Fuzzing For Worms 16/06/2018. Fuzzing For Worms. AFL for Linux Network Servers

Size: px

Start display at page:

Download "Fuzzing For Worms 16/06/2018. Fuzzing For Worms. AFL for Linux Network Servers"

Tamsyn Wilkinson
5 years ago
Views:

1 1 AFL for Linux Network Servers 16/6/218 Fuzzing For Worms.

About Me 2 1 16/6/218 SSL/TLS Recommendations // OWASP Switzerland 213 Dobin Rutishauser 2 BurpSentinel - Semi Automated Web Scanner // BSides Vienna 214 3

2 About Me /6/218 SSL/TLS Recommendations // OWASP Switzerland 213 Dobin Rutishauser 2 BurpSentinel - Semi Automated Web Scanner // BSides Vienna Automated WAF Testing and XSS Detection 4 Lecturer Exploit Development & Mitigations // OWASP Switzerland 215, Barcamp // Berner Fachhochschule, 216, 217, 218

3 FFW 3 What we have 1 File Based Fuzzer What I want 2 Network Fuzzer Demo 3 Praise the Demo gods! Feedback Driven Fuzzing 4 Honggfuzz Results 5 days? 8/1/216

4 AFL cd ~/binutils-2.25 CC=afl-gcc./configure make mkdir afl_in afl_out cp /bin/ps afl_in/ afl-fuzz -i afl_in -o afl_out./binutils/readelf -a 4 16/6/218

5 AFL 5 16/6/218

6 6 Everything already fuzzed :-( 16/6/218

7 Why no fuzzing network servers? 7 16/6/218

8 Fuzzing Network Servers: ISO OSI Layer 8 16/6/218

9 Fuzzing Network Servers: MQTT Protocol 9 16/6/218

10 Fuzzing Network Servers: MQTT Protocol 1 CONNECT 2 3 SUBSCRIBE <channel> PUBLISH <channel> <msg> 1 16/6/218

11 Fuzzing Network Servers - Using File based Fuzzers 11 16/6/218 Using AFL to fuzz a MQTT server? Method 1: Wrap Method 2: Rewire Wrap packet-parsing Re-wire read(), write() function to read from files

12 Fuzzing Network Servers - Wrap Method 1: Wrap Isolate main functionality Write a wrapper // Libfuzzer // AFL Persistent Mode // WinAFL 12 16/6/218

13 Fuzzing Network Servers - Re-Wiring Program 13 16/6/218 Method 2: Re-wire Re-wire read(), write() read() 4 Socket to read from files (not from sockets)

14 Fuzzing Network Servers - Re-Wiring Program 14 16/6/218 Method 2: Re-wire Re-wire read(), write() read() 1 File to read from files (not from sockets) // AFL Style Fuzz // Preeny desock

15 Fuzzing Mongoose MQTT with AFL Case Study: Mongoose 6.8 CSNC // Manual Re-Wire for de-socking Fuzz with AFL Stack BOF RCE Exploit 15 16/6/218

16 Fuzzing Network Servers: AFL 16 16/6/218 File Based Fuzzer Problems What are packets? // CONNECT read() Target write() read() write() read() write() SUBSCRIBE PUBLISH Mutate File

17 Fuzzing Network Servers: AFL 17 16/6/218 File Based Fuzzer Problems What are packets? // CONNECT read() Target write() read() write() read() write() SUBSCRIBE PUBLISH Mutate File

18 Generators 18 A better way? Generational Fuzzers Protocol Specifications // Reproduce protocol in code as XML Specify every field, datatype, etc. 16/6/218

19 Generators Generators: Peachfuzz (XML Pits ) Spike -> Sulley -> Boofuzz (python specs) Blab Dharma Protocol Learning: Netzob (UI) Pulsar (AI) 19 16/6/218

20 Network Protocols 2 Stateless Stateful DNS, DHCP, HTTP, COAP MQTT, VNC, Teamspeak Ignore reply Responses important Packets are independant Packets dependant Use AFL Use Peach 26/6/218

21 21 I dont want to patch I dont want to XML protocols i want to fuzz! 16/6/218

22 FFW Phases 1 Intercept Replay Data Detect Crash Capture Fuzz some data Check if server is Network Data and send stil alive 16/6/218? $ 4 5??? Profit!

