Contents
- 2. About me Hacking binary since 15 Left my first=last employer in 2004, independent ever since Done:
- 3. A BIT AWAY FROM A 0-DAY… Section 1: hacker’s
- 4. Microsoft Word 2007/2010 E
- 5. THE IDEAL FUZZER Section 2: engineer’s
- 6. Problems with fuzzers Too specialized. E.g. fuzz only browsers, or only files Not suitable for fuzzing
- 7. What I want (from a fuzzer) Omnivore. Target invariant: software type, data type, platform, architecture Omnipresent.
- 8. What I want, cont’d Autonomous. Can leave it for a week? Just runs Unlimited, native scaling.
- 9. Key design decisions Network client-server architecture Build upon isolated, generic tools Native automation bash, cmd/PowerShell, cscript/wscript,
- 10. Done
- 11. Results
- 12. THE MAGIC Section 3: director’s
- 13. Fuzzing in 2014 “Shellcoder’s Handbook”: 10 years ago “Fuzzing: Brute Force Vulnerability Discovery”: 7 years ago
- 14. The beginner’s delusion “Success in fuzzing is defined by speed & scale” Not exactly ClusterFuzz is
- 15. Thinking One only needs millions of test cases, if majority of those test cases are bad
- 16. Problem No algorithm to discover “fresh” code paths Code coverage can only measure the already reached
- 17. Where is the “new” code? Code unobviously triggered or reached Presumably effortful input generation Presumably constrained
- 18. Unobvious Examples CVE-2013-3906: TIFF 0-day Ogl.dll=gdiplus.dll alternative only in Office 2007 CVE-2014-0315: Insecure Library Loading with
- 19. Presumably Effortful Examples CVE-2013-1296: MS RDP ActiveX Use-after-Free No public ActiveX tools can target UaFs Strict
- 20. Presumably Constrained Example Standard ActiveX in Windows Requires user interaction in IE But IE is not
- 21. RESULTS Section 4: sponsor’s ☺
- 22. Microsoft Word
- 23. Microsoft XML
- 24. Reporting & Bounty Today: 22.05.2014 + Money arrived: 2014-05-07 ($2000)
- 25. “Critical infrastructure attack” contest @ PHDays: my 5 cents ☺
- 26. Lessons Learnt Research! Primary target: code bases Not data formats or data input interfaces or fuzzing