
Advanced Fuzzing with Peach 2



  1. Advanced Fuzzing with Peach 2 Michael Eddington mike@leviathansecurity.com

  2. Agenda • Introduction to Peach 2 • Data mutations • Peach State Machine • Peach Farm • Peach in The Middle

  3. Introduction to Peach 2

  4. Peach 1 • Framework for writing fuzzers • Instrumentation via wrapper APIs • No data definition layer (DDL), just fuzzer • Steep learning curve • Complex fuzzers result in complex fuzzer code

  5. Peach 2 • Reduce creation time and simplify fuzzer generation • Fuzzer platform, not framework • Modeling based approach • Fault detection • Lower learning curve

  6. Modeling Based Fuzzing • Model types and data • Model state machine • Support models with data sets • Mutate models with mutators

  7. Model Data: Types [diagram: a packet laid out as INT, INT, INT, Flags, INT Len, STRING, INT Len, DATA, INT, INT, INT, DATA]

  8. Model Data: Relationships [diagram: the same packet layout, with each INT Len field related to the STRING or DATA whose size it holds]

  9. Model Data: State Model [diagram: packets A, B-1, B-2, C-1, C-2 and D exchanged across the states of the model]

  10. Benefits of Modeling • Easy reuse of definitions • Complex mutations can be applied to a model • Improvements to data generation or mutation independent of model • Data read into definition as well as generated

  11. Data Modeling • Define structure of data • Define relations in data • Reuse definitions • Element types: Block, Sequence, Choice, String, Number, Flags/Flag, Blob, Relation, Transformer

  12. State Modeling

  13. State Modeling • Stream (TCP, UDP, Files): Connect, Accept, Input, Output, Close • Call (COM, RPC, SOAP): Call, Method, Parameters, Result

  14. State Modeling: Stream State Machine [diagram, client side: State 1, State 2, State 3; Connect, then Input and Output actions in each state, Change State transitions between states and Close at the end; steps numbered 1-5]

  15. State Modeling: Stream State Machine [diagram, server side: as slide 14 but starting with Accept instead of Connect]

  16. State Modeling: Stream State Machine [diagram: State 1, State 2, State 3, with a second Connect and Close pair alongside the Input and Output actions and the Change State transitions; steps numbered 1-4]

  17. State Modeling: Call State Machine [diagram: State 1 and State 2; Start, a sequence of Call actions, Change State, Stop; steps numbered 1-3]

  18. Data Mutations

  19. Mutation: String • Example value: “?k1=v+1&k2=v2” • 40,000+ variations

  20. Mutation: Number • Interesting edge cases, such as FFFFFFFFFFFFFFFF and 00

  21. Mutation: Size Relation #1 [diagram: Length field (200) and 200 bytes of Data]

  22. Mutation: Size Relation #2 [diagram: Length field and 200 bytes of Data, with the 200 shown on the Data side]

  23. Mutation: Size Relation #3 • Data & Length: both taken to edge cases such as FFFFFFFFFFFFFFFF and 00
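As an added example (not code from Peach or from this talk), the following Python builds a tiny data model in the spirit of slides 7, 8 and 11 (Number and Blob elements in a Block, with a size relation), encodes it with the relations resolved, and then runs three size-relation mutators matching my reading of slides 21 to 23: the length field changed with the data intact, the data resized with the length field kept at its original value, and both moved together to numeric edge cases. The mutator registry is the hook slide 27 refers to. The element set, field names, sample packet and edge-case list are assumptions made for the example.

```python
# Added example, not Peach code: a minimal data model with a size relation
# and three size-relation mutators registered in a list (custom ones append).
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple, Union


@dataclass(frozen=True)
class Number:
    """Fixed-width big-endian integer. size_of names the element whose
    byte length this field carries (a size relation, Len -> DATA)."""
    name: str
    width: int = 4
    value: int = 0
    size_of: Optional[str] = None


@dataclass(frozen=True)
class Blob:
    """Variable-length bytes; a String is treated the same way here."""
    name: str
    value: bytes = b""


Element = Union[Number, Blob]
Mutation = Tuple[str, bytes]  # (description, encoded test case)


class Block:
    """Ordered elements. encode() resolves every size relation from the
    current data unless a mutator overrides that field."""

    def __init__(self, *elements: Element) -> None:
        self.elements: List[Element] = list(elements)

    def get(self, name: str) -> Element:
        return next(e for e in self.elements if e.name == name)

    def with_value(self, name: str, value: bytes) -> "Block":
        """Copy of the model with one Blob replaced; relations re-resolve."""
        return Block(*(Blob(e.name, value) if isinstance(e, Blob) and e.name == name else e
                       for e in self.elements))

    def encode(self, overrides: Optional[dict] = None) -> bytes:
        overrides = overrides or {}
        out = bytearray()
        for e in self.elements:
            if isinstance(e, Blob):
                out += e.value
                continue
            if e.name in overrides:            # a mutator forces the field to lie
                v = overrides[e.name]
            elif e.size_of is not None:        # size relation: len() of the target
                v = len(self.get(e.size_of).value)
            else:
                v = e.value
            out += (v & ((1 << (8 * e.width)) - 1)).to_bytes(e.width, "big")
        return bytes(out)


Mutator = Callable[[Block, Number, Blob], Iterator[Mutation]]


def number_edge_cases(width: int) -> List[int]:
    """Interesting values for a width-byte field (slide 20); list assumed."""
    bits = 8 * width
    return [0, 1, (1 << (bits - 1)) - 1, 1 << (bits - 1), (1 << bits) - 1]


def size_relation_length_only(model: Block, length: Number, data: Blob) -> Iterator[Mutation]:
    """#1: the data stays intact, only the length field changes."""
    real = len(data.value)
    for v in [real - 1, real + 1] + number_edge_cases(length.width):
        if v >= 0:
            yield f"{length.name}={v:#x}", model.encode({length.name: v})


def size_relation_data_only(model: Block, length: Number, data: Blob) -> Iterator[Mutation]:
    """#2: the length field keeps its original value while the data grows or shrinks."""
    real = len(data.value)
    for n in (0, real // 2, real * 2, real * 64):
        m = model.with_value(data.name, b"A" * n)
        yield f"{data.name}={n}B,{length.name}={real}", m.encode({length.name: real})


def size_relation_both(model: Block, length: Number, data: Blob) -> Iterator[Mutation]:
    """#3: data and length move together to the numeric edge cases."""
    for v in number_edge_cases(length.width):
        m = model.with_value(data.name, b"A" * min(v, 1 << 16))  # cap what we allocate
        yield f"both={v:#x}", m.encode({length.name: v})


# Registry: a custom mutator (slide 27) is another function with this signature.
MUTATORS: List[Mutator] = [size_relation_length_only, size_relation_data_only, size_relation_both]


def iterate_test_cases(model: Block) -> List[Mutation]:
    """Run every size relation in the model through every registered mutator."""
    cases: List[Mutation] = []
    for e in model.elements:
        if isinstance(e, Number) and e.size_of is not None:
            target = model.get(e.size_of)
            assert isinstance(target, Blob)
            for mutate in MUTATORS:
                cases.extend(mutate(model, e, target))
    return cases


# Constructed sample packet shaped like the slide 7 layout: three INTs, a
# Len-prefixed STRING and a Len-prefixed DATA blob of 200 bytes.
PACKET = Block(
    Number("id", 4, 1), Number("seq", 4, 7), Number("flags", 4, 0x1),
    Number("name_len", 4, size_of="name"), Blob("name", b"peach"),
    Number("data_len", 4, size_of="data"), Blob("data", b"B" * 200),
)

if __name__ == "__main__":
    for desc, case in iterate_test_cases(PACKET):
        print(f"{desc:32} {len(case):6} bytes  {case[:32].hex()}")
```

Adding a custom mutator is a function with the same (model, length, data) signature appended to MUTATORS; running the file prints every generated case with its description and the first bytes of the encoded packet.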

  24. Mutation: State [diagram: the state model with packets A, B-1, B-2, C-1, C-2 and D]

  25. Mutation: State [diagram: the same model with C-1 and C-2 removed: A, B-1, B-2, D]

  26. Mutation: State [diagram: as slide 25: A, B-1, B-2, D]
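As an added example (not Peach code), this Python drives a stream-style state model like the ones on slides 13 to 16 (connect, output, input, change state, close) against an in-memory stand-in for a TCP publisher, and then applies state-level mutations in the spirit of slides 24 to 26: each output packet dropped from the model, and each output packet repeated. The states, packets and canned replies are constructed for the example; how Peach itself represents state mutators is not shown here.

```python
# Added example, not Peach code: a state model run through a fake publisher,
# and mutations applied to the model (dropped or repeated packets).
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Action:
    kind: str                      # connect | output | input | changeState | close
    data: bytes = b""              # payload for output actions
    target: Optional[str] = None   # next state for changeState actions


StateModel = Dict[str, List[Action]]
Transcript = List[Tuple[str, bytes]]


class MemoryPublisher:
    """Stand-in for a TCP publisher: records every action and answers each
    input with a canned reply keyed on the packet most recently sent."""

    def __init__(self, replies: Dict[bytes, bytes]) -> None:
        self.replies = replies
        self.transcript: Transcript = []
        self.connected = False
        self.last_sent = b""

    def connect(self) -> None:
        self.connected = True
        self.transcript.append(("connect", b""))

    def output(self, data: bytes) -> None:
        if not self.connected:                 # what a real socket would do
            self.transcript.append(("error", b"send on closed connection"))
            return
        self.last_sent = data
        self.transcript.append(("output", data))

    def input(self) -> bytes:
        reply = self.replies.get(self.last_sent, b"ERR") if self.connected else b""
        self.transcript.append(("input", reply))
        return reply

    def close(self) -> None:
        self.connected = False
        self.transcript.append(("close", b""))


def run(model: StateModel, initial: str, pub: MemoryPublisher, max_steps: int = 100) -> Transcript:
    """Drive the publisher through the model, following changeState actions."""
    state: Optional[str] = initial
    steps = 0
    while state is not None and steps < max_steps:
        next_state = None
        for action in model[state]:
            steps += 1
            if action.kind == "connect":
                pub.connect()
            elif action.kind == "output":
                pub.output(action.data)
            elif action.kind == "input":
                pub.input()
            elif action.kind == "close":
                pub.close()
            elif action.kind == "changeState":
                next_state = action.target
                break
        state = next_state
    return pub.transcript


def _copy(model: StateModel) -> StateModel:
    return {name: list(actions) for name, actions in model.items()}


def drop_each_output(model: StateModel) -> Iterator[Tuple[str, StateModel]]:
    """One mutant per output action, with that packet removed (slides 25-26)."""
    for name, actions in model.items():
        for i, a in enumerate(actions):
            if a.kind == "output":
                m = _copy(model)
                del m[name][i]
                yield f"drop {name}[{i}] {a.data!r}", m


def repeat_each_output(model: StateModel) -> Iterator[Tuple[str, StateModel]]:
    """One mutant per output action, with that packet sent twice."""
    for name, actions in model.items():
        for i, a in enumerate(actions):
            if a.kind == "output":
                m = _copy(model)
                m[name].insert(i, a)
                yield f"repeat {name}[{i}] {a.data!r}", m


def state_mutants(model: StateModel) -> List[Tuple[str, StateModel]]:
    return list(drop_each_output(model)) + list(repeat_each_output(model))


# Constructed protocol using the packet names of slides 9 and 24.
PROTOCOL: StateModel = {
    "State1": [Action("connect"), Action("output", b"A"), Action("input"),
               Action("changeState", target="State2")],
    "State2": [Action("output", b"B-1"), Action("input"), Action("output", b"B-2"),
               Action("input"), Action("changeState", target="State3")],
    "State3": [Action("output", b"C-1"), Action("input"), Action("output", b"C-2"),
               Action("input"), Action("output", b"D"), Action("input"), Action("close")],
}
REPLIES = {b"A": b"OK-A", b"B-1": b"OK-B1", b"B-2": b"OK-B2",
           b"C-1": b"OK-C1", b"C-2": b"OK-C2", b"D": b"BYE"}


def baseline() -> Transcript:
    return run(PROTOCOL, "State1", MemoryPublisher(REPLIES))


def run_mutant(index: int) -> Transcript:
    return run(state_mutants(PROTOCOL)[index][1], "State1", MemoryPublisher(REPLIES))


if __name__ == "__main__":
    for desc, mutant in state_mutants(PROTOCOL):
        t = run(mutant, "State1", MemoryPublisher(REPLIES))
        print(f"{desc:28} -> {[k + (':' + d.decode() if d else '') for k, d in t]}")
```

The transcript is what a monitor would correlate with a fault: in the first mutant the input after the dropped packet A comes back as ERR because the stand-in server never saw A, which is the kind of divergence a real target turns into a parse error or, with luck, a crash.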

  27. Add Custom Mutators • Sling some Python • Add additional mutations • Specific mutations • Etc.

  28. Fault Detection and Data Collection

  29. Agents & Monitors [diagram: Peach driving several Peach Agents, each hosting a Debugger Monitor, plus a Network Capture monitor]

  30. 2 Tier Configuration [diagram: Peach (Engine, Agent Manager, Backend, Logging) and two agents, Agent 1 and Agent 2, each with a Debugger and Network Capture around the Target; the flow is numbered 1-6]

  31. Monitors • Debuggers • Process Monitor • Memory Monitor • Network Capture • VM Control (snapshot, revert) • Networked Power Strips (cycle power) • Easy to implement custom monitors
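As an added example (not Peach code), a minimal process monitor of the kind slide 31 lists: it launches the target once per test case, feeds the case on stdin, and reports a fault when the target dies on a signal, exits with an NTSTATUS-style crash code, or hangs past a timeout. The target is a constructed Python one-liner that aborts on input starting with CRASH and sleeps on HANG; the fault criteria and the timeout are assumptions.

```python
# Added example, not Peach code: a per-iteration process monitor with a
# constructed target that crashes or hangs on specific input.
import signal
import subprocess
import sys
import time
from typing import List


def is_fault(returncode: int) -> bool:
    """Killed by a signal (negative, POSIX) or a >= 0xC0000000 status (Windows)."""
    return returncode < 0 or returncode >= 0xC0000000


def describe_exit(returncode: int) -> str:
    if returncode < 0:
        try:
            return signal.Signals(-returncode).name
        except ValueError:
            return f"signal {-returncode}"
    return f"exit {returncode:#x}" if returncode >= 0xC0000000 else f"exit {returncode}"


class ProcessMonitor:
    """Launch the target for one test case and classify how it ended."""

    def __init__(self, argv: List[str], timeout: float = 5.0) -> None:
        self.argv = argv
        self.timeout = timeout

    def run_iteration(self, test_case: bytes) -> dict:
        started = time.monotonic()
        try:
            proc = subprocess.run(self.argv, input=test_case, capture_output=True,
                                  timeout=self.timeout)
        except subprocess.TimeoutExpired:
            # subprocess.run kills the child for us once the timeout expires
            return {"fault": True, "kind": "hang", "seconds": self.timeout,
                    "stdout": b"", "stderr": b""}
        return {
            "fault": is_fault(proc.returncode),
            "kind": describe_exit(proc.returncode),
            "seconds": time.monotonic() - started,
            "stdout": proc.stdout,
            "stderr": proc.stderr[-2000:],   # keep the tail for the log
        }


# Constructed stand-in target (assumption): aborts on CRASH, sleeps on HANG.
TARGET_SOURCE = "\n".join([
    "import os, sys, time",
    "data = sys.stdin.buffer.read()",
    "if data.startswith(b'CRASH'): os.abort()",
    "if data.startswith(b'HANG'): time.sleep(60)",
    "sys.stdout.write('OK\\n')",
])
TARGET = [sys.executable, "-c", TARGET_SOURCE]

if __name__ == "__main__":
    mon = ProcessMonitor(TARGET, timeout=2.0)
    for case in (b"hello", b"CRASH", b"HANG"):
        r = mon.run_iteration(case)
        print(f"{case!r:10} fault={r['fault']!s:5} {r['kind']:8} {r['seconds']:.2f}s")
```

A debugger monitor does the same classification with more detail (faulting address, stack), but the decision "is this iteration a fault, and what do I save" is exactly this shape, and the stdin feed is what a file publisher replaces with a path argument.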

  32. Peach Development

  33. Documented XML Schema

  34. Peach Builder

  35. Peach Shark

  36. Peach Farm: Massively Parallel Fuzzing

  37. Peach Farm • Adam Cecchetti • Massively Parallel Fuzzing • Scales from 1 to 10,000 nodes • Choose your Virtual Platform/Hosting • EC2, Xen, VMware, etc. • Utilizes Map/Reduce Algorithm • Map: Maps the fuzzing cases to indexes and results • Reduce: Reduces fuzzing results to interesting cases • Metric based: Time, size, diff, expected errors, OS faults, crashes
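As an added example (not Peach Farm code), the map/reduce shape of slide 37 in Python: the sequential case index space is sharded across nodes so each node fuzzes its own contiguous range, a map step turns each raw run into the metrics the slide names (time, size, diff, expected errors, OS faults), and a reduce step keeps only the interesting cases, bucketed by cause. The run records, thresholds and expected-error set are constructed assumptions.

```python
# Added example, not Peach Farm code: shard the case space across nodes,
# map raw runs to metrics, reduce to interesting cases.
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple


def shard(case_count: int, nodes: int) -> List[Tuple[int, int]]:
    """Split case indexes [0, case_count) into one contiguous range per node,
    so node k can fuzz start..end with no coordination beyond its index."""
    base, extra = divmod(case_count, nodes)
    ranges, start = [], 0
    for k in range(nodes):
        end = start + base + (1 if k < extra else 0)
        ranges.append((start, end))
        start = end
    return ranges


def map_case(index: int, run: dict, baseline: dict, slow_factor: float = 10.0) -> dict:
    """Map: attach the case index and derived metrics to one raw run result."""
    return {
        "index": index,
        "fault": run["fault"],
        "kind": run["kind"],
        "slow": run["seconds"] > slow_factor * baseline["seconds"],
        "size_delta": len(run["stdout"]) - len(baseline["stdout"]),
        "diff": run["stdout"] != baseline["stdout"],
    }


def reduce_results(mapped: List[dict],
                   expected_errors: FrozenSet[str] = frozenset({"exit 1", "exit 2"}),
                   min_size_delta: int = 64) -> Dict[str, List[int]]:
    """Reduce: bucket interesting cases by why they are interesting. A run
    that ended in an expected error (input rejected cleanly) is not kept."""
    buckets: Dict[str, List[int]] = defaultdict(list)
    for m in mapped:
        if m["fault"]:
            buckets["fault:" + m["kind"]].append(m["index"])
        elif m["kind"] in expected_errors:
            continue
        elif m["slow"]:
            buckets["slow"].append(m["index"])
        elif m["diff"] and abs(m["size_delta"]) >= min_size_delta:
            buckets["output-diff"].append(m["index"])
    return dict(buckets)


# Constructed run records (assumption), one per case index.
BASELINE = {"fault": False, "kind": "exit 0", "seconds": 0.01, "stdout": b"OK\n"}
RUNS = [
    {"fault": False, "kind": "exit 0", "seconds": 0.01, "stdout": b"OK\n"},        # 0 boring
    {"fault": True, "kind": "SIGSEGV", "seconds": 0.02, "stdout": b""},            # 1 crash
    {"fault": False, "kind": "exit 1", "seconds": 0.01, "stdout": b"bad input\n"}, # 2 expected error
    {"fault": False, "kind": "exit 0", "seconds": 0.5, "stdout": b"OK\n"},         # 3 slow
    {"fault": True, "kind": "SIGSEGV", "seconds": 0.02, "stdout": b""},            # 4 same crash
    {"fault": False, "kind": "exit 0", "seconds": 0.01, "stdout": b"X" * 200},     # 5 output diff
    {"fault": True, "kind": "hang", "seconds": 5.0, "stdout": b""},                # 6 hang
    {"fault": False, "kind": "exit 0", "seconds": 0.01, "stdout": b"OK!\n"},       # 7 tiny diff
]


def farm_demo(nodes: int = 2) -> Dict[str, List[int]]:
    """Each node maps its own shard; the reduce runs over the union."""
    mapped: List[dict] = []
    for start, end in shard(len(RUNS), nodes):
        mapped.extend(map_case(i, RUNS[i], BASELINE) for i in range(start, end))
    return reduce_results(mapped)


if __name__ == "__main__":
    print(shard(len(RUNS), 3))
    for bucket, indexes in farm_demo().items():
        print(f"{bucket:16} cases {indexes}")
```

Because the case index fully determines the mutation (the model plus a sequential mutator index), a bucket of indexes is all a node has to report: any other node can regenerate the exact test case from the index and the pit, which is what makes the reduce step cheap to run centrally.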

  38. Peach in The Middle: What’s Next?

  39. Peach in The Middle [diagram: Peach, with its Data Model and a Controller, and an Agent placed between the Client and the Server]

  40. Q & A http://peachfuzz.sf.net http://phed.org mike@leviathansecurity.com
