1 00:00:01,280 --> 00:00:12,559 [Music] 2 00:00:14,540 --> 00:00:17,630 hi guys okay let's go 3 00:00:17,630 --> 00:00:20,520 [Music] 4 00:00:20,520 --> 00:00:23,039 so what am I going to talk about this is 5 00:00:23,039 --> 00:00:25,080 just a warning so you can get out now in 6 00:00:25,080 --> 00:00:28,519 case it doesn't interest you anyway 7 00:00:28,680 --> 00:00:30,900 I have a strong desire to find security 8 00:00:30,900 --> 00:00:33,899 bugs well because it's fun and sometimes 9 00:00:33,899 --> 00:00:35,700 it pays the bills 10 00:00:35,700 --> 00:00:37,559 I think it's even better if you can find 11 00:00:37,559 --> 00:00:39,780 him while you're sleeping which means 12 00:00:39,780 --> 00:00:41,880 doing some fuzzing normally 13 00:00:41,880 --> 00:00:43,680 [Music] 14 00:00:43,680 --> 00:00:45,539 I'm gonna go through a series of 15 00:00:45,539 --> 00:00:47,640 problems I encountered when I was 16 00:00:47,640 --> 00:00:49,860 attempting to First in this case Adobe 17 00:00:49,860 --> 00:00:51,360 Reader 18 00:00:51,360 --> 00:00:53,219 hopefully 19 00:00:53,219 --> 00:00:55,620 good Solutions and if they're not good 20 00:00:55,620 --> 00:00:57,180 someone else can give me better 21 00:00:57,180 --> 00:00:59,640 Solutions and then well basically it's a 22 00:00:59,640 --> 00:01:01,800 step-by-step guide on how you 23 00:01:01,800 --> 00:01:05,780 can find the security bugs and stuff 24 00:01:05,820 --> 00:01:09,960 so if we look at fuzzing as a whole 25 00:01:09,960 --> 00:01:12,000 there are some things you must have when 26 00:01:12,000 --> 00:01:14,100 you want to do a fuzzing campaign right 27 00:01:14,100 --> 00:01:16,740 you need some sort of input generation 28 00:01:16,740 --> 00:01:19,200 to be fit to something which passes the 29 00:01:19,200 --> 00:01:21,720 input that input Generation Well the 30 00:01:21,720 --> 00:01:23,640 input you generate has to be 31 00:01:23,640 --> 00:01:27,240 conformant to Any Given standard that 32 
00:01:27,240 --> 00:01:28,759 the parser 33 00:01:28,759 --> 00:01:34,520 that the parser expects you want to 34 00:01:34,740 --> 00:01:37,979 a little bit closer better 35 00:01:37,979 --> 00:01:39,659 better now 36 00:01:39,659 --> 00:01:42,920 fantastic okay 37 00:01:43,320 --> 00:01:47,040 you need an input delivery mechanism 38 00:01:47,040 --> 00:01:49,200 where you can feed the input there's an 39 00:01:49,200 --> 00:01:51,960 end on my computer uh 40 00:01:51,960 --> 00:01:54,899 um we need an input delivery mechanism 41 00:01:54,899 --> 00:01:56,579 where you can feed 42 00:01:56,579 --> 00:01:59,640 the generated input to your Target and 43 00:01:59,640 --> 00:02:01,380 you want to execute your target as fast 44 00:02:01,380 --> 00:02:03,479 as possible because more executions 45 00:02:03,479 --> 00:02:05,520 means more test cases executed and so on 46 00:02:05,520 --> 00:02:08,699 and so on and so on you need a mechanism 47 00:02:08,699 --> 00:02:11,280 for fault detection so that you know if 48 00:02:11,280 --> 00:02:13,739 your generated input has caused a fault 49 00:02:13,739 --> 00:02:17,220 so you can do crazy duplication and 50 00:02:17,220 --> 00:02:19,800 similar things and fault analysis of 51 00:02:19,800 --> 00:02:21,920 course 52 00:02:22,400 --> 00:02:24,060 so 53 00:02:24,060 --> 00:02:26,280 when we look at 54 00:02:26,280 --> 00:02:28,319 the current state of the art inversing 55 00:02:28,319 --> 00:02:30,780 and that of course means something like 56 00:02:30,780 --> 00:02:33,360 AFL 57 00:02:33,360 --> 00:02:36,420 it's fantastic but it also takes work 58 00:02:36,420 --> 00:02:39,840 and it's actually it quickly becomes 59 00:02:39,840 --> 00:02:42,239 complicated at least if you want to do 60 00:02:42,239 --> 00:02:44,340 things 61 00:02:44,340 --> 00:02:45,300 um 62 00:02:45,300 --> 00:02:48,720 let's say as good as possible right so 63 00:02:48,720 --> 00:02:51,060 one of the problems well not problem as 64 00:02:51,060 --> 
00:02:53,160 such but one of the challenges is that 65 00:02:53,160 --> 00:02:54,660 modern fuzzing has evolved into 66 00:02:54,660 --> 00:02:57,599 something extremely complex so there's 67 00:02:57,599 --> 00:02:59,819 there's been in the later years there's 68 00:02:59,819 --> 00:03:02,220 been almost like a 69 00:03:02,220 --> 00:03:05,159 a revolution in how will forces perform 70 00:03:05,159 --> 00:03:08,700 and if you're not doing it the right way 71 00:03:08,700 --> 00:03:10,980 maybe it should 72 00:03:10,980 --> 00:03:13,080 but it doesn't have to be like that 73 00:03:13,080 --> 00:03:15,120 because bugs are so plentiful that 74 00:03:15,120 --> 00:03:18,180 they're still room for doing it 75 00:03:18,180 --> 00:03:20,640 just good enough right you don't have to 76 00:03:20,640 --> 00:03:21,720 do 77 00:03:21,720 --> 00:03:23,760 input tracing and hit tracing and 78 00:03:23,760 --> 00:03:24,959 function coverage and feedback 79 00:03:24,959 --> 00:03:27,379 reinforcing and all that stuff which is 80 00:03:27,379 --> 00:03:31,440 amazing but also complicated and this is 81 00:03:31,440 --> 00:03:33,299 what I refer to when I mean Park hunting 82 00:03:33,299 --> 00:03:34,920 for normal people because you don't have 83 00:03:34,920 --> 00:03:37,080 to 84 00:03:37,080 --> 00:03:39,900 be God's gift to computers or Ellen 85 00:03:39,900 --> 00:03:42,420 during to uh to be able to write for us 86 00:03:42,420 --> 00:03:45,480 to find bugs in actual contemporary 87 00:03:45,480 --> 00:03:48,060 software you can just 88 00:03:48,060 --> 00:03:50,099 start symbol and then just sort of make 89 00:03:50,099 --> 00:03:51,599 it up as you go and see where it takes 90 00:03:51,599 --> 00:03:53,459 you 91 00:03:53,459 --> 00:03:56,819 so for Adobe Reader 92 00:03:56,819 --> 00:03:58,799 um the first problem you'll encounter is 93 00:03:58,799 --> 00:04:01,739 that once back in the day it was enough 94 00:04:01,739 --> 00:04:03,840 to just download random PDF files 
off 95 00:04:03,840 --> 00:04:05,280 the internet 96 00:04:05,280 --> 00:04:08,099 and just do some random mutations in 97 00:04:08,099 --> 00:04:09,780 them and do some bit flipping and 98 00:04:09,780 --> 00:04:11,459 whatever insert weird strings and that 99 00:04:11,459 --> 00:04:13,439 would be enough to find exploitable 100 00:04:13,439 --> 00:04:15,420 vulnerabilities where you 101 00:04:15,420 --> 00:04:17,459 the smash your function pointer or 102 00:04:17,459 --> 00:04:20,459 something else which could be 103 00:04:20,459 --> 00:04:22,560 sort of trivial to exploit 104 00:04:22,560 --> 00:04:23,820 um 105 00:04:23,820 --> 00:04:27,180 Excuse excuse me 106 00:04:27,180 --> 00:04:29,520 this is no longer the case if you look 107 00:04:29,520 --> 00:04:32,699 at checkpoint research they made a 108 00:04:32,699 --> 00:04:35,880 a pretty good post called I think it was 109 00:04:35,880 --> 00:04:37,979 50 bucks in 50 days or something where 110 00:04:37,979 --> 00:04:38,820 they 111 00:04:38,820 --> 00:04:40,139 um 112 00:04:40,139 --> 00:04:42,060 they first a lot of the Adobe Reader 113 00:04:42,060 --> 00:04:45,240 binary content passes using I think it 114 00:04:45,240 --> 00:04:47,759 was winning the excellent article but 115 00:04:47,759 --> 00:04:49,440 that sort of also 116 00:04:49,440 --> 00:04:52,139 took away well it took away at least 50 117 00:04:52,139 --> 00:04:54,479 of the bugs in Adobe Reader right which 118 00:04:54,479 --> 00:04:55,919 is bad for 119 00:04:55,919 --> 00:04:59,040 us who else the rest of us who wants to 120 00:04:59,040 --> 00:05:00,419 find bugs in it 121 00:05:00,419 --> 00:05:03,240 um so the solution for that problem is 122 00:05:03,240 --> 00:05:05,660 to 123 00:05:06,660 --> 00:05:08,400 take a step back and find out what else 124 00:05:08,400 --> 00:05:10,979 you can attack which is not the binary 125 00:05:10,979 --> 00:05:14,039 passes that checkpoint has referred to 126 00:05:14,039 --> 00:05:17,400 death and I 
