make ios app more robust and security through fuzzing
play

Make iOS App more Robust and Security through Fuzzing Wei Wang - PowerPoint PPT Presentation

Dec 22, 2023 •272 likes •703 views

Make iOS App more Robust and Security through Fuzzing Wei Wang & Zhaowei Wang 2016-10-14 About us ID: Proteas, Shrek_wzw Working at: Qihoo 360 Nirvan Team Focused on: iOS and OS X Security Research Twitter: @ProteasWang,

  1. Make iOS App more Robust and Security through Fuzzing Wei Wang & Zhaowei Wang 2016-10-14

  2. About us • ID: Proteas, Shrek_wzw • Working at: Qihoo 360 Nirvan Team • Focused on: iOS and OS X Security Research • Twitter: @ProteasWang, @Shrek_wzw

  3. Agenda • Status of iOS App Security Development Lifecycle • Why Using AFL to Fuzz App during Development • Port AFL to iOS • Characteristics and Attacking Surfaces of iOS App • Fuzz iOS App • Fuzz 3rd Party Libraries

  4. Status of iOS App Security Development Lifecycle • There are about 2 million Apps on Apple AppStore as of June 2016 • Most developed by individual developers or small companies • For most of those developers or companies, there is no security engineer to protect the Apps • So the SDL may be like this:

  5. Status of iOS App Security Development Lifecycle

  6. Status of iOS App Security Development Lifecycle • For companies with iOS security engineers • Developers submit the App to security engineers first • Security engineers assess the App using the blackbox way • After security assessment, the App is submitted to iTunes Connect

  7. Status of iOS App Security Development Lifecycle

  8. Why Using AFL to Fuzz App during Development • Bugs should be found as earlier as possible • We have the source code of our App, this is import for using AFL • AFL is easy to config and easy to use • Can be integrated with CI(Continuous Integration) • When run unit tests with CI, should also run AFL fuzzing

  9. Why Using AFL to Fuzz App during Development • SDL with AFL

  10. Port AFL to iOS - Port Codes • Change the API used to create shared memory: shmget() —> shm_open() • All other changes are for this • Get the code from my repo: https://github.com/Proteas/afl/tree/ios-afl-clang-fast • This method is also compatible with AFL 2.35b(currently latest version)

  11. Port AFL to iOS - Build Clang • Before building AFL, should first build clang • Get code from: http://opensource.apple.com/ • Using Apple’s clang is for compatibility when building Xcode projects • After building clang, add the result bin dir to PATH • export PATH=“${CLANG_DIST_DIR}/bin:${PATH}”

  12. Port AFL to iOS - Build AFL • Set Env param: export AFL_NO_X86=1 • Cross-compile targets: • afl-fuzz, afl-showmap, afl-tmin, afl-gotcpu, afl-analyze • ./llvm_mode/afl-llvm-rt.o • Native compile: afl-clang-fast • Use lipo to merge the build results, then can fuzz macOS and iOS App using the same toolchain

  13. Port AFL to iOS - Tips and Tricks • Currently AFL-iOS can only fuzz arm64 binary • Because AFL using C++11’s thread local storage, the App deployment target should be >= 9.0 • Because of Jetsam, should limit the memory usage • ./afl-fuzz -i ${TEST_CASES} -o ${RESULT_DIR} -m 80M ${TARGET_APP} @@

  14. Port AFL to iOS

  15. Characteristics and Attacking Surfaces of iOS App • Most of the Apps only communicate with their own server • Requires HTTPS connections for iOS Apps by the end of this year • The remote attacking surface is narrow relatively after using HTTPS • If there are certificate validation vulnerabilities or config mistakes in iOS App • Traditional remote attacking surfaces will be back

  16. Characteristics and Attacking Surfaces of iOS App • Most of the communication protocol of iOS App based on: JSON • XML • Protocol Buffers • • If can be hijacked, the type-confusion is a kind of issue • We should validate the input data immediately after receiving it: JSON Schema • XML Schema • • Not allow any malformed data come into our App

  17. Characteristics and Attacking Surfaces of iOS App • If there are no certificate validation issues • We should pay more attention to this kind of Apps: • Apps like: iMessage, Twitter, Facebook, Dropbox, etc • Different Apps have different attack surfaces depends on how it processing the user generated data

