the fuzzing project
play

THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Bck - PowerPoint PPT Presentation

Oct 29, 2022 •106 likes •457 views

THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Bck https://hboeck.de/ 1 WHO AM I? Hanno Bck Freelance journalist (Golem.de, Zeit Online, taz, LWN) Started Fuzzing Project November 2014 Since May 2015: Supported by Linux

  1. THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Böck https://hboeck.de/ 1

  2. WHO AM I? Hanno Böck Freelance journalist (Golem.de, Zeit Online, taz, LWN) Started Fuzzing Project November 2014 Since May 2015: Supported by Linux Foundation's Core Infrastructure Initiative 2

  3. FUZZING? Throw garbage at software 3

  4. 4

  5. FUZZING BINUTILS Hundreds of bugs 5

  6. THE C PROBLEM C/C++ responsible for many common bug classes (Buffer overflows, use after free etc.) Replacing C is good, but we'll have to live with it for a while Mitigation: Good, but incomplete. 6

  7. THE PAST Dumb fuzzing: Only finds the easy bugs Template-based fuzzing: a lot of work for each target 7

  8. AMERICAN FUZZY LOP 8

  9. AMERICAN FUZZY LOP (AFL) Smart fuzzing, quick and easy Code instrumentation Watches for new code paths 9

  10. 10

  11. AFL SUCCESS STORIES Bash Shellshock variants (CVE-2014-{6277,6278}) Stagefright vulnerabilities (CVE-2015- {1538,3824,3827,3829,3864,3876,6602}) GnuPG (CVE-2015-{1606,1607,9087}) OpenSSH out-of-bounds in handshake OpenSSL (CVE-2015-{0288,0289,1788,1789,1790,3193}) BIND remote crashes (CVE-2015-{5477,2015,5986}) NTPD remote crash (CVE-2015-7855) Libreoffice GUI interaction crashes 11

  12. FUZZING MATH 0x0505 05050505 ² mod 0x41 41414141 41414141 41412741 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41418000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000005 = 0x19324B 647D967D 644B3219 ? = 0x34 34343434 34343434 34341F67 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676774 74747474 74747474 74746F41 41414141 41417373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73738000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 0019324B 647D967D 644B321D ? 12

  13. 13

  14. 0x0F FFFFFFFF FFFFFFFF^0 mod 1 = 0 or 1 ? 14

  15. 14 NETTLE ECC / NIST P256 point (0xFFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF 001C2C00, 0x9731275B 8E973CEA FD8ABF5A 6E16A177 F05A3451 14FBC752 7B3A60BC 65FE606A) * 1 != point (0xFFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFE FFFFFFFF 001C2C00 , 0x9731275B 8E973CEA FD8ABF5A 6E16A177 F05A3451 14FBC752 7B3A60BC 65FE606A ) 15

  16. ADDRESS SANITIZER (ASAN) If you only take away one thing from this talk: Use Address Sanitizer! -fsanitize=address in gcc/clang 16

  17. SPOT THE BUG! int main() { int a[2] = {1, 0}; printf("%i", a[2]); } 17

  18. 18

  19. ADDRESS SANITIZER HELPS Finds lots of hidden memory access bugs like out of bounds read/write (Stack, Heap, Global), use-after-free etc. 19

  20. 20

  21. FINDING HEARTBLEED WITH AFL+ASAN Small OpenSSL handshake wrapper AFL finds Heartbleed within 6 hours LibFuzzer needs just 5 Minutes 21

  22. ADDRESS SANITIZER If ASAN catches all these typical C bugs... ... can we just use it in production? 22

  23. ASAN IN PRODUCTION Yes, but not for free 50 - 100 % CPU and memory overhead Example: Hardened Tor Browser 23

  24. GENTOO LINUX WITH ASAN Everything compiled with ASAN except a few core packages (gcc, glibc, dependencies) 24

  25. FIXING PACKAGES Memory access bugs in normal operation. These need to be fixed. bash, shred, python, syslog-ng, nasm, screen, monit, nano, dovecot, courier, proftpd, claws-mail, hexchat, ... 25

