# Fuzzying

## Alessandro Bruni

## Ethical Hacking course, March 1st, 2023

# Material on fuzzing
## Papers
- [An empirical study of the reliability of UNIX utilities](https://dl.acm.org/doi/pdf/10.1145/96267.96279)
- [The Art, Science, and Engineering of Fuzzing: A Survey](https://arxiv.org/pdf/1812.00140.pdf)

## Practical
- [Fuzzing Like a Caveman, A series on the practical techniques to writing a fuzzer in C++](https://h0mbre.github.io/Fuzzing-Like-A-Caveman/)

## Practice
- [Fuzzgoat, An application to test fuzzers](https://github.com/fuzzstati0n/fuzzgoat)

## Tools and fuzzers
- [AFL (mutation, coverage-guided)](https://github.com/google/AFL)
- [AFL++ (more advanced than above, a fork)](https://aflplus.plus/)
- [LibFuzzer (advanced, llvm-based)](https://llvm.org/docs/LibFuzzer.html)
- [Radamsa (mutational, test-case generator, prototyping)](https://gitlab.com/akihe/radamsa)
- [Fuzzowski (Network)](https://github.com/nccgroup/fuzzowski)

## Advanced
- [Driller](https://sites.cs.ucsb.edu/~vigna/publications/2016_NDSS_Driller.pdf)

## Web fuzzing
- [Restler](https://www.microsoft.com/en-us/research/publication/restler-stateful-rest-api-fuzzing/)
- [APIFuzzer](https://github.com/KissPeter/APIFuzzer)

Today's plan
- white gray black box
- dumb/smart fuzzers
- what makes a good target? e.g. parsers
- hard to find constants, but mitigated by existence of lightweight symbolic analysis
- completely random, generative/grammar-based, mutation-based
- tension between generating valid input vs finding bugs
- REST API fuzzers
- dangers of fuzzying

Exercise:
- use radamsa for test case generation
- find a binary to fuzz (e.g. gunzip) with radamsa
- how to setup AFL

# Housekeeping

For next week:
- Form groups (2-3 people) and think of a project, look at the relevant disclosure policy, briefly present in class your target

Once we are done with exploitation:
- Assignment 2

# Plan for this lecture

- What is fuzzying
- Build your own fuzzer
- American Fuzzy Lop (AFL)

# Intro: What is fuzzying?

Slides courtesy of Brandon Faulk

QA Engineer walks into a bar. Orders a beer. Orders 0 beers. Orders 999999999 beers. Orders a lizard. Orders -1 beers. Orders a sfdeljknesv.

Fuzzying is (almost) like that

# Fuzzying

- Often used for file formats or networking protocols
- Easy to set up
- Almost no compute requirements for simple programs
- Generating/mutating inputs for a program
    + Large set of valid inputs (corpus) mixed together and corrupted
    + Read a specification for a protocol, design something to make valid traffic
- Goal of creating an exceptional condition
    + Program crash
    + Unique errors
    + Hangs

# The fuzz cycle

![image.png](attachment:image.png)

# Limitations of fuzzying

- Generating all valid inputs is nearly impossible
- Custom protocol extensions hard to know about without reversing
- Non-crashing bugs typically not found
   + Arbitrary file read
   + SQL injection
   + Magical privilege escalation
- Hard to interpret progress
   + No crashes? Are there no bugs? Is your fuzzer not working?
   + Loads of crashes? Maybe it’s working? Maybe you’re finding 1% of the bugs?
- Most off the shelf tooling requires source

# Harnessing

<img style="float: right;" src="img/harness.png"/>

- The tooling used to observe program behavior
   + Debugger watching for crashes
   + Code coverage instrumentation by a compiler
   + Emulators/hypervisors to observe a whole system
- What are they looking for?
   + Crashes
   + Code coverage
   + Unexpected program states
   + Error messages
   + Information leakage



# Examples

(off-the-shelf fuzzers)

# Just invoking the program

- Usually the right place to start
- Write some tool that generates a mutated file
- Run the program to parse the file
- What if we get a crash?
  +  Ehh… just attach GDB or WinDbg or enable core dumps :D
- Reproducibility can be a huge issue
- Can be impossible to scale as the program can only have one instance
- Program startup times can be long (seconds to open up Word)

