Fuzzing: Brute Force Vulnerability Discovery

SPIKE is written in C and exposes an API for quickly and efficiently developing network protocol fuzzers. SPIKE is open source and released under the flexible GNU General Public License (GPL)⁷. This favorable licensing has allowed for the creation of SPIKEfile, a repurposed version of the framework designed specifically for file format fuzzing (see Chapter 12, "File Format Fuzzing: Automation on UNIX"). SPIKE utilizes a novel technique for representing and thereafter fuzzing network protocols. Protocol data structures are broken down and represented as blocks, also referred to as a SPIKE, which contains both binary data and the block size. Block-based protocol representation allows for abstracted construction of various protocol layers with automatic size calculations. To better understand the block-based concept, consider the following simple example from the whitepaper "The Advantages of Block-Based Protocol Analysis for Security Testing":⁸

s_block_size_binary_bigendian_word("somepacketdata"); s_block_start("somepacketdata") s_binary("01020304"); s_block_end("somepacketdata");

Michael Sutton reads from his book Listen to author Michael Sutton, as he reads from Chapter 2: What is fuzzing?

This basic SPIKE script (SPIKE scripts are written in C) defines a block named somepacketdata, pushes the four bytes 0x01020304 into the block and prefixes the block with the block length. In this case the block length would be calculated as 4 and stored as a big endian word. Note that most of the SPIKE API is prefixed with either s_ or spike_. The s_binary() API is used to add binary data to a block and is quite liberal with its argument format, allowing it to handle a wide variety of copied and pasted inputs such as the string 4141 x41 0x41 41 00 41 00. Although simple, this example demonstrates the basics and overall approach of constructing a SPIKE. As SPIKE allows blocks to be embedded within other blocks, arbitrarily complex protocols can be easily broken down into their smallest atoms. Expanding on the previous example:

s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata")
s_binary("01020304");
s_blocksize_halfword_bigendian("innerdata");
s_block_start("innerdata");
s_binary("00 01");
s_binary_bigendian_word_variable(0x02);
s_string_variable("SELECT");
s_block_end("innerdata");
s_block_end("somepacketdata");

Fuzzing: Brute Force Vulnerability Discovery Authors: Michael Sutton, Adam Greene, Pedram Amini 576 pages; $54.99 Addison Wesley official book page

In this example, two blocks are defined, somepacketdata and innerdata. The latter block is contained within the former block and each individual block is prefixed with a size value. The newly defined innerdata block begins with a static two-byte value (0x0001), followed by a four-byte variable integer with a default value of 0x02, and finally a string variable with a default value of SELECT. The s_binary_bigendian_word_variable() and s_string_variable() APIs will loop through a predefined set of integer and string variables (attack heuristics), respectively, that have been known in the past to uncover security vulnerabilities. SPIKE will begin by looping through the possible word variable mutations and then move on to mutating the string variable. The true power of this framework is that SPIKE will automatically update the values for each of the size fields as the various mutations are made. To examine or expand the current list of fuzz variables, look at SPIKE/src/spike.c.Version 2.9 of the framework contains a list of almost 700 error-inducing heuristics.

Using the basic concepts demonstrated in the previous example, you can begin to see how arbitrarily complex protocols can be modeled in this framework. A number of additional APIs and examples exist. Refer to the SPIKE documentation for further information. Sticking to the running example, the following code excerpt is from an FTP fuzzer distributed with SPIKE. This is not the best showcase of SPIKE's capabilities, as no blocks are actually defined, but it helps to compare apples with apples.

s_string("HOST ");
s_string_variable("10.20.30.40");
s_string("rn");
s_string_variable("USER");
s_string(" v);
s_string_variable("bob");
s_string("rn");
s_string("PASS ");
s_string_variable("bob");
s_string("rn");
s_string("SITE ");
s_string_variable("SEDV");
s_string("rn");
s_string("ACCT ");
s_string_variable("bob");
s_string("rn");
s_string("CWD ");
s_string_variable(".");
s_string("rn");
s_string("SMNT ");
s_string_variable(".");
s_string("rn");
s_string("PORT ");
s_string_variable("1");
s_string(",");
s_string_variable("2");
s_string(",");
s_string_variable("3");
s_string(",");
s_string_variable("4");
s_string(",");
s_string_variable("5");
s_string(",");
s_string_variable("6");
s_string("rn");

SPIKE is sporadically documented and the distributed package contains many deprecated components that can lead to confusion. However, a number of working examples are available and serve as excellent references for familiarizing with this powerful fuzzing framework. The lack of complete documentation and disorganization of the distribution package has led some researchers to speculate that SPIKE is purposefully broken in a number of areas to prevent others from uncovering vulnerabilities privately discovered by the author. The veracity of this claim remains unverified.

For more information about fuzzing: Should fuzzing be part of the secure software development process? Michael Cobb explains. Learn how fuzzing can deter VoIP protocol attacks.  Author Gary McGraw explains other ways to find software security bugs.

Depending on your individual needs, one major pitfall of the SPIKE framework is the lack of support for Microsoft Windows, as SPIKE was designed to run in a UNIX environment, although there are mixed reports of getting SPIKE to function on the Windows platform through Cygwin.⁹ Another factor to consider is that even minor changes to the framework, such as the addition of new fuzz strings, require a recompilation. On a final negative note, code reuse between developed fuzzers is a manual copy-and-paste effort. New elements such as a fuzzer for e-mail addresses cannot simply be defined and later referenced globally across the framework.

Overall, SPIKE has proven to be effective and has been used by both its author and others to uncover a variety of high-profile vulnerabilities. SPIKE also includes utilities such as a proxy, allowing a researcher to monitor and fuzz communications between a browser and a Web application. SPIKE's fault-inducing capabilities have gone a long way in establishing the value of fuzzing on a whole. The block-based approach to fuzzing has gained popularity evident in that since the initial public release of SPIKE, a number of fuzzing frameworks have adopted the technique.

⁷ http://www.gnu.org/copyleft/gpl.html
⁸ http://www.immunitysec.com/downloads/advantages_of_block_based_analysis.pdf
⁹ http://www.cygwin.com/

Learn about other specialized fuzzing utilities. Download the rest of Chapter 21: Visualization (.pdf).

Reproduced from the book Fuzzing: Brute Force Vulnerability Discovery Copyright [2007], Addison Wesley Professional. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240.Written permission from Pearson Education, Inc. is required for all other users.

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Vulnerability Assessment Spotlight article: Domain 10, Operations Security CISSP Essentials training: Domain 10, Operations Security Security visualization helps make log files work Screencast: How to use Wikto for Web server assessment Security data lapses hamper researchers Database patch denial: How 'critical' are Oracle's CPUs? Is attack code valuable for vulnerabilities or just a publicity stunt? Will the features of Windows Vista SP1 encourage wider adoption of the OS? Is a Master Boot Record (MBR) rootkit completely invisible to the OS? How to install and configure Nessus Vulnerability Assessment Research Open Source Security Tools Screencasts: On-screen demonstrations of today's IT tools FISMA compliance made easier with OpenFISMA Wireshark tutorial: How to sniff network traffic Screencast: How to use Nipper to create network security reports Sun launches open source OpenSSO for identity management What reporting tools are available for an enterprise IDS? Positive changes coming to ModSecurity Analysis tool uses Intel virtualization to hide from malware Can IBM's SMash technology secure Web applications? Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary gray hat  (SearchSecurity.com) risk analysis  (SearchSecurity.com) vulnerability analysis  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary