
Codemotion2_VU_SZ.pdf

Codemotion
November 12, 2019

Transcript

  1. Fuzz-testing: A hacker's approach to making your code more secure

    Pascal Zenker @parzel2 <[email protected]>
    Vincent Ulitzsch @vinulium <[email protected]>
    Berlin | November 12 - 13, 2019
  2. Who are we?

    Vincent Ulitzsch / @vinulium / [email protected]
    ▪ Researcher at Security Research Labs (srlabs.de)
    ▪ Found multiple vulnerabilities in OSS with fuzzing
    ▪ Presented about fuzz-testing at Blackhat USA
    ▪ Degree in Computer Science from TU Berlin

    Pascal Zenker / @parzel2 / [email protected]
    ▪ Independent Security Researcher
    ▪ Member of Synack Red Team
    ▪ Offensive Security Certified Professional
    ▪ Degree in Computer Science from RWTH Aachen
  3. You should fuzz-test your programs to tame complexity and identify vulnerabilities and bugs early in the development process

    Without fuzzing
    ▪ Software is too complex to manually ensure that it is bug-free
    ▪ As a defender/programmer, you need to fix every mistake. Attackers only need one bug.
    ▪ Developers can easily find bugs that affect the build process and the functionality of the software, but corner cases remain undetected.
    ▪ Code size increases, but manual work does not scale

    With fuzzing
    ▪ Fuzz testing fights complexity with computational brute force.
    ▪ Attackers use fuzzers. We, as defenders, should as well.
    ▪ Fuzzing's randomness detects corner cases.
    ▪ By integrating fuzz-testing into your software development lifecycle and continuously fuzzing your software, you can detect bugs early in the development process.
  4. Fuzz-testing can be used to identify high severity vulnerabilities

    ▪ Researchers from Google leveraged fuzz-testing to find security vulnerabilities in iMessage
    ▪ Fuzzing was used to identify vulnerabilities in libstagefright
  5. Fuzz testing can be used to identify vulnerabilities in applications

    We show you how fuzz testing can be used to identify vulnerabilities in:

    Web applications
    ▪ Vulnerabilities: XSS, SQLi, Command Injection, …
    ▪ Tools: ffuf, Burp Suite, custom fuzzers

    Binary applications
    ▪ Vulnerabilities: Memory corruptions, Denial of Service
    ▪ Often found through coverage guided fuzzing
    ▪ Tools: AFL, libfuzzer, go-fuzz, honggfuzz
  6. Fuzz-testing is a technique to identify vulnerabilities via mutating valid program input

    ▪ Seed the fuzzing engine with valid program input
    ▪ The fuzzing engine takes some program input, mutates it, and runs it against the target
    ▪ The fuzzing engine observes behavior and saves interesting testcases, e.g., crashing inputs
    (Diagram: Seeds → Fuzzing engine: mutate + run input → Target → Observe behaviour → Interesting cases)
  7. Coverage guided fuzzing mutates seeds and adds them to a corpus if they yield new code coverage

    ▪ Seed the fuzzing engine with valid program input
    ▪ The fuzzing engine takes some program input, mutates it, and runs it against the target
    ▪ The fuzzing engine observes behavior and saves interesting testcases, e.g., crashing inputs
    ▪ Add inputs that yield new coverage to the input queue
    (Diagram: Seeds → Fuzzing engine: mutate + run input → Target → Observe behaviour → Interesting cases; inputs with new coverage → back into Seeds)
  8. By adding inputs that yield new coverage to the seed collection, coverage guided fuzzing can detect bugs not detected by usual fuzzers

    Target (the crash is only reached once all four checks pass):
        void parse_input(char *input){
            if (input[0]=='F'){
                if(input[1]=='U'){
                    if(input[2]=='Z'){
                        if(input[3]=='Z'){
                            //CRASH here
                        }
                    }
                }
            }
        }
    Seed queue: Input: F
    (Diagram: Seeds → Fuzzing engine: mutate + run input → Target → Observe behaviour → Interesting cases; New coverage → Seed queue)

  9. By adding inputs that yield new coverage to the seed collection, coverage guided fuzzing can detect bugs not detected by usual fuzzers

    Same target as slide 8.
    Seed queue: Input: F, Input: FU

  10. By adding inputs that yield new coverage to the seed collection, coverage guided fuzzing can detect bugs not detected by usual fuzzers

    Same target as slide 8.
    Seed queue: Input: F, Input: FU, Input: FUZ

  11. By adding inputs that yield new coverage to the seed collection, coverage guided fuzzing can detect bugs not detected by usual fuzzers

    Same target as slide 8.
    Seed queue: Input: F, Input: FU, Input: FUZ, Input: FUZZ (reaches the crash)
  12. A typical binary fuzzing run can be divided into five steps: Target selection, building, seed selection, fuzzing, triaging

    Fuzzing consists of five steps

    1 Select target functions / Write harness
    ▪ Select functions that parse complex input
    ▪ Write functions that take fuzzer data and pass it to the function under test

    2 Build with instrumentation
    ▪ Prepare the target so that we can easily measure coverage.
    ▪ Usually done at compile time: Compiler options often come with the fuzzer

    3 Select seeds
    ▪ Fuzzing needs a set of seeds to start: Seeds should be valid input to the program
    ▪ Seeds should be small and diverse

    4 Fuzz/Stress test!
    ▪ C/C++: afl-fuzz, libfuzzer, honggfuzz
    ▪ Go: go-fuzz
    ▪ Rust: honggfuzz-rs
    ▪ [...]

    5 Triage crashes!
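The coverage guided loop of slides 8 to 11 and the five steps of slide 12, as an added example that is not the speakers' code or the demo repository's: a Python port of the slide's parse_input target (four nested checks in front of the crash), a harness, coverage measured with Python's sys.settrace hook in place of compile-time instrumentation, a havoc-style mutator, the seed queue, and a triage helper. Everything here (the Python form of parse_input, harness, run_with_coverage, mutate, fuzz, FuzzResult, triage, and the seed b"A") is constructed for the illustration.

```python
import random
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Python port of the slide's C target (constructed for this example): the crash sits
# behind four nested byte comparisons, so a mutator that cannot keep partial
# progress has to guess all four bytes in one mutation.
def parse_input(data: bytes) -> None:
    if data[0:1] == b"F":
        if data[1:2] == b"U":
            if data[2:3] == b"Z":
                if data[3:4] == b"Z":
                    raise RuntimeError("CRASH here")  # stands in for the memory bug

def harness(data: bytes) -> None:
    """Step 2 (write harness): take fuzzer data and pass it to the function under test."""
    parse_input(data)

def run_with_coverage(data: bytes) -> Tuple[Set[int], bool]:
    """Step 3 stand-in: Python's tracing hook records which source lines of parse_input
    executed. Returns (covered lines, crashed?); any uncaught exception is a crash."""
    covered: Set[int] = set()
    code_under_test = parse_input.__code__

    def tracer(frame, event, arg):
        if event == "call":  # only follow frames of the function under test
            return tracer if frame.f_code is code_under_test else None
        if event == "line":
            covered.add(frame.f_lineno)
        return tracer

    crashed = False
    sys.settrace(tracer)
    try:
        harness(data)
    except Exception:
        crashed = True
    finally:
        sys.settrace(None)
    return covered, crashed

def mutate(parent: bytes, rng: random.Random) -> bytes:
    """One havoc-style mutation: bit flip, byte replace, byte insert or byte delete."""
    buf = bytearray(parent)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)

@dataclass
class FuzzResult:
    crash_input: Optional[bytes]
    iterations: int
    corpus: List[bytes] = field(default_factory=list)

def fuzz(seeds: List[bytes], max_iters: int = 300_000, coverage_guided: bool = True,
         rng_seed: int = 1) -> FuzzResult:
    """Steps 4 and 5: start from the seed queue, mutate, run, and (when coverage guided)
    keep every child that executes a line no earlier input reached."""
    rng = random.Random(rng_seed)  # fixed seed: reproducible runs
    corpus = list(seeds)
    seen: Set[int] = set()
    for s in corpus:
        cov, crashed = run_with_coverage(s)
        if crashed:
            return FuzzResult(s, 0, corpus)
        seen |= cov
    for i in range(1, max_iters + 1):
        # favour the newest queue entry (as AFL does) so partial progress compounds
        parent = corpus[-1] if rng.random() < 0.5 else rng.choice(corpus)
        child = mutate(parent, rng)
        cov, crashed = run_with_coverage(child)
        if crashed:
            return FuzzResult(child, i, corpus)
        if coverage_guided and not cov <= seen:  # new coverage: add to the seed queue
            seen |= cov
            corpus.append(child)
    return FuzzResult(None, max_iters, corpus)

def triage(crash_input: bytes) -> str:
    """Step 5 (triage): re-run a crash outside the fuzzer and report the exception type
    and the line it was raised on; fuzzers deduplicate crashes by keys like this."""
    try:
        harness(crash_input)
    except Exception as exc:
        tb = exc.__traceback__
        while tb.tb_next:
            tb = tb.tb_next
        return f"{type(exc).__name__} at {tb.tb_frame.f_code.co_name}:{tb.tb_lineno}"
    return "no crash"

if __name__ == "__main__":
    guided = fuzz([b"A"])
    print("guided:", guided.crash_input, "after", guided.iterations, "runs; queue:", guided.corpus)
    blind = fuzz([b"A"], max_iters=50_000, coverage_guided=False)
    print("blind:", blind.crash_input, "| triage of guided crash:", triage(guided.crash_input or b""))
```

Running it shows the queue growing through an F, FU and FUZ prefix before the crashing FUZZ input appears, while the blind run with the same seed and budget keeps nothing, and a single-byte mutation of "A" can never reach the crash. That is the point slides 8 to 11 make.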
  13. Fuzz-testing can be used to stress-test web applications and identify various vulnerabilities, e.g. SQL injections, XSS, SSRF, SSTI

    (Diagram: Seeds → Fuzzing engine: run input → Target → Observe response: identify anomalies → Interesting cases)
    Anomalies to look for: XSS, SQLi, SSTI; a different location, the response time, an evaluated expression
  14. Web application fuzzing consists of four steps: Select a target endpoint, select an appropriate input structure, fuzz, and triage

    Fuzzing consists of four steps

    1 Select target endpoint
    ▪ Select parameters that interact with the website, e.g. a reflected value or database interaction

    2 Select appropriate input structure
    ▪ Fuzzing needs input that can produce anomalies
    ▪ A simple approach is to use a wordlist with a lot of inputs to stress our filters
    ▪ More complex services or parsers can be fuzzed with e.g. grammar-based approaches

    3 Fuzz/Stress test!
    ▪ ffuf
    ▪ Burp Suite
    ▪ Custom fuzzer with Selenium using Firefox / Chrome headless
    ▪ [...]

    4 Triage anomalies
    ▪ Identify if anomalies are vulnerabilities, e.g., XSS
    ▪ Identify and fix the root cause of those vulnerabilities
  15. XSS is the reflected insertion of malicious Javascript

    Source:
        <?php
        $search_term = $_GET["search"];
        echo "<html>";
        echo "<h1>Search Results</h1>";
        echo "Displaying results for " . $search_term;
        echo "</html>";
        ?>

    Input: ?search=test
    Result: </h1>Displaying results for test</html>

    Input: ?search=<script>alert("XSS")</script>
    Result: </h1>Displaying results for <script>alert("XSS")</script></html>
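Slides 13 to 15 together, as an added example that is not the speakers' or the demo repository's code: a Python stand-in for the slide's PHP search page (search_vulnerable, next to an output-encoded search_fixed), a small constructed wordlist, and the fuzz loop that sends every entry to the parameter and flags the anomaly classes named on the slides (unencoded reflection, verbatim reflection of a tag, a status change, an evaluated template expression). The canary-wrapped probe reports which special characters come back raw, which is how a fuzzer learns about an XSS sink without guessing a working payload. The names CANARY, reflection_probe, unencoded_chars, find_anomalies and via_endpoint are assumptions for the illustration; against a real endpoint only via_endpoint changes, to issue HTTP requests and return status and body.

```python
import html
from typing import Callable, Dict, List, Tuple

Endpoint = Callable[[Dict[str, str]], Tuple[int, str]]  # query params -> (status, body)

# Python equivalent of the slide's PHP search page (constructed): the search term is
# concatenated into the HTML response unescaped.
def search_vulnerable(params: Dict[str, str]) -> Tuple[int, str]:
    term = params.get("search", "")
    return 200, "<html><h1>Search Results</h1>Displaying results for " + term + "</html>"

# The root-cause fix from the triage step: encode the value for the HTML context.
def search_fixed(params: Dict[str, str]) -> Tuple[int, str]:
    term = html.escape(params.get("search", ""), quote=True)
    return 200, "<html><h1>Search Results</h1>Displaying results for " + term + "</html>"

SPECIAL = '<>"\''
CANARY = "qz7k"  # unlikely to occur on the page, so the reflection can be located

def reflection_probe() -> str:
    """Canary-wrapped special characters: those that come back unencoded show what
    an attacker could inject at this sink (tags, attribute breakouts)."""
    return CANARY + SPECIAL + CANARY

def unencoded_chars(body: str) -> str:
    """Locate the reflected probe between the two canaries and return the special
    characters that survived without encoding ('' if not reflected or fully encoded)."""
    start = body.find(CANARY)
    end = body.find(CANARY, start + len(CANARY)) if start >= 0 else -1
    if end < 0:
        return ""
    reflected = body[start + len(CANARY):end]
    return "".join(c for c in SPECIAL if c in reflected)

# Step 2 (input structure): a small constructed wordlist; real runs use ffuf/Burp lists.
WORDLIST = ["test", reflection_probe(), '<script>alert("XSS")</script>', "{{7*7}}"]

def find_anomalies(send: Callable[[str], Tuple[int, str]],
                   wordlist: List[str] = WORDLIST) -> List[Tuple[str, str]]:
    """Steps 3 and 4: send every wordlist entry to the parameter and compare the
    response with a benign baseline, flagging the anomaly classes from the slides."""
    base_status, _ = send("test")
    findings: List[Tuple[str, str]] = []
    for payload in wordlist:
        status, body = send(payload)
        if status != base_status:  # "different location" (redirect) or server error
            findings.append((payload, f"status changed to {status}"))
        if CANARY in payload:
            raw = unencoded_chars(body)
            if raw:
                findings.append((payload, f"reflected without encoding: {raw}"))
        elif payload in body and html.escape(payload, quote=True) != payload:
            findings.append((payload, "payload reflected verbatim"))  # XSS candidate
        if payload == "{{7*7}}" and "49" in body:  # "evaluated expression" (SSTI)
            findings.append((payload, "template expression evaluated"))
    return findings

def via_endpoint(endpoint: Endpoint, param: str = "search") -> Callable[[str], Tuple[int, str]]:
    """Adapter for the in-process endpoint: one fuzzed parameter, everything else fixed."""
    return lambda value: endpoint({param: value})

if __name__ == "__main__":
    for name, endpoint in (("vulnerable", search_vulnerable), ("fixed", search_fixed)):
        print(name, find_anomalies(via_endpoint(endpoint)))
```

The vulnerable page yields two findings (all four probe characters reflected raw, and the slide's script tag reflected verbatim); the encoded version yields none, which is the check a triager uses to confirm the fix.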
  16. The fully automated nature of fuzz-testing can be leveraged to integrate fuzz-testing into continuous integration as an addition to classical software testing

    a Run software tests & fuzzing after each code change
    b Fuzzing and software testing complement each other: Add unit tests for bugs found by fuzzing
    c Fix bugs found by software testing and fuzzing. Reiterate the process
    (Diagram: Code → Build → Software testing / Fuzz testing → Release)
  17. A dedicated fuzzing server can easily be integrated into your continuous integration setup

    a Code should be pulled and fuzzed from the code repository on a regular basis
    b Run the seed corpus and old crashes against the current version to prevent regressions
    c The fuzzing setup stores the seed corpus and the old crashes found
    (Diagram: Software repository → Dedicated fuzzing server ↔ Old fuzzer outputs: Seeds, Crashes)
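The regression loop of slides 16 and 17 (store seeds and crashes, replay them against the current version on every change), as an added Python example that is not the speakers' or the demo repository's code. The two target versions (parse_input_v1 with the slide's crash, parse_input_v2 after a fix), the seeds/ and crashes/ directory layout, and the names store_artifacts, replay, ci_gate and run_demo are assumptions for the illustration.

```python
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

# Two versions of the slide's target, ported to Python (constructed): v1 still has
# the crash the fuzzer found, v2 is the version a developer ships after fixing it.
def parse_input_v1(data: bytes) -> None:
    if data[:4] == b"FUZZ":
        raise RuntimeError("CRASH here")

def parse_input_v2(data: bytes) -> None:
    return None  # fixed: "FUZZ" is handled without crashing

def store_artifacts(root: Path, seeds: List[bytes], crashes: List[bytes]) -> None:
    """(c) The fuzzing setup stores the seed corpus and the crashes it found, one file
    per input, so later runs start from them instead of from scratch."""
    for sub, items in (("seeds", seeds), ("crashes", crashes)):
        directory = root / sub
        directory.mkdir(parents=True, exist_ok=True)
        for i, data in enumerate(items):
            (directory / f"{sub}_{i:04d}").write_bytes(data)

def replay(root: Path, target: Callable[[bytes], None]) -> Dict[str, List[str]]:
    """(b) Run stored seeds and old crashes against the current version. Returns the
    file names that still crash, per directory: an entry under 'crashes' means a fixed
    bug regressed (or was never fixed); one under 'seeds' means valid input now crashes."""
    result: Dict[str, List[str]] = {"seeds": [], "crashes": []}
    for sub in result:
        for path in sorted((root / sub).glob("*")):
            try:
                target(path.read_bytes())
            except Exception:  # any uncaught exception counts as a crash
                result[sub].append(path.name)
    return result

def ci_gate(root: Path, target: Callable[[bytes], None]) -> bool:
    """The check the CI job enforces: no stored input may crash the current build."""
    r = replay(root, target)
    return not (r["seeds"] or r["crashes"])

def run_demo() -> Dict[str, object]:
    """Populate a temporary artifact store and gate both versions against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        store_artifacts(root, seeds=[b"A", b"FU"], crashes=[b"FUZZ"])
        return {
            "v1": replay(root, parse_input_v1),
            "v1_gate": ci_gate(root, parse_input_v1),
            "v2_gate": ci_gate(root, parse_input_v2),
        }

if __name__ == "__main__":
    print(run_demo())
```

In a real setup the artifact store lives on the dedicated fuzzing server, the replay runs before the long fuzzing session, and every new crash the session finds is added under crashes/ so it is checked on the next change.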
  18. Key Takeaways

    1 Integrate fuzz-testing into your software development lifecycle to detect bugs early in the development process
    2 Fuzz-testing can fight software complexity with computational power
    3 Fuzzing is easy: Start small and improve!

    Thank you for your attention!
    @vinulium / [email protected]
    @parzel2 / [email protected]
    https://github.com/parzel/codemotion-fuzzing-demo