Anykernels meet fuzzing
Formal metadata
Number of parts | 102
License | CC Attribution 4.0 International: You may use, modify, and reproduce, distribute, and make publicly available the work or its content, in unaltered or altered form, for any lawful purpose, provided you credit the author/rights holder in the manner they specify.
Identifiers | 10.5446/43267 (DOI)
Chaos Communication Camp 2019, 20 / 102
Transcript: English (automatically generated)
00:15
allowing many tasks to be delegated to userspace.
00:20
Bruce Wayne has prepared a fantastic guided tour on what we can do with and to that user land. Please give a warm, fuzzy welcome to our next speaker, Bruce Wayne. Hello, I'm Bruce.
00:40
Probably already you know me, but I will introduce myself. So I'm no longer a superhero. Now I'm working in IT, because working as a superhero is pretty much, you know, it's a hard task, and it's easier to work in IT. So by day, I am now a pen tester.
01:00
By night, I'm trying to fix some open source projects, including the NetBSD. So how many NetBSD users do we have here? Any of you? Few, yeah. So for the guys on the stream,
01:21
it's a full tent of NetBSD users. I want to also tell that it's my first camp, as you may suspect, and it's super cool. I met here so many friendly people,
01:41
and I'd like to give applause to the organizers and volunteers and all the people that let it happen, so thank you. So NetBSD, it's just like any other operating system,
02:02
but the better one. The BSD, so you might think that B stands for Berkeley, but in fact, it's Batman. NetBSD is multi-architecture, and it can be run on top of a lot of hardware,
02:21
including the Atari or Amiga; one of the name servers of NetBSD is running on top of an Amiga. And it's not just a kernel, it's a kernel and the userland, so we are rather a cathedral, not the bazaar. And I'm going to talk about rump kernels,
02:42
which is an implementation of the anykernel idea, because in my opinion it's a pretty underrated NetBSD feature, and I will try to convince you that it's super cool. I will show you a few demos, even crash NetBSD, the great NetBSD, for you,
03:04
by using the rump kernel, so, sorry. So, have you seen Ilja van Sprundel's talk about the BSDs last year? It was at DEFCON and then at CCC in December, I think.
03:23
He was talking about whether all BSDs are created equal. Basically, it was an audit of the FreeBSD kernel, of the NetBSD kernel and the OpenBSD one. And in fact, he found like 60 bugs in NetBSD.
03:40
For sure, we weren't happy about it. But one developer fixed all those 60 bugs overnight, so it's a pretty, pretty good result. But we are not happy about it, so we decided to do some quality improvements.
04:01
And there are many projects ongoing to help us nail more bugs in NetBSD. Most of them, or some of them, rather, are connected with fuzzing. We have a few projects sponsored by Google Summer of Code,
04:21
which include AFL, and fancy stuff like that, or syzkaller. But today, I'm going to show you how we can fuzz the NetBSD kernel in user space. Besides that, we also have things that let us nail bugs in kernel space
04:42
by using the address sanitizer on top of the kernel, or the undefined behavior sanitizer, et cetera, et cetera. And in fact, we are now, well, the most sanitized BSD in the world,
05:01
so many interesting projects are ongoing. But a question for you: what is the logo of NetBSD? Orange flag, great. So let me also tell you some trivia
05:21
about NetBSD. Do you know who Proff is? Any ideas? So in fact, it is Julian Assange. He was a NetBSD developer like 20 years ago. And still, his code is in NetBSD.
05:43
So if you are using slattach, I think it's, yes, the slattach program, then you have Julian's code. So the NetBSD logo looked like this a few years ago,
06:03
but now it's like this. But we're gonna pretend like the logo looks like this because it would be easier for me to let you know about the rump kernel.
06:21
So let's pretend that this is the NetBSD kernel. We can call this daemon like maybe Robin. So rump stands for Runnable Userspace Meta Programs. And I don't really know,
06:42
I have no idea what it means. So I decided to dig into documentation and let you try to understand it. So I created this painting to let you know how it works.
07:01
So basically, we want to decompose the NetBSD kernel into pieces, which can be run on top of anything. And in our case, anything means that we are going to run it on top of Linux so we can fix the Linux world with our implementation.
