You are previewing Fuzzing: Brute Force Vulnerability Discovery.
O'Reilly logo
Fuzzing: Brute Force Vulnerability Discovery

Book Description

FUZZING

Master One of Today’s Most Powerful Techniques for Revealing Security Flaws!

Fuzzing has evolved into one of today’s most effective approaches to test software security. To “fuzz,” you attach a program’s inputs to a source of random data, and then systematically identify the failures that arise. Hackers have

relied on fuzzing for years: Now, it’s your turn. In this book, renowned fuzzing experts show you how to use fuzzing to reveal weaknesses in your software before someone else does.

Fuzzing is the first and only book to cover fuzzing from start to finish, bringing disciplined best practices to a technique that has traditionally been implemented informally. The authors begin by reviewing how fuzzing works and outlining its crucial advantages over other security testing methods. Next, they introduce state-of-the-art fuzzing techniques for finding vulnerabilities in network protocols, file formats, and web applications; demonstrate the use of automated fuzzing tools; and present several insightful case histories showing fuzzing at work. Coverage includes:

• Why fuzzing simplifies test design and catches flaws other methods miss

• The fuzzing process: from identifying inputs to assessing “exploitability”

• Understanding the requirements for effective fuzzing

• Comparing mutation-based and generation-based fuzzers

• Using and automating environment variable and argument fuzzing

• Mastering in-memory fuzzing techniques

• Constructing custom fuzzing frameworks and tools

• Implementing intelligent fault detection

Attackers are already using fuzzing. You should, too. Whether you’re a developer, security engineer, tester, or QA specialist, this book teaches you how to build secure software.

