fuzzing with go-fuzz

Fuzzing with Go-Fuzz August 2015

Upload: jnewmano

Post on 16-Jan-2017

303 views

Category:

Software

0 download

Report

Download

Embed Size (px):

TRANSCRIPT

Fuzzing with Go-FuzzAugust 2015

Why Fuzz?Your code probably has

problems.

Fuzzing• Mainly applicable to

packages that parse complex inputs

• Technique of testing software by continuously feeding it automatically mutated inputs

• Hardening systems that parse inputs from potentially malicious users

What to Fuzz• Image decoders

• Format string decoders

• SIP message decoders

• E-mail

• HTTP requests

• XML

• JSON

• Anything that has user inputs

Fuzzing• American Fuzzy Lop

• Throwing random things at your code isn’t effective

• Compile time instrumentation and genetic algorithms

• Instrumented source coverage to judge which mutations pushed the program into new paths, eventually hitting many rarely-tested branches

http://lcamtuf.coredump.cx/afl/ http://lcamtuf.coredump.cx/afl/README.txt

http://lcamtuf.coredump.cx/afl/

http://lcamtuf.coredump.cx/afl/README.txt

Fuzzing Flow1. Load user-supplied initial test cases into the queue,

2. Take next input file from the queue,

3. Attempt to trim the test case to the smallest size that doesn't alter the measured behavior of the program,

4. Repeatedly mutate the file using a balanced and well-researched variety of traditional fuzzing strategies,

5. If any of the generated mutations resulted in a new state transition recorded by the instrumentation, add mutated output as a new entry in the queue.

6. Go to 2.

Go-Fuzz• Based on American Fuzzy Lop

• Instruments the source by rewriting it

• Catches

• Index out of range

• Panics

• Deadlock

• Insane memory allocation

• Anything else you explicitly check for

https://github.com/dvyukov/go-fuzz

Go Fuzz• You provide

• an entry function for go-fuzz

• Fuzz(data []byte) int

• 0 on error

• 1 if input was interesting

• -1 if not interesting

• initial set of inputs

• compile your program with go-fuzz-build

Fuzz Time• Gossip

• http://godoc.org/github.com/StefanKopieczek/gossip/parser

• SIPParser

• http://godoc.org/github.com/dgv/sipparser

http://godoc.org/github.com/StefanKopieczek/gossip/parser

http://godoc.org/github.com/dgv/sipparser

Acknowledgments - University of WaterlooMLSecurity/talks/mayur.pdf · State of the Practice: Bug-Finding OSS-Fuzz: Continuous Fuzzing of Open-Source Software Project # MLOC jsc 5.05

Adaptive Grey-Box Fuzz-Testing with Thompson Sampling · Fuzz testing, or “fuzzing,” refers to a widely deployed class of tech-niques for testing programs by generating a set

Fuzz Testing for Dummies Testing for Dummies ... • Software watchdog Fuzzing scripts ... electronic form without requesting formal permission

Hybrid Fuzz Testing: Discovering Software Bugs via Fuzzing and

Fuzzing Sucks! - Introducing Sulley Fuzzing Framework

Sulley: Fuzzing Frameworkfuzzing.org/wp-content/SulleyManual.pdf · Sulley: Fuzzing Framework Sulley is a fuzzer development and fuzz testing framework consisting of multiple extensible

Fuzzing Frameworks, Fuzzing Languages?!

Billions and Billions of Constraints: Whitebox Fuzz ... · Blackbox fuzzing is a form of blackbox random test-ingwhichrandomlymutateswell-formedprograminputs, ... formed inputs, which

Fuzzing—orhowtohelpcomputerscopewiththeunexpected Fuzzing ...cdn.ttgtmedia.com/.../downloads/RHUL_Fuzzing_final.pdf · RoyalHollowaySeries Fuzzing—orhowtohelpcomputerscopewiththeunexpected

New Testing Your Code for Security Issues With Automated Fuzzing · 2020. 1. 31. · 11 What is oss-fuzz? (III) oss-fuzz is a SAAS around libFuzzEngine + ASAN/MSAN/UBSAN + bug tracker

15 Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis …faculty.cse.tamu.edu › guofei › paper › Wang_TISSEC11_TaintScope.pdf · Fuzz testing has proven successful

1 V-Fuzz: Vulnerability-Oriented Evolutionary Fuzzing1 V-Fuzz: Vulnerability-Oriented Evolutionary Fuzzing Yuwei Li, Shouling Ji, Chenyang Lv, Yuan Chen, Jianhai Chen, Qinchen Gu,

