the fuzzing project https fuzzing project org
play

The Fuzzing Project https://fuzzing-project.org/ Hanno B ock 1 / - PowerPoint PPT Presentation

Dec 11, 2023 •109 likes •303 views

Introduction Examples Tools Objections Conclusions The Fuzzing Project https://fuzzing-project.org/ Hanno B ock 1 / 18 Introduction Motivation Examples Fuzzing Tools C Memory Bugs Objections Invalid memory access example

  1. Introduction Examples Tools Objections Conclusions The Fuzzing Project https://fuzzing-project.org/ Hanno B¨ ock 1 / 18

  2. Introduction Motivation Examples Fuzzing Tools C Memory Bugs Objections Invalid memory access example Conclusions Motivation Do you use tools like strings, less, file, convert, ldd, unzip, ...? Would you use these tools on untrusted input? 2 / 18

  3. Introduction Motivation Examples Fuzzing Tools C Memory Bugs Objections Invalid memory access example Conclusions Fuzzing 3 / 18

  4. Introduction Motivation Examples Fuzzing Tools C Memory Bugs Objections Invalid memory access example Conclusions C Memory Bugs Buffer Overflow, Stack Overflow, Heap Overflow, Use-after-Free, Out-of-bounds, Memory Corruption, Off-by-1, ... Summarize: Software reads or writes the wrong memory Many security vulnerabilities are bugs in C memory handling 4 / 18

  5. Introduction Motivation Examples Fuzzing Tools C Memory Bugs Objections Invalid memory access example Conclusions Invalid memory access example int main() { int a[2] = { 3, 1 } ; int b = a[2]; } 5 / 18

  6. Introduction Examples Binutils Tools less Objections Let’s start fuzzing Conclusions Example: binutils October 2014: Michal Zalewski reports a crash in strings strings is part of binutils and parses executables (ELF, PE and others) - did you know that? Followup: Various people started fuzzing binutils (nm, ld, objdump, readelf, ...) and found hundreds of memory corruption issues - and we’re still not done binutils 2.25: strings doesn’t parse executables by default any more 6 / 18

  7. Introduction Examples Binutils Tools less Objections Let’s start fuzzing Conclusions Example: less less pipes input through lesspipe, a script that calls other applications depending on the filetype unzip, cpio, lha, antiword, catdoc, unrtf, rpm, msgunfmt, dpkg, identify (ImageMagick), cabextract, readelf (binutils!), isoinfo, ... Many of these tools have or had memory corruption bugs that are trivial to find via fuzzing less itself has unfixed memory access issues (CVE-2014-9488) 7 / 18

  8. Introduction Examples Binutils Tools less Objections Let’s start fuzzing Conclusions Let’s start fuzzing Fuzzing finds real security vulnerabilities It’s easy! If you take a random piece of software that parses complex data chances are very high that you will find crashes within minutes We should just fuzz everything and fix this 8 / 18

  9. Introduction Examples American Fuzzy Lop (afl) Tools Address Sanitizer (asan) Objections Make fuzzing part of development Conclusions American Fuzzy Lop (afl) 9 / 18

  10. Introduction Examples American Fuzzy Lop (afl) Tools Address Sanitizer (asan) Objections Make fuzzing part of development Conclusions American Fuzzy Lop (afl) Currently most powerful free tool for fuzzing Adds compile time instrumentation and identifies promising code paths Developed by Michal Zalewski (lcamtuf), found some of the post Shellshock Bash bugs and issues in gnupg, openssh, libjpg, libpng, ... 10 / 18

  11. Introduction Examples American Fuzzy Lop (afl) Tools Address Sanitizer (asan) Objections Make fuzzing part of development Conclusions Address Sanitizer (asan) Not every invalid memory access causes a crash Addressf Sanitizer: Compile time feature to add additional bounds checks (clang, gcc - CFLAGS=”-fsanitize=address”) afl/asan combination is currently the gold standard of fuzzing 11 / 18

  12. Introduction Examples American Fuzzy Lop (afl) Tools Address Sanitizer (asan) Objections Make fuzzing part of development Conclusions Make fuzzing part of development Ideally free software projects should integrate fuzzing into their development process Make software fuzzing friendly! Should not break with Address Sanitizer Provide simple command line tools with libraries to expose parsers 12 / 18

