fusil the fuzzer - fuzzing.infofuzzing fusil generate data fuzzers analyze more principles goals...
TRANSCRIPT
FuzzingFusil
Generate dataFuzzersAnalyze
More
Fusil the fuzzer
Victor Stinner
FOSDEM, february 2009
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
PrinciplesGoalsAdvantages
Fuzzing principles
Isolate input vectors
Inject faults
Watch the software reactions
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
PrinciplesGoalsAdvantages
Fuzzing goals
Find bugs
Test software stability
Offender’s point of view
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
PrinciplesGoalsAdvantages
Advantages of the fuzzing
Simple
Fast
Efficient
Free or closed software
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
FusilInput vectorsProbesScore
Fusil the fuzzer
Python library
20+ fuzzers
Found bugs in ClamAV, Gimp, GNUlibc, Python, ...
Test command line programs
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
FusilInput vectorsProbesScore
Input vectors
Command line
Files
Environment variables
TCP sockets
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
FusilInput vectorsProbesScore
The different probes
Standard output / logs
Process exit status
Network ping
Integrated debugger (ptrace)
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
FusilInput vectorsProbesScore
Probes score system
Weighted sum of probe scores
-100%: inputs rejected
0%: nothing special
100%: success (crash)
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
Random dataInject faultsData modelPython fuzzer
Generate pure random data
nc host port < /dev/urandom
Crashes softwares with noQA
... with no security
... with few users
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
Random dataInject faultsData modelPython fuzzer
Inject faults in valid data
Invert bits, replace bytes, etc.
Truncate file
Crashes all audio/videoplayers
Easiest technique
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
Random dataInject faultsData modelPython fuzzer
Generate data using a model
Generate random data
... respecting thespecifications
Deeper tests
Needs specifications
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
Random dataInject faultsData modelPython fuzzer
Example of the Python fuzzer
List Python modules
List module functions
Random function calls
Random argument numberand types
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
ApplicationsLibrariesLanguagesDemo
Application fuzzers
ClamAV (antivirus)
Firefox
Gstreamer, mplayer, VLC(audio/video)
Image Magick
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
ApplicationsLibrariesLanguagesDemo
Library fuzzers
gettext (i18n)
poppler (PDF): Evince and Kpdf
printf() of the libc
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
ApplicationsLibrariesLanguagesDemo
Programming languages fuzzers
Python
PHP
Random functions, randomarguments
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
ApplicationsLibrariesLanguagesDemo
Demonstration
Crash Python
Replay the crash
Analyze the crash
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
CriticityVulnerability?Answers
Criticity of an error
Denial of service
Lost data
Permanent error
Difficulty to reproduce the error
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
CriticityVulnerability?Answers
Bug or vulnerability?
Steal data (read)
Modify files (write)
Inject code (execute)
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
CriticityVulnerability?Answers
Editors’ answers
We don’t care!
Apply patches
Interested to test Fusil
Reflect the project quality
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
New faultsNew probesOther fuzzersWhy Fusil?QuestionsSources
Ideas for new faults
failmalloc, /dev/full
Time jumps
Send signals
Network fuzzers
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
New faultsNew probesOther fuzzersWhy Fusil?QuestionsSources
Ideas of new probes
Code coverage (gcov,DynamoRio)
Memory fault (Valgrind, Purify)
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
New faultsNew probesOther fuzzersWhy Fusil?QuestionsSources
Other fuzzer libraries
Sulley, Peach, EFS
Bunny, Flayer, Scapy
zzuf, PROTOS, SPIKE
...
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
New faultsNew probesOther fuzzersWhy Fusil?QuestionsSources
Why using Fusil?
Keep "success" files
Replay script
Crash informations
Safety
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
New faultsNew probesOther fuzzersWhy Fusil?QuestionsSources
Questions ?
Fusil: GPLv2
Linux, FreeBSD, (Windows)
Written in Python 2.5
http://fusil.hachoir.org
Victor Stinner Fusil the fuzzer
FuzzingFusil
Generate dataFuzzersAnalyze
More
New faultsNew probesOther fuzzersWhy Fusil?QuestionsSources
Picture sources
http://commons.wikimedia.org
File:Train_wreck_at_Montparnasse_1895.jpg
File:Bundesarchiv_Bild_102-12503,_Autounfall.jpg
File:Bundesarchiv_Bild_102-10248,_Mecklenburg,_Autounglück.jpg
File:B-24_Kopfstand.jpg
File:Men_inspecting_wreckage_of_first_Toronto_airplane_crash.jpg
File:AralShip.jpg
Victor Stinner Fusil the fuzzer