cab fuzz practical concolic
play

CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating - PowerPoint PPT Presentation

May 24, 2023 •347 likes •812 views

CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems Su Yong Kim, Sangho Lee, Insu Yun, Wen Xu, Byoungyoung Lee, Youngtae Yun, Taesoo Kim USENIX Annual Technical Conference July 14, 2017 The Affiliated Institute of ETRI

  1. CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems Su Yong Kim, Sangho Lee, Insu Yun, Wen Xu, Byoungyoung Lee, Youngtae Yun, Taesoo Kim USENIX Annual Technical Conference July 14, 2017 The Affiliated Institute of ETRI Georgia Institute of Technology Purdue University

  2. Why Microsoft can’t detect a driver with a bug (NDProxy)? bool flag_table[125] = {false}; void (* fn_table[36] )(); int dispatch_device_io_control(ulong ctrl_code, ulong *buf) { switch (ctrl_code) { case 0x8fff23c4: … case 0x8fff23cc: if (buf[0]>246 || buf[1]>124 || buf[2]>36 ) return -1; if (flag_table[buf[1]]) (* fn_table[buf[2]] )(); for (int i=1; i<=buf[0]; ++i) { … } } 2 * https://www.offensive-security.com/vulndev/ndproxy-local-system-exploit-cve-2013-5065/

  3. Why Microsoft can’t detect a driver with a bug (NDProxy)? bool flag_table[125] = {false}; void (* fn_table[36] )(); int dispatch_device_io_control(ulong ctrl_code, ulong *buf) { switch (ctrl_code) { case 0x8fff23c4: … buf[2]>35 case 0x8fff23cc: if (buf[0]>246 || buf[1]>124 || buf[2]>36 ) return -1; buf[2] == 36 -> Out-of-bound execution if (flag_table[buf[1]]) (* fn_table[buf[2]] )(); for (int i=1; i<=buf[0]; ++i) { … } } 2 * https://www.offensive-security.com/vulndev/ndproxy-local-system-exploit-cve-2013-5065/

  4. Why Microsoft can’t detect a driver with a bug (NDProxy)? bool flag_table[125] = {false}; void (* fn_table[36] )(); int dispatch_device_io_control(ulong ctrl_code, ulong *buf) { Microsoft’s large -scale fuzzing tools switch (ctrl_code) { case 0x8fff23c4: couldn’t this bug … buf[2]>35 case 0x8fff23cc: if (buf[0]>246 || buf[1]>124 || buf[2]>36 ) return -1; buf[2] == 36 -> Out-of-bound execution if (flag_table[buf[1]]) (* fn_table[buf[2]] )(); for (int i=1; i<=buf[0]; ++i) { … } } 2 * https://www.offensive-security.com/vulndev/ndproxy-local-system-exploit-cve-2013-5065/

  5. Challenge 1: Path explosion because of array and loop bool flag_table[125] = {false}; void (*fn_table[36])(); int dispatch_device_io_control(ulong ctrl_code , ulong * buf ) { switch (ctrl_code) { case 0x8fff23c4: … case 0x8fff23cc: if ( buf[0]>246 || buf[1]>124 || buf[2]>36 ) return -1; if (flag_table[ buf[1] ]) (*fn_table[ buf[2] ])(); for (int i=1; i<= buf[0] ; ++i) { … } } 3

  6. Challenge 1: Path explosion because of array and loop bool flag_table[125] = {false}; void (*fn_table[36])(); int dispatch_device_io_control(ulong ctrl_code , ulong * buf ) { switch (ctrl_code) { Symbolic variables case 0x8fff23c4: … case 0x8fff23cc: if ( buf[0]>246 || buf[1]>124 || buf[2]>36 ) return -1; if (flag_table[ buf[1] ]) (*fn_table[ buf[2] ])(); for (int i=1; i<= buf[0] ; ++i) { … } } 3

  7. Challenge 1: Path explosion because of array and loop bool flag_table[125] = {false}; void (*fn_table[36])(); int dispatch_device_io_control(ulong ctrl_code , ulong * buf ) { switch (ctrl_code) { Symbolic variables case 0x8fff23c4: … case 0x8fff23cc: if ( buf[0]>246 || buf[1]>124 || buf[2]>36 ) return -1; if (flag_table[ buf[1] ]) Symbolic memories (*fn_table[ buf[2] ])(); for (int i=1; i<= buf[0] ; ++i) { … } } 3

