advanced systems security fuzz testing
play

Advanced Systems Security Fuzz Testing Trent Jaeger Systems and - PowerPoint PPT Presentation

Aug 02, 2023 •386 likes •812 views

Advanced Systems Security Fuzz Testing Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory

  1. Advanced Systems Security � Fuzz Testing Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1

  2. Detect Vulnerabilities • We want to develop techniques to detect vulnerabilities automatically before they are exploited ‣ What ’ s a vulnerability? ‣ How to find them? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 2

  3. Vulnerability • How do you define computer ‘ vulnerability ’ ? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 3

  4. Vulnerability • How do you define computer ‘ vulnerability ’ ? ‣ Flaw ‣ Accessible to adversary ‣ Adversary has ability to exploit Systems and Internet Infrastructure Security Laboratory (SIIS) Page 4

  5. One Approach • Run the program on various inputs ‣ See what happens ‣ Maybe you will find a flaw • How should you choose inputs? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 5

  6. Dynamic Analysis Options • Regression Testing ‣ Run program on many normal inputs and look for bad behavior in the responses • Typically looking for behavior that differs from expected – e.g., a previous version of the program • Fuzz Testing ‣ Run program on many abnormal inputs and look for bad behavior in the responses • Looking for behaviors that may be triggered by adversaries ‣ Bad behaviors are typically crashes caused by memory errors Systems and Internet Infrastructure Security Laboratory (SIIS) Page 6

  7. Dynamic Analysis Options • Why do you think fuzz testing is more appropriate for finding vulnerabilities than regression testing? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 7

  8. Fuzz Testing • Fuzz Testing ‣ Idea proposed by Bart Miller at Wisconsin in 1988 • Problem: People assumed that utility programs could correctly process any input values ‣ Available to all • Result: Found that they could crash 25-33% of UNIX utility programs Systems and Internet Infrastructure Security Laboratory (SIIS) Page 8

  9. Fuzz Testing • Fuzz Testing ‣ Idea proposed by Bart Miller at Wisconsin in 1988 • Approach ‣ Generate random inputs ‣ Run lots of programs using random inputs ‣ Identify crashes of these programs ‣ Correlate with the random inputs that caused the crashes • Problems: Not checking returns, Array indices… Systems and Internet Infrastructure Security Laboratory (SIIS) Page 9

  10. Fuzzing Example • Fuzz Testing ‣ Example format.c (line 276): ... while (lastc != ’\n’) { rdc(); } ... input.c (line 27): rdc() { do { readchar(); } while (lastc == ’ ’ || lastc == ’\t’); return (lastc); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 10

  11. Challenges • Idea: Search for possibly accessible and exploitable flaws in a program by running the program under a variety of inputs • Challenge: Selecting input values for the program ‣ What should be the goals in choosing input values for dynamic analysis? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 11

  12. Challenges • Idea: Search for possibility exploitable flaws in a program by running the program under a variety of inputs • Challenge: Selecting input values for the program ‣ What should be the goals in choosing input values for dynamic analysis? ‣ Find all exploitable flaws ‣ With the fewest possible input values • How should these goals impact input choices? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 12

  13. Black Box Fuzzing • Like Miller ‒ Feed the program random inputs and see if it crashes • Pros: Easy to configure • Cons: May not search efficiently ‣ May re-run the same path over again (low coverage) ‣ May be very hard to generate inputs for certain paths (checksums, hashes, restrictive conditions) ‣ May cause the program to terminate for logical reasons ‒ fail format checks and stop Systems and Internet Infrastructure Security Laboratory (SIIS) Page 13

  14. Black Box Fuzzing • Example function( char *name, char *passwd, char *buf ) { if ( authenticate_user( name, passwd )) { if ( check_format( buf )) { update( buf ); } } } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 14

  15. Mutation-Based Fuzzing • Supply a well-formed input ‣ Generate random changes to that input • No assumptions about input ‣ Only assumes that variants of well-formed input may problematic • Example: zzuf ‣ http://sam.zoy.org/zzuf/ ‣ Reading: The Fuzzing Project Tutorial Systems and Internet Infrastructure Security Laboratory (SIIS) Page 15