figured maybe we can just 127 00:05:17,400 --> 00:05:20,280 find uh unflippable functionality in the 128 00:05:20,280 --> 00:05:22,560 software meaning that I can't just bit 129 00:05:22,560 --> 00:05:24,419 flip my way to a memory corruption and 130 00:05:24,419 --> 00:05:27,900 go woohoo money right so instead of 131 00:05:27,900 --> 00:05:30,419 looking at that you can look at the PDF 132 00:05:30,419 --> 00:05:33,120 spec it's very long and not super 133 00:05:33,120 --> 00:05:36,120 interesting but it 134 00:05:36,120 --> 00:05:38,880 it gives you an idea of what the formal 135 00:05:38,880 --> 00:05:41,400 action supports and in this case it's 136 00:05:41,400 --> 00:05:43,380 JavaScript so it's been supporting 137 00:05:43,380 --> 00:05:46,560 JavaScript since around Y2K and you 138 00:05:46,560 --> 00:05:48,419 cannot just 139 00:05:48,419 --> 00:05:50,280 build flip JavaScript and find good 140 00:05:50,280 --> 00:05:52,259 boards well you can find some but but 141 00:05:52,259 --> 00:05:54,560 nothing 142 00:05:55,259 --> 00:05:57,300 the amount of compute Cycles you need to 143 00:05:57,300 --> 00:06:00,360 do to just do blind mutation 144 00:06:00,360 --> 00:06:02,520 on JavaScript and hope to find boxes 145 00:06:02,520 --> 00:06:04,979 through the roof I mean it is possible 146 00:06:04,979 --> 00:06:07,259 I've done it but it is it's also a waste 147 00:06:07,259 --> 00:06:10,280 of cycles and pretty stupid 148 00:06:10,919 --> 00:06:14,039 so when we look at versing a very 149 00:06:14,039 --> 00:06:15,600 important part of it is the input 150 00:06:15,600 --> 00:06:16,860 generation right 151 00:06:16,860 --> 00:06:19,080 and I only have a limited idea on how to 152 00:06:19,080 --> 00:06:21,360 make smart evil input it's pretty easy 153 00:06:21,360 --> 00:06:22,740 when it's binding forward because you 154 00:06:22,740 --> 00:06:23,639 can just 155 00:06:23,639 --> 00:06:26,220 flip bits and brute force your way to a 156 00:06:26,220 --> 
00:06:28,620 solution right but in a textual context 157 00:06:28,620 --> 00:06:32,580 it's not very easy to to make smart evil 158 00:06:32,580 --> 00:06:34,440 input 159 00:06:34,440 --> 00:06:37,259 but some smart people in this case the 160 00:06:37,259 --> 00:06:39,720 guys from Mozilla I think released some 161 00:06:39,720 --> 00:06:43,020 free tools with a proven track record in 162 00:06:43,020 --> 00:06:45,240 this case Dharma from Mozilla tomato is 163 00:06:45,240 --> 00:06:46,740 from one of the guys at Google and 164 00:06:46,740 --> 00:06:49,620 redempts is from some Finnish guy for 165 00:06:49,620 --> 00:06:53,819 this one I settled on Dharma which is a 166 00:06:53,819 --> 00:06:56,039 generation based currency extreme 167 00:06:56,039 --> 00:06:58,620 grandmother and you can also use tomato 168 00:06:58,620 --> 00:07:00,180 if you're so inclined but I had used 169 00:07:00,180 --> 00:07:02,699 Dharma before for something else so it 170 00:07:02,699 --> 00:07:05,400 was natural to settle on this 171 00:07:05,400 --> 00:07:07,560 and what is a generation based context 172 00:07:07,560 --> 00:07:08,699 for your grandma first it sounds 173 00:07:08,699 --> 00:07:10,979 complicated but it's actually 174 00:07:10,979 --> 00:07:13,560 not because this is 175 00:07:13,560 --> 00:07:16,380 a grammar file I made for them just a 176 00:07:16,380 --> 00:07:20,520 for armor just a symbol grammar and as 177 00:07:20,520 --> 00:07:22,860 you can see here I instructed to 178 00:07:22,860 --> 00:07:23,819 generate 179 00:07:23,819 --> 00:07:27,180 output output must consist of either 180 00:07:27,180 --> 00:07:29,099 first one or second one it's going to 181 00:07:29,099 --> 00:07:30,840 pick one at random 182 00:07:30,840 --> 00:07:32,699 first one 183 00:07:32,699 --> 00:07:35,460 when we look at this consists of the 184 00:07:35,460 --> 00:07:37,800 string first one and then something 185 00:07:37,800 --> 00:07:39,780 which will be expanded in this case a 186 
00:07:39,780 --> 00:07:41,340 parameter and a parameter and a 187 00:07:41,340 --> 00:07:43,259 parameter and then maybe with two 188 00:07:43,259 --> 00:07:45,539 parameters or with one or with none and 189 00:07:45,539 --> 00:07:48,180 second one is the same right and then 190 00:07:48,180 --> 00:07:50,699 parameter pulls from the standard 191 00:07:50,699 --> 00:07:54,539 library inside Dharma where it can put 192 00:07:54,539 --> 00:07:57,419 in a Boolean a digit integers 193 00:07:57,419 --> 00:07:59,759 all that stuff so you don't need to come 194 00:07:59,759 --> 00:08:02,759 up with what could be bad data right the 195 00:08:02,759 --> 00:08:07,759 the framework will handle that for you 196 00:08:07,919 --> 00:08:10,199 so you basically just describe the 197 00:08:10,199 --> 00:08:12,300 constraints free output in the in the 198 00:08:12,300 --> 00:08:14,039 grammar file and download will Generate 199 00:08:14,039 --> 00:08:16,199 random but well-formed input provided 200 00:08:16,199 --> 00:08:18,240 you make it well from grammar files 201 00:08:18,240 --> 00:08:20,479 right 202 00:08:20,940 --> 00:08:25,379 boom yes so this is what the grammar 203 00:08:25,379 --> 00:08:29,520 will output so we can see that it first 204 00:08:29,520 --> 00:08:31,379 iteration it just picked the thing 205 00:08:31,379 --> 00:08:33,479 called first one with no parameters and 206 00:08:33,479 --> 00:08:36,620 second one so subsequent 207 00:08:36,620 --> 00:08:39,958 uh executions of the person will just 208 00:08:39,958 --> 00:08:42,059 keep generating 209 00:08:42,059 --> 00:08:44,540 well-formed but 210 00:08:44,540 --> 00:08:47,420 malformed data if that makes sense so 211 00:08:47,420 --> 00:08:51,319 malicious in some sense right 212 00:08:51,540 --> 00:08:53,820 cool thing about Dharma it's written in 213 00:08:53,820 --> 00:08:54,980 Python 214 00:08:54,980 --> 00:08:58,260 the standard library of edge cases is 215 00:08:58,260 --> 00:09:00,920 fairly extensive so it 
covers all the 216 00:09:00,920 --> 00:09:03,720 well it covers integer overflows and all 217 00:09:03,720 --> 00:09:06,300 the edge case integers around where if 218 00:09:06,300 --> 00:09:08,940 you increase by one it goes negative and 219 00:09:08,940 --> 00:09:12,060 all that stuff it's easy to extend the 220 00:09:12,060 --> 00:09:13,860 grammar as well so you can just put in 221 00:09:13,860 --> 00:09:15,000 something like this where you go 222 00:09:15,000 --> 00:09:19,560 overflow and then repeat so this is like 223 00:09:19,560 --> 00:09:23,479 a macro which will expand 224 00:09:26,420 --> 00:09:30,180 and if you I mean it's really easy to 225 00:09:30,180 --> 00:09:32,459 modify the generators which means that 226 00:09:32,459 --> 00:09:34,620 you can put in your own secret sauce so 227 00:09:34,620 --> 00:09:36,899 even if you happen to write a grammar 228 00:09:36,899 --> 00:09:39,240 file which is exactly identical to the 229 00:09:39,240 --> 00:09:42,240 guy next to you if you extended some of 230 00:09:42,240 --> 00:09:45,120 the Badness Library you have a chance of 231 00:09:45,120 --> 00:09:46,740 finding bugs that that he won't find 232 00:09:46,740 --> 00:09:48,260 right 233 00:09:48,260 --> 00:09:50,100 uh 234 00:09:50,100 --> 00:09:51,839 you can steal the bad string library 235 00:09:51,839 --> 00:09:54,060 from something like Boo first which I 236 00:09:54,060 --> 00:09:55,500 and I think that one stole most of it 237 00:09:55,500 --> 00:09:58,380 from Spike back in the day 238 00:09:58,380 --> 00:10:01,019 well first is the continuation of Sully 239 00:10:01,019 --> 00:10:02,339 which stole the strings from the back 240 00:10:02,339 --> 00:10:04,640 anyway 241 00:10:04,920 --> 00:10:06,959 it's a good idea to ensure that this 242 00:10:06,959 --> 00:10:10,140 generated data is valid and monitor the 243 00:10:10,140 --> 00:10:12,420 output for syntax errors because 244 00:10:12,420 --> 00:10:15,600 as you can see in the bottom here I've 245 
