Increased complexity makes it very hard and time-consuming to keep your software bug-free and secure. We introduce fuzz-testing as a method for automatically and continuously discovering vulnerabilities hidden in your code. The talk will explain how fuzzing works and how to integrate fuzz-testing into your Software Development Life Cycle to increase your code’s security.

1. Fuzz-testing: A hacker's approach to making
your code more secure
Pascal Zenker @parzel2 <pascal.zenker@posteo.de>
Vincent Ulitzsch @vinulium <vincent@srlabs.de>
Berlin | November 12 - 13, 2019

2. Who are we?
2
▪ Researcher at Security Research Labs (srlabs.de)
▪ Found multiplevulnerabilitiesin OSS with fuzzing
▪ Presented about fuzz-testing at BlackhatUSA
▪ Degree in Computer Science from TU Berlin
Vincent Ulitzsch / @vinulium / vincent@srlabs.de
▪ IndependentSecurity Researcher
▪ Member of Synack Red Team
▪ Offensive Security Certified Professional
▪ Degree in Computer Science from RWTH Aachen
Pascal Zenker / @parzel2 / pascal.zenker@postoe.de

3. You should fuzz-test your programs to tame complexityand identify vulnerabilities and bugs
early in the development process
3
▪ Software is too complex to manuallyensure your
software is bug-free
▪ As a defender/programmer, you need to fix every
mistake. Attackers only need one bug.
▪ Developerscan easily find bugs that affect the building
process and functionalityof the software, but corner
cases remain undetected.
▪ Code size increases but manualwork does not scale
Without fuzzing
▪ Fuzz testing fights complexity with computational brute
force.
▪ Attackers use fuzzers.We, as defenders, should as well.
▪ Fuzzing’s randomnessdetects corner cases.
▪ By integratingfuzz-testing in your software
developmentlifecycle and continuouslyfuzzing your
software, you can detect bugs early in the development
process.
With fuzzing

4. Fuzz-testingcan be used to identify high severity vulnerabilities
4
Researchers from Google leveraged fuzz-testing to find
security vulnerabilitiesin iMessage
Fuzzing was used to identify vulnerabilities
in libstagefright

5. Fuzz testing can be used to identify vulnerabilities in applications
5
We show you how fuzz testing can be used to identify vulnerabilities in
▪ Vulnerabilities: XSS, SQLi, Command Injection, …
▪ Tools: ffuf, Burp Suite, custom fuzzers
Web applicationsBinary applications
▪ Vulnerabilities: Memory corruptions, Denial of Service
▪ Often found through coverage guided fuzzing
▪ Tools: AFL, libfuzzer, go-fuzz, honggfuzz

6. Fuzzing engine
Seed the fuzzing engine with
valid program input
Fuzzing engine observes
behavior and saves
interesting testcases, e.g.,
crashing inputs
Fuzzing engine takes some
program input, mutates it,
runs it against the target
Fuzz-testingis a technique to identify vulnerabilities via mutating valid program input
6
Seeds Mutate + run input Target
Interesting
cases
c
a cb
Observe behaviour
ba

7. Fuzzing engine
Seed the fuzzing engine with
valid program input
Fuzzing engine observes
behavior and saves
interesting testcases, e.g.,
crashing inputs
Fuzzing engine takes some
program input, mutates it,
runs it against the target
Add inputs that yield new
coverage to input queue
Coverage guided fuzzing mutates seeds and adds them to a corpus if they yield new code
coverage
7
Seeds Mutate + run input Target
Interesting
cases
c
a cb d
Observe behaviour
ba
New
coverage
d

8. By adding inputs that yield new coverage to the seed collection, coverage guided fuzzing can
detect bugs not detected by usual fuzzers
8
Fuzzing engine
Seeds Mutate + run input Target
Interesting
cases
Observe behaviour
New
coverage
if (input[0]==‘F’){
void parse_input(char *input){
if(input[1]==‘U’){
if(input[2]==‘Z’){
if(input[3]==‘Z’){
//CRASH here
Seed queue
Input: F

9. By adding inputs that yield new coverage to the seed collection, coverage guided fuzzing can
detect bugs not detected by usual fuzzers
9
Fuzzing engine
Seeds Mutate + run input Target
Interesting
cases
Observe behaviour
New
coverage
if (input[0]==‘F’){
void parse_input(char *input){
if(input[1]==‘U’){
if(input[2]==‘Z’){
if(input[3]==‘Z’){
//CRASH here
Seed queue
Input: F
Input: FU

