SlideShare a Scribd company logo

The Fuzzing Project - 32C3

H
hannob

The document discusses the fuzzing project initiated by Hanno Böck to improve the reliability of C/C++ programming by identifying and mitigating common bugs through techniques like smart fuzzing and AddressSanitizer (ASan). It highlights the challenges and successes of fuzzing, including specific vulnerabilities found in notable software, and emphasizes the importance of using ASan for detecting memory access bugs. The presentation calls for increased usage of fuzzing tools and ASan in software development to enhance security.

Technology
1 of 35
Downloaded 20 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
1 THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Böck https://hboeck.de/
2 WHO AM I? Hanno Böck Freelance journalist (Golem.de, Zeit Online, taz, LWN) Started Fuzzing Project November 2014 Since May 2015: Supported by Linux Foundation's Core Infrastructure Initiative
3 FUZZING? Throw garbage at software
4
5 FUZZING BINUTILS Hundreds of bugs
6 THE C PROBLEM C/C++ responsible for many common bug classes (Buffer overflows, use after free etc.) Replacing C is good, but we'll have to live with it for a while Mitigation: Good, but incomplete.
7 THE PAST Dumb fuzzing: Only finds the easy bugs Template-based fuzzing: a lot of work for each target
8 AMERICAN FUZZY LOP
9 AMERICAN FUZZY LOP (AFL) Smart fuzzing, quick and easy Code instrumentation Watches for new code paths
10
11 AFL SUCCESS STORIES Bash Shellshock variants (CVE-2014-{6277,6278}) Stagefright vulnerabilities (CVE-2015- {1538,3824,3827,3829,3864,3876,6602}) GnuPG (CVE-2015-{1606,1607,9087}) OpenSSH out-of-bounds in handshake OpenSSL (CVE-2015-{0288,0289,1788,1789,1790,3193}) BIND remote crashes (CVE-2015-{5477,2015,5986}) NTPD remote crash (CVE-2015-7855) Libreoffice GUI interaction crashes
12 FUZZING MATH 0x0505 05050505 ² mod 0x41 41414141 41414141 41412741 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41418000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000005 = 0x19324B 647D967D 644B3219 ? = 0x34 34343434 34343434 34341F67 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676774 74747474 74747474 74746F41 41414141 41417373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73738000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 0019324B 647D967D 644B321D ?
13
0x0F FFFFFFFF FFFFFFFF^0 mod 1 = 0 or 1 ?
14 15 NETTLE ECC / NIST P256 point (0xFFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF 001C2C00, 0x9731275B 8E973CEA FD8ABF5A 6E16A177 F05A3451 14FBC752 7B3A60BC 65FE606A) * 1 != point (0xFFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFE FFFFFFFF 001C2C00 , 0x9731275B 8E973CEA FD8ABF5A 6E16A177 F05A3451 14FBC752 7B3A60BC 65FE606A )
16 ADDRESS SANITIZER (ASAN) If you only take away one thing from this talk: Use Address Sanitizer! -fsanitize=address in gcc/clang
17 SPOT THE BUG! int main() { int a[2] = {1, 0}; printf("%i", a[2]); }
18
19 ADDRESS SANITIZER HELPS Finds lots of hidden memory access bugs like out of bounds read/write (Stack, Heap, Global), use-after-free etc.
20
21 FINDING HEARTBLEED WITH AFL+ASAN Small OpenSSL handshake wrapper AFL finds Heartbleed within 6 hours LibFuzzer needs just 5 Minutes
22 ADDRESS SANITIZER If ASAN catches all these typical C bugs... ... can we just use it in production?
23 ASAN IN PRODUCTION Yes, but not for free 50 - 100 % CPU and memory overhead Example: Hardened Tor Browser
24 GENTOO LINUX WITH ASAN Everything compiled with ASAN except a few core packages (gcc, glibc, dependencies)
25 FIXING PACKAGES Memory access bugs in normal operation. These need to be fixed. bash, shred, python, syslog-ng, nasm, screen, monit, nano, dovecot, courier, proftpd, claws-mail, hexchat, ...
26 PROBLEMS / CHALLENGES ASAN executable + non-ASAN library: fine ASAN library + non-ASAN executable: breaks Build system issues (mostly libtool) Custom memory management (boehm-gc, jemalloc, tcmalloc)
27 IT WORKS Running server with real webpages. But: More bugs need to be fixed.
28 OTHER TOOLS
29 KASAN AND SYZCKALLER KASAN: ASAN for the Linux Kernel. syzkaller: syscall fuzzing similar to afl
30 UNDEFINED BEHAVIOR SANITIZER (UBSAN) Finds code that is undefined in C Invalid shifts, int overflows, unaligned memory access, ... Problem: Just too many bugs, problems rare There's also TSAN (Thread sanitizer, race conditions) and MSAN (Memory Sanitizer, uninitialized memory)
31 AFL AND NETWORKING Fuzzing network connections, experimental code by Doug Birdwell Usually a bit more brittle than file fuzzing Not widely used yet
32 AFL AND ANDROID Implementation from Intel just released Promising (Stagefright) Android Security desperately needs it
33 WHAT HAS THIS TO DO WITH FREE SOFTWARE? Remember the many eyes principle? "Free software is secure - because everyone can look at the source and find the bugs." We have to actually *do* that.
34 QUESTION TO THE AUDIENCE Do you develop / maintain software? In C? Do you know / use Fuzzing and Address Sanitizer? If not: Why not?
35 THANKS FOR LISTENING Use Address Sanitizer! Fuzz your software. Questions? https://fuzzing-project.org/