07:25
But in fact, any kernel means that you can run these parts of the NetBSD wherever you want to. From the architecture point of view, it looks like this.
07:40
So there is a little library called rump which gives the primitives that let us run the FS stuff or VFS or inet or whatever we want to. And there is some glue between rump and something.
08:02
It doesn't matter right now what it is. But for example, if we want to run the NetBSD kernel on top of user space, then we should implement rumpuser to give the primitives from user space
08:22
so we can run rump on top of it. For now, you can think about the whole thing as just a very light virtual machine. It's not necessarily true, but less or more, it's like this. But in fact, I also told you that it can be run
08:43
on top of anything, and really it can be run in kernel space, user space, outer space, it really doesn't matter. So why is this cool? So you can run the TCP stack or file system
09:01
or any other part of the kernel in user space. I will show you why this is cool. Later, I have a demo. And in fact, you can also debug things in the user space, which is pretty convenient. Also, for a developer, it's very convenient to run it.
09:28
I can speed up my development process because I don't need to reboot my station, et cetera. Et cetera, have you ever tried to debug kernel?
09:45
Any of you? Is it a task or rather not? You have to set up, yeah, it's a very complicated stuff, so sometimes you need a serial port and connect two machines, it's not that easy.
10:01
I'm going to give you a demo that in NetBSD it's easy. And in fact, you can also use the userland tools on top of the rump kernel, so you can use GDB
10:20
or Valgrind or whatever you want to. So the first demo is to show you the GDB debugger. So, sorry, oops, let me scale it, scale mode.
11:00
So the resolution has changed
11:03
and I don't know if you see it. Is it okay? Okay, so have you ever tried to use DDB? DDB is a debugger built into the NetBSD kernel. You can get into it by some magic key sequence
11:27
and now we are running in kernel space the debugger, but it's pretty simple, the debugger. Much, I mean that many features are not here
11:41
and using that is pretty inconvenient. So I will run the rump kernel on top of Linux and show you how you can debug the NetBSD kernel in user space. So I executed the rump kernel here in GDB
12:08
and it is listening for the connection on port number 10,000. Because rumpctrl is just a tiny script, less or more it's the same as an SSH connection
12:21
to a rump server. And let's pretend that I want to debug the ICMP protocol. So let's set a breakpoint for the function icmp_input. Do you know what icmp_input does?
12:45
Any ideas? No ideas. Yeah, less or more. So let's set a breakpoint, continue a program and what do you think? How I can trigger that breakpoint?
13:06
Sorry? You have to scream because I can't hear you. Any ideas? Ping, yeah. So we're gonna send a ping to the rump machine. So let's try to do it.
13:23
Oh, but first of all, I'm in DDB right here, so let's continue the kernel here. Yes, so rump.ping. I'm not going to show you the details and talk about the details here
13:40
because I want to just show you the idea so you can explore things by yourself. So let's send just one packet there. And as you can see, the breakpoint was fired and we can in very convenient way debug it
14:02
just like any other userland program. And we exploit this fact. Sorry, we exploit this fact to write tests for NetBSD also. I will show you what it looks like. So for example, in this test case, in user space,
14:22
we are checking if our network stack is working properly and we can set up in the user space, program the whole network or the whole network configuration so it's a really powerful tool.
14:42
And another demo is to, sorry, yeah, another demo is to show you how to run the TCP IP stack of the NetBSD on top of the Linux. So you can show to the internet
15:01
only the NetBSD implementation which is running in user space, and then we are going to run, on another box, an HTTPD which is going to use that TCP/IP stack on top of Linux.
15:22
Do you get it? Pretty much, yeah. So you can ask me why I want to do it. I have no idea but it's cool. So let's try to set it up. But first of all, I need to delete my breakpoint so I don't break the demo.
15:43
So let's delete all breakpoints. Yeah. Where is my cursor? It's here, okay. So first of all, I need to configure TCP IP stack on top of the Linux.
16:03
And the driver which lets me do that is called virt, which just creates a tun device on top of Linux. So I can simply configure both the
16:24
rump kernel and Linux, so let's do it. Yeah, so we're going to use rump.ifconfig virt0 create.
16:41
So we created the virt0 device. And we have to assign an IP here. So let's assign an IP like this. Netmask, what's your favorite netmask? Pick any.
