SITCON 2022 R0 模糊測試哪裡模糊 [8Gb4b-tqLqY].srt
1
00:00:00,000 --> 00:00:04,000
The next session is brought to you by 林觀明
2
00:00:04,000 --> 00:00:06,000
What's Fuzzy About Fuzz Testing
3
00:00:06,000 --> 00:00:08,000
Let's welcome 林觀明
4
00:00:13,000 --> 00:00:15,000
Okay, welcome everyone
5
00:00:15,000 --> 00:00:17,000
Let me say first
6
00:00:17,000 --> 00:00:21,000
that I actually gave this talk once at COSCUP
7
00:00:21,000 --> 00:00:22,000
Fuzzing Test
8
00:00:22,000 --> 00:00:24,000
It's basically the same thing
9
00:00:24,000 --> 00:00:25,000
just with the name changed
10
00:00:25,000 --> 00:00:26,000
Yes
11
00:00:26,000 --> 00:00:27,000
Okay
12
00:00:27,000 --> 00:00:29,000
So let's get started right away
13
00:00:29,000 --> 00:00:32,000
Because what I'm covering today is the same
14
00:00:32,000 --> 00:00:34,000
but I only have 20 minutes
15
00:00:34,000 --> 00:00:37,000
so I may go through it a bit faster
16
00:00:37,000 --> 00:00:39,000
Okay, let's begin
17
00:00:39,000 --> 00:00:43,000
This session is mainly to
18
00:00:43,000 --> 00:00:46,000
introduce the basic concepts of fuzz testing to you
19
00:00:46,000 --> 00:00:50,000
and introduce AFL
20
00:00:50,000 --> 00:00:57,000
And because I studied fuzz testing in grad school
21
00:00:57,000 --> 00:01:00,000
Hello everyone, I'm 林觀明
22
00:01:00,000 --> 00:01:04,000
I just graduated this year and just entered the workforce
23
00:01:04,000 --> 00:01:08,000
Previously I was at SQLab at NYCU (陽交大)
24
00:01:08,000 --> 00:01:13,000
and my thesis was also related to fuzzing
25
00:01:13,000 --> 00:01:15,000
Below is my GitHub
26
00:01:15,000 --> 00:01:17,000
and email
27
00:01:17,000 --> 00:01:18,000
And let me clarify one thing with you
28
00:01:18,000 --> 00:01:20,000
my thesis was not plagiarized
29
00:01:20,000 --> 00:01:23,000
I'm not like a certain
30
00:01:23,000 --> 00:01:26,000
former mayor, yes
31
00:01:26,000 --> 00:01:28,000
Okay
32
00:01:28,000 --> 00:01:31,000
I seem to have said some keyword there
33
00:01:31,000 --> 00:01:33,000
Uh oh, our session is going to get banned
34
00:01:33,000 --> 00:01:35,000
Everyone can go have snacks now
35
00:01:35,000 --> 00:01:36,000
Okay, no more jokes
36
00:01:36,000 --> 00:01:38,000
Let's go straight into the session
37
00:01:38,000 --> 00:01:39,000
Okay
38
00:01:39,000 --> 00:01:40,000
So next I'll introduce
39
00:01:40,000 --> 00:01:42,000
the main concepts of fuzz testing
40
00:01:42,000 --> 00:01:47,000
and some of the main concepts of AFL
41
00:01:47,000 --> 00:01:50,000
Yes, just these two things
42
00:01:50,000 --> 00:01:53,000
So what is fuzz testing
43
00:01:53,000 --> 00:01:57,000
Fuzz testing is mainly about testing
44
00:01:57,000 --> 00:01:59,000
and its main idea is
45
00:01:59,000 --> 00:02:02,000
that it can automatically generate
46
00:02:02,000 --> 00:02:04,000
an input that can be entered
47
00:02:04,000 --> 00:02:06,000
that can be fed in
48
00:02:06,000 --> 00:02:09,000
then we run the target
49
00:02:09,000 --> 00:02:10,000
and see whether it has any crashes
50
00:02:10,000 --> 00:02:13,000
or anything exploitable
51
00:02:13,000 --> 00:02:15,000
But the
52
00:02:15,000 --> 00:02:18,000
bugs here don't include logic problems
53
00:02:18,000 --> 00:02:20,000
It just checks
54
00:02:20,000 --> 00:02:22,000
whether my program will crash
55
00:02:22,000 --> 00:02:24,000
whether, for no apparent reason,
56
00:02:24,000 --> 00:02:26,000
after you feed something in
57
00:02:26,000 --> 00:02:30,000
it just dies
58
00:02:30,000 --> 00:02:35,000
So let's find
59
00:02:35,000 --> 00:02:38,000
what's wrong with this piece of code
60
00:02:38,000 --> 00:02:40,000
This is a simple example
61
00:02:40,000 --> 00:02:43,000
But due to time constraints
62
