Yihan Lian & Zhibin Hu - Smarter Peach: Add Eyes to Peach Fuzzer [rooted2017]

rootedcon, 38 slides, May 09, 2017

About This Presentation

Peach is a smart and widely used fuzzer with many advantages: it is cross-platform, aware of file formats, easy to extend, and so on. But since the AFL fuzzer appeared, Peach has seemed out of date, because it has no coverage feedback and runs slowly. Because Peach is a flexible fuzzer fra...


Slide Content

Smarter Peach: Add Eyes to Peach Fuzzer
Yihan Lian & Zhibin Hu / Qihoo 360 Gear Team

About us
Yihan Lian: security researcher at the Gear team of Qihoo 360, focused on vulnerability discovery in open-source software; got more than a dozen CVEs last year (e.g. qemu, ntp, ffmpeg). Fan of Xavi.
Zhibin Hu: security researcher at the Gear team of Qihoo 360; over the last several years mainly focused on vulnerability discovery and analysis on Windows, and was ranked MSRC top 19 in 2014. In the last two years interested in cloud security.

Agenda
Motivation
Peach fuzzer framework
Strengths and weaknesses of Peach fuzzer
Add eyes to Peach fuzzer
Performance comparison and conclusion
Demo
Questions

Motivation
Stop re-inventing the wheel: Peach is mature, highly stable, very extensible, etc.
Coverage feedback makes a traditional fuzzer more efficient.
The mutation strategy of AFL is a little crude: it is not aware of the file format.

Comparison of mainstream fuzzers

                           FOE   Peach   AFL
Coverage feedback                         √
Source code agnostic       √     √
Aware of file format             √
Aware of protocol format         √

Peach fuzzer framework

Peach fuzzer framework
Figure: original Peach core framework. Labels: File Format, File Database, Original Case, Mutate, Switch Iteration, Test Case, output to target, Monitor, Log (Fault / Normal).

Strengths and weaknesses of Peach fuzzer
Strengths
  Aware of file format, so mutation strategies are more flexible
  Smarter when communicating with the target
  Cross platform
Weaknesses
  Fat and complex
  No coverage feedback

Aware of file format 1/5
Basic elements: Number, String, Blob, etc.
  "\xAB\xCD" is a hex Number
  "ABCD" is a String
  "AB\xCD" is a Blob
Describe relationships in the data: Relation, Fixup, Hint, etc.
  Relation: 32 is the number of bits of "\x41\x41\x41\x41"
  Fixup: 0x9B0D08F1 is the CRC-32 of "\x41\x41\x41\x41"
  Hint: assign a more refined mutation strategy

Aware of file format 2/5
If we need to fuzz a function like this:

  if (data_head is "PNG") {
      switch (data_tag) {
      case "IHDR":
          if (check_CRC) {
              Parse(data);
              core_code;
          } else
              return;
      case ...
      }
  }

Aware of file format 3/5
Example: PNG head
  Elem_0  = data[0-7]       type = Blob                  mutator = Blob mutators
  Elem_1  = data[8-0xB]     type = Number_hex            mutator = hex mutators   // Elem_1 is the length of Elem_3 ~ Elem_9
  Elem_2  = data[0xC-0xF]   type = String                mutator = ASCII or UNICODE ... mutators
  Elem_3  = data[0x10-0x13] type = Number_hex
  Elem_4  = data[0x14-0x17] type = Number_hex
  Elem_5  = data[0x18]      type = Number_hex
  ...
  Elem_10 = data[0x1D-0x21] type = Number_CRC_of_elem_2-9  fixup = calculate CRC  // Elem_10 is the CRC of Elem_2 ~ Elem_9

Aware of file format 4/5
DataModel in the Peach Pit:

  <DataModel name="PNGTest">
    <Blob name="head" length="8" mutable="false"/>
    <Number name="dataLength" size="32" valueType="hex" endian="big">
      <Relation type="size" of="chunk" expressionGet="size+4" expressionSet="size-4"/>
    </Number>
    <Block name="chunk">
      <String name="chunkHead" length="4">
        <Hint name="ValidValues" value="pHYs;fcTL;IDAT;"/>
      </String>
      <Number name="width" size="32" valueType="hex" endian="big"/>
      <Number name="height" size="32" valueType="hex" endian="big"/>
      <Number name="enum" size="8" minOccurs="1"/>
    </Block>
    <Number name="CRC" size="32" endian="big">
      <Fixup class="Crc">
        <Param name="ref" value="chunk"/>
      </Fixup>
    </Number>
  </DataModel>

Aware of file format 5/5
The mutated file still reaches the core code. The length of CRC of
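To make the point of the last five slides concrete, here is an added example (my code, not Peach's and not the authors'): a small Python rendering of the PNGTest DataModel above, with the size Relation (expressionGet="size+4" / expressionSet="size-4") and the Crc Fixup applied after every mutation, next to a target-side parser shaped like the slide's pseudo-function. The IHDR seed, the boundary values and the four-byte blind mutation are constructed for the example; the file layout (signature, big-endian length, chunk block of type + data, CRC over the chunk block) is the one the DataModel describes.

```python
import random
import struct
import zlib

# Added example, not Peach's code. Layout assumed from the PNGTest DataModel:
# 8-byte signature, 4-byte big-endian length, a "chunk" Block (4-byte type +
# data) whose size is length+4, then a 4-byte CRC over the whole chunk Block.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed IHDR seed: 1x1 pixel, 8-bit RGB
# (width, height, bit depth, colour type, compression, filter, interlace)
SEED_IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)


def crc32_fixup(chunk: bytes) -> int:
    """Fixup class="Crc" with ref="chunk": CRC-32 over type + data."""
    return zlib.crc32(chunk) & 0xFFFFFFFF


def build_png(chunk_type: bytes, data: bytes) -> bytes:
    """Serialise one chunk, applying the size Relation and the CRC Fixup."""
    chunk = chunk_type + data                 # the "chunk" Block
    length = len(chunk) - 4                   # Relation: expressionSet="size-4"
    return (PNG_SIG + struct.pack(">I", length) + chunk
            + struct.pack(">I", crc32_fixup(chunk)))


def parse_png(buf: bytes) -> str:
    """Target-side parser shaped like the slide's pseudo-function.
    Returns the gate reached: 'bad_head', 'short', 'bad_crc' or 'core'."""
    if buf[:8] != PNG_SIG:
        return "bad_head"
    (length,) = struct.unpack(">I", buf[8:12])
    chunk_len = length + 4                    # Relation: expressionGet="size+4"
    chunk = buf[12:12 + chunk_len]
    if len(chunk) != chunk_len or len(buf) < 16 + chunk_len:
        return "short"
    (crc,) = struct.unpack(">I", buf[12 + chunk_len:16 + chunk_len])
    if crc != crc32_fixup(chunk):
        return "bad_crc"
    return "core"                             # Parse(data); core_code reached


def mutate_blind(buf: bytes, rng: random.Random) -> bytes:
    """Format-unaware mutation: XOR four random bytes anywhere in the file."""
    out = bytearray(buf)
    for _ in range(4):
        out[rng.randrange(len(out))] ^= rng.randrange(1, 256)
    return bytes(out)


def mutate_model(chunk_type: bytes, data: bytes, rng: random.Random) -> bytes:
    """Format-aware mutation: overwrite one Number field (width or height)
    with a boundary value, then re-run Relation and Fixup so that length and
    CRC are consistent again and the core code is still reached."""
    mutated = bytearray(data)
    struct.pack_into(">I", mutated, rng.choice([0, 4]),
                     rng.choice([0, 1, 0x7FFFFFFF, 0xFFFFFFFF]))
    return build_png(chunk_type, bytes(mutated))


def compare(trials: int = 50, seed: int = 1) -> dict:
    """Count how often each strategy still gets past the CRC gate."""
    rng = random.Random(seed)
    base = build_png(b"IHDR", SEED_IHDR)
    blind = sum(parse_png(mutate_blind(base, rng)) == "core" for _ in range(trials))
    model = sum(parse_png(mutate_model(b"IHDR", SEED_IHDR, rng)) == "core"
                for _ in range(trials))
    return {"blind": blind, "model": model}


if __name__ == "__main__":
    print(compare())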

Smarter when communicating with target 1/3
Most fuzzers send mutated data to the target application but cannot receive useful data back from it, so they have a hard time fuzzing servers that need to talk to the client.

Smarter when communicating with target 2/3
Action: sends commands through a Publisher; reads data from and writes data to the target.
Publisher: the I/O interface; it can be a file or network traffic.

Smarter when communicating with target 3/3
Example:

  ...
  <Action type="input" publisher="Target">
    <DataModel name="InputModel" ref="model_1"/>
  </Action>
  <Action type="slurp" valueXpath="//InputModel//TransID" setXpath="//OutputModel//TransID"/>
  <Action type="output" publisher="Target">
    <DataModel name="OutputModel" ref="model_2"/>
    <Data fileName="data/request"/>
  </Action>
  ...
  <Publisher name="Target" class="Udp">
    <Param name="Host" value="192.168.11.11"/>
    <Param name="Port" value="6666"/>
  </Publisher>
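What the input / slurp / output sequence buys you is easiest to see against a target that rejects any request not carrying the transaction ID it handed out. The following added example (my code, not Peach's and not the authors') plays that sequence in Python: the wire format (TransID uint16, Cmd uint8, Payload) and the in-process stand-in for the UDP service at 192.168.11.11:6666 are constructed assumptions, not the slide's model_1 / model_2; the slurp() function does what the slurp Action's valueXpath/setXpath pair does.

```python
import random
import struct

# Added example, not Peach's code. Constructed wire format standing in for the
# slide's model_1/model_2 (an assumption): TransID uint16 BE, Cmd uint8, Payload.


def unpack_model(buf: bytes) -> dict:
    """Crack a received message into the fields of the input model."""
    trans_id, cmd = struct.unpack(">HB", buf[:3])
    return {"TransID": trans_id, "Cmd": cmd, "Payload": buf[3:]}


def pack_model(model: dict) -> bytes:
    """Serialise the output model before it goes to the publisher."""
    return struct.pack(">HB", model["TransID"] & 0xFFFF, model["Cmd"] & 0xFF) + model["Payload"]


class FakeUdpTarget:
    """In-process stand-in for the Udp publisher's peer. It hands out a fresh
    TransID in its greeting and only accepts requests that echo it back."""
    CMD_HELLO, CMD_OK, CMD_REJECT = 0x01, 0x02, 0xFF

    def __init__(self):
        self.current_id = 0x1000
        self.accepted = []

    def greeting(self) -> bytes:               # what the "input" Action reads
        self.current_id += 1
        return pack_model({"TransID": self.current_id, "Cmd": self.CMD_HELLO, "Payload": b"HELLO"})

    def handle(self, buf: bytes) -> bytes:     # what the "output" Action sends
        req = unpack_model(buf)
        if req["TransID"] != self.current_id:  # stale/zero id: never reaches the real handler
            return pack_model({"TransID": 0, "Cmd": self.CMD_REJECT, "Payload": b""})
        self.accepted.append(req)
        return pack_model({"TransID": self.current_id, "Cmd": self.CMD_OK, "Payload": b"OK"})


def slurp(src: dict, src_field: str, dst: dict, dst_field: str) -> None:
    """The slurp Action: copy a value cracked from the input model
    (valueXpath) into the output model (setXpath) before it is sent."""
    dst[dst_field] = src[src_field]


def fuzz_iteration(target: FakeUdpTarget, rng: random.Random, use_slurp: bool) -> int:
    """One state-model run: input (greeting) -> slurp TransID -> output (mutated request)."""
    input_model = unpack_model(target.greeting())                         # Action type="input"
    output_model = {"TransID": 0, "Cmd": 0x10, "Payload": b"GET /index"}  # seed from data/request
    output_model["Payload"] = rng.choice([b"GET /index", b"A" * 300, b"%n%n%n%n", b""])  # mutated field
    if use_slurp:
        slurp(input_model, "TransID", output_model, "TransID")
    reply = unpack_model(target.handle(pack_model(output_model)))         # Action type="output"
    return reply["Cmd"]


def run(iterations: int, use_slurp: bool) -> tuple:
    """Returns (OK replies seen, requests that reached the target's real handler)."""
    target = FakeUdpTarget()
    rng = random.Random(7)
    replies = [fuzz_iteration(target, rng, use_slurp) for _ in range(iterations)]
    return replies.count(FakeUdpTarget.CMD_OK), len(target.accepted)


if __name__ == "__main__":
    print("with slurp:", run(5, True), "without slurp:", run(5, False))
```

Without the slurp step every mutated request carries the seed file's TransID and is rejected before the server's parsing code runs, so the mutations never exercise anything worth covering; that is the "hard to fuzz servers which need to communicate with the client" case from the previous slide.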

Cross platform
Peach supports all major operating systems.
Windows: install the Microsoft .NET v4 runtime; install Debugging Tools for Windows; unzip the Peach binary distribution to a working folder.
OS X: install the latest Mono packages; install Crash Wrangler; unzip the Peach binary distribution to a working folder.
Linux: install the latest Mono packages (Ubuntu/Debian: the mono-complete package; SUSE: see the download instructions); unzip the Peach binary distribution to a working folder.
Remote fuzzing

Weaknesses
Fat and complex: needs to parse the seed file once in every fuzz iteration; needs to store too many data models and actions.
No coverage feedback: Peach is a black-box fuzzer; it cannot distinguish which mutated file is more valuable.

Add eyes to Peach fuzzer


Problems
How to detect code coverage
How to return coverage info better
How to store valuable files
How to reproduce valuable files
How to select a valuable file for the next fuzz cycle

How to detect code coverage 1/3
Use an LLVM pass to insert code into every basic block.
Figure: source code next to its IDA output.

How to detect code coverage 2/3
Figure: IDA view after inserting the code. A call to llvm_pcov_block_call is inserted into each basic block of the target program.

How to detect code coverage 3/3
llvm_pcov_block_call: this function marks whether the current basic block has been run before, and reports to Peach the number of new basic blocks reached in this fuzz iteration.

How to return coverage info better
We need to insert code into a lot of basic blocks. For efficiency, the information is passed between llvm_pcov_block_call and Peach through shared memory.
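The two halves of that mechanism, the per-block call inside the target and the per-iteration read-out in Peach, fit in a few lines once the shared region's layout is fixed. The following is an added example (my code, not the authors' LLVM pass or their Peach patch): the layout (a 4-byte counter of new blocks this iteration followed by one byte per basic-block slot), the anonymous mmap standing in for a real shared-memory segment, and the block-id traces are all constructed assumptions; what it demonstrates is the bookkeeping the slides describe, including that the seen-slots persist across iterations while the counter is reset.

```python
import mmap
import struct

# Added example, not the authors' code. Region layout is an assumption:
# a 4-byte little-endian "new blocks this iteration" counter, then one
# byte per basic-block slot (id modulo MAP_SIZE).
MAP_SIZE = 1 << 16
HDR = 4


def open_shm() -> mmap.mmap:
    """Anonymous MAP_SHARED mapping standing in for the shared-memory segment
    both processes attach to (a forked target would inherit this one)."""
    return mmap.mmap(-1, HDR + MAP_SIZE)


def pcov_block_call(shm: mmap.mmap, block_id: int) -> bool:
    """Target side, once per basic block executed: mark the block's slot; the
    first time ever a slot is hit, bump the per-iteration new-block counter."""
    slot = HDR + (block_id % MAP_SIZE)
    if shm[slot] != 0:
        return False                      # block already seen in some earlier run
    shm[slot] = 1
    (count,) = struct.unpack_from("<I", shm, 0)
    struct.pack_into("<I", shm, 0, count + 1)
    return True


def peach_collect(shm: mmap.mmap) -> int:
    """Peach side, after each iteration: read how many never-seen blocks this
    test case reached and reset the counter (the seen-slots stay set)."""
    (count,) = struct.unpack_from("<I", shm, 0)
    struct.pack_into("<I", shm, 0, 0)
    return count


def run_target(shm: mmap.mmap, trace: list) -> None:
    """Simulated instrumented target: `trace` is the sequence of block ids it executes."""
    for block_id in trace:
        pcov_block_call(shm, block_id)


def demo() -> tuple:
    """Three iterations: the seed, a mutation that finds nothing, one that finds two blocks."""
    shm = open_shm()
    run_target(shm, [1, 2, 3, 2, 5])     # seed file: 4 distinct blocks, all new
    first = peach_collect(shm)
    run_target(shm, [1, 2, 3, 5])        # mutation that reaches nothing new
    second = peach_collect(shm)
    run_target(shm, [1, 2, 7, 8])        # mutation that reaches two new blocks
    third = peach_collect(shm)
    shm.close()
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

The counter is the only thing Peach needs to read per iteration, which is why a shared mapping beats any per-block message: the instrumented target does one byte test and, rarely, one increment, and the fuzzer does one read and one reset.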

How to store valuable files 1/3
We cannot store valuable files directly, since in most cases a valuable file no longer matches the file format, and cracking it raises a Peach exception. For example:
  [*] Test 'Default' finished.
  Error, failed to crack "**data\png\test.png" into "PNGTest": Block 'PNGTest.chunk' has length of 1744830496 bits but buffer only has 168 bits left.

How to store valuable files 2/3
I chose to store the fuzz status instead.

How to store valuable files 3/3
What is the fuzz status?
  Name of seed file: the file that was mutated.
  Random status: the numbers used to generate the random number.
  Action name: the action used to generate this I-File.
  Mutator name: the mutation strategy used.
  Etc.

How to reproduce valuable files 1/2
On every switch iteration, Peach stores a lot of information about each seed file in an Original-Data-Model object. All mutated data is derived from this object.

How to reproduce valuable files 2/2
What we have to do is modify the Original-Data-Model before the iteration begins.
Figure: File Format -> File Database -> File choice and parse.

How to select a valuable file for the next fuzz cycle 1/2
There will be many valuable files after fuzzing for a period of time. Valuable file info:
  fileNameIs0::***bin/data/mov/test_1.mov 33 lastMutatorList lastMutatorRun_1.Initial.Action....
  fileNameIs1::***/bin/data/mov/test_1.mov 32 lastMutatorList lastMutatorRun_1.Initial.Action.... lastMutatorList lastMutatorRun_1.Initial.Action....
  fileNameIs2::***bin/data/mov/test_2.mov ...

How to select a valuable file for the next fuzz cycle 2/2
If a valuable file gets more New_Block_Counts, it gets more weight. If the files mutated from it in turn find New_Block_Counts, its weight increases as well; otherwise its weight decreases. This strategy increases or decreases the weight linearly.

Performance comparison

Performance comparison and conclusion
After fuzzing FFmpeg by mutating a MOV file for 24 hours with the original Peach, Peach-cov and AFL, the difference in the amount of MOV-related source code triggered is very clear. AFL also triggers code that is not relevant to MOV files, so we only count the relevant part.

Performance comparison and conclusion
Advantages:
  More efficient than the original Peach fuzzer.
  More efficient than AFL when comparing the depth of triggered source code.
Future work:
  Choose valuable files with a Markov chain, as AFLFast does.
  Add weights to mutators.
  Improve performance with a fork server like AFL's.
  Learn the format automatically with machine learning, e.g. https://arxiv.org/pdf/1701.07232.pdf

DEMO

Questions

Thank you
Yihan Lian & Zhibin Hu / Gear Team, Qihoo 360 Inc
[email protected] [email protected]