
Welcome to our session, Korea track.

Thanks to our sponsors. Everybody, like you said, my talk today is on fuzzing for security. Twitter's there, great.

All right, there we go. Real quick, just about me: I've been a software engineer for almost 11 years, but really the last two years have been focused on security. Once you do enough research you kind of become the guy to talk about it. Most of my experience is with Java and Ruby on Rails; I've done a bunch of Hadoop in the past as well, React recently, and various other technology stacks. So I come with a big developer background, which is why this talk may be a little bit different: it's not really a security tester sort of talk.

So a quick outline of what we're going to talk about: I'll give you a brief overview of what fuzzing is, why we do it, what kinds of things we're going to find, how we do it, and then next steps and takeaways, and afterwards you guys will have some time for questions.

So let's talk about what fuzzing is. It really came out of a software development testing methodology a long time ago, which was shocking to me, because most of the time when I dig into security things, nothing comes from the software development side. It's really designed around being purely automated; you don't want to be hands on keyboard, which most of the time
in software engineering is pretty clearly the goal anyway. So we're really just going to provide a bunch of invalid inputs to an application, trying to get unexpected outputs or error states or something of that nature, things that we then want to go and exploit or take advantage of. I really liken it to unit testing on steroids; this is Stephen Colbert, accepting some steroids and shooting them around. If you're familiar with unit testing, that's really what I liken it to.

So quickly, I mentioned it came out of software development; it actually dates back to punch cards. People were doing this with punch cards in the fifties. I found some examples and was kind of surprised. Those guys back in the 50s were way smarter than I gave them credit for, with the little they had; they were the smart guys back when "oh yeah, we have a real computer" was a thing. Reading up on it, I read about a guy, Steve Capps, who they think may have written one of the first programmatic ones, for MacPaint, called "The Monkey", back in 1983. He was just trying to make images look different and make MacPaint do something other than what it was expected to do. But really the term fuzzing came from the University of Wisconsin; a kid in a course there created this thing in the eighties.

Then it kind of took off for software testing, and more recently it's really taken a big leap into system security testing. So the lifecycle for fuzzing is really similar to almost everything else we do from a testing perspective. We're going to define some targets: maybe some code, just straight-up C or C++ or Java or whatnot; it may be a website; it may be an operating system. It can be anything; fuzzing works for everything, it's great. We're going to generate some fuzz data, whether you make that automatic using a tool or you do it yourself; there are wordlists and things that you can pull in, and all kinds of ways to get this data. Then you execute your fuzzer; this is where the automated stuff takes over. It just runs away and comes back with some results later. You get the results, you monitor them, you find some interesting data, and then you go and exploit whatever comes back. Sometimes you're going to have hits and sometimes you're going to have misses. This is true of unit testing for engineers, and I'm sure the pen testers I talk to see it too: sometimes you start working on something and get nothing out of it. It's sad, but it happens; it happened in much of my research.

So briefly, there are two generic types of fuzzers, mutation-based and generation-based, but
really mutation-based is the one I see most. These are considered dumb fuzzers: you're just giving them lists and they do bit flips and byte changes and additions. So if you have the word "fuzz", maybe you're changing the "u" for an asterisk, or the word "fuzz" gets something appended to the end of it. I found a bunch of stuff doing the research around this, because I hadn't done it before: there are huge image libraries where people dedicate images to do fuzzing with, and I'm looking at these, it's like emoticon libraries, all these things that they're passing into things like paint programs. If I saw a JPEG I wouldn't think that somebody was testing with it, but somebody is injecting something into an image to try and fuzz an image viewer; so when somebody sends you an email, it's not really your grandkid, it's someone trying to get at you. Most of these seem to work this way: basically everything I see is just shifting something around and trying to find where something breaks.

Then there's generation-based. I haven't tried one of these; these are a really smarter kind of fuzzer, and the idea is you generate your inputs based on a data model or the data set that you're working with. So it knows, based on some instrumentation of your data model, that it's a website and it's got these status codes, and this kind of response, and this kind of request headers coming through. I didn't try a Peach fuzzer or the like. [Audience: it's expensive.] Yeah, maybe not the community edition, but I kind of had the same reaction: I looked at what the setup looks like and it seemed a pain to set up, and the dumb fuzzers were really easy to use, so I didn't really go there. More power to you if you go down that route.
All right, so why do we want to fuzz? As a software engineer, which again is kind of my job, we're already doing this stuff today, so we're really just taking what we're doing today and leveling up our skill set, doing something more to make sure that we're finding the stuff that's bad in our application. It's really just moving on from "I'm going to test it with zero, and one, and 500"; well-defined inputs aren't going to give you the findings you're looking for when you're doing software testing. You need to test negative five million and positive ten million and all sorts of varied inputs.

And then you're going to want to find the bugs so you can fix them. This is an xkcd from years and years ago where you're waiting on your code to compile; hopefully we get to the point where we're waiting on our fuzz runs. This isn't happening in engineering today, but we could start adding these things to our delivery pipelines and continuous integration. As a researcher, you want to find every way you can to attack something or find the more elusive stuff, so it's really just adding more tools to the toolbox and more things for you to exploit and go attack.