00:02:43,000 --> 00:02:45,000
let's just move on
63
00:02:45,000 --> 00:02:47,000
The biggest problem here is
64
00:02:47,000 --> 00:02:49,000
our malloc
65
00:02:49,000 --> 00:02:53,000
can't just be called with an arbitrary size
66
00:02:53,000 --> 00:02:54,000
It will blow up
67
00:02:54,000 --> 00:02:57,000
that is, it causes the program to crash
68
00:02:57,000 --> 00:02:59,000
That's roughly it
69
00:02:59,000 --> 00:03:01,000
And this problem
70
00:03:01,000 --> 00:03:03,000
in our daily lives
71
00:03:03,000 --> 00:03:05,000
is actually pretty easy to see
72
00:03:05,000 --> 00:03:07,000
For example, when we process some
73
00:03:07,000 --> 00:03:09,000
JPG files or PNG files
74
00:03:09,000 --> 00:03:14,000
usually their file format
75
00:03:14,000 --> 00:03:16,000
has a length field
76
00:03:16,000 --> 00:03:18,000
But this length
77
00:03:18,000 --> 00:03:21,000
we can't just let the PNG
78
00:03:21,000 --> 00:03:23,000
that is, whoever made it, set it arbitrarily
79
00:03:23,000 --> 00:03:24,000
If it's set arbitrarily
80
00:03:24,000 --> 00:03:25,000
it will blow up
81
00:03:25,000 --> 00:03:27,000
A lot of program vulnerabilities
82
00:03:27,000 --> 00:03:29,000
come from exactly this
83
00:03:29,000 --> 00:03:30,000
So our program logic
84
00:03:30,000 --> 00:03:32,000
should first check
85
00:03:32,000 --> 00:03:34,000
whether its length is sane
86
00:03:34,000 --> 00:03:35,000
For example, if I give the length
87
00:03:35,000 --> 00:03:37,000
some huge value
88
00:03:37,000 --> 00:03:39,000
it will die
89
00:03:39,000 --> 00:03:40,000
That's not acceptable
90
00:03:40,000 --> 00:03:42,000
Actually many [DJPG]
91
00:03:42,000 --> 00:03:44,000
or PNG-processing programs
92
00:03:44,000 --> 00:03:45,000
have had these problems
93
00:03:45,000 --> 00:03:48,000
Of course they've all been fixed
94
00:03:48,000 --> 00:03:52,000
so there are quite a few CVEs to look at
95
00:03:52,000 --> 00:03:54,000
So let's review once more
96
00:03:54,000 --> 00:03:56,000
what fuzz testing is
97
00:03:56,000 --> 00:03:59,000
It's that we generate an input
98
00:03:59,000 --> 00:04:00,000
and how to generate it
99
00:04:00,000 --> 00:04:02,000
we'll get to in a moment
100
00:04:02,000 --> 00:04:04,000
then we run the target
101
00:04:04,000 --> 00:04:06,000
and will there be a problem?
102
00:04:06,000 --> 00:04:07,000
If there's a crash
103
00:04:07,000 --> 00:04:10,000
or some other kind of problem
104
00:04:10,000 --> 00:04:11,000
it will
105
00:04:11,000 --> 00:04:12,000
it might become
106
00:04:12,000 --> 00:04:14,000
an exploitable vulnerability
107
00:04:15,000 --> 00:04:17,000
Okay
108
00:04:17,000 --> 00:04:18,000
The fuzz testing above
109
00:04:18,000 --> 00:04:21,000
has a few issues to solve
110
00:04:21,000 --> 00:04:22,000
The first problem is
111
00:04:22,000 --> 00:04:26,000
if I generate inputs randomly
112
00:04:26,000 --> 00:04:28,000
then if today's program
113
00:04:28,000 --> 00:04:30,000
has somewhat better logic
114
00:04:30,000 --> 00:04:32,000
with format checking
115
00:04:32,000 --> 00:04:33,000
it checks the format
116
00:04:33,000 --> 00:04:35,000
then
117
00:04:35,000 --> 00:04:37,000
randomly generated inputs
118
00:04:37,000 --> 00:04:39,000
often can't reach the deeper logic
119
00:04:39,000 --> 00:04:41,000
So we have a
120
00:04:41,000 --> 00:04:43,000
simple concept called mutation-based testing
121
00:04:43,000 --> 00:04:45,000
which I'll introduce later
122
00:04:45,000 --> 00:04:48,000
But
123
00:04:48,000 --> 00:04:50,000
we have no way to know the program's state
124
00:04:50,000 --> 00:04:53,000
For example, say we test a binary today
125
00:04:53,000 --> 00:04:55,000
but it doesn't tell us
126
00:04:55,000 --> 00:04:56,000
