Grinder是比较有名的浏览器FUZZ框架,采用ruby语言编写,主要是作为测试框架来使用,在《白帽子讲浏览器安全》一书中作者使用了Nduja生成测试样本来配合Grinder使用。根据网上的资料,nduja、fileja的自动化部署默认都以Grinder作为支撑环境。

我个人觉得Grinder存在的意义在于能够快速部署我们想要的Fuzz样例而无需操心异常捕获、进程管理这些细节。

Grinder分为

Node:负责实际的FUZZ工作

Server:负责收集结果,主要是为了管理多台Fuzz机器

我这里只搭建了Node

  1. 安装ruby2.0环境,在Windows下我使用了RubyInstaller进行一键集成化的安装。
  2. 把.\grinder\node\data\x86\grinder_logger.dll放到c:\windows\system32\目录下
  3. 创建一个符号路径
  4. 修改config.rb把上面创建的符号路径和浏览器路径填进去
  5. 在FUZZ目录下制定测试的例子
  6. 运行ruby grinder.rb  --browser=BROWSER

Grinder是动态生成样本的。对于其它的fuzz来说是先生成待测试的样本,再由浏览器打开。但是Grinder会直接打开规则模版,动态生成样本。这样一来就需要对每次导致crash的值进行记录,Grinder通过向浏览器注入grinder_logger.dll,hook住Javascript中的parseFloat函数。在调用logger.log时,grinder_logger.dll设置的hook回调函数就可以记录下来其内容,并存储为log文件。因为要Hook javascript函数,也就是说要解析jscript9.dll,所以需要这个模块的符号。这就是我们第3布操作的作用。当成功进行Hook之后,会给出提示。

[+D+] Hooked JavaScript parseFloat() to grinder_logger.dll via proxy @ 0x99B0000

此外记录下来的log文件不是直接的样本,需要使用testcase.py进行解析。

.\grinder\node>ruby testcase.rb [--config=c:\path\to\CONFIG.RB] --log=c:\path\to\XXXXXXXX.XXXXXXXX.log --save=c:\path\to\XXXXXXXX.XXXXXXXX.html

About Nduja

根据上面的内容,我们可以看出Grinder其实只是提供了一些用于变异样本的语法,关键的内容还是要依靠自己来进行编写从而生成。

在这个基础上Rosario valotta开发了一套实际的fuzz策略称为Nduja Fuzzer

根据作者的介绍,得知Nduja的开发背景是在市面上已有DOM level1的fuzzer的情况下,去试图fuzz DOM level2和level3以获取更多的成果。

作者原话如下,我标注了一些重点出来:

The usual approach in browser fuzzing leverages on DOM Level 1 interfaces for performing DOM mutations:

  1. a big quantity of random HTML elements are created and randomly added to the HTML document tree
  2. the DOM tree is crawled and element references are collected for later reuse
  3. elements attributes and function calls are tweaked
  4. random DOM nodes are deleted
  5. garbage collection is forced
  6. collected references are crawled and tweaked again

This approach is effective but suffers from some design limitations:

  1. every DOM mutation (e.g. element tweaking, deletion, etc) is performed on a single HTML element, no mass mutations are managed
  2. the execution workflow  can only be altered by the cardinality and the type of randomly generated DOM nodes (e.g different tag names, attributes, etc).

The entropy of a browser fuzzer can be taken to a further level introducing some new functionalities defined in DOM Level 2 and Level 3 specifications.

即通过对DOM2和DOM3中的新特性进行Fuzz来增墒。 为此作者举了几个例子作以说明。

Working with aggregations of nodes (DOM Level 2)
DOM Level 2 specifications introduces several new interfaces that allow to perform mutations on collections of DOM elements.
For instance interfaces like DocumentFragment, Range, TextRange, SelectionRange allow to create logical nodes aggregations and execute CRUD mutations on them using a rich set of APIS. 
A quick list of these methods: createRange, deleteContents, extractContents, cloneContents, cloneRange, removeRange, createTextRange, pasteHTML, etc
The expectation is that each of the methods provided for the insertion, deletion and copying of contents can be directly mapped to a series of Node editing operations enabled by DOM Core. 
In this sense these operations can be viewed as convenience methods that also enable a browser implementation to optimize common editing patterns.
It turns out that implementation bugs in this methods can lead to serious memory corruption errors when not correctly mapped to atomic-safe node operations.