00:10:15,600 --> 00:10:18,360 generated some some data 246 00:10:18,360 --> 00:10:22,200 which is not valid and this means that 247 00:10:22,200 --> 00:10:24,560 the password will actually 248 00:10:24,560 --> 00:10:24,959 [Music] 249 00:10:24,959 --> 00:10:25,860 um 250 00:10:25,860 --> 00:10:28,260 it'll bail out because you cannot catch 251 00:10:28,260 --> 00:10:30,899 the you cannot catch syntax errors so 252 00:10:30,899 --> 00:10:32,160 you can catch 253 00:10:32,160 --> 00:10:34,200 uh let's say violent found exceptions 254 00:10:34,200 --> 00:10:35,839 and other things but you cannot catch 255 00:10:35,839 --> 00:10:40,940 syntheters so you have to make sure that 256 00:10:41,399 --> 00:10:44,700 it's syntactically valid to show that 257 00:10:44,700 --> 00:10:45,899 it's not 258 00:10:45,899 --> 00:10:48,060 being rejected by the initial passing 259 00:10:48,060 --> 00:10:49,860 mechanism which does some magic before 260 00:10:49,860 --> 00:10:53,300 it's executed right 261 00:10:54,959 --> 00:10:57,839 next problem you're going to encounter 262 00:10:57,839 --> 00:11:02,100 is that Dharma and tomato they don't 263 00:11:02,100 --> 00:11:04,079 in themselves know anything about PDF 264 00:11:04,079 --> 00:11:07,320 specific things so you have to make all 265 00:11:07,320 --> 00:11:09,720 the PDF stuff yourself right and if you 266 00:11:09,720 --> 00:11:11,399 say well I'll just 267 00:11:11,399 --> 00:11:13,560 use the standout grammar and first the 268 00:11:13,560 --> 00:11:15,959 JavaScript engine well it's a waste of 269 00:11:15,959 --> 00:11:17,820 time in the Adobe Reader case because 270 00:11:17,820 --> 00:11:20,399 it's spider monkey which is the 271 00:11:20,399 --> 00:11:24,380 JavaScript engine from Mozilla 272 00:11:24,420 --> 00:11:26,640 and it has been since 273 00:11:26,640 --> 00:11:29,160 maybe it started with the reader DC I 274 00:11:29,160 --> 00:11:30,540 don't know but it's it's been like that 275 00:11:30,540 --> 00:11:32,820 
for quite a while it's of course a 276 00:11:32,820 --> 00:11:34,380 heavily modified spider monkey because 277 00:11:34,380 --> 00:11:36,180 all the PDF is 278 00:11:36,180 --> 00:11:39,240 specific JavaScript things I bolted on 279 00:11:39,240 --> 00:11:40,740 by Adobe 280 00:11:40,740 --> 00:11:41,420 um 281 00:11:41,420 --> 00:11:44,279 afterwards and you can 282 00:11:44,279 --> 00:11:47,100 maybe if you follow the spider monkey 283 00:11:47,100 --> 00:11:49,380 bar trigger maybe you can find when they 284 00:11:49,380 --> 00:11:51,600 fix a bug it's most likely not going to 285 00:11:51,600 --> 00:11:52,800 be 286 00:11:52,800 --> 00:11:55,019 fixed in the version that adobe has 287 00:11:55,019 --> 00:11:56,760 imported at least not instantly so 288 00:11:56,760 --> 00:11:58,860 there's there's quite a bit of latency 289 00:11:58,860 --> 00:12:00,899 period there where you you can score 290 00:12:00,899 --> 00:12:02,579 some quick wins maybe 291 00:12:02,579 --> 00:12:03,420 um 292 00:12:03,420 --> 00:12:05,339 so 293 00:12:05,339 --> 00:12:06,959 it's just a matter of finding something 294 00:12:06,959 --> 00:12:09,360 PDF related and JavaScript from the 295 00:12:09,360 --> 00:12:11,820 JavaScript reference write a grammar 296 00:12:11,820 --> 00:12:14,040 file and Away you go 297 00:12:14,040 --> 00:12:16,500 if you look at the PDF JavaScript 298 00:12:16,500 --> 00:12:19,079 reference it's 299 00:12:19,079 --> 00:12:22,860 it's been updated it was updated in 21 300 00:12:22,860 --> 00:12:26,399 after maybe 10 years of nothing right 301 00:12:26,399 --> 00:12:30,240 it's actually pretty well sorted into uh 302 00:12:30,240 --> 00:12:33,300 the overall API and the properties and 303 00:12:33,300 --> 00:12:35,399 methods so you can focus on complex or 304 00:12:35,399 --> 00:12:37,200 interactive parts and you can actually 305 00:12:37,200 --> 00:12:38,399 just 306 00:12:38,399 --> 00:12:41,820 browse the table of contents as I do 307 00:12:41,820 --> 
00:12:45,240 here and see that The annotation object 308 00:12:45,240 --> 00:12:48,360 has a bunch of properties and then you 309 00:12:48,360 --> 00:12:50,040 go a bit down and you see that it also 310 00:12:50,040 --> 00:12:51,779 has methods 311 00:12:51,779 --> 00:12:54,720 so maybe that's an easy target to pick 312 00:12:54,720 --> 00:12:57,980 it well I know it is 313 00:12:58,920 --> 00:13:02,040 then we come to the lies the computer is 314 00:13:02,040 --> 00:13:04,620 lying as usual all the document is lying 315 00:13:04,620 --> 00:13:07,620 because if you dump the search object 316 00:13:07,620 --> 00:13:09,240 from 317 00:13:09,240 --> 00:13:11,579 within the JavaScript console in Adobe 318 00:13:11,579 --> 00:13:15,480 Reader you will see that 319 00:13:15,480 --> 00:13:18,180 uh yeah okay I dumped the search object 320 00:13:18,180 --> 00:13:19,920 and then when you compare it to the 321 00:13:19,920 --> 00:13:22,860 actual documentation and the search 322 00:13:22,860 --> 00:13:25,019 methods according to the Dockers add 323 00:13:25,019 --> 00:13:26,880 index get index query and remove index 324 00:13:26,880 --> 00:13:29,700 but when you dump the object itself live 325 00:13:29,700 --> 00:13:31,500 you will see that there's a method 326 00:13:31,500 --> 00:13:33,600 called get index as well and there's 327 00:13:33,600 --> 00:13:35,760 also an undocumented property 328 00:13:35,760 --> 00:13:37,680 why is that good well it's good because 329 00:13:37,680 --> 00:13:39,839 it's either really old code which is 330 00:13:39,839 --> 00:13:42,060 supposed to go away and it's not no 331 00:13:42,060 --> 00:13:43,680 longer maintained and no longer kept in 332 00:13:43,680 --> 00:13:46,220 the table of contents or its new stuff 333 00:13:46,220 --> 00:13:49,320 which may mean that since it's let's say 334 00:13:49,320 --> 00:13:51,959 undocumented it may be a good area to 335 00:13:51,959 --> 00:13:52,680 find 336 00:13:52,680 --> 00:13:55,260 unboxing since 
