Babysitting An Army Of Monkeys


Babysitting an Army of Monkeys
An analysis of fuzzing 4 products with 5 lines of Python
Charlie Miller
Independent Security Evaluators
cmiller@securityevaluators.com

- I talk about how to find bugs in this talk
- I don't talk about the details of the bugs I found
- If you want 0-days, run my 5 lines of Python
  - You'll find some. I guarantee it!
  - And you'll feel all warm and fuzzy inside

Who I am
- First to hack the iPhone, G1 Phone
- Pwn2Own winner, 2008, 2009
- Author
  - Mac Hacker's Handbook
  - Fuzzing for Software Security Testing and Quality Assurance
- Media whore

Overview
- The fuzzing setup
- Fuzzing PDFs: Preview and Adobe Acrobat Reader
- Fuzzing PPTs: OpenOffice and MS PowerPoint
- Fuzzing "truths" revealed

About this talk
- Most fuzzing talks take one of two forms
  - I fuzzed and found this/these bugs
  - Here is a new, smarter way to fuzz
- These talks are about success, but real fuzzing is about failure, i.e. most test cases don't crash the target
- Very few talks give realistic pictures of actual fuzzing
- By sharing results, both positive and negative, we can learn about fuzzing and improve our techniques

Other talks to check out
- Fuzz by Number, Charlie Miller
- exploitable and Effective Fuzzing Strategies as a Regular Part of Testing, Jason Shirk
- Effective Fuzzing Strategies, David Molnar and Lars Opstad, CERT-pre

Questions to ponder
- How many crashes can you expect?
- How many of these are unique?
- How many are "exploitable"?
- How important is the initial file when fuzzing?
- Are some bugs harder to find than others?
- How do post-analysis tools compare?
- When have you fuzzed enough?
- How hard do various vendors fuzz and how many bugs do they find?

A Historical Perspective
- Microsoft Windows Vista file fuzzing effort
  - 15 months, 350mil iterations, 250 file parsers
  - 1.4mil iterations per parser (on average)
  - 300 issues fixed
- This talk
  - 3 months, 7mil iterations, 4 parsers
  - 1.8m iterations per parser (on average)
- However, quality is more important than quantity
  - My quality is purposefully very poor, should find much less than MS!

The Fuzzing Setup

Fuzzing types
- Dumb fuzzing (mutational)
  - Take a good input (file/packet/command line/etc) and add anomalies to it
  - Very easy to conduct
- Smart fuzzing (generation based)
  - Create invalid inputs from "scratch", i.e. RFC, RE
  - Very hard, but explores every detail of protocol

Compromise for the lazy
- Dumb fuzzing with lots of different initial files
- A single dumb fuzzing session will only fuzz the protocol "features" present in the initial file
- With enough initial files, hopefully you can fuzz all the "features"
- Still screwed by things like CRC, compression, etc.

Selection of initial files
- Download every file you can find on the Internet
- Find the minimal subset that has the same code coverage as the large set
- Example: PDF
  - Found 80,000 PDFs on Internet
  - Used Adobe Reader + Valgrind in Linux to measure code coverage
  - Reduced to 1,515 files of "equivalent" code coverage
  - Same bang as fuzzing all 80k in 2% of the time
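The "minimal subset with the same code coverage" step, as an added example (mine, not the talk's tooling). The coverage sets are constructed here (the talk measured them with Valgrind), and the greedy pick is my choice of algorithm for the set-cover problem:

```python
# Added example: greedy coverage-based corpus reduction.
# coverage maps filename -> set of covered code blocks (constructed below).

def reduce_corpus(coverage):
    """Keep the file that adds the most not-yet-covered blocks, repeat until the
    kept files cover everything the whole corpus covers. Exact minimum set cover
    is NP-hard; the greedy pick is the usual trade-off and is what makes
    80k -> 1.5k files practical."""
    remaining = set().union(*coverage.values())
    kept = []
    while remaining:
        best = max(coverage, key=lambda f: len(coverage[f] & remaining))
        gain = coverage[best] & remaining
        if not gain:           # nothing left that any file covers
            break
        kept.append(best)
        remaining -= gain
    return kept

def covered_by(files, coverage):
    """Union of the blocks covered by the given files."""
    return set().union(*(coverage[f] for f in files)) if files else set()

# Constructed coverage: block ids hit by each seed file. Most files walk the
# same common path; a few exercise rare features.
CORPUS = {
    "a.pdf": {1, 2, 3, 4},
    "b.pdf": {1, 2, 3, 4},        # exact duplicate of a.pdf
    "c.pdf": {1, 2, 3, 4, 9},     # common path plus one rare block
    "d.pdf": {1, 2, 7, 8},        # rare blocks 7 and 8
    "e.pdf": {5, 6},              # only file touching 5 and 6
    "f.pdf": {7},                 # subsumed by d.pdf
}

if __name__ == "__main__":
    kept = reduce_corpus(CORPUS)
    print(f"{len(CORPUS)} files -> {len(kept)} files: {kept}")
```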

The 5 lines of Python
- Just change random bytes to random values
- Don't insert bytes, remove bytes
- Easiest (dumbest) conceivable way to fuzz
- Shouldn't find any bugs.

```python
# buf is the seed file as a list of single-character strings (Python 2);
# FuzzFactor caps how many bytes get touched: at most ceil(len(buf)/FuzzFactor)
import math
import random

numwrites = random.randrange(math.ceil((float(len(buf)) / FuzzFactor))) + 1
for j in range(numwrites):
    rbyte = random.randrange(256)
    rn = random.randrange(len(buf))
    buf[rn] = "%c" % (rbyte)
```
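The same mutator as an added Python 3 example (mine, not the talk's code), with the bookkeeping that lets a crash be reproduced later. The seed bytes and the FuzzFactor value are assumptions; the slide gives neither:

```python
# Added example: the slide's mutator over a bytearray, plus reproducibility helpers.
import math
import random

def mutate(buf: bytearray, fuzz_factor: int, rng: random.Random) -> int:
    """Overwrite random bytes of buf in place; return the number of writes.

    Same semantics as the five lines: between 1 and ceil(len/fuzz_factor) writes,
    nothing inserted or removed, so the file length never changes. The same
    offset can be picked twice, so distinct changed bytes may be fewer than writes.
    """
    if not buf:
        raise ValueError("cannot mutate an empty buffer")
    numwrites = rng.randrange(math.ceil(len(buf) / fuzz_factor)) + 1
    for _ in range(numwrites):
        rbyte = rng.randrange(256)
        rn = rng.randrange(len(buf))
        buf[rn] = rbyte
    return numwrites

def changed_offsets(seed: bytes, mutant: bytes) -> list:
    """Offsets where the test case differs from its seed (what you want to know
    once a crash reproduces: which bytes did the parser trip over)."""
    return [i for i, (a, b) in enumerate(zip(seed, mutant)) if a != b]

def make_testcases(seed: bytes, count: int, fuzz_factor: int, rng_seed: int) -> list:
    """Generate `count` mutants of `seed`. Seeding the RNG means every test case can
    be regenerated from (rng_seed, iteration) instead of being kept on disk."""
    rng = random.Random(rng_seed)
    out = []
    for _ in range(count):
        buf = bytearray(seed)
        writes = mutate(buf, fuzz_factor, rng)
        out.append((bytes(buf), writes))
    return out

# Constructed seed: a PDF-looking header plus filler, not a real document.
# FUZZ_FACTOR is an assumption; the slide does not give its value.
SEED = b"%PDF-1.4\n" + bytes(range(256)) * 8
FUZZ_FACTOR = 250

if __name__ == "__main__":
    for n, (tc, writes) in enumerate(make_testcases(SEED, 3, FUZZ_FACTOR, 1), 1):
        print(f"iteration {n}: {writes} writes, changed offsets {changed_offsets(SEED, tc)}")
```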

Other details
- Ran it in a parallelized way using my fuzzing framework, Tiamat
- Used 1-5 Mac OS X computers, some of them virtual
  - Including 2 Pwn2Own prizes!
- Opened/closed files using AppleScript
- Monitored CPU activity to know when to launch next file
- Ran fixed number of iterations of each file (2000 or 1200)
  - Estimated for 3 week runs
- Recorded repeatable crashes (either native or with libgmalloc)
- Originally, this slide was my whole talk.

The part about babysitting
Things didn't always go smoothly

At least my kids learned how to not report bugs
- Click "Ignore"

The vendors could at least pay my power bill!
- Power goes way up!

Tools used
- libgmalloc: uses guard pages to find when heap overflows first occur (like libefence), OS X
- CrashWrangler: Apple tool to bin crashes and determine exploitability, OS X
- memcheck: Valgrind tool which simulates program execution and records invalid memory operations, Linux and OS X
- !exploitable: MS tool used to bin crashes and determine exploitability, Windows

Final thoughts: Fuzzing as Filtering
- Fuzzing isn't about creating and running test cases, it's about filtering
  - Start with a ton of test cases
  - Filter those to the ones that cause a crash
  - Filter those to the ones that represent unique crashes
  - Filter those to the ones that are exploitable

Adobe Acrobat Reader (PDF)

Reader stats
- Reader 9.2.0
- 3,036,000 test cases tested
- Maximum test cases/min: 132
- Minimum test cases/min: 7

[Figure: Reader crash funnel. 3,036,000 fuzzed files → crashes at 100 unique EIPs → 34 unique and 20 unique crashes according to the two binning tools (2 process terminated) → 3 exploitable. *Valgrind failed frequently because Acrobat has problems even with clean files.]

Points of interest
- Acrobat Reader, under Valgrind, has lots of errors
  - Examples: mismatched malloc/free
  - Don't know how it runs normally.
  - Ignoring these errors makes you miss lots of crashes
- 100 unique EIPs, around 20-40 repro'd with binning tools
- 3-4 exploitables, according to tools
- Disagreement about what files cause what crashes and which are exploitable

Comparisons
Crash    | !exploitable         | CrashWrangler is exploitable | Valgrind
Crash 1  | Exploitable          | yes | Process terminated
Crash 2  | Exploitable          | no  | Valgrind failed
Crash 3  | Exploitable          | no  | Uninitialized variable
Crash 4  | Exploitable          | no  | Process terminated
Crash 5  | Probably Exploitable | no  | Valgrind failed
Crash 6  | Probably Exploitable | no  | Valgrind failed
Crash 7  | Probably Exploitable | no  | Valgrind failed
Crash 8  | Probably Exploitable | no  | Valgrind failed
Crash 9  | Probably Exploitable | no  | Invalid write
Crash 10 | Probably Exploitable | no  | Uninitialized variable
Crash 11 | Probably Exploitable | no  | Invalid write
Crash 12 | Probably Exploitable | no  | Invalid write
Crash 13 | Probably Exploitable | no  | Invalid write
Crash 14 | Probably Exploitable | no  | Valgrind failed
Crash 15 | not on win           | yes | Uninitialized variable
Crash 16 | not on win           | yes | Uninitialized variable

[Chart: Number of times each crash occurred]

Reader crash rarity info
- 100 different crashes
- 57 were found exactly once
  - Either rare or lots of manifestations of one bug
- 81 were found less than 10 times
  - Rare?
- 7 were found more than 60 times
  - Common bugs
- 4 were found more than 100 times
  - Very common bugs
- One crash found 1452 times
  - This one crash is responsible for 56% of crashes in the testing

Choice of initial file
- 1515 different files
- Crashes at 100 different EIPs
- All crashes occurred when fuzzing only 192 files
  - No crashes from 87% of initial files!!!
- All files but one found between 1-3 crashes
- 1 file found 32 crashes (all but one with invalid EIP)
  - Probably one (really nasty) bug
  - These bugs all coalesced when used libgmalloc
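The post-run filtering described under "Fuzzing as Filtering", and the crash-rarity, initial-file and iteration-budget statistics the per-product slides report, as one added example (mine, not the talk's tooling) over a constructed crash log. The record fields and function names are my own; the same functions apply to the Preview, OpenOffice and PowerPoint numbers later in the deck:

```python
# Added example: crash log -> unique EIPs -> rarity / initial-file / budget stats.
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Crash:
    initial_file: str   # seed file the test case was mutated from
    iteration: int      # which mutation of that seed (1-based)
    eip: int            # faulting instruction pointer; "unique" here means unique EIP
    exploitable: bool   # binning tool's verdict for that EIP

def rarity(crashes):
    """Bucket EIPs by how often they crashed, the way the slides report it."""
    per_eip = Counter(c.eip for c in crashes)
    counts = list(per_eip.values())
    return {
        "unique_eips": len(per_eip),
        "found_once": sum(n == 1 for n in counts),
        "found_lt_10": sum(n < 10 for n in counts),
        "found_gt_100": sum(n > 100 for n in counts),
        "top_share": max(counts) / len(crashes) if crashes else 0.0,
    }

def initial_file_yield(crashes, all_files):
    """Which seed files found anything at all, and the most distinct EIPs one found."""
    per_file = defaultdict(set)
    for c in crashes:
        per_file[c.initial_file].add(c.eip)
    return {
        "files_with_crashes": len(per_file),
        "files_with_none": len(set(all_files) - set(per_file)),
        "max_unique_per_file": max((len(s) for s in per_file.values()), default=0),
    }

def exploitables_by_budget(crashes, budgets):
    """Distinct exploitable EIPs found if each seed had been fuzzed only `b` times
    (the 500 / 1000 / 1500 / 2000 question on the slides)."""
    return {b: len({c.eip for c in crashes if c.exploitable and c.iteration <= b})
            for b in budgets}

# Constructed log: one bug hit 60 times, a tail of singletons, three exploitable
# EIPs, and 96 of 100 seed files producing nothing.
FILES = [f"seed{i:04d}.pdf" for i in range(100)]
LOG = [Crash("seed0007.pdf", i, 0x0040A1F0, False) for i in range(1, 61)]
LOG += [Crash("seed0007.pdf", 300 + i, 0x00500000 + i, False) for i in range(20)]
LOG += [Crash("seed0012.pdf", 486, 0x00412345, True),
        Crash("seed0012.pdf", 900, 0x00412345, True),
        Crash("seed0055.pdf", 1400, 0x00414444, True),
        Crash("seed0031.pdf", 1923, 0x00413579, True)]

if __name__ == "__main__":
    print(rarity(LOG))
    print(initial_file_yield(LOG, FILES))
    print(exploitables_by_budget(LOG, [500, 1000, 1500, 2000]))
```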

[Chart: # crashes found per file]

To find an exploitable
- For the 4 !exploitables, let's see info about other crashes that crashed at the same EIP
  - Crash 1: 2 files, each crashed once or twice
  - Crash 2: 2 files, each crashed there once
  - Crash 3: 2 files, each crashed there twice
  - Crash 4: 42 files crashed there from 1 to 63 times
- Earliest test case to find one of these was the 486th iteration
- Last was the 1923rd iteration (of 2000)

More on finding exploitables
- Find the first 3 exploitables in 9 test cases out of 3 million
- Only 6 of 1515 files generate the first 3
- If you fuzz each file 500 times, you find 1 exploitable
  - 1000 times, you find 2
  - 1500 times, you find 3
  - 2000 times, you find 4
- What happens if you iterate 3000, 100000, 100000000?

How many iterations (theoretical)
- Run long enough, your fuzzer will find every bug (it is capable of finding)
- Presumably, this gets harder and harder
- End up with some idealized graph of iterations vs bugs found
- When this curve becomes sufficiently flat, stop fuzzing
[Chart: # bugs found vs # iterations, with the point marked "Stop fuzzing"]
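The idealized curve as an added model (mine, not from the talk), with an explicit rule for "sufficiently flat". It assumes each bug is hit by any single test case with some fixed probability; the probabilities below are constructed:

```python
# Added example: expected distinct bugs after n iterations, and a stopping rule.

def expected_bugs_found(hit_probs, iterations):
    """Expected number of distinct bugs seen after `iterations` test cases when
    bug i is hit by any one test case with probability hit_probs[i]."""
    return sum(1.0 - (1.0 - p) ** iterations for p in hit_probs)

def curve(hit_probs, step, max_iterations):
    """(iterations, expected bugs) samples every `step` iterations."""
    return [(n, expected_bugs_found(hit_probs, n))
            for n in range(0, max_iterations + 1, step)]

def stop_iteration(hit_probs, step, max_iterations, min_gain):
    """First sample where the last `step` iterations added fewer than `min_gain`
    expected bugs, i.e. where the slide says to stop fuzzing. None means the
    curve is not flat yet within max_iterations: keep fuzzing."""
    pts = curve(hit_probs, step, max_iterations)
    for (_, before), (n, after) in zip(pts, pts[1:]):
        if after - before < min_gain:
            return n
    return None

# Constructed population shaped like the Reader data: a few common bugs that any
# 2000-iteration run hits, and many that need far more iterations.
BUGS = [1 / 2000] * 4 + [1 / 20000] * 10 + [1 / 200000] * 50

if __name__ == "__main__":
    for n, bugs in curve(BUGS, 5000, 40000):
        print(f"{n:>6} iterations: {bugs:5.1f} expected bugs")
    print("stop at", stop_iteration(BUGS, 1000, 200000, 0.5))
```

Note that the rule only sees the bugs the fuzzer is capable of finding; a flat curve says nothing about bugs the mutator cannot reach (the CRC and compression caveat above).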

[Chart: # iterations to find crashes]
- More iterations would have probably found more bugs (curve isn't flat yet)

Progress?
[Chart: !exploitable classification of Reader crashes across Reader updates, Oct 13, 2009 (9.2), Dec 1, 2009 ("Fuzzing Reader Lessons Learned"), Jan 13 and Feb 16: Probably not exploitable 4, Unknown 17, Probably exploitable 8, Exploitable 4]

Preview (PDF)

Preview General Info
- Default Mac OS X PDF viewer
- Tested: Mac OS X 10.6.1
- These bugs show up in Safari too
- 2,790,000 test cases tested
- Maximum test cases/min: 160
- Minimum test cases/min: 4
- Total run time: approximately 3 weeks

[Figure: Preview crash funnel. 2,790,000 fuzzed files → 157,337 crashes (5.6%) at 1373 unique EIPs. libgmalloc/CrashWrangler: 1056 repro'd → 281 unique → 61 "exploitable". Valgrind (incomplete data): 228 unique = 129 invalid reads + 17 invalid writes + 46 use of uninitialized variables + 36 process terminated.]

Talking points
- Umm... they haven't fuzzed this
- No !exploitable since Preview is OS X only
- Around 250 unique crashes
- Around 60 exploitable
  - This is an overestimate, at least one bug manifests itself in lots of crashes and libgmalloc fails to bin it properly

[Chart: Number of times each crash occurred (by EIP)]

More crash rarity info
- Crashes at 1373 unique EIPs
- 791 EIPs were found exactly one time (57.6%)
  - Either rare or lots of manifestations of one bug
- 341 were found between 1 and 10 times
  - Rare?
- 82 were found more than 100 times
  - Common bugs
- 26 were found more than 1000 times
  - Very common bugs
- One EIP found in crashes 15,368 times

[Chart: # times exploitable crash occurred]

"Exploitables"
- "Exploitable" crashes at 61 EIPs according to libgmalloc + CrashWrangler
- 1 EIP was found 155 times
- 42 were found only once
  - Lots of rare ones or a few nasty ones
- 56 were found less than 10 times

[Chart: # of crashes at EIP by initial file]

File choices
- 1395 files
- 1 file found 58 "unique" crashes, by EIP
- 68 files (5%) found 20 or more different crashes
- 162 files (12%) found no crashes
- 440 files (31%) found 2 or fewer crashes

[Chart: Number of files which find each exploitable]

Files and exploitables
- 61 crashes exploitable (by EIP)
- 49 files found the most common exploitable crash
- Only 2 crashes were found by more than 10 starting files
- 42 (69%) crashes were found by exactly one starting file
- 50 (82%) crashes were found by at most two starting files

More on file choices
- These 1399 files were not randomly chosen, they are very special!
- Yet, even with these, almost a third find almost nothing
- So... if you randomly pick files to fuzz with, you probably won't find any interesting bugs

Should have fuzzed longer
[Chart: crashes and exploitables found by iteration]

[Chart: Fixes through time, unique crashes (by EIP), across Mac OS X updates dated Sept 10, 2009, Nov 2, 2009, Nov 19 and 2010; the bars read 228, 187, 177 and 175 unique crashes (date-to-bar pairing partly illegible)]

[Chart: Fixes through time, by Valgrind bug type, across 10.6.1, 10.6.2 and later updates (remaining labels partly illegible: "2010 01", "4.0.5")]

All bugs will be gone by...
- According to linear regression all bugs will be fixed sometime in 2012

iPhone
- iPhone 3.1.2, not jailbroken
- iPhone doesn't have Preview, but MobileSafari will display PDFs
- Much of the complexity of PDFs is ignored, e.g. fonts
- Recall Preview had 281 unique crashes (libgmalloc)
- 22 crashed MobileSafari, all at unique pc
  - 7.8% of crashes affected both
- None of the corresponding Preview crashes were "exploitable"

PDF showdown
            | Adobe Reader | Preview
Crashes     | 100          | 1373
Unique      | 30-40        | 230-280
Exploitable | 3-10         | 30-60

OpenOffice (PPT)

OpenOffice
- OpenOffice 3.1.1, Impress
- 610,400 test cases tested
- Maximum test cases/min: 15
- Minimum test cases/min: 1
- Total run time: approximately 3 weeks

[Figure: OpenOffice crash funnel. 496 initial files, 610,400 fuzzed files → 40,369 crashes (6.6%) at 205 unique EIPs. libgmalloc/CrashWrangler: 105 crashes → 27 unique → 10 exploitable. Valgrind: 186 crashes → 36 unique (7 process terminated). The remaining !exploitable and Valgrind-type counts are illegible.]

Some thoughts
- Around 200 crashes
  - Don't know why half don't crash under libgmalloc
- Around 30-70 unique crashes
- Around 10-12 exploitable crashes, as reported by tools

Comparisons
Test case | !exploitable                   | CrashWrangler is exploitable | Valgrind
-921-     | Unknown                        | yes | Invalid read
-1200-    | Unknown                        | yes | Invalid read
-896-     | Unknown, Probably Exploitable  | yes | Invalid read, uninit
-723-     | Unknown, Probably Exploitable  | yes | Invalid read
-209-     | Unknown                        | yes | Invalid read
-328-     | Unknown                        | yes | Invalid read
-909-     | Unknown                        | yes | Invalid write
-702-     | Exploitable                    | yes | Invalid write
-783-     | Exploitable                    | yes | Invalid write
-119-     | no crash                       | yes | Invalid write
-1049-    | Exploitable                    | no  | Terminated
-719-     | Exploitable                    | no  | Invalid read
-733-     | Exploitable                    | no  | Invalid write

Crash binning: exploitables
[Figure: the OpenOffice test cases grouped by CrashWrangler bin (is exploitable yes/no, bins including GetPrevPara and PrevPara) against their !exploitable classification (Exploitable / Probably exploitable / Unknown); test case numbers and bin labels partly illegible]

Crash binning fail
- These 2 tools disagree more than they agree
  - Valgrind disagrees on the binning too.
- At least one (and possibly both) of these tools suck at binning crashes
- At least one (and possibly both) of these tools suck at determining exploitability

Crash rarity
[Chart: number of times each crash occurred, one "Stupid outlier"]

OO crash rarity
- 600,000 test cases, 205 different crashes
- 149 were found exactly once (73%)
- 186 were found less than 10 times (91%)
- 6 were found more than 200 times
- 2 were found more than 1800 times
- One crash found 36,288 times
  - This one crash is responsible for 90% of crashes in the testing

Choice of initial file
- 496 different files
- Crashes at 205 different EIPs
- All but 5 files found at least one crash
- 2 files found 12 crashes
- Here choice of initial file doesn't seem so important

[Chart: Crashes from initial file]

Files to find exploitables
- 496 initial files, 12 exploitable crashes (!exploitable)
- One crash was found by 13 files (2.6%)
- 2 crashes were found by 3 files (0.6%)
- Rest were found by exactly one file (0.2%)
- Very rare to download a file, fuzz it, and discover exploitable bugs

Time to unique crash (!exploitable)
[Chart: iterations to find crashes (blue) vs. exploitable (red); x-axis: iterations]

Microsoft Office (PPT)

MS Office PowerPoint
- MS PowerPoint 2008 for Mac, 12.2.3 (091001)
- MS Office PowerPoint 2007 SP2 MSO (12.0.6425.1000) for !exploitable purposes
- 595,200 test cases tested
- Maximum test cases/min: 34
- Minimum test cases/min: 1
- Total run time: approximately 3 weeks

[Figure: PowerPoint crash funnel. 496 initial files, 595,200 fuzzed files → crashes at 174 unique EIPs. Mac, libgmalloc/CrashWrangler: 146 crashes → 82 unique → 30 exploitable. Mac, Valgrind: 157 crashes → 56 unique (including 34 invalid reads, 10 use of uninitialized variables, 2 other). Windows, !exploitable: 28 crashes, 24 unique, 6 exploitable.]

PowerPoint thoughts
- Didn't see nearly as many crashes in Windows PowerPoint as in PowerPoint for Mac
  - Significantly different code base?
  - Reliance on different OS libraries, memory management?
- Almost every Windows crash was unique (24/28)
- Seem to be a high percentage of "exploitable" crashes

Hand checking
Test case | !exploitable             | CrashWrangler | Hand check on Mac
-541-     | exploitable              | no  | Probably not
-235-     | exploitable              | yes | Looks exploitable
-1173-    | exploitable              | no  | Probably not
-1035-p   | exploitable              | no  | Probably not
-840-     | exploitable              | no  | Probably not
-1071     | exploitable              | no  | Probably not
-269      | Probably exploitable     | no  | Probably not
-600      | Probably exploitable     | no  | Probably not
-115      | Probably exploitable     | no  | Probably not
-1035-f   | Probably exploitable     | yes | Looks exploitable
-407      | Probably exploitable     | no  | Probably not
-215      | Probably exploitable     | no  | Probably not
-830      | Unknown                  | no  | Dunno
-1186     | Unknown                  | no  | Probably not
-1007-    | Unknown                  | no  | Probably not
-801      | Unknown                  | yes | Probably not
-27-      | Unknown                  | no  | Probably not
-1195-    | Unknown                  | no  | Probably not
-246      | Unknown                  | no  | Probably not
-625      | Unknown                  | no  | Dunno
-500-     | Unknown                  | yes | Looks exploitable
-1126-    | Probably not exploitable | no  | Probably not
-274-M    | Probably not exploitable | yes | Looks exploitable
-1069     | Probably not exploitable | no  | Probably not

More hand checking
- If you disregard the "dunnos"
  - CrashWrangler agrees with me over 95% of the time!
    - One single false positive, one false negative
  - !exploitable agrees 26% of the time
    - Hand checking was on Mac not Windows
    - !exploitable had both Type 1 and Type 2 errors
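How the agreement figures fall out of the hand-checking table, as an added example (mine, not the talk's tooling) over the rows as transcribed on the slide. It treats !exploitable's "Unknown" and the hand check's "Dunno" as no verdict and counts "Probably exploitable" as a yes; those mappings are my assumptions:

```python
# Added example: tool-vs-hand-check agreement over the PowerPoint hand-checking
# table, values as transcribed on the slide; function names are my own.

# (test case, !exploitable verdict, CrashWrangler is_exploitable, hand check on Mac)
ROWS = [
    ("-541-", "exploitable", "no", "Probably not"),
    ("-235-", "exploitable", "yes", "Looks exploitable"),
    ("-1173-", "exploitable", "no", "Probably not"),
    ("-1035-p", "exploitable", "no", "Probably not"),
    ("-840-", "exploitable", "no", "Probably not"),
    ("-1071", "exploitable", "no", "Probably not"),
    ("-269", "Probably exploitable", "no", "Probably not"),
    ("-600", "Probably exploitable", "no", "Probably not"),
    ("-115", "Probably exploitable", "no", "Probably not"),
    ("-1035-f", "Probably exploitable", "yes", "Looks exploitable"),
    ("-407", "Probably exploitable", "no", "Probably not"),
    ("-215", "Probably exploitable", "no", "Probably not"),
    ("-830", "Unknown", "no", "Dunno"),
    ("-1186", "Unknown", "no", "Probably not"),
    ("-1007-", "Unknown", "no", "Probably not"),
    ("-801", "Unknown", "yes", "Probably not"),
    ("-27-", "Unknown", "no", "Probably not"),
    ("-1195-", "Unknown", "no", "Probably not"),
    ("-246", "Unknown", "no", "Probably not"),
    ("-625", "Unknown", "no", "Dunno"),
    ("-500-", "Unknown", "yes", "Looks exploitable"),
    ("-1126-", "Probably not exploitable", "no", "Probably not"),
    ("-274-M", "Probably not exploitable", "yes", "Looks exploitable"),
    ("-1069", "Probably not exploitable", "no", "Probably not"),
]

def verdict(tool, value):
    """True/False for exploitable/not, None where the source gave no verdict."""
    if tool == "bang":   # !exploitable: Unknown is no verdict; Probably exploitable counts as yes
        return None if value == "Unknown" else value in ("exploitable", "Probably exploitable")
    if tool == "cw":     # CrashWrangler's is_exploitable flag
        return value == "yes"
    return None if value == "Dunno" else value == "Looks exploitable"   # hand check

def confusion(tool):
    """Agreements, Type 1 (tool yes, hand no) and Type 2 errors vs the hand check."""
    c = {"agree": 0, "false_pos": 0, "false_neg": 0, "skipped": 0}
    for _, bang, cw, hand in ROWS:
        t = verdict(tool, bang if tool == "bang" else cw)
        h = verdict("hand", hand)
        if t is None or h is None:
            c["skipped"] += 1          # one side had no verdict: not counted
        elif t == h:
            c["agree"] += 1
        elif t:
            c["false_pos"] += 1
        else:
            c["false_neg"] += 1
    return c

def agreement_rate(c):
    judged = c["agree"] + c["false_pos"] + c["false_neg"]
    return c["agree"] / judged if judged else 0.0
```

With these mappings the transcribed rows give CrashWrangler one false positive and no false negative, and !exploitable about 27% agreement over the 15 rows where both sides committed to a verdict.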

Crash rarity
- 174 crashes (by EIP)
- 108 found only once (62%)
- 149 found less than 10 times (86%)
- 8 crashes found more than 100 times
- 1 crash found 935 times

[Chart: Crash rarity]

[Chart: Unique crashes by file]

More crashes by file
- 79 files found nothing
- 203 found 2 or fewer crashes
- 7 files found 10 or more crashes
- 1 file found 25 crashes

[Chart: Crashes by iteration number (OS X)]

[Chart: Crashes by iteration # (Win)]

PPT showdown
            | OpenOffice | PowerPoint
Crashes     | 205        | 174
Unique      | 30-70      | 30-80
Exploitable | 10-12      | 6-30

Fuzzing "truths" revealed

Caveats
- Only 4 data points
- I present the data, you draw your own conclusions

Crashes per unique crash (by EIP)
- Expect lots of crashes between unique crashes
- Anywhere between 25 and 200, depending on the program

Choice of initial files
- Over 25% of files found 2 or fewer different crashes
- Except OpenOffice, 10% of files found no crashes
- These files represent less than 2% of Internet files

Bug rarity
- Crashes are rare and beautiful events
- 55-75% of crashes are only found once
- 80-90% of crashes are found 10 or fewer times

Unique crashes per exploitable
- Expect somewhere between 3-12 different unique crashes between "exploitables"

!exploitable bug classifications
- Expect roughly 12-25% of crashes to be exploitable
- Expect roughly 35-50% of crashes to be at least probably exploitable

Valgrind bug types
- Expect a rough split of 40/20/20/20 for Read/Write/Uninitialized/Terminated

# iterations
- Expect to fuzz more than 2000 iterations per file

Vendors
- Despite the fun I had, please fuzz your products
- You're not doing a good enough job at this
  - Especially some of you!
- Fix the bugs you find, eventually someone else will find them
- This talk isn't designed to embarrass you, just to present my findings
  - If you're embarrassed, good, do something about it

Questions?
- E-mail me: cmiller@securityevaluators.com
- Follow me: @0xcharlie
