Fuzzing the Stock Market

@duartevolvox - 0xOPOSEC 0x6A

0x01- Introduction
  • What is a stock exchange - Life of a Trade
  • Understanding the target
  • The issue
  • The mindset && approach
  • The solution
  • The Results
0x02- The Stock Exchange
0x02(2)- The Target

https://euronext.com/optiq

0x02(3)- The Target
  • Multi-parallelism,
  • Highest performance ever (round-trip time of 100 μs) - HFT
  • Leveraging open source protocols (SBE, LZ4, ...)
  • Interfaces: FIX / SBE
  • Ready to receive 3 billion messages per day
0x02(4)- The Target
0x02(5)- The Target [INTERFACES]
  • FIX
    • Financial Information Exchange
    • 1992
    • Example message (the '|' stands for the SOH byte). BodyLength (9=65) counts the bytes after the 9= field up to and including the delimiter before 10=, so the 8=, 9= and 10= fields contribute 0:
8=FIX.4.2|9=65|35=A|49=SERVER|56=CLIENT|34=177|52=20090107-18:15:16|98=0|108=30|10=062|
     0   + 0  + 5  +   10    +   10    +  7   +        21          + 5  +  7   +   0    = 65
  • SBE
    • Simple Binary Encoding
    • https://github.com/real-logic/simple-binary-encoding
    • SBE is an OSI layer 6 presentation for encoding and decoding binary application messages for low-latency financial applications.
0x03- The issue
  • How do you test proprietary protocols?
    • With custom messages?
    • With weird and fucked-up flows?
    • With logic beyond our mortal comprehension?
0x04- The Mindset
  • Results of the Risk Assessment:
    • (in)voluntary sending of malformed messages that can lead to unexpected behaviour or crashes.
0x05- The Approach - Fuzzing!

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks.

0x05- The Approach - Fuzzing! [WHY]
  • Advantages:
    • No human interaction while testing,
    • If configured properly, 99.99% coverage,
    • Scalable!
  • Disadvantages:
    • Configuration...
    • Shit ton of crashes to review...
    • It's a good approach, but manual testing is always needed
0x06- The Solutions
  • AFL
  • Libfuzzer
  • Zulu
  • Peach
  • Scripting

0x06- The Solutions
  • Whitebox grammar-based fuzzing - BooFuzz

aka "Euronext-fuzzer"

0x06- The Solutions - Boofuzz
  • Why?
    • Network based Fuzzing
    • Customisable with Python
    • Easy to setup
    • Reporting (CSV, HTML)
0x06- The Solutions - Boofuzz
  • Features:
    • Manual configuration of trading protocol messages,
    • And flows (Logon First, NewOrder, CancelOrder, Logout)
    • Pre-post send
    • REST API for Automation
    • ...
0x06- The Solutions - Boofuzz
  • Limitations:
    • RAM - 16 GB not enough
    • Initial learning curve,
    • Output... and
    • Reproducibility
0x06- The Solutions - Boofuzz
  • Features - Daemon
    [Diagram: Fuzzer and Exchange exchanging messages, labelled "test case N-1", "test case N", "test case N-1", "test case N-1"; "Crash Detected"]
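As an added example (not code from the talk, Euronext, Optiq or boofuzz), the following Python ties the two technical slides together: it frames FIX 4.2 messages the way the BodyLength arithmetic on the interfaces slide describes, using the real SOH (0x01) delimiter that the slides print as '|' (the 10=062 checksum only works out with SOH), validates a received frame the way a gateway should before trusting any other field, and walks a constructed Logon -> NewOrder -> CancelOrder -> Logout flow mutating one field per test case, numbering the cases so a crash can be tied back to "test case N-1" as in the daemon diagram. The flow fields, the mutators and the in-process "gateway" are assumptions made for illustration.

```python
"""FIX 4.2 framing (BodyLength / CheckSum) plus a minimal grammar-based
mutation loop over a Logon -> NewOrder -> CancelOrder -> Logout flow.
Added example, not Euronext/Optiq/boofuzz code; the "gateway" is an
in-process framing validator, so everything runs offline."""
from typing import Callable, Dict, Iterator, List, Tuple

SOH = "\x01"  # the real FIX field delimiter; the slides print it as '|'
Field = Tuple[int, str]


def fix_encode(begin_string: str, body: List[Field]) -> str:
    """9=BodyLength counts every byte after the SOH ending tag 9 up to and
    including the SOH before '10='; 10=CheckSum is the byte sum of everything
    before '10=' modulo 256, zero-padded to three digits."""
    body_str = "".join(f"{tag}={val}{SOH}" for tag, val in body)
    framed = f"8={begin_string}{SOH}9={len(body_str.encode('latin-1'))}{SOH}{body_str}"
    return f"{framed}10={sum(framed.encode('latin-1')) % 256:03d}{SOH}"


def fix_validate(raw: str) -> List[str]:
    """Return framing errors (empty list = consistent frame). This is the
    check a receiving gateway should apply before trusting any other field."""
    errors: List[str] = []
    if raw.endswith(SOH):
        fields = raw[:-1].split(SOH)
    else:
        errors.append("message not terminated by SOH")
        fields = raw.split(SOH)
    if len(fields) < 3 or not fields[0].startswith("8="):
        return errors + ["BeginString (8) must be the first field"]
    if not fields[1].startswith("9=") or not fields[1][2:].isdigit():
        return errors + ["BodyLength (9) must be second and numeric"]
    if not fields[-1].startswith("10="):
        return errors + ["CheckSum (10) must be the last field"]
    body = "".join(f + SOH for f in fields[2:-1])
    declared, actual = int(fields[1][2:]), len(body.encode("latin-1"))
    if declared != actual:
        errors.append(f"BodyLength {declared} != actual {actual}")
    covered = "".join(f + SOH for f in fields[:-1])
    expected = sum(covered.encode("latin-1")) % 256
    given = fields[-1][3:]
    if not (len(given) == 3 and given.isdigit() and int(given) == expected):
        errors.append(f"CheckSum {given!r} != expected {expected:03d}")
    return errors


# Constructed flow with the four message types the slides name. A real
# grammar fuzzer would hold session fields (49/56/34) fixed; here every
# field is mutated so the loop stays short.
FLOW: List[Tuple[str, List[Field]]] = [
    ("Logon", [(35, "A"), (49, "CLIENT"), (56, "SERVER"), (34, "1"),
               (98, "0"), (108, "30")]),
    ("NewOrder", [(35, "D"), (49, "CLIENT"), (56, "SERVER"), (34, "2"),
                  (11, "ORD1"), (55, "XYZ"), (54, "1"), (38, "100"),
                  (40, "2"), (44, "10.5")]),
    ("CancelOrder", [(35, "F"), (49, "CLIENT"), (56, "SERVER"), (34, "3"),
                     (41, "ORD1"), (11, "ORD2"), (55, "XYZ"), (54, "1")]),
    ("Logout", [(35, "5"), (49, "CLIENT"), (56, "SERVER"), (34, "4")]),
]

# One-field-at-a-time mutators (name, transform), applied to every field.
MUTATORS: List[Tuple[str, Callable[[str], str]]] = [
    ("empty", lambda v: ""),
    ("oversized", lambda v: "A" * 4096),
    ("non_numeric", lambda v: "abc"),
]


def corrupt_body_length(raw: str) -> str:
    """Framing-level mutation: keep the body, lie about its length."""
    fields = raw[:-1].split(SOH)
    fields[1] = "9=1"
    return SOH.join(fields) + SOH


def generate_cases(flow=FLOW, mutators=MUTATORS) -> Iterator[Tuple[int, str, str, str]]:
    """Yield (test_case_no, message, mutation, raw). The running number is
    the handle a crash-detecting daemon needs to replay 'test case N-1'."""
    n = 0
    for name, body in flow:
        for idx, (tag, val) in enumerate(body):
            for mut_name, fn in mutators:
                mutated = list(body)
                mutated[idx] = (tag, fn(val))
                n += 1
                yield n, name, f"tag{tag}:{mut_name}", fix_encode("FIX.4.2", mutated)
        n += 1
        yield n, name, "bodylength:stale", corrupt_body_length(fix_encode("FIX.4.2", body))


def run_campaign(gateway: Callable[[str], List[str]] = fix_validate) -> Dict[str, object]:
    """Feed every case to `gateway` and record what it rejected. With the
    framing validator as gateway only the stale-BodyLength cases are
    rejected: well-framed but semantically bad fields pass framing."""
    rejected: List[Tuple[int, str, str]] = []
    total = 0
    for n, name, mutation, raw in generate_cases():
        total = n
        if gateway(raw):
            rejected.append((n, name, mutation))
    return {"cases": total, "rejected": len(rejected), "rejected_cases": rejected}
```

Calling run_campaign() with the framing validator as the gateway yields 88 cases, of which only the 4 stale-BodyLength frames are rejected; the 84 well-framed cases carrying empty, oversized or non-numeric fields pass the framing check, which is the layer behind the frame that a grammar-based fuzzer like the one in the talk is meant to reach, and why crash detection is left to a separate daemon.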

0x06- The Solutions - Boofuzz
  • Messages
0x06- The Solutions - Boofuzz
  • Daemon results
0x06- The Solutions - Boofuzz
  • Output
0x06- The Results
  • Issues were identified that can potentially lead to business outage (availability)

  • Root cause linked to memory management issues.

  • Now, they are all fixed

Q&A