Fuzzing with Code Fragments (-2) - USENIX · Fuzzing with Code Fragments Christian Holler Mozilla Corporation [email protected] Kim Herzig ... Fuzz testing is an automated technique

Learning to Fuzz: Application-Independent Fuzz …mp.binaervarianz.de/TreeFuzz_TR_Nov2016.pdf · Learning to Fuzz: Application-Independent Fuzz Testing with Probabilistic, Generative

A Fuzz: Impeding Fuzzing Audits of Binary Executables · ANTIFUZZ: Impeding Fuzzing Audits of Binary Executables Emre Güler, Cornelius Aschermann, Ali Abbasi, and Thorsten Holz Ruhr-Universität

HTTP Fuzzing: Using JBroFuzz to fuzz the web away€¦ · OWASP Alabama Chapter Presentation Overview Fuzzing in general Fuzzing in the web world HTTP Fuzzing with JBrofuzz Other

Fuzz testing or fuzzing is a software testing techniqueindex-of.co.uk/Reverse-Engineering/Fuzzing [poc].pdf · 1. Fuzzing이란 무엇인가? 최근 국내 해커들도 각종 어플리케이션에

OPTIMIZING WEB APPLICATION FUZZING WITH GENETIC … · Chapter 1 Introduction..... 1 1.1 Fuzz Testing for Vulnerability Discovery . . . . . . . . . . . . . . . . 3 ... With the advent

Babysitting an Army of Monkeys - Fuzzing · Babysitting an Army of Monkeys An analysis of fuzzing 4 products with 5 lines of Python ... How hard do various vendors fuzz and how many

Implementing an USB Host Driver Fuzzer · Fuzzing “Fuzzing or Fuzz Testing is a software negative testing technique. It uses the fault injection approach, which basically

Program-Adaptive Mutational Fuzzing - KAIST › ~sangkilc › papers › cha-oakland... · 2018-02-18 · a user does not specify a value. AFL-fuzz (American Fuzzy Lop) [58] also

Fuzzing Bluetooth - Frontline Test Equipment · Fuzzing Bluetooth Crash-testing bluetooth-enabled devices ... Fuzz testing is a security testing method that uses broken in-In a controlled

File Format Fuzzing in Android - DeepSec · Agenda 2 •File format fuzzing in Android •Fuzzing the Stagefright media framework •Fuzzing the Android application installer •Fuzzing

Fuzz testing or fuzzing is a software testing techniquecodeengn.com/archive/Reverse Engineering/Fuzzing/Fu… · · 2014-12-081. Fuzzing이란 무엇인가? 최근 국내 해커들도

Learning to Fuzz from Symbolic Execution with Application ...feature representation tailored to fuzzing of smart contracts, a practical symbolic execution expert for smart contracts,

Hybrid Fuzz Testing: Discovering Software Bugs via Fuzzing ...reports-archive.adm.cs.cmu.edu/anon/2012/CMU-CS-12-116.pdf · Abstract Random mutational fuzz testing (fuzzing) and symbolic

What’s all the fuzz about? - SANS All the Fuzz About...What’s all the fuzz about? Project Robus Aegis™ Platform Adam Crain, ... Unsolicited response fuzzing of a master listening

Fuzzing Virtual Devices in Hypervisors · 2020-04-29 · openstack oVirt Boxes Virtualization made simple google ass-fuzz Pull requests 26 Actions Projects 0 Security Code OSS-Fuzz

Instrumented Fuzz Testing Using AIR Integers … · Instrumented Fuzz Testing using AIR Integers ... JasPer and FFmpeg. With the help of fuzzing tools, ... FFmpeg is a popular tool

Random and Fuzz Testing Program Testing and ... - Software Lab · Object-oriented Software, Ciupa et al., ICSE 2008 Fuzz testing Based on Fuzzing with Code Fragments, Holler et al.,

TaintScope: A Checksum-Aware Directed Fuzzing Tool …faculty.cs.tamu.edu/guofei/paper/TaintScope_Oakland10_slides.pdfFuzzing/Fuzz Testing Feed target applications with malformed inputs

Fuzzing the Corporate World - CCC Event Blog · What is fuzzing? “Fuzz testing or fuzzing is a software testing technique. The basic idea is to attach the inputs of a program to

Fuzzing Android System Services by Binder Call to … · Fuzzing Android System Services by Binder Call to Escalate Privilege Guang Gong Security Reacher ... •Fuzz Android System

Google's continuous fuzzing service for open source software … · 2019-12-18 · OSS-Fuzz Google's continuous fuzzing service for open source software Kostya Serebryany