Friday, 03 February 2012

Fuzzing

Fuzzing is a black-box software testing technique which basically consists of finding implementation bugs by injecting malformed or semi-malformed data in an automated fashion.

Fuzzer Implementation
A fuzzer is a program which automatically injects semi-random data into a program/stack and detects bugs. The data-generation part is made of generators, and vulnerability identification relies on debugging tools. Generators usually use combinations of static fuzzing vectors (known-to-be-dangerous values) or totally random data. New-generation fuzzers use genetic algorithms to link the injected data to the observed impact. Such tools are not public yet.

Comparison with cryptanalysis
The number of possible tryable solutions is the explorable solution space. The aim of cryptanalysis is to reduce this space, which means finding a way to have fewer keys to try than pure brute force in order to decrypt something.
Most fuzzers are:
- protocol/file-format dependent
- data-type dependent

Attack types
A fuzzer would try combinations of attacks on:
- numbers (signed/unsigned inputs)
- metadata: user-input text (ID3 tags)
- chars (URLs, command-line inputs)
- pure binary sequences
A common approach to fuzzing is to define lists of "known-to-be-dangerous values" (fuzz vectors) for each type, and to inject them or recombinations of them:
- for integers: zero, possibly interpretable characters / instructions (e.g. for SQL requests, quotes / commands)
- for binary: random ones
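
The generator/oracle split and the per-type fuzz vectors described above, as an added Python example (not code from the original post): `parse_chunked` is a hypothetical toy parser whose header field is never validated; the harness recombines integer, character and random-binary vectors into inputs and records every unhandled exception as a finding.

```python
import random
import struct

# Constructed fuzz vectors per data type, in the spirit of the
# "known-to-be-dangerous values" the text describes (not an exhaustive list).
INT_VECTORS = [0, 1, -1, 127, 128, 255, 256, 32767, 32768, 65535, 2**31 - 1, -2**31]
CHAR_VECTORS = ["", "'", '"', "';--", "%s%s%s", "\x00", "../", "A" * 300]

def parse_chunked(data: bytes) -> int:
    """Hypothetical target: <chunk_size:u16><name_len:u16><name><payload>.
    Returns the number of full chunks in the payload. It carries one
    unintended bug for the fuzzer to find: chunk_size is never checked."""
    chunk_size, name_len = struct.unpack_from("<HH", data, 0)
    name = data[4:4 + name_len].decode("ascii")
    payload = data[4 + name_len:]
    return len(payload) // chunk_size      # ZeroDivisionError when chunk_size == 0

def generate_cases(rng: random.Random, n: int) -> list:
    """Generator: recombine per-type vectors (ints, chars, random binary) into inputs."""
    cases = []
    for _ in range(n):
        chunk_size = rng.choice(INT_VECTORS) & 0xFFFF          # truncate into the u16 field
        name = rng.choice(CHAR_VECTORS).encode("ascii")
        payload = bytes(rng.randrange(256) for _ in range(rng.randrange(64)))
        cases.append(struct.pack("<HH", chunk_size, len(name)) + name + payload)
    return cases

def fuzz(target, cases: list) -> list:
    """Crash oracle: every unhandled exception is recorded together with the
    input that triggered it. For a native target a debugger plays this role."""
    findings = []
    for case in cases:
        try:
            target(case)
        except Exception as exc:
            findings.append((case, exc))
    return findings

def run_demo(seed: int = 7, n: int = 200) -> list:
    """One reproducible fuzzing run; prints the first findings and returns them all."""
    findings = fuzz(parse_chunked, generate_cases(random.Random(seed), n))
    print(f"{len(findings)} crashing inputs out of {n}")
    for case, exc in findings[:3]:
        print(f"  {type(exc).__name__}: {exc} <- header {case[:4].hex()}")
    return findings

if __name__ == "__main__":
    run_demo()
```

Every recorded finding here has a zero chunk-size header, which is exactly the "zero" entry of the integer vector list doing its job; the fix is a bounds check on the field before it is used.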

Protocols and file formats imply norms, which are sometimes blurry, very complicated or badly implemented: that's why developers sometimes mess up in the implementation process (because of time/cost constraints). That's why it can be interesting to take the opposite approach: take a norm, look at all mandatory features and constraints, and try all of them: forbidden/reserved values, linked parameters, field sizes. That would be conformance-testing-oriented fuzzing.

Application fuzzing
Whatever the fuzzed program is, the attack vectors lie within its I/O. For a desktop app:
- the UI (testing all button sequences / text inputs)
- the command-line options
- the import/export capabilities
For a web app: URLs, forms, user-generated content, RPC requests, ...