# AFL

<img src="img/afl.png" />

- The gold standard
   +  Looks to be being replaced slowly by libfuzzer in popularity
- Coverage guided
- Relies on having source in standard configuration
- Can use QEMU for coverage

# libfuzzer

<img src="img/libfuzzer.png" style="float: right;" />

- Designed to be baked into your target application
- Part of LLVM, easily used when building a target with clang
- Coverage guided
- Requires source
- Extremely fast as it’s in-memory fuzzing
  + Not dropping files to disk every iteration
- Similar to AFL it’s corpus based
  + Need to have some well formed inputs to start with

# Architectural Improvements to Fuzzing

# Coverage Guided fuzzying

<img src="img/coverage_graph.png" style="float: right; width: 30%" />

- Gather which code has been hit based on an input
- Input saved when a new unique codepath is observed
- Input is used as a basis for future inputs
- One of the biggest improvements that can be made to a fuzzer
- Can ultimately turn exponential complexity into linear complexity



# Coverage Guided Fuzzing Example

- Write a program to remove all occurrences of the word “the” in a sentence

![image.png](attachment:image.png)

# Coverage Guided Fuzzing Visualized

![image-2.png](attachment:image-2.png)

# Coverage Guided Fuzzing Visualized

![image.png](attachment:image.png)

# Feedback Fuzz Cycle

![image.png](attachment:image.png)

# Crash Amplification

<img src="img/mario.png" style="float: right; width:30%;" />

- Increase program sensitivity to malformed input
  + ASAN / PageHeap / Electric Fence
- Heatmaps direct fuzzying to inputs that generate more crashes
- Add hooks to find logic bugs (e.g. crash on auth success)
- Limitations:
    + Many programs won't start with ASAN
    + Some incorrect memory access does not result in crashes

# Roll your own fuzzer

Inspired from [fuzzying like a caveman](https://h0mbre.github.io/Fuzzing-Like-A-Caveman/#)

# Scheleton

In [1]:
import os, sys, random
from pexpect import run
from pipes import quote

def get_bytes(filename):
    f = open(filename, "rb").read()
    return bytearray(f)

def create_new(data):
    f = open("mutated.jpg", "wb+")
    f.write(data)
    f.close()

N = 100000

def exif(counter,data):
    command = "./exif mutated.jpg -verbose"
    out, returncode = run(command, withexitstatus=1)
    if b"ERROR" in out:
        f = open("crashes/crash.{}.jpg".format(str(counter)), "ab+")
        f.write(data)
        f.close()
    if counter % 100 == 0:
        print(counter, end="\r")
    
def fuzz(filename):
    for counter in range(N):
        data = get_bytes(filename)
        mutated = mutate(data)
        create_new(mutated)
        exif(counter,mutated)

  from pipes import quote


# Mutation

In [2]:
def bit_flip(data):
    num_of_flips = int((len(data) - 4) * .01)
    indexes = range(4, (len(data) - 4))
    chosen_indexes = random.sample(indexes, num_of_flips)
    for x in chosen_indexes:
        data[x] ^= 1 << random.randint(0,7)
    return data

# Gynvael’s Magic Numbers

- Gynvael Coldwind ‘Basics of fuzzing’  enumerates several ‘magic numbers’ that typically produce errors
- These numbers relate to data type sizes and arithmetic-induced errors

```
    0xFF
    0x7F
    0x00
    0xFFFF
    0x0000
    0xFFFFFFFF
    0x00000000
    0x80000000 <- minimum 32-bit int
    0x40000000 <- just half of that amount
    0x7FFFFFFF <- max 32-bit int
```
- If used as parameters to `malloc()` or other array operations, overflows are common
- For instance `0x1` plus `0xFF` on a one-byte register overflows to `0x00` and can produce unintended behavior
- HEVD actually has an integer overflow bug similar to this concept.

