Slide 2
Agenda
Introduction to Peach 2
Data mutations
Peach State Machine
Peach Farm
Peach in The Middle
Slide 3
Introduction to Peach 2
Slide 4
Peach 1
Framework for writing fuzzers
Instrumentation via wrapper APIs
No data definition layer (DDL), just fuzzer
Steep learning curve
Complex fuzzers result in complex fuzzer code
Slide 5
Peach 2
Reduce creation time and simplify fuzzer generation
Fuzzer platform, not framework
Modeling-based approach
Fault detection
Lower learning curve
Slide 6
Modeling Based Fuzzing
Model types and data
Model state machine
Support models with data sets
Mutate models with mutators
Slide 7
Model Data: Types
[Diagram: data model drawn as typed fields. Recoverable labels: INT, Flags, Len, STRING, DATA]
Slide 8
Model Data: Relationships
[Diagram: the same typed fields with relationships between them. Recoverable labels: INT, Flags, Len, STRING, DATA]
Slide 9
Model Data: State Model
[Diagram: state model. Recoverable labels: Packet A, Packet B-1, Packet B-2, Packet C-1, Packet C-2, Packet D]
Slide 10
Benefits of Modeling
Easy reuse of definitions
Complex mutations can be applied to a model
Improvements to data generation or mutation independent of model
Data read into definition as well as generated
Slide 11
Data Modeling
Define structure of data
Define relations in data
Reuse definitions
Block
Sequence
Choice
String
Number
Flags/Flag
Blob
Relation
Transformer
Slide 12
State Modeling
Slide 13
State Modeling
Stream (TCP, UDP, Files): Connect, Accept, Input, Output, Close
Call (COM, RPC, SOAP): Call, Method, Parameters, Result
Slide 14
State Modeling: Stream
State Machine
[Diagram: state machine with steps numbered 1 to 5]
Slide 15
State Modeling: Stream
State Machine
[Diagram: state machine showing steps 1 and 5]
Slide 16
State Modeling: Stream
State Machine
[Diagram: state machine with steps numbered 1 to 4]
Slide 17
State Modeling: Call
State Machine
[Diagram: state machine with steps numbered 1 to 3]
Slide 18
Data Mutations
Slide 19
Mutation: String
“?k1=v+1&k2=v2”
40,000+ variations
Slide 20
Mutation: Number
00
Interesting Edge Cases
FFFFFFFFFFFFFFFF
Slide 21
Mutation: Size Relation #1
[Diagram. Recoverable labels: Length, Data]
Slide 22
Mutation: Size Relation #2
[Diagram. Recoverable labels: Length, Data, 200 Bytes]
Slide 23
Mutation: Size Relation #3
[Diagram. Recoverable label: Data & Length]
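An added example (not from the slides and not Peach's own code) of mutating a size relation on a constructed record: a 2-byte big-endian length followed by data. The slide figures are not recoverable, so the three strategies below (length only, data only, data and length together) are an assumed reading of #1 to #3, and all names are hypothetical.

```python
import struct

# Edge-case values for an unsigned 16-bit length field (constructed list;
# not Peach's own mutator table).
EDGE_LENGTHS = [0, 1, 0x7F, 0x80, 0xFF, 0x100, 0x7FFF, 0x8000, 0xFFFF]


def build(data: bytes, length=None) -> bytes:
    """Serialize the record; the length follows the data unless overridden."""
    if length is None:
        length = len(data)
    return struct.pack(">H", length & 0xFFFF) + data


def size_relation_cases(data: bytes, grow_to: int = 200):
    """Yield (strategy, wire_bytes) test cases for a size relation."""
    true_len = len(data)
    # Strategy 1: change only the length, data untouched (relation broken).
    for n in EDGE_LENGTHS + [true_len - 1, true_len + 1]:
        if n != true_len and 0 <= n <= 0xFFFF:
            yield "length-only", build(data, n)
    # Strategy 2: grow only the data, keep the stale length (relation broken).
    grown = (data * (grow_to // max(true_len, 1) + 1))[:grow_to]
    yield "data-only", build(grown, true_len)
    # Strategy 3: change data and length together (relation still holds),
    # which exercises code behind a length check instead of failing it.
    for n in (0, 1, grow_to, 0xFFFF):
        yield "data-and-length", build((data * (n // max(true_len, 1) + 1))[:n])


def relation_holds(wire: bytes) -> bool:
    """What a strict parser would check before trusting the length."""
    (declared,) = struct.unpack(">H", wire[:2])
    return declared == len(wire) - 2


if __name__ == "__main__":
    for strategy, wire in size_relation_cases(b"hello"):
        print(f"{strategy:16} declared={wire[:2].hex()} "
              f"actual={len(wire) - 2} consistent={relation_holds(wire)}")
```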
Slide 24
Mutation: State
[Diagram: state model. Recoverable labels: Packet A, Packet B-1, Packet B-2, Packet C-1, Packet C-2, Packet D]
Slide 25
Mutation: State
[Diagram: state model. Recoverable labels: Packet A, Packet B-1, Packet B-2, Packet D]
Slide 26
Mutation: State
[Diagram: state model. Recoverable labels: Packet A, Packet B-1, Packet B-2, Packet D]
Slide 27
Add Custom Mutators
Sling some Python
Add additional mutations
Specific mutations
Etc.
Slide 28
Fault Detection and Data Collection
Slide 29
Agents & Monitors
[Diagram. Recoverable label: Peach]
Slide 30
2 Tier Configuration
[Diagram with elements numbered 1 to 6]
Slide 31
Monitors
Debuggers
Process Monitor
Memory Monitor
Network Capture
VM Control (snapshot, revert)
Networked Power Strips (cycle power)
Easy to implement custom monitors
Slide 32
Peach Development
Slide 33
Documented XML Schema
Slide 34
Peach Builder
Slide 35
Peach Shark
Slide 36
Peach Farm
Massively Parallel Fuzzing
Slide 37
Peach Farm
Adam Cecchetti
Massively Parallel Fuzzing
Scales from 1 to 10,000 nodes
Choose your Virtual Platform/Hosting
EC2, Xen, VMware, etc.
Utilizes Map/Reduce Algorithm
Map: Maps the fuzzing cases to indexes and results
Reduce: Reduces fuzzing results to interesting cases
Metric based: Time, size, diff, expected errors, OS faults, crashes
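A sketch of the map/reduce split described on this slide, as an added example that is not Peach Farm's code: the map step keys constructed result records by test-case index, and the reduce step keeps only cases that stand out on three of the listed metrics (time, size, crashes). The record fields, node names and thresholds are assumptions.

```python
from statistics import median

# Constructed results as fuzzing nodes might report them (hypothetical fields).
RESULTS = [
    {"node": "n1", "case": 0, "secs": 0.21, "resp_size": 512, "crash": None},
    {"node": "n1", "case": 1, "secs": 0.20, "resp_size": 512, "crash": None},
    {"node": "n2", "case": 2, "secs": 0.22, "resp_size": 0, "crash": "access violation"},
    {"node": "n2", "case": 3, "secs": 4.90, "resp_size": 512, "crash": None},
    {"node": "n3", "case": 4, "secs": 0.19, "resp_size": 9000, "crash": None},
    # Same case replayed on another node: must not be reported twice.
    {"node": "n3", "case": 2, "secs": 0.23, "resp_size": 0, "crash": "access violation"},
]


def map_results(results):
    """Map: key every result record by its test-case index."""
    mapped = {}
    for r in results:
        mapped.setdefault(r["case"], []).append(r)
    return mapped


def reduce_interesting(mapped, time_factor=5.0, size_factor=4.0):
    """Reduce: keep cases whose metrics stand out from the run's median."""
    flat = [r for rs in mapped.values() for r in rs]
    med_t = median(r["secs"] for r in flat)
    med_s = median(r["resp_size"] for r in flat)
    interesting = {}
    for case, rs in sorted(mapped.items()):
        reasons = set()
        for r in rs:
            if r["crash"]:
                reasons.add("crash: " + r["crash"])
            if r["secs"] > time_factor * med_t:
                reasons.add("time")
            if med_s and r["resp_size"] > size_factor * med_s:
                reasons.add("size")
        if reasons:
            interesting[case] = sorted(reasons)
    return interesting


if __name__ == "__main__":
    for case, reasons in reduce_interesting(map_results(RESULTS)).items():
        print(f"case {case}: {', '.join(reasons)}")
```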
Slide 38
Peach in The Middle
What’s Next?
Slide 39
Peach in The Middle
[Diagram. Recoverable labels: Client, Server, Peach, Controller, Agent, Data Model]