  18. Characteristics and Attacking Surfaces of iOS App • There are lots of iOS libraries on Github • Writing iOS App is more and more like “stacking wood” • Search “ios” on Github(1476435790):

  19. Characteristics and Attacking Surfaces of iOS App • Sharing is great • There are so many codes on Github • Some are shared by companies with fully testing or security assessment • Some are written by individual developers • Some are just demos • We should do something to make the code more security • Using AFL is a practical choice

  20. Characteristics and Attacking Surfaces of iOS App • What libraries are more suitable for fuzzing with AFL ? Parsers: JSON Parser, XML Parser, DSLs Parser • Video & Audio Encoder and Decoder • Image Encoder and Decoder • Archive related libraries • … •

  21. Fuzz iOS App • Introduce practical steps about how to fuzz our own codes • We will use an open source app to demonstrate all the process • The key point here is: the target function to be fuzzed is coupled seriously • So the target function can’t be fuzzed on macOS • We need to do fuzzing on iDevice

  22. Fuzz iOS App • The demo App: https://github.com/songfei/ArchiveALL • Function of ArchiveALL is unarchiving rar, lzma, zip on iOS • Function code is seriously coupled with the demo app • It is not easy to extract the specific function(for example: unrar)

  23. Fuzz iOS App • clone the repository, and create a new branch: AFL-Fuzz • check out the newly created branch • copy main.m to main-normal.m • create file: main-afl.m • add following contents to main-afl.m :

  24. Fuzz iOS App main-afl.m #import "SFArchiveFileItem.h" int DoFuzzing(int argc, char * argv[]) { #import "SF7zArchive.h" if (argc != 3) { NSLog(@"Usage: ./ArchiveAll 0|1|2 ./test.zip"); #import "SFRarArchive.h" return -1; } #import "SFZipArchive.h" NSFileManager *fileManager = [NSFileManager defaultManager]; NSString *inputFileName = [NSString stringWithUTF8String:argv[2]]; if (![fileManager fileExistsAtPath:inputFileName]) { int DoFuzzing(int argc, char * argv[]); NSLog(@"%s: file not exist", __FUNCTION__); return -1; int FuzzArchive(SFBaseArchive *archive); } int FuzzUnzip(NSString *fileName); // Fuzz Type int type = 0; int FuzzUnrar(NSString *fileName); NSString *inputType = [NSString stringWithUTF8String:argv[1]]; int FuzzUn7z(NSString *fileName); type = (int)[inputType integerValue]; if (type == 0) { return FuzzUnzip(inputFileName); int main(int argc, char * argv[]) } else if (type == 1) { { return FuzzUnrar(inputFileName); } @autoreleasepool { else if (type == 2) { return FuzzUn7z(inputFileName); return DoFuzzing(argc, argv); } else { } NSLog(@"error fuzz type"); return -1; } } }

  25. Fuzz iOS App • Edit main.m : #ifdef AFL_FUZZ #include "./main-afl.m" #else #include "./main-normal.m" #endif • Key point of above code is using macro to control the entry of the App

  26. Fuzz iOS App • Create afl-ios.xcconfig to config build params for AFL building ONLY_ACTIVE_ARCH = NO ARCHS = arm64 VALID_ARCHS = arm64 ENABLE_BITCODE = NO OTHER_CFLAGS = "-DAFL_FUZZ=1" OTHER_CPLUSPLUSFLAGS = "-DAFL_FUZZ=1" OTHER_LDFLAGS = $(PATH_TO_AFL_DIST)/afl/afl-llvm-rt.o

  27. Fuzz iOS App • Build AFL_ROOT_DIR="TODO" export AFL_PATH="${AFL_ROOT_DIR}" export PATH="${AFL_ROOT_DIR}:${PATH}" rm -rf "./Build" xcodebuild \ CC="${AFL_ROOT_DIR}/afl-clang-fast" \ CXX="${AFL_ROOT_DIR}/afl-clang-fast++" \ -project "ArchiveALL.xcodeproj" \ -target "ArchiveALL" \ -xcconfig "./afl-ios.xcconfig" \ -configuration "Debug"

