Berkeley COMPSCI 161 - Lecture Notes

Bug Finding
Dawn Song
[email protected]

Memory-safety vulnerabilities (review)
• Memory-safety vulnerabilities
  – Buffer overflow
  – Format string
  – Integer overflow
  – Double free
• Runtime detection
  – Runtime bounds check
    » Purify, Jones & Kelly
    » Expensive
  – Runtime detection of overwrite
    » StackGuard, etc.
    » Practical, but only covers certain types of attacks
  – Runtime mitigation to make attacks hard
    » Randomization
    » Practical, but not foolproof

This Class: Bug Finding
• The iPhone story
• Blackbox bug finding
• Whitebox bug finding

iPhone Security Flaw
• Jul 2007: "researchers at Independent Security Evaluators, said that they could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code. The hack, the first reported, allowed them to tap the wealth of personal information the phones contain."
• Charles Miller, shown on his iPhone, said that after finding a hole in security, "you were in complete control."

iPhone attack
• iPhone Safari downloads malicious web page
  – Arbitrary code is run with administrative privileges
  – Can read SMS log, address book, call history, other data
  – Can perform physical actions on the phone
    » System sound and vibrate the phone for a second
    » Could dial phone numbers, send text messages, or record audio (as a bugging device)
  – Can transmit any collected data over the network to the attacker
• See http://www.securityevaluators.com/iphone/

0days Are a Hacker Obsession
• An 0day is a vulnerability that's not publicly known
• Modern 0days often combine multiple attack vectors & vulnerabilities into one exploit
  – Many of these are used only once on high value targets
• 0day statistics
  – Often open for months, sometimes years

Market for 0days
• Sell for $10K-100K
• TippingPoint
• eEye
• Gleg.net
• Dsquare
• iDefense
• Digital Armaments
• BreakingPoint

How to Find a 0day?
• Step #1: obtain information
  – Hardware, software information
  – Sometimes the hardest step
    » eBay to the rescue
• Step #2: bug finding
  – Manual audit
  – (Semi)automated techniques/tools

The iPhone Story
• Step #1: WebKit is open source
  – svn co http://svn.webkit.org/repository/webkit/trunk WebKit
• Step #2: identify potential focus points
  – From the development site, "The JavaScriptCore Tests": "If you are making changes to JavaScriptCore, there is an additional test suite you must run before landing changes. This is the Mozilla JavaScript test suite."
  – So we know what they use for unit testing
    » Use code coverage to see which portions of the code are not well tested
    » Tools such as gcov, lcov, etc. measure test coverage

Results
• 59.3% of 13622 lines in JavaScriptCore were covered
  – 79.3% of main engine covered
  – 54.7% of Perl Compatible Regular Expressions (PCRE) covered
• Next step: focus on PCRE
  – Wrote a PCRE fuzzer (20 lines of Perl)
  – Ran it on the standalone PCRE parser (pcredemo from the PCRE library)
  – Started getting errors:
    PCRE compilation failed at offset 6: internal error: code overflow
• Evil regular expressions crash MobileSafari

The Art of Fuzzing
• Automatically generate test cases
• Many slightly anomalous test cases are input into a target interface
• Application is monitored for errors
• Inputs are generally either file based (.pdf, .png, .wav, .mpg)
• Or network based...
  – HTTP, SNMP, SOAP

Trivial Example
• Standard HTTP GET request
  – GET /index.html HTTP/1.1
• Anomalous requests
  – AAAAAA...AAAA /index.html HTTP/1.1
  – GET ///////index.html HTTP/1.1
  – GET %n%n%n%n%n%n.html HTTP/1.1
  – GET /AAAAAAAAAAAAA.html HTTP/1.1
  – GET /index.html HTTTTTTTTTTTTTP/1.1
  – GET /index.html HTTP/1.1.1.1.1.1.1.1

Regression vs. Fuzzing
• Regression: Run program on many normal inputs, look for badness.
  – Goal: Prevent normal users from encountering errors (e.g. assertions bad).
• Fuzzing: Run program on many abnormal inputs, look for badness.
  – Goal: Prevent attackers from encountering exploitable errors (e.g. assertions often ok).

Approach I: Black-box Fuzz Testing
• Given a program, simply feed it random inputs, see whether it crashes
• Advantage: really easy
• Disadvantage: inefficient
  – Input often requires structure; random inputs are likely to be malformed
  – Inputs that would trigger a crash are a very small fraction; the probability of getting lucky may be very low

Enhancement I: Mutation-Based Fuzzing
• Take a well-formed input, randomly perturb it (flipping bits, etc.)
• Little or no knowledge of the structure of the inputs is assumed
• Anomalies are added to existing valid inputs
• Anomalies may be completely random or follow some heuristics (e.g. remove NUL, shift character forward)
• Examples:
  – E.g., zzuf, very successful at finding bugs in many real-world programs, http://sam.zoy.org/zzuf/
  – Taof, GPF, ProxyFuzz, FileFuzz, Filep, etc.

Example: fuzzing a PDF viewer
• Google for .pdf (about 1 billion results)
• Crawl pages to build a corpus
• Use a fuzzing tool (or script) to:
  1. Grab a file
  2. Mutate that file
  3. Feed it to the program
  4. Record if it crashed (and the input that crashed it)

Mutation-based Fuzzing In Short
• Strengths
  – Super easy to set up and automate
  – Little to no protocol knowledge required
• Weaknesses
  – Limited by initial corpus
  – May fail for protocols with checksums, those which depend on challenge response, etc.

Enhancement II: Generation-Based Fuzzing
• Test cases are generated from some description of the format: RFC, documentation, etc.
  – Using specified protocol/file format info
  – E.g., SPIKE by Immunity, http://www.immunitysec.com/resources-freesoftware.shtml
• Anomalies are added to each possible spot in the inputs
• Knowledge of the protocol should give better results than random fuzzing

Example: Protocol Description
  //png.spk
  //author: Charlie Miller

  // Header - fixed.
  s_binary("89504E470D0A1A0A");

  // IHDR Chunk
  s_binary_block_size_word_bigendian("IHDR"); // size of data field
  s_block_start("IHDRcrc");
  s_string("IHDR"); // type
  s_block_start("IHDR");
  // The following becomes s_int_variable for variable stuff
  // 1=BINARYBIGENDIAN, 3=ONEBYTE
  s_push_int(0x1a, 1); // Width
  s_push_int(0x14, 1); // Height
  s_push_int(0x8, 3); // Bit Depth - should be 1,2,4,8,16, based on colortype
  s_push_int(0x3, 3); // ColorType - should be 0,2,3,4,6
  s_binary("00 00"); // Compression || Filter - shall be 00 00
  s_push_int(0x0, 3); // Interlace - should be 0,1
  s_block_end("IHDR");
  s_binary_block_crc_word_littleendian("IHDRcrc"); // crc of type and
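An added example, not code from the lecture or from SPIKE: a Python harness whose target is a constructed strict PNG IHDR parser (parse_ihdr), driven by a mutation fuzzer that flips a few bits of a valid file and by a generation fuzzer that, like the png.spk description, places an anomalous value in each IHDR field but recomputes the CRC. It shows the checksum weakness from "Mutation-based Fuzzing In Short" concretely: every mutated input is rejected at the header or CRC stage, while the generated inputs reach the field checks and even get 0xFFFFFFFF-by-0xFFFFFFFF dimensions accepted, the kind of value that later allocation code must bound. All function names and sample values in the block are constructed for this example.

```python
import random
import struct
import zlib
from collections import Counter

PNG_SIG = bytes.fromhex("89504E470D0A1A0A")  # the fixed header from the png.spk slide

def ihdr_png(width, height, depth, ctype, interlace):
    """Signature + IHDR chunk: 4-byte length, type, 13 data bytes, CRC over type+data."""
    data = struct.pack(">IIBBBBB", width, height, depth, ctype, 0, 0, interlace)
    return PNG_SIG + b"\x00\x00\x00\x0dIHDR" + data + struct.pack(">I", zlib.crc32(b"IHDR" + data))

def parse_ihdr(buf):
    """Constructed target parser: returns (width, height) or raises ValueError naming the failed check."""
    if len(buf) < 33 or buf[:8] != PNG_SIG or buf[8:16] != b"\x00\x00\x00\x0dIHDR":
        raise ValueError("header")
    data, (crc,) = buf[16:29], struct.unpack(">I", buf[29:33])
    if zlib.crc32(b"IHDR" + data) != crc:
        raise ValueError("crc")  # random damage to a valid file does not get past this check
    w, h, depth, ctype, comp, filt, inter = struct.unpack(">IIBBBBB", data)
    if not (w and h) or depth not in (1, 2, 4, 8, 16) or ctype not in (0, 2, 3, 4, 6) or comp or filt or inter > 1:
        raise ValueError("field")
    return w, h  # 0xFFFFFFFF x 0xFFFFFFFF passes: whatever allocates rows next must bound w*h

def outcome(buf):
    try:
        parse_ihdr(buf)
        return "ok"
    except ValueError as e:
        return str(e)

def mutation_fuzz(seed_input, trials, seed=161):
    """Enhancement I: flip 1-3 distinct random bits of a valid input per trial; tally the stage that rejects it."""
    rng, hits = random.Random(seed), Counter()
    for _ in range(trials):
        b = bytearray(seed_input)
        for pos in rng.sample(range(len(b) * 8), rng.randint(1, 3)):
            b[pos // 8] ^= 1 << (pos % 8)
        hits[outcome(bytes(b))] += 1
    return hits

def generation_fuzz():
    """Enhancement II: SPIKE-style, one anomalous value per IHDR field, CRC recomputed so the chunk is well-formed."""
    base = dict(width=0x1A, height=0x14, depth=8, ctype=3, interlace=0)  # same values as png.spk
    cases = [ihdr_png(**dict(base, **{f: v & (0xFFFFFFFF if f in ("width", "height") else 0xFF)}))
             for f in base for v in (0, 1, 0x7F, 0xFF, 0xFFFFFFFF)]
    return Counter(outcome(c) for c in cases)
```

Running mutation_fuzz(ihdr_png(0x1A, 0x14, 8, 3, 0), 200) yields only "header" and "crc" counts, while generation_fuzz() returns 13 "field" rejections and 12 "ok" results, several of them with absurd dimensions.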