Posted by kecoak on Nov 2, 2007

Bunny Fuzzer, the other approach for fuzzing

Michal Zalewski (lcamtuf) has developed a project called Bunny, a tool for fuzzing C applications. As usual, lcamtuf has built something that is a real innovation compared with similar tools: Bunny takes a different approach to the process of fuzzing C applications.

A closed loop, high-performance, general purpose protocol-blind fuzzer for C programs.

Uses compiler-level integration to seamlessly inject precise and reliable instrumentation hooks into the traced program. These hooks enable the fuzzer to receive real-time feedback on changes to the function call path, call parameters, and return values in response to variations in input data.

This architecture makes it possible to significantly improve the coverage of the testing process without a noticeable performance impact usually associated with other attempts to peek into run-time internals.

Bunny is currently known to support Linux, FreeBSD, and Cygwin on IA32 systems.

Fuzzers generally require us to understand how an application works, so that we can supply a 'seed', the input data that will be used to test the application. If what we want to do is protocol fuzzing, we are expected to understand how that protocol works (yeah, RFC is your friend then).

Bunny is somewhat different in how it implements fuzzing; here is what the Bunny fuzzer does:

  1. Seed fuzzing queue with a known good input file.
  2. Attempt several deterministic, sequential fuzzing strategies for subsequent regions in the input file, as well as for regions that are known to affect execution paths based on previously recorded data.
  3. If any change resulted in a never previously observed execution path, store the input that triggered it and queue it for further testing.
  4. If any change resulted in an interesting change in any function call parameter or return value within a known execution path (for example, we now have -3 where we had 7 previously), store and queue the input.
  5. If a program fault is sensed for any input (crash, hang, etc.), record this event and make a copy of the offending input data.
  6. When done, fetch next input to be tested from queue, go to 2.

Bunny performs fuzzing by integrating with the application and analysing it at the level of runtime execution. The process resembles an artificial-intelligence technique in which Bunny is first given a variety of legal inputs and only then given the inputs for testing. Bunny monitors the program directly at runtime, so any 'abnormal' execution is recorded and processed further; this makes the fuzzing process considerably easier.
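To make the six-step loop above and the runtime-monitoring idea concrete, here is an added toy closed-loop fuzzer in Python. It is not Bunny's code and not the instrumentation that Bunny's compiler integration injects: the target program (a tiny record parser with a planted fault), its hand-placed hooks, the value classes and the mutation strategies are all constructed for illustration. What it does show is the mechanism the post describes: a queue seeded with one known-good input, deterministic mutations over each byte region, extra attention to regions already known to steer the path, and inputs kept only when they reveal a new call path, a new class of parameter or return value on a known path, or a fault.

```python
"""Toy closed-loop fuzzer following the six-step loop from the post.
Constructed for illustration: the target, its hooks and the mutation
strategies are stand-ins, not Bunny's own code or injected hooks."""
from collections import deque


class Trace:
    """What the instrumentation hooks report for one run of the target."""
    def __init__(self):
        self.path = []     # functions in call order (the execution path)
        self.values = {}   # function -> (parameters, return value)


def hook(trace, fn, params, ret):
    """Stand-in for a compiler-injected hook: records a call and its result."""
    trace.path.append(fn)
    trace.values[fn] = (params, ret)


# --- Constructed target: a tiny record parser with a planted fault ---------
def parse_header(data, trace):
    ok = data[:2] == b"BF"
    hook(trace, "parse_header", (data[:2],), ok)
    return ok


def parse_length(data, trace):
    # Models a C `char` length field: raw values >= 0x80 turn negative.
    raw = data[2] if len(data) > 2 else 0
    length = raw - 256 if raw > 127 else raw
    hook(trace, "parse_length", (raw,), length)
    return length


def copy_body(data, length, trace):
    if length < 0:
        # Planted fault: a negative size reaching a size_t copy.
        raise OverflowError("negative length passed to copy")
    body = data[3:3 + min(length, 8)]   # bounded copy into an 8-byte buffer
    hook(trace, "copy_body", (length,), len(body))
    return len(body)


def target(data):
    trace = Trace()
    if parse_header(data, trace):
        length = parse_length(data, trace)
        if length != 0:
            copy_body(data, length, trace)
    return trace


# --- Fuzzer side -----------------------------------------------------------
def value_class(v):
    """Coarse class of a value; a class change on a known path is 'interesting'
    (the post's example: -3 where 7 was seen before)."""
    if isinstance(v, bool) or not isinstance(v, int):
        return v
    return "neg" if v < 0 else "zero" if v == 0 else "small" if v < 16 else "large"


def signature(trace):
    path = tuple(trace.path)
    classes = tuple((fn, value_class(ret))
                    for fn, (_, ret) in sorted(trace.values.items()))
    return path, classes


INTERESTING = (0x00, 0x7F, 0x80, 0xFF)   # boundary byte values


def mutations(data, hot_offsets):
    """Step 2: deterministic, sequential strategies over each byte region;
    offsets already known to steer the path also get an exhaustive sweep."""
    hot = set(hot_offsets)   # snapshot of previously recorded data
    for i in range(len(data)):
        for bit in range(8):
            m = bytearray(data)
            m[i] ^= 1 << bit
            yield i, bytes(m)
        for v in INTERESTING + (tuple(range(256)) if i in hot else ()):
            m = bytearray(data)
            m[i] = v
            yield i, bytes(m)


def fuzz(seed, max_inputs=50):
    """Steps 1-6: seed the queue, mutate, keep inputs that reveal new paths or
    new value classes, record faults, then pull the next queued input."""
    queue = deque([seed])                              # step 1
    seen_paths, seen_sigs, hot_offsets = set(), set(), set()
    crashes = {}                                       # exception text -> input
    path, classes = signature(target(seed))
    seen_paths.add(path)
    seen_sigs.add((path, classes))
    tested = 0
    while queue and tested < max_inputs:               # step 6
        base = queue.popleft()
        tested += 1
        for offset, candidate in mutations(base, hot_offsets):
            try:
                trace = target(candidate)
            except Exception as exc:                   # step 5
                crashes.setdefault(repr(exc), candidate)
                continue
            path, classes = signature(trace)
            if path not in seen_paths:                 # step 3
                seen_paths.add(path)
                hot_offsets.add(offset)                # this region steers the path
                queue.append(candidate)
            elif (path, classes) not in seen_sigs:     # step 4
                queue.append(candidate)
            seen_sigs.add((path, classes))
    return {"paths": seen_paths, "signatures": seen_sigs,
            "crashes": crashes, "hot_offsets": hot_offsets}


if __name__ == "__main__":
    result = fuzz(b"BF\x03abc")                        # constructed known-good seed
    print(len(result["paths"]), "paths,", len(result["crashes"]), "distinct faults")
```

Run with the constructed seed `b"BF\x03abc"`, the loop discovers the three call paths the toy parser can take (header rejected, zero length, full parse), keeps one extra input for the "large length" value class on the full path, marks offsets 0 and 2 as path-steering, and records the planted negative-length fault once, keyed by its exception text so repeated hits of the same fault do not flood the report. The value classes and the choice to store only the first input per fault are design decisions of this example; Bunny's own heuristics for what counts as an interesting value change are documented with the tool.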

The Bunny fuzzer can be downloaded here, and its documentation can be found here.


One Response to “Bunny Fuzzer, the other approach for fuzzing”

  1. erlang says:

    wew... cool program...
