1. Advanced Fuzzing with Peach 2
Michael Eddington, [email protected]
2. Agenda
Introduction to Peach 2
Data mutations
Peach State Machine
Peach Farm
Peach in The Middle
3. Introduction to Peach 2
4. Peach 1
Framework for writing fuzzers
Instrumentation via wrapper APIs
No data definition layer (DDL), just fuzzer
Steep learning curve
Complex fuzzers result in complex fuzzer code
5. Peach 2
Reduce creation time and simplify fuzzer generation
Fuzzer platform, not framework
Modeling based approach
Fault detection
Lower learning curve
6. Modeling Based Fuzzing
Model types and data
Model state machine
Support models with data sets
Mutate models with mutators
7. Model Data: Types
[Diagram: a message laid out as a sequence of typed fields: INT, INT, INT (Len), INT (Flags), INT (Len), STRING, DATA, INT, INT, INT, DATA]
8. Model Data: Relationships
[Diagram: the same typed-field layout, now annotated with the size relationships between the Len fields and the STRING/DATA fields they describe]
9. Model Data: State Model
[Diagram: state model as a sequence of packets: B-1, B-2, D, A, C-1, C-2]
10. Benefits of Modeling
Easy reuse of definitions
Complex mutations can be applied to a model
Improvements to data generation or mutation independent of model
Data read into definition as well as generated
11. Data Modeling
Define structure of data
Define relations in data
Reuse definitions
Elements: Block, Sequence, Choice, String, Number, Flags/Flag, Blob, Relation, Transformer
12. State Modeling
13. State Modeling
Stream (TCP, UDP, Files): Connect, Accept, Input, Output, Close
Call (COM, RPC, SOAP): Call, Method, Parameters, Result
14. State Modeling: Stream
[Diagram: stream state machine with States 1-3: Connect, a series of Input/Output exchanges, Change State transitions between the states, then Close; steps numbered 1-5]
15. State Modeling: Stream
[Diagram: the same stream state machine for the server side: Accept instead of Connect, Input/Output exchanges across States 1-3 with Change State transitions, then Close]
16. State Modeling: Stream
[Diagram: stream state machine where the connection is closed and re-established mid-sequence: Connect, Input/Output exchanges, Close, Connect again, further exchanges, Close; steps numbered 1-4]
17. State Modeling: Call
[Diagram: call state machine with States 1-2: Start, a series of Calls, Change State, more Calls, Stop; steps numbered 1-3]
18. Data Mutations
19. Mutation: String
“?k1=v+1&k2=v2” → 40,000+ variations
Tokens: ? k1 = v + 1 & k2 = v2
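The token-wise approach the slide sketches, as an added example in Python (not code from the Peach project): the query string is split into the same tokens the slide lists, each token is swapped in turn for one of a constructed set of edge-case strings, and the string is reassembled so the surrounding structure stays well-formed. The delimiter set and the mutation list are this example's own choices, not Peach's.

```python
"""Token-wise string mutation: replace one token at a time, keep the rest.

Added example, not Peach code. Splitting on the structural delimiters
means a variant like "?k1=<long run>&k2=v2" still parses as a query
string, so the target is exercised past its first parsing step.
"""
import re
from typing import Iterator, List

# Delimiters split the string; they are kept as tokens so they can be
# mutated (dropped, replaced) as well as the values between them.
_TOKEN_RE = re.compile(r"[?=&+]|[^?=&+]+")

# Constructed sample set; a real mutator carries a far larger catalogue.
STRING_MUTATIONS: List[str] = [
    "",             # drop the token entirely
    "A" * 1024,     # long run, probes fixed-size buffers
    "\x00",         # raw NUL inside the string
    "%00",          # encoded NUL, decoded later by the target
    "-1",           # numeric token where a value is expected
    "9" * 20,       # integer wider than 64 bits when parsed
]


def tokenize(s: str) -> List[str]:
    """Split into delimiter and non-delimiter tokens; ''.join(tokens) == s."""
    return _TOKEN_RE.findall(s)


def mutate_string(s: str) -> Iterator[str]:
    """Yield one variant per (token, mutation) pair, each with exactly one
    token replaced; no-op replacements are skipped."""
    tokens = tokenize(s)
    for i, tok in enumerate(tokens):
        for m in STRING_MUTATIONS:
            if m == tok:
                continue
            yield "".join(tokens[:i] + [m] + tokens[i + 1:])


def variant_count(s: str) -> int:
    """Number of distinct single-token variants produced for s."""
    return sum(1 for _ in mutate_string(s))


if __name__ == "__main__":
    sample = "?k1=v+1&k2=v2"          # the slide's example string
    print(tokenize(sample))
    print(variant_count(sample), "variants")
```

The count grows with tokens times mutations, which is why a modest mutation catalogue over a tokenised string reaches the tens of thousands of variants the slide cites.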
20. Mutation: Number
[Diagram: number values 00 and FFFFFFFFFFFFFFFF]
Interesting edge cases
21. Mutation: Size Relation #1
Length: 200
Data: 200 bytes
22. Mutation: Size Relation #2
Length: 200
Data: 200 bytes
23. Mutation: Size Relation #3
Data & Length: 00
FFFFFFFFFFFFFFFF
24. Mutation: State
[Diagram: original packet sequence: B-1, B-2, D, A, C-1, C-2]
25. Mutation: State
[Diagram: mutated packet sequence: B-1, A, B-2, D]
26. Mutation: State
[Diagram: mutated packet sequence: B-1, A, B-2, D]
27. Add Custom Mutators
Sling some Python
Add additional mutations
Specific mutations
Etc.
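The following is an added example in plain Python, not code from the Peach project, and its class and method names are this example's own rather than Peach 2's API. It ties together the Data Modeling, Mutation: Number, Mutation: Size Relation and Add Custom Mutators slides: typed elements inside a Block, a Len field bound to a DATA blob by a size relation, a serializer that resolves the relation, and mutators that plug in by subclassing one base class. The three size-relation cases from the slides come out as labelled variants: the length field mutated while the data stays intact, the data mutated with the length recomputed, and both mutated together.

```python
"""Miniature data model with a size relation and pluggable mutators.
Added example, not Peach code; names and structure are this sketch's own."""
from __future__ import annotations

import struct
from copy import deepcopy
from dataclasses import dataclass, field, replace
from typing import Iterator, List, Optional, Tuple, Union

_FMT = {1: ">B", 2: ">H", 4: ">I", 8: ">Q"}   # big-endian unsigned widths


@dataclass
class Number:
    """Fixed-width unsigned integer. `size_of` names a sibling whose byte
    length this field carries: the slides' Len field and its relation."""
    name: str
    width: int                       # bytes: 1, 2, 4 or 8
    value: int = 0
    size_of: Optional[str] = None


@dataclass
class Blob:
    """Opaque bytes (the slides' DATA)."""
    name: str
    value: bytes = b""


Element = Union[Number, Blob]


@dataclass
class Block:
    """Ordered container of elements; resolves relations among them."""
    name: str
    children: List[Element] = field(default_factory=list)

    def find(self, name: str) -> Element:
        return next(c for c in self.children if c.name == name)

    def fixup(self) -> None:
        """Recompute every size relation from the data it points at."""
        for c in self.children:
            if isinstance(c, Number) and c.size_of:
                c.value = len(self.find(c.size_of).value)


def serialize(block: Block, fixup: bool = True) -> bytes:
    """Emit the block as bytes; fixup=False keeps a mutated length as-is."""
    if fixup:
        block.fixup()
    out = bytearray()
    for c in block.children:
        if isinstance(c, Number):
            out += struct.pack(_FMT[c.width], c.value & ((1 << 8 * c.width) - 1))
        else:
            out += c.value
    return bytes(out)


class Mutator:
    """Base class: a custom mutator is a subclass appended to MUTATORS."""
    def supports(self, e: Element) -> bool:
        raise NotImplementedError

    def mutations(self, e: Element) -> Iterator[Element]:
        raise NotImplementedError


class NumberEdgeCases(Mutator):
    """Edge cases for a fixed-width integer: 0, 1, all-ones, the signed
    boundary on both sides, and off-by-one around the current value."""
    def supports(self, e: Element) -> bool:
        return isinstance(e, Number)

    def mutations(self, e: Number) -> Iterator[Number]:
        bits = 8 * e.width
        for v in (0, 1, (1 << bits) - 1, (1 << (bits - 1)) - 1,
                  1 << (bits - 1), e.value + 1, e.value - 1):
            yield replace(e, value=v & ((1 << bits) - 1))


class BlobResize(Mutator):
    """Grow or shrink a blob; the size relation is recomputed afterwards."""
    def supports(self, e: Element) -> bool:
        return isinstance(e, Blob)

    def mutations(self, e: Blob) -> Iterator[Blob]:
        for n in (0, 1, 2 * len(e.value), 4096):
            yield replace(e, value=b"A" * n)


MUTATORS: List[Mutator] = [NumberEdgeCases(), BlobResize()]


def fuzz_cases(model: Block, mutators=MUTATORS) -> Iterator[Tuple[str, bytes]]:
    """Yield (label, bytes). A mutated length field is emitted without fixup,
    so it lies about the data (Size Relation #1); mutated data gets a
    recomputed length (#2) and then each length edge case on top (#3)."""
    for idx, elem in enumerate(model.children):
        for mut in mutators:
            if not mut.supports(elem):
                continue
            for mutated in mut.mutations(elem):
                variant = deepcopy(model)
                variant.children[idx] = mutated
                tag = f"{type(mut).__name__}:{elem.name}"
                if isinstance(mutated, Number) and mutated.size_of:
                    yield tag + ":length-only", serialize(variant, fixup=False)
                    continue
                yield tag + ":data-only", serialize(variant, fixup=True)
                for j, c in enumerate(variant.children):
                    if isinstance(c, Number) and c.size_of == elem.name:
                        for bad_len in NumberEdgeCases().mutations(c):
                            both = deepcopy(variant)
                            both.children[j] = bad_len
                            yield tag + ":data+length", serialize(both, fixup=False)


def sample_model() -> Block:
    """Constructed sample: a 16-bit Len field followed by the DATA it sizes."""
    m = Block("packet", [Number("len", 2, size_of="data"), Blob("data", b"\x01\x02\x03")])
    m.fixup()
    return m


if __name__ == "__main__":
    for label, data in fuzz_cases(sample_model()):
        print(f"{label:40} {data[:8].hex()}{'...' if len(data) > 8 else ''}")
```

Adding a custom mutator is the step the slide calls "slinging some Python": subclass Mutator, say which element types it supports, yield mutated copies, and append an instance to MUTATORS; the model and serializer need no change, which is the point of keeping mutation independent of the model.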
28. Fault Detection and Data Collection
29. Agents & Monitors
[Diagram: the Peach engine coordinating several Peach Agents, each running a Debugger and a Monitor, plus a Peach Agent performing Network Capture]
30. 2 Tier Configuration
[Diagram: Peach Engine → Agent Manager → Agent 1 and Agent 2, each with Network Capture and a Debugger attached to the Target; Logging Backend collects results; steps numbered 1-6]
31. Monitors
Debuggers
Process Monitor
Memory Monitor
Network Capture
VM Control (snapshot, revert)
Networked Power Strips (cycle power)
Easy to implement custom monitors
32. Peach Development
33. Documented XML Schema
34. Peach Builder
35. Peach Shark
36. Peach Farm
Massively Parallel Fuzzing
37. Peach Farm
Adam Cecchetti
Massively Parallel Fuzzing
Scales from 1 to 10,000 nodes
Choose your Virtual Platform/Hosting
EC2, Xen, VMware, etc.
Utilizes Map/Reduce Algorithm
Map: Maps the fuzzing cases to indexes and results
Reduce: Reduces fuzzing results to interesting cases
Metric based: time, size, diff, expected errors, OS faults, crashes
38. Peach in The Middle
What's Next?
39. Peach in The Middle
[Diagram: Peach (Data Model, Controller, Agent) positioned between Client and Server]
40. Q & A
http://peachfuzz.sf.net
http://phed.org
[email protected]