Fuzzing for CyberSecurity
Olivier Hainque, 2019-10-03
Fuzzing, a.k.a. Fuzz Testing
AFL, American Fuzzy Lop
AFL with GNAT Pro/Ada

Fuzzing, a.k.a. Fuzz Testing

Fuzz Testing (1)
Loop: feed programs with random / mutated / invalid inputs to reach control-flow paths unanticipated by regular tests.
The hope is to find bugs, visible as hangs, crashes or uncaught exceptions.
[Flowchart: Generate input -> Execute -> Fault ? -> yes: bugs / no: back to Generate input]

Fuzz Testing (2)
Originally developed in 1989 by Barton Miller, at the University of Wisconsin. Not a new idea.
The technique has evolved a lot since then.
Still a strong focus on security, for various kinds of vulnerabilities.
Also useful as a general bug finding facility.

Fuzz Testing (3)
Helps you find bugs/vulnerabilities in your code.
Helps others find bugs/vulnerabilities in *your* code as well.
Better find the bugs first ...
Finding bugs early is valuable anyway.

Fuzz Testing (4)
Lots of fuzzing tools today, always computationally intensive.
Input generation engine and feedback loop are key to efficiency.
Various strategies, some sophisticated. Not monkey-testing anymore.
[Diagram: Regular, Mutation 1, Mutation 2, Mutation 3, Mutation 4 -> Sphere -> Fault ?]
A trendy fuzzer these days ...
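The generate / execute / fault? loop from the first slides and the "mutation engine plus feedback" point above, as an added Python example (not code from the talk, and not AFL's own code): a toy coverage-guided mutation fuzzer. Line coverage collected with sys.settrace stands in for AFL's compile-time instrumentation, and parse_record is a constructed target with a deliberately missing bounds check; the iteration count and seed corpus are assumptions chosen so a run finishes in about a second.

```python
import random
import sys


def parse_record(data: bytes) -> int:
    """Constructed toy target (not from the talk): a tiny tag/length/value
    record parser with a deliberately missing bounds check, standing in for
    the kind of bug fuzzing is meant to surface."""
    if len(data) < 2 or data[0] != 0x7F:
        return 0                      # wrong magic byte
    tag = data[1]
    if tag == 0x01:
        return 1                      # empty record
    if tag == 0x02:
        length = data[2]              # bug: no check that a 3rd byte exists
        payload = data[3:3 + length]
        checksum = data[3 + length]   # bug: no check that the checksum byte exists
        return 2 if (sum(payload) & 0xFF) == checksum else 3
    return 4                          # unknown tag


def run_with_coverage(target, data: bytes):
    """Run target(data); return (set of executed line numbers, exception or None).
    Line coverage via sys.settrace plays the role of AFL's instrumentation:
    the feedback that tells the loop a mutation reached new code."""
    covered = set()

    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is target.__code__:
            covered.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        target(data)
        fault = None
    except Exception as exc:          # a "crash"; hangs (timeouts) are not modelled here
        fault = exc
    finally:
        sys.settrace(previous)
    return covered, fault


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, byte overwrite, byte insert or byte delete."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf[:64])            # keep inputs small


def fuzz(target, seeds, iterations=20000, seed=1):
    """Coverage-guided mutation loop: generate -> execute -> fault?
    A mutated input is kept as a new parent only if it covered a line no
    earlier input did; inputs that raise are collected as crashes."""
    rng = random.Random(seed)
    corpus = list(seeds)
    seen = set()
    crashes = []
    for s in seeds:
        seen |= run_with_coverage(target, s)[0]
    for _ in range(iterations):
        child = mutate(rng.choice(corpus), rng)
        covered, fault = run_with_coverage(target, child)
        if fault is not None:
            crashes.append((child, fault))
        elif covered - seen:
            seen |= covered
            corpus.append(child)
    return corpus, crashes


if __name__ == "__main__":
    corpus, crashes = fuzz(parse_record, [b"\x7f\x01"])   # constructed seed input
    print(f"corpus size {len(corpus)}, crashing inputs {len(crashes)}")
    for data, exc in crashes[:3]:
        print(f"  {data!r}: {exc!r}")
```

Starting from the single seed, the loop first discovers inputs that reach the unknown-tag and wrong-magic branches (kept because they add coverage), and from those parents one more byte mutation reaches the tag 0x02 path, where every crash is an IndexError from the missing bounds checks. Removing the `covered - seen` test turns it back into blind monkey-testing, which is the efficiency point the slide makes.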

AFL, American Fuzzy Lop

American Fuzzy Lop
Wikipedia: << The American Fuzzy Lop is a rabbit breed recognized by the American Rabbit Breeders Association (ARBA). It is similar in appearance to a Holland Lop. >>
Why that name for the tool ? First hit on “fuzz” ? Rabbit mutation ? Rabbit vs Monkey ? Killer Bunny ?
[Photos: Holland Lop, American Fuzzy Lop]

AFL, American Fuzzy Lop http://lcamtuf.coredump.cx/afl/
Smart: input mutation based, driven by CFG instrumentation feedback.
Fast: fork-point optimization and in-process fuzzing loops.
[Diagram: Program = Init / setup phase, then Input processing phase -> Fault ?; feedback loop, annotated "Repeat only this" on the input processing phase and "Not all" on the program]

AFL, American Fuzzy Lop
historical_notes.txt in version 2.52:
<< Ultimately, what matters is that afl-fuzz is designed to find cool bugs - and has a pretty robust track record of doing just that. >>

AFL with GNAT Pro / Ada

Original idea and experiments by an AdaCore customer:
"Leveraging Ada Run-Time Checks with Fuzz Testing in AFL", by Lionel Matias, Dec 19, 2017: https://blog.adacore.com/running-american-fuzzy-lop-on-your-ada-code
Now a nightly-built internal package, available for beta testing on demand. Linux only. Not a product.
Further work underway through a research project.

AFL's notion of a Fault is a hang, or a crash from a signal.
With Ada: seek hangs or unhandled exceptions, or crashes if the run-time checks are removed.

Assuming a program P processing an input file:

   with Ada.Command_Line;
   with Worker;

   procedure P is
      Filename : constant String := Ada.Command_Line.Argument (1);
   begin
      Worker.Process (Filename);
   end;

Fuzzing with AFL first incurs a simple wrapper, turning an unhandled exception into a core dump (a signal, which AFL sees as a crash):

   with GNAT.Exception_Actions;
   with P;

   procedure P_Crash is
   begin
      P;
   exception
      when E : others =>
         GNAT.Exception_Actions.Core_Dump (E);
   end;

Then a very simple sequence of commands:

   PATH=<...> AFL_PATH=<...>
   gprbuild -Pp.gpr p_crash.adb -XDRIVER=afl-gcc-fast
   afl-fuzz -i inputs -o findings -- obj/p_crash @@

Only minor project file updates to access:
● The instrumenting compiler
● Facilities to leverage AFL’s fork-server and in-process fuzzing

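The fault model the wrapper exists for, as an added Python example that is not code from the talk: AFL only classifies a termination by signal as a crash, so an exception must be turned into one, which is what P_Crash does with Core_Dump. Here process is a constructed stand-in for Worker.Process, crash_wrapper mirrors P_Crash with os.abort (SIGABRT) in place of a core dump, and run_as_afl_would runs the target in a forked child and classifies its wait status the way a fuzzer does; the wrap flag is an assumption added to contrast the wrapped and unwrapped outcomes.

```python
import os
import signal
import tempfile


def process(filename: str) -> None:
    """Constructed stand-in for Worker.Process (not the talk's code): a checked
    parse that raises on malformed input, the way an Ada run-time check or an
    explicit raise reports an error through an exception."""
    with open(filename, "rb") as f:
        data = f.read()
    if not data or data[0] != 0x7F:
        raise ValueError("bad magic byte")


def crash_wrapper(filename: str) -> None:
    """Counterpart of P_Crash: an unhandled exception becomes SIGABRT, which
    afl-fuzz records as a crash. Without this the exception would only yield
    a non-zero exit status, which AFL does not treat as a fault."""
    try:
        process(filename)
    except Exception:
        os.abort()                    # SIGABRT to ourselves, like Core_Dump (E)


def run_as_afl_would(data: bytes, wrap: bool) -> str:
    """Run the target on `data` in a forked child and classify the outcome from
    the wait status as a fuzzer does: termination by signal is a crash, a plain
    exit (even with a non-zero status) is not."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    pid = os.fork()
    if pid == 0:                      # child: the fuzzed program
        try:
            if wrap:
                crash_wrapper(path)
            else:
                try:
                    process(path)
                except Exception:
                    os._exit(1)       # unhandled exception: error status, no signal
        finally:
            os._exit(0)
    _, status = os.waitpid(pid, 0)
    os.unlink(path)
    if os.WIFSIGNALED(status):
        return "crash " + signal.Signals(os.WTERMSIG(status)).name
    return "exit %d" % os.WEXITSTATUS(status)


if __name__ == "__main__":
    for data in (b"\x7f good", b"bad"):         # constructed inputs
        for wrap in (False, True):
            print(data, "wrapped" if wrap else "plain", "->", run_as_afl_would(data, wrap))
```

The same malformed input is reported as "exit 1" without the wrapper, which a signal-based fuzzer would silently count as a normal run, and as "crash SIGABRT" with it, which is what lands in the findings directory. This is the Linux behaviour; os.fork and the wait-status macros are not available on Windows.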
Interesting results from a number of experiments:
Lionel, in his blog post, describes successful attempts on ZipAda, AdaYaml, GNATcoll.JSON.
Then in-house work and interesting results on XMLAda.

Wrapup
Fuzz testing is a technique that helps find vulnerabilities thanks to automatically generated input variations.
Quite a buzz around AFL these days, a powerful fuzzer on Linux.
Fuzzing GNAT Pro Ada programs is now possible with AFL.
Further work underway, research efforts.
Better do it early ... Thank you !