tools and techniques to automate the discovery of zero
play

Tools and Techniques to automate the discovery of Zero Day - PowerPoint PPT Presentation

Jan 27, 2023 •308 likes •825 views

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

  1. Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A – Fuzzing 101

  2. Agenda • GEEKZONE • Overview of fuzzing techniques • Tutorials on specific open-source fuzzers • Demonstrations • DIY fuzzing!

  3. Who are we? • Mark Rowe, Joe Moore • IT Security Consultants and Researchers • Pentest Limited • Independent IT Security Consultancy

  4. Software Security Assessment • Information Gathering • Decomposition of application • Information Analysis and Planning • Testing of application components • Analysis and Reporting

  5. Information Gathering • Design documentation • RFC’s • Security requirement specifications • Data flows • Source code • Reverse Engineering • Informal interviews with key personnel (e.g. developers / product managers) • Runtime analysis • Goal is to obtain a detailed picture of the product’s composition, which technologies it uses, how it is typically deployed and how it integrates into its environment

  6. Decomposition of an application • Produce a list of interfaces and features • Understand how end users and other systems interact with the application • Identify the application’s attack surface

  7. Information Analysis and Planning • Develop security test scenarios (thinking like an attacker) • Understanding of how vulnerabilities get into an application • Threat/Risk modelling – Is the component security critical? – Ease of attack. – Impact. – Is the component or feature enabled by default? – Known vulnerabilities in similar products, technologies or components. – How potential attackers are likely to view the product. • Prioritise based on risk

  8. Testing of application components • Use knowledge obtained from previous phases • Uncover design and implementation flaws • Regular progress meetings • Discuss findings with developers

  9. Analysis and Reporting • Bug reports throughout the assessment • Final written report – Details of discovered problems – Highlighting possible solutions – Prioritised issues • Presentation – Senior management – Architects/Developers • Or sell your 0days ☺

  10. Which box is it in? • White Box • Black Box • Grey Box • Fuzzing complements more traditional testing

  11. CERT statistics • Vulnerabilities identified and cataloged • 2000-2007

  12. Fault Injection • Understand how the application works • Enumerate all inputs – “Attack Surface” • Design tests with input that the application may struggle to handle • Prioritise tests

  13. What is Fuzzing? • Sending invalid data to inputs of a program with the purpose of highlighting software defects • Based on fault injection • Often automated • Barton Miller, University of Wisconsin- Madison first person credited with carrying out a rudimentary form of fuzzing (1990)

  14. What can fuzzers discover? • Buffer overflows • Integer overflows • Format string vulnerabilities • Race condition vulnerabilities • SQL injection • Cross Site Scripting (XSS) • Remote command execution • Filesystem attacks (reverse traversal, etc) • Information leaking vulnerabilities • Memory/Resource exhaustion (DoS) • Null pointer dereferences

  15. Who uses Fuzzers? • Security researchers (0days, exploit dev.) • Software QA • Developers • Has gained in popularity over the last few years • Vendors such as Microsoft have adopted fuzz testing as part of their SDL http://msdn2.microsoft.com/en- us/library/ms995349.aspx

  16. What can you Fuzz? • Network protocols • Files • IPC methods • Command line arguments • Environment variables • APIs • Network stacks • Anything that uses a structured data format

  17. Fuzzing process • Choose your target • Identify inputs (attack surface) • Prioritise • Develop fuzzer or fuzz test cases • Supply to inputs • Monitor for exceptions • Determine exploitability (optional)

  18. Deciding what to Fuzz • You can’t test everything at once • Need to be systematic • Decide which areas to mutate with fuzz data • Still relies on human expertise!

