16
Use of Fuzzing in detecting security vulnerabilities Biswajit Mazumder Rohit Hooda Arpan Chowdhary

Biswajit Mazumder Rohit Hooda Arpan Chowdhary. What is Fuzzing? Fuzzing techniques Types of Fuzzing Fuzzing explained Case study and changes:

Embed Size (px)

Citation preview

Page 1: Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:

Use of Fuzzing in detecting security

vulnerabilitiesBiswajit Mazumder

Rohit HoodaArpan Chowdhary

Page 2: Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:

What is Fuzzing? Fuzzing techniques Types of Fuzzing Fuzzing explained Case study and changes: SCRASHME sys_getdomainname() vmsplice() : Local Root Exploit Conclusion

Agenda

Page 3: Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:

Short for FUZZ-TESTING. Technique of Black-box testing

What is Fuzzing?

Black Box

Fuzzer

Inputs:Malformed / SemiMalformedRandom / Adaptive

Crashes /Information leaks /Delays

Page 4: Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:

Event-Driven Fuzz Character-Driven Fuzz Database Fuzz

Fuzzing Techniques

Page 5: Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:

Based on type of Fuzzer: Tool oriented Fuzzing Manual FuzzingBased on Attack Targets: Application fuzzing. Protocol fuzzing. File-format fuzzing. Operating System fuzzing.

Types of Fuzzing

Page 6: Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:

Simple fuzz approach using a pseudo random number generator as input.

Validation of fuzz attempts to assure that the random input is reasonable.

A combined approach using valid test data and invalid random input interjection.

Fuzzing Explained

Page 7: Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:

Open source system call fuzzer for Linux. Stress tests system calls for robustness and security

flaws. -i: use sanitize methods before calling syscalls. -c#: do syscall # with random inputs. -C: check syscalls that call capable() return -EPERM. -r: call random syscalls with random inputs. -Sr: pass struct filled with random junk. -Sxx: pass struct filled with hex value xx. -x#: use value as register arguments. -z: use all zeros as register parameters.

Case Study: SCRASHME

Page 8: Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:

Support for new syscall #333 in Linux Kernel 2.6.27.7 i.e. sys_getdomainname().

Sanitize method for Local root exploit for vmsplice() syscall.

SCRASHME: Changes

Page 9: Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:

/* Structure describing the system and machine. */

struct utsname

{

/* Name of the implementation of the operating system. */

char sysname[_UTSNAME_SYSNAME_LENGTH];

/* Name of this node on the network. */

char nodename[_UTSNAME_NODENAME_LENGTH];

/* Current release level of this implementation. */

char release[_UTSNAME_RELEASE_LENGTH];

/* Current version level of this release. */

char version[_UTSNAME_VERSION_LENGTH];

/* Name of the hardware type the system is running on. */

char machine[_UTSNAME_MACHINE_LENGTH];

/* Name of the domain of this node on the network. */

char domainname[_UTSNAME_DOMAIN_LENGTH];

};

struct utsname

Page 10: Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:

getdomainname () is used to access the domain name of the current processor/node.

getdomainname() currently calls uname() in the current versions of Linux Kernel.

setdomainname() is used to change the domain name of the current processor/node.

In a FQDN e.g. temp.mynetwork.org “mynetwork” is the domainname.

sys_getdomainname()

Page 11: Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:

asmlinkage long sys_getdomainname(char __user *name, int len) { int nlen; int err = -EINVAL;

+ if (len < 0 || len > __NEW_UTS_LEN) + goto done;

down_read(&uts_sem); nlen = strlen(utsname()->domainname) + 1; if (nlen < len) len = nlen;

if ( copy_to_user(name, utsname()->domainname, len) ){ err = -EFAULT; goto done; }

err = 0; done: up_read(&uts_sem); return err; }

sys_getdomainname() contd…

Page 12: Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:

Splices a user pages into a pipe. Provides userspace programs with full control over

an arbitrary kernel buffer “Copies" data from user space into the kernel buffer.

long vmsplice(int fd, const struct iovec *iov, unsigned long nr_segs, unsigned int flags);

Description: The vmsplice() system call maps nr_segs ranges of user memory described by iov into a pipe. The file descriptor fd must refer to a pipe.

What is vmsplice()?

Page 13: Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:

Doesn't check whether that application had the right to write to a specific memory location. So it acts as a quick-and-easy rootkit installation mechanism.

Doesn’t check whether the iovec structures (memory region) passed were in readable memory.

The third problem is in the memory-to-pipe implementation. This is an information disclosure vulnerability.  

Bugs in vmsplice()

Page 14: Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:

Enables non-root user to become root Doesn’t need specific hardware

Available at: http://www.milw0rm.com/exploits/5092

vmsplice() : Local Root Exploit

Page 15: Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:

Allows detection of critical security vulnerabilities in short time periods for various applications.

Simple, efficient and can be automated. Considerable speed up of the whole process

of security vulnerabilities detection. Downside: Not the final solution for

detection of all security vulnerabilities that exist in an application.

Conclusion

Page 16: Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:

Questions ?