Presentation is loading. Please wait.

Presentation is loading. Please wait.

Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:

Published byCuthbert Cameron Modified over 9 years ago

Similar presentations

Presentation on theme: "Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:"— Presentation transcript:

1 Biswajit Mazumder Rohit Hooda Arpan Chowdhary

2  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes: SCRASHME  sys_getdomainname()  vmsplice() : Local Root Exploit  Conclusion

3  Short for FUZZ-TESTING.  Technique of Black-box testing Black Box Fuzzer Inputs: Malformed / SemiMalformed Random / Adaptive Crashes / Information leaks / Delays

4  Event-Driven Fuzz  Character-Driven Fuzz  Database Fuzz

5 Based on type of Fuzzer:  Tool oriented Fuzzing  Manual Fuzzing Based on Attack Targets:  Application fuzzing.  Protocol fuzzing.  File-format fuzzing.  Operating System fuzzing.

6  Simple fuzz approach using a pseudo random number generator as input.  Validation of fuzz attempts to assure that the random input is reasonable.  A combined approach using valid test data and invalid random input interjection.

7  Open source system call fuzzer for Linux.  Stress tests system calls for robustness and security flaws.  -i: use sanitize methods before calling syscalls.  -c#: do syscall # with random inputs.  -C: check syscalls that call capable() return - EPERM.  -r: call random syscalls with random inputs.  -Sr: pass struct filled with random junk.  -Sxx: pass struct filled with hex value xx.  -x#: use value as register arguments.  -z: use all zeros as register parameters.

8  Support for new syscall #333 in Linux Kernel 2.6.27.7 i.e. sys_getdomainname().  Sanitize method for Local root exploit for vmsplice() syscall.

9 /* Structure describing the system and machine. */ struct utsname { /* Name of the implementation of the operating system. */ char sysname[_UTSNAME_SYSNAME_LENGTH]; /* Name of this node on the network. */ char nodename[_UTSNAME_NODENAME_LENGTH]; /* Current release level of this implementation. */ char release[_UTSNAME_RELEASE_LENGTH]; /* Current version level of this release. */ char version[_UTSNAME_VERSION_LENGTH]; /* Name of the hardware type the system is running on. */ char machine[_UTSNAME_MACHINE_LENGTH]; /* Name of the domain of this node on the network. */ char domainname[_UTSNAME_DOMAIN_LENGTH]; };

10  getdomainname () is used to access the domain name of the current processor/node.  getdomainname() currently calls uname() in the current versions of Linux Kernel.  setdomainname() is used to change the domain name of the current processor/node.  In a FQDN e.g. temp.mynetwork.org “mynetwork” is the domainname.

11 asmlinkage long sys_getdomainname(char __user *name, int len) { int nlen; int err = -EINVAL; + if (len __NEW_UTS_LEN) + goto done; down_read(&uts_sem); nlen = strlen(utsname()->domainname) + 1; if (nlen < len) len = nlen; if ( copy_to_user(name, utsname()->domainname, len) ){ err = -EFAULT; goto done; } err = 0; done: up_read(&uts_sem); return err; }

12  Splices a user pages into a pipe.  Provides userspace programs with full control over an arbitrary kernel buffer  “Copies" data from user space into the kernel buffer. long vmsplice(int fd, const struct iovec *iov, unsigned long nr_segs, unsigned int flags); Description: The vmsplice() system call maps nr_segs ranges of user memory described by iov into a pipe. The file descriptor fd must refer to a pipe.

13  Doesn't check whether that application had the right to write to a specific memory location. So it acts as a quick-and-easy rootkit installation mechanism.  Doesn’t check whether the iovec structures (memory region) passed were in readable memory.  The third problem is in the memory-to-pipe implementation. This is an information disclosure vulnerability.

14  Enables non-root user to become root  Doesn’t need specific hardware Available at:  http://www.milw0rm.com/exploits/5092

15  Allows detection of critical security vulnerabilities in short time periods for various applications.  Simple, efficient and can be automated.  Considerable speed up of the whole process of security vulnerabilities detection.  Downside: Not the final solution for detection of all security vulnerabilities that exist in an application.

16

Download ppt "Biswajit Mazumder Rohit Hooda Arpan Chowdhary.  What is Fuzzing?  Fuzzing techniques  Types of Fuzzing  Fuzzing explained  Case study and changes:"

Similar presentations

Fuzzing for logic and state issues

Fuzzing for logic and state issues
Lecture 101 Lecture 10: Kernel Modules and Device Drivers ECE 412: Microcomputer Laboratory.

Lecture 101 Lecture 10: Kernel Modules and Device Drivers ECE 412: Microcomputer Laboratory.
Device Drivers. Linux Device Drivers Linux supports three types of hardware device: character, block and network –character devices: R/W without buffering.

Device Drivers. Linux Device Drivers Linux supports three types of hardware device: character, block and network –character devices: R/W without buffering.
USERSPACE I/O Reporter: R98922086 張凱富.

USERSPACE I/O Reporter: R 張凱富.
Topics: –DNS system –Gathering machine information How to find out the machines ip address, name, OS, version, etc.

Topics: –DNS system –Gathering machine information How to find out the machines ip address, name, OS, version, etc.
TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
By Skyler Onken.  Who am I?  What is Fuzzing?  Usual Targets  Techniques  Results  Limitations  Why Fuzz?  “Fuzzing the Web”?  Desired Solution.

By Skyler Onken.  Who am I?  What is Fuzzing?  Usual Targets  Techniques  Results  Limitations  Why Fuzz?  “Fuzzing the Web”?  Desired Solution.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Software Testing. Overview Definition of Software Testing Problems with Testing Benefits of Testing Effective Methods for Testing.

Software Testing. Overview Definition of Software Testing Problems with Testing Benefits of Testing Effective Methods for Testing.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Efficient Protection of Kernel Data Structures via Object Partitioning Abhinav Srivastava, Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012.

Efficient Protection of Kernel Data Structures via Object Partitioning Abhinav Srivastava, Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012.
DEEDS Meeting Oct., 26th 2006 Dependable, Embedded Systems and Software Group Department of Computer Science Darmstadt University of Technology Summary.

DEEDS Meeting Oct., 26th 2006 Dependable, Embedded Systems and Software Group Department of Computer Science Darmstadt University of Technology Summary.
Static Analysis for Security Amir Bazine Per Rehnberg.

Static Analysis for Security Amir Bazine Per Rehnberg.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.

1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.
Software Quality Assurance Lecture #8 By: Faraz Ahmed.

Software Quality Assurance Lecture #8 By: Faraz Ahmed.
Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Department of Computer Science & Engineering College of Engineering.

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Department of Computer Science & Engineering College of Engineering.

Similar presentations

Ads by Google