nobody knows it exists 337 00:13:55,260 --> 00:13:57,660 right I've definitely found bugs in 338 00:13:57,660 --> 00:13:59,880 Adobe Reader where the documentation 339 00:13:59,880 --> 00:14:02,459 didn't mention any uh there were no 340 00:14:02,459 --> 00:14:05,339 references to some API it had but but it 341 00:14:05,339 --> 00:14:08,120 still worked right 342 00:14:08,279 --> 00:14:11,880 so if we go back to the Dharma stuff and 343 00:14:11,880 --> 00:14:14,579 look at The annotation properties 344 00:14:14,579 --> 00:14:17,339 and also here the alignment attachment 345 00:14:17,339 --> 00:14:20,880 AP blah blah all that stuff 346 00:14:20,880 --> 00:14:23,339 you just Define a grammar where you say 347 00:14:23,339 --> 00:14:26,899 the error properties can be known 348 00:14:26,899 --> 00:14:30,079 it's just 349 00:14:30,779 --> 00:14:33,000 this is the I would say this is one of 350 00:14:33,000 --> 00:14:34,860 the easiest ways of finding bugs 351 00:14:34,860 --> 00:14:37,019 actually because you just have to 352 00:14:37,019 --> 00:14:40,079 sit and transcribe the documentation 353 00:14:40,079 --> 00:14:43,199 from the JavaScript reference into a 354 00:14:43,199 --> 00:14:44,579 grammar file that darma can understand 355 00:14:44,579 --> 00:14:48,540 and then it's going to start generating 356 00:14:48,540 --> 00:14:50,880 malicious input that you can read and 357 00:14:50,880 --> 00:14:52,800 then bugs are gonna 358 00:14:52,800 --> 00:14:55,620 rain so it's pretty easy and it's pretty 359 00:14:55,620 --> 00:14:56,699 fun 360 00:14:56,699 --> 00:14:59,760 if you look at what the output from 361 00:14:59,760 --> 00:15:01,380 Dharma is for The annotation properties 362 00:15:01,380 --> 00:15:03,120 it's going to look like this where well 363 00:15:03,120 --> 00:15:04,680 for the set properties 364 00:15:04,680 --> 00:15:07,680 so it's going to sit a bunch of weird in 365 00:15:07,680 --> 00:15:08,579 this case still a bunch of weird 366 00:15:08,579 --> 
00:15:11,459 properties do something with State 367 00:15:11,459 --> 00:15:14,579 models and maybe it's gonna 368 00:15:14,579 --> 00:15:17,579 change a logo and then call a function 369 00:15:17,579 --> 00:15:19,380 and then something bad is going to 370 00:15:19,380 --> 00:15:21,899 happen eventually 371 00:15:21,899 --> 00:15:25,320 so this is this output is well formed 372 00:15:25,320 --> 00:15:28,820 but nonsense right 373 00:15:29,100 --> 00:15:31,620 so next problem you're going to 374 00:15:31,620 --> 00:15:34,199 encounter sadly is that uh 375 00:15:34,199 --> 00:15:36,420 Adobe Reader is now 376 00:15:36,420 --> 00:15:38,639 it's no longer just something which 377 00:15:38,639 --> 00:15:41,220 passes and does stuff since reader DC 378 00:15:41,220 --> 00:15:43,620 it's split up 379 00:15:43,620 --> 00:15:46,920 uh with the standard renderer and broker 380 00:15:46,920 --> 00:15:49,800 model so the renderer is sandboxed and 381 00:15:49,800 --> 00:15:52,019 asks the broker process if it's allowed 382 00:15:52,019 --> 00:15:54,240 to do search inserts and such but but it 383 00:15:54,240 --> 00:15:56,639 also means that 384 00:15:56,639 --> 00:15:58,980 there's multiple processes that talk IPC 385 00:15:58,980 --> 00:16:01,320 and PDF surrendered in tabs and so on 386 00:16:01,320 --> 00:16:03,540 and so on and so on so you can't just 387 00:16:03,540 --> 00:16:06,060 start it twice and say you run this 388 00:16:06,060 --> 00:16:08,519 input and you run that input and if you 389 00:16:08,519 --> 00:16:10,440 guys should save it 390 00:16:10,440 --> 00:16:13,259 a pretty easy solution is to First on OS 391 00:16:13,259 --> 00:16:14,699 X instead 392 00:16:14,699 --> 00:16:16,259 because that one doesn't have a problem 393 00:16:16,259 --> 00:16:18,600 with spawning 20 simultaneous Adobe 394 00:16:18,600 --> 00:16:22,680 readers because well posix I guess 395 00:16:22,680 --> 00:16:24,839 or just use Virtual machines for 396 00:16:24,839 --> 00:16:27,839 
isolation and scaling it's super 397 00:16:27,839 --> 00:16:30,000 primitive but it's also cheap 398 00:16:30,000 --> 00:16:33,480 if you need to 399 00:16:33,480 --> 00:16:35,339 um 400 00:16:35,339 --> 00:16:37,199 if you wanna 401 00:16:37,199 --> 00:16:38,820 make it so that you can run it over 402 00:16:38,820 --> 00:16:40,940 reader multiple times in the same 403 00:16:40,940 --> 00:16:43,139 Windows instance I mean you need to 404 00:16:43,139 --> 00:16:45,720 reverse it and find someone who knows 405 00:16:45,720 --> 00:16:47,339 what they're doing to to sort of give 406 00:16:47,339 --> 00:16:50,759 away the cannot run twice logic it's not 407 00:16:50,759 --> 00:16:55,740 worth it because Hardware is cheap and 408 00:16:55,740 --> 00:16:57,839 if you find a solution to make it run 409 00:16:57,839 --> 00:16:58,920 twice 410 00:16:58,920 --> 00:17:01,139 it's going to get updated and you'll 411 00:17:01,139 --> 00:17:02,759 need to reapply that solution with 412 00:17:02,759 --> 00:17:04,439 different offsets or whatever it's a 413 00:17:04,439 --> 00:17:07,400 nightmare and it's not not worth it 414 00:17:07,400 --> 00:17:10,619 the next problem when you start an 415 00:17:10,619 --> 00:17:12,660 application there's a bunch of work 416 00:17:12,660 --> 00:17:14,880 being done in loading libraries and 417 00:17:14,880 --> 00:17:18,179 other boring disk IO so I was thinking 418 00:17:18,179 --> 00:17:20,099 maybe you can just rip out the 419 00:17:20,099 --> 00:17:23,160 JavaScript engine and first that one 420 00:17:23,160 --> 00:17:25,260 turns out it's extremely complicated 421 00:17:25,260 --> 00:17:28,140 it's not like there's a javascript.tll 422 00:17:28,140 --> 00:17:30,660 which exports a function called pass 423 00:17:30,660 --> 00:17:33,900 JavaScript right sadly so extremely 424 00:17:33,900 --> 00:17:35,820 complicated and I I wanted something 425 00:17:35,820 --> 00:17:37,559 simple not a six month conversion 426 00:17:37,559 --> 00:17:40,520 
project so 427 00:17:40,620 --> 00:17:44,280 solution is to we'll just 428 00:17:44,280 --> 00:17:48,260 no solution right now 429 00:17:48,660 --> 00:17:51,240 so what I ended up with is start the 430 00:17:51,240 --> 00:17:52,799 application only once and then just 431 00:17:52,799 --> 00:17:54,780 instrument the GUI 432 00:17:54,780 --> 00:17:57,419 to avoid restarting the application the 433 00:17:57,419 --> 00:18:00,900 good part about that is that you have 434 00:18:00,900 --> 00:18:04,860 you have a live PDF document with the 435 00:18:04,860 --> 00:18:07,559 with a Dom that you can interact with so 436 00:18:07,559 --> 00:18:10,380 you're all of a sudden it don't know me 437 00:18:10,380 --> 00:18:13,020 that with this you're you're not 438 00:18:13,020 --> 00:18:14,640 you're not forcing the JavaScript 439 00:18:14,640 --> 00:18:16,740 parsing you're actually forcing the the 440 00:18:16,740 --> 00:18:19,260 Dom itself which is a lot more useful 441 00:18:19,260 --> 00:18:21,900 because that's where all the well all 442 00:18:21,900 --> 00:18:23,220 the Dom interactions are what's going to 443 00:18:23,220 --> 00:18:24,660 lead to you so if the reason all that 444 00:18:24,660 --> 00:18:25,620 stuff 445 00:18:25,620 --> 00:18:26,280 um 446 00:18:26,280 --> 00:18:27,780 and then 447 00:18:27,780 --> 00:18:29,880 I mean yes it is cheesy but it works 448 00:18:29,880 --> 00:18:31,440 well with just two periodic housekeeping 449 00:18:31,440 --> 00:18:34,440 restarts so fire off a thousand test 450 00:18:34,440 --> 00:18:36,539 cases restart the application and and 451 00:18:36,539 --> 00:18:39,140 done right 452 00:18:39,840 --> 00:18:42,960 so how do you get the console well you 453 00:18:42,960 --> 00:18:45,780 make your own console.pdf DDA Stevens 454 00:18:45,780 --> 00:18:49,679 has made a few PDF tools including one 455 00:18:49,679 --> 00:18:52,500 which can make a PDF which contains 456 00:18:52,500 --> 00:18:54,059 JavaScript that will be executed 
[00:18:54] when you open it, and then as the script you just put in this console.show(), so you can pop an interactive JavaScript console from the regular Reader and not just the professional version, which you normally need to do JavaScript development. And this also works for Foxit. In the case of Adobe Reader there's this Acro help object you can pass as an argument; I think they've stopped maintaining it, because it works for some things and then it also definitely doesn't work for a lot of things.

