Advanced Fuzzing with Peach 2

Tags:

Preview:

Click to see full reader

DESCRIPTION

Advanced Fuzzing with Peach 2. Michael Eddington mike@leviathansecurity.com. Agenda. Introduction to Peach 2 Data mutations Peach State Machine Peach Farm Peach in The Middle. Introduction to Peach 2. Peach 1. Framework for writing fuzzers Instrumentation via wrapper APIs - PowerPoint PPT Presentation

Citation preview

MICHAEL EDDINGTONMIKE@LEVIATHANSECURITY.COM

Advanced Fuzzing with Peach 2

Agenda

Introduction to Peach 2

Data mutations

Peach State Machine

Peach Farm

Peach in The Middle

Introduction to Peach 2

Peach 1

Framework for writing fuzzers

Instrumentation via wrapper APIs

No data definition layer (DDL), just fuzzer

Steep learning curve

Complex fuzzers result in complex fuzzer code

Peach 2

Reduce creation time and simplify fuzzer generation

Fuzzer platform, not framework

Modeling based approach

Fault detection

Lower learning curve

Modeling Based Fuzzing

Model types and data

Model state machine

Support models with data sets

Mutate models with mutators

Model Data: Types

INTINT INTINT INTINT FlagsFlags

INTLenINTLen STRINGSTRING

DATADATA

INTLenINTLen

INTINT INTINT INTINT

DATADATA

Model Data: Relationships

INTINT INTINT INTINT FlagsFlags

INTLenINTLen STRINGSTRING

DATADATA

INTLenINTLen

INTINT INTINT INTINT

DATADATA

Model Data: State Model

Packet A

Packet A

Packet B-1

Packet B-1

Packet C-1

Packet C-1

Packet C-2

Packet C-2

Packet D

Packet D

Packet B-2

Packet B-2

Benefits of Modeling

Easy reuse of definitions

Complex mutations can be applied to a model

Improvements to data generation or mutation independent of model

Data read into definition as well as generated

Data Modeling

Define structure of data

Define relations in data

Reuse definitions

BlockSequenceChoiceStringNumberFlags/FlagBlob

RelationTransformer

State Modeling

StreamStream CallCall

TCP, UDP, Files

ConnectAcceptInputOutputClose

COM, RPC, SOAP

Call Method Parameters Result

State Modeling

State Modeling: Stream

State MachineState Machine

State 1State 1

ConnectConnect

OutputOutput

InputInput

OutputOutput

Change State

Change State

State 2State 2

InputInput

OutputOutput

InputInput

OutputOutput

Change State

Change State

State 3State 3

InputInput

OutputOutput

InputInput

CloseClose

11 22

33

4455

State Modeling: Stream

State MachineState Machine

State 1State 1

AcceptAccept

OutputOutput

InputInput

OutputOutput

Change State

Change State

State 2State 2

InputInput

OutputOutput

InputInput

OutputOutput

Change State

Change State

State 3State 3

InputInput

OutputOutput

InputInput

CloseClose

11

55

State Modeling: Stream

State MachineState Machine

State 1State 1

ConnectConnect

OutputOutput

InputInput

CloseClose

Change State

Change State

State 2State 2

ConnectConnect

OutputOutput

InputInput

OutputOutput

Change State

Change State

State 3State 3

InputInput

OutputOutput

InputInput

CloseClose

11

22

33

44

State Modeling: Call

State MachineState Machine

State 1State 1

StartStart

CallCall

CallCall

Change State

Change State

State 2State 2

CallCall

CallCall

CallCall

StopStop

11

22

33

Data Mutations

Mutation: String

“?k1=v+1&k2=v2”

40,000+ variations

Mutation: Number

00

Interesting Edge Cases

FFFFFFFFFFFFFFFF

Mutation: Size Relation #1

Length:

Data: 200 Bytes

200

Mutation: Size Relation #2

Length:

Data: 200 Bytes

200

Mutation: Size Relation #3

Data & Length:

00 FFFFFFFFFFFFFFFF

Mutation: State

Packet A

Packet A

Packet B-1

Packet B-1

Packet C-1

Packet C-1

Packet C-2

Packet C-2

Packet D

Packet D

Packet B-2

Packet B-2

Mutation: State

Packet A

Packet A

Packet B-1

Packet B-1

Packet D

Packet D

Packet B-2

Packet B-2

Mutation: State

Packet A

Packet A

Packet B-1

Packet B-1

Packet D

Packet D

Packet B-2

Packet B-2

Add Custom Mutators

Sling some Python

Add additional mutations

Specific mutations

Etc.

