Taking testing to the next level using Frida's dynamic binary instrumentation

What is Frida?

  • Dynamic instrumentation toolkit
    • Debug live processes
  • Scriptable
    • Execute your own debug scripts inside another process
  • Multi-platform
    • Windows, Mac, Linux, iOS, Android, QNX
  • Highly modular, JavaScript is optional
  • Open Source

Can we do fault injection at the socket API level?

Let's add a testing API to an existing application without modifying it

1) We are the developers of Quake. Can we make it expose an API for testing?

2) Let's make it expose a REST API.

3) Let's expose health and ammo.

#define MAX_CL_STATS 32

#define STAT_HEALTH 0
…
#define STAT_SHELLS 6
#define STAT_NAILS 7
#define STAT_ROCKETS 8

…

typedef struct
{
  int movemessages;
  usercmd_t cmd;
  int stats[MAX_CL_STATS];
  …
} client_state_t;

…

extern client_state_t cl;

4) Let's do that on the right thread.

5) How about POST /attack?

6) Can I have a Python API instead?

Can we detect memory leaks in C/C++ code?

1) Let's try Gum::SanityChecker.

2) Can we have backtraces, too?

3) Backtraces are expensive, can we collect them for a subset only?

Other use-cases:

  • Adding jitter to thread scheduling
  • Fuzzing

Questions?


Twitter: @oleavr @fridadotre

Thanks!

Please drop by https://t.me/fridadotre

(or #frida on FreeNode)

Taking testing to the next level using Frida's dynamic binary instrumentation

By Ole André Vadla Ravnås

Taking testing to the next level using Frida's dynamic binary instrumentation

  • 1,882