Fuzzing (and bug hunting)

Table of Contents

sort

https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md

  • Add Descriptions/generals to types of fuzzing
  • 0-day streams: pdfcrack
  • FuzzManager
    • With this project, we aim to create a management toolchain for fuzzing. Unlike other toolchains and frameworks, we want to be modular in such a way that you can use those parts of FuzzManager that seem interesting to you without forcing a process upon you that does not fit your requirements.
  • COMRaider
    • ActiveX Fuzzing tool with GUI, object browser, system scanner, and distributed auditing capabilities
    • Github
  • Basic fuzzing framework
  • Fuzzing 101 (Part 1)
  • Fuzzing 101 (Part 2)

end sort


General


Fuzzing Stuff & Hunting Bugs

  • Dynamic Fuzzing
    • Frameworks
      • Triton
        • Triton is a dynamic binary analysis (DBA) framework. It provides internal components like a Dynamic Symbolic Execution (DSE) engine, a Taint engine, AST representations of the x86 and x86-64 instruction set semantics, SMT simplification passes, an SMT Solver Interface and, last but not least, Python bindings.
    • General
    • Tools
      • usercorn
        • dynamic binary analysis via platform emulation
    • Writeups
  • Static Fuzzing
    • Frameworks
      • Paper Machete
        • Paper Machete (PM) orchestrates Binary Ninja and GRAKN.AI to perform static analysis on binary targets with the goal of finding exploitable vulnerabilities. PM leverages the Binary Ninja MLIL SSA to extract semantic meaning about individual instructions, operations, register/variable state, and overall control flow. This data is then migrated into GRAKN.AI, a hyper-relational database. We then run queries against the database that are designed to look for indications of common software vulnerability classes.
    • General
    • Tools
    • Talks/Writeups
      • Aiding Static Analysis: Discovering Vulnerabilities in Binary Targets through Knowledge Graph Inferences - John Toterhi - Derbycon7
        • Static analysis is the foundation of vulnerability research (VR). Even with today's advanced genetic fuzzers, concolic analysis frameworks, emulation engines, and binary instrumentation tools, static analysis ultimately makes or breaks a successful VR program. In this talk, we will explore a method of enhancing our static analysis process using the GRAKN.AI implementation of Google's knowledge graph and explore the semantics from Binary Ninja's Medium Level static single assignment (SSA) intermediate language (IL) to perform inference queries on binary-only targets to identify vulnerabilities.
  • Taint Analysis
    • Taint analysis and pattern matching with Pin - Jonathan Salwan
    • Applying Taint Analysis and Theorem Proving to Exploit Development - Sean Heelan - RECON2010
    • All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)
      • Abstract: Dynamic taint analysis and forward symbolic execution are quickly becoming staple techniques in security analyses. Example applications of dynamic taint analysis and forward symbolic execution include malware analysis, input filter generation, test case generation, and vulnerability discovery. Despite the widespread usage of these two techniques, there has been little effort to formally define the algorithms and summarize the critical issues that arise when these techniques are used in typical security contexts. The contributions of this paper are two-fold. First, we precisely describe the algorithms for dynamic taint analysis and forward symbolic execution as extensions to the run-time semantics of a general language. Second, we highlight important implementation choices, common pitfalls, and considerations when using these techniques in a security context.
    • A Critical Review of Dynamic Taint Analysis and Forward Symbolic Execution
      • In this note, we describe a critical review of the paper titled “All you wanted to know about dynamic taint analysis and forward symbolic execution (but may have been afraid to ask)” [1]. We analyze the paper using the Paul Elder critical thinking framework [2]. We start with a summary of the paper and the motivation behind the research work described in [1]. Then we evaluate the study with respect to the universal intellectual standards of [2]. We find that the paper provides a good survey of the existing techniques and algorithms used for security analysis. It explains them using the theoretical framework of operational runtime semantics. However, in some places the paper can do a better job in highlighting what new insights or heuristics can be gained from a runtime semantics formulation. The paper fails to convince the reader how such an intricate understanding of the operational semantics of a new generic language, SimpIL, helps in advancing the state of the art in dynamic taint analysis and forward symbolic execution. We also found that the Paul Elder critical thinking framework is a useful technique to reason about and analyze research papers.
    • TAJ: Effective Taint Analysis of Web Applications - Java Webapps
      • Taint analysis, a form of information-flow analysis, establishes whether values from untrusted methods and parameters may flow into security-sensitive operations. Taint analysis can detect many common vulnerabilities in Web applications, and so has attracted much attention from both the research community and industry. However, most static taint-analysis tools do not address critical requirements for an industrial-strength tool. Specifically, an industrial-strength tool must scale to large industrial Web applications, model essential Web-application code artifacts, and generate consumable reports for a wide range of attack vectors. We have designed and implemented a static Taint Analysis for Java (TAJ) that meets the requirements of industry-level applications. TAJ can analyze applications of virtually any size, as it employs a set of techniques designed to produce useful answers given limited time and space. TAJ addresses a wide variety of attack vectors, with techniques to handle reflective calls, flow through containers, nested taint, and issues in generating useful reports. This paper provides a description of the algorithms comprising TAJ, evaluates TAJ against production-level benchmarks, and compares it with alternative solutions.
  • Android Bug Hunting/Fuzzing
  • Browser Bug Hunting/Fuzzing
    • Browser Bug Hunting and Mobile
    • Grinder - Fuzzer
      • Grinder is a system to automate the fuzzing of web browsers and the management of a large number of crashes. Grinder Nodes provide an automated way to fuzz a browser, and generate useful crash information (such as call stacks with symbol information as well as logging information which can be used to generate reproducible test cases at a later stage). A Grinder Server provides a central location to collate crashes and, through a web interface, allows multiple users to login and manage all the crashes being generated by all of the Grinder Nodes.
    • browserfuzz
      • A very simple browser fuzzer based on tornado.