More Related Content

PDF
Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...
Security Session
 
PDF
Inspector - Node.js : Notes
Subhajit Sahu
 
PDF
Of tutorials v1612+
Etsuji Nomura
 
PDF
The true story_of_hello_world
fantasy zheng
 
PDF
TLS Interception considered harmful (Chaos Communication Camp 2015)
hannob
 
PDF
Library Operating System for Linux #netdev01
Hajime Tazaki
 
PDF
May2010 hex-core-opt
Jeff Larkin
 
PPTX
Windows Debugging with WinDbg
Arno Huetter
 
Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...
Security Session
 
Inspector - Node.js : Notes
Subhajit Sahu
 
Of tutorials v1612+
Etsuji Nomura
 
The true story_of_hello_world
fantasy zheng
 
TLS Interception considered harmful (Chaos Communication Camp 2015)
hannob
 
Library Operating System for Linux #netdev01
Hajime Tazaki
 
May2010 hex-core-opt
Jeff Larkin
 
Windows Debugging with WinDbg
Arno Huetter
 

Similar to The Fuzzing Project - 32C3 (20)

PDF
Performance Wins with eBPF: Getting Started (2021)
Brendan Gregg
 
ODP
ooc - A hybrid language experiment
Amos Wenger
 
ODP
ooc - A hybrid language experiment
Amos Wenger
 
PDF
Cray XT Porting, Scaling, and Optimization Best Practices
Jeff Larkin
 
PPT
[CCC-28c3] Post Memory Corruption Memory Analysis
Moabi.com
 
PDF
Systems@Scale 2021 BPF Performance Getting Started
Brendan Gregg
 
PDF
Parallelism in a NumPy-based program
Ralf Gommers
 
PDF
Surge2012
davidapacheco
 
PPT
Writing Metasploit Plugins
amiable_indian
 
PDF
SFO15-500: VIXL
Linaro
 
PDF
Next Generation Indexes For Big Data Engineering (ODSC East 2018)
Daniel Lemire
 
