Seems Exploitable: Exposing Hidden Exploitable Behaviors Using Extended Differential Fuzzing


In December 2017 I presented a paper entitled “Exposing Hidden Exploitable Behaviors in Programming Languages Using Differential Fuzzing” – a talk that focused on the unexpected behaviors that I found on programming languages when fuzzing the interpreters. A differential fuzzing framework was created to detect dangerous and unusual behaviors in similar software implementations. To prove its effectivity, multiple implementations of the top five interpreted programming languages were analyzed: JavaScript, Perl, PHP, Python, and Ruby. After fuzzing the default libraries and built-in functions, several dangerous behaviors were automatically identified.

In this session I present the technical side of that research: which are the different analysis that can be performed to obtain the unexpected behaviors. When fuzzed applications don’t crash, you can still potentially find more than 20 different types of issues. This talk exemplifies the capabilities of differential fuzzing with practical examples identifying which undocumented functions could allow OS command execution, when sensitive file contents may be partially exposed in error messages, how native code is being unexpectedly interpreted – locally and remotely – and when constant’s names could be used as regular strings for OS command execution. Additional undisclosed vulnerabilities will be shown throughout the talk to exemplify how to find more issues.

This talk will also include a new special release of the fuzzer.

Location: Track 2 Date: April 13, 2018 Time: 3:00 pm - 4:00 pm Fernando Arnaboldi