  8. Challenge 1: Path explosion because of array and loop bool flag_table[125] = {false}; void (*fn_table[36])(); int dispatch_device_io_control(ulong ctrl_code , ulong * buf ) { switch (ctrl_code) { Symbolic variables case 0x8fff23c4: … case 0x8fff23cc: if ( buf[0]>246 || buf[1]>124 || buf[2]>36 ) return -1; if (flag_table[ buf[1] ]) Symbolic memories (*fn_table[ buf[2] ])(); for (int i=1; i<= buf[0] ; ++i) { … } Loop controlled by a symbolic variable } 3

  9. Challenge 1: Path explosion because of array and loop bool flag_table[125] = {false}; void (*fn_table[36])(); int dispatch_device_io_control(ulong ctrl_code , ulong * buf ) { More than million paths (124 x 36 x 246) to explore switch (ctrl_code) { Symbolic variables case 0x8fff23c4: because of two arrays and a single loop … case 0x8fff23cc: if ( buf[0]>246 || buf[1]>124 || buf[2]>36 ) return -1; if (flag_table[ buf[1] ]) Symbolic memories (*fn_table[ buf[2] ])(); for (int i=1; i<= buf[0] ; ++i) { … } Loop controlled by a symbolic variable } 3

  10. Challenge 1: Path explosion because of array and loop • The number of feasible program paths to test exponentially increases according to its size • COTS OS is complex and huge • Almost infinite number of paths to test 4

  11. Challenge 2: Difficulty in constructing pre-contexts to test targets bool flag_table[125] = {false}; // default: false void (*fn_table[36])(); int dispatch_device_io_control(ulong ctrl_code, ulong *buf) { switch (ctrl_code) { case 0x8fff23c4 : for (int i=0; i<125; ++i) flag_table[i] = true; case 0x8fff23cc: … if (flag_table[buf[1]]) (* fn_table[buf[2]] )(); } 5

  12. Challenge 2: Difficulty in constructing pre-contexts to test targets bool flag_table[125] = {false}; // default: false void (*fn_table[36])(); int dispatch_device_io_control(ulong ctrl_code, ulong *buf) { switch (ctrl_code) { case 0x8fff23c4 : for (int i=0; i<125; ++i) flag_table[i] = true; should be executed to case 0x8fff23cc: trigger the bug … if (flag_table[buf[1]]) (* fn_table[buf[2]] )(); } 5

  13. Challenge 2: Difficulty in constructing pre-contexts to test targets bool flag_table[125] = {false}; // default: false void (*fn_table[36])(); int dispatch_device_io_control(ulong ctrl_code, ulong *buf) { Difficult to construct pre-contexts to trigger bugs switch (ctrl_code) { case 0x8fff23c4 : for (int i=0; i<125; ++i) flag_table[i] = true; should be executed to case 0x8fff23cc: trigger the bug … if (flag_table[buf[1]]) (* fn_table[buf[2]] )(); } 5

  14. Challenge 2: Difficulty in constructing pre-contexts to test targets • Many functions and code blocks have pre- contexts to execute them correctly • Execution order to set up states (open before read), input validation (checksum), … • Difficult to construct or guess pre-contexts 6

  15. Challenge 2: Difficulty in constructing pre-contexts to test targets • Many functions and code blocks have pre- contexts to execute them correctly • Execution order to set up states (open before read), input validation (checksum), … • Difficult to construct or guess pre-contexts Research goal: Can we make a concolic testing tool that 1) avoids path explosion and 2) constructs pre-contexts automatically ? 6

  16. Idea 1: Test paths likely having bugs first • Prioritize array and loop boundary states • Detect bugs due to a lack of proper boundary checks 7

  17. Idea 2: Construct pre-contexts using real programs • Let real programs run until they call target OS APIs • Would have prepared necessary conditions before calling the APIs (they will call open syscall before read syscall) • Hook the API calls and initiate concolic testing 8

  18. Promising results • Implemented by modifiying S2E and evaluated with Windows 7 and Windows Server 2008 • Found 21 unique crashes in six device drivers • Two local privilege escalation vulnerabilities • Information disclosure in a crypto driver 9

