In the lands of corrupted elves - Breaking ELF software with Melkor fuzzer

1
In the lands of corrupted elves:
Breaking ELF software with Melkor fuzzer
Alejandro Hernández
IOActive

About me
 Senior Security Consultant [IOActive.com]
 ELF, C programming & fuzzing enthusiast
 Passionate about security. ~11 years now.
 From Chiapas, Mexico
'~~~-,
'-,_
/ `~'~'' M E X I C O
_ /~
__
.
`~~
' . /
/ |
_ | _.----,
| ! /
'._ _ __/ _/
_ ''--'' __/
.__ |
''.__ __.._ o<-_---- here !
'' './ `
 http://www.brainoverflow.org
 @nitr0usmx2

Agenda
 The ELF file format
 ELF parsing
 Who’s is parsing?
 Security risks in ELF parsing
 Discovered vulnerabilities in the past
 ELF parsing (mistakes) nowadays
 ELF Fuzzing
 Smart vs dumb
 Code / branch coverage
 ELF metadata dependencies
 Cont.
3

Agenda (Cont.)
 Melkor – an ELF file format fuzzer
 Who’s Melkor
 Design & Implementation
 Fuzzing rules
 Generators and test data
 Usage
 Logging
 Download
 Breaking Fuzzing ELF software
 DEMOS
 Conclusions
4

The ELF file format
 Executable and Linkable Format
 In 1999 was chosen as the standard binary
file format for Unix and Unix-like systems
on x86
 Adopted by many OS on many different
platforms
 Executables, relocatable objects (.o),
shared libraries (.so) and core dumps.
5

The ELF file format
 Specification(s) [10]
7

The ELF file format
 Data types (/usr/include/elf.h)
8

The ELF file format
 Data structures (/usr/include/elf.h)
9

The ELF file format
10
 Relationships between metadata

for(k = 0; k < hdr.e_shnum; k++, shdr++){
if(shdr->sh_type != SHT_REL)
continue;
symtab_section = shdr_table[shdr->sh_link];
strtab_section = *(Elf64_Shdr *) (mem + hdr.e_shoff +
(symtab_section.sh_link * sizeof(Elf64_Shdr)));
symstrtab_offset = strtab_section.sh_offset;
rela = (Elf64_Rela *) (mem + shdr->sh_offset);
sym = (Elf32_Sym *) (mem + symtab_section.sh_offset);
...
The ELF file format
 Example:
11

The ELF file format
 Example:
12
SHT_REL
strtab_section
symtab_section
sh_link
sh_link
1
2
sh_offset
Section Header Table

The ELF file format
 Example:
13

ELF parsing
 OS kernels
 Thoroughly audited over the years
 Debuggers
 gdb
 IDA Pro
 Etc.
 Reverse Engineering frameworks
 ERESI
 radare2
 Etc.
 OS utilities
 binutils
 #apt-cache search ELF14

ELF parsing
 Malware
 Antivirus engines?
 Sophail by Tavis Ormandy [6]
15

ELF parsing
 Google dork: “+ELF (parser|parsing)”
16

ELF parsing
 Memory corruption / Buffer overflows
 Out of bounds array indexes or offsets
 Loops copying data more times than
expected
 Invalid memory dereferences
 Out of bounds array indexes or offsets
 Crashes / DoS
 Arithmetic / Integer wrap-arounds
 Calculations with user-controlled data
 nElements * elementSize
 nElements * sizeof()
 totalSize / elementSize
 arrayIndex * sizeof()17

ELF parsing
 Memory corruption / Buffer overflows
 Might lead to code execution
 Undefined behaviors
 Crashes / DoS
 In the debugger / reversing tool
 Anti-reversing technique
 Binaries harder to debug
 Protection against malware infections
 Malware has parsers too
 OS kernel panic()’s
18

ELF parsing
 Most data types are unsigned ints. Two of
them are signed ints (/usr/include/elf.h):
 typedef int32_t Elf32_Sword;
 typedef int32_t Elf64_Sword;
 typedef int64_t Elf32_Sxword;
 typedef int64_t Elf64_Sxword;
 r_addend (Relocations)
 d_tag (Dynamic information)
 Harder to trigger integer overflows
 However, when assigning values to
local signed variables, signedness
bugs might exist [1]
19