  28. Fuzz iOS App • Run it on iDevice • Fuzzing Unrar

  29. Fuzz iOS App • As the image shows: In less than 1 minute, we got a DoS • It can also DoS the App used this library. • QQ Browser v6.7.2.2345 • All the following fuzzers and fuzzing results can be downloaded from: • https://github.com/Proteas/fuzzers_based_on_afl

  30. Fuzz iOS App • QQ Browser v6.7.2.2345 • unrar DoS • CPU Usage: 99.4% • The GUI is freezing • Need to kill the app

  31. Fuzz 3rd Party Libraries • With the doc of AFL and the previous information • You can build your own fuzzers based on AFL • Although we can fuzz on iOS, we prefer to do fuzzing on OS X • The following will show some fuzzers and analysis some of the fuzzing results

  32. Fuzz 3rd Party Libraries • ZXingObjC - v3.1.0 • An Objective-C Port of ZXing • Out-of-Bounds Read • 140+ hangs(infinite loop)

  33. Fuzz 3rd Party Libraries • Unrar4iOS - 1.0.0 - 6c90561 • heap overflow: -[Unrar4iOS extractStream:] • heap overflow in C, but ObjC object may be overwritten • Unrar4iOS.mm // alloc buffer NSLog(@"buffer size: %lu", length); UInt8 *buffer = (UInt8 *)malloc(length * sizeof(UInt8)); …… // copy data to buffer NSLog(@"memcpy size: %ld", P2); memcpy(*buffer, (UInt8 *)P1, P2);

  34. Fuzz 3rd Party Libraries • opus codec • Audio Codecs • Versions flac-1.3.0 • libogg-1.3.2 • opus-1.1 • opus-tools-0.1.9 • • Analysis the fuzzing results, you will find: stack overflows, integer overflows, …

Recommend

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
What is fuzzing? A kind of random testing Goal : make sure certain bad things dont

What is fuzzing? A kind of random testing Goal : make sure certain bad things dont

What is fuzzing? A kind of random testing Goal : make sure certain bad things dont happen, no matter what ! Crashes, thrown exceptions, non-termination ! All of these things can be the foundation of security vulnerabilities

1.57k views • 14 slides
Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction Fuzzing Media Content in Android Data Generation Fuzzing the Stagefright Framework Logging & Triage Mechanisms 2 Introduction Fuzzing

1.12k views • 38 slides
Fuzzing and how to evaluate it Michael Hicks The University of Maryland UM Joint work with

Fuzzing and how to evaluate it Michael Hicks The University of Maryland UM Joint work with

Fuzzing and how to evaluate it Michael Hicks The University of Maryland UM Joint work with George Klees, Andrew Ruef, Benji Cooper, Shiyi Wei What is fuzzing? A kind of random testing Goal : make sure certain bad things dont happen,

1.25k views • 69 slides
Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering

Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering

Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering autom ated reverse engineering Erik Poll Erik Poll Radboud University Nijmegen Testing Ingredients T ti I di t Two things are needed to test

865 views • 53 slides
File format fuzzing in Android: Giving Stagefright to the Android installer Alexandru Blanda

File format fuzzing in Android: Giving Stagefright to the Android installer Alexandru Blanda

File format fuzzing in Android: Giving Stagefright to the Android installer Alexandru Blanda Intel OTC Security SQE Agenda File format fuzzing in Android Fuzzing the Stagefright media framework Fuzzing the Android application

614 views • 40 slides
CRASH AND PAY Cloning and Fuzzing the NFC world. PAYMENT SECURITY CONSULTING 1 WWW.PSCCO.COM.AU

CRASH AND PAY Cloning and Fuzzing the NFC world. PAYMENT SECURITY CONSULTING 1 WWW.PSCCO.COM.AU

CRASH AND PAY Cloning and Fuzzing the NFC world. PAYMENT SECURITY CONSULTING 1 WWW.PSCCO.COM.AU 15/09/2014 ABOUT ME Principle Consultant at Payment Security Consulting Banking, Payments, Certifications, breaking stuff; repairing

867 views • 52 slides
Fuzzing remote interfaces for system services in Android Alexandru Blanda Information Security