    • Browser bug hunting - Memoirs of a last man standing, Atte Kettunen
    • morph
      • an open source browser fuzzing framework for fun.
  • C/C++ Fuzzing
    • ansvif - An advanced cross platform fuzzing framework designed to find vulnerabilities in C/C++ code.
    • libFuzzer - In-process, coverage-guided, evolutionary fuzzing engine for targets written in C/C++.
  • Cellular Related Technologies Bug Hunting/Fuzzing
  • Cisco
    • asadbg
      • asadbg is a framework of tools to aid in automating live debugging of Cisco ASA devices, as well as automating interaction with the Cisco CLI over serial/ssh to quickly perform repetitive tasks.
    • asatools - NCCGroup
      • Main repository to pull all Cisco ASA-related projects.
    • asafw
      • Set of scripts to deal with Cisco ASA firmware [pack/unpack etc.]
  • File Formats Bug Hunting/Fuzzing
    • Practical File Format Fuzzing
      • File format fuzzing has been very fruitful at discovering exploitable vulnerabilities. Adversaries take advantage of these vulnerabilities to conduct spear-phishing attacks. This talk will cover the basics of file format fuzzing and show you how to use CERT’s fuzzing frameworks to discover vulnerabilities in file parsers.
    • File Format Fuzzing in Android
  • Network Protocols Bug Hunting/Fuzzing
  • Fuzzing Linux
    • Kernel
    • Syscalls
      • syzkaller - linux syscall fuzzer
        • An unsupervised, coverage-guided Linux syscall fuzzer. It is meant to be used with KASAN (CONFIG_KASAN=y), KTSAN (CONFIG_KTSAN=y), or KUBSAN.
  • Libraries
    • [libFuzzer](http://llvm.org/docs/LibFuzzer.html)
      • library for in-process evolutionary fuzzing of other libraries.
  • Medical Devices
    • Open Up and Say 0x41414141: Attacking Medical Devices - Robert Portvliet - Toorcon19
      • Network accessible medical devices are ubiquitous in today’s clinical environment. These devices can be of great aid to healthcare professionals in assessing, treating and monitoring a patient’s condition. However, they can also fall victim to a number of systemic vulnerabilities that can expose personal health information or PHI, compromise the integrity of patient data in transit, and affect the availability of the devices themselves. This talk looks at the methodology and approach to penetration testing of modern medical devices. It will provide an overview of the various stages of a medical device assessment, including discovery and analysis of a device’s remote and local attack surface, reverse engineering and exploitation of proprietary network protocols, vulnerability discovery in network services, compromising supporting systems, attacking common wireless protocols, exploitation of hardware debug interfaces and bus protocols and assessing proprietary wireless technologies. It will also cover a number of real world vulnerabilities that the speaker has discovered during medical device penetration testing assessments. These include weak cryptographic implementations, device impersonation and data manipulation vulnerabilities in proprietary protocols, unauthenticated database interfaces, hardcoded credentials/keys and other sensitive information stored in firmware/binaries and the susceptibility of medical devices to remote denial of service attacks. The talk will conclude with some suggestions on how some of the most common classes of medical device vulnerabilities might be remediated by vendors and also how hospitals and other healthcare providers can defend their medical devices in the meantime.
  • OS X Bug Hunting/Fuzzing
  • RTP
    • ohrwurm
      • ohrwurm is a small and simple RTP fuzzer, I tested it on a small number of SIP phones, none of them did withstand.
  • Source Code Fuzzing/Bug Hunting
    • Articles/Talks/Writeups
      • Improving security with Fuzzing and Sanitizers
        • A bug in Gstreamer could be used to own a Linux Desktop system. TCPDump released a security update fixing 42 CVEs. We have far too many security critical bugs in the free and open source software stack. But we have powerful tools to find them - we just have to use them.
    • Tools
  • USB Bug Hunting/Fuzzing
  • Virtual Appliance Bug Hunting/Fuzzing
    • Hacking Virtual Appliances - DerbyconV
      • Virtual Appliances have become very prevalent these days as virtualization is ubiquitous and hypervisors commonplace. More and more of the major vendors are providing literally virtual clones for many of their once physical-only products. Like IoT and the CAN bus, it's early in the game and vendors are late as usual. One thing that is catching these vendors off guard is the huge additional attack surface, ripe with vulnerabilities, added in the process. Also, many vendors see software appliances as an opportunity for the customer to easily evaluate the product before buying the physical one, making these editions more accessible and debuggable by utilizing features of the platform on which it runs. During this talk, I will provide real case studies for various vulnerabilities created by mistakes that many of the major players made when shipping their appliances. You'll learn how to find these bugs yourself and how the vendors went about fixing them, if at all. By the end of this talk, you should have a firm grasp of how one goes about getting remotes on these appliances.
  • Web Application Bug Hunting/Fuzzing
  • Windows Fuzzing/Bug Hunting
    • Tools
      • WinAFL - A fork of AFL for fuzzing Windows binaries
      • !exploitable Crash Analyzer
        • !exploitable (pronounced “bang exploitable”) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment. The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown. There is more detailed information about the tool in the following .pptx file or at http://www.microsoft.com/security/msec. Additionally, see the blog post at http://blogs.technet.com/srd/archive/2009/04/08/the-history-of-the-exploitable-crash-analyzer.aspx, or watch the video at http://channel9.msdn.com/posts/PDCNews/Bang-Exploitable-Security-Analyzer/.
      • DiffRay
        • Tool for diffing Win7 & Win8 Libraries based on textfile outputs from IDA Pro.
      • sandbox-attacksurface-analysis-tools
        • This is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated.
      • CERT’s Failure Observation Engine (FOE)
        • The CERT Failure Observation Engine (FOE) is a software testing tool that finds defects in applications that run on the Windows platform. FOE performs mutational fuzzing on software that consumes file input. (Mutational fuzzing is the act of taking well-formed input data and corrupting it in various ways looking for cases that cause crashes.) The FOE automatically collects test cases that cause software to crash in unique ways, as well as debugging information associated with the crashes. The goal of FOE is to minimize the effort required for software vendors and security researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.
        • Walkthrough of setting up CERT’s FOE fuzzer and fuzzing irfanview
    • Articles/Writeups

