Friday, December 6, 2013

What's a fuzz?

In my next post I'll be explaining the purpose behind my new tool, bytefinder, and how it works. Before we get into that, I'll give a brief intro to fuzzing, what it is, how to do it, and why you should use it. Feel free to skip this intro, or just read parts of it if you think you know your stuff. ;)

What is fuzzing?
The idea behind fuzzing is that a sufficiently complex program (specifically, one designed to accept a practically unlimited variety of different inputs, such as packets or files) cannot possibly know how to correctly parse and handle every one of those inputs (throwing errors when the input is invalid).
Fuzzing is a technique that consists of repeatedly and intentionally providing a program with invalid (and in some cases, random) input in an attempt to evade the parser's error handling and cause the program to behave erratically. These behaviors include, but are not limited to: crashing the program, halting it, leaking memory, bypassing input sanitization checks, etc.
The two most common targets of fuzzing are file formats and network protocols; any input can be fuzzed, however. Check this out for more info.

How would I go about this?
The real answer is that it depends on what you're fuzzing. In my case, I'm fuzzing MobileSafari using file containers, so the methodology is fairly simple: open a file parsable by MobileSafari using a hex editor, modify several bytes, save the modified file, and view it with MobileSafari. 
Obviously, doing this one time doesn't have a very high chance of causing a crash--that's why you'd do it thousands of times. There are tools which completely automate the creation and injection of files into MobileSafari using fancy engines (I even wrote one myself). It's not really something I'm going to get into in this post, however. See Nexuist's beginner guide on that here for more info, or just add 'http://repo.tihmstar.org' in Cydia and play with some of the tools in there. (I recommend using them on a restorable (A4) test device with blobs; there's a good possibility you can mess something up and have to restore.) Actually, add that repo anyway because you'll need it later on.
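The byte-modification loop described above, as an added Python example (not the post's own bytefinder tool or any of the Cydia tools mentioned): it mutates a few random bytes of an input file, leaves a configurable header untouched so the target actually parses past the magic number, and records a seed plus a mutation log so a case that crashed can be rebuilt exactly. The sample input and file names are constructed for the example.

```python
"""Byte-flipping mutation fuzzer for file inputs (added example; stdlib only)."""
import random
from pathlib import Path


def mutate(data: bytes, n_bytes: int, seed: int, protect: int = 0):
    """Overwrite n_bytes random positions with random byte values.

    The first `protect` bytes (e.g. the file magic) are left alone so the
    parser gets past the header instead of rejecting the file outright.
    Returns (mutated, log); log is a list of (offset, old, new), and the
    seed or the log lets you rebuild exactly the case that crashed.
    """
    if len(data) <= protect:
        raise ValueError("nothing left to mutate after protected header")
    rng = random.Random(seed)
    buf = bytearray(data)
    log = []
    for _ in range(n_bytes):
        off = rng.randrange(protect, len(buf))
        old = buf[off]
        new = (old + rng.randrange(1, 256)) % 256  # always differs from old
        buf[off] = new
        log.append((off, old, new))
    return bytes(buf), log


def apply_log(data: bytes, log):
    """Replay a mutation log on the original bytes to reproduce a case."""
    buf = bytearray(data)
    for off, old, new in log:
        if buf[off] != old:
            raise ValueError(f"log does not match input at offset {off}")
        buf[off] = new
    return bytes(buf)


def write_cases(original: bytes, out_dir: Path, count: int, n_bytes: int,
                protect: int = 0, base_seed: int = 0):
    """Write one mutated file per seed, named after the seed for replay."""
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for seed in range(base_seed, base_seed + count):
        path = out_dir / f"case_{seed}.bin"  # constructed file name
        path.write_bytes(mutate(original, n_bytes, seed, protect)[0])
        paths.append(path)
    return paths
```

Call `write_cases(open_bytes, Path("cases"), count=1000, n_bytes=3, protect=8)` on a file the target already opens cleanly, then feed each case to the target; when one crashes, its seed in the file name (or the log from `mutate`) reproduces it.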

But why??!?!?!1!?eleven!?
The erratic behaviors sometimes caused by fuzzing (crashing the program, halting it, leaking memory, failing error handling, bypassing input sanitization checks, etc.) are desired because they occasionally hint at deeper, underlying vulnerabilities that can potentially be exploitable (hacking things is the goal here). Why exploit things? So we can get The Cydia™, obviously. ;)

Closing remarks:
When I first started fuzzing MobileSafari, I assumed it would be like throwing crap at the wall hoping something would stick. Once I got started, I realized it's more like throwing rocks at a tree--almost none of them stick, and most of the time, you miss the tree entirely. The key here is to be patient and pick rocks that look sticky. (Okay, so it's not a perfect analogy. Deal with it. :P)
A wise man once said, "Never give up, never surrender!" If you don't get any crashes, keep trying, eh?

The Cydia™ is a trademark of the "and then i deleted", LLC (formerly SaurikIT, LLC). Any and all opinions stated herein belong to iH8sn0w.