  16. Mutation-Based Fuzzing • Example: zzuf ‣ http://sam.zoy.org/zzuf/ • The Fuzzing Project Tutorial ‣ zzuf -s 0:1000000 -c -C 0 -q -T 3 objdump -x win9x.exe ‣ Fuzzes the program objdump using the sample input win9x.exe ‣ Try 1M seed values (-s) from command line (-c) and keep running if crashed (-C 0) with timeout (-T 3) Systems and Internet Infrastructure Security Laboratory (SIIS) Page 16

  17. Mutation-Based Fuzzing • Easy to setup, and not dependent on program details • But may be strongly biased by the initial input • Still prone to some problems ‣ May re-run the same path over again (same test) ‣ May be very hard to generate inputs for certain paths (checksums, hashes, restrictive conditions) Systems and Internet Infrastructure Security Laboratory (SIIS) Page 17

  18. Generation-Based Fuzzing • Generational fuzzer generate inputs “from scratch” rather than using an initial input and mutating • However, to overcome problems of naïve fuzzers they often need a format or protocol spec to start • Examples include ‣ SPIKE, Peach Fuzz • However format-aware fuzzing is cumbersome, because you'll need a fuzzer specification for every input format you are fuzzing Systems and Internet Infrastructure Security Laboratory (SIIS) Page 18

  19. Generation-Based Fuzzing • Can be more accurate, but at a cost • Pros: More complete search ‣ Values more specific to the program operation ‣ Can account for dependencies between inputs • Cons: More work ‣ Get the specification ‣ Write the generator ‒ ad hoc • Need to do for each program Systems and Internet Infrastructure Security Laboratory (SIIS) Page 19

  20. Grey Box Fuzzing • Rather than treating the program as a black box, instrument the program to track the paths run • Save inputs that lead to new paths ‣ Associated with the paths they exercise • Example ‣ American Fuzzy Lop (AFL) • “State of the practice” at this time Systems and Internet Infrastructure Security Laboratory (SIIS) Page 20

  21. AFL • Provides compiler wrappers for gcc to instrument target program to collect fuzzing stats • http://lcamtuf.coredump.cx/afl/ Systems and Internet Infrastructure Security Laboratory (SIIS) Page 21

  22. AFL Display • Tracks the execution of the fuzzer • Key information are ‣ “total paths” ‒ number of different execution paths tried ‣ “unique crashes” ‒ number of unique crash locations Systems and Internet Infrastructure Security Laboratory (SIIS) Page 26

  23. AFL Output • Shows the results of the fuzzer ‣ E.g., provides inputs that will cause the crash • File “fuzzer_stats” provides summary of stats ‒ UI • File “plot_data” shows the progress of fuzzer • Directory “queue” shows inputs that led to paths • Directory “crashes” contains input that caused crash • Directory “hangs” contains input that caused hang Systems and Internet Infrastructure Security Laboratory (SIIS) Page 27

  24. AFL Operation • How does AFL work? ‣ http://lcamtuf.coredump.cx/afl/technical_details.txt • The instrumentation captures branch (edge) coverage, along with coarse branch-taken hit counts. ‣ cur_location = <COMPILE_TIME_RANDOM>; ‣ shared_mem[cur_location ^ prev_location]++; ‣ prev_location = cur_location >> 1; • Record branches taken with low collision rate • Enables distinguishing unique paths Systems and Internet Infrastructure Security Laboratory (SIIS) Page 30

  25. AFL Operation • How does AFL work? ‣ http://lcamtuf.coredump.cx/afl/technical_details.txt • When a mutated input produces an execution trace containing new tuples, the corresponding input file is preserved and routed for additional processing ‣ Otherwise, input is discarded • Mutated test cases that produced new state transitions are added to the input queue and used as a starting point for future rounds of fuzzing Systems and Internet Infrastructure Security Laboratory (SIIS) Page 31

  26. AFL Operation • How does AFL work? ‣ http://lcamtuf.coredump.cx/afl/technical_details.txt • Fuzzing strategies ‣ Highly deterministic at first ‒ bit flips, add/sub integer values, and choose interesting integer values ‣ Then, non-deterministic choices ‒ insertions, deletions, and combinations of test cases Systems and Internet Infrastructure Security Laboratory (SIIS) Page 32

