 It is need-by-job, and yeah, I'm a security researcher at Breaking Point, and so, it's my first reading conference. I've never been to home before. I've been to a security conference, but yeah, it's a little different. And I like Ruby. I use it all the time at work. I use it at home, personal projects. I use it before in school. And it's something that I really like. I think it's really flexible, and it's really simple to use. I really enjoy it. All right, so some of the main concepts I would like you guys to take away from my talk is that meta-programming with Ruby is really easy, and it can be really fun. I really enjoy doing it. And I'm going to be talking a little bit about fuzzy, and yeah, so that's one of those main points, is that there are more intelligent ways to find it, and that meta-programming with Ruby can help you with that. All right, so I'll talk about fuzzy, what and why. Just basic meta-programming. I'm going to have some examples at the end. So first off, buzzing. This was a picture of what I thought buzzing was when somebody first described it to me. It's just a big ball of stuff, just buzz. And that is sort of what it is. So buzzing is a way of testing an application and trying to find bugs. And so you throw all types of input you can add in an effort to try to find bugs in the code, make it crash, raise an exception, what happened. There's different reasons for it. Like I said, the main reason is to find the bugs, and usually fix them in the security field. Sometimes you can find bugs, and that would be exploitable. You can run code on somebody else's computer, and if they're exploitable and you wanted to, you can sell them. So that's a different motivation for a lot of people. All right, so one of the other, one of the main ways people buzz things is dumb buzzing or bite buzzing. And that is where you create sets of valid input, and you just iterate over every single byte of pairs of bytes or combinations of bytes and just try all sorts of different types of values. And it's not very dynamic, and I think it has a lot of drawbacks, but it does work, and a different way would be less dumb. And to me, that means creating a model of the data format in memory and then iterating over the fields themselves. And in this way, if there's checksums in the file or the network protocol of those won't get thrown off because actions like that will still take place and be calculated with the right values. All right, yeah, just like I said, dumb buzzing is dumb. That's why it gets its name. Here's a basic example. So you've got some base file, and you read it in. And you iterate over every byte in the file and try every possible value. That's a very simple example, and I'll be enough. You do find some interesting crashes, some interesting bugs and applications like that. And this can be used for, yeah, file formats, network protocols, anything that accepts a type of input. You can buzz and just throw a random data and see what it does. And at less dumb way, there's a couple ways that I've thought of to be less dumb about it. One way is to have a model of the data format in memory, except without having any classes or reusability with it. And I really don't like that method. And a different way would be maybe to create a class for each data format. Say, for example, you want to buzz some images, and you want to see how quick time, if you can find bugs in quick time. So you might make a class for the different types of images that might open. However, you won't be able to use the same buzzing code for using the classes unless you start to create a framework for generating the classes for the different formats. And that's my last point, which I think is a lot better. And which is, yeah, my main point here. If you create a framework for it, then that creates the classes for each format, then they'll all be consistent, and you can use the same code to buzz any of them. And I think that is easiest or best done with Ruby and metaprogramming. So metaprogramming, when somebody first kind of explained it to me, code the rights code, I thought it was really confusing, and I thought it would just blow my mind. But it's not, it's really simple. And yeah, I hope I can kind of convey that today. So I'm going to talk about hooks and code the rights code. So these are some of the main hooks that are in Ruby. Two of the most popular ones are probably the inherited hook and the method missing hook. I know Ruby on Rails uses method missing a lot. Yeah, it's, it used to be very powerful, but they can get pain to debug. It's got too many of them going on at once. It's, it can get to be very hard to track things down. So here is a basic example. So we just have a class. It uses the inherited hook. When a class inherits it, it'll just print string. And so it will inherit it, and it prints A inherited inherited. And here's another example, method missing. It's very simple, and all works like it's supposed to. So we create a new instance of the class. We call some non-system method, and it prints the method name, as well as the arguments. Alright, can everybody, can everybody see this alright? Do we need to make it darker? Anybody want to make it darker? Of course, yeah. Yeah? Can we make it any darker? Are there any other switches we can turn on? Can you, can you do white and black there? Um... I'm not sure if I can change my fingers so fast. Alright. This doesn't matter. Do a control option command 8. Whoa. Control option... command 8. Oh, wow. Awesome. I think it was the badge, actually. Alright, so, can you guys still hear me? Yeah. Okay, cool. Alright, so the next one. Code the right scope. I come up with two different ways, or in my mind, there's two different ways you can do this, through method calls, or through various evals. And although instances are different, I'm not sure if you can hear me. I'm not sure if you can hear me. Method calls, or through various evals. And although instance eval, or just eval, those are method calls, I think they're completely different animals. Alright, so, different method calls that you can use to modify code, or have code that creates code. There's, you can create and get constants, remove constants, add methods, undefined methods. Yeah, there's a massive list of methods you can use to modify code. And here's an example. You can use the inherited book again. And, okay. And so when our