fuzzing suricata finding vulnerabilities in large projects
play

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko - PowerPoint PPT Presentation

Mar 28, 2024 •294 likes •598 views

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Her Special thanks Robert Haist, DCSO Victor Julien, lead developer suricata,

  1. Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Höer @golle0x90 1 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  2. Special thanks ● Robert Haist, DCSO ● Victor Julien, lead developer suricata, Open Infosec Foundation (OISF) ● Henning Perl, CTO, Code Intelligence ● Sergej Dechand, CEO, Code Intelligence 2 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  3. Disclaimer ● The methodologie mentioned here reflect my experiences about fuzz-testing and are not general approaches used by the BSI ! ● All opinions about Fuzzing expressed in this presentation are my opinions only. They are not the general opinion of the BSI ! 3 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  4. Table of content Introduction ● Methodology of Fuzzing Suricata ● Example: Ethernet Decoder Heap Buffer Overflow ● Conclusion ● 4 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  5. What is suricata Facts : - about 600k lines of code - more than 600 source files Open Source IDS / IPS / NSM ● - Uses Unit Tests and AFL Fuzzing (2019) Developed by Open Information Security Foundation ● - since March 2020 integration to google oss-fuzz written in c and rust ● Buildsystem: automake ● Version 5.0.3 ● 5 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  6. Methodology of Fuzzing Projects in general Analyse, Run Fuzzers, Setup Create Fuzz-Targets, Bug investigation, Debugging Bug report 6 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  7. Methodology of Fuzzing Suricata Analyse, Run Fuzzers, Setup Create Fuzz-Targets, Bug investigation, Debugging Bug report 7 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  8. My Setup Build process How to build the project ? ● $ user@host ./autogen $ user@host ./configure $ user@host make all -j$(nproc) Build the project 8 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  9. My Setup #!/usr/bin/sh set -e export CC=clang export CXX=clang++ Build process export ASAN_OPTIONS=detect_leaks=0 ./configure --disable-rust CFLAGS="-O1 -v -g -fPIC \ How to build the project ? ● -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep \ -fsanitize= address,fuzzer-no-link ,undefined,signed-integer-overflow,bool,pointer-o Create build script with sanitzer ● verflow" \ ○ patch object file LDFLAG="-fsanitize=address,fuzzer-no-link,undefined,signed-integer-overflow,bool,p ointer-overflow \ ○ pack all together -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep" \ make -j$(nproc) … echo "patch suricata.o ..." sed -i -e 's/main/mmmm/g' suricata.o echo "patched ..." echo "generate archiv suricata_fuzz.a ..." ar rv suricata_fuzz.a *.o echo "generated ..." build_suricata.sh Build parent Create build script 9 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  10. My Setup FROM base/archlinux #install main packages RUN echo "installing basic packages ..." Build process RUN pacman -Syu --noconfirm RUN pacman -S --noconfirm \ How to build the project ? ● screen \ git \ Create build script with sanitzer ● … Build fuzzing infrastructure (Docker) ● # install dep for suricata RUN pacman -Syu --noconfirm RUN pacman -S --noconfirm \ jansson \ libnet \ libyaml \ nss ... Dockerfile Build parent Create build script Create infra. 10 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  11. My Setup FUZZERS = fuzz_app \ ... fuzz_decoder_udp ... fuzz_%: $(src_target)/fuzz_%.c $(shell mkdir -p $(build_target)/$*) clang -O1 -g \ Build process $< \ ${CFLAGS} ${LDFLAGS} \ -DCLS=64 \ How to build the project ? ● -D HAVE_MAGIC \ Create build script with sanitzer -I../src -I../libhtp \ ● -fsanitize= fuzzer,address ,undefined, \ Build fuzzing infrastructure (Docker) ● signed-integer-overflow, \ bool,pointer-overflow \ Build Makefile for fuzz-targets ● -fsanitize-coverage=trace-pc-guard \ -fsanitize-thread-memory-access \ -lstdc++ \ -lmagic -lcap-ng -lpcap -lpthread -lnet -lyaml -lpcre -lz -llzma \ ../src/suricata_fuzz.a \ ../libhtp/htp/.libs/libhtp.a \ /usr/lib/liblz4.so \ -o $(build_target)/$*/$@ ... Makefile Build parent Create build script Create infra. Makefile 11 