The Aftermath of a Fuzz Run · 2017-12-14 · The Aftermath of a Fuzz Run: ... Founder/CEO. Talk...

Preview:

Click to see full reader

Citation preview

The Aftermath of a Fuzz Run:What to do with all those crashes?

David Moore

David Moore Bio

NeXT, Apple, Weblogic, BEA Systems, Azul Systems

Google, Twitter, Netflix, Optimizely, Card, kernel, 

ruby, php, cpio

Founder/CEO

Talk Outline1> Introduce/Review Memory Corruption Bugs

2> A Post Fuzz Run Workflow

3> Real World Examples

Section 1a:Introduce / Review 

Memory Corruption Bugs

InvalidReads/Writes

Stack vs HeapCorruption

int main (int argc, char **argv) { char buf[8]; strcpy(buf, argv[1]);}

./a.out AAAAAAAAAAAA

Use After Free

char* x = (char*)malloc(4);...

free(x);…

printf(x)   // uaf

Other Memory Bugs

Section 1b:What is Exploitability?

Re­programming with input data ­

not code

Re­programming with existing code in the 

process

Does “exploitability” 

matter?

ExploitableBy Whom?

GoogleProject Zero

NSA

hhhhh??

Many modern exploits are bug 

chains

Surprisingly Exploitable

C­Ares / Chrome OS Remote Code 

Execution

Triggered by a trailing escaped dot:

www.foo.com\.

Section 1c:Memory Corruption 

Mitigations

Stack Canaries

DEPData Execution

Prevention

ASLRAddress Space Layout

Randomization

Section 2:A Post Fuzz Run Workflow

2a> Minimize crash corpus 2b> Use Memory Corruption Tools 2c> Determine Exploitability ­ or ­  Find the Root Cause

Whyminimize?

Minimize the Corpus of Crashes

Minimize each crashing case individually

fdupes

Section 2b:Memory Corruption 

Analysis Tools

All Bets are Off

Address Sanitizer

ASAN­fsanitize­address

Valgrind(memcheck)

Exploitable

Section 2c:Determine

Exploitability /Find the Root Cause

Disable ASLRecho 0 | sudo tee

/proc/sys/kernel/randomize_va_space

Identify critical memory

locations

gdbgcc ­g ­O0 target.c

./target AAAA

0x41414141

rr

rr­project.org

It is OK and normal to:

Feel lost / frustratedTake a lot of time

Feel like your wheels are spinningGet sick of staring at hex

OneMore Thing:

Once the bugs are fixed -Fuzz the target again

Section 3: Real World Examples

PHP:Low invalid read

Ruby:Heap Buffer

Overflow

Netflix Dynomite: Invalid Write

Netflix Dynomite:● Running in production ~2 

years● 1000 Customer facing nodes● 1 Million ops/sec peak load

References:● RPI ­ Modern Binary Exploitation ­ 

GitHub: rpisec/mbe● Hacking: The Art of Exploitation ­ Jon 

Erickson● Project Zero Blog ­ What is Good 

Memory Corruption?● Sean Heelan’s Blog ­ Tracking Down 

Heap Overflows with rr

Thank You!David Moore@grajagandev

dave@fuzzstati0n.com

Recommended

Fuzz Face - Fuzz Dog's Pedal Partspedalparts.co.uk/docs/FuzzFace-Multi.pdf · Fuzz Face Vintage fuzz with optional voltage inverter Contents of this document are ©2014 Pedal Parts
Documents
HOT FUZZ – Opening Sequence
Documents
Fuzz slides - University of Wisconsin–Madisonpages.cs.wisc.edu/~bart/fuzz/fuzz-revisited-talk.pdf · Copyright © 1995 Barton P. Miller Fuzz Revisited ..... Page 9 Programming Errors
Documents
Whitebox Fuzz Tests - Symbolische Ausführung im Rahmen von ... · Whitebox Fuzz Tests Symbolische Ausführung im Rahmen von Fuzz Tests Ferhat Beyaz Seminar Beiträge zum Software
Documents
Hot fuzz - textual analysis
Education
Fuzz Pedal Design Project
Documents
Hot fuzz clip
Entertainment & Humor
Annual Fuzz Run 5K - Metro Atlanta Chamber · 34th Annual Fuzz Run 5K. Saturday, September 9, 2017. Benefits the Police Who Care Fund PACKET PICKUP:in supporting local charitable
Documents
Cottonmouth Fuzz Instruction Manual - Rocktron · Introduction: Warning! Snakes bite!! Rocktron proudly introduces the Cottonmouth Fuzz, a wild new fuzz box with flashing blue eyes
Documents
ELEPHANT FUZZ - PuzzleSounds – Your Custom Effect … ·  · 2017-02-25ELEPHANT FUZZ We hope you enjoy your new ELEPHANT FUZZ! In this manual, you will find documentation and guidelines
Documents
Fuzz Service
Documents
DSOTM FUZZ - 2018 · DSOTM FUZZ - 2018 A smooth, articulate and sustaining Fuzz Tone comparable to fuzz tones heard on Pink Floyd's 1973 Dark Side of the Moon album, but it covers
Documents
FUZZ-IEEE 2016 Programwcci2016.org/document/fuzzIEEEprog_2.pdf · FUZZ-IEEE 2016 Program ... Uncertainty Theory and Its Application / SS FUZZ ... Room: 208-209 2:30PM A Similarity-based
Documents
Windows 8 fuzz
Technology
Hot Fuzz Storyboard
Documents
hot fuzz editing scene
Art & Photos
Leviathan Fuzz - wamplerpedals.comLeviathan Fuzz Brian hasn't been your typical "fuzz guy" all his life. He doesn't use words like "hair" to describe the amount of distortion, and
Documents
Fuzz Revisited: A Re-examination of the Reliability of UNIX Utilities …ftp.cs.wisc.edu/pub/paradyn/technical_papers/fuzz... ·  · 2006-02-09Page 1 October 1995 Fuzz Revisited:
Documents
Paul Gilbert Fuzz Universe
Documents
The Aftermath of a Fuzz Run - eLinux.org · 2017. 3. 9. · Talk Outline 1> Introduce/Review Memory Corruption Bugs 2> A Post Fuzz Run Workflow 3> Real World Examples
Documents