compiler fuzzing how much does it matter
play

Compiler Fuzzing: How Much Does It Matter? Michal Marcozzi* - PowerPoint PPT Presentation

Oct 24, 2022 •230 likes •684 views

Compiler Fuzzing: How Much Does It Matter? Michal Marcozzi* Qiyi Tang* Alastair F. Donaldson Cristian Cadar * The presented experimental study has been carried out equally by M. Marcozzi and Q. Tang. Outline 1. Context: compiler

  1. Compiler Fuzzing: How Much Does It Matter? Michaël Marcozzi* Qiyi Tang* Alastair F. Donaldson Cristian Cadar * The presented experimental study has been carried out equally by M. Marcozzi and Q. Tang.

  2. Outline 1. Context: compiler fuzzing 2. Problem: importance of fuzzer-found miscompilations is unclear 3. Goal: a study of the practical impact of miscompilation bugs 4. Methodology for bug impact measurement 5. Experiments and results 6. Conclusions

  3. Compiler Bugs • Software developers intensively rely on compilers , often with blind confidence • Compilers are software: they have bugs too (~150 fixed bugs/month in LLVM compiler) • In worst case , unnoticed miscompilation (silent generation of wrong code) History of LLVM Bug Tracking System (2003-2015) [Sun et al., ISSTA’16] M. Marcozzi 3 Compiler Fuzzing: How Much Does It Matter?

  4. Compiler Validation (1/2) • Classical software validation approaches have been applied to compilers • Formal verification: CompCert verified compiler, Alive optimisation prover, etc. • Testing: LLVM test suite, etc. M. Marcozzi 4 Compiler Fuzzing: How Much Does It Matter?

  5. Compiler Validation (2/2) • Recent surge of interest in compiler fuzzing : • Automatic and massive random generation of test programs to compile • Automatic miscompilation detection via di ff erential or metamorphic testing • e.g. 200+ miscompilations found in LLVM by Csmith 1 , EMI 2 , Orange 3 and Yarpgen 4 1 [Yang et al., PLDI’11] [Regehr et al., PLDI’12] [Chen et al., PLDI’13] 2 Equivalence Modulo Inputs [Le et al., PLDI’14, OOPSLA’15] [Sun et al.,OOPSLA’16] 3 [Nagai et al., T-SLDM] [Nakamura et al., APCCAS’16] 4 https://github.com/intel/yarpgen M. Marcozzi 5 Compiler Fuzzing: How Much Does It Matter?

  6. Outline 1. Context: compiler fuzzing 2. Problem: importance of fuzzer-found miscompilations is unclear 3. Goal: a study of the practical impact of miscompilation bugs 4. Methodology for bug impact measurement 5. Experiments and results 6. Conclusions

  7. Importance of Fuzzer-Found Miscompilations (1/2) • Audience of our talks on compiler fuzzers often question the importance of found bugs • In our experience, this is a contentious debate and people can be poles apart: In my opinion, compiler bugs are extremely dangerous, period. Thus, regardless of the real-world impact of compiler bugs, I think that techniques that can uncover (and help fix) compiler bugs are extremely valuable. One anonymous reviewer of this paper at a top P/L conference I would suggest that compiler developers stop responding to researchers working toward publishing papers on [fuzzers] . Responses from compiler maintainers is being becoming a metric for measuring the performance of [fuzzers], so responding just encourages the trolls . ’The Shape of Code’ weblog author (former UK representative at ISO International C Standard) M. Marcozzi 7 Compiler Fuzzing: How Much Does It Matter?

  8. Importance of Fuzzer-Found Miscompilations (2/2) • In this work, we consider a mature compiler in a non-critical environment : • The compiler has been intensively tested by its developers and users • Trade-o ff s between software reliability and cost are acceptable and common • In this context, doubting the impact of fuzzer-found bugs is reasonable : It is unclear if mature compilers leave much space to find severe bugs Fuzzers find bugs a ff ecting generated code, whose patterns may not occur in real code M. Marcozzi 8 Compiler Fuzzing: How Much Does It Matter?

  9. Outline 1. Context: compiler fuzzing 2. Problem: importance of fuzzer-found miscompilations is unclear 3. Goal: a study of the practical impact of miscompilation bugs 4. Methodology for bug impact measurement 5. Experiments and results 6. Conclusions

  10. Goal and Challenges • In this work, our objectives are to: Show specifically that compiler fuzzing matters or does not matter Study the impact of miscompilation bugs in a mature compiler over real apps Compare impact of bugs from fuzzers with others (e.g. found by compiling real code) • Operationally, we aim at overcoming the following challenges : • Take steps towards a methodology to measure the impact of a miscompilation bug • Apply it over a significant but tractable set of bugs and real applications M. Marcozzi 10 Compiler Fuzzing: How Much Does It Matter?

