Skip to content

Latest commit

 

History

History
executable file
·
364 lines (341 loc) · 41.6 KB

Fuzzing.md

File metadata and controls

executable file
·
364 lines (341 loc) · 41.6 KB
Raw

Fuzzing (and bug hunting)

Table of Contents

General

Fuzzing Stuff & Hunting Bugs

  • Dynamic Fuzzing
    • Frameworks
      • Triton
        • Triton is a dynamic binary analysis (DBA) framework. It provides internal components like a Dynamic Symbolic Execution (DSE) engine, a Taint engine, AST representations of the x86 and the x86-64 instructions set semantics, SMT simplification passes, an SMT Solver Interface and, the last but not least, Python bindings.
      • XDiFF
        • XDiFF is an Extended Differential Fuzzing Framework built for finding vulnerabilities in software. It collects as much data as possible from different executions an then tries to infer different potential vulnerabilities based on the different outputs obtained. The fuzzer uses Python and runs on multiple OSs (Linux, Windows, OS X, and Freebsd). Its main goal is to detect issues based on diffential fuzzing aided with the extended capabilities to increase coverage. Still, it will found common vulnerabilities based on hangs and crashes, allowing to attach a memory debugger to the fuzzing sessions.
    • Differential Fuzzers
      • 101
        • Differential testing - Wikipedia
          • Differential testing, also known as differential fuzzing, is a popular software testing technique that attempts to detect bugs, by providing the same input to a series of similar applications (or to different implementations of the same application), and observing differences in their execution. Differential testing complements traditional software testing, because it is well-suited to find semantic or logic bugs that do not exhibit explicit erroneous behaviors like crashes or assertion failures. Differential testing is sometimes called back-to-back testing.
      • Articles/Blogposts/Writeups
      • Talks and Presentations
        • Exposing Hidden ExploitableBehaviors in ProgrammingLanguagesUsingDifferential Fuzzing - Fernando Arnaboldi
        • Differential Slicing: Identifying Causal Execution Differences for Security Applications
          • Abstract —A security analyst often needs to understand two runs of the same program that exhibit a difference in program state or output. This is important, for example, for vulnerability analysis, as well as for analyzing a malware program that features different behaviors when run in different environments. In this paper we propose a differential slicing approach that automates the analysis of such execution differences. Differential slicing outputs a causal difference graph that captures the input differences that triggered the observe d difference and the causal path of differences that led from thos e input differences to the observed difference. The analyst uses the graph to quickly understand the observed difference. We implement differential slicing and evaluate it on the analysis of 11 real-world vulnerabilities and 2 malware samples with environment-dependent behaviors. We also evaluate it in an informal user study with two vulnerability analysts. Our results show that differential slicing successfully identifies the input differences that caused the observed difference and that the causal difference graph significantly reduces the amount of time and effort required for an analyst to understand the observed difference
      • Tools
        • XDiFF
          • XDiFF is an Extended Differential Fuzzing Framework built for finding vulnerabilities in software. It collects as much data as possible from different executions an then tries to infer different potential vulnerabilities based on the different outputs obtained.
    • SAT/SMT Solvers
    • Taint Analysis
      • 101
      • Articles/Blogposts/Writeups
      • Talks and Presentations
        • Applying Taint Analysis and Theorem Proving to Exploit Development - Sean Heelan - RECON2010
        • All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)
          • Abstract — Dynamic taint analysis and forward symbolic execution are quickly becoming staple techniques in security analyses. Example applications of dynamic taint analysis and forward symbolic execution include malware analysis, input filter generation, test case generation, and vulnerability dis- covery. Despite the widespread usage of these two techniques, there has been little effort to formally define the algorithms and summarize the critical issues that arise when these techniques are used in typical security contexts. The contributions of this paper are two-fold. First, we precisely describe the algorithms for dynamic taint analysis and forward symbolic execution as extensions to the run-time se- mantics of a general language. Second, we highlight important implementation choices, common pitfalls, and considerations when using these techniques in a security context.
      • Papers
        • A Critical Review of Dynamic Taint Analysis and Forward Symbolic Execution
          • In this note , we describe a critical review of the paper titled “All you wanted to know about dynamics taint analysis and forward symbolic execution (but may have been afraid to ask)” [1] . We analyze the paper using Paul Elder critical thinking framework [2] . We sta rt with a summary of the paper and motivation behind the research work described in [1]. Then we evaluate the study with respect to the universal intellectual standards of [2]. We find that the paper provides a good survey of the existing techniques and algorithms used for security analysis. It explains them using the theoretical framework of operational runtime semantics. However in some places t he paper can do a better job in highlighting what new insights or heuristics can be gained from a runtime seman tics formulation. The paper fails to convince the reader how such an intricate understanding of operational semantics of a new generic language SimpIL helps in advancing the state of the art in dynamic taint analysis and forward symbolic execution. We also found that the Paul Elder critical thinking framework is a useful technique to reason about and analyze research papers.