Non-Specific Tools (Don't explicitly fit into above sections)

  • AFL
    • American Fuzzy Lop AFL
      • American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary. This substantially improves the functional coverage for the fuzzed code. The compact synthesized corpora produced by the tool are also useful for seeding other, more labor- or resource-intensive testing regimes down the road.
    • 101
    • Articles/Writeups/Talks
    • Associated Tools
      • crashwalk
        • Bucket and triage on-disk crashes. OSX and Linux. (Automated triaging of AFL-based crashes.)
      • afl-dyninst ; AFL Fuzzing blackbox binaries
        • American Fuzzy Lop + Dyninst == AFL Fuzzing blackbox binaries. The tool has two parts: the instrumentation tool and the instrumentation library. The instrumentation library has an initialization callback and basic block callback functions which are designed to emulate what AFL is doing with afl-gcc/afl-g++/afl-as. The instrumentation tool (afl-dyninst) instruments the supplied binary by inserting callbacks for each basic block and an initialization callback either at _init or at a specified entry point.
  • Peach
  • Miscellaneous/Other
    • Starting out with Joern
    • [Kitty](https://github.com/cisco-sas/kitty)
      • Fuzzing framework written in Python (not a fuzzer itself)
    • IDA Pro
    • PANDA ( Platform for Architecture-Neutral Dynamic Analysis )
    • QIRA (QEMU Interactive Runtime Analyser)
    • Fuzzapi - Fuzzapi is a Rails application which uses API_Fuzzer and provides a UI for the gem.
    • Zulu Fuzzer
      • The Zulu fuzzer
    • honggfuzz
      • Security oriented fuzzer with powerful analysis options. Supports evolutionary, feedback-driven fuzzing based on code coverage (sw and hw) http://google.github.io/honggfuzz/
    • Radamsa
      • Radamsa is a test case generator for robustness testing, aka a fuzzer. It can be used to test how well a program can withstand malformed and potentially malicious inputs. It operates based on given sample inputs and thus requires minimal effort to set up. The main selling points of radamsa are that it is easy to use, contains several old and new fuzzing algorithms, is easy to script from the command line and has already been used to find a slew of bugs in programs that actually matter.
    • binnavi - Binary analysis IDE, annotates control flow graphs and call graphs of disassembled code.
    • Capstone - Capstone is a lightweight multi-platform, multi-architecture disassembly framework.
    • Hodor Fuzzer - Yet Another general purpose fuzzer.
    • libfuzzer-gv - enhanced fork of libFuzzer
    • libFuzzer-gv: new techniques for dramatically faster fuzzing