Fuzzing everything in 2014

About me

Hacking binary since 15
Left my first=last employer in 2004, independent

A BIT AWAY FROM A 0-DAY…

Section 1: hacker’s

Microsoft Word 2007/2010 E

THE IDEAL FUZZER

Section 2: engineer’s

Problems with fuzzers

Too specialized.
E.g. fuzz only browsers, or only files
Not suitable

What I want (from a fuzzer)

Omnivore.
Target invariant: software type, data type,

What I want, cont’d

Autonomous.
Can leave it for a week?
Just runs
Unlimited, native

Key design decisions

Network client-server architecture
Build upon isolated, generic tools
Native automation
bash, cmd/PowerShell,

Done

Results

THE MAGIC

Section 3: director’s

Fuzzing in 2014

“Shellcoder’s Handbook”: 10 years ago
“Fuzzing: Brute Force Vulnerability Discovery”:

The beginner’s delusion

“Success in fuzzing is defined by speed & scale”

Thinking

One only needs millions of test cases, if majority of those

Problem

No algorithm to discover “fresh” code paths
Code coverage can only measure

Where is the “new” code?
Code unobviously triggered or reached
Presumably effortful input

Unobvious Examples

CVE-2013-3906: TIFF 0’day
Ogl.dll=gdiplus.dll alternative only in Office 2007
CVE-2014-0315: Insecure Library

Presumably Effortful Examples
CVE-2013-1296: MS RDP ActiveX Use-after-Free
No public ActiveX tools can

Presumably Constrained Example
Standard ActiveX in Windows
Requires user interaction in IE
But IE

RESULTS

Section 4: sponsor’s ☺

Microsoft Word

Microsoft XML

Reporting & Bounty

Today: 22.05.2014

+ Money arrived: 2014-05-07 ($2000)

“Critical infrastracture attack” contest @ PHDays: my 5 cents ☺

Lessons Learnt

Research! Primary target: code bases
Not data formats or data input