浏览器Fuzz技术
漏洞挖掘
白盒挖掘
代码审计
自动化代码分析黑盒挖掘
Fuzzing
两种Fuzzing技术
静态Fuzzing
基于变异的
- 文件、文档
- 多媒体
- bf3
基于生成的
- 浏览器
重点是测试用例的生成
动态Fuzzing
Fuzzing框架
- Grinder
Fuzzing工具
- CrossFuzz
- ndujaFuzz
- NodeFuzz
- X-Fuzzer
- jsFunFuzz
重点是测试用例的重建、Crash样本的捕获
怎么动手写Fuzzing工具
1.搜集POC
- 2.规范文档
- W3C
- MDN
- MSDN
- 3.目标
- javascript
- HTML
- CSS
策略
数据VS关系
数据类型朝向VS逻辑朝向
代码路径覆盖率->浏览器状态覆盖率
- DOM Tree状态
- 渲染森林状态
- 布局状态
- 事件句柄状态
- 多页面状态
规范标准
- W3C
- MDN
- MSDN
最终的指导
- HTML
- CSS
逻辑元素->各个字典(见下)->规范标准和指导
- 基础字典
- property字典
- 函数字典
- Style字典
目标
UAF漏洞
构造->Fuzz->Free->Use
释放的节点->无引用
Traverse Node 横穿节点??
1.保存引用(id[idex])
2.DOM实现(document.all[index])
节点引用
1.caching
2.clearing tree node
3.递归清除子树
Get Property
1.动态获取
- ProperTies
- FuncTions
- Events
2.缓存Caching
3.for...in
4.typeof
Fuzz Property
1.smart values->specification
2.random values->no dictionary
Fuzz Function
Functional programming + eval()
DOM Tree构造
- Base DOM Tree
- random nodes
- 随机树生成算法
- for loop
- document.createElement
- node.appendChild
 - Smarter structure
- Form
- Table
- Map
- List
- Audio
- Video
Svg
- Network
- XMLHttpRequest
WebSocket
Prelude
- TextNode
- Special nodes
- Window
- Document
- Attribute
- NamedNodeMap
- Group
- Range
- Selection
- NodeIterator
TreeWalker
- Multiple Pages
- Iframe
- Window.open
- Recursively nested iframes
Renderer process <=> Instance
- Web Worker & SharedWorker
MulTple threads
- Event handler
“ATM”
- CSS
- PseudoMclasses & pseudoMelements
Render forest
- Initial properties
Start states
Fuzzing
- DOM Node
- ProperTes
- Functions
Styles
Return value -> Fuzzing list
- Fuzzing Values
- Normal
- Dirty
- Random
Return
- Force Layout
Node.offsetParent
- Clear DOM SubTree
- innerHTML
- outerHTML
- innerText
outerText
- Clear whole DOM Tree
- write
- writeln
- open
documentElement.innerHTML
- DOM Tree Modify
- appendChild
- insertBefore
- insertAdjacentElement
- insertAdjacentHTML
- insertAdjacentText
- removeChild
- replaceChild
cloneNode
Special node manipulate
- Group manipulate
execCommand
- Multiple pages
- Mutual manipulate
Mutual clear
- setTimeout
Disrupt the Tme sequence
- Garbage Collect
Force IE Memory Protector to reclaim
####Finale
- GC
- Reuse all elements
- Properties
- Functions
- Styles
- Reuse group
- Reuse special nodes
- Reuse funcTon return values
Ditionary
通过准确性和完整性来判断字典的好坏。
字典->规范
- 规范
- Scripts(or grep + sed)
- Manual
扩展性
- 新东西
- 地理位置
- 客户端数据库
- Canvas
- Blobs
- 语音合成
规范+智能的值=字典
评估一种Fuzz方法的好坏要看它的结果。
- 漏洞
- UAF
- Double Free
OOB
- Bug
- 空指针引用
栈上溢
Event Handle
- Idea
- Fuzzing:rendering engine ->some state
- Set event handler: fuzzing and clear
- Fuzzing: fire event
Kind of race condiTon
- StateFuzzer
- CFlatMarkupPointer UAF
- CInput UAF
- CFrameSetSite CTreeNode UAF (CVE-2014-1769)
- CCaret Tracker UAF
CClipStack OOB Access (CVE-2014-1773)