  19. Overview of CAB-Fuzz 10

  20. Synthetic symbolization with S2E ulong ctrl_code = 0; ulong in_buf[IN_BUF_SIZE] = {0}; NtCreateFile(&device_handle, … , &object_attributes, … ); s2e_make_symbolic( &ctrl_code , sizeof(ctrl_code ), “code”); s2e_make_symbolic( &in_buf , sizeof(in_buf ), “ buf ”); NtDeviceIoControlFile( device_handle, NULL, NULL, NULL, &io_status_block, ctrl_code , &in_buf , IN_BUF_SIZE , &out_buf, OUT_BUF_SIZE); 11

  21. Synthetic symbolization with S2E ulong ctrl_code = 0; ulong in_buf[IN_BUF_SIZE] = {0}; NtCreateFile(&device_handle, … , &object_attributes, … ); s2e_make_symbolic( &ctrl_code , sizeof(ctrl_code ), “code”); s2e_make_symbolic( &in_buf , sizeof(in_buf ), “ buf ”); NtDeviceIoControlFile( device_handle, NULL, NULL, NULL, Specify target API &io_status_block, ctrl_code , &in_buf , IN_BUF_SIZE , &out_buf, OUT_BUF_SIZE); 11

  22. Synthetic symbolization with S2E ulong ctrl_code = 0; ulong in_buf[IN_BUF_SIZE] = {0}; Specify target drivers NtCreateFile(&device_handle, … , &object_attributes, … ); s2e_make_symbolic( &ctrl_code , sizeof(ctrl_code ), “code”); Symbolize two s2e_make_symbolic( &in_buf , sizeof(in_buf ), “ buf ”); arguments NtDeviceIoControlFile( device_handle, NULL, NULL, NULL, Specify target API &io_status_block, ctrl_code , &in_buf , IN_BUF_SIZE , &out_buf, OUT_BUF_SIZE); 11

  23. Synthetic symbolization with S2E ulong ctrl_code = 0; ulong in_buf[IN_BUF_SIZE] = {0}; Specify target drivers NtCreateFile(&device_handle, … , &object_attributes, … ); s2e_make_symbolic( &ctrl_code , sizeof(ctrl_code ), “code”); Symbolize two s2e_make_symbolic( &in_buf , sizeof(in_buf ), “ buf ”); arguments NtDeviceIoControlFile( device_handle, NULL, NULL, NULL, Specify target API &io_status_block, ctrl_code , &in_buf , IN_BUF_SIZE , &out_buf, OUT_BUF_SIZE); Don’t symbolize the size to avoid path explosion 11

  24. Array-boundary prioritization • Concretize the lowest and highest addresses of symbolic memory first • Compute the boundary addresses using KLEE solver’s getRange function • For symbolic memory triggering a state fork at least twice 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang and Taesoo Kim, FINDING SECURITY BUGS Fuzzing Automated test to monitor exceptions (crashes &amp; memory leaks)

417 views • 17 slides
LibreOffice oss-fuzz, crashtesting, coverity Overview Oss-Fuzz Crashtesting Coverity

LibreOffice oss-fuzz, crashtesting, coverity Overview Oss-Fuzz Crashtesting Coverity

LibreOffice oss-fuzz, crashtesting, coverity Overview Oss-Fuzz Crashtesting Coverity Oss-Fuzz Overview Continuous Fuzzing of our import filters Thanks to Google we get to use their infrastructure and resources

542 views • 26 slides
Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg

Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg

Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg January 25th, 2016 Marco Probst Concolic Testing 1 / 22 Overview Code Example 1 Unit Testing 2 Random Testing Symbolic Execution Concolic

919 views • 89 slides
Efficient Concolic Testing of MPI Applications Hongbo Li Zizhong Chen Rajiv Gupta CC19,

Efficient Concolic Testing of MPI Applications Hongbo Li Zizhong Chen Rajiv Gupta CC19,

Efficient Concolic Testing of MPI Applications Hongbo Li Zizhong Chen Rajiv Gupta CC19, Washington DC, USA Feb. 17, 2019 Concolic Testing Symbolic Execution Concrete Execution It Is Popular Programming languages: Binary machine

769 views • 37 slides
LCT: An Open Source Concolic Testing Tool for Java Programs Kari Khknen, Tuomas Launiainen,

LCT: An Open Source Concolic Testing Tool for Java Programs Kari Khknen, Tuomas Launiainen,

LCT: An Open Source Concolic Testing Tool for Java Programs Kari Khknen, Tuomas Launiainen, Olli Saarikivi, Janne Kauttio, Keijo Heljanko and Ilkka Niemel BYTECODE 2011 Overview Concolic Testing Tool Overview Experiments

395 views • 13 slides
Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin

Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin

Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin (Microsoft Center for Software Excellence) David Molnar (UC Berkeley &amp; MSR) Fuzz Testing Send random data to application B.