  11. Outline 1. Context: compiler fuzzing 2. Problem: importance of fuzzer-found miscompilations is unclear 3. Goal: a study of the practical impact of miscompilation bugs 4. Methodology for bug impact measurement 5. Experiments and results 6. Conclusions

  12. Bug Impact Measurement Methodology • Assumption: Restrict to publicly fixed bugs in open-source compilers , to extract Fixing Patch written by developers M. Marcozzi 12 Compiler Fuzzing: How Much Does It Matter?

  13. Bug Impact Measurement Methodology • Assumption: Restrict to publicly fixed bugs in open-source compilers , to extract Fixing Patch written by developers Buggy Compiler Source M. Marcozzi 12 Compiler Fuzzing: How Much Does It Matter?

  14. Bug Impact Measurement Methodology • Assumption: Restrict to publicly fixed bugs in open-source compilers , to extract Fixing Patch written by developers Fixed Compiler Source Buggy Compiler Source M. Marcozzi 12 Compiler Fuzzing: How Much Does It Matter?

  15. Bug Impact Measurement Methodology • Assumption: Restrict to publicly fixed bugs in open-source compilers , to extract Fixing Patch written by developers Fixed Compiler Source Buggy Compiler Source • Assumption: impact of miscompilation bug = ability to change semantics of real apps M. Marcozzi 12 Compiler Fuzzing: How Much Does It Matter?

  16. Bug Impact Measurement Methodology • Assumption: Restrict to publicly fixed bugs in open-source compilers , to extract Fixing Patch written by developers Fixed Compiler Source Buggy Compiler Source • Assumption: impact of miscompilation bug = ability to change semantics of real apps • We estimate the impact of the compiler bug over a real app in three stages : M. Marcozzi 12 Compiler Fuzzing: How Much Does It Matter?

  17. Bug Impact Measurement Methodology • Assumption: Restrict to publicly fixed bugs in open-source compilers , to extract Fixing Patch written by developers Fixed Compiler Source Buggy Compiler Source • Assumption: impact of miscompilation bug = ability to change semantics of real apps • We estimate the impact of the compiler bug over a real app in three stages : 1. Is the buggy compiler code reached and triggered during compilation? M. Marcozzi 12 Compiler Fuzzing: How Much Does It Matter?

  18. Bug Impact Measurement Methodology • Assumption: Restrict to publicly fixed bugs in open-source compilers , to extract Fixing Patch written by developers Fixed Compiler Source Buggy Compiler Source • Assumption: impact of miscompilation bug = ability to change semantics of real apps • We estimate the impact of the compiler bug over a real app in three stages : 1. Is the buggy compiler code reached and triggered during compilation? 2. How much does a triggered bug change the binary code? M. Marcozzi 12 Compiler Fuzzing: How Much Does It Matter?

  19. Bug Impact Measurement Methodology • Assumption: Restrict to publicly fixed bugs in open-source compilers , to extract Fixing Patch written by developers Fixed Compiler Source Buggy Compiler Source • Assumption: impact of miscompilation bug = ability to change semantics of real apps • We estimate the impact of the compiler bug over a real app in three stages : 1. Is the buggy compiler code reached and triggered during compilation? 2. How much does a triggered bug change the binary code? 3. Can the binary changes lead to di ff erences in binary runtime behaviour? M. Marcozzi 12 Compiler Fuzzing: How Much Does It Matter?

  20. Stage 1: Compile-Time Analysis if (Not.isPowerOf2() if (Not.isPowerOf2()) && C->getValue().isPowerOf2() && Not != C->getValue()) /* Code transformation */ /* Code transformation */ fix for LLVM bug #26323 Buggy Compiler Source Fixed Compiler Source M. Marcozzi 13 Compiler Fuzzing: How Much Does It Matter?

  21. Stage 1: Compile-Time Analysis if (Not.isPowerOf2() if (Not.isPowerOf2()) && C->getValue().isPowerOf2() && Not != C->getValue()) /* Code transformation */ /* Code transformation */ fix for LLVM bug #26323 Buggy Compiler Source Fixed Compiler Source warn("Fixing patch reached!"); if (Not.isPowerOf2()) { if (!(C->getValue().isPowerOf2() && Not != C->getValue())) warn("Bug triggered!"); else /* Code transformation */ } Warning-Laden Compiler M. Marcozzi 13 Compiler Fuzzing: How Much Does It Matter?

