Finding Microsoft Office Vulnerabilities By Fuzzing Binary Files With Ruby presented at SyScan 2009

by Ben Nagy

Tags: Security Fuzzing

Summary: While a lot of public material is available that _mentions_ fuzzing Office files, there is very little detail. While I have been dealing mainly with Word, the bulk of the techniques are applicable to any Office application. I plan to cover:
Reading and writing "streams" in the OLE "compound binary file" format
Recognising and parsing interesting structures in the Word Binary File Format
Highlights / 'errors' from the specification documents
Instrumenting Word with Win32OLE to automate the testing: did it crash? Is the document sitting there open, wasting testing time?
Lightweight and totally flexible runtime monitoring by automating CDB with ruby (what good's a crash without the details?)
Dialog Boxes You Will Meet that will hang your fuzzer thread and How to Eliminate Them
Turning off annoying Word 2007 Resiliency features and other ways to reduce registry bloat
Where Word stores its bizarre, invisible temp files (which don't get deleted if it crashes)
Dealing with hangs and memory eaters
Wrapping the whole lot up in a distributed fuzzing framework to spread the fuzzing load over as many client machines (or VMs) as you like, save all the results in a DB and even use other frameworks or languages to create test cases
Doing the whole lot in Ruby, because nobody else has yet (at least nobody who has released their code)
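The OLE "compound binary file" container from the first item above, as an added example that is not code from the talk or from Ben Nagy: a small Ruby reader and writer for the MS-CFB v3 layout (512-byte sectors) that .doc files use. It builds a constructed two-stream document (the stream bodies are filler, not real Word structures), lists the streams, extracts each one from either the regular FAT chain or the mini stream, and refuses the cyclic and out-of-range FAT chains that mutated files routinely contain, which is the first thing a fuzzer's own file parser has to survive before it can do any targeted mutation. The class and method names are this example's own, not any library's; to read a real document, pass File.binread('sample.doc') to CompoundFile.new.

```ruby
# Reader and writer for the OLE2 "compound binary file" container (MS-CFB v3, 512-byte
# sectors) used by .doc files. Added example, not the talk's code; its sample file is constructed.
class CompoundFile
  SIGNATURE  = "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1".b
  MAXREGSECT = 0xFFFFFFFA                     # largest sector number naming a real sector
  FATSECT, ENDOFCHAIN, FREESECT, NOSTREAM = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF
  ENTRY_SIZE = 128

  def initialize(data)
    @data = data.b
    raise 'not a compound file (bad signature)' unless @data[0, 8] == SIGNATURE
    sector_shift, mini_shift = @data[30, 4].unpack('vv')
    @sector_size, @mini_size = 1 << sector_shift, 1 << mini_shift
    num_fat_sectors, dir_start = @data[44, 8].unpack('VV')
    @mini_cutoff, mini_fat_start = @data[56, 8].unpack('VV')
    # The header lists the first 109 FAT sectors (enough below ~7 MB); bigger files
    # continue the list in DIFAT sectors, which this reader does not follow.
    fat_sectors = @data[76, 436].unpack('V109').first(num_fat_sectors)
    @fat = fat_sectors.flat_map { |s| sector(s).unpack('V*') }
    @mini_fat = mini_fat_start <= MAXREGSECT ? chain(mini_fat_start).flat_map { |s| sector(s).unpack('V*') } : []
    per_sector = "a#{ENTRY_SIZE}" * (@sector_size / ENTRY_SIZE)
    @entries = chain(dir_start).flat_map { |s| sector(s).unpack(per_sector) }
                               .map { |raw| parse_entry(raw) }.reject { |e| e[:type] == 0 }
    root = @entries.find { |e| e[:type] == 5 } or raise 'no root entry'
    @mini_stream = read_chain(root[:start], root[:size])   # container holding every mini stream
  end

  def stream_names
    @entries.select { |e| e[:type] == 2 }.map { |e| e[:name] }
  end

  # Streams below the cutoff (4096 bytes) live inside the mini stream, addressed
  # through the mini FAT in 64-byte units; larger ones are ordinary FAT chains.
  def stream(name)
    e = @entries.find { |x| x[:type] == 2 && x[:name] == name } or raise ArgumentError, "no stream #{name.inspect}"
    return read_chain(e[:start], e[:size]) if e[:size] >= @mini_cutoff
    chain(e[:start], @mini_fat).map { |m| @mini_stream[m * @mini_size, @mini_size] || '' }.join[0, e[:size]]
  end

  # Triage helper: parse a (possibly mutated) file and touch every stream,
  # returning the first structural error message or nil when it is consistent.
  def self.structural_error(bytes)
    cf = new(bytes)
    cf.stream_names.each { |n| cf.stream(n) }
    nil
  rescue RuntimeError, ArgumentError => e
    e.message
  end

  # Writer side. Sector map: 0 = FAT, 1 = directory, 2 = mini FAT, 3 = mini stream container,
  # 4.. = a 4200-byte "WordDocument" stream; a 26-byte stream sits in mini sector 0 (filler data).
  def self.build_sample
    big   = ('WordDocument payload ' * 200).b
    small = 'constructed summary stream'.b
    nsec  = (big.bytesize + 511) / 512
    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN, ENDOFCHAIN] + (0...nsec).map { |i| i == nsec - 1 ? ENDOFCHAIN : 5 + i }
    fat += [FREESECT] * (128 - fat.size)
    header = [SIGNATURE, "\0" * 16, 0x3E, 3, 0xFFFE, 9, 6, "\0" * 6, 0, 1, 1, 0, 4096, 2, 1,
              ENDOFCHAIN, 0, 0, *([FREESECT] * 108)].pack('a8a16vvvvva6VVVVVVVVVV109')
    directory = dir_entry('Root Entry', 5, 3, 512, child: 1) +
                dir_entry('WordDocument', 2, 4, big.bytesize, right: 2) +
                dir_entry("\u0005SummaryInformation", 2, 0, small.bytesize) + "\0" * ENTRY_SIZE
    header + fat.pack('V*') + directory + ([ENDOFCHAIN] + [FREESECT] * 127).pack('V*') +
      small.ljust(512, "\0") + big.ljust(nsec * 512, "\0")
  end

  def self.dir_entry(name, type, start, size, left: NOSTREAM, right: NOSTREAM, child: NOSTREAM)
    utf16 = (name + "\0").encode('UTF-16LE').b
    [utf16, utf16.bytesize, type, 1, left, right, child, "\0" * 16, 0, 0, 0, start, size].pack('a64vCCVVVa16VQ<Q<VQ<')
  end

  private
  def sector(n)
    s = @data[(n + 1) * @sector_size, @sector_size]
    raise "sector #{n} lies outside the file" if s.nil? || s.bytesize < @sector_size
    s
  end

  # Follow a FAT or mini FAT chain, refusing loops and dangling entries: both are
  # routine in mutated files and hang or crash a reader that trusts the FAT blindly.
  def chain(start, fat = @fat)
    seen, sectors, s = {}, [], start
    while s <= MAXREGSECT
      raise "cyclic chain at sector #{s}" if seen[s]
      seen[s] = true
      sectors << s
      s = fat.fetch(s) { raise "sector #{s} has no FAT entry" }
    end
    sectors
  end

  def read_chain(start, size)
    chain(start).map { |s| sector(s) }.join[0, size]
  end

  def parse_entry(raw)
    name_len = [raw[64, 2].unpack1('v'), 64].min   # bytes incl. the NUL; clamp bogus lengths
    name = name_len >= 2 ? raw[0, name_len - 2].force_encoding('UTF-16LE').encode('UTF-8', invalid: :replace, undef: :replace) : ''
    { name: name, type: raw[66].ord, start: raw[116, 4].unpack1('V'), size: raw[120, 4].unpack1('V') }  # v3: low 32 size bits
  end
end
```

Two deliberate limits: the reader only uses the 109 FAT sector numbers in the header, so files above roughly 7 MB (which need DIFAT sectors) and v4 files with 4096-byte sectors are out of scope, and the directory is walked as a flat array rather than as the red-black tree the spec describes, which is enough for extracting streams but not for validating the tree itself. structural_error is the kind of cheap pre-check worth running on every mutated file before handing it to Word: a case that the parser rejects as cyclic or truncated is usually not worth a full Word launch, and the ones that parse cleanly but still crash the application are the interesting results.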