{"id":10537,"date":"2014-05-29T13:16:43","date_gmt":"2014-05-29T11:16:43","guid":{"rendered":"https:\/\/www.corelan.be\/?p=10537"},"modified":"2014-05-29T13:16:43","modified_gmt":"2014-05-29T11:16:43","slug":"hitb2014ams-day-1-harder-better-faster-fuzzer-advances-in-blackbox-evolutionary-fuzzing","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2014\/05\/29\/hitb2014ams-day-1-harder-better-faster-fuzzer-advances-in-blackbox-evolutionary-fuzzing\/","title":{"rendered":"HITB2014AMS - Day 1 - Harder, Better, Faster Fuzzer: Advances in BlackBox Evolutionary Fuzzing"},"content":{"rendered":"

Vulnerability Hunting<\/h4>\n

Active security testing, Fabien explains, is the process of generating input which travel in the application, hit a sink and violate a property. \u00a0It applies to all kinds of vulnerabilities, not just limited to buffer overflows or memory corruption bugs. \u00a0 Blackbox and whitebox\/greybox testing (both static and dynamic) are ways to perform security testing.<\/p>\n

\"DSC<\/p>\n

Fuzzing is an active testing technique which automates the creation and evaluation of numerous malicious inputs. \u00a0It's based on \"knowledge\" (random, grammar, model) and was mostly used to find memory corruption bugs in the past. \u00a0A genetic algorithm is used to guide the fuzzing.<\/p>\n

\"DSC<\/p>\n

Evolutionary PDF Fuzzing<\/h4>\n

Fabien introduced the people who joined his efforts to look at PDF blackbox fuzzing and then explains that the inital approach he took is to take an initial PDF file (download from the internet), and take an ordered list of seed, anomaly operators and parameters to create mutated versions of the original PDF file. Fabien explained that you can improve the crash triage classification by using Dr Memory or AddressSanitizer. \u00a0 To determine how close the \"individual\" is to find a vuln, he used a classification scale based on Depth of the production tree, used grammar production rules, distinct anomaly operators, interpreter warnings, the fact that the file was rejected by the app, duration to load and singularity. \u00a0<\/p>\n

The fuzzing operators applied are based on anti-random testing, where the source file, seed, 1st anomaly operator and it's parameter, etc \u00a0are used as dimensions. \u00a0The idea is to create an individual (file) that are as much different as possible as the other\/previous files. \u00a0Additionally, they used a combination of mutation and crossover fuzzing operators. \u00a0<\/p>\n

This approach is implemented in \"ShiftMonkey\" (Ruby + Python) and uses te Origami (Ruby) framework to create PDF files. \u00a0The anomaly generator used is \"Radamsa\" (which has 26 operators). \u00a0 Comparing the results with other tools, the approach to focus on singularity (= dimension of fitness) achieved a higher level of distinct vulnerabilities using ShiftMonkey.<\/p>\n

Another experiment that was performed is based on Basic Blocks Coverage. \u00a0 They instrumented the tested executable to see which basic blocks were used and used that as input to improve ShiftMonkey so it would produce cases that cover more basic blocks.<\/p>\n

Some of the remaining questions are :<\/p>\n

    \n
  1. can we improve our ability to find \"complex\" vulnerabilities (where the metric is based on the depth of the stack trace and weighted by the rarity of the targeted basic blocks).<\/li>\n
  2. can we find a combination of anomaly operators, of greater efficiency, when fuzzing a given format. \u00a0If you apply too many anomaly operators, you often violate too many constraints, which means the files would be rejected by the application.<\/li>\n<\/ol>\n

    Fabien continues by listing some related work on evolutionary fuzzing by Jared De Mott, Budynek (et al), B. Nagy, Noreen et al.<\/p>\n

    \"DSC<\/p>\n

    Evolutionary XSS Fuzzing<\/h4>\n

    The idea is to find Type-1 (Reflected) and Type-2 (Stored) XSS vulnerabilities in websites, in a blackbox approach. \u00a0BlackBox web scanners use fuzzing to find XSS vulnerabilities, but there are some problems:\u00a0<\/p>\n