LZfuzz
a fast compression-based fuzzer for poorly documented protocols
Presented By:
Sandhya Soren (1059/06)
NIT Kurukshetra
Contents
- Introduction
- Lempel-Ziv algorithm
- Types of fuzzers
- Block-based fuzzing for proprietary protocols
- LZfuzz in operation
- Fuzzing dissection quality metric
- Measurements
- Related work
- Empirical results
- Conclusion and future work
What is Fuzzing?
- Black-box software testing: the art of automatic bug finding
- Finds software implementation faults
- Example: a binary-to-decimal converter is fed inputs such as 2 or 255, which are not valid binary digits, to see whether it handles them safely
Challenge of Fuzzing
- Inputs must first pass the target code's initial sanity checks
- Machine learning of the input's features may be necessary
- Difficult to program a fuzzer when no protocol specification exists
Due to the limitations of fuzzing...
Enter LZfuzz
Why LZfuzz is useful?
- Basic idea is the same as any fuzzer
- Aims to trigger flaws in the main processing area of the program, not in the initial sanity checks
Evaluating fuzzer efficiency
- Ability to trigger all existing vulnerabilities
- Successfully inducing faults in the target process, or crashing it
- Code coverage
Lempel Ziv Algorithm
Compressor
- builds a string translation table
- stores unique two-character strings
- when a previously encountered string is seen again, an extension character is appended to form a new table entry
Lempel Ziv Algorithm(Contd.)
Decompressor
- requires only the compressed string as input
- rebuilds the identical string table from the compressed text, so the table itself never has to be transmitted
Types of Fuzzers
Automated
- done in a completely automated fashion
Semi-automated
- try one case and analyze the result
- subtle bugs can be found
- code can be changed between runs
Types Of Fuzzers(Contd.)
Manual fuzzers
- used to identify the program parts worth targeting with automated or semi-automated fuzzing
- critical bugs can be found
How Fuzzers Work
Two common approaches:
- Random approach
- Probabilistic approach
Random Fuzzing
- Send data in an endless loop
- Uncovers a lot of bugs
- Limitation: pieces of code may remain unchecked
Probabilistic Approach
- Finite approach
- Code with a high probability of being erroneous is checked
- Iterates over all possible combinations of basic flaws
Block Based Fuzzing for Proprietary Protocols
- Input modeled and generated as a sequence of byte-array blocks
- Blocks filled randomly by the fuzzer code
- Knowledge about the protocol expressed as block types and the relations between them (for example, a size block whose value is the length of another block)
Block Based Fuzzing for Proprietary Protocols
- Generator part of the fuzzer built as a combination of blocks
- Operates as an aggregate iterator over the blocks' fuzz values
- Limitation: considerable knowledge of protocol internals is needed, and for proprietary protocols it is not available
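A minimal block-based generator, added here as an illustration and not code from SPIKE or from the slides. A packet is modelled as a list of blocks; a size block is a relation on another block, so the declared length stays in step with whatever fuzz string the generator puts into the payload, and the generator yields one packet per (block, fuzz string) pair. The protocol layout, block names and fuzz strings are all constructed for the example.

```python
# Added example, not SPIKE or the slides' code: a minimal block-based
# generator.  A packet is modelled as blocks; a size block is a relation on
# another block, so the length stays in step with whatever the fuzzer puts in
# the payload.  The protocol layout and fuzz strings are constructed here.
import struct

# Hypothetical layout: [1-byte len][name][1-byte len][value][CRLF]
TEMPLATE = [
    ("size", "name", ">B"),      # relation: value = len(block "name")
    ("fuzz", "name", b"user"),   # fuzzable block with its default content
    ("size", "value", ">B"),
    ("fuzz", "value", b"alice"),
    ("static", None, b"\r\n"),   # fixed framing, never fuzzed
]

FUZZ_STRINGS = [b"A" * 8, b"A" * 300, b"%s%s%s%n", b"\x00", b"\xff" * 4]


def render(template, overrides):
    """Serialise the template, filling fuzzable blocks from `overrides`
    (default content otherwise) and recomputing every size relation."""
    contents = {name: overrides.get(name, default)
                for kind, name, default in template if kind == "fuzz"}
    out = b""
    for kind, name, arg in template:
        if kind == "static":
            out += arg
        elif kind == "fuzz":
            out += contents[name]
        else:
            # size block: pack the real length.  A payload longer than the
            # field can express wraps, which is itself a useful test case:
            # the declared length then disagrees with the payload.
            limit = 1 << (8 * struct.calcsize(arg))
            out += struct.pack(arg, len(contents[name]) % limit)
    return out


def generate(template, fuzz_strings=FUZZ_STRINGS):
    """Aggregate iterator: the baseline packet, then every fuzz string in
    every fuzzable block, one block varied at a time."""
    yield render(template, {})
    for kind, name, _ in template:
        if kind == "fuzz":
            for s in fuzz_strings:
                yield render(template, {name: s})


def all_cases(template=TEMPLATE, fuzz_strings=FUZZ_STRINGS):
    return list(generate(template, fuzz_strings))


if __name__ == "__main__":
    for case in all_cases():
        print(case[:40])
```

The baseline case renders as `\x04user\x05alice\r\n`; the case that puts 300 bytes into the name block gets a wrapped length byte of 44, exactly the declared-versus-actual mismatch a parser must survive.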
Bioinformatics Connection
Application of bioinformatics techniques (sequence alignment) appears promising, yet:
- tens of hours of CPU time required
- exponential runtime requirements
LZfuzz in operation
- FITM (fuzzer-in-the-middle) approach: LZfuzz sits between the two endpoints of a live session
- Packets are segmented into tokens
- Tokens are replaced or fuzzed
- Tokens are reassembled and sent on
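The following is an added example, not code from the LZfuzz paper or its authors, serving both the Lempel-Ziv slides above and the FITM steps just listed. An LZW-style string table is learned by running the compressor over a corpus of captured packets (the decompressor is included to show that the same table is rebuilt from the codes alone); a new packet is then segmented into tokens by greedy longest match against that frozen table, one token is mutated, and the tokens are reassembled. The chat-style protocol, its corpus and the mutation choices are constructed for the example.

```python
# Added example, not code from the LZfuzz paper or its authors: an LZW-style
# string table is learned from a corpus of captured packets, a new packet is
# segmented into tokens by greedy longest match against that table, one token
# is mutated, and the tokens are reassembled, as the slides describe for the
# fuzzer-in-the-middle.  The protocol and corpus below are constructed.
import random

# Constructed sample traffic for a hypothetical line-based chat protocol.
CORPUS = [
    b"LOGIN user=alice pass=secret\r\n",
    b"LOGIN user=bob pass=hunter2\r\n",
    b"MSG to=bob body=hello\r\n",
    b"MSG to=alice body=hi there\r\n",
    b"LOGOUT user=alice\r\n",
]


def lzw_compress(data, table=None):
    """LZW compressor pass.  Returns (codes, table).

    The table starts with every single byte.  The longest known prefix is
    emitted as a code and that prefix plus the next byte (the extension
    character) becomes a new entry.  Passing a table in lets one table
    accumulate the strings of a whole corpus.
    """
    if table is None:
        table = {bytes([i]): i for i in range(256)}
    w, codes = b"", []
    for byte in data:
        wc = w + bytes([byte])
        if wc in table:
            w = wc                      # still matching a known string
        else:
            codes.append(table[w])
            table[wc] = len(table)      # known string + extension character
            w = wc[-1:]
    if w:
        codes.append(table[w])
    return codes, table


def lzw_decompress(codes):
    """Rebuilds the identical table from the code stream alone."""
    table = {i: bytes([i]) for i in range(256)}
    w = table[codes[0]]
    out = bytearray(w)
    for code in codes[1:]:
        if code in table:
            entry = table[code]
        elif code == len(table):        # code not yet in table: the KwKwK case
            entry = w + w[:1]
        else:
            raise ValueError("corrupt LZW stream")
        out += entry
        table[len(table)] = w + entry[:1]
        w = entry
    return bytes(out)


def learn_table(corpus):
    """Feed the whole corpus through one compressor so its table holds the
    recurring protocol strings (keywords, separators, field names)."""
    table = None
    for packet in corpus:
        _, table = lzw_compress(packet, table)
    return table


def tokenize(packet, table):
    """Segment a packet into the longest strings present in the frozen table."""
    maxlen = max(len(k) for k in table)
    tokens, i = [], 0
    while i < len(packet):
        n = min(maxlen, len(packet) - i)
        while n > 1 and packet[i:i + n] not in table:
            n -= 1
        tokens.append(packet[i:i + n])   # single bytes are always in the table
        i += n
    return tokens


def fuzz_tokens(tokens, table, rng):
    """Mutate exactly one token: swap in another learned string, repeat it
    to probe length handling, or flip one bit in it."""
    out = list(tokens)
    j = rng.randrange(len(out))
    t = out[j]
    choice = rng.randrange(3)
    if choice == 0:
        out[j] = rng.choice([k for k in table if len(k) > 1 and k != t])
    elif choice == 1:
        out[j] = t * rng.randint(2, 64)
    else:
        b = bytearray(t)
        b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
        out[j] = bytes(b)
    return out


def fuzz_packet(packet, table, seed=0):
    """Tokenize, fuzz, reassemble: the three steps of the fuzzer-in-the-middle."""
    rng = random.Random(seed)
    return b"".join(fuzz_tokens(tokenize(packet, table), table, rng))


if __name__ == "__main__":
    table = learn_table(CORPUS)
    live = b"LOGIN user=carol pass=x\r\n"       # a packet seen on the wire
    print(tokenize(live, table))
    print(fuzz_packet(live, table, seed=1))
```

Because the table is learned from traffic rather than from a specification, the token boundaries fall on recurring protocol strings such as `LOG`, `user=` fragments and `\r\n`, which is why a token-level mutation tends to survive the target's initial sanity checks where a byte-level one would not.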
Fuzzing Dissection Quality Metric
Precision or recall score
- precision: ratio of correct field-boundary guesses to the total number of guesses
- recall: ratio of correct guesses to the total number of actual boundaries
Per-field quality:
$q_i = 1 - \dfrac{H(F_i)}{\max_{|D(F_i)|} H(F_i)}$
where $F_i$ is the $i$-th guessed field, $D(F_i)$ the distribution of its values over the captured packets, $H$ the entropy, and the denominator the largest entropy a distribution over that many values can have
- $D(F_i)$ uniform $\rightarrow q_i \approx 0$
- $H(F_i) \approx 0 \rightarrow q_i \approx 1$
Related Work
- LZfuzz approach implemented in 2008
- Fuzzing formalized by Prof. Barton Miller and his students at the University of Wisconsin-Madison some years earlier
- PROTOS test suite introduced at the University of Oulu
- Followed by SPIKE, block-based protocol analysis
Related Work (Contd)
- Bioinformatics approach implemented by Marshall Beddoe in the PI (Protocol Informatics) framework
- EFS, a genetic-algorithm fuzzer, presented by a group from Michigan State University in 2007
- Automated protocol dissection approach by Dan Kaminsky: the CFG9000 fuzzer
Empirical Results
Live testing of LZfuzz on various protocols:
- Fuzzed the protocol used by AOL Instant Messenger
- The Gaim client on Ubuntu crashed
- Able to hang the iTunes client (version 2.6)
Conclusions and Future Work
- LZfuzz is essentially a proof of concept
- Faster, and requires less CPU power, than the bioinformatics approaches
- Can be applied to online proxy-based learning and fuzzing
- Research toward a "fuzzer in a box" package:
  - requires minimal administrator knowledge
  - deployed for testing proprietary equipment