ELF parsing
 ELF, unlike PE (Portable Executable),
has been less audited
 Mostly found doing manual testing
 Code review + Binary modification
 Google dork: “site:securityfocus.com +ELF”
20

ELF parsing
21

ELF parsing
22

ELF parsing
23

ELF parsing
 Invalid pointer dereference in gdb (reported but still
unpatched) used as an anti-debugging technique [4]
24

ELF parsing
 Invalid pointer dereference in IDA Pro (patched) used
as an anti-debugging technique [4]
25

ELF parsing
 ELF parsing nowadays
 ~15 years later (adopted in 1999)
 Most ELF analysis tools rely on the SHT
(Section Header Table)
 The following bugs have been found with
Melkor
26

ELF parsing
 *still* blindly trust in the input:
 Offsets
 Indexes
 Sizes (total_size / struct_size)
 Addresses
 Debugging information (DWARF)
 Not part of ELF but it’s very related
27

ELF parsing
“The most common mistake applied by a
programmer is in trusting a field inside a
binary structure that should not be trusted.
“When dealing with sections that must have
subsections, knowing ahead of time how many
sections are embedded within the primary
section of a structure is required and again,
a value must be used to instruct the
application only to iterate x number of
times.” [7]
28

ELF parsing
 Example of a dummy program that executes the
for() loop based on e_shnum and size/entsize:
29
for(k = 0; k < hdr->e_shnum; k++, shdr++){
if(shdr->sh_type != SHT_SYMTAB && shdr->sh_type != SHT_DYNSYM)
continue;
...
nsyms = shdr->sh_size / shdr->sh_entsize;
sym = (Elf64_Sym *) (mem + shdr->sh_offset);
...
for(l = 0; l < nsyms; l++, sym++)
if(ELF64_ST_TYPE(sym->st_info) != STT_SECTION)
printf(“[%2d] %sn", mem + strtab + sym->st_name);
}

ELF parsing
30
2
31

ELF parsing
 Some applications validate if memory
addresses (p_vaddr, e_entry, etc.) and/or
file offsets (sh_offset, p_offset, etc.)
are inside their valid boundaries
 Some others don’t:
31 (Found with Melkor fuzzer.)

ELF parsing
32
src/libexec/ld.so/ldconfig/prebind.c:
elf_check_note(void *buf, Elf_Phdr *phdr)
{
u_long address;
u_int *pint;
char *osname;
address = phdr->p_offset;
pint = (u_int *)((char *)buf + address);
osname = (char *)buf + address + sizeof(*pint) * 3;
if (pint[0] == 8 /* OpenBSD0 */ && pint[1] == 4 &&
pint[2] == 1 /* type_osversion */ &&
strcmp("OpenBSD", osname) == 0)
return 1;
return 0;
}

ELF parsing
 Some trust in sizeof(*user_input), some
others prefer sizeof(Elfx_DataType) and
some others perform validations:
 if(sizeof(*x) != sizeof(dataType))
return ERROR;
33

ELF parsing
 Some do not validate the number of
elements before allocate memory:
 Allocate less memory space than needed
 Buffer overflows
 Memory exhaustion
 malloc(nElems_user_input * sizeof(Elfx_Struct));
 malloc(nElems_user_input * sizeof(*user_input));
 calloc(nElems_user_input , sizeof(Elfx_Struct));
34

ELF parsing
 Process memory exhaustion:
35
(Found with Melkor fuzzer.)

ELF parsing
 Process memory exhaustion:
36

ELF parsing
 More loops based on sh_size/sh_entsize running
more times than expected. (sh_size = 0xbad0c0de):
 Temporary DoS (CPU usage) in HT Editor:
 The application was killed by the OS
after ~19 secs.
37

ELF parsing
38
ht-2.0.22/htelfrel.cc:
rela_size = sizeof (ELF_RELA64);
relnum = elf_shared->sheaders.sheaders64[reloctab_shidx].sh_size /
(reloctab_sh_type == ELF_SHT_REL ? rel_size : rela_size);
...
for (uint i = 0; i < relnum; i++){
char *tt = t;
/* dest offset */
tt = tag_make_edit_qword(tt, tt_end, h+i*rel_size, endianness);
tt += ht_snprintf(tt, tt_end, " ");
/* symbol (table idx) */
tt = tag_make_edit_dword(tt, tt_end, h+i*rel_size+8+4,
endianness);
tt += ht_snprintf(tt, tt_end, " ");
...
}