  19. Runtime analysis • Processes (ps, ProcessExplorer) • Network ports (netstat, TCPView, portscanners) • Network Sniffing (Wireshark, tcpdump) • Proxies (Paros, WebScarab, ITR) • Files (Filemon, lsof) • IPC (OLEView, strace) • Registry keys (Regmon) • Debugging (gdb, ollydebug)

  20. Approaches to fuzzing • Manual • Semi-automated • Fully automated

  21. Approaches to automated Fuzzing • Generate valid inputs from scratch or work from captured inputs (e.g. RFC versus Sniffed traffic) • Insert fuzz data to produce faulty inputs • Random fuzzing • Pre-generated test cases e.g. Protos • Brute force – bit flipping, raw byte manipulation • “Intelligent” Fuzzing

  22. Fuzz data • Bit flipping, random byte changes • Varying length strings (larger than buffer) • Large integers, zero, negative integers • Format strings %n, %25n • Metacharacters • ../../../ • <script>alert(‘eek’)</script> • ‘ OR 1=1 etc. • , ‘ “ ) ] } NULL • 0x00

  23. Block based fuzzing • Originated from Dave Aitel, SPIKE • Simple and flexible (not Dave! ☺ ) • Decompose protocol into length fields and data fields • Avoids fuzz data being ignored

  24. HTTP POST POST /path/script.cgi HTTP/1.0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4 Content-Type: application/x-www-form-urlencoded Content-Length: 32 postcode=AAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA&county =cheshire

  25. Spike • <block_size><data_block><block_size><data_block>… …….. • Data blocks and sizes (Word, Halfword, Little Endian etc.) – s_block_start(), s_block_end(), – s_blocksize_halfword_bigendian(); • String data – s_string(“Hello\r\n”) • Binary data – s_binary(“41 41”) • Fuzzing – s_string_variable – s_string_repeat(“A”,30)

  26. Spike (2) • Create .spk file • Sending data – generic_send_tcp – generic_send_udp • Lots of examples in audit directory • Other useful tools like “dcedump” • Spike Proxy for web apps

  27. Bug Detection • Segmentation faults • Debuggers (can sometimes mask the presence of a bug) • Search for core dumps • Network port closure • Processes restarting • High CPU usage • Memory usage • Errors in error logs • Other activity that you wouldn’t expect during normal operation • Need to match with test case

  28. Problems you may encounter • Application becomes slow or unresponsive • Encryption, checksums, compression, obfuscation • One bug hides another bug • Combinations of tests cause problems, single test doesn’t trigger the bug! – Memory depletion/leaking – Process exhaustion – Timing issues

  29. Advantages • Allows fast detection of exploitable security bugs, often serious • Identify implementation errors not discovered during code reviews or other testing • Useful when time is limited • Reusable • You don’t need source code • Can make testing of complex environments easier • Fire and Forget

  30. Disadvantages • Modelling complex protocols can be difficult and time consuming especially if they aren’t documented • Maintaining state is often difficult • Not guaranteed to expose all bugs • Poor code coverage • Low yield, simple faults • Tedious to watch!

  31. Fun Stuff! • Putting it all together • MS07-029 RPC DNS vulnerability • Start with dnscmd.exe

  32. Fun Stuff!

  33. Fun Stuff!

  34. Fun Stuff!

  35. Fun Stuff!

  36. User supplied string DCE Bind (DNS) 05 00 0b 03 10 00 00 00 48 00 ................ 0040 00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00 :............... 0050 00 00 00 00 01 00 a4 c2 ab 50 4d 57 b3 40 9d 66 .........PMW.@.f 0060 ee 4f d5 fb a0 76 05 00 00 00 04 5d 88 8a eb 1c .O...v.....].... 0070 c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00 DnssrvQuery ***a0 00*** packet size 05 00 00 03 10 00 00 00 ***a0 00*** ..._............ 0040 00 00 01 00 00 00 64 00 00 00 00 00 01 00 40 3c ......d.......@< 0050 08 00 0c 00 00 00 00 00 00 00 0c 00 00 00 31 00 ..............1. 0060 37 00 32 00 2e 00 31 00 36 00 2e 00 35 00 2e 00 7.2...1.6...5... 0070 38 00 38 00 00 00 d5 3d 26 00 10 00 00 00 00 00 8.8....=&....... 0080 00 00 10 00 00 00 61 61 61 61 61 61 61 61 61 61 ......aaaaaaaaaa 0090 61 61 61 61 61 00 e5 3d 26 00 0c 00 00 00 00 00 aaaaa..=&....... 00a0 00 00 0c 00 00 00 41 6c 6c 6f 77 55 70 64 61 74 ......AllowUpdat 00b0 65 00 ......