23 Demo 23 FFW Basic Mongoose 6.8 Demo Praise the Demo Gods 16/6/218

24 24 16/6/218 FFW Internals

25 Architecture 25 16/6/218 Interceptor Fuzzer Verifier Minimizer MITM to capture network messages Send mutated messages Re-send messages which crash server Find unique crashes Test Uploader identify failures when sending capture Upload all data to teh cloud

26 Interceptor 26 16/6/218 FFW Hello 1: cli Hello there! 2: srv Client Server Subscribe 3: cli Sure 4: srv 1: 2: 3: 4: cli: srv: cli: srv: data: data: data: data: Hello Hello there! Subscribe Sure

27 Fuzzer 27 16/6/218 FFW 1: cli 2: srv Server 3: cli 4: srv Corpus 1: 2: 3: 4: cli: srv: cli: srv: data: data: data: data: Hello Hello there! Subscribe%../../ Sure

28 Mutator: Radamsa 28 16/6/218

29 Crash Detection: TCP Connection Disconnect 29 26/6/218 TCP Handshake Crashed by Previous Input Pre-Mutated Packet FFW Mutated Packet Post-Mutated Packet Server Crashed by Current Input

30 Crash Details Crash Details: Stack Trace /6/218 PTRACE // Bad, Unreliable ASAN // Non-Stack BoF only GDB // Need Parser...

31 31 Fuzzing Hardware What I have // Xeon E5 267 (from 212) 2mb Cache! 8 cores, 16 threads! 32 GB RAM! 2.6ghz! x2! rawr! 777$, natex.us 16/6/218

32 32 16/6/218

33 Fuzzing Hardware What I really need // 33 16/6/218

34 34 16/6/218 Puppet Master - Sentient Hacking AI, created by Intelligence Unit Section 6 (Ghost in the Shell, 1995)

35 35 Feedback Driven Fuzzing 16/6/218

36 Feedback Driven Fuzzing - Function Level 36 16/6/218 Fuzzer Corpus: 1. X Function X Function 1 Function A Function Y Function 2 Function B Function

37 Feedback Driven Fuzzing - Function Level 37 16/6/218 Fuzzer Corpus: 1. X 2. X2 Function X Function 1 Function A Function Y Function 2 Function B Function

38 Feedback Driven Fuzzing - Function Level 38 16/6/218 Fuzzer Corpus: 1. X 2. X2 3. X2A Function X Function 1 Function A Function Y Function 2 Function B Function

39 Feedback Driven Fuzzing - Function Level 39 16/6/218 Fuzzer Corpus: 1. X 2. X2 3. X2A 4. X2B Function X Function 1 Function A Function Y Function 2 Function B Function

40 Feedback Driven Fuzzing - Basic Block Level 4 16/6/218

41 Fix all the bugs American Fuzzy Lop and Address Sanitizer, Hanno Böck 41 16/6/218

42 Feedback Driven Fuzzing - Basic Block Level - Bloom Filter 42 16/6/218 if input[] == x41 if input[1] == x42 if input[2] == x43 if input[3] == x44 CRASH 1

43 Feedback Driven Fuzzing - Basic Block Level Compiler Inserts 43 16/6/218 At each basic block, add: cur_location = (block_address >> 4) ^ (block_address << 8); shared_mem[cur_location ^ prev_location]++; prev_location = cur_location >> 1;

44 Feedback Driven Fuzzing - Basic Block Level - Bloom Filter 44 16/6/218 if input[] == x41 if input[1] == x42 if input[2] == x43 if input[3] == x44 CRASH 1 1

45 Feedback Driven Fuzzing - Basic Block Level - Bloom Filter 45 16/6/218 if input[] == x41 if input[1] == x42 if input[2] == x43 if input[3] == x44 CRASH

46 Feedback Driven Fuzzing - Code Coverage 46 16/6/218 Picture Source: Circumventing Fuzzing Roadblocks with Compiler Transformations, lafintel

47 Feedback Driven Fuzzing - Basic Block Level Efficency in AFL 47 16/6/218

48 Feedback Driven Fuzzing - Methods 48 16/6/218

49 Feedback Driven Fuzzing - How-to 49 16/6/218

50 Integrating Honggfuzz in FFW 5 16/6/218 Network TCP/UDP FFW Target Unix Domain Socket HonggFuzz observe

51 Integrating Honggfuzz in FFW 51 16/6/218 Fuzz Send the fuzz (TCP) Target FFW Okay (i m done sending) New! (new BB reached) Corpus Cras (target crashed) observe HonggFuzz

