fuzzing suricata finding vulnerabilities in large projects
play

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko - PowerPoint PPT Presentation

Mar 28, 2024 •294 likes •598 views

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Her Special thanks Robert Haist, DCSO Victor Julien, lead developer suricata,

  1. Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Höer @golle0x90 1 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  2. Special thanks ● Robert Haist, DCSO ● Victor Julien, lead developer suricata, Open Infosec Foundation (OISF) ● Henning Perl, CTO, Code Intelligence ● Sergej Dechand, CEO, Code Intelligence 2 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  3. Disclaimer ● The methodologie mentioned here reflect my experiences about fuzz-testing and are not general approaches used by the BSI ! ● All opinions about Fuzzing expressed in this presentation are my opinions only. They are not the general opinion of the BSI ! 3 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  4. Table of content Introduction ● Methodology of Fuzzing Suricata ● Example: Ethernet Decoder Heap Buffer Overflow ● Conclusion ● 4 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  5. What is suricata Facts : - about 600k lines of code - more than 600 source files Open Source IDS / IPS / NSM ● - Uses Unit Tests and AFL Fuzzing (2019) Developed by Open Information Security Foundation ● - since March 2020 integration to google oss-fuzz written in c and rust ● Buildsystem: automake ● Version 5.0.3 ● 5 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  6. Methodology of Fuzzing Projects in general Analyse, Run Fuzzers, Setup Create Fuzz-Targets, Bug investigation, Debugging Bug report 6 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  7. Methodology of Fuzzing Suricata Analyse, Run Fuzzers, Setup Create Fuzz-Targets, Bug investigation, Debugging Bug report 7 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  8. My Setup Build process How to build the project ? ● $ user@host ./autogen $ user@host ./configure $ user@host make all -j$(nproc) Build the project 8 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  9. My Setup #!/usr/bin/sh set -e export CC=clang export CXX=clang++ Build process export ASAN_OPTIONS=detect_leaks=0 ./configure --disable-rust CFLAGS="-O1 -v -g -fPIC \ How to build the project ? ● -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep \ -fsanitize= address,fuzzer-no-link ,undefined,signed-integer-overflow,bool,pointer-o Create build script with sanitzer ● verflow" \ ○ patch object file LDFLAG="-fsanitize=address,fuzzer-no-link,undefined,signed-integer-overflow,bool,p ointer-overflow \ ○ pack all together -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep" \ make -j$(nproc) … echo "patch suricata.o ..." sed -i -e 's/main/mmmm/g' suricata.o echo "patched ..." echo "generate archiv suricata_fuzz.a ..." ar rv suricata_fuzz.a *.o echo "generated ..." build_suricata.sh Build parent Create build script 9 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  10. My Setup FROM base/archlinux #install main packages RUN echo "installing basic packages ..." Build process RUN pacman -Syu --noconfirm RUN pacman -S --noconfirm \ How to build the project ? ● screen \ git \ Create build script with sanitzer ● … Build fuzzing infrastructure (Docker) ● # install dep for suricata RUN pacman -Syu --noconfirm RUN pacman -S --noconfirm \ jansson \ libnet \ libyaml \ nss ... Dockerfile Build parent Create build script Create infra. 