Advanced Fuzzing with Peach 2

1. Advanced Fuzzing with Peach 2

MICHAEL EDDINGTON
[email protected]

2. Agenda

Introduction to Peach 2
Data mutations
Peach State Machine
Peach Farm
Peach in The Middle

3. Introduction to Peach 2

4. Peach 1

Framework for writing fuzzers
Instrumentation via wrapper APIs
No data definition layer (DDL), just fuzzer
Steep learning curve
Complex fuzzers result in complex fuzzer code

5. Peach 2

Reduce creation time and simplify fuzzer generation
Fuzzer platform, not framework
Modeling based approach
Fault detection
Lower learning curve

6. Modeling Based Fuzzing

Model types and data
Model state machine
Support models with data sets
Mutate models with mutators

7. Model Data: Types

[Diagram: a packet modelled as a sequence of typed fields: INT, INT, INT, Len, INT, Flags, INT, Len, STRING, DATA, INT, INT, INT, DATA]

8. Model Data: Relationships

[Diagram: the same typed packet layout, now with its relationships marked: each Len field is tied to the variable-size field (STRING, DATA) whose length it carries]

9. Model Data: State Model

[Diagram: a state model drawn as a flow of packets: B-1, B-2, D, A, C-1, C-2]

10. Benefits of Modeling

Easy reuse of definitions
Complex mutations can be applied to a model
Improvements to data generation or mutation independent of model
Data read into definition as well as generated

11. Data Modeling

Define structure of data
Define relations in data
Reuse definitions
Data model elements:
Block
Sequence
Choice
String
Number
Flags/Flag
Blob
Relation
Transformer

12. State Modeling

13. State Modeling

Stream (TCP, UDP, Files):
Connect
Accept
Input
Output
Close
Call (COM, RPC, SOAP):
Call
Method
Parameters
Result

14. State Modeling: Stream

[Diagram: a stream state machine with State 1, State 2 and State 3; the flow starts with Connect, each state exchanges Input and Output actions, Change State transitions lead to the next state, and the final state ends with Close; steps numbered 1 to 5]

15. State Modeling: Stream

[Diagram: the same three-state stream machine from the accepting side: the flow begins with Accept instead of Connect, states exchange Input and Output actions through Change State transitions, and the last state ends with Close; steps numbered 1 to 5]

16. State Modeling: Stream

[Diagram: a three-state stream machine in which Connect and Close each occur twice: the flow connects, exchanges Input and Output, closes and connects again across Change State transitions; steps numbered 1 to 4]

17. State Modeling: Call

[Diagram: a call state machine with State 1 and State 2: Start, a series of Call actions, a Change State transition, further Call actions, then Stop; steps numbered 1 to 3]

18. Data Mutations

19. Mutation: String

Example string: “?k1=v+1&k2=v2” yields 40,000+ variations
[Diagram: the string split into the tokens ?, k1, =, &, k2, =, v2, with v+1 further split into v, +, 1]

20. Mutation: Number

Interesting edge cases, from 00 up to FFFFFFFFFFFFFFFF

21. Mutation: Size Relation #1

Length: 200
Data: 200 bytes

22. Mutation: Size Relation #2

Length: 200
Data: 200 bytes

23. Mutation: Size Relation #3

Data & Length: 00 through FFFFFFFFFFFFFFFF
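How a size relation behaves under the three mutation strategies above, as an added toy example in Python (not Peach's own model or mutator code): reading slides 21 to 23 as "mutate the data", "mutate the length alone" and "mutate both" is this editor's assumption, as are the class and field names.

```python
import copy
# "Interesting" numbers, 00 .. FFFFFFFFFFFFFFFF (slide 20); truncated to field width on pack.
EDGE_CASES = [0x00, 0x7F, 0x80, 0xFF, 0xFFFF, 0x7FFFFFFF, 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF]
class Number:
    """Unsigned big-endian integer; size_of names the field whose length it holds."""
    def __init__(self, name, size=32, value=0, size_of=None):
        self.name, self.size, self.value, self.size_of = name, size, value, size_of
    def pack(self):
        return (self.value & ((1 << self.size) - 1)).to_bytes(self.size // 8, "big")
class Blob:
    def __init__(self, name, value=b""):
        self.name, self.value = name, value
    def pack(self):
        return self.value
class DataModel:
    def __init__(self, *fields):
        self.fields = {f.name: f for f in fields}
    def fixup(self):
        """Resolve size relations: each Length is set to its target's byte length."""
        for f in self.fields.values():
            if isinstance(f, Number) and f.size_of:
                f.value = len(self.fields[f.size_of].pack())
    def pack(self, honour_relations=True):
        if honour_relations:
            self.fixup()
        return b"".join(f.pack() for f in self.fields.values())

def size_relation_cases(model, length="Length", data="Data"):
    """Yield (label, packet) test cases; the source model itself is never modified."""
    # #1: mutate Data; the relation keeps Length truthful (exercises large payloads).
    for factor in (0, 10, 1000):
        m = copy.deepcopy(model)
        m.fields[data].value = m.fields[data].value * factor
        yield ("data x%d" % factor, m.pack())
    # #2: mutate Length alone; Data is untouched (length/data mismatch).
    for v in EDGE_CASES:
        m = copy.deepcopy(model)
        m.fields[length].value = v
        yield ("length=%x" % v, m.pack(honour_relations=False))
    # #3: mutate both: edge-case Data sizes paired with edge-case Length values.
    for n in (0, 1, 0xFFFF):
        for v in EDGE_CASES:
            m = copy.deepcopy(model)
            m.fields[data].value = b"\x00" * n
            m.fields[length].value = v
            yield ("data=%d length=%x" % (n, v), m.pack(honour_relations=False))

# Constructed sample (slide 21): a 32-bit Length followed by 200 bytes of payload.
PACKET = DataModel(Number("Length", size=32, size_of="Data"), Blob("Data", b"A" * 200))
```

Case #1 is what the model gives for free (the Length field follows the data); cases #2 and #3 are the ones that only a relation-aware mutator can produce on purpose, since they must override the relation rather than honour it.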

24. Mutation: State

[Diagram: the packet state model from slide 9: B-1, B-2, D, A, C-1, C-2]

25. Mutation: State

[Diagram: a mutated packet sequence: B-1, A, B-2, D]

26. Mutation: State

[Diagram: a mutated packet sequence: B-1, A, B-2, D]

27. Add Custom Mutators

Sling some Python
Add additional mutations
Specific mutations
Etc.

28. Fault Detection

AND DATA COLLECTION

29. Agents & Monitors

[Diagram: a Peach instance connected to several Peach Agents, each running a monitor (Debugger Monitor or Network Capture)]

30. 2 Tier Configuration

[Diagram: two-tier configuration: the Peach Engine talks to an Agent Manager, which controls Agent 1 and Agent 2; the agents run Network Capture and Debugger monitors against the Target, and results flow to the Logging Backend; steps numbered 1 to 6]

31. Monitors

Debuggers
Process Monitor
Memory Monitor
Network Capture
VM Control (snapshot, revert)
Networked Power Strips (cycle power)
Easy to implement custom monitors

32. Peach Development

33. Documented XML Schema

34. Peach Builder

35. Peach Shark

36. Peach Farm

MASSIVELY PARALLEL FUZZING

37. Peach Farm

Adam Cecchetti
Massively Parallel Fuzzing
Scales from 1 to 10,000 nodes
Choose your Virtual Platform/Hosting
EC2, Xen, VMware, etc.
Utilizes Map/Reduce Algorithm
Map: Maps the fuzzing cases to indexes and results
Reduce: Reduces fuzzing results to interesting cases
Metric based: time, size, diff, expected errors, OS faults, crashes

38. Peach in The Middle

WHAT’S NEXT?

39. Peach in The Middle

[Diagram: Peach, with its Data Model, Controller and Agent, placed between a Client and a Server]

40. Q & A

Q&A
HTTP://PEACHFUZZ.SF.NET
HTTP://PHED.ORG
[email protected]