17:01
24. So, whoops, sorry. I hope it won't break my demo but let's see. So it should be configured. Let's see. Yes, it is. So we should also set up the Linux part.
17:22
And there is a crazy program right now on Linux; ifconfig is no longer an option. So I hope that you will help me because I'm not the Linux guy. There is ip, oh, let's see if tun0 is here. tun0 is here. We have to set it up.
17:40
So ip addr add, add, 002, 24, dev tun0. Yeah, and I have to set the interface up. And as far as I remember, it's ip set,
18:03
oh, sorry, link set tun0 up. What was wrong with ifconfig? I have no idea, but for some reason now cool kids use ip. So we have a connection, I guess.
18:23
Let's try to ping 001, yeah, we have. So now we created this part. And now we have to run HTTPD, which will proxy the socket syscalls,
18:41
syscalls from box one to box two. So HTTPD can use the TCP/IP stack of the rump server. So let's try to do it. Okay, so this is another box. On the left side I have box two.
19:04
On the right side I have box one. As you can see, it's NetBSD. And NetBSD is shipped with an HTTPD. That HTTPD is called bozohttpd
19:22
and it's a pretty simple daemon. It's like httpd -b -f -e. So I'm going to listen on the port 999, 9999. And which directory do you want to serve to the internet?
19:44
Through the NetBSD stack which is running on top of Linux. etc, yeah, well, it's pretty standard I believe. But we should also do another thing.
20:01
If we execute the HTTPD like this, it's gonna use the native TCP/IP stack. So we have to preload something which is called librumphijack.
20:22
So we simply hijack the socket stuff and proxy it to the other TCP/IP stack. And I wanted to serve /etc. Oh, there is /etc. Okay, so let's see if it works.
20:47
links http, this is 001, which was the TCP/IP stack which we configured. Port number 9999. Which file from /etc do you want?
21:02
Network file. Password file, passwd. Shadow won't work, ah, it's gonna work, but there is no shadow in the BSD world. What is the file called in the BSD world? Any ideas? Yes, master dot, yes, master.passwd.
21:27
Yeah, so it works. So as you can see, it's pretty cool but yeah, why we did that? I have no idea but I will show you another,
21:44
how we can apply the rump kernel another way. So let's get back to the presentation. Well, the cool thing is that if, for example, I am fighting with the Joker. So if he wants to exploit my TCP stack,
22:04
if it's running in user space, I have another layer of security. So maybe that's why we did that. Yeah, and about fuzzing I guess
22:21
that all of you already heard about it. So I'm going to just present a story of the invention of fuzzing. So Professor Barton Miller in 88 was working from the remote on his computer
22:41
and it was a dark and stormy night, and the thunderstorm caused his commands to be mutated, and he noticed that those mutations were making the programs crash, so he thought that maybe it's a good idea
23:03
to use it and see if other programs behave like that. So what would you do if you were Barton Miller? He made an assignment for his students to test it and they were able to crash like 50% of the Unix tools,
23:25
I mean the existing Unix tools, and 30 years later fuzzing went mainstream and there are many flavors of fuzzing. One of them is dumb fuzzing
23:42
and if you ever tried fuzzing, actually dumb fuzzing works, and if you work for academia then probably you are trying to use some feedback driven fuzzing which uses the SMT stuff or not theory and things like that. And I have a comic strip for you about that.
24:04
Just get back to me, yeah. Probably you know that comic strip. I don't know who the author is, but it is so true. Dumb fuzzing usually works pretty well, so don't be scared that you are doing simple things
24:25
because I will show you that it works. So yeah, so to test NetBSD we created something called FuzzRump, which is just a fork of buildrump, which lets you cross compile the rump kernel
24:42
for any POSIX compatible system and in our case any means that it works on top of Ubuntu and don't try any other platform because probably it's not going to work but if you want to port it
25:01
then we will be more than happy. We also realigned the baseline from NetBSD 7 to NetBSD 9, which is going to be released when it's ready.
25:20
But actually it was branched, so we use the current version in FuzzRump, and we also have AFL support and I'm going to show you how it works. And what problems we encountered.
