Transcript Fuzzable

Fuzzing And Oracles
By: Thomas Sidoti
Overview
• Introduction
• Motivation
• Fuzzable Exploits
• Oracles
• Implementation
• Fuzzing Results
Introduction
• Find relationships between Oracles and Exploits/Errors.
• What class of errors could a particular oracle hope to find?
Motivation
• Fuzzers:
– Generate Input
– Watch for errors
• Without good oracles, some errors will never be found.
Fuzzable Exploits
• Buffer Overflow
• Improper Validation of Array Index
• Integer Overflow
• Incorrect Calculation of Buffer Size
• From the CWE Top 25
Available Oracles
• Process Crash
• Output Monitoring
• Memory Monitoring
• Monitoring Services
• Program Flow Monitoring (PaiMei)
Fuzzable
• Created a program with optional exploits available.
• Flags
– b : Heap Buffer Overflow
– m : Calculated Memory Size Not Checked
– s : Stack Buffer Overflow (and small version)
– i : Integer Overflow (Multiplication)
– a : Calculated Array Index Not Checked (and small version)
File Format
10 - Number of Lines
30 - Chars per Line
1st Line
2nd Line
………………
Nth Line
9 - Get the xth Line
5 - The yth character from
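As an added example (not the Fuzzable program's own code, which is not on the slides), a C parser for the file format above that performs the checks the Fuzzable flags deliberately leave out: the size product is checked before allocation (flags m and i), over-long lines are truncated rather than overflowing their slot (b and s), and x and y are bounds-checked before use (a). Assumptions: x and y are 1-based, every field ends with '\n', and the SAMPLE input is constructed here.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample in the slide's format: 3 lines of 5 chars, then x=2, y=1. */
static const char SAMPLE[] = "3\n5\nhello\nworld\nfuzz!\n2\n1\n";

/* Read one decimal integer; fail on missing digits or an out-of-range value. */
static int read_long(const char **p, long *out) {
    char *end;
    errno = 0;
    *out = strtol(*p, &end, 10);
    if (end == *p || errno == ERANGE) return 0;
    *p = end;
    return 1;
}

/* Return the yth character of the xth line (1-based, assumed), or -1 if any
 * check fails. Each check corresponds to a bug one of the Fuzzable flags enables. */
int fuzzable_lookup(const char *text) {
    const char *p = text;
    long nlines, width, x, y;
    if (!read_long(&p, &nlines) || !read_long(&p, &width)) return -1;
    /* Flags m and i: sizes must be positive and their product must not wrap. */
    if (nlines <= 0 || width <= 0 || (size_t)nlines > SIZE_MAX / (size_t)width) return -1;
    char *buf = calloc((size_t)nlines, (size_t)width);
    if (!buf) return -1;
    /* Flags b and s: never write more than `width` bytes into a line's slot. */
    for (long i = 0; i < nlines; i++) {
        size_t n = 0;
        if (*p == '\n') p++;                 /* terminator of the previous field */
        for (; *p && *p != '\n'; p++, n++)
            if (n < (size_t)width) buf[(size_t)i * (size_t)width + n] = *p;
    }
    int result = -1;
    /* Flag a: validate both indices before they are used. */
    if (read_long(&p, &x) && read_long(&p, &y) &&
        x >= 1 && x <= nlines && y >= 1 && y <= width)
        result = (unsigned char)buf[(size_t)(x - 1) * (size_t)width + (size_t)(y - 1)];
    free(buf);
    return result;
}

int main(void) {
    printf("selected character: %c\n", fuzzable_lookup(SAMPLE));
    return 0;
}
```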
Analysis of Open Source Fuzzers
• Open Source Fuzzing Software is difficult to use.
– Evolution Fuzzing System did not appear to do anything.
– FileFuzz crashes when the program under test crashes.
– Modified FileP to make it usable.
• Most don’t include robust oracles.
– Peach Fuzzer is the exception.
Results: Oracle-less Fuzzers
• FileP, FileFuzz
– Random fuzzer based on a Sample File.
• Fuzzled
– Set of factories which makes it easy for a programmer to generate input.
• Detects Program Crashes
– All large errors
Results: Peach Fuzzer
• Oracles: Windows Debugger, Memory Monitor, Page Heap Debugging, etc.
• Page Heap debugging found small heap space address miscalculation.
• Memory Monitor found small excess in memory usage. (This flaw could also crash the program in Windows)
Conclusion
• A good portion of errors can be found even if only depending on program crash.
• Output monitoring may work well if tailored to your program.
• Using more advanced debugging techniques while debugging will reveal more subtle errors.
Thanks