lecture: Guided Fuzzing And Binary Blobs

Finding deep bugs

Event large

Even though the notion of guided fuzzing has been around for years, Zalewski's AFL was the first to hit all the right spots, its main drawback being that it's using compile time instrumentation.
We have developed a tool which adds AFL compatible instrumentation to binaries directly enabling fuzzing closed source software. We present the tool itself, as well as some of the more interesting bugs it found.

With AFL, Michal Zalewski has made a technological leap in fuzzing. It changed the paradigm of fuzzing, turning the focus from whole applications to libraries with imperative on raw speed. Speed combined with compile time instrumentation gives impressive results in finding complex issues.

We have developed a tool based on Dyninst framework which rewrites existing binaries with added instrumentation required by AFL. By doing so statically, we retain close-to-native execution speed as compared to other dynamic binary instrumentation frameworks.

The tool has been used extensively over the past year on a number of closed source middleware libraries and we were able to find a couple of dozen vulnerabilities.
In this talk we will present the tool and comparisons against other approaches as well as showcase a couple of interesting vulnerabilities it has found.

The vulnerabilities presented won't be the most exploitable ones, but the most complex in terms of finding them in automated ways.


Day: 2016-09-15
Start time: 14:45
Duration: 00:30
Room: Main Stage

Language: en


Concurrent Events