10. By adding inputs that yield new coverage to the seed collection, coverage guided fuzzing can
detect bugs not detected by usual fuzzers
10
Fuzzing engine
Seeds Mutate + run input Target
Interesting
cases
Observe behaviour
New
coverage
if (input[0]==‘F’){
void parse_input(char *input){
if(input[1]==‘U’){
if(input[2]==‘Z’){
if(input[3]==‘Z’){
//CRASH here
Seed queue
Input: F
Input: FU
Input: FUZ

11. By adding inputs that yield new coverage to the seed collection, coverage guided fuzzing can
detect bugs not detected by usual fuzzers
11
if (input[0]==‘F’){
void parse_input(char *input){
if(input[1]==‘U’){
if(input[2]==‘Z’){
if(input[3]==‘Z’){
//CRASH here
Seed queue
Input: F
Input: FU
Input: FUZ
Input: FUZZ
Fuzzing engine
Seeds Mutate + run input Target
Interesting
cases
Observe behaviour
New
coverage

12. A typical binary fuzzing run can be divided into five steps:Target selection, building, seed
selection, fuzzing, triaging
12
▪ Select functions
that parse complex
input
▪ Write functions
that takes fuzzer
data and passes it
to the function
under test
▪ Fuzzing needs a set
of seeds to start:
Seeds should be
validinput to
program
▪ Seeds should be
small and diverse
▪ C/C++: afl-fuzz,
libfuzzer, honggfuzz
▪ Go: go-fuzz
▪ Rust: honggfuzz-rs
▪ [...]
▪ Prepare target so
that we can easily
measure coverage.
▪ Usually done at
compile time:
Compiler options
often come with
the fuzzer
Triage crashes!Fuzz/Stress test!Select seeds
Build with
instrumentation
Select target functions
Write harness
1 42 3 5
Fuzzingconsists of five steps

13. Demo: Using libfuzzer to identify a memory corruption bug in a C-program
13
Demo

14. Fuzz-testingcan be used to stress-testweb applications and identify various vulnerabilities, e.g.
SQL injections, XSS, SSRF, SSTI
14
Seeds
Fuzzing
engine Target
Interesting
cases
Observe response: Identify anomalies
XSS
SQLi
SSTI
Different location
Response time
Evaluated expression
Run input

15. Web application fuzzing consists of four steps:Selecting a target endpoints, select an
appropriate input structure, fuzzing and triaging
15
▪ Select parameters that
interact with the website
e.g. reflected valueor
databaseinteraction
▪ ffuf
▪ Burp Suite
▪ Custom fuzzer with
Selenium using Firefox /
Chrome headless
▪ [...]
▪ Identify if anomaliesare
vulnerabilities,e.g., XSS
▪ Identify and fix root
cause of those
vulnerabilities
▪ Fuzzing needs input that
can produce anomalies
▪ A simple approachis to
use a wordlist with a lot
of inputs to stress our
filters
▪ More complex services
or parsers can be fuzzed
with e.g. grammar-based
approaches
Triage anomaliesFuzz/Stress test!
Select appropriateinput
structure
Select target endpoint
1 42 3
Fuzzingconsists of four steps

16. XSS is the reflected insertion of malicious Javascript
16
?search=test
Input
Result
</h1>Displaying results for
test</html>
Source
?search=<script>alert("XSS")
</script>
</h1>Displaying results for
<script>alert("XSS")</script>
</html>
<?php
$search_term = $_GET["search"];
echo "<html>";
echo "<h1>Search Results</h1>";
echo "Displaying results for".
$search_term;
echo "</html>";
?>

17. Demo: Identifying a XSS vulnerability with a simple custombuild API fuzzer
17
Demo

18. The fully automated nature of fuzz-testingcan be leveraged to integrate fuzz-testing into
continuous integration as addition to classical software testing
18
Run software tests & fuzzing after
each code change
Fuzzing and software testing
complement each other: Add unit
tests for bugs found by fuzzing
Fix bugs found by software testing
and fuzzing. Reiterate the process
a
b
c
BuildCode Release
Software
testing
Fuzz
testing
b
a
c

19. A dedicated fuzzing server can easily be integrated into your continuous integration setup
19
Code should be pulled and fuzzed
from code repository on a regular
basis
a
Fuzzing setup stores seed corpus
and old crashes found
c
Run seed corpus and old crashes
against current version to prevent
regressions
b
Dedicated fuzzing server
Old fuzzer outputs
Software repository
Seeds Crashes
a
c
b

20. Key Takeaways
20
1
Integrate fuzz-testinginto your software development lifecycle to detect bugs
early in the development process
2 Fuzz-testingcan fight software complexity with computationalpower
3 Fuzzing is easy: Start small and improve!
Thank you for your attention!
@vinulium/ vincent@srlabs.de
@parzel2 / pascal.zenker@posteo.de
https://github.com/parzel/codemotion-fuzzing-demo