Date posted: 15-Jan-2016
Uploaded by: clifford-summers
Peach 1
Framework for writing fuzzers
Instrumentation via wrapper APIs
No data definition layer (DDL), just fuzzer
Steep learning curve
Complex fuzzers result in complex fuzzer code
Peach 2
Reduce creation time and simplify fuzzer generation
Fuzzer platform, not framework
Modeling based approach
Fault detection
Lower learning curve
Modeling Based Fuzzing
Model types and data
Model state machine
Support models with data sets
Mutate models with mutators
Model Data: Types
[Diagram: a packet laid out as typed fields: INT, INT, INT, Flags; INTLen, STRING; DATA; INTLen; INT, INT, INT; DATA]
Model Data: Relationships
[Diagram: the typed-field layout INT, INT, INT, Flags; INTLen, STRING; DATA; INTLen; INT, INT, INT; DATA]
Model Data: State Model
[Diagram: state model with nodes Packet A, Packet B-1, Packet C-1, Packet C-2, Packet D, Packet B-2]
Benefits of Modeling
Easy reuse of definitions
Complex mutations can be applied to a model
Improvements to data generation or mutation independent of model
Data read into definition as well as generated
Data Modeling
Define structure of data
Define relations in data
Reuse definitions
Block
Sequence
Choice
String
Number
Flags/Flag
Blob
Relation
Transformer
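An added sketch, not from the slides and not Peach's own API, of why a size relation matters: the length field is derived from the model at output time, so a mutator that changes the string still produces a well-formed packet, and the same model can read existing data back in. The class names mirror the element names listed above; the 16-bit big-endian layout, `packet_model` and `mutate_repeat` are assumptions made for illustration.

```python
import struct

class String:
    def __init__(self, name, value=b""):
        self.name, self.value = name, value

class Number:
    """16-bit big-endian integer; size_of names the field whose length it carries."""
    def __init__(self, name, value=0, size_of=None):
        self.name, self.value, self.size_of = name, value, size_of

class Block:
    def __init__(self, *fields):
        self.fields = {f.name: f for f in fields}

    def generate(self):
        """Serialize the model; size relations are resolved at output time."""
        out = b""
        for f in self.fields.values():
            if isinstance(f, Number):
                v = len(self.fields[f.size_of].value) if f.size_of else f.value
                out += struct.pack(">H", v & 0xFFFF)  # wraps past 65535 bytes
            else:
                out += f.value
        return out

    def crack(self, data):
        """Read existing bytes into the model, using relations to size fields."""
        pos, sizes = 0, {}
        for f in self.fields.values():
            want = 2 if isinstance(f, Number) else sizes.get(f.name, len(data) - pos)
            if want > len(data) - pos:
                raise ValueError(f"{f.name}: needs {want} bytes, {len(data) - pos} left")
            if isinstance(f, Number):
                (f.value,) = struct.unpack_from(">H", data, pos)
                if f.size_of:
                    sizes[f.size_of] = f.value
            else:
                f.value = data[pos:pos + want]
            pos += want
        return self

def packet_model():
    # Constructed sample layout: type (INT), len (INTLen -> body), body (STRING)
    return Block(Number("type", 1), Number("len", size_of="body"), String("body", b"hello"))

def mutate_repeat(model, field, times):
    """Model-level mutator: grow one field; the related length follows on generate()."""
    model.fields[field].value *= times
    return model
```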
State Modeling
Stream
TCP, UDP, Files
Connect, Accept, Input, Output, Close
Call
COM, RPC, SOAP
Call Method Parameters Result
State Modeling: Stream
[Diagram: State Machine with numbered callouts 1 to 5.
State 1: Connect, Output, Input, Output, Change State.
State 2: Input, Output, Input, Output, Change State.
State 3: Input, Output, Input, Close.]
State Modeling: Stream
[Diagram: State Machine with callouts 1 and 5.
State 1: Accept, Output, Input, Output, Change State.
State 2: Input, Output, Input, Output, Change State.
State 3: Input, Output, Input, Close.]
State Modeling: Stream
[Diagram: State Machine with numbered callouts 1 to 4.
State 1: Connect, Output, Input, Close, Change State.
State 2: Connect, Output, Input, Output, Change State.
State 3: Input, Output, Input, Close.]
State Modeling: Call
[Diagram: State Machine with numbered callouts 1 to 3.
State 1: Start, Call, Call, Change State.
State 2: Call, Call, Call, Stop.]
Mutation: State
[Diagram: state model with nodes Packet A, Packet B-1, Packet C-1, Packet C-2, Packet D, Packet B-2]
2 Tier Configuration
[Diagram with numbered callouts 1 to 6.
Agent 1: Debugger, Target, Network Capture.
Agent 2: Debugger, Backend, Network Capture.
Peach: Engine, Agent Manager, Logging.]
Monitors
Debuggers
Process Monitor
Memory Monitor
Network Capture
VM Control (snapshot, revert)
Networked Power Strips (cycle power)
Easy to implement custom monitors
Peach Farm
Adam Cecchetti
Massively Parallel Fuzzing
Scales from 1 to 10,000 nodes
Choose your Virtual Platform/Hosting: EC2, Xen, VMware, etc.
Utilizes Map/Reduce Algorithm
Map: Maps the fuzzing cases to indexes and results
Reduce: Reduces fuzzing results to interesting cases
Metric based: Time, size, diff, expected errors, OS faults, crashes
Peach in The Middle
[Diagram: Client, Server, Peach, Controller, Agent, Data Model]