ELF parsing
 A common low-hanging fruit crash is through
e_shstrndx in the ELF header. It holds a string
table index within the Section Header Table:
39

ELF fuzzing
 Fuzz testing
 Automated approach to create invalid /
semi-valid data to find bugs that would
have often been missed by human eyes
 If data is too valid, might not cause
problems
 If data is too invalid, might be quickly
rejected [9]
40
Taken from [5]

ELF fuzzing
 Smart vs dumb fuzzing
 Two approaches
 Mutation-based fuzzing (dumb)
 Takes an input and modifies it randomly
 Generation-based fuzzing (smart)
 Generates the tests with
specification knowledge
 dumb random fuzzing in most cases find
less bugs than smart fuzzing
41

ELF fuzzing
 Smart vs dumb fuzzing [2]
 All paths + all data == infinite problem
 Notion of randomness (dumbness) and
specific knowledge (intelligence)
 Semi-valid data
42

ELF fuzzing
 Code / branch coverage [8]
 Code coverage is a metric which can be
used to determine how much code has been
executed
 Branch coverage measures how many
branches in code have been taken
(conditional jmps)
 if( x > 2 )
x = 2;
 Specification based test generation
achieves better coverage testing
43

ELF fuzzing
 Code / branch coverage
 Interesting results in [9] show that
more bugs are discovered with higher
coverage:
44

ELF fuzzing
 Some data structures must be fuzzed in
the end or not fuzzed at all for higher
code / branch coverage:
45
3rd level metadata
2nd level
metadata
ELF Header
HDR
SHT
String tables
Relocation Tables,
etc. etc.
PHT Interp
CORRUPTED
Hidden bugs

ELF fuzzing
 In normal circumstances, the following
ELF metadata dependencies exist while
parsing:
46

ELF fuzzing
 Example: (SmartDec, Native code to C/C++
Decompiler for Windows)
 Normal ELF loading
47

ELF fuzzing
 Trying to load the same ELF with an invalid
e_ident[EI_CLASS] (a header field), it simply
handles the error and doesn’t open:
48

ELF fuzzing
 However, having an unmodified header, the basic
header validations will be bypassed and internal
bugs are reached:
49

Melkor fuzzer
 Who’s Melkor
 A fictional character
from J. R. R.
Tolkien's Middle-
earth legendarium
 Was the first Dark
Lord and master of
Sauron
50

Melkor fuzzer
 Who’s Melkor
 Mentioned briefly in The Lord of the
Rings and is known for:
"... Melkor had captured a number of ELVES before the Valar
attacked him, and he tortured and corrupted them, breeding
the first Orcs.“
"... Melkor was cunning and more filled with malice than
ever. Seeing the bliss of the ELVES and remembering that it
was for their sake that he was overthrown, Melkor desired
above all things to corrupt them.“
"Orcs...This has been so from the day they were bred by
Melkor from corrupted, tortured and
mutilated ELVES that may also have been
forced to breed with other unnatural abominations
in the dominion of the Dark Powers."
51

Melkor fuzzer
 Hybrid (Mutation-based / Generation-based)
 Mutate existing data in an ELF sample to
create orcs with knowledge of the file
format specification (fuzzing rules)
52
OrcsELF
Melkor fuzzer

Melkor fuzzer
 Design
 I’m not good at software design but...
drawing worked
53

Melkor fuzzer
 Implementation
54
numbers / rand()
generators.c
fuzz_<metatada>.c
(fuzzing rules)
logger.c
melkor.c
(main())

Melkor fuzzer
 Fuzzing rules
 Three inputs were used:
 Specification violations
 TIS ELF Specification 1.2 (May, 1995) [10]
 ELF-64 Object File Format 1.5 (May 1998)
 Misc. ideas & considerations
 Parsing patterns seen in ELF software
55