        • TAJ: Effective Taint Analysis of Web Applications - Java Webapps
          • Taint analysis, a form of information-flow analysis, establishes whether values from untrusted methods and parameters may flow into security-sensitive operations. Taint analysis can detect many common vulnerabilities in Web applications, and so has attracted much attention from both the research community and industry. However, most static taint-analysis tools do not address criti- cal requirements for an industrial-strength tool. Specifically, an industrial-strength tool must scale to large industrial Web applica- tions, model essential Web-application code artifacts, and generate consumable reports for a wide range of attack vectors. We have designed and implemented a static Taint Analysis for Java (TAJ) that meets the requirements of industry-level applica- tions. TAJ can analyze applications of virtually any size, as it em- ploys a set of techniques designed to produce useful answers given limited time and space. TAJ addresses a wide variety of attack vec- tors, with techniques to handle reflective calls, flow through con- tainers, nested taint, and issues in generating useful reports. This paper provides a description of the algorithms comprising TAJ, evaluates TAJ against production-level benchmarks, and compares it with alternative solutions.
    • Tools
      • usercorn
        • dynamic binary analysis via platform emulation
    • Writeups
  • Static Fuzzing
    • 101
    • Articles/Blogposts/Writeups
    • Frameworks
      • Paper Machete
        • Paper Machete (PM) orchestrates Binary Ninja and GRAKN.AI to perform static analysis on binary targets with the goal of finding exploitable vulnerabilities. PM leverages the Binary Ninja MLIL SSA to extract semantic meaning about individual instructions, operations, register/variable state, and overall control flow. This data is then migrated into GRAKN.AI, a hyper-relational database. We then run queries against the database that are designed to look for indications of common software vulnerability classes.
    • Tools
    • Talks/Writeups
      • Aiding Static Analysis: Discovering Vulnerabilities in Binary Targets through Knowledge Graph Inferences - John Toterhi - Derbycon7
        • Static analysis is the foundation of vulnerability research (VR). Even with today's advanced genetic fuzzers, concolic analysis frameworks, emulation engines, and binary instrumentation tools, static analysis ultimately makes or breaks a successful VR program. In this talk, we will explore a method of enhancing our static analysis process using the GRAKN.AI implementation of Google's knowledge graph and explore the semantics from Binary Ninja's Medium Level static single assignment (SSA) intermediate language (IL) to perform inference queries on binary-only targets to identify vulnerabilities.
  • Android Bug Hunting/Fuzzing
    • Articles/Writeups
    • Tools
      • MFFA - Media Fuzzing Framework for Android
      • android-afl
        • Fuzzing Android program with american fuzzy lop (AFL)
      • Droid Application Fuzz Framework
        • Droid Application Fuzz Framework (DAFF) helps you to fuzz Android Browsers and PDF Readers for memory corruption bugs in real android devices. You can use the inbuilt fuzzers or import fuzz files from your own custom fuzzers. DAFF consist of inbuilt fuzzers and crash monitor. It currently supports fuzzing the following applications:
      • MFFA - Media Fuzzing Framework for Android (Stagefright fuzzer)
        • The main idea behind this project is to create corrupt but structurally valid media files, direct them to the appropriate software components in Android to be decoded and/or played and monitor the system for potential issues (i.e system crashes) that may lead to exploitable vulnerabilities. Custom developed Python scripts are used to send the malformed data across a distributed infrastructure of Android devices, log the findings and monitor for possible issues, in an automated manner. The actual decoding of the media files on the Android devices is done using the Stagefright command line interface. The results are sorted out, in an attempt to find only the unique issues, using a custom built triage mechanism.
  • Browser Bug Hunting/Fuzzing
    • Browser Bug Hunting and Mobile
    • Grinder - Fuzzer
      • Grinder is a system to automate the fuzzing of web browsers and the management of a large number of crashes. Grinder Nodes provide an automated way to fuzz a browser, and generate useful crash information (such as call stacks with symbol information as well as logging information which can be used to generate reproducible test cases at a later stage). A Grinder Server provides a central location to collate crashes and, through a web interface, allows multiple users to login and manage all the crashes being generated by all of the Grinder Nodes.
    • browserfuzz
      • A very simple browser fuzzer based on tornado.
    • Browser bug hunting - Memoirs of a last man standing, Atte Kettunen
    • morph
      • an open source browser fuzzing framework for fun.
  • C/C++ Fuzzing
    • ansvif - An advanced cross platform fuzzing framework designed to find vulnerabilities in C/C++ code.
    • libFuzzer - In-process, coverage-guided, evolutionary fuzzing engine for targets written in C/C++.
  • Cellular Related Technologies Bug Hunting/Fuzzing
  • Cisco
    • asadbg
      • asadbg is a framework of tools to aid in automating live debugging of Cisco ASA devices, as well as automating interaction with the Cisco CLI over serial/ssh to quickly perform repetitive tasks.
    • asatools - NCCGroup
      • Main repository to pull all Cisco ASA-related projects.
    • asafw
