The road to efficient Android fuzzing


By www.census-labs.com
On [2015-09-24] at 17:26:06



In the aftermath of the recent Android stagefright vulnerabilities, efficient fuzz testing techniques and tools for the Android ecosystem are again in the spotlight. In this post we would like to share some of the fuzz testing experience we have gained through our projects and show how it can be applied in the Android world. Additionally, we'll list some of the public contributions we've made to open source tools, aiming to help the community focus more on the target and less on the tooling.

The race for unique crashes

When fuzzing campaigns are completed, researchers expect to proceed with the investigation of crashes (bug triaging) rather than separating duplicates and going through garbage information. As such, every decent fuzzing tool or framework offers either post-run or runtime unique crash detection logic. While many prefer to filter unique crashes at the post-run stage, we strongly believe that it is more efficient to implement this at runtime, especially for target environments with limited native debugging capabilities (e.g. Android OS) that require time-consuming remote analysis sessions. For example, in our initial fuzzing work against the new Android ART runtime [1], each post-run GDB-scripted analysis was costing 6-10 seconds per crash. This is a big cost, especially when one considers the case where the same low hanging fruit bug is triggered over and over again.

The most common unique crash filtering technique is to unwind the stack of the thread that triggered the abnormal behavior and use frame information to construct a signature of the crash. Depending on the fuzzing environment characteristics (OS, security controls, etc.) and the target application, the available frame information might vary greatly, affecting the fingerprinting logic. Hence, the decision algorithm that identifies a unique bug must cater for the above target characteristics (ASLR, sanitizer-enabled builds, symbols, etc.)
without requiring a manual tuning or code refactoring effort per target.

Moving to the implementation details, post-run analysis tools prefer to utilize debuggers with scripting capabilities (GDB, LLDB, WinDBG, etc.) to unwind and collect frame information. Runtime analysis tools require either a built-in unwinder (e.g. libunwind) or a target-aware dynamically linked backtrace library (e.g. libbacktrace for Android OS 5.0). For our Android fuzzing projects, we preferred the option of a built-in unwinder in order to avoid the dependency and versioning nightmare. Balancing our limited options, we chose libunwind [2] and patched it to support Android NDK cross-compilation for arm, arm64, x86 and x86_64 CPUs. A fully Android-compatible libunwind is also maintained by Google in the AOSP tree, used internally by libbacktrace [3]. We prefer to use a vanilla upstream fork of libunwind, because this AOSP mirror contains significant changes in order to support the Android debuggerd business requirements.

Having the unwinder available at runtime, the next step was to write a frame fingerprinting algorithm that could also be applied to the Android OS. After a series of discussions with argp, fel1x and others, the following algorithm was selected for the signature hash:

If ProcFS maps read is available:
- Parse the target's ProcFS maps
- Calculate each frame's relative PC
- Use relative PC + file name (if the region was mapped from a file) of each frame as the frame fingerprint
- Hash the first N most important frames to create the crash signature

If ProcFS maps read is not available:
- Use the last 3 nibbles of each frame's PC as the frame fingerprint
- Hash the first N most important frames to create the crash signature

Relative PC and the 3 least significant address nibbles ensure that, in cases where disabling ASLR is not an option, hash signatures will maintain their values across runs. Additionally, it ensures that if the same binaries are loaded on different systems (e.g. different Nexus devices), the unique signatures will be valid across all devices.
The number of frames that construct the signature is a trade-off that highly depends on the code structure of the target. Usually we default it to 7 frames and this appears to be a good trade-off for most targets. Our built-in libunwind support and parts of the signature algorithm have been contributed to the honggfuzz open source project [4] as part of the Linux/Android PTRACE backend.

Blacklisting triaged crashes

The initial fuzzing campaigns usually produce crashes that to a large extent (50%-70%) are caused by non-exploitable bugs. To avoid carrying that noise into future campaign rounds, a blacklist file is maintained for each fuzzing target setup. We reuse the previous stack hash algorithm to assemble a list of hashes that represent non-interesting crashes. This list is then fed to the fuzzing engine, which skips them if they are found again during the campaign. A honggfuzz stack hash blacklisting feature has been committed here [5] and will be pushed upstream soon.

Automatic runtime reports

In highly successful fuzzing campaigns (i.e. campaigns that have identified a large number of unique crashes) there's always the dilemma of where to start the analysis from. Some have the charisma to randomly pick the most promising crashes. For the rest of us, investigating additional contextual data helps a lot in the prioritization process.
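The signature algorithm from the previous section and the blacklist that reuses it, as an added example in C that is not census-labs' code and not honggfuzz's implementation: it parses constructed /proc/<pid>/maps text, hashes the first 7 frames either as (relative PC, backing file name) pairs or, when maps are unavailable, as the low 3 nibbles of each PC, and checks the result against a newline-separated blacklist. FNV-1a as the hash, the maps text, the frame offsets and every name (map_region_t, crash_signature, blacklisted, sig_for) are this example's assumptions; so is the treatment of a PC that falls outside every mapped region (hashed unchanged), which the post does not specify.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MAPS   32
#define SIG_FRAMES 7                        /* default frame count from the post */
#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME  0x100000001b3ULL

typedef struct { uint64_t start, end; char path[128]; } map_region_t;   /* path is "" when anonymous */

/* Parse text in /proc/<pid>/maps layout; returns the number of regions stored in out. */
int parse_maps(const char *text, map_region_t *out, int max) {
    int n = 0;
    for (const char *p = text; *p && n < max; ) {
        unsigned long long s, e, off, ino;
        char perms[8], dev[16], path[128] = "";
        int k = sscanf(p, "%llx-%llx %7s %llx %15s %llu%*[ ]%127[^\n]", &s, &e, perms, &off, dev, &ino, path);
        if (k >= 6) {                        /* k == 6: anonymous mapping, no backing file */
            out[n].start = s; out[n].end = e;
            snprintf(out[n].path, sizeof out[n].path, "%s", k == 7 ? path : "");
            n++;
        }
        const char *nl = strchr(p, '\n');
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

static const map_region_t *find_region(const map_region_t *m, int n, uint64_t pc) {
    for (int i = 0; i < n; i++) if (pc >= m[i].start && pc < m[i].end) return &m[i];
    return NULL;
}

static uint64_t fnv1a(uint64_t h, const void *data, size_t len) {
    const unsigned char *b = data;
    for (size_t i = 0; i < len; i++) { h ^= b[i]; h *= FNV_PRIME; }
    return h;
}

/* Signature over the first SIG_FRAMES frames (FNV-1a is this example's choice of hash).
 * maps != NULL: hash (pc - region start) per frame, plus the file name when the region is
 *               file-backed; a pc outside every region is hashed as-is (assumption).
 * maps == NULL: ProcFS unreadable, so only the low 3 nibbles of each pc are hashed. */
uint64_t crash_signature(const uint64_t *pcs, int nframes, const map_region_t *maps, int nmaps) {
    uint64_t h = FNV_OFFSET;
    int limit = nframes < SIG_FRAMES ? nframes : SIG_FRAMES;
    for (int i = 0; i < limit; i++) {
        const map_region_t *r = maps ? find_region(maps, nmaps, pcs[i]) : NULL;
        uint64_t fp = !maps ? (pcs[i] & 0xfff) : r ? pcs[i] - r->start : pcs[i];
        h = fnv1a(h, &fp, sizeof fp);
        if (r && r->path[0] == '/') h = fnv1a(h, r->path, strlen(r->path));
    }
    return h;
}

/* Blacklist lookup: list holds newline-separated 16-digit hex signatures of triaged, uninteresting crashes. */
int blacklisted(const char *list, uint64_t sig) {
    char needle[17];
    snprintf(needle, sizeof needle, "%016" PRIx64, sig);
    for (const char *p = list; *p; p = strchr(p, '\n') ? strchr(p, '\n') + 1 : "")
        if (strncmp(p, needle, 16) == 0 && (p[16] == '\n' || p[16] == '\0')) return 1;
    return 0;
}

/* Constructed maps of two runs of one target; only the ASLR load bases differ between them. */
static const char MAPS_RUN_A[] =
    "7f2a10000000-7f2a10020000 r-xp 00000000 08:01 4242 /system/lib64/libtarget.so\n"
    "7f2a20000000-7f2a20100000 r-xp 00000000 08:01 17 /system/lib64/libc.so\n"
    "7f2a30000000-7f2a30010000 rwxp 00000000 00:00 0\n";
static const char MAPS_RUN_B[] =
    "7f9c40000000-7f9c40020000 r-xp 00000000 08:01 4242 /system/lib64/libtarget.so\n"
    "7f9c50000000-7f9c50100000 r-xp 00000000 08:01 17 /system/lib64/libc.so\n"
    "7f9c60000000-7f9c60010000 rwxp 00000000 00:00 0\n";
/* Frame offsets of two distinct crashes: libtarget, libtarget, libc, anonymous (JIT) region. */
static const uint64_t CRASH_1[4] = { 0x1234, 0x2a80, 0x5678, 0x100 };
static const uint64_t CRASH_2[4] = { 0x1234, 0x3f10, 0x5678, 0x100 };

static uint64_t sig_for(const char *maps_text, const uint64_t off[4], int use_maps) {
    map_region_t maps[MAX_MAPS];
    int n = parse_maps(maps_text, maps, MAX_MAPS);
    uint64_t pcs[4] = { maps[0].start + off[0], maps[0].start + off[1], maps[1].start + off[2], maps[2].start + off[3] };
    return crash_signature(pcs, 4, use_maps ? maps : NULL, n);
}

/* 1 if crash 1 hashes identically in both runs, with and without maps, and differs from crash 2. */
int demo_signature_stability(void) {
    uint64_t a = sig_for(MAPS_RUN_A, CRASH_1, 1), b = sig_for(MAPS_RUN_B, CRASH_1, 1);
    uint64_t a2 = sig_for(MAPS_RUN_A, CRASH_1, 0), b2 = sig_for(MAPS_RUN_B, CRASH_1, 0);
    return a == b && a2 == b2 && a != sig_for(MAPS_RUN_B, CRASH_2, 1);
}

/* 1 if a triaged signature is skipped while an unknown one is not. */
int demo_blacklist(void) {
    uint64_t sig = sig_for(MAPS_RUN_A, CRASH_1, 1);
    char list[40];
    snprintf(list, sizeof list, "%016" PRIx64 "\n%016" PRIx64 "\n", 0x0123456789abcdefULL, sig);
    return blacklisted(list, sig) && !blacklisted(list, sig ^ 1);
}

int main(void) {
    printf("crash 1 signature (run A): %016" PRIx64 "\n", sig_for(MAPS_RUN_A, CRASH_1, 1));
    printf("stable across ASLR bases: %d, blacklist works: %d\n", demo_signature_stability(), demo_blacklist());
    return 0;
}
```

Both runs load the same libraries at different bases, so the relative-PC signatures agree while the raw PCs would not; the no-maps fallback agrees as well because ASLR shifts are page-aligned and leave the low 12 bits untouched, which is exactly why the post settles on 3 nibbles.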
Inspired by the initial honggfuzz report created by robertswiecki, we save the following information at runtime for each identified unique and non-blacklisted crash:
- Fuzzer configuration
- Fuzzing target configuration and invoking arguments
- Original seed file name used to generate the test case (for mutation-based cases only)
- PID of the crashed target process
- Signal type/code
- Fault address, if available (depends on the crash signal type)
- Crash instruction assembly (via statically compiled libcapstone)
- Stack hash signature
- Full unwound backtrace (doesn't stop at the major N frames of the signature)
- ProcFS maps copy, if available
- Register values at the crashing frame

We've contributed most of our Android-specific crash reporting features to upstream honggfuzz [4].

The road towards a native fuzzing framework

In order to efficiently perform fuzz testing against Android OS systems, we developed fully native C/C++ engines (fuzzing core, data generation, etc.) that could run on target devices without requiring remote host support. Although dealing with the Android internals (debuggerd, ptrace, signal masking, bionic restrictions, compatibilities, etc.) was seen as a significant cost during initial development, it was a cost that we decided to pay, aiming at better results. Of course a maintenance cost will always remain, caused mainly by the Android OS evolution and vendor fragmentation. And that is one more reason behind our decision to publicly contribute part of our work, so that community feedback can hopefully balance it out.

Once we had a stable and robust fuzzer core to work with, we were left to develop a data generation engine that would stress test each target application. Until recently our approach was to add the target-specific data generation logic to the fuzzer core, as we didn't want to pay the cost of an additional execve per iteration to invoke external tools. This approach resulted in big fragmentation and significant backport cost while we were adding features to the fuzzing engine.
As such we took a step back and decided to upgrade the fuzzing engine into something more modular that can easily interface with 3rd party code through extensions. File format fuzzing (parsers, decoders, etc.) is a nice example of how researchers can benefit from the proposed extensions approach. In order to efficiently fuzz such targets, a common strategy under the mutation-based philosophy is to apply smart mutations against the original corpus, while at the same time respecting parts of the target format structure (header metadata, CRCs, etc.). Open source libraries and public tools can be easily chained together to accomplish this task. On the same note, native extensions are implemented by exporting a set of callbacks that will be triggered by the fuzzing engine. Callbacks are exported for the 5 main steps of a fuzzing campaign:
1. Initialization phase (corpus pre-parsing)
2. Per fuzzing iteration data preparation (decision on the mangling algorithm; prepare/resize data buffers)
3. Per fuzzing iteration data mangling
4. Per fuzzing iteration post-mangle fix-ups (repair checksums, metadata, headers, etc.; discard the iteration if some requirements haven't been met)
5. Crash detection post-event (in case additional triaging automation is desired)

Native extensions are activated at compile time. They can make use of existing codebases (libraries, parsers, header definitions, etc.) and can be maintained as standalone entities. This cuts down on the tooling cost significantly, as math libs, file parsers and other libraries available in native code can be reused. In order to get further feedback from the community we decided to port part of this approach to the honggfuzz engine. On the master-dev branch [6] one can find a prototype implementation of the extension callbacks feature. As a proof of concept, sample PNG and DEX file format fuzzing extensions have been pushed under the extensions directory.
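The five callback steps listed above, as an added example in C that is not honggfuzz's extension API and not census-labs' code: a toy engine loop drives an extension for a constructed "TOYF" format (magic, length, body, CRC32), where step 1 validates the corpus, step 2 picks the mangler, step 3 mutates only the body, step 4 repairs the CRC or discards a no-op mutation, and step 5 counts crash post-events. The callback signatures, the format, the xorshift mutator and every name (fuzz_ext_t, toy_ext, run_campaign, toy_parse) are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy format: "TOYF" | u32 LE body length | body | u32 LE CRC32 over all preceding bytes. */
#define HDR 8
#define CRCSZ 4
#define MAX_CASE 256

/* Callback table with one slot per campaign step; the signatures are this example's assumption. */
typedef struct {
    int  (*init)(const uint8_t *corpus, size_t len);                        /* 1: corpus pre-parsing */
    int  (*prepare)(uint8_t *buf, size_t cap, size_t *len, uint64_t it);    /* 2: choose mangler, size buffer */
    void (*mangle)(uint8_t *buf, size_t len, uint64_t it);                  /* 3: data mangling */
    int  (*fixup)(uint8_t *buf, size_t len);                                /* 4: repair CRC; 0 = discard */
    void (*crash)(const uint8_t *buf, size_t len);                          /* 5: crash post-event */
} fuzz_ext_t;

static uint32_t crc32_buf(const uint8_t *d, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= d[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}
static uint32_t rd32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Build a well-formed seed into buf; returns its total length (0 if it does not fit or body is empty). */
size_t make_seed(uint8_t *buf, size_t cap, const uint8_t *body, size_t bodylen) {
    size_t total = HDR + bodylen + CRCSZ;
    if (total > cap || bodylen == 0) return 0;
    memcpy(buf, "TOYF", 4);
    wr32(buf + 4, (uint32_t)bodylen);
    memcpy(buf + HDR, body, bodylen);
    wr32(buf + HDR + bodylen, crc32_buf(buf, HDR + bodylen));
    return total;
}

/* Stand-in for the target's parser: 1 if magic, length field and CRC all agree, else 0. */
int toy_parse(const uint8_t *buf, size_t len) {
    if (len < HDR + CRCSZ || memcmp(buf, "TOYF", 4) != 0) return 0;
    if ((size_t)rd32(buf + 4) + HDR + CRCSZ != len) return 0;
    return rd32(buf + len - CRCSZ) == crc32_buf(buf, len - CRCSZ);
}

/* The extension: static state, compiled in (the post's extensions are activated at compile time). */
static const uint8_t *g_seed; static size_t g_seedlen; static int g_algo, g_crashes;
static int ext_init(const uint8_t *corpus, size_t len) {
    if (!toy_parse(corpus, len) || rd32(corpus + 4) == 0) return -1;       /* refuse a malformed corpus */
    g_seed = corpus; g_seedlen = len; return 0;
}
static int ext_prepare(uint8_t *buf, size_t cap, size_t *len, uint64_t it) {
    if (g_seedlen > cap) return -1;
    memcpy(buf, g_seed, g_seedlen); *len = g_seedlen;
    g_algo = (int)(it % 2);                                  /* 0: flip one bit, 1: overwrite one byte */
    return 0;
}
static uint64_t xs64(uint64_t *s) { *s ^= *s << 13; *s ^= *s >> 7; *s ^= *s << 17; return *s; }
static void ext_mangle(uint8_t *buf, size_t len, uint64_t it) {
    size_t bodylen = len - HDR - CRCSZ;
    uint64_t s = it * 0x9E3779B97F4A7C15ULL + 1;             /* deterministic per iteration */
    size_t off = HDR + (size_t)(xs64(&s) % bodylen);        /* header and CRC are never mangled */
    if (g_algo == 0) buf[off] ^= (uint8_t)(1u << (xs64(&s) % 8));
    else             buf[off]  = (uint8_t)xs64(&s);
}
static int ext_fixup(uint8_t *buf, size_t len) {
    if (memcmp(buf + HDR, g_seed + HDR, len - HDR - CRCSZ) == 0) return 0;  /* no-op mutation: discard */
    wr32(buf + len - CRCSZ, crc32_buf(buf, len - CRCSZ));                    /* repair the checksum */
    return 1;
}
static void ext_crash(const uint8_t *buf, size_t len) { (void)buf; (void)len; g_crashes++; }
const fuzz_ext_t toy_ext = { ext_init, ext_prepare, ext_mangle, ext_fixup, ext_crash };

/* Minimal engine loop. Returns the number of cases delivered to the target, -1 if init fails,
 * -2 if a case passed fixup but the target still rejected it (i.e. the fix-up callback is broken). */
long run_campaign(const fuzz_ext_t *ext, const uint8_t *corpus, size_t clen, uint64_t iters) {
    uint8_t buf[MAX_CASE]; size_t len; long delivered = 0;
    if (ext->init(corpus, clen) != 0) return -1;
    for (uint64_t it = 0; it < iters; it++) {
        if (ext->prepare(buf, sizeof buf, &len, it) != 0) continue;
        ext->mangle(buf, len, it);
        if (!ext->fixup(buf, len)) continue;
        if (!toy_parse(buf, len)) return -2;
        delivered++;
        if (buf[HDR] == 0xFF) ext->crash(buf, len);  /* stand-in trigger; a real engine fires step 5 from its signal/ptrace handler */
    }
    return delivered;
}

/* Demo: one seed, 100 iterations; returns the delivered count (every delivered case parsed cleanly). */
long demo_campaign(void) {
    static const uint8_t body[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    uint8_t seed[64];
    size_t n = make_seed(seed, sizeof seed, body, sizeof body);
    return n ? run_campaign(&toy_ext, seed, n, 100) : -1;
}
/* Demo: 1 if the seed round-trips and a single flipped body bit without fix-up is caught by the CRC. */
int demo_crc_guard(void) {
    static const uint8_t body[4] = { 0xAA, 0xBB, 0xCC, 0xDD };
    uint8_t seed[32];
    size_t n = make_seed(seed, sizeof seed, body, sizeof body);
    int ok = toy_parse(seed, n);
    seed[HDR] ^= 0x01;
    return ok && !toy_parse(seed, n);
}
```

Without step 4 every mutated case would fail the target's CRC check and the campaign would never get past the parser's first branch; run_campaign returning -2 is the quickest signal that a fix-up callback no longer keeps cases well-formed.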
You can follow the commit logs or the new feature issue discussion page [7] for more details about the current state of the prototype.

Concluding remarks

At the end of the day the adoption of a fuzzing tool or fuzzing technique is really a matter of personal preference. There's a wide variety of fuzzing engines to choose from, and they still remain successful across many different targets. Having said that, we believe that for limited-resource environments, such as embedded devices, researchers should not spend their time reinventing the wheel, especially for core fuzzing functionality. Smart people should be motivated to write test case generation algorithms and targeted fuzzing templates, instead of debugging ptrace et al. wrappers. Through evaluation of the publicly available tools and through discussions with infosec researchers, we realized that the Android security community was lacking a generic but efficient fuzzing tool. The majority of publicly available fuzzing and triaging projects were relying on some very inefficient, fragile and hackish mechanisms that performed remote target execution (adb), monitoring (debuggerd over logcat) and crash data collection (tombstones). Such techniques practically void all previously discussed strategies that can be used to optimize fuzzing campaigns. For this reason, we decided to publicly contribute to a generic fuzzing tool, honggfuzz, by way of implementing native Android OS support for the PTRACE and POSIX API architecture backends. Hopefully, Android researchers will benefit from our work, re-use the engine as a drive-in for more native tools and contribute back with ideas or identified inefficiencies/bugs. Additionally, we're very happy to see that the Android team has started integrating the in-process LLVM libFuzzer fuzzing library in AOSP. When combined with LLVM sanitizers in the build tree, it definitely aids researchers that are focusing on the Android ecosystem.
If you would like to share your thoughts or comments with us, feel free to drop an email to the team.

References
1. http://census-labs.com/news/2015/06/18/fuzzing-objects-de-ART-HITB2015AMS
2. http://www.nongnu.org/libunwind
3. https://android.googlesource.com/platform/external/libunwind
4. https://github.com/google/honggfuzz
5. https://github.com/anestisb/honggfuzz/tree/stackhash_blacklist
6. https://github.com/anestisb/honggfuzz/tree/master_dev
7. https://github.com/google/honggfuzz/issues/16
