Fuzzing for CyberSecurity, Abe Cohen, 2019-11-13 (PowerPoint presentation)

Slide 1

Slide 2

Fuzzing for CyberSecurity

Abe Cohen 2019-11-13

Slide 3

Fuzzing for CyberSecurity

  • What is fuzzing/fuzz testing?
  • Why AFL?
  • How does it work with GNAT Pro/Ada?
Slide 4

Premise: Fuzz Testing

  • Definition: Stable Software

    ○ Software that is highly unlikely to enter exceptional situations that it was not designed for or tested against

  • More situations tested, more stable software
  • Stability via negative input testing equates to a higher level of security

Slide 5

How Fuzzing Works

  • Black Box Test connected to an input
  • The fuzzer “fuzzes” the input data and feeds it into the program
  • If the program crashes, it logs the bug

[Diagram: seed with test corpus (optional) -> generate new input -> execute -> fault? -> no: generate new input again; yes: record the bug]

Slide 6

Fuzz Testing Benefits

  • Helps you find bugs/vulnerabilities in your code

○ Not just crashing bugs when used with specific Sanitizers

  • Replicates what a hacker might do to find a vulnerability
  • High benefit-to-cost ratio
Slide 7

Fuzz Testing Limitations

  • Doesn’t test software quality

○ Meant to be used in addition to other testing techniques

  • Requires context/knowledge of the system to determine each found bug’s potential danger

    ○ Ada mitigates this using compiler checks

Slide 8

American Fuzzy Lop

American Fuzzy Lop is a rabbit breed. American Fuzzy Lop is also a fuzzing library.

Slide 9

AFL Sales Pitch

Smart: input mutation based, driven by CFG instrumentation feedback
Fast: fork-point optimization and in-process fuzzing loops

[Diagram: the program is split into an init/setup phase and an input processing phase; the fault?/feedback loop repeats only the input processing phase (“only this”), not the whole program (“not all that”)]

Slide 10

AFL Bug Trophy Case

Slide 11

AFL Bonuses

  • Chainable to other tools

○ Can sync/share test corpus with other tools

  • Low complexity setup

○ No guesswork or settings to fine-tune

Slide 12

What We’re Working On

  • Original idea came from customer blog post on AdaCore’s blog

○ “Leveraging Ada Run-Time Checks with Fuzz Testing in AFL” by Lionel Matias

○ https://blog.adacore.com/running-american-fuzzy-lop-on-your-ada-code

  • Improve GCC instrumentation plugin
  • Provide facilities to leverage AFL’s fork server & in-process abilities
  • Nightly build available for beta testing on demand
  • Further work underway through a research project
Slide 13

How AFL Works with GNAT Pro/Ada

Assuming a program P processing an input file:

  • AFL looks for crashes via signal from OS
  • Ada crashes more gracefully than that

Fuzzing with AFL therefore first requires a simple wrapper:

    --  The program under test: P processes the input file named on the command line
    with Ada.Command_Line;
    with Worker;
    procedure P is
       Filename : constant String := Ada.Command_Line.Argument (1);
    begin
       Worker.Process (Filename);
    end P;

    --  The wrapper: turn any unhandled Ada exception into a core dump,
    --  so that the OS signal AFL watches for is actually raised
    with GNAT.Exception_Actions;
    with P;
    procedure P_Crash is
    begin
       P;
    exception
       when E : others =>
          GNAT.Exception_Actions.Core_Dump (E);
    end P_Crash;

Slide 14

How AFL Works with GNAT Pro/Ada

Then a very simple sequence of commands:

    PATH=<...> AFL_PATH=<...>
    gprbuild -Pp.gpr p_crash.adb -XDRIVER=afl-gcc-fast
    afl-fuzz -i inputs -o findings -- obj/p_crash @@

Only minor project file updates are needed to access:

  • The instrumenting compiler
  • Facilities to leverage AFL’s fork-server and in-process fuzzing
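Once afl-fuzz has filled findings/crashes, the next step is to replay each saved input through the harness and confirm it really dies by OS signal rather than exiting gracefully, which is exactly the distinction the P_Crash wrapper exists for. The POSIX shell script below is an added example, not code from the slides or from GNAT Pro; it assumes the slides' layout (obj/p_crash taking the input file as its argument, findings/ as the AFL output directory) and uses coreutils `timeout` when it is installed.

```shell
#!/bin/sh
# Added example, not from the slides: replay the inputs afl-fuzz saved under
# findings/crashes through the harness and report how each run ended. AFL
# records a crash only when the OS kills the target with a signal, which is why
# the P_Crash wrapper turns an Ada exception into a core dump; an input that
# merely makes the program exit with status 1 would never be recorded.
# Assumed layout (from the slides): obj/p_crash takes the input file as its
# argument (AFL's @@). coreutils `timeout` is used when present.

# Run one command and classify its termination as "signal N", "exit N" or
# "timeout". Usage: classify_run <seconds> <command...>
classify_run() {
    _secs=$1; shift
    _st=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "$_secs" "$@" >/dev/null 2>&1 || _st=$?
        # timeout itself exits 124 when it had to kill the target
        [ "$_st" -eq 124 ] && { echo "timeout"; return 0; }
    else
        "$@" >/dev/null 2>&1 || _st=$?
    fi
    if [ "$_st" -gt 128 ]; then
        # POSIX shells report death-by-signal as 128 + signal number,
        # e.g. 134 for SIGABRT: the kind of termination AFL treats as a crash.
        echo "signal $((_st - 128))"
    else
        echo "exit $_st"
    fi
}

# Replay every saved crash input. Usage: triage_crashes <harness> <findings-dir>
triage_crashes() {
    _harness=$1; _dir=$2/crashes
    for f in "$_dir"/id:*; do
        [ -e "$f" ] || { echo "no crash inputs in $_dir"; return 1; }
        printf '%s: %s\n' "$(basename "$f")" "$(classify_run 5 "$_harness" "$f")"
    done
}

# Stand-alone use: sh triage.sh obj/p_crash findings
if [ "$#" -eq 2 ]; then
    triage_crashes "$1" "$2"
fi
```

Any input reported as "exit N" is one the wrapper failed to turn into a signal and is worth a second look at the exception handling in P_Crash.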

Slide 15

Conclusion

  • More fuzzing -> more stability -> more security
  • Easy to configure and run, effective at finding bugs, and useful to other tools
  • Starting to see it all over tech

○ Becoming best practice to integrate into your testing process

  • Look out for GNATFuzz soon!
Slide 16