About Directed Fuzzing and Use-After-Free: How to Find Complex & - PowerPoint PPT Presentation


  1. About Directed Fuzzing and Use-After-Free: How to Find Complex & Silent Bugs?
     Manh-Dung Nguyen, Sébastien Bardin, Matthieu Lemerre (CEA LIST), Richard Bonichon (Tweag I/O), Roland Groz (Université Grenoble Alpes)
     #BHUSA @BLACKHATEVENTS

  2. Who Are We?
     ● Manh-Dung Nguyen (@dungnm1710, manh-dung.nguyen@cea.fr): PhD Student at CEA LIST & UGA / Université Paris-Saclay
     ● Sébastien Bardin (sebastien.bardin@cea.fr): Senior Researcher at CEA LIST

  3. What's The Talk About?
     ● Fuzzing is great for finding vulnerabilities in the wild
     ● Directed fuzzing is a slightly different setting
       ○ Goal = reach a specific target
       ○ Bug reproduction, patch-oriented testing
     ● The problem: current fuzzing techniques are bad for some classes of issues
       ○ Here: "Use-After-Free" (UAF)
       ○ Important: sensitive info leaks, data corruption or first step to other attacks
     ● Proposal: a directed fuzzing approach tailored to UAF bugs
       ○ and applications to patch-oriented testing
       ○ and a tour on UAF and (directed) fuzzing

  4. Use-After-Free
     ● Heap element is used after having been freed
     ● Critical exploits & serious consequences
       ○ Data corruption
       ○ Information leaks
       ○ Denial-of-service attacks
     [Figure: # UAF bugs in National Vulnerability Database]

  5. Teaser
     PoC: 'AFU' → no crash
     ● Bug Target: 14 (alloc) → 17 → 6 → 3 (free) → 19 (use)
     ● Timeout: 6h
     ● AFLGo (source): 6 hours | AFL-QEMU (binary): 6 hours | UAFuzz (binary): ~20 mins
     [Figure: code listing annotated with its alloc, free and use sites]

  6. 1. Context -- about fuzzing, directed fuzzing

  7. Code-level Flaws: Fuzzing is The New Hype

  8. At Its Core, Fuzzing is Random Testing -- and it started a long time ago

  9. Now: Three Shades of Fuzzing
     • The original taste: scale but dumb
     • Smart but don't scale too much
     • The new prodigy: try to be smart & scale

  10. Principle of Grey/Black Fuzzing
      Choose "good" inputs → Mutations → Observe & compute score (Greybox observes more)
      Reference: The art, science, and engineering of fuzzing: A survey (Manès et al. 2019)

  11. No Silver Bullet
      ● Complex Code Structure
      ● Complex Bugs
      ● Target-oriented Testing?

  12. Directed Greybox Fuzzing (DGF)
      ● Input: code + target (trace, code location)
      ● Goal = cover the target
      ● AFLGo (2017), Hawkeye (2018)
      ● Applications:
        ○ Bug reproduction
        ○ Patch-oriented testing
        ○ Static analysis report confirmation

  13. Coverage-guided Greybox Fuzzing (AFL)
      [Pipeline diagram] Binary → Instrumentation (Edge ID) → Fuzzing Loop: Initial Testsuite → Seed Selection → Power Schedule (execution characteristics) → Triage (crash-based) → Bugs

  14. Directed Greybox Fuzzing (AFLGo, Hawkeye)
      [Pipeline diagram] Binary + Targets → Instrumentation (Edge ID + Distance) → Fuzzing Loop: Initial Testsuite → Seed Selection (distance-guided, using Seed Distance) → Power Schedule (execution characteristics) → Triage (crash-based) → Bugs

  15. 2. Back to Use-After-Free (UAF)

  16. Why is Detecting UAF Hard for Fuzzing?
      ● Rarely found by fuzzers
        ○ Complexity: 3 events in sequence spanning multiple functions
        ○ Temporal & spatial constraints: extremely difficult to meet in practice
        ○ Silence: no segmentation fault
      [Figure: # UAF bugs found (1%) by OSS-Fuzz in 2017]

  17. Recall: Motivation
      PoC: 'AFU' → no crash
      ● Bug Target: 14 (alloc) → 17 → 6 → 3 (free) → 19 (use)
      ● Timeout: 6h
      ● AFLGo (source): 6 hours | AFL-QEMU (binary): 6 hours | UAFuzz (binary): ~20 mins

  18. [image-only slide, no text extracted]

  19. 3. UAFuzz: Directed Fuzzing for UAF

  20. Existing DGF: #1 No Ordering & No Prioritization
      [Pipeline diagram, annotated] Targets: no order → Seed Distance: treat everything equally → Instrumentation: treat edges equally → Fuzzing Loop (Initial Testsuite → Seed Selection → Power Schedule) → Triage: slow → UAF Bugs

  21. Existing DGF: #2 Crash Assumption
      [Pipeline diagram, annotated] Targets: no order → Seed Distance: treat everything equally → Instrumentation: treat edges equally → Fuzzing Loop (Initial Testsuite → Seed Selection → Power Schedule) → Triage: slow, expensive sanitizer-based triage → UAF Bugs

  22. Overview of UAFuzz [tailor every fuzzing step to UAF]
      [Pipeline diagram] Binary + Targets → Instrumentation (Edge ID + Distance (UAF-based), Cut-edge Coverage, Target Similarity) → Fuzzing Loop: Initial Testsuite → Seed Selection → Power Schedule (execution characteristics) → Triage (pre-triage for free) → UAF Bugs; Fast

  23. Key Insights of UAFuzz
      ★ Seed Selection: based on similarity and ordering of input trace
      ★ Power Schedule: based on 3 seed metrics dedicated to UAF
        ○ [function level] UAF-based Distance: prioritize call traces covering UAF events
        ○ [edge level] Cut-edge Coverage: cover edge destinations reaching targets
        ○ [basic block level] Target Similarity: cover targets
      ★ Triage only potential inputs covering all locations & pre-filter for free
      ★ Fast precomputation at binary level

  24. UAF Bug Target: Dynamic Calling Tree
      Stack traces of CVE-2018-20623 (each frame is tagged with its index [n] in the flattened bug trace):
        // stack trace for the bad Use
        ==4440== Invalid read of size 1
        ==4440==    at 0x40A8383: vfprintf (vfprintf.c:1632)
        ==4440==    by 0x40A8670: buffered_vfprintf (vfprintf.c:2320)
        ==4440==    by 0x40A62D0: vfprintf (vfprintf.c:1293)
        [6] ==4440==    by 0x80AA58A: error (elfcomm.c:43)
        [5] ==4440==    by 0x8085384: process_archive (readelf.c:19063)
        [1] ==4440==    by 0x8085A57: process_file (readelf.c:19242)
        [0] ==4440==    by 0x8085C6E: main (readelf.c:19318)
        // stack trace for the Free
        ==4440== Address 0x421fdc8 is 0 bytes inside a block of size 86 free'd
        ==4440==    at 0x402D358: free (in vgpreload_memcheck-x86-linux.so)
        [4] ==4440==    by 0x80857B4: process_archive (readelf.c:19178)
        [1] ==4440==    by 0x8085A57: process_file (readelf.c:19242)
        [0] ==4440==    by 0x8085C6E: main (readelf.c:19318)
        // stack trace for the Alloc
        ==4440== Block was alloc'd at
        ==4440==    at 0x402C17C: malloc (in vgpreload_memcheck-x86-linux.so)
        [3] ==4440==    by 0x80AC687: make_qualified_name (elfcomm.c:906)
        [2] ==4440==    by 0x80854BD: process_archive (readelf.c:19089)
        [1] ==4440==    by 0x8085A57: process_file (readelf.c:19242)
        [0] ==4440==    by 0x8085C6E: main (readelf.c:19318)
      Bug Trace Flattening → UAF Bug Target:
        0 (0x8085C6E, main) → 1 (0x8085A57, process_file) → 2 (0x80854BD, process_archive) → 3 (0x80AC687, make_qualified_name) → 4 (0x80857B4, process_archive) → 5 (0x8085384, process_archive) → 6 (0x80AA58A, error)

  25. UAF-based Distance Metric
      ● Existing works compute seed distance
        ○ regardless of target ordering
        ○ regardless of UAF characteristic: call traces may contain in sequence the alloc/free functions and reach the use function
      ● Intuition: UAFuzz favors the shortest path that is likely to cover more than 2 UAF events in sequence
        ○ Statically identify and decrease weights of (caller, callee) pairs in the Call Graph
        ○ Ex: favored call traces <main, f2, f_use>, <main, f1, f3, f_use>
      [Figure: example of Call Graph, favored pairs (caller, callee) are in red]
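The weight-decreasing idea on slide 25, carried through as an added example that is not UAFuzz's own code: favored (caller, callee) pairs are taken from the two call traces on the slide, while the call graph, the unit edge weight, the halving of favored edges and the averaging used for a seed-level distance are assumptions made for illustration.

```python
"""UAF-based distance metric (slide 25). Added example, not UAFuzz's own
code: the call graph, the unit edge weight, the halving of favored edges and
the averaging used for a seed's distance are assumptions; the favored call
traces <main, f2, f_use> and <main, f1, f3, f_use> come from the slide."""
import heapq

# Constructed call graph: caller -> callees. f4 is an alternative route to
# f_use that does not pass through the alloc/free functions.
CALL_GRAPH = {"main": ["f1", "f2", "f4"], "f1": ["f3", "f4"],
              "f2": ["f_use"], "f3": ["f_use"], "f4": ["f_use"], "f_use": []}

FAVORED_TRACES = [["main", "f2", "f_use"], ["main", "f1", "f3", "f_use"]]

def favored_pairs(traces):
    """(caller, callee) pairs lying on the favored call traces."""
    return {(t[i], t[i + 1]) for t in traces for i in range(len(t) - 1)}

def edge_weight(caller, callee, favored, factor=0.5):
    """Statically decrease the weight of favored call-graph edges (factor assumed)."""
    return factor if (caller, callee) in favored else 1.0

def uaf_distance(call_graph, favored, target="f_use"):
    """Shortest weighted call-path length from every function to the target,
    by Dijkstra on the reversed call graph (distances are *to* the use site)."""
    callers = {f: [] for f in call_graph}
    for caller, callees in call_graph.items():
        for callee in callees:
            callers[callee].append(caller)
    dist, heap = {target: 0.0}, [(0.0, target)]
    while heap:
        d, f = heapq.heappop(heap)
        if d > dist[f]:
            continue  # stale heap entry
        for caller in callers[f]:
            nd = d + edge_weight(caller, f, favored)
            if nd < dist.get(caller, float("inf")):
                dist[caller] = nd
                heapq.heappush(heap, (nd, caller))
    return dist

def seed_distance(call_trace, dist):
    """Seed-level distance: mean of the distances of the functions it called."""
    return sum(dist.get(f, float("inf")) for f in call_trace) / len(call_trace)
```

With favored weights the trace main → f1 → f3 → f_use scores lower (better) than main → f1 → f4 → f_use; with plain unit weights the two are indistinguishable, which is the ordering problem the slide describes.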

  26. Cut-edge Coverage Metric
      ● Existing works treat edges equally in terms of reaching targets in sequence
      ● Cut-edge
        ○ Edge destinations are more likely to reach the next target in the bug trace
        ○ Approximately identified via static intraprocedural analysis of CFGs
      ● Intuition: UAFuzz favors inputs exercising more cut edges via a score depending on # covered cut edges and their hit counts
      [Figure: Control Flow Graph from entry point ep, with ➀ call f1 and ➁ call f2; cut edges are in blue]

  27. Target Similarity Metric
      ● Existing works select seeds to be mutated regardless of the number of covered target locations
      ● Target Similarity Metric
        ○ Prefix: more precise
        ○ Bag: less precise, but considers the whole trace
      ● Intuition: Seed Selection heuristic based on both prefix and bag metrics
        ○ Select more frequently the max-reaching inputs that have the highest value of this metric (most similar to the bug trace) so far
      [Figure: CFG with nodes 0 (alloc), 1, 2 (free), 3, 4, 5 (use), 7, 8; trace of input s: 0 → 1 → 2 → 3 → 7 → 8 → 5; Bug Trace: 0 (alloc) → 1 → 2 (free) → 3 → 4 → 5 (use)]

  28. Power Schedule
      Intuition: UAFuzz assigns more energy (a.k.a. # mutants) to
      ● seeds that are closer (using UAF-based Distance)
      ● seeds that are more similar to the bug trace (using Target Similarity Metric)
      ● seeds that make better decisions at critical code junctions (using Cut-edge Coverage Metric)

  29. Pre-filter
      ● Existing works simply send all fuzzed inputs to the bug triager
      ● Potential inputs: cover in sequence all target locations in the bug trace
      ● UAFuzz triages only potential inputs & safely discards others
        ○ Available for free after the fuzzing process via Target Similarity Metric
        ○ Saving a huge amount of time in bug triaging
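The prefix and bag metrics of slide 27 and the pre-filter of slide 29 worked on basic-block traces, as an added example that is not UAFuzz's own code: the bug trace and the input s are the ones on slide 27, the other seed traces are constructed, and the "cover in sequence" reading of the prefix metric together with the (prefix, bag) ordering used for seed selection are assumptions.

```python
"""Target Similarity Metric (slide 27) and pre-filter (slide 29) over
basic-block traces. Added example, not UAFuzz's own code: the "cover in
sequence" reading of the prefix metric and the (prefix, bag) ordering for
seed selection are assumptions; the bug trace and input s are from slide 27."""
from typing import Dict, List, Sequence

# Bug trace from slide 27: alloc at block 0, free at block 2, use at block 5.
BUG_TRACE = [0, 1, 2, 3, 4, 5]

# Constructed execution traces (basic-block ids) of candidate seeds.
SEEDS: Dict[str, List[int]] = {
    "s": [0, 1, 2, 3, 7, 8, 5],   # the input s shown on slide 27
    "t": [0, 2, 1, 3, 4, 5],      # all targets, but the free is out of order
    "u": [0, 1, 6, 5],            # reaches the use without ever freeing
    "v": [0, 1, 2, 3, 4, 5],      # replays the bug trace exactly
}

def prefix_metric(trace: Sequence[int], bug_trace: Sequence[int]) -> int:
    """Number of leading bug-trace targets covered *in order*: each target
    must occur after the previously matched one (greedy subsequence scan)."""
    matched, pos = 0, 0
    for target in bug_trace:
        try:
            pos = list(trace).index(target, pos) + 1
        except ValueError:
            break
        matched += 1
    return matched

def bag_metric(trace: Sequence[int], bug_trace: Sequence[int]) -> int:
    """Number of distinct targets covered anywhere in the trace, ignoring order."""
    return len(set(trace) & set(bug_trace))

def is_potential_input(trace: Sequence[int], bug_trace: Sequence[int]) -> bool:
    """Pre-filter: only inputs covering every target in sequence reach the triager."""
    return prefix_metric(trace, bug_trace) == len(bug_trace)

def select_seed(seeds: Dict[str, List[int]], bug_trace: Sequence[int]) -> str:
    """Max-reaching seed: highest prefix, bag as tie-breaker (ordering assumed)."""
    return max(seeds, key=lambda n: (prefix_metric(seeds[n], bug_trace),
                                     bag_metric(seeds[n], bug_trace)))

def triage_candidates(seeds: Dict[str, List[int]], bug_trace: Sequence[int]) -> List[str]:
    """Seeds that survive the pre-filter; everything else is safely discarded."""
    return [n for n, tr in seeds.items() if is_potential_input(tr, bug_trace)]
```

Seed t covers every target (bag 6) yet frees before the block that should precede it, so its prefix is only 2 and it is dropped by the pre-filter, which is why the prefix metric is the more precise of the two.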

  30. Implementation
      ● AFL-QEMU
      ● Support more open-source binary disassemblers