  27. Grey Box Fuzzing • Finds flaws, but still does not understand the program • Pros: Much better than black box testing ‣ Essentially no configuration ‣ Lots of crashes have been identified • Cons: Still a bit of a stab in the dark ‣ May not be able to execute some paths ‣ Searches for inputs independently from the program • Need to improve the effectiveness further Systems and Internet Infrastructure Security Laboratory (SIIS) Page 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure

ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure

Empowering Security Teams ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure EDSA Certification Communication/Network Robustness Testing (CRT) CRT examines the capability of the device to

859 views • 33 slides
Software Security Dynamic analysis and fuzz testing Bhargava Shastry Prof. Jean-Pierre Seifert

Software Security Dynamic analysis and fuzz testing Bhargava Shastry Prof. Jean-Pierre Seifert

Software Security Dynamic analysis and fuzz testing Bhargava Shastry Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2016 1 / 21 Introduction What is this lecture about? How do we find bugs in programs? ... by

363 views • 21 slides
RESEARCH TOPICS Metamorphic testing OVERVIEW Fuzz testing Regression testing:

RESEARCH TOPICS Metamorphic testing OVERVIEW Fuzz testing Regression testing:

3/31/17 TOPICS 2 RESEARCH TOPICS Metamorphic testing OVERVIEW Fuzz testing Regression testing: selection, prioritization T est input generation CS580A5 SPRING 2017 Fault localization SUDIPTO GHOSH Automatic program

276 views • 3 slides
CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems Su Yong Kim, Sangho

CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems Su Yong Kim, Sangho

CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems Su Yong Kim, Sangho Lee, Insu Yun, Wen Xu, Byoungyoung Lee, Youngtae Yun, Taesoo Kim USENIX Annual Technical Conference July 14, 2017 The Affiliated Institute of ETRI

812 views • 46 slides
SECFUZZ: Fuzz-testing Security Protocols Petar Tsankov, Mohammad Torabi Dashti, David Basin ETH

SECFUZZ: Fuzz-testing Security Protocols Petar Tsankov, Mohammad Torabi Dashti, David Basin ETH

SECFUZZ: Fuzz-testing Security Protocols Petar Tsankov, Mohammad Torabi Dashti, David Basin ETH Zurich Motivation Input universe Invalid inputs Well-formed inputs Security protocol implementation Abnormal behaviors Behaviors May expose

454 views • 17 slides
Fuzz Testing for Fun and Profit Presented by:

Fuzz Testing for Fun and Profit Presented by:

W3 Testing at Scale Wednesday, October 2nd, 2019 11:30 AM Fuzz Testing for Fun and Profit Presented by: Melissa Benua

441 views • 11 slides
Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin

Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin

Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin (Microsoft Center for Software Excellence) David Molnar (UC Berkeley &amp; MSR) Fuzz Testing Send random data to application B.

366 views • 36 slides
Advanced Systems Security: Introduction to OS Security Trent Jaeger Systems and Internet

Advanced Systems Security: Introduction to OS Security Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Introduction to OS Security Trent

770 views • 28 slides
Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Linux Security Modules Trent

872 views • 30 slides
Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Security-Enhanced Linux Trent

474 views • 26 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Advanced Systems Security: Hardware Security Trent Jaeger Systems and Internet

Advanced Systems Security: Hardware Security Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Hardware Security Trent Jaeger

703 views • 46 slides
Advanced Systems Security: Virtual Machine Systems Trent Jaeger Systems and Internet

Advanced Systems Security: Virtual Machine Systems Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Virtual Machine Systems Trent

783 views • 43 slides
CSE 544 Advanced Systems Security Trent Jaeger Systems and Internet Infrastructure Security

CSE 544 Advanced Systems Security Trent Jaeger Systems and Internet Infrastructure Security

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CSE 544 Advanced Systems Security Trent Jaeger Systems and

651 views • 28 slides
Advanced Systems Security: Capability Systems Trent Jaeger Systems and Internet

Advanced Systems Security: Capability Systems Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Capability Systems Trent Jaeger

622 views • 36 slides
Advanced Systems Security Retrofitting for Security Trent Jaeger Systems and Internet

Advanced Systems Security Retrofitting for Security Trent Jaeger Systems and Internet