Using document traversal data structures (DOM Level 2)
In the classic fuzzer approach, crawling the DOM tree is performed walking the physical tree from the top level node (DOCTYPE or HTML) to the leaves using DOM Level 1 methods (.children, .parentNode, .nextSiebling, etc).
In DOM Level 2 several data structures are available to create logical view of a Document subtree (eg. NodeList, TreeWalker, NodeIterator); we refer to these as the logical views to distinguish them from the physical view, which corresponds to the document subtree per se. 
These logical views are dynamic, in the sense that they modify their structure to reflect changes made to the underlying document.
That's why some memory corruption scenarios arise when DOM mutations performed on the physical tree are not correctly managed on the logical counterpart.

Introducing events (DOM Level 3)
In order to add more entropy to the fuzzer workflow, events firing and propagation can be used. DOM Level 3 specification defines a standard way to create events, fire them and manage event listeners for every DOM node. On top of that, specification defines a standard for event propagation model.
From the spec page (http://www.w3.org/TR/DOM-Level-3-Events/#dom-event-architecture):
"Event objects are dispatched to an event target. At the beginning of the dispatch, implementations must first determine the event object's propagation path."
The propagation path of an event include 3 steps:

  1. capture phase: the event propagates through the target's ancestors from the document root to the target's parent. Event listeners registered for this phase handle the event before it reaches its target.
  2. target phase: the event arrives at the final target element. Event listeners registered for this phase  handle the event once it has reached its target.
  3. bubble phase: the event  propagates through the target's ancestors in reverse order, starting with the target's parent and ending with the document root element. Event listeners registered for this phase must handle the event after it has reached its target.

From the spec page: "The propagation path must be an ordered list of current event targets through which the event object must pass. For DOM implementations, the propagation path must reflect the hierarchical tree structure of the document. The last item in the list must be the event target; the preceding items in the list are referred to as the target's ancestors, and the immediately preceding item as the target's parent. Once determined, the propagation path must not be changed; for DOM implementations, this applies even if an element in the propagation path is moved within the DOM. or removed from the DOM. Additionally, exceptions inside event listeners must not stop the propagation of the event or affect the propagation path."

So the idea here is to let an event fire and alter the DOM tree structure after the propagation path has already been defined. This can be easily obtained attaching random eventListeners to every DOM element, setting the "capturable" flag to true. Whenever an event targeting a node is intercepted by a node's anchestor, some random operations on DOM tree are performed, removing o inserting whole sets of elements. Then the propagation of the event goes on.
Note: this technique proved to be  dramatically effective in crashing IE9/10, probably because IE9 is the first IE version to support standard W3C event model and is not still "bullet-proof".

The listeners map of a node can be altered during dispatch, but is immutable once the dispatch reached that node .

Once determined, the propagation path must not be changed, even if an element in the propagation path is moved/removed within the DOM

作者给出了Nduja的操作流程概述

  • Initialization
    • create a given number of random HTML elements
    • for each element tweak random attributes/functions/styles
    • for each element add a given number of event listeners
    • append the elements in a random position in the document tree
    • create logical views of a random DOM subtree (nodeIterator, treeWalker)
  • Crawling
    • Crawl DOM tree
    • Create random Range (or similar DOM Level 2 structure) and apply random mutatios on it (delete, insert,surround, etc)
    • Crawl DOM logical views
  • Event management: events are managed accordingly to the dispatching phase
    • if the event is in the capture/bubble phase:
      • remove some random event listeners from the current target
      • create random Range (or similar DOM Level 2 structure) and apply random mutatios on it (delete, insert,surround, etc)
      • crawl physical tree and logical views
    • if the event is in the target phase
      • add some other event listeners to the event target node

参考资料:

node
-browser
chrome.rb
firefox.rb
internetexplorer.rb
safari.rb
-core
debug
debugger.rb
debuggerexception.rb
heaphook.rb
hookedprocess.rb
logger.rb
processsymbols.rb
configuration.rb
crypt.rb
debugger.rb
logging.rb
server.rb
webstats.rb
xmlcrashlog.rb
-crashes
-data
-fuzzer
*.html
-lib
metasm
-source
--部分dll的源码
config.rb
crypto.rb
grinder.rb
reduction.rb
testcase.rb
server
--主要用于分布式节点的漏洞结果汇总,这里不再详述

http://www.freebuf.com/sectool/93130.html

http://blog.nsfocus.net/web-browser-fuzzing/

Grinder搭建小记与Nduja(这次不待续了)的更多相关文章

  1. thinkPHP环境搭建小记

    php一直以来都被人诟病,说什么设计得很糟糕,有种你别用啊,不然就别bb了.最近,森哥在去年暑假学习了php基础和mvc模式的基础上准备用尝试一下国产ThinkPHP框架. 1.搭建LAMP环境 我实 ...