- If we choose to use `0x7FFFFFFF` as the magic number then we need to change four bytes

# Magic number mutation

In [3]:
def magic(data):

    magic_vals = [(1, 255), (1, 255), (1, 127), (1, 0), (2, 255), (2, 0), 
                  (4, 255), (4, 0), (4, 128), (4, 64), (4, 127) ]

    (picked_size, picked_magic) = random.choice(magic_vals)

    picked_index = random.randint(4, len(data)-4)
    
    for i in range(picked_size):
        data[picked_index + i] = picked_magic

    return data

# Mutation - putting it together

In [5]:
def mutate(data):
    f = random.choice([bit_flip, magic])
    return f(data)

fuzz('input.jpg')

7200

KeyboardInterrupt: 

- Input: ![input image](input.jpg)
- Target: https://github.com/mkttanabe/exif
- Compile with ASAN: `-fsanitize=address -ggdb`

# Triaging

In [8]:
import os

def get_files():
    return os.listdir("crashes/")

def triage_files(files):
    for x in files:
        original_output = os.popen(f"./exif crashes/{x} -verbose 2>&1").read()
        output = original_output

        # Getting crash reason
        crash = "SEGV" if "SEGV" in output else "HBO" if "heap-buffer-overflow" in output else None

        if crash == "HBO":
            output = output.split("\n")
            counter = 0
            while counter < len(output):
                if output[counter] == "=================================================================":
                    target_line = output[counter + 1]
                    target_line2 = output[counter + 2]
                    counter += 1
                else:
                    counter += 1
            target_line = target_line.split(" ")
            address = target_line[5].replace("0x","")


            target_line2 = target_line2.split(" ")
            operation = target_line2[0]


        elif crash == "SEGV":
            output = output.split("\n")
            counter = 0
            while counter < len(output):
                if output[counter] == "=================================================================":
                    target_line = output[counter + 1]
                    target_line2 = output[counter + 2]
                    counter += 1
                else:
                    counter += 1
            if "unknown address" in target_line:
                address = "00000000"
            else:
                address = None

            if "READ" in target_line2:
                operation = "READ"
            elif "WRITE" in target_line2:
                operation = "WRITE"
            else:
                operation = None

        if crash:
            log_name = (x.replace(".jpg","") + "." + crash + "." + address + "." + operation)
            f = open(log_name,"w+")
            f.write(original_output)
            f.close()
files = get_files()
triage_files(files)

['crash.6.jpg', 'crash.11.jpg', 'crash.27.jpg', 'crash.31.jpg', 'crash.105.jpg', 'crash.114.jpg', 'crash.126.jpg', 'crash.131.jpg', 'crash.140.jpg', 'crash.163.jpg', 'crash.195.jpg', 'crash.196.jpg', 'crash.198.jpg', 'crash.207.jpg', 'crash.223.jpg', 'crash.260.jpg', 'crash.268.jpg', 'crash.283.jpg', 'crash.288.jpg', 'crash.291.jpg', 'crash.296.jpg', 'crash.316.jpg', 'crash.327.jpg', 'crash.329.jpg', 'crash.330.jpg', 'crash.339.jpg', 'crash.348.jpg', 'crash.361.jpg', 'crash.367.jpg', 'crash.381.jpg', 'crash.386.jpg', 'crash.390.jpg', 'crash.402.jpg', 'crash.404.jpg', 'crash.435.jpg', 'crash.437.jpg', 'crash.447.jpg', 'crash.449.jpg', 'crash.452.jpg', 'crash.458.jpg', 'crash.499.jpg', 'crash.506.jpg', 'crash.508.jpg', 'crash.536.jpg', 'crash.542.jpg', 'crash.551.jpg', 'crash.563.jpg', 'crash.582.jpg', 'crash.585.jpg', 'crash.590.jpg', 'crash.596.jpg', 'crash.608.jpg', 'crash.615.jpg', 'crash.626.jpg', 'crash.645.jpg', 'crash.656.jpg', 'crash.677.jpg', 'crash.688.jpg', 'crash.689.jpg', '

AttributeError: 'list' object has no attribute 'split'

# Trying AFL

- Download [fuzzgoat](https://github.com/fuzzstati0n/fuzzgoat) and harness it!

# Non-binary targets? we've got you covered!


## REST APIs

- Try [Restler](https://www.microsoft.com/en-us/research/publication/restler-stateful-rest-api-fuzzing/)
- or [APIFuzzer](https://github.com/KissPeter/APIFuzzer)

### Disclaimer: check before you fuzz a live environment!
- API fuzzing on live environments is bad practice and can get you in trouble
- Often VDPs explicitely disallow it