Poised Solutions Tech Library

Fuzzing Book Review

Fuzzing
Authors:
Michael Sutton, Adam Greene, Pedram Amini
Publisher:
Addison-Wesley
Published:
2007
Pages:
543

Fuzzing Chapters
  1. Vulnerability Discovery Methodologies
    • White Box Testing
      • Source Code Review
      • Tools and Automation
      • Pros and Cons
    • Black Box Testing
      • Manual Testing
      • Automated Testing or Fuzzing
      • Pros and Cons
    • Gray Box Testing
      • Binary Auditing
      • Automated Binary Auditing
      • Pros and Cons
    • Summary
  2. What is Fuzzing?
    • Definition of Fuzzing
    • History of Fuzzing
    • Fuzzing Phases
    • Fuzzing Limitations and Expectations
      • Access Control Flaws
      • Poor Design Logic
      • Backdoors
      • Memory Corruption
      • Multistage Vulnerabilities
    • Summary
  3. Fuzzing Methods and Fuzzer Types
    • Fuzzing Methods
      • Pregenerated Test Cases
      • Random
      • Manual Protocol Mutation Testing
      • Mutation or Brute Force Testing
      • Automatic Protocol Generation Testing
    • Fuzzer Types
      • Local Fuzzers
      • Remote Fuzzers
      • In-Memory Fuzzers
      • Fuzzer Frameworks
    • Summary
  4. Data Representation and Analysis
    • What Are Protocols?
    • Protocol Fields
    • Plain Text Protocols
    • Binary Protocols
    • Network Protocols
    • File Formats
    • Common Protocol Elements
      • Name-Value Pairs
      • Block Identifiers
      • Block Sizes
      • Checksums
    • Summary
  5. Requirements for Effective Fuzzing
    • Reproducibility and Documentation
    • Reusability
    • Process State and Process Depth
    • Tracking, Code Coverage, and Metrics
    • Error Detection
    • Resource Constraints
    • Summary
  6. Automation and Data Generation
    • Value of Automation
    • Helpful Tools and Libraries
      • Ethereal / Wireshark
      • libdasm and libdisasm
      • Libnet / LibnetNT
      • LibPCAP
      • Metro Packet Library
      • PTrace
      • Python Extensions
    • Programming Language Choice
    • Data Generation and Fuzz Heuristics
      • Integer Values
      • String Repetitions
      • Field Delimiters
      • Format Strings
      • Character Translation
      • Directory Traversal
      • Command Injection
    • Summary
  7. Environment Variable and Argument Fuzzing
    • Introduction to Local Fuzzing
      • Command-Line Arguments
      • Environment Variables
    • Local Fuzzing Principles
    • Finding Targets
      • UNIX File Permissions Explained
    • Local Fuzzing Methods
    • Enumerating Environment Variables
      • The GNU Debugger (GDB) Method
    • Automating Environment Variable Fuzzing
      • Library Preloading
    • Detecting Problems
    • Summary
  8. Environment Variable and Argument Fuzzing: Automation
    • Features of iFUZZ Local Fuzzer
    • Development
      • Development Approach
    • Language
    • Case Study
    • Benefits and Room for Improvement
    • Summary
  9. Web Application and Server Fuzzing
    • What Is Web Application Fuzzing?
    • Targets
    • Methods
      • Set Up
      • Inputs
    • Vulnerabilities
    • Detection
    • Summary
  10. Web Application and Server Fuzzing: Automation
    • Web Application Fuzzers
    • Features
      • Requests
      • Fuzz Variables
      • Responses
    • Necessary Background Information
      • Identifying Requests
      • Detection
    • Development
      • Approach
      • Language Selection
      • Design
    • Case Studies
      • Directory Traversal
      • Overflow
      • SQL Injection
      • XSS Scripting
    • Benefits and Room for Improvement
    • Summary
  11. File Format Fuzzing
    • Targets
    • Methods
      • Brute Force or Mutation-Based Fuzzing
      • Intelligent Brute Force or Generation-Based Fuzzing
    • Inputs
    • Vulnerabilities
      • Denial of Service
      • Integer Handling Problems
      • Simple Stack and Heap Overflows
      • Logic Errors
      • Format Strings
      • Race Conditions
    • Detection
    • Summary
  12. File Format Fuzzing: Automation on Unix
    • notSPIKEfile and SPIKEfile
      • What's Missing?
    • Development Approach
      • Exception Detection Engine
      • Exception Reporting (Exception Detection)
      • Core Fuzzing Engines
    • Meaningful Code Snippets
      • Usually Interesting UNIX Signals
      • Not so Interesting UNIX Signals
    • Zombie Processes
    • Usage Notes
      • Adobe Acrobat
      • RealNetworks RealPlayer
    • Case Study: RealPlayer RealPix Format String Vulnerability
    • Language
    • Summary
  13. File Format Fuzzing: Automation on Windows
    • Windows File Format Vulnerabilities
    • Features
      • File Creation
      • Application Execution
      • Exception Detection
      • Saved Audits
    • Necessary Background Information
      • Identifying Targets
    • Development
      • Approach
      • Language Selection
      • Design
    • Case Study
    • Benefits and Room for Improvement
    • Summary
  14. Network Protocol Fuzzing
    • What Is Network Protocol Fuzzing?
    • Targets
      • Layer 2: Data Link Layer
      • Layer 3: Network Layer
      • Layer 4: Transport Layer
      • Layer 5: Session Layer
      • Layer 6: Presentation Layer
      • Layer 7: Application Layer
    • Methods
      • Brute Force or Mutation-Based Fuzzing
      • Intelligent Brute Force or Generation-Based Fuzzing
      • Modified Client Mutation Fuzzing
    • Fault Detection
      • Manual (Debugger Based)
      • Automatic (Agent Based)
      • Other Sources
    • Summary
  15. Network Protocol Fuzzing: Automation on Unix
    • Fuzzing with SPIKE
      • Choosing the Target
      • Reversing the Protocol
    • SPIKE 101
      • Fuzz Engine
      • Generic Line-Based TCP Fuzzer
    • Block-Based Protocol Modeling
    • Additional SPIKE Features
      • Protocol-Specific Fuzzers
      • Protocol-Specific Fuzz Scripts
      • Generic Script-Based Fuzzers
    • Writing the SPIKE NMAP Fuzzer Script
    • Summary
  16. Network Protocol Fuzzing: Automation on Windows
    • Features
      • Packet Structure
      • Capturing Data
      • Parsing Data
      • Fuzz Variables
      • Sending Data
    • Necessary Background Information
      • Detection
      • Protocol Driver
    • Development
      • Language Selection
      • Packet Capture Library
      • Design
    • Case Study
    • Benefits and Room for Improvement
    • Summary
  17. Web Browser Fuzzing
    • What Is Web Browser Fuzzing?
    • Targets
    • Methods
      • Approaches
      • Inputs
    • Vulnerabilities
    • Detection
    • Summary
  18. Web Browser Fuzzing: Automation
    • Component Object Model Background
      • History in a Nutshell
      • Objects and Interfaces
      • ActiveX
    • Fuzzer Development
      • Enumerating Loadable ActiveX Controls
      • Properties, Methods, Parameters, and Types
      • Fuzzing and Monitoring
    • Summary
  19. In-Memory Fuzzing
    • In-Memory Fuzzing: What and Why?
    • Necessary Background Information
    • No Really, What Is In-Memory Fuzzing?
    • Targets
    • Method: Mutation Loop Insertions
    • Method: Snapshot Restoration Mutation
    • Testing Speed and Process Depth
    • Fault Detection
    • Summary
  20. In-Memory Fuzzing: Automation
    • Required Feature Set
    • Language Choice
    • Windows Debugging API
    • Putting It All Together
      • How Do We Implement Our Need to "Hook" into the Target Process at Specific Points?
      • How Do We Handle Process Snapshots and Restores?
      • How Do We Choose Our Hook Points?
      • How Do We Locate and Mutate Target Memory Space?
    • PyDbg, Your New Best Friend
    • A Contrived Example
    • Summary
  21. Fuzzing Frameworks
    • What Is a Fuzzing Framework?
    • Existing Frameworks
      • antiparser
      • Dfuzz
      • SPIKE
      • Peach
      • General Purpose Fuzzer
      • Autodafé
    • Custom Fuzzer Case Study: Shockwave Flash
      • Modeling SWF Files
      • Generating Valid Data
      • Fuzzing Environment
      • Testing Methodologies
    • Sulley: Fuzzing Framework
      • Sulley Directory Structure
      • Data Representation
      • Session
      • Postmortem
      • A Complete Walkthrough
    • Summary
  22. Automated Protocol Dissection
    • What's the Problem with Fuzzing?
    • Heuristic Techniques
      • Proxy Fuzzing
      • Improved Proxy Fuzzing
      • Disassembly Heuristics
    • Bioinformatics
    • Genetic Algorithms
    • Summary
  23. Fuzzer Tracking
    • What Exactly Are We Tracking?
    • Binary Visualization and Basic Blocks
      • CFGs
      • CFGs Illustrated
    • Architecting a Fuzzer Tracker
      • Profiling
      • Tracing
      • Cross Referencing
    • Dissecting a Code Coverage Tool
      • PStalker Layout Overview
      • Data Sources
      • Data Exploration
      • Data Capture
      • Limitations
      • Data Storage
    • Case Study
      • Strategy
      • Tactics
    • Benefits and Future Improvements
      • Future Improvements
    • Summary
  24. Intelligent Fault Detection
    • Primitive Fault Detection
    • What Are We Looking For?
    • A Note on Choosing Fuzz Values
    • Automated Debugger Monitoring
      • A Basic Debugger Monitor
      • A More Advanced Debugger Monitor
    • First Chance Versus Last Chance Exceptions
    • Dynamic Binary Instrumentation
    • Summary
  25. Lessons Learned
    • Software Development Lifecycle
      • Analysis
      • Design
      • Coding
      • Testing
      • Maintenance
      • Implementing Fuzzing in the SDLC
    • Developers
    • QA Researchers
    • Security Researchers
    • Summary
  26. Looking Forward
    • Commercial Tools
      • Beyond Security beSTORM
      • BreakingPoint Systems BPS-1000
      • Codenomicon
      • GLEG ProtoVer Professional
      • Mu Security Mu-4000
      • Security Innovation Holodeck
    • Hybrid Approaches to Vulnerability Discovery
    • Integrated Test Platforms
    • Summary
Fuzzing Appendices
  1. Index
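Chapter 4 spends its "Common Protocol Elements" section on block sizes and checksums because they decide whether a mutated message ever reaches the code you want to test: a receiver that validates a CRC before parsing discards every protocol-unaware mutation at the front door. The following is an added example, not code from the book, that makes the point measurable. It defines a constructed toy framed protocol (magic, block id, block size, payload, CRC32 trailer; the field layout is an assumption for this example) and compares a naive byte-flipping mutator against one that regenerates the size and checksum after mutating the payload.

```python
import random
import struct
import zlib

# Constructed toy protocol for this example (not from the book): one framed message of
#   magic (4 bytes) | block id (u16 LE) | block size (u32 LE) | payload | CRC32 of everything before it
MAGIC = b"PSLB"
HEADER = struct.Struct("<HI")


def build_message(block_id: int, payload: bytes) -> bytes:
    """Serialize a message, deriving the block size and trailing checksum from the payload."""
    body = MAGIC + HEADER.pack(block_id, len(payload)) + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_message(data: bytes):
    """Parse with the checks a careful receiver performs; raise ValueError on any violation."""
    if len(data) < len(MAGIC) + HEADER.size + 4:
        raise ValueError("too short")
    body, (crc,) = data[:-4], struct.unpack("<I", data[-4:])
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        raise ValueError("bad checksum")          # protocol-unaware mutations die here
    if body[:4] != MAGIC:
        raise ValueError("bad magic")
    block_id, size = HEADER.unpack_from(body, 4)
    payload = body[4 + HEADER.size:]
    if size != len(payload):
        raise ValueError("block size mismatch")   # a stale size field dies here
    return block_id, payload


def naive_mutate(msg: bytes, rng: random.Random) -> bytes:
    """Protocol-unaware mutation: invert one byte anywhere in the frame."""
    out = bytearray(msg)
    out[rng.randrange(len(out))] ^= 0xFF
    return bytes(out)


def fixup_mutate(msg: bytes, rng: random.Random) -> bytes:
    """Protocol-aware mutation: fuzz only the payload, then regenerate the block size and
    CRC so the integrity checks pass and the mutated bytes reach the code that handles them."""
    block_id, payload = parse_message(msg)
    p = bytearray(payload)
    op = rng.randrange(3)
    if op == 0 and p:
        p[rng.randrange(len(p))] ^= 0xFF                   # byte flip
    elif op == 1:
        p += b"A" * rng.choice((64, 256, 1024, 4096))       # grow: overflow probe
    else:
        del p[rng.randrange(len(p) + 1):]                   # truncate: length-handling probe
    return build_message(block_id, bytes(p))


def acceptance_rate(mutator, trials: int = 200, seed: int = 1) -> float:
    """Fraction of mutated frames that survive parse_message's checks."""
    rng = random.Random(seed)
    base = build_message(7, b"hello, fuzzer")   # constructed seed message
    accepted = 0
    for _ in range(trials):
        try:
            parse_message(mutator(base, rng))
            accepted += 1
        except ValueError:
            pass
    return accepted / trials


if __name__ == "__main__":
    print("naive acceptance:", acceptance_rate(naive_mutate))
    print("fix-up acceptance:", acceptance_rate(fixup_mutate))
```

The naive mutator scores zero against this receiver: a flipped byte in the body breaks the CRC, and a flipped byte in the CRC breaks it too. The fix-up mutator reaches the payload-handling code every time, which is the whole reason Chapter 4 asks you to model those fields before you fuzz. The same idea applies to any length-prefixed or checksummed format (ZIP, PNG, most binary RPC encodings).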
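Chapter 6 lists the fuzz heuristics that give a mutation fuzzer its bite: integer boundary values, string repetitions, field delimiters, format strings, character translation, directory traversal and command injection. As an added example (mine, not the book's, and not its iFUZZ or WebFuzz code), here is a small generator that builds each class of value and splices it into a name-value template. The value lists are constructed for illustration and should be extended for a real target; the `{FUZZ}` marker convention is an assumption of this example.

```python
from typing import Dict, Iterator, List, Tuple


def integer_heuristics(widths=(8, 16, 32)) -> List[int]:
    """Boundary integers per field width: 0, MAX, MAX/2, MAX/4, the signed limit and the
    sign-bit value, each with -1/0/+1 applied, which is where off-by-one and sign bugs live."""
    values = set()
    for w in widths:
        umax = (1 << w) - 1
        smax = (1 << (w - 1)) - 1
        for base in (0, umax, umax // 2, umax // 4, smax, smax + 1):
            for delta in (-1, 0, 1):
                if 0 <= base + delta <= umax:
                    values.add(base + delta)
    return sorted(values)


def string_repetitions(lengths=(128, 256, 512, 1024, 2048, 4096, 8192), char="A") -> List[str]:
    """Long runs that land on common fixed buffer sizes, and one byte past each."""
    return [char * n for n in lengths] + [char * (n + 1) for n in lengths]


def delimiter_repetitions(delims=("/", "\\", "=", "&", ".", ";", ":", " ", "\r\n"),
                          reps=(1, 32, 1024)) -> List[str]:
    """Repeated field delimiters, to stress tokenizers that assume a bounded field count."""
    return [d * n for d in delims for n in reps]


# Constructed lists for this example; extend them for the target at hand.
FORMAT_STRINGS = ["%s" * 8, "%x" * 16, "%n" * 4, "%.1024d", "%s%p%x%d%n"]
CHARACTER_TRANSLATION = ["%00", "%0d%0a", "%2e%2e%2f", "%252e%252e%252f", "%c0%ae%c0%ae%c0%af"]
DIRECTORY_TRAVERSAL = (["../" * n + "etc/passwd" for n in (1, 4, 8, 16)]
                       + ["..\\" * n + "windows\\win.ini" for n in (1, 4, 8, 16)])
COMMAND_INJECTION = [";id", "|id", "`id`", "$(id)", "\nid\n", "& id"]


def all_heuristics() -> Dict[str, List[str]]:
    """Every value the fuzzer will try, grouped by the heuristic that produced it."""
    ints = integer_heuristics()
    return {
        "integer": [str(v) for v in ints] + ["-1"] + [f"-{1 << (w - 1)}" for w in (8, 16, 32)],
        "repetition": string_repetitions(),
        "delimiter": delimiter_repetitions(),
        "format": FORMAT_STRINGS,
        "translation": CHARACTER_TRANSLATION,
        "traversal": DIRECTORY_TRAVERSAL,
        "injection": COMMAND_INJECTION,
    }


def fuzz_cases(template: str, marker: str = "{FUZZ}") -> Iterator[Tuple[str, str, str]]:
    """Splice each heuristic value into a name-value template at the marker. Yields
    (heuristic name, value, test case) so a crash can be traced back to what triggered it."""
    if marker not in template:
        raise ValueError("template contains no fuzz marker")
    for name, values in all_heuristics().items():
        for v in values:
            yield name, v, template.replace(marker, v)


if __name__ == "__main__":
    for name, value, case in fuzz_cases("user={FUZZ}&action=login"):
        print(name, repr(case[:60]))
```

Keeping the heuristic name attached to every case is the reproducibility requirement from Chapter 5 in miniature: when the target falls over, you want to know whether it was the 4097-byte string or the `%n` that did it, not just the case number.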
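Chapter 12's sections on "usually interesting" versus "not so interesting" UNIX signals, and on zombie processes, describe the part of a file-format fuzzer that is easiest to get wrong: deciding which child deaths are findings and making sure every child is reaped. The following is an added example (mine, not the book's SPIKEfile or notSPIKEfile code) of a minimal UNIX file-fuzzing harness. The signal classification is this example's own choice, the `@@` placeholder for the test-file path is an assumption borrowed from common fuzzer conventions, and the byte-flip mutator is deliberately simple.

```python
import os
import random
import signal
import subprocess
from typing import Callable, List, Tuple

# Signals whose delivery to a parser almost always means memory corruption or a failed invariant.
INTERESTING = {signal.SIGSEGV, signal.SIGBUS, signal.SIGILL, signal.SIGABRT, signal.SIGFPE, signal.SIGSYS}
# Signals a fuzzer sees routinely that are not, by themselves, evidence of a bug.
BENIGN = {signal.SIGPIPE, signal.SIGALRM, signal.SIGTERM, signal.SIGHUP, signal.SIGINT}


def classify_exit(returncode: int) -> Tuple[str, str]:
    """Map a Popen return code to (verdict, detail). A negative code means 'killed by that signal'."""
    if returncode >= 0:
        return ("clean" if returncode == 0 else "error-exit", f"exit {returncode}")
    sig = signal.Signals(-returncode)
    if sig in INTERESTING:
        return ("crash", sig.name)
    if sig in BENIGN:
        return ("ignore", sig.name)
    return ("review", sig.name)          # anything else gets a human look


def run_one(argv: List[str], testfile: str, timeout: float = 5.0) -> Tuple[str, str]:
    """Run the target once on one test file. The child is always waited for, so no zombie
    accumulates across thousands of iterations; a timeout is reported as a hang (possible DoS)."""
    cmd = [a.replace("@@", testfile) for a in argv]
    proc = subprocess.Popen(cmd, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL, start_new_session=True)
    try:
        proc.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)   # kill the whole session, including any helpers it spawned
        proc.wait()                           # reap, otherwise this is the zombie the book warns about
        return ("hang", f"no exit within {timeout}s")
    return classify_exit(proc.returncode)


def flip_bytes(seed: bytes, rng: random.Random, count: int = 4) -> bytes:
    """Simple mutator: invert a handful of bytes at random offsets."""
    out = bytearray(seed)
    for _ in range(count):
        out[rng.randrange(len(out))] ^= 0xFF
    return bytes(out)


def fuzz_file(argv: List[str], seed_bytes: bytes, outdir: str, iterations: int,
              mutator: Callable[[bytes, random.Random], bytes] = flip_bytes,
              seed: int = 0) -> List[Tuple[str, str, str]]:
    """Mutate, write, run, classify. Files that produced a crash, hang or unusual signal are kept
    on disk for reproduction; everything else is deleted so the output directory stays useful."""
    rng = random.Random(seed)
    findings = []
    for i in range(iterations):
        path = os.path.join(outdir, f"case-{i:05d}.bin")
        with open(path, "wb") as f:
            f.write(mutator(seed_bytes, rng))
        verdict, detail = run_one(argv, path)
        if verdict in ("crash", "hang", "review"):
            findings.append((path, verdict, detail))
        else:
            os.unlink(path)
    return findings


if __name__ == "__main__":
    # Example invocation with a constructed seed file; replace argv with the real target,
    # e.g. ["/path/to/viewer", "@@"], and seed_bytes with a valid sample of its format.
    os.makedirs("/tmp/fuzz-out", exist_ok=True)
    print(fuzz_file(["sh", "-c", "cat @@ >/dev/null"], b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
                    "/tmp/fuzz-out", 5))
```

Two details carry most of the value. First, `start_new_session=True` plus `os.killpg` ensures a hung target cannot leave orphaned helpers behind when it is killed. Second, the harness never treats SIGPIPE or SIGALRM as a finding, which keeps the output directory from filling with noise; SIGABRT is kept, because heap-consistency checks in glibc and similar allocators report corruption by aborting.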