AND DATA COLLECTION

Fault Detection

Agents & Monitors

Peach

2 Tier Configuration

Agent 1Agent 1

DebuggerDebugger

TargetTarget

Network CaptureNetwork Capture

Agent 2Agent 2

DebuggerDebugger

BackendBackend

Network CaptureNetwork Capture

PeachPeach

EngineEngine

Agent Manager

Agent Manager

LoggingLogging

11

22 33

44

5566

Monitors

DebuggersProcess MonitorMemory MonitorNetwork CaptureVM Control (snapshot, revert)Networked Power Strips (cycle power)

Easy to implement custom monitors

Peach Development

Documented XML Schema

Peach Builder

Peach Shark

MASSIVELY PARALLEL FUZZING

Peach Farm

Peach Farm

Adam Cecchetti Massively Parallel Fuzzing

Scales from 1 to 10,000 nodes

Choose your Virtual Platform/Hosting EC2, Xen, VMWare, Etc

Utilizes Map/Reduce Algorithm Map: Maps the fuzzing cases to indexes and results Reduce: Reduces fuzzing results to interesting cases

Metric based : Time, size, diff, expected errors, OS faults, crashes

WHAT’S NEXT?

Peach in The Middle

Peach in The Middle

ClientClient ServerServer

PeachPeach

Controller

Controller AgentAgent

Data ModelData Model

HTTP://PEACHFUZZ.SF.NET

HTTP://PHED.ORG

MIKE@LEVIATHANSECURITY.COM

Q & A

Recommended

Uncovering Zero-Days and Advanced Fuzzing - Slides
Documents
Fuzzing 101
Documents
HTTP Fuzzing: Using JBroFuzz to fuzz the web away€¦ · OWASP Alabama Chapter Presentation Overview Fuzzing in general Fuzzing in the web world HTTP Fuzzing with JBrofuzz Other
Documents
Fuzzing’– WhatTheFuzz - EurOpeneuropen.cz › Proceedings › 38 › fuzzing europen.pdf · 2017-05-04 · – An Introduction to SPIKE, the Fuzzer Creation Kit. "– MSRPC Fuzzing
Documents
Uncovering Zero-Days and advanced fuzzing - Exploit · Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and Windows Servers
Documents
683 Slides Fuzzing
Documents
Uncovering ZeroDays and Advanced Fuzzing
Documents
Advanced production technology of peach
Education
Wi-Fi Advanced Fuzzing - Black Hat Briefings
Documents
Fuzzing Frameworks, Fuzzing Languages?!
Documents
Smart COM Fuzzing they were for ActiveX fuzzing, not COM
Documents
File Format Fuzzing in Android - DeepSec · Agenda 2 •File format fuzzing in Android •Fuzzing the Stagefright media framework •Fuzzing the Android application installer •Fuzzing
Documents
Advanced Custom Network Protocol Fuzzing - DEF CON CON 26/DEF CON 26 workshops... · 2020-05-16 · Advanced Custom Network Protocol Fuzzing Joshua Pereyda Tim Clemans. Outline •Lecture:
Documents
Advanced Protocol Fuzzing – What We Learned when · PDF fileAdvanced Protocol Fuzzing – What We Learned when Bringing Layer2 Logic to SPIKE Land ... Not really “a protocol”
Documents
MICHAEL EDDINGTON MIKE@LEVIATHANSECURITY.COM Advanced Fuzzing with Peach 2
Documents
Security Testing esp. Fuzzing - cs.ru.nlcs.ru.nl/~erikpoll/ss/slides/12_Fuzzing.pdf · Overview • Testing • Abuse cases & negative tests • Fuzzing –dumb fuzzing –generational
Documents
Wi-Fi Advanced Fuzzing€¦ · Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti – p 8 research & development France Telecom Group What We Were Aware of… Wi-Fi weakens entreprise’s
Documents
HIGH-DEF FUZZING - Ruxcon Fuzzing... · HIGH-DEF FUZZING EXPLORING VULNERABILITIES IN HDMI-CEC name = "Joshua Smith" job = "Senior Security Researcher"
Documents
Fuzzing Frameworks - Black Hat | Home€¦ · Fuzzing Frameworks . Pedram Amini Introduction . There are a number of available specialized fuzzing utilities
Documents
0-knowledge fuzzing
Documents