FUZZING
UNDERESTIMATED METHOD OF FINDING
HIDDEN BUGS
by Pawel Rzepa
AGENDA
• What is fuzzing?
• Mutation based (dumb) fuzzing
• Instrumented fuzzing
• Generation based (smart) fuzzing
• Fuzzing web application
• What is the future of fuzzing?
BEFORE WE START…
WHO AM I?
• Security engineer at Intive (Wroclaw)
• Former developer of the advanced fuzzing module in Spirent’s CyberFlood device
• Contributor to OWASP MSTG (Mobile Security Testing Guide)
• Supporter of Wroclaw OWASP meetings
WHAT IS FUZZING, REALLY?
“Fuzzing is a method for discovering faults in software by providing unexpected input and monitoring for exceptions.”
— “Fuzzing: Brute Force Vulnerability Discovery”
IN OTHER WORDS…
A child noticed dad’s unwatched phone… and found a sequence of actions that crashes the phone.
HISTORY OF FUZZING
In 1988 Professor Barton Miller from the University of Wisconsin observed that, when he was logged in over a modem during a storm, line noise generated junk characters and those characters caused programs to crash.
MUTATION / BRUTE-FORCE / DUMB FUZZING
sample data -> fuzzed data -> program input
Mutations applied to the sample data:
- bit flipping
- byte flipping
- chunk spew
- …
MUTATION IN PRACTICE
more about Radamsa: https://github.com/aoh/radamsa
LET’S FUZZ - DUMB FUZZING
Testing robustness of Android AV to APK bombs
Target: Android AV winner at av-test.org (July 2016)
CREATING SAMPLE DATA
• Create fuzzed data from sample:
$> radamsa -o fuzz_sample_%n.apk -n 3000 com.appsec.appuse.apk
• Move fuzzed data to SD card
$> for i in {1..3000}; do adb push fuzz_sample_$i.apk /sdcard/Download; done
• Capture logs
$> adb logcat -v long > logs.txt
DUMB FUZZING - V3 AV
DUMB FUZZING - WHY NOT PERFECT?
if (VERY_RARE_CONDITION)
{
  // vulnerable code
}
else
{
  …
}
Random mutations of a sample almost never satisfy the rare condition, so the vulnerable branch is practically never executed and a crash there is never observed.
DUMB FUZZING - TCPDUMP
$> radamsa -o fuzz_sample_%n.pcap -n 3000 small_capture.pcap
$> for i in {1..3000}; do tcpdump -nr fuzz_sample_$i.pcap >> radamsa_pcap.logs 2>&1; done
LET’S FUZZ - INSTRUMENTED
FUZZING
• Generates samples, which cover subsets of all
code paths
• Requires a dedicated compiler, which detects
possible code paths
• Much more effective
• Let’s take a closer look at American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/)
INSTRUMENTED FUZZING - PREPARATIONS
• Compile sources with afl-gcc/afl-g++
$> CC=/path_to_AFL/afl-gcc ./configure
$> make
• Prepare a valid sample (ideally smaller than 100 KB)
• Create folders for input, output and (optionally) garbage
INSTRUMENTED FUZZING IN PRACTICE
$> /path_to_AFL/afl-fuzz -i ./fuzz-input/ -o ./fuzz-output/ tcpdump-4.6.2/tcpdump -nr @@
COOL STORY BRO, BUT MY PROGRAM ISN’T WRITTEN IN C…
• AFL is so good that the community has created many implementations of AFL supporting other languages/environments. Just check it out here:
https://github.com/mirrorer/afl/blob/master/docs/sister_projects.txt
• Still doesn’t suit your needs? Then write your own fuzzer!
HOW TO FUZZ NETWORK PROTOCOLS?
- Will it work???
$> while true; do cat /dev/urandom | nc -vv ftp.hq.nasa.gov 21; done
FAIL
LIMITATIONS OF DUMB FUZZING
• (1) Non-compliant types: the mutated value no longer matches the type the field expects
• (2) Non-compliant fixups: checksums, lengths etc. are not recomputed, so the input is rejected early
• (3) Relationships between fields are not supported
• (4) Program states are not supported
GENERATION BASED FUZZING
- CREATING A MODEL (1)
• Fuzzing frameworks like Peach or Sulley
require modelling each portion of data
Peach: http://peachfuzzer.com/resources/peachcommunity
• With DataModels, you can create different states
• You can also define a monitor for tested process
• Finally, put all defined parts in a Test
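To show why stale fixups and field relationships stop a dumb fuzzer, and what a model-based fuzzer does differently, here is an added example (my own code, not from the talk, Peach or Sulley). It assumes a constructed record format: a u16 length, a body, and a CRC32 over length and body; the body is a count byte followed by that many u16 entries.

```python
import random
import struct
import zlib
from collections import Counter

# Constructed record format (my assumption for this example, not a format
# from the slides): u16 big-endian body length | body | u32 CRC32 computed
# over the length field and the body. The length and the CRC are the
# "fixups" that a dumb fuzzer leaves stale.
HEADER = struct.Struct(">H")
TRAILER = struct.Struct(">I")


class FramingError(ValueError):
    """Outer layer rejects the input before the body parser runs."""


class BodyError(ValueError):
    """Inner parser, i.e. the code we actually want to exercise, complains."""


def build_record(body: bytes) -> bytes:
    """Frame a body and compute the fixups, as a generation-based model would."""
    header = HEADER.pack(len(body))
    crc = zlib.crc32(header + body) & 0xFFFFFFFF
    return header + body + TRAILER.pack(crc)


def parse_body(body: bytes) -> list:
    """Body = u8 count followed by `count` u16 entries. The count/entries
    relationship is exactly the kind of dependency a dumb fuzzer ignores."""
    if not body:
        raise BodyError("empty body")
    count = body[0]
    if len(body) != 1 + 2 * count:
        raise BodyError("count does not match payload")
    return [struct.unpack_from(">H", body, 1 + 2 * i)[0] for i in range(count)]


def parse_record(buf: bytes) -> list:
    """Strict receiver: length check, checksum check, then body parse."""
    if len(buf) < HEADER.size + TRAILER.size:
        raise FramingError("length")
    (length,) = HEADER.unpack_from(buf, 0)
    if len(buf) != HEADER.size + length + TRAILER.size:
        raise FramingError("length")
    head_and_body = buf[: HEADER.size + length]
    (crc,) = TRAILER.unpack_from(buf, HEADER.size + length)
    if zlib.crc32(head_and_body) & 0xFFFFFFFF != crc:
        raise FramingError("checksum")
    return parse_body(buf[HEADER.size : HEADER.size + length])


def flip_random_bit(data: bytes, rng: random.Random) -> bytes:
    out = bytearray(data)
    out[rng.randrange(len(out))] ^= 1 << rng.randrange(8)
    return bytes(out)


def dumb_mutate(record: bytes, rng: random.Random) -> bytes:
    """Mutation-based: flip one bit anywhere, blind to structure."""
    return flip_random_bit(record, rng)


def smart_mutate(record: bytes, rng: random.Random) -> bytes:
    """Generation-based: mutate only the body, then rebuild length and CRC."""
    (length,) = HEADER.unpack_from(record, 0)
    body = record[HEADER.size : HEADER.size + length]
    return build_record(flip_random_bit(body, rng))


def classify(buf: bytes) -> str:
    """Where did this input get to: rejected by framing, body error, or ok?"""
    try:
        parse_record(buf)
        return "ok"
    except FramingError as err:
        return "rejected_" + str(err)
    except BodyError:
        return "body_error"


def campaign(mutator, record: bytes, n: int, seed: int) -> Counter:
    """Run n seeded mutations of `record` and count the outcomes."""
    rng = random.Random(seed)
    return Counter(classify(mutator(record, rng)) for _ in range(n))


# Constructed valid sample: count = 3, entries 1, 2, 3.
SAMPLE = build_record(bytes([3]) + struct.pack(">HHH", 1, 2, 3))

if __name__ == "__main__":
    print("dumb :", dict(campaign(dumb_mutate, SAMPLE, 1000, 1)))
    print("smart:", dict(campaign(smart_mutate, SAMPLE, 1000, 1)))
```

Every single-bit mutation of the whole record trips the length or CRC check, so the body parser is never reached; the model-aware mutator gets every case past framing and into the count/entries logic.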
SMART FUZZING WITH PEACH
$> sudo mono Peach.exe --debug ./samples/ftp.xml
HOMEWORK
• Fuzz a “Vulnserver”. Download from:
http://sites.google.com/site/lupingreycorner/vulnserver.zip
• Write a Peach model. Refer to this tutorial:
http://resources.infosecinstitute.com/fuzzing-vulnserver-with-peach-part-2/
FUZZING WEB APPLICATION
• Locate an input you want to fuzz
• Intercept the request (e.g. Burp Suite/OWASP ZAP)
• Define which parameter should be fuzzed
• Select a dictionary with invalid input
More sample dictionaries: https://github.com/fuzzdb-project/fuzzdb
• Find errors!
ANALYSING THE CRASH
• Every crash can be treated as a pure DoS attack
• Not every crash can be exploited :(
• Depending on OS, use different tools to analyse
a crash:
- Microsoft !exploitable Crash Analyser (Windows)
- CERT GDB exploitable plugin (Linux)
- Apple Crash Wrangler Monitor (OSX)
WHY IS FUZZING WORTH IT?
• High return on investment - machine time is
cheap and human time is expensive
• Human role is just to customize a fuzzer to your
needs and… profit!
WHAT CAN YOU FUZZ?
• Literally - every piece of software which accepts
user input
• All kinds of apps (mobile, desktop, web, etc.)
• OS -> https://vimeo.com/129701495
• Online games -> http://bit.ly/2e0w2YO
• Bluetooth -> http://bit.ly/2dQfPqM
• HDMI -> http://bit.ly/2e0ynmA
• Fonts -> http://bit.ly/293DKE0
• Virtualization systems -> http://bit.ly/2ernSfs
…and much more!
WHAT CAN FUZZERS FIND?
• Buffer overruns (remote code execution),
• Deadlocks, thread hangs, unhandled exceptions
(denial-of-service)
• Memory leaks (Heartbleed)
WHAT’S NEXT? IMPLEMENT
FUZZING IN SDLC
FUZZING AND OTHER TESTING METHODS
• Fuzzing can find some types of bugs, but not all of them
• That means fuzzing should be treated as an ADDITIONAL method in your security tests
You still need static analysis, vulnerability assessment and penetration tests!!!
FUTURE OF FUZZING
• Fuzzing as a service: project Springfield (https://www.microsoft.com/en-us/springfield)
• That reminds me of the DARPA Cyber Grand Challenge bots: symbolic execution (e.g. angr) + directed fuzzing (e.g. AFL)
SUMMARY
• Fuzzer should contain: input generator, history of generated input and process monitor
• Fuzzing discovers bugs by providing invalid input
• There are 2 main types of fuzzers:
- generation based (requires sample definition)
- mutation based (mutates a valid sample)
• Any software can be fuzzed, so always remember about this method!
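As an added example tying the mutation slide (bit flipping, byte flipping, chunk spew) to the three parts named in the summary, here is a minimal dumb fuzzer with a generator, a process monitor and a replayable history. The code is mine, not the talk's and not Radamsa's; the operator definitions are my own simple versions, and the target in `demo` is a constructed stand-in (this interpreter rejecting inputs over 16 bytes).

```python
import hashlib
import random
import subprocess
import sys
from typing import Callable, Dict, List, Tuple

# Mutation operators named on the slide. These are my own minimal definitions,
# not Radamsa's implementation.


def bit_flip(data: bytes, rng: random.Random) -> bytes:
    """Flip exactly one bit at a random position; length is unchanged."""
    out = bytearray(data)
    out[rng.randrange(len(out))] ^= 1 << rng.randrange(8)
    return bytes(out)


def byte_flip(data: bytes, rng: random.Random) -> bytes:
    """Replace exactly one byte with a different value; length is unchanged."""
    out = bytearray(data)
    pos = rng.randrange(len(out))
    out[pos] = (out[pos] + rng.randrange(1, 256)) & 0xFF
    return bytes(out)


def chunk_spew(data: bytes, rng: random.Random) -> bytes:
    """Copy a random chunk and insert it several times at a random offset;
    unlike the flips, this changes the length."""
    start = rng.randrange(len(data))
    chunk = data[start : start + rng.randrange(1, 9)]
    at = rng.randrange(len(data) + 1)
    return data[:at] + chunk * rng.randrange(2, 6) + data[at:]


OPERATORS: List[Callable[[bytes, random.Random], bytes]] = [bit_flip, byte_flip, chunk_spew]


def generate(sample: bytes, n: int, seed: int) -> List[Tuple[str, bytes]]:
    """Input generator: n variants of `sample`, each tagged with the operator
    that produced it. Seeding makes the whole run reproducible."""
    rng = random.Random(seed)
    cases = []
    for _ in range(n):
        op = rng.choice(OPERATORS)
        cases.append((op.__name__, op(sample, rng)))
    return cases


def classify(returncode, timed_out: bool) -> str:
    """Process monitor verdict. On POSIX a negative return code is the signal
    that killed the target (e.g. -11 for SIGSEGV), which is what we look for."""
    if timed_out:
        return "hang"
    if returncode is not None and returncode < 0:
        return "crash"
    return "ok" if returncode == 0 else "error"


def run_target(cmd: List[str], case: bytes, timeout: float) -> str:
    """Feed one case to the target on stdin and return the monitor verdict."""
    try:
        proc = subprocess.run(cmd, input=case, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return classify(None, True)
    return classify(proc.returncode, False)


def fuzz(cmd: List[str], sample: bytes, n: int, seed: int, timeout: float = 5.0) -> Dict[str, dict]:
    """Generator + monitor + history: every case that did not end cleanly is
    kept under its SHA-256 together with the operator that produced it, so a
    finding can be replayed later without rerunning the campaign."""
    history: Dict[str, dict] = {}
    for op_name, case in generate(sample, n, seed):
        verdict = run_target(cmd, case, timeout)
        if verdict != "ok":
            digest = hashlib.sha256(case).hexdigest()
            history[digest] = {"verdict": verdict, "operator": op_name, "data": case}
    return history


def demo(n: int, seed: int) -> Dict[str, dict]:
    """Constructed target: this interpreter reads stdin and exits non-zero for
    inputs longer than 16 bytes, standing in for a real parser's limit."""
    target = [sys.executable, "-c",
              "import sys; d = sys.stdin.buffer.read(); sys.exit(len(d) > 16)"]
    return fuzz(target, b"GET /index.html\n", n, seed)  # sample is exactly 16 bytes


if __name__ == "__main__":
    for digest, finding in demo(30, seed=7).items():
        print(digest[:12], finding["verdict"], finding["operator"], len(finding["data"]))
```

Against the constructed target only the length-changing chunk_spew cases are reported, which is the kind of per-operator signal you use to decide which mutations are worth running more of.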
THANK YOU!
Contact me:
pawel.rzepa@owasp.org

 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
 
Effectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorEffectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryError
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and Repair
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptx
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration tools
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conference
 

Fuzzing underestimated method of finding hidden bugs

  • 1. FUZZING: UNDERESTIMATED METHOD OF FINDING HIDDEN BUGS
    by Pawel Rzepa
  • 2. AGENDA
    • What is fuzzing?
    • Mutation based (dumb) fuzzing
    • Instrumented fuzzing
    • Generation based (smart) fuzzing
    • Fuzzing web application
    • What is the future of fuzzing?
  • 3. BEFORE WE START… WHO AM I?
    • Security engineer in Intive (Wroclaw)
    • Former developer of advanced fuzzing module in Spirent’s CyberFlood device
    • Contributor in OWASP MSTG (Mobile Security Testing Guide)
    • Supporter of Wroclaw OWASP meetings
  • 4. WHAT IS FUZZING, REALLY?
    “FUZZING IS A METHOD FOR DISCOVERING FAULTS IN SOFTWARE BY PROVIDING UNEXPECTED INPUT AND MONITORING FOR EXCEPTIONS.”
    — “Fuzzing: Brute Force Vulnerability Discovery”
  • 5. IN OTHER WORDS…
    A child noticed dad’s unwatched phone… A child has found a chain of instructions to crash a phone.
  • 6. HISTORY OF FUZZING
    In 1988 professor Barton Miller from the University of Wisconsin observed that when he was logged in over a modem during a storm, there was a lot of line noise generating junk characters, and those characters caused programs to crash.
  • 8. MUTATION IN PRACTICE
    More about Radamsa: https://github.com/aoh/radamsa
  • 9. LET’S FUZZ - DUMB FUZZING
    Testing robustness of Android AV to APK bombs
    Target: Android AV winner at av-test.org (July 2016)
  • 10. CREATING SAMPLE DATA
    • Create fuzzed data from a sample:
      $> radamsa -o fuzz_sample_%n.apk -n 3000 com.appsec.appuse.apk
    • Move fuzzed data to the SD card:
      $> for i in {1..3000}; do adb push fuzz_sample_$i.apk /sdcard/Download; done
    • Capture logs:
      $> adb logcat -v long > logs.txt
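Slides 7 to 10 describe the mutation loop: a valid sample is bit-flipped, byte-flipped or chunk-spewed, the result is fed to the program, and the logs are watched for exceptions. The Python below is an added example, not code from the talk or from Radamsa. It implements those three mutators, feeds the mutated samples to a small in-process target, and plays the role the logcat capture plays on the phone: it separates clean input rejection from an unexpected fault and keeps a history of crashing inputs (the generator, history and monitor of slide 46). The record format, the parser `parse_records` and its missing bounds check are all constructed for this example and stand for no real file format or product.

```python
import random

# Constructed toy target (not a real product). It parses records laid out as
#   [len: 1 byte][payload: len bytes][checksum: 1 byte, XOR of the payload]
# It has one constructed robustness bug: the checksum index is never
# bounds-checked, so a truncated or length-inflated record raises IndexError
# instead of the clean ValueError used for invalid input.
def parse_records(blob: bytes) -> list:
    records = []
    i = 0
    while i < len(blob):
        n = blob[i]
        if n == 0:
            raise ValueError("zero-length record")        # expected rejection
        payload = blob[i + 1:i + 1 + n]
        chk = blob[i + 1 + n]                             # BUG: may index past the end
        if xor_checksum(payload) != chk:
            raise ValueError("checksum mismatch")          # expected rejection
        records.append(payload)
        i += 2 + n
    return records


def xor_checksum(data: bytes) -> int:
    c = 0
    for b in data:
        c ^= b
    return c


def build_record(payload: bytes) -> bytes:
    return bytes([len(payload)]) + payload + bytes([xor_checksum(payload)])


# The three "dumb" strategies named on slide 7.
def bit_flip(data: bytes, rng: random.Random) -> bytes:
    i = rng.randrange(len(data))
    return data[:i] + bytes([data[i] ^ (1 << rng.randrange(8))]) + data[i + 1:]


def byte_flip(data: bytes, rng: random.Random) -> bytes:
    i = rng.randrange(len(data))
    return data[:i] + bytes([rng.randrange(256)]) + data[i + 1:]


def chunk_spew(data: bytes, rng: random.Random) -> bytes:
    # copy a random chunk of the sample and paste it at a random offset
    a = rng.randrange(len(data))
    b = rng.randrange(a, len(data)) + 1
    at = rng.randrange(len(data) + 1)
    return data[:at] + data[a:b] + data[at:]


MUTATORS = [bit_flip, byte_flip, chunk_spew]


def classify(target, data: bytes) -> str:
    """Process monitor: tell a clean rejection apart from an unexpected fault."""
    try:
        target(data)
        return "ok"
    except ValueError:
        return "rejected"
    except Exception as exc:
        return "crash:" + type(exc).__name__


def dumb_fuzz(target, sample: bytes, iterations: int = 500, seed: int = 0):
    """Mutation-based loop: mutate, run, classify, remember what crashed."""
    rng = random.Random(seed)
    counts = {"ok": 0, "rejected": 0, "crash": 0}
    crashes = []          # history of crashing inputs, one per exception type
    seen = set()
    for _ in range(iterations):
        mutated = rng.choice(MUTATORS)(sample, rng)
        verdict = classify(target, mutated)
        if verdict.startswith("crash:"):
            counts["crash"] += 1
            if verdict not in seen:
                seen.add(verdict)
                crashes.append((verdict, mutated))
        else:
            counts[verdict] += 1
    return counts, crashes


# Constructed valid sample: two well-formed records.
SAMPLE = build_record(b"hello") + build_record(b"ab")

if __name__ == "__main__":
    counts, crashes = dumb_fuzz(parse_records, SAMPLE)
    print(counts)
    for verdict, data in crashes:
        print(verdict, data.hex())
```

Most mutations are rejected by the checksum, which is exactly the point of slides 12 and 13: the random strategies only reach the fault when a mutation happens to land on a length byte. Keeping the crashing input with its verdict is what lets you replay the case later under a debugger.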
  • 11. DUMB FUZZING - V3 AV
  • 12-13. DUMB FUZZING - WHY NOT PERFECT?
    IF (VERY_RARE_CONDITION)
    {
      //VULNERABLE CODE
    }
    ELSE
    {
      …
    }
  • 14. DUMB FUZZING - TCPDUMP
    $> radamsa -o fuzz_sample_%n.pcap -n 3000 small_capture.pcap
    $> for i in {1..3000}; do tcpdump -nr fuzz_sample_$i.pcap >> radamsa_pcap.logs 2>&1; done
  • 15. LET’S FUZZ - INSTRUMENTED FUZZING
    • Generates samples which cover subsets of all code paths
    • Requires a dedicated compiler which detects possible code paths
    • Much more effective
    • Let’s take a closer look at American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/)
  • 16. INSTRUMENTED FUZZING - PREPARATIONS
    • Compile sources with afl-gcc/afl-g++:
      $> CC=/path_to_AFL/afl-gcc ./configure
      $> make
    • Prepare a valid sample (best if <100 KB)
    • Create folders for input, output and (optionally) garbage, e.g.
  • 17. INSTRUMENTED FUZZING IN PRACTICE
    $> /path_to_AFL/afl-fuzz -i ./fuzz-input/ -o ./fuzz-output/ tcpdump-4.6.2/tcpdump -nr @@
  • 20. COOL STORY BRO, BUT MY PROGRAM ISN’T WRITTEN IN C…
    • AFL is so good that the community has created many implementations of AFL supporting other languages/environments. Just check it out here: https://github.com/mirrorer/afl/blob/master/docs/sister_projects.txt
    • Still doesn’t suit your needs? Then write your own fuzzer!
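The VERY_RARE_CONDITION of slides 12 and 13 is the reason instrumented fuzzing (slides 15 to 17) is "much more effective", and slide 20 ends with "write your own fuzzer". The Python below is an added example, not code from the talk or from AFL: it reproduces AFL's core loop in miniature, keeping every input that executes a line no earlier input did and mutating from those, with `sys.settrace` standing in for the instrumentation that afl-gcc compiles in. It is compared with blind random input on a constructed target whose fault sits behind four nested byte checks. The names `target`, `run_with_coverage`, `blind_fuzz` and `coverage_guided_fuzz` are all assumptions made for this example.

```python
import random
import sys


# Constructed target (not a real program). The fault sits behind four nested
# checks: a blind mutator has a 1 in 2^32 chance of producing the 4-byte prefix
# that reaches it, while coverage feedback rewards each check passed.
def target(data: bytes) -> int:
    if len(data) < 4:
        return 0
    if data[0] == ord("F"):
        if data[1] == ord("U"):
            if data[2] == ord("Z"):
                if data[3] == ord("Z"):
                    raise RuntimeError("reached the vulnerable code")   # constructed fault
    return 1


def run_with_coverage(fn, data: bytes):
    """Execute fn(data); return (set of source lines executed inside fn, crashed?).
    sys.settrace is the stand-in for the compile-time instrumentation of afl-gcc."""
    covered = set()

    def tracer(frame, event, arg):
        if frame.f_code is not fn.__code__:
            return None                       # do not trace other functions
        if event == "line":
            covered.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        fn(data)
        crashed = False
    except Exception:
        crashed = True
    finally:
        sys.settrace(None)
    return covered, crashed


def blind_fuzz(target, rng: random.Random, max_runs: int = 20000):
    """Dumb approach: random 4-byte inputs with no feedback at all."""
    for runs in range(1, max_runs + 1):
        data = bytes(rng.getrandbits(8) for _ in range(4))
        _, crashed = run_with_coverage(target, data)
        if crashed:
            return data, runs
    return None, max_runs


def coverage_guided_fuzz(target, seed: bytes, max_runs: int = 20000):
    """AFL-style loop: inputs that reach new lines go into the queue and become
    the base for further mutation, so each nested check is solved in turn."""
    queue = [seed]
    seen_lines, crashed = run_with_coverage(target, seed)
    runs = 1
    if crashed:
        return seed, runs
    i = 0
    while i < len(queue):
        base = queue[i]
        i += 1
        # deterministic stage (as AFL has): try every byte value at every position
        for pos in range(len(base)):
            for val in range(256):
                cand = base[:pos] + bytes([val]) + base[pos + 1:]
                lines, crashed = run_with_coverage(target, cand)
                runs += 1
                if crashed:
                    return cand, runs
                if not lines <= seen_lines:   # executed a line never seen before
                    seen_lines |= lines
                    queue.append(cand)
                if runs >= max_runs:
                    return None, runs
    return None, runs


if __name__ == "__main__":
    found, runs = coverage_guided_fuzz(target, b"AAAA")
    print("guided:", found, "after", runs, "executions")
    found, runs = blind_fuzz(target, random.Random(1))
    print("blind: ", found, "after", runs, "executions")
```

Starting from the seed `AAAA`, the guided loop needs one byte-walk per nested check, a few thousand executions in total, because `FAAA`, `FUAA` and `FUZA` each execute a line the previous queue entries did not and are therefore kept. The blind loop exhausts its budget: without feedback there is nothing to tell it that `F` in the first byte was progress.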
  • 21. HOW TO FUZZ NETWORK PROTOCOLS? - Will it work???
    $> while true; do cat /dev/urandom | nc -vv ftp.hq.nasa.gov 21; done
    FAIL
  • 22. LIMITATIONS OF DUMB FUZZING (1)
    • Non-compliant types
  • 23. LIMITATIONS OF DUMB FUZZING (2)
    • Non-compliant fixups (checksum, length etc.)
  • 24. LIMITATIONS OF DUMB FUZZING (3)
    • Unsupported relationships
  • 25. LIMITATIONS OF DUMB FUZZING (4)
    • Unsupported program states
  • 26. GENERATION BASED FUZZING - CREATING A MODEL (1)
    • Fuzzing frameworks like Peach or Sulley require modelling each portion of data
    Peach: http://peachfuzzer.com/resources/peachcommunity
  • 27.
    • With DataModels, you can create different states
  • 28.
    • You can also define a monitor for the tested process
    • Finally, put all defined parts in a Test
  • 29. SMART FUZZING WITH PEACH
    $> sudo mono Peach.exe --debug ./samples/ftp.xml
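Slides 22 to 28 list what a mutator cannot do on its own (types, fixups such as length and checksum, relationships between fields, program state) and what a Peach DataModel, StateModel and Test supply instead. As an added example that is neither Peach code nor code from the talk, here is the same separation in plain Python against a constructed stateful server: `build` is the data model with its length and CRC32 fixups, `smart_fuzz` is the state model (AUTH must precede PUT) driving a per-field dictionary, and `without_fixups` shows why a byte-level mutation of the same message never gets past the checks. The wire format, the `Server` class, its credential and its slot bug are all constructed for this example.

```python
import struct
import zlib


# Constructed stateful target (not a real server). One message on the wire:
#   [cmd: 4 ASCII bytes][len: 2 bytes big-endian][body: len bytes][crc32(body): 4 bytes]
# AUTH must succeed before PUT is accepted (program state, slide 25).
# Constructed bug: PUT stores into a 16-entry table using a two-hex-digit slot
# number taken from the body without a bounds check.
class Server:
    def __init__(self):
        self.authed = False
        self.slots = [b""] * 16

    def handle(self, msg: bytes) -> str:
        if len(msg) < 10:
            return "ERR short"
        cmd = msg[:4]
        (n,) = struct.unpack(">H", msg[4:6])
        body, crc = msg[6:6 + n], msg[6 + n:10 + n]
        if len(body) != n or len(crc) != 4:
            return "ERR length"                         # fixup 1: length field
        if crc != struct.pack(">I", zlib.crc32(body)):
            return "ERR crc"                            # fixup 2: checksum
        if cmd == b"AUTH":
            self.authed = body == b"s3cret"             # constructed credential
            return "OK auth" if self.authed else "ERR auth"
        if not self.authed:
            return "ERR state"                          # relationship: PUT needs AUTH
        if cmd == b"PUT ":
            try:
                slot = int(body[:2], 16)                # type: two hex digits
            except ValueError:
                return "ERR slot"
            self.slots[slot] = body[2:]                 # BUG: slot >= 16 is never rejected
            return "OK put"
        return "ERR cmd"


def build(cmd: bytes, body: bytes) -> bytes:
    """Data model with fixups: len and crc are recomputed for whatever body is fuzzed,
    so the message is well-formed and the fuzzed field reaches the handler."""
    return cmd + struct.pack(">H", len(body)) + body + struct.pack(">I", zlib.crc32(body))


# Per-field dictionaries, the job a DataModel's Number/String mutators do:
# boundary and wrong-type values for the hex slot field and for the value field.
SLOT_CASES = [b"00", b"0f", b"10", b"ff", b"zz", b""]
VALUE_CASES = [b"", b"A" * 1000, b"\x00", b"\xff" * 8]


def smart_fuzz(make_server):
    """State model: for every case start a fresh server, walk AUTH -> PUT with valid
    fixups, and record every reply that is an exception rather than an ERR reply."""
    findings = []
    for slot in SLOT_CASES:
        for value in VALUE_CASES:
            srv = make_server()
            if srv.handle(build(b"AUTH", b"s3cret")) != "OK auth":
                raise RuntimeError("state model broken: AUTH failed")
            case = build(b"PUT ", slot + value)
            try:
                srv.handle(case)
            except Exception as exc:                    # the process monitor's verdict
                findings.append((type(exc).__name__, slot, value[:4]))
    return findings


def without_fixups(slot: bytes, value: bytes) -> str:
    """Slide 23 in one call: change body bytes of a valid PUT but keep its old
    length and CRC, and the server rejects it before any handler code runs."""
    srv = Server()
    srv.handle(build(b"AUTH", b"s3cret"))
    valid = build(b"PUT ", b"00ok")
    mutated = valid[:6] + slot + value + valid[10:]     # new 4-byte body, stale crc
    return srv.handle(mutated)


if __name__ == "__main__":
    for name, slot, value in smart_fuzz(Server):
        print(name, "slot=%r value=%r" % (slot, value))
    print("mutated without fixups ->", without_fixups(b"ff", b"ok"))
```

Every finding comes from slot values `10`, `ff` or from a value whose first two bytes happen to be valid hex, which is the kind of type-aware case a model produces on purpose and a bit flip produces only by accident. Resetting the server for every case matters: a stateful target fuzzed from a stale state reports faults that cannot be reproduced.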
  • 32. HOMEWORK
    • Fuzz “Vulnserver”. Download from: http://sites.google.com/site/lupingreycorner/vulnserver.zip
    • Write a Peach model. Refer to this tutorial: http://resources.infosecinstitute.com/fuzzing-vulnserver-with-peach-part-2/
  • 33. FUZZING WEB APPLICATION
    • Locate an input you want to fuzz
  • 34.
    • Intercept the request (e.g. Burp Suite/OWASP ZAP)
  • 35.
    • Define which parameter should be fuzzed
  • 36.
    • Select a dictionary with invalid input
    More sample dictionaries: https://github.com/fuzzdb-project/fuzzdb
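Slides 33 to 36 are the proxy workflow: locate an input, intercept the request, choose the parameter, choose a dictionary. The Python below is an added example, not code from the talk, from Burp Suite, ZAP or fuzzdb: it runs that workflow offline against a constructed web handler, substituting each dictionary entry into the chosen query parameter of an intercepted request and reporting how each reply differs from the baseline. The captured request, the handler `app`, the item list and the mini dictionary are all constructed; in a real run the rebuilt request would be sent to the application instead of being handed to `serve`.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed target standing in for the application behind the proxy. It looks
# an item up by the numeric "id" query parameter; constructed bug: the index is
# used without a range check, so ids outside 0..2 raise inside the handler.
ITEMS = ["apple", "pear", "plum"]


def app(query: dict) -> tuple:
    raw_id = query.get("id", [""])[0]
    try:
        idx = int(raw_id)
    except ValueError:
        return 400, "bad id"                      # clean rejection of non-numeric input
    return 200, ITEMS[idx]                        # BUG: no bounds check


def serve(raw_request: str) -> tuple:
    """Minimal HTTP front end: parse the request line, call the app, and report
    an unhandled exception as a 500 the way a real server would."""
    method, target, _version = raw_request.split("\r\n", 1)[0].split(" ")
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    try:
        return app(query)
    except Exception as exc:
        return 500, "internal error: " + type(exc).__name__


# Constructed intercepted request (slide 34).
CAPTURED = (
    "GET /item?id=1&lang=en HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "\r\n"
)

# Constructed mini dictionary of invalid input in the spirit of fuzzdb (slide 36):
# empty, boundary numbers, wrong numeric types, a NUL byte, an oversized value,
# metacharacters, an already-encoded NUL and a digit from another script
# (which Python's int() accepts).
DICTIONARY = ["", "0", "-1", "3", "99999999999999999999", "1.5", "1e3",
              "\x00", "A" * 2048, "'", "<", "%00", "\uff11"]


def fuzz_parameter(raw_request: str, param: str, payloads):
    """Slides 33-36: substitute each payload into one chosen parameter of the
    intercepted request and record (payload, status, body) for review."""
    request_line, rest = raw_request.split("\r\n", 1)
    method, target, version = request_line.split(" ")
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    report = []
    for payload in payloads:
        fuzzed = dict(query)
        fuzzed[param] = [payload]
        new_target = parts.path + "?" + urlencode(fuzzed, doseq=True)
        request = " ".join([method, new_target, version]) + "\r\n" + rest
        status, body = serve(request)
        report.append((payload, status, body))
    return report


def server_errors(report) -> list:
    """Payloads whose reply was a 5xx: the first thing to triage."""
    return [payload for payload, status, _body in report if status >= 500]


if __name__ == "__main__":
    baseline = serve(CAPTURED)
    print("baseline:", baseline)
    for payload, status, body in fuzz_parameter(CAPTURED, "id", DICTIONARY):
        print("%-22r %d %s" % (payload[:20], status, body))
```

Read the report rather than only the 5xx list: `-1` comes back as 200 with a different item than the baseline because a negative index is silently accepted, and the other-script digit is also accepted as a valid number. Neither shows up as a server error, yet both tell a reviewer that the parameter is validated by conversion only, not against the range the application actually means.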
  • 38. ANALYSING THE CRASH
    • Every crash can be treated as a pure DoS attack
    • Not every crash can be exploited :(
    • Depending on the OS, use different tools to analyse a crash:
      - Microsoft !exploitable Crash Analyzer (Windows)
      - CERT GDB exploitable plugin (Linux)
      - Apple Crash Wrangler Monitor (OSX)
  • 39. WHY IS IT WORTH FUZZING?
    • High return on investment - machine time is cheap and human time is expensive
    • The human role is just to customize a fuzzer to your needs and… profit!
  • 40. WHAT CAN YOU FUZZ?
    • Literally every piece of software which accepts user input
    • All kinds of apps (mobile, desktop, web, etc.)
    • OS -> https://vimeo.com/129701495
    • Online games -> http://bit.ly/2e0w2YO
    • Bluetooth -> http://bit.ly/2dQfPqM
    • HDMI -> http://bit.ly/2e0ynmA
    • Fonts -> http://bit.ly/293DKE0
    • Virtualization systems -> http://bit.ly/2ernSfs
    …and much more!
  • 41. WHAT CAN FUZZERS FIND?
    • Buffer overruns (remote code execution)
    • Deadlocks, thread hangs, unhandled exceptions (denial-of-service)
    • Memory leaks (Heartbleed)
  • 43. FUZZING AND OTHER TESTING METHODS
    • Fuzzing can find some types of bugs, but not all of them
    • That means fuzzing should be treated as an ADDITIONAL method in your security tests
    You still need static analysis, vulnerability assessment and penetration tests!!!
  • 44. FUTURE OF FUZZING
    • Fuzzing as a service: project Springfield (https://www.microsoft.com/en-us/springfield)
  • 45. FUTURE OF FUZZING
    • That reminds me of the DARPA Cyber Grand Challenge bots: symbolic execution (e.g. angr) + directed fuzzing (e.g. AFL)
  • 46. SUMMARY
    • A fuzzer should contain: an input generator, a history of generated input and a process monitor
    • Fuzzing discovers bugs by providing invalid input
    • There are 2 main types of fuzzers:
      - generation based (requires a sample definition)
      - mutation based (mutates a valid sample)
    • Any software can be fuzzed, so always remember about this method!