25:40
So in case of allocators many subsystems in the kernel used pattern where they were allocating a big chunk of memory and the problem is that if you want to use address sanitizer then address sanitizer is not aware
26:02
what is happening inside of this big chunk. So instead of allocating one big chunk we wrote patches to allocate just the small ones so we can detect if something is happening
26:21
between those chunks, and we wrote stuff like kmem, pool, et cetera, et cetera. And also the problem is that the rump kernel, if you compile the application which uses the rump kernel, in order to avoid clashes
26:45
between the function names, rump renames every function of the kernel with the prefix rumpns_. And the problem is that the address sanitizer is not able to see that rumpns_memset
27:02
is in fact memset, so we created just a simple library to expose memset instead of rumpns_memset, and using it is as easy as doing a simple preload
27:22
so the address sanitizer can be happy again. And what to look for? Well, you know, the kernel is a little bit different than a userland program, and I mean that if we have a leak in a kernel or something like that and it can be triggered
27:42
from the user, then probably by repeating one leak you can stop the whole kernel, so this is pretty dangerous, and in fact if you use rump you can also use
28:01
the address sanitizer feature which is called leak sanitizer to detect those leaks. So I'm going to show you the dumb use case of the rump kernel. So well, I started this project like two or three years ago
28:22
and it was my first approach to fuzz the kernel. I created a very simple fuzzer which looks like this. I'm going to show you the configuration file of it. It is here.
28:40
So I just provided the prototypes of the syscalls that we have in NetBSD, and it's pretty easy because I just copy and paste the prototype from the code and that's it.
29:02
And I had, thanks to Minervali fuzzer, I had a fuzzer in five minutes and you can execute it like this, TCP. Oh sorry.
29:24
Let's try with 10 iterations. So it simply calls the random functions with the random arguments and in fact we were able to find a lot of bugs using it
29:42
which is quite embarrassing, right? Because we are rather not supposed to have bugs like that in the kernel, but if we use the address sanitizer then we nail bugs which do not necessarily cause a panic of the kernel or things like that. They were just harmless bugs, but in fact they were bugs.
30:05
I have maybe here, yeah. I have here the example report from the fuzzing session. Let's take this one. So we found bugs like two years ago and it was fixed
30:24
and then I had a two years break, and I wanted to check if I can use AFL on top of the rump kernel. Well, it wasn't a trivial task to port,
30:41
but we managed to compile rump using afl-clang and things like that, and I'm going to show you how easy it is to fuzz NetBSD with AFL. So if you want to do it, you have the FuzzRump clients.
31:05
For now I will show you the FFS example which is just the file system. So we have here simply we are mounting the file
31:22
which is provided in the arguments of this client. So we just wrote 15 lines of code and we are able to run it in the AFL and find the bugs and I will show you that we in fact found some bugs
31:43
but let me log in here. Well, I'll show you the crash we found recently in the ext2 file system. Yeah, yeah I know, thank you.
32:01
So in order to mount the crash.img you have to do it this way. So it's kind of a loop in the Linux world, and then we're going to mount it: ext2fs, loop zero, /mnt,
32:24
and what do you think? What's going to happen? Crash, yeah, yeah so it crashed and it was fun thanks to 15 lines of code in AFL
32:40
it's a division by zero bug in ext2fs, but in fact if you want to exploit that you have to be root, so it's pretty harmless and that's why I show it publicly right now, and we also decided that the FFS stuff is,
33:03
well I would say that we expected to find the many bugs in file systems because if you mount, you know, unknown image then you are not responsible
33:22
so we thought that fuzzing the network could be more interesting, and our first approach was to use just the raw sockets in the rump kernel, but we had a problem that we didn't know when the packet is handled by the kernel
33:42
because there is, for example, if you send an IP packet to NetBSD it's handled by a soft interrupt and we don't know when it's going to be fired up, so we decided to, well, it's another cool feature
34:01
that from the point of view of the application you can call any kernel function, which is cool, but well, we are abusing our API here a little bit, so I'll show you what it looks like.
34:23
Let's get back to the terminals. We have here program called net input. Net input is a program that reads a packet
34:41
from the standard input and simply pushes it to the network stack. We call here the function fuzzrump_ip_input, and we implemented that function in our kernel; I will show you the implementation. src/sys/netinet/ip_input.