      • Set of scripts to deal with Cisco ASA firmware [pack/unpack etc.]
  • COM Fuzzing
    • COMRaider
      • ActiveX Fuzzing tool with GUI, object browser, system scanner, and distributed auditing capabilities
      • Github
  • Embedded Devices Fuzzing/Bug Hunting
  • File Formats Bug Hunting/Fuzzing
  • Network Protocols Bug Hunting/Fuzzing
  • Fuzzing Linux
    • Kernel
    • Syscalls
      • syzkaller - linux syscall fuzzer
        • An unsupervised, coverage-guided Linux syscall fuzzer. It is meant to be used with KASAN (CONFIG_KASAN=y), KTSAN (CONFIG_KTSAN=y), or KUBSAN.
  • Libraries
  • Medical Devices
    • Open Up and Say 0x41414141: Attacking Medical Devices - Robert PortvlIet - Toorcon19
      • Network accessible medical devices are ubiquitous in today’s clinical environment. These devices can be of great aid to healthcare profes- sionals in assessing, treating and monitoring a patient’s condition. However, they can also fall victim to a number of systemic vulnerabili- ties that can expose personal health information or PHI, compromise the integrity of patient data in transit, and affect the availability of the devices themselves. This talk looks at the methodology and approach to penetration testing of modern medical devices. It will provide an overview of the various stages of a medical device assessment, including discovery and analysis of a device’s remote and local attack surface, reverse engineering and exploitation of proprietary network protocols, vulner- ability discovery in network services, compromising supporting sys- tems, attacking common wireless protocols, exploitation of hardware debug interfaces and bus protocols and assessing proprietary wireless technologies. It will also cover a number of real world vulnerabilities that the speaker has discovered during medical device penetration testing assessments. These include weak cryptographic implementations, device impersonation and data manipulation vulnerabilities in pro- prietary protocols, unauthenticated database interfaces, hardcoded credentials/keys and other sensitive information stored in firmware/ binaries and the susceptibility of medical devices to remote denial of service attacks. The talk will conclude with some suggestions on how some of the most common classes of medical device vulnerabilities might be reme- diated by vendors and also how hospitals and other healthcare provid- ers can defend their medical devices in the meantime.
  • OS X Bug Hunting/Fuzzing
  • PDF
  • RTP
    • ohrwurm
      • ohrwurm is a small and simple RTP fuzzer, I tested it on a small number of SIP phones, none of them did withstand.
  • Source Code Fuzzing/Bug Hunting
  • USB Bug Hunting/Fuzzing
  • Virtual Appliance Bug Hunting/Fuzzing
    • Hacking Virtual Appliances - DerbyconV
      • Virtual Appliances have become very prevalent these days as virtualization is ubiquitous and hypervisors commonplace. More and more of the major vendors are providing literally virtual clones for many of their once physical-only products. Like IoT and the CAN bus, it's early in the game and vendors are late as usual. One thing that it catching these vendors off guard is the huge additional attack surface, ripe with vulnerabilities, added in the process. Also, many vendors see software appliances as an opportunity for the customer to easily evaluate the product before buying the physical one, making these editions more accessible and debuggable by utilizing features of the platform on which it runs. During this talk, I will provide real case studies for various vulnerabilities created by mistakes that many of the major players made when shipping their appliances. You'll learn how to find these bugs yourself and how the vendors went about fixing them, if at all. By the end of this talk, you should have a firm grasp of how one goes about getting remotes on these appliances.
  • Web Application Bug Hunting/Fuzzing
  • Windows Fuzzing/Bug Hunting
    • F
    • Tools
      • WinAFL - A fork of AFL for fuzzing Windows binaries
      • !exploitable Crash Analyzer
      • DiffRay
        • Tool for diffing Win7 & Win8 Libraries based on textfile outputs from IDA Pro.
      • sandbox-attacksurface-analysis-tools
        • This is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated.
      • CERT’s Failure Observation Engine (FOE)
        • The CERT Failure Observation Engine (FOE) is a software testing tool that finds defects in applications that run on the Windows platform. FOE performs mutational fuzzing on software that consumes file input. (Mutational fuzzing is the act of taking well-formed input data and corrupting it in various ways looking for cases that cause crashes.) The FOE automatically collects test cases that cause software to crash in unique ways, as well as debugging information associated with the crashes. The goal of FOE is to minimize the effort required for software vendors and security researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.
        • Walkthrough of setting up CERT’s FOE fuzzer and fuzzing irfanview
    • Articles/Writeups
    • Patch Analysis
      • Microsoft Patch Analysis for Exploitation - Stephen Sims
        • Since the early 2000's Microsoft has distributed patches on the second Tuesday of each month. Bad guys, good guys, and many in-between compare the newly released patches to the unpatched version of the files to identify the security fixes. Many organizations take weeks to patch and the faster someone can reverse engineer the patches and get a working exploit written, the more valuable it is as an attack vector. Analysis also allows a researcher to identify common ways that Microsoft fixes bugs which can be used to find 0-days. Microsoft has recently moved to mandatory cumulative patches which introduces complexity in extracting patches for analysis. Join me in this presentation while I demonstrate the analysis of various patches and exploits, as well as the best-known method for modern patch extraction.

