Introduction to Fuzzing with AFL

Transcript

1. Introduction to fuzzing with AFL

2. Ayush Priya VIT, Vellore @ayushpriya10 https://ayushpriya.com https://www.linkedin.com/in/ayushpriya10

3. What am I learning? • What is fuzzing and fuzzers?

   • What is AFL? • How to use AFL?

4. Why am I learning this? • Discover undiscovered bugs •

   Build a robust approach to development • (Maybe make some money)

5. What is Fuzzing? • A form of testing • Random

   invalid input • Behaviour analysis

6. "You can find bugs in your sleep." - Craig Young

7. Why fuzz at all? • Unique test cases • Eliminates

   methodology bias • Metrics - Code Coverage, Path Coverage

8. Types of fuzzers • Mutational • Grammar • Feedback-based

9. Introduction to AFL • Open-source • Smart fuzzer: PoC -

   “Hello JPG”

10. Prerequisites • GCC, CLang • GDB, Exploitable • Screen •

    Libtool-bin, automake, bison, libglib2.0-dev, qemu

11. Installation • Install AFL • Enable LLVM mode • Enable

    QEMU mode

12. AFL Workflow • Compiling the binary with AFL’s compilers •

    Building a Test Corpus • Running AFL on the target binary • Analyse findings

13. Compiling with AFL $ export CC=afl-clang-fast $ export AFL_HARDEN=1 $

    export AFL_INST_RATIO=100 $ ./configure $ make

14. Building Test Corpus • Supplying test case(s) $ cp /bin/ps

    afl_in/

15. Fuzzing with source • Build binary from source AFL •

    Add test cases to afl_in • Fuzz! $ afl-fuzz -i in/ -o out/ -- ./bin @@

16. Parallel Fuzzing • One core per fuzzer • Check free

    cores $ afl-fuzz -i in -o out -M f1 -- ./bin @@ $ afl-fuzz -i in -o out -S f2 -- ./bin @@

17. Output Structure • One folder per fuzzer • /crashes, /hangs,

    /queue

18. Analysing AFL Screen

19. Hands-on • Clone fuzzgoat • Compile with AFL • Fuzz

    in parallel • Check status

20. GDB and Exploitable • Open binary with GDB • Choose

    a crash case • Run test case • Classify with Exploitable

21. Optimising Fuzzing • Execution Speed, Fail Fast • Isolate test

    code • Minimise test cases • Minimise test files

22. Fuzzing a binary without source • Linux binaries • AFL’s

    QEMU Mode

23. Limitations of AFL • Supports file/STDIN input • Supports selective

    binaries • Supports selective OSs

24. Thanks!