Fuzzgrind: an automatic fuzzing tool

Size: px

Start display at page:

Download "Fuzzgrind: an automatic fuzzing tool"

Naomi Watson
5 years ago
Views:

1 Fuzzgrind: an automatic fuzzing tool 1/55 Fuzzgrind: an automatic fuzzing tool Gabriel Campana Sogeti / ESEC gabriel.campana(at)sogeti.com

2 Fuzzgrind: an automatic fuzzing tool 2/55 Plan

3 Fuzzgrind: an automatic fuzzing tool 3/55 Roadmap

4 Fuzzgrind: an automatic fuzzing tool 4/55 Roadmap

5 Fuzzgrind: an automatic fuzzing tool 5/55 Fuzzing Technique to search for software implementation errors by injecting invalid data. Test generation: random, input mutation, model-based. Several fuzzing software programs. Endless process: study of specifications, reverse engineering of protocols, new development for each target, etc. Innovative theories: Autodafe, Flayer, Sage, etc.

6 Fuzzgrind: an automatic fuzzing tool 6/55 Roadmap

7 Fuzzgrind: an automatic fuzzing tool 7/55 Let fuzzing be completely automatic. Give a target program and an input file, New inputs generated automatically, Wait for crashes.

8 Fuzzgrind: an automatic fuzzing tool 8/55 Roadmap

9 Fuzzgrind: an automatic fuzzing tool 9/55 Symbolic execution Use of algebraic expressions to represent the variable values throughout the execution of the program. 1 Symbolically execute the target program on a given input, 2 Analyze execution path and extract path conditions depending on the input, 3 Negate each path condition, 4 Solve constraints and generate new test inputs. 5 This algorithm is repeated until all executions path are (ideally) covered. = Increase code coverage to discover new bugs.

