american fuzzy lop
TRANSCRIPT
American Fuzzy Lop: Black Box Fuzzing
2016-10-24
American Fuzzy Lop
• American Fuzzy Lop (AFL) is a fuzzing tool
• Also, a breed of rabbit
• Written by Michał Zalewski (`lcamtuf`)
• Used as part of a bunch of DEFCON presentations (including CGC)
• Big in the computer security field
• Finds crashes in programs
• Works on (instrumented) binaries
• Has no understanding of problem domain
• Has found A LOT of tricky, impressive bugs:
  • http://lcamtuf.coredump.cx/afl/
  • Firefox, OpenSSL, clang, glibc, perl, screen, Redis…
Aside: Fuzz Testing
• Fuzz testing is the generation of random, hopefully invalid inputs
• Meant to catch the edge cases that you didn’t anticipate / test for
Usage
1. Create a binary that reads from stdin, returns non-zero on exception
2. Give AFL the binary and a few sample inputs
3. Profit! (analyze crash logs)
Example
• We want to check for crashes in the encode/decode functions of pyhocon
• HOCON (Human-Optimized Config Object Notation)
  • https://github.com/typesafehub/config/blob/master/HOCON.md
• pyhocon is a python library for HOCON SerDes
  • https://github.com/chimpler/pyhocon
Example
• We want to check for crashes in the encode/decode functions of pyhocon
1. Write a simple wrapper program
2. Since we’re in Python, we also use the python-afl library
3. Add the expected Exceptions
4. Run!
5. Wait…
The code
It’s running!
Checks
• Bit + Byte flips
• Arithmetic offsets
• Troublesome values (0, 1, INT_MAX, etc)
• Random overwrites + appends
• Inserts/Deletes/Splices of inputs at random offsets
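As an added illustration (not from the slides, AFL, or python-afl), the following Python re-creates the mutation strategies listed above and the harness logic from the Example steps: exception types listed as expected count as valid rejections of bad input, anything else is recorded as a crash. It has no coverage feedback, so it matches the black-box view of AFL the deck takes; `target`, `seeds` and `expected` are assumed parameter names.

```python
import random

INTERESTING = (0, 1, 0x7f, 0x80, 0xff)  # AFL-style "troublesome" byte values

def deterministic_mutants(data: bytes):
    """Yield AFL's deterministic stages for one input: walking bit flips,
    byte flips, +/-35 arithmetic on each byte, and interesting-value overwrites."""
    for i in range(len(data) * 8):
        b = bytearray(data); b[i // 8] ^= 1 << (i % 8); yield bytes(b)
    for i in range(len(data)):
        b = bytearray(data); b[i] ^= 0xff; yield bytes(b)
    for i in range(len(data)):
        for delta in [d for d in range(-35, 36) if d]:
            b = bytearray(data); b[i] = (b[i] + delta) & 0xff; yield bytes(b)
    for i in range(len(data)):
        for v in INTERESTING:
            b = bytearray(data); b[i] = v; yield bytes(b)

def havoc_mutant(data: bytes, pool, rng: random.Random) -> bytes:
    """One random 'havoc' step: overwrite, append, insert, delete, or splice
    with another queue entry, all at random offsets."""
    b = bytearray(data)
    rand = lambda n: bytes(rng.randrange(256) for _ in range(n))
    op = rng.choice(("overwrite", "append", "insert", "delete", "splice"))
    if op == "overwrite" and b:
        b[rng.randrange(len(b))] = rng.randrange(256)
    elif op == "append":
        b += rand(rng.randint(1, 4))
    elif op == "insert":
        pos = rng.randint(0, len(b)); b[pos:pos] = rand(rng.randint(1, 4))
    elif op == "delete" and len(b) > 1:
        pos = rng.randrange(len(b)); del b[pos:pos + rng.randint(1, len(b) - pos)]
    elif op == "splice":
        other = rng.choice(pool); pos = rng.randint(0, len(b))
        b = b[:pos] + other[rng.randint(0, len(other)):]
    return bytes(b)

def fuzz(target, seeds, expected, rounds=500, seed=0):
    """Run target on every mutant. Exceptions in `expected` are the parser's
    legitimate rejections; any other exception is a crash. Returns a dict
    mapping exception name -> first input that triggered it."""
    rng, queue, crashes = random.Random(seed), list(seeds), {}
    def run(inp):
        try:
            target(inp)
        except expected:
            pass
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, inp)
    for s in seeds:
        for m in deterministic_mutants(s):
            run(m)
    for _ in range(rounds):
        run(havoc_mutant(rng.choice(queue), queue, rng))
    return crashes
```

For the real pyhocon run, `target` would be `ConfigFactory.parse_string` on the decoded input and `expected` the parser's own error classes; python-afl then supplies the instrumentation this toy driver lacks.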
Bug found!
• https://github.com/chimpler/pyhocon/issues/103
• It happens when you try to append to a list that is nested in a dictionary
• Internally, a boolean was being passed in when it should have been a string
• While type checking would have also found this, a person manually testing likely would not (and did not) find it
Conclusions
• American Fuzzy Lop is a very good tool for black box fuzz testing of software.
• Very easy to use (nothing to learn, no domain knowledge)
• Especially useful for code:
  • That is complex
  • That you didn’t write
  • That you don’t have the source code for
  • i.e. code you don’t understand
• Further reading:
  • https://github.com/mirrorer/afl/blob/master/docs/technical_details.txt
• “10/10; would crash again”