Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fuzz Testing (Fuzzing) Eng. Hector M Lugo-Cordero, MS CIS 4361 Jan 27, 2012.

Published byReynard Sutton Modified over 8 years ago

Similar presentations

Presentation on theme: "Fuzz Testing (Fuzzing) Eng. Hector M Lugo-Cordero, MS CIS 4361 Jan 27, 2012."— Presentation transcript:

1 Fuzz Testing (Fuzzing) Eng. Hector M Lugo-Cordero, MS CIS 4361 Jan 27, 2012

2 Resources The following slides are a mixture from Dr Cliff Zou’s Malware class, and personal knowledge

3 3 Review Memory-safety vulnerabilities –Buffer overflow –Format string –Integer overflow Runtime detection –Runtime bounds check Purify, Jones & kelly (string bound check) Expensive –Runtime detection of overwrite Stackguard, etc. Practical, but only cover certain types of attacks –Runtime mitigation to make attacks hard Randomization Practical, but not fool proof

4 4 IPhone Security Flaw Jul 2007: “researchers at Independent Security Evaluators, said that they could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code. The hack, the first reported, allowed them to tap the wealth of personal information the phones contain.” Found by Charles Miller –Dr. Charlie Miller presented the details of the exploit at BlackHat in Las Vegas on August 2, 2007. The slides from this talk are also available.BlackHatavailable Details see: http://securityevaluators.com/content/case-studies/iphone/

5 5 iPhone attack iPhone Safari downloads malicious web page –Arbitrary code is run with administrative privileges –Can read SMS log, address book, call history, other data –Can perform physical actions on the phone system sound and vibrate the phone for a second could dial phone numbers, send text messages, or record audio (as a bugging device) –Can transmit any collected data over network to attacker

6 6 0days Are a Hacker Obsession An 0day is a vulnerability that’s not publicly known Modern 0days often combine multiple attack vectors & vulnerabilities into one exploit –Many of these are used only once on high value targets 0day statistics –Often open for months, sometimes years

7 7 How to Find a 0day? Step #1: obtain information –Hardware, software information –Sometimes the hardest step Step #2: bug finding –Manual audit –(semi)automated techniques/tools Fuzz testing (focus of this lecture)

8 Fuzz Testing Attempt to crash or hang a program by feeding it malformed inputs Blackbox fuzzing –Generational –Mutation

9 9 Trivial Example Standard HTTP GET request –GET /index.html HTTP/1.1 Anomalous requests –AAAAAA...AAAA /index.html HTTP/1.1 –GET ///////index.html HTTP/1.1 –GET %n%n%n%n%n%n.html HTTP/1.1 –GET /AAAAAAAAAAAAA.html HTTP/1.1 –GET /index.html HTTTTTTTTTTTTTP/1.1 –GET /index.html HTTP/1.1.1.1.1.1.1.1

10 10 Regression vs. Fuzzing Regression: Run program on many normal inputs, look for badness. –Goal: Prevent normal users from encountering errors Fuzzing: Run program on many abnormal inputs, look for badness. –Goal: Prevent attackers from encountering exploitable errors

11 Fuzz Testing: Motivation Nobody is perfect Programs may be very large and dificult to test Find bugs to fix Exploit programs for malware

12 Fuzz Testing: Challenges Random fuzzing has to cover a huge sample space –E.g. audio signal of 4s, 32k bytes 2 256,000 possible values Symbolic fuzzing can’t bypass checksum instructions

13 13 Approach I: Black-box Fuzz Testing Given a program, simply feed it random inputs, see whether it crashes Advantage: really easy Disadvantage: inefficient –Input often requires structures, random inputs are likely to be malformed –Inputs that would trigger a crash is a very small fraction, probability of getting lucky may be very low

14 14 Enhancement I: Mutation-Based Fuzzing Take a well-formed input, randomly perturb (flipping bit, etc.) Little or no knowledge of the structure of the inputs is assumed Anomalies are added to existing valid inputs Anomalies may be completely random or follow some heuristics –e.g. remove NUL, shift character forward Examples: –ZZUF, very successful at finding bugs in many real-world programs, http://sam.zoy.org/zzuf/http://sam.zoy.org/zzuf/ –Taof, GPF, ProxyFuzz, FileFuzz, Filep, etc.

15 15 Example: fuzzing a pdf viewer Google for.pdf (about 1 billion results) Crawl pages to build a corpus Use fuzzing tool (or script to) –1. Grab a file –2. Mutate that file –3. Feed it to the program –4. Record if it crashed (and input that crashed it)

16 16 Mutation-based Fuzzing In Short Strengths –Super easy to setup and automate –Little to no protocol knowledge required Weaknesses –Limited by initial corpus –May fail for protocols with checksums, those which depend on challenge response, etc.

17 17 Enhancement II: Generation-Based Fuzzing Test cases are generated from some description of the format: RFC, documentation, etc. –Using specified protocols/file format info –E.g., SPIKE by Immunity http://www.immunitysec.com/resourcesfreesoftwa re.shtml http://www.immunitysec.com/resourcesfreesoftwa re.shtml Anomalies are added to each possible spot in the inputs Knowledge of protocol should give better results than random fuzzing

18 18 Generation-Based Fuzzing In Short Strengths –completeness –Can deal with complex dependencies e.g. checksums Weaknesses –Have to have spec of protocol Often can find good tools for existing protocols e.g. http, SNMP –Writing generator can be labor intensive for complex protocols –The spec is not the code Our goal is code testing, not spec testing

19 Other Approachs White-box Fuzzing –Code is known –Can use symbolic execution –Potential inputs can be known Novelty Search (Gray-box fuzzing?) Evolutionary computation keeping track of which genes (bits) give more chance of code exploitation

Download ppt "Fuzz Testing (Fuzzing) Eng. Hector M Lugo-Cordero, MS CIS 4361 Jan 27, 2012."

Similar presentations

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.
Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.

Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
The Intelligent Fuzzing in TTCN-3 Xu Luo, Wu Ji, Liu Chao Software Engineering Institute Beihang University

The Intelligent Fuzzing in TTCN-3 Xu Luo, Wu Ji, Liu Chao Software Engineering Institute Beihang University
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Attacking Session Management Juliette Lessing

Attacking Session Management Juliette Lessing
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Fuzzing Dan Fleck CS 469: Security Engineering Sources:

Fuzzing Dan Fleck CS 469: Security Engineering Sources:
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
(semi)Automatic Methods for Security Bug Detection Tal Garfinkel Stanford/VMware.

(semi)Automatic Methods for Security Bug Detection Tal Garfinkel Stanford/VMware.
Computer Networks IGCSE ICT Section 4.

Computer Networks IGCSE ICT Section 4.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
CAP6135: Malware and Software Vulnerability Analysis Find Software Bugs Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Find Software Bugs Cliff Zou Spring 2011.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Similar presentations

Ads by Google