35:08
FuzzRump. So yeah, here we have the implementation of the function that feeds the network stack. So it just puts the data into the mbuf
35:24
and pushes it to the ip_input function. We also had to pretend like we are the soft interrupt, but it's harmless. And what do you think, by using this approach, how many bugs have we found so far?
35:42
And you should ask me Batman but what about the checksums and stuff like that? If you mutate packets then you're going to have invalid packets because of the checksums. So I showed you that we are feeding the loop back here
36:02
and the device and the checksum are turned off there so we don't have to care about it. And how many bugs we have found? What do you think? 20, any other ideas? So we have found nothing, nothing yet at least
36:21
which is both pretty cool. As a developer I'm really proud of it. As a bug hunter I'm pretty sad about it but it's not that our effort is meaningless because now we have a corpus that of the packets that covers
36:42
pretty much of our network stack. So we can test every change by running this corpus to see if anything is broken. And in fact it wasn't a big surprise, because the network stack is pretty well tested in the wild. If you ever connected any box to the internet
37:03
you know that a lot of very special packets are there. Everyone is trying to scan you, et cetera, et cetera so it's not a big surprise. But at least we are not noobs
37:20
because we run the NetBSD kernel in user space, we can compile with AFL, and finally we want to cover more drivers, especially the Wi-Fi stack and the Bluetooth stuff. If you want to help us, we would be more than happy to cooperate with you.
37:43
We can also try to integrate this project with OSS-Fuzz by Google. So we can have reports from them that we, well, have a broken kernel or something like that.
38:05
So I also know that other operating systems like Linux have the same things as rump. I don't know if it's working or not. Maybe you would tell me. For example in Linux there is libOS.
38:21
Have you ever tried to use it? Not really. But I think that it's not as advanced as the rump stuff. So maybe you can work on it. Yeah, and I also want to say a big thank you
38:42
especially to Miho who helped me a lot. Do you have any questions?
39:01
Great, so if you have questions we have a microphone angel standing over there. And we have perhaps some questions from the internet for Batman. No questions for Batman. The internet is very disappointing this evening. But here we have a question. Thanks for a nice talk.
39:21
You're welcome. As I understand, you started your project before syzkaller started to support BSD, right? Yes, syzkaller was implemented last year I think, as a part of the Google Summer of Code. I started my project like in 2017, but my free time, I'm a superhero,
39:42
so my free time is, well, I don't have much free time. But anyway it is really great. Thank you very much. And if we compare your approach with, I would say, native fuzzing inside of virtual machine.
40:02
Do you have any better things? Well, currently there was a blog post on the NetBSD blog about fuzzing file systems using AFL and kcov, which is coverage from the kernel.
40:23
There is a special device in the dev tree. So you can run a syscall and see which functions were triggered. The guy who wrote this blog, I think,
40:41
he was able to run like 40 executions per second and using this approach, we can do a few hundred tests per second. Like in case of the network stuff, we are able to inject like 10,000 packets per second.
41:03
And the problem right now is that it's my hobby project mostly. I think that, well, you can use the kcov stuff on top of the rump kernel. So getting the coverage is pretty easy.
41:20
You can run AFL and see which branches are triggered or not. And then you can put the test cases for those branches inside your corpus and run AFL again. But it takes time.
41:43
It's not necessarily exciting task. So if you want to help us with it, then you are more, well, I'll be very happy about it. And a small additional question about net. So do you have some descriptions of protocols,
42:03
network protocols to have more efficient fuzzing, or you just leave it to AFL? Well, I built my corpus, I took the test from honggfuzz, they implemented pretty much the same thing for Linux,
42:22
but it's not working in user space. But they have a big corpus of packets. And I simply took it and tried how it works with NetBSD. And sorry, last one. And then we have to ask the internet
42:41
if there's any internet questions. So this is your last one. As I understand, you fuzz as root, or super user. Yes, well, it doesn't matter if it runs as root or not. You can run as a normal user. But the thing is that if you want to use super features
43:03
like the virtual interface and things like that, you need a super user power. And maybe I showed you the demos as a super user because I'm a superhero, so that's it. Great, any last thoughts from the internet?
43:23
No last thoughts from the internet. Then a last thought from us here for Bruce Wayne, let's hear it. Thanks.