Non-Specific Tools(Don't explicitly fit into above sections)

Sorting

  • dbusmap

    • This is a simple utility for enumerating D-Bus endpoints, an nmap for D-Bus.

  • Firmware Slap

    • Firmware slap combines concolic analysis with function clustering for vulnerability discovery and function similarity in firmware. Firmware slap is built as a series of libraries and exports most information as either pickles or JSON for integration with other tools.

https://github.com/secfigo/Awesome-Fuzzing

https://www.usenix.org/conference/woot12/workshop-program/presentation/vanegue https://labs.mwrinfosecurity.com/publications/corrupting-memory-in-microsoft-office-protected-view-sandbox/?t=1&cn=ZmxleGlibGVfcmVjcw%3D%3D&refsrc=email&iid=565088e5a455476c97c557e8bbcec069&fl=4&uid=150127534&nid=244+285282312 https://github.com/nccgroup/fuzzowski https://mattwarren.org/2018/08/28/Fuzzing-the-.NET-JIT-Compiler/ https://github.com/jakobbotsch/Fuzzlyn

Fuzzing https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md

https://github.com/MotherFuzzers/meetups/blob/master/README.md

https://github.com/googleprojectzero/BrokenType * https://bloggeek.me/webrtc-fuzz-testing/ * https://webrtchacks.com/lets-get-better-at-fuzzing-in-2019-heres-how/ * https://github.com/googleprojectzero/Street-Party * https://googleprojectzero.blogspot.com/2018/12/adventures-in-video-conferencing-part-5.html

Binary Instrumentation * http://deniable.org/reversing/binary-instrumentation * https://thefengs.com/wuchang/courses/cs492/afl/#0

http://joxeankoret.com/blog/2015/03/13/diaphora-a-program-diffing-plugin-for-ida-pro/ http://joxeankoret.com/blog/2018/08/12/histories-of-comparing-binaries-with-source-codes/ http://joxeankoret.com/blog/2018/11/04/new-cfg-based-heuristic-diaphora/