
The Aftermath of a Fuzz Run - What to Do About Those Crashes?

Offered By: Linux Foundation via YouTube

Tags

Conference Talks Courses, Software Security Courses, Vulnerability Analysis Courses, Fuzzing Courses, Valgrind Courses

Course Description

Overview

Explore effective techniques for analyzing and addressing crashes resulting from fuzz testing in this informative conference talk. Learn about tools, tactics, and strategies for post-fuzz run analysis, with the goal of identifying and fixing vulnerabilities. Delve into memory corruption bugs, exploitability assessment, and mitigation techniques such as ASLR and DEP. Gain insights on workflow optimization, crash corpus minimization, and the use of analysis tools like Valgrind. Examine real-world examples, including invalid reads/writes, stack vs. heap corruption, and use-after-free scenarios. Understand the importance of bug chains in modern exploits and discover how seemingly innocuous issues can lead to significant vulnerabilities, as demonstrated by case studies from Google Project Zero, C-Ares, and Chrome OS.

Syllabus

Intro
NeXT, Apple, Weblogic, BEA Systems, Azul Systems
1. Introduce/Review Memory Corruption Bugs; 2. A Post Fuzz Run Workflow; 3. Real World Examples
Invalid Reads/Writes
Stack vs Heap Corruption
Use After Free
Other Memory Bugs
b: What is Exploitability?
Re-programming with input data, not code
Does "exploitability" matter?
Google Project Zero
Many modern exploits are bug chains
Surprisingly Exploitable
C-Ares / Chrome OS Remote Code Execution
Section 1c: Memory Corruption Mitigations
ASLR Address Space Layout Randomization
DEP Data Execution Prevention
Minimize the Corpus of Crashes
b: Memory Corruption Analysis Tools
Valgrind (memcheck)
Section 2c: Determine Exploitability / Find the Root Cause
Disable ASLR
Identify critical memory locations
PHP: Low invalid read
Netflix Dynomite: Invalid Write


Taught by

Linux Foundation
