Fuzzing Your Favorite Interpreter EMMANUEL LAW AURA INFORMATION SECURITY © / PRIVATE AND CONFIDENTIAL

Slide deck transcript (34 slides), posted 16-Mar-2018

Page 1: Fuzzing Your Favorite Interpreter - research.aurainfosec.ioresearch.aurainfosec.io/assets/ChCon_HitchHiker_Guide_Fuzzing... · • Choronzon • zzuf • So many many more.. Different

Fuzzing Your Favorite Interpreter
EMMANUEL LAW

Page 2:

Background

• Principal Security Consultant @ Aura InfoSec
• Pentesting for a living
• @libnex
• Found some PHP bugs…

Page 3:

Bugs / bug bounty

Page 4:

Fuzzing Interpreters

Build From Scratch / Off-The-Shelf

Page 5:

Writing a Custom Fuzzer from Scratch

Pros
• Custom strategies
• Find unique bugs

Cons
• Time + effort
• Portability to other languages

Page 6:

Off The Shelf

Pros
• Speed
• Power of the open source community

Cons
• Less customization
• Competition.... lots of other people are pointing the same tools at the same targets

Page 7:

Fuzzing Interpreters

Build From Scratch VS Off-The-Shelf

Page 8:

Attack Plan → Fuzzing → Triage → RCA (Root Cause Analysis)

Page 9:

Battle Plan

Page 10:

What are we fuzzing?

• Attack surface area:
  • Parser
  • Runtime
  • Unserialize
  • File parsers
  • Zend Engine

Page 11:

Battle Plan: Attacking File Parsers

• Examples: Zip, Images, Phar, PYZ
• Take the road less travelled
• Patch out checksum verification (otherwise almost every mutated file is rejected before it reaches the parser you actually want to exercise)

ZIP Processor → Validate Checksum → Process ZIP
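The slide's approach patches the "Validate Checksum" step out of the target so that mutated archives reach "Process ZIP" instead of being rejected. When you would rather not modify the target (or only have a binary build), the complementary approach is to repair the checksums in the mutated input before feeding it in. The Python below is an added example, not code from the talk or from any interpreter: after a mutation it recomputes each entry's CRC-32 and writes it back into both the local file header and the central directory of a ZIP. The archive it mutates is constructed in the block, zipfile's own CRC check stands in for the target's validation step, only stored and deflated entries are handled, and the helper names (repair_crcs, entry_data_span, mutate_and_repair) are this example's own.

```python
import io
import struct
import zipfile
import zlib

# Signatures and fixed header sizes from the ZIP specification (APPNOTE).
LOCAL_SIG = b"PK\x03\x04"      # local file header: 30 bytes + name + extra
CENTRAL_SIG = b"PK\x01\x02"    # central directory entry: 46 bytes + name + extra + comment
EOCD_SIG = b"PK\x05\x06"       # end of central directory: 22 bytes + comment


def iter_central_directory(blob):
    """Yield (cd_entry_offset, local_header_offset, method, compressed_size) per entry."""
    eocd = blob.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, n_entries, _, cd_offset, _ = struct.unpack_from("<4s4HIIH", blob, eocd)
    pos = cd_offset
    for _ in range(n_entries):
        f = struct.unpack_from("<4s6H3I5H2I", blob, pos)
        if f[0] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at %d" % pos)
        method, csize = f[4], f[8]
        name_len, extra_len, comment_len, local_off = f[10], f[11], f[12], f[16]
        yield pos, local_off, method, csize
        pos += 46 + name_len + extra_len + comment_len


def entry_data_span(blob, index):
    """Return (start, size) of the stored/compressed bytes of the index-th entry."""
    for i, (_, local_off, _, csize) in enumerate(iter_central_directory(blob)):
        if i == index:
            hdr = struct.unpack_from("<4s5H3I2H", blob, local_off)
            return local_off + 30 + hdr[9] + hdr[10], csize
    raise IndexError(index)


def repair_crcs(blob):
    """Recompute every entry's CRC-32 over its (inflated) data and write it back into the
    local header and the central directory.  Returns (repaired_blob, entries_fixed)."""
    out = bytearray(blob)
    fixed = 0
    for cd_pos, local_off, method, csize in iter_central_directory(blob):
        hdr = struct.unpack_from("<4s5H3I2H", blob, local_off)
        if hdr[0] != LOCAL_SIG:
            raise ValueError("bad local header signature at %d" % local_off)
        start = local_off + 30 + hdr[9] + hdr[10]      # skip name and extra field
        raw = blob[start:start + csize]
        if method == 0:                                # stored
            payload = raw
        elif method == 8:                              # deflate: CRC covers inflated data
            try:
                payload = zlib.decompress(raw, -15)
            except zlib.error:
                continue                               # mutation broke the stream; leave it
        else:
            continue                                   # other methods: leave untouched
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        struct.pack_into("<I", out, local_off + 14, crc)   # CRC field of the local header
        struct.pack_into("<I", out, cd_pos + 16, crc)      # CRC field of the central entry
        fixed += 1
    return bytes(out), fixed


def build_sample_zip():
    """Constructed sample input: two stored entries and one deflated entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"hello world")
        zf.writestr("b.txt", b"0123456789")
        zf.writestr("c.txt", b"deflate me " * 8, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def first_bad_entry(blob):
    """zipfile's CRC validation: name of the first entry whose CRC mismatches, else None."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.testzip()


def read_entry(blob, name):
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name)


def mutate_and_repair():
    """Flip one byte inside a.txt (a fuzzer-style mutation), then repair the checksums."""
    original = build_sample_zip()
    start, _ = entry_data_span(original, 0)
    mutated = bytearray(original)
    mutated[start] ^= 0xFF                             # 'h' (0x68) becomes 0x97
    mutated = bytes(mutated)
    before = first_bad_entry(mutated)                  # "a.txt": rejected by the CRC check
    repaired, fixed = repair_crcs(mutated)
    after = first_bad_entry(repaired)                  # None: mutated content now validates
    return before, after, fixed, repaired


if __name__ == "__main__":
    print(mutate_and_repair()[:3])
```

Repairing checksums keeps the target untouched, which matters when you later want to hand a reproducer to a vendor; patching the check out of the target is faster per execution because the fuzzer does not pay for the CRC on every input. Both leave the fuzzer free to spend its mutations on the parts of the format the parser actually interprets.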

Page 12:

Battle Plan: Fuzzing Corpus

Corpus file 12345678 → Mutator Fuzzer → 31625551

Page 13:

Battle Plan: Fuzzing Corpus

• More unique inputs => better chance of finding a crash
• Exercise as many code paths as possible
• Harness regression test cases:
  • Test edge cases
  • Don't forget test cases from sister projects

Page 14:

Fuzzing

Choosing a Fuzzer

Page 15:

Choosing a Fuzzer

• 101 fuzzers out there
• Things to consider:
  • Speed
  • Popularity
  • Ease of use
  • Constraints: is source code available?
  • Buzzwords: evolutionary fuzzing, in-memory fuzzing

Page 16:

Fuzzing: American Fuzzy Lop (AFL)

• Gold standard
• EVERYONE is using this :(
• Feedback driven

Page 17:

Feedback Driven/Evolutionary/Genetic Fuzzing

Each child keeps a parent mutation that reached new code and adds one more:

Seed: 12345678ABCD
  → 1X345678ABCD
      → 1X345678AZCD
      → 1X345670ABCD
      → 1X3456780BCD
      → 1X345678AB#D
  → 12345618ABCD
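As an added example (not the talk's code, and a stand-in for AFL rather than AFL itself), the loop below reproduces the idea of the last two slides in Python: a mutator rewrites bytes of a corpus file, and only mutants that execute new lines of the target are kept as parents for further mutation. Coverage comes from sys.settrace, which plays the role of AFL's compile-time instrumentation; parse_record is a constructed toy parser with a deliberate unchecked-count bug, and the seed input and the helper names (deterministic_stage, havoc, fuzz) are this example's own.

```python
import random
import sys

INTERESTING = (0, 1, 2, 3, 4, 0x7F, 0x80, 0xFF)   # values AFL tries deterministically


def parse_record(data):
    """Constructed toy target: b"FUZ" + version byte + count byte + payload, summing
    `count` payload bytes.  One deep path has a deliberate bug."""
    if len(data) < 4 or data[:3] != b"FUZ":
        return 0                       # bad magic
    version = data[3]
    if version != 1:
        return 1                       # unsupported version
    if len(data) < 6:
        return 2                       # truncated
    count = data[4]
    payload = data[5:]
    total = 0
    for i in range(count):             # BUG: count is never checked against len(payload)
        total += payload[i]            # IndexError once count > len(payload)
    return 3 + total


def run_with_coverage(target, data):
    """Run target(data) under sys.settrace, collecting the line numbers executed inside
    target.  Returns (covered_lines, crashed)."""
    code = target.__code__
    lines = set()

    def tracer(frame, event, arg):
        if frame.f_code is code:
            if event == "line":
                lines.add(frame.f_lineno)
            return tracer              # keep tracing this frame
        return None                    # ignore every other frame

    sys.settrace(tracer)
    try:
        target(data)
        crashed = False
    except Exception:
        crashed = True
    finally:
        sys.settrace(None)
    return frozenset(lines), crashed


def deterministic_stage(data):
    """Walk every byte and substitute each interesting value (cf. AFL's interest stage)."""
    for pos in range(len(data)):
        for value in INTERESTING:
            if data[pos] != value:
                yield data[:pos] + bytes([value]) + data[pos + 1:]


def havoc(data, rng):
    """Random stacked mutations: bit flip, byte overwrite, insert, delete."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 2:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif op == 3 and len(buf) > 1:
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seeds, max_execs=20000, havoc_rounds=200, rng_seed=1):
    """Evolutionary loop: an input joins the queue only if it reached code no earlier
    input did; queue entries are then mutated in turn.  Stops at the first crash."""
    rng = random.Random(rng_seed)
    queue, crashes = [], []
    global_cov = set()
    execs = 0

    def consider(data):
        nonlocal execs
        execs += 1
        cov, crashed = run_with_coverage(target, data)
        if crashed:
            crashes.append(data)
        if cov - global_cov:           # new coverage => becomes a parent for later rounds
            global_cov.update(cov)
            queue.append(data)

    for seed in seeds:
        consider(seed)
    idx = 0
    while idx < len(queue) and execs < max_execs and not crashes:
        parent = queue[idx]
        idx += 1
        for child in deterministic_stage(parent):
            consider(child)
            if crashes:
                break
        for _ in range(havoc_rounds):
            if crashes or execs >= max_execs:
                break
            consider(havoc(parent, rng))
    return {"queue": queue, "crashes": crashes, "execs": execs, "coverage": global_cov}


def reproduces(target, data):
    """True if the input still crashes the target with the tracer detached."""
    try:
        target(data)
    except Exception:
        return True
    return False
```

With the seed FUZ\x00\x00abcd the version check fails at first; the deterministic stage turns byte 3 into 1, that mutant reaches new lines and is queued, and a later mutation of the count byte in that child walks off the end of the payload. A blind mutator would have to hit both bytes in one go; the feedback loop gets there in two short steps, which is the whole point of the slide's tree.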

Page 18:

Radamsa

• General purpose fuzzer
• Language/data agnostic
• Semi-smart
• Extremely easy to use

Page 19:

Other Fuzzers

• honggfuzz
• Choronzon
• zzuf
• So many many more..

Different fuzzers will find different bugs

Page 20:

Fuzzing: Getting Better Mileage

• AddressSanitizer (aka ASAN):
  • Compile it into your interpreter (the -fsanitize=address flag in GCC and Clang)
  • Memory error detector: turns out-of-bounds reads and writes, use-after-free and similar errors into an immediate, reported abort instead of silent corruption that may never crash
  • Modest overhead (roughly a 2x slowdown), so it is cheap enough to leave on for the whole campaign

Page 21:

So you have found some crashes…..

Page 22:

Triage

• Purpose:
  • Grouping of similar crashes
  • Prioritize your crashes

Page 23:

Triage

• Comes free with AddressSanitizer:
  • Stack trace
  • Visual mem-map (the shadow-byte dump around the faulting address)
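Grouping by stack trace is the usual first triage step: two reports with the same error kind, the same access type and the same top frames are almost always the same bug, whatever the addresses and PIDs say. The Python below is an added example (not from the talk) that parses ASAN reports, buckets them on those fields and orders the buckets with a simple severity heuristic of its own; the four reports, their function names, paths and addresses are constructed for the example and refer to no real code base.

```python
import hashlib
import re

# Constructed sample reports; pids, addresses, functions and paths are made up.
REPORTS = {
    "crash-001": """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000118 at pc 0x0000004a8f2c bp 0x7ffd1a2b3c40 sp 0x7ffd1a2b3c38
READ of size 4 at 0x602000000118 thread T0
    #0 0x4a8f2b in parse_local_header /src/zip.c:142:9
    #1 0x4a9123 in process_archive /src/zip.c:201:5
    #2 0x401234 in main /src/main.c:40:3
    #3 0x7f3c2b021b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
""",
    "crash-002": """\
==4311==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e3f0 at pc 0x0000004a8f2c bp 0x7ffe9c0d1e00 sp 0x7ffe9c0d1df8
READ of size 4 at 0x60200000e3f0 thread T0
    #0 0x4a8f2b in parse_local_header /src/zip.c:142:9
    #1 0x4a9123 in process_archive /src/zip.c:201:5
    #2 0x401234 in main /src/main.c:40:3
""",
    "crash-003": """\
==4390==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000040 at pc 0x00000045c1d0 bp 0x7ffd44a1b2c0 sp 0x7ffd44a1b2b8
WRITE of size 8 at 0x603000000040 thread T0
    #0 0x45c1cf in entry_free /src/phar.c:88:13
    #1 0x45d0a2 in parse_manifest /src/phar.c:530:7
    #2 0x401234 in main /src/main.c:40:3
""",
    "crash-004": """\
==4401==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000047aa10 bp 0x7ffc0a1c5e40 sp 0x7ffc0a1c5e30 T0)
==4401==The signal is caused by a READ memory access.
==4401==Hint: address points to the zero page.
    #0 0x47aa0f in lookup_symbol /src/hash.c:610:16
    #1 0x4a9123 in process_archive /src/zip.c:215:11
    #2 0x401234 in main /src/main.c:40:3
""",
}

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: ([A-Za-z-]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
SIGNAL_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(.*)$", re.M)
NOISE = ("__libc_start_main", "__interceptor_", "__asan_", "_start")

# Heuristic ranking chosen for this example; ASAN itself does not rate severity.
SEVERITY = {"heap-use-after-free": 3, "heap-buffer-overflow": 3,
            "stack-buffer-overflow": 3, "global-buffer-overflow": 3,
            "double-free": 2, "stack-use-after-return": 2, "SEGV": 1}


def parse_report(text):
    """Extract error kind, access type and a cleaned (function, file:line) frame list."""
    m = ERROR_RE.search(text)
    if not m:
        raise ValueError("not an ASAN report")
    access = ACCESS_RE.search(text) or SIGNAL_RE.search(text)
    frames = []
    for _, func, loc in FRAME_RE.findall(text):
        if func.startswith(NOISE):                 # drop runtime/libc scaffolding
            continue
        loc_m = re.match(r"(\S+?):(\d+)", loc)    # keep file:line, drop the column
        frames.append((func, "%s:%s" % loc_m.groups() if loc_m else ""))
    return {"kind": m.group(1), "access": access.group(1) if access else "UNKNOWN",
            "frames": frames}


def bucket_key(report, depth=3):
    """Stable id from kind, access and the top `depth` frames (addresses ignored)."""
    parts = [report["kind"], report["access"]] + ["%s@%s" % f for f in report["frames"][:depth]]
    return hashlib.sha1("|".join(parts).encode()).hexdigest()[:12]


def triage(reports, depth=3):
    """Group reports into buckets and return them most severe first."""
    buckets = {}
    for name, text in reports.items():
        rep = parse_report(text)
        b = buckets.setdefault(bucket_key(rep, depth), {
            "kind": rep["kind"], "access": rep["access"],
            "top": rep["frames"][:depth], "members": []})
        b["members"].append(name)

    def score(b):
        return SEVERITY.get(b["kind"], 1) * 2 + (1 if b["access"] == "WRITE" else 0)

    return sorted(buckets.values(), key=lambda b: (-score(b), b["top"]))


if __name__ == "__main__":
    for b in triage(REPORTS):
        print(b["kind"], b["access"], b["top"][0], b["members"])
```

Three frames is a reasonable default depth: one frame merges unrelated callers of a shared helper, while the full stack splits one bug into many buckets whenever the interpreter reaches it through different script paths. Whatever depth you pick, keep one reproducer per bucket and spend root-cause time on the WRITE and use-after-free buckets first.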

Page 24:

Triage: Exploitability

• !exploitable (Microsoft's WinDbg crash-analysis extension; the CERT "exploitable" GDB plugin gives the same kind of verdict on Linux)

Page 25:

Triage: Test case minimization

• fuzzdiff, afl-tmin etc.
• Find the minimal set of changes that causes the crash

Original file:  12345678ABCD
Mutated file:   1X3XXX78AXCX
Minimization →
Minimized file: 12345X78ABCX
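The slide's minimization is a delta-debugging problem: of the six positions the mutator changed, find the smallest subset that still triggers the crash. The Python below is an added example (not from the talk, and not how fuzzdiff or afl-tmin are implemented): it runs Zeller's ddmin over the changed positions with a crash oracle supplied by the caller. The oracle slide_crash is a constructed stand-in for the real target that "crashes" only on the two changes the slide's minimized file keeps; make_subprocess_oracle shows the shape of a real oracle, with argv assumed to be whatever you would run by hand. Like the slide, the minimizer assumes the mutant has the same length as the original.

```python
import subprocess


def changed_positions(original, mutated):
    """Indices at which the mutant differs from the original (same length assumed)."""
    if len(original) != len(mutated):
        raise ValueError("this minimizer assumes a same-length mutation (no insert/delete)")
    return [i for i in range(len(original)) if original[i] != mutated[i]]


def apply_changes(original, mutated, positions):
    """Build an input that takes the mutated byte only at the given positions."""
    buf = bytearray(original)
    for p in positions:
        buf[p] = mutated[p]
    return bytes(buf)


def split(seq, n):
    """Cut seq into n near-equal, non-empty chunks."""
    k, r = divmod(len(seq), n)
    out, start = [], 0
    for i in range(n):
        end = start + k + (1 if i < r else 0)
        if end > start:
            out.append(seq[start:end])
        start = end
    return out


def ddmin(changes, still_crashes):
    """Zeller's delta debugging: returns a 1-minimal subset of `changes` for which
    still_crashes(subset) holds.  Tries subsets first, then their complements, and
    refines granularity only when neither helps."""
    n = 2
    while len(changes) >= 2:
        subsets = split(changes, n)
        progressed = False
        for s in subsets:                              # reduce to a subset
            if still_crashes(s):
                changes, n, progressed = s, 2, True
                break
        if not progressed:
            for s in subsets:                          # reduce to a complement
                comp = [c for c in changes if c not in s]
                if comp and still_crashes(comp):
                    changes, n, progressed = comp, max(n - 1, 2), True
                    break
        if not progressed:
            if n >= len(changes):
                break                                  # granularity exhausted: 1-minimal
            n = min(n * 2, len(changes))
    return changes


def minimize(original, mutated, crashes):
    """Return (minimized_input, kept_positions, oracle_evaluations)."""
    evals = [0]

    def still_crashes(subset):
        evals[0] += 1
        return crashes(apply_changes(original, mutated, subset))

    changes = changed_positions(original, mutated)
    if not still_crashes(changes):
        raise ValueError("the mutated input does not crash; nothing to minimize")
    kept = ddmin(changes, still_crashes)
    return apply_changes(original, mutated, kept), kept, evals[0]


def slide_crash(data):
    """Constructed oracle standing in for the real target: it 'crashes' only when both
    byte 5 and byte 11 carry the mutated 'X'."""
    return data[5:6] == b"X" and data[11:12] == b"X"


def make_subprocess_oracle(argv, signature=b"ERROR: AddressSanitizer"):
    """Oracle for a real ASAN-built target: feed the candidate on stdin and look for the
    sanitizer banner.  argv is assumed, e.g. the instrumented interpreter plus a script."""
    def crashes(data):
        proc = subprocess.run(argv, input=data, capture_output=True, timeout=10)
        return signature in proc.stderr
    return crashes


if __name__ == "__main__":
    print(minimize(b"12345678ABCD", b"1X3XXX78AXCX", slide_crash))
```

For a real target the oracle should check that the candidate lands in the same triage bucket (same error kind and top frames), not merely that it crashes; otherwise minimization can wander from the bug you started with to a different, usually shallower, one. Inserting and deleting mutations need an alignment step before the positions can be compared, which is why afl-tmin works on the input bytes directly rather than on a diff.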

Page 26:

Root Cause Analysis

Page 27:

Root Cause Analysis

• Trying to find the answers:
  • What is causing the crash?
  • Is it exploitable?
• Very tedious and time consuming
• Remember you are competing on speed..

Page 28:

Root Cause Analysis

• I spend a lot of time in GDB
• PEDA* is your friend

*Python Exploit Development Assistance

Page 29:

Registers / ASM / Stack (PEDA's context panes)

Page 30:

Root Cause Analysis

• Really? GDB?? pffft.. *scorn*

Voltron

Page 31:

The art of Reverse Debugging

Page 32:

Root Cause Analysis: Reverse Debugging

• Debugging tends to be very linear

Page 33:

Root Cause Analysis: Reverse Debugging

• The record command in GDB
• Provides:
  • reverse-step
  • reverse-next
  • reverse-continue
• Revert to a deterministic memory state: step backwards from the crash to the instruction that corrupted memory instead of re-running and guessing breakpoints

Page 34:

Let's Make Fuzzing Great Again

@libnex