SESSION ID: HTA-W12
Function Fuzzer (FuncFuzz)
Jason Raber, Malwarebytes
#RSAC Introduction
What – Traditional fuzzing versus function fuzzing
  o Traditional: black box / white box – brute force
  o FuncFuzz: inside-out fuzzing – automation
Why
– Find zero-days quicker, and find more of them
– Find bugs that could be exploitable
– Extend FuncFuzz into protections
How
– Unique reverse engineering techniques adapted to a novel "inside out" style of fuzzing
2 Microsoft Detours
System DLL rerouting via JMP trampolines.
Note: the source function is a DLL export (e.g. KERNEL32, USER32, etc.).
3 Detours
The hooked function acts as a trampoline that redirects control flow from the binary into the hook function. _PrintEnter() and _PrintExit() record runtime data to log files.
4 Stack overflow
[Stack diagram: fuzzed input ("FUZZ") overwriting the stack]
What does a BOF look like? Lots of ways to exploit (e.g. UAF).
5 Modern fuzzing
Controlling the data inputs/outputs is key! Black box fuzzing works by generating random data that is fed to the targeted binary's external inputs. Without source code this approach is computationally expensive, and the generated data set is not exhaustive.
6 Inside-Out fuzzing
What if we could create a fuzzing tool that takes a more elegant approach to feeding generated data to functions?
– Modify input/output parameters
– Modify return values
– Skip calling the "real" API call
– Pre-processing (additional function calls)
– Post-processing
7 Extending Detours
Fuzz DLLs?
– Microsoft does pretty good coding of system DLLs…
Fuzz internal functions?
– Detours does not hook internal functions
Solution: extend Detours to do internal hooks
– Easy with the aid of IDA Pro and a little Python scripting
8 FuncFuzz
Detours only hooks DLLs, not binary functions.
Here we have control of the function Foo's input parameter 'char *bar', which takes the char string "sample str". These log files will later be analyzed by other off-line analysis programs to identify vulnerabilities.
9 Type Rebuilding
To be able to fuzz function parameters we need to know how many there are, in what order, and of what type (without source code!). Leverage IDA Pro's function prototyping.
10 Generating Hooks
IDA Pro does a relatively good job of identifying the correct parameters and types, even when the binary was not compiled with debug information or supplied with a program database (.pdb) file.
[Figure: the same prototype as shown in the disassembly vs. the decompiler]
Hint: roughly 40% of prototypes change between the decompiler and the disassembly.
11 Parameter fuzzing
Push the limits (force a stack overflow). An IDA script generates .cpp files that are compiled into FuncFuzz.
12 Parameter Fuzzing (continued)
Key functions with string params: FuncFuzz now controls the prolog and epilog of the target function. Overload those strings looking for vulnerabilities:
– Swap the original string for new (larger) memory
– Target does not check for sizing constraints… bingo!
Integer overflows are also possible.
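The parameter-overload hook from slides 6 and 12, as an added example (not FuncFuzz's code): a hypothetical hook owns the prolog and epilog of a constructed target set_name(), swaps its string argument for a longer one, and checks a guard region placed after the 16-byte field, so the missing size check is reported rather than observed as a crash. set_name, hook_set_name and hook_log_t are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed target: copies a name into a caller-supplied 16-byte field
 * with no size check (the bug class the deck fuzzes for). */
#define FIELD_LEN 16
void set_name(char *field, const char *name) {
    strcpy(field, name);                      /* no sizing constraint */
}

/* Hypothetical record of one hooked call, standing in for the
 * _PrintEnter()/_PrintExit() log entries. */
typedef struct { size_t fuzz_len; int overflowed; } hook_log_t;

/* Inside-out hook: the prolog swaps the argument for a larger string, the
 * epilog inspects the memory the callee wrote. The field is followed by a
 * guard region so an overflow is detected instead of corrupting the stack.
 * fuzz_len is capped so the hook itself never writes past the guard. */
hook_log_t hook_set_name(size_t fuzz_len) {
    enum { GUARD = 64 };
    if (fuzz_len > FIELD_LEN + GUARD - 1) fuzz_len = FIELD_LEN + GUARD - 1;
    hook_log_t log = { fuzz_len, 0 };
    unsigned char *mem = calloc(FIELD_LEN + GUARD, 1);
    char *fuzz = malloc(fuzz_len + 1);
    if (!mem || !fuzz) { free(mem); free(fuzz); return log; }
    memset(mem + FIELD_LEN, 0xAA, GUARD);     /* guard pattern */
    memset(fuzz, 'A', fuzz_len);              /* overloaded string */
    fuzz[fuzz_len] = '\0';
    printf("enter set_name(field=%p, name=%zu bytes)\n", (void *)mem, fuzz_len);
    set_name((char *)mem, fuzz);              /* call the real target */
    for (size_t i = 0; i < GUARD; i++)        /* epilog: check the guard */
        if (mem[FIELD_LEN + i] != 0xAA) { log.overflowed = 1; break; }
    printf("exit  set_name: overflow=%d\n", log.overflowed);
    free(fuzz);
    free(mem);
    return log;
}

int main(void) {
    size_t lens[] = { 8, 15, 16, 40 };        /* 16 and 40 spill into the guard */
    for (size_t i = 0; i < 4; i++) hook_set_name(lens[i]);
    return 0;
}
```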
13 Aftermath
Crash => examine our log files. Zero in on which targeted function caused the crash
– e.g. main()->foo("A string that is just too long")
Crash = exploitable vulnerability?
– Access points?
  o e.g. XML file from a website, Windows registry, etc.
  o Logs are great: see the chain of events before the crash
    • func1()->func2()->func3()
14 Formula
• Add hooks to the binary using Detours as the backend
• Detours was designed for system DLLs, not binaries
Function Generation
• With a little help from IDA Pro on function prototypes
Profile
• Does every hook run?
Fuzz
• Regenerate hooks with the fuzzing API added
• Fuzz and interact with the program to force execution paths
Analysis
• Interpret output from FuncFuzz
• Determine whether it is an inherent bug vs. an exploitable vulnerability
15 FuncFuzz: Malwarebytes Software
Secure our software!
– Several bugs and vulnerabilities found
– Vulnerabilities found in malware samples
  o Techniques to dump protected malware
Due to the sensitivity of Malwarebytes code, we will not show a demo.
16 Completed
– Windows 32-bit PE files
– DLLs
– Spawned executables or services
– Integer overflows – false positives
17 Limitations
– 64-bit
– UAF – use after free
– Clusters – speed up
– Driver/kernel land
18 Possibilities – Protections
FuncFuzz is a man-in-the-middle probe.
– Verification
  o Could validate parameters!
  o SEH
  o Examine stack integrity (prolog/epilog)
    • Even dereference target memory to see if a local array is being used
19 Protections (continued)
What we need: a .pdb file (program database file)
– Holds correct type info
– If there is no .pdb, we need to be spot on with parameter building
UAF
– Create a map at runtime
– Call indirect (e.g. call eax)
  o Verify whether the memory has been freed
  o More on this later…
20 Additional Research – Automation
Tool research
– Dynamic taint analysis, symbolic execution, and constraint solving
– High performance solution
– Function Fuzzer currently extends strings, but we could pair it with an input generator
  o Compositional techniques
    • P. Godefroid. Compositional dynamic test generation.
    • J. Burnim and K. Sen. Heuristics for scalable dynamic test generation.
    • R. Majumdar and K. Sen. Hybrid concolic testing.
21 Additional Research – UAF
A different approach than buffer overflows: hook indirect calls (C++ virtual functions) to dynamically monitor legitimate heap addresses/function pointers.
– Call indirects
– Object freed + later referenced = crash (exploitable)
  o Could FuncFuzz detect this?
    • Verify indirects, since we have them hooked
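The runtime map and indirect-call verification from slides 19 and 21, as an added example (not FuncFuzz's code): a constructed object with a function pointer stands in for a C++ virtual call, a hypothetical hook on free records the address in a map instead of releasing it, and a hypothetical hook at the indirect call site consults the map before dispatching. obj_t, hook_free, is_freed and hook_indirect_call are constructed names.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed runtime map of freed objects: a small fixed table standing in
 * for the "map at runtime" idea. Quarantined objects are never released in
 * this demo, so their addresses cannot be reused by a later allocation. */
enum { MAP_MAX = 64 };
static void *freed_map[MAP_MAX];
static size_t freed_count;

/* Constructed object whose function pointer stands in for a vtable slot. */
typedef struct obj { int (*handler)(struct obj *); int value; } obj_t;
static int real_handler(obj_t *o) { return o->value * 2; }

obj_t *obj_new(int value) {
    obj_t *o = malloc(sizeof *o);
    if (!o) return NULL;
    o->handler = real_handler;
    o->value = value;
    return o;
}

/* Hook on free: quarantine the object and record its address so a later
 * reference can be recognised instead of corrupting the heap. */
void hook_free(obj_t *o) {
    if (freed_count < MAP_MAX) freed_map[freed_count++] = o;
}

int is_freed(const void *p) {
    for (size_t i = 0; i < freed_count; i++)
        if (freed_map[i] == p) return 1;
    return 0;
}

/* Hook at the indirect call site ("call eax"): verify the object pointer
 * against the map before dispatching. Returns -1 and logs on a UAF. */
int hook_indirect_call(obj_t *o) {
    if (is_freed(o)) {
        printf("UAF: indirect call through freed object %p\n", (void *)o);
        return -1;
    }
    return o->handler(o);
}

int main(void) {
    obj_t *o = obj_new(21);
    printf("live call -> %d\n", hook_indirect_call(o));
    hook_free(o);
    printf("after free -> %d\n", hook_indirect_call(o));
    return 0;
}
```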
22 "Apply" Slide
Next week you should:
– Identify software within your organization to fuzz
In the first three months following this presentation you should:
– Download a free copy of the source code; please email: [email protected]
Within six months you should:
– Fix vulnerabilities found through this fuzzing method
– Remember that while a bug is not always an exploit, it could turn into one. Fix it!
23 Questions?