So let's look at taking our hands off the keyboard and letting the fuzzers run, because we are going to find vulnerabilities with these things; that's the fun part, it's going to find stuff. The idea here is you let them run as long as they take and there's going to be something you find. I found that some of these tools were finding things in long-running applications that have been around forever; when people applied a fuzzer to them they did find stuff, and I'll talk about that a little bit, in a matter of days. It takes a lot of time to find it, but you will find vulnerabilities.

So what are we going to find?
Because that's what we're kind of interested in, and really what we're going to find is very significant things. So, an integer overflow in Java, for example. It's okay if you're not familiar with Java; this is a really simple example. All we're doing is taking an input and adding it to the max integer; the max integer in Java is like 2 billion 147 million and change. We just add whatever that number is to it and then we print the results, and you're going to see real quickly. I run this from the console, just running it with a Java command. If I execute it with the number 0, we just get back the same result. Now if I do this again, I'm going to get an overflow if I give it 1 or any other value greater than 1, and what is interesting about this is we see a different, unexpected result: in this case it gives us negative billions, it loops back around. So in Java you don't get the positive version of this, you wrap back to negative, which is unexpected, or something you can go try and take advantage of. We can do more of these; I recorded this one, but if you pass it negative ten, or negative five and ten, you
can see how it loops: negative five subtracts, then the next one adds more, but you can see how we test varying scenarios.

The next one is a buffer overflow in C. This is a really common one that we've seen historically; it's not so much anymore, as people have moved past it. Sorry, let me say that it's still happening, but people are moving into languages with better memory management and things like that where this isn't as big a concern. But what we're doing here is I'm taking a character string of 100 characters or less and then I'm trying to copy that into a buffer that I've only allocated with a length of five. In this case, if we copy it, it will print out the word "copy"; if it doesn't have a problem copying it, it will say "success". So we run this with a safe value; I pass the word "safe" as my input and it says "copy" and goes over just fine. Now if I move over and run it with an unsafe buffer (I think I used the word "unsafe"), running with the word "unsafe" is going to give us an abort, because it actually failed, and this is unexpected behavior. This is the kind of thing we're looking for to go test with fuzzing. You could pass it your unit test cases, the cases you expect to work, but we're really trying to test the things that we don't expect to work.

Next, string formats, so websites that don't sanitize. I didn't realize it at the time, but I gave a talk last year on injection attacks, and I didn't realize that what I was doing at the time was really a version of fuzzing and trying to
attack sites with fuzzing. So if you're interested in seeing that talk, go see that talk. Anyway, in this case this is just a Rails application, and in this Rails application we have this SQL statement here, and this SQL statement doesn't sanitize the input. It just blindly takes whatever the user passes in as an ID and passes it straight into the SQL directly. Calling this website, if you call the URL from Postman, we can pass it "1 OR 1=1", which always evaluates to true, and then we get back the full gamut of data from the database. What's interesting about this again is that this is just a fuzzing technique, but I didn't realize at the time that I was doing that.

So, we briefly talked about some examples of things you're going to find in application testing. How do we do this? It really starts with picking a tool. Now, as I've gotten more into this, there's really no one tool for the job, but what I did find was there are highly recommended tools, and one of those seems to be American Fuzzy Lop. I don't know, has anybody used that before? Yeah, a few. It seems to be
one of the highly recommended tools; it's pretty powerful. I also found a tool called wfuzz, which is really about testing web applications and APIs, but there are just so many of these; there are extensions for other ones, you can write your own and kind of go from there.

So let's look at American Fuzzy Lop. I didn't actually know what a fuzzy lop was; it's a rabbit, oh cool. It's probably one of the most popular ones that I found. It's instrumentation-based, so this one you can actually instrument your code: if you're doing C code or C++ or whatever, you actually compile the code with AFL's fuzzing compiler, and it compiles it with instrumentation so it knows what's going on inside it. The tests it generates are based on your test case directory. So if we run this thing, I'm going to show you quickly how to compile your code; it's just a different command: rather than cc or clang or gcc or whatever, you use afl-clang (however you want to say that). Then I just use my overflow program, my C file, and I'm compiling it just like we'd compile it any other way, just with a different compiler.

Then we need to create our test directory. You can pull these from a test suite, or a corpus as it's actually called; that's what we're going to attack it with. So I'm going to create one, and this is just: I'm going to make a dictionary directory and put some words in it. You can pull these from the internet; there are thousands of them. You can use the wordlists built into Kali Linux or Metasploit, which are listed there as well. For the sake of this I generated my own; I'll show you later where I did use a list, but the one I created here just has four of my own words in it. They're all safe words, and it's going to mutate things from that point. So if I run afl-fuzz with my dictionary and my overflow program, it's going to take every line from my dictionary and run it against the program. You're going to see it prints out all this stuff; I had that scroll too quickly to see, but it's running now and you can see it prints out the total crashes based on everything it's found so far. It's going to tell you the different kinds of strategies and yields, so in this case byte flips and bit flips, and then it goes to this havoc stage, which takes forever; it's testing a lot of things, and you'll see what the results are in a second. And then it really never gets done; it will go almost indefinitely, and so you have to kill it yourself. I left one of these runs going for like two days and it just kept going; yeah, you just kill it yourself and then you go look at the results.