Foreword     xix

Preface        xxi

Acknowledgments  xxv

About the Author   xxvii

PARTI         BACKGROUND     1

Chapter 1    Vulnerability Discovery Methodologies  3

Chapter 2    What Is Fuzzing?   21

Chapter 3    Fuzzing Methods and Fuzzer Types     33

Chapter 4    Data Representation and Analysis        45

Chapter 5    Requirements for Effective Fuzzing      61

PART II      TARGETS AND AUTOMATION          71

Chapter 6    Automation and Data Generation        73

Chapter 7    Environment Variable and Argument Fuzzing 89

Chapter 8    Environment Variable and Argument Fuzzing: Automation 103

Chapter 9    Web Application and Server Fuzzing     113

Chapter 10  Web Application and Server Fuzzing: Automation    137

Chapter 11  File Format Fuzzing         169

Chapter 12  File Format Fuzzing: Automation on UNIX     181

Chapter 13  File Format Fuzzing: Automation on Windows         197

Chapter 14  Network Protocol Fuzzing         223

Chapter 15  Network Protocol Fuzzing: Automation on UNIX     235

Chapter 16  Network Protocol Fuzzing: Automation on Windows         249

Chapter 17  Web Browser Fuzzing      267

Chapter 18  Web Browser Fuzzing: Automation     283

Chapter 19  In-Memory Fuzzing         301

Chapter 20  In-Memory Fuzzing: Automation         315

PART III    ADVANCED FUZZING TECHNOLOGIES      349

Chapter 21  Fuzzing Frameworks       351

Chapter 22  Automated Protocol Dissection  419

Chapter 23  Fuzzer Tracking     437

Chapter 24  Intelligent Fault Detection 471

PART IV     LOOKING FORWARD    495

Chapter 25  Lessons Learned    497

Chapter 26  Looking Forward    507

Index 519

Table of Contents

  1. Copyright
    1. Dedication
  2. Foreword
  3. Preface
    1. Introduction
    2. Intended Audience
    3. Prerequisites
    4. Approach
    5. A Touch of Humor
    6. About the Cover
    7. Companion Website:www.fuzzing.org
  4. Acknowledgments
    1. Group Acknowledgements
    2. Michael’s Acknowledgements
    3. Adam’s Acknowledgements
    4. Pedram’s Acknowledgements
  5. About the Authors
    1. Michael Sutton
    2. Adam Greene
    3. Pedram Amini
  6. I. Background
    1. 1. Vulnerability Discovery Methodologies
      1. White Box Testing
        1. Source Code Review
        2. Tools and Automation
        3. Pros and Cons
      2. Black Box Testing
        1. Manual Testing
        2. Automated Testing or Fuzzing
        3. Pros and Cons
      3. Gray Box Testing
        1. Binary Auditing
        2. Automated Binary Auditing
        3. Pros and Cons
      4. Summary
    2. 2. What Is Fuzzing?
      1. Definition of Fuzzing
      2. History of Fuzzing
      3. Fuzzing Phases
      4. Fuzzing Limitations and Expectations
        1. Access Control Flaws
        2. Poor Design Logic
        3. Backdoors
        4. Memory Corruption
        5. Multistage Vulnerabilities
      5. Summary
    3. 3. Fuzzing Methods and Fuzzer Types
      1. Fuzzing Methods
        1. Pregenerated Test Cases
        2. Random
        3. Manual Protocol Mutation Testing
        4. Mutation or Brute Force Testing
        5. Automatic Protocol Generation Testing
      2. Fuzzer Types
        1. Local Fuzzers
          1. Command-Line Fuzzers
          2. Environment Variable Fuzzers
          3. File Format Fuzzers
        2. Remote Fuzzers
          1. Network Protocol Fuzzers
            1. Simple Protocols
            2. Complex Protocols
          2. Web Application Fuzzers
          3. Web Browser Fuzzers
        3. In-Memory Fuzzers
        4. Fuzzer Frameworks
      3. Summary
    4. 4. Data Representation and Analysis
      1. What Are Protocols?
      2. Protocol Fields
      3. Plain Text Protocols
      4. Binary Protocols
      5. Network Protocols
      6. File Formats
      7. Common Protocol Elements
        1. Name–Value Pairs
        2. Block Identifiers
        3. Block Sizes
        4. Checksums
      8. Summary
    5. 5. Requirements for Effective Fuzzing
      1. Reproducibility and Documentation
      2. Reusability
      3. Process State and Process Depth
      4. Tracking, Code Coverage, and Metrics
      5. Error Detection
      6. Resource Constraints
      7. Summary
  7. II. Targets and Automation
    1. 6. Automation and Data Generation
      1. Value of Automation
      2. Helpful Tools and Libraries
        1. Ethereal/Wireshark
        2. libdasm and libdisasm
        3. Libnet/LibnetNT
        4. LibPCAP
        5. Metro Packet Library
        6. PTrace
        7. Python Extensions
      3. Programming Language Choice
      4. Data Generation and Fuzz Heuristics
        1. Integer Values
        2. String Repetitions
        3. Field Delimiters
        4. Format Strings
        5. Character Translation
        6. Directory Traversal
        7. Command Injection
      5. Summary
    2. 7. Environment Variable and Argument Fuzzing
      1. Introduction to Local Fuzzing
        1. Command-Line Arguments
        2. Environment Variables
      2. Local Fuzzing Principles
      3. Finding Targets
        1. UNIX File Permissions Explained
      4. Local Fuzzing Methods
      5. Enumerating Environment Variables
        1. The GNU Debugger (GDB) Method