[00:19:27] So the next problem is that you have the input and you know where to put it, so you can get rid of the startup overhead, but how do you get it there? Do you sit and copy-paste the input you generated? No, you do not, you just use pywinauto and pyperclip. Doing it like this, where you generate the input externally, has a distinct advantage over in-DOM fuzzing, because you have a precise log of all the DOM manipulations you attempt to perform.

[00:20:06] I made another fuzzer where I just do stuff: a bunch of JavaScript stuck in and executed, where it does DOM manipulations, and the problem is that when something goes wrong you don't really know what went wrong, because logging is hard. So I made a really, this is the worst thing I've ever done I think, as a log function I tried to read a file where I get a permission denied, but it's still gonna log the input. So let's say my input is this, and then I'm gonna try to read a file called blah, right, and it's going to fail, but it's still gonna show up in something like Procmon, so I can just do API monitoring and see that it gets access denied by trying to read this file, but I still have the log of the stuff that I fed into it, right. So that's a way of doing fuzz logging inside the DOM, but it's a nightmare, it's definitely trash. And it's also easy, when you do the DOM manipulations from inside the DOM, to end up in a situation where, when your fuzzer lives in the DOM, your fuzzer can do a manipulation which destroys your fuzzer, right, because then all of a sudden rain is no longer a function, because you've destroyed it with your fuzzer. So, ah, not very good.