  2. elk日志平台搭建小记

    最近抽出点时间,搭建了新版本的elk日志平台 elastaicsearch 和logstash,kibana和filebeat都是5.6版本的 中间使用redis做缓存,版本为3.2 使用的系统为ce ...

  3. samba服务器搭建小记

    经常要在局域网的linux和windows主机之间共享文件,我遇到了当年samba作者同样的问题,既然人家已经写好了这个软件那就直接拿来用吧. 首先,在linux主机上执行 sudo apt-get ...

  4. Ubuntu 14.04 LAMP搭建小记

    文章目录 LAMP WinQQ Ubuntu 的使用的建模工具 JDK Chormium flash Eclipse 无法找到Jre LAMP 参考资料: 1. 安装php环境   http://ww ...

  5. ADT Android开发环境搭建小记

    1.之前因为产品方向原因,Android开发暂时搁浅,最近重新启动,SDK Manager.exe不能启动的话用启动\sdk\tools\adroid.bat即可启动SDK Manager.exe 2 ...

  6. spark集群搭建(java)未完待续

    环境 操作系统:windows10 虚拟机工具:VMware14.1 NUX版本:Centos7.2(64) JDK:1.8(64) 一.安装linux,master(桥接模式上网),slave(na ...

  7. Maven搭建SpringMVC+Mybatis项目详解

    前言 最近比较闲,复习搭建一下项目,这次主要使用spring+SpringMVC+Mybatis.项目持久层使用Mybatis3,控制层使用SpringMVC4.1,使用Spring4.1管理控制器, ...

  8. Opencv Linux环境搭建(2)

    继上次ubuntu10.04搭建失败之后,这次又换了一个系统. 拿出之前闲置的笔记本,安装了ubuntu12.04,按照这里的教程开始搞起来: http://www.linuxidc.com/Linu ...

  9. Maven项目搭建(二):Maven搭建SSM框架

    上一章给大家讲解了如何使用Maven搭建web项目. 这次给大家介绍一下怎么使用Maven搭建SSM框架项目. 首先我们来看一下pom.xml的属性介绍: project: pom的xml根元素. p ...

随机推荐

  1. 数据库中增加操作insert into的用法和查询select的用法

    insert into的用法 1.一条insert into 可以插入多条记录 2.insert into 能判断主键是否冲突,和做出冲突处理 如果主键冲突的话会报错,还能写成如果冲突就更新的形式格式 ...

  2. iOS记录一常用的方法和语句

    1.当前控制器是否还显示,比较常用于网络请求回来页面已退出 //当前视图控制器是否在显示 +(BOOL)isCurrentViewControllerVisible:(UIViewController ...

  3. Cheerleaders UVA - 11806(容斥+二进制技巧)

    #include <iostream> #include <cstdio> #include <sstream> #include <cstring> ...

  4. bzoj 1012: [JSOI2008]最大数maxnumber (线段树)

    1012: [JSOI2008]最大数maxnumber Time Limit: 3 Sec  Memory Limit: 162 MBSubmit: 13081  Solved: 5654[Subm ...

  5. spring.net框架配置和使用

    spring.net框架学习笔记 spring.net框架是用于解决企业应用开发的复杂性的一种容器框架,它的一大功能IOC(控制反转),通俗解释就是通过spring.net框架的容器创建对象实体,而不 ...

  6. C++11 & C++14 & C++17新特性

    C++11:C++11包括大量的新特性:包括lambda表达式,类型推导关键字auto.decltype,和模板的大量改进. 新的关键字 auto C++11中引入auto第一种作用是为了自动类型推导 ...

  7. C#基础概念

    1.     面向对象的思想主要包括:继承 多态 封装 ●       封装:用抽象的数据类型将数据和基于数据的操作封装在一起,数据被保护在抽象数据类型内部. ●       继承:子类拥有父类的所有 ...

  8. linux BASH shell下设置字体及背景颜色

    BASH shell下设置字体及背景颜色 echo -e "\e[31mtest\e[41m" \e[30m 将字符的显示颜色改为黑色 \e[31m 将字符的显示颜色改为红色 \e ...

  9. python的面向对象-实例(对象)的相关知识、实例化

    1.对象就是实例,什么是实例 类运行的过程就是实例化的过程,实例化产生的结果就是产生了一个实例 class的牛逼之处就是不用手动的return,他会加载完函数之后,自动return  __init__ ...

  10. python---django中文件上传

    服务端: def upload(req): if req.method == "GET": return render(req, 'upload.html') else: prin ...