      6. Automating Environment Variable Fuzzing
        1. Library Preloading
      7. Detecting Problems
      8. Summary
    3. 8. Environment Variable and Argument Fuzzing: Automation
      1. Features of iFUZZ Local Fuzzer
      2. Development
        1. Development Approach
          1. Fork, Execute, and Wait Approach
          2. Fork, Ptrace/Execute, and Wait/Ptrace Approach
      3. Language
      4. Case Study
      5. Benefits and Room for Improvement
      6. Summary
    4. 9. Web Application and Server Fuzzing
      1. What Is Web Application Fuzzing?
      2. Targets
      3. Methods
        1. Set Up
        2. Inputs
          1. Method
          2. Request-URI
          3. Protocol
          4. Headers
          5. Cookies
          6. Post Data
          7. Identifying Inputs
      4. Vulnerabilities
      5. Detection
      6. Summary
    5. 10. Web Application and Server Fuzzing: Automation
      1. Web Application Fuzzers
      2. Features
        1. Requests
        2. Fuzz Variables
        3. Responses
      3. Necessary Background Information
        1. Identifying Requests
        2. Detection
          1. HTML Status Codes
          2. Error Messages Embedded in the Response
          3. User Input Embedded in the Response
          4. Performance Degradation
          5. Request Timeouts
          6. WebFuzz Error Messages
          7. Handled or Unhandled Exceptions
      4. Development
        1. Approach
        2. Language Selection
        3. Design
          1. TcpClient Class
          2. Asynchronous Sockets
          3. Generating Requests
          4. Receiving Responses
      5. Case Studies
        1. Directory Traversal
        2. Overflow
        3. SQL Injection
        4. XSS Scripting
      6. Benefits and Room for Improvement
      7. Summary
    6. 11. File Format Fuzzing
      1. Targets
      2. Methods
        1. Brute Force or Mutation-Based Fuzzing
        2. Intelligent Brute Force or Generation-Based Fuzzing
      3. Inputs
      4. Vulnerabilities
        1. Denial of Service
        2. Integer Handling Problems
        3. Simple Stack and Heap Overflows
        4. Logic Errors
        5. Format Strings
        6. Race Conditions
      5. Detection
      6. Summary
    7. 12. File Format Fuzzing: Automation on UNIX
      1. notSPIKEfile and SPIKEfile
        1. What’s Missing?
      2. Development Approach
        1. Exception Detection Engine
        2. Exception Reporting (Exception Detection)
        3. Core Fuzzing Engine
      3. Meaningful Code Snippets
        1. Usually Interesting UNIX Signals
        2. Not So Interesting UNIX Signals
      4. Zombie Processes
      5. Usage Notes
        1. Adobe Acrobat
        2. RealNetworks RealPlayer
      6. Case Study: RealPlayer RealPix Format String Vulnerability
      7. Language
      8. Summary
    8. 13. File Format Fuzzing: Automation on Windows
      1. Windows File Format Vulnerabilities
      2. Features
        1. File Creation
        2. Application Execution
        3. Exception Detection
        4. Saved Audits
      3. Necessary Background Information
        1. Identifying Targets
          1. Windows Explorer
          2. Windows Registry
      4. Development
        1. Approach
        2. Language Selection
        3. Design
          1. File Creation
          2. Reading from Source Files
          3. Writing to Fuzz Files
          4. Application Execution
          5. Exception Detection
      5. Case Study
      6. Benefits and Room for Improvement
      7. Summary
    9. 14. Network Protocol Fuzzing
      1. What Is Network Protocol Fuzzing?
      2. Targets
        1. Layer 2: Data Link Layer
        2. Layer 3: Network Layer
        3. Layer 4: Transport Layer
        4. Layer 5: Session Layer
        5. Layer 6: Presentation Layer
        6. Layer 7: Application Layer
      3. Methods
        1. Brute Force or Mutation-Based Fuzzing
        2. Intelligent Brute Force or Generation-Based Fuzzing
        3. Modified Client Mutation Fuzzing
      4. Fault Detection
        1. Manual (Debugger Based)
        2. Automatic (Agent Based)
        3. Other Sources
      5. Summary
    10. 15. Network Protocol Fuzzing:Automation on UNIX
      1. Fuzzing with SPIKE
        1. Choosing the Target
        2. Reversing the Protocol
      2. SPIKE 101
        1. Fuzz Engine
        2. Generic Line-Based TCP Fuzzer
      3. Block-Based Protocol Modeling
      4. Additional SPIKE Features
        1. Protocol-Specific Fuzzers
        2. Protocol-Specific Fuzz Scripts
        3. Generic Script-Based Fuzzers
      5. Writing the SPIKE NMAP Fuzzer Script
      6. Summary
    11. 16. Network Protocol Fuzzing:Automation on Windows
      1. Features
        1. Packet Structure
        2. Capturing Data
        3. Parsing Data
        4. Fuzz Variables
        5. Sending Data
      2. Necessary Background Information
        1. Detection
          1. Performance Degradation
          2. Request Timeouts and Unexpected Responses
        2. Protocol Driver
      3. Development
        1. Language Selection
        2. Packet Capture Library
        3. Design
          1. Network Adapter