[00:21:30] So for the GUI automation, pywinauto: fantastic. You can write some Python code, you can attach to processes, you can find the dialogs you need and just make it click all the buttons and do all the things. If you spawn it with pywinauto it prevents easy debugging, but the solution is just to not spawn it with pywinauto; you can just attach afterwards with the pywinauto Application().connect(), right.

[00:22:00] The next problem you're going to have, and this is something you can only find once you've found your first crash, right, because if everything is working as intended and the program is not crashing then you'll never encounter these weird error dialogs, but then once you've found your first crash and your fuzzer says "we'll continue", it's
just gonna stall, so you need some handling of error dialogs as well. In the Foxit Reader case that's fun, because if you feed a bunch of script, script, script, it's going to pop up this "enter no more than 256 characters" dialog, but you can still keep feeding script to the console and it's just gonna get queued, and then when you click OK the next 200 lines of script are going to get executed. So that makes it really weird and something you need to handle. Specifically I just patched out the call to the message box in this case, because otherwise it was impossible to find out what part of the script actually caused the crashes in Foxit.

[00:23:21] Yes, next problem: pywinauto Windows GUI automation stops working after a while. I don't know if some handles are leaking or something; just reboot the machine. And it's a lot, I mean, rebooting wastes 15 seconds of your fuzzing runtime, and trying to investigate why it fails, well, that you can always waste time on, right, and maybe you can't even do anything about it. If you use the 64-bit pywinauto for 32-bit apps you're gonna have the problems arise more often, but you no longer need to maintain two different Python installations, because the recent Acrobat is now 64-bit, finally, woohoo.

[00:24:15] Next problem with Acrobat: the JavaScript console is the worst JavaScript console you will ever try in your life. There's a maximum of 3200 lines of script, but the solution is to just generate your input in chunks and just feed it a thousand lines at a time, and this doubles as an easy fault indicator as well. What I mean by that is that if I cannot feed my chunk of data through the dialog, then something bad has happened and I can act accordingly; I know that, well, something bad happened.

[00:24:55] So your next problem once you start finding crashes: well, PyDbg hasn't worked for quite a while, and WinDbg is a pain in the ass, a lot of things. Well, running Adobe Reader under a debugger while you're fuzzing it is also a complete waste of time, and my solution to this was just don't do it, because when you look at the way it works when I do the sequential input feeding: I feed this data and then eventually the app crashes, I'm no longer able to feed the data, so I know it crashed, and then I can just save that data, right. So there's no need to do this advanced fault detection at runtime using a debugger. If you're so inclined you can also catch faults with minidumps, but in this case it's not needed, because if you cannot feed the script you know that something's up, and then you have a solution, right.

[00:26:03] Next problem: well, something you're going to find out when you wanna combine the sequence of data into something that can reproduce the crash is that the disk IO, well, I use Cygwin,
is super slow with the exec overhead, so as you can see it takes like seven and a half seconds to concatenate a few files. Do it in Python, it takes 0.06 seconds instead. So in this particular case a solution would also just be: the data that you generate, if you save it in decent file names, you won't need to do this terrible batch loop, and then you can just get all the files into one. But this is something you're only going to find out once you actually start working on it and find out where the hang-ups are in your queue.

[00:26:56] Next problem: you have a crash, what is it, can I sell it, can I use it, what can I do with it? It's super hard and complicated and takes time and actual work, but you can use SkyLined's BugId for automatic triage of the crashes. So if anybody remembers, there was this WinDbg plugin called !exploitable; I'd say this is !exploitable on steroids times a lot, because this is actually very useful. It generates beautiful HTML reports and comes with some page heap script, so you can enable page heap for your app, or it has a bunch of defaults as well. Free for test runs; you have to pay if you want to use it to make money.

[00:27:48] If you look at page heap, page heap is useful because it sets certain patterns in memory when allocating and freeing memory etc., which means that once you start doing some memory writes on the heap it's more likely to cause a crash, or if you try to read from some data which has been freed it's also gonna crash, instead of maybe reading something valid and continuing execution. So you get some slowdown with it because, well, it's a different allocator, but you get more bugs, and I think that's a great trade-off.

[00:28:25] If you look at a sample BugId report, I think the meat of it is you have an access violation at this address, blah blah blah, and then when you look at the verdict from BugId it says that it might allow information disclosure. But then when you look at the disassembly down below you can see that it is trying to read eax into esi, and then it assigns ecx, and then it's going to call esi. Okay, so we control, or at least eax is set to f0f0f0f0, which means that page heap has, well, the memory has been freed and then page heap has set this pattern for the freed memory, which means that while BugId thinks that it's an out-of-bounds read, it's actually trying to dereference some freed memory instead. So you still need to do some manual analysis to make sure that you're not missing out on good bugs, because this looks to be a use-after-free, and just get some code execution instead.

[00:29:42] The next problem, yes: you have a hundred thousand lines of JavaScript, and minimizing that into finding out what causes the crash is also a huge pain. You cannot really be sure which of the many, many lines are required for the crash. Of course common sense is
that, since we're feeding the input sequentially into the Reader, the last blob of data is what's causing the application to crash, but maybe it's dependent on, well, it's most certainly dependent on the sequence of actions before that. The great solution for that is also, instead of trying to minimize by hand, which is sometimes easy, sometimes not, it's just to use Lithium, so again from Mozilla, a line-based test case reducer. So here, yeah, this is the marketing material: you can reduce the 3000 line test case to 10 lines in minutes, faster than you can do by hand, and Lithium works on interestingness tests as it's described in the literature. So in my case I'm interested in things that crash due to memory errors, so there's an interestingness test that's called crashes, right, and then you instruct Lithium into monitoring the execution and then just cutting out chunks from the lines in the PDF, and when it has cut out chunks that cause the application to no longer crash it throws that out and says, well, cut out something else instead, right.

[00:31:39] It supports these markers called DDBEGIN and DDEND, so you can stick them in front of and after the JavaScript that you've injected into the PDF, so that you don't try to minimize and remove essential parts of the actual PDF file itself, which will just cause, well, the wrong kind of errors and not the stuff you're interested in.