10 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  11. My Setup FUZZERS = fuzz_app \ ... fuzz_decoder_udp ... fuzz_%: $(src_target)/fuzz_%.c $(shell mkdir -p $(build_target)/$*) clang -O1 -g \ Build process $< \ ${CFLAGS} ${LDFLAGS} \ -DCLS=64 \ How to build the project ? ● -D HAVE_MAGIC \ Create build script with sanitzer -I../src -I../libhtp \ ● -fsanitize= fuzzer,address ,undefined, \ Build fuzzing infrastructure (Docker) ● signed-integer-overflow, \ bool,pointer-overflow \ Build Makefile for fuzz-targets ● -fsanitize-coverage=trace-pc-guard \ -fsanitize-thread-memory-access \ -lstdc++ \ -lmagic -lcap-ng -lpcap -lpthread -lnet -lyaml -lpcre -lz -llzma \ ../src/suricata_fuzz.a \ ../libhtp/htp/.libs/libhtp.a \ /usr/lib/liblz4.so \ -o $(build_target)/$*/$@ ... Makefile Build parent Create build script Create infra. Makefile 11 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  12. Methodology of Fuzzing Suricata Analyse, Bug investigation, Setup Fuzz-Targets, Bug report Running Tests 12 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  13. Analyse Biggest challenge: Finding entry points suricata ├── contrib Look at Unit-Test ├── doc ● ... ├── libhtp Look at Fuzz-Test (if fuzz-tests are available) ● ... ├── rust Look at the Bug-Tracker ● ├── src │ ├── alert-debuglog.c │ ├── alert-fastlog.c │ ├── alert-prelude.c │ ├── alert-syslog.c │ ├── alert-unified2-alert.c │ ├── app-layer.c │ ├── app-layer-dcerpc.c │ ├── app-layer-dcerpc-udp.c │ ├── app-layer-detect-proto.c │ ├── app-layer-dhcp.c │ ├── app-layer-dnp3.c … │ ├── app-layer-parser.c … │ ├── decode-erspan.c │ ├── decode-ethernet.c │ ├── decode-events.c ... │ ├── decode-gre.c │ ├── suricata.c ... └── suricata-update 13 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  14. Analyse Biggest challenge: Finding entry points suricata ├── contrib Look at Unit-Test ├── doc ● ... ├── libhtp Look at Fuzz-Test (if fuzz-tests are available) ● ... ├── rust Look at the Bug-Tracker ● ├── src │ ├── alert-debuglog.c │ ├── alert-fastlog.c │ ├── alert-prelude.c │ ├── alert-syslog.c │ ├── alert-unified2-alert.c │ ├── app-layer.c │ ├── app-layer-dcerpc.c │ ├── app-layer-dcerpc-udp.c │ ├── app-layer-detect-proto.c │ ├── app-layer-dhcp.c │ ├── app-layer-dnp3.c In this case, I look at: … │ ├── app-layer-parser.c … │ ├── decode-erspan.c Entrypoint : src/suricata.c ● │ ├── decode-ethernet.c │ ├── decode-events.c Unit-Tests: src/tests/*.c ● ... │ ├── decode-gre.c │ ├── suricata.c ... └── suricata-update 14 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  15. Analyse Find interesting things Fuzz-targets for AFL: ... 1183 static void ParseCommandLineAFL(const char *opt_name, char *opt_arg){ 1184 #ifdef AFLFUZZ_RULES About 25 written Targets (2019) ● 1185 if(strcmp(opt_name, "afl-rules") == 0) { MpmTableSetup(); App-Layer: ● . SpmTableSetup(); . http-request / response ○ . exit(RuleParseDataFromFile(opt_arg)); } else smb-request / response ○ #endif smtp ○ #ifdef AFLFUZZ_APPLAYER Low-Level decoder ● if(strcmp(opt_name, "afl-http-request") == 0) { //printf("arg: //%s\n", opt_arg); IPv4 / IPv6 decoder ○ MpmTableSetup(); PPP-decoder ○ SpmTableSetup(); Ethernet-decoder AppLayerProtoDetectSetup(); ○ AppLayerParserSetup(); RegisterHTPParsers(); exit(AppLayerParserRequestFromFile(IPPROTO_TCP, ALPROTO_HTTP, opt_arg)); } ... 1268 suricata.c 15 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  16. Analyse Finding good Fuzz-Targets Example: ● RuleParseDataFromFile(...) int RuleParseDataFromFile(char *filename) { ● AppLayerParserRequestFromFile(...) ... SigTableSetup(); ● AppLayerParserFromFile(...) SCReferenceConfInit(); SCClassConfInit(); ● MimeParserDataFromFile(...) DetectEngineCtx *de_ctx = DetectEngineCtxInit(); ... while (__AFL_LOOP(10000)) { ● DecoderParseDataFromFile(...) ... size_t result = fread(&buffer, 1, sizeof(buffer), fp); ● DerParseDataFromFile(...) if (result < sizeof(buffer)) { buffer[result] = '\0'; ● ConfYamlLoadString(...) Signature *s = SigInit(de_ctx, buffer); if (s != NULL) { SigFree(s); } } ... DetectEngineCtxFree(de_ctx); SCClassConfDeinit(); SCReferenceConfDeinit(); decoder-afl.c } 16 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

