Dobin 0x71_Fuzzing.pdf
Card Deck Details
Cards | 11 |
---|---|
Language | English |
Category | Religion/Ethics |
Level | University |
Created / Updated | 25.06.2019 / 25.06.2019 |
Licensing | Not specified |
Weblink | https://card2brain.ch/box/20190625_dobin_0x71fuzzing_pdf |
What is fuzzing?
"Finding bugs by bombarding target with nonconform data"
Think: Flip a few bits in a PDF, then start Acrobat with that PDF
Just more automated
What is a fuzzer?
Fuzzer:
A program which generates new "random" inputs, and feeds it to the target program.
What 3 types of fuzzing are there?
Types of Fuzzing:
- Mutation based
- Grammar based
- Feedback based
What is mutation based fuzzing and what steps are involved?
Mutation based fuzzing:
Take an input file, modify it a bit, continue
Steps:
- Create input corpus
- Select an input
- Modify input file ("fuzz it")
- Start program with input file
- Identify crashes
What is grammar based fuzzing?
Grammar based fuzzing
used for: eg. javaScript, HTML, FTP, HTTP, ...
Cannot just flip bits etc, as it is not a binary protocol
alert(1); -> is valid
alfrt(1); -> is garbage
Steps:
- Create a random input file based on grammar
- Start program with input file
- Identify crashes
What is the problem with traditional fuzzing?
Traditional fuzzing - dumb, inefficient, brute force
What is feedback based fuzzing?
Example of Feedback Fuzzer:
AFL (American Fuzzy Lop): employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the target binary.
Concept of feedback based Fuzzing:
- Observe the program to see if a new input (mutated from the corpus) reaches a new code path
- This is done by adding code in the compile process which tracks which functions get called in what order.
What are the problems with fuzzing?
- "Bit flips" only get you this far
- AFL:
- Sequential bit flips with varying lengths and stepovers,
- Sequential addition and subtraction of small integers,
- Sequential insertion of known interesting integers (0, 1, INT_MAX, UINT_MAX, 127, 129, etc...)
- With deterministic fuzzing out of the way, the non-deterministic steps include:
- stacked bit flips, insertions, deletions, arithmetics, and splicing of different test cases.
- Low Probability of catching:
- if a == 0x31337
- if a == "CONNECT"