[00:00:06,540] So first, we're going to talk a little bit about the different kinds of fuzzers that we have out there that are available. We've already talked about the different classes of fuzzers with the generation, mutation, and evolutionary fuzzers. Let's go into the fuzzers that are available on the commercial market.

[00:00:22,870] The first one we'll talk about is Codenomicon. This was recently acquired by Synopsys. It's a very well-known and used generation-based fuzzer. It is really designed around fuzzing file formats and network protocols. It has a very extensive suite of network protocols. Some of the downsides of it are that the test suites are not extensible in any way. You tell it what parts of the protocol you want to fuzz and they're more or less canned. You can boost up the types of values that it tries as a test case, but really, it's not too terribly extensible. So if you have a new feature in a protocol, you're really dependent on Codenomicon to implement that for you. And this is the fuzzer that found the famous Heartbleed vulnerability in OpenSSL.
[00:01:11,700] You can find more information about Codenomicon Defensics by going to www.codenomicon.com.

[00:01:17,820] The next commercial fuzzer I'll talk about was recently renamed. It is called Spirent CyberFlood. This was formerly Mu Dynamics, which was an acquisition by Spirent, and this is really a network protocol-oriented fuzzer. It's also generation-based, and one of the things that really makes this nice is you can put a system under a load while you're testing. So in other words, you can simulate traffic. You can simulate sessions. And so if that's something you think you would want to do in your systems, give Spirent a shot. You can find out more information about CyberFlood by going to www.spirent.com/Products/CyberFlood.

[00:01:56,960] And then finally, on the commercial fuzzer side, there is the Peach Fuzzer. There is actually both a community edition, which is free, and a commercial edition of the Peach Fuzzer. This fuzzer has an extensive set of features, it's very well supported, and it has quite a following in the open-source community for doing different kinds of fuzzing.
[00:02:19,360] It has a very extensive library called Pits that you could purchase for file formats and protocols. It's fairly well known. And like I said, if you don't want to pay for Peach Fuzzer, if you just wanted to try it out, you can try the community edition. But to find out more information, it's www.peach.tech.

[00:02:37,690] So let's talk a little more about what Peach Fuzzer actually is, and this is the community edition. They have really two versions of Peach Fuzzer. There's version two and version three. They have mostly migrated all development over to version three, and version three is written in C# on the .NET ecosystem. It is multi-platform. You could use either Windows, Mac OS X, or Linux, and the way you would do that is by using the Mono Project, which allows you to compile C# code on those different types of systems. It's a generation-based fuzzer, again, but it can also do some mutation-based fuzzing as well. You aren't stuck with the modeling. If you don't want to do that, you can do mutation-based fuzzing.
[00:03:19,460] It has very extensive modeling of not only protocols and messages but also the state of a protocol. So in other words, you can simulate a state machine, saying that "If I go into this state, then I will send this message. If I receive another message, I go into a different state," and so on. And all of the protocol modeling and all of the data modeling is done with an XML file, and so that's very, very extensive. And these data models that you would write in XML are called Peach Pits.

[00:03:53,580] Not only does it have the state modeling features that you need for that, but it also can do robust fault monitoring and collection of crashes, and in some cases, it can even tell you which crashes are the most important. And you can find out more information at the link below.

[00:04:10,100] Another open-source software package is Sulley, and there is a fork of Sulley called Boofuzz, which really takes a block-based approach to modeling network protocols. It's really designed around protocols that you would connect over, let's say, a TCP connection. And it's also generation-based as well.
[00:04:27,510] It's written in Python. And in the model, you start out with a request and then you add primitive fields to those requests, and you can organize those in blocks and nested blocks and so on. And they also have it fixed up for things like checksums and size, and then if you have, let's say, a field that is repeated so many times and you have a field that tells how many times that other field is being repeated, that's a count field, it'll also do those as well and make those fix-ups so that the parser will actually accept the input. And you can find out more information about Sulley and Boofuzz at the link below. I'll also have this link in a GitHub repository that we have set up for this class as well, with a whole list of links.

[00:05:07,360] Another fuzzer which has some really interesting properties is called Radamsa. It's a mutation-based fuzzer. It's written in a language called Scheme, which is a dialect of Lisp. And it has an extraordinary ability to infer patterns from a text in a protocol, and it can mutate that input.
[00:05:29,080] It's just an excellent, excellent mutation-based fuzzer, especially for text-based protocols. And it even has some modes where you can say, "This text is going to look like XML," for example, and it will do some of the fuzz testing against XML, where you could test against the parser or you can test against even a program that interprets the data based on an XML model. And it's just really, really good for those kinds of tests. But it's only for really doing local testing against, let's say, files or passing onto a process. And so if you wanted to do something against a network-based protocol, you would probably want to use a proxy like socat, which allows you to open a session and then take the output from Radamsa and actually feed it into that connection. You can find out more information about Radamsa at this link.

[00:06:19,410] Another mutational fuzzer is zzuf. This is an older fuzzer that's designed around fuzzing files like images and video. And what makes it interesting is it's all written in C and it can intercept programs directly by linking in with them.
[00:06:34,750] You use LD_PRELOAD and you use zzuf as a library, and you would, at run time, link that with the program, and that will do some file-based fuzz testing. Even though it's been around a little longer, it has a good track record of finding bugs, and if you're doing that kind of fuzzing, this is something you should give a try. You can find out more information at this link.

[00:06:55,070] Another package is a plugin to the OWASP Zed Attack Proxy: there is a feature in the OWASP Zed Attack Proxy, or ZAP, and this is a fuzzer that allows you to fuzz web applications. And you can fuzz against HTTP. You can fuzz against WebSockets. And if you wanted to target a particular field, you could just highlight that field and fuzz that, and plug in a bunch of different values that it already provides. It is kind of a canned fuzzer, but it is something that is very useful for fuzzing web-based applications, especially where you have a web-based application that calls other programs, where you could somehow trigger a vulnerability or an overflow in those programs.

[00:07:34,330] And now we're starting to get into the evolutionary fuzzers.
[00:07:36,980] One of the really first popular fuzzers for evolutionary fuzzing was a fuzzer called American Fuzzy Lop, which was named after a rabbit, and it was written by Michal Zalewski. It works by instrumenting a program at compile time, so you do need, in most cases, to have the source code for maximum coverage. And it supports programs that are written in C, C++, or Objective-C, and you could use either gcc or clang as the compiler. And then there is some experimental support. If you don't have source code, you can run the program in QEMU, which is a system emulator. This will allow you to do black-box testing against programs that you don't have source code for. It has a wonderful track record. It's found many bugs. It's also inspired forks for other languages such as Python. And you can find more information about AFL at this link.
[00:08:31,260] And then another advanced evolutionary fuzzer that has been developed by a gentleman at Google is called Honggfuzz, and this fuzzer provides more compile-time guidance, but it also includes some hardware features that are in Intel processors for things like code coverage monitoring. It has better support for remote network processes than AFL, and you could fuzz things like an HTTP or a DNS server. And like AFL, it's also found many bugs, and some of them critical.

[00:09:00,910] And then finally, this is a really good curated list that comes from secfigo, and it has a list of books and tutorials and tools. This is called Awesome Fuzzing, and that's the link where you can find Awesome Fuzzing, and it is a wonderful resource to keep up to date and to see some of the newer fuzzers that are out there and some of the new forks, because, especially on the evolutionary fuzzer side, there are always new tools coming out.