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  12. Methodology of Fuzzing Suricata Analyse, Bug investigation, Setup Fuzz-Targets, Bug report Running Tests 12 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  13. Analyse Biggest challenge: Finding entry points suricata ├── contrib Look at Unit-Test ├── doc ● ... ├── libhtp Look at Fuzz-Test (if fuzz-tests are available) ● ... ├── rust Look at the Bug-Tracker ● ├── src │ ├── alert-debuglog.c │ ├── alert-fastlog.c │ ├── alert-prelude.c │ ├── alert-syslog.c │ ├── alert-unified2-alert.c │ ├── app-layer.c │ ├── app-layer-dcerpc.c │ ├── app-layer-dcerpc-udp.c │ ├── app-layer-detect-proto.c │ ├── app-layer-dhcp.c │ ├── app-layer-dnp3.c … │ ├── app-layer-parser.c … │ ├── decode-erspan.c │ ├── decode-ethernet.c │ ├── decode-events.c ... │ ├── decode-gre.c │ ├── suricata.c ... └── suricata-update 13 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  14. Analyse Biggest challenge: Finding entry points suricata ├── contrib Look at Unit-Test ├── doc ● ... ├── libhtp Look at Fuzz-Test (if fuzz-tests are available) ● ... ├── rust Look at the Bug-Tracker ● ├── src │ ├── alert-debuglog.c │ ├── alert-fastlog.c │ ├── alert-prelude.c │ ├── alert-syslog.c │ ├── alert-unified2-alert.c │ ├── app-layer.c │ ├── app-layer-dcerpc.c │ ├── app-layer-dcerpc-udp.c │ ├── app-layer-detect-proto.c │ ├── app-layer-dhcp.c │ ├── app-layer-dnp3.c In this case, I look at: … │ ├── app-layer-parser.c … │ ├── decode-erspan.c Entrypoint : src/suricata.c ● │ ├── decode-ethernet.c │ ├── decode-events.c Unit-Tests: src/tests/*.c ● ... │ ├── decode-gre.c │ ├── suricata.c ... └── suricata-update 14 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  15. Analyse Find interesting things Fuzz-targets for AFL: ... 1183 static void ParseCommandLineAFL(const char *opt_name, char *opt_arg){ 1184 #ifdef AFLFUZZ_RULES About 25 written Targets (2019) ● 1185 if(strcmp(opt_name, "afl-rules") == 0) { MpmTableSetup(); App-Layer: ● . SpmTableSetup(); . http-request / response ○ . exit(RuleParseDataFromFile(opt_arg)); } else smb-request / response ○ #endif smtp ○ #ifdef AFLFUZZ_APPLAYER Low-Level decoder ● if(strcmp(opt_name, "afl-http-request") == 0) { //printf("arg: //%s\n", opt_arg); IPv4 / IPv6 decoder ○ MpmTableSetup(); PPP-decoder ○ SpmTableSetup(); Ethernet-decoder AppLayerProtoDetectSetup(); ○ AppLayerParserSetup(); RegisterHTPParsers(); exit(AppLayerParserRequestFromFile(IPPROTO_TCP, ALPROTO_HTTP, opt_arg)); } ... 1268 suricata.c 15 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  16. Analyse Finding good Fuzz-Targets Example: ● RuleParseDataFromFile(...) int RuleParseDataFromFile(char *filename) { ● AppLayerParserRequestFromFile(...) ... SigTableSetup(); ● AppLayerParserFromFile(...) SCReferenceConfInit(); SCClassConfInit(); ● MimeParserDataFromFile(...) DetectEngineCtx *de_ctx = DetectEngineCtxInit(); ... while (__AFL_LOOP(10000)) { ● DecoderParseDataFromFile(...) ... size_t result = fread(&buffer, 1, sizeof(buffer), fp); ● DerParseDataFromFile(...) if (result < sizeof(buffer)) { buffer[result] = '\0'; ● ConfYamlLoadString(...) Signature *s = SigInit(de_ctx, buffer); if (s != NULL) { SigFree(s); } } ... DetectEngineCtxFree(de_ctx); SCClassConfDeinit(); SCReferenceConfDeinit(); decoder-afl.c } 16 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  17. The Fuzz-Target (Example) /* Include files */ … Creating Fuzz-Targets int LLVMFuzzerInitialize( int *argc, char ***argv) { MpmTableSetup(); SpmTableSetup(); AppLayerProtoDetectSetup(); ... AppLayerParserSetup(); if(strcmp(opt_name, "afl-http-request") == 0) { AppLayerParserRegisterProtocolParsers(); //printf("arg: //%s\n", opt_arg); MpmTableSetup(); /* Initialize random number generator */ SpmTableSetup(); srand(0); AppLayerProtoDetectSetup(); return 0; AppLayerParserSetup(); } RegisterHTPParsers(); exit(AppLayerParserRequestFromFile(IPPROTO_TCP, ALPROTO_HTTP, opt_arg)); AppProto AppProtoFromData() { ... } else if(strcmp(opt_name, "afl-tls") == 0) { return rand() % ALPROTO_MAX; //printf("arg: //%s\n", opt_arg); } MpmTableSetup(); ... SpmTableSetup(); AppLayerProtoDetectSetup(); AppLayerParserSetup(); RegisterSSLParsers(); exit(AppLayerParserFromFile(IPPROTO_TCP, ALPROTO_TLS, opt_arg)); ... suricata.c fuzz_app.c 17 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Finding Vulnerabilities with Fuzzing Chao Zhang Tsinghua

