Chii chinonzi Fuzzing?
Intro: Chii chinonzi Fuzzing?
Muna 2014, Chinese hackers yakabiwa muCommunity Health Systems, cheni yezvipatara zvemuUS, uye yakaba data revarwere vane mamirioni mana. Matsotsi akabira tsikidzi inonzi Heartbleed iyo yakawanikwa muOpenSSL cryptography raibhurari mwedzi yakati kuti kubirwa kusati kwaitwa.
Heartbleed muenzaniso wekirasi yevanorwisa mavector ayo anobvumira vanorwisa kuti vawane chinangwa nekutumira zvikumbiro zvisina kurongeka zvinokwana kuti vapfuure cheki yekutanga. Nepo nyanzvi dzinoshanda munzvimbo dzakasiyana dzeapp dzichiita nepadzinogona napo kuti dzive nechokwadi chekuchengetedzwa kwayo, hazvigoneke kufunga nezvemakona ese anogona kupaza app kana kuita kuti ive panjodzi panguva yekuvandudza.
Apa ndipo panopinda 'fuzzing'.
Chii chinonzi Fuzzing Attack?
Fuzzing, kuyedza fuzz, kana kurwisa kusinganzwisisike, inyanzvi yekuongorora software inoshandiswa kupa zvisina tsarukano, isingatarisirwe, kana isiriyo data (inonzi fuzz) muchirongwa. Chirongwa ichi chinotariswa maitiro asina kujairika kana asingatarisirwe akadai sekufashukira kwebuffer, kuparara, kudonha kwendangariro, tambo inorembera, uye kuverenga/kunyora kutyora kwekuwana. Iyo fuzzing chishandiso kana fuzzer inobva yashandiswa kufumura chikonzero chemaitiro asina kujairika.
Fuzzing yakavakirwa pafungidziro yekuti masisitimu ese ane tsikidzi akamirira kuwanikwa, uye anogona kupihwa nguva yakakwana uye zviwanikwa zvekuita kudaro. Mazhinji masisitimu ane maparadzi akanaka kwazvo kana kudzivirira kuisirwa kwekuisa cybercrosec kubva pakushandisa chero fungidziro tsikidzi muchirongwa. Zvisinei, sezvatataura pamusoro apa, kuvhara makona ese ekona panguva yekuvandudza kwakaoma.
Mafuzzers anoshandiswa pamapurogiramu anotora mune yakarongeka yekuisa kana ane imwe mhando yekuvimba muganho. Semuyenzaniso, chirongwa chinobvuma mafaera ePDF chingava nerutsigiro rwekuti faira rive ne .pdf yekuwedzera uye kupatsanura kuti igadzirise faira rePDF.
Iyo fuzzer inoshanda inogona kuburitsa zvinopinda zvakaringana kuti ipfuure miganhu iyi asi isingaite zvekukonzera hunhu husingatarisirwi kure nechirongwa. Izvi zvakakosha nekuti kungokwanisa kupfuudza zvakasimbiswa hazvireve zvakawanda kana pasina kumwe kukuvadza kunokonzereswa.
Mafuzzers anoona kurwisa mavectors akafanana uye anosanganisira zvinofarirwa neSQL jekiseni, cross-saiti scripting, buffer mafashama, uye kuramba-kwe-sevhisi kurwiswa. Kurwiswa kwese uku kunokonzerwa nekudyisa data isingatarisirwi, isiriyo, kana isina kurongeka muhurongwa.
Mhando dzeFuzzers
Fuzzers inogona kurongeka zvichibva pane mamwe maitiro:
- Zvinangwa zvekurwisa
- Fuzz nzira yekugadzira
- Kuziva kwemaitiro ekupinza
- Kuziva kwegadziriro yepurogiramu
1. Kurwisa Zvinangwa
Uku kusarudzika kwakavakirwa parudzi rwepuratifomu iyo fuzzer iri kushandiswa kuyedza. Mafuzzers anowanzo shandiswa netiweki protocol uye software application. Imwe neimwe puratifomu ine imwe mhando yekupinza yainogamuchira, uye nekudaro inoda akasiyana marudzi emafuzzers.
Semuenzaniso, kana uchibata nemaapplication, kuedza kwese kusinganzwisisike kunoitika pamatanho akasiyana ekushandisa ekushandisa, senge mushandisi interface, yekuraira-mutsara terminal, mafomu/mameseji ekuisa, uye kurodha mafaira. Saka zvese zvinongedzo zvinogadzirwa nefuzzer zvinofanirwa kuenderana nezviteshi izvi.
Mafuzzers anobata nemaprotocol ekutaurirana anofanirwa kubata nemapaketi. Mafuzzers anonangidzira papuratifomu iyi anogona kugadzira mapaketi ekunyepedzera, kana kutoita semaproxies ekugadzirisa mapaketi akabatwa uye kuadzokorora.
2. Fuzz Creation Method
Mafuzzers anogona zvakare kuverengerwa zvichienderana nemagadzirirwo avanoita data kuti fuzz nayo. Nhoroondo, ma fuzzers akagadzira fuzz nekugadzira zvisina tsarukano data kubva kutanga. Aya ndiwo maitiro akaitwa naProfessor Barton Miller, muvambi wehunyanzvi uhu. Mhando yefuzzer iyi inonzi a chizvarwa-based fuzzer.