  37. EIP: 62626262!

  38. Open Source Fuzzers • SPIKE • Autodafé • PEACH • And many, many more…

  39. Commercial Fuzzers • BeStorm protocol fuzzer • OULU commercial fuzzer • Codenomicon • Mu-4000 • BreakingPoint

  40. Homegrown Fuzzers • Specific purpose • Often quick, not very comprehensive • Modify other (open source) fuzzers • Not really something you could sell(!)

  41. Autodafé • An act of software “torture” • Similar to SPIKE • Block based scripts • File and Network fuzzing • Monitoring tools built in • Weighting attacks (very cool!)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Project AutoMate Squid: Decentralized Discovery Service C. Schmidt, The AutoMate Group The

Project AutoMate Squid: Decentralized Discovery Service C. Schmidt, The AutoMate Group The

Project AutoMate Squid: Decentralized Discovery Service C. Schmidt, The AutoMate Group The Applied Software Systems Laboratory Rutgers, The State University of New Jersey http://automate.rutgers.edu CAIP Autonomic Computing Workshop June,

335 views • 9 slides
CPSC 102 Build Tools Z A IN R IZ V I What Are Build Tools? Automate the compiling of

CPSC 102 Build Tools Z A IN R IZ V I What Are Build Tools? Automate the compiling of

CPSC 102 Build Tools Z A IN R IZ V I What Are Build Tools? Automate the compiling of executable applications from source code. Why is this important? Compilation Order Computer Scientists are lazy 1 2 3 4 Specify the order in

481 views • 8 slides
Watson Discovery Spring 2020 Discovery pipeline Using NLU, document conversion, and UI tools

Watson Discovery Spring 2020 Discovery pipeline Using NLU, document conversion, and UI tools

Watson Discovery Spring 2020 Discovery pipeline Using NLU, document conversion, and UI tools Watson Discovery use cases The need to search thousands of product reviews at once: Create a Discovery collection and build a UI to query the

657 views • 9 slides
Configuration Management wangth Computer Center, CS, NCTU Automate, automate, automate q

Configuration Management wangth Computer Center, CS, NCTU Automate, automate, automate q

Configuration Management wangth Computer Center, CS, NCTU Automate, automate, automate q Automated setup of new machines Not just OS installation, also includes all the additional software and local configuration necessary q Systematic

228 views • 18 slides
Tools &amp; Techniques Triage Using 99 Business Analyst Techniques to better understand

Tools &amp; Techniques Triage Using 99 Business Analyst Techniques to better understand

Tools &amp; Techniques Triage Using 99 Business Analyst Techniques to better understand your teams skills and training needs. Agenda Introduction The idea explained Round 1: Card sorting techniques Round 2: Visualising

370 views • 10 slides
Using DNA fingerprin.ng techniques for the discovery of so9ware

Using DNA fingerprin.ng techniques for the discovery of so9ware

Using DNA fingerprin.ng techniques for the discovery of so9ware code clones/siblings Thomas Shippey, David Bowes and Bruce Chris2anson Science and Technology

407 views • 16 slides
Techniques for better alias resolution in Internet topology discovery Santiago Garcia Jimenez

Techniques for better alias resolution in Internet topology discovery Santiago Garcia Jimenez

Techniques for better alias resolution in Internet topology discovery Santiago Garcia Jimenez Eduardo Magaa lizarrondo Daniel Morato Oses Mikel Izal Azkarate Index Introduction Existing techniques for alias resolution New techniques for

848 views • 41 slides
Automate Server Mastery Keeping Your Automate Server at Its Best Presented by Brandon Lippie

Automate Server Mastery Keeping Your Automate Server at Its Best Presented by Brandon Lippie

Automate Server Mastery Keeping Your Automate Server at Its Best Presented by Brandon Lippie &amp; William Smalley Who Are We? Ive worked with Automate going on 7 years with 5 years working for ConnectWise in Automate Support (3 years) and

