[Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs
Transcript of [Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs
FUZZING UNDERESTIMATED METHOD OF FINDING
HIDDEN BUGS
by Pawel Rzepa
AGENDA
• What fuzzing really is?
• Mutation based (dumb) fuzzing
• Instrumented fuzzing
• Generation based (smart) fuzzing
• Fuzzing in Software Development Life Cycle
• Fuzzing web application
WHAT FUZZING REALLY IS?
“FUZZING IS A METHOD FOR DISCOVERING FAULTS IN SOFTWARE BY PROVIDING UNEXPECTED INPUT AND MONITORING FOR EXCEPTIONS.”
— “Fuzzing: Brute Force Vulnerability Discovery”
IN OTHER WORDS…
A child noticed dad’s unwatched phone…
The child has found a chain of actions that crashes the phone.
HISTORY OF FUZZING
In 1988 professor Barton Miller from the University of Wisconsin observed that when he was logged in over a modem during a storm, line noise generated a lot of junk characters, and those characters caused programs to crash.
THE MOST BASIC FUZZER (RANDOM TESTING)
$> while true; \
> do [tested_program] `head -c 100 /dev/urandom`; \
> done
• in most cases such random input will be ignored
…but what is missing?
• information about what exactly causes a crash (how to reproduce it?)
• information about the program state (how do we know that an input caused any crash?)
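The two missing pieces, a history of generated input and a process monitor, are what turn the one-liner into a usable fuzzer. The following is an added example (not code from the talk): a random-testing loop in Python that records the seed of every input, so a crashing case can be regenerated, and classifies each run by the child's exit status. The target is a constructed toy program started via sys.executable that aborts (SIGABRT) when its stdin contains the byte 0xFF; it assumes a POSIX system, where a negative return code means the process was killed by a signal.

```python
import os
import random
import signal
import subprocess
import sys
import tempfile

# Constructed toy target (an assumption for this example): a Python one-liner
# started via sys.executable that reads stdin and calls os.abort(), dying
# with SIGABRT, whenever the input contains the byte 0xFF. Swap in the real
# [tested_program] command line to fuzz something else.
TOY_TARGET = [
    sys.executable, "-c",
    "import os, sys\n"
    "data = sys.stdin.buffer.read()\n"
    "if b'\\xff' in data:\n"
    "    os.abort()\n",
]


def random_input(seed: int, size: int = 100) -> bytes:
    """Deterministic stand-in for `head -c 100 /dev/urandom`: the seed is the
    history entry that lets a crashing case be regenerated later."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def run_target(cmd, data: bytes, timeout: float = 5.0) -> str:
    """Process monitor: classify one execution by how the child process ended."""
    try:
        proc = subprocess.run(cmd, input=data, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"
    if proc.returncode < 0:  # POSIX: a negative return code means killed by a signal
        return "crash:" + signal.Signals(-proc.returncode).name
    return "ok" if proc.returncode == 0 else "error"


def fuzz(cmd, iterations: int, out_dir: str = None, first_seed: int = 0) -> list:
    """Random testing loop that keeps what the one-liner throws away: each
    crashing or hanging input is written to disk with its seed and verdict."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="fuzz_cases_")
    findings = []
    for seed in range(first_seed, first_seed + iterations):
        data = random_input(seed)
        verdict = run_target(cmd, data)
        if verdict == "hang" or verdict.startswith("crash"):
            path = os.path.join(out_dir, f"case_{seed}.bin")
            with open(path, "wb") as fh:
                fh.write(data)
            findings.append((seed, verdict, path))
    return findings


if __name__ == "__main__":
    for seed, verdict, path in fuzz(TOY_TARGET, 50):
        print(f"seed={seed}: {verdict}, input saved to {path}")
```

A saved case plus its seed is the reproduction recipe; the timeout turns hangs into findings instead of stalling the loop.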
WHY IS IT WORTH FUZZING?
• High return on investment - machine time is cheap and human time is expensive
• The human’s role is just to customize a fuzzer to your needs and… profit!
WHAT CAN YOU FUZZ?
• Literally every piece of software which accepts user input
• All kinds of apps (mobile, desktop, web, etc.)
• OS -> https://vimeo.com/129701495
• Online games -> http://bit.ly/2e0w2YO
• Bluetooth -> http://bit.ly/2dQfPqM
• HDMI -> http://bit.ly/2e0ynmA
• Fonts -> http://bit.ly/293DKE0
• Virtualization systems -> http://bit.ly/2ernSfs
…and much more!
WHAT CAN FUZZERS FIND?
• Buffer overruns (remote code execution),
• Deadlocks, thread hangs, unhandled exceptions (denial-of-service),
• Memory leaks (Heartbleed)
“(…) yeah it sometimes happen. Just restart
and don’t give a f@%k about it.”
MUTATION / BRUTEFORCE / DUMB FUZZING
[Diagram: sample data → mutation (bitflipping, byteflipping, chunkspew, …) → fuzzed data → program input]
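The three operators named in the diagram are easy to write by hand. The block below is an added example (not the talk's code and not radamsa) of a minimal mutation-based fuzzer in Python: bit flipping, byte flipping and chunk spewing, combined by a seeded generator so each mutant is reproducible from its sequence number, the way `fuzz_sample_%n` names a radamsa output. The operator names and the `write_corpus` helper are this example's own.

```python
import random


def make_rng(seed: int) -> random.Random:
    """Seeded generator: the seed is the history that makes a mutant reproducible."""
    return random.Random(seed)


def bit_flip(data: bytes, rng: random.Random) -> bytes:
    """Flip exactly one randomly chosen bit (data must be non-empty)."""
    out = bytearray(data)
    out[rng.randrange(len(out))] ^= 1 << rng.randrange(8)
    return bytes(out)


def byte_flip(data: bytes, rng: random.Random) -> bytes:
    """Overwrite one randomly chosen byte with a different random value."""
    out = bytearray(data)
    i = rng.randrange(len(out))
    new = rng.randrange(256)
    while new == out[i]:
        new = rng.randrange(256)
    out[i] = new
    return bytes(out)


def chunk_spew(data: bytes, rng: random.Random) -> bytes:
    """Copy a random chunk and insert it (repeated) at a random offset; this
    stresses length fields and buffer handling."""
    start = rng.randrange(len(data))
    end = rng.randrange(start + 1, len(data) + 1)
    chunk = data[start:end]
    at = rng.randrange(len(data) + 1)
    return data[:at] + chunk * rng.randrange(1, 5) + data[at:]


OPERATORS = (bit_flip, byte_flip, chunk_spew)


def mutate(sample: bytes, seed: int, rounds: int = 3) -> bytes:
    """Apply `rounds` randomly chosen operators to the sample; the same seed
    always yields the same mutant."""
    rng = make_rng(seed)
    data = sample
    for _ in range(rounds):
        data = rng.choice(OPERATORS)(data, rng)
    return data


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def write_corpus(sample: bytes, count: int, pattern: str = "fuzz_sample_%n.bin") -> list:
    """Write `count` mutants to disk, in the spirit of
    `radamsa -o fuzz_sample_%n.apk -n 3000 sample.apk`, using the sequence
    number as the seed so any file can be regenerated."""
    paths = []
    for n in range(1, count + 1):
        path = pattern.replace("%n", str(n))
        with open(path, "wb") as fh:
            fh.write(mutate(sample, seed=n))
        paths.append(path)
    return paths
```

Because the mutant depends only on the sample and the seed, the corpus does not need to be kept; a crash report needs just the seed to rebuild the exact input.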
MUTATION IN PRACTICE
LET’S FUZZ - DUMB FUZZING (1)
Testing robustness of Android AV to APK bombs
Target: Android AV winner at av-test.org (July 2016)
CREATING SAMPLE DATA
• Create fuzzed data from sample:
$> radamsa -o fuzz_sample_%n.apk -n 3000 com.appsec.appuse.apk
• Move fuzzed data to SD card
$> for i in {1..3000}; do adb push fuzz_sample_$i.apk /sdcard/Download; done
• Capture logs
$> adb logcat -v long > logs.txt
DUMB FUZZING - V3 AV
DUMB FUZZING - WHY NOT PERFECT?
if (VERY_RARE_CONDITION) {
    // vulnerable code
} else {
    …
}
DUMB FUZZING - TCPDUMP
$> radamsa -o fuzz_sample_%n.pcap -n 3000 small_capture.pcap
$> for i in {1..3000}; do tcpdump -nr fuzz_sample_$i.pcap >> radamsa_pcap.logs; done
LET’S FUZZ - INSTRUMENTED FUZZING
• Generates samples which cover subsets of all code paths
• Requires a dedicated compiler, which instruments the code so the fuzzer can see which code paths an input reaches
• Much more effective
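Why does instrumentation make the difference for the VERY_RARE_CONDITION slide? The following added example (not the talk's code and not AFL itself) shows the principle in Python: a constructed toy target with hand-inserted `cov.add()` calls standing in for the edge instrumentation afl-gcc/afl-clang compile in, a dumb loop that gets no feedback, and a coverage-guided loop that keeps every input reaching a new edge and mutates from the deepest one. The rare branch sits behind a four-byte magic prefix plus one more byte; the target, the edge names and the scheduler are this example's assumptions.

```python
import random


def target(data: bytes, cov: set) -> None:
    """Constructed toy target. The cov.add() calls stand in for the edge
    instrumentation that afl-gcc/afl-clang compile into every branch."""
    cov.add("entry")
    if len(data) >= 5 and data[0] == ord("F"):
        cov.add("F")
        if data[1] == ord("U"):
            cov.add("FU")
            if data[2] == ord("Z"):
                cov.add("FUZ")
                if data[3] == ord("Z"):
                    cov.add("FUZZ")
                    if data[4] == 0xFF:  # the VERY_RARE_CONDITION
                        cov.add("rare")
                        raise RuntimeError("simulated crash in the rare branch")


def run(data: bytes):
    """Execute the target once; return (edges reached, crashed?)."""
    cov = set()
    try:
        target(data, cov)
        return frozenset(cov), False
    except RuntimeError:
        return frozenset(cov), True


def flip_byte(data: bytes, rng: random.Random) -> bytes:
    out = bytearray(data)
    out[rng.randrange(len(out))] = rng.randrange(256)
    return bytes(out)


def dumb_fuzz(length: int, budget: int, seed: int = 1):
    """Random testing with no feedback: every attempt is independent, so the
    chance of hitting five specific bytes is 256**-5 per try."""
    rng = random.Random(seed)
    for i in range(1, budget + 1):
        data = bytes(rng.getrandbits(8) for _ in range(length))
        if run(data)[1]:
            return data, i
    return None, budget


def guided_fuzz(seed_input: bytes, budget: int, seed: int = 1):
    """Coverage-guided loop in the AFL style: an input that reaches a new edge
    joins the corpus, and the deepest corpus entry is the parent of the next
    mutation. Returns (crashing input or None, iterations used, edges seen)."""
    rng = random.Random(seed)
    cov0, _ = run(seed_input)
    corpus = {cov0: seed_input}  # distinct coverage -> first input that reached it
    seen = set(cov0)
    for i in range(1, budget + 1):
        parent = max(corpus.items(), key=lambda kv: len(kv[0]))[1]
        child = flip_byte(parent, rng)
        cov, crashed = run(child)
        if crashed:
            return child, i, len(seen | cov)
        if not cov <= seen:  # new edge: keep the input, it is one step deeper
            seen |= cov
            corpus[cov] = child
    return None, budget, len(seen)


if __name__ == "__main__":
    print("dumb   :", dumb_fuzz(6, 200_000))
    print("guided :", guided_fuzz(b"\x00" * 6, 200_000))
```

Each magic byte is found independently once the previous one is in the corpus, so the guided loop needs on the order of thousands of executions, while the dumb loop would need on the order of 10^12.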
INSTRUMENTED FUZZING - PREPARATIONS
• Compile sources with afl-gcc/afl-clang
$> CC=/path_to_AFL/afl-gcc ./configure
$> make
• Prepare valid sample (the best if <100 KB)
• Create folders for input, output and (optionally) garbage
INSTRUMENTED FUZZING IN PRACTICE
$> /path_to_AFL/afl-fuzz -i ./fuzz-input/ -o ./fuzz-output/ \
> tcpdump-4.6.2/tcpdump -nr @@
COOL STORY BRO, BUT MY PROGRAM ISN’T WRITTEN IN C…
• AFL is so good that the community has created many implementations of AFL supporting other languages/environments. Just check it out here:
https://github.com/mirrorer/afl/blob/master/docs/sister_projects.txt
• Still doesn’t suit your needs?
Then write your own fuzzer!
HOW TO FUZZ NETWORK PROTOCOLS?
- Will it work???
$> while true; \
> do cat /dev/urandom | nc -vv ftp.hq.nasa.gov 21; \
> done
FAIL
LIMITATIONS OF DUMB FUZZING (1)
• Not compliant types
LIMITATIONS OF DUMB FUZZING (2)
• Not compliant fixups (checksum, length etc.)
LIMITATIONS OF DUMB FUZZING (3)
• Not supported relationships
LIMITATIONS OF DUMB FUZZING (4)
• Not supported program states
GENERATION BASED FUZZING - CREATING A MODEL
• Fuzzing frameworks like Peach or Sulley require modelling each portion of data
• With DataModels, you can create different states
• You can also define a monitor for tested process
• Finally, put all defined parts in a Test
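The four limitations above are exactly what a data model fixes. The block below is an added example (not the talk's Peach model, and not a real protocol) in Python: a constructed frame format with a length relationship and a checksum fixup, a strict parser, a dumb byte-overwriting mutator that almost always fails validation, a model-aware mutator that rebuilds the relationship and fixup after mutating a typed field, and a tiny state machine showing why a message of type 3 is only handled after types 1 and 2 were replayed. The wire format, field names and `Handler` are this example's assumptions.

```python
import random
import struct

# Constructed wire format (an assumption for this example, not a real protocol):
#   length (u16 big-endian) | type (u8) | payload | checksum (u8, XOR of every byte before it)
# "length" is a relationship with the payload; "checksum" is a fixup.


def xor_checksum(buf: bytes) -> int:
    c = 0
    for b in buf:
        c ^= b
    return c


def build(msg_type: int, payload: bytes) -> bytes:
    """Generator: emit a frame whose relationship and fixup are recomputed."""
    head = struct.pack(">HB", len(payload), msg_type) + payload
    return head + bytes([xor_checksum(head)])


class Rejected(Exception):
    pass


def parse(frame: bytes):
    """Strict parser: anything inconsistent is dropped before real handling."""
    if len(frame) < 4:
        raise Rejected("too short")
    length, msg_type = struct.unpack(">HB", frame[:3])
    if len(frame) != 3 + length + 1:
        raise Rejected("length mismatch")
    if frame[-1] != xor_checksum(frame[:-1]):
        raise Rejected("checksum mismatch")
    return msg_type, frame[3:-1]


def dumb_mutate(frame: bytes, rng: random.Random) -> bytes:
    """Mutation-based: overwrite one random byte, unaware of what the fields mean."""
    out = bytearray(frame)
    out[rng.randrange(len(out))] = rng.randrange(256)
    return bytes(out)


def smart_mutate(msg_type: int, payload: bytes, rng: random.Random) -> bytes:
    """Generation-based: mutate a modelled field, then rebuild the frame so the
    relationship and the fixup stay consistent and it reaches the handler."""
    pick = rng.randrange(3)
    if pick == 0:  # type field: every value, not only the documented ones
        msg_type = rng.randrange(256)
    elif pick == 1:  # payload: overlong string
        payload += bytes([rng.randrange(256)]) * rng.randrange(1, 2000)
    else:  # payload: boundary bytes for integer-like fields
        payload = bytes(rng.choice((0x00, 0x7F, 0x80, 0xFF)) for _ in range(len(payload)))
    return build(msg_type, payload)


def accepted(frames) -> int:
    n = 0
    for f in frames:
        try:
            parse(f)
            n += 1
        except Rejected:
            pass
    return n


def compare(n: int = 200, seed: int = 7):
    """How many of n dumb vs n modelled mutants get past the parser at all."""
    rng = random.Random(seed)
    base_type, base_payload = 1, b"USER anonymous"
    base = build(base_type, base_payload)
    dumb = accepted(dumb_mutate(base, rng) for _ in range(n))
    smart = accepted(smart_mutate(base_type, base_payload, rng) for _ in range(n))
    return dumb, smart


class Handler:
    """Constructed stateful target: type 3 is processed only after 1 and then 2."""

    def __init__(self):
        self.state = 0

    def feed(self, frame: bytes) -> int:
        msg_type, _payload = parse(frame)
        if msg_type == self.state + 1:
            self.state = msg_type
        return self.state


def reach(frames) -> int:
    """Replay a sequence from the state model and report the state reached."""
    h = Handler()
    for f in frames:
        h.feed(f)
    return h.state
```

Only the dumb mutants that happen to hit the one unchecked byte (the type) survive the parser; every modelled mutant does, so the fuzzing effort lands in the code that actually processes the message.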
SMART FUZZING WITH PEACH
$> sudo mono Peach.exe —debug ./samples/ftp.xml
SMART FUZZING WITH PEACH
HOMEWORK
• Fuzz a “Vulnserver”. Download from: http://sites.google.com/site/lupingreycorner/vulnserver.zip
• Write a Peach model. Refer to this tutorial: http://resources.infosecinstitute.com/fuzzing-vulnserver-with-peach-part-2/
FUZZING WEB APPLICATION
• Locate an input you want to fuzz
• Intercept request (e.g. Burp Suite/OWASP Zap)
• Define which parameter should be fuzzed
• Select a dictionary with invalid input
More sample dictionaries: https://github.com/fuzzdb-project/fuzzdb
• Find errors!
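The same steps, scripted. This is an added example (not the talk's material, not Burp or ZAP) in Python: the captured query string is the intercepted request, one parameter is marked for fuzzing, each dictionary entry is substituted in, and the response is flagged when it carries a 5xx status or a typical error marker. The dictionary, the marker list and the `stub_app` responder are constructed for this example; in practice `send` would be a function that issues the real HTTP request to the application under test.

```python
import urllib.parse

# Constructed mini dictionary (an assumption; fuzzdb ships far larger lists)
DICTIONARY = ["'", '"', "../../etc/passwd", "<script>alert(1)</script>",
              "A" * 2000, "%00", "-1"]
# Strings that usually mean an unhandled error leaked into the response
ERROR_MARKERS = ("syntax error", "Traceback", "Warning:", "ORA-", "Exception")


def fuzz_parameter(query: str, param: str, dictionary, send) -> list:
    """Intruder-style loop: replace `param` in a captured query string with
    each dictionary entry, send it through `send(query) -> (status, body)`,
    and return the (payload, status) pairs that produced an error."""
    findings = []
    base = urllib.parse.parse_qs(query, keep_blank_values=True)
    for payload in dictionary:
        fields = dict(base)
        fields[param] = [payload]  # every other parameter keeps its captured value
        fuzzed = urllib.parse.urlencode(fields, doseq=True)
        status, body = send(fuzzed)
        if status >= 500 or any(marker in body for marker in ERROR_MARKERS):
            findings.append((payload, status))
    return findings


def stub_app(query: str):
    """Constructed stand-in for the application under test (not a real server):
    it mishandles a quote in `q` and rejects over-long values with a 500."""
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    q = params.get("q", [""])[0]
    if "'" in q:
        return 500, "Database error: syntax error near '''"
    if len(q) > 1024:
        return 500, "Internal Server Error"
    return 200, "<html>0 results for %s</html>" % q


if __name__ == "__main__":
    for payload, status in fuzz_parameter("q=shoes&page=1", "q", DICTIONARY, stub_app):
        print(status, repr(payload[:40]))
```

Flagging on both status code and body markers matters: an application that answers 200 with a stack trace in the page is as much of a finding as one that answers 500.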
ANALYSING THE CRASH
• Every crash can be treated as a pure DoS attack
• Not every crash can be exploited :(
• Depending on OS, use different tools to analyse a crash:
- Microsoft !exploitable Crash Analyser (Windows)
- CERT GDB exploitable plugin (Linux)
- Apple Crash Wrangler Monitor (OSX)
WHAT’S NEXT? IMPLEMENT FUZZING IN SDLC
FUZZING AND OTHER TESTING METHODS
• Fuzzing can find some types of bugs, but not all of them
• That means fuzzing should be treated as an ADDITIONAL method in your security tests
You still need static analysis, vulnerability assessment and
penetration tests!!!
SUMMARY
• A fuzzer should contain: an input generator, a history of generated input and a process monitor
• Fuzzing discovers bugs by providing invalid input
• There are 2 main types of fuzzers:
- generation based (requires sample definition)
- mutation based (mutates a valid sample)
• Fuzzing should be a part of the SDLC process as an additional method of security tests
QUESTIONS???
THANK YOU!
Contact me: [email protected]