Bug Finding
Dawn Song
dawnsong@cs.berkeley.edu

Review
- Memory safety vulnerabilities
  - Buffer overflow
  - Format string
  - Integer overflow
  - Double free
- Runtime detection
  - Runtime bounds checking (Purify, Jones & Kelly): expensive
  - Runtime detection of overwrites (StackGuard, etc.): practical, but only covers certain types of attacks
- Runtime mitigation to make attacks hard
  - Randomization: practical, but not foolproof

This Class: Bug Finding
- The iPhone story
- Blackbox bug finding
- Whitebox bug finding

iPhone Security Flaw (Jul 2007)
    "... researchers at Independent Security Evaluators said that they could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code. The hack, the first reported, allowed them to tap the wealth of personal information the phones contain."
    "Charles Miller, shown on his iPhone, said that after finding a hole in security, you were in complete control."

0days Are a Hacker Obsession
- An 0day is a vulnerability that's not publicly known
- Modern 0days often combine multiple attack vectors and vulnerabilities into one exploit
- Many of these are used only once, on high-value targets
- 0day statistics: often open for months, sometimes years

iPhone attack
- iPhone Safari downloads a malicious web page
- Arbitrary code is run with administrative privileges
- Can read the SMS log, address book, call history, other data
- Can perform physical actions on the phone
  - Play a system sound and vibrate the phone for a second
  - Could dial phone numbers, send text messages, or record audio (as a bugging device)
- Can transmit any collected data over the network to the attacker
- See http://www.securityevaluators.com/iphone/

Market for 0days
- Sell for $10K-$100K
- TippingPoint, eEye, Gleg.net, Dsquare, iDefense, Digital Armaments, BreakingPoint

How to Find a 0day
- Step 1: obtain information
  - Hardware/software information
  - Sometimes the hardest step; eBay to the rescue
- Step 2: bug finding
  - Manual audit
  - Semi-automated techniques/tools

The iPhone Story
- Step 1: WebKit is open source
    svn co http://svn.webkit.org/repository/webkit/trunk WebKit
- Step 2: identify potential focus points
  - From the development site: "The JavaScriptCore Tests: If you are making changes to JavaScriptCore, there is an additional test suite you must run before landing changes. This is the Mozilla JavaScript test suite."
  - So we know what they use for unit testing
  - Use code coverage to see which portions of the code are not well tested
  - Tools: gcov, lcov, etc. measure test coverage

Results
- 59.3% of the 13,622 lines in JavaScriptCore were covered
  - 79.3% of the main engine covered
  - 54.7% of Perl Compatible Regular Expressions (PCRE) covered
- Next step: focus on PCRE
  - Wrote a PCRE fuzzer (20 lines of Perl)
  - Ran it on the standalone PCRE parser (pcredemo from the PCRE library)
  - Started getting errors:
    PCRE compilation failed at offset 6: internal error: code overflow
  - Evil regular expressions crash MobileSafari

The Art of Fuzzing
- Automatically generate test cases
- Many slightly anomalous test cases are input into a target interface
- The application is monitored for errors
- Inputs are generally either file based (.pdf, .png, .wav, .mpg, ...) or network based (http, SNMP, SOAP, ...)

Trivial Example
- Standard HTTP GET request:
    GET /index.html HTTP/1.1
- Anomalous requests:
    AAAAAA...AAAA /index.html HTTP/1.1
    GET ////index.html HTTP/1.1
    GET %n%n%n%n%n%n.html HTTP/1.1
    GET /AAAAAAAAAAAAA.html HTTP/1.1
    GET /index.html HTTTTTTTTTTTTTP/1.1
    GET /index.html HTTP/1.1.1.1.1.1.1.1

Regression vs Fuzzing
- Regression: run the program on many normal inputs, look for badness
  - Goal: prevent normal users from encountering errors (e.g., assertions are bad)
- Fuzzing: run the program on many abnormal inputs, look for badness
  - Goal: prevent attackers from encountering exploitable errors (e.g., assertions are often ok)

Approach I: Black-box Fuzz Testing
- Given a program, simply feed it random inputs and see whether it crashes
- Advantage: really easy
- Disadvantage: inefficient
  - Input often requires structure; random inputs are likely to be malformed
  - Inputs that would trigger a crash are a very small fraction; the probability of getting lucky may be very low

Enhancement I: Mutation-Based Fuzzing
- Take a well-formed input and randomly perturb it (flipping a bit, etc.)
- Little or no knowledge of the structure of the inputs is assumed
- Anomalies are added to existing valid inputs
- Anomalies may be completely random or follow some heuristics (e.g., remove NUL, shift character forward)
- Examples:
  - zzuf, very successful at finding bugs in many real-world programs, http://sam.zoy.org/zzuf/
  - Taof, GPF, ProxyFuzz, FileFuzz, Filep, etc.

Example: fuzzing a pdf viewer
- Google for .pdf (about 1 billion results)
- Crawl pages to build a corpus
- Use a fuzzing tool (or script) to:
  1. Grab a file
  2. Mutate that file
  3. Feed it to the program
  4. Record if it crashed (and the input that crashed it)

Mutation-based Fuzzing In Short
- Strengths
  - Super easy to set up and automate
  - Little to no protocol knowledge required
- Weaknesses
  - Limited by the initial corpus
  - May fail for protocols with checksums, those which depend on challenge/response, etc.

Enhancement II: Generation-Based Fuzzing
- Test cases are generated from some description of the format: RFC, documentation, etc.
- Uses the specified protocol / file format info
  - E.g., SPIKE by Immunity, http://www.immunitysec.com/resources-freesoftware.shtml
- Anomalies are added to each possible spot in the inputs
- Knowledge of the protocol should give better results than random fuzzing

Example Protocol Description (SPIKE)
    //png.spk
    //author: Charlie Miller
    // Header - fixed.
    s_binary("89504E470D0A1A0A");
    // IHDRChunk
    s_binary_block_size_word_bigendian("IHDR"); // size of data field
    s_block_start("IHDRcrc");
    s_string("IHDR"); // type
    s_block_start("IHDR");
    // The following becomes s_int_variable for variable stuff
    // 1=BINARYBIGENDIAN, 3=ONEBYTE
    s_push_int(0x1a, 1); // Width
    s_push_int(0x14, 1); // Height
    s_push_int(0x8, 3);  // Bit Depth - should be 1,2,4,8,16, based on colortype
    s_push_int(0x3, 3);  // ColorType - should be 0,2,3,4,6
    s_binary("00 00");   // Compression / Filter - shall be 00 00
    s_push_int(0x0, 3);  // Interlace - should be 0,1
    s_block_end("IHDR");
    s_binary_block_crc_word_littleendian("IHDRcrc"); // crc of type and data
    s_block_end("IHDRcrc");

Generation-Based Fuzzing In Short
- Strengths
  - Completeness
  - Can deal with complex dependencies, e.g., checksums
- Weaknesses
  - Have to have a spec of the protocol
    - Often can find good tools for existing protocols, e.g., http, SNMP
  - Writing the generator can be labor intensive for complex protocols
  - The spec is not the code

Fuzzing Tools
- Input generation
- Input injection
- Bug detection
- Workflow automation

Input Generation
- Existing generational fuzzers for common protocols (ftp, http, SNMP, etc.)
  - Mu-4000, Codenomicon, PROTOS, FTPFuzz
  - Hackers' job made easy
- Fuzzing frameworks: you provide a spec
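The PCRE step of the iPhone story (the Results slide) is easy to reproduce in spirit. The following is an added example in Python, not the 20-line Perl script the slides mention (they do not reproduce it) and not course code: it assembles random patterns from regex metacharacters, feeds them to a compile function, and sorts the outcomes. Python's re.compile is used as a stand-in demo target; run_native assumes a program that takes <pattern> <subject> on argv, which is how PCRE's pcredemo is invoked, and treats death by signal as the crash.

```python
"""Random regular-expression fuzzer in the spirit of the PCRE fuzzer above.

Added example in Python; the slides mention Miller's 20-line Perl script but
do not reproduce it, and this is not that script.  Patterns are assembled
from regex metacharacters so that malformed groups, classes and quantifiers
hit the compiler's error paths.  Two targets are supported: a Python
callable (re.compile stands in here as a demo target) and a native program
such as pcredemo from the PCRE distribution, where a crash shows up as
death by signal.
"""
import random
import re
import subprocess

# Syntax pieces to combine at random.  Unbalanced and nested constructs are
# deliberate: a compiler that survives the well-formed corpus from its own
# test suite may not survive these.
TOKENS = [
    "(", ")", "(?:", "(?=", "(?!", "[", "]", "[^", "-", "{", "}", ",",
    "*", "+", "?", "|", "^", "$", ".", "\\", "\\d", "\\w", "\\b", "\\1",
    "a", "b", "0", "9", "{0}", "{2,}", "{99999}",
]


def gen_pattern(rng, max_tokens=12):
    """Concatenate 1..max_tokens random pieces into one pattern string."""
    return "".join(rng.choice(TOKENS) for _ in range(rng.randint(1, max_tokens)))


def fuzz(compile_fn, iterations, seed=0, rejected=(re.error,), max_tokens=12):
    """Compile `iterations` random patterns and tally the outcomes.

    A syntax error of the type(s) in `rejected` is the target doing its job;
    anything else (another exception type, recursion blow-up, ...) is a
    finding and is kept with the pattern so it can be replayed.
    """
    rng = random.Random(seed)
    summary = {"ok": 0, "rejected": 0, "unexpected": 0, "findings": []}
    for _ in range(iterations):
        pattern = gen_pattern(rng, max_tokens)
        try:
            compile_fn(pattern)
            summary["ok"] += 1
        except rejected:
            summary["rejected"] += 1
        except Exception as exc:
            summary["unexpected"] += 1
            summary["findings"].append((pattern, repr(exc)))
    return summary


def run_native(binary, pattern, subject="abc", timeout=5):
    """Hand one pattern to a native regex program; classify the exit.

    Assumes the program takes <pattern> <subject> on argv, as PCRE's pcredemo
    does.  A negative return code means the process died from a signal
    (SIGSEGV, SIGABRT, ...): that is the "started getting errors" moment,
    and the pattern is what you keep.  Positive non-zero is a clean
    rejection (pcredemo exits 1 on "PCRE compilation failed").
    """
    try:
        proc = subprocess.run([binary, pattern, subject],
                              capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    if proc.returncode < 0:
        return "crash"
    return "ok" if proc.returncode == 0 else "rejected"


def fuzz_native(binary, iterations, seed=0, max_tokens=12):
    """Same loop as fuzz(), but against a native binary via run_native()."""
    rng = random.Random(seed)
    findings = []
    for _ in range(iterations):
        pattern = gen_pattern(rng, max_tokens)
        verdict = run_native(binary, pattern)
        if verdict in ("crash", "timeout"):
            findings.append((pattern, verdict))
    return findings


def demo(iterations=500, seed=1):
    """Run the in-process loop against Python's re.compile as a stand-in."""
    return fuzz(re.compile, iterations, seed=seed)
```

Against a native target the call is fuzz_native("./pcredemo", 100000). The seed is recorded so a run can be replayed; the "rejected" count is a useful sanity check, since a target that rejects nothing is probably not parsing the input at all.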
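The four-step loop of the pdf-viewer slide, together with the mutation heuristics from the Mutation-Based Fuzzing slide, as an added example in Python. It is not course code and not zzuf or any other tool listed; the file format, the corpus and the "viewer" (toy_target, a constructed stand-in whose only bug is trusting its length field) are constructed for the example, and make_subprocess_runner assumes the real program accepts its input as a file path on the command line.

```python
"""Mutation-based file fuzzer implementing the four-step loop above.

Added example; it is not the course's code and not zzuf or any tool on the
slide.  Grab a file from the corpus, mutate it, feed it to the program,
record the crash and the exact input that caused it.  Mutators are the
heuristics the slides name (bit flip, remove NUL, shift character forward)
plus byte overwrite, chunk delete and chunk duplicate.  The program under
test is abstracted as run(data) -> True if it crashed, so the same loop
drives an in-process parser or an external viewer via make_subprocess_runner.
"""
import os
import random
import subprocess
import tempfile


def mutate(data, rng, max_ops=4):
    """Return a perturbed copy of data after 1..max_ops random mutations."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, max_ops)):
        if not buf:
            buf = bytearray(b"\x00")
        i = rng.randrange(len(buf))
        op = rng.choice(["bitflip", "byte", "shift", "drop_nul", "delete", "dup"])
        if op == "bitflip":
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "byte":                        # boundary or random byte
            buf[i] = rng.choice([0x00, 0x7f, 0x80, 0xff, rng.randrange(256)])
        elif op == "shift":                       # "shift character forward"
            buf[i] = (buf[i] + 1) & 0xff
        elif op == "drop_nul":                    # "remove NUL"
            buf = bytearray(buf.replace(b"\x00", b"", 1))
        elif op == "delete":                      # shorten: length fields now lie
            del buf[i:i + rng.randint(1, 16)]
        else:                                     # "dup": repeat a chunk in place
            buf[i:i] = buf[i:i + rng.randint(1, 16)]
    return bytes(buf)


def make_subprocess_runner(argv, timeout=10):
    """Build run(data) for an external program, e.g. ["xpdf", "{}"].

    "{}" in argv is replaced by a temp file holding the input.  A crash is a
    negative return code (killed by SIGSEGV, SIGABRT, ...); a hang counts too.
    """
    def run(data):
        fd, path = tempfile.mkstemp(suffix=".fuzz")
        try:
            with os.fdopen(fd, "wb") as f:
                f.write(data)
            cmd = [path if a == "{}" else a for a in argv]
            try:
                proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
            except subprocess.TimeoutExpired:
                return True
            return proc.returncode < 0
        finally:
            os.unlink(path)
    return run


def fuzz(corpus, run, iterations, seed=0, crash_dir=None):
    """Steps 1-4 from the slide; corpus is a list of (name, bytes).

    Returns (seed, iteration, source name, input) per crash so each one can
    be replayed; with crash_dir the input is also written to disk.
    """
    rng = random.Random(seed)
    crashes = []
    for n in range(iterations):
        name, data = rng.choice(corpus)                   # 1. grab a file
        candidate = mutate(data, rng)                     # 2. mutate it
        if run(candidate):                                # 3. feed it to the program
            crashes.append((seed, n, name, candidate))    # 4. record crash + input
            if crash_dir:
                os.makedirs(crash_dir, exist_ok=True)
                with open(os.path.join(crash_dir, f"crash-{seed}-{n}.bin"), "wb") as f:
                    f.write(candidate)
    return crashes


TOY_MAGIC = b"TOY\x00"


def toy_target(data):
    """Constructed stand-in for a viewer (not a real program or format).

    Layout: 4-byte magic, 1-byte body length, body.  Reports a "crash" when
    the declared length exceeds the body present, i.e. the trust-the-length
    field bug a real parser would turn into an out-of-bounds read.
    """
    if len(data) < 5 or not data.startswith(TOY_MAGIC):
        return False                                      # rejected, no crash
    return data[4] > len(data) - 5


def demo(iterations=300, seed=1):
    """Fuzz the toy target from a one-file constructed corpus."""
    corpus = [("sample.toy", TOY_MAGIC + bytes([5]) + b"hello")]
    return fuzz(corpus, toy_target, iterations, seed=seed)
```

Two things the toy target makes visible: most iterations that corrupt the magic are wasted, which is the "random inputs are likely to be malformed" weakness, and every crash is stored with its input, because a crash you cannot reproduce is not a bug report.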
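The png.spk description above is generation-based fuzzing done by hand: the .spk names each field, its width and its legal values, and SPIKE fills in the length and CRC. The following added example does the same job for the IHDR chunk in Python; it is neither SPIKE nor course code. Field layout and defaults follow the .spk; the anomaly value lists and the parse_chunks checker are constructed for the example. The CRC is written big-endian, as the PNG specification requires for all integers.

```python
"""Generation-based fuzzer for the PNG IHDR chunk described by png.spk above.

Added example, not SPIKE and not the course's code.  The chunk is built
from a field description the way the .spk does (fixed signature, length
word, type, data fields, CRC), and anomalies are pushed into each variable
field in turn while the length and CRC are recomputed, so every test case
still passes the checksum and reaches the parser's field handling.  That
recomputation is exactly what mutating raw bytes cannot do.
"""
import struct
import zlib

PNG_SIGNATURE = bytes.fromhex("89504E470D0A1A0A")

# (name, struct format, default) following the IHDR layout in png.spk.
# All PNG integers are big-endian, including the CRC.
IHDR_FIELDS = [
    ("width", ">I", 0x1a),
    ("height", ">I", 0x14),
    ("bit_depth", ">B", 8),       # should be 1,2,4,8,16
    ("color_type", ">B", 3),      # should be 0,2,3,4,6
    ("compression", ">B", 0),     # shall be 0
    ("filter", ">B", 0),          # shall be 0
    ("interlace", ">B", 0),       # should be 0,1
]

# Anomalies per field width (constructed): boundary and sign-confusion values.
ANOMALIES = {
    ">I": [0, 1, 0x7fffffff, 0x80000000, 0xffffffff],
    ">B": [0, 1, 7, 0x7f, 0x80, 0xff],
}


def build_chunk(ctype, data):
    """Length, type, data, CRC-32 over type+data, as the PNG spec lays it out."""
    crc = zlib.crc32(ctype + data) & 0xffffffff
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_ihdr(overrides=None):
    """Serialize IHDR from the defaults, replacing any fields in `overrides`."""
    values = {name: default for name, _, default in IHDR_FIELDS}
    values.update(overrides or {})
    data = b"".join(struct.pack(fmt, values[name]) for name, fmt, _ in IHDR_FIELDS)
    return build_chunk(b"IHDR", data)


def generate_cases():
    """Yield (field, value, png_bytes): one anomaly in one spot at a time."""
    for name, fmt, _ in IHDR_FIELDS:
        for value in ANOMALIES[fmt]:
            yield name, value, PNG_SIGNATURE + build_ihdr({name: value})


def parse_chunks(png):
    """Walk the chunks, verifying each CRC the way a real decoder would.

    Raises ValueError on a bad signature or checksum; returns [(type, data)].
    """
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("bad signature")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xffffffff != crc:
            raise ValueError(f"bad crc on {ctype!r}")
        chunks.append((ctype, data))
        pos += 12 + length
    return chunks


def count_cases_passing_crc():
    """Every generated case must survive the checksum check to be useful."""
    return sum(1 for _, _, png in generate_cases() if parse_chunks(png))
```

Each case can be written to a file and handed to a decoder with the mutation loop's runner; the point of the generator is that a width of 0xffffffff arrives with a valid CRC, so it is the width handling that gets tested rather than the checksum code.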