ODP
x86 & PE
Ange Albertini
 
PDF
Kettunen, miaubiz fuzzing at scale and in style
DefconRussia
 
PDF
HackLU 2018 Make ARM Shellcode Great Again
Saumil Shah
 
PDF
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Yulia Tsisyk
 
PDF
Why kernelspace sucks?
OpenFest team
 
PDF
Web (dis)assembly
Shakacon
 
PPTX
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
Andrey Karpov
 
PDF
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
CanSecWest
 
PPTX
Raising the Bar on Robotics Code Quality
Thomas Moulard
 
Performance Wins with eBPF: Getting Started (2021)
Brendan Gregg
 
ooc - A hybrid language experiment
Amos Wenger
 
ooc - A hybrid language experiment
Amos Wenger
 
Cray XT Porting, Scaling, and Optimization Best Practices
Jeff Larkin
 
[CCC-28c3] Post Memory Corruption Memory Analysis
Moabi.com
 
Systems@Scale 2021 BPF Performance Getting Started
Brendan Gregg
 
Parallelism in a NumPy-based program
Ralf Gommers
 
Surge2012
davidapacheco
 
Writing Metasploit Plugins
amiable_indian
 
SFO15-500: VIXL
Linaro
 
Next Generation Indexes For Big Data Engineering (ODSC East 2018)
Daniel Lemire
 
x86 & PE
Ange Albertini
 
Kettunen, miaubiz fuzzing at scale and in style
DefconRussia
 
HackLU 2018 Make ARM Shellcode Great Again
Saumil Shah
 
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Yulia Tsisyk
 
Why kernelspace sucks?
OpenFest team
 
Web (dis)assembly
Shakacon
 
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
Andrey Karpov
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
CanSecWest
 
Raising the Bar on Robotics Code Quality
Thomas Moulard
 
Ad

More from hannob (9)

PDF
Some tales about TLS
hannob
 
PDF
Crypto workshop part 3 - Don't do this yourself
hannob
 
PDF
Crypto workshop part 1 - Web and Crypto
hannob
 
PDF
How broken is TLS?
hannob
 
PDF
Papierlos
hannob
 
PDF
Gehackte Webapplikationen und Malware
hannob
 
PDF
SSL, X.509, HTTPS - How to configure your HTTPS server
hannob
 
ODP
Stromsparen
hannob
 
ODP
Wirtschaftswachstum, klimawandel und Peak Oil
hannob
 
Some tales about TLS
hannob
 
Crypto workshop part 3 - Don't do this yourself
hannob
 
Crypto workshop part 1 - Web and Crypto
hannob
 
How broken is TLS?
hannob
 
Papierlos
hannob
 
Gehackte Webapplikationen und Malware
hannob
 
SSL, X.509, HTTPS - How to configure your HTTPS server
hannob
 
Stromsparen
hannob
 
Wirtschaftswachstum, klimawandel und Peak Oil
hannob
 
Ad

Recently uploaded (20)

PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 

The Fuzzing Project - 32C3

  • 1. 1 THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Böck https://hboeck.de/
  • 2. 2 WHO AM I? Hanno Böck Freelance journalist (Golem.de, Zeit Online, taz, LWN) Started Fuzzing Project November 2014 Since May 2015: Supported by Linux Foundation's Core Infrastructure Initiative
  • 4. 4
  • 6. 6 THE C PROBLEM C/C++ responsible for many common bug classes (Buffer overflows, use after free etc.) Replacing C is good, but we'll have to live with it for a while Mitigation: Good, but incomplete.
  • 7. 7 THE PAST Dumb fuzzing: Only finds the easy bugs Template-based fuzzing: a lot of work for each target
  • 9. 9 AMERICAN FUZZY LOP (AFL) Smart fuzzing, quick and easy Code instrumentation Watches for new code paths
  • 10. 10
  • 11. 11 AFL SUCCESS STORIES Bash Shellshock variants (CVE-2014-{6277,6278}) Stagefright vulnerabilities (CVE-2015- {1538,3824,3827,3829,3864,3876,6602}) GnuPG (CVE-2015-{1606,1607,9087}) OpenSSH out-of-bounds in handshake OpenSSL (CVE-2015-{0288,0289,1788,1789,1790,3193}) BIND remote crashes (CVE-2015-{5477,2015,5986}) NTPD remote crash (CVE-2015-7855) Libreoffice GUI interaction crashes
  • 12. 12 FUZZING MATH 0x0505 05050505 ² mod 0x41 41414141 41414141 41412741 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41418000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000005 = 0x19324B 647D967D 644B3219 ? = 0x34 34343434 34343434 34341F67 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676774 74747474 74747474 74746F41 41414141 41417373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73738000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 0019324B 647D967D 644B321D ?
  • 13. 13
  • 14. 0x0F FFFFFFFF FFFFFFFF^0 mod 1 = 0 or 1 ?
  • 15. 14 15 NETTLE ECC / NIST P256 point (0xFFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF 001C2C00, 0x9731275B 8E973CEA FD8ABF5A 6E16A177 F05A3451 14FBC752 7B3A60BC 65FE606A) * 1 != point (0xFFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFE FFFFFFFF 001C2C00 , 0x9731275B 8E973CEA FD8ABF5A 6E16A177 F05A3451 14FBC752 7B3A60BC 65FE606A )
  • 16. 16 ADDRESS SANITIZER (ASAN) If you only take away one thing from this talk: Use Address Sanitizer! -fsanitize=address in gcc/clang
  • 17. 17 SPOT THE BUG! int main() { int a[2] = {1, 0}; printf("%i", a[2]); }
  • 18. 18
  • 19. 19 ADDRESS SANITIZER HELPS Finds lots of hidden memory access bugs like out of bounds read/write (Stack, Heap, Global), use-after-free etc.
  • 20. 20
  • 21. 21 FINDING HEARTBLEED WITH AFL+ASAN Small OpenSSL handshake wrapper AFL finds Heartbleed within 6 hours LibFuzzer needs just 5 Minutes
  • 22. 22 ADDRESS SANITIZER If ASAN catches all these typical C bugs... ... can we just use it in production?
  • 23. 23 ASAN IN PRODUCTION Yes, but not for free 50 - 100 % CPU and memory overhead Example: Hardened Tor Browser
  • 24. 24 GENTOO LINUX WITH ASAN Everything compiled with ASAN except a few core packages (gcc, glibc, dependencies)
  • 25. 25 FIXING PACKAGES Memory access bugs in normal operation. These need to be fixed. bash, shred, python, syslog-ng, nasm, screen, monit, nano, dovecot, courier, proftpd, claws-mail, hexchat, ...
  • 26. 26 PROBLEMS / CHALLENGES ASAN executable + non-ASAN library: fine ASAN library + non-ASAN executable: breaks Build system issues (mostly libtool) Custom memory management (boehm-gc, jemalloc, tcmalloc)
  • 27. 27 IT WORKS Running server with real webpages. But: More bugs need to be fixed.
  • 29. 29 KASAN AND SYZCKALLER KASAN: ASAN for the Linux Kernel. syzkaller: syscall fuzzing similar to afl
  • 30. 30 UNDEFINED BEHAVIOR SANITIZER (UBSAN) Finds code that is undefined in C Invalid shifts, int overflows, unaligned memory access, ... Problem: Just too many bugs, problems rare There's also TSAN (Thread sanitizer, race conditions) and MSAN (Memory Sanitizer, uninitialized memory)
  • 31. 31 AFL AND NETWORKING Fuzzing network connections, experimental code by Doug Birdwell Usually a bit more brittle than file fuzzing Not widely used yet
  • 32. 32 AFL AND ANDROID Implementation from Intel just released Promising (Stagefright) Android Security desperately needs it
  • 33. 33 WHAT HAS THIS TO DO WITH FREE SOFTWARE? Remember the many eyes principle? "Free software is secure - because everyone can look at the source and find the bugs." We have to actually *do* that.
  • 34. 34 QUESTION TO THE AUDIENCE Do you develop / maintain software? In C? Do you know / use Fuzzing and Address Sanitizer? If not: Why not?
  • 35. 35 THANKS FOR LISTENING Use Address Sanitizer! Fuzz your software. Questions? https://fuzzing-project.org/