10 Fuzzgrind: an automatic fuzzing tool 10/55 Symbolic execution: example input = "\x06\x00\x00\x00\x0f\x00\x00\x00"

11 Fuzzgrind: an automatic fuzzing tool 11/55 Symbolic execution: example input = "\x06\x00\x00\x00\x0f\x00\x00\x00"

12 Fuzzgrind: an automatic fuzzing tool 12/55 Symbolic execution: example input = "\x06\x00\x00\x00\x0f\x00\x00\x00"

13 Fuzzgrind: an automatic fuzzing tool 13/55 Symbolic execution: example input = "\x06\x00\x00\x00\x0f\x00\x00\x00"

14 Fuzzgrind: an automatic fuzzing tool 14/55 Symbolic execution: example input = "\x06\x00\x00\x00\x0f\x00\x00\x00"

15 Fuzzgrind: an automatic fuzzing tool 15/55 Symbolic execution: example input = "\x06\x00\x00\x00\x0f\x00\x00\x00"

16 Fuzzgrind: an automatic fuzzing tool 16/55 Symbolic execution: example input = "\x28\x00\x00\x00\x0f\x00\x00\x00"

17 Fuzzgrind: an automatic fuzzing tool 17/55 Symbolic execution: example input = "\x28\x00\x00\x00\x0f\x00\x00\x00"

18 Fuzzgrind: an automatic fuzzing tool 18/55 Symbolic execution: example input = "\x28\x00\x00\x00\x0f\x00\x00\x00"

19 Fuzzgrind: an automatic fuzzing tool 19/55 Symbolic execution: example input = "\x28\x00\x00\x00\x0f\x00\x00\x00"

20 Fuzzgrind: an automatic fuzzing tool 20/55 Symbolic execution: example input = "\x28\x00\x00\x00\x0f\x00\x00\x00"

21 Fuzzgrind: an automatic fuzzing tool 21/55 Symbolic execution: example input = "\x28\x00\x00\x00\x0f\x00\x00\x00"

22 Fuzzgrind: an automatic fuzzing tool 22/55 Symbolic execution: example input = "\x28\x00\x00\x00\x0f\x00\x00\x00"

23 Fuzzgrind: an automatic fuzzing tool 23/55 Symbolic execution: example input = "\x28\x00\x00\x00\x0f\x00\x00\x00"

24 Fuzzgrind: an automatic fuzzing tool 24/55 Symbolic execution: example input = "\x28\x00\x00\x00\x21\x00\x00\x00"

25 Fuzzgrind: an automatic fuzzing tool 25/55 Symbolic execution: example input = "\x28\x00\x00\x00\x21\x00\x00\x00"

26 Fuzzgrind: an automatic fuzzing tool 26/55 Roadmap Valgrind STP 1 2 Valgrind STP 3 4

27 Fuzzgrind: an automatic fuzzing tool 27/55 Roadmap Valgrind STP 1 2 Valgrind STP 3 4

Fuzzgrind: an automatic fuzzing tool 28/55 Valgrind Valgrind STP Framework for Dynamic Binary Instrumentation. Multiple architectures supported.

28 Fuzzgrind: an automatic fuzzing tool 28/55 Valgrind Valgrind STP Framework for Dynamic Binary Instrumentation. Multiple architectures supported. Generic framework for creating program analysis tools (e.g.: Memcheck). Machine-code interpreter: just-in-time instruction recompilation. Nothing from the original program ever gets run directly.

29 Fuzzgrind: an automatic fuzzing tool 29/55 Overall view Valgrind STP 1 Disassembly and translation from machine code (x86) into Intermediate Representation (VEX), 2 IR optimization, 3 IR instrumentation by the plugin, 4 Conversion of the instrumented IR into machine code (x86) and register allocation, 5 Instrumented code execution.

30 Fuzzgrind: an automatic fuzzing tool 30/55 IR and instrumentation Valgrind STP 0x4000A99 : movl %eax,% ecx #----- IMark(0x4000A99, 2) PUT(4) = GET: I32 (0) # copy of EAX into ECX 0x4000A9B : l e a l 0x2C(%ebx ), %esi #----- IMark(0x4000A9B, 6) PUT(60) = 0x4000A9B : I32 t0 = Add32(GET: I32 (12),0x2C : I32 ) PUT(24) = t0 # EIP update # addition of EBX content with 0x2C # result copy into ESI

31 Fuzzgrind: an automatic fuzzing tool 31/55 System calls Valgrind STP 1 copy virtual registers into real registers (apart EIP), 2 do the system call, 3 copy real registers into virtual registers (apart EIP), 4 restore stack pointer.

32 Fuzzgrind: an automatic fuzzing tool 32/55 Roadmap Valgrind STP 1 2 Valgrind STP 3 4

33 Fuzzgrind: an automatic fuzzing tool 33/55 STP A Fast Prover Valgrind STP Constraint solver, generated by static and dynamic analysis programs. Especially fast. Used in Automatic Patch-Based Exploit Generation paper. Take in input a request set of one or multiples constraints. Constraints composed of a set of functions and predicates. Output tells if request is satisfiable or not. Counter-example display.

34 Fuzzgrind: an automatic fuzzing tool 34/55 Example Valgrind STP # cat file.c... char x, y ; i f (x y == 16)... # cat file.stp x : BITVECTOR( 8 ) ; y : BITVECTOR( 8 ) ; QUERY(NOT(BVMULT(8, x, y ) = 0h10 ) ) ; # stp -p file.stp I n v a l i d. ASSERT( y = 0hex05 ) ; ASSERT( x = 0hexD0 ) ;

35 Fuzzgrind: an automatic fuzzing tool 35/55 Softwares used Valgrind STP Valgrind: path conditions search. STP: constraints solving. Python scripts to link all of this.

36 Fuzzgrind: an automatic fuzzing tool 36/55 Roadmap Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring 4

37 Fuzzgrind: an automatic fuzzing tool 37/55 Overall view Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring

38 Fuzzgrind: an automatic fuzzing tool 38/55 Roadmap Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring 4

39 Fuzzgrind: an automatic fuzzing tool 39/55 Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring 2) Valgrind plugin: search for path conditions 1 Initial tainting of data from the tainted source, 2 Propagation and display of constraints associated with tainted data. 3 Untaint data.

