MICHAEL EDDINGTONMIKE@LEVIATHANSECURITY.COM

Advanced Fuzzing with Peach 2

Agenda

Introduction to Peach 2

Data mutations

Peach State Machine

Peach Farm

Peach in The Middle

Introduction to Peach 2

Peach 1

Framework for writing fuzzers

Instrumentation via wrapper APIs

No data definition layer (DDL), just fuzzer

Steep learning curve

Complex fuzzers result in complex fuzzer code

Peach 2

Reduce creation time and simplify fuzzer generation

Fuzzer platform, not framework

Modeling based approach

Fault detection

Lower learning curve

Modeling Based Fuzzing

Model types and data

Model state machine

Support models with data sets

Mutate models with mutators

Model Data: Types

INTINT INTINT INTINT FlagsFlags

INTLenINTLen STRINGSTRING

DATADATA

INTLenINTLen

INTINT INTINT INTINT

DATADATA

Model Data: Relationships

INTINT INTINT INTINT FlagsFlags

INTLenINTLen STRINGSTRING

DATADATA

INTLenINTLen

INTINT INTINT INTINT

DATADATA

Model Data: State Model

Packet A

Packet A

Packet B-1

Packet B-1

Packet C-1

Packet C-1

Packet C-2

Packet C-2

Packet D

Packet D

Packet B-2

Packet B-2

Benefits of Modeling

Easy reuse of definitions

Complex mutations can be applied to a model

Improvements to data generation or mutation independent of model

Data read into definition as well as generated

Data Modeling

Define structure of data

Define relations in data

Reuse definitions

BlockSequenceChoiceStringNumberFlags/FlagBlob

RelationTransformer

State Modeling

StreamStream CallCall

TCP, UDP, Files

ConnectAcceptInputOutputClose

COM, RPC, SOAP

Call Method Parameters Result

State Modeling

State Modeling: Stream

State MachineState Machine

State 1State 1

ConnectConnect

OutputOutput

InputInput

OutputOutput

Change State

Change State

State 2State 2

InputInput

OutputOutput

InputInput

OutputOutput

Change State

Change State

State 3State 3

InputInput

OutputOutput

InputInput

CloseClose

11 22

33

4455

State Modeling: Stream

State MachineState Machine

State 1State 1

AcceptAccept

OutputOutput

InputInput

OutputOutput

Change State

Change State

State 2State 2

InputInput

OutputOutput

InputInput

OutputOutput

Change State

Change State

State 3State 3

InputInput

OutputOutput

InputInput

CloseClose

11

55

State Modeling: Stream

State MachineState Machine

State 1State 1

ConnectConnect

OutputOutput

InputInput

CloseClose

Change State

Change State

State 2State 2

ConnectConnect

OutputOutput

InputInput

OutputOutput

Change State

Change State

State 3State 3

InputInput

OutputOutput

InputInput

CloseClose

11

22

33

44

State Modeling: Call

State MachineState Machine

State 1State 1

StartStart

CallCall

CallCall

Change State

Change State

State 2State 2

CallCall

CallCall

CallCall

StopStop

11

22

33

Data Mutations

Mutation: String

“?k1=v+1&k2=v2”

40,000+ variations

Mutation: Number

00

Interesting Edge Cases

FFFFFFFFFFFFFFFF

Mutation: Size Relation #1

Length:

Data: 200 Bytes

200

Mutation: Size Relation #2

Length:

Data: 200 Bytes

200

Mutation: Size Relation #3

Data & Length:

00 FFFFFFFFFFFFFFFF

Mutation: State

Packet A

Packet A

Packet B-1

Packet B-1

Packet C-1

Packet C-1

Packet C-2

Packet C-2

Packet D

Packet D

Packet B-2

Packet B-2

Mutation: State

Packet A

Packet A

Packet B-1

Packet B-1

Packet D

Packet D

Packet B-2

Packet B-2

Mutation: State

Packet A

Packet A

Packet B-1

Packet B-1

Packet D

Packet D

Packet B-2

Packet B-2

Add Custom Mutators

Sling some Python

Add additional mutations

Specific mutations

Etc.

AND DATA COLLECTION

Fault Detection

Agents & Monitors

Peach

2 Tier Configuration

Agent 1Agent 1

DebuggerDebugger

TargetTarget

Network CaptureNetwork Capture

Agent 2Agent 2

DebuggerDebugger

BackendBackend

Network CaptureNetwork Capture

PeachPeach

EngineEngine

Agent Manager

Agent Manager

LoggingLogging

11

22 33

44

5566

Monitors

DebuggersProcess MonitorMemory MonitorNetwork CaptureVM Control (snapshot, revert)Networked Power Strips (cycle power)

Easy to implement custom monitors

Peach Development

Documented XML Schema

Peach Builder

Peach Shark

MASSIVELY PARALLEL FUZZING

Peach Farm

Peach Farm

Adam Cecchetti Massively Parallel Fuzzing

Scales from 1 to 10,000 nodes

Choose your Virtual Platform/Hosting EC2, Xen, VMWare, Etc

Utilizes Map/Reduce Algorithm Map: Maps the fuzzing cases to indexes and results Reduce: Reduces fuzzing results to interesting cases

Metric based : Time, size, diff, expected errors, OS faults, crashes

WHAT’S NEXT?

Peach in The Middle

Peach in The Middle

ClientClient ServerServer

PeachPeach

Controller

Controller AgentAgent

Data ModelData Model

HTTP://PEACHFUZZ.SF.NET

HTTP://PHED.ORG

MIKE@LEVIATHANSECURITY.COM

Q & A