Greybox Fuzzing by Example: AFLSmart


Everyone has probably heard of the cool AFL fuzzer.


Many use it as their main tool for finding vulnerabilities and bugs.


This article is about AFLSmart, an extension of AFL that adds knowledge of the input format to AFL's byte-level mutation strategy.


The approach is described in the 2019 paper Smart Greybox Fuzzing, which reports, among other results, 9 findings in FFmpeg. AFLSmart is the implementation that accompanies the paper.


A few words about greybox fuzzing first. It sits between black-box fuzzing, which knows nothing about the target, and white-box fuzzing, which relies on heavy program analysis: a greybox fuzzer uses lightweight instrumentation (coverage feedback) to guide mutation. honggfuzz and AFL are typical examples. AFLSmart stays in the greybox family but adds a structural description of the input; other structure-aware greybox fuzzers in the same family are Superion and Nautilus.




The AFLSmart white paper explains the motivation: inputs in structured formats contain magic words and similar fixed fields that a purely byte-level mutator constantly breaks, so most mutated inputs are rejected early by the parser. AFLSmart aims to mutate inputs while keeping such structure intact.


A different way to deal with such "hard" checks is taken in the paper
T-Fuzz: fuzzing by program transformation.


Its authors summarize their contributions as follows:


1) We show that fuzzing can more effectively find bugs by transforming the target program,
instead of resorting to heavy weight program analysis techniques.
2) We present a set of techniques that enable fuzzing to mutate both inputs and the programs, including techniques for
(i) automatic detection of sanity checks in the target program,
(ii) program transformation to remove the detected sanity checks,
(iii) reproducing bugs in the original program by filtering false positives that only crash in the transformed program.


AFLSmart takes a different route: it combines AFL with Peach. Peach is a generation-based fuzzer that builds inputs from a description of the format (a data model). With such a model the fuzzer knows where magic words and other fixed fields are located, so mutations can leave them alone.


A Peach data model is an XML description of the format (a pit file). AFL on its own has no notion of the input's structure and mutates raw bytes, which is exactly what the model adds.


Take the pcap format as an example; its layout is:


PcapHeader


bytes  type    name      description
4      uint32  magic     'A1B2C3D4' means the endianness is correct
2      uint16  vmajor    major number of the file format
2      uint16  vminor    minor number of the file format
4      int32   thiszone  correction time in seconds from UTC to local time (0)
4      uint32  sigfigs   accuracy of time stamps in the capture (0)
4      uint32  snaplen   max length of captured packet (65535)
4      uint32  network   type of data link (1 = ethernet)

Frame


bytes     type    name      description
4         uint32  ts_sec    timestamp seconds
4         uint32  ts_usec   timestamp microseconds
4         uint32  incl_len  number of octets of packet saved in file
4         uint32  orig_len  actual length of packet
incl_len  uint32  data      data

So a pcap file is a file header followed by frames; the data field of each frame carries the captured packet itself (Ethernet header, IPv4, UDP and so on), and that is the part the target parser works on.


The Peach model for this format looks like:


<Defaults>
    <Number signed="false" valueType="hex" endian="little"/>
</Defaults>

<DataModel name="PcapHeader">
    <Number name="magic" size="32" mutable="false"/>
    <Number name="vmajor" size="16"/>
    <Number name="vminor" size="16"/>
    <Number name="thiszone" size="32"/>
    <Number name="sigfigs" size="32"/>
    <Number name="snaplen" size="32"/>
    <Number name="network" size="32"/>
</DataModel>

<DataModel name="Frame">
    <Number name="ts_sec" size="32"/>
    <Number name="ts_usec" size="32"/>
    <Number name="incl_len" size="32">
        <Relation type="size" of="data"/>
    </Number>
    <Number name="orig_len" size="32"/>
    <Blob name="data"/>
</DataModel>

<DataModel name="Pcap">
    <Block name="PHeader" ref="PcapHeader"/>
    <Block name="PFrame" ref="Frame" maxOccurs="100000"/>
</DataModel>

With this model the fuzzer knows the boundaries and types of every field, something plain AFL never learns about its input.








A seed s is decomposed into chunks c, each with a start offset c.start and an end offset c.end. For the pcap magic A1B2C3D4, for example, c.start=0 and c.end=3.





A chunk c2 taken from another seed may replace a chunk c1 only when both have the same type. A timestamp must not end up where the pcap magic A1B2C3D4 belongs, but version_major may well be replaced by the version_major of another PCAP header.




The same applies to the other structural operators, deletion and addition: they remove or insert whole chunks c1 or c2 rather than arbitrary byte ranges.




In AFLSmart, Peach plays the role of the parser that produces this chunk decomposition.


It is invoked like this:


peach -1 -inputFilePath=valid_file -outputFilePath=valid_file.chunks model.xml

The decomposition is written to valid_file.chunks.


For a pcap file it looks like this:


0,95,Pcap,Enabled
0,23,Pcap~PHeader,Enabled
0,3,Pcap~PHeader~magic,Disabled
4,5,Pcap~PHeader~vmajor,Enabled
6,7,Pcap~PHeader~vminor,Enabled
8,11,Pcap~PHeader~thiszone,Enabled
12,15,Pcap~PHeader~sigfigs,Enabled
16,19,Pcap~PHeader~snaplen,Enabled
20,23,Pcap~PHeader~network,Enabled
24,95,Pcap~PFrame,Enabled
24,95,Pcap~PFrame~PFrame,Enabled
24,27,Pcap~PFrame~PFrame~ts_sec,Enabled
28,31,Pcap~PFrame~PFrame~ts_usec,Enabled
32,35,Pcap~PFrame~PFrame~incl_len,Enabled
36,39,Pcap~PFrame~PFrame~orig_len,Enabled
40,95,Pcap~PFrame~PFrame~data,Enabled

The last column reflects the mutable attribute of the model.





Fields marked mutable=false are never mutated. That is exactly what you want for the magic word of the pcap header, which must always remain A1B2C3D4.


AFLSmart reads this file when it loads the corresponding seed. Run with the -l option, AFLSmart logs its structural mutations to {out}/log.


Let's look at how chunks are represented internally. A chunk is the following structure:


struct chunk {
  unsigned long
      id; /* The id of the chunk, which either equals its pointer value or, when
             loaded from chunks file, equals to the hashcode of its chunk
             identifer string casted to unsigned long. */
  int type;                /* The hashcode of the chunk type. */
  int start_byte;          /* The start byte, negative if unknown. */
  int end_byte;            /* The last byte, negative if unknown. */
  char modifiable;         /* The modifiable flag. */
  struct chunk *next;      /* The next sibling child. */
  struct chunk *children;  /* The children chunks linked list. */
};

The modifiable field holds 0 if the chunk is disabled (mutable=false in the model) and 1 if it may be changed.




Two helpers show how a chunk is picked for the structural operators. Both pick a chunk at random and retry a few times if its boundaries are unknown.


get_chunk_to_delete picks the chunk to be removed and returns its byte range:


struct chunk *get_chunk_to_delete(struct chunk **chunks_array, u32 total_chunks,
                                  u32 *del_from, u32 *del_len) {
  struct chunk *chunk_to_delete = NULL;
  u8 i;

  *del_from = 0;
  *del_len = 0;

  /* Try up to three random chunks until one with known boundaries is found. */
  for (i = 0; i < 3; ++i) {
    int start_byte;
    u32 chunk_id = UR(total_chunks);   /* UR(): AFL's random number in [0, n) */

    chunk_to_delete = chunks_array[chunk_id];
    start_byte = chunk_to_delete->start_byte;

    if (start_byte >= 0 &&
        chunk_to_delete->end_byte >= start_byte) {
      *del_from = start_byte;
      *del_len = chunk_to_delete->end_byte - start_byte + 1;
      break;
    }
  }

  return chunk_to_delete;
}

get_target_to_splice picks the target chunk for splicing and also returns its type, so that a source chunk of the same type can be looked up in another seed:


struct chunk *get_target_to_splice(struct chunk **chunks_array,
                                   u32 total_chunks, int *target_start_byte,
                                   u32 *target_len, u32 *type) {
  struct chunk *target_chunk = NULL;
  u8 i;

  *target_start_byte = 0;
  *target_len = 0;
  *type = 0;

  for (i = 0; i < 3; ++i) {
    u32 chunk_id = UR(total_chunks);
    target_chunk = chunks_array[chunk_id];
    *target_start_byte = target_chunk->start_byte;

    if (*target_start_byte >= 0 &&
        target_chunk->end_byte >= *target_start_byte) {
      *target_len = target_chunk->end_byte - *target_start_byte + 1;
      *type = target_chunk->type;
      break;
    }
  }

  return target_chunk;
}
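As an added example (not AFLSmart's own code), here is a small C parser that loads a Peach .chunks file like the one shown earlier into the struct chunk layout above, links parent and child chunks, and applies the same boundary test that get_chunk_to_delete and get_target_to_splice use; it also checks that child chunks lie inside their parents, a sanity check worth running on a chunks file before fuzzing. The sample lines, the djb2 hash standing in for the hashcode in id and type, and the well_nested check are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct chunk {                        /* same layout as AFLSmart's struct chunk above */
  unsigned long id; int type; int start_byte; int end_byte;
  char modifiable; struct chunk *next; struct chunk *children;
};
/* Constructed excerpt of a Peach .chunks file (start,end,path,Enabled|Disabled);
   the last line has an unknown end byte (-1), the "negative if unknown" case. */
static const char *SAMPLE[] = {
  "0,95,Pcap,Enabled",               "0,23,Pcap~PHeader,Enabled",
  "0,3,Pcap~PHeader~magic,Disabled", "4,5,Pcap~PHeader~vmajor,Enabled",
  "24,95,Pcap~PFrame,Enabled",       "24,27,Pcap~PFrame~ts_sec,Enabled",
  "40,-1,Pcap~PFrame~data,Enabled" };
#define NSAMPLE (int)(sizeof SAMPLE / sizeof *SAMPLE)
struct chunk *g_flat[32];             /* chunks in file order, filled by load_chunks */
static unsigned long djb2(const char *s) {  /* stand-in for AFLSmart's hashcode (assumption) */
  unsigned long h = 5381;
  while (*s) h = h * 33 + (unsigned char)*s++;
  return h;
}
/* Parses preorder chunk lines into a tree (depth = number of '~'; a parent line precedes
   its children) and fills flat[] in file order. Returns the number of chunks parsed. */
int load_chunks(const char **lines, int n, struct chunk **flat) {
  struct chunk **tail[32] = {0};      /* where the next child of the node at each depth goes */
  int count = 0;
  for (int i = 0; i < n; i++) {
    char path[128], flag[16];
    struct chunk *c = calloc(1, sizeof *c); if (!c) break;
    if (sscanf(lines[i], "%d,%d,%127[^,],%15s", &c->start_byte, &c->end_byte,
               path, flag) != 4) { free(c); continue; }   /* skip malformed lines */
    int depth = 0; const char *seg = path;
    for (const char *p = path; *p; p++) if (*p == '~') { depth++; seg = p + 1; }
    c->id = djb2(path); c->type = (int)djb2(seg); c->modifiable = !strcmp(flag, "Enabled");
    if (depth > 0 && tail[depth - 1]) { *tail[depth - 1] = c; tail[depth - 1] = &c->next; }
    tail[depth] = &c->children;
    flat[count++] = c;
  }
  return count;
}
/* The acceptance test get_chunk_to_delete applies: both bounds known and ordered. */
int deletable_len(const struct chunk *c) {
  return (c->start_byte >= 0 && c->end_byte >= c->start_byte) ? c->end_byte - c->start_byte + 1 : 0;
}
/* Sanity check on a chunks file: every child with known bounds lies inside its parent. */
int well_nested(const struct chunk *c) {
  for (const struct chunk *k = c->children; k; k = k->next)
    if ((deletable_len(k) && deletable_len(c) &&
         (k->start_byte < c->start_byte || k->end_byte > c->end_byte)) || !well_nested(k)) return 0;
  return 1;
}
```

The data chunk with an unknown end byte gets a deletable length of 0, which is why the real selection functions retry instead of trusting the first random pick.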

Note that neither function consults modifiable; only the byte boundaries are checked here, and the flag is honoured elsewhere in AFLSmart. Both give up after three tries but still return the last candidate, so callers must check del_len or target_len rather than the pointer.




Running AFLSmart


AFLSmart is started much like AFL, with a few extra options.


Once a Peach model is supplied, the structural operators, including splicing, are used alongside AFL's ordinary byte-level mutations.


Stacking, that is applying several structural mutations to one input in a row, is enabled with -h.


Another handy option is -e <ext>. AFL normally writes the current input to {out}/.cur_input, but some targets decide how to parse a file by its extension, so with -e the file becomes {out}/.cur_input.png|wav|avi and so on.





The authors report 42 zero-day bugs found with AFLSmart.


Targets are instrumented with clang through afl-llvm-pass.so, just as with AFL; the coverage bitmap in AFLSmart works the same way as in AFL.