Finding Vulnerabilities with Fuzzing Chao Zhang Tsinghua

Finding Vulnerabilities with Fuzzing Chao Zhang Tsinghua University http://netsec.ccert.edu.cn/chaoz/ About Me 2004-2008-2013 2013-2016 2016-present p Hack for fun software and system security Tencent

1.23k views • 98 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as a SSL monitor Suricata as a passive DNS probe Suricata as a flow probe Suricata as a malware detector VirtualBox setup File -&gt;

1.16k views • 78 slides
FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim * 1 Fuzzing Discovers Many Vulnerabilities 2 Fuzzing Discovers Many Vulnerabilities 3 Testers Find Bugs with Fuzzing

1.13k views • 65 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu *

Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu *

Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu * , Sanidhya Kashyap * , Jungyeon Yoon, Wen Xu, Taesoo Kim * On the job market Demonstration Fuzzing F2FS in Linux v5.0-rc7 for crash consistency

943 views • 75 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 .

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 .

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 . Leblond (OISF) Suricata and XDP Nov. 29, 2018 1 / 43 Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet

786 views • 59 slides
Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing

Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing

Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing antti.levomaki@forcepoint.com opi@forcepoint.com WHO? ANTTI LEVOMKI OLLI-PEKKA NIEMI Research Scientist Director of Research WHAT? NETWORK EVASIONS +

463 views • 18 slides
Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and

Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and

Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and Windows Servers About the presentation Whoami Introduction 0days and the rush for public vulnerabilities And Advanced fuzzing techniques

432 views • 31 slides
HotFuzz Discovering Algorithmic Denial-of-Service Vulnerabilities through Guided Micro-Fuzzing

HotFuzz Discovering Algorithmic Denial-of-Service Vulnerabilities through Guided Micro-Fuzzing

HotFuzz Discovering Algorithmic Denial-of-Service Vulnerabilities through Guided Micro-Fuzzing William Blair Andrea Mambretti Sajjad Arshad Michael Weissbacher Boston University Northeastern University Northeastern University Northeastern

172 views • 14 slides
BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski

BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski

Bro Befriends Suricata 23/09/16 20 : 23 BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski @michalpurzynski / Scripts are here - https://github.com/michalpurzynski

894 views • 47 slides
Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee Insik Shin Korea Advanced Institute of Science and Technology Seoul National University Purdue

3.64k views • 23 slides
HIGH-DEF FUZZING EXPLORING VULNERABILITIES IN HDMI-CEC name = &quot;Joshua Smith&quot; job =

HIGH-DEF FUZZING EXPLORING VULNERABILITIES IN HDMI-CEC name = &quot;Joshua Smith&quot; job =

HIGH-DEF FUZZING EXPLORING VULNERABILITIES IN HDMI-CEC name = &quot;Joshua Smith&quot; job = &quot;Senior Security Researcher&quot; job += &quot;HP Zero Day Initiative&quot; irc = &quot;kernelsmith&quot; twit = &quot;@kernelsmith&quot;

