Fuzz Testing (Fuzzing) Eng. Hector M Lugo-Cordero, MS CIS 4361 Jan 27, 2012.


Resources
The following slides are a mixture from Dr. Cliff Zou’s Malware class and personal knowledge.

Review
Memory-safety vulnerabilities
–Buffer overflow
–Format string
–Integer overflow
Runtime detection
–Runtime bounds check: Purify, Jones & Kelly (string bound check); expensive
–Runtime detection of overwrite: StackGuard, etc.; practical, but only covers certain types of attacks
–Runtime mitigation to make attacks hard: randomization; practical, but not foolproof

iPhone Security Flaw
Jul 2007: “researchers at Independent Security Evaluators, said that they could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code. The hack, the first reported, allowed them to tap the wealth of personal information the phones contain.”
Found by Charles Miller
–Dr. Charlie Miller presented the details of the exploit at BlackHat in Las Vegas on August 2. The slides from this talk are also available.
Details see:

iPhone attack
iPhone Safari downloads malicious web page
–Arbitrary code is run with administrative privileges
–Can read SMS log, address book, call history, other data
–Can perform physical actions on the phone: system sound and vibrate the phone for a second; could dial phone numbers, send text messages, or record audio (as a bugging device)
–Can transmit any collected data over network to attacker

0days Are a Hacker Obsession
An 0day is a vulnerability that’s not publicly known
Modern 0days often combine multiple attack vectors & vulnerabilities into one exploit
–Many of these are used only once on high value targets
0day statistics
–Often open for months, sometimes years

How to Find a 0day?
Step #1: obtain information
–Hardware, software information
–Sometimes the hardest step
Step #2: bug finding
–Manual audit
–(semi)automated techniques/tools: fuzz testing (focus of this lecture)

Fuzz Testing
Attempt to crash or hang a program by feeding it malformed inputs
Blackbox fuzzing
–Generational
–Mutation

Trivial Example
Standard HTTP GET request
–GET /index.html HTTP/1.1
Anomalous requests
–AAAAAA...AAAA /index.html HTTP/1.1
–GET ///////index.html HTTP/1.1
–GET %n%n%n%n%n%n.html HTTP/1.1
–GET /AAAAAAAAAAAAA.html HTTP/1.1
–GET /index.html HTTTTTTTTTTTTTP/1.1
–GET /index.html HTTP/

Regression vs. Fuzzing
Regression: run the program on many normal inputs, look for badness
–Goal: prevent normal users from encountering errors
Fuzzing: run the program on many abnormal inputs, look for badness
–Goal: prevent attackers from encountering exploitable errors

Fuzz Testing: Motivation
Nobody is perfect
Programs may be very large and difficult to test
Find bugs to fix
Exploit programs for malware

Fuzz Testing: Challenges
Random fuzzing has to cover a huge sample space
–E.g., an audio signal of 4 s is 32k bytes (256,000 bits), i.e. 2^256,000 possible values
Symbolic fuzzing can’t bypass checksum instructions

Approach I: Black-box Fuzz Testing
Given a program, simply feed it random inputs and see whether it crashes
Advantage: really easy
Disadvantage: inefficient
–Input often requires structure; random inputs are likely to be malformed
–Inputs that would trigger a crash are a very small fraction, so the probability of getting lucky may be very low

Enhancement I: Mutation-Based Fuzzing
Take a well-formed input and randomly perturb it (flipping bits, etc.)
Little or no knowledge of the structure of the inputs is assumed
Anomalies are added to existing valid inputs
Anomalies may be completely random or follow some heuristics
–e.g. remove NUL, shift character forward
Examples:
–ZZUF, very successful at finding bugs in many real-world programs
–Taof, GPF, ProxyFuzz, FileFuzz, Filep, etc.

Example: fuzzing a pdf viewer
Google for .pdf (about 1 billion results)
Crawl pages to build a corpus
Use a fuzzing tool (or script) to:
–1. Grab a file
–2. Mutate that file
–3. Feed it to the program
–4. Record whether it crashed (and the input that crashed it)

Mutation-based Fuzzing In Short
Strengths
–Super easy to set up and automate
–Little to no protocol knowledge required
Weaknesses
–Limited by initial corpus
–May fail for protocols with checksums, those which depend on challenge response, etc.

Enhancement II: Generation-Based Fuzzing
Test cases are generated from some description of the format: RFC, documentation, etc.
–Using specified protocol/file format info
–E.g., SPIKE by Immunity
Anomalies are added to each possible spot in the inputs
Knowledge of the protocol should give better results than random fuzzing

Generation-Based Fuzzing In Short
Strengths
–Completeness
–Can deal with complex dependencies, e.g. checksums
Weaknesses
–Have to have a spec of the protocol; often good tools exist for established protocols, e.g. HTTP, SNMP
–Writing a generator can be labor intensive for complex protocols
–The spec is not the code: our goal is code testing, not spec testing
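The slides on mutation-based fuzzing (the grab/mutate/feed/record loop, the "remove NUL" and "shift character forward" heuristics) and on generation-based fuzzing (anomalies placed in each field of a described format, checksums handled by the generator) can be seen side by side on one small target. The following is an added example written for this transcript, not code from the lecture or from any of the tools it names. The record format (length byte, payload, one-byte checksum), the deliberately sloppy parser that trusts the length byte, the seed corpus and all function names are constructed for the illustration; the IndexError the parser raises stands in for the out-of-bounds read a native parser would make.

```python
import random

# Constructed record format for this example (an assumption, not a format from the slides):
# records placed back to back, each [1-byte length][payload][1-byte checksum = sum(payload) mod 256].
def make_record(payload: bytes) -> bytes:
    return bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])

def parse_records(data: bytes) -> list:
    """Constructed fuzz target. It verifies the checksum but trusts the length byte, so a
    record claiming more bytes than remain reads past the end of the buffer."""
    records, pos = [], 0
    while pos < len(data):
        length = data[pos]
        payload = data[pos + 1:pos + 1 + length]
        checksum = data[pos + 1 + length]       # IndexError when length overruns the buffer
        if sum(payload) & 0xFF != checksum:
            raise ValueError("bad checksum")    # graceful rejection, not a crash
        records.append(payload)
        pos += 2 + length
    return records

# --- Mutation-based fuzzing: perturb a valid seed with the heuristics named on the slides ---
def flip_bit(data: bytes, rng: random.Random) -> bytes:
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return bytes(buf)

def shift_char(data: bytes, rng: random.Random) -> bytes:
    buf = bytearray(data)
    i = rng.randrange(len(buf))
    buf[i] = (buf[i] + 1) & 0xFF                # "shift character forward"
    return bytes(buf)

def remove_nul(data: bytes, rng: random.Random) -> bytes:
    nuls = [i for i, b in enumerate(data) if b == 0]
    if not nuls:
        return data
    i = rng.choice(nuls)
    return data[:i] + data[i + 1:]

MUTATORS = [flip_bit, shift_char, remove_nul]

def mutate(seed: bytes, rng: random.Random) -> bytes:
    data = seed
    for _ in range(rng.randint(1, 3)):          # stack one to three random mutations
        if data:
            data = rng.choice(MUTATORS)(data, rng)
    return data

# --- Generation-based fuzzing: build inputs from the format description ---
LENGTH_ANOMALIES = [0, 1, 127, 255]
PAYLOAD_ANOMALIES = [b"", b"A" * 255, b"%n" * 8, b"\x00" * 16]

def generate_cases(payloads):
    """Put one anomaly in each field of each record in turn, keeping everything else
    well-formed and recomputing the checksum so the input is not rejected outright."""
    base = [make_record(p) for p in payloads]
    for i, payload in enumerate(payloads):
        for n in LENGTH_ANOMALIES:              # anomaly in the length field
            rec = bytes([n]) + payload + bytes([sum(payload) & 0xFF])
            yield b"".join(base[:i] + [rec] + base[i + 1:])
        for p in PAYLOAD_ANOMALIES:             # anomaly in the payload field
            yield b"".join(base[:i] + [make_record(p)] + base[i + 1:])

# --- Harness: classify every input as parsed, rejected by the checksum, or crashed ---
def run_campaign(inputs):
    tally = {"ok": 0, "rejected": 0, "crash": 0}
    first_crash = None
    for inp in inputs:
        try:
            parse_records(inp)
            tally["ok"] += 1
        except ValueError:
            tally["rejected"] += 1
        except Exception:                       # anything else is a crash worth recording
            tally["crash"] += 1
            if first_crash is None:
                first_crash = inp               # keep the input that crashed the target
    return tally, first_crash

SEED_PAYLOADS = [b"hello", b"", b"fuzz"]        # constructed seed corpus
SEED = b"".join(make_record(p) for p in SEED_PAYLOADS)

def mutation_campaign(iterations: int = 2000, rng_seed: int = 1):
    rng = random.Random(rng_seed)
    return run_campaign(mutate(SEED, rng) for _ in range(iterations))

def generation_campaign():
    return run_campaign(generate_cases(SEED_PAYLOADS))

if __name__ == "__main__":
    print("mutation  :", mutation_campaign()[0])
    print("generation:", generation_campaign()[0])
```

The two tallies make the trade-off on the slides concrete: most mutated inputs die on the checksum check and only the minority that happen to hit a length byte reach the bug, while the generator, which knows the format and recomputes the checksum, walks each field with a handful of anomalies and reaches the same bug in a few dozen cases. In a real campaign the target would be a separate process under a crash monitor and the recorded crashing inputs would be minimised and triaged.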

Other Approaches
White-box Fuzzing
–Code is known
–Can use symbolic execution
–Potential inputs can be known
Novelty Search (Gray-box fuzzing?)
–Evolutionary computation keeping track of which genes (bits) give more chance of code exploitation
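The gray-box idea on the last slide, an evolutionary search that keeps the inputs whose "genes" reach new code, is easiest to see on a target that blind mutation almost never gets through: a chain of nested byte checks. The following is an added example written for this transcript, not code from the lecture. The target, its hand-placed branch labels (standing in for the edge coverage real gray-box fuzzers get from compile-time instrumentation), the RuntimeError that stands in for the bug, and the function names are all constructed for the illustration.

```python
import random

def instrumented_target(data: bytes, hits: set) -> None:
    """Constructed target with a chain of nested checks. Each branch records a label in
    `hits`; the innermost branch raises, standing in for the bug the fuzzer wants to reach."""
    hits.add("entry")
    if len(data) >= 4 and data[0] == ord("F"):
        hits.add("byte0")
        if data[1] == ord("U"):
            hits.add("byte1")
            if data[2] == ord("Z"):
                hits.add("byte2")
                if data[3] == ord("Z"):
                    hits.add("byte3")
                    raise RuntimeError("constructed bug reached")

def mutate_one_byte(data: bytes, rng: random.Random) -> bytes:
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def evolutionary_fuzz(target, seed: bytes, rng_seed: int = 0, max_iters: int = 200_000) -> dict:
    """Keep a corpus of inputs; a child survives only if it reaches a branch no earlier
    input reached (its genes are new). Parents are drawn from the fittest members, so the
    search climbs the check chain one byte at a time instead of guessing all four at once."""
    rng = random.Random(rng_seed)
    corpus = [(0, seed)]                        # (fitness = number of branches hit, input)
    seen = set()
    for it in range(1, max_iters + 1):
        best = max(f for f, _ in corpus)
        parent = rng.choice([d for f, d in corpus if f == best])
        child = mutate_one_byte(parent, rng)
        hits = set()
        try:
            target(child, hits)
        except RuntimeError:
            return {"crash": child, "iterations": it, "corpus_size": len(corpus),
                    "coverage": sorted(seen | hits)}
        if hits - seen:                         # new gene found: keep this input
            seen |= hits
            corpus.append((len(hits), child))
    return {"crash": None, "iterations": max_iters, "corpus_size": len(corpus),
            "coverage": sorted(seen)}

if __name__ == "__main__":
    print(evolutionary_fuzz(instrumented_target, b"\x00\x00\x00\x00"))
```

Each level of the chain costs on the order of a thousand attempts (one byte in four, one value in 256), so the feedback-driven search reaches the innermost branch in a few thousand iterations; a mutation fuzzer that discards every child, as in the black-box approach on the earlier slides, would need all four bytes to come out right in a single input, which at one byte changed per mutation never happens from this seed.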