example class gets inherited, we're going to create a method. And here it's a defined method, and we're going to add the subclass example method to the inherited class. And we're also going to use method missing hope. And somebody calls a method that doesn't exist and starts with create. We're actually just going to create the class and turn a new instance of it. And so, here at the bottom, we have our example. We inherit from the our example class. And we call the band we define function, and that works just fine. And we create a cookie monster object, and that works well. Alright, and so we can do the same thing using evals. We're going to talk a little bit about each one first, because they're all slightly different. So class eval, module eval, and instance eval, those are all very similar. They can accept either a string or a block. But eval accepts only a string. It works just a little different too. Alright, so class eval. Here we've got a private static method, and you can't call it normally, and it raises an error. But if you call it a thin class eval block, that works just fine. And you can also add methods to it. So this is adding method made by class eval. So any new class eval instances will have that method. Alright, an instance eval, just like the name says, it applies only to that instance of the object. And so we'll make a new one, and we'll call the private method. So instance eval is to me, it's kind of like reopening the class and running code inside of the class. And that's why we're able to call the private method. And we can add a new method through the instance eval. And you can see that it works, except it only applies to that one instance. Alright, so, and just plain eval. So this class, it has a greeting instance variable, and it has a method greet. It just displays the greeting. Nope, that works just like the thought of wood. And here, you can use eval to change the greeting variable, or instance variable. And so this was something I didn't know until I was researching for this talk. I mean, you can send a pass eval, a second parameter, an optional binding. And so that will make the string here, if you can't read it, it says, add greeting equals look out. That's driven to kind of dial it for hello, good morning, just a greeting. And so, since we're giving it the binding, this will be evaluated in the context of our instance object. And so now we say e.greed, and it says the new value. A different way to do it would be to have our object e, call the eval on itself, and then assign the greeting. And so we do that by using the send method. And that works just fine as well. Alright, so back to the same example, cookie monster, we're going to do the same thing, except using blocks or lambas. Yeah, evals, what have you. Alright, so class eval, we're going to add the subclass example method to it, and we're also going to use the method missing a book. Same thing, we're going to grab the name of the object it was trying to create, and we're going to return a new instance of it. And here, all we really have to do is just eval this code. So class, whatever the class name was, an n, and that will create the constant. And then to get the constant or the class back, we just eval the class name, that will return a sub, and then we just make a new instance of that class. And you can see it works just like the other example. So there's multiple ways to do things. And to me that's kind of what makes it pretty fun, because I think having different ways to do things makes, so each of the different ways is more applicable or useful in a different situation. So I'm going to go over some basic examples here. So we'll create our own basic data format library, and we'll also go over the library that I've made, I called it thunder, I'll talk about that after that. Okay. Alright, so one of the goals for this that I had, this should be easy to create formats, and it should be consistent for different formats. And these are some of the things that are very popular or common in network protocols, file formats. There's checksums, there's offsets, you have to calculate the length of certain fields. Yeah, or some formats might be acting as a transport for other formats. And so all of those things, yeah, this format library would have to handle. And I was thinking to make it try to look like this, kind of like a C struct, we'll compare what the field is, and then the name, and then the value, maybe some actions based on other fields, and then using it should be rather simple. Alright, so basically we'll start off, we'll have our class library, and we'll actually have it inherit from a field class. And every field, you can't see it, we'll have a name and a value, and there it goes. And this method, I'll get to this later, that will just be a method of outfilling and resolving the string of the entire class. Alright, and so first off, we need to add a field method away to defined fields. And with this, so you'll notice here, this is all static inside of the library class. And so when you pull the field method, it adds the name and value to the order array. And this is used when this class is initialized, when a new instance of that class is created. So when that is done, each of the values inside of this instance, or the static order variable, we'll enumerate over those, and then we'll create getter and setter for that name, and then we'll call the method instance variable set, and set the instance variable to the value. Alright, and so here's a simple example. The field, this is field 1, and value of 10, field 2, and it says this is field 2. Alright, and so we create a new instance of it, and we output the result, or we inspect it, and you can see that it created fields, created getters, and setters for it. And so our simple format library works so far. Alright, so now it's time to make that actually usable. Now we'll create classes for different data types. And so for most formats, there's only two basic types. There's strings, and there's integers. And so for an integer, we'll just assume that it's going to be output as a 16-bit integer, so it's packed in a network order. And for strings, we'll just return the value of about 2x. Alright, and we'll also create a pre-field class. Now this was one of the problems that I ran into, and it took me a while to realize what was going on. So if we go back to this example here, oops, yeah, so