Woot 23

This document discusses the state of fuzzing and vulnerability discovery. It notes that the fuzzing renaissance began in 2013 with American Fuzzy Lop. ClusterFuzz has now found over 27,000 bugs at Google, and OSS-Fuzz has found over 8,900 vulnerabilities across 850 projects. Benchmarking tools like FuzzBench now allow different fuzzers to be compared. Advanced instrumentation with sanitizers, grammar-based input generation, and symbolic execution techniques are helping fuzzers find deeper bugs. Fuzzing is also being applied to new domains like Windows, device firmware, and kernel drivers to expand coverage of attack surfaces. Overall, fuzzing has matured into an essential technique for vulnerability discovery and prevention.

Fuzzing: The Age of Vulnerability Discovery
Agenda

whoami
Owner, Fuzzing IO
Advanced Fuzzing and Crash Analysis Training
Contract fuzzing harness and security tool development
Contact: [email protected] | @richinseattle
Introduction: The Fuzzing Renaissance
Remembering How We Got Here
AMERICAN FUZZY LOP - ZALEWSKI, 2013
The Age of Vulnerability Discovery
As of February 2023, ClusterFuzz has found ~27,000 bugs in Google and over 8,900 vulnerabilities and 28,000 bugs across 850 projects integrated with OSS-Fuzz.
“Evaluating Fuzz Testing”
GEORGE KLEES, ANDREW RUEF, BENJI COOPER, SHIYI WEI, MICHAEL HICKS - 2018
“... problems in every ... existing experimental evaluations ... translate to actual wrong or misleading assessments”
Benchmarking: Observable Success
FUZZBENCH
FUZZBENCH – COVERAGE OVER TIME VIEW
FUZZBENCH – LOG TIME VIEW DIFFERENTIATOR FOR LONGER FUZZING CAMPAIGNS
FUZZBENCH – COMPARING PERFORMANCE OF FUZZER VS PARSER
Fuzz Introspector
LIKE GCOV REPORTS BUT FOR FUZZING!
Fuzzer Challenges
THE CRUCIBLE FOR FUZZING AND SOLVER TOOLS
Bugs Exist in New Code
Building the Fuzz Chain
FUZZING IN THE COMPILER
FUZZING IN THE RUNTIME
• Jazzer
JAZZER FUZZING HARNESS
JAZZER SUPPORTS CUSTOM SANITIZERS
Fuzzing in the Cloud
SECURITY IS A SHARED RESPONSIBILITY AND GOOGLE IS HERE TO HELP!
AFL++ - still the best general fuzzer
AFL++ - MARC HEUSE, HEIKO EISSFELDT, ANDREA FIORALDI, DOMINIK MAIER
LibAFL: Modular Fuzzer Design
LIBAFL – ANDREA FIORALDI, DOMINIK MAIER, ET AL
Advanced Instrumentation
Fuzzers need to know when a fault has occurred. Memory corruption makes this trivial, but other bug classes may require specific checkers.
Sanitizers for Sanity
HEARTBLEED IMPACTED 66% OF WWW SERVERS
[diagram: fuzzers vs. checkers]
ADDRESS SANITIZER LIFTED THE SHADOW
LLVM SANITIZER FAMILY – UNDEFINED BEHAVIOR SANITIZER
LLVM SANITIZER FAMILY – HARDWARE-ASSISTED ADDRESS SANITIZER
LLVM SANITIZER FAMILY
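The "Advanced Instrumentation" point above (a fuzzer only finds what it can detect) and the sanitizer slides fit together in one small worked example. The following Python is added here for illustration; it is not code from the deck, from AFL++ or from any sanitizer. It runs a minimal coverage-guided loop in the style of AFL (corpus, havoc-style mutations, edge coverage with hit-count buckets) against a constructed toy target, decode_rle, whose planted bug is a resource-exhaustion logic error that never corrupts memory. A custom checker, check_output_quota, plays the role a sanitizer plays for memory bugs: it encodes the property the target must uphold and turns a silent violation into a reportable fault. Coverage is collected with sys.settrace, standing in for compiler instrumentation; the RLE format, the LIMIT quota, the seed and the iteration budget are all assumptions of this example.

```python
import random
import sys
from collections import defaultdict

LIMIT = 64  # the decoded size the target is supposed to cap (constructed)


class BugFound(Exception):
    """Raised by a custom checker when the target violates its property."""


def decode_rle(data: bytes) -> bytes:
    """Constructed toy target: a run-length decoder with a planted logic bug.

    Format: b'R' followed by (count, value) byte pairs. A single run longer
    than LIMIT is rejected, but the cumulative output size is never checked,
    so the decoder can emit far more than LIMIT bytes. Nothing crashes and no
    memory sanitizer would notice; only a checker that knows the property can.
    """
    if not data or data[0] != ord("R"):
        raise ValueError("bad magic")
    if len(data) % 2 == 0:
        raise ValueError("truncated run")
    out = bytearray()
    for i in range(1, len(data), 2):
        count, value = data[i], data[i + 1]
        if count > LIMIT:
            raise ValueError("run too long")
        for _ in range(count):  # per-byte loop so hit counts reflect run length
            out.append(value)
    return bytes(out)


def check_output_quota(data: bytes, target) -> None:
    """Custom checker: the fuzzing equivalent of a sanitizer for this bug class."""
    try:
        out = target(data)
    except ValueError:
        return  # a clean rejection of malformed input is expected behaviour
    if len(out) > LIMIT:
        raise BugFound(f"decoded {len(out)} bytes, limit is {LIMIT}")


def bucket(hits: int) -> int:
    """Coarse hit-count buckets (1, 2-3, 4-7, 8-15, ..., 128+), as AFL does."""
    return min(hits.bit_length(), 8)


def run_traced(target, checker, data: bytes):
    """Run checker(data, target), recording line-to-line edges inside target.

    Returns (set of (edge, bucket), fault or None); sys.settrace stands in for
    the compile-time instrumentation a native fuzzer would use.
    """
    hits = defaultdict(int)
    prev = [0]

    def tracer(frame, event, arg):
        if event == "call":
            return tracer if frame.f_code is target.__code__ else None
        if event == "line":
            hits[(prev[0], frame.f_lineno)] += 1
            prev[0] = frame.f_lineno
        return tracer

    fault = None
    previous_tracer = sys.gettrace()
    sys.settrace(tracer)
    try:
        checker(data, target)
    except Exception as exc:  # anything the checker raises is a finding
        fault = exc
    finally:
        sys.settrace(previous_tracer)
    return {(edge, bucket(n)) for edge, n in hits.items()}, fault


def mutate(rng: random.Random, data: bytes, corpus: list) -> bytes:
    """Stack one to three havoc-style operations on an input."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(6)
        if op == 0 and buf:                       # flip one bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:                     # overwrite a byte
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 2:                             # insert a byte
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == 3 and len(buf) > 1:            # delete a byte
            del buf[rng.randrange(len(buf))]
        elif op == 4 and len(buf) > 1:            # copy a byte within the input
            buf[rng.randrange(len(buf))] = buf[rng.randrange(len(buf))]
        elif op == 5:                             # splice with another corpus entry
            other = rng.choice(corpus)
            buf = buf[: rng.randint(0, len(buf))] + bytearray(other[rng.randint(0, len(other)):])
    return bytes(buf)


def fuzz(target, checker, seeds, iterations: int, seed: int = 1) -> dict:
    """Coverage-guided loop: keep inputs that reach new edges, stop at the first finding."""
    rng = random.Random(seed)
    corpus, seen = [], set()
    for s in seeds:
        cov, _ = run_traced(target, checker, s)
        seen |= cov
        corpus.append(s)
    for it in range(1, iterations + 1):
        data = mutate(rng, rng.choice(corpus), corpus)
        cov, fault = run_traced(target, checker, data)
        if fault is not None:
            return {"finding": (data, fault), "iterations": it, "corpus_size": len(corpus)}
        if not cov <= seen:  # a new edge or a new hit-count bucket: worth keeping
            seen |= cov
            corpus.append(data)
    return {"finding": None, "iterations": iterations, "corpus_size": len(corpus)}


if __name__ == "__main__":
    print(fuzz(decode_rle, check_output_quota, [b"R\x03a"], 30000))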
Unconstrained Progress
WHEN YOU CAN’T BEAT THEM, UNJOIN THEM
Unconstrained Progress
WHEN YOU CAN’T BEAT THEM, UNJOIN THEM
Focused Mutation
CHEAP ALTERNATIVE TO TAINT TRACKING AND SYMBOLIC EXECUTION
Improved Input
Generation
“Grammar
mutators are
able to trigger
deep bugs that
are near
impossible to
find with code
coverage
guided fuzzers"
Grammars
CONTEXT FREE GRAMMARS STRUCTURED / API GRAMMARS
Searching for Approximate Grammar
FUZZING IS A CHEAP GRAMMAR EXTRACTION
Grammars are a Browser’s Best Friend
DOM FUZZING WITH DOMATO – IVAN FRATRIC / GOOGLE
Grammars are a Browser’s Best Friend
DOM FUZZING WITH DOMATO – IVAN FRATRIC / GOOGLE
Grammars are a Browser’s Best Friend
DOM FUZZING WITH DOMATO – IVAN FRATRIC / GOOGLE
Grammars are a Browser’s Best Friend
DOM FUZZING WITH DOMATO – IVAN FRATRIC / GOOGLE
Grammars are a Browser’s Best Friend
DOM FUZZING WITH DOMATO – IVAN FRATRIC / GOOGLE
Grammars are a Browser’s Best Friend
JAVASCRIPT JIT FUZZING - FUZZILI - SAMUEL GROß
Grammars are a Browser’s Best Friend
LIBPROTOBUF-MUTATOR VS THE CHROME SANDBOX
Grammars for APIs
LIBPROTOBUF-MUTATOR VS APIS
Grammars for Syscalls
GRAMMAR FUZZING SYSCALLS
When in Doubt, Math it Out
HIGHLY SELECTIVE APPLICATION OF HIGHLY SOPHISTICATED TECH WINS I N THE END
When in Doubt, Math it Out
SYMCC / SYMQEMU
When in Doubt, Math it Out
SYMCC / SYMQEMU
When in Doubt, Math it Out
SYMSAN TRITON-DSE
When in Doubt, Math it Out
T R IT ON -DSE

TritonDSE goal is to provide


higher-level primitives than .
Triton is a low-level framework
where one have to provide
manually all instructions to be
executed symbolically.”
Reaching New
Attack Surface
2019: 2046 Linux
kernel bugs found &
fixed by SyzKaller
(BlueHat IL 2020)

2023: 4535 fixed

Keeping average of
2-3/day
Fuzzing Windows
WINDOWS – THE ANTI-POSIX ENVIRONMENT
Fuzzing Windows with DBI
MANY CODE COVERAGE ENGINES HAVE PROPAGATED TO WINDOWS
Snapshot Fuzzing
A SNAPSHOT IN TIME UNLOCKS THE FUTURE POTENTIAL
Snapshot Fuzzing
A SNAPSHOT IN TIME UNLOCKS THE FUTURE POTENTIAL
Fuzzing Anything With Emulators
EMULATE CODE YOU CAN ISOLATE FROM HARDWARE I/O
WTF Fuzzer
SO YOU WANT TO FUZZ A WINDOWS KERNEL DRIVER
WTF Fuzzer
SO YOU WANT TO FUZZ A WINDOWS KERNEL DRIVER
kAFL / NYX Fuzzer
YOU WANT KASAN AND SYZKALLER ON WINDOWS?
kAFL / NYX Fuzzer
YOU WANT KASAN AND SYZKALLER ON WINDOWS?
“GDB Fuzzing”
TRADING OFF PERFORMANCE TO GET THE JOB DONE
Differential Fuzzing
ASK AN ORACLE WHEN HARNESSING IS IMPOSSIBLE
Differential Fuzzing
ASK AN ORACLE WHEN HARNESSING IS IMPOSSIBLE
Differential Fuzzing
ASK AN ORACLE WHEN HARNESSING IS IMPOSSIBLE
Summary
Thank You, WOOT’23
Questions?
Richard Johnson | [email protected] | @richinseattle

https://fuzzing.io/woot23.pdf

You might also like