  26. PROBLEMS / CHALLENGES ASAN executable + non-ASAN library: fine ASAN library + non-ASAN executable: breaks Build system issues (mostly libtool) Custom memory management (boehm-gc, jemalloc, tcmalloc) 26

  27. IT WORKS Running server with real webpages. But: More bugs need to be fixed. 27

  28. OTHER TOOLS 28

  29. KASAN AND SYZCKALLER KASAN: ASAN for the Linux Kernel. syzkaller: syscall fuzzing similar to afl 29

  30. UNDEFINED BEHAVIOR SANITIZER (UBSAN) Finds code that is undefined in C Invalid shifts, int overflows, unaligned memory access, ... Problem: Just too many bugs, problems rare There's also TSAN (Thread sanitizer, race conditions) and MSAN (Memory Sanitizer, uninitialized memory) 30

  31. AFL AND NETWORKING Fuzzing network connections, experimental code by Doug Birdwell Usually a bit more brittle than file fuzzing Not widely used yet 31

  32. AFL AND ANDROID Implementation from Intel just released Promising (Stagefright) Android Security desperately needs it 32

  33. WHAT HAS THIS TO DO WITH FREE SOFTWARE? Remember the many eyes principle? "Free software is secure - because everyone can look at the source and find the bugs." We have to actually *do* that. 33

  34. QUESTION TO THE AUDIENCE Do you develop / maintain software? In C? Do you know / use Fuzzing and Address Sanitizer? If not: Why not? 34

  35. THANKS FOR LISTENING Use Address Sanitizer! Fuzz your software. Questions? https://fuzzing-project.org/ 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Fuzzing Project https://fuzzing-project.org/ Hanno B ock 1 / 18 Introduction Motivation

The Fuzzing Project https://fuzzing-project.org/ Hanno B ock 1 / 18 Introduction Motivation

Introduction Examples Tools Objections Conclusions The Fuzzing Project https://fuzzing-project.org/ Hanno B ock 1 / 18 Introduction Motivation Examples Fuzzing Tools C Memory Bugs Objections Invalid memory access example

303 views • 18 slides
THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Bck https://hboeck.de/ 1 WHO AM I?

THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Bck https://hboeck.de/ 1 WHO AM I?

THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Bck https://hboeck.de/ 1 WHO AM I? Hanno Bck Freelance journalist (Golem.de, Zeit Online, taz, LWN) Started Fuzzing Project November 2015 Since May 2015: Supported by Linux

552 views • 31 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&D firstname dot lastname at orange-ftgroup dot com research & development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk

Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk

Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk WarCon 2016, Warsaw PS> whoami Project Zero @ Google Part time developer and frequent user of the fuzzing infrastructure. Dragon Sector CTF

2.26k views • 184 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk Black

Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk Black

Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk Black Hat Europe 2016, London PS> whoami Project Zero @ Google Part time developer and frequent user of the fuzzing infrastructure. Dragon

1.57k views • 133 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction Fuzzing Media Content in Android Data Generation Fuzzing the Stagefright Framework Logging & Triage Mechanisms 2 Introduction Fuzzing

1.12k views • 38 slides
NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein, Junfeng Yang, Baishakhi Ray, and Suman Jana Columbia University 1 Fuzzing: a popular way to uncover bugs [Liang et al. 2019] 2 Evolutionary Fuzzing

1.02k views • 26 slides
ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma background What is fuzzing: feed random inputs to trigger as many crashes and hangs as possible What is state-of-the-art of fuzzing research:

494 views • 18 slides
Constraint Satisfaction Constraint Satisfaction Problems Problems Some material from: D Lin, J

Constraint Satisfaction Constraint Satisfaction Problems Problems Some material from: D Lin, J