52 Demo 52 FFW Mongoose 6.9 Feedback driven fuzzing with honggfuzz Demo Praise the Demo Gods 16/6/218

53 53 16/6/218 Performa nce

54 Fuzzing Performance About 3 iterations/s per thread :-( AFL: Threads = core_count / 2 FFW: Threads = core_count * 2 3 iterations/s * 32 * 2 =~ 2 (okish) 54 16/6/218

55 Fuzzing Speed Requirements 55 16/6/218 Parallel fuzzing -> parallel processes -listen %(port) Port directly as Argument -config srvcfg-%(port).conf usenetnamespace: True Port via Config File Namespaces! yay!

56 Fuzzing Speed Requirements: Parallelization 56 16/6/218 Network Namespace 1 FFW Slave Process 1 Honggfuzz FFW Slave Process 2 Honggfuzz Target Server Port: 1337 FFW Master Process Network Namespace 2 Target Server Port: 1337

57 57 Fuzzing Results 16/6/218

58 Bugs: Mongoose MQTT 6.8 Mongoose MQTT 6.9 libcoap libiec6185 vnc4server libmodbus Check docker dobin/ffw:.2 58 No Bugs: Mongoose Web Mongoose DNS Mongoose DHCP Synergy Ngircd Inspircd unrealircd portmapper 16/6/218

59 Inspircd 59 16/6/218

60 Ngircd 6 16/6/218

61 61 16/6/218 Conclusion

62 FFW 1 INTERCEPT 2 3 RETRANSMIT (fuzzed) DETECT Crashes New Basic Blocks 62 16/6/218

63 Motivation Swat low hanging bugs Use time before real fuzzing Quick-Check of a server 63 26/6/218

64 64 16/6/218

65 65 Code: github.com/dobin/ffw Me: twitter.com/dobinrutis Blog: dobin.ch/blog/tag/ffw days: github.com/dobin/ffw-docker 16/6/218 Reddit: reddit.com/r/fuzzing Get started: docker run -ti --privileged -lxc-conf="aa_profile=unconfined" dobin/ffw:.2

66 66 Q&A 16/6/218

Not in this presentation: Taint Tracking / Analysis SMT Solvers Automated root cause identification Automated exploit generation Automated patch generation Machine Learning / AI Kernel Fuzzing

67 Not in this presentation: Taint Tracking / Analysis SMT Solvers Automated root cause identification Automated exploit generation Automated patch generation Machine Learning / AI Kernel Fuzzing Syscall Fuzzing Instruction-Set Fuzzer Structure-aware fuzzing Anti-Fuzzing Binary Instrumentation (Intel PIN, DynamoRio) Blockchain (Smart Contracts / Ethereum) Symbolic Execution / Concolic Execution (Angr, Manticore) Compiler Transformations / Deoptimization 67 16/6/218

68 Similar solutions 68 16/6/218

69 69 Future 16/6/218

70 Future: Weighting Fitness: Fuzz which damn input? [] Input Corpus 7 1 # Crashes 2 # Hangs 3 # Children 4 Latency [] Corpus Network Message 26/6/218

71 Future: Genetic mutations 71 Generic Mutation Algorithmn 1 Per InputCorpus 2 26/6/218 Crossover (copy partially to other network messages) Mutation (re-order network messages) 3 Swap (swap messages)

72 Future Crash Analysis Code Coverage in IDE Adjust network timeout dynamically Client program fuzzing 72 26/6/218

73 73 16/6/218

74 74 The reason for all this: C C++ 16/6/218

75 Feedback Driven Fuzzing - Performance Comparison 75 16/6/218

Copyright 2015 MathEmbedded Ltd.r. Finding security vulnerabilities by fuzzing and dynamic code analysis

Copyright 2015 MathEmbedded Ltd.r. Finding security vulnerabilities by fuzzing and dynamic code analysis Finding security vulnerabilities by fuzzing and dynamic code analysis Security Vulnerabilities Top code security vulnerabilities don t change much: Security Vulnerabilities Top code security vulnerabilities