CAP6135: Malware and Software Vulnerability Analysis
Fuzzing Test Example
Cliff Zou
Spring 2013
Objective

Explain basic fuzzing with a concrete coding example.
Explain how the vulnerable code in programming project 2 is derived.
Introduce several useful techniques for the fuzzing test in project 2.
Example Code

The example target takes three inputs: an int, a string, and an int.

    $ ./fuzzTest-target 200 "what is this?" 2

```c
int inputInteger;   /* global variable */

int main(int argc, char *argv[])
{
    if (argc != 4) {
        fprintf(stderr, "fuzzTest needs 3 input parameters: int string int!\n");
        exit(0);
    }
    sscanf(argv[1], "%d", &inputInteger);
    my_func(inputInteger, argv[2], argv[3]);
    return 0;
}
```

The subfunction my_func() introduces 3 man-made bugs.
Bug #1: Integer Overflow

```c
int my_func(short argLen, char *str, char *divStr)
{
    int denominator;
    float x;
    char buf[10];
    void (*foo)(short);              /* function pointer, see below */

    if (argLen != inputInteger) {
        fprintf(stderr, "Bug #1: integer overflow triggered\n");
        foo = (void (*)(short))0xbfffffff;
        foo(argLen);                 /* jump to an arbitrary address: memory fault */
        exit(1);
    }
```

The global inputInteger is an int, but my_func() receives it as a short: the value is truncated to 16 bits, so the comparison fails whenever inputInteger > 32767 (or < -32768). The slide calls this an integer overflow; strictly it is a narrowing conversion, and it is exactly the kind of mismatch a fuzzer finds by sweeping large integers.

foo() is a function pointer. Calling through an arbitrary address such as 0xbfffffff makes the CPU fetch instructions from memory the process does not own, which normally kills the process with SIGSEGV (a segmentation fault, exit code 139 as reported by the shell) rather than an illegal-instruction fault; the fuzzer below therefore keys on signal 11.
Bug #2: Buffer Overflow

```c
    char buf[10];
    if (strlen(str) > 10) {
        fprintf(stderr, "Bug #2: buffer overflow triggered. strlen=%zu\n", strlen(str));
        strcpy(buf, str);   /* unbounded copy: stack smashing */
        return 2;           /* if the return address was overwritten, the return faults */
    }
```

With a long enough str the copy runs past buf and over the saved return address, so the function crashes on return with a segmentation fault. When the binary is built with a stack protector (gcc's -fstack-protector, on by default on many distributions) the overwritten canary is caught first and the process aborts with "*** stack smashing detected ***" instead, which is why the fuzzer must also treat SIGABRT (exit code 134) as a crash. A string only slightly longer than 10 bytes may overwrite nothing important and not crash at all.
Bug #3: Divide by Zero

```c
    sscanf(divStr, "%d", &denominator);
    if (denominator == 0) {
        fprintf(stderr, "Bug #3: division by zero triggered\n");
        x = argLen / denominator;    /* integer division by zero: SIGFPE on x86 */
        foo = (void (*)(short))0xbffbffff;
        foo(argLen);                 /* jump to an arbitrary address: memory fault */
    } else {
        x = argLen / denominator;
    }
    return 0;
}
```

Both operands of argLen / denominator are integers, so this is an integer division even though the result is stored in a float: on x86 a zero divisor raises SIGFPE (signal 8, exit code 136) on the division itself, before the call through foo() is ever reached. A fuzzer that only looks for exit codes 139 and 134 would miss this bug, so check 128+8 as well. (If the compiler drops the unused division result at higher optimization levels, the foo() call runs instead and the crash becomes a segmentation fault.)
Fuzzer Outline

Generate inputs (random or following rules):

```c
firstInt  = rand() % 50000;       /* values above 32767 reach Bug #1 */
secondInt = rand() % 2;           /* zero half of the time, to reach Bug #3 */
arraySize = rand() % 20 + 1;      /* at least 1: with 0, charArray[arraySize-1] writes before the block */

charArray = (char *) malloc(arraySize);
for (j = 0; j < arraySize; j++)
    charArray[j] = 'A';
charArray[arraySize - 1] = '\0';  /* terminate the string */
```

Generate the execution command line:

```c
sprintf(buffer, "./fuzzTest-target %d \"%s\" %d\n", firstInt, charArray, secondInt);
free(charArray);                  /* must free memory for repeated testing! */
```
Fuzzer Outline (continued)

Execute the target and obtain its exit status:

```c
ret = system(buffer);             /* runs the command under /bin/sh and waits for it */
retCode = WEXITSTATUS(ret);
```

system() already waits for the child, so the wait(&status) on the original slide has no child to wait for and is dropped here. WEXITSTATUS(ret) is only meaningful when WIFEXITED(ret) is true: some shells (bash among them) exec a single simple command directly instead of forking it, and then a target killed by a signal shows up as WIFSIGNALED(ret) with the signal in WTERMSIG(ret), not as exit code 128+signal. Check both forms.

Check for an abnormal exit code and record the inputs that caused it:

```c
if (retCode == 128 + 11 || retCode == 128 + 6) {   /* segmentation fault (11) or abort (6) */
    printf("retCode=%d ## Input: firstInt = %d, arraySize = %d, secondInt = %d\n",
           retCode, firstInt, arraySize, secondInt);
    fflush(stdout);               /* make sure the record is written out immediately! */
}
```

Then repeat from the start, generating new inputs.
How to Record Fuzzing Results?

When an abnormal exit happens, record the inputs that caused it, and record the corresponding message the target printed to stderr.

Unix I/O streams: stdin (0), stdout (1), stderr (2). I/O redirection on the shell command line:

    $ command < data.txt      read stdin from a file instead of the keyboard
    $ command > output.txt    redirect stdout to a file
    $ command 2> error.txt    redirect stderr to a file
    $ command &> output.txt   redirect both stdout and stderr to a file (bash shorthand; the portable form is > output.txt 2>&1)

For our example: $ ./fuzzTest100 &> output.txt
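The harness below is an added example, not code from the slides: it combines the execute-and-check step of the fuzzer outline with the stderr capture described here in one runnable C file. Each command line runs in a subshell through popen() with stderr merged into the pipe; the outcome is classified as a crash both when the shell reports it as exit code 128+signal and when the target died of the signal directly (WIFSIGNALED), and the bug number is pulled out of a "Bug #N" or "BUG N TRIGGERED" line so that only one input per bug has to be kept. That same capture is what the later question of matching a crashed input to its bug ID needs. fuzzTest-target and jpegconv are the course's programs and are not included; the driver in main() assumes ./fuzzTest-target with the three-argument interface shown earlier.

```c
/* fuzz_harness.c: run one fuzzed command line under /bin/sh, capture what the
 * target prints, and classify the outcome by fatal signal and by bug message.
 * Added example; fuzzTest-target and jpegconv are the course's programs and
 * are not part of this file. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/wait.h>

/* Map a wait status (from system() or pclose()) to the signal that killed the
 * target, or 0 for a normal exit. Two cases must be handled:
 *   - the shell exec'd the target directly and it died of a signal: WIFSIGNALED
 *   - the shell forked the target and reported its death as exit code 128+sig
 * Caveat: a program that deliberately exits with a code above 128 looks like
 * the second case. */
int crash_signal(int status)
{
    if (status == -1) return -1;                       /* could not run at all */
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    if (WIFEXITED(status) && WEXITSTATUS(status) > 128) return WEXITSTATUS(status) - 128;
    return 0;
}

/* Bug number from one line of target output, in either message style used on
 * this page: "Bug #1: ..." (fuzzTest-target) or "BUG 3 TRIGGERED" (jpegconv).
 * Returns 0 when the line carries neither. */
int parse_bug_id(const char *line)
{
    const char *hit;
    int n;
    if ((hit = strstr(line, "BUG ")) != NULL && sscanf(hit, "BUG %d TRIGGERED", &n) == 1) return n;
    if ((hit = strstr(line, "Bug #")) != NULL && sscanf(hit, "Bug #%d", &n) == 1) return n;
    return 0;
}

/* Run cmd in a subshell with stderr merged into the pipe, scan every line for
 * a bug message (stored in *bug_id, 0 if none) and return crash_signal() of
 * the result; -1 if the command could not be started. */
int run_and_classify(const char *cmd, int *bug_id)
{
    char full[1024], line[512];
    *bug_id = 0;
    if (snprintf(full, sizeof full, "( %s ) 2>&1", cmd) >= (int)sizeof full) return -1;
    FILE *p = popen(full, "r");
    if (p == NULL) return -1;
    while (fgets(line, sizeof line, p) != NULL) {
        int n = parse_bug_id(line);
        if (n > 0) *bug_id = n;
    }
    return crash_signal(pclose(p));
}

/* Driver for the three-argument fuzzTest-target of the earlier slides: random
 * inputs as in the outline, one record per distinct bug. */
int main(void)
{
    char cmd[256], str[32];
    int seen[64] = { 0 };
    srand((unsigned)time(NULL));
    for (int round = 0; round < 2000; round++) {
        int firstInt = rand() % 50000;              /* > 32767 reaches Bug #1 */
        int secondInt = rand() % 2;                 /* 0 reaches Bug #3 */
        int arraySize = rand() % 20 + 1;            /* >= 12 reaches the strcpy of Bug #2 */
        memset(str, 'A', arraySize - 1);
        str[arraySize - 1] = '\0';
        snprintf(cmd, sizeof cmd, "./fuzzTest-target %d \"%s\" %d", firstInt, str, secondInt);
        int bug;
        int sig = run_and_classify(cmd, &bug);
        if (sig <= 0) continue;                     /* ran normally, or could not run */
        if (bug > 0 && bug < 64 && seen[bug]++) continue;   /* already have this bug */
        printf("signal %d bug %d ## firstInt=%d arraySize=%d secondInt=%d\n",
               sig, bug, firstInt, arraySize, secondInt);
        fflush(stdout);
    }
    return 0;
}
```

The subshell wrapper "( cmd ) 2>&1" matters: appending "2>&1" to the bare command line would only redirect the last simple command, and the target's "Bug #N" line would bypass the pipe. The 128+signal rule is a shell convention, so a target that legitimately exits with a code above 128 is misreported as a crash; both programs on this page exit with 0 or 1, so that is safe here.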
Programming Project 2: Introduction
Manually Read the sample.jpg File

To understand the JPEG file format and the project's 'sample.format' description, you need a hex editor. On Unix: $ hexdump sample.jpg > hex.txt

Without options, hexdump prints 16-bit little-endian words, so each pair of bytes is shown as 'daff' where the first byte in the file is 'ff' and the second is 'da'. This byte order is a bit confusing; $ hexdump -C sample.jpg (or $ xxd sample.jpg) prints the bytes one at a time in file order and avoids it.

HexEdit for Windows: http://www.physics.ohio-state.edu/~prewett/hexedit/
This program shows each byte value, so there is no big-endian or little-endian confusion.

You can use the Windows Accessories 'Calculator' to translate between decimal and hexadecimal values: use the 'Programmer' option in the 'View' menu.
One-Round Fuzzing Outline

In our fuzzer, we first read sample.jpg into a char buffer array.
Then, modify the buffer (randomly, or following the format rules).
Then, write the contents of the buffer to the file test.jpg.
Then, invoke jpegconv on test.jpg as the fuzz test.
Read sample.jpg into a Buffer

```c
char imageBuf[10000];               /* enough to hold sample.jpg; check fSize against it! */
int fSize;
FILE *fin, *fout;

fin = fopen("./sample.jpg", "rb");
fout = fopen("./test.jpg", "wb");
if (fin == NULL || fout == NULL) { perror("fopen"); exit(1); }   /* always check fopen() */
fseek(fin, 0, SEEK_END);            /* set the file pointer to the end of the file */
fSize = ftell(fin);                 /* get the input file size */
fseek(fin, 0, SEEK_SET);            /* rewind the pointer to the start of fin */
if ((size_t)fSize > sizeof imageBuf) { fprintf(stderr, "sample.jpg too large\n"); exit(1); }
fread(imageBuf, 1, fSize, fin);     /* read the byte stream of the file */
fclose(fin);

/* then modify imageBuf randomly, or follow the JPEG format on the header section */
```
JPEG Header Format

Now sample.jpg is in the char array imageBuf[]. Check 'sample.format' for the JPEG layout. For example, in sample.jpg:

    imageBuf[0] = 0xff;   imageBuf[1] = 0xd8;     SOI marker (start of image)
    imageBuf[158] = 0xff; imageBuf[159] = 0xc0;   SOF marker (start of frame)
    imageBuf[609] = 0xff; imageBuf[610] = 0xda;   SOS marker (start of scan)

Simple fuzzing: mutation-based fuzzing. Only work on the JPEG header section, since all the bugs are in there. You may only be able to find a few bugs this way; of course, trying millions of inputs may find all the bugs if you are lucky.

Advanced fuzzing: protocol-aware fuzzing. Follow the guide in the project description and modify the format sections step by step. Modifying different sections can trigger different bugs.
Write the Fuzzed Image to test.jpg

```c
fwrite(imageBuf, 1, fSize, fout);   /* if you changed the image size, use the new fSize */
fclose(fout);
/* then invoke jpegconv on test.jpg for testing */
```

Note that test.jpg only holds the newest fuzzed file; each round overwrites it.
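One implementation of the read, mutate and write steps above, added here as an example (not the course's code): instead of hard-coding offsets such as 158 and 609, a small segment walker locates SOF0 and SOS from the JPEG marker and length fields, and the mutator changes only the payload of the chosen section so jpegconv still parses its way to the mutated bytes. That is the basis of the protocol-aware variant mentioned above. sample_jpeg() is a constructed 46-byte JPEG used only for self-testing; the real sample.jpg, test.jpg and the jpegconv run are the project's and are handled as on the slides.

```c
/* jpeg_round.c: read sample.jpg, aim a mutation at one header section, write
 * test.jpg. Added example built on a minimal JPEG segment walker; not the
 * course's code. sample_jpeg() is a constructed stand-in used by the self-test. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <time.h>

typedef struct { size_t offset, length; uint8_t marker; } jpeg_seg;

/* Walk the segments after SOI up to and including SOS (entropy-coded data follows
 * SOS). A segment is FF <marker> plus a big-endian 16-bit length that counts
 * itself; EOI has no length, and FF fill bytes may precede a marker. Returns the
 * segment count, or -1 for a non-JPEG buffer or a length running past its end. */
int jpeg_segments(const uint8_t *buf, size_t size, jpeg_seg *segs, int max_segs)
{
    int n = 0;
    size_t pos = 2;
    if (size < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return -1;            /* SOI */
    while (pos + 4 <= size && n < max_segs) {
        uint8_t marker = buf[pos + 1];
        if (buf[pos] != 0xFF) return -1;
        if (marker == 0xFF) { pos++; continue; }                              /* fill byte */
        if (marker == 0xD9) { segs[n++] = (jpeg_seg){ pos, 2, marker }; break; }  /* EOI */
        size_t len = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (len < 2 || pos + 2 + len > size) return -1;
        segs[n++] = (jpeg_seg){ pos, 2 + len, marker };
        pos += 2 + len;
        if (marker == 0xDA) break;                                            /* SOS */
    }
    return n;
}

int jpeg_find_segment(const jpeg_seg *segs, int n, uint8_t marker)
{
    for (int i = 0; i < n; i++) if (segs[i].marker == marker) return i;
    return -1;
}

/* Deterministic generator: a crashing round can be replayed from its seed. */
static uint32_t lcg(uint32_t *s) { *s = *s * 1103515245u + 12345u; return (*s >> 16) & 0x7FFF; }

/* Overwrite `count` random payload bytes of one segment, leaving its marker and
 * length field intact so the parser still reaches it. Returns bytes written. */
int mutate_segment(uint8_t *buf, const jpeg_seg *seg, int count, uint32_t *seed)
{
    static const uint8_t edge[] = { 0x00, 0x01, 0x7F, 0x80, 0xFF };
    size_t start = seg->offset + 4, len = seg->length > 4 ? seg->length - 4 : 0;
    if (len == 0) return 0;
    for (int i = 0; i < count; i++) {
        size_t off = start + lcg(seed) % len;
        switch (lcg(seed) % 3) {
        case 0:  buf[off] = (uint8_t)lcg(seed); break;                        /* random byte */
        case 1:  buf[off] = edge[lcg(seed) % sizeof edge]; break;            /* boundary value */
        default: buf[off] ^= (uint8_t)(1u << (lcg(seed) % 8)); break;        /* single bit flip */
        }
    }
    return count;
}

/* Constructed stand-in for sample.jpg: SOI, APP0 (JFIF), SOF0, SOS, one data byte, EOI. */
const uint8_t *sample_jpeg(size_t *size)
{
    static const uint8_t img[] = {
        0xFF, 0xD8,
        0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0, 1, 1, 0, 0, 1, 0, 1, 0, 0,
        0xFF, 0xC0, 0x00, 0x0B, 8, 0, 1, 0, 1, 1, 1, 0x11, 0,
        0xFF, 0xDA, 0x00, 0x08, 1, 1, 0, 0, 0x3F, 0,
        0x00,
        0xFF, 0xD9 };
    *size = sizeof img;
    return img;
}

/* Whole-file read into a malloc'd buffer (a fixed imageBuf[10000] overflows on a larger sample). */
uint8_t *read_file(const char *path, size_t *size)
{
    FILE *f = fopen(path, "rb");
    long n = f != NULL && fseek(f, 0, SEEK_END) == 0 ? ftell(f) : -1;
    uint8_t *buf = n > 0 ? malloc((size_t)n) : NULL;
    if (buf != NULL && (fseek(f, 0, SEEK_SET) != 0 || fread(buf, 1, (size_t)n, f) != (size_t)n)) { free(buf); buf = NULL; }
    if (f != NULL) fclose(f);
    if (buf != NULL) *size = (size_t)n;
    return buf;
}

int main(int argc, char **argv)
{
    size_t size;
    jpeg_seg segs[64];
    uint32_t seed = argc > 2 ? (uint32_t)strtoul(argv[2], NULL, 10) : (uint32_t)time(NULL);
    uint8_t *img = read_file(argc > 1 ? argv[1] : "sample.jpg", &size);
    int n = img != NULL ? jpeg_segments(img, size, segs, 64) : -1;
    int sof = n > 0 ? jpeg_find_segment(segs, n, 0xC0) : -1;                 /* aim at SOF0 */
    if (sof < 0) { fprintf(stderr, "cannot read, walk, or find SOF0 in the input\n"); free(img); return 1; }
    printf("seed %u: SOF0 at offset %zu, %zu bytes\n", seed, segs[sof].offset, segs[sof].length);
    mutate_segment(img, &segs[sof], 3, &seed);
    FILE *out = fopen("test.jpg", "wb");
    if (out == NULL || fwrite(img, 1, size, out) != size) { perror("test.jpg"); free(img); return 1; }
    fclose(out);
    free(img);
    return 0;                                    /* now run jpegconv on test.jpg as on the slides */
}
```

Usage: ./jpeg_round sample.jpg [seed]. Printing the seed and accepting it back on the command line means a crashing test.jpg can be regenerated exactly without saving every fuzzed file, which is the disk-space concern raised below; changing 0xC0 to 0xDA (or any other marker) aims the same mutator at a different section, and the -1 return of the walker is itself a useful check, since a fuzzer that corrupts a length field produces exactly the input it rejects.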
Save the Fuzzed Input That Causes a Bug

```c
int ret, retCode;
int crashNum = 0;
char fileName[20];                  /* saved fuzzed image file name */
char comBuf[200];                   /* the command line string */

snprintf(comBuf, sizeof comBuf, "./jpegconv -ppm -outfile foo.ppm test.jpg");
ret = system(comBuf);               /* the original slide passes 'buffer' here, but the command is in comBuf */
retCode = WEXITSTATUS(ret);
if (retCode == 139) {               /* segmentation fault: a bug */
    crashNum++;
    snprintf(fileName, sizeof fileName, "./crashed-%d.jpg", crashNum);
    fout = fopen(fileName, "wb");
    if (fout == NULL) { perror(fileName); exit(1); }
    fwrite(imageBuf, 1, fSize, fout);
    fclose(fout);
}
```

As with the fuzzTest example, system() has already waited for jpegconv, so no separate wait() is needed, and a jpegconv killed by a signal may be reported through WIFSIGNALED(ret) rather than as exit code 139.
Notes

Remember, do not save every fuzzed input into image files! There is not enough disk space for that on Eustis.

You will still get multiple fuzzed images saved for the same bug. Find a smart way to save only one copy per bug.

When one or two bugs are triggered repeatedly, try modifying the image in other format sections, and mutate the image file in different ways:
- change bytes to different kinds of values: random, negative, zero, upper-bound, ...
- change a different number of bytes: consecutive, randomly picked, ...
Unsolved Task

How do you match crashed-x.jpg to its bug ID? Hint: jpegconv uses stderr to print out "BUG X TRIGGERED". I will leave this task to you.
Notes

Do not copy code directly from the slides! The quotation marks have been changed by Word.

How many runs should I do? Keep count of:
- the number of fuzzed input files
- the number of saved fuzzed image files (so as not to blow your disk space quota on Eustis)
- the number of different bugs found (this needs your code to process the stderr messages)

Your code needs to check whether fopen() succeeds or not!
Working Environment

You can do this project on Eustis, or on any Linux machine you set up; make sure 'jpegconv' works on your computer (see the project description).

You can use any programming language available in Linux for the project, but your code must be able to run under Eustis for project submission. Eustis supports Perl, Java, C, Python, and SBCL. Your report must explain how we can run your code on Eustis!
Last Words

After this detailed explanation and coding, the project should not be hard.

My own mutation-based fuzzer contains less than 60 lines of C and found two bugs in 1300 inputs; a protocol-aware fuzzer will be longer.