Fuzzing techniques & software vulnerabilities

Size: px

Start display at page:

Download "Fuzzing techniques & software vulnerabilities"

Arthur Stokes
6 years ago
Views:

1 Xavier Claude Mathieu Fourcroy William Robinet Conostix S.A. 17th October 2016

2 Agenda

3 Definition Definition Origins Context Why fuzzing? Fuzzing techniques Definition Automated testing technique which provide unexpected data as input for computer program to detect unanticipated behaviour.

4 Source of fuzzing Definition Origins Context Why fuzzing? Fuzzing techniques Fuzzing is inspired by casual users who: Enter dates where money amount is expected Enter digits where names belong... This often result in segfaults, stack overflows... A fuzzing test crafts such invalid inputs in order to raise exceptions

5 Input validation Definition Origins Context Why fuzzing? Fuzzing techniques $ change_password enter new passord (max 7):

6 Input validation Definition Origins Context Why fuzzing? Fuzzing techniques #i n c l u de <s t d i o. h> #i n c l u de < s t d l i b. h> i n t main ( i n t arg, char argv [ ] ) { char new pwd [ 8 ] ; char c u r u s e r = getenv ( USER ) ; p r i n t f ( Enter new p a s s f o r %s (max 7 ) :, \ c u r u s e r ) ; s c a n f ( %s, new pwd ) ; } p r i n t f ( New password f o r u s e r %s : %s \n,\ c u r u s e r, new pwd ) ;

7 Input validation Definition Origins Context Why fuzzing? Fuzzing techniques $./a.out Enter new password for xavier (min: 5 char, max 7):12345 New password for user xavier: 12345

8 Input validation Definition Origins Context Why fuzzing? Fuzzing techniques $./a.out Enter new password for xavier (min: 5 char, max 7): New password for user rminal-emulator/ yavin_time :

9 Fuzzing benefits Definition Origins Context Why fuzzing? Fuzzing techniques Every programs contain bugs, we just don t know them yet Provide results with little effort Reveal bugs that were missed in manual audit or static analysis

10 Fuzzing limitations Definition Origins Context Why fuzzing? Fuzzing techniques Do not detect all bugs Need deeper code investigation to analyse crashing test cases Not so easy with programs requiring complex inputs

11 Fuzzing techniques Definition Origins Context Why fuzzing? Fuzzing techniques Manual Fully random Guided fuzzing

12 Manual Definition Origins Context Why fuzzing? Fuzzing techniques

13 Fully random Definition Origins Context Why fuzzing? Fuzzing techniques $ bc < /dev/urandom

14 Guided fuzzing Definition Origins Context Why fuzzing? Fuzzing techniques Analyze program behaviour to adapt fuzzing

15 What is zzuf What is zzuf Easy-to-use fuzzing software Ability to reproduce behaviour Can fuzz everything

16 What is zzuf What is zzuf input appli zzuf input appli generates test cases records test cases in order to reproduce them injects test cases intercepts file reading functions checks STDOUT and exit values detects crashes output output

17 What is zzuf Input generation Original file $ cat zzuf_demo_txt ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz Hello world!! 3% randomness $ zzuf -r0.03 cat zzuf_demo_txt ABADEFGHIJKLMVOPURSTUVUXYZ ab#d%fghihklmnopqrstuvwpyz :9 Hello world!! 20% randomness $ zzuf -r0.2 cat zzuf_demo_txt ARGEEFWHIRYHMNLPQSSTUVWXQz s(cdufghijid/nnp0n3le4wxy: 01R74=. x) *}dlo gozdf!!

18 American fuzzy lop

19 Description Focus on performance

20 Description Focus on performance Bruteforce with instrumentation guided genetic algorithm and edge coverage

21 Description Focus on performance Bruteforce with instrumentation guided genetic algorithm and edge coverage Try to minimize result

22 Instrumenting with source Use a GCC/Clang wrapper

23 Instrumenting with source Use a GCC/Clang wrapper Add a random identifier for each branch

24 Instrumenting with source Use a GCC/Clang wrapper Add a random identifier for each branch Compiler options to detect bad behaviour

25 Instrumenting with source Use a GCC/Clang wrapper Add a random identifier for each branch Compiler options to detect bad behaviour $ CC=/path/to/afl/afl-gcc./configure $ make clean all

26 Instrumenting blackbox Use a modified version of Qemu

27 Instrumenting blackbox Use a modified version of Qemu Slower than the source instrumentation

28 Instrumenting blackbox Use a modified version of Qemu Slower than the source instrumentation Doesn t require source

29 Record each branch jump with a random id cur_location = <COMPILE_TIME_RANDOM>; shared_mem[cur_location ^ prev_location]++; prev_location = cur_location >> 1;

30 Record each branch jump with a random id cur_location = <COMPILE_TIME_RANDOM>; shared_mem[cur_location ^ prev_location]++; prev_location = cur_location >> 1; This works well on standard program (< 10k branch)