whether this test case
127
00:04:56,000 --> 00:04:58,000
this input
128
00:04:58,000 --> 00:05:01,000
and the result it produced
129
00:05:01,000 --> 00:05:03,000
is good or bad
130
00:05:03,000 --> 00:05:06,000
So we came up with another method
131
00:05:06,000 --> 00:05:09,000
we can do some instrumentation
132
00:05:09,000 --> 00:05:12,000
and find a way to record code coverage
133
00:05:13,000 --> 00:05:15,000
then use that code coverage
134
00:05:15,000 --> 00:05:18,000
to guide our fuzzer to do more
135
00:05:18,000 --> 00:05:21,000
Actually many fuzzers today have this concept
136
00:05:21,000 --> 00:05:25,000
it's just that everyone's notion of it differs a bit
137
00:05:25,000 --> 00:05:27,000
Some may use code coverage
138
00:05:27,000 --> 00:05:29,000
some may use memory
139
00:05:29,000 --> 00:05:31,000
or in different applications
140
00:05:31,000 --> 00:05:35,000
RESTful APIs also have related applications
141
00:05:35,000 --> 00:05:38,000
Next I'll introduce
142
00:05:38,000 --> 00:05:41,000
AFL, developed by Google
143
00:05:41,000 --> 00:05:43,000
Okay, AFL
144
00:05:43,000 --> 00:05:47,000
is a fuzz testing tool developed by Google in 2013
145
00:05:47,000 --> 00:05:49,000
Of course you can Google it right now
146
00:05:49,000 --> 00:05:53,000
and you'll find it's open source
147
00:05:53,000 --> 00:05:55,000
It's no longer being updated
148
00:05:55,000 --> 00:05:59,000
because Google, in some recent year
149
00:05:59,000 --> 00:06:01,000
I forget which year
150
00:06:01,000 --> 00:06:04,000
later released AFL++
151
00:06:04,000 --> 00:06:06,000
which basically carries on from AFL
152
00:06:06,000 --> 00:06:09,000
but has more different concepts in it
153
00:06:09,000 --> 00:06:11,000
I won't introduce that today
154
00:06:11,000 --> 00:06:13,000
The concepts it uses are
155
00:06:13,000 --> 00:06:14,000
the ones we just talked about
156
00:06:14,000 --> 00:06:16,000
mutation-based testing and code coverage guidance
157
00:06:16,000 --> 00:06:18,000
and there's also a forkserver
158
00:06:18,000 --> 00:06:20,000
but today's time probably won't be enough
159
00:06:20,000 --> 00:06:23,000
so I'll skip through the forkserver very quickly
160
00:06:23,000 --> 00:06:25,000
Okay, so what's its workflow
161
00:06:25,000 --> 00:06:28,000
Its workflow is
162
00:06:28,000 --> 00:06:31,000
we now have an initial seed
163
00:06:31,000 --> 00:06:32,000
This initial seed
164
00:06:32,000 --> 00:06:35,000
for example if you want to test an image-processing program today
165
00:06:35,000 --> 00:06:36,000
our initial seed
166
00:06:36,000 --> 00:06:38,000
is a normal image file
167
00:06:38,000 --> 00:06:40,000
It's put into a queue
168
00:06:40,000 --> 00:06:42,000
then we mutate it
169
00:06:42,000 --> 00:06:45,000
then run the whole target
170
00:06:45,000 --> 00:06:47,000
and see whether its code coverage increased
171
00:06:47,000 --> 00:06:48,000
If it increased
172
00:06:48,000 --> 00:06:50,000
this seed is considered
173
00:06:50,000 --> 00:06:51,000
a good one
174
00:06:51,000 --> 00:06:53,000
one that can be reused
175
00:06:53,000 --> 00:06:56,000
and it stays in the queue
176
00:06:56,000 --> 00:06:57,000
If it's bad
177
00:06:57,000 --> 00:06:59,000
it gets discarded
178
00:06:59,000 --> 00:07:02,000
Okay, so I just mentioned the mutate part
179
00:07:02,000 --> 00:07:03,000
The mutate part is
180
00:07:03,000 --> 00:07:07,000
we, the users, have to give it an initial seed
181
00:07:07,000 --> 00:07:09,000
and this initial seed is
182
00:07:09,000 --> 00:07:12,000
a seed in the normal format
183
00:07:12,000 --> 00:07:15,000
that is, it should run normally
184
00:07:15,000 --> 00:07:19,000
then use this seed to create more seeds
185
