protocol fuzzing: past, present, future - HITB 07 - Luiz Eduardo
Mu Security, Inc. | All Rights Reserved | Copyright © 2007
protocol fuzzing: past, present, future
luiz eduardo, senior systems & security engineer
leduardo (at) musecurity.com
Hack in the Box 07 - Kuala Lumpur
2 hack in the box 07 - kuala lumpur
agenda
• history of fuzzing
• protocol fuzzing
• fuzzable or not?
• non-sense fuzzing
• session-based fuzzing / stateful-based fuzzing
• tools | techniques
• challenges
• getting creative
• packet fun
• predictions
• resources
fuzzing history
• “born” @ the university of wisconsin-madison in 1989 by professor barton miller and his crew
• why?
• buzz word in the past few years
• sorta “hope” to find 0-days
• not just an http thing
• file format fuzzing
• application fuzzing
• and…
(possible definition) / terms / keywords / etc
• malformed / semi-malformed / invalid input
• random
• target
• exception-handling
• mutations
• instrumentation
• art / creativity
• agents
• negative-testing

changed the mentality of: “but… that packet doesn’t follow the rfc spec”
or “hmmm… but… people are not supposed to send these packets”
(con)fuzzable or not?
“mainstreaming” fuzzing
• numerous bugs found in the past few years
• some of them make the news
• others probably not …
• growth in the number of specific tools
corporate fuzzing
• again, nothing new… but if you don’t fuzz, someone else will
• fuzzing became a “common practice” (regardless of whether it’s done correctly or not)
• delivering products / services with only “basic” testing is no longer acceptable
so… protocol fuzzing
• protocol abuse
• test robustness of the target
• from instability to crashes (or to remote code execution)
• if it’s already hard for one to follow the rfc spec, how about the “anything but…”?
ohhh… fuzzers are not VA (vulnerability assessment) scanners!
what to break in a protocol?
• structure
• state
• semantics

anomaly types:
• Buffer Overflow
• Integer Overflow
• Invalid Message
• Format String
• Fragmented Field
• Invalid Header
• Null Character
• Wrong Encoding
• Invalid Index
• Invalid String
• Recursion
• Truncated
• Underflow
• Missing Field
• Mixed Case
• Out of Order
• Self-Reference
• Too Many Fields
• Invalid Offset
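As an added example (not from the slides, and not any Mu Security or SPIKE code): a block-based anomaly generator that applies most of the classes listed above to a structured message, one field at a time. The message is described as ordered blocks so the generator knows where field boundaries are and can break the structure deliberately instead of flipping random bytes; this is the “database” technique from the techniques slide (known-bad values per class), as opposed to random. The block format, the field names and the SIP REGISTER request are assumptions made for this example; the request is constructed, not captured, and everything runs offline.

```python
"""Added example: block-based anomaly generator (not from the slides).

A message is a list of (name, kind, value) blocks. 'sep' blocks are fixed
delimiters, 'len' blocks are computed from the block they name, and every
other block is a fuzzable field. Each test case changes exactly one thing
against the baseline, so a fault maps back to one (anomaly class, field).
"""
from typing import Iterator, List, Tuple

Block = Tuple[str, str, bytes]  # (name, kind, value); kind: sep | str | num | len

# Constructed sample request (assumption for this example, not captured traffic).
SIP_REGISTER: List[Block] = [
    ("method", "str", b"REGISTER"), ("sp", "sep", b" "),
    ("uri", "str", b"sip:registrar.example.invalid"), ("sp", "sep", b" "),
    ("version", "str", b"SIP/2.0"), ("crlf", "sep", b"\r\n"),
    ("via", "str", b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-77"), ("crlf", "sep", b"\r\n"),
    ("from", "str", b"From: <sip:alice@example.invalid>;tag=1928"), ("crlf", "sep", b"\r\n"),
    ("to", "str", b"To: <sip:alice@example.invalid>"), ("crlf", "sep", b"\r\n"),
    ("callid", "str", b"Call-ID: 7f3c@192.0.2.10"), ("crlf", "sep", b"\r\n"),
    ("cseq_lbl", "sep", b"CSeq: "), ("cseq", "num", b"1"), ("cseq_end", "sep", b" REGISTER\r\n"),
    ("exp_lbl", "sep", b"Expires: "), ("expires", "num", b"3600"), ("crlf", "sep", b"\r\n"),
    ("clen_lbl", "sep", b"Content-Length: "), ("clen", "len", b"body"), ("hdr_end", "sep", b"\r\n\r\n"),
    ("body", "str", b"v=0\r\n"),
]

# "database" technique: known-bad values per anomaly class
LONG_STRINGS = [b"A" * n for n in (256, 4096, 65536)]           # buffer overflow
INT_EDGES = [b"-1", b"0", b"255", b"256", b"65535", b"65536",   # integer over/underflow,
             b"2147483647", b"2147483648", b"4294967295",       # invalid offset/length
             b"4294967296", b"-2147483648"]
FORMAT_STRINGS = [b"%s" * 8, b"%n" * 8, b"%x" * 16]             # format string


def render(blocks: List[Block]) -> bytes:
    """Serialise blocks; a 'len' block becomes the byte length of the block it names."""
    values = {name: val for name, kind, val in blocks if kind != "len"}
    out = bytearray()
    for _name, kind, val in blocks:
        out += str(len(values.get(val.decode(), b""))).encode() if kind == "len" else val
    return bytes(out)


def _set(blocks: List[Block], i: int, val: bytes) -> List[Block]:
    """Copy of blocks with block i replaced by a fixed literal (no recomputation)."""
    name = blocks[i][0]
    return blocks[:i] + [(name, "str", val)] + blocks[i + 1:]


def mutants(blocks: List[Block]) -> Iterator[Tuple[str, str, bytes]]:
    """Yield (anomaly_class, field_name, wire_bytes), one anomaly per test case."""
    fuzzable = [i for i, (_, kind, _) in enumerate(blocks) if kind != "sep"]
    for pos, i in enumerate(fuzzable):
        name, kind, val = blocks[i]
        if kind == "str":
            for s in LONG_STRINGS:
                yield "buffer overflow", name, render(_set(blocks, i, s))
            for s in FORMAT_STRINGS:
                yield "format string", name, render(_set(blocks, i, s))
            mid = len(val) // 2
            yield "null character", name, render(_set(blocks, i, val[:mid] + b"\x00" + val[mid:]))
            yield "wrong encoding", name, render(_set(blocks, i, val.decode("ascii").encode("utf-16-le")))
            yield "wrong encoding", name, render(_set(blocks, i, b"\xc0\xaf" + val))  # overlong UTF-8 '/'
            yield "mixed case", name, render(_set(blocks, i, val.swapcase()))
        else:  # num or len: boundary integers; on a len block this is an invalid offset/length
            label = "invalid offset/length" if kind == "len" else "integer overflow/underflow"
            for n in INT_EDGES:
                yield label, name, render(_set(blocks, i, n))
        # structural anomalies apply to every fuzzable block
        yield "missing field", name, render(blocks[:i] + blocks[i + 1:])
        yield "truncated", name, render(blocks[:i])
        if i + 1 < len(blocks):  # repeat the field together with its delimiter
            yield "too many fields", name, render(blocks[:i] + blocks[i:i + 2] * 200 + blocks[i + 2:])
        if pos + 1 < len(fuzzable):  # swap with the next fuzzable field
            j = fuzzable[pos + 1]
            swapped = list(blocks)
            swapped[i], swapped[j] = blocks[j], blocks[i]
            yield "out of order", name, render(swapped)


def classes(blocks: List[Block]) -> dict:
    """Number of generated test cases per anomaly class."""
    counts: dict = {}
    for cls, _field, _wire in mutants(blocks):
        counts[cls] = counts.get(cls, 0) + 1
    return counts


if __name__ == "__main__":
    for cls, field, wire in mutants(SIP_REGISTER):
        print(f"{cls:26} {field:8} {len(wire):6d} bytes  {wire[:40]!r}")
```

Each case differs from the baseline in one field, so a target that falls over on case N tells you which (class, field) pair did it; `render()` keeps Content-Length consistent for every field mutation except the ones that deliberately break it. Recursion, self-reference and invalid index need nested or indexed structures and are not covered by this flat description. To drive a real target, send each `wire` over a socket and watch the target (the challenges slide below is about that part).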
what protocols to fuzz?
• all of them, of course
• but… what’s the buzz? what’s new? what’s not mature?
• sip
• scada
• ipv6
• wireless
• bluetooth
• videogames
non-sense fuzzing
session-based fuzzing
• first you establish a channel with the target and then start fuzzing at that level
stateful-based fuzzing
• one step above establishing a session
• “on-the-fly” fuzzing
• (possible) better fault isolation
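An added example of the session-based / stateful idea from the two slides above (my code, not the speaker’s and not any tool mentioned in the deck): the fuzzer is given the target’s expected state machine as the well-formed message that advances each state. To fuzz state N it opens a fresh target, replays the valid messages for states 0..N-1, sends one anomaly in state N, records the reaction, and resets. The target here is a constructed in-process SMTP-like toy so the example runs offline; its RCPT handler has a constructed parse bug that is only reachable after HELO and MAIL FROM have been accepted, which is exactly the kind of bug a fuzzer that only mangles the first message never reaches. The state names, messages and anomaly set are assumptions for this example.

```python
"""Added example: stateful session fuzzer against a constructed toy target."""
from typing import Callable, List, Tuple


class ToySMTP:
    """Constructed target: minimal SMTP-like state machine (HELO -> MAIL -> RCPT).
    The RCPT handler assumes the angle-bracket address form and raises
    IndexError on anything else; that flaw is reachable only in state 'mail'."""

    def __init__(self) -> None:
        self.state = "connect"
        self.rcpts: List[bytes] = []

    def handle(self, line: bytes) -> str:
        verb, _, arg = line.strip().partition(b" ")
        verb = verb.upper()
        if self.state == "connect" and verb == b"HELO":
            self.state = "helo"
            return "250 hello"
        if self.state == "helo" and verb == b"MAIL":
            self.state = "mail"
            return "250 sender ok"
        if self.state == "mail" and verb == b"RCPT":
            self.rcpts.append(arg.split(b"<", 1)[1].split(b">", 1)[0])  # constructed bug
            return "250 recipient ok"
        if verb == b"QUIT":
            self.state = "closed"
            return "221 bye"
        return "503 bad sequence of commands"


# Valid path through the protocol: (state the message is sent in, message).
SESSION: List[Tuple[str, bytes]] = [
    ("connect", b"HELO fuzzer.example.invalid\r\n"),
    ("helo", b"MAIL FROM:<alice@example.invalid>\r\n"),
    ("mail", b"RCPT TO:<bob@example.invalid>\r\n"),
]

# Small anomaly set applied to the argument of each state's message
# (a real run would plug in a full anomaly generator here).
ANOMALIES: List[Tuple[str, bytes]] = [
    ("long argument", b"A" * 4096),
    ("missing argument", b""),
    ("null byte", b"\x00"),
    ("format string", b"%n" * 8),
]


def fuzz_state(factory: Callable[[], ToySMTP], session, n: int, anomalies) -> List[dict]:
    """Fuzz the n-th state: fresh target, replay states 0..n-1 verbatim, send one anomaly."""
    state, valid = session[n]
    verb = valid.split(b" ", 1)[0]
    results = []
    for label, bad in anomalies:
        target = factory()  # reset: new connection / new process per case
        for prev_state, msg in session[:n]:
            reply = target.handle(msg)
            if not reply.startswith("250"):
                raise RuntimeError(f"setup failed in state {prev_state}: {reply}")
        case = verb + b" " + bad + b"\r\n"
        try:
            outcome = "reply " + target.handle(case).split(" ", 1)[0]
        except Exception as exc:  # the monitor: an unhandled exception is a fault
            outcome = "exception " + type(exc).__name__
        results.append({"state": state, "anomaly": label, "case": case, "outcome": outcome})
    return results


def fuzz_session(factory: Callable[[], ToySMTP], session=SESSION, anomalies=ANOMALIES) -> List[dict]:
    """Fuzz every state of the session in turn."""
    return [r for n in range(len(session)) for r in fuzz_state(factory, session, n, anomalies)]


def faults(results: List[dict]) -> List[Tuple[str, str]]:
    """(state, anomaly) pairs that made the target blow up."""
    return [(r["state"], r["anomaly"]) for r in results if r["outcome"].startswith("exception")]


if __name__ == "__main__":
    for r in fuzz_session(ToySMTP):
        print(f"{r['state']:8} {r['anomaly']:17} -> {r['outcome']}")
```

The same four anomalies are harmless in the `connect` and `helo` states and fatal in `mail`: the bug lives behind two valid messages. Against a network target, `factory()` would open a new socket (or restart the process) and `handle()` would be a send/receive with a timeout, so that a silent target is recorded as a fault rather than hanging the run; that is the “on-the-fly” part, the health of the session is judged after every case, which is what gives the better fault isolation the slide mentions.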
techniques
• random
• database
• (mix?)
some of the challenges
• fault isolation
• the “bug behind the bug”
• “slow” protocol implementations
• monitor the target (memory leaks/ cpu spikes/ some type of redundancy)
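An added example for two of the challenges above, fault isolation and monitoring (my code, not from the slides or any product): the harness keeps a window of recent cases and samples the target’s footprint after every case. A footprint that never shrinks over the window and ends higher is reported as a suspected leak before anything crashes. When the target does die on case k, the recent window is replayed one case at a time on a fresh target: if a single case reproduces, that case is the trigger; if none does, the crash was cumulative, that is, case k only finished off what earlier cases started (the “bug behind the bug”). The target is a constructed in-process toy with one leak and one direct-crash flaw, and the case stream is constructed as well; in a real run `footprint()` would read the target process’s RSS and the reset would restart the process.

```python
"""Added example: monitor-and-isolate harness against a constructed toy target."""
from typing import Callable, Dict, List, Optional, Tuple


class ToyTarget:
    """Constructed target with two flaws: every X-Keep header is retained for
    ever and the table blows up past LIMIT entries (cumulative), and a negative
    Content-Length raises immediately (single-case)."""
    LIMIT = 50

    def __init__(self) -> None:
        self.table: Dict[int, bytes] = {}

    def handle(self, msg: bytes) -> None:
        for line in msg.split(b"\r\n"):
            key, _, val = line.partition(b": ")
            if key == b"Content-Length" and int(val) < 0:
                raise ValueError("negative length")
            if key == b"X-Keep":
                self.table[len(self.table)] = val  # never freed
                if len(self.table) > self.LIMIT:
                    raise MemoryError("table exhausted")

    def footprint(self) -> int:
        """Stand-in for the target process's resident memory."""
        return len(self.table)


def run_case(target: ToyTarget, case: bytes) -> Optional[str]:
    """Deliver one case; None if the target survived, else the fault name."""
    try:
        target.handle(case)
        return None
    except Exception as exc:  # real harness: process exit, signal, watchdog timeout
        return type(exc).__name__


def isolate(factory: Callable[[], ToyTarget], window: List[bytes]) -> Tuple[str, Optional[bytes]]:
    """Replay the recent cases one at a time on a fresh target, newest first.
    'single' means one case reproduces alone; 'cumulative' means none does."""
    for case in reversed(window):
        if run_case(factory(), case) is not None:
            return "single", case
    return "cumulative", None


def fuzz(factory: Callable[[], ToyTarget], cases: List[bytes],
         window_size: int = 8, leak_window: int = 30) -> List[dict]:
    """Run the cases, monitor the footprint, isolate every fault, keep going after a reset."""
    target, recent, footprints, findings, leak_reported = factory(), [], [], [], False
    for i, case in enumerate(cases):
        recent = (recent + [case])[-window_size:]
        fault = run_case(target, case)
        if fault is not None:
            kind, trigger = isolate(factory, recent)
            findings.append({"case": i, "fault": fault, "kind": kind, "trigger": trigger})
            target, footprints, leak_reported = factory(), [], False  # reset and carry on
            continue
        footprints.append(target.footprint())
        win = footprints[-leak_window:]
        # leak heuristic: the footprint never shrank over the window and ended higher
        if not leak_reported and len(win) == leak_window and min(win) == win[0] and win[-1] > win[0]:
            findings.append({"case": i, "fault": "leak suspected", "kind": "leak", "trigger": None})
            leak_reported = True
    return findings


def constructed_cases() -> List[bytes]:
    """Constructed case stream: a leaking header every third case, one direct trigger at 40."""
    cases = []
    for i in range(200):
        if i == 40:
            cases.append(b"Content-Length: -1\r\n")
        elif i % 3 == 2:
            cases.append(b"X-Keep: %d\r\n" % i)
        else:
            cases.append(b"Host: example.invalid\r\n")
    return cases


if __name__ == "__main__":
    for f in fuzz(ToyTarget, constructed_cases()):
        print(f"case {f['case']:3d}: {f['fault']:15} {f['kind']:10} {f['trigger']!r}")
```

On the constructed stream the harness reports a suspected leak well before the table overflows, isolates case 40 as a single trigger, and classifies the MemoryError at case 191 as cumulative because no case in the window reproduces it alone. That distinction is what stops a crash from being filed against the wrong packet. The `footprint()` hook is also where wall-clock time per case would be sampled to catch the “slow” implementations and CPU spikes the slide mentions.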
tools
• human
• spike / written in c / block-based approach
• protos / java / different fuzzers
• peach / python / “written while drinking beer at ph-neutral”
• antiparser / python / fuzzer and fault injection tool
• dfuz / c
• sulley / python / parallel fuzzing capabilities / legos
commercial
• bestorm
• codenomicon
• hydra
• mu security
• thread-x
getting creative
• use different fuzzing tools
• use the same fuzzing tool (parallel fuzzing)
• use a framework to integrate other stuff (traffic gen, nmap, exploitation tools, etc)
• use a framework to integrate agents for monitoring
• well… use any tools available
packets
packets (cont)
packets (again)
packets (cont)
packets (last one)
(con)fuzzing state of the security community
• “bad” security-in-depth implementations (dos?)
• again… lots of security is based on known attacks
• critical infrastructure (?)
• roi
• fuzzing is just one of the tools, but it certainly has helped change the way people think
predictions / crazy thoughts
• most people already got fuzzing
• more intelligence has to be incorporated into protocol fuzzing
  – protocol / application “adaptation”
  – offline protocol fuzzing / protocol correlation
  – redundant system testing
  – fuzzing through tunnels
  – proxy-fuzzing (not a-la spike proxy)
  – fuzz through / on / with non-standard media types (traffic shapers, etc)
• creativity is key: use the brain, for anything
• better integration with other tools
• anything is fuzzable
resources
• fuzzing mailing list by gadi evron: http://www.whitestar.linuxbox.org/mailman/listinfo/fuzzing
• book: fuzzing: brute force vulnerability discovery (sutton, greene & amini): http://fuzzing.org
• http://labs.musecurity.com
• http://www.hacksafe.com.au/blog/2006/08/21/fuzz-testing-tools-and-techniques/
• http://www.immunitysec.com/downloads/advantages_of_block_based_analysis.pdf
questions?
leduardo (at) musecurity.com