2023 SANS Hackfest Summit - JoeyTaubert/Cyber-Summits-Conferences-Talks GitHub Wiki

Fuzzing Stuff by Huascar Tejeda

Finding exploitation opportunities on the heap.

Smart Fuzzing

  • Coverage-guided fuzzing
    • Monitors code coverage in real time to steer test case generation.
    • Same concept as covering an attack surface in a pen test. In fuzzing, we want to maximize our code coverage.
    • In a semi-random way, the fuzzer works out which parts of the input need to be mutated and which should stay fixed.

Tools:

💡 The best fuzzer is one you write for one specific task

Crafting Quality Harnesses

A harness is an interface between the fuzzer and the target program

Know your target - perform an in-depth code review to understand your target

💡 Can leverage already existing community harnesses such as OSS-Fuzz projects

Target Selection

Fuzzing is effective for many projects, but especially those handling complex or untrusted input.

  • Data Handling and Formats:
    • Parsers
    • Media codecs for audio/video/images
    • Compression algorithms
    • Cryptographic libraries
  • Programming Languages and Runtime Environments
  • Communication Protocols and Network Services
  • Software Applications and Systems
  • GitHub Search & Trends
  • Coverity Scan

Fuzzing Campaigns and Target Instrumentation

Prereqs: selected target, have a deep understanding of target

  • Single/Multi System Parallel Fuzzing
    • Compile with afl-clang-fast and use afl-clang-lto for fine-grained coverage
    • Utilize CMPLOG for smarter input generation
    • Employ a mix of sanitizers
  • Integrate various fuzzers to benefit from their unique detection capabilities
  • Curate and minimize the corpus dynamically to focus on the most fruitful test cases
    • afl-tmin (minimizes a single test case while preserving its behavior against the target)
    • afl-cmin (minimizes the corpus, keeping only test cases that contribute new coverage)

💡 From time to time, you will need to clean up the test data and corpus
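As an added example (not from the talk), a campaign script that strings the steps above together with AFL++: three builds of one harness (afl-clang-lto, CMPLOG and ASan), afl-cmin on the seed corpus, and one main plus several secondary afl-fuzz instances. The file names target.c, seeds/ and out/, the instance names, and the AFL_DRY_RUN switch are assumptions of this example, not anything from the page.

```shell
#!/bin/sh
# Added example, not from the talk: an AFL++ campaign script that follows the
# steps in the notes above. Assumptions (not on the page): the harness lives in
# target.c, reads its input from the file substituted for @@, and ./seeds holds
# the seed corpus. AFL_DRY_RUN=1 prints every command instead of running it.

TARGET_SRC=${TARGET_SRC:-target.c}   # assumed harness source file
SEEDS=${SEEDS:-seeds}                # assumed seed corpus directory
OUT=${OUT:-out}                      # afl-fuzz sync directory shared by all instances
SECONDARIES=${SECONDARIES:-3}        # number of -S instances next to the -M main

# Run a command, or just print it when AFL_DRY_RUN is set.
run() { if [ -n "$AFL_DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Same, but leave the command running in the background (for afl-fuzz instances).
run_bg() { if [ -n "$AFL_DRY_RUN" ]; then printf '%s\n' "$*"; else "$@" & fi; }

# Three instrumented builds of the same harness:
#   target.lto    afl-clang-lto, collision-free edge coverage
#   target.cmplog CMPLOG build, lets afl-fuzz solve comparisons (-c)
#   target.asan   AddressSanitizer build, catches memory corruption
build_variants() {
  run afl-clang-lto -o target.lto "$TARGET_SRC"
  run env AFL_LLVM_CMPLOG=1 afl-clang-lto -o target.cmplog "$TARGET_SRC"
  run env AFL_USE_ASAN=1 afl-clang-lto -o target.asan "$TARGET_SRC"
}

# afl-cmin keeps only the seeds that add coverage, so the fuzzer does not
# spend cycles on redundant inputs.
minimize_corpus() {
  run afl-cmin -i "$SEEDS" -o "$SEEDS.min" -- ./target.lto @@
}

# One main instance drives CMPLOG; secondaries alternate between the plain
# and the ASan build so crashes surface with a detailed report.
start_campaign() {
  run_bg afl-fuzz -i "$SEEDS.min" -o "$OUT" -M main -c ./target.cmplog -- ./target.lto @@
  i=1
  while [ "$i" -le "$SECONDARIES" ]; do
    if [ $((i % 2)) -eq 0 ]; then bin=./target.asan; else bin=./target.lto; fi
    run_bg afl-fuzz -i "$SEEDS.min" -o "$OUT" -S "sec$i" -m none -- "$bin" @@
    i=$((i + 1))
  done
}

# ./campaign.sh all   builds, minimizes the seeds and launches every instance
if [ "${1:-}" = "all" ]; then
  build_variants && minimize_corpus && start_campaign
fi
```

The ASan instances run with -m none so the sanitizer's large virtual-memory reservation is not killed by a memory limit. Every instance shares the out/ sync directory, which is what lets afl-cmin, afl-cov and the triage tools later see the combined queue and crashes.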

Improving Code Coverage

  • afl-cov: github.com/vanhauser-thc/afl-cov
    • Generates gcov coverage results using AFL++ test cases
  • Analyze and Adapt
    • Perform continuous coverage analysis to refine fuzzing
    • Craft targeted inputs to exercise under-covered code paths
  • Corpus Management
    • Optimize your test corpus based on coverage feedback
    • Focus on diverse and effective test cases

Efficient Crash Triage

  • AFLTriage
    • Parallel crash triage and deduplication
  • AddressSanitizer
    • Detailed memory corruption reports
  • Exploitable
    • GDB extension for exploitability classification
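A post-campaign script for the coverage-analysis and crash-triage sections above, added here as an example (not code from the talk or from the AFL++, afl-cov or AFLTriage projects). It assumes a harness source target.c, an afl-fuzz sync directory ./out, an AddressSanitizer build named target.asan, and afl-cov with lcov installed; the crash_key bucketing and the triage/ directory are this example's own, hand-rolled stand-ins for what AFLTriage does in parallel.

```shell
#!/bin/sh
# Added example, not from the talk: post-campaign analysis for the coverage and
# crash-triage steps in the notes. Assumptions (not on the page): target.c is
# the harness source, ./out is the afl-fuzz sync directory, target.asan is an
# AddressSanitizer build of the harness, and afl-cov plus lcov are installed.
# AFL_DRY_RUN=1 prints commands instead of running them.

TARGET_SRC=${TARGET_SRC:-target.c}
OUT=${OUT:-out}
TRIAGE=${TRIAGE:-triage}

run() { if [ -n "$AFL_DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# afl-cov needs a gcov-instrumented build made with plain gcc, not the AFL++
# build that the fuzzer runs.
build_gcov_target() {
  run gcc -fprofile-arcs -ftest-coverage -O0 -o target.gcov "$TARGET_SRC"
}

# Replay every queue entry through the gcov build; AFL_FILE is afl-cov's
# placeholder for the current entry. Results land under $OUT/cov, where the
# zero-cov list names the functions no test case has reached yet: that is
# where targeted new seeds should aim.
coverage_report() {
  run afl-cov -d "$OUT" --coverage-cmd "./target.gcov AFL_FILE" \
      --code-dir . --enable-branch-coverage --overwrite
}

# Reduce an ASan report to a deduplication key: "<bug type>@<top frame>".
crash_key() {
  kind=$(sed -n 's/.*ERROR: AddressSanitizer: \([A-Za-z-]*\).*/\1/p' "$1" | head -n 1)
  frame=$(sed -n 's/^ *#0 .* in \([^ ]*\).*/\1/p' "$1" | head -n 1)
  printf '%s@%s\n' "${kind:-unknown}" "${frame:-unknown}"
}

# Run the ASan build on one input, keep its report beside it, print the key.
report_crash() {
  ./target.asan "$1" 2> "$1.asan" || true
  crash_key "$1.asan"
}

# Minimize every crash found by any instance, then bucket by key:
#   triage_crashes | sort | uniq -c
triage_crashes() {
  mkdir -p "$TRIAGE"
  for c in "$OUT"/*/crashes/id:*; do
    [ -e "$c" ] || continue
    min=$TRIAGE/$(basename "$c").min
    run afl-tmin -m none -i "$c" -o "$min" -- ./target.asan @@
    run report_crash "$min"
  done
}
```

Minimizing each crash with afl-tmin before replaying it keeps the ASan reports short and makes duplicates collapse onto the same key; the key (bug type plus top frame) is a coarse first bucket, and AFLTriage or the exploitable GDB extension gives the finer classification once the buckets are small.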