Advanced Fuzzing With Peach 2: Michael Eddington

This document discusses the Peach 2 fuzzing platform. It provides an overview of Peach's capabilities including data modeling and mutation, state machine modeling, and fault detection using agents and monitors. Peach 2 aims to simplify the creation of fuzzers through a modeling based approach compared to the framework of Peach 1. The document also briefly outlines Peach Farm for massively parallel fuzzing and the potential for using Peach in the middle of network traffic.

Copyright
© Attribution Non-Commercial (BY-NC)

Advanced Fuzzing with Peach 2

MICHAEL EDDINGTON
[email protected]
Agenda

Introduction to Peach 2

Data mutations

Peach State Machine

Peach Farm

Peach in The Middle


Introduction to Peach 2
Peach 1

Framework for writing fuzzers

Instrumentation via wrapper APIs

No data definition layer (DDL), just fuzzer

Steep learning curve

Complex fuzzers result in complex fuzzer code


Peach 2

Reduce creation time and simplify fuzzer generation

Fuzzer platform, not framework

Modeling based approach

Fault detection

Lower learning curve


Modeling Based Fuzzing

Model types and data

Model state machine

Support models with data sets

Mutate models with mutators


Model Data: Types

[Diagram: a packet laid out as typed fields (INT, INT, INT, Flags, INT, INT, STRING, Len, Len, DATA, INT, INT, INT, DATA), each DATA block following a Len field.]

Model Data: Relationships

[Diagram: the same packet layout, with each Len field linked to the DATA block whose size it carries.]

Model Data: State Model

[Diagram: a packet flow, Packet A first, then either Packet B-1 and B-2 or Packet C-1 and C-2, then Packet D.]
Benefits of Modeling

Easy reuse of definitions

Complex mutations can be applied to a model

Improvements to data generation or mutation independent of model

Data read into definition as well as generated

Data Modeling

Define structure of data
Define relations in data
Reuse definitions

Model elements: Block, Sequence, Choice, String, Number, Flags/Flag, Blob, Relation, Transformer
State Modeling

Stream (TCP, UDP, Files): Connect, Accept, Input, Output, Close

Call (COM, RPC, SOAP): Call, with Method, Parameters, Result
State Modeling: Stream

[Diagram: state machine with State 1, State 2, State 3. State 1: Connect, Output, Input, Output, Change State. State 2: Input, Output, Input, Output, Change State. State 3: Input, Output, Input, Close. Steps numbered 1 to 5.]

State Modeling: Stream

[Diagram: the same state machine with Accept in place of Connect in State 1.]

State Modeling: Stream

[Diagram: state machine with State 1, State 2, State 3. State 1: Connect, Output, Input, Close, Change State. State 2: Connect, Output, Input, Output, Change State. State 3: Input, Output, Input, Close. Steps numbered 1 to 4.]

State Modeling: Call

[Diagram: state machine with State 1 and State 2. State 1: Start, Call, Call, Change State. State 2: Call, Call, Stop. Steps numbered 1 to 3.]
Data Mutations

Mutation: String

“?k1=v+1&k2=v2” → 40,000+ variations

Mutation: Number

00 to FFFFFFFFFFFFFFFF: interesting edge cases

Mutation: Size Relation #1

Length: 200, Data: 200 Bytes

Mutation: Size Relation #2

Length: mutated (was 200), Data: 200 Bytes

Mutation: Size Relation #3

Data & Length: 00 to FFFFFFFFFFFFFFFF
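The three Size Relation cases above, as an added example that is not Peach's own code: a constructed length-prefixed record (a Number "Length" with a size Relation to a Blob "Data"), a Number-style edge-case list, the three mutation strategies, and a strict reader that shows which mutants break the relation. Function and field names are assumptions.

```python
# Added example, not Peach's own code: a constructed length-prefixed record
# (Number "Length" with a size Relation to Blob "Data") mutated the three ways
# the Size Relation slides describe, plus a strict reader to show which
# mutants break the relation.

# Edge-case values a Number mutator tries, spanning 00 .. FFFFFFFFFFFFFFFF.
NUMBER_EDGE_CASES = [
    0, 1, 0x7F, 0x80, 0xFF, 0x7FFF, 0x8000, 0xFFFF,
    0x7FFFFFFF, 0x80000000, 0xFFFFFFFF,
    0x7FFFFFFFFFFFFFFF, 0x8000000000000000, 0xFFFFFFFFFFFFFFFF,
]

def pack_record(length, data, length_size=4):
    """Serialize a little-endian Length field followed by Data."""
    length &= (1 << (8 * length_size)) - 1  # truncate like a fixed-width Number
    return length.to_bytes(length_size, "little") + data

def size_relation_1(data):
    """#1: relation intact; Length is computed from Data."""
    return pack_record(len(data), data)

def size_relation_2(data):
    """#2: mutate Length alone; Data keeps its bytes, so the relation is broken."""
    return [pack_record(v, data) for v in NUMBER_EDGE_CASES]

def size_relation_3(fill=b"A", max_len=0x10000):
    """#3: mutate Data and Length together; the relation holds at each edge case."""
    return [pack_record(v, fill * v) for v in NUMBER_EDGE_CASES if v <= max_len]

def parse_record(buf, length_size=4):
    """Strict reader: Length must equal the number of Data bytes present."""
    length = int.from_bytes(buf[:length_size], "little")
    data = buf[length_size:]
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} data bytes")
    return data

def count_rejected(cases, length_size=4):
    """Count mutants the strict reader refuses; a lax reader that trusts Length is the bug hunted."""
    rejected = 0
    for case in cases:
        try:
            parse_record(case, length_size)
        except ValueError:
            rejected += 1
    return rejected
```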
Mutation: State

[Diagram: Packet A first, then either Packet B-1 and B-2 or Packet C-1 and C-2, then Packet D.]

Mutation: State

[Diagram: the same flow with the C-1, C-2 branch removed.]

Mutation: State

[Diagram: the same flow with the C-1, C-2 branch removed.]
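The stream state machine from the State Modeling slides and the state mutations sketched above, as an added example that is not Peach's own code: the model is a table of states and actions (state and packet names constructed), a walker emits the action trace, and two mutators alter Change State transitions. The walk is bounded because a mutated model may loop.

```python
# Added example, not Peach's own code: the three-state stream model from the
# "State Modeling: Stream" slides (names constructed), a walker, two state mutators.
from copy import deepcopy

STREAM_MODEL = {
    "initial": "State1",
    "states": {
        "State1": [("connect",), ("output", "Hello"), ("input",), ("changeState", "State2")],
        "State2": [("input",), ("output", "Auth"), ("input",), ("changeState", "State3")],
        "State3": [("input",), ("output", "Data"), ("input",), ("close",)],
    },
}
MAX_STEPS = 32  # a mutated model may loop forever; bound the walk

def walk(model):
    """Run the state machine; return the flat trace of (state, action, ...) tuples."""
    trace, state, steps = [], model["initial"], 0
    while state is not None and steps < MAX_STEPS:
        next_state = None
        for action in model["states"][state]:
            trace.append((state,) + action)
            if action[0] in ("changeState", "close"):
                next_state = action[1] if action[0] == "changeState" else None
                break
        state, steps = next_state, steps + 1
    return trace

def mutate_drop_change(model, state, idx):
    """Mutator 1: drop a changeState so the walk stalls in that state."""
    m = deepcopy(model)
    del m["states"][state][idx]
    return m

def mutate_redirect(model, state, idx, target):
    """Mutator 2: point a changeState at another state (skip ahead or loop back)."""
    m = deepcopy(model)
    m["states"][state][idx] = ("changeState", target)
    return m

def state_mutants(model):
    """Every changeState dropped, and redirected to each other state in the model."""
    out = []
    for state, acts in model["states"].items():
        for idx, act in enumerate(acts):
            if act[0] != "changeState":
                continue
            out.append(mutate_drop_change(model, state, idx))
            out += [mutate_redirect(model, state, idx, t)
                    for t in model["states"] if t != act[1]]
    return out
```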
Add Custom Mutators

Sling some Python

Add additional mutations

Specific mutations

Etc.
Fault Detection and Data Collection


Agents & Monitors

[Diagram: Peach 2 Tier Configuration. Peach: Agent Manager, Engine, Logging. Agent 1: Network Capture, Debugger, Target. Agent 2: Network Capture, Debugger, Backend. Steps numbered 1 to 6.]
Monitors

Debuggers
Process Monitor
Memory Monitor
Network Capture
VM Control (snapshot, revert)
Networked Power Strips (cycle power)

Easy to implement custom monitors


Peach Development
Documented XML Schema
Peach Builder
Peach Shark
Peach Farm: Massively Parallel Fuzzing


Peach Farm

Adam Cecchetti

Massively Parallel Fuzzing
  - Scales from 1 to 10,000 nodes
Choose your Virtual Platform/Hosting
  - EC2, Xen, VMWare, Etc
Utilizes Map/Reduce Algorithm
  - Map: Maps the fuzzing cases to indexes and results
  - Reduce: Reduces fuzzing results to interesting cases
Metric based: Time, size, diff, expected errors, OS faults, crashes
Peach in The Middle: What's Next?
Peach in The Middle

[Diagram: Peach (Data Model, Controller, Agent) placed between Client and Server.]
Q&A

HTTP://PEACHFUZZ.SF.NET

HTTP://PHED.ORG

[email protected]