0-Knowledge Fuzzing, Vincenzo Iozzo (vincenzo.iozzo@zynamics.com) - PowerPoint PPT Presentation


  1. 0-Knowledge Fuzzing, Vincenzo Iozzo, vincenzo.iozzo@zynamics.com

  2. Disclaimer. In this talk you won't see all those formulas, formal definitions, code snippets and bullets and bullets. From past experience the speaker learned that none of the aforementioned elements is useful in making people understand your idea. Instead you will see a lot of funny pictures which the speaker hopes will convey the ideas explained in the talk better. You don't want slides like this, do you?

  3. Motivations

  4. Questions!

  5. Fuzzing

  6. How it used to be

  7. How it is today (aka the reason for this talk)

  8. Dumb fuzzing

  9. Smart Fuzzing

  10. Evolutionary Based Fuzzing

  11. The idea

  12. The surface

  13. We need a filter

  14. Cyclomatic complexity

  15. This one

  16. Not this one

  17. Original formula: M = E - N + 2P, where E = number of edges, N = number of nodes, P = number of connected components

  18. Why? Cyclomatic number: M = E - N + P

  19. Simplify

  20. Formula: M = E - N + 2

  21. Problem

  22. Loop detection

  23. Dominator tree

  24. Dominators

  25. Function

  26. Dominator tree

  27. Dominators

  28. Implicit loops
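As an added illustration (not code from the talk or from zynamics) of the cyclomatic filter of slides 17-20 and the dominator-based loop detection of slides 22-28: McCabe's number and the back edges of a small control-flow graph, where the graph, the block numbering and the complexity threshold are assumptions made up for this example.

```python
# Added example (not the talk's code): cyclomatic filter + dominator loop detection.

def cyclomatic_complexity(nodes, edges, components=1):
    """McCabe's M = E - N + 2P; with P = 1 (one function) this is the slide's M = E - N + 2."""
    return len(edges) - len(nodes) + 2 * components


def dominators(nodes, edges, entry):
    """Iterative dataflow: dom(n) = {n} | intersection of dom(p) over the predecessors p of n."""
    preds = {n: [] for n in nodes}
    for src, dst in edges:
        preds[dst].append(src)
    dom = {n: set(nodes) for n in nodes}  # optimistic start, refined down to a fixpoint
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == entry:
                continue
            pred_doms = [dom[p] for p in preds[n]]
            new = {n} | (set.intersection(*pred_doms) if pred_doms else set())
            if new != dom[n]:
                dom[n], changed = new, True
    return dom


def back_edges(nodes, edges, entry):
    """An edge u -> v closes a loop when v dominates u; each such v is a loop header."""
    dom = dominators(nodes, edges, entry)
    return [(u, v) for u, v in edges if v in dom[u]]


def is_interesting(nodes, edges, entry, min_complexity=3):
    """Target filter in the spirit of the talk: complex enough *and* looping.
    The threshold of 3 is an assumed value, not one given on the slides."""
    return (cyclomatic_complexity(nodes, edges) >= min_complexity
            and len(back_edges(nodes, edges, entry)) > 0)


# Constructed CFG of a hypothetical parsing routine: block 1 is a loop header,
# blocks 3 and 4 jump back to it, block 5 is the exit. Straight-line code for contrast.
NODES, EDGES = [0, 1, 2, 3, 4, 5], [(0, 1), (1, 2), (1, 5), (2, 3), (2, 4), (3, 1), (4, 1)]
STRAIGHT_NODES, STRAIGHT_EDGES = [0, 1], [(0, 1)]

if __name__ == "__main__":
    print("M =", cyclomatic_complexity(NODES, EDGES), "back edges:", back_edges(NODES, EDGES, 0))  # 3 [(3, 1), (4, 1)]
    print(is_interesting(NODES, EDGES, 0), is_interesting(STRAIGHT_NODES, STRAIGHT_EDGES, 0))  # True False
```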

  29. REIL

  30. Is that enough?

  31. Not enough. Of course not, more heuristics needed:

      void *safe_strcpy(void *old_dest, void *src, int size) {
          void *dst = realloc(old_dest, size + 1);
          strncpy(dst, src, size);
          return dst;
      }

  32. Add your own. For static analysis we use

  33. DEMO

  34. Questions!

  35. Data Tainting

  36. Dytan

  37. PIN

  38. Taint sources

  39. Markings granularity

  40. Propagation: add eax, ebx, edx

  41. Output: registers, memory locations

  42. DEMO

  43. Questions!

  44. In-memory fuzzing

  45. Why?

  46. Problems

  47. Expertise and patience

  48. Memory instability

  49. False positives

  50. False negatives

  51. Mutation loop insertion

  52. Snapshot mutation restoration

  53. What do we do? • Hook image • Hook functions • Hook instructions • Hook

  54. First approach

  55. For instance… (figure: memory range 30f064 - 30f067, contents ABCD and 0x8a Y 0x00 K)

  56. Second approach

  57. Example (figure: memory ranges 30f064 - 30f067 and 30f084 - 30f097, contents 0x89 K D F 0x96 ABCD 0x00 J K U Y W 0xA7 0xB8 0x00 0x10 A T N 0x00 0xD3)

  58. Code coverage

  59. How?? Good sample, evil sample, score, compare

  60. Score = BB executed / BB total (basic blocks executed divided by total basic blocks)

  61. Halting: C_good = C_evil + t, where C is the code coverage of the user-supplied good sample and of the evil sample, and t is a user-supplied threshold

  62. What do we use? Code coverage, faults monitor

  63. DEMO

  64. Future – A reasoner

  65. Thanks

  66. Questions!

  67. More Info: viozzo.wordpress.com, @_snagg, vincenzo.iozzo@zynamics.com
