
Fuzzing for CyberSecurity

Olivier Hainque, 2019-10-03, for CyberSecurity

● Fuzzing, a.k.a. Fuzz Testing
● AFL, American Fuzzy Lop
● AFL with GNAT Pro/Ada

Fuzzing, a.k.a. Fuzz Testing

Fuzz Testing (1)

In a loop, feed programs with random, mutated or invalid inputs to reach control-flow paths unanticipated by regular tests.

The hope is to find bugs, visible as hangs, crashes or uncaught exceptions.

[Diagram: Generate input -> Execute -> Fault? If yes: bugs; if no: back to Generate input]

Fuzz Testing (2)

Originally developed in 1989 by Barton Miller at the University of Wisconsin. Not a new idea.

The technique has evolved a lot since then.

Still a strong focus on security, for various kinds of vulnerabilities.

Also useful as a general bug-finding facility.

Fuzz Testing (3)

Helps you find bugs/vulnerabilities in your code.

Helps others find bugs/vulnerabilities in *your* code as well.

Better find the bugs first ...

Finding bugs early is valuable anyway.

Fuzz Testing (4)

Lots of fuzzing tools today; fuzzing is always computationally intensive.

Input generation engine and feedback loop are key to efficiency.

Various strategies, some sophisticated. Not monkey-testing anymore.

[Diagram: a Regular input and Mutation 1, Mutation 2, Mutation 3, Mutation 4 inside a sphere, each executed and checked: Fault?]

A trendy fuzzer these days ...

AFL, American Fuzzy Lop

American Fuzzy Lop

Wikipedia: << The American Fuzzy Lop is a rabbit breed recognized by the American Rabbit Breeders Association (ARBA). It is similar in appearance to a Holland Lop. >>

First hit on “fuzz”? Rabbit mutation? Rabbit vs Monkey? American Fuzzy Killer Bunny?

Why that name for the tool?

[Images: Holland Lop, American Fuzzy Lop]

http://lcamtuf.coredump.cx/afl/

AFL, American Fuzzy Lop
http://lcamtuf.coredump.cx/afl/

Smart: input-mutation based, driven by CFG instrumentation feedback.

Fast: fork-point optimization and in-process fuzzing loops.

[Diagram: Program = Init / setup phase, then Repeat { Input processing phase -> Fault? }; the AFL feedback loop covers only the input processing phase, not all of the program]

AFL, American Fuzzy Lop

From historical_notes.txt in AFL version 2.52:

<< Ultimately, what matters is that afl-fuzz is designed to find cool bugs - and has a pretty robust track record of doing just that. >>

AFL with GNAT Pro / Ada

AFL with GNAT Pro / Ada

Original idea and experiments by an AdaCore customer

"Leveraging Ada Run-Time Checks with Fuzz Testing in AFL" by Lionel Matias, Dec 19, 2017: https://blog.adacore.com/running-american-fuzzy-lop-on-your-ada-code

Now a nightly-built internal package, available for beta testing on demand only. Not a product.

Further work underway through a research project.

AFL with GNAT Pro / Ada

AFL's notion of a fault is a hang or a crash from a signal.

In Ada, seek hangs or unhandled exceptions, or crashes if checks are removed.

AFL with GNAT Pro / Ada

Assuming a program P processing an input file:

   with Worker;
   with Ada.Command_Line; use Ada;

   procedure P is
      Filename : constant String := Command_Line.Argument (1);
   begin
      Worker.Process (Filename);
   end;

Fuzzing with AFL first incurs a simple wrapper:

   with P;
   with GNAT.Exception_Actions;

   procedure P_Crash is
   begin
      P;
   exception
      when E : others =>
         --  Turn any unhandled Ada exception into a core dump (a signal),
         --  which is what afl-fuzz recognizes as a crash.
         GNAT.Exception_Actions.Core_Dump (E);
   end;

AFL with GNAT Pro / Ada

Then a very simple sequence of commands:

   PATH=<...> AFL_PATH=<...>
   gprbuild -Pp.gpr p_crash.adb -XDRIVER=afl-gcc-fast
   afl-fuzz -i inputs -o findings -- obj/p_crash @@
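The P / P_Crash wrapper pattern carried into a complete, self-contained fuzz target, as an added example that is not the slides' code nor AdaCore's package: a hypothetical Process (standing in for Worker.Process) trusts a count byte at the head of a constructed input format, so a malformed file fails an Ada index check, and the handler hands the exception occurrence to Core_Dump so afl-fuzz records a crash.

```ada
--  Added example (not from the slides): a self-contained AFL target.
--  Hypothetical input format: byte 1 = count N, then N data bytes.
with Ada.Command_Line;
with Ada.Streams.Stream_IO;
with GNAT.Exception_Actions;

procedure P_Crash is
   use Ada.Streams;

   --  At most 16 values are stored; the index check on Values enforces it.
   type Record_Values is array (Stream_Element_Offset range 1 .. 16)
     of Stream_Element;

   --  Stand-in for Worker.Process: parses one file, trusting its header.
   procedure Process (Filename : String) is
      File   : Stream_IO.File_Type;
      Buffer : Stream_Element_Array (1 .. 64) := (others => 0);
      Last   : Stream_Element_Offset;
      Values : Record_Values := (others => 0);
      N      : Stream_Element_Offset;
   begin
      Stream_IO.Open (File, Stream_IO.In_File, Filename);
      Stream_IO.Read (File, Buffer, Last);
      Stream_IO.Close (File);

      --  Bug under test: N comes straight from the file and is never
      --  validated against Values'Length. A count byte above 16 fails
      --  the run-time index check on Values (I), raising
      --  Constraint_Error, which propagates out of Process.
      N := Stream_Element_Offset (Buffer (1));
      for I in 1 .. N loop
         Values (I) := Buffer (1 + I);
      end loop;
   end Process;

begin
   Process (Ada.Command_Line.Argument (1));
exception
   when E : others =>
      --  The unhandled exception becomes a core dump, i.e. a signal,
      --  which is the fault afl-fuzz looks for when run with "@@".
      GNAT.Exception_Actions.Core_Dump (E);
end P_Crash;
```

Built with the instrumenting compiler as in the gprbuild command above, a seed file starting with a small count byte gives afl-fuzz a valid starting point, and the first mutation raising that byte above 16 lands in findings/crashes.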

Only minor project file updates to access:
● The instrumenting compiler
● Facilities to leverage AFL’s fork-server and in-process fuzzing

AFL with GNAT Pro / Ada

Interesting results from a number of experiments

Lionel, in his blog post, describes successful attempts on ZipAda, AdaYaml and GNATcoll.JSON.

Then in-house work and interesting results on XMLAda.

Wrapup

Fuzz testing is a technique that helps find vulnerabilities thanks to automatically generated input variations.

Quite a buzz around AFL these days, a powerful fuzzer on Linux.

Fuzzing GNAT Pro Ada programs is now possible with AFL.

Further work underway, research efforts.

Better do it early ...

Thank you !