Archive for August, 2007

Schemer - Generic Fuzzing Framework Released

Schemer is a generic file and protocol fuzzer. It requires an XML Schema describing the format of the data and an example (a test case) of the data to be fuzzed. Schemer provides a fixed set of ways in which the data can be mutated but leaves the values to the user: it will replace strings with long strings, for example, but the user specifies the lengths used.

Schemer can output the fuzzed data in a variety of ways; to file, to an application, to the network, or to code provided by the user. Schemer can also monitor the software that is the target of the fuzzed data and record all test cases that affect the target.

Some examples have been included with Schemer to demonstrate how it can be used. The examples are a great place to start, in conjunction with the help documentation, to get a feel for using Schemer and to get the most out of it.

Schemer requires the .NET Framework and is currently a command-line application, although it takes only one argument, the configuration file.

You can download Schemer here.


Sulley Fuzzing Framework Release

Sulley is a fuzzer development and fuzz testing framework consisting of multiple extensible components. Sulley (IMHO) exceeds the capabilities of most previously published fuzzing technologies, commercial and public domain. The goal of the framework is to simplify not only data representation but to simplify data transmission and target monitoring as well. Sulley is affectionately named after the creature from Monsters Inc., because, well, he is fuzzy.

Modern-day fuzzers are, for the most part, focused solely on data generation. Sulley not only has impressive data generation but has taken this a step further and includes many other important aspects a modern fuzzer should provide. Sulley watches the network and methodically maintains records. Sulley instruments and monitors the health of the target, capable of reverting to a known good state using multiple methods. Sulley detects, tracks and categorizes detected faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can automatically determine what unique sequence of test cases triggers faults. Sulley does all this, and more, automatically and without attendance.

Overall usage of Sulley breaks down to the following:

· Data Representation: First step in using any fuzzer. Run your target and tickle some interfaces while snagging the packets. Break down the protocol into individual requests and represent them as blocks in Sulley.

· Session: Link your developed requests together to form a session, attach the various available Sulley monitoring agents (network, debugger, etc…) and commence fuzzing.

· Post Mortem: Review the generated data and monitored results. Replay individual test cases.
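The three steps above (represent a request as blocks, drive a monitored target, replay the cases that faulted), reduced to a few dozen lines so the mechanics are visible. This is an added example written for this page; it is not Sulley's or Schemer's code and does not use either tool's API. The `USER <name>` login request, the two-byte length prefix, the `toy_target` handler and the `LONG_STRING_LENGTHS` tuple are all constructed for the illustration. As in Schemer's long-string replacement, the lengths are a choice the user makes, not something the framework decides. The target raises an exception where a native program would crash, standing in for the debugger agent that would normally report the fault.

```python
"""Block-based fuzzing in miniature; written for this page, not Sulley's or Schemer's code."""
import struct
from collections import namedtuple
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# Both tools leave long-string lengths to the user; these values are picked for the example.
LONG_STRING_LENGTHS = (64, 256, 4096)

class Static:
    """Protocol keywords and delimiters: rendered verbatim, never mutated."""
    def __init__(self, value: bytes) -> None:
        self.value = value

    def mutations(self) -> Iterator[bytes]:
        return iter(())

    def render(self, sizes: Dict[str, int]) -> bytes:
        return self.value

class String(Static):
    """A string field; each mutation is one candidate replacement value."""
    def mutations(self) -> Iterator[bytes]:
        for n in LONG_STRING_LENGTHS:
            yield b"A" * n               # overlong values
        yield b""                        # empty field
        yield b"%s%n" * 4                # format-string tokens
        yield self.value + b"\x00x"      # embedded NUL

class Size(Static):
    """Big-endian length of a named block, recomputed after that block is rendered."""
    def __init__(self, block: str, fmt: str = ">H") -> None:
        super().__init__(b"")
        self.block, self.fmt = block, fmt

    def mutations(self) -> Iterator[bytes]:
        for v in (0, 1, 0xFFFF):         # lie about the length
            yield struct.pack(self.fmt, v)

    def render(self, sizes: Dict[str, int]) -> bytes:
        return struct.pack(self.fmt, sizes[self.block])

# A named group of primitives that a Size placed outside it can measure.
Block = namedtuple("Block", "name items")

def render(request: list, mutated: Optional[Static] = None, value: bytes = b"") -> bytes:
    """Render a request with at most one primitive replaced; blocks first, so sizers see final lengths."""
    def one(p: Static, sizes: Dict[str, int]) -> bytes:
        return value if p is mutated else p.render(sizes)
    sizes, rendered = {}, {}
    for item in request:
        if isinstance(item, Block):
            rendered[item.name] = b"".join(one(p, sizes) for p in item.items)
            sizes[item.name] = len(rendered[item.name])
    return b"".join(rendered[i.name] if isinstance(i, Block) else one(i, sizes) for i in request)

def generate_cases(request: list) -> Iterator[Tuple[int, bytes]]:
    """Case 0 is the unmodified request; every later case mutates exactly one primitive."""
    yield 0, render(request)
    n = 1
    for item in request:
        for p in (item.items if isinstance(item, Block) else [item]):
            for m in p.mutations():
                yield n, render(request, mutated=p, value=m)
                n += 1

def fuzz(request: list, target: Callable[[bytes], None]) -> Tuple[int, List[int]]:
    """Session: deliver every case; an exception stands in for a debugger agent reporting a crash."""
    total, faulting = 0, []
    for n, data in generate_cases(request):
        total = n + 1
        try:
            target(data)
        except Exception:
            faulting.append(n)
    return total, faulting

def replay(request: list, case: int) -> bytes:
    """Post mortem: re-render one recorded case so it can be resent by hand."""
    return dict(generate_cases(request))[case]

def toy_target(data: bytes) -> None:
    """Constructed stand-in: trusts the declared length, copies the name into a 64-byte buffer."""
    declared = struct.unpack(">H", data[:2])[0]
    body = data[2:2 + declared]
    if len(body) != declared:
        raise MemoryError("read past the end of the packet")   # where C would crash
    if not body.startswith(b"USER "):
        return                           # rejected cleanly; not a fault
    name = body[5:].split(b"\r\n", 1)[0]
    if len(name) > 64:
        raise OverflowError("strcpy into a 64-byte buffer")    # where C would crash

# Hypothetical login request: a 2-byte length, then "USER <name>\r\n".
LOGIN = [Size("login"), Block("login", [Static(b"USER "), String(b"guest"), Static(b"\r\n")])]

if __name__ == "__main__":
    total, faults = fuzz(LOGIN, toy_target)
    print(total, "cases; faulting:", faults)   # 10 cases; faulting: [3, 5, 6]
```

Two details matter in practice. The sizer is deliberately placed outside the block it measures and re-rendered after the block, so an overlong user name still arrives with a correct length field and reaches the copy rather than being rejected at the length check; the separate "lie about the length" mutations of `Size` then probe the length handling on its own. And every case is numbered deterministically from the request definition, so a fault recorded as case 6 can be regenerated byte-for-byte with `replay` without storing the payloads.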

Authors
· Pedram Amini, pamini@tippingpoint.com
· Aaron Portnoy, aportnoy@tippingpoint.com

Downloads:
· Sulley Fuzzing Framework
· Manual
· EpyDocs
· Presentation slides from release at BlackHat 2007
