From Crash to Win

csilva & GuiS

Agenda

What is Fuzzing

AFL

AFL all the things

Fuzzing

Automated software testing through the input of:

  • invalid data
  • unexpected data
  • random data

and monitoring for exceptions such as crashes

Anatomy

Generate test cases

Record test cases or any other information

Interface with the target to insert inputs

Detect crashes

Pros

  • Very fast (faster than manual code review)
  • Scalable (you can run 1000 machines for 24/7)

Cons

  • Bugs with pre-conditions are hard to find
  • Can't find logical bugs

Types of Fuzzing

Mutation

Replay

Proxy

Generation

Evolutionary

Mutation

Samples of valid input are mutated to produce malformed input

Replay

Saves inputs and replays them after mutating them

Proxy

Proxy that mutates the requests

Generation

Generate the input from scratch based on some form of intelligence

Evolutionary

The input generation is adjusted according to feedback from the target

AFL

Michał Zalewski

@lcamtuf

Compile-time instrumentation

Genetic algorithms

Pros

  • Very fast
  • Quick to use
  • Well maintained

Cons

  • Only binary fuzzing
  • Hard when external dependencies exist

Quick Start

Create folder structure

mkdir testcases
mkdir results

Create test cases

cat > testcases/test.txt << EOF
input1
input2
input3
EOF

Compile with afl

afl-gcc -fno-stack-protector -z execstack <Input_file.c> -o <Output>

Fuzz

afl-fuzz -i ./testcases/ -o ./results/ ./<Bin>

Results

cd results/crashes
ls
id:000000,sig:11,src:000000,op:havoc,rep:64
id:000001,sig:11,src:000002,op:havoc,rep:4

Interesting Flags

-Q (Qemu mode)

@@ (File input)

-t (timeout)

-m (max memory)

-d (dumb)

Cool Tools

afl fork-server

Good to Know

Mock everything

Sockets

Check preeny

White-Box Fuzzing

We fuzz what we can see

Black-Box Fuzzing

We fuzz what we cannot see

What about Windows?

?

Extra

Minify

mkdir test_cases_after_cmin
mkdir test_cases_after_tmin

afl-cmin -i ./test_cases -o ./test_cases_after_cmin -- ./<Code> -i @@
afl-tmin -i ./test_cases_after_cmin/test_file.extension \
    -o ./test_cases_after_tmin/test_file.extension -- ./<Code> -i @@

Golden Rules

Use Code/Edge Coverage Feedback

Create good test cases (download/feedback/grammar)

Minimize samples in size and number

Use sanitizers/heap libraries during fuzzing

Modify mutation engine to fit input data

Only instrument code to be tested

Mock everything

Don't fix checksums inside fuzzer, remove them
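Added example (not from the slides): a minimal file-input harness for a constructed record format, showing the @@ pattern from the Quick Start and the last golden rule in practice. The checksum gate is compiled out under an assumed -DAFL_FUZZING flag so mutated inputs reach the parser; the format, the macro name and parse_record are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format for this example: magic "FZ01", one length
 * byte, the payload, then a one-byte XOR checksum of the payload. */
enum { PARSE_OK = 0, PARSE_BAD_MAGIC, PARSE_TRUNCATED, PARSE_BAD_SUM };

static uint8_t xor_sum(const uint8_t *p, size_t n) {
    uint8_t s = 0;
    for (size_t i = 0; i < n; i++) s ^= p[i];
    return s;
}

/* The checksum gate is compiled out in the fuzzing build (assumed flag
 * -DAFL_FUZZING) so mutated inputs reach the parser instead of being
 * rejected here; the release build still verifies it. */
static int checksum_ok(const uint8_t *payload, size_t n, uint8_t stored) {
#ifdef AFL_FUZZING
    (void)payload; (void)n; (void)stored;
    return 1;
#else
    return xor_sum(payload, n) == stored;
#endif
}

/* out must have room for 255 bytes (the largest length the byte encodes). */
int parse_record(const uint8_t *buf, size_t len, uint8_t *out, size_t *out_len) {
    if (len < 5) return PARSE_TRUNCATED;
    if (memcmp(buf, "FZ01", 4) != 0) return PARSE_BAD_MAGIC;
    size_t n = buf[4];
    if (len < 5 + n + 1) return PARSE_TRUNCATED;
    if (!checksum_ok(buf + 5, n, buf[5 + n])) return PARSE_BAD_SUM;
    memcpy(out, buf + 5, n);
    *out_len = n;
    return PARSE_OK;
}
/* File-input harness: afl-fuzz ... ./harness @@ substitutes the test case path. */
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <input-file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 2; }
    uint8_t buf[4096], out[256];
    size_t out_len = 0, len = fread(buf, 1, sizeof buf, f);
    fclose(f);
    int rc = parse_record(buf, len, out, &out_len);
    printf("result=%d payload_len=%zu\n", rc, out_len);
    return rc == PARSE_OK ? 0 : 1;
}
```

Build the fuzzing target with `afl-gcc -DAFL_FUZZING harness.c -o harness` and run `afl-fuzz -i ./testcases/ -o ./results/ ./harness @@`; a bug found this way must then be re-checked against the release build, where the checksum is still enforced.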