366 views • 36 slides
MACE: Model-inference-Assisted Concolic Exploration Domagoj Babic

MACE: Model-inference-Assisted Concolic Exploration Domagoj Babic

MACE: Model-inference-Assisted Concolic Exploration Domagoj Babic h-p://www.domagoj.info/ joint work with Chia Yuan Cho, Pongsin Poosankam, Kevin Zhijie Chen, Edward XueJun

508 views • 21 slides
Fuzz Testing for Fun and Profit Presented by:

Fuzz Testing for Fun and Profit Presented by:

W3 Testing at Scale Wednesday, October 2nd, 2019 11:30 AM Fuzz Testing for Fun and Profit Presented by: Melissa Benua

441 views • 11 slides
Semi-valid Input Coverage for Fuzz Testjng Petar Tsankov , Mohammad Torabi Dashtj, David Basin

Semi-valid Input Coverage for Fuzz Testjng Petar Tsankov , Mohammad Torabi Dashtj, David Basin

Semi-valid Input Coverage for Fuzz Testjng Petar Tsankov , Mohammad Torabi Dashtj, David Basin Instjtute of Informatjon Security ETH Zurich Fuzz Testjng Testjng a PDF Viewer Pass / Fail PDF Viewer Valid inputs Test Oracle Are the PDF fjles

643 views • 39 slides
CUTE: A Concolic Unit Testing Engine for C (ACM SIGSOFT Impact Award 2019) Koushik Sen, UC

CUTE: A Concolic Unit Testing Engine for C (ACM SIGSOFT Impact Award 2019) Koushik Sen, UC

CUTE: A Concolic Unit Testing Engine for C (ACM SIGSOFT Impact Award 2019) Koushik Sen, UC Berkeley Darko Marinov, UIUC Gul Agha, UIUC Programs Have Bugs 2 Why Program Testing? Programmer familiarity Concrete input for debugging

1.16k views • 68 slides
Eli lici citin ing Fu Fuzz zzy Kn Knowl wledg dge e fr from th the PI PIMA MA Dataset

Eli lici citin ing Fu Fuzz zzy Kn Knowl wledg dge e fr from th the PI PIMA MA Dataset

Eli lici citin ing Fu Fuzz zzy Kn Knowl wledg dge e fr from th the PI PIMA MA Dataset Antonio dAcierno ISA A CNR daci cier erno.a@ no.a@is isa.cnr a.cnr.it .it Giuseppe eppe De Pietro ro, , Massimo mo Esposit sito

370 views • 26 slides
BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX Who we are Research

BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX Who we are Research

BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX Who we are Research and Analysis: Zhenhua(Eric) Liu Vulnerability Researcher zhliu@fortinet.com Contributor and Editor: Guillaume Lovet Sr Manager of Fortinet's

646 views • 52 slides
USING MIASM TO FUZZ BINARIES WITH AFL @guedou - 22/06/2017 - BeeRumP 1 WHAT IS AFL? A smart

USING MIASM TO FUZZ BINARIES WITH AFL @guedou - 22/06/2017 - BeeRumP 1 WHAT IS AFL? A smart

USING MIASM TO FUZZ BINARIES WITH AFL @guedou - 22/06/2017 - BeeRumP 1 WHAT IS AFL? A smart fuzzer that uses code coverage needs an initial corpus ~20 different mutations strategies only keep mutated inputs that modify coverage source

868 views • 29 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
RESEARCH TOPICS Metamorphic testing OVERVIEW Fuzz testing Regression testing:

RESEARCH TOPICS Metamorphic testing OVERVIEW Fuzz testing Regression testing:

3/31/17 TOPICS 2 RESEARCH TOPICS Metamorphic testing OVERVIEW Fuzz testing Regression testing: selection, prioritization T est input generation CS580A5 SPRING 2017 Fault localization SUDIPTO GHOSH Automatic program

