SLIDE 1 0‐Knowledge Fuzzing
Vincenzo Iozzo vincenzo.iozzo@zynamics.com
SLIDE 2 Disclaimer
In this talk you won’t see all those formulas, formal definitions, code snippets and bullets and bullets. From past experiences the speaker learned that all the aforementioned elements are not useful in making people understand your idea. Instead you will see a lot of funny pictures which the speaker hopes will convey the ideas explained in the talk better.
You don’t want slides like this, do you?
SLIDE 3
Motivations
SLIDE 4
Questions!
SLIDE 5
Fuzzing
SLIDE 6
How it used to be
SLIDE 7
How it is today (aka the reason for this talk)
SLIDE 8
Dumb fuzzing
SLIDE 9
Smart Fuzzing
SLIDE 10
Evolutionary Based Fuzzing
SLIDE 11
The idea
SLIDE 12
The surface
SLIDE 13
We need a filter
SLIDE 14
Cyclomatic complexity
SLIDE 15
This one
SLIDE 16
Not this one
SLIDE 17 Original formula
M = E – N + 2P
E = number of edges, N = number of nodes, P = number of connected components
SLIDE 18 Why? Cyclomatic number
M = E – N + P
SLIDE 19
Simplify
SLIDE 20
Formula
M = E – N + 2
SLIDE 21
Problem
SLIDE 22
Loop detection
SLIDE 23
Dominator tree
SLIDE 24
Dominators
SLIDE 25
Function
SLIDE 26
Dominator tree
SLIDE 27
Dominators
SLIDE 28
Implicit loops
SLIDE 29
REIL
SLIDE 30
Is that enough?
SLIDE 31 Not enough
Of course not, more heuristics needed
/* a thin wrapper: trivial complexity, yet it still reaches strncpy */
void *safe_strcpy(void *old_dest, void *src, int size) {
    void *dst = realloc(old_dest, size + 1);
    strncpy(dst, src, size);
    return dst;
}
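Worked example for slides 14 to 31, added here and not part of the deck or of zynamics' tooling: a small Python filter over a constructed control-flow graph. It computes M = E – N + 2P, solves for dominators with the standard iterative data-flow method, reads the dominator tree off the result, flags back edges (an edge whose target dominates its source) as loops, and keeps low-complexity wrappers in the style of safe_strcpy by also looking at which functions they call. The two CFGs, the `min_complexity` threshold and the `interesting_callees` list are my own assumptions, not values from the talk.

```python
"""Filter candidate functions the way slides 14-31 describe: cyclomatic
complexity over a control-flow graph, dominator-based loop detection, and a
callee heuristic for thin wrappers such as safe_strcpy.
Added example; the CFGs below are constructed, not taken from a real binary."""


def cyclomatic_complexity(cfg, components=1):
    """M = E - N + 2P (slide 17). For one function P = 1, so M = E - N + 2 (slide 20)."""
    n = len(cfg)
    e = sum(len(succs) for succs in cfg.values())
    return e - n + 2 * components


def dominators(cfg, entry):
    """Iterative data-flow solution: dom(entry) = {entry};
    dom(n) = {n} | intersection of dom(p) over all predecessors p of n."""
    nodes = list(cfg)
    preds = {n: [] for n in nodes}
    for n, succs in cfg.items():
        for s in succs:
            preds[s].append(n)
    dom = {n: set(nodes) for n in nodes}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == entry:
                continue
            new = {n}
            if preds[n]:
                new |= set.intersection(*(dom[p] for p in preds[n]))
            if new != dom[n]:
                dom[n] = new
                changed = True
    return dom


def immediate_dominators(dom, entry):
    """Parent of each node in the dominator tree (slide 23): the strict
    dominator that every other strict dominator also dominates."""
    idom = {}
    for n, ds in dom.items():
        if n == entry:
            continue
        strict = ds - {n}
        for cand in strict:
            if all(other in dom[cand] for other in strict):
                idom[n] = cand
    return idom


def back_edges(cfg, dom):
    """Edge n -> h closes a loop when h dominates n (slides 21-28)."""
    return [(n, h) for n, succs in cfg.items() for h in succs if h in dom[n]]


def is_interesting(func, min_complexity=3, interesting_callees=("strncpy", "memcpy")):
    """Filter: high complexity, or a call into a known memory routine, so that
    a wrapper like safe_strcpy (slide 31) is not thrown away.
    Threshold and callee list are assumptions of this example."""
    m = cyclomatic_complexity(func["cfg"])
    return m >= min_complexity or any(c in interesting_callees for c in func["calls"])


# Constructed function: an if/else inside a loop.
LOOPY = {
    "cfg": {
        "entry": ["cond"],
        "cond": ["body", "exit"],   # loop header
        "body": ["then", "else"],
        "then": ["join"],
        "else": ["join"],
        "join": ["cond"],           # back edge
        "exit": [],
    },
    "calls": [],
}

# Constructed straight-line wrapper shaped like the slide's safe_strcpy.
WRAPPER = {"cfg": {"entry": ["exit"], "exit": []}, "calls": ["realloc", "strncpy"]}

if __name__ == "__main__":
    dom = dominators(LOOPY["cfg"], "entry")
    print("M =", cyclomatic_complexity(LOOPY["cfg"]))
    print("idom:", immediate_dominators(dom, "entry"))
    print("loops:", back_edges(LOOPY["cfg"], dom))
    print("wrapper interesting:", is_interesting(WRAPPER))
```

For LOOPY the formula gives M = 8 – 7 + 2 = 3 and the only back edge is join -> cond; the wrapper scores M = 1 and survives purely because of the strncpy call. How the deck discounts detected loops when ranking functions is its own heuristic; the code only shows the building blocks.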
SLIDE 32 Add your own
For static analysis we use
SLIDE 33
DEMO
SLIDE 34
Questions!
SLIDE 35
Data Tainting
SLIDE 36
Dytan
SLIDE 37
PIN
SLIDE 38
Taint sources
SLIDE 39
Markings granularity
SLIDE 40
Propagation
add eax, ebx, edx
SLIDE 41
Output
Registers
Memory locations
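As an added illustration of slides 38 to 41 (my own code, not Dytan's or PIN's): a byte-granular taint tracker in Python. The taint source is a byte range of the input buffer, every tainted register or memory byte carries the set of source addresses it derives from, and each instruction marks its destination with the union of its sources' labels, so add edx, eax, ebx taints edx whenever eax or ebx is tainted. The REIL-like three-operand trace, the addresses and the operand encoding are constructed for the example.

```python
"""Byte-granular taint tracking in the style of slides 38-41: taint sources,
per-byte markings, propagation, and the tainted registers/memory locations
as output. Added example; the trace and addresses are constructed and the
operand encoding is my own, not Dytan's."""


class TaintTracker:
    def __init__(self, source_ranges):
        # memory: address -> set of source labels (byte granularity, slide 39)
        self.mem = {}
        # registers: name -> set of source labels
        self.regs = {}
        for start, end in source_ranges:         # taint sources (slide 38)
            for addr in range(start, end):
                self.mem[addr] = {addr}           # label = originating input byte

    def _labels(self, operand):
        """Labels of an operand: ("mem", addr, size), a register name, or an immediate."""
        if isinstance(operand, tuple):
            _, addr, size = operand
            labels = set()
            for a in range(addr, addr + size):
                labels |= self.mem.get(a, set())
            return labels
        if isinstance(operand, int):              # immediates are never tainted
            return set()
        return self.regs.get(operand, set())

    def _mark(self, operand, labels):
        if isinstance(operand, tuple):
            _, addr, size = operand
            for a in range(addr, addr + size):
                if labels:
                    self.mem[a] = set(labels)
                else:
                    self.mem.pop(a, None)         # overwritten by clean data
        elif labels:
            self.regs[operand] = set(labels)
        else:
            self.regs.pop(operand, None)

    def step(self, insn):
        """Propagation (slide 40): the destination receives the union of all
        source labels, e.g. add edx, eax, ebx taints edx if eax or ebx is."""
        _op, dst, *srcs = insn
        labels = set()
        for s in srcs:
            labels |= self._labels(s)
        self._mark(dst, labels)

    def run(self, trace):
        for insn in trace:
            self.step(insn)
        return self.output()

    def output(self):
        """Output (slide 41): tainted registers and tainted memory locations."""
        return {
            "registers": {r: sorted(l) for r, l in self.regs.items()},
            "memory": sorted(self.mem),
        }


# Constructed trace in a REIL-like (op, dst, src...) form.
TRACE = [
    ("str", "eax", ("mem", 0x30F064, 4)),   # eax <- 4 input bytes
    ("str", "ebx", 5),                       # ebx <- constant
    ("add", "edx", "eax", "ebx"),            # edx tainted through eax
    ("str", ("mem", 0x30F100, 4), "edx"),    # tainted value written to memory
    ("str", "eax", 0),                       # eax overwritten: its taint is cleared
    ("add", "ecx", "ecx", "ebx"),            # clean + clean stays clean
]


def tainted_after(trace=TRACE, source=((0x30F064, 0x30F068),)):
    """Run the trace with the given input range as taint source."""
    return TaintTracker(source).run(trace)


if __name__ == "__main__":
    print(tainted_after())
```

On the constructed trace only edx stays tainted at the end, and the four bytes at 0x30f100 inherit the labels of the four input bytes at 0x30f064, which is exactly the mapping an in-memory fuzzer needs to decide which bytes are worth mutating.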
SLIDE 42
DEMO
SLIDE 43
Questions!
SLIDE 44
In‐memory fuzzing
SLIDE 45
Why?
SLIDE 46
Problems
SLIDE 47
Expertise and patience
SLIDE 48
Memory instability
SLIDE 49
False positives
SLIDE 50
False negatives
SLIDE 51
Mutation loop insertion
SLIDE 52
Snapshot mutation restoration
SLIDE 53 What do we do?
Hook image
SLIDE 54
First approach
SLIDE 55 For instance…
30f064‐30f067 ABCD
0x8a Y 0x00
ABCD
0x8a Y 0x00 K
SLIDE 56
Second approach
SLIDE 57 Example
30f064‐30f067 30f084‐30f097 ABCD
0x89 K D F 0x96 0x00 J K U Y W 0xA7 0xB8 0x00 0x10 A T N 0x00 0xD3
SLIDE 58
Code coverage
SLIDE 59 How??
Good sample: Score
Evil sample: Score
Compare
SLIDE 60
Score = BBexecuted / BBtotal
BBexecuted = basic blocks executed, BBtotal = total basic blocks
SLIDE 61 Halting
Cgood = Cevil + t
Cgood = code coverage of the user‐supplied good sample, Cevil = code coverage of the evil sample, t = user‐supplied threshold
SLIDE 62
What do we use?
Code coverage
Faults monitor
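Added example for slides 51 to 62, written for this page and not taken from the talk's fuzzer: a Python in-memory fuzzing loop that snapshots the hooked buffer, mutates it in place, runs the target under a faults monitor, restores the snapshot, and scores each run with Score = BBexecuted / BBtotal. The halting rule Cgood = Cevil + t is applied as "stop once the evil sample's coverage is within t of the good sample's"; that reading of t is my interpretation. The instrumented toy parser stands in for a hooked function, and the fixed mutation list replaces the fuzzer's random mutator so the run is repeatable; sample, regions and mutations are all constructed.

```python
"""In-memory fuzzing with snapshot, mutation and restoration (slides 51-57),
coverage scoring Score = BBexecuted / BBtotal (slide 60), the halting rule
Cgood = Cevil + t (slide 61) and a faults monitor (slide 62).
Added example: target, sample and mutations are constructed."""

TOTAL_BLOCKS = 6


def target(mem, hit):
    """Constructed record parser over a shared buffer: [tag][len][payload...].
    Each basic block records its id in `hit` (stand-in for coverage instrumentation)."""
    hit.add(0)
    if mem[0] != 0x41:              # tag check
        hit.add(1)
        return
    length = mem[1]
    hit.add(2)
    if length > len(mem) - 2:       # constructed fault path for the faults monitor
        hit.add(3)
        raise IndexError("length exceeds buffer")
    checksum = sum(mem[2:2 + length]) & 0xFF
    hit.add(4)
    if checksum == 0:
        hit.add(5)


def coverage_score(hit, total=TOTAL_BLOCKS):
    """Score = BBexecuted / BBtotal (slide 60)."""
    return len(hit) / total


def should_halt(c_good, c_evil, t):
    """Halting (slide 61): stop once the evil sample's coverage reaches the
    good sample's coverage within the user-supplied threshold t (my reading)."""
    return c_evil + t >= c_good


def run_once(mem):
    """One execution of the hooked function under a faults monitor (slide 62)."""
    hit = set()
    fault = None
    try:
        target(mem, hit)
    except Exception as exc:         # a crash in the hooked function is the finding
        fault = repr(exc)
    return coverage_score(hit), fault


def in_memory_fuzz(good_sample, regions, mutations, t):
    """Snapshot -> mutate -> run -> restore, until the halting rule fires."""
    mem = bytearray(good_sample)
    c_good, _ = run_once(mem)        # coverage of the user-supplied good sample
    snapshot = bytes(mem)            # snapshot (slide 52)
    results = []
    for pos, value in mutations:
        if not any(lo <= pos < hi for lo, hi in regions):
            raise ValueError("mutation outside the hooked regions")
        mem[:] = snapshot            # restoration before every run
        mem[pos] = value             # in-place mutation: this is the evil sample
        c_evil, fault = run_once(mem)
        results.append((bytes(mem), c_evil, fault))
        if fault is None and should_halt(c_good, c_evil, t):
            break
    mem[:] = snapshot                # leave the process state as we found it
    return c_good, results


# Constructed good sample: tag 0x41, two payload bytes whose checksum is zero.
GOOD_SAMPLE = bytes([0x41, 0x02, 0x01, 0xFF])
REGIONS = [(0, 4)]                   # one region, the "first approach" (slide 54)
MUTATIONS = [(0, 0x42), (1, 0x05), (3, 0x00)]

if __name__ == "__main__":
    c_good, results = in_memory_fuzz(GOOD_SAMPLE, REGIONS, MUTATIONS, t=0.2)
    print("Cgood =", round(c_good, 3))
    for sample, c_evil, fault in results:
        print(sample.hex(), "Cevil =", round(c_evil, 3), "fault =", fault)
```

With t = 0.2 the good sample scores 4/6, the first mutation (wrong tag) scores 2/6 and the loop continues, the second mutation (oversized length) is reported by the faults monitor, and the third scores 3/6, which is within the threshold, so the loop halts. The "second approach" of slides 56 and 57 is covered by passing several ranges in REGIONS.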
SLIDE 63
DEMO
SLIDE 64
Future – A reasoner
SLIDE 65
Thanks
SLIDE 66
Questions!
SLIDE 67 More Info
viozzo.wordpress.com @_snagg vincenzo.iozzo@zynamics.com