  13. Introduction Examples Deprecate C Tools Fix C Objections Conclusions Deprecate C Shouldn’t we deprecate C and rewrite everything in [some other programming language]? Answer: Moving away from C is good for new projects Projects like miTLS, Servo (browser engine), MirageOS are valuable But: We won’t deprecate C any time soon 13 / 18

  14. Introduction Examples Deprecate C Tools Fix C Objections Conclusions Fix C Shouldn’t we use mitigations like ASLR because we can’t fix all buffer overflows? Answer: Yes! Unfortunately state right now is sad. Most Linux distributions don’t enable position independent executables by default and have weak ASLR. Better exploit mitigations (Levee) are coming. Exploit mitigations are either incomplete or too expensive for real applications - fixing bugs still reduces attack surface http://oss-security.openwall.org/wiki/ exploit-mitigation 14 / 18

  15. Introduction Not everything is bad! Examples Hall of shame Tools The Fuzzing Project Objections Takeaway messages Conclusions Not everything is bad! In most cases upstream developers were happy about reports and fixed them quickly, many start fuzzing themselves Many people right now flood upstream devs with fuzzing-related bug reports Some projects that didn’t have releases for a long time were revived (unrtf, cabextract) bc/dc had last stable release in 200x, will soon have a new release with fixes for fuzzing-related bugs 15 / 18

  16. Introduction Not everything is bad! Examples Hall of shame Tools The Fuzzing Project Objections Takeaway messages Conclusions Hall of shame less: developers didn’t answer, new releases didn’t fix reported issues poppler: several unfixed open bugs, no visible activity on them unzip: Public forum has information about memory corruption issues posted several years ago, unfixed in current release Dead projects are a problem (no development but active use - e. g. procmail) 16 / 18

  17. Introduction Not everything is bad! Examples Hall of shame Tools The Fuzzing Project Objections Takeaway messages Conclusions The Fuzzing Project Tutorial for beginners (Fuzzing is easy!) Software list, the good and the bad File samples (if you want to fuzz a Microsoft Works importer and don’t have an input sample at hand) 17 / 18

  18. Introduction Not everything is bad! Examples Hall of shame Tools The Fuzzing Project Objections Takeaway messages Conclusions Takeaway messages Fuzzing is easy - everyone involved in software development should use it We have powerful free software tools (american fuzzy lop, address sanitizer) If your software is listed on the Fuzzing Project webpage and has no green ”OK” - do something about it! https://fuzzing-project.org/ http://lcamtuf.coredump.cx/afl/ https://code.google.com/p/address-sanitizer/ 18 / 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Bck https://hboeck.de/ 1 WHO AM I?

THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Bck https://hboeck.de/ 1 WHO AM I?

THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Bck https://hboeck.de/ 1 WHO AM I? Hanno Bck Freelance journalist (Golem.de, Zeit Online, taz, LWN) Started Fuzzing Project November 2014 Since May 2015: Supported by Linux

457 views • 35 slides
THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Bck https://hboeck.de/ 1 WHO AM I?

THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Bck https://hboeck.de/ 1 WHO AM I?

THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Bck https://hboeck.de/ 1 WHO AM I? Hanno Bck Freelance journalist (Golem.de, Zeit Online, taz, LWN) Started Fuzzing Project November 2015 Since May 2015: Supported by Linux

552 views • 31 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&D firstname dot lastname at orange-ftgroup dot com research & development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk

Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk

Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk WarCon 2016, Warsaw PS> whoami Project Zero @ Google Part time developer and frequent user of the fuzzing infrastructure. Dragon Sector CTF

2.26k views • 184 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk Black

Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk Black

Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk Black Hat Europe 2016, London PS> whoami Project Zero @ Google Part time developer and frequent user of the fuzzing infrastructure. Dragon

1.57k views • 133 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction Fuzzing Media Content in Android Data Generation Fuzzing the Stagefright Framework Logging & Triage Mechanisms 2 Introduction Fuzzing

1.12k views • 38 slides
NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein, Junfeng Yang, Baishakhi Ray, and Suman Jana Columbia University 1 Fuzzing: a popular way to uncover bugs [Liang et al. 2019] 2 Evolutionary Fuzzing