276 views • 3 slides
void fuzz(char* buf, int&amp; len){ void fuzz(char* buf, int&amp; len){ void fuzz(char* buf,

void fuzz(char* buf, int&amp; len){ void fuzz(char* buf, int&amp; len){ void fuzz(char* buf,

void fuzz(char* buf, int&amp; len){ void fuzz(char* buf, int&amp; len){ void fuzz(char* buf, int&amp; len){ void fuzz(char* buf, int&amp; len){ void fuzz(char* buf, int&amp; len){ int q = rand()%20; int q = rand()%20; int q = rand()%20; int

836 views • 61 slides
Honeycomb Crea/ve Works is financed by the European

Honeycomb Crea/ve Works is financed by the European

Honeycomb Crea/ve Works is financed by the European Unions European Regional Development Fund through the INTERREG IVA Cross-border Programme managed

1.36k views • 103 slides
2018 Navigating the Annual Report and Proxy Season 2018: Looking Ahead Steven Kennedy Finally,

2018 Navigating the Annual Report and Proxy Season 2018: Looking Ahead Steven Kennedy Finally,

2018 Navigating the Annual Report and Proxy Season 2018: Looking Ahead Steven Kennedy Finally, a Full Commission Hester Pierce Robert Jackson Jr. George Mason Univ Columbia Law School Confirmed 12/21/17 Confirmed 12/21/17 3 SEC

722 views • 33 slides
Exploiting Underlying Structure for Detailed Reconstruction of an Internet-scale Event Abhishek

Exploiting Underlying Structure for Detailed Reconstruction of an Internet-scale Event Abhishek

Exploiting Underlying Structure for Detailed Reconstruction of an Internet-scale Event Abhishek Kumar (Georgia Tech / Google) Vern Paxson (ICSI) Nicholas Weaver (ICSI) Proc. ACM Internet Measurement Conference 2005 1 Enhancing Telescope

574 views • 55 slides
Dairy Industry Trends in NYS - Benchmarking Jason Karszes Senior Extension Associate PRO-DAIRY

Dairy Industry Trends in NYS - Benchmarking Jason Karszes Senior Extension Associate PRO-DAIRY

Dairy Industry Trends in NYS - Benchmarking Jason Karszes Senior Extension Associate PRO-DAIRY B21 Morrison Hall e-mail JK57@Cornell.edu Cornell University Phone 607-255-3809 Ithaca, NY 14853 Department of Animal Science

573 views • 43 slides
CISC 322 Software Architecture Lecture 19: Software Cost Estimation Emad Shihab Slides adapted

CISC 322 Software Architecture Lecture 19: Software Cost Estimation Emad Shihab Slides adapted

CISC 322 Software Architecture Lecture 19: Software Cost Estimation Emad Shihab Slides adapted from Ian Sommerville Last Class Program Evaluation and Review Technique (PERT) Determine critical path Calculate prob. that a project

459 views • 29 slides
Hijack: Taking Control of COTS Systems for Real-Time User-Level Services Gabriel Parmer and

Hijack: Taking Control of COTS Systems for Real-Time User-Level Services Gabriel Parmer and

Hijack: Taking Control of COTS Systems for Real-Time User-Level Services Gabriel Parmer and Richard West Computer Science Deparment Boston University Boston, MA 02215 { gabep1, richwest } @cs.bu.edu April 5, 2007 COTS in RT/Embedded Systems

706 views • 31 slides
Deciphering a Commercial WiMAX Deployment using COTS Equipments Kok-Kiong Yap SING Group

Deciphering a Commercial WiMAX Deployment using COTS Equipments Kok-Kiong Yap SING Group

Deciphering a Commercial WiMAX Deployment using COTS Equipments Kok-Kiong Yap SING Group Meeting : August 10, 2010 Wireless Networks Today Mobile network High latency (100 - 200 ms) Low bandwidth Good coverage WLAN/WiFi

677 views • 21 slides
Augmenting Hypergraph Models with Message Nets to Reduce Bandwidth and Latency Costs

Augmenting Hypergraph Models with Message Nets to Reduce Bandwidth and Latency Costs

Augmenting Hypergraph Models with Message Nets to Reduce Bandwidth and Latency Costs Simultaneously Oguz Selvitopi, Seher Acer , and Cevdet Aykanat Bilkent University, Ankara, Turkey CSC16, Albuquerque, NM, USA October 10-12, 2016 To appear in

447 views • 11 slides

More recommend