Advanced Fuzzing with Peach 2
Agenda
Introduction to Peach 2
Peach 1
Peach 2
Modeling Based Fuzzing
Model Data: Types
Model Data: Relationships
Model Data: State Model
Benefits of Modeling
Data Modeling
State Modeling
State Modeling
State Modeling: Stream
State Modeling: Stream
State Modeling: Stream
State Modeling: Call
Data Mutations
Mutation: String
Mutation: Number
Mutation: Size Relation #1
Mutation: Size Relation #2
Mutation: Size Relation #3
Mutation: State
Mutation: State
Mutation: State
Add Custom Mutators
Fault Detection
Agents & Monitors
2 Tier Configuration
Monitors
Peach Development
Documented XML Schema
Peach Builder
Peach Shark
Peach Farm
Peach Farm
Peach in The Middle
Peach in The Middle
Q & A
1.81M
Категория: ПрограммированиеПрограммирование
Похожие презентации:
Multithreading IO Streams Java Core
Multithreading IO Streams Java Core
Introduction to Java
Introduction to Java
Java 4 WEB. Lesson 10 - IO, NIO
Java 4 WEB. Lesson 10 - IO, NIO
Internet and Java Foundations, Programming and Practice
Internet and Java Foundations, Programming and Practice
C++ Network Programming Systematic Reuse with ACE & Frameworks
C++ Network Programming Systematic Reuse with ACE & Frameworks
Programming paradigms
Programming paradigms
Machine-Level Programming V: Advanced Topics
Machine-Level Programming V: Advanced Topics
Microsoft official course. Creating methods, handling exceptions, and monitoring applications. (Module 2)
Microsoft official course. Creating methods, handling exceptions, and monitoring applications. (Module 2)
Java Core Introduction
Java Core Introduction
OOP with C#. Introduction C#. Data Types. Variables, expressions, statements. C# decision and iteration constructs
OOP with C#. Introduction C#. Data Types. Variables, expressions, statements. C# decision and iteration constructs

Advanced Fuzzing with Peach 2

1. Advanced Fuzzing with Peach 2

MICHAEL EDDINGTON
[email protected]

2. Agenda

Introduction to Peach 2
Data mutations
Peach State Machine
Peach Farm
Peach in The Middle

3. Introduction to Peach 2

4. Peach 1

Framework for writing fuzzers
Instrumentation via wrapper APIs
No data definition layer (DDL), just fuzzer
Steep learning curve
Complex fuzzers result in complex fuzzer code

5. Peach 2

Reduce creation time and simplify fuzzer generation
Fuzzer platform, not framework
Modeling based approach
Fault detection
Lower learning curve

6. Modeling Based Fuzzing

Model types and data
Model state machine
Support models with data sets
Mutate models with mutators

7. Model Data: Types

INT
INT
INT
Len
INT
Flags
INT
Len
STRING
DATA
INT
INT
INT
DATA

8. Model Data: Relationships

INT
INT
INT
Len
INT
Flags
INT
Len
STRING
DATA
INT
INT
INT
DATA

9. Model Data: State Model

Packet
B-1
Packet
B-2
Packet
D
Packet
A
Packet
C-1
Packet
C-2

10. Benefits of Modeling

Easy reuse of definitions
Complex mutations can be applied to a model
Improvements to data generation or mutation
independent of model
Data read into definition as well as generated

11. Data Modeling

Define structure of data
Block
Define relations in data
Sequence
Reuse definitions
Choice
String
Number
Flags/Flag
Blob
Relation
Transformer

12. State Modeling

13. State Modeling

Stream
Call
TCP, UDP, Files
COM, RPC, SOAP
Connect
Call
Method
Parameters
Result
Accept
Input
Output
Close

14. State Modeling: Stream

1
State Machine
2
3
State 1
State 2
State 3
Connect
Input
Input
Output
Output
Output
Input
Input
Input
Output
Output
Close
Change State
4
Change State
5

15. State Modeling: Stream

State Machine
1
State 1
State 2
State 3
Accept
Input
Input
Output
Output
Output
Input
Input
Input
Output
Output
Close
Change State
Change State
5

16. State Modeling: Stream

State Machine
State 1
1
2
State 2
State 3
Connect
Input
Output
Output
Output
Input
Input
Input
Close
Output
Close
Change State
Change State
Connect
3
4

17. State Modeling: Call

State Machine
1
2
State 1
State 2
Start
Call
Call
Call
Call
Call
Change State
Stop
3

18. Data Mutations

19. Mutation: String

“?k1=v+1&k2=v2”
40,000+
variations
?
k1
=
&
k2
=
v2
v
+
1

20. Mutation: Number

FFFFFFFFFFFFFFFF
00
Interesting Edge Cases

21. Mutation: Size Relation #1

Length:
Data:
200
200 Bytes

22. Mutation: Size Relation #2

Length:
200
Data:
200 Bytes

23. Mutation: Size Relation #3

Data & Length:
00
FFFFFFFFFFFFFFFF

24. Mutation: State

Packet
B-1
Packet
B-2
Packet
D
Packet
A
Packet
C-1
Packet
C-2

25. Mutation: State

Packet
B-1
Packet
A
Packet
B-2
Packet
D

26. Mutation: State

Packet
B-1
Packet
A
Packet
B-2
Packet
D

27. Add Custom Mutators

Sling some Python
Add additional mutations
Specific mutations
Etc.

28. Fault Detection

AND DATA COLLECTION

29. Agents & Monitors

Agents & Monitors
Debugger
Monitor
Debugger
Monitor
Debugger
Monitor
Peach
Agent
Peach
Agent
Peach
Agent
Network
Capture
Peach
Agent
Peach

30. 2 Tier Configuration

2
Peach
1
Agent
Manager
Agent 1
4
3
Agent 2
Network
Capture
Network
Capture
Engine
Debugger
Debugger
Logging
Target
Backend
6
5

31. Monitors

Debuggers
Process Monitor
Memory Monitor
Network Capture
VM Control (snapshot, revert)
Networked Power Strips (cycle power)
Easy to implement custom monitors

32. Peach Development

33. Documented XML Schema

34. Peach Builder

35. Peach Shark

36. Peach Farm

MASSIVELY PARALLEL FUZZING

37. Peach Farm

Adam Cecchetti
Massively Parallel Fuzzing
Scales from 1 to 10,000 nodes
Choose your Virtual Platform/Hosting
EC2, Xen, VMWare, Etc
Utilizes Map/Reduce Algorithm
Map: Maps the fuzzing cases to indexes and results
Reduce: Reduces fuzzing results to interesting cases
Metric based : Time, size, diff, expected errors, OS
faults, crashes

38. Peach in The Middle

WHAT’S NEXT?

39. Peach in The Middle

Peach
Data Model
Controller
Agent
Client
Server

40. Q & A

Q&A
HTTP://PEACHFUZZ.SF.NET
HTTP://PHED.ORG
[email protected]
English     Русский Правила