Slide 1
Introduction to fuzzing with AFL
Slide 2
Ayush Priya, VIT Vellore
@ayushpriya10
https://ayushpriya.com
https://www.linkedin.com/in/ayushpriya10
Slide 3
What am I learning?
● What fuzzing and fuzzers are
● What AFL is
● How to use AFL
Slide 4
Why am I learning this?
● Discover bugs nobody has found yet
● Build a more robust approach to development
● (Maybe make some money)
Slide 5
What is Fuzzing?
● A form of automated testing
● Feeds the program random, malformed or unexpected input
● Analyses the resulting behaviour: crashes, hangs, assertion failures, memory errors
Slide 6
"You can find bugs in your sleep." - Craig Young
Slide 7
Why fuzz at all?
● Generates test cases a human would not think of
● Removes the tester's methodology bias
● Measurable progress: code coverage, path coverage
Slide 8
Types of fuzzers
● Mutational: mutate existing valid inputs (bit flips, arithmetic, splicing)
● Grammar-based: generate inputs from a description of the input format
● Feedback-based: use runtime feedback (typically code coverage) to decide which inputs are worth mutating further
Slide 9
Introduction to AFL
● Open-source, written by Michał Zalewski (lcamtuf)
● Smart fuzzer: coverage feedback guides the mutation, so it is not blind random input
● PoC "Hello JPG": starting from a seed file containing only the word "hello", AFL synthesised valid JPEG files on its own
Slide 10
Prerequisites
● GCC, Clang (Clang/LLVM is needed for LLVM mode, i.e. afl-clang-fast)
● GDB with the exploitable plugin (crash classification)
● screen (keep long-running fuzzers in a detachable session)
● libtool-bin, automake, bison, libglib2.0-dev, qemu (build dependencies for QEMU mode)
Slide 11
Installation
● Install AFL
● Enable LLVM mode (build the llvm_mode/ directory to get afl-clang-fast)
● Enable QEMU mode (qemu_mode/build_qemu_support.sh; needed for binaries without source)
Slide 12
AFL Workflow
● Compile the binary with AFL's compilers
● Build a test corpus
● Run AFL on the target binary
● Analyse the findings
Slide 13
Compiling with AFL
$ export CC=afl-clang-fast
$ export AFL_HARDEN=1
$ export AFL_INST_RATIO=100
$ ./configure
$ make
● CC=afl-clang-fast: the LLVM-mode wrapper inserts coverage instrumentation at compile time
● AFL_HARDEN=1: adds -fstack-protector-all and -D_FORTIFY_SOURCE=2, so memory corruption that would otherwise pass silently aborts
● AFL_INST_RATIO=100: instrument every basic block (100 is already the default; lower it only to trade coverage for speed)
Slide 14
Building Test Corpus
● Supply one or more seed test case(s) in the input directory
$ cp /bin/ps afl_in/
● Seeds should be small, valid inputs in the target's format: afl-fuzz rejects files over 1 MB and recommends staying under about 1 kB. Copying a binary works as a demonstration; a real seed set for a JSON parser would be a few tiny JSON documents.
Slide 15
Fuzzing with source
● Build the binary from source with AFL's compiler wrapper
● Add seed test cases to the input directory (afl_in above)
● Fuzz!
$ afl-fuzz -i in/ -o out/ -- ./bin @@
● @@ is replaced with the path of the current test case; without it, afl-fuzz feeds the input on stdin
Slide 16
Parallel Fuzzing
● One core per fuzzer instance
● Check free cores first (afl-gotcpu reports idle cores)
$ afl-fuzz -i in -o out -M f1 -- ./bin @@
$ afl-fuzz -i in -o out -S f2 -- ./bin @@
● -M starts the master, which runs the deterministic stages; -S starts secondaries that do random mutations only. All instances share the output directory and sync test cases through it.
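The build, seed and parallel-launch steps of slides 12 to 16 as one script. This is an added example, not code from the slides or from AFL; it assumes a JSON-parsing target such as fuzzgoat, afl-clang-fast, afl-fuzz and screen on PATH, and uses a hypothetical AFL_QEMU variable of its own to switch on QEMU mode (-Q) for binary-only targets. The three JSON seeds are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the slides: the build / seed / parallel-launch steps
# as shell functions. Assumed (not in the original): a JSON-parsing target such
# as fuzzgoat, afl-clang-fast, afl-fuzz and screen on PATH, and AFL_QEMU as a
# hypothetical switch of this script for binary-only targets.
set -e

# Step 1: build with AFL's LLVM-mode wrapper. AFL_HARDEN=1 adds
# -fstack-protector-all and -D_FORTIFY_SOURCE=2 so silent corruption aborts.
build_target() {   # usage: build_target <srcdir>
    (cd "$1" && CC=afl-clang-fast AFL_HARDEN=1 ./configure && make)
}

# Step 2: seed corpus. Small, valid inputs in the target's format; afl-fuzz
# rejects files over 1 MB and the docs recommend staying under about 1 kB.
# The three JSON documents are constructed sample seeds.
seed_corpus() {   # usage: seed_corpus <indir>
    mkdir -p "$1"
    printf '{"a":1}' > "$1/obj.json"
    printf '[1,2,3]' > "$1/arr.json"
    printf '"s"' > "$1/str.json"
}

# Reject a corpus containing any seed larger than <limit_bytes>.
check_corpus() {   # usage: check_corpus <indir> <limit_bytes>
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -gt "$2" ]; then
            echo "seed too large: $f ($size bytes)" >&2
            return 1
        fi
    done
}

# Step 3: one afl-fuzz command line per instance. Instance 1 is the master
# (-M: deterministic stages), the others are secondaries (-S: random mutations
# only); all share <outdir> and sync through it. -Q selects QEMU mode.
fuzz_cmd() {   # usage: fuzz_cmd <n> <indir> <outdir> <target>
    if [ "$1" -eq 1 ]; then role="-M f1"; else role="-S f$1"; fi
    if [ -n "${AFL_QEMU:-}" ]; then mode="-Q "; else mode=""; fi
    printf 'afl-fuzz %s-i %s -o %s %s -- %s @@\n' "$mode" "$2" "$3" "$role" "$4"
}

# Launch <n> instances, one per free core (check with afl-gotcpu first), each
# in a detached screen session so they keep running after logout.
launch_fuzzers() {   # usage: launch_fuzzers <n> <indir> <outdir> <target>
    i=1
    while [ "$i" -le "$1" ]; do
        screen -dmS "afl-$i" sh -c "$(fuzz_cmd "$i" "$2" "$3" "$4")"
        i=$((i + 1))
    done
}

# Typical run (not executed when the file is merely sourced):
#   build_target ./fuzzgoat && seed_corpus afl_in && check_corpus afl_in 1024
#   launch_fuzzers 4 afl_in afl_out ./fuzzgoat/fuzzgoat
```

Source the file and call the functions in order; fuzz_cmd prints the exact command line each screen session will run, so the -M/-S split can be checked before cores are committed. Reattach to an instance with screen -r afl-1 to read its status screen.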
Slide 17
Output Structure
● One folder per fuzzer instance under the output directory (a single instance writes straight into it)
● crashes/, hangs/, queue/ (queue holds every input that reached new coverage)
Slide 18
Analysing the AFL status screen
● Fields to watch: run time, last new path, last uniq crash, cycles done, total paths, uniq crashes, uniq hangs, exec speed, stability
Slide 19
Hands-on
● Clone fuzzgoat (a deliberately vulnerable C program written for trying out fuzzers)
● Compile with AFL
● Fuzz in parallel
● Check status
Slide 20
GDB and Exploitable
● Open the binary with GDB and source the exploitable plugin
● Choose a crash case from crashes/
● Run the test case and let it crash
● Classify with the exploitable command (EXPLOITABLE, PROBABLY_EXPLOITABLE, PROBABLY_NOT_EXPLOITABLE, UNKNOWN)
Slide 21
Optimising Fuzzing
● Execution speed: fail fast, keep slow set-up and I/O out of the fuzzed path
● Isolate the code under test in a small harness instead of fuzzing the whole program
● Minimise the test corpus (afl-cmin keeps only the inputs that add coverage)
● Minimise individual test files (afl-tmin shrinks a file while preserving its behaviour)
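Slides 17, 20 and 21 together describe the triage loop: find the crash files, reproduce them, classify with exploitable, shrink them. This is an added example, not from the slides or from AFL; it assumes the target takes the input path as its only argument (the @@ convention), that GDB and the exploitable plugin are installed with EXPLOITABLE_PY pointing at exploitable.py, and that afl-tmin is on PATH.

```shell
#!/bin/sh
# Added example, not from the slides: replay and bucket the crashes AFL saved,
# then hand a chosen case to GDB's exploitable plugin and shrink it with
# afl-tmin. Assumed (not in the original): the target takes its input file as
# its only argument (the @@ convention), GDB and exploitable are installed, and
# EXPLOITABLE_PY holds the path to exploitable.py.
set -e

# Run a command with a time limit where `timeout` exists (it returns 124 on a
# hang and 128+signal when the child dies from a signal).
run_limited() {   # usage: run_limited <seconds> <cmd> [args...]
    if command -v timeout >/dev/null 2>&1; then timeout "$@"; else shift; "$@"; fi
}

# Replay one input and print how the target ended: SIG<name>, hang, or exit:<code>.
# AFL already records the signal in the file name (sig:11); replaying confirms
# the crash reproduces outside the fuzzer and exposes flaky cases.
classify_one() {   # usage: classify_one <target> <file>
    status=0
    run_limited 10 "$1" "$2" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 124 ]; then
        echo hang
    elif [ "$status" -gt 128 ]; then
        echo "SIG$(kill -l $((status - 128)))"
    else
        echo "exit:$status"
    fi
}

# Walk out/crashes (single instance) and out/*/crashes (parallel run); one line
# "<bucket> <file>" per case. README.txt in those directories is skipped.
triage_crashes() {   # usage: triage_crashes <outdir> <target>
    for f in "$1"/crashes/id:* "$1"/*/crashes/id:*; do
        [ -f "$f" ] || continue
        echo "$(classify_one "$2" "$f") $f"
    done
}

# Count cases per bucket, most frequent first: "<count> <bucket>".
triage_summary() {   # usage: triage_summary <outdir> <target>
    triage_crashes "$1" "$2" | cut -d' ' -f1 | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# The GDB steps above in one command: load the plugin, run the crash case,
# classify it (EXPLOITABLE, PROBABLY_EXPLOITABLE, ...).
gdb_exploitable() {   # usage: gdb_exploitable <target> <file>
    gdb -q -batch -ex "source ${EXPLOITABLE_PY:?path to exploitable.py}" \
        -ex run -ex exploitable --args "$1" "$2"
}

# Shrink a crash to the smallest input that still crashes the same way;
# afl-tmin switches to crash mode by itself when the initial input crashes.
minimise_crash() {   # usage: minimise_crash <file> <target>
    afl-tmin -i "$1" -o "$1.min" -- "$2" @@
}

# Typical session (not executed when the file is merely sourced):
#   triage_summary afl_out ./fuzzgoat/fuzzgoat
#   gdb_exploitable ./fuzzgoat/fuzzgoat afl_out/f1/crashes/id:000000,sig:11,src:000005,op:flip1,pos:3
#   minimise_crash afl_out/f1/crashes/id:000000,sig:11,src:000005,op:flip1,pos:3 ./fuzzgoat/fuzzgoat
```

Run triage_summary first: one SIGSEGV bucket with hundreds of files usually means one bug reached many ways, so minimise one representative with afl-tmin and classify that, rather than opening every file in GDB. The file name in the session comment is a made-up example of AFL's naming scheme.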
Slide 22
Fuzzing a binary without source
● Linux binaries only
● AFL's QEMU mode: runs the binary under a patched QEMU user-mode emulator that collects coverage at run time (afl-fuzz -Q); noticeably slower than compile-time instrumentation
Slide 23
Limitations of AFL
● Input only via a file or stdin; network and GUI targets need a wrapper that turns the input into one of those
● Only binaries that can be instrumented at compile time or run under QEMU mode
● Only some operating systems: Linux first, other Unix-like systems with caveats, no native Windows support (WinAFL is a separate port)
Slide 24
Thanks!