[Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs


Transcript of [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

Page 1: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

FUZZING - UNDERESTIMATED METHOD OF FINDING HIDDEN BUGS

by Pawel Rzepa

Page 2: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

AGENDA

• What fuzzing really is

• Mutation based (dumb) fuzzing

• Instrumented fuzzing

• Generation based (smart) fuzzing

• Fuzzing in Software Development Life Cycle

• Fuzzing web application

Page 3: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

WHAT FUZZING REALLY IS?

“Fuzzing is a method for discovering faults in software by providing unexpected input and monitoring for exceptions.”

— “Fuzzing: Brute Force Vulnerability Discovery”

Page 4: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

IN OTHER WORDS…

A child noticed dad’s unwatched phone…

The child has found a chain of instructions that crashes the phone.

Page 5: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

HISTORY OF FUZZING

In 1988 Professor Barton Miller from the University of Wisconsin observed that when he was logged in over a modem during a storm, the line noise generated a lot of junk characters, and those characters caused programs to crash.

Page 6: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

THE MOST BASIC FUZZER (RANDOM TESTING)

$> while true; \
>   do [tested_program] "$(head -c 100 /dev/urandom)"; \
>   done

• in most cases such random input will be ignored

…but what is missing?

• information about what exactly causes a crash (how to reproduce it?)

• information about the program state (how do we know that an input caused any crash?)

Page 7: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

WHY IS IT WORTH FUZZING?

• High return on investment - machine time is cheap and human time is expensive

• The human role is just to customize a fuzzer to your needs and… profit!

Page 8: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

WHAT CAN YOU FUZZ?

• Literally every piece of software which accepts user input

• All kinds of apps (mobile, desktop, web, etc.)

• OS -> https://vimeo.com/129701495

• Online games -> http://bit.ly/2e0w2YO

• Bluetooth -> http://bit.ly/2dQfPqM

• HDMI -> http://bit.ly/2e0ynmA

• Fonts -> http://bit.ly/293DKE0

• Virtualization systems -> http://bit.ly/2ernSfs

…and much more!

Page 9: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

WHAT CAN FUZZERS FIND?

• Buffer overruns (remote code execution),

• Deadlocks, thread hangs, unhandled exceptions (denial-of-service),

• Memory leaks (Heartbleed)

“(…) yeah it sometimes happen. Just restart and don’t give a f@%k about it.”

Page 10: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

MUTATION / BRUTEFORCE / DUMB FUZZING

sample data -> (bitflipping, byteflipping, chunkspew, …) -> fuzzed data -> program input
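The diagram above in working form, as an added example (not code from the talk, which uses radamsa for this step): three mutators matching the diagram, and a harness that supplies the two things the random one-liner on the earlier slide lacked, a record of exactly which input produced a crash and a monitor for the target's state (here an unexpected Python exception). The length/checksum record format and both `parse_record` variants are constructed for the example; the second one shows the bounds check the first is missing.

```python
"""Mutation-based ("dumb") fuzzer: sample data -> mutators -> fuzzed data -> program input."""
import random
from dataclasses import dataclass
from typing import Callable, List, Tuple, Type

# ---- mutators: each takes the sample and a seeded RNG and returns a fuzzed copy ----
def bit_flip(data: bytes, rng: random.Random) -> bytes:
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return bytes(buf)

def byte_flip(data: bytes, rng: random.Random) -> bytes:
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def chunk_spew(data: bytes, rng: random.Random) -> bytes:
    # copy a random chunk of 1..4 bytes and insert it at a random position
    start = rng.randrange(len(data))
    chunk = data[start:start + rng.randint(1, 4)]
    pos = rng.randrange(len(data) + 1)
    return data[:pos] + chunk + data[pos:]

MUTATORS = [bit_flip, byte_flip, chunk_spew]

# ---- constructed target: [len][payload][checksum] with an unchecked length field ----
def parse_record(data: bytes) -> bytes:
    if len(data) < 2:
        raise ValueError("too short")
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]          # BUG: length is never checked against len(data)
    if (sum(payload) & 0xFF) != checksum:
        raise ValueError("bad checksum")
    return payload

def parse_record_fixed(data: bytes) -> bytes:
    if len(data) < 2 or 1 + data[0] >= len(data):   # FIX: bounds check before indexing
        raise ValueError("bad length")
    return parse_record(data)

SAMPLE = b"\x03abc\x26"   # valid record: len 3, payload "abc", checksum (97+98+99) & 0xFF

# ---- harness: input generator + history of what was sent + process monitor ----
@dataclass
class CrashRecord:
    iteration: int
    mutator: str
    data: bytes
    exception: str

def fuzz(target: Callable[[bytes], object], sample: bytes, iterations: int, seed: int,
         expected: Tuple[Type[BaseException], ...] = (ValueError,)) -> List[CrashRecord]:
    """Run `iterations` mutations of `sample` against `target`. Graceful rejections
    (`expected`) are not crashes; any other exception is recorded with its input."""
    rng = random.Random(seed)            # seeded, so the whole run can be replayed
    crashes = []
    for i in range(iterations):
        mutator = rng.choice(MUTATORS)
        data = mutator(sample, rng)
        try:
            target(data)
        except expected:
            continue
        except Exception as exc:         # monitor: the target did not handle this input
            crashes.append(CrashRecord(i, mutator.__name__, data, type(exc).__name__))
    return crashes

def reproduce(target: Callable[[bytes], object], record: CrashRecord) -> bool:
    """Replay one recorded input and confirm the same exception type comes back."""
    try:
        target(record.data)
    except Exception as exc:
        return type(exc).__name__ == record.exception
    return False

if __name__ == "__main__":
    found = fuzz(parse_record, SAMPLE, 500, seed=1)
    print(f"{len(found)} crashes; first: {found[0] if found else None}")
    print("crashes against the fixed parser:", len(fuzz(parse_record_fixed, SAMPLE, 500, seed=1)))
```

Because the RNG is seeded, a crash record is enough to reproduce the finding without keeping all 500 inputs; that is the "history of generated input" the summary slide asks for.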

Page 11: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

MUTATION IN PRACTICE

Page 12: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

LET’S FUZZ - DUMB FUZZING (1)

Testing robustness of Android AV to APK bombs

Target: Android AV winner at av-test.org (July 2016)

Page 13: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

CREATING SAMPLE DATA

• Create fuzzed data from sample:

$> radamsa -o fuzz_sample_%n.apk -n 3000 com.appsec.appuse.apk

• Move fuzzed data to SD card

$> for i in {1..3000}; do adb push fuzz_sample_$i.apk /sdcard/Download; done

• Capture logs

$> adb logcat -v long > logs.txt

Page 14: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

DUMB FUZZING - V3 AV

Page 15: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

DUMB FUZZING - WHY NOT PERFECT?

IF (VERY_RARE_CONDITION) {
    // VULNERABLE CODE
} ELSE {
    …
}

Page 16: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

DUMB FUZZING - TCPDUMP

$> radamsa -o fuzz_sample_%n.pcap -n 3000 small_capture.pcap

$> for i in {1..3000}; do tcpdump -nr fuzz_sample_$i.pcap >> radamsa_pcap.logs; done
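The shell loop above only appends tcpdump's output to a log, so a crash is not tied to the sample that caused it and a hang stalls the whole loop. The runner below is an added example (not from the talk) that records the exit status of every run, treats death by signal as a crash and a timeout as a hang. The stand-in target script and the four-file corpus are constructed for the example; against a real build the command would be something like `["tcpdump", "-nr", "@@"]` over radamsa's output directory.

```python
"""Run a program over a directory of fuzzed samples and keep the outcome of every run."""
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Sequence

@dataclass
class RunResult:
    sample: str
    kind: str                 # "ok", "error", "crash" or "hang"
    returncode: Optional[int]

def run_sample(cmd_template: Sequence[str], sample: Path, timeout: float) -> RunResult:
    # "@@" marks where the sample path goes, the same convention afl-fuzz uses
    cmd = [str(sample) if arg == "@@" else arg for arg in cmd_template]
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return RunResult(sample.name, "hang", None)
    if proc.returncode < 0:             # POSIX: killed by a signal (SIGSEGV, SIGABRT, ...)
        kind = "crash"
    elif proc.returncode == 0:
        kind = "ok"
    else:
        kind = "error"                  # non-zero exit: the program rejected the input itself
    return RunResult(sample.name, kind, proc.returncode)

def run_corpus(cmd_template: Sequence[str], corpus_dir: Path, timeout: float = 5.0) -> List[RunResult]:
    """Run every file in corpus_dir; the result list is the history a bare shell loop loses."""
    return [run_sample(cmd_template, p, timeout)
            for p in sorted(Path(corpus_dir).iterdir()) if p.is_file()]

def interesting(results: List[RunResult]) -> List[RunResult]:
    """Crashes and hangs are the samples worth keeping for triage."""
    return [r for r in results if r.kind in ("crash", "hang")]

# ---- constructed stand-in for the program under test (tcpdump in the talk) ----
STAND_IN_TARGET = r"""
import os, sys, time
data = open(sys.argv[1], "rb").read()
if data.startswith(b"CRASH"):
    os.abort()            # dies with SIGABRT, as a real crash would
if data.startswith(b"HANG"):
    time.sleep(60)        # never finishes within the runner's timeout
if data.startswith(b"BAD"):
    sys.exit(1)           # graceful rejection of malformed input
"""

DEMO_CORPUS = {               # constructed samples; a real corpus comes from radamsa
    "fuzz_sample_1.pcap": b"ok data",
    "fuzz_sample_2.pcap": b"CRASH here",
    "fuzz_sample_3.pcap": b"HANG here",
    "fuzz_sample_4.pcap": b"BAD header",
}

def demo(timeout: float = 2.0) -> Dict[str, str]:
    """Write the stand-in target and corpus to a temp dir, run them, return sample -> kind."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "target.py"
        target.write_text(STAND_IN_TARGET)
        corpus = Path(tmp) / "corpus"
        corpus.mkdir()
        for name, content in DEMO_CORPUS.items():
            (corpus / name).write_bytes(content)
        results = run_corpus([sys.executable, str(target), "@@"], corpus, timeout)
        return {r.sample: r.kind for r in results}

if __name__ == "__main__":
    for sample, kind in demo().items():
        print(f"{sample}: {kind}")
```

The signal-versus-exit-code split is what separates a real finding from tcpdump simply refusing a malformed capture; without it, 3000 log lines of "truncated file" look the same as a segfault.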

Page 17: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

LET’S FUZZ - INSTRUMENTED FUZZING

• Generates samples, which cover subsets of all code paths

• Requires a dedicated compiler, which detects possible code paths

• Much more effective

Page 18: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

INSTRUMENTED FUZZING - PREPARATIONS

• Compile sources with afl-gcc/afl-clang

$> CC=/path_to_AFL/afl-gcc ./configure
$> make

• Prepare valid sample (the best if <100 KB)

• Create folders for input, output and (optionally) garbage

Page 19: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

INSTRUMENTED FUZZING IN PRACTICE

$> /path_to_AFL/afl-fuzz -i ./fuzz-input/ -o ./fuzz-output/ \
>   tcpdump-4.6.2/tcpdump -nr @@
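Why the instrumented run above finds what the dumb loop misses, shown in miniature as an added example (not from the talk and not AFL's code): a Python line tracer stands in for the instrumentation afl-gcc compiles in, and any input that reaches a new line is kept as a new seed. The `rare_condition` target is constructed to mirror the IF (VERY_RARE_CONDITION) slide: the bug sits behind three nested byte checks that blind mutation of a single seed essentially never passes, while coverage feedback climbs them one byte at a time.

```python
"""Coverage-guided fuzzing in miniature: instrumentation versus blind mutation."""
import random
import sys
from typing import Callable, Optional, Set, Tuple

def rare_condition(data: bytes) -> None:
    """Constructed target: each nested check is a branch only one specific byte unlocks."""
    if len(data) >= 3 and data[0] == ord("F"):
        if data[1] == ord("Z"):
            if data[2] == ord("!"):
                raise RuntimeError("reached the vulnerable branch")

class Coverage:
    """Records (function, line) pairs executed during one call; stands in for the
    edge map an AFL-instrumented binary writes to shared memory."""
    def __init__(self) -> None:
        self.lines: Set[Tuple[str, int]] = set()

    def _trace(self, frame, event, arg):
        if event == "line":
            self.lines.add((frame.f_code.co_name, frame.f_lineno))
        return self._trace

    def run(self, fn: Callable[[bytes], object], data: bytes):
        self.lines = set()
        sys.settrace(self._trace)
        try:
            fn(data)
            err = None
        except Exception as exc:
            err = exc
        finally:
            sys.settrace(None)
        return set(self.lines), err

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Change one or two bytes: set a random value or flip a single bit."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 2)):
        i = rng.randrange(len(buf))
        buf[i] = rng.randrange(256) if rng.random() < 0.5 else buf[i] ^ (1 << rng.randrange(8))
    return bytes(buf)

def dumb_fuzz(target, seed: bytes, budget: int, rng_seed: int = 0) -> Optional[bytes]:
    """Always mutate the original seed; no feedback about what the input reached."""
    rng = random.Random(rng_seed)
    for _ in range(budget):
        data = mutate(seed, rng)
        try:
            target(data)
        except Exception:
            return data
    return None

def coverage_guided_fuzz(target, seed: bytes, budget: int, rng_seed: int = 0):
    """Return (crashing input or None, iterations used, corpus size)."""
    rng = random.Random(rng_seed)
    cov = Coverage()
    corpus = [seed]
    seen, _ = cov.run(target, seed)
    for i in range(budget):
        # favour the newest seed, much as AFL favours recently discovered paths
        parent = corpus[-1] if rng.random() < 0.5 else rng.choice(corpus)
        child = mutate(parent, rng)
        lines, err = cov.run(target, child)
        if err is not None:
            return child, i + 1, len(corpus)
        if not lines <= seen:                 # a new line was reached: keep the input as a seed
            seen |= lines
            corpus.append(child)
    return None, budget, len(corpus)

if __name__ == "__main__":
    seed = b"\x00\x00\x00\x00"
    print("dumb:", dumb_fuzz(rare_condition, seed, 100_000))
    print("coverage-guided:", coverage_guided_fuzz(rare_condition, seed, 100_000))
```

The only difference between the two loops is the `seen` set: the guided fuzzer keeps an input that merely unlocked the first `if`, and every later mutation starts from there instead of from the original sample.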

Page 20: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

INSTRUMENTED FUZZING IN PRACTICE

Page 21: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

INSTRUMENTED FUZZING IN PRACTICE

Page 22: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

INSTRUMENTED FUZZING IN PRACTICE

Page 23: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

INSTRUMENTED FUZZING IN PRACTICE

Page 24: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

COOL STORY BRO, BUT MY PROGRAM ISN’T WRITTEN IN C…

• AFL is so good that the community has created many implementations of AFL supporting other languages/environments. Just check it out here:

https://github.com/mirrorer/afl/blob/master/docs/sister_projects.txt

• Still doesn’t suit your needs?

Then write your own fuzzer!

Page 25: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

HOW TO FUZZ NETWORK PROTOCOLS?

- Will it work???

$> while true; \
>   do cat /dev/urandom | nc -vv ftp.hq.nasa.gov 21; \
>   done

FAIL

Page 26: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

LIMITATIONS OF DUMB FUZZING (1)

• Non-compliant types

Page 27: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

LIMITATIONS OF DUMB FUZZING (2)

• Non-compliant fixups (checksum, length, etc.)

Page 28: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

LIMITATIONS OF DUMB FUZZING (3)

• Unsupported relationships

Page 29: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

LIMITATIONS OF DUMB FUZZING (4)

• Unsupported program states

Page 30: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

GENERATION BASED FUZZING - CREATING A MODEL

• Fuzzing frameworks like Peach or Sulley require modelling each portion of data

Page 31: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

• With DataModels, you can create different states

Page 32: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

• You can also define a monitor for the tested process

• Finally, put all defined parts in a Test
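What such a model buys you, as an added example (not from the talk and not Peach's or Sulley's code): a tiny Peach-style data model with typed fields, a length relationship and a CRC32 fixup, plus a state model that replays the valid messages a target needs before the fuzzed one. Together these address the four limitations of dumb fuzzing listed on the previous slides (types, fixups, relationships, program states). The message format (magic, cmd, length, payload, crc32) and the three-state protocol are constructed for the example.

```python
"""Generation-based ("smart") fuzzing in the Peach style: typed fields, fixups, states."""
import struct
import zlib
from dataclasses import dataclass, field
from typing import Callable, Iterator, List, Tuple

@dataclass
class Field:
    name: str
    kind: str            # "const", "number", "string" or "blob"
    value: bytes
    size: int = 0        # byte width of "number" fields

@dataclass
class Fixup:
    target: str                               # field recomputed after a mutation
    compute: Callable[["DataModel"], bytes]

@dataclass
class DataModel:
    fields: List[Field]
    fixups: List[Fixup] = field(default_factory=list)

    def get(self, name: str) -> Field:
        return next(f for f in self.fields if f.name == name)

    def serialize(self) -> bytes:
        return b"".join(f.value for f in self.fields)

    def copy(self) -> "DataModel":
        return DataModel([Field(f.name, f.kind, f.value, f.size) for f in self.fields], self.fixups)

    def apply_fixups(self, skip: str = "") -> None:
        for fix in self.fixups:                # the field under mutation is skipped so its
            if fix.target != skip:             # fuzzed value survives; everything else stays valid
                self.get(fix.target).value = fix.compute(self)

# relationship: length = size of payload; fixup: crc32 over cmd + length + payload
def length_of_payload(m: DataModel) -> bytes:
    return struct.pack(">H", len(m.get("payload").value) & 0xFFFF)

def crc32_of_body(m: DataModel) -> bytes:
    body = b"".join(f.value for f in m.fields if f.name not in ("magic", "crc"))
    return struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

def build_message(cmd: int, payload: bytes, kind: str = "string") -> DataModel:
    m = DataModel([Field("magic", "const", b"FZ"),
                   Field("cmd", "number", bytes([cmd]), 1),
                   Field("length", "number", b"\x00\x00", 2),
                   Field("payload", kind, payload),
                   Field("crc", "number", b"\x00\x00\x00\x00", 4)],
                  [Fixup("length", length_of_payload), Fixup("crc", crc32_of_body)])
    m.apply_fixups()
    return m

# type-aware mutators: numbers get boundary values, strings get long/odd text, blobs get
# raw damage, and a const is left alone because the target would simply drop the packet
def mutate_field(f: Field) -> List[bytes]:
    if f.kind == "number":
        edges = [0, 1, (1 << (8 * f.size)) - 1, 1 << (8 * f.size - 1)]
        return [v.to_bytes(f.size, "big") for v in edges]
    if f.kind == "string":
        return [b"A" * 1024, b"%s%n%x" * 8, b"\x00", b"\xff" * 64]
    if f.kind == "blob":
        return [bytes(b ^ 0xFF for b in f.value), f.value * 16, b""]
    return []

def generate_cases(model: DataModel) -> Iterator[Tuple[str, bytes]]:
    """One test case per (field, variant); all other fields are kept valid via fixups."""
    for f in model.fields:
        for variant in mutate_field(f):
            case = model.copy()
            case.get(f.name).value = variant
            case.apply_fixups(skip=f.name)
            yield f.name, case.serialize()

@dataclass
class State:
    name: str
    model: DataModel

class StateModel:
    """Ordered states: to fuzz state i, the valid messages of states 0..i-1 are sent first."""
    def __init__(self, states: List[State]) -> None:
        self.states = states

    def cases(self) -> Iterator[Tuple[str, str, List[bytes]]]:
        for i, st in enumerate(self.states):
            prefix = [s.model.serialize() for s in self.states[:i]]
            for fname, data in generate_cases(st.model):
                yield st.name, fname, prefix + [data]

PROTOCOL = StateModel([State("hello", build_message(0x01, b"client-1")),
                       State("login", build_message(0x02, b"user:pass")),
                       State("data", build_message(0x03, bytes(range(16)), kind="blob"))])

def is_consistent(data: bytes) -> bool:
    """Check a serialized message the way a strict parser would: magic, length, crc."""
    if len(data) < 9 or data[:2] != b"FZ":
        return False
    (length,) = struct.unpack(">H", data[3:5])
    if len(data) != 5 + length + 4:
        return False
    (crc,) = struct.unpack(">I", data[-4:])
    return crc == (zlib.crc32(data[2:-4]) & 0xFFFFFFFF)
```

Note the two ways a case can be "wrong on purpose": when the payload is fuzzed, the length and CRC are recomputed so the packet passes the parser's checks and the oversized data reaches the code behind them; when the length field itself is fuzzed, the CRC is still recomputed over the bogus length, so the packet is accepted and the length-handling code is what gets tested.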

Page 33: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

SMART FUZZING WITH PEACH

$> sudo mono Peach.exe --debug ./samples/ftp.xml

Page 34: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

SMART FUZZING WITH PEACH

Page 35: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

HOMEWORK

• Fuzz a “Vulnserver”. Download from: http://sites.google.com/site/lupingreycorner/vulnserver.zip

• Write a Peach model. Refer to this tutorial: http://resources.infosecinstitute.com/fuzzing-vulnserver-with-peach-part-2/

Page 36: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

FUZZING WEB APPLICATION

• Locate an input you want to fuzz

Page 37: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

• Intercept the request (e.g. Burp Suite/OWASP ZAP)

Page 38: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

• Define which parameter should be fuzzed

Page 39: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

• Select a dictionary with invalid input

More sample dictionaries: https://github.com/fuzzdb-project/fuzzdb

Page 40: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

• Find errors!
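The five steps above condensed into code, as an added example (not from the talk): the core of what Burp Intruder or the ZAP fuzzer do, with a six-entry wordlist standing in for a fuzzdb file. The HTTP transport is injected as a callable so the logic runs offline; `fake_app` is a constructed stand-in for the site under test, and in a real run `send` would wrap urllib or requests. The "find errors" step is the `classify` function: a response is interesting when it is a 5xx, carries a known error signature, or differs from the baseline in status or size.

```python
"""Dictionary-driven fuzzing of one request parameter."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]                                  # (status code, body)
Transport = Callable[[str, Dict[str, str]], Response]

# a handful of entries of the kind fuzzdb ships; a real run loads a whole dictionary file
MINI_DICTIONARY = ["'", '"', "%00", "-1", "A" * 4096, "../"]

ERROR_SIGNATURES = [r"SQL syntax", r"Traceback \(most recent call last\)",
                    r"Warning: .+ on line \d+", r"stack trace"]

@dataclass
class Finding:
    payload: str
    status: int
    length: int
    reason: str

def classify(status: int, body: str, base_status: int, base_len: int) -> str:
    """Why a response is interesting compared with the baseline; '' if it is not."""
    if status >= 500:
        return "server error"
    for sig in ERROR_SIGNATURES:
        if re.search(sig, body):
            return f"error signature: {sig}"
    if status != base_status:
        return f"status changed {base_status}->{status}"
    if abs(len(body) - base_len) > max(200, base_len // 2):
        return "response length anomaly"
    return ""

def fuzz_parameter(send: Transport, url: str, params: Dict[str, str],
                   target: str, wordlist: List[str]) -> List[Finding]:
    """Send the request unchanged once for a baseline, then once per dictionary entry
    with only `target` replaced, and keep the responses that differ."""
    base_status, base_body = send(url, params)
    findings = []
    for payload in wordlist:
        status, body = send(url, {**params, target: payload})
        reason = classify(status, body, base_status, len(base_body))
        if reason:
            findings.append(Finding(payload, status, len(body), reason))
    return findings

# ---- constructed stand-in for the web application under test ----
def fake_app(url: str, params: Dict[str, str]) -> Response:
    item_id = params.get("id", "")
    if len(item_id) > 1000:
        return 500, "Internal Server Error"                    # unhandled oversized input
    if "'" in item_id or '"' in item_id:
        return 500, "You have an error in your SQL syntax"    # backend error leaking out
    if not item_id.isdigit():
        return 400, "invalid id"                               # validated and rejected
    return 200, f"<html>item {item_id}</html>"

if __name__ == "__main__":
    hits = fuzz_parameter(fake_app, "http://target.example/item", {"id": "42"}, "id", MINI_DICTIONARY)
    for f in hits:
        print(f"{f.payload[:20]!r:>24} -> {f.status} ({f.reason})")
```

A 400 with a clean "invalid id" is the app doing its job; the 500s are the ones to hand to the developers, together with the exact payload that produced them.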

Page 41: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

ANALYSING THE CRASH

• Every crash can be treated as a pure DoS attack

• Not every crash can be exploited :(

• Depending on the OS, use different tools to analyse a crash:

- Microsoft !exploitable Crash Analyzer (Windows)

- CERT GDB exploitable plugin (Linux)

- Apple Crash Wrangler Monitor (OS X)

Page 42: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

WHAT’S NEXT? IMPLEMENT FUZZING IN SDLC

Page 43: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

FUZZING AND OTHER TESTING METHODS

• Fuzzing can find some types of bugs, but not all of them

• That means fuzzing should be treated as an ADDITIONAL method in your security tests

You still need static analysis, vulnerability assessment and penetration tests!!!

Page 44: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

SUMMARY

• A fuzzer should contain: an input generator, a history of generated input and a process monitor

• Fuzzing discovers bugs by providing invalid input

• There are 2 main types of fuzzers:

- generation based (requires a sample definition)

- mutation based (mutates a valid sample)

• Fuzzing should be a part of the SDLC process as an additional method of security tests

Page 45: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

QUESTIONS???

Page 46: [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs

THANK YOU!

Contact me: [email protected]