisliğine Giriş Eğitimi - Bölüm 1Test Mühendisliğine Giriş Eğitimi - Bölüm 1
Test Mühendisliğine Giriş Eğitimi - Bölüm 1Mesut Günes
 
Software Testing Life Cycle
Software Testing Life CycleSoftware Testing Life Cycle
Software Testing Life CycleUdayakumar Sree
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
 

La actualidad más candente (20)

Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
How To Write A Test Case In Software Testing | Edureka
How To Write A Test Case In Software Testing | EdurekaHow To Write A Test Case In Software Testing | Edureka
How To Write A Test Case In Software Testing | Edureka
 
Unit Test
Unit TestUnit Test
Unit Test
 
GUI Testing
GUI TestingGUI Testing
GUI Testing
 
Test NG Framework Complete Walk Through
Test NG Framework Complete Walk ThroughTest NG Framework Complete Walk Through
Test NG Framework Complete Walk Through
 
OWASP Zed Attack Proxy
OWASP Zed Attack ProxyOWASP Zed Attack Proxy
OWASP Zed Attack Proxy
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
How to Connect SystemVerilog with Octave
How to Connect SystemVerilog with OctaveHow to Connect SystemVerilog with Octave
How to Connect SystemVerilog with Octave
 
testng
testngtestng
testng
 
ELF
ELFELF
ELF
 
Junit
JunitJunit
Junit
 
Process Scheduler and Balancer in Linux Kernel
Process Scheduler and Balancer in Linux KernelProcess Scheduler and Balancer in Linux Kernel
Process Scheduler and Balancer in Linux Kernel
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Hybrid Automation Framework Development introduction
Hybrid Automation Framework Development introductionHybrid Automation Framework Development introduction
Hybrid Automation Framework Development introduction
 
Python Automation With Gauge + Selenium + API + Jenkins
Python Automation With Gauge + Selenium + API + JenkinsPython Automation With Gauge + Selenium + API + Jenkins
Python Automation With Gauge + Selenium + API + Jenkins
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications security
 
Test Mühendisliğine Giriş Eğitimi - Bölüm 1
Test Mühendisliğine Giriş Eğitimi - Bölüm 1Test Mühendisliğine Giriş Eğitimi - Bölüm 1
Test Mühendisliğine Giriş Eğitimi - Bölüm 1
 
Software Testing Life Cycle
Software Testing Life CycleSoftware Testing Life Cycle
Software Testing Life Cycle
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
 

Similar a FUZZING & SOFTWARE SECURITY TESTING

Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introductionMostafa Abdel-sallam
 
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapDEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapFelipe Prado
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDaveEdwards12
 
black-box testing is a type of software testing in which the tester is not co...
black-box testing is a type of software testing in which the tester is not co...black-box testing is a type of software testing in which the tester is not co...
black-box testing is a type of software testing in which the tester is not co...KrishnaVeni451953
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraNelson Brito
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...EC-Council
 
How to build a debuggle runtime
How to build a debuggle runtimeHow to build a debuggle runtime
How to build a debuggle runtimeTobi Ajila
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidE Hacking
 
Fuzzing: The New Unit Testing
Fuzzing: The New Unit TestingFuzzing: The New Unit Testing
Fuzzing: The New Unit TestingDmitry Vyukov
 
Fuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingFuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingNetSPI
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis PrimerCoverity
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdfMAHESHUMANATHGOPALAK
 

Similar a FUZZING & SOFTWARE SECURITY TESTING (20)

Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introduction
 
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapDEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Az4301280282
Az4301280282Az4301280282
Az4301280282
 
black-box testing is a type of software testing in which the tester is not co...
black-box testing is a type of software testing in which the tester is not co...black-box testing is a type of software testing in which the tester is not co...
black-box testing is a type of software testing in which the tester is not co...
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
 
Software testing
Software testingSoftware testing
Software testing
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
 
How to build a debuggle runtime
How to build a debuggle runtimeHow to build a debuggle runtime
How to build a debuggle runtime
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 
Fuzzing: The New Unit Testing
Fuzzing: The New Unit TestingFuzzing: The New Unit Testing
Fuzzing: The New Unit Testing
 
Fuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingFuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox Testing
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Fuzzing - Part 1
Fuzzing - Part 1Fuzzing - Part 1
Fuzzing - Part 1
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis Primer
 
soctool.pdf
soctool.pdfsoctool.pdf
soctool.pdf
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
 

Último

SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
Software Coding for software engineering
Software Coding for software engineeringSoftware Coding for software engineering
Software Coding for software engineeringssuserb3a23b
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 

Último (20)

SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Odoo Development Company in India | Devintelle Consulting Service
Odoo Development Company in India | Devintelle Consulting ServiceOdoo Development Company in India | Devintelle Consulting Service
Odoo Development Company in India | Devintelle Consulting Service
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
Machine Learning Software Engineering Patterns and Their Engineering

FUZZING & SOFTWARE SECURITY TESTING

SOME HELPFUL DEFINITIONS
• BUG
• The Harvard Mark II (1947) Real BUG !
• Security BUGs (Memory Corruptions, Overflow, Injections, Memory Leaks)
• BUG Hunting
• Source Code Analysis (White Box)
• Binary Analysis
• Static Analysis (Reverse Engineering)
• Dynamic Analysis (Fuzzing, Debugging/Tracing, Taint Analysis)
• In Memory Fuzzing
«In memory fuzzing is a technique that allows the analyst to bypass parsers; network-related limitations such as max connections, built-in IDS or flooding protection; encrypted or unknown (poorly documented) protocols in order to fuzz the actual underlying assembly routines that are potentially vulnerable.» CORELAN TEAM
FUZZING PHASES
1. IDENTIFY THE TARGET
• Applications (players, readers, web apps…)
• Platforms (Linux, Windows, OSX)
• Devices (arm, phones, modems ..)
• …
2. IDENTIFY THE INPUTS
• File Formats (swf, pdf, png, jpeg, m3u …)
• Network Protocols (ftp, http, arp, ssl …)
• Reg keys, env variables, headers …
FUZZING PHASES
3. GENERATE FUZZ DATA
• Mutation
• Generation
4. EXECUTE FUZZ DATA
• Semi-valid input to the target application
5. MONITOR FUZZ DATA
THE PROCESS OF A FUZZING FRAMEWORK
• Identify Targets & Platform
• Identify Input Vectors
• Generate Fuzz Data (minimizing)
• Execute Fuzzed Data
• Monitor for Exceptions
• Determine Exploitability (unique crash logs)
CERT - FUZZING FRAMEWORK
• Basic Fuzzing Framework (BFF): Linux and Mac OS X platforms
• Failure Observation Engine (FOE): Windows platform
BFF - BASIC FUZZING FRAMEWORK
• The CERT Basic Fuzzing Framework (BFF) is a software testing tool that finds defects in applications. BFF performs mutational fuzzing on software that consumes file input.
• BFF automatically collects test cases that cause software to crash in unique ways, as well as debugging information associated with the crashes.
• The goal of BFF is to minimize the effort required for software vendors and security researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.
BFF - BASIC FUZZING FRAMEWORK
Features that are available in BFF:
• Uniqueness determination is handled through intelligent backtrace analysis.
• Automated test-case minimization reduces the effort required to analyze results. This is achieved by distilling the test case to the minimal changes to the input data required to induce a specific crash.
• Online machine learning is applied to fuzzing parameter and input file selection to improve the efficacy of the campaign.
• Crash severity/exploitability triage is provided.
BFF - BASIC FUZZING FRAMEWORK
ZZUF
• zzuf is a transparent application input fuzzer whose purpose is to find bugs in applications by corrupting their user-contributed data, i.e. changing random bits in the input. zzuf is one of the most common fuzzers available for bit-flipping fuzzing.
CERT Triage Tools
• The CERT Triage Tools include a GNU Debugger (GDB) extension called "exploitable" that classifies Linux application bugs by severity, and a wrapper script for batch execution.
BFF - TOOLS
BFF minimizes crashers (tools/minimizer_plot.py)
• Each crashing test case has a number of bytes that have been modified from the seed file.
• When a crasher is minimized, a test case is generated with a minimal number of bytes that have changed from the seed file.
BFF - TOOLS
BFF crash analyzer (tools/bff_stats.py)
• Generates a concise summary of the fuzz-run results so far, including how many times each unique crash was seen, the first seed number it was seen at, the most recent seed number it was seen at, and the bit-wise and byte-wise Hamming distance from the original seed file for the minimized test case.
BFF - TOOLS
BFF crash analyzer (tools/create_crasher_script.py)
• Generates a shell script that in turn can be used to regenerate all the test cases for a given crash id.
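As an added example (not BFF's own code) of what the minimizer in tools/minimizer_plot.py and the Hamming distances in tools/bff_stats.py compute, the script below greedily reverts the mutated bytes of a crasher while a constructed stand-in target still faults, then reports the byte-wise and bit-wise distance of the minimized case from the seed. The target, seed and crasher are all constructed here.

```python
def toy_target_crashes(data):
    """Constructed stand-in target for a length-prefixed format
    'FUZZ' + length byte + payload. It 'crashes' (returns True) when the
    declared payload length exceeds the bytes actually present, the way
    a real parser would read out of bounds."""
    if len(data) < 5 or data[:4] != b"FUZZ":
        return False            # bad magic is rejected cleanly, no crash
    return data[4] > len(data) - 5


def hamming_distances(seed, case):
    """Byte-wise and bit-wise Hamming distance between seed and test case
    (the two numbers reported per minimized crasher)."""
    assert len(seed) == len(case), "mutational cases keep the seed length"
    byte_dist = sum(1 for a, b in zip(seed, case) if a != b)
    bit_dist = sum(bin(a ^ b).count("1") for a, b in zip(seed, case))
    return byte_dist, bit_dist


def minimize(seed, crasher, crashes):
    """Greedy minimization: revert each mutated byte to its seed value and
    keep the reversion only if the crash still reproduces. What remains is
    the minimal set of changes needed to induce this crash."""
    current = bytearray(crasher)
    for i in range(len(seed)):
        if current[i] == seed[i]:
            continue
        candidate = bytearray(current)
        candidate[i] = seed[i]
        if crashes(bytes(candidate)):
            current = candidate
    return bytes(current)


def demo():
    """Constructed seed and crasher: three bytes differ from the seed, but
    only the length byte is responsible for the fault."""
    seed = b"FUZZ" + bytes([4]) + b"abcd"      # valid: length 4, 4 bytes
    crasher = bytearray(seed)
    crasher[4] = 200                          # the change that matters
    crasher[6] = ord("X")                     # noise left by the fuzzer
    crasher[8] = 0xFF                         # more noise
    assert toy_target_crashes(bytes(crasher))
    minimized = minimize(seed, bytes(crasher), toy_target_crashes)
    return minimized, hamming_distances(seed, minimized)


if __name__ == "__main__":
    print(demo())
```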
BFF - BASIC FUZZING FRAMEWORK
Analyzing Results
• When the fuzzing run encounters a crash, BFF analyzes the details of the crash, capturing:
• stderr output
• gdb output
• Valgrind output
• Callgrind output
BFF - BASIC FUZZING FRAMEWORK
Analyzing Results
• crashers: contains a subdirectory for each uniquely-crashing test case and its analyzed results
• seeds: contains the original seed files as well as logs specific to each seed file
• uniquelog.txt: a log file that tracks the unique crashers found during the run
• gdb output: the memory map, signal information, backtrace, registers, disassembly
• CERT Triage Tools
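An added example (not BFF's code) of the uniqueness determination by backtrace analysis that feeds uniquelog.txt: it reduces gdb-style backtraces to their frame function names, hashes the top frames and buckets test cases by that signature, so two runs that differ only in addresses and argument values land in the same bucket. The backtraces and seed ids are constructed samples.

```python
import hashlib
import re

# Constructed gdb-style backtraces keyed by the seed number that produced
# them (not real BFF output).
BACKTRACES = {
    "seed-0017": (
        "#0  0x08048a12 in parse_chunk (p=0x804b008, len=65535) at parser.c:88\n"
        "#1  0x08048c44 in read_file (path=0xbfff0123) at main.c:41\n"
        "#2  0x08048d10 in main () at main.c:70"),
    "seed-0342": (  # same fault: only addresses and argument values differ
        "#0  0x08048a12 in parse_chunk (p=0x805c010, len=4096) at parser.c:88\n"
        "#1  0x08048c44 in read_file (path=0xbfff4567) at main.c:41\n"
        "#2  0x08048d10 in main () at main.c:70"),
    "seed-0981": (  # a different crash site
        "#0  0xb7e5a1c0 in strcpy () from /lib/libc.so.6\n"
        "#1  0x08048b02 in copy_name (src=0x804b100) at parser.c:120\n"
        "#2  0x08048d10 in main () at main.c:70"),
}

# frame number, optional "0xADDR in", then the function name up to "("
FRAME_RE = re.compile(r"^#\d+\s+(?:0x[0-9a-fA-F]+ in )?(\S+)\s*\(")


def frame_functions(backtrace):
    """Function names of a gdb backtrace, innermost frame first; addresses
    and argument values are dropped because they vary between runs."""
    names = []
    for line in backtrace.splitlines():
        m = FRAME_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def crash_signature(backtrace, depth=5):
    """Hash over the top `depth` frame names, in the spirit of a major hash."""
    key = "|".join(frame_functions(backtrace)[:depth])
    return hashlib.sha1(key.encode()).hexdigest()[:16]


def bucket_crashes(cases):
    """Map signature -> test-case ids in first-seen order (a unique log)."""
    buckets = {}
    for case_id, backtrace in cases.items():
        buckets.setdefault(crash_signature(backtrace), []).append(case_id)
    return buckets
```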
BFF - BASIC FUZZING FRAMEWORK
DEMO 1
FUZZING METHODS
• Generation-based or Random-based (Smart Fuzzing)
The fuzzers generate input data for applications in a random way. This type of data generation is very quick to implement but also useless in most cases.
• Easy, you do not need to know any protocol or format.
• Mutation-based (Dumb Fuzzing)
Mutation-based fuzzers generate data by analyzing an existing set of data provided by the user and mutating some fields inside these data.
• Very hard, but explores every detail of the protocol
• Proxy-based
• Specification-based
• Evolutionary-based
GENERATION BASED FUZZING
• Generational fuzzers are capable of building the data being sent based on a data model provided by the fuzzer creator. Sometimes this is as simple as sending random bytes. This can be done much smarter by knowing good data values and combining them in interesting ways.
• Test cases are generated from some description of the format.
MUTATION BASED (DUMB FUZZING)
• Mutation-based fuzzers mutate existing data samples to create test data, while generation-based fuzzers define new test data based on models of the input.
• Mutational fuzzing is the act of taking well-formed input data and corrupting it in various ways, looking for cases that cause crashes.
• Change Random Byte
• Byte Flipping
CHANGE RANDOM BYTE
Charlie Miller's code:

    import math
    import random

    # buf is the seed file read into a list of one-character strings;
    # FuzzFactor sets how large a fraction of the bytes may be touched
    numwrites = random.randrange(math.ceil(float(len(buf)) / FuzzFactor)) + 1
    for j in range(numwrites):
        rbyte = random.randrange(256)       # random replacement byte value
        rn = random.randrange(len(buf))     # random offset in the buffer
        buf[rn] = "%c" % rbyte
BYTE/DWORD FLIPPING
• FiveBelow is the dummy file fuzzer. It uses the byte slide method.
• ZDI-11-252
• Apple QuickTime PICT Image PnSize Opcode Remote Code Execution Vulnerability
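The mutation operators named on the Change Random Byte and Byte/DWORD Flipping slides, written here as an added example in Python (not Charlie Miller's or FiveBelow's code). The DWORD slide is our reading of FiveBelow's byte slide method, and the rng_seed parameter is an addition so that a random-byte test case can be regenerated from its seed number.

```python
import math
import random
import struct


def change_random_bytes(seed, fuzz_factor=250, rng_seed=None):
    """Miller-style mutation: overwrite 1..ceil(len/fuzz_factor) random
    positions with random byte values. rng_seed makes the case reproducible."""
    rng = random.Random(rng_seed)
    out = bytearray(seed)
    numwrites = rng.randrange(max(1, math.ceil(len(out) / fuzz_factor))) + 1
    for _ in range(numwrites):
        out[rng.randrange(len(out))] = rng.randrange(256)
    return bytes(out)


def flip_bytes(seed, offsets, mask=0xFF):
    """Byte flipping: XOR the bytes at `offsets` with `mask` (0xFF inverts
    every bit; a single-bit mask gives classic bit flipping)."""
    out = bytearray(seed)
    for off in offsets:
        out[off] ^= mask
    return bytes(out)


def dword_slide(seed, value=0xFFFFFFFF, step=1):
    """DWORD slide: yield one test case per offset with a 32-bit
    little-endian value written there, so any length or size field in the
    file eventually receives a boundary value."""
    packed = struct.pack("<I", value)
    for off in range(0, len(seed) - 3, step):
        out = bytearray(seed)
        out[off:off + 4] = packed
        yield off, bytes(out)


def byte_distance(a, b):
    """Number of byte positions that differ between two equal-length cases."""
    return sum(x != y for x, y in zip(a, b))
```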
DEMO 2
APPLE QUICKTIME PICT IMAGE PNSIZE OPCODE REMOTE CODE EXECUTION
FILE FORMAT FUZZING
• PDFuzzer (PDF header format fuzzer by Jeremy Brown)
PEACH FUZZER
• Peach is a smart fuzzer that is capable of performing both generation- and mutation-based fuzzing.
• Peach requires the creation of Peach Pit files that define the structure, type information, and relationships in the data to be fuzzed. It additionally allows for the configuration of a fuzzing run, including selecting a data transport (Publisher), logging interface, etc.
PEACH PIT FILE
• DataModel: A DataModel defines the structure of a data block by specifying child elements such as Number, Blob, or String.
• StateModel: The StateModel recreates the basic state-machine logic needed to test a protocol. The state model defines how to send data to and receive data from the fuzzing target.
PEACH PIT FILE
• Publishers (Network Publishers & Custom Publishers): Publishers are the I/O interfaces used by Peach to send and receive data.
• Agent and Monitor
PEACH FARM (PARALLEL FUZZING)
Peach Fuzzer Farm allows building scalable and distributed fuzzing harnesses.
• 88 cores of fuzz
• 100,000 files per format (doc, xls, ppt, pdf)
• 5 targets (Office 2010/2007, OpenOffice, PDF viewers)
• 4 file formats
• >250 GB of logs
• One crash about every six seconds
PEACH FARM (SAMPLE RESULTS)
• 942 unique major hashes
• 440 in Office
• 396 in OpenOffice
• 68 in Ghostview
• 32 in Foxit
• 5 in Acrobat
• !exploitable classification:
• 150 EXPLOITABLE (15%)
• 188 PROBABLY_EXPLOITABLE (19%)
• 16 PROBABLY_NOT_EXPLOITABLE (1.6%)
• 588 UNKNOWN (62%)
ACTIVEX FUZZING
• COMRaider is a tool designed to fuzz COM object interfaces.
• Target: CommuniCrypt Mail 1.16 (ANSMTP.dll/AOSMTP.dll)
• Method: AddAttachments
EPILOGUE
• « Fuzzing will not always yield bugs that will allow you to execute code. Fuzzing does not promise to make your dreams come true. Fuzzing is an art and a software programmer's nightmare. Fuzzing will open your eyes to see that it is no longer enough to know the code backwards and forward, inside and outside, layer by layer, line by line, bit by bit. » Jeremy Brown
mov esp, ebp
pop ebp
ret
THANK YOU FOR LISTENING
• Udacity: CS258 (Software Testing)
• http://fuzzing.org/
• Open Source Fuzzing Tools
• Fuzzing: Brute Force Vulnerability Discovery
• www.corelan.be