Tools hakin9 1/2007
General Purpose Fuzzer (GPF)
Operating System: *NIX
License: GPLv2
Purpose: Automated testing technique (fuzzing) to find bugs in software
Homepage: http://www.appliedsec.com/developers.html
GPF provides developers, security
researchers, and quality assurance professionals the capability to
quickly search for bugs/vulnerabilities in the exposed interface of
networked applications. GPF uses captured packet sessions (pcap
files) to construct a protocol description from real traffic.

Quick start. Back to a network fuzzer. Say I'd like to fuzz something
like DNS, IMAP, FTP, etc. How might I do that? Answer: a lot of
different ways. The first thing to consider is what the process
under inspection (target) will do if it receives data that it can't parse
well (chokes). The target will likely generate a memory access
violation (SEGV or signal 11). On *NIX systems, if you've previously
executed ulimit -c unlimited, it may also generate a core
file.
My point is that monitoring the target
process is every bit as important as creating and delivering
malformed data. The best way to do this is to have a debugger launch
the process under test and trap/report any memory access violations
that may occur during testing. On Windows, the PaiMei reverse
engineering framework is the latest and greatest way to do this. In
fact, I'm currently working on PaiMei enhancements that will allow a
fuzzer to communicate with the debugger. If the fuzzing tool is able
to receive SEGV traps, overall reporting will be improved. However,
sometimes long sequences of packets are required to trigger complex
heap overflows or uninitialized variable flaws, so such a report is
still limited in its ability to help diagnose the cause.
So how do we actually create the
malformed data and deliver it? As always, there are many methods,
techniques, and tools available. Some are free (GPF and autodafe) and
some cost money (Codenomicon, ImperfectNetworks, Mu Security,
BreakingPoint, beStorm, etc). The two main techniques are Generation
and Mutation. Generation fuzzers: one fuzzer for each
protocol. In other words, if you want to fuzz SIP you'll buy or
create a SIP fuzzer. This tool can only fuzz that protocol, but since
it was built for just that purpose, it may be more complete. Complete
in the sense of code coverage (CC), which could translate into an
increased ability to find bugs. Watch out for the much touted metric
of CC, however. One does need to fuzz as much of the attack surface
as possible, but just because it's been covered doesn't mean it was
sufficiently covered. The goal is to cover with data that may
trigger hard-to-find bugs, not just to cover. Since exercising all paths with
all data is an NP-hard problem, fuzzing heuristics are typically
applied. Mutation fuzzers start with a known good session (a pcap
capture from Wireshark, Ethereal, tcpdump, etc.) and replay it against
the target. Mutations, or faults, are injected at a varying rate.
A low rate of faults will be more productive, as the target is likely
to end any session that appears grossly incorrect.
Other useful features. GPF has
many modes it can run in: -C converts a pcap file to an easy to edit
text file, -R sends totally random packets, -G allows targeted flaws
(like a format error in the 10th byte of the third leg,
etc), and -P is the most powerful pattern fuzzing mode.
Pattern fuzzing, or tokenizing, is a technique whereby GPF
understands the format of the protocol it's fuzzing. This is
particularly useful when fuzzing a binary protocol like DNS. In DNS
there are length fields that hold the size of the following data
field. If such fields are always incorrect, fuzzing the data field
will be difficult as the target will likely ignore such packets. GPF
will automatically tokenize most text-based protocols. A tokenizing
plug-in (tokAid) will need to be written for binary protocols not in
the GPF framework. This is a fairly painless process; see the DNS.c
or NORMAL_ASCII.c tokAids as examples. Also there is an extensive
README in the GPF framework, and a cool flash video on
http://www.appliedsec.com/developers.html. The movie is a big
file, so be patient while downloading.
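To make the tokenizing point concrete (and the fault-rate point from the mutation paragraph), here is an added Python example that is not GPF code and not from the author: it tokenizes a constructed DNS query into its length-prefixed labels, mutates only the label data while recomputing the length bytes, and compares how often a strict parser would still accept the result against blind byte mutation. The function names (tokenize, rebuild, parses, naive_mutate, token_mutate, survival_rate) are this example's own, and parses is a simplified stand-in for a real resolver's parser (no compression pointers, one question only).

```python
import random
# Constructed sample (not captured traffic): one DNS query for example.com, type A, class IN.
SAMPLE_QUERY = (
    b"\x12\x34"                          # transaction ID
    b"\x01\x00"                          # flags: standard query, recursion desired
    b"\x00\x01\x00\x00\x00\x00\x00\x00"  # QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    b"\x07example\x03com\x00"            # QNAME: length-prefixed labels, zero-terminated
    b"\x00\x01\x00\x01"                  # QTYPE=A, QCLASS=IN
)
def tokenize(pkt):
    """Split a one-question query into (header, labels, tail); IndexError if truncated."""
    header, pos, labels = pkt[:12], 12, []
    while True:
        n = pkt[pos]          # length byte governing the next label
        pos += 1
        if n == 0:
            break
        labels.append(pkt[pos:pos + n])
        pos += n
    return header, labels, pkt[pos:]

def rebuild(header, labels, tail):
    """Re-encode labels with freshly computed length prefixes (the tokAid's job)."""
    return header + b"".join(bytes([len(l)]) + l for l in labels) + b"\x00" + tail

def parses(pkt):
    """Strict-parser stand-in: QNAME walks cleanly and exactly QTYPE/QCLASS remain."""
    try:
        return len(tokenize(pkt)[2]) == 4
    except IndexError:
        return False

def naive_mutate(pkt, rate, rng):
    """Blind mutation: any byte, length fields included, is replaced with probability rate."""
    return bytes(rng.randrange(256) if rng.random() < rate else b for b in pkt)

def token_mutate(pkt, rate, rng):
    """Pattern mutation: only label data is altered (and sometimes grown); lengths are fixed up."""
    header, labels, tail = tokenize(pkt)
    out = []
    for lab in labels:
        buf = bytearray(rng.randrange(256) if rng.random() < rate else b for b in lab)
        if rng.random() < rate:  # over-long label, but with a correct length byte
            buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 32)))
        out.append(bytes(buf))
    return rebuild(header, out, tail)

def survival_rate(mutator, rate, trials=200, seed=7):
    """Fraction of mutated packets that still reach the QTYPE/QCLASS fields."""
    rng = random.Random(seed)
    return sum(parses(mutator(SAMPLE_QUERY, rate, rng)) for _ in range(trials)) / trials
```

Calling survival_rate with several fault rates shows why the mutation paragraph favours a low rate: the blind mutator's survival falls as the rate rises, while the tokenized mutator's stays at 1.0 because every packet it emits still parses up to the field it corrupted.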
Disadvantages. I make no claims
that GPF is the best fuzzer in the world. All I know is that I've
personally found it useful for finding bugs. Possible disadvantages:
GPF doesn't currently talk directly to a debugger that's watching the
target. Again, mutation based systems may suffer from CC
deficiencies. I'm working on both these problems: PaiMei for the
debugger, and genetic algorithms for CC learning. Happy bug hunting!
Additional material on hakin9.live CD1, catalogue art.
Jared DeMott