Table of Contents for
I. Background
Fuzzing: Brute Force Vulnerability Discovery
by Pedram Amini, Adam Greene, Michael Sutton
Copyright
Dedication
Foreword
Preface
Introduction
Intended Audience
Prerequisites
Approach
A Touch of Humor
About the Cover
Companion Website: www.fuzzing.org
Acknowledgments
Group Acknowledgements
Michael’s Acknowledgements
Adam’s Acknowledgements
Pedram’s Acknowledgements
About the Authors
Michael Sutton
Adam Greene
Pedram Amini
I. Background
1. Vulnerability Discovery Methodologies
White Box Testing
Source Code Review
Tools and Automation
Pros and Cons
Black Box Testing
Manual Testing
Automated Testing or Fuzzing
Pros and Cons
Gray Box Testing
Binary Auditing
Automated Binary Auditing
Pros and Cons
Summary
2. What Is Fuzzing?
Definition of Fuzzing
History of Fuzzing
Fuzzing Phases
Fuzzing Limitations and Expectations
Access Control Flaws
Poor Design Logic
Backdoors
Memory Corruption
Multistage Vulnerabilities
Summary
3. Fuzzing Methods and Fuzzer Types
Fuzzing Methods
Pregenerated Test Cases
Random
Manual Protocol Mutation Testing
Mutation or Brute Force Testing
Automatic Protocol Generation Testing
Fuzzer Types
Local Fuzzers
Command-Line Fuzzers
Environment Variable Fuzzers
File Format Fuzzers
Remote Fuzzers
Network Protocol Fuzzers
Simple Protocols
Complex Protocols
Web Application Fuzzers
Web Browser Fuzzers
In-Memory Fuzzers
Fuzzer Frameworks
Summary
4. Data Representation and Analysis
What Are Protocols?
Protocol Fields
Plain Text Protocols
Binary Protocols
Network Protocols
File Formats
Common Protocol Elements
Name–Value Pairs
Block Identifiers
Block Sizes
Checksums
Summary
5. Requirements for Effective Fuzzing
Reproducibility and Documentation
Reusability
Process State and Process Depth
Tracking, Code Coverage, and Metrics
Error Detection
Resource Constraints
Summary
II. Targets and Automation
6. Automation and Data Generation
Value of Automation
Helpful Tools and Libraries
Ethereal/Wireshark
libdasm and libdisasm
Libnet/LibnetNT
LibPCAP
Metro Packet Library
PTrace
Python Extensions
Programming Language Choice
Data Generation and Fuzz Heuristics
Integer Values
String Repetitions
Field Delimiters
Format Strings
Character Translation
Directory Traversal
Command Injection
Summary
7. Environment Variable and Argument Fuzzing
Introduction to Local Fuzzing
Command-Line Arguments
Environment Variables
Local Fuzzing Principles
Finding Targets
UNIX File Permissions Explained
Local Fuzzing Methods
Enumerating Environment Variables
The GNU Debugger (GDB) Method
Automating Environment Variable Fuzzing
Library Preloading
Detecting Problems
Summary
8. Environment Variable and Argument Fuzzing: Automation
Features of iFUZZ Local Fuzzer
Development
Development Approach
Fork, Execute, and Wait Approach
Fork, Ptrace/Execute, and Wait/Ptrace Approach
Language
Case Study
Benefits and Room for Improvement
Summary
9. Web Application and Server Fuzzing
What Is Web Application Fuzzing?
Targets
Methods
Set Up
Inputs
Method
Request-URI
Protocol
Headers
Cookies
Post Data
Identifying Inputs
Vulnerabilities
Detection
Summary
10. Web Application and Server Fuzzing: Automation
Web Application Fuzzers
Features
Requests
Fuzz Variables
Responses
Necessary Background Information
Identifying Requests
Detection
HTML Status Codes
Error Messages Embedded in the Response
User Input Embedded in the Response
Performance Degradation
Request Timeouts
WebFuzz Error Messages
Handled or Unhandled Exceptions
Development
Approach
Language Selection
Design
TcpClient Class
Asynchronous Sockets
Generating Requests
Receiving Responses
Case Studies
Directory Traversal
Overflow
SQL Injection
XSS Scripting
Benefits and Room for Improvement
Summary
11. File Format Fuzzing
Targets
Methods
Brute Force or Mutation-Based Fuzzing
Intelligent Brute Force or Generation-Based Fuzzing
Inputs
Vulnerabilities
Denial of Service
Integer Handling Problems
Simple Stack and Heap Overflows
Logic Errors
Format Strings
Race Conditions
Detection
Summary
12. File Format Fuzzing: Automation on UNIX
notSPIKEfile and SPIKEfile
What’s Missing?
Development Approach
Exception Detection Engine
Exception Reporting (Exception Detection)
Core Fuzzing Engine
Meaningful Code Snippets
Usually Interesting UNIX Signals
Not So Interesting UNIX Signals
Zombie Processes
Usage Notes
Adobe Acrobat
RealNetworks RealPlayer
Case Study: RealPlayer RealPix Format String Vulnerability
Language
Summary
13. File Format Fuzzing: Automation on Windows
Windows File Format Vulnerabilities
Features
File Creation
Application Execution
Exception Detection
Saved Audits
Necessary Background Information
Identifying Targets
Windows Explorer
Windows Registry
Development
Approach
Language Selection
Design
File Creation
Reading from Source Files
Writing to Fuzz Files
Application Execution
Exception Detection
Case Study
Benefits and Room for Improvement
Summary
14. Network Protocol Fuzzing
What Is Network Protocol Fuzzing?