we have our class A here, and it's got two fields. If I created two instances of this class, and it started changing values on one of them, it would change the values on the other one as well. Because when we add everything to this array here, it's not cloning or equivocating anything. So they both reference the same object. And so we're going to use a pre-field class to kind of do a delay in instantiation. Alright, and you can see it's got a creative method, and it just creates the new class with the arguments that it was given. Alright, so we need to modify our library class, and so we'll have our... We need to change the field method to accept the name and the actual class of the field, and then we'll store pre-field instances in the static order variable. And when it gets initialized, we'll do pretty much the same thing as before, except we have to work with pre-fields instead. You'll see here we have to create it, and that will create on initialization new instances of these variables. Alright, and we also have to make a way to get the resulting string from our class. And so we'll add a to-out method, and all that does is iterate over... Oh, also didn't mention. We're adding an instance order variable, and so every field gets put into this, and so as fields are defined in the class, that's the order they will be output. And so here, when we call to-out, it will just iterate over each of the orders and call to-out on each of those and join the strings together. So here's a simple example. So we've got class A, and a field 1, and it's an int, its value is 10, a field 2 string, and its value is this field 2. And we'll just make sure everything's working alright, and so make a new instance. We inspect the output, and it looks right. It's packed as a 16-byte integer, network byte order, and the string is right after it, just like we expect. So we'll change the values around to make sure our filters and setters and so we'll change the field 1 value to 100, field 2 value, field 2 change, and that works as well. Alright, so, yeah. So basically, since we've defined or we've made it able for us to define formats and have the structure of the data format in memory, we can iterate over each of the fields and we can apply certain logic to the fields and fuzz the fields based on what they are, as opposed to just bytes. And we can also add bytes to the format remove zone on what happened here. And so, this is a basic fuzzer. We'll add a new method to the int and the string fields, and I get fval, so for fuzz values, and we'll just have a return and array of the values we want to fuzzle it by default, and so this will return an array 0, 1, 2, and 3, and string will return different lengths of A, so 2, 4, 8, 16. Alright, and then in field, it's really easy to do some recursion and grab all of the fields and all of the fields' children, and so we'll be using that to iterate over each field, and we'll also add a snapshot and a reset method so we can snapshot the value and then change with the fields and then reset everything once we're done. Alright, so the fuzzer is really simple, and so it accepts a field in the constructor and the fuzz method takes a block, and so first off, it iterates over each of the fields and then it gets the fuzz values for each field and assigns each of those to the child, and then it yields to the block, and so you can use it like this. So, pretty much the same example, so field 1, and we're assigning the value 0x ff ff f, 6, 5, 5, 3, 5, and field 2, it's a string, just says this is field 2, and we'll fuzz it, and this is the output, and that makes it really simple, and I think this is already a lot better than just normal done fuzzing or byte fuzzing because you can't add or remove bytes to anything. Now, I think the real, oh, yeah, that's right, and when I was coming up with these examples, I realized all this was only 100 lines of code, and so the example itself is 12 lines, and then the simple fuzzer class as well as the library class to create the formats, so that was 88, 5, so 88 plus 12 is only 100, and it's really simple, it uses metaprogramming, and I don't think it was too confusing. Hopefully it wasn't for you guys, and however, I think the real advantage to using something like this comes when there's actions that need to be applied based on certain fields, like lengths, check sums, or you can press something, 64 or, yeah, who knows what, and so I'm, we're not going to create that with our basic example, I'm going to shift now and talk about my project, and so this is a library I made for, yeah, stands for format understander, so founder, and it's a beat-up version of the example we just went over, and it has all those things out saying that we were missing as well as some extra stuff, and I've got it on Google code right now, you can check it out. I'm still making changes to it that it hasn't been around too long, but yeah, it's, I think it's fun to use, and I'll go over some examples on what exactly it can do. All right, so here, we're going to test some of the actions. We'll define some fields, and this is a 32-bit integer, it's the name's length, and a string, data, its value is compressed data, and a string was called base64. Now let's add some actions to it, and so the length, we'll say, is the length of the data field plus the base64 field, and so this is the way some syntactic sugar I made to be able to do that. You call it action method, and you give it a class for the action you want to perform, and then a lambda that returns an array of the fields that you need to do the actions on. All right, and this is the full definition of the length action, and basically the getFields method here just returns the result of the lambda, and then it just calls two out on each of the fields and joins the strings together and gets the length, it's pretty simple. And here for the compressed data, we're going to do the same thing, except we're going to use zlib deflate to deflate the data, and once again, these actions, they're really simple to use, and it's really easy to add more of them. Yeah, so it does the same thing. It creates the whole string, the whole field, and deflates it. And base64, except we're going to do this, we're going to base64 and code the compressed data field. And, yeah, another simple action definition. All right, so we'll make a new instance of our action test