So we get the results, and it prints out to the output directory. It's got all your crashes and you can see what it did: it changed my good word to random strings or random characters, replacing things; some of them get really crazy. That's stuff I'm never going to be able to do as a unit tester or a pen tester, but this tool just kind of runs through it and just crushes your application. Out of the box it's got a couple of supported languages in terms of C, C++, Objective-C, but I found lots of derivatives of it that are effectively the same thing for almost every language I care about, and certainly the ones we care about, and in general the most common places people write code. We all love Heartbleed, and somebody went and tested Heartbleed with American Fuzzy Lop as a validation, and they were able to find 487 crashes within a day and a half. So
if somebody had just done the due diligence of testing some of this stuff ahead of time for a day and a half, they would have found Heartbleed, and how awesome would that have been for everyone else. This is the output panel from testing it.

wfuzz is another tool I talked about briefly; this is a web one, it runs against websites, and the testing uses a dictionary attack to replace parts of URLs. It's really simple to use and it's really configurable too, which is what I really like about tools, because not everybody does the same thing. So in this example, I just set up a Rails server running on port 2001, and it just has a couple of routes, home and login, and what I did with this, all I was doing for the fuzzing on this one, was just passing it a dictionary. You can do this with lots of tools; this is just a small example. I actually had to look up how to do this, because it's not something I do at work every day, and so I was just trying to look for anything that I might care about. Just passing in that dictionary that you saw on the left side, it's going to run wfuzz against my application and churn through it. Oh sorry, this is that list, something you can set; it was a bunch of fuzzing dictionaries, so I'm just navigating to it. Then I'm going to tell it I want to only return status codes of 200, then I'm going to hit localhost where I'm running the Rails server, and then I replace the part of the path I wanted to actually fuzz with the word FUZZ. You can actually make this dynamic to where you fuzz more than one part, so you can have multiple things it's going to test with. It's going to churn through, printing out all the response codes it's hitting for all the different paths, so you can see I'm getting 404s, so it's not finding anything. Eventually we're going to get to login and it's going to start spitting out 200s; you see we've got a whole bunch of them. I found out something interesting with Rails: it actually will resolve all these other paths that aren't the specific route, but it shouldn't. So I actually need to go learn something out of this; I really didn't expect Rails to return login.php or these other variants as a 200. I didn't know that until this tool, and so these are things that you're going to learn from new tests. So now I know to go and track down how to protect those other paths so they're not
leaking data out into the world.

All right, so those are some quick examples; sorry it's so quick, it's twenty minutes and I don't have time to show you everything. But what you need is your takeaway. So what's next for you guys, what do you want to take away from this? I can't really give you a prescribed path, because everybody here does something a little different; I'm an engineer, I do something different than what you might do. What I can tell you is: as a developer, go introduce this into your testing; find a way to introduce it as part of your testing ecosystem. As a security researcher, use it to find vulnerabilities, because you saw you can just kind of set this thing aside and let it run. I think they have versions of these things that run on a Raspberry Pi, so you can set them up on a Pi that costs 20 bucks, or on an old machine you have lying around, and the output comes out. But it's all around finding the right tool for the job, and this is true of everything you do; you've got to find the right tool. Like I said, there are derivatives of a lot of these tools; you can create your own, expand from one, create your own and contribute it back, or keep it to yourself; either one is really good.

There are a couple of enterprise tools. I actually reached out to these guys: Fuzzbuzz is a fuzzing-as-a-service application. They support a handful of languages out of the box right now, like C and C++; they appear to be running what looked to me like AFL under the covers, but it may do something else. They're brand new to this from what I can tell; I actually emailed them last week because I saw them in a headline on TechCrunch, they just got a two million dollar seed round from a group of investors. I asked them some questions and they're going to support pretty much every other language I'd want to test. I ran through some of their demo stuff and it's pretty slick: you just upload a file configured with some of the data you care about, and it was really cool. So I'd encourage you to go and check that out. Or if you don't want to pay for something or do something external like that, ClusterFuzz is by Google; they actually have an open source fuzzing technology in a distributed fashion, and this is really cool because you can set those up in an organization and actually start testing and fuzzing things at a really big scale across your whole geography, which would help if your company is really big. So there are lots of tools out there.

I'm going to wrap up; that's all I have. Feedback can be left for all the talks. If you guys want to know more about fuzzing, I will be around; you can chat with me. I'll be at the Cerner booth here from like 12:30 to 1:00-ish, right around lunchtime, for a little while; you can find me there.