Fuzzing for CyberSecurity
Abe Cohen, 2019-11-13
Fuzzing for CyberSecurity
● What is fuzzing/fuzz testing?
● Why AFL?
● How does it work with GNAT Pro/Ada?
Premise: Fuzz Testing
Definition: Stable Software
● Software that is highly unlikely to enter exceptional situations that it was not designed for or tested against
  ○ More situations tested, more stable software
● Stability via negative input testing equates to a higher level of security
How Fuzzing Works
● Test connected to an input
● The fuzzer “fuzzes” the input data and feeds it into the program
● If the program crashes, it logs the bug
(Diagram: seed with a test corpus (optional) -> generate new input -> execute the black-box test -> fault? If no, generate the next input; if yes, record the bug.)
Fuzz Testing Benefits
● Helps you find bugs/vulnerabilities in your code
  ○ Not just crashing bugs when used with specific sanitizers
● Replicates what a hacker might do to find a vulnerability
● High benefit-to-cost ratio
Fuzz Testing Limitations
● Doesn’t test software quality
  ○ Meant to be used in addition to other testing techniques
● Requires context/knowledge of the system to determine each found bug’s potential danger
  ○ Ada mitigates this using compiler checks
American Fuzzy Lop
American Fuzzy Lop is a rabbit breed. American Fuzzy Lop is also a fuzzing library.
AFL Sales Pitch
● Smart: input mutation based, driven by CFG instrumentation feedback
● Fast: fork-point optimization and in-process fuzzing loops
(Diagram: the program is split into an init/setup phase and an input-processing phase; only the input-processing phase is repeated, not all of the setup, and the fault result of each run is fed back to the fuzzer.)
AFL Bug Trophy Case
AFL Bonuses
● Chainable to other tools
  ○ Can sync/share test corpus with other tools
● Low complexity setup
  ○ No guesswork, settings to fine-tune
What We’re Working On
● Original idea came from a customer blog post on AdaCore’s blog
  ○ “Leveraging Ada Run-Time Checks with Fuzz Testing in AFL” by Lionel Matias
  ○ https://blog.adacore.com/running-american-fuzzy-lop-on-your-ada-code
● Improve GCC instrumentation plugin
● Provide facilities to leverage AFL’s fork server & in-process abilities
● Nightly build available for beta testing on demand
● Further work underway through a research project
How AFL Works with GNAT Pro/Ada
● AFL looks for crashes via signal from OS
● Ada crashes more gracefully than that
Assuming a program P processing an input file:

   with Ada.Command_Line;
   with Worker;
   procedure P is
      --  The input file to process is the first command-line argument
      Filename : constant String := Ada.Command_Line.Argument (1);
   begin
      Worker.Process (Filename);
   end P;

Fuzzing with AFL first incurs a simple wrapper:

   with GNAT.Exception_Actions;
   with P;
   procedure P_Crash is
   begin
      P;
   exception
      --  Turn any unhandled Ada exception into a core dump, i.e. the
      --  OS signal that AFL recognises as a crash
      when E : others =>
         GNAT.Exception_Actions.Core_Dump (E);
   end P_Crash;
How AFL Works with GNAT Pro/Ada
Then a very simple sequence of commands:

   PATH=<...> AFL_PATH=<...> gprbuild -Pp.gpr p_crash.adb -XDRIVER=afl-gcc-fast
   afl-fuzz -i inputs -o findings -- obj/p_crash @@

● Only minor project file updates to access:
  ○ The instrumenting compiler
  ○ Facilities to leverage AFL’s fork-server and in-process fuzzing
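As an added example (not code from the slides or from AdaCore), a complete fuzz target in the shape the previous two slides describe: a hypothetical Worker package that parses a constructed length-prefixed input format, plus the P_Crash wrapper with P’s argument handling folded into it. It assumes GNAT (for GNAT.Exception_Actions) and is shown as one listing; split it into worker.ads, worker.adb and p_crash.adb to build with the gprbuild line above.

```ada
--  worker.ads
package Worker is
   procedure Process (Filename : String);
end Worker;
--  worker.adb
with Ada.Streams.Stream_IO;
package body Worker is
   use Ada.Streams;
   --  Constructed input format for this example: one length byte, then
   --  that many payload bytes, copied into a fixed 16-element buffer.
   Buffer : Stream_Element_Array (1 .. 16) := (others => 0);

   procedure Process (Filename : String) is
      File   : Stream_IO.File_Type;
      Header : Stream_Element_Array (1 .. 1);
      Last   : Stream_Element_Offset;
   begin
      Stream_IO.Open (File, Stream_IO.In_File, Filename);
      Stream_IO.Read (File, Header, Last);
      if Last = Header'Last then   --  empty input: nothing to parse
         declare
            Data : Stream_Element_Array
              (1 .. Stream_Element_Offset (Header (1)));
         begin
            Stream_IO.Read (File, Data, Last);
            --  More than 16 payload bytes make I exceed Buffer'Last.
            --  Ada's index check raises Constraint_Error instead of
            --  overrunning memory; the wrapper below turns that
            --  exception into the crash signal afl-fuzz looks for.
            for I in 1 .. Last loop
               Buffer (I) := Data (I);
            end loop;
         end;
      end if;
      Stream_IO.Close (File);
   end Process;
end Worker;
--  p_crash.adb: the slide's wrapper, reading the input file name
--  (afl-fuzz substitutes it for @@) directly instead of calling P
with Ada.Command_Line;
with GNAT.Exception_Actions;
with Worker;
procedure P_Crash is
begin
   Worker.Process (Ada.Command_Line.Argument (1));
exception
   when E : others =>
      GNAT.Exception_Actions.Core_Dump (E);   --  unhandled => core dump
end P_Crash;
```

Seed the inputs directory with a well-formed file (a small length byte followed by that many bytes) so AFL starts from a valid record; a crashing finding can then be replayed by running obj/p_crash on the saved file and checking for the core dump.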
Conclusion
● More fuzzing -> more stability -> more security
● Easy to configure and run, effective at finding bugs, and useful to other tools
● Starting to see it all over tech
  ○ Becoming best practice to integrate into your testing process
● Look out for GNATFuzz soon!