Wednesday, August 17, 2011

Introduction to fuzzing

Fuzzing is an effective technique for finding potential security bugs in software. I will show two examples of fuzzing using SPIKE and SPIKEfile frameworks.

SPIKE is framework for fuzzing network protocols. Let's say that we want to o fuzz UDP server that communicates using very simple protocol:

[length][string]

So in the packet there are sent: length (32 bit integer) and string (of earlier sent length). To fuzz it we create following SPIKE script (mz.spk):

s_blocksize_string("fileformat", 4);
s_block_start("fileformat");
s_string(" ");
s_string_variable("abc");
s_block_end("fileformat");

Now we can execute generic_send_udp fuzzer from SPIKE framework:

$ ./generic_send_udp 127.0.0.1 81 mz.spk 0 0 10

We can observe packets sent by the fuzzer with tcpdump:

$ sudo tcpdump -i lo -n -X udp port 81

SPIKEfile is fuzzer based on SPIKE for file formats fuzzing. Let's consider badly vulnerable, sample application that opens a file (with format identical with packet format that we discussed above):

 int main(int argc, char **argv)
{
    FILE *f = fopen(argv[1], "r");
    int num;
    char array[650] = {0};

    fscanf(f, "%d %s", &num, array);
    fclose(f);

    printf("num: %d, array: %s\n", num, array);
    return 0;
}

As we can see, data from the file is copied to array without any length checking. We will fuzz it the same way as previous (using the same SPIKE script) but with SPIKEfile fuzzer:

$ ./SPIKEfile -f file.mz mz.spk 0 0 "./vuln_app %FILENAME%"

On each crash SPIKEfile will generate report with stack dump.

This two simple examples show philosophy behind fuzzing using SPIKE based fuzzers. When we have more complicated network protocol or file format, our SPIKE script is much longer (the better we now fuzzed protocol/file format the more effective fuzzing becomes) but the approch is the same.