Advanced Fuzzing with Peach 2

Сентябрь 7, 2022

Главная
Алгебра
Advanced Fuzzing with Peach 2

Содержание

2. Agenda Introduction to Peach 2 Data mutations Peach State Machine Peach Farm Peach in The Middle
3. Introduction to Peach 2
4. Peach 1 Framework for writing fuzzers Instrumentation via wrapper APIs No data definition layer (DDL), just
5. Peach 2 Reduce creation time and simplify fuzzer generation Fuzzer platform, not framework Modeling based approach
6. Modeling Based Fuzzing Model types and data Model state machine Support models with data sets Mutate
7. Model Data: Types INT INT INT Flags INT Len STRING DATA INT Len INT INT INT
8. Model Data: Relationships INT INT INT Flags INT Len STRING DATA INT Len INT INT INT
9. Model Data: State Model Packet A Packet B-1 Packet C-1 Packet C-2 Packet D Packet B-2
10. Benefits of Modeling Easy reuse of definitions Complex mutations can be applied to a model Improvements
11. Data Modeling Define structure of data Define relations in data Reuse definitions Block Sequence Choice String
12. State Modeling
13. Stream Call TCP, UDP, Files Connect Accept Input Output Close COM, RPC, SOAP Call Method Parameters
14. State Modeling: Stream State Machine 1 2 3 4 5
15. State Modeling: Stream State Machine 1 5
16. State Modeling: Stream State Machine 1 2 3 4
17. State Modeling: Call State Machine 1 2 3
18. Data Mutations
19. Mutation: String “?k1=v+1&k2=v2” 40,000+ variations
20. Mutation: Number 00 Interesting Edge Cases FFFFFFFFFFFFFFFF
21. Mutation: Size Relation #1 Length: Data:
22. Mutation: Size Relation #2 Length: Data: 200 Bytes
23. Mutation: Size Relation #3 Data & Length:
24. Mutation: State Packet A Packet B-1 Packet C-1 Packet C-2 Packet D Packet B-2
25. Mutation: State Packet A Packet B-1 Packet D Packet B-2
26. Mutation: State Packet A Packet B-1 Packet D Packet B-2
27. Add Custom Mutators Sling some Python Add additional mutations Specific mutations Etc.
28. AND DATA COLLECTION Fault Detection
29. Agents & Monitors Peach
30. 2 Tier Configuration 1 2 3 4 5 6
31. Monitors Debuggers Process Monitor Memory Monitor Network Capture VM Control (snapshot, revert) Networked Power Strips (cycle
32. Peach Development
33. Documented XML Schema
34. Peach Builder
35. Peach Shark
36. MASSIVELY PARALLEL FUZZING Peach Farm
37. Peach Farm Adam Cecchetti Massively Parallel Fuzzing Scales from 1 to 10,000 nodes Choose your Virtual
38. WHAT’S NEXT? Peach in The Middle
39. Peach in The Middle Client Server Peach Controller Agent Data Model
41. Скачать презентацию

Слайд 2

Agenda
Introduction to Peach 2
Data mutations
Peach State Machine
Peach Farm
Peach in The Middle

Слайд 3

Introduction to Peach 2

Слайд 4

Peach 1
Framework for writing fuzzers
Instrumentation via wrapper APIs
No data definition layer

(DDL), just fuzzer
Steep learning curve
Complex fuzzers result in complex fuzzer code

Слайд 5

Peach 2
Reduce creation time and simplify fuzzer generation
Fuzzer platform, not framework
Modeling

based approach
Fault detection
Lower learning curve

Слайд 6

Modeling Based Fuzzing
Model types and data
Model state machine
Support models with data

sets
Mutate models with mutators

Слайд 7

Model Data: Types
INT
INT
INT
Flags
INT
Len
STRING
DATA
INT
Len
INT
INT
INT
DATA

Слайд 8

Model Data: Relationships
INT
INT
INT
Flags
INT
Len
STRING
DATA
INT
Len
INT
INT
INT
DATA

Слайд 9

Model Data: State Model
Packet A
Packet B-1
Packet C-1
Packet C-2
Packet D
Packet
B-2

Слайд 10

Benefits of Modeling
Easy reuse of definitions
Complex mutations can be applied to

a model
Improvements to data generation or mutation independent of model
Data read into definition as well as generated

Слайд 11

Data Modeling
Define structure of data
Define relations in data
Reuse definitions
Block
Sequence
Choice
String
Number
Flags/Flag
Blob
Relation
Transformer

Слайд 12

State Modeling

Слайд 13

Stream
Call
TCP, UDP, Files
Connect
Accept
Input
Output
Close
COM, RPC, SOAP
Call
Method
Parameters
Result
State Modeling

Слайд 14

State Modeling: Stream
State Machine
1
2
3
4
5

Слайд 15

State Modeling: Stream
State Machine
1
5

Слайд 16

State Modeling: Stream
State Machine
1
2
3
4

Слайд 17

State Modeling: Call
State Machine
1
2
3

Слайд 18

Data Mutations

Слайд 19

Mutation: String
“?k1=v+1&k2=v2”
40,000+ variations

Слайд 20

Mutation: Number
00
Interesting Edge Cases
FFFFFFFFFFFFFFFF

Слайд 21

Mutation: Size Relation #1
Length:
Data:

Слайд 22

Mutation: Size Relation #2
Length:
Data:
200 Bytes

Слайд 23

Mutation: Size Relation #3
Data & Length:

Слайд 24

Mutation: State
Packet A
Packet B-1
Packet C-1
Packet C-2
Packet D
Packet
B-2

Слайд 25

Mutation: State
Packet A
Packet B-1
Packet D
Packet
B-2

Слайд 26

Mutation: State
Packet A
Packet B-1
Packet D
Packet
B-2

Слайд 27

Add Custom Mutators
Sling some Python
Add additional mutations
Specific mutations
Etc.

Слайд 28

AND DATA COLLECTION
Fault Detection

Слайд 29

Agents & Monitors
Peach

Слайд 30

2 Tier Configuration
1
2
3
4
5
6

Слайд 31

Monitors
Debuggers
Process Monitor
Memory Monitor
Network Capture
VM Control (snapshot, revert)
Networked Power Strips (cycle power)
Easy

to implement custom monitors

Слайд 32

Peach Development

Слайд 33

Documented XML Schema

Слайд 34

Peach Builder

Слайд 35

Peach Shark

Слайд 36

MASSIVELY PARALLEL FUZZING
Peach Farm

Слайд 37

Peach Farm
Adam Cecchetti
Massively Parallel Fuzzing
Scales from 1 to 10,000

nodes
Choose your Virtual Platform/Hosting
EC2, Xen, VMWare, Etc
Utilizes Map/Reduce Algorithm
Map: Maps the fuzzing cases to indexes and results
Reduce: Reduces fuzzing results to interesting cases
Metric based : Time, size, diff, expected errors, OS faults, crashes

Слайд 38

WHAT’S NEXT?
Peach in The Middle

Слайд 39

Peach in The Middle
Client
Server
Peach
Controller
Agent
Data Model