Targets
Layer 2: Data Link Layer
Layer 3: Network Layer
Layer 4: Transport Layer
Layer 5: Session Layer
Layer 6: Presentation Layer
Layer 7: Application Layer
Methods
Brute Force or Mutation-Based Fuzzing
Intelligent Brute Force or Generation-Based Fuzzing
Modified Client Mutation Fuzzing
Fault Detection
Manual (Debugger Based)
Automatic (Agent Based)
Other Sources
Summary
15. Network Protocol Fuzzing: Automation on UNIX
Fuzzing with SPIKE
Choosing the Target
Reversing the Protocol
SPIKE 101
Fuzz Engine
Generic Line-Based TCP Fuzzer
Block-Based Protocol Modeling
Additional SPIKE Features
Protocol-Specific Fuzzers
Protocol-Specific Fuzz Scripts
Generic Script-Based Fuzzers
Writing the SPIKE NMAP Fuzzer Script
Summary
16. Network Protocol Fuzzing: Automation on Windows
Features
Packet Structure
Capturing Data
Parsing Data
Fuzz Variables
Sending Data
Necessary Background Information
Detection
Performance Degradation
Request Timeouts and Unexpected Responses
Protocol Driver
Development
Language Selection
Packet Capture Library
Design
Network Adapter
Capturing Data
Parsing Data
Fuzz Variables
Hexadecimal Encoding and Decoding
Case Study
Benefits and Room for Improvement
Summary
17. Web Browser Fuzzing
What Is Web Browser Fuzzing?
Targets
Methods
Approaches
Inputs
HTML Headers
HTML Tags
XML Tags
ActiveX Controls
Cascading Style Sheets
Client-Side Script
Flash
URLs
Vulnerabilities
Detection
Summary
18. Web Browser Fuzzing: Automation
Component Object Model Background
History in a Nutshell
Objects and Interfaces
ActiveX
Fuzzer Development
Enumerating Loadable ActiveX Controls
Properties, Methods, Parameters, and Types
Fuzzing and Monitoring
Summary
19. In-Memory Fuzzing
In-Memory Fuzzing: What and Why?
Necessary Background Information
No Really, What Is In-Memory Fuzzing?
Targets
Method: Mutation Loop Insertion
Method: Snapshot Restoration Mutation
Testing Speed and Process Depth
Fault Detection
Summary
20. In-Memory Fuzzing: Automation
Required Feature Set
Language Choice
Windows Debugging API
Putting It All Together
How Do We Implement Our Need to “Hook” into the Target Process at Specific Points?
How Do We Handle Process Snapshots and Restores?
How Do We Choose Our Hook Points?
How Do We Locate and Mutate Target Memory Space?
PyDbg, Your New Best Friend
A Contrived Example
Summary
III. Advanced Fuzzing Technologies
21. Fuzzing Frameworks
What Is a Fuzzing Framework?
Existing Frameworks
antiparser
dfuz
SPIKE
Peach
General Purpose Fuzzer
Autodafé
Custom Fuzzer Case Study: Shockwave Flash
Modeling SWF Files
Generating Valid Data
Fuzzing Environment
Testing Methodologies
Sulley: Fuzzing Framework
Sulley Directory Structure
Data Representation
Static and Random Primitives
Integers
Strings and Delimiters
Blocks
Groups
Encoders
Dependencies
Block Helpers
Sizers
Checksums
Repeaters
Legos
Session
Targets and Agents
Agent: Network Monitor (network_monitor.py)
Agent: Process Monitor (process_monitor.py)
Agent: VMWare Control (vmcontrol.py)
Web Monitoring Interface
Postmortem
A Complete Walkthrough
Building the Requests
Creating the Session
Setting Up the Environment
Ready, Set, Action! And Postmortem
Summary
22. Automated Protocol Dissection
What’s the Problem with Fuzzing?
Heuristic Techniques
Proxy Fuzzing
Improved Proxy Fuzzing
Disassembly Heuristics
Bioinformatics
Genetic Algorithms
Summary
23. Fuzzer Tracking
What Exactly Are We Tracking?
Binary Visualization and Basic Blocks
CFGs
CFGs Illustrated
Architecting a Fuzzer Tracker
Profiling
Tracing
Cross-Referencing
Dissecting a Code Coverage Tool
PStalker Layout Overview
Data Sources
Data Exploration
Data Capture
Limitations
Data Storage
Case Study
Strategy
Gizmo Context Dump at Time of Crash
Tactics
Benefits and Future Improvements
Future Improvements
Summary
24. Intelligent Fault Detection
Primitive Fault Detection
What Are We Looking For?
A Note on Choosing Fuzz Values
Automated Debugger Monitoring
A Basic Debugger Monitor
A More Advanced Debugger Monitor
First-Chance Versus Last-Chance Exceptions
Dynamic Binary Instrumentation
Summary
IV. Looking Forward
25. Lessons Learned
Software Development Lifecycle
Analysis
Design
Coding
Testing
Maintenance
Implementing Fuzzing in the SDLC
Developers
QA Researchers
Security Researchers
Summary
26. Looking Forward
Commercial Tools
Beyond Security beSTORM
BreakingPoint Systems BPS-1000
Codenomicon
GLEG ProtoVer Professional
Mu Security Mu-4000
Security Innovation Holodeck
Hybrid Approaches to Vulnerability Discovery
Integrated Test Platforms
Summary
Part I. Background