class, and then we'll do out it, and yeah, no errors, it looks like it looks all right. And so now, it just has a test to make sure that everything was working the way it should. We'll look at the base64 field, and that is definitely base64. And then, so we'll decode it, and that looks like the compressed data. If you work a lot with zlib, yeah, they usually look like that, and then we'll do an x, and then, yeah, so that looks right. And then we'll decompose that, just to make sure that was actually the value we thought, and it is. And so that ends up being compressed data. And so, things like this are what really makes Ruby and Meta programming work nice for buzzing or creating data formats, or data format classes. Yeah, especially for buzzing, because now we can iterate into the fields, and if I change this one, alright, so first thing it would do is generate values of everything, right? And then if we change the values on any of them, then when we call two out, if the fields had changed, the actions will run again, and everything will still be valid. Alright, so this one, this one took a lot of work to figure out, actually, how to have arrays Alright, so here we've got we'll have to find an item, as an ID number, and a length, which again, we'll have a length action, which is the length of the item name, right here. And the item name will have that be based off of the ID number as well. So it's just a lambda that returns a string with the ID number inside of it. Alright, and we'll have index entries, and the first field is, it's a byte, so one character, and it's an ID number, and a 16 bit integer being the item offset. Alright, and so to test this out, we'll get an array of index entries, as well as an array of items. And here, we're binding each index entry to whatever class is in the items field. So here, we're binding each index into those each items, and we're binding the field to the offset field of each item. And we're saying it's going through. Alright, and here we're going to bind each item to use index entries so we can get the ID number. Alright, and so test that out a little. Alright, so we'll grab the result and you can see here, we've got this is the first ID number and this is the first offset. There's a second ID number and then the first offset, third ID number, and the third offset. And then here are each of the items. You can see there's ID number 0, number 1, number 2, and just to make sure it's all working fine, we're going to grab the offset for the second item so it should be the 1, 2, 3, 4, 5, 2 bytes starting at index 4, so that's here, and 1 packet and that gives us the offset, 3, 7. And then so we'll go there and read 1 byte which should give us the length of the item, which is 17, and then we'll read that and that gives us the correct item value. Alright, so now this, once I finally come up with the origin example for this, this was going to really start getting interesting for me. So I, I enjoy digging around in RFCs, we're figuring out the specifications for file formats, network protocols, and so I use PNG as my thingy pig for everything. And so PNG image is made up of chunks and each chunk has a length which is the length of the data and after the length there's the type code, it's a 4 byte field, a string, and some variable length beta, and then it checks them at the end. The way my library works is that inheritance works rather nicely with it. So we can create a class that inherits from chunk and then only redefine the fields that we need to. And so for example the I header chunk contains metadata about the image, so the width, I on different specifications and so all we need to do is redefine the type code and it's I header and then for the data section we define all of the different fields inside of its data. So the width, the height, the bid depth, color type, refreshing method, interlace method, stuff like that. And redefining these doesn't change the order of what was defined up here. So here it still has the length and the checks on how you're getting them in. And this is actually the simplest PNG image example I can come up with. First a PNG starts with a PNG header and that's the magic most people call it and then it has the I header and some other fields. Yeah, I then have time or room to go over each of those but here's an example. So we'll make a new PNG instance and then we'll set the width and the height to 200 and we'll make it red and everything else will be zero, so no green, no blue and we'll write it out and that is actually supposed to be red because if I inverted all the colors. So I can't remember how to re-make it back normally. But so everything works rather nicely. And since we've got this structure in memory here like this and as well as these, we can iterate over these fields and try different values just on those specific fields. And if we change with that, if we mess with the values and the image data, then it will get compressed and everything will work out just fine when we do our puzzle. And actually there was a recent bug that was found in live PNG and if a PNG had an extra row of data in it, so applications like Chrome or Firefox would copy that extra row past the end of the buffer and there would be, yeah, that was a pretty serious vulnerability. And so I found that using this I wasn't the one who got credit for it. I found it, I never reported it but for me it was just kind of true, like my library works. And I said that was pretty cool to see that actually happen. All right, so I've got some, my code for fuzzing my library is also online in the repository. Yeah, so that is yeah, my talk and if anything, I hope I made it clear that metaprogramming can be very simple and it can save you a lot of time. And also if you do any fuzzing that there are more intelligent ways to fuzz besides by fuzzing or done fuzzing. And yeah, so anybody have any questions? I think the next person it's their time to get ready to answer your questions. I'll link for my slides. I don't have them up anymore. I was going to give them to the guy with the hat. Yeah, that's all I remember. I don't remember his name, I just remember saying yeah. Just find one of us in a staff t-shirt we can direct you. Oh, okay. All right, yeah, I'll put them up. I've actually got a different version of my slides today. It doesn't have all these steps in it so I'll put those up. Yeah. So thanks.