Hushcon 23

The document discusses the evolution and advancements in fuzzing techniques, highlighting significant milestones from 2013 to 2023, including the discovery of thousands of vulnerabilities through tools like ClusterFuzz and AFL++. It emphasizes the importance of benchmarking, advanced instrumentation, and grammar-based fuzzing methods for improving vulnerability detection. The presentation concludes with insights on fuzzing challenges and future directions in the field.

Fuzzing: The Age of Vulnerability Discovery

Agenda

Richard Johnson
Owner, Fuzzing IO
• Advanced Fuzzing and Crash Analysis Training
• Contract fuzzing harness and security tool development
Principal Security Researcher, Eclypsium
• Platform Security, Reverse Engineering and Fuzzing
• Edge Devices, UEFI, BMC, Firmware, etc
Contact
[email protected]
@richinseattle
Introduction: The Fuzzing Renaissance
Remembering How We Got Here
AMERICAN FUZZY LOP - ZALEWSKI, 2013
2013-2018: Fuzzing Explosion
IS FEEDBACK DRIVEN FUZZING AI?
The Age of Vulnerability Discovery
2023: Fuzzing Super Mario Bros?
IS FEEDBACK DRIVEN FUZZING AI?
As of February 2023, ClusterFuzz has found ~27,000 bugs in Google and over 8,900 vulnerabilities and 28,000 bugs across 850 projects integrated with OSS-Fuzz.
“Evaluating Fuzz Testing”
GEORGE KLEES, ANDREW RUEF, BENJI COOPER, SHIYI WEI, MICHAEL HICKS - 2018

The paper found problems in every existing experimental evaluation it examined (seed choice, timeouts, number of trials, crash deduplication and the choice of target programs), and showed that these problems can translate to actual wrong or misleading assessments of which fuzzer is better.
Benchmarking: Observable Success
FUZZBENCH
FUZZBENCH – COVERAGE OVER TIME VIEW
FUZZBENCH – LOG TIME VIEW DIFFERENTIATOR FOR LONGER FUZZING CAMPAIGNS
FUZZBENCH – COMPARING PERFORMANCE OF FUZZER VS PARSER
Fuzz Introspector
LIKE GCOV REPORTS BUT FOR FUZZING!
Fuzzer Challenges
THE CRUCIBLE FOR FUZZING AND SOLVER TOOLS
Bugs Exist in New Code
Building the Fuzz Chain
FUZZING IN THE COMPILER
FUZZING IN THE RUNTIME
• Jazzer
JAZZER FUZZING HARNESS
JAZZER SUPPORTS CUSTOM SANITIZERS
Fuzzing in the Cloud
SECURITY IS A SHARED RESPONSIBILITY AND GOOGLE IS HERE TO HELP!
AFL++ - still the best general fuzzer
AFL++ - MARC HEUSE, HEIKO EISSFELDT, ANDREA FIORALDI, DOMINIK MAIER
LibAFL: Modular Fuzzer Design
LIBAFL – ANDREA FIORALDI, DOMINIK MAIER, ET AL
Advanced Instrumentation

Fuzzers need to know when a fault has occurred. Memory corruption makes this trivial, but other bug classes may require specific checkers.
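The point above, that a fuzzer only ever sees what some checker reports, as an added C example that is not from the slides: a libFuzzer-style entry point wraps a small LEB128-style varint codec and traps on a round-trip mismatch, so a pure logic bug that corrupts no memory still becomes a crash the fuzzer can save. The codec, the deliberately buggy decoder and the sample values are constructed for this illustration; the entry-point name is libFuzzer's convention, the rest is assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unsigned LEB128 encoder: 7 payload bits per byte, high bit set on all but the last. */
static size_t varint_encode(uint64_t v, uint8_t out[10]) {
    size_t n = 0;
    do {
        uint8_t b = (uint8_t)(v & 0x7f);
        v >>= 7;
        if (v) b |= 0x80;
        out[n++] = b;
    } while (v);
    return n;
}

/* Reference decoder: returns bytes consumed, 0 if the input is malformed. */
static size_t varint_decode(const uint8_t *in, size_t len, uint64_t *out) {
    uint64_t v = 0;
    for (size_t i = 0; i < len && i < 10; i++) {
        v |= (uint64_t)(in[i] & 0x7f) << (7 * i);
        if (!(in[i] & 0x80)) { *out = v; return i + 1; }
    }
    return 0;
}

/* Deliberately buggy decoder (constructed for this example): it accumulates into a
   32-bit variable, so values >= 2^32 silently lose their high bits. No memory is
   touched out of bounds, so ASan never fires; only a semantic check can see it. */
static size_t varint_decode_buggy(const uint8_t *in, size_t len, uint64_t *out) {
    uint32_t v = 0;                                             /* bug: too narrow */
    for (size_t i = 0; i < len && i < 10; i++) {
        v |= (uint32_t)((uint64_t)(in[i] & 0x7f) << (7 * i));  /* truncates */
        if (!(in[i] & 0x80)) { *out = v; return i + 1; }
    }
    return 0;
}

typedef size_t (*decoder_fn)(const uint8_t *, size_t, uint64_t *);

/* Round-trip property: encode x, decode it with `dec`, require the same value and
   the same length back. Returns 1 when the property holds. */
static int roundtrip_value(decoder_fn dec, uint64_t x) {
    uint8_t buf[10];
    size_t n = varint_encode(x, buf);
    uint64_t y = 0;
    size_t m = dec(buf, n, &y);
    return m == n && y == x;
}

/* libFuzzer-style entry point: the first 8 input bytes are the value under test.
   Swap in varint_decode_buggy and a fuzzer reports a crash within seconds even
   though nothing in the decoder would ever trip a memory sanitizer. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (size < sizeof(uint64_t)) return 0;
    uint64_t x;
    memcpy(&x, data, sizeof x);
    if (!roundtrip_value(varint_decode, x))
        __builtin_trap();          /* surfaces as a signal, recorded like any crash */
    return 0;
}

int main(void) {
    uint64_t samples[] = { 0, 0x7f, 0x80, 0x1234, 0xffffffffULL, 0x100000000ULL, UINT64_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%#llx reference=%d buggy=%d\n", (unsigned long long)samples[i],
               roundtrip_value(varint_decode, samples[i]),
               roundtrip_value(varint_decode_buggy, samples[i]));
    return 0;
}
```

The same shape works for any property the code is supposed to preserve (parse/serialize identity, idempotent normalisation, monotonic counters): the checker is what turns the property into something coverage feedback can steer toward.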
Sanitizers for Sanity
HEARTBLEED IMPACTED 66% OF WWW SERVERS
(diagram: fuzzers + checkers)
ADDRESS SANITIZER LIFTED THE SHADOW
LLVM SANITIZER FAMILY – UNDEFINED BEHAVIOR SANITIZER
LLVM SANITIZER FAMILY – HARDWARE-ASSISTED ADDRESS SANITIZER
LLVM SANITIZER FAMILY
Unconstrained Progress
WHEN YOU CAN’T BEAT THEM, UNJOIN THEM
Focused Mutation
CHEAP ALTERNATIVE TO TAINT TRACKING AND SYMBOLIC EXECUTION
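Focused mutation in the Redqueen / CmpLog sense, as an added C example that is neither from the slides nor AFL++'s code: comparisons in the target are routed through a logging hook, and the mutator feeds each failed comparison back by patching the input wherever the observed left operand appears. The target, the manual hook and the magic values are constructed for illustration; a real cmplog build gets the hook from compiler instrumentation, and the byte search assumes a little-endian host.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_CMPS 64

/* One logged comparison: both operands (zero-extended) and the width in bytes. */
struct cmp_entry { uint64_t a, b; size_t width; };
static struct cmp_entry cmp_log[MAX_CMPS];
static size_t cmp_count;

/* Stand-in for the compare hook a cmplog build inserts automatically (this manual
   hook is an assumption of the example, not AFL++'s API). Logs, then compares. */
static int cmp_hook(uint64_t a, uint64_t b, size_t width) {
    if (cmp_count < MAX_CMPS)
        cmp_log[cmp_count++] = (struct cmp_entry){ a, b, width };
    return a == b;
}

static uint32_t load32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t load16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }

/* Target (constructed): two header checks. A random byte mutator has about one
   chance in 2^48 of passing both; with the hook they are solved in two rounds.
   Returns how deep the input got: 0 short, 1 bad magic, 2 bad version, 3 deep path. */
static int target(const uint8_t *data, size_t len) {
    if (len < 8) return 0;
    if (!cmp_hook(load32(data), 0x4D5A5246u, 4)) return 1;
    if (!cmp_hook(load16(data + 4), 0xBEEFu, 2)) return 2;
    return 3;
}

/* Input-to-state mutation: for each failed comparison, find where the observed
   operand sits in the input and overwrite it with the operand it was compared
   against. Little-endian host assumed, so the low `width` bytes of the logged
   value are exactly the bytes that were loaded. Returns the number of patches. */
static size_t i2s_mutate(uint8_t *buf, size_t len) {
    size_t patched = 0;
    for (size_t i = 0; i < cmp_count; i++) {
        const struct cmp_entry *e = &cmp_log[i];
        if (e->a == e->b) continue;                       /* already satisfied */
        for (size_t off = 0; off + e->width <= len; off++) {
            if (memcmp(buf + off, &e->a, e->width) == 0) {
                memcpy(buf + off, &e->b, e->width);
                patched++;
                break;
            }
        }
    }
    return patched;
}

/* Run, learn from the logged comparisons, patch, rerun. Returns the depth reached. */
static int solve(uint8_t *buf, size_t len, int max_rounds) {
    int depth = 0;
    for (int round = 0; round < max_rounds; round++) {
        cmp_count = 0;
        depth = target(buf, len);
        if (depth == 3 || i2s_mutate(buf, len) == 0) break;
    }
    return depth;
}

/* Convenience: start from 8 bytes of `fill` and report the depth reached. */
static int solve_from_fill(uint8_t fill, int max_rounds) {
    uint8_t buf[8];
    memset(buf, fill, sizeof buf);
    return solve(buf, sizeof buf, max_rounds);
}

int main(void) {
    uint8_t buf[8];
    memset(buf, 'A', sizeof buf);
    cmp_count = 0;
    printf("before: depth %d\n", target(buf, sizeof buf));
    int depth = solve(buf, sizeof buf, 8);
    printf("after : depth %d, header bytes:", depth);
    for (size_t i = 0; i < sizeof buf; i++) printf(" %02x", buf[i]);
    printf("\n");
    return depth == 3 ? 0 : 1;
}
```

The whole "taint tracking" here is a byte search for the operand the program actually read; it is wrong whenever the input was transformed before the compare (checksums, decompression, endianness swaps), which is exactly where the symbolic tools in the later slides earn their cost.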
Improved Input Generation

“Grammar mutators are able to trigger deep bugs that are near impossible to find with code coverage guided fuzzers”

Grammars
CONTEXT FREE GRAMMARS – STRUCTURED / API GRAMMARS
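A minimal context-free grammar generator, as an added C example (the grammar and the code are constructed here and are not Domato's): each nonterminal expands by picking a random production, with a depth budget so recursion terminates, and the output is a syntactically valid expression that a byte-level mutator would almost never assemble from an empty seed. The PRNG is seeded explicitly so any generated case can be regenerated from its seed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Grammar (constructed for this example): nonterminals are written <name>,
   everything else is emitted literally. The first production listed for each
   nonterminal is its non-recursive escape, used once the depth budget is spent. */
struct rule { const char *lhs; const char *rhs; };
static const struct rule grammar[] = {
    { "<expr>",   "<term>" },
    { "<expr>",   "<expr> + <term>" },
    { "<expr>",   "<expr> - <term>" },
    { "<term>",   "<factor>" },
    { "<term>",   "<term> * <factor>" },
    { "<factor>", "<num>" },
    { "<factor>", "( <expr> )" },
    { "<factor>", "-<factor>" },
    { "<factor>", "x" },
    { "<num>",    "0" }, { "<num>", "1" }, { "<num>", "42" }, { "<num>", "255" },
};
#define NRULES (sizeof grammar / sizeof grammar[0])

/* xorshift64 PRNG: seeded explicitly so a failing case can be reproduced. */
static uint64_t rng_state = 1;
static uint64_t rng_next(void) {
    uint64_t x = rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return rng_state = x;
}

/* Choose a production for lhs: the escape rule when depth is exhausted, else random. */
static const char *pick(const char *lhs, int depth) {
    const char *choices[16];
    size_t n = 0;
    for (size_t i = 0; i < NRULES && n < 16; i++)
        if (strcmp(grammar[i].lhs, lhs) == 0) choices[n++] = grammar[i].rhs;
    if (n == 0) return NULL;                       /* unknown nonterminal */
    return depth <= 0 ? choices[0] : choices[rng_next() % n];
}

/* Expand src into out, recursing on <nonterminals>. Returns 0 if out fills up. */
static int expand(const char *src, int depth, char *out, size_t cap, size_t *pos) {
    for (const char *p = src; *p; ) {
        if (*p == '<') {
            const char *end = strchr(p, '>');
            char name[32];
            if (!end || (size_t)(end - p) + 1 >= sizeof name) return 0;
            memcpy(name, p, (size_t)(end - p) + 1);
            name[end - p + 1] = '\0';
            const char *rhs = pick(name, depth);
            if (!rhs || !expand(rhs, depth - 1, out, cap, pos)) return 0;
            p = end + 1;
        } else {
            if (*pos + 1 >= cap) return 0;
            out[(*pos)++] = *p++;
        }
    }
    out[*pos] = '\0';
    return 1;
}

/* Generate one <expr> from a seed and a depth budget. Returns its length or -1. */
static int generate(uint64_t seed, int max_depth, char *out, size_t cap) {
    rng_state = seed ? seed : 0x9E3779B97F4A7C15ULL;
    size_t pos = 0;
    if (!expand("<expr>", max_depth, out, cap, &pos)) return -1;
    return (int)pos;
}

/* Cheap structural check: balanced parentheses and only characters the grammar emits. */
static int well_formed(const char *s) {
    int depth = 0;
    if (!*s) return 0;
    for (; *s; s++) {
        if (!strchr("0123456789x+-*() ", *s)) return 0;
        if (*s == '(') depth++;
        if (*s == ')' && --depth < 0) return 0;
    }
    return depth == 0;
}

/* Generate from a seed and check the result; returns 1 on success. */
static int generate_ok(uint64_t seed, int max_depth) {
    char buf[2048];
    int n = generate(seed, max_depth, buf, sizeof buf);
    return n > 0 && well_formed(buf);
}

int main(void) {
    char buf[2048];
    for (uint64_t seed = 1; seed <= 5; seed++)
        if (generate(seed, 6, buf, sizeof buf) >= 0)
            printf("seed %llu: %s\n", (unsigned long long)seed, buf);
    return 0;
}
```

Swapping the rule table for a DOM, SQL or JavaScript grammar is the whole difference between this toy and a browser fuzzer; the expansion loop and the depth budget stay the same, which is why grammar engines are written once and reused across targets.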
Searching for Approximate Grammar
FUZZING IS A CHEAP GRAMMAR EXTRACTION
Grammars are a Browser’s Best Friend
DOM FUZZING WITH DOMATO – IVAN FRATRIC / GOOGLE
JAVASCRIPT JIT FUZZING - FUZZILLI - SAMUEL GROß
LIBPROTOBUF-MUTATOR VS THE CHROME SANDBOX
Grammars for APIs
LIBPROTOBUF-MUTATOR VS APIS
Grammars for Syscalls
GRAMMAR FUZZING SYSCALLS
When in Doubt, Math it Out
HIGHLY SELECTIVE APPLICATION OF HIGHLY SOPHISTICATED TECH WINS IN THE END
SYMCC / SYMQEMU
SYMSAN
TRITON-DSE

“TritonDSE goal is to provide higher-level primitives than Triton. Triton is a low-level framework where one have to provide manually all instructions to be executed symbolically.”
Reaching New Attack Surface

2019: 2046 Linux kernel bugs found & fixed by syzkaller (BlueHat IL 2020)
2023: 4535 fixed
Keeping an average of 2-3/day
Fuzzing Windows
WINDOWS – THE ANTI-POSIX ENVIRONMENT
Fuzzing Windows with DBI
MANY CODE COVERAGE ENGINES HAVE PROPAGATED TO WINDOWS
Snapshot Fuzzing
A SNAPSHOT IN TIME UNLOCKS THE FUTURE POTENTIAL
Fuzzing Anything With Emulators
EMULATE CODE YOU CAN ISOLATE FROM HARDWARE I/O
WTF Fuzzer
SO YOU WANT TO FUZZ A WINDOWS KERNEL DRIVER
kAFL / NYX Fuzzer
YOU WANT KASAN AND SYZKALLER ON WINDOWS?
“GDB Fuzzing”
TRADING OFF PERFORMANCE TO GET THE JOB DONE
Differential Fuzzing
ASK AN ORACLE WHEN HARNESSING IS IMPOSSIBLE
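The oracle idea above, as an added C example not taken from the slides: two percent-decoders that each look reasonable and never crash, one RFC 3986 style and one form-encoding style, are run on the same input and any disagreement is the finding. Both decoders and the corpus are constructed for this illustration; in a real campaign the second implementation is usually the reference library or a previous release, and the divergences are where parser-differential bugs (double decoding, filter bypasses) live.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Implementation A (constructed): RFC 3986 style. %XX is decoded, '+' is literal,
   a '%' not followed by two hex digits is an error. Returns output length or -1. */
static int decode_a(const char *in, char *out, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; in[i]; i++) {
        if (o + 1 >= cap) return -1;
        if (in[i] == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);  /* no read past NUL */
            if (lo < 0) return -1;
            out[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Implementation B (constructed): form-encoding style. Same as A except that '+'
   becomes a space and a malformed '%' is copied through instead of rejected. */
static int decode_b(const char *in, char *out, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; in[i]; i++) {
        if (o + 1 >= cap) return -1;
        int hi, lo;
        if (in[i] == '%' && (hi = hexval((unsigned char)in[i + 1])) >= 0
                         && (lo = hexval((unsigned char)in[i + 2])) >= 0) {
            out[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else if (in[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Differential oracle: 1 when both decoders produce the same result, 0 on divergence.
   Neither decoder crashes on the divergent inputs; only the comparison reveals them.
   A fuzzing harness would call this and trap on 0. */
static int agree(const char *in) {
    char a[256], b[256];
    int na = decode_a(in, a, sizeof a);
    int nb = decode_b(in, b, sizeof b);
    if (na != nb) return 0;
    return na < 0 || memcmp(a, b, (size_t)na) == 0;
}

int main(void) {
    /* Constructed corpus; a differential run over it prints the disagreements. */
    const char *corpus[] = { "plain", "a%20b", "%41%42", "a+b", "100%", "%zz", "%2" };
    for (size_t i = 0; i < sizeof corpus / sizeof *corpus; i++)
        printf("%-8s %s\n", corpus[i], agree(corpus[i]) ? "agree" : "DIVERGE");
    return 0;
}
```

Three of the seven inputs diverge: the '+' handling is a spec ambiguity, and the truncated escapes show one side rejecting and the other silently passing bytes through, which is the classic shape of a filter bypass when the two sides are a WAF and the application behind it.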
Summary
Thank You, HUSHCON’23
Questions?
Richard Johnson | [email protected] | @richinseattle

https://fuzzing.io/hushcon23.pdf