  17. The Fuzz-Target (Example) /* Include files */ … Creating Fuzz-Targets int LLVMFuzzerInitialize( int *argc, char ***argv) { MpmTableSetup(); SpmTableSetup(); AppLayerProtoDetectSetup(); ... AppLayerParserSetup(); if(strcmp(opt_name, "afl-http-request") == 0) { AppLayerParserRegisterProtocolParsers(); //printf("arg: //%s\n", opt_arg); MpmTableSetup(); /* Initialize random number generator */ SpmTableSetup(); srand(0); AppLayerProtoDetectSetup(); return 0; AppLayerParserSetup(); } RegisterHTPParsers(); exit(AppLayerParserRequestFromFile(IPPROTO_TCP, ALPROTO_HTTP, opt_arg)); AppProto AppProtoFromData() { ... } else if(strcmp(opt_name, "afl-tls") == 0) { return rand() % ALPROTO_MAX; //printf("arg: //%s\n", opt_arg); } MpmTableSetup(); ... SpmTableSetup(); AppLayerProtoDetectSetup(); AppLayerParserSetup(); RegisterSSLParsers(); exit(AppLayerParserFromFile(IPPROTO_TCP, ALPROTO_TLS, opt_arg)); ... suricata.c fuzz_app.c 17 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Höer

Recommend

Finding Vulnerabilities with Fuzzing Chao Zhang Tsinghua

Finding Vulnerabilities with Fuzzing Chao Zhang Tsinghua

Finding Vulnerabilities with Fuzzing Chao Zhang Tsinghua University http://netsec.ccert.edu.cn/chaoz/ About Me 2004-2008-2013 2013-2016 2016-present p Hack for fun software and system security Tencent

1.23k views • 98 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as a SSL monitor Suricata as a passive DNS probe Suricata as a flow probe Suricata as a malware detector VirtualBox setup File -&gt;

1.16k views • 78 slides
FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim * 1 Fuzzing Discovers Many Vulnerabilities 2 Fuzzing Discovers Many Vulnerabilities 3 Testers Find Bugs with Fuzzing

1.13k views • 65 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu *

Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu *

Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu * , Sanidhya Kashyap * , Jungyeon Yoon, Wen Xu, Taesoo Kim * On the job market Demonstration Fuzzing F2FS in Linux v5.0-rc7 for crash consistency

943 views • 75 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 .

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 .

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 . Leblond (OISF) Suricata and XDP Nov. 29, 2018 1 / 43 Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet

786 views • 59 slides
Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing

Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing

Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing antti.levomaki@forcepoint.com opi@forcepoint.com WHO? ANTTI LEVOMKI OLLI-PEKKA NIEMI Research Scientist Director of Research WHAT? NETWORK EVASIONS +

463 views • 18 slides
Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and

Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and

Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and Windows Servers About the presentation Whoami Introduction 0days and the rush for public vulnerabilities And Advanced fuzzing techniques

432 views • 31 slides
HotFuzz Discovering Algorithmic Denial-of-Service Vulnerabilities through Guided Micro-Fuzzing

HotFuzz Discovering Algorithmic Denial-of-Service Vulnerabilities through Guided Micro-Fuzzing

HotFuzz Discovering Algorithmic Denial-of-Service Vulnerabilities through Guided Micro-Fuzzing William Blair Andrea Mambretti Sajjad Arshad Michael Weissbacher Boston University Northeastern University Northeastern University Northeastern