40 Fuzzgrind: an automatic fuzzing tool 40/55 2) Valgrind plugin: initial tainting Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Based on Flayer s implementation. Supported inputs: files and standard input. System calls monitoring. open: file descriptor monitoring, close: ends file descriptor monitoring, read, mmap: tainted data addresses. Tainted data Constraint depending on the number i from the byte read/mmaped.

41 Fuzzgrind: an automatic fuzzing tool 41/55 Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring 2) Valgrind plugin: propagation and display Function of the tool in charge of the instrumentation of the IR. Tainted data: memory address and registers. Instruction doesn t depend on tainted data = ignored/result untainted, Operation on tainted data = Tainting of temporary that saves the result, Temporary associated to the constraint that is associated to the operation. t0 = Add32(GET:I32(12), 0x2C:I32) Condition depends on tainted data = associated constraint is displayed. 0x08048e0d: CmpEQ32(8Uto32(LDle:I8(input(0))),0x0:I32) => 0

42 Fuzzgrind: an automatic fuzzing tool 42/55 Roadmap Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring 4

43 Fuzzgrind: an automatic fuzzing tool 43/55 3) Constraint analysis Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Translation of Valgrind s IR into STP language. Constraints optimization and negation. 0x08048e0d: CmpEQ32(8Uto32(LDle:I8(input(0))),0x0:I32) => 0 x0 : BITVECTOR(8); QUERY( NOT(( IF (((0h000000@x0) = 0h )) THEN (0b1) ELSE (0b0) ENDIF) = 0b1));

44 Fuzzgrind: an automatic fuzzing tool 44/55 Roadmap Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring 4

45 Fuzzgrind: an automatic fuzzing tool 45/55 Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring 4) Constraints solving, 5) New inputs Resolution of constraints using STP../stp/stp -p /tmp/example.stp Invalid. ASSERT( x0 = 0hex00 ); If query is invalid, assign this new values, Generation of new test files.

46 Fuzzgrind: an automatic fuzzing tool 46/55 Roadmap Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring 4

47 Fuzzgrind: an automatic fuzzing tool 47/55 6) Detecting faults Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Ptrace, Signals: SIGSEGV, SIGKILL, SIGABRT. Crackmes, tests: search of patterns in output.

48 Fuzzgrind: an automatic fuzzing tool 48/55 Roadmap Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring 4

49 Fuzzgrind: an automatic fuzzing tool 49/55 7) Scoring Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Valgrind s Lackey plugin, Number of executed basic blocks.

50 Fuzzgrind: an automatic fuzzing tool 50/55 Demo Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring

51 Fuzzgrind: an automatic fuzzing tool 51/55 Roadmap

52 Fuzzgrind: an automatic fuzzing tool 52/55 Results Fuzzing completely automatic. New vulnerabilites in readelf and swfextract. Vulnerabilities found in libtiff in a few minutes (discovered by Tavis Ormandy, led to the execution of unsigned code on the PSP and the iphone). Resolution of simple crackmes.

53 Fuzzgrind: an automatic fuzzing tool 53/55 Caveats Path explosion, Loop iterations, Cryptographic functions, Data tainting can be losed: char *digits = " abcdefghijklmnopqrstuvwxyz"; if (digits[x] == 1 ) CmpEQ32(LDle(Add32(x, digits)), 0x31)

54 Fuzzgrind: an automatic fuzzing tool 54/55 Improvement Monitoring of network inputs. Scoring tool. Parallelization. Constraints caching. Fuzzgrind is licenced under GPL: contribute!

55 Fuzzgrind: an automatic fuzzing tool 55/55 Thank your for your time. Q&A?

Outline. 1 Background. 2 Symbolic Execution. 3 Whitebox Fuzzing. 4 Summary. 1 Cost of each Microsoft Security Bulletin: $Millions

Outline. 1 Background. 2 Symbolic Execution. 3 Whitebox Fuzzing. 4 Summary. 1 Cost of each Microsoft Security Bulletin: $Millions CS 6V81-05: System Security and Malicious Code Analysis and Zhiqiang Lin 1 Background 2 Department of Computer Science University of Texas at Dallas 3 April 9 th, 2012 4 Software security bugs can be very