22C3 - 2.2

22nd Chaos Communication Congress
Private Investigations

Tag 3
Raum Saal 2
Beginn 16:00
Dauer 02:00
ID 537
Veranstaltungstyp Vortrag
Track Hacking
Sprache englisch


Breaking software in an automated fashion

Fuzzing is the art of automatic bug finding. This is done by providing applications with somewhat broken to really broken input. During my talk I'll give an overview of current fuzzers and how to build your own.

In this talk fuzzing will be explained. Fuzzing is the art of providing an application with a lot of different and mostly broken input. The input should in most cases be good enough so applications will assume it's valid input, but at the same time be broken enough so that parsing done on this input will fail. Such failing can lead to unexpected results such as crashes, information leaks, delays, ...

In order to decently fuzz a given application tools are needed. Some are better then others and a variaty of fuzzing tools will be covered in this lecture. Some of the most known are:

  • spike
  • scapy
  • smudge
  • protos
  • ...
There are 3 basic types of fuzzers that will be covered:
  • Manual testing.
  • semi-automatic fuzzing
  • automatic fuzzing.
The tools that will be covered are either standalone fuzzers which can usually only fuzz 1 type of protocol or application or so called fuzzing frameworks. Fuzzing frameworks have api's to easely produce broken data and implement specific protocols. Most fuzzing tools concentrate only on fuzzing certain network protocols. This lecture will show that a lot more can fuzzed, such as:
  • network stacks
  • Arguments, signals, stdin, envvar, file descriptors, ....
  • Api's (library calls, systemcalls)
  • files (binary, human readable, ...)
During the lecture a lot of examples will be shown. I'll show how some of the most widely used applications break within seconds with some of the fuzzing tools. Some of these applications are:
  • internet explorer
  • ios 12.x
  • solaris kernel
  • grandstream GXP2000 voip phone
  • many many more
A large part of the talk will go deeper into how to produce broken input that will likely cause problems. As will be shown size fields and strings are usually very interesting to change. Some time will also be spend with exploring the current debugging and disassembling tools in order to figure out what broke, and where it broke. Near the end there will also be a list of annoying things that one might enounter during fuzzing. Usually they get in the way of automated fuzzing (Think of an application that will give an annoying popup every single time it recieves badly formed data). Some ideas will be given to bypass these annoyances. At the end of the lecture pretty much all attendants will realize that most people writing parsing code today aren't doing such a good job (in term of security !) and how easy it is to go out and find cool security bugs with automated tools.