365 views • 32 slides
Project AutoMate Enabling Autonomic Applications M. Parashar, The AutoMate Group The Applied

Project AutoMate Enabling Autonomic Applications M. Parashar, The AutoMate Group The Applied

Project AutoMate Enabling Autonomic Applications M. Parashar, The AutoMate Group The Applied Software Systems Laboratory Rutgers, The State University of New Jersey http://automate.rutgers.edu Ack: NSF (CAREER, KDI, ITR, NGS), DoE (ASCI, CIT)

574 views • 16 slides
Project AutoMate SESAME: Dynamic Context Aware Access Control G. Zhang, The AutoMate Group The

Project AutoMate SESAME: Dynamic Context Aware Access Control G. Zhang, The AutoMate Group The

Project AutoMate SESAME: Dynamic Context Aware Access Control G. Zhang, The AutoMate Group The Applied Software Systems Laboratory Rutgers, The State University of New Jersey http://automate.rutgers.edu CAIP Autonomic Computing

380 views • 6 slides
DOTS Server(s) Discovery https://tools.ietf.org/html/draft-boucadair-dots-server-discovery

DOTS Server(s) Discovery https://tools.ietf.org/html/draft-boucadair-dots-server-discovery

DOTS Server(s) Discovery https://tools.ietf.org/html/draft-boucadair-dots-server-discovery Prague, July 2017 M. Boucadair (Orange) T. Reddy (McAfee) P. Patil (Cisco) 1 Context &amp; Motivation A DOTS client needs to learn the IP

306 views • 14 slides
Customizing STAR-CCM+ to Automate a Virtual Port Flow Test Thomas Walker Manager, Custom Tools

Customizing STAR-CCM+ to Automate a Virtual Port Flow Test Thomas Walker Manager, Custom Tools

Your CAE Partner for Success www.cd-adapco.com Customizing STAR-CCM+ to Automate a Virtual Port Flow Test Thomas Walker Manager, Custom Tools Engineering Services CD-adapco Why Automation? When you get beyond Validation, you need to be

360 views • 11 slides
Why was Discovery Developed? Flow Assurance Needs: There are no reliable subsea detection tools

Why was Discovery Developed? Flow Assurance Needs: There are no reliable subsea detection tools

Why was Discovery Developed? Flow Assurance Needs: There are no reliable subsea detection tools to accurately detect and characterise hydrate, wax, and asphaltene blockages 2 Why was Discovery Developed? Pipeline Integrity Needs: One

825 views • 48 slides
Automate your workflows with Kotlin Fosdem - 2020 1 Automate your workflows with Kotlin

Automate your workflows with Kotlin Fosdem - 2020 1 Automate your workflows with Kotlin

Automate your workflows with Kotlin Fosdem - 2020 1 Automate your workflows with Kotlin @martinbonnin @mgauzins 2 A daily work... 1. Assign a ticket 2. Create a branch 3. Code... 4. Create a pull request But also... 5. Move

996 views • 32 slides
Ti e Voice of Reason We have all of these tools and techniques, but are we any better?

Ti e Voice of Reason We have all of these tools and techniques, but are we any better?

And Ti e Voice of Reason We have all of these tools and techniques, but are we any better? PRESENT Modern Software Development Anti-Patterns Reconciliation by Scot A Harvest Note the lack of flu fg y animals in this talk - that's right

349 views • 34 slides
3 Tools &amp; 3 Techniques in PG Estate Planning Council of SW Washington (sponsored by the Clark

3 Tools &amp; 3 Techniques in PG Estate Planning Council of SW Washington (sponsored by the Clark

3 Tools &amp; 3 Techniques in PG Estate Planning Council of SW Washington (sponsored by the Clark College Foundation) October 2015 Three Main Tools in Planned Giving NUMBER #1: THE BEQUEST! Can Be a Specific Dollar Amount (not common)

456 views • 21 slides
W eb Services and the Grid W eb Services and the Grid Supercomputing, Visualization

W eb Services and the Grid W eb Services and the Grid Supercomputing, Visualization