Nekudaro, nepo munhu achigona kuburitsa data iyo inodarika muganho wekuvimba, zvingatora nguva yakawanda uye zviwanikwa kuita kudaro. Naizvozvo nzira iyi inowanzoshandiswa kune masisitimu ane zvimiro zvakapfava zvekupinza.
Mhinduro kudambudziko iri kushandura data inozivikanwa kuve inoshanda kugadzira data inokwana kuti ipfuure muganho wekuvimba, asi isingaite zvekukonzera matambudziko. Muenzaniso wakanaka weizvi ndewe DNS fuzzer iyo inotora zita renzvimbo uye yobva yagadzira rondedzero hombe yemazita edomasi kuti ione dzingangove dzakaipa dzakanangana nemuridzi wenzvimbo yakatarwa.
Iyi nzira yakangwara kupfuura yekare uye inoderedza zvakanyanya mvumo inogoneka. Mafuzzer anoshandisa nzira iyi anonzi mutation-based fuzzers.
Pane imwe nzira yechitatu ichangoburwa iyo inoshandisa genetic algorithms kuchinjika pane yakakwana fuzz data inodiwa kubvisa kusagadzikana. Inoshanda nekuramba ichinatsa data rayo refuzz, uchifunga nezvekuita kweyega yega data rekuyedza kana yaiswa muchirongwa.
Iyo yakanyanya kuita seti yedata inobviswa kubva padziva re data, nepo zvakanakisa zvichishandurwa uye / kana kusanganiswa. Chizvarwa chitsva che data chinobva chashandiswa kuyedza fuzz zvakare. Mafuzzers aya anonzi evolutionary mutation-based fuzzers.
3. Kuziva kweInput Structure
Uku kusarudzika kwakavakirwa pakuti fuzzer inoziva uye nekushingairira iyo yekuisa chimiro chechirongwa mukugadzira fuzz data. A fuzzer mbeveve (fuzzer isingazive nezvechirongwa chekuisa chimiro) inogadzira fuzz nenzira yakawanda isingaite. Izvi zvinogona kusanganisira zvese chizvarwa uye mutation-based fuzzers.
Kana fuzzer ikapihwa neyokupinza modhi yechirongwa, fuzzer inogona kuyedza kugadzira kana kushandura data zvekuti inoenderana neyakapihwa modhi yekuisa. Iyi nzira inowedzera kuderedza huwandu hwezviwanikwa zvinoshandiswa kugadzira data risiri iro. Mufuza akadaro anonzi a smart fuzzer.
4. Kuziva kweChirongwa Chimiro
Mafuzzers anogona zvakare kuiswa muchikamu zvichienderana nekuti ivo vanoziva nezve mukati mechirongwa chavari kubhuya, uye shandisa kuziva ikoko kubatsira fuzz data kugadzirwa. Kana ma fuzzers achishandiswa kuyedza chirongwa pasina kunzwisisa chimiro chayo chemukati, chinonzi dema-bhokisi kuyedzwa.
Fuzz data inogadzirwa panguva yekuyedzwa kwebhokisi-dema kazhinji inongoitika kunze kwekunge iyo fuzzer iri shanduko-yakavakirwa fuzzer, iyo 'inodzidza' nekutarisa mashandiro ayo uye kushandisa iyo. ruzivo kunatsiridza fuzz data set.
White-bhokisi kuyedzwa kune rimwe divi rinoshandisa modhi yechirongwa chemukati chimiro kugadzira fuzz data. Iyi nzira inoita kuti fuzzer isvike kunzvimbo dzakaoma muchirongwa uye kuiyedza.
Yakakurumbira Fuzzing Zvishandiso
Kune zvakawanda zvekufungidzira midziyo kunze uko kushandiswa nepeni testers. Zvimwe zvezvinonyanya kufarirwa ndezvi:
Kuganhurirwa kweFuzzing
Nepo Fuzzing iri chaiyo inobatsira peni-yekuyedza tekinoroji, haina zvikanganiso zvayo. Zvimwe zvacho ndezvi:
- Zvinotora nguva yakati rebei kumhanya.
- Kupwanya uye mamwe maitiro asingatarisirwe anowanikwa panguva yekuyedzwa kwebhokisi-dema rechirongwa zvinogona kunetsa, kana zvisingaite kuongorora kana kugadzirisa.
- Kugadzira mutation templates ye smart mutation-based fuzzers inogona kutora nguva. Dzimwe nguva, zvingave zvisingatombogoneke nekuda kweiyo modhi yekuisa kuve muridzi kana kusazivikanwa.
Zvakangodaro, chishandiso chinobatsira uye chinodiwa kune chero munhu anoda kuwana tsikidzi pamberi pevakaipa.
mhedziso
Fuzzing inzira ine simba yekuyedza-peni iyo inogona kushandiswa kufumura kusasimba musoftware. Kune akawanda akasiyana marudzi efuzzers, uye fuzzers nyowani dziri kuvandudzwa nguva dzese. Nepo fuzzing iri chishandiso chinobatsira zvinoshamisa, ine painogumira. Semuyenzaniso, mafuzzers anogona kungowana kusazvibata kwakawanda uye anogona kunge aine zviwanikwa. Nekudaro, kana iwe uchida kuyedza nzira iyi inoshamisa iwe pachako, isu tine yemahara DNS Fuzzer API yaunogona kushandisa papuratifomu yedu.
Saka iwe uri kumirira chii?
