2014_EN_BrowserFuzzing_RosarioValotta

Recommendations

Info

DUMB Mutation fuzzing format// fuzzing Generation fuzzing Start with a pool of valid testcases Model your input defining structure of data blocks (grammar aware fuzzing) Perform pseudo-random mutations on them (bit flipping, append random,etc) Several free tools available: • zzUF • RADAmsa • SDL Minifuzz Define a state model and agents (operation available on data) Several valuable tools: • peach • spike + easier approach - Lesser code coverage and code paths + may provide unexcpected results even in the long run - Require deep knowledge of protocol/file format + Better coverage, because of valid combinations + comprehensive and more scalable
DOM fuzzing • DOM has a complex data structure, that carries the heavy load of modeling all possible operations enabled by modern HTML – JS – CSS • Lot of apis: Dom SPECIFICATIONS ARE DEFINED BY and divided in 4 different documents • Crossfuzz by michal zalewski is still the benchmark • Lot of mods, widespread coverage hard to spot new crashes • Nduja introduced some new concepts from DOM Level 2 and 3 specs and provided interesting results • BASIC WORKflow: Several namespaces ON simple elements And on collections Create random elements Tweak elements attributes Collect element reference Perform random mutations on DOM Trigger GC (e.g. Heap spray) Crawl DOM reference Define custom Events handlers Native JS structures or DOM collections Also on event handling routines
Page 1 and 2: BROWSER FUZZING IN 2014: David vs G
Page 3 and 4: 你好 ! • Hi beijing! I am rosa
Page 5 and 6: Vulnerabilities market Providers Bu
Page 7 and 8: Memory corruption vulns: a primer
Page 9: Usual Targets for Browser fuzzing R
Page 13 and 14: Stone #1 - Fuzzing/with/TIME
Page 15 and 16: • browsers are event-driven JS ti
Page 17 and 18: • Event objects are dispatched to
Page 19 and 20: Fuzzing with events setTimeout(fn,0
Page 21 and 22: FUZZing with XHR (2/2) Similar cons
Page 23 and 24: …the other side of the party •
Page 25 and 26: Stone #2 - Fuzzing/with/space
Page 27 and 28: Using legacy engines • By default
Page 29 and 30: Cross engines interactions • When
Page 31 and 32: Introducing fileja • A prototype
Page 33 and 34: SOME RESULTS #1 Registers: EAX = 0x
Page 35 and 36: SOME RESULTS #3 Registers: EAX = 0x
Page 37 and 38: Registers: EAX = 0x00454545 - EBX =
Page 39 and 40: SOME RESULTS #7 Caught a Write Acce
Page 41 and 42: SOME RESULTS #9 Caught a Read Acces
Page 43: Thankyou 谢谢

2014_EN_BrowserFuzzing_RosarioValotta

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?