577 views • 54 slides
QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang and Taesoo Kim, FINDING SECURITY BUGS Fuzzing Automated test to monitor exceptions (crashes &amp; memory leaks)

417 views • 17 slides
Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng Xu (Georgia Tech) Finding Race Conditions in Kernels 1 July 16, 2020 The game of attack and defense Bug fi nding Exploitation Pro fi t Meng Xu

2.82k views • 173 slides
A formalization of the Quipper quantum programming language Henri Chataing, Neil J. Ross &amp;

A formalization of the Quipper quantum programming language Henri Chataing, Neil J. Ross &amp;

A formalization of the Quipper quantum programming language Henri Chataing, Neil J. Ross &amp; Peter Selinger Dalhousie University &amp; Ecole Polytechnique 2014 TYPES Meeting 1 Quantum computing is computing based on the laws of quantum

783 views • 16 slides
Case Studies for Evaluating Programming Languages Jonathan Aldrich 17-396/17-696/17-960:

Case Studies for Evaluating Programming Languages Jonathan Aldrich 17-396/17-696/17-960:

Case Studies for Evaluating Programming Languages Jonathan Aldrich 17-396/17-696/17-960: Language Design and Prototyping Carnegie Mellon University Thought Question What can we learn from trying out a language? Can this be done

670 views • 63 slides
On two tricks to make Category Theory fjt in less mental space: missing diagrams and skeletons

On two tricks to make Category Theory fjt in less mental space: missing diagrams and skeletons

On two tricks to make Category Theory fjt in less mental space: missing diagrams and skeletons of proofs A talk at the Creativity 2019 conference in honor of Newton da Costas 90th birthday Rio de Janeiro, december 11, 2019 By:

538 views • 24 slides
IPFIX Protocol Specifications IPFIX IETF-61 November 11th, 2004

IPFIX Protocol Specifications IPFIX IETF-61 November 11th, 2004

IPFIX Protocol Specifications IPFIX IETF-61 November 11th, 2004 &lt;draft-ietf-ipfix-protocol-06.txt&gt; Benoit Claise &lt;bclaise@cisco.com&gt; Stewart Bryant &lt;stbryant@cisco.com&gt; Mark Fullmer &lt;maf@eng.oar.net&gt; Ganesh

265 views • 13 slides
Observational signatures of fragmenting protostellar disk Olga Zakhozhay Main Astronomical

Observational signatures of fragmenting protostellar disk Olga Zakhozhay Main Astronomical

Observational signatures of fragmenting protostellar disk Olga Zakhozhay Main Astronomical Observatory National Academy of Sciences of Ukraine zkholga@mail.ru in collaboration with Eduard Vorobyov 1 and Michael Dunham 2 1 Institute of

326 views • 17 slides
Teach your (micro)services speak Protocol Buffers with gRPC. Mihai Iachimovschi @mishunika

Teach your (micro)services speak Protocol Buffers with gRPC. Mihai Iachimovschi @mishunika

Teach your (micro)services speak Protocol Buffers with gRPC. Mihai Iachimovschi @mishunika mihai.iachimovschi@gmail.com Whats inside? Whats inside? Message serialization and deserialization Whats inside? Message serialization

1.96k views • 172 slides
3. Progress update Legal Challenge Hearing day 18 th March Topic 1 Highways and wider

3. Progress update Legal Challenge Hearing day 18 th March Topic 1 Highways and wider

Hollands Farm Liaison Group Workshop Powerpoint Slides Meeting 2 WDC, Committee Room 1 9:30am 12:00pm 5 th October 2020 Cllr David Johncock Cabinet Member for Planning Charlotte Morris Principal Planning Policy Officer Agenda 1.

173 views • 3 slides
Computer-aided cryptography Gilles Barthe IMDEA Software Institute, Madrid, Spain May 17, 2015

Computer-aided cryptography Gilles Barthe IMDEA Software Institute, Madrid, Spain May 17, 2015

Computer-aided cryptography Gilles Barthe IMDEA Software Institute, Madrid, Spain May 17, 2015 Modern cryptography Shannon 49 Mathematical proof of security Perfect secrecy is impossible Diffie &amp; Hellman 76

607 views • 41 slides

More recommend