[00:32:02] And you go away, that's fantastic, right, but then once you start looking and using Lithium you find out that maybe your fantastic use-after-free is now being reduced into a different bug which causes a null dereference, right, and then all of a sudden your money-making input has turned into something useless instead. I just asked the guys, help, what do I do here, and they say, well, there's something called crashesat.py from some other project; it's not mainlined into Lithium and probably never will be, but you can use it anyway. With that you can say I want the call stacks to actually look the same, so that when Lithium reduces your JavaScript, instead of just saying "crash, good, keep reducing", if it sees that the call stack has changed it's gonna throw out that reduction, so that you keep your good crashing input and not bad crashing input, right.

[00:33:17] So next problem: it's pretty hard to make something generic targeting different applications. Of course that's what I didn't want to make, right, so you end up hard-coding a bunch of stuff, but it's not a problem if you're not giving it to someone else. I think some smart guy told me yesterday your code can be as terrible as you want if it's just for you; you only have to make it nice when you give it to someone else, right. So just make all the temporary hacks, it's perfect. Of course you can also use a modular approach and just make an application-specific GUI instrumentation harness; for example, when I made all this, I made it for
Adobe Reader, and it was like, maybe there are some bugs in it as well. The only thing I need to redo is the GUI instrumentation part, and that's like seriously three minutes of work, and then of course a few other changes, but it was pretty easy actually.

[00:34:25] Yes. If you read the Dharma documentation and do as you're supposed to do, you're gonna run into some out-of-memory problems in Adobe Reader when you keep adding annotations, sadly, but you can just then select the instrumentation from within Dharma instead. And then this is the main fuzzing loop; this is basically all you need to do to generate data, feed it and log faults, right. So as the viewer here will notice, the complete lack of exception handling, which works to my advantage, because if the thing, the abomination here trying to type keys into the JavaScript console, if that fails, then the app has crashed, right, and then the fuzzer will crash, and then something external will say, well, the fuzzer stopped feeding data, save the input queue and then start everything again.

[00:35:36] So the entire workflow in this is actually that you find some target functionality and you write your grammar. And you can make a half-assed grammar initially and then you can just keep updating it while the fuzzer is running, that's not a problem at all. And then you use Dharma to generate your input based on this grammar, feed it using pywinauto, and just wait for the crashes to start raining. Automated crash analysis with BugId, so that's handled for us; minimizing the crashing input using Lithium, that's handled for us. And these steps are not tightly coupled, right, you can easily break them out to distinct worker nodes; they don't need to, I mean, the whole process is slow enough that you can just have a centralized file storage where you SCP over files or something, and then workers can come in and pull jobs. It's quite fine.

[00:36:38] And the way it works is that Dharma produces for BugId, which produces for Lithium. The mining for the actual bugs with Dharma is a lot slower than the BugId analysis, which is a lot faster than the Lithium reducer, right, so it makes sense to have a lot of the producers here in number two, maybe not so many for the BugId because that process is pretty static, and then some more nodes to do the minimizing, right. So you can play around with that a bit and get something where you don't have nodes waiting around for actual work, but that requires some tuning, and I can't come up with a generic recipe for how many you need of each, so that's just a matter of trying it out.

[00:37:32] Finally, results. I fuzzed for two weeks on a pretty shitty laptop and I got 339 crashes, giving me 132 distinct reports from BugId with 39 distinct crash locations, and distinct reports but identical crash
locations means that there's a different call stack leading to the same crash location, right. And it's pretty much the entire palette of what BugId supports, so it's access violation reading, you know, buffer overflows, out-of-bounds reads, writes, you name it, you can have it all in Adobe Reader. And I definitely took some shortcuts when I wrote the grammar for some of the things, so it was pretty lazy, but it worked out a lot better than I expected anyway. So there you have it.

[00:38:36] When you make your fuzzing infrastructure, don't use crappy old Windows XP machines or whatever you usually use; use a virtualized Windows 10 or Windows Server 2019. It boots in like 10, 12 seconds, so the complete reset of state and everything until you're back and the fuzzer is running is like a 10 second job, right. And you can disable the antivirus on the server. If you fuzz on the end-user OS and you generate this and you make PDF files, and if they have even just a bit of meat in them, Defender is going to quarantine your files, right, so get rid of that, because otherwise every time you make files it's also going to come in and scan and whatnot.

[00:39:27] I keep a stripped-down installation with basically nothing but Adobe Reader in it on some NVMe, and then I just spawn linked clones or copy clones to RAM drives. That's also pretty cheap, and I avoid wearing out my NVMes. And definitely destroy the Adobe Reader update mechanism, because otherwise it's just going to update mid-campaign, and then you come in and you have a big queue of crashes and you want to analyze them and they're no longer crashing, and you're like, what the hell is up, why didn't it work, did I break something? For me it was the Reader, so destroy that one.

[00:40:12] Building on this, I think, and something for you to do: you can go ahead and write more grammars, and write, well, some grammars for Reader or even Acrobat, which is like the professional version to make PDF files; it has a much richer
feature set than does a common Reader. I need to fix my grammars for some better coverage, because I took a bunch of shortcuts. I was thinking to, so if you look at Dharma and Domato, they're both context-free grammar fuzzers and they should be behaving more or less identically, but maybe there's some secret sauce behind the scenes, so I was thinking to maybe write the same grammar, the formats are, well, close but not identical, and then do a fuzz-off between Domato and Dharma just for fun.

[00:41:10] Something else you can do is look at historically problematic JavaScript, sort of regression tests from Chrome or from Firefox. That can also give you a hint as to what kind of malicious JavaScript it is you want to generate, right, when you write your grammars: like, do you want to set values to null, or do you want to do some weird re-entrancy or whatever. So it pays to follow what all the browser guys are doing, and of course not all of it applies to this limited subset, but still, it pays to snoop on their stuff.

[00:41:55] Something else that I, or you, could do, I want to do it at least, is to make a replay algorithm so I can minimize the minimizing efforts, because while Lithium runs unattended and automated, it's still intensive and it feels like, well, you're definitely wasting a bunch of cycles. So if you have to pay for your compute time, maybe it pays to, well, cut down on the minimizing. I was thinking to make some sort of blacklisting, because if you keep crashing on the same unexploitable bug early in your fuzzing, then you're again wasting cycles, right. It's surprisingly complicated to blacklist things you don't want to do when you do this DOM manipulation, but it is what it is; it's not a big problem, it's just something to look at.

[00:42:56] So if we try to see, or make some sort of conclusion: well, I think Adobe Reader is still incredibly full of bugs, right, because I'm one guy with one laptop, and I sit down for some weeks and press some buttons and it's just raining crashes. For some reason it's still widely used in corporate environments, and I don't understand this, because they have the quarterly patch cycle and there's always code execution bugs in it, right. So I honestly don't understand why it's not blacklisted in all corporations, but hey, I don't write the policy.

[00:43:39] The bugs are easy to find if you look in the right places; tooling is easy, it's a bunch of scripting: Python, page heap, imagination. And I don't like it when someone gives a presentation and says, here's a fuzzer I wrote, this is how you do it, I found all the bugs and I reported them and made money, right. So I didn't report anything; you can just go do what I described and you'll find the same crashes as me right now. So also, it's super complicated, or annoying at least, to build your fuzzing pipeline if you don't have anything that crashes, right. If you can't find at least one valid crash, it's hard to work on your crash detection logic and all that stuff, so I left all the crashes in there. And that was it. So talk to me about computers, and if you made something better than this for PDF DOM fuzzing, hook me up. Thank you.

