SESSION ID: HTA-W12

Function Fuzzer (FuncFuzz)

Jason Raber, Malwarebytes

1 #RSAC Introduction

What
– Traditional fuzzing versus function fuzzing
  o Traditional: Blackbox/Whitebox – brute force
  o FuncFuzz: Inside-out fuzzing – automation
Why
– Find zero-days quicker and find more of them
– Find bugs that could be exploitable
– Extend FuncFuzz into protections
How
– Unique reverse engineering techniques adapted to novel "inside out" fuzzing

2 #RSAC Detours

NOTE: the source function is in a system DLL (e.g. kernel32, user32, etc.)
System DLL rerouting via JMP trampolines

3 #RSAC Detours

The hooked function acts as a trampoline that passes control flow from the binary to the hook. _PrintEnter() and _PrintExit() record runtime data to log files.

4 #RSAC Stack overflow

[Figure: what does a BOF look like? FUZZ data used to overwrite the stack]
Lots of ways to exploit (e.g. UAF)

5 #RSAC Modern fuzzing

Controlling the data inputs/outputs is key! Black box fuzzing works by generating random data that is fed to the targeted binary's external inputs. Without source code this approach is computationally expensive and the data set generated is not exhaustive.

6 #RSAC Inside-Out fuzzing

What if we could create a fuzzing tool that is a more elegant approach to feeding generated data to functions?
– Modify input/output parameters
– Modify return values
– Skip calling the "real" API call
– Pre-processing (additional function calls)
– Post-processing

7 #RSAC Extending Detours

Fuzz DLLs?
– Microsoft does pretty good coding of system DLLs…
Fuzz internal functions?
– Detours does not hook internal functions
Solution: extend Detours to do internal hooks
– Easy with the aid of IDA Pro and a little Python scripting

8 #RSAC FuncFuzz

Here we have control of the function Foo's input parameter 'char *bar', which takes the char string "sample str".

DETOURS ONLY HOOKS DLLS, NOT BINARY FUNCTIONS
These log files will later be analyzed by other off-line analysis programs to identify vulnerabilities.

9 #RSAC Type Rebuilding

To be able to fuzz function parameters we need to know how many there are, their order, and their types (without source code!). Leverage IDA Pro's function prototyping.

10 #RSAC Generating Hooks

IDA Pro does a relatively good job of identifying the correct parameters and types, even when the binary was not compiled with debug information or supplied with a program database (.pdb) file.
[Figure: the same function prototype in the Disassembly and Decompiler views]

Hint: ~40% change of prototypes, Decompiler vs. Disassembly

11 #RSAC Parameter fuzzing

Push the limits (force a stack overflow). An IDA script generates .cpp files to compile into FuncFuzz.

12 #RSAC Parameter Fuzzing (continued)

Key functions with string params
FuncFuzz now controls the prolog and epilog of the target function
Overload those strings looking for vulnerabilities
– Swap original string for new (larger) memory
– Target does not check for sizing constraints…bingo!
Also possible: integer overflows
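Added example (not FuncFuzz's own code) covering the inside-out knobs from slide 6 and the string-swap parameter fuzzing above: a generated hook for the slide's hypothetical Foo(char *bar) that logs entry/exit, can swap the string for a larger buffer, skip the real call, or force the return value. Detours' JMP patch and trampoline are assumed and modelled here with plain function pointers so the example runs anywhere.

```cpp
#include <cstring>
#include <string>
#include <vector>

// Target (hypothetical stand-in for the slide's Foo(char *bar)). This variant checks
// its input size, so an oversize fuzz string is rejected with -1 instead of smashing
// 'local'; a target that skips this check is exactly what FuncFuzz hunts.
static int Foo(char *bar) {
    char local[16];
    if (std::strlen(bar) >= sizeof(local)) return -1;
    std::strcpy(local, bar);
    return static_cast<int>(std::strlen(local));
}

// What one fuzz run does to the hooked call (the inside-out fuzzing knobs).
struct FuzzPolicy {
    size_t grow_to;   // 0 = pass the original string; else swap in a buffer this long
    bool skip_real;   // skip calling the "real" Foo entirely
    int forced_ret;   // return value handed to the caller when skip_real is set
};
static FuzzPolicy g_policy = {0, false, 0};
static std::vector<std::string> g_log;  // stands in for the _PrintEnter/_PrintExit log files

// Assumption: Detours would patch Foo's entry with a JMP to Hook_Foo and give us a
// trampoline as Real_Foo; this portable example models both with function pointers.
typedef int (*FooFn)(char *);
static FooFn Real_Foo = Foo;

static int Hook_Foo(char *bar) {
    g_log.push_back("ENTER Foo(bar=\"" + std::string(bar) + "\")");
    std::string big;  // replacement memory, larger than the caller's string
    if (g_policy.grow_to > std::strlen(bar)) {
        big.assign(g_policy.grow_to, 'A');  // overload the string to probe size checks
        bar = &big[0];
        g_log.push_back("FUZZ Foo: bar swapped for " + std::to_string(big.size()) + " bytes");
    }
    int ret = g_policy.skip_real ? g_policy.forced_ret : Real_Foo(bar);
    g_log.push_back("EXIT Foo -> " + std::to_string(ret));
    return ret;
}

// The instrumented program: main()->Foo("sample str"), rerouted through the hook.
static FooFn Foo_entry = Hook_Foo;
int run_target(FuzzPolicy p) {
    g_policy = p;
    g_log.clear();
    char input[] = "sample str";
    return Foo_entry(input);
}
const std::vector<std::string> &fuzz_log() { return g_log; }
```

The log is what the Aftermath step reads: the ENTER/FUZZ/EXIT lines name the function and the mutated argument, so a crash can be tied to the exact call.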

13 #RSAC Aftermath

Crash => examine our log files
Zero in on which targeted function caused the crash
– e.g. main()->foo("A string that is just too long")
Crash = exploitable vulnerability?
– Access points?
  o e.g. XML file from website, Windows registry, etc.
  o Logs are great! = see the chain of events before the crash
    • func1()->func2()->func3()

14 #RSAC Formula

Function Generation
• Add hooks to binary using backend Detours
• Detours designed for system DLLs, not binaries
• Little help from IDA Pro on function prototypes

Profile
• Does every hook run?

Fuzz
• Regenerate hooks with fuzzing API added
• Fuzz and interact with program to force execution paths

Analysis
• Interpret output from FuncFuzz
• Determine if it is an inherent bug vs. an exploitable vulnerability

15 #RSAC FuncFuzz Malwarebytes Software

Secure our software!
Several bugs and vulnerabilities found
Vulnerabilities found in malware samples
– Techniques to dump protected malware
Due to the sensitivity of Malwarebytes code we will not show a demo

16 #RSAC Completed

Windows 32bit PE files

DLLs

Spawned executables or services

Integer Overflows – False Positives

17 #RSAC Limitations

64-bit

UAF – Use After Free

Clusters – Speed up

Driver/Kernel Land

18 #RSAC Possibilities - Protections

FuncFuzz is a man-in-the-middle probe
– Verification
  o Could validate parameters!
  o SEH
  o Examine stack integrity (prolog/epilog)
    • Even deref target memory to see if a local array is being used

19 #RSAC Protections (continued)

What we need: .pdb file (program database file)
– Holds correct type info
– If no .pdb, we need to be spot on with parameter building
UAF
– Create a map @ runtime
– Call indirect (i.e. call eax)
  o Verify if memory has been freed
  o More on this later…

20 #RSAC Additional Research - Automation

Tool research
– Dynamic taint analysis, symbolic execution, and constraint solving
– High performance solution
– Function Fuzzer currently extends strings; but we could pair it with an input generator
  o Compositional techniques
    • P. Godefroid. Compositional dynamic test generation.
    • J. Burnim and K. Sen. Heuristics for scalable dynamic test generation.
    • R. Majumdar and K. Sen. Hybrid concolic testing.

21 #RSAC Additional Research - UAF

A different approach than buffer overflows
Hook indirect calls (++ virtual functions) to dynamically monitor legitimate heap addresses/function pointers.
– Call indirects
– Object frees + later refs = crash (exploitable)
  o Could FuncFuzz detect?
    • Verify indirects since we have them hooked
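Added example (not part of the deck) for the runtime map from the Protections slide and the indirect-call check above: hooked allocator wrappers keep a map of live heap blocks, and a guard around an indirect call refuses to dereference an object whose block has been freed. The Detours hooks on the real allocator are assumed; plain wrapper functions stand in for them here.

```cpp
#include <cstdint>
#include <cstdlib>
#include <map>
#include <string>
#include <vector>

// Live heap blocks (start address -> size). Assumption: FuncFuzz would feed this from
// Detours hooks on the real allocator; here plain wrapper functions stand in for them.
static std::map<uintptr_t, size_t> g_live;
static std::vector<std::string> g_events;
void *hooked_alloc(size_t n) {
    void *p = std::malloc(n);
    if (p) g_live[reinterpret_cast<uintptr_t>(p)] = n;
    return p;
}
void hooked_free(void *p) {
    g_live.erase(reinterpret_cast<uintptr_t>(p));  // from now on any reference is a UAF
    std::free(p);
}
// True when [p, p+len) lies inside a block that has not been freed.
// Caveat: a freed address the allocator has handed out again reads as live.
bool is_live(const void *p, size_t len) {
    uintptr_t a = reinterpret_cast<uintptr_t>(p);
    auto it = g_live.upper_bound(a);  // first block starting after a
    if (it == g_live.begin()) return false;
    --it;                             // last block starting at or before a
    return a + len <= it->first + it->second;
}
// Object reached through an indirect call (the slide's "call eax" / virtual-function case).
struct Obj { int (*handler)(int); };
static int real_handler(int x) { return x * 2; }
// Hook around the indirect call site: a freed object is flagged, not dereferenced.
int guarded_indirect_call(Obj *obj, int arg) {
    if (!is_live(obj, sizeof(Obj))) {
        g_events.push_back("UAF: indirect call through freed object");
        return -1;
    }
    return obj->handler(arg);
}
// "Object frees + later refs": returns how many UAF events the probe flagged.
int uaf_scenario() {
    g_events.clear();
    Obj *o = static_cast<Obj *>(hooked_alloc(sizeof(Obj)));
    o->handler = real_handler;
    if (guarded_indirect_call(o, 21) != 42) return -1;  // live: call goes through
    hooked_free(o);
    guarded_indirect_call(o, 21);                       // freed: flagged
    return static_cast<int>(g_events.size());
}
const std::vector<std::string> &uaf_events() { return g_events; }
```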

22 #RSAC “Apply” Slide

Next week you should:
– Identify software within your organization to fuzz
In the first three months following this presentation you should:
– Download a free copy of the source code; please email: [email protected]
Within six months you should:
– Fix vulnerabilities found through this fuzzing method
– Remember that while a bug is not always an exploit, it could turn into one. Fix it!

23 #RSAC Questions?