00:07:19,000 --> 00:07:21,000
but these additional seeds
186
00:07:21,000 --> 00:07:22,000
are actually generated inside the system
187
00:07:22,000 --> 00:07:24,000
inside the fuzzer itself
188
00:07:24,000 --> 00:07:25,000
Okay, its mutation strategies
189
00:07:25,000 --> 00:07:28,000
I won't go into detail today either
190
00:07:28,000 --> 00:07:30,000
There are roughly these five
191
00:07:30,000 --> 00:07:31,000
Bitflip
192
00:07:31,000 --> 00:07:32,000
Arithmetic
193
00:07:32,000 --> 00:07:33,000
and Interest
194
00:07:33,000 --> 00:07:34,000
Dictionary
195
00:07:34,000 --> 00:07:36,000
and Havoc
196
00:07:37,000 --> 00:07:38,000
Okay, time
197
00:07:38,000 --> 00:07:39,000
Okay, should still be fine
198
00:07:39,000 --> 00:07:41,000
Bitflip is
199
00:07:41,000 --> 00:07:43,000
flipping bits
200
00:07:43,000 --> 00:07:45,000
Then arithmetic is
201
00:07:45,000 --> 00:07:48,000
possibly taking some bit
202
00:07:48,000 --> 00:07:49,000
and adding and subtracting on it
203
00:07:49,000 --> 00:07:50,000
Interest is
204
00:07:50,000 --> 00:07:53,000
it may take int
205
00:07:53,000 --> 00:07:54,000
the maximum or minimum int values
206
00:07:54,000 --> 00:07:56,000
to do some testing
207
00:07:56,000 --> 00:07:57,000
Then Dictionary is also
208
00:07:57,000 --> 00:07:58,000
inside it will
209
00:07:58,000 --> 00:08:01,000
there's a place inside where you can
210
00:08:01,000 --> 00:08:02,000
set its Dictionary
211
00:08:02,000 --> 00:08:04,000
what you want to feed in
212
00:08:04,000 --> 00:08:05,000
and it can be set
213
00:08:05,000 --> 00:08:06,000
in one place
214
00:08:06,000 --> 00:08:08,000
Then Havoc is
215
00:08:08,000 --> 00:08:10,000
a combination of all of the above
216
00:08:10,000 --> 00:08:12,000
Okay, and here the
217
00:08:12,000 --> 00:08:13,000
most important concept is
218
00:08:13,000 --> 00:08:15,000
an initial seed
219
00:08:15,000 --> 00:08:17,000
basically you need to feed
220
00:08:17,000 --> 00:08:18,000
an initial seed that
221
00:08:18,000 --> 00:08:21,000
works normally
222
00:08:21,000 --> 00:08:23,000
Okay, next I'll introduce
223
00:08:23,000 --> 00:08:25,000
code coverage
224
00:08:25,000 --> 00:08:27,000
Code coverage
225
00:08:27,000 --> 00:08:28,000
if you've done
226
00:08:28,000 --> 00:08:29,000
unit testing
227
00:08:29,000 --> 00:08:31,000
you should be more familiar with it
228
00:08:31,000 --> 00:08:35,000
It treats it as
229
00:08:35,000 --> 00:08:37,000
that is, your current test case
230
00:08:37,000 --> 00:08:39,000
this input
231
00:08:39,000 --> 00:08:40,000
it will
232
00:08:40,000 --> 00:08:41,000
the proportion of the program it reaches
233
00:08:41,000 --> 00:08:42,000
how much that is
234
00:08:42,000 --> 00:08:44,000
Many of today's
235
00:08:44,000 --> 00:08:45,000
fuzz testing tools
236
00:08:45,000 --> 00:08:46,000
use this as the baseline
237
00:08:46,000 --> 00:08:49,000
to judge whether a seed is good or bad
238
00:08:49,000 --> 00:08:52,000
Inside AFL
239
00:08:52,000 --> 00:08:54,000
AFL uses instrumentation
240
00:08:54,000 --> 00:08:56,000
to implement this functionality
241
00:08:56,000 --> 00:08:59,000
It goes into the program's
242
00:08:59,000 --> 00:09:01,000
some spot in the program
243
00:09:01,000 --> 00:09:03,000
I won't go into detail here either
244
00:09:03,000 --> 00:09:04,000
Going into detail on this
245
00:09:04,000 --> 00:09:06,000
would take a very long time
246
00:09:06,000 --> 00:09:08,000
What it mainly does is
247
00:09:08,000 --> 00:09:10,000
it inserts it at some spot
248
00:09:10,000 --> 00:09:12,000
for example at the very start of a function
249
00:09:12,000 --> 00:09:15,000
or at the very start of an if-else, and so on
250
00:09:15,000 --> 00:09:18,000
It records it