172 views • 14 slides
BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski

BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski

Bro Befriends Suricata 23/09/16 20 : 23 BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski @michalpurzynski / Scripts are here - https://github.com/michalpurzynski

894 views • 47 slides
Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee Insik Shin Korea Advanced Institute of Science and Technology Seoul National University Purdue

3.64k views • 23 slides
HIGH-DEF FUZZING EXPLORING VULNERABILITIES IN HDMI-CEC name = &quot;Joshua Smith&quot; job =

HIGH-DEF FUZZING EXPLORING VULNERABILITIES IN HDMI-CEC name = &quot;Joshua Smith&quot; job =

HIGH-DEF FUZZING EXPLORING VULNERABILITIES IN HDMI-CEC name = &quot;Joshua Smith&quot; job = &quot;Senior Security Researcher&quot; job += &quot;HP Zero Day Initiative&quot; irc = &quot;kernelsmith&quot; twit = &quot;@kernelsmith&quot;

577 views • 54 slides
QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang and Taesoo Kim, FINDING SECURITY BUGS Fuzzing Automated test to monitor exceptions (crashes &amp; memory leaks)

417 views • 17 slides
Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng Xu (Georgia Tech) Finding Race Conditions in Kernels 1 July 16, 2020 The game of attack and defense Bug fi nding Exploitation Pro fi t Meng Xu

2.82k views • 173 slides
Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel

Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel

Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel Busch , Kalle Dirsch 2020-02-23 Friedrich-Alexander-University Erlangen-Nrnberg, Germany BAR20 BAR20 Motivation How secure are

352 views • 16 slides
The S2E Platform Finding vulnerabilities in Linux and Windows programs Vitaly Chipounov

The S2E Platform Finding vulnerabilities in Linux and Windows programs Vitaly Chipounov

The S2E Platform Finding vulnerabilities in Linux and Windows programs Vitaly Chipounov https://s2e.systems Ready-for-use docker image, demos, tutorials, source code, documentation Vitaly Chipounov Ph.D. in 2014 at EPFL, Switzerland

827 views • 57 slides
Fuzzing remote interfaces for system services in Android Alexandru Blanda Information Security

Fuzzing remote interfaces for system services in Android Alexandru Blanda Information Security

Fuzzing remote interfaces for system services in Android Alexandru Blanda Information Security Engineer 1 Agenda Context Fuzzing tool implementation Results and vulnerabilities 2 Context Intro to System Services System services

446 views • 31 slides
through Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee

through Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee

Razzer: Finding Kernel Race Bugs through Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee Insik Shin Korea Advanced Institute of Science and Technology Seoul National University Purdue

1.17k views • 47 slides
What is fuzzing? A kind of random testing Goal : make sure certain bad things dont

What is fuzzing? A kind of random testing Goal : make sure certain bad things dont

What is fuzzing? A kind of random testing Goal : make sure certain bad things dont happen, no matter what ! Crashes, thrown exceptions, non-termination ! All of these things can be the foundation of security vulnerabilities

1.57k views • 14 slides
Structure-aware fuzzing for real-world projects Rka Kovcs Etvs Lornd University,

Structure-aware fuzzing for real-world projects Rka Kovcs Etvs Lornd University,

Structure-aware fuzzing for real-world projects Rka Kovcs Etvs Lornd University, Hungary rekanikolett@gmail.com 1 Overview tutorial, no groundbreaking discoveries Motivation growing code size -&gt; growing number of bugs

387 views • 27 slides
S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps David Sounthiraraj Justin Sahs Garret Greenwood Zhiqiang Lin Latifur Khan University of Texas at Dallas February 26, 2014

671 views • 40 slides
Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference Valentin Mans 1 , Soomin Kim 2

Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference Valentin Mans 1 , Soomin Kim 2

Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference Valentin Mans 1 , Soomin Kim 2 , Sang Kil Cha 2 1 CSRC, KAIST 2 KAIST The Success of Grey-box Fuzzing OSS-Fuzz has found over 20,000 bugs in 300 open source projects.

458 views • 24 slides

More recommend