1.02k views • 26 slides
ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma background What is fuzzing: feed random inputs to trigger as many crashes and hangs as possible What is state-of-the-art of fuzzing research:

494 views • 18 slides
R 2 Academy Command Line Crash Course www.r-squared.in/gi t-hub Connect With Us Rsquared

R 2 Academy Command Line Crash Course www.r-squared.in/gi t-hub Connect With Us Rsquared

R 2 Academy Command Line Crash Course www.r-squared.in/gi t-hub Connect With Us Rsquared Academy Website Free Online R Courses R Packages Shiny Apps Blog GitHub YouTube Twitter Facebook Linkedin

927 views • 47 slides
REbus Make your security tools cooperate Raphal Rigo with slides by Xavier Mehrenberger July 5

REbus Make your security tools cooperate Raphal Rigo with slides by Xavier Mehrenberger July 5

REbus Make your security tools cooperate Raphal Rigo with slides by Xavier Mehrenberger July 5 th / RMLL Sec 2016 REbus Example malware CFG analysis workflow graph img Image viewer Bin CFG July 5 th / RMLL Sec 2016 2 REbus Example

510 views • 26 slides
Peng Li UNC, Chapel Hill, NC, USA Debin Gao School of Information Systems, Singapore Management

Peng Li UNC, Chapel Hill, NC, USA Debin Gao School of Information Systems, Singapore Management

Peng Li UNC, Chapel Hill, NC, USA Debin Gao School of Information Systems, Singapore Management University, Singapore Mike Reiter UNC, Chapel Hill, NC, USA 1 Background and Introduction Overall Structure Conversion Algorithm

816 views • 25 slides
Rooting the MikroTik routers A journey into reverse engineering parts of MikroTik system to gain

Rooting the MikroTik routers A journey into reverse engineering parts of MikroTik system to gain

Rooting the MikroTik routers A journey into reverse engineering parts of MikroTik system to gain access to hardware features and the shell behind the RouterOS that has no ls Who? Me? Who am I? https://twitter.com/KirilsSolovjovs

753 views • 43 slides
Studio 3 18.05 Spring 2014 Jeremy Orloff and Jonathan Bloom frequency density 4 0.4 3 0.3 2

Studio 3 18.05 Spring 2014 Jeremy Orloff and Jonathan Bloom frequency density 4 0.4 3 0.3 2

Studio 3 18.05 Spring 2014 Jeremy Orloff and Jonathan Bloom frequency density 4 0.4 3 0.3 2 0.2 1 0.1 x x .5 1.5 2.5 3.5 4.5 .5 1.5 2.5 3.5 4.5 Concept questions Suppose X is a continuous random variable. a) What is P ( a X

158 views • 12 slides
Practical Office Automation Hacking the OpenOffice.org File Format Jacob Sparre Andersen

Practical Office Automation Hacking the OpenOffice.org File Format Jacob Sparre Andersen

Practical Office Automation Hacking the OpenOffice.org File Format Jacob Sparre Andersen sparre@crs4.it LinuxDay/Cagliari 2005: Practical Office Automation http://edb.jacob-sparre.dk/foredrag/OOo/ p. 1 Ouverture Subject: This talk is

310 views • 17 slides
Budget, Finance and Facilities Committee Meeting Presided by Trustee Kimberly Moore September 2,

Budget, Finance and Facilities Committee Meeting Presided by Trustee Kimberly Moore September 2,

Budget, Finance and Facilities Committee Meeting Presided by Trustee Kimberly Moore September 2, 2020 ACTION ITEM: August 14, 2020 Minutes Trustee Kimberly Moore 2 ACTION ITEM: Carry-forward Budget Dr. Alan Robertson Vice President for

329 views • 20 slides
Ludde dden Libr Librar ary & y & Le Learn rnin ing C g Commons History of the

Ludde dden Libr Librar ary & y & Le Learn rnin ing C g Commons History of the

Project Update Ludde dden Libr Librar ary & y & Le Learn rnin ing C g Commons History of the Project Sept. 2013 Learning Commons Prospectus Completed May 2014 Level I Plan Completed/Approved March 2016 $2.5 Million

584 views • 6 slides

More recommend