W eb Services and the Grid W eb Services and the Grid Supercomputing, Visualization &amp; e-Science Manchester Com puting W SRF and W SRF::Lite W SRF::Lite W SRF and Mark Mc Keown WSRF: : Lite developer Formerly UK Grid Support

658 views • 32 slides
Development of Web Applications Principles and Practice Vincent Simonet, 2013-2014 Universit

Development of Web Applications Principles and Practice Vincent Simonet, 2013-2014 Universit

Development of Web Applications Principles and Practice Vincent Simonet, 2013-2014 Universit Pierre et Marie Curie, Master Informatique, Spcialit STL 3 Server Technologies Vincent Simonet, 2013-2014 Universit Pierre et Marie Curie,

1.17k views • 68 slides
IRL: Live Hacking Demos! Rick Ramgattie Omer Farooq Security Analyst Senior Security Analyst

IRL: Live Hacking Demos! Rick Ramgattie Omer Farooq Security Analyst Senior Security Analyst

#RSAC SESSION ID: SESSION ID: SBX2-R3 IRL: Live Hacking Demos! Rick Ramgattie Omer Farooq Security Analyst Senior Security Analyst Independent Security Evaluators (ISE) Independent Security Evaluators (ISE) @rramgatie @omerfar23 #RSAC

924 views • 43 slides
P rocesses Recall: A pr ocess includes Address space (Code, Dat a, Heap, St ack) 4:

P rocesses Recall: A pr ocess includes Address space (Code, Dat a, Heap, St ack) 4:

P rocesses Recall: A pr ocess includes Address space (Code, Dat a, Heap, St ack) 4: Threads Regist er values (including t he P C) Resources allocat ed t o t he process Memor y, open f iles, net wor k connect ions Last Modif

411 views • 5 slides
What are scripting languages? Unix shells: sh, ksh, bash Scripting Languages job control

What are scripting languages? Unix shells: sh, ksh, bash Scripting Languages job control

10/22/08 What are scripting languages? Unix shells: sh, ksh, bash Scripting Languages job control Perl Slashdot, bioinformatics, financial data processing, cgi Python System administration at Google BitTorrent file

570 views • 7 slides
THE ROLE OF COSMIC RAY TRANSPORT IN SHAPING THE SIMULATED CIRCUMGALACTIC MEDIUM Iryna Butsky

THE ROLE OF COSMIC RAY TRANSPORT IN SHAPING THE SIMULATED CIRCUMGALACTIC MEDIUM Iryna Butsky

THE ROLE OF COSMIC RAY TRANSPORT IN SHAPING THE SIMULATED CIRCUMGALACTIC MEDIUM Iryna Butsky Blue Waters Graduate Fellow 2016-2017 University of Washington Advisor: Thomas R. Quinn MOTIVATION (KEY CHALLENGES) METHODS (WHY BLUE WATERS)

542 views • 21 slides
DEVELOPING A MULTI-TENANT SAAS USING CLOJURE Ari-Pekka Viitanen ME Programmer Architect

DEVELOPING A MULTI-TENANT SAAS USING CLOJURE Ari-Pekka Viitanen ME Programmer Architect

DEVELOPING A MULTI-TENANT SAAS USING CLOJURE Ari-Pekka Viitanen ME Programmer Architect VINCIT Working for ari-pekka.viitanen@vincit.com @apviitanen CASE BXX STACK DATA PERSISTENCE AND MULTI-TENANCY SINGLE TENANCY MULTI-TENANCY -

522 views • 28 slides
WebCGM The Choice for Technical Illustrations Presented at XML Europe 2001 Berlin, Germany May

WebCGM The Choice for Technical Illustrations Presented at XML Europe 2001 Berlin, Germany May

Air Tra ns p o rt As s n. WebCGM The Choice for Technical Illustrations Presented at XML Europe 2001 Berlin, Germany May 24, 2001 U NITED A IRLINES andy.dewild@ual.com david.w.cruikshank@boeing.com Agenda Requirements - an historical

383 views • 25 slides

More recommend