Presentation is loading. Please wait.

Presentation is loading. Please wait.

Objective Explain basic fuzzing with concrete coding example

Similar presentations


Presentation on theme: "Objective Explain basic fuzzing with concrete coding example"— Presentation transcript:

1 CAP6135: Malware and Software Vulnerability Analysis Fuzzing Test Example Cliff Zou Spring 2016

2 Objective Explain basic fuzzing with concrete coding example
Fuzzing code that can run under Linux Explain how the vulnerable code in programming project 2 is derived Introduce several useful techniques in doing the fuzzing test on project 2

3 Example Code $ fuzzTest-target 200 “what is this?” 2
Example code needs three inputs Int, string, Int int inputInteger; /* global variable */ void (*foo)(short); if (argc != 4){ fprintf(stderr, "fuzzTest needs 3 input parameters: int string int!\n"); exit(0); } sscanf(argv[1], "%d", &inputInteger); my_func(inputInteger, argv[2], argv[3]); Subfun my_func() introduces 3 man-made bugs

4 Bug # 1: Integer Overflow
int my_func(short argLen, char *str, char *divStr) { int denominator; float x; char buf[bufLen]; if (argLen != inputInteger) { fprintf(stderr, "Bug #1: integer overflow triggered\n"); foo = (void *)0xbfffffff; foo(argLen); /* trigger illegal instruction fault */ exit(1); Int variable inputInteger changes to short Overflow happens when inputInteger>32767 foo() is a function pointer Give it an arbitrary address will cause illegal memory reference for executing code A simple way to cause a program to crash

5 Bug # 2: buffer Overflow char buf[10]; if (strlen(str) > 10){
fprintf(stderr, "Bug #2: buffer overflow triggered. strlen=%d\n", strlen(str)); strcpy(buf, str); /* trigger segmentation fault or stack smashing error */ return 2; /*if overwriting return address, it will cause segmentation fault */ }

6 Bug #3: divide by zero int denominator; float x; sscanf(divStr, "%d", &denominator); if (denominator == 0){ x = argLen / denominator; fprintf(stderr, "Bug #3: division by zero triggered\n"); foo = (void *)0xbffbffff; foo(argLen); /* trigger illegal instruction fault */ }else return 0; The divide by zero error will usually not cause a program to crash Thus we use the foo function to make sure the program will crash when this bug is triggered

7 Fuzzer Outline Generate inputs (random or follow rules)
firstInt = rand()%50000; secondInt = rand() % 2; arraySize = rand() % 20; charArray = (char *) malloc(arraySize); for (j=0; j< arraySize; j++) charArray[j] = 'A'; charArray[arraySize-1] = NULL; Generate execution command line sprintf(buffer, "./fuzzTest-target %d \"%s\" %d\n", firstInt, charArray, secondInt); free(charArray); /* must free memory for repeat testing! */

8 Fuzzer Outline Execute target code ret = system(buffer);
Obtain target execution exit code wait(&status); retCode = WEXITSTATUS(ret); Check abnormal exit code and record inputs that cause the abnormal if ( retCode == || retCode ==128+4) /* segmentation fault (11) or illegal (4) */ { printf("retCode=%d ## Input: firstInt = %d, arraySize = %d, secondInt = %d\n", retCode, firstInt, arraySize, secondInt); fflush(stdout); /*make sure output is print out immediately ! */ } Repeat from start in generating inputs

9 List of Unix Signal Number
You can find it at: The WEXITSTATUS() returns a value that is the signal number that caused the termination plus 128

10 How to Record Fuzzing Result?
When abnormal happens, record down inputs that cause the abnormal Record the corresponding abnormal message printout by target code Unix OS I/O definition: stdin (0), stdout (1), stderr (2) I/O redirection: $ Command < data.txt: let stdin get from file (instead of keyboard) $ Command > output.txt: let stdout redirect to file $ Command 2> error.txt: let stderr redirect to file $ Command &> output.txt: let stdout and stderr redirect to file For our example: $./fuzzTest100 &> output.txt


Download ppt "Objective Explain basic fuzzing with concrete coding example"

Similar presentations


Ads by Google