Fuzzer

Generic Fuzzers

  • honggfuzz
  • AFL++
  • LibAFL
  • Jackalope:
    • framework to easily build a black-box fuzzer
    • uses TinyInst

Rust Fuzzers

  • cargo-fuzz: tool to invoke libfuzzer
  • libfuzzer: archived
  • cargodd
  • afl.rs: crate from AFL
  • cargo-libafl: wrapper around simple libafl fuzzer
  • fuzzcheck: not updated for a year

Java Serialization Fuzzers

Problems

  • Java serialization is flawed: input streams are converted to Objects
  • An attacker can feed any kind of byte stream to be deserialized and can trigger gadget execution
  • This is much more difficult in Rust since the target type for deserialization is defined at compile time
  • Fuzzing deserialization in Rust still makes sense when the deserialization has intricate invariant checking

Tools

ODDFuzz

  • ODD stands for Open Dynamic Deserialization
  • uses lightweight taint analysis to identify potential gadget chains
  • new guided fuzzing towards sensitive code rather than coverage

Javascript Engine Fuzzers

  • Fuzzilli
    • generates syntactically and semantically valid JS scripts for fuzzing
    • mutates over a custom intermediate language rather than source or AST
  • JIT-Picking
    • Differential Fuzzing of JavaScript Engines
    • differentially fuzzes JS engines with and without JIT optimizations
    • transparent probing of the state, so that it does not interfere with JIT optimizations
    • an execution hash depending on the observed variables' values/types is computed along the execution and sent to the fuzzer at the end for comparison
  • Montage
    • neural network guided fuzzer
    • fuzz JS engines

Fuzzer for Windows

  • WinAFL: AFL-based fuzzer for Windows

Fuzzer Composition

Definition

  • there is no generic best fuzzer
  • fuzzers perform differently depending on the target and on resource usage

Tools

autofz: compose a set of fuzzers to use depending on the target and fuzz "trend" at runtime

Concurrency

DDrace: specialized in use-after-free (UAF)

  • reduces the search space by targeting potentially vulnerable code blocks
  • new metric to calculate a "UAF distance"

Webapp fuzzing

covered in detail in the next chapter

Trusted Environment Fuzzing

  • Trusted App (TA) using Trusted Execution Environment (TEE)
    • Challenge: this is harder than black-box fuzzing because the TEE prevents runtime analysis
    • you can only use the inputs sent to and the outputs coming out of the TEE
    • TEEzz

Fuzzing during RTL development stage (specifications)

  • Advantage: fuzzing is done before the system goes into production, so patching is less costly
  • SpecDoctor
    • focuses on transient vulnerabilities
    • proposes a fuzzing template to emulate different scenarios (which part of the system is compromised)
    • uses differential fuzzing to identify side-channel behaviour

Spec fuzzing

uses fuzzing to test the completeness of a specification

Fast

  • Fast produces mutations of a program's code, which we call CODE
  • the goal is
  • CODE mutants of the target program are tested against both
    • the original program's test suite
    • the Move prover
      • the Move prover takes both CODE and SPEC
      • CODE and SPEC are compiled into Boogie
      • an SMT solver is then used to solve the Boogie input
  • results from the test suite and the Move prover can be compared to point out potential omissions in the SPEC

Resources