0-Knowledge Fuzzing
Vincenzo Iozzo, vincenzo.iozzo@zynamics.com
Disclaimer
In this talk you won't see all those formulas, formal definitions, code snippets and bullets and bullets. From past experience the speaker learned that none of the aforementioned elements are useful in making people understand your idea. You will instead see a lot of funny pictures which the speaker hopes will convey the ideas explained in the talk better. You don't want slides like this, do you?
Motivations
Questions!
Fuzzing
How it used to be
How it is today (aka the reason for this talk)
Dumb fuzzing
Smart fuzzing
Evolutionary-based fuzzing
The idea
The surface
We need a filter
Cyclomatic complexity
This one
Not this one
Original formula: M = E - N + 2P, where E is the number of edges, N the number of nodes and P the number of connected components.
Why? Cyclomatic number: M = E - N + P
Simplify
Formula: M = E - N + 2 (a single function is one connected component, so P = 1)
Problem
Loop detection
Dominator tree
Dominators
Function
Dominator tree
Dominators
Implicit loops
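As an added illustration (not code from the talk or from zynamics), the Python below computes the simplified M = E - N + 2 for a constructed control-flow graph and finds loop back edges through a dominator computation, the loop-detection route the slides outline. The graph, block names, functions and the "complexity without back edges" figure are assumptions; how the talk itself weights loops is not on the slides.

```python
from collections import defaultdict

# Constructed control-flow graph (not from the talk): basic block -> successors.
# "a" is the function entry, c -> b closes a loop, "d" is the exit block.
CFG = {
    "a": ["b"],
    "b": ["c", "d"],
    "c": ["b"],
    "d": [],
}

def cyclomatic_complexity(cfg):
    """Simplified McCabe formula M = E - N + 2 (one connected component, P = 1)."""
    edges = sum(len(succs) for succs in cfg.values())
    return edges - len(cfg) + 2

def dominators(cfg, entry):
    """Iterative data-flow computation: dom(n) = {n} | intersection of dom(p)
    over all predecessors p. Assumes every block is reachable from entry."""
    preds = defaultdict(list)
    for node, succs in cfg.items():
        for s in succs:
            preds[s].append(node)
    dom = {node: set(cfg) for node in cfg}   # start from "everything dominates"
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for node in cfg:
            if node == entry or not preds[node]:
                continue
            new = {node} | set.intersection(*(dom[p] for p in preds[node]))
            if new != dom[node]:
                dom[node] = new
                changed = True
    return dom

def back_edges(cfg, entry):
    """An edge n -> h is a loop back edge when h dominates n (h is the loop header)."""
    dom = dominators(cfg, entry)
    return [(n, h) for n, succs in cfg.items() for h in succs if h in dom[n]]

def complexity_without_loops(cfg, entry):
    """Assumed metric: recompute M with back edges removed, separating the
    branch-induced part of the complexity from the loop-induced part."""
    dropped = set(back_edges(cfg, entry))
    pruned = {n: [s for s in succs if (n, s) not in dropped] for n, succs in cfg.items()}
    return cyclomatic_complexity(pruned)

if __name__ == "__main__":
    print(cyclomatic_complexity(CFG), back_edges(CFG, "a"), complexity_without_loops(CFG, "a"))
```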
REIL
Is that enough?
Not enough. Of course not, more heuristics needed:

    #include <stdlib.h>
    #include <string.h>

    void *safe_strcpy(void *old_dest, void *src, int size) {
        /* Low cyclomatic complexity, yet: the realloc() result is never checked
           for NULL, and strncpy() does not guarantee NUL termination of dst. */
        void *dst = realloc(old_dest, size + 1);
        strncpy(dst, src, size);
        return dst;
    }
Add your own
For static analysis we use
DEMO
Questions!
Data tainting
Dytan
PIN
Taint sources
Markings granularity
Propagation: add eax, ebx, edx
Output: registers, memory locations
DEMO
Questions!
In-memory fuzzing
Why?
Problems
Expertise and patience
Memory instability
False positives
False negatives
Mutation loop insertion
Snapshot mutation restoration
What do we do?
• Hook image
• Hook functions
• Hook instructions
• Hook
First approach
For instance… (figure: memory range 30f064 - 30f067, contents ABCD / 0x8a Y 0x00 K)
Second approach
Example (figure: memory ranges 30f064 - 30f067 and 30f084 - 30f097, contents 0x89 K D F 0x96 ABCD 0x00 J K U Y W 0xA7 0xB8 0x00 0x10 A T N 0x00 0xD3)
Code coverage
How?? (figure: good sample and evil sample, each given a score; scores compared)
Score = BB executed / BB total (basic blocks executed over total basic blocks)
Halting: C_good = C_evil + t, where C_good is the code coverage of the good sample, C_evil the code coverage of the evil sample and t a user-supplied threshold.
What do we use? Code coverage, faults monitor
DEMO
Future - A reasoner
Thanks
Questions!
More Info: viozzo.wordpress.com, @_snagg, vincenzo.iozzo@zynamics.com