What is Fuzzing?
Testing mechanism that sends malformed data to a well behaving protocol implementation. Research technique that has shown great success in identifying vulnerability. Essential part of a Software development life cycle for secure products.
Value of Fuzzing
Applied to evaluate software for faults
Useful in identifying problems beyond static code analysis
Successful at identifying many flaws otherwise missed in code audit.
White-box or black-box applicability.
Fuzzing Requirements
Documentation: A source of information about the target being evaluated (RFC's)
Target: One or more targets to evaluate
Tools: Fuzzing tools or a programmatic harness to leverage for building tools
Monitoring: Methods to identify when a fault is reached on the target.
Time, Practice, Creativity.
Techniques - Static Test Cases
During information collection, analyst identifies individual tests.
Test case stored as a file that can be sent to the target, often binary file
Lots of up-front development time
Limited by creativity of analyst
Easy to reproduce tests across systems.
Techniques - Mutation
No protocol analysis, just a sample data set for mutation
Mutates one byte/short/long at a time through entire data set
History of success, but limited at testing parsing flaws in string, delimiters
Quick to get started, little ramp-up time
What to Test?
Using intelligent mutation or static fuzzing, analyst selects permutations Randomly inserting new data will have limited value in testing Better to identify targets to manipulate to indentify code vulnerabilities.
Signed and Unsigned Integers
Signed integer can represent positive and negative values. Unsigned integer - can only represent positive values MSB used to indicate +/- when signed Improper use to pass signed integer where function expects unsigned
Value | Signed | Unsigned |
1 | 1 | 1 |
-1 | -1 | 4294967295 |
What happens when memcpy expects unsigned len:memcpy(destptr,srcptr,-1);
Integer underflow
Introduces sign error where a value becomes negative following subtraction. Can be an array index value, manipulated outside of the index length
char array[16];signed short index;while(index != 0 && index < 16)writedata(array[index]);
Index
0:0 | 1:0 | 2:0 | 3:0 | 4:0 | 5:0 | 6:0 | 7:0 | 8:0 | 9:0 | 10:0 | 11:0 | 12:0 | 13:0 | 14:0 | 15:0 |
-4 -3 -2 -1 still fits into that loop & can be broken.
Command Injection
Nearly all programming languages include option to execute local OS commands.
Perl: foo
, system(), open()
Python: os.system()
PHP and Ruby: system()
Uses delimiter for specific languages to terminate one command and start another
| ``; && &