31 Record each branch jump with a random id cur_location = <COMPILE_TIME_RANDOM>; shared_mem[cur_location ^ prev_location]++; prev_location = cur_location >> 1; This works well on standard program (< 10k branch) This allows a fast lookup (limit perf impact during fuzzing)

32 Path discovery start select1 step1 select2 step2 finish

33 Path discovery start Paths: 1 select1 yes step1 select2 step2 finish

34 Path discovery start Paths: 2 select1 no yes step1 select2 step2 finish

35 Path discovery start Paths: 3 select1 no select2 yes yes step1 step2 finish

36 Address sanitizer Compiler extension to find invalid memory management

37 Address sanitizer Compiler extension to find invalid memory management Lot of memory consumption (20TB)

38 Example #i n c l u d e <s t d i o. h> #i n c l u d e <s t d l i b. h> i n t main ( v o i d ) { FILE fp ; char b u f f [ 1 6 ] ; f p = f o p e n ( /tmp/ t e s t. t x t, r ) ; f s c a n f ( fp, %s, b u f f ) ; f c l o s e ( f p ) ; i f ( b u f f [ 0 ] == 0 x66 ) i f ( b u f f [ 1 ] == 0 x 6 f ) i f ( b u f f [ 2 ] == 0 x 6 f ) { p r i n t f ( Password a c c e p t e d \n ) ; a b o r t ( ) ; } i f ( b u f f [ 0 ] == 0 x00 ) p r i n t f ( Password empty\n ) ; } r e t u r n 0 ;

39 Compilation $./afl-gcc -o tests/test ~/projects/centr-conf/src/testafl.c afl-cc 2.35b by afl-as 2.35b by [+] Instrumented 7 locations (64-bit, non-hardened mode, ratio 100%

40 Compilation $./afl-gcc -o tests/test ~/projects/centr-conf/src/testafl.c afl-cc 2.35b by afl-as 2.35b by [+] Instrumented 7 locations (64-bit, non-hardened mode, ratio 100% Creating test file: $ echo a > in_test/in

41 Running $./afl-fuzz -i in_test/ -o out_test/ -f /tmp/test.txt --./tests/test

42 CVE CVE Info-ZIP UnZip - Out-of-bounds Write CVE Ghostscript - Integer overflow CVE : bdfreadproperties: property count needs range check CVE : bdfreadcharacters: bailout if a char s bitmap cannot be read CVE : bdfreadcharacters: ensure metrics fit into xcharinfo struct CVE , CVE unzoo - Buffer overflow & Infinite loop

43 CVE libtiff: Divide By Zero in the tiffdither tool CVE libtiff: Out-of-bounds Read in the thumbnail tool CVE libtiff: Out-of-bounds Read in the tiff2bw tool CVE libtiff: Out-of-bounds Read in the tiff2rgba tool CVE libtiff: Out-of-bounds Read & Write in the tiff2pdf tool

44 CVE libtiff: Out-of-bounds Read & Write in the tiff2pdf tool CVE libtiff: Out-of-bounds Write in the thumbnail tool CVE libtiff: Out-of-bounds Write in the tiffdither tool CVE libtiff: Out-of-bounds Write in the tiffdither tool CVE libtiff: Out-of-bounds Write in the tiffdither tool CVE libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools CVE libtiff: Out-of-bounds Write in the tiff2pdf tool CVE libtiff: Out-of-bounds Read in the tiff2ps and tiffdither tools CVE libtiff: Out-of-bounds Read in the tiffmedian tool CVE libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools CVE libtiff: Out-of-bounds Read in the tiffset tool CVE libtiff: Out-of-bounds Writes in the tiffdither tool

45 Upstream Submitting security flaw Helping fuzzer Some developpers welcome any bug report

46 Upstream Submitting security flaw Helping fuzzer Some developpers welcome any bug report Others doesn t like when the program is not used as intended

47 Upstream Submitting security flaw Helping fuzzer Some developpers welcome any bug report Others doesn t like when the program is not used as intended Most doesn t answer at all

48 Helping fuzzer Submitting security flaw Helping fuzzer Allow entry points everywhere in the software

49 Helping fuzzer Submitting security flaw Helping fuzzer Allow entry points everywhere in the software Allow input file/stdin for every file

50 Submitting security flaw Helping fuzzer Thank you for listening! Useful links: : The Fuzzing Project:

Writing a fuzzer. for any language with american fuzzy lop. Ariel Twistlock Labs

Writing a fuzzer. for any language with american fuzzy lop. Ariel Twistlock Labs Writing a fuzzer for any language with american fuzzy lop Ariel Zelivansky @ Twistlock Labs What is fuzzing? Technique for testing software by providing it with random, unexpected or invalid input Dumb