RN, Chapter 5 Constraint Satisfaction Constraint Satisfaction Problems Problems Some material from: D Lin, J You, JC Latombe 1 Search Overview Introduction to Search Blind Search Techniques Heuristic Search Techniques

1.09k views • 83 slides
NetKATA Formal System for the Verification of Networks Dexter Kozen Cornell University

NetKATA Formal System for the Verification of Networks Dexter Kozen Cornell University

NetKATA Formal System for the Verification of Networks Dexter Kozen Cornell University AutoMathA 2015 Leipzig 7 May 2015 NetKAT Collaborators Carolyn Jane Anderson, Nate Foster, Arjun Guha, Jean-Baptiste Jeannin, Dexter Kozen, Cole

1.03k views • 56 slides
TLS THE LAW OF BROKEN TLS IMPLEMENTATIONS Hanno Bck https://hboeck.de/ 1 WHO AM I? Hanno

TLS THE LAW OF BROKEN TLS IMPLEMENTATIONS Hanno Bck https://hboeck.de/ 1 WHO AM I? Hanno

TLS THE LAW OF BROKEN TLS IMPLEMENTATIONS Hanno Bck https://hboeck.de/ 1 WHO AM I? Hanno Bck Freelance journalist (Golem.de, Zeit Online, taz, LWN) Find and fix security vulnerabilities and bugs in free soware (Fuzzing Project,

693 views • 44 slides
OpenFlow for QoS-Monitoring Supervisor:Prof. Dr.-Ing. Georg Carle Advisor: M.Sc. Daniel Raumer

OpenFlow for QoS-Monitoring Supervisor:Prof. Dr.-Ing. Georg Carle Advisor: M.Sc. Daniel Raumer

Network Architectures and Services, Georg Carle Faculty of Informatics Technische Universitt Mnchen, Germany OpenFlow for QoS-Monitoring Supervisor:Prof. Dr.-Ing. Georg Carle Advisor: M.Sc. Daniel Raumer M.Sc. Lukas Schwaighofer Agenda

344 views • 18 slides
Cornwall Park Home Residents Event 1 st November 2019 St. Erme Community Centre Information

Cornwall Park Home Residents Event 1 st November 2019 St. Erme Community Centre Information

Information Classification: CONTROLLED Cornwall Park Home Residents Event 1 st November 2019 St. Erme Community Centre Information Classification: CONTROLLED Park Home Residents Survey 2019 Information Classification: CONTROLLED

522 views • 28 slides
Ian Go Gough gh Lond London on School hool of of Econ onom omics ICH ICHEM, CB CBOS OS

Ian Go Gough gh Lond London on School hool of of Econ onom omics ICH ICHEM, CB CBOS OS

Ian Go Gough gh Lond London on School hool of of Econ onom omics ICH ICHEM, CB CBOS OS A AND ND IPR PR SE SEMI MINAR Un Univ iversity ty of of Bath th 20 Feb ebruary 2 2018 What are the social impacts of climate

873 views • 49 slides
Social'balance'and'cohesion'are' core'to'successful'communities

Social'balance'and'cohesion'are' core'to'successful'communities

A ction'for B alanced C ommunities AN#INITIATIVE#FORMED#WITH#COMMUNITY#SUPPORT#FROM Chandos(Road(Community(Associa1on Cli3on(&(Hotwells(Improvement(Society Cli3on(Down(Community(Associa1on Hampton(Park(and(Cotham(Hill(Community(Group

609 views • 12 slides
The final word on the application of the statutory priority regime to insolvent corporate

The final word on the application of the statutory priority regime to insolvent corporate

The final word on the application of the statutory priority regime to insolvent corporate trustees: High Court decision in Re Amerind Christopher Caleo QC (Chair) Stewart Maiden QC Christopher Brown Liability limited by a scheme approved under

627 views • 24 slides

More recommend