1. 0-Knowledge Fuzzing VincenzoIozzo vincenzo.iozzo@zynamics.com

2. Disclaimer In this talk you won’t see all those formulas, formal definition, code snippets and bullets. From past experiences the speaker learned that all the aforementioned elements are no useful in making people understand your idea. You instead will see a lot of funny pictures which the speaker hopes will convey better the understanding of the ideas explained in the talk You don’t want slides like this, do you?

3. Motivations

4. Questions!

5. Fuzzing

6. How it used to be

7. How it is today (aka the reason of this talk)

8. Dumb fuzzing

9. Smart Fuzzing

10. Evolutionary Based Fuzzing

11. The idea

12. The surface

13. We need a filter

14. Cyclomatic complexity

15. This one

16. Not this one

17. Original formula M = E – N + 2P Number of edges Number of nodes Connected components

18. Why? Cyclomatic number M = E – N + P

19. Simplify

20. Formula M = E – N + 2

21. Problem

22. Loop detection

23. Dominator tree

24. Dominators

25. Function

26. Dominator tree

27. Dominators

28. Implicit loops

29. REIL

30. This one…

31. …to this one

32. Is that enough?

33. Not enough Of course not, more heuristics needed void*safe_strcpy(void*old_dest,void *src, intsize){ void*dst = realloc(old_dest, size +1); strncpy(dst, src, size); returndst; }

34. Add your own For static analysis we use

35. DEMO

36. Questions!

37. Data Tainting

38. Example Taint Source Taint mark movl0x4[eax], ebx

39. Dytan

40. PIN

41. Taint sources

42. Markings granularity

43. Propagation add eax, ebx, edx

44. Output Registers Memory locations

45. DEMO

46. Questions!

47. In-memory fuzzing

48. Example esi= 0x30f064 Original loc esi= 0x30f0A4 Fuzzed loc rep movs

49. Why?

50. Problems

51. Expertise and patience

52. Memory instability

53. False positives

54. False negatives

55. Mutation loop insertion

56. Snapshot mutation restoration

57. What do we do? Hook image Hook functions Hook instructions Hook

58. First approach

59. For instance… 30f064-30f068 0x8a Y 0x00 K ABCD

60. Second approach

61. Example 30f064-30f068 30f084-30f098 0x89 K D F 0x96 0x00 J K U Y W 0xA7 0xB8 0x00 0x10 A T N 0x00 0xD3 ABCD

62. Code coverage

63. Score BBexecuted/BBtotal Basic Blocks executed Total Basic Blocks

64. Halting Cevil = Cgood + t Code coverage evil sample Code coverage good sample User-supplied threshold

65. How?? Good sample Evil sample Compare Score Score

66. What do we use? Code coverage Faults monitor

67. DEMO

68. Future – A reasoner

69. Thanks

70. Questions!

71. More Info viozzo.wordpress.com @_snagg vincenzo.iozzo@zynamics.com