          2. Capturing Data
          3. Parsing Data
          4. Fuzz Variables
          5. Hexadecimal Encoding and Decoding
      4. Case Study
      5. Benefits and Room for Improvement
      6. Summary
    12. 17. Web Browser Fuzzing
      1. What Is Web Browser Fuzzing?
      2. Targets
      3. Methods
        1. Approaches
        2. Inputs
          1. HTML Headers
          2. HTML Tags
          3. XML Tags
          4. ActiveX Controls
          5. Cascading Style Sheets
          6. Client-Side Script
          7. Flash
          8. URLs
      4. Vulnerabilities
      5. Detection
      6. Summary
    13. 18. Web Browser Fuzzing: Automation
      1. Component Object Model Background
        1. History in a Nutshell
        2. Objects and Interfaces
        3. ActiveX
      2. Fuzzer Development
        1. Enumerating Loadable ActiveX Controls
        2. Properties, Methods, Parameters, and Types
        3. Fuzzing and Monitoring
      3. Summary
    14. 19. In-Memory Fuzzing
      1. In-Memory Fuzzing: What and Why?
      2. Necessary Background Information
      3. No Really, What Is In-Memory Fuzzing?
      4. Targets
      5. Method: Mutation Loop Insertion
      6. Method: Snapshot Restoration Mutation
      7. Testing Speed and Process Depth
      8. Fault Detection
      9. Summary
    15. 20. In-Memory Fuzzing: Automation
      1. Required Feature Set
      2. Language Choice
      3. Windows Debugging API
      4. Putting It All Together
        1. How Do We Implement Our Need to “Hook” into the Target Process at Specific Points?
        2. How Do We Handle Process Snapshots and Restores?
        3. How Do We Choose Our Hook Points?
        4. How Do We Locate and Mutate Target Memory Space?
      5. PyDbg, Your New Best Friend
      6. A Contrived Example
      7. Summary
  8. III. Advanced Fuzzing Technologies
    1. 21. Fuzzing Frameworks
      1. What Is a Fuzzing Framework?
      2. Existing Frameworks
        1. antiparser
        2. dfuz
        3. SPIKE
        4. Peach
        5. General Purpose Fuzzer
        6. Autodafé
      3. Custom Fuzzer Case Study: Shockwave Flash
        1. Modeling SWF Files
        2. Generating Valid Data
        3. Fuzzing Environment
        4. Testing Methodologies
      4. Sulley: Fuzzing Framework
        1. Sulley Directory Structure
        2. Data Representation
          1. Static and Random Primitives
          2. Integers
          3. Strings and Delimiters
          4. Blocks
          5. Groups
          6. Encoders
          7. Dependencies
          8. Block Helpers
          9. Sizers
          10. Checksums
          11. Repeaters
          12. Legos
        3. Session
          1. Targets and Agents
          2. Agent: Network Monitor (network_monitor.py)
          3. Agent: Process Monitor (process_monitor.py)
          4. Agent: VMWare Control (vmcontrol.py)
          5. Web Monitoring Interface
        4. Postmortem
        5. A Complete Walkthrough
          1. Building the Requests
          2. Creating the Session
          3. Setting Up the Environment
          4. Ready, Set, Action! And Postmortem
      5. Summary
    2. 22. Automated Protocol Dissection
      1. What’s the Problem with Fuzzing?
      2. Heuristic Techniques
        1. Proxy Fuzzing
        2. Improved Proxy Fuzzing
        3. Disassembly Heuristics
      3. Bioinformatics
      4. Genetic Algorithms
      5. Summary
    3. 23. Fuzzer Tracking
      1. What Exactly Are We Tracking?
      2. Binary Visualization and Basic Blocks
        1. CFGs
        2. CFGs Illustrated
      3. Architecting a Fuzzer Tracker
        1. Profiling
        2. Tracing
        3. Cross-Referencing
      4. Dissecting a Code Coverage Tool
        1. PStalker Layout Overview
        2. Data Sources
        3. Data Exploration
        4. Data Capture
        5. Limitations
        6. Data Storage
      5. Case Study
        1. Strategy
          1. Gizmo Context Dump at Time of Crash
        2. Tactics
      6. Benefits and Future Improvements
        1. Future Improvements
      7. Summary
    4. 24. Intelligent Fault Detection
      1. Primitive Fault Detection
      2. What Are We Looking For?
      3. A Note on Choosing Fuzz Values
      4. Automated Debugger Monitoring
        1. A Basic Debugger Monitor
        2. A More Advanced Debugger Monitor
      5. First-Chance Versus Last-Chance Exceptions
      6. Dynamic Binary Instrumentation
      7. Summary
  9. IV. Looking Forward
    1. 25. Lessons Learned
      1. Software Development Lifecycle
        1. Analysis
        2. Design
        3. Coding
        4. Testing
        5. Maintenance
        6. Implementing Fuzzing in the SDLC
      2. Developers
      3. QA Researchers
      4. Security Researchers
      5. Summary
    2. 26. Looking Forward
      1. Commercial Tools
        1. Beyond Security beSTORM
        2. BreakingPoint Systems BPS-1000
        3. Codenomicon
        4. GLEG ProtoVer Professional
        5. Mu Security Mu-4000
        6. Security Innovation Holodeck
      2. Hybrid Approaches to Vulnerability Discovery
      3. Integrated Test Platforms
      4. Summary