NBTC#2 - Why instrumentation is cooler than ice
Alex Moneger
INTRODUCTION
The myth
• Fuzzing is easy
• Fuzzing is simple
• Instrumentation is left as an exercise to the reader
The truth
• Fuzzing requires effort
• Generally requires adapting the target code
• Most of the time requires building a corpus of inputs
• Requires minimizing the corpus
• Requires instrumentation:
– Did my target crash?
– On what input?
– Are my new inputs useful?
The hurdles
• Tool selection
• Tool integration
• Reliability
• Scale
• A bug found prevents the fuzzer from reaching further areas of code
INSTRUMENTATION
Before
• 2 approaches:
– Mutate data forever (randomly, byte flip, …)
– Model data, mutate fields separately (Spike, Peach, Codenomicon, …)
• Run for some iterations or until all states are modeled
• Hope for the best
Today
• Genetic algorithms => retain only the best inputs for further mutation
1. Mutate best input
2. Send to target
3. Measure impact based on some metric
4. Discard or prioritize input, back to 1.
Code coverage
• Code coverage is the most widely used metric
• Tells you if an input has triggered new code paths
• All tools try to measure code coverage one way or another
• Can be achieved via:
– binary instrumentation (PIN, DynamoRIO)
– static rewriting (Dyninst)
– kernel probing (perf)
– HW (Intel BTS => branch trace store)
How does it work
• Model control flow using basic blocks
• Discard unconditional edges (JMPs)
• First approach: trace the callgraph
• Hard to compare 2 callgraphs
• Best approach: retain edge counts
• Provides an unordered code coverage heatmap
Example callgraph (figure not reproduced)
Compare code coverage maps?
• Gained edges - lost edges > 0?
• Simple, but will mask path divergence
• Solution: keep track of interesting diverging paths
• When there are no new edges, check edge hit counts
• Higher hit counts mean you control a loop boundary
CORPUS MINIMIZATION
Corpus minimization
• You have collected all XML documents or IM packets from the internet
• What is the minimal set of inputs which achieves maximal code coverage?
• Open all inputs and record code coverage
• Keep only valuable inputs
In practice
• No open source tools to achieve this
• Notable exception: with source, on *nix, for file inputs => afl-cmin to the rescue
• Otherwise, a good base is runtracer, drcov or the coco.cpp pintool
• Building the minset is up to you after that
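An added example (not code from the talk) of the edge-count comparison described under "Compare code coverage maps?" together with the greedy minset this section describes, in C. The map size, the edge hash, the hit-count buckets and the sample traces are constructed assumptions; a real tracer (PIN, DynamoRIO, Dyninst, perf/BTS) would supply the basic-block sequences.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAP_SIZE 4096   /* edge slots in the coverage map (hypothetical size) */

/* One execution trace: the basic-block ids the target visited, in order.
 * The traces further down are constructed sample data, not recorded anywhere. */
typedef struct { const uint32_t *bbs; size_t n; } trace_t;

/* Collapse a raw hit count into a coarse bucket: a loop that ran 7 times
 * instead of 6 is not "new", but crossing 1 -> 2 -> 4 -> 8 -> 16 -> 128 is. */
static uint8_t bucket(uint32_t hits) {
    if (hits == 0)   return 0;
    if (hits <= 3)   return (uint8_t)hits;   /* 1, 2, 3 */
    if (hits <= 7)   return 4;
    if (hits <= 15)  return 5;
    if (hits <= 127) return 6;
    return 7;
}

/* Hash a conditional edge (prev -> cur) into a map slot. Unconditional jumps
 * are never fed in, matching the slide's "discard unconditional edges". */
static size_t edge_slot(uint32_t prev, uint32_t cur) {
    return ((prev * 2654435761u) ^ (cur >> 1)) % MAP_SIZE;
}

/* Build the per-run map: one bucketed hit count per edge slot. */
static void trace_to_map(const trace_t *t, uint8_t map[MAP_SIZE]) {
    static uint32_t hits[MAP_SIZE];
    memset(hits, 0, sizeof hits);
    for (size_t i = 1; i < t->n; i++)
        hits[edge_slot(t->bbs[i - 1], t->bbs[i])]++;
    for (size_t s = 0; s < MAP_SIZE; s++) map[s] = bucket(hits[s]);
}

/* The naive "gained edges - lost edges" score against the previous run only.
 * A path that swaps N edges for N other edges scores 0 and would be dropped. */
static int gained_minus_lost(const uint8_t run[MAP_SIZE], const uint8_t prev[MAP_SIZE]) {
    int delta = 0;
    for (size_t s = 0; s < MAP_SIZE; s++) {
        if (run[s] && !prev[s]) delta++;
        else if (!run[s] && prev[s]) delta--;
    }
    return delta;
}

/* Classify a run against the global (union) map, then merge it in.
 * 2 = hit an edge never seen before; 1 = only pushed a known edge into a
 * higher bucket (you moved a loop boundary); 0 = nothing new, discard input. */
static int classify_run(const uint8_t run[MAP_SIZE], uint8_t global[MAP_SIZE]) {
    int verdict = 0;
    for (size_t s = 0; s < MAP_SIZE; s++) {
        if (run[s] == 0) continue;
        if (global[s] == 0) verdict = 2;
        else if (run[s] > global[s] && verdict == 0) verdict = 1;
        if (run[s] > global[s]) global[s] = run[s];
    }
    return verdict;
}

/* First-fit greedy minset: keep an input only if it adds an edge or a higher
 * bucket the kept set does not already cover. Order-dependent (afl-cmin instead
 * picks the smallest file per edge). Returns the count kept, indices in `kept`. */
static size_t minimize_corpus(const trace_t *inputs, size_t n, size_t *kept) {
    static uint8_t global[MAP_SIZE], run[MAP_SIZE];
    memset(global, 0, sizeof global);
    size_t nkept = 0;
    for (size_t i = 0; i < n; i++) {
        trace_to_map(&inputs[i], run);
        if (classify_run(run, global) > 0) kept[nkept++] = i;
    }
    return nkept;
}

/* Constructed traces: a straight path (used twice), a divergent path that swaps
 * two edges for two others, then a 3-iteration and a 7-iteration loop. */
static const uint32_t T_STRAIGHT[] = {1, 2, 3, 4};
static const uint32_t T_DIVERGE[]  = {1, 2, 5, 4};
static const uint32_t T_LOOP3[]    = {1, 2, 3, 2, 3, 2, 3, 4};
static const uint32_t T_LOOP7[]    = {1, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 4};
#define NSAMPLE 5
static const trace_t SAMPLE[NSAMPLE] = {{T_STRAIGHT, 4}, {T_STRAIGHT, 4}, {T_DIVERGE, 4}, {T_LOOP3, 8}, {T_LOOP7, 16}};

int main(void) {
    uint8_t global[MAP_SIZE] = {0}, run[MAP_SIZE], prev[MAP_SIZE];
    trace_to_map(&SAMPLE[0], prev);
    trace_to_map(&SAMPLE[2], run);
    printf("naive score for the divergent path: %d (not > 0, so wrongly dropped)\n",
           gained_minus_lost(run, prev));
    for (size_t i = 0; i < NSAMPLE; i++) {
        trace_to_map(&SAMPLE[i], run);
        printf("input %zu: verdict %d\n", i, classify_run(run, global));
    }
    size_t kept[NSAMPLE], n = minimize_corpus(SAMPLE, NSAMPLE, kept);
    printf("minset keeps %zu of %d inputs\n", n, NSAMPLE);
    return 0;
}
```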
WHAT NOW
An application
• You want to fuzz an application/library
• What next?
A few obvious questions first
• Do you have source code?
• Where does it take input from?
– Network
– File
– …
• Do you already have valid inputs?
– Packets
– PDF
– …
First of all
• Turn on coredumps
• Throw whatever you have at the binary
• dd if=/dev/urandom bs=1024 count=1 | nc localhost 1234
• Or mutate some corpus inputs with radamsa
• Keep the CPU busy whilst you figure out a plan
• Now think
You have source code
• Find a way to get it to work with American Fuzzy Lop
• AFL “batteries included”
• AFL works great:
– File input
– Amazing performance/reliability (forkserver)
– Instrumentation/stats built in (ASM instrumentation)
– Scaling (distributed fuzzing)
• Limitations:
– Network fuzzing
– Any form of daemon
Wrapping for AFL
• Target can read from stdin or argv, you're good
• Otherwise, write a wrapper around your target functions
• read_from_stdin(char *buf) { target_func(buf); exit(0); }
• Problem: complex when functions are tightly coupled (globals, complex structs, …)
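A concrete version of the stdin wrapper sketched above, as an added example (not code from the talk). target_func and its record format are hypothetical stand-ins for the real function under test; the corpus and output paths in the comment are placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical target function standing in for the library routine you want
 * to fuzz. It parses a constructed record format:
 *   [count][len_0][payload_0 ...][len_1][payload_1 ...] ...
 * Returns the number of records parsed, or -1 on malformed input. */
static int target_func(const uint8_t *buf, size_t len) {
    if (len < 1) return -1;
    size_t pos = 1, count = buf[0];
    for (size_t i = 0; i < count; i++) {
        if (pos >= len) return -1;          /* length byte missing */
        size_t rlen = buf[pos++];
        if (rlen > len - pos) return -1;    /* payload truncated; check cannot overflow */
        pos += rlen;
    }
    return (int)count;
}

/* Slurp a whole stream into a heap buffer, doubling capacity as needed, so the
 * wrapper copes with any input size the fuzzer produces. NULL on allocation failure. */
static uint8_t *read_all(FILE *in, size_t *out_len) {
    size_t cap = 4096, len = 0;
    uint8_t *buf = malloc(cap);
    if (!buf) return NULL;
    for (;;) {
        size_t got = fread(buf + len, 1, cap - len, in);
        len += got;
        if (got == 0) break;                /* EOF or read error */
        if (len == cap) {
            uint8_t *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); return NULL; }
            buf = nb;
            cap *= 2;
        }
    }
    *out_len = len;
    return buf;
}

/* The wrapper from the slide: read from stdin, call the target, exit.
 * Build with afl-gcc or afl-clang so AFL's instrumentation lands in
 * target_func, then run: afl-fuzz -i corpus -o findings -- ./wrapper
 * AFL records a crash only when the child dies from a signal (SIGSEGV,
 * SIGABRT, ...), so a plain non-zero exit on bad input is not a finding. */
int main(void) {
    size_t len = 0;
    uint8_t *buf = read_all(stdin, &len);
    if (!buf) return 2;
    int rc = target_func(buf, len);
    free(buf);
    return rc < 0 ? 1 : 0;
}
```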
No source?
• Things start to get messy
• Options:
– Afl-qemu
– Afl-pin
– Afl-dyninst
– Honggfuzz (Linux or requires HW support)
– …
Mo problem
• Idea is always the same
• Through instrumentation, get code coverage info
• Bind it somehow to AFL:
– AFL-qemu => Use Qemu userland to hook BBLs
– AFL-PIN => Use PIN to hook BBLs, no forkserver support
– AFL-Dyninst => static rewrite to hook BBLs
TODAY’S GAPS
Gaps
• Smart fuzzing network daemons
• Corpus minimization
• Windows support
• Triaging (the GDB exploitable plugin doesn't work on core files)
• We need to build bricks, not solutions
Reference
• Best advice on fuzzing by Ben Nagy:
http://seclists.org/dailydave/2010/q4/47

More Related Content

What's hot

CNIT 141: 14. Quantum and Post-Quantum
CNIT 141: 14. Quantum and Post-QuantumCNIT 141: 14. Quantum and Post-Quantum
CNIT 141: 14. Quantum and Post-QuantumSam Bowne
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersSam Bowne
 
CNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsCNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsSam Bowne
 
Cryptography and secure systems
Cryptography and secure systemsCryptography and secure systems
Cryptography and secure systemsVsevolod Stakhov
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersSam Bowne
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersSam Bowne
 
CNIT 141: 1. Encryption
CNIT 141: 1. EncryptionCNIT 141: 1. Encryption
CNIT 141: 1. EncryptionSam Bowne
 
CNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingCNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingSam Bowne
 
CNIT 141 6. Hash Functions
CNIT 141 6. Hash FunctionsCNIT 141 6. Hash Functions
CNIT 141 6. Hash FunctionsSam Bowne
 
CNIT 141 12. Elliptic Curves
CNIT 141 12. Elliptic CurvesCNIT 141 12. Elliptic Curves
CNIT 141 12. Elliptic CurvesSam Bowne
 
CNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsCNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsSam Bowne
 
CNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionCNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionSam Bowne
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Shahriman .
 
CNIT 127: 3: Shellcode
CNIT 127: 3: ShellcodeCNIT 127: 3: Shellcode
CNIT 127: 3: ShellcodeSam Bowne
 
CNIT 141: 1. Encryption
CNIT 141: 1. EncryptionCNIT 141: 1. Encryption
CNIT 141: 1. EncryptionSam Bowne
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your NetworkCTruncer
 
CNIT 124: Ch 7: Capturing Traffic
CNIT 124: Ch 7: Capturing TrafficCNIT 124: Ch 7: Capturing Traffic
CNIT 124: Ch 7: Capturing TrafficSam Bowne
 
CNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersCNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersSam Bowne
 

What's hot (20)

CNIT 141: 14. Quantum and Post-Quantum
CNIT 141: 14. Quantum and Post-QuantumCNIT 141: 14. Quantum and Post-Quantum
CNIT 141: 14. Quantum and Post-Quantum
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block Ciphers
 
CNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsCNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection Mechanisms
 
Cryptography and secure systems
Cryptography and secure systemsCryptography and secure systems
Cryptography and secure systems
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block Ciphers
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block Ciphers
 
rspamd-fosdem
rspamd-fosdemrspamd-fosdem
rspamd-fosdem
 
CNIT 141: 1. Encryption
CNIT 141: 1. EncryptionCNIT 141: 1. Encryption
CNIT 141: 1. Encryption
 
CNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingCNIT 1417. Keyed Hashing
CNIT 1417. Keyed Hashing
 
Hacking Blind
Hacking BlindHacking Blind
Hacking Blind
 
CNIT 141 6. Hash Functions
CNIT 141 6. Hash FunctionsCNIT 141 6. Hash Functions
CNIT 141 6. Hash Functions
 
CNIT 141 12. Elliptic Curves
CNIT 141 12. Elliptic CurvesCNIT 141 12. Elliptic Curves
CNIT 141 12. Elliptic Curves
 
CNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsCNIT 141: 6. Hash Functions
CNIT 141: 6. Hash Functions
 
CNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionCNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated Encryption
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.
 
CNIT 127: 3: Shellcode
CNIT 127: 3: ShellcodeCNIT 127: 3: Shellcode
CNIT 127: 3: Shellcode
 
CNIT 141: 1. Encryption
CNIT 141: 1. EncryptionCNIT 141: 1. Encryption
CNIT 141: 1. Encryption
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your Network
 
CNIT 124: Ch 7: Capturing Traffic
CNIT 124: Ch 7: Capturing TrafficCNIT 124: Ch 7: Capturing Traffic
CNIT 124: Ch 7: Capturing Traffic
 
CNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersCNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream Ciphers
 

Viewers also liked

开化龙顶
开化龙顶开化龙顶
开化龙顶mikejiang
 
Algebraic Insights into the Secret Feistel Network
Algebraic Insights into the Secret Feistel NetworkAlgebraic Insights into the Secret Feistel Network
Algebraic Insights into the Secret Feistel Networkhellman1908
 
CyberLab CCEH Session - 8 Sniffers
CyberLab CCEH Session - 8 SniffersCyberLab CCEH Session - 8 Sniffers
CyberLab CCEH Session - 8 SniffersCyberLab
 
薏苡仁粉
薏苡仁粉薏苡仁粉
薏苡仁粉mikejiang
 
como insertar un power point
como insertar un power pointcomo insertar un power point
como insertar un power pointsdfbjkgfrfbjk
 
Formats i composicions
Formats i composicionsFormats i composicions
Formats i composicionsmartivmontoya
 
CyberLab CCEH Session - 17 Buffer Overflow
CyberLab CCEH Session - 17 Buffer OverflowCyberLab CCEH Session - 17 Buffer Overflow
CyberLab CCEH Session - 17 Buffer OverflowCyberLab
 
MIT 教我的七堂課
MIT 教我的七堂課MIT 教我的七堂課
MIT 教我的七堂課Xi-Zhe Lin
 
Deepak bhalla cv word format
Deepak bhalla cv word formatDeepak bhalla cv word format
Deepak bhalla cv word formatDeepak Bhalla
 
引導討論:Facilitation
引導討論:Facilitation引導討論:Facilitation
引導討論:FacilitationAudrey Tang
 
案例示範:UberX、Airbnb
案例示範:UberX、Airbnb案例示範:UberX、Airbnb
案例示範:UberX、AirbnbAudrey Tang
 
2011.10.21新營社大演講版 -鹽業:人與海洋的時空對話
2011.10.21新營社大演講版 -鹽業:人與海洋的時空對話2011.10.21新營社大演講版 -鹽業:人與海洋的時空對話
2011.10.21新營社大演講版 -鹽業:人與海洋的時空對話niceruru
 
Web cam sensing using sdk tool
Web cam sensing using sdk tool Web cam sensing using sdk tool
Web cam sensing using sdk tool eSAT Journals
 
20161222 網路工具教學與應用
20161222 網路工具教學與應用20161222 網路工具教學與應用
20161222 網路工具教學與應用小四 曾
 
山海國土議題盤點【原住民土地治理】林嘉男
山海國土議題盤點【原住民土地治理】林嘉男山海國土議題盤點【原住民土地治理】林嘉男
山海國土議題盤點【原住民土地治理】林嘉男cettw
 

Viewers also liked (20)

开化龙顶
开化龙顶开化龙顶
开化龙顶
 
Algebraic Insights into the Secret Feistel Network
Algebraic Insights into the Secret Feistel NetworkAlgebraic Insights into the Secret Feistel Network
Algebraic Insights into the Secret Feistel Network
 
CyberLab CCEH Session - 8 Sniffers
CyberLab CCEH Session - 8 SniffersCyberLab CCEH Session - 8 Sniffers
CyberLab CCEH Session - 8 Sniffers
 
薏苡仁粉
薏苡仁粉薏苡仁粉
薏苡仁粉
 
como insertar un power point
como insertar un power pointcomo insertar un power point
como insertar un power point
 
linkdin
linkdinlinkdin
linkdin
 
Formats i composicions
Formats i composicionsFormats i composicions
Formats i composicions
 
CyberLab CCEH Session - 17 Buffer Overflow
CyberLab CCEH Session - 17 Buffer OverflowCyberLab CCEH Session - 17 Buffer Overflow
CyberLab CCEH Session - 17 Buffer Overflow
 
MIT 教我的七堂課
MIT 教我的七堂課MIT 教我的七堂課
MIT 教我的七堂課
 
Deepak bhalla cv word format
Deepak bhalla cv word formatDeepak bhalla cv word format
Deepak bhalla cv word format
 
Huca marketing online
Huca marketing onlineHuca marketing online
Huca marketing online
 
引導討論:Facilitation
引導討論:Facilitation引導討論:Facilitation
引導討論:Facilitation
 
D2-4 2012里山倡議研討會-貢寮1011116
D2-4 2012里山倡議研討會-貢寮1011116D2-4 2012里山倡議研討會-貢寮1011116
D2-4 2012里山倡議研討會-貢寮1011116
 
Exploits & Mitigations - Memory Corruption Techniques
Exploits & Mitigations - Memory Corruption TechniquesExploits & Mitigations - Memory Corruption Techniques
Exploits & Mitigations - Memory Corruption Techniques
 
案例示範:UberX、Airbnb
案例示範:UberX、Airbnb案例示範:UberX、Airbnb
案例示範:UberX、Airbnb
 
2011.10.21新營社大演講版 -鹽業:人與海洋的時空對話
2011.10.21新營社大演講版 -鹽業:人與海洋的時空對話2011.10.21新營社大演講版 -鹽業:人與海洋的時空對話
2011.10.21新營社大演講版 -鹽業:人與海洋的時空對話
 
Web cam sensing using sdk tool
Web cam sensing using sdk tool Web cam sensing using sdk tool
Web cam sensing using sdk tool
 
20161222 網路工具教學與應用
20161222 網路工具教學與應用20161222 網路工具教學與應用
20161222 網路工具教學與應用
 
山海國土議題盤點【原住民土地治理】林嘉男
山海國土議題盤點【原住民土地治理】林嘉男山海國土議題盤點【原住民土地治理】林嘉男
山海國土議題盤點【原住民土地治理】林嘉男
 
la OCDE
la OCDEla OCDE
la OCDE
 

Similar to NBTC#2 - Why instrumentation is cooler then ice

Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
Ch 18: Source Code Auditing
Ch 18: Source Code AuditingCh 18: Source Code Auditing
Ch 18: Source Code AuditingSam Bowne
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploitTiago Henriques
 
Building Big Data Streaming Architectures
Building Big Data Streaming ArchitecturesBuilding Big Data Streaming Architectures
Building Big Data Streaming ArchitecturesDavid Martínez Rego
 
CNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingCNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingSam Bowne
 
EuroMPI 2013 presentation: McMPI
EuroMPI 2013 presentation: McMPIEuroMPI 2013 presentation: McMPI
EuroMPI 2013 presentation: McMPIDan Holmes
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
Austin Python Learners Meetup - Everything you need to know about programming...
Austin Python Learners Meetup - Everything you need to know about programming...Austin Python Learners Meetup - Everything you need to know about programming...
Austin Python Learners Meetup - Everything you need to know about programming...Danny Mulligan
 
Using the big guns: Advanced OS performance tools for troubleshooting databas...
Using the big guns: Advanced OS performance tools for troubleshooting databas...Using the big guns: Advanced OS performance tools for troubleshooting databas...
Using the big guns: Advanced OS performance tools for troubleshooting databas...Nikolay Savvinov
 
2.4 Optimizing your Visual COBOL Applications
2.4   Optimizing your Visual COBOL Applications2.4   Optimizing your Visual COBOL Applications
2.4 Optimizing your Visual COBOL ApplicationsMicro Focus
 
Preparing Codes for Intel Knights Landing (KNL)
Preparing Codes for Intel Knights Landing (KNL)Preparing Codes for Intel Knights Landing (KNL)
Preparing Codes for Intel Knights Landing (KNL)AllineaSoftware
 
Storm presentation
Storm presentationStorm presentation
Storm presentationShyam Raj
 
Reading Notes : the practice of programming
Reading Notes : the practice of programmingReading Notes : the practice of programming
Reading Notes : the practice of programmingJuggernaut Liu
 
Taming the resource tiger
Taming the resource tigerTaming the resource tiger
Taming the resource tigerElizabeth Smith
 
Preventing Complexity in Game Programming
Preventing Complexity in Game ProgrammingPreventing Complexity in Game Programming
Preventing Complexity in Game ProgrammingYaser Zhian
 
CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginSam Bowne
 
Micro control idsecconf2010
Micro control idsecconf2010Micro control idsecconf2010
Micro control idsecconf2010idsecconf
 

Similar to NBTC#2 - Why instrumentation is cooler then ice (20)

Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
Ch 18: Source Code Auditing
Ch 18: Source Code AuditingCh 18: Source Code Auditing
Ch 18: Source Code Auditing
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Introduction to multicore .ppt
Introduction to multicore .pptIntroduction to multicore .ppt
Introduction to multicore .ppt
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
Server Tips
Server TipsServer Tips
Server Tips
 
Building Big Data Streaming Architectures
Building Big Data Streaming ArchitecturesBuilding Big Data Streaming Architectures
Building Big Data Streaming Architectures
 
CNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingCNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code Auditing
 
EuroMPI 2013 presentation: McMPI
EuroMPI 2013 presentation: McMPIEuroMPI 2013 presentation: McMPI
EuroMPI 2013 presentation: McMPI
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
Austin Python Learners Meetup - Everything you need to know about programming...
Austin Python Learners Meetup - Everything you need to know about programming...Austin Python Learners Meetup - Everything you need to know about programming...
Austin Python Learners Meetup - Everything you need to know about programming...
 
Using the big guns: Advanced OS performance tools for troubleshooting databas...
Using the big guns: Advanced OS performance tools for troubleshooting databas...Using the big guns: Advanced OS performance tools for troubleshooting databas...
Using the big guns: Advanced OS performance tools for troubleshooting databas...
 
2.4 Optimizing your Visual COBOL Applications
2.4   Optimizing your Visual COBOL Applications2.4   Optimizing your Visual COBOL Applications
2.4 Optimizing your Visual COBOL Applications
 
Preparing Codes for Intel Knights Landing (KNL)
Preparing Codes for Intel Knights Landing (KNL)Preparing Codes for Intel Knights Landing (KNL)
Preparing Codes for Intel Knights Landing (KNL)
 
Storm presentation
Storm presentationStorm presentation
Storm presentation
 
Reading Notes : the practice of programming
Reading Notes : the practice of programmingReading Notes : the practice of programming
Reading Notes : the practice of programming
 
Taming the resource tiger
Taming the resource tigerTaming the resource tiger
Taming the resource tiger
 
Preventing Complexity in Game Programming
Preventing Complexity in Game ProgrammingPreventing Complexity in Game Programming
Preventing Complexity in Game Programming
 
CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you Begin
 
Micro control idsecconf2010
Micro control idsecconf2010Micro control idsecconf2010
Micro control idsecconf2010
 

More from Alexandre Moneger

Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersAlexandre Moneger
 
03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old daysAlexandre Moneger
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stackAlexandre Moneger
 
06 - ELF format, knowing your friend
06 - ELF format, knowing your friend06 - ELF format, knowing your friend
06 - ELF format, knowing your friendAlexandre Moneger
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?Alexandre Moneger
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 
ROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsAlexandre Moneger
 

More from Alexandre Moneger (10)

Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
 
03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 
06 - ELF format, knowing your friend
06 - ELF format, knowing your friend06 - ELF format, knowing your friend
06 - ELF format, knowing your friend
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one
 
ROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploits
 

Recently uploaded

What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
cpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptcpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptrcbcrtm
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 

Recently uploaded (20)

What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 

NBTC#2 - Why instrumentation is cooler then ice

  • 1. Why instrumentation is cooler then ice
    Alex Moneger
  • 3. The myth
    • Fuzzing is easy
    • Fuzzing is simple
    • Instrumentation is left as an exercise to the reader
  • 4. The truth
    • Fuzzing requires effort
    • Generally requires adapting the target code
    • Most of the time requires building a corpus of inputs
    • Requires minimizing the corpus
    • Requires instrumentation:
      – Did my target crash?
      – On what input?
      – Are my new inputs useful?
  • 5. The hurdles
    • Tool selection
    • Tool integration
    • Reliability
    • Scale
    • A bug found prevents the fuzzer from reaching further areas of code
  • 7. Before
    • 2 approaches:
      – Mutate data forever (randomly, byte flip, …)
      – Model data, mutate fields separately (Spike, Peach, Codenomicon, …)
    • Run for some iterations or until all states are modeled
    • Hope for the best
  • 8. Today
    • Genetic algorithms => retain only the best inputs for further mutation
      1. Mutate best input
      2. Send to target
      3. Measure impact based on some metric
      4. Discard or prioritize input, back to 1.
  • 9. Code coverage
    • Code coverage is the most used metric
    • Tells you if an input has triggered new code paths
    • All tools try to measure code coverage one way or another
    • Can be achieved by:
      – binary instrumentation (PIN, DynamoRIO)
      – static rewriting (Dyninst)
      – kernel probing (perf)
      – HW (Intel BTS => branch trace store)
  • 10. How does it work
    • Model control flow using basic blocks
    • Discard unconditional edges (JMPs)
    • First approach: trace the callgraph
    • Hard to compare 2 callgraphs
    • Best approach: retain edge counts
    • Provides an unordered code coverage heatmap
  • 12. Compare code coverage maps?
    • Gained edges - lost edges > 0?
    • Simple, but will crush path divergence
    • Solution: keep track of interesting diverging paths
    • When there are no new edges, check edge hitcounts
    • Higher hitcounts mean you control a loop boundary
  • 14. Corpus minimization
    • You have collected all XML documents or IM packets from the internet
    • What is the minimal set of inputs which achieves maximal code coverage?
    • Open all inputs and record code coverage
    • Keep only valuable inputs
  • 15. In practice
    • No open source tools to achieve this
    • Notable exception, with source on *nix for files => afl-cmin to the rescue
    • Otherwise, a good base is runtracer, drcov or the coco.cpp pintool
    • Building the minset is up to you after that
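Slides 14 and 15 leave building the minset to the reader. The following is an added example, not code from the talk or from afl-cmin itself, of the greedy rule afl-cmin applies: for every edge seen anywhere in the corpus, the smallest input that reaches it is kept. It assumes coverage has already been recorded per input by whatever tracer you use (drcov, a pintool) and reduced to a list of edge ids; the five-file corpus is constructed.

```c
/* Added example, not code from the talk: greedy corpus minimization in the
 * spirit of afl-cmin. Assumptions: each input's coverage was already recorded
 * by the tracer of your choice (drcov, a pintool, ...) and reduced to a list
 * of edge ids; the corpus below is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_EDGES 8

typedef struct {
    const char *name;           /* constructed file name */
    size_t size;                /* input length; smaller wins ties */
    uint32_t edges[MAX_EDGES];  /* distinct edge ids this input reaches */
    int n_edges;
} input_cov_t;

static int covers(const input_cov_t *in, uint32_t edge) {
    for (int i = 0; i < in->n_edges; i++)
        if (in->edges[i] == edge) return 1;
    return 0;
}

static int by_size(const void *a, const void *b) {
    const input_cov_t *x = *(const input_cov_t *const *)a;
    const input_cov_t *y = *(const input_cov_t *const *)b;
    return (x->size > y->size) - (x->size < y->size);
}

/* afl-cmin's rule: for every edge seen anywhere, the smallest input reaching
 * it is kept. Sets keep[i] for kept inputs and returns how many were kept.
 * Greedy, so not optimal: an input survives if it is the smallest to reach
 * one edge, even when a bigger kept input reaches all of its edges. */
int minimize_corpus(const input_cov_t *inputs, int n, int *keep) {
    const input_cov_t **order = malloc((size_t)n * sizeof *order);
    int kept = 0;
    if (!order) return -1;
    for (int i = 0; i < n; i++) { order[i] = &inputs[i]; keep[i] = 0; }
    qsort(order, (size_t)n, sizeof *order, by_size);
    for (int i = 0; i < n; i++)
        for (int e = 0; e < inputs[i].n_edges; e++)
            for (int k = 0; k < n; k++)
                if (covers(order[k], inputs[i].edges[e])) {
                    int idx = (int)(order[k] - inputs);
                    if (!keep[idx]) { keep[idx] = 1; kept++; }
                    break;
                }
    free(order);
    return kept;
}

/* Distinct edges reached by the inputs with keep[i] set (keep == NULL: all). */
int distinct_edges(const input_cov_t *inputs, int n, const int *keep) {
    uint32_t *seen = malloc((size_t)n * MAX_EDGES * sizeof *seen);
    int ns = 0;
    if (!seen) return -1;
    for (int i = 0; i < n; i++) {
        if (keep && !keep[i]) continue;
        for (int e = 0; e < inputs[i].n_edges; e++) {
            int dup = 0;
            for (int s = 0; s < ns && !dup; s++) dup = seen[s] == inputs[i].edges[e];
            if (!dup) seen[ns++] = inputs[i].edges[e];
        }
    }
    free(seen);
    return ns;
}

/* Constructed corpus: c.xml reaches everything a.xml and b.xml do, and e.xml
 * reaches nothing that smaller files do not. */
static const input_cov_t CORPUS[] = {
    {"a.xml", 120, {1, 2, 3}, 3},
    {"b.xml", 80, {1, 2}, 2},
    {"c.xml", 200, {1, 2, 3, 4}, 4},
    {"d.xml", 50, {5}, 1},
    {"e.xml", 300, {1, 5}, 2},
};
#define N_CORPUS ((int)(sizeof CORPUS / sizeof CORPUS[0]))

static int DEMO_KEEP[N_CORPUS];
static int DEMO_KEPT = -1;
static void demo_run(void) {
    if (DEMO_KEPT < 0) DEMO_KEPT = minimize_corpus(CORPUS, N_CORPUS, DEMO_KEEP);
}
int demo_kept_count(void) { demo_run(); return DEMO_KEPT; }
int demo_minset_edges(void) { demo_run(); return distinct_edges(CORPUS, N_CORPUS, DEMO_KEEP); }
int demo_is_kept(const char *name) {
    demo_run();
    for (int i = 0; i < N_CORPUS; i++)
        if (strcmp(CORPUS[i].name, name) == 0) return DEMO_KEEP[i];
    return -1;
}

int main(void) {
    printf("kept %d of %d inputs, %d of %d edges\n", demo_kept_count(), N_CORPUS,
           demo_minset_edges(), distinct_edges(CORPUS, N_CORPUS, NULL));
    for (int i = 0; i < N_CORPUS; i++)
        printf("  %s %s\n", CORPUS[i].name, DEMO_KEEP[i] ? "keep" : "drop");
    return 0;
}
```

On the constructed corpus the minset drops e.xml and keeps four files while still reaching all five edges. It also keeps a.xml even though c.xml covers a superset of its edges, because a.xml is the smallest file reaching edge 3; that is the price of the greedy rule, and it is why a minset built this way is a good base rather than a provably minimal set.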
  • 17. An application
    • You want to fuzz an application/library
    • What next?
  • 18. A few obvious questions first
    • Do you have source code?
    • Where does it take input from?
      – Network
      – File
      – …
    • Do you already have valid inputs?
      – Packets
      – PDF
      – …
  • 19. First of all
    • Turn on coredumps
    • Throw whatever you have at the binary
    • dd if=/dev/urandom bs=1024 count=1 | nc localhost 1234
    • Or mutate some corpus inputs with radamsa
    • Keep the CPU busy whilst you figure out a plan
    • Now think
  • 20. You have source code
    • Find a way to get it to work with American Fuzzy Lop
    • AFL: "batteries included"
    • AFL works great:
      – File input
      – Amazing performance/reliability (forkserver)
      – Instrumentation/stats built in (ASM instrumentation)
      – Scaling (distributed fuzzing)
    • Limitations:
      – Network fuzzing
      – Any form of daemon
  • 21. Wrapping for AFL
    • Target can read from stdin or argv: you're good
    • Otherwise, write a wrapper around your target functions
    • Read_from_stdin(char *buf) { target_func(buf); exit(); }
    • Problem: complex when functions are tightly coupled (globals, complex structs, …)
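Slide 21 sketches the wrapper in one line. Below is an added example of that wrapper written out in the shape AFL expects, not code from the talk: it reads the whole of stdin into memory, copies it into an exactly-sized heap buffer, resets the target's global state, and calls the target once. `target_parse` and its global `g_pairs_seen` are a hypothetical stand-in for the library function you want to fuzz, kept deliberately stateful to show the reset the slide's "tightly coupled" caveat demands.

```c
/* Added example, not code from the talk: the stdin wrapper the slide sketches,
 * in the shape AFL expects. target_parse is a hypothetical stand-in for the
 * library function you want to fuzz; it keeps a global on purpose, to show the
 * state reset the harness must do when target functions are coupled. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_INPUT (1u << 20)   /* bound the read so a huge file cannot exhaust memory */

/* Hypothetical target: counts "KEY=VALUE" lines in a buffer. */
static int g_pairs_seen = 0;

int target_parse(const uint8_t *buf, size_t len) {
    size_t i = 0;
    while (i < len) {
        size_t eol = i, eq;
        while (eol < len && buf[eol] != '\n') eol++;
        for (eq = i; eq < eol && buf[eq] != '='; eq++) {}
        if (eq < eol && eq > i) g_pairs_seen++;   /* non-empty key, '=' on the line */
        i = eol + 1;
    }
    return g_pairs_seen;
}

/* Reset every global the target touches, so each input is judged on its own. */
static void target_reset(void) { g_pairs_seen = 0; }

/* One harness iteration. The input is copied into an exactly-sized heap buffer
 * so an off-by-one read inside the target lands on a redzone that ASan (or
 * valgrind) reports, instead of silently reading harness memory. */
int run_one_input(const uint8_t *data, size_t len) {
    uint8_t *copy = malloc(len ? len : 1);
    if (!copy) return -1;
    if (len) memcpy(copy, data, len);
    target_reset();
    int rc = target_parse(copy, len);
    free(copy);
    return rc;
}

/* Read all of stdin into memory, growing the buffer up to MAX_INPUT. */
static size_t read_stdin(uint8_t **out) {
    size_t cap = 4096, len = 0, n;
    uint8_t *buf = malloc(cap);
    *out = NULL;
    if (!buf) return 0;
    while ((n = fread(buf + len, 1, cap - len, stdin)) > 0) {
        len += n;
        if (len == cap) {
            if (cap >= MAX_INPUT) break;
            uint8_t *tmp = realloc(buf, cap * 2);
            if (!tmp) { free(buf); return 0; }
            buf = tmp; cap *= 2;
        }
    }
    *out = buf;
    return len;
}

/* AFL runs this once per input (many times behind the forkserver); it does not
 * look at the exit code, only at signals such as SIGSEGV and SIGABRT. */
int main(void) {
    uint8_t *data;
    size_t len = read_stdin(&data);
    int rc = run_one_input(data, len);
    free(data);
    return rc < 0 ? 1 : 0;
}
```

Build it with afl-gcc (or afl-clang) in place of the normal compiler so the basic blocks get instrumented, then run `afl-fuzz -i corpus -o findings -- ./harness`; because the harness reads stdin, no `@@` file argument is needed. If the real target reads from globals or complex structs set up elsewhere, the reset step grows accordingly, which is exactly the coupling problem the slide warns about.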
  • 22. No source?
    • Things start to get messy
    • Options:
      – afl-qemu
      – afl-pin
      – afl-dyninst
      – Honggfuzz (Linux or requires HW support)
      – …
  • 23. Mo problem
    • Idea is always the same
    • Through instrumentation, get code coverage info
    • Bind it some way to AFL:
      – AFL-qemu => use QEMU userland to hook BBLs
      – AFL-PIN => use PIN to hook BBLs, no forkserver support
      – AFL-Dyninst => static rewrite to hook BBLs
  • 25. Gaps
    • Smart fuzzing of network daemons
    • Corpus minimization
    • Windows support
    • Triaging (exploitable doesn't work on cores)
    • We need to build bricks, not solutions
  • 26. Reference
    • Best advice on fuzzing by Ben Nagy: http://seclists.org/dailydave/2010/q4/47

Editor's Notes

  1. What tool does the job (Peach, AFL, libFuzzer, …)? How do I collect crashes, triage them, instrument? My fuzzer crashed after a 2-week run. How do I synchronize my fuzzers/targets? Stagefright talk at Defcon: the audience hadn't heard about AFL; the presenter had to fix a ton of bugs for the fuzzer to make progress.
  2. Count the edges, and the variation in the edges. Example: tcp+3397 => tcp+3411 will count as 3 edges in the code coverage map.
  3. AFL is an impressive tool. Check out how it works for
  4. Building a product for fuzzing is very similar to building a product for Q&A: you need to make loosely coupled modules which can be unit tested. This makes fuzzing jobs way easier. Having a ball of code of 5M LOC with a trail of dependencies makes it very hard to fuzz.