Address Sanitizer

American Fuzzy Lop

Hanno Böck

https://hboeck.de/

https://fuzzing-project.org/

#include <stdlib.h>
#include <strings.h>
#include <stdio.h>
int main() {
  char* a;
  a = malloc(10);        /* 10-byte heap allocation */
  bzero(a, 10);          /* zero the buffer */
  free(a);               /* memory released here ... */
  printf("%i\n",a[0]);   /* ... and read afterwards: use after free, which ASAN reports */
  return 0;
}

Address Sanitizer (ASAN)

Finds bugs like buffer overflows, out of bounds reads, use after free etc.

-fsanitize=address in CFLAGS

American Fuzzy Lop (AFL)

  1. Feed input with random errors in application
  2. Watch for new code paths
  3. Wait until bad things happen (crashes)

Address Sanitizer / American Fuzzy Lop

Best used together

Fuzzing math

  • Common: Use fuzzing to find crashes / memory corruption
  • But other bugs can be fuzzed, too
  • Idea: calculation with two implementations, compare
  • Bugs found in OpenSSL (CVE-2015-3193), NSS (CVE-2016-1938), Nettle (CVE-2015-8803, CVE-2015-8804)
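An added example of the "two implementations, compare" idea (not code from the talk): an AFL-style harness reading raw bytes from stdin, feeding them to two independent modular-exponentiation routines and calling abort() on disagreement, so AFL and ASAN record the input as a crash. It assumes GCC or Clang on a 64-bit target for the unsigned __int128 intermediate; the function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned __int128 u128;  /* assumes GCC/Clang on a 64-bit target */
/* Implementation A: right-to-left square-and-multiply. */
uint64_t powmod_a(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1 % m;
    b %= m;
    while (e) {
        if (e & 1) r = (uint64_t)((u128)r * b % m);
        b = (uint64_t)((u128)b * b % m);
        e >>= 1;
    }
    return r;
}
/* Implementation B: left-to-right, scanning exponent bits from the top. */
uint64_t powmod_b(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1 % m;
    b %= m;
    for (int i = 63; i >= 0; i--) {
        r = (uint64_t)((u128)r * r % m);
        if ((e >> i) & 1) r = (uint64_t)((u128)r * b % m);
    }
    return r;
}
/* The differential check: 1 if both implementations agree, else 0. */
int powmod_agree(uint64_t b, uint64_t e, uint64_t m) {
    return powmod_a(b, e, m) == powmod_b(b, e, m);
}
/* Fuzzer input: 24 raw bytes = base, exponent, modulus (native byte order).
 * Inputs that cannot be compared return 1, so only real disagreement aborts. */
int check_input(const unsigned char *buf, size_t len) {
    uint64_t v[3];
    if (len < sizeof v) return 1;
    memcpy(v, buf, sizeof v);
    if (v[2] == 0) return 1;   /* modulus 0: division by zero, skip */
    return powmod_agree(v[0], v[1], v[2]);
}

int main(void) {
    unsigned char buf[64];
    size_t n = fread(buf, 1, sizeof buf, stdin);
    if (!check_input(buf, n)) abort();  /* AFL records this as a crash */
    return 0;
}
```

Build with -fsanitize=address and run under afl-fuzz with a seed directory of a few 24-byte files; any input that reaches abort() shows up in the crashes directory.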

Thanks for listening

Use Address Sanitizer!

Fuzz your software.

Questions?

https://fuzzing-project.org/