Camp 2007 - 1.01

Chaos Communication Camp 2007
To infinity and beyond

Speaker: Ben Kurtz
Schedule: Day 2, Room Shelter Bar, Start time 11:00, Duration 01:00
Info: ID 1959, Event type Lecture, Track Hacking, Language English

Introducing Funk: The Functional Fuzzer

and further explorations into the use of functional languages for network traffic generation

This talk will introduce a simple and incredibly powerful framework for the scripted generation of network traffic: Funk, a new tool for fuzzing arbitrary network protocols written using the Chicken Scheme-to-C compiler. Source code will be provided and explained, so you can start using this framework today for all your network traffic generation needs! Some familiarity with functional languages like Lisp or Scheme will be helpful, but not required.

At my talk at DefCon 13, I described a framework and development environment for the generation of network traffic of arbitrary protocols. This framework was limited by its reliance on a domain-specific language and the use of regular grammars.

By revisiting the same problem with a new perspective, the use of a functional language like Scheme, I've found a much simpler and more powerful approach. By using Chicken Scheme instead of a home-grown scripting language, even complicated protocols like ASN.1 can be fuzz-tested with ease.

The use of a functional language makes it possible to provide a unified interface to all network protocols. This allows the abstraction of behavior for traffic generating programs, like fuzzers.

Chicken Scheme has other advantages for network testing as well:

  • It can be run through an interpreter for debugging.
  • It can be compiled to fast and efficient native C code for scalability and embedding.
  • C and Scheme can be mixed and matched in both the interpreter and compiler.
  • Very dynamic and complicated protocols can be handled cleanly due to intrinsic properties of functional languages.

I will be providing code representing the core of the framework as well as a protocol fuzzer written using it.

In this talk, I will give a very brief introduction to functional languages and protocol testing (~5 min), briefly discuss the shortcomings of my previous solution, and why Scheme is a better fit for the problem. The rest of the time will be spent on the program itself: how to get started using the demo fuzzer and how to start using the framework for all your network traffic scripting needs.

I'll also be estimating the interest in moving this forward as an open source project!

Ideas for extending the environment include:

  • Filter/Receive/Inject support
  • Visual Script Design
  • Additional protocol support

Detailed Outline:

I. Introduction, Opening

II. Statement of Problem
  A. Initial Goals
    1. Fuzzing
    2. Flooding
    3. Spoofing
    4. Traffic Generation
  B. Long-term Goals
    1. Query-Response
    2. Arbitrary Network Scripting
    3. Rapid Prototyping/Virtual Servers
    4. Firewall and IDS
  C. Previous Attempt
    1. Overview
    2. Shortcomings

III. Choice of Tools
  A. Shortcomings of Procedural Approach
  B. Why Scheme?
    1. What the hell is Scheme anyway?
    2. Seriously, what's up with the parentheses?
    3. Why are LISP programmers so smug?
    4. Why can't you just use C like normal people?
  C. Why Chicken?
    1. Interpreted
    2. Compiles to straight C
    3. Functional language is right tool
  D. Chicken vs. Python
    1. Lies, Damn Lies, and ...
  E. To Wiretap or not to Wiretap

IV. Implementation Details and Source Code Review
  A. Protocol Representation
    1. Operation Tables
      i. Generating
      ii. Serializing
      iii. Validating
      iv. Querying
    2. Data Types
      i. Tables
      ii. Lambdas
    3. Dynamic Protocols
      i. IP/TCP Checksums
      ii. ICMP
      iii. ASN.1
  B. Packet Scripting
    1. Abstract Operations
    2. Flexibility
    3. Extensibility and Openness
  C. Future Work
    1. GUI, Long Term Goals
    2. Project Volunteers?

V. Demo (time permitting) ~10 minutes
  A. Live Network Fuzzing
  B. PCAP File Generation
  C. Binary Format Fuzzing

VI. Conclusion, Q&A
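The operation-table idea from outline section IV, as an added example in Chicken Scheme (this is not Funk's code, which the talk presents separately): a protocol is a table of fields carrying generate, serialize and validate operations, and the ICMP checksum is a lambda over the rest of the header, so fuzzed field values never leave the checksum stale. Assumes Chicken 5; the field names and sample values are constructed.

```scheme
;; Assumes Chicken 5. A field is (name width kind generator): kind is static or
;; dynamic; a generator maps the packet built so far (an alist) to a field value.
(import scheme (chicken base) (chicken bitwise))
(define (fixed v) (lambda (pkt) v))
;; Serialize an integer big-endian into `width` bytes (a list of 0..255).
(define (int->bytes v width)
  (let loop ((i (- width 1)) (acc '()))
    (if (< i 0) (reverse acc)
        (loop (- i 1) (cons (bitwise-and (arithmetic-shift v (* -8 i)) #xff) acc)))))
;; RFC 1071 Internet checksum: 16-bit one's-complement sum, then complement.
(define (inet-checksum bytes)
  (let loop ((bs bytes) (sum 0))
    (cond ((null? bs)
           (let carry ((s sum))
             (if (> s #xffff)
                 (carry (+ (bitwise-and s #xffff) (arithmetic-shift s -16)))
                 (bitwise-and (bitwise-not s) #xffff))))
          ((null? (cdr bs)) (loop '() (+ sum (* 256 (car bs)))))
          (else (loop (cddr bs) (+ sum (* 256 (car bs)) (cadr bs)))))))
;; Serializing: emit each field big-endian; `zero` names one field to emit as
;; zeros, so the checksum lambda can sum the very header it sits in.
(define (serialize table pkt zero)
  (apply append
         (map (lambda (f) (int->bytes (if (eq? (car f) zero) 0 (cdr (assq (car f) pkt)))
                                      (cadr f)))
              table)))
;; Generating: static fields first, then dynamic ones over the whole packet.
(define (generate table)
  (define (pass pkt kind)
    (let loop ((fs table) (pkt pkt))
      (cond ((null? fs) pkt)
            ((eq? (caddr (car fs)) kind)
             (loop (cdr fs) (cons (cons (caar fs) ((cadddr (car fs)) pkt)) pkt)))
            (else (loop (cdr fs) pkt)))))
  (pass (pass '() 'static) 'dynamic))
;; Validating: a correctly checksummed ICMP message sums to zero.
(define (valid? bytes) (zero? (inet-checksum bytes)))
;; ICMP echo request header as an operation table (constructed sample values);
;; the checksum is the dynamic field, a lambda over the rest of the header.
(define icmp-echo
  `((type 1 static ,(fixed 8)) (code 1 static ,(fixed 0))
    (checksum 2 dynamic ,(lambda (pkt) (inet-checksum (serialize icmp-echo pkt 'checksum))))
    (ident 2 static ,(fixed #x1234)) (seq 2 static ,(fixed 1))))
;; Fuzzing: swap one field's generator for each boundary value; the checksum follows.
(define (fuzz table name values)
  (map (lambda (v)
         (generate (map (lambda (f) (if (eq? (car f) name) (list name (cadr f) 'static (fixed v)) f))
                        table)))
       values))
(for-each (lambda (pkt) (let ((bs (serialize icmp-echo pkt #f))) (print bs " valid: " (valid? bs))))
          (fuzz icmp-echo 'seq '(0 1 #xfffe #xffff)))
```

Adding a protocol means adding a table, not new code paths: the same generate, serialize and validate operations apply unchanged, which is the unified interface the abstract describes.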