Peach Fuzzing Framework

During my internship at McAfee Inc., I was introduced to this amazing fuzzing framework called Peach. I wrote a short piece for the same, that I am posting here. The article is my understanding of Peach fuzzing framework and I am in no way associated with Peach.

Introduction

Peach is a fuzzing framework, capable of doing both generation and mutation fuzzing. It has a modular architecture which not only encourages code reuse, but also makes it easily extensible; hence one can easily write custom mutators, fixups and mutation strategies. Moreover, it has features like agents, monitors and data analyzers, which make peach a comprehensive tool to carry out fuzzing. In this paper I will try to throw some light on these features, and along with it I will share some of my experiences of using peach. I am assuming that you have a basic idea about the working of Peach, if not please read the tutorial on the peach website. [1]

Data Analyzers

Peach has a feature called Data Analyzers which takes in various formats like xml, asn.1 and Wireshark capture file as an input and makes a DataModel out of them. This feature allows one to create a pit file for a protocol like HTTP and WebDAV using the Wireshark data analyzers. For HTTP, you could just capture one request and run the Wireshark analyzer on top of it. This only creates a basic fuzzer, but it is a good starting point, as the generated pit file can be expanded to include more features. Also, the XML analyzer can be used to speed up the fuzzer development as in the case of WebDAV, where it is used to create DataModels for the XML included in various WebDAV requests.

Also, Peach provides a really useful analyzer called the binary analyzer using which you could analyze binary files or blobs for strings. It then automatically creates a block after the analysis. This feature significantly speeds up the fuzzer creation process as you don’t have to manually go through the data searching for strings.

Agents & Monitors

When fuzzing an application, it is important to ascertain when an error condition occurs, so as to write exploits for the same. It is also helpful to know, how much resources are being used by the application being fuzzed, and what is the effect of various test cases on the environment in which the application being fuzzed is hosted. Peach provides agents and monitors for these purposes, which support variety of debuggers and also provide facility to monitor various environment variables and features both locally and remotely.

Hence monitors like UnixGdb and WindowsDebugEngine can be used to monitor and control various applications. Memory used by an application can be monitored using the memory monitor. While various properties of a process can be studied using the process monitor, and finally it can be checked if a remote machine is live or not using the ping monitor. Thus if the various features provided by Peach are used correctly, one could ascertain substantial information about the state of the application and the environment hosting the application, for various test cases, and use it effectively while writing exploits for the discovered vulnerabilities.

A property that I have observed about Peach is that it automatically stops when the application you being fuzzed crashes. In context of fuzzing various implementations of HTTP, if a server crashes, Peach stops running. Hence the last request that is sent may be the probable reason, which may have caused the server to crash.

Mutation Fuzzing Using Peach

Though Peach has the capability to do Mutation Fuzzing, the number of features provided for the same are limited. Peach supports mutation fuzzing by means of blobs, where you specify the length of data you want to fuzz, and Peach does dumb fuzzing for the specified length of data. This process could be simplified for binaries by using binary analyzer, which as mentioned before automatically searches for strings and creates a block to be used in the pit file. For more information on this feature please check [2] .

Fuzzing DLLs & Stored SQL Procedures

Another impressive capability of Peach is that it can be used for DLL fuzzing. This is done with the help of a DLL publisher. Peach also allows one to create custom datastructures and pointers that could be input to the DLL being fuzzed. For example, consider a DLL which has a method which takes in a structure as an argument, and the structure itself contains a pointer to another structure. The Datamodel for the above example would be as shown in [3] .

Peach also provides a capability to fuzz stored SQL procedures, and thus find potential SQL injection vulnerabilities. Peach uses sql.ODBC publisher to communicate with the database and fuzz the stored procedure [4]

Peach provides various tools for improving code coverage. Using one of the provided tools, the minimum set of files required for the coverage of the pit file being used can be determined. Complementary to that Peach also provides a tool using which the coverage of a fuzzer pit file for a particular input file can be determined. In context of the file fuzzing example for .wav files on the website, it can be checked if all the chunks are being fuzzed, or if an additional another input file is required [5] .

Code Coverage

It is important to have good code coverage when fuzzing an application, as lack of code coverage results in some critical bugs and vulnerabilities not being discovered. So when fuzzing an application, to get the maximum code coverage the fuzzer should be customized as per some instance of the application. For example in context of the HTTP fuzzer, when testing a particular web server, there should be at least basic authentication, otherwise most of the requests would be discarded, hence reduced code coverage. Also, using URL and resources that exist on the webserver at the time of fuzzing improves code coverage.

DataModel Properties

In Peach by default all the elements of a DataModel are sent. Peach doesn’t mutate over the data elements at present. To do that a custom mutation strategy is required. The mutation stratergies are found in the folder Peach\MutateStrategies\rand.py. Peach presently provides two mutation strategies which are sequential and random. While the sequential strategy fuzzes elements of the DataModel in a sequential order, the random mutation strategy selects specific number of elements of DataModel at random and fuzzes them.

In context of my HTTP fuzzer, I had defined all the headers possible for a HTTP request. Hence in each request all the headers were sent, which substantially reduces the code coverage as most of the request were discarded with any processing. To tackle this issue, I had commented a few headers, which resulted in deeper penetration of the request. The approach that I followed for WebDAV was to design different DataModels for different request methods. In each DataModel, only the most commonly used header fields were included.

Conclusion

Thus Peach fuzzing framework allows the developer to design fuzzers for various protocols and applications, by just understanding the protocol or finding the input parameters, as it provides a rich set of features like mutators, mutation strategies and fixups, thus reducing the development time. Though this may be beneficial is one respect, at the same time is can be a drawback as the developer doesn’t have a control on how various parameters are being fuzzed.