Zero bugs found? Hold my Beer AFL! How To Improve Coverage-Guided Fuzzing and Find New 0days in Tough Targets

Presented at DEF CON 27 (2019), Aug. 10, 2019, 2 p.m. (45 minutes)

Fuzzing remains the most effective technique for hunting bugs in memory-unsafe programs. Last year, hundreds of security papers and talks on fuzzing were published, and dozens of them focused on adapting or improving American Fuzzy Lop (AFL) in some way. Attractive for its simplicity and efficiency, AFL is the number one choice for the vast majority of security researchers. This popularity means that hunting for bugs with AFL or a similar tool is becoming less and less fruitful, since many projects are already covered by other researchers. It is especially hard for a project participating in the Google OSS-Fuzz program, which uses AFL to generate half a trillion test cases per day. In practice, this means that we can no longer rely blindly on AFL and should search for better fuzzing techniques. To overcome this challenge, we need to understand how AFL and similar fuzzers work and be able to use their weaknesses to find new 0days. This talk discusses these weaknesses on real examples, explains how we can fuzz better, and releases a new open-source fuzzer called Manul. Manul is a highly scalable, coverage-guided parallel fuzzer able to search for bugs in open-source and black-box binaries on Windows and Linux. Manul was able to find 10 0-days in 4 widely used projects that had been extensively tested by AFL. These vulnerabilities were not found by chance, but by analyzing and addressing issues that exist in AFL. The authors will show several of the most critical vulnerabilities and explain why AFL overlooked them. This talk will be of interest to experienced hackers who want to improve their bug hunting capabilities, as well as to new researchers making their first steps on the thorny trail of bug hunting.

Presenters:

  • Maksim Shudrak - Security Researcher
    Maksim is a security researcher and vulnerability hunter in open-source and black-box applications. In the past, he worked on the dynamic binary instrumentation framework DynamoRIO, developed an extremely abstract Windows OS emulator for malware analysis at IBM Research, and wrote a sophisticated fuzzer to search for vulnerabilities in machine code. The latter was so exciting that he defended a PhD on this topic. Today, he works on the Red Team side at a large cloud-based software company. Maksim has spoken at various security conferences around the world, such as DEF CON, Positive Hack Days, Virus Bulletin and BSides SF. Twitter: @Mshudrak LinkedIn: https://www.linkedin.com/in/mshudrak