Hunting for bugs with afl 101 – a primer • aura information security research blog


This post is the first of a two-part series, which aims to give the reader a primer on the process of searching for software vulnerabilities within a binary application through fuzzing. The idea is to provide a holistic overview of the entire process, beginning with the preparation of a system for fuzzing, optimising tools, preparing the target binary for fuzzing, running the fuzzer, and finally reviewing AFL's output to identify potential security vulnerabilities.

Fuzzing is a term used to describe a testing technique that is focused on identifying anomalies within an application, through the evaluation of how the application responds when presented with different inputs.

The concept of fuzzing is not new by any means and is effectively employed during a web application penetration test to identify web vulnerabilities such as SQL injection and cross site scripting.

Today however, we are going to take a look at fuzzing a binary. Fuzzing a binary is an extremely effective technique for identifying bugs in code that may otherwise go unnoticed, and is a popular first step taken by security researchers towards discovering exploitable zero day vulnerabilities.

The concept of fuzzing is quite simple. When fuzzing a binary you run it repeatedly, thousands of times, each time providing a slightly different input file. Naturally, you want your input files to cause the target to crash, because crashes tend to mean memory corruption, and memory corruption can sometimes lead to something more sinister such as remote code execution. There are three main types of fuzzers in use today: dumb fuzzers, targeted fuzzers, and feedback driven fuzzers.

Dumb fuzzers

The basic idea is to feed the target application randomly mutated input. For example, randomly mutate a JPEG image and run it through an image conversion library, expecting it to fail. Despite being simple to use and extremely fast, a successful crash is very dependent on the luck of the random mutation. Dumb fuzzers are not suitable for testing applications that verify the integrity of their input, as a randomly mutated file will almost always break the checksum. Another issue is that dumb fuzzers can't help with a deep understanding of the reason for a crash, as they simply flip random bits and hope for a crash. The most common example is zzuf. Its popularity is due to the fact that one can usually get dumb fuzzing up and running within an hour.

Targeted fuzzers

As you can guess from the name, this type of fuzzing targets very specific parts of the application. For example, if we want to fuzz RAR archives, we might use targeted fuzzing by randomly mutating the content of the archive while updating the value of the CRC checksum. You can go very deep with these types of fuzzers and find very interesting crashes, if you know where to look. Unfortunately setup generally takes a long time: you have to understand the format and the application you are dealing with, and write rules that tell the fuzzer what to fuzz, when and how. Examples of targeted fuzzers: Peach Fuzz, Sulley.

Feedback driven fuzzers

These start the same way as dumb fuzzers, by performing random mutations on the input data. But instead of just logging the output of the operation, feedback driven fuzzers adjust their fuzzing based on the output, generating families of similar mutated inputs and trying to narrow down the input that is required to crash the program. This gives the fuzzer the ability to go very deep inside the code and find very well hidden bugs. Feedback driven fuzzers can be nearly as simple to use as dumb fuzzers. The downside is the warm up period, as the fuzzer needs to find something to start learning from and targeting, and until then it's just a dumb fuzzer waiting for its moment to bring out the big guns. Examples: American Fuzzy Lop, honggfuzz.

The fuzzing process is highly automated and tool dependent. The automation provided by tools makes the entire process of creating thousands of unique input testcases and repeatedly running and terminating the target binary practical. In this blog post we are going to be using a popular tool known as “AFL” (an acronym for “American Fuzzy Lop”) to assist us on our journey.

BASIC AFL CONCEPTS

American Fuzzy Lop (AFL) is an open source fuzzer which has been instrumental in discovering numerous vulnerabilities within many of today’s popular software packages such as nginx, OpenSSH, OpenSSL and PHP, to name a few. The “bug-o-rama” trophy case available on lcamtuf’s blog is extremely impressive and is a testament to the abilities of AFL. American Fuzzy Lop works on x86 Linux, OpenBSD, FreeBSD, and NetBSD, both 32- and 64-bit. It supports programs written in C, C++ and Objective C, compiled with either gcc or clang.

• afl-fuzz takes a testcase file as input from the PATH specified using the -i parameter and executes the target binary, then monitors the binary's activity for normal operation or a crash. If no crash is detected, afl-fuzz terminates the binary and proceeds to step 2.

• afl-fuzz then makes a minor modification to the initial testcase file and executes the target binary once more using this new testcase file as input, monitors the activity, and repeats the cycle.

• afl-fuzz makes another minor modification to the testcase file and executes the target binary again in exactly the same way using the modified file as input; once again afl-fuzz monitors for activity. In this particular example, the modified testcase file causes the binary to crash! When this happens, afl-fuzz places a copy of the testcase file that caused the crash into the /crashes directory within the PATH specified using the -o parameter. afl-fuzz then continues, modifying the testcase slightly and repeating from step 1.

The first step in the process described above is critical, because when a binary is compiled with AFL’s compiler wrappers for C or C++, the source code is “instrumented”.

“Instrumentation refers to an ability to monitor or measure the level of a product’s performance, to diagnose errors and to write trace information” – Wikipedia.

Simplistically, “instrumentation” in our context takes place during compilation of the target binary's source code. It is the process of inserting small amounts of additional code into the binary, in a way that does not disturb the memory references used in the instructions of the binary program. The code added during instrumentation is sometimes called “instrumentation code”, and it is through this instrumentation code that we gain the ability to monitor and measure what is taking place within memory whilst the binary is executing, and more importantly when a crash occurs.

BUILDING THE FUZZING ENVIRONMENT

A number of pre-requisites are required, not only for AFL but also for later crash analysis. All pre-requisites can be easily obtained from the Ubuntu repositories. We will require the build-essential package, as well as the latest clang and gcc compilers. We also require the gdb debugger for crash file analysis.

Once AFL fires up and gets to work, you can sit back and admire your handiwork. Attention must now turn towards monitoring the progress of afl-fuzz, to ensure that afl-fuzz is successfully finding new code execution paths within the target binary and running efficiently. Whilst running, afl-fuzz displays a basic UI, which shows a number of metrics to the user.

The amount of time required to sufficiently fuzz an application depends on several factors, such as the amount of processing power available to the fuzzing system and the complexity and execution speed of the target binary. Fuzzing may consume huge amounts of time and resources, so it's important that we fuzz efficiently, know when to stop, and ensure that the tool is functioning correctly.

The two areas of the afl-fuzz UI that are of specific interest to us (right now) are located at the top right (overall results) and centre right (findings in depth). The overall results section gives us an indicator as to whether or not afl-fuzz is successfully discovering new code execution paths; if this number isn't increasing, there is a strong possibility that something isn't working as expected and requires investigation. Unique crashes is the next value of interest; this figure shows us the number of unique crashes, which is, for all intents and purposes, the number of “potential” security vulnerabilities.
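To check those same two figures without watching the UI, here is an added example (not code from the original post) that reads the fuzzer_stats file afl-fuzz writes into its -o directory; the sample file contents are constructed, and the "key : value" line format is assumed.

```shell
#!/bin/sh
# Added example (not code from the original post): read the machine-readable
# fuzzer_stats file that afl-fuzz writes into its -o directory and check the
# two figures the post singles out, total paths and unique crashes.
# Assumption: the file uses AFL's "key : value" one-entry-per-line format.

# stat_value FILE KEY -> prints the value recorded for KEY
stat_value() {
    sed -n "s/^$2[[:space:]]*:[[:space:]]*//p" "$1"
}

# afl_progress FILE PREV_PATHS -> prints "ok", "stalled" or "missing".
# "missing": no readable stats file (afl-fuzz is not running from that -o dir);
# "stalled": paths_total has not grown since the previous check, the warning
# sign the post describes; "ok": new paths are still being found.
afl_progress() {
    file=$1; prev=$2
    [ -r "$file" ] || { echo missing; return 1; }
    paths=$(stat_value "$file" paths_total)
    crashes=$(stat_value "$file" unique_crashes)
    echo "paths_total=$paths unique_crashes=$crashes" >&2
    if [ "$paths" -gt "$prev" ]; then echo ok; else echo stalled; fi
}

# Constructed fuzzer_stats sample for offline use; the numbers are made up.
make_sample_stats() {
    cat > "$1" <<'EOF'
start_time        : 1500000000
last_update       : 1500043200
fuzzer_pid        : 4242
cycles_done       : 3
execs_done        : 9876543
execs_per_sec     : 650.12
paths_total       : 1204
unique_crashes    : 28
unique_hangs      : 2
EOF
}

# Typical use: poll every few minutes and compare with the previous reading.
# make_sample_stats /tmp/fuzzer_stats && afl_progress /tmp/fuzzer_stats 1100
```

Point afl_progress at out/fuzzer_stats of a live session and feed it the paths_total from the previous poll; a run of "stalled" results is the cue to investigate.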

Generally you should try to continue fuzzing for as long as possible, or at the very least you should continue until several unique crash cases have been reported. Once you are ready to begin exploring crash data, quit afl-fuzz by issuing Ctrl+C.

CRASH EXPLORATION (PART 1)

As mentioned earlier, we WANT our target binary to crash, and the more times the better, as each unique crash represents the potential to identify a security flaw. Once AFL has worked its magic for you, it’s time to begin exploring each unique crash.

AFL stores each testcase that it generates and feeds to the target binary in the location you specified with the -o switch when launching afl-fuzz. This is generally referred to as the “out” location. Testcases that resulted in a unique crash are stored in a sub directory; in our test environment this is ~/targets/out/crashes.

Whilst writing this post I ran afl-fuzz for approximately 12 hours, during this time 28 unique crashes of the target binary were detected. The input file that resulted in the crash is copied to the ~/targets/out/crashes/ directory.

AFL provides a crash exploration script in /afl-2.36b/experimental/crash_triage/ which we can use to get a first glimpse at the crash data. The script is named and must be provided with the PATH to both the /out directory and the target binary, as follows:

When run, the triage script cycles through each crash file in the /out/crashes directory and prints the resulting crash data to the screen. Highlighted in the first image is the initial information of interest to be reviewed; it provides some basic information about the crash. In the case of the first image below, we can see that the target binary experienced a segmentation fault when afl-fuzz attempted to use a particular variant of the test input file. This usually means a memory corruption has occurred but doesn’t provide much further information about the nature of the crash.

The second crash data I’ve included alludes to a slightly more interesting type of crash: here we see that a stack overflow has been detected. Crashes such as this should be explored further.
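As an added example that is not the AFL triage script itself, the following shell functions do the same walk over out/crashes and bucket each testcase by the signal that killed the target, which is the first thing the triage output tells you about a crash; the target and the crash files here are constructed stand-ins so the loop runs offline, and the target is assumed to take its input path as its last argument.

```shell
#!/bin/sh
# Added example, not the post's triage script: walk an AFL out/crashes
# directory, re-run the target on every saved testcase and bucket each run by
# the signal that killed the process, the first thing worth knowing per crash.
# Assumption: the target takes its input file path as its last argument.

# signal_name STATUS -> name for a shell exit status of 128 + signal number
signal_name() {
    case "$1" in
        134) echo SIGABRT ;;   # abort(), e.g. a stack-protector check failing
        139) echo SIGSEGV ;;   # the plain "segmentation fault" in the post
        *)   echo "exit=$1" ;; # clean exit or non-crash status
    esac
}

# triage_crashes CRASH_DIR CMD... -> one line per testcase: "<file> <result>"
triage_crashes() {
    dir=$1; shift
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=0
        "$@" "$f" >/dev/null 2>&1 || status=$?
        echo "$(basename "$f") $(signal_name "$status")"
    done
}

# summarise <lines from triage_crashes> -> "<result> <count>" per bucket
summarise() { awk '{c[$2]++} END {for (s in c) print s, c[s]}' | sort; }

# Constructed stand-in for the target so the loop runs offline: dies with
# SIGSEGV on input containing "SEGV", SIGABRT on "ABRT", else exits cleanly.
make_fake_target() {
    cat > "$1" <<'EOF'
#!/bin/sh
grep -q SEGV "$1" && kill -s SEGV $$
grep -q ABRT "$1" && kill -s ABRT $$
exit 0
EOF
}

# Constructed crashes/ directory using AFL's id:...,sig:... file naming.
make_fake_crashes() {
    mkdir -p "$1"
    printf 'AAAASEGV' > "$1/id:000000,sig:11,src:000000,op:flip1,pos:4"
    printf 'BBBBSEGV' > "$1/id:000001,sig:11,src:000000,op:flip2,pos:9"
    printf 'AAAAABRT' > "$1/id:000002,sig:06,src:000003,op:havoc,rep:2"
    printf 'benign'   > "$1/README.txt"   # afl-fuzz drops a README here too
}
```

Against a real session the call is triage_crashes ~/targets/out/crashes ./target, piped into summarise; a bucket other than exit=0 is where the gdb work from the next post starts.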

That’s all for now. In this post I’ve tried to cover some of the basics of getting up and running with AFL and searching for software bugs. I hope to write a follow up post some time in the future that picks up where this one leaves off and continues with the crash data exploration process.