[00:44:39] [Applause]

[00:44:46] Awesome, thanks very much. So do we have any questions in the room here? If so, could you line up behind the microphone. Any questions from the internet? No questions from the internet. Great, okay, well, if there are any kind of questions, the people can come and, which village are you in? Do you have a village you're in? Anyways. Oh, there's one question, ah, sorry. All right, so have you met any software that you couldn't find any bugs in?

[00:45:23] Just yes or no? No. [Laughter] I mean, finding bugs, I think you should, if you're interested
00:45:34,920 --> 00:45:36,660 in in how to find bugs and all that 1092 00:45:36,660 --> 00:45:38,579 stuff if you watch marked out keynote 1093 00:45:38,579 --> 00:45:41,460 from offensive con I think that this 1094 00:45:41,460 --> 00:45:43,020 year I think that was awesome because it 1095 00:45:43,020 --> 00:45:44,160 goes into 1096 00:45:44,160 --> 00:45:46,079 the whole mindset required right because 1097 00:45:46,079 --> 00:45:48,480 I think also if you if you go in with 1098 00:45:48,480 --> 00:45:50,280 the mindset of everybody's looked at 1099 00:45:50,280 --> 00:45:51,660 this I'm not going to find any box then 1100 00:45:51,660 --> 00:45:53,880 you will most definitely be correct 1101 00:45:53,880 --> 00:45:56,339 right but if you go in with the mindset 1102 00:45:56,339 --> 00:45:58,260 of I'm probably going to find some bugs 1103 00:45:58,260 --> 00:46:01,140 you're also correct because finding the 1104 00:46:01,140 --> 00:46:03,319 bugs is a matter of 1105 00:46:03,319 --> 00:46:05,160 understanding 1106 00:46:05,160 --> 00:46:06,780 how the thing works and then just 1107 00:46:06,780 --> 00:46:10,940 pushing all the edge cases everywhere 1108 00:46:11,220 --> 00:46:14,880 thanks great thanks next question 1109 00:46:14,880 --> 00:46:16,619 hello yeah first of all thanks for your 1110 00:46:16,619 --> 00:46:18,359 dog real nice 1111 00:46:18,359 --> 00:46:20,040 um you said one of the tips was disable 1112 00:46:20,040 --> 00:46:22,200 the object mechanism which sounds 1113 00:46:22,200 --> 00:46:24,000 obvious 1114 00:46:24,000 --> 00:46:25,560 um but what about disabling the internet 1115 00:46:25,560 --> 00:46:27,720 well that actually result in different 1116 00:46:27,720 --> 00:46:31,819 behavior in your experience or 1117 00:46:33,980 --> 00:46:36,720 well so he's asking if it will help to 1118 00:46:36,720 --> 00:46:38,400 just disable the internet well I guess 1119 00:46:38,400 --> 00:46:40,020 it's 1120 00:46:40,020 --> 00:46:42,240 an easy 
quick solution but but I built 1121 00:46:42,240 --> 00:46:46,020 my uh I built my new or not my network 1122 00:46:46,020 --> 00:46:47,940 but my setup with distinct worker nodes 1123 00:46:47,940 --> 00:46:50,940 that talk over the network and pull jobs 1124 00:46:50,940 --> 00:46:54,420 and do stuff here and there so I think 1125 00:46:54,420 --> 00:46:56,220 it's a bigger pain in the ass to not 1126 00:46:56,220 --> 00:46:59,040 have internet on them than it is to just 1127 00:46:59,040 --> 00:47:02,700 screw with the update mechanism because 1128 00:47:02,700 --> 00:47:05,700 maybe you want your pipeline to actually 1129 00:47:05,700 --> 00:47:08,099 do check for the latest version and pull 1130 00:47:08,099 --> 00:47:10,140 that one down and 1131 00:47:10,140 --> 00:47:13,319 do everything automatically 1132 00:47:13,319 --> 00:47:15,060 update mechanism all together as in you 1133 00:47:15,060 --> 00:47:17,280 don't test that bar well the update 1134 00:47:17,280 --> 00:47:19,140 mechanism just downloads design binary 1135 00:47:19,140 --> 00:47:20,700 and executes that one right so that part 1136 00:47:20,700 --> 00:47:23,040 is not interesting but so I think it's 1137 00:47:23,040 --> 00:47:26,579 better to just destroy it and and have 1138 00:47:26,579 --> 00:47:28,440 then you know what version of Adobe 1139 00:47:28,440 --> 00:47:30,960 Reader your 1140 00:47:30,960 --> 00:47:33,240 you're fussing because it's not in the 1141 00:47:33,240 --> 00:47:34,500 case of Adobe Reader it's not going to 1142 00:47:34,500 --> 00:47:35,940 say there's a new version do you want to 1143 00:47:35,940 --> 00:47:38,280 update it's just gonna do it right yeah 1144 00:47:38,280 --> 00:47:40,859 I thought maybe perhaps they might do 1145 00:47:40,859 --> 00:47:42,059 different Behavior if you have internet 1146 00:47:42,059 --> 00:47:46,500 it might be speaking to the microphones 1147 00:47:46,500 --> 00:47:50,579 microphone now but uh yeah sure so I was 1148 00:47:50,579 
--> 00:47:51,960 thinking perhaps that if you have 1149 00:47:51,960 --> 00:47:53,880 internet enabled 1150 00:47:53,880 --> 00:47:56,099 yeah is that better okay if you have 1151 00:47:56,099 --> 00:47:58,800 internet enabled then perhaps the other 1152 00:47:58,800 --> 00:48:01,079 reader would do some other checks as in 1153 00:48:01,079 --> 00:48:02,940 a load different pieces of code then 1154 00:48:02,940 --> 00:48:05,400 well it's there's no internet it might 1155 00:48:05,400 --> 00:48:07,680 skip that perhaps it might be a check if 1156 00:48:07,680 --> 00:48:09,720 this is online then go into this sub 1157 00:48:09,720 --> 00:48:11,819 routine but if it's not then that's a 1158 00:48:11,819 --> 00:48:13,980 private team so I was wondering if that 1159 00:48:13,980 --> 00:48:15,420 you know 1160 00:48:15,420 --> 00:48:17,160 might be interesting as well I mean you 1161 00:48:17,160 --> 00:48:19,319 might skip that yeah I I see what you 1162 00:48:19,319 --> 00:48:21,359 mean and possible but but I'd say not 1163 00:48:21,359 --> 00:48:22,740 relevant for the stuff I'm doing right 1164 00:48:22,740 --> 00:48:24,720 now but definitely something to bear in 1165 00:48:24,720 --> 00:48:26,099 mind right 1166 00:48:26,099 --> 00:48:28,500 thanks thanks for the question and uh 1167 00:48:28,500 --> 00:48:30,000 let's give a round of applause but 1168 00:48:30,000 --> 00:48:30,760 goodness 1169 00:48:30,760 --> 00:48:31,020 [Applause] 1170 00:48:31,020 --> 00:48:33,020 um