Melkor fuzzer
 Fuzzing rules
 melkor-v1.0/docs/Melkor_Fuzzing_Rules.pdf
56

Melkor fuzzer
 Fuzzing rules
 Specification violations (Example 1)
 ELF Specification:
57

Melkor fuzzer
 Fuzzing rules
 Rule definition for that field:
58
Rule name implemented at code level

Melkor fuzzer
 Fuzzing rules
 That rule at code level:
59

Melkor fuzzer
 Fuzzing rules
60

Melkor fuzzer
 Fuzzing rules
61

Melkor fuzzer
 Fuzzing rules
 More complex rules
62

Melkor fuzzer
 Fuzzing rules
 More complex rules (Example 1)
63

Melkor fuzzer
 Fuzzing rules
64

Melkor fuzzer
 Fuzzing rules
65

Melkor fuzzer
 Fuzzing rules execution
 To iterate through the rules an array of function
pointers is created in every fuzzing module and
initialized with __attribute__((constructor)
66

Melkor fuzzer
 Chances of execution given by the –l (likelihood
parameter, default 10%) is translated to two
variables that’ll be used in ...
67

Melkor fuzzer
 ... Conjunction with rand() in the
iteration through the array of pointers
68

Melkor fuzzer
 Some fields are critical and even when
the rule is executed, inside the rule
function the likelihood is decreased.
 For example:
69

Melkor fuzzer
 These dependencies should not be
broken if you want to fuzz
deeper levels
70

Melkor fuzzer
 Translating them into specific fields:
71

Melkor fuzzer
72

Melkor fuzzer
73

Melkor fuzzer
 And at code level (Example 1):
74

Melkor fuzzer
 And at code level (Example 2):
75

Melkor fuzzer
 Semi-valid test data is used in the
rules
 Size fields: common integer bofs values
 Offsets / addresses: out of bounds values
 Indexes inside strings: common format
strings or non-printable chars
 Etc.
76

Melkor fuzzer
 numbers.h
77

Melkor fuzzer
 numbers.h
78

Melkor fuzzer
 numbers.h
79

Melkor fuzzer
 generators.c
 Functions to return test data based on
 numbers.h
 rand()
80

Melkor fuzzer
 ELF used as template
 Some provided in templates/
81

Melkor fuzzer
 Compilation
 With a simple $make
82

Melkor fuzzer
 Usage
 Fuzzing options
84

Melkor fuzzer
 Usage
 A simple run (testing preparation):
85

Melkor fuzzer
 Usage
 Malforming ELFs:
86

Melkor fuzzer
 Usage
 Malformed ELFs (orcs):
87

Melkor fuzzer
 Usage
 Malformed ELFs (Default 10%):
88

Melkor fuzzer
 Usage
 Malformed ELFs (Aggressive 70%):
89

Melkor fuzzer
 Usage
 Testing the malformed ELFs (test_fuzzed.sh)
90

Melkor fuzzer
 Usage
 No, Melkor will not send your orcs to
the shopping mall
91 http://mashable.com/2014/06/12/orc-mall-prank/

Melkor fuzzer
 Usage
 OS kernel / dynamic loader testing:
92

Melkor fuzzer
 Usage
 OS kernel / dynamic loader testing:
93

Melkor fuzzer
 Usage
 Application testing (Example: dumpelf)
94

Melkor fuzzer
 Usage
 Application testing (Example: gcc)
95

Melkor fuzzer
 Usage
 Application testing (Example: gcc)
96

Melkor fuzzer
 Logging
 A simple logging facility implemented to
identify the fuzzed metadata in detail
97

Melkor fuzzer
 Download
http://www.brainoverflow.org/code/melkor-v1.0.tar.gz
98

Fuzzing ELF software
DEMOS
 Homework: fuzz Melkor fuzzer ;-)
 Yes, inception fuzzing
 Read BUGS.txt
 It could be used as a test subject
99

Conclusions
 ELF is just another file format where
common parsing mistakes are still used
 ELF parsers are not just in the OS
kernels, readelf and objdump. Many new
software are parsing and supporting 32
& 64-bit ELF files
100

Conclusions
 Fuzzing discover defects that normally
are harder to find in less time than
manual testing
 Fuzzing is much better having knowledge
of the semantics (specifications)
 A single crash could be an exploitable
security bug or could be used as an
anti-reversing or anti-infection
technique
101

