Fuzzing

What is Fuzzing?

A testing mechanism that sends malformed data to a well-behaving protocol implementation. A research technique that has shown great success in identifying vulnerabilities. An essential part of a software development life cycle for secure products.

Value of Fuzzing

  • Applied to evaluate software for faults

  • Useful in identifying problems beyond static code analysis

  • Successful at identifying many flaws otherwise missed in code audit.

  • White-box or black-box applicability.

Fuzzing Requirements

  • Documentation: A source of information about the target being evaluated (RFCs)

  • Target: One or more targets to evaluate

  • Tools: Fuzzing tools or a programmatic harness to leverage for building tools

  • Monitoring: Methods to identify when a fault is reached on the target.

  • Time, Practice, Creativity.

Techniques - Static Test Cases

  • During information collection, analyst identifies individual tests.

  • Test case stored as a file that can be sent to the target, often binary file

  • Lots of up-front development time

  • Limited by creativity of analyst

  • Easy to reproduce tests across systems.

Techniques - Mutation

  • No protocol analysis, just a sample data set for mutation

  • Mutates one byte/short/long at a time through entire data set

  • History of success, but limited at testing parsing flaws in strings and delimiters

  • Quick to get started, little ramp-up time

What to Test?

Using intelligent mutation or static fuzzing, the analyst selects the permutations to send. Randomly inserting new data has limited value in testing; it is better to identify specific targets in the data to manipulate in order to identify code vulnerabilities.

Signed and Unsigned Integers

A signed integer can represent positive and negative values. An unsigned integer can only represent positive values. The MSB is used to indicate +/- when the value is signed. The flaw: a signed integer is passed where a function expects an unsigned one.

  Value    Signed    Unsigned
  1        1         1
  -1       -1        4294967295

What happens when memcpy expects an unsigned len and is passed -1? The length is interpreted as 4294967295:

  memcpy(destptr, srcptr, -1);

Integer underflow

Introduces a sign error where a value becomes negative following a subtraction. The value can be an array index, which is then manipulated outside of the valid index range.

  char array[16];
  signed short index;                  /* signed: may hold a negative value */
  while (index != 0 && index < 16)     /* no lower bound: a negative index passes the check */
      writedata(array[index]);         /* reads before the start of array */

Index : value for each slot of array[16]:

  0:0  1:0  2:0  3:0  4:0  5:0  6:0  7:0  8:0  9:0  10:0  11:0  12:0  13:0  14:0  15:0

Indexes -4, -3, -2 and -1 are non-zero and less than 16, so they still satisfy the loop condition; the bounds check can be broken to access memory before the array.
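Both sign errors above (the -1 length passed to memcpy and the negative index that passes the loop check), as an added C example that is not part of the slides; the function names are assumptions, and the hardened check is one possible fix:

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the slides. Function names are assumptions. */

/* The -1 row of the Signed/Unsigned table: a negative length passed where a
 * function such as memcpy expects an unsigned size becomes a huge value. */
uint32_t to_unsigned32(int32_t value)
{
    return (uint32_t)value;   /* -1 -> 4294967295 */
}

/* The loop condition from the slide: a signed index only has to be non-zero
 * and below 16, so negative indexes pass and would read before array[0]. */
int vulnerable_index_ok(signed short index)
{
    return index != 0 && index < 16;
}

/* Hardened check: bound the index on both sides before using it. Using an
 * unsigned index type has the same effect, since a negative value wraps to
 * a large number that fails the upper bound. */
int hardened_index_ok(signed short index)
{
    return index > 0 && index < 16;
}

int main(void)
{
    /* Constructed probe values: in range, at the boundary, zero, negative. */
    signed short probes[] = { 15, 16, 0, -1, -4 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("index %3d: vulnerable_check=%d hardened_check=%d\n",
               probes[i], vulnerable_index_ok(probes[i]),
               hardened_index_ok(probes[i]));
    }
    printf("(int32_t)-1 as uint32_t: %" PRIu32 "\n", to_unsigned32(-1));
    return 0;
}
```

A fuzzer that mutates a length or index field to small negative values is exercising exactly this boundary; the hardened check is what makes those cases fail closed.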

Command Injection

Nearly all programming languages include an option to execute local OS commands.

  • Perl: `foo` (backtick operator), system(), open()

  • Python: os.system()

  • PHP and Ruby: system()

  • The shell uses delimiters to terminate one command and start another; when user-controlled input reaches one of these functions, these characters are the ones to mutate and to filter:

  • |  `  ;  &&  &