Fuzzing And Oracles
By: Thomas Sidoti

Overview
• Introduction
• Motivation
• Fuzzable Exploits
• Oracles
• Implementation
• Fuzzing Results

Introduction
• Find relationships between oracles and exploits/errors.
• What class of errors could a particular oracle hope to find?

Motivation
• Fuzzers:
  – Generate input
  – Watch for errors
• Without good oracles, some errors will never be found.

Fuzzable Exploits
• Buffer Overflow
• Improper Validation of Array Index
• Integer Overflow
• Incorrect Calculation of Buffer Size
• From the CWE Top 25

Available Oracles
• Process Crash
• Output Monitoring
• Memory Monitoring
• Monitoring Services
• Program Flow Monitoring (PaiMei)

Fuzzable
• Created a program with optional exploits available.
• Flags:
  – b : Heap Buffer Overflow
  – m : Calculated Memory Size Not Checked
  – s : Stack Buffer Overflow (and small version)
  – i : Integer Overflow (Multiplication)
  – a : Calculated Array Index Not Checked (and small version)

File Format
10 - Number of Lines
30 - Chars per Line
1st Line
2nd Line
………………
Nth Line
9 - Get the xth Line
5 - The yth character from

Analysis of Open Source Fuzzers
• Open source fuzzing software is difficult to use.
  – Evolution Fuzzing System did not appear to do anything.
  – FileFuzz crashes when the program under test crashes.
  – Modified FileP to make it usable.
• Most don't include robust oracles.
  – Peach Fuzzer is the exception.

Results: Oracle-less Fuzzers
• FileP, FileFuzz
  – Random fuzzer based on a sample file.
• Fuzzled
  – Set of factories which make it easy for a programmer to generate input.
• Detects program crashes
  – All large errors

Results: Peach Fuzzer
• Oracles: Windows Debugger, Memory Monitor, Page Heap Debugging, etc.
• Page Heap debugging found the small heap space address miscalculation.
• Memory Monitor found the small excess in memory usage. (This flaw could also crash the program in Windows.)

Conclusion
• A good portion of errors can be found even when depending only on program crashes.
• Output monitoring may work well if tailored to your program.
• Using more advanced debugging techniques while debugging will reveal more subtle errors.

Thanks
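The split the deck reports between oracle-less fuzzers (crash detection catches the large errors) and Peach's memory monitor and page-heap debugging (which catch the small miscalculations) can be reproduced in miniature. The following is an added example, not the deck's fuzzable program and not code from FileP, FileFuzz, Fuzzled or Peach: a Python model of the deck's file format with a parser whose checks can be switched off, borrowing the deck's `m` (calculated size not checked) and `a` (calculated index not checked) flag letters, while the heap/stack overflow and integer overflow flags are not modelled. A sample-file mutator in the FileP style drives it, and three in-process oracles record findings: a crash oracle (any uncaught fault), a memory oracle (peak allocation via `tracemalloc` over a threshold) and an output oracle (disagreement with an independent reference implementation). The sample file, the bounds `MAX_DIM` and `MEM_LIMIT`, and the boundary values in `INTS` are all constructed for the example.

```python
import random
import tracemalloc

# Constructed sample in the deck's file format: line count, chars per line,
# the lines themselves, then x (line to fetch) and y (character in that line).
SAMPLE = "3\n5\nhello\nworld\nfuzzy\n1\n3\n"
MAX_DIM = 128          # sanity bound the hardened parser enforces on n and w
MEM_LIMIT = 64 * 1024  # memory oracle: flag any case whose peak allocation exceeds this
INTS = [-1, 0, 1, 7, 255, 65536]  # boundary values the mutator substitutes


class ParseError(Exception):
    """Deliberate rejection of malformed input; the crash oracle ignores this."""


def lookup(text, flags=()):
    """Target under test: return the y-th character of the x-th line.

    flags is a constructed analogue of the deck's flags: 'm' disables the
    check on the calculated buffer size n*w, 'a' disables the check on the
    calculated array index x*w+y. With no flags this is the hardened parser.
    """
    f = text.split("\n")
    try:
        n, w = int(f[0]), int(f[1])
    except (ValueError, IndexError):
        raise ParseError("malformed header")
    if "m" not in flags and not (0 < n <= MAX_DIM and 0 < w <= MAX_DIM):
        raise ParseError("unreasonable dimensions")
    table = bytearray(n * w)           # calculated buffer size; unchecked when 'm' is set
    try:
        lines = f[2:2 + n]
        x, y = int(f[2 + n]), int(f[3 + n])
    except (ValueError, IndexError):
        raise ParseError("malformed body or trailer")
    for i, line in enumerate(lines):
        chunk = line.encode()[:w]
        table[i * w:i * w + len(chunk)] = chunk
    if "a" not in flags and not (0 <= x < n and 0 <= y < w):
        raise ParseError("index out of range")
    return chr(table[x * w + y])       # an unchecked y >= w silently reads the next line


def reference(text):
    """Independent specification for the output oracle: the expected
    character, or None when the input is invalid under the format."""
    f = text.split("\n")
    try:
        n, w = int(f[0]), int(f[1])
        lines = f[2:2 + n]
        x, y = int(f[2 + n]), int(f[3 + n])
    except (ValueError, IndexError):
        return None
    if not (0 < n <= MAX_DIM and 0 < w <= MAX_DIM and 0 <= x < n and 0 <= y < w):
        return None
    return lines[x][y] if y < len(lines[x]) else "\0"


def mutate(text, rng):
    """Sample-file mutator: rewrite one numeric field with a boundary value,
    or one character of a body line (field layout is preserved)."""
    f = text.split("\n")
    if rng.random() < 0.7:
        i = rng.choice([0, 1, len(f) - 3, len(f) - 2])   # n, w, x, y
        f[i] = str(rng.choice(INTS))
    else:
        i = rng.randrange(2, len(f) - 3)                  # a body line
        chars = list(f[i])
        chars[rng.randrange(len(chars))] = rng.choice("ABCXYZ")
        f[i] = "".join(chars)
    return "\n".join(f)


def run_oracles(text, flags=()):
    """Run one input through the target under three oracles and return the
    set of findings: 'crash', 'memory', 'output'."""
    findings = set()
    tracemalloc.start()
    try:
        result = lookup(text, flags)
    except ParseError:
        result = None                  # clean rejection, not a finding
    except Exception:                  # crash oracle: any uncaught fault
        result = None
        findings.add("crash")
    peak = tracemalloc.get_traced_memory()[1]
    tracemalloc.stop()
    if peak > MEM_LIMIT:               # memory oracle
        findings.add("memory")
    if "crash" not in findings and result != reference(text):
        findings.add("output")         # output oracle: disagrees with the spec
    return findings


def fuzz(flags=(), cases=300, seed=1):
    """Mutate SAMPLE `cases` times and tally how often each oracle fired."""
    rng = random.Random(seed)
    counts = {"crash": 0, "memory": 0, "output": 0}
    for _ in range(cases):
        text = SAMPLE
        for _ in range(rng.randint(1, 2)):
            text = mutate(text, rng)
        for kind in run_oracles(text, flags):
            counts[kind] += 1
    return counts


if __name__ == "__main__":
    for flags in ("", "m", "a"):
        print(f"flags={flags!r:4} ->", fuzz(flags))
```

Running it shows the pattern the deck describes: the hardened parser produces no findings; with `a` set, an index only slightly out of range (y = 7 on a 5-character line) returns a character from the next line, which only the output oracle notices, while a large index is an IndexError that the crash oracle catches; with `m` set, a negative size faults immediately, but an oversized-yet-valid size is allocated and rejected quietly, and only the memory oracle reports it.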