Advanced Systems Security Retrofitting for Security Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security

370 views • 33 slides
Intelligent Software Engineering: Synergy between AI and Software Engineering Tao Xie

Intelligent Software Engineering: Synergy between AI and Software Engineering Tao Xie

Intelligent Software Engineering: Synergy between AI and Software Engineering Tao Xie University of Illinois at Urbana-Champaign taoxie@illinois.edu http://taoxie.cs.illinois.edu/ SETTA18 Keynote Artificial Intelligence Software

983 views • 46 slides
May 26, 2015 Presentation to Council and School Board Page 1 of 24 Page 2 of 24 Page 3 of 24

May 26, 2015 Presentation to Council and School Board Page 1 of 24 Page 2 of 24 Page 3 of 24

May 26, 2015 Presentation to Council and School Board Page 1 of 24 Page 2 of 24 Page 3 of 24 Page 4 of 24 Page 5 of 24 Two homes and a mesquite thicket were razed. Page 6 of 24 The gym was constructed. Page 7 of 24 Page 8 of 24 Page 9 of

435 views • 24 slides
Environmental Harm of California WaterFix and Protection by the Modified FMS Part 2 Testimony

Environmental Harm of California WaterFix and Protection by the Modified FMS Part 2 Testimony

Environmental Harm of California WaterFix and Protection by the Modified FMS Part 2 Testimony November 29, 2017 EXHIBIT ARWA-501 Contents Panel 1 California WaterFix Injury to Lower American River (LAR) Fish Panel 2 Modified Flow

591 views • 55 slides
Dynamics of Racial Food Security Gaps Public Comments to the NV Council on Food Security Ian K.

Dynamics of Racial Food Security Gaps Public Comments to the NV Council on Food Security Ian K.

Dynamics of Racial Food Security Gaps Public Comments to the NV Council on Food Security Ian K. McDonough University of Nevada, Las Vegas January 7, 2020 Ian K. McDonough (UNLV) FS Dynamics CFS, Jan. 7 1 / 8 Disparity in FS Rates by

267 views • 8 slides
CVPR 2 CVPR 2019 Tracking and Detection Challenge 16/06/2019 www.motchallenge.net CVPR 2019

CVPR 2 CVPR 2019 Tracking and Detection Challenge 16/06/2019 www.motchallenge.net CVPR 2019

CVPR 2019 Tracking and Detection Challenge CVPR 2 CVPR 2019 Tracking and Detection Challenge 16/06/2019 www.motchallenge.net CVPR 2019 Long Beach CVPR 2019 Tracking and Detection Challenge Overview 1. Dataset 2. Evaluation 3. Challenge

278 views • 17 slides
Pane nel Session: n: 5G Test and Measur ureme ment Malcolm Robertson, , Keysight Jon

Pane nel Session: n: 5G Test and Measur ureme ment Malcolm Robertson, , Keysight Jon

IEEE 5G Summit mit Pane nel Session: n: 5G Test and Measur ureme ment Malcolm Robertson, , Keysight Jon Martens, , Anritsu Chris Scholz, z, Rohde &amp; Schwarz Jason White, , National Instruments Moderator: : Ka Kate A. Remley, ,

562 views • 21 slides
Test Factoring: Focusing test suites on the task at hand David Saff, MIT ASE 2005 1 David

Test Factoring: Focusing test suites on the task at hand David Saff, MIT ASE 2005 1 David

Test Factoring: Focusing test suites on the task at hand David Saff, MIT ASE 2005 1 David Saff The problem: large, general system tests My test suite One hour Where I changed code Where I broke code How can I get: Quicker feedback?

1.03k views • 60 slides
DING T EST A UTOMATION XTENDI OR V IR ON FOR IRTU TUALI LIZATION Sharookh Daru aruwalla

DING T EST A UTOMATION XTENDI OR V IR ON FOR IRTU TUALI LIZATION Sharookh Daru aruwalla

11/1/2013 C HALLENGES E XTE DING T EST A UTOMATION XTENDI OR V IR ON FOR IRTU TUALI LIZATION Sharookh Daru aruwalla Inte tel Corp rporati tion Intel Confidential Do Not Forward C ONT ONTEXT Automation essential to manage todays

395 views • 22 slides

More recommend