Biswajit Mazumder Rohit Hooda Arpan Chowdhary

 What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes: SCRASHME  sys_getdomainname()  vmsplice() : Local Root Exploit  Conclusion

 Short for FUZZ-TESTING.  Technique of Black-box testing Black Box Fuzzer Inputs: Malformed / SemiMalformed Random / Adaptive Crashes / Information leaks / Delays

 Event-Driven Fuzz  Character-Driven Fuzz  Database Fuzz

Based on type of Fuzzer:  Tool oriented Fuzzing  Manual Fuzzing Based on Attack Targets:  Application fuzzing.  Protocol fuzzing.  File-format fuzzing.  Operating System fuzzing.

 Simple fuzz approach using a pseudo random number generator as input.  Validation of fuzz attempts to assure that the random input is reasonable.  A combined approach using valid test data and invalid random input interjection.

 Open source system call fuzzer for Linux.  Stress tests system calls for robustness and security flaws.  -i: use sanitize methods before calling syscalls.  -c#: do syscall # with random inputs.  -C: check syscalls that call capable() return - EPERM.  -r: call random syscalls with random inputs.  -Sr: pass struct filled with random junk.  -Sxx: pass struct filled with hex value xx.  -x#: use value as register arguments.  -z: use all zeros as register parameters.

 Support for new syscall #333 in Linux Kernel i.e. sys_getdomainname().  Sanitize method for Local root exploit for vmsplice() syscall.

/* Structure describing the system and machine. */ struct utsname { /* Name of the implementation of the operating system. */ char sysname[_UTSNAME_SYSNAME_LENGTH]; /* Name of this node on the network. */ char nodename[_UTSNAME_NODENAME_LENGTH]; /* Current release level of this implementation. */ char release[_UTSNAME_RELEASE_LENGTH]; /* Current version level of this release. */ char version[_UTSNAME_VERSION_LENGTH]; /* Name of the hardware type the system is running on. */ char machine[_UTSNAME_MACHINE_LENGTH]; /* Name of the domain of this node on the network. */ char domainname[_UTSNAME_DOMAIN_LENGTH]; };

 getdomainname () is used to access the domain name of the current processor/node.  getdomainname() currently calls uname() in the current versions of Linux Kernel.  setdomainname() is used to change the domain name of the current processor/node.  In a FQDN e.g. temp.mynetwork.org “mynetwork” is the domainname.

asmlinkage long sys_getdomainname(char __user *name, int len) { int nlen; int err = -EINVAL; + if (len __NEW_UTS_LEN) + goto done; down_read(&uts_sem); nlen = strlen(utsname()->domainname) + 1; if (nlen < len) len = nlen; if ( copy_to_user(name, utsname()->domainname, len) ){ err = -EFAULT; goto done; } err = 0; done: up_read(&uts_sem); return err; }

 Splices a user pages into a pipe.  Provides userspace programs with full control over an arbitrary kernel buffer  “Copies" data from user space into the kernel buffer. long vmsplice(int fd, const struct iovec *iov, unsigned long nr_segs, unsigned int flags); Description: The vmsplice() system call maps nr_segs ranges of user memory described by iov into a pipe. The file descriptor fd must refer to a pipe.

 Doesn't check whether that application had the right to write to a specific memory location. So it acts as a quick-and-easy rootkit installation mechanism.  Doesn’t check whether the iovec structures (memory region) passed were in readable memory.  The third problem is in the memory-to-pipe implementation. This is an information disclosure vulnerability.

 Enables non-root user to become root  Doesn’t need specific hardware Available at: 

 Allows detection of critical security vulnerabilities in short time periods for various applications.  Simple, efficient and can be automated.  Considerable speed up of the whole process of security vulnerabilities detection.  Downside: Not the final solution for detection of all security vulnerabilities that exist in an application.