From Crash to Win
csilva & GuiS
Agenda
What is Fuzzing
AFL
AFL all the things
Fuzzing
Automated software testing by feeding the target:
- invalid data
- unexpected data
- random data
and monitoring for exceptions such as crashes
Anatomy
Generate test cases
Record test cases or any other information
Interface with the target to insert inputs
Detect crashes
Pros
- Very fast (faster than manual code review)
- Scalable (you can run 1000 machines 24/7)
Cons
- Bugs with pre-conditions are hard to find
- Can't find logical bugs
Types of Fuzzing
Mutation
Replay
Proxy
Generation
Evolutionary
Mutation
Samples of valid input are mutated to produce malformed input
Replay
Saves inputs and replays them after mutating them
Proxy
Proxy that mutates the requests
Generation
Generate the input from scratch based on some form of intelligence
Evolutionary
Input generation is adjusted based on feedback from the target
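To tie the Anatomy slide (generate, interface, detect, record) to the Mutation and Evolutionary types, here is an added example that is not from the slides or from AFL: a minimal coverage-guided mutation fuzzer in Python. The target `parse_record` is a constructed toy parser with a deliberate bug, and its `trace` list stands in for AFL's compile-time edge instrumentation; the mutation operators and "interesting" byte values imitate AFL's havoc strategy in miniature. All names and the sample seeds are assumptions for this demo.

```python
import random
from dataclasses import dataclass, field

# --- Target ---------------------------------------------------------------
# Constructed toy parser (not code from the slides) with a deliberate bug so
# the fuzzer has something to find. `trace` records the branches taken, which
# stands in for AFL's compile-time edge instrumentation.
def parse_record(data: bytes, trace: list) -> int:
    trace.append("entry")
    if len(data) < 4:
        trace.append("short")
        return 0
    if data[:2] != b"RC":
        trace.append("bad-magic")
        return 0
    trace.append("magic-ok")
    length = data[2]
    if data[3] == 0xFF:
        trace.append("flag-ff")
        payload = data[4:4 + length]
        # Bug: the declared length is trusted, so a truncated payload indexes
        # past the end (IndexError here; the C equivalent would be a SIGSEGV).
        return payload[length - 1]
    trace.append("flag-other")
    return len(data)

# --- Mutation engine -------------------------------------------------------
OPS = ("flip", "byte", "insert", "delete", "trunc")
INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)   # AFL-style interesting bytes

def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random mutation to a valid sample (mutation-based fuzzing)."""
    buf = bytearray(data)
    op = rng.choice(OPS) if buf else "insert"   # only insertion works on empty input
    if op == "flip":                            # flip a single bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "byte":                          # overwrite with an interesting value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif op == "insert":                        # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete":                        # drop one byte
        del buf[rng.randrange(len(buf))]
    else:                                       # truncate the tail
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)

# --- Fuzzer loop -----------------------------------------------------------
@dataclass
class Fuzzer:
    seeds: list
    rng: random.Random
    coverage: set = field(default_factory=set)
    queue: list = field(default_factory=list)
    crashes: dict = field(default_factory=dict)   # (exception, last branch) -> input

    def run(self, iterations: int) -> dict:
        """Generate, execute, detect crashes, record; keep inputs that add coverage."""
        self.queue = list(self.seeds)
        for _ in range(iterations):
            candidate = mutate(self.rng, self.rng.choice(self.queue))   # generate
            trace: list = []
            try:
                parse_record(candidate, trace)                          # interface
            except Exception as exc:                                    # detect
                key = (type(exc).__name__, trace[-1])
                self.crashes.setdefault(key, candidate)                 # record (dedup)
                continue
            if not set(trace) <= self.coverage:   # evolutionary step: new branch seen
                self.coverage |= set(trace)
                self.queue.append(candidate)      # genetic: survivor joins the pool
        return self.crashes

def demo(seed: int = 1, iterations: int = 2000) -> Fuzzer:
    """Run the fuzzer on two constructed valid samples with a fixed RNG seed."""
    seeds = [b"RC\x03\x00abc", b"RC\x03\xffabc"]
    fz = Fuzzer(seeds=seeds, rng=random.Random(seed))
    fz.run(iterations)
    return fz

if __name__ == "__main__":
    fz = demo()
    print(f"queue={len(fz.queue)} branches={sorted(fz.coverage)}")
    for (exc, branch), data in fz.crashes.items():
        print(f"{exc} after {branch}: {data!r}")
```

The crash key deduplicates by exception type and last branch reached, which is the same idea AFL applies when it decides whether a new crash is "unique" by its coverage path; without some such key a fuzzer floods its results folder with thousands of copies of one bug.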
AFL
Michał Zalewski
@lcamtuf
Compile-time instrumentation
Genetic algorithms
Pros
- Very fast
- Quick to use
- Well maintained
Cons
- Only binary fuzzing
- Hard when external dependencies exist
Quick Start
Create folder structure
mkdir testcases
mkdir results
Create test cases
cat >> testcases/test.txt << EOF
input1
input2
input3
EOF
Compile with afl
afl-gcc -fno-stack-protector -z execstack <Input_file.c> -o <Output>
Fuzz
afl-fuzz -i ./testcases/ -o ./results/ ./<Bin>
Results
cd results/crashes
ls
id:000000,sig:11,src:000000,op:havoc,rep:64
id:000001,sig:11,src:000002,op:havoc,rep:4
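The names afl-fuzz writes into results/crashes/ encode the signal, the queue entry the input was derived from and the mutation that produced it, so a first triage pass can be done from the listing alone. The following is an added example, not part of the slides or of AFL itself: a Python parser for that naming convention plus a grouping by signal and by originating seed. The two first listing lines are the ones from the slide; the remaining lines are constructed in the same format (the `src:A+B` form is what AFL uses for splice operations), and the signal table is a hypothetical subset.

```python
import re
from collections import Counter, defaultdict

# Constructed listing of results/crashes/ (first two names taken from the slide,
# the others made up in the same AFL naming convention, plus a stray file).
SAMPLE_LISTING = """\
id:000000,sig:11,src:000000,op:havoc,rep:64
id:000001,sig:11,src:000002,op:havoc,rep:4
id:000002,sig:06,src:000001+000002,op:splice,rep:8
id:000003,sig:11,src:000000,op:flip1,pos:3
README.txt
"""

# id:NNNNNN followed by one or more ,key:value fields
NAME_RE = re.compile(r"^id:\d{6}(,[a-z]+:[^,]+)+$")

# Hypothetical subset of Linux signal numbers for readable output
SIGNALS = {6: "SIGABRT", 7: "SIGBUS", 8: "SIGFPE", 11: "SIGSEGV"}

def parse_crash_name(name: str):
    """Split 'id:000000,sig:11,src:000000,op:havoc,rep:64' into a dict, or None."""
    if not NAME_RE.match(name):
        return None
    fields = dict(part.split(":", 1) for part in name.split(","))
    for key in ("id", "sig", "rep", "pos"):
        if key in fields:
            fields[key] = int(fields[key])
    # A splice has two parents written as src:A+B; keep them as a list of ints.
    fields["src"] = [int(s) for s in fields.get("src", "").split("+") if s]
    return fields

def triage(listing: str):
    """Group crash files by signal and by originating queue entry."""
    by_signal = Counter()
    by_source = defaultdict(list)
    for line in listing.splitlines():
        entry = parse_crash_name(line.strip())
        if entry is None:           # skip README.txt and anything unexpected
            continue
        by_signal[SIGNALS.get(entry["sig"], f"signal {entry['sig']}")] += 1
        for src in entry["src"]:
            by_source[src].append(entry["id"])
    return by_signal, dict(by_source)

if __name__ == "__main__":
    by_signal, by_source = triage(SAMPLE_LISTING)
    print("by signal:", dict(by_signal))
    print("by source seed:", by_source)
```

Many crashes tracing back to the same `src` entry usually mean one underlying bug reached through several mutations, so start debugging from the smallest reproducer in that group (afl-tmin, see the Minify slide, helps there).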
Interesting Flags
-Q (Qemu mode)
@@ (File input)
-t (timeout)
-m (max memory)
-d (dumb)
Cool Tools
afl fork-server
Good to Know
Mock everything
Sockets
Check preeny
White-Box Fuzzing
We fuzz what we can see
Black-Box Fuzzing
We fuzz what we cannot see
What about Windows?
?
Extra
Minify
mkdir test_cases_after_cmin
mkdir test_cases_after_tmin
afl-cmin -i ./test_cases -o ./test_cases_after_cmin -- ./<Code> -i @@
afl-tmin -i ./test_cases_after_cmin/test_file.extension \
-o ./test_cases_after_tmin/test_file.extension -- ./<Code> -i @@
Golden Rules
Use Code/Edge Coverage Feedback
Create good test cases (download/feedback/grammar)
Minimize samples in size and number
Use sanitizers/heap libraries during fuzzing
Modify mutation engine to fit input data
Only instrument code to be tested
Mock everything
Don't fix checksums inside fuzzer, remove them
By apl3b
0xOPOSEC Fuzzing Presentation