Fuzzing remote interfaces for system services in Android Alexandru Blanda Information Security

Fuzzing remote interfaces for system services in Android Alexandru Blanda Information Security Engineer 1 Agenda Context Fuzzing tool implementation Results and vulnerabilities 2 Context Intro to System Services System services

446 views • 31 slides
QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang and Taesoo Kim, FINDING SECURITY BUGS Fuzzing Automated test to monitor exceptions (crashes & memory leaks)

417 views • 17 slides
Fuzzing your GSM phone using OpenBSC and scapy Harald Welte gnumonks.org gpl-violations.org

Fuzzing your GSM phone using OpenBSC and scapy Harald Welte gnumonks.org gpl-violations.org

GSM/3G security Implementing GSM protocols Security analysis Summary Fuzzing your GSM phone using OpenBSC and scapy Harald Welte gnumonks.org gpl-violations.org OpenBSC airprobe.org hmw-consulting.de 26C3 conference, December 2009,

484 views • 31 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

650 views • 16 slides
Coverage-Guided Fuzzing Dynamic Static Smart Coverage Structure Algorithms Security

Coverage-Guided Fuzzing Dynamic Static Smart Coverage Structure Algorithms Security

Coverage-Guided Fuzzing Dynamic Static Smart Coverage Structure Algorithms Security Testing Andreas Zeller, Saarland University Our Goal We want to cause the program to fail We have seen random (unstructured) input

868 views • 69 slides
Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky 1 Juraj j Somorovsky vsky.

Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky 1 Juraj j Somorovsky vsky.

Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky 1 Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 1 Transport Layer Security The most important crypto protocol HTTP, SMTP,

467 views • 43 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Fuzzing, Reversing and Maths \x01/1 AGENDA \x02/2 \x03/3 WHO WE ARE Josep Pi Rodrguez

Fuzzing, Reversing and Maths \x01/1 AGENDA \x02/2 \x03/3 WHO WE ARE Josep Pi Rodrguez

Fuzzing, Reversing and Maths \x01/1 AGENDA \x02/2 \x03/3 WHO WE ARE Josep Pi Rodrguez a.k.a delorean Pedro Guilln Nez a.k.a. p3r1k0 Penetration tester and Security Penetration tester and Security researcher at Deloitte /

1.08k views • 86 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds

Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds

Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds of file formats are supported in Windows, Office, et al. Many written in C/C++ Programming errors security bugs! Random choice of x: one

493 views • 35 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&D firstname dot lastname at orange-ftgroup dot com research & development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security *

Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security *

Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some slides adapted from those by Trent Jaeger Our Goal Develop techniques to detect vulnerabilities automatically before they are exploited

1.17k views • 61 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
Lock, Stock And Two Smoking Apples - XNU Kernel Security Alex Plaskett (@alexjplaskett) / James

Lock, Stock And Two Smoking Apples - XNU Kernel Security Alex Plaskett (@alexjplaskett) / James

PUBLIC Lock, Stock And Two Smoking Apples - XNU Kernel Security Alex Plaskett (@alexjplaskett) / James Loureiro (@NerdKernel) PUBLIC Agenda System call fuzzing (OSXFuzz) Scaling up Code coverage IOKit and Mach fuzzing

1.04k views • 54 slides
Migration: Trying to make it more robust Red Hat Juan Quintela KVM Forum 2014 D usseldorf

Migration: Trying to make it more robust Red Hat Juan Quintela KVM Forum 2014 D usseldorf

Migration: Trying to make it more robust Red Hat Juan Quintela KVM Forum 2014 D usseldorf Abstract This talk shows what are the things we have done to improve migration to make it less fragile. 1 / 23 Agenda 1 What have we done? 2 What

391 views • 37 slides
Fuzzing the Solidity Compiler Bhargava Shastry @ibags Ethereum Foundation bshastry Fuzzcon

Fuzzing the Solidity Compiler Bhargava Shastry @ibags Ethereum Foundation bshastry Fuzzcon

Fuzzing the Solidity Compiler Bhargava Shastry @ibags Ethereum Foundation bshastry Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler 2 whoami Security engineer, Solidity team Semantic testing of Solidity compiler Find

441 views • 28 slides

More recommend