Conclusions
 Melkor fuzzer will help you to find
functional (and security) bugs in
your ELF parsers.
102

References
[1] blexim. (2002). “Basic Integer Overflows”. PHRACK Magazine,
Release 60. Retrieved from http://phrack.org/issues/60/10.htm
[2] DeMott, J., Enbody, R. (Aug 5th, 2006). “The Evolving Art of
Fuzzing”. DEFCON 14. Retrieved from
https://www.defcon.org/images/defcon-14/dc-14-presentations/DC-14-
DeMott.pdf
[3] Dietz, W., Li, P., Regehr, J., and Adve, V. (June 2012).
“Understanding Integer Overflow in C/C++”. Proceedings of the 34th
International Conference on Software Engineering (ICSE), Zurich,
Switzerland. Retrieved from
http://www.cs.utah.edu/~regehr/papers/overflow12.pdf
[4] Hernández, A. (Dec 18th, 2012). “Striking Back GDB and IDA
debuggers through malformed ELF executables”. Retrieved from
http://blog.ioactive.com/2012/12/striking-back-gdb-and-ida-
debuggers.html
103

References
[5] Jarkko, L., Rauli, K., and Heikki, K. (2006). “Codenomicon
Robustness Testing - Handling the Infinite Space while breaking
Software”. Retrieved from
http://www.codenomicon.com/resources/whitepapers/code-whitepaper-
2006-06.pdf
[6] Ormandy, T. “Sophail: A Critical Analysis of Sophos Antivirus”.
Retrieved from https://lock.cmpxchg8b.com/sophail.pdf
[7] Padilla, O. (May 12th, 2005). “Analyzing Common Binary Parser
Mistakes”. Uninformed e-zine Vol. 3. Retrieved from
http://uninformed.org/index.cgi?v=3&a=1&t=pdf
[8] Miller, C. (Oct 20th, 2007). “Fuzzing with Code Coverage By
Example”. ToorCon 2007. Retrieved from
http://fuzzinginfo.files.wordpress.com/2012/05/cmiller_toorcon2007.
pdf
104

References
[9] Miller, C. (Mar 28th, 2008. “Fuzz By Number: More Data About
Fuzzing Than You Ever Wanted To Know”. CanSecWest 2008.
Retrieved from https://cansecwest.com/csw08/csw08-miller.pdf
[10] TIS Committee. (1995). “Executable and Linking Format (ELF)
Specification v 1.2”. Retrieved from
http://www.uclibc.org/docs/elf.pdf
[11] van Sprundel, I. (Dec 8th, 2005). “Fuzzing: Breaking software
in an automated fashion”. Retrieved from
http://events.ccc.de/congress/2005/fahrplan/attachments/582-
paper_fuzzing.pdf
[12] Wysopal, C., Nelson, L., Zovi, D. D., and Dustin, E. (2007).
“Local Fault Injection” (Ch. 11) in The Art of Software Security
Testing, pp. 201-229. Retrieved from
http://www.securityfocus.com/images/infocus/Wysopal_CH11.pdf
105

Special Thanks
 To all the researchers / coders from whom
I’ve learned cool ELF stuff and fuzzing:
Silvio Cesare, the ELF shell crew, mayhem,
scut, the grugq, Itzik Kotler, Electronic
Souls, Julien Vanegue, Andrew Griffiths,
dex, beck, Brian Raiter, Rakan El-Khalil,
Jared DeMott, skape, JunkCode, Sebastian
Krahmer, Paul Starzetz, Charlie Miller,
Ilja van Sprundel, Chris Rohlf, aczid,
Rebecca Shapiro, Sergey Bratus and some
others I forgot to mention
... Thanks !
106

Thanks !
107
/ Alejandro Hernández
/ @nitr0usmx

In Memorial †
Dedicated to the memory of one of my best friends,
Aaron Alba.
108

In the lands of corrupted elves - Breaking ELF software with Melkor fuzzer

More Related Content

Similar to In the lands of corrupted elves - Breaking ELF software with Melkor fuzzer (20)

More from Alejandro Hernández (9)

Recently uploaded (20)

In the lands of corrupted elves - Breaking ELF software with Melkor fuzzer