  22. Stage 1: Compile-Time Analysis if (Not.isPowerOf2() if (Not.isPowerOf2()) && C->getValue().isPowerOf2() && Not != C->getValue()) /* Code transformation */ /* Code transformation */ fix for LLVM bug #26323 Buggy Compiler Source Fixed Compiler Source warn("Fixing patch reached!"); if (Not.isPowerOf2()) { C if (!(C->getValue().isPowerOf2() && Not != C->getValue())) C C warn("Bug triggered!"); else /* Code transformation */ } Warning-Laden Compiler M. Marcozzi 13 Compiler Fuzzing: How Much Does It Matter?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Compiler Fuzzing: How Much Does It Matter? ~ research published at the SPLASH19 OOPSLA

Compiler Fuzzing: How Much Does It Matter? ~ research published at the SPLASH19 OOPSLA

Sminaire VERIMAG Grenoble, 21/02/2020 Compiler Fuzzing: How Much Does It Matter? ~ research published at the SPLASH19 OOPSLA conference ~ *Michal Marcozzi 1 *Qiyi Tang 2 Alastair F. Donaldson 3,1 Cristian Cadar 1 * The presented experimental

894 views • 73 slides
Fuzzing the Solidity Compiler Bhargava Shastry @ibags Ethereum Foundation bshastry Fuzzcon

Fuzzing the Solidity Compiler Bhargava Shastry @ibags Ethereum Foundation bshastry Fuzzcon

Fuzzing the Solidity Compiler Bhargava Shastry @ibags Ethereum Foundation bshastry Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler 2 whoami Security engineer, Solidity team Semantic testing of Solidity compiler Find

441 views • 28 slides
Subject Matter Compiler-based code improvement techniques > Sometimes called

Subject Matter Compiler-based code improvement techniques > Sometimes called

C OMP 512 This is C OMP 512 Advanced Compiler Construction Subject Matter Compiler-based code improvement techniques > Sometimes called optimization Analysis required to support them > No vector or multiprocessor

438 views • 20 slides
Chapter Front matter Course Script INF 5110: Compiler con- struction INF5110, spring 2019

Chapter Front matter Course Script INF 5110: Compiler con- struction INF5110, spring 2019

1 Front matter 1 Chapter Front matter Course Script INF 5110: Compiler con- struction INF5110, spring 2019 Martin Steffen Contents ii Contents 1 Front matter 1 2 Main matter 1 3 Grammars 2 3.1 Targets . . . . . . . . . . . . .

688 views • 34 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Co Compiler er Fuzzi zzing: g: Ho How Much Does It Matter? Michal Marcozzi, Qiyi Tang,

Co Compiler er Fuzzi zzing: g: Ho How Much Does It Matter? Michal Marcozzi, Qiyi Tang,

Co Compiler er Fuzzi zzing: g: Ho How Much Does It Matter? Michal Marcozzi, Qiyi Tang, Cristian Cadar, Alastair Donaldson 10th South of England Regional Programming Language Seminar (S-REPLS 10) Bi Birk rkbeck, , Un University of of

317 views • 11 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&D firstname dot lastname at orange-ftgroup dot com research & development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
What is fuzzing? A kind of random testing Goal : make sure certain bad things dont

What is fuzzing? A kind of random testing Goal : make sure certain bad things dont

What is fuzzing? A kind of random testing Goal : make sure certain bad things dont happen, no matter what ! Crashes, thrown exceptions, non-termination ! All of these things can be the foundation of security vulnerabilities

1.57k views • 14 slides
11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must perform two major tasks Sourc rce Progra ram Tokens Syntactic Semantic Scanner Parser Structure re Routines (Chara racter r St Stre

690 views • 22 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Industrial Applications of Aerodynamic Shape Optimization Antony Jameson John C. Vassberg

Industrial Applications of Aerodynamic Shape Optimization Antony Jameson John C. Vassberg

Industrial Applications of Aerodynamic Shape Optimization Antony Jameson John C. Vassberg Boeing Technical Fellow T. V. Jones Professor of Engineering Advanced Concepts Design Center Dept. of Aeronautics & Astronautics Boeing Commercial

979 views • 73 slides
Raspberry Pi history, tips and use case EVENT NAME FOSDEM 2019@Ulb solbosch campus brussels

Raspberry Pi history, tips and use case EVENT NAME FOSDEM 2019@Ulb solbosch campus brussels

Raspberry Pi history, tips and use case EVENT NAME FOSDEM 2019@Ulb solbosch campus brussels belgium EVENT ORGANIZE FEB 3 RD IN 2019 JAPANESE RASPBERRY PI USERS GROUP DATE MASAFUMI OHTA FOUNDER AND REP. JAPANESE RASPBERRY PI USERS GROUP

869 views • 50 slides
An Aquatic Humic Structure Hydroxy Acid OH COOH From Thurman, 1985 HO COOH COOH

An Aquatic Humic Structure Hydroxy Acid OH COOH From Thurman, 1985 HO COOH COOH

CEE 680 Lecture #18 2/24/2020 Print version Updated: 24 February 2020 Lecture #18 Dissolved Carbon Dioxide: Introduction (Stumm & Morgan, Chapt.4 ) Benjamin; Chapter 5.4 & 7 David Reckhow CEE 680 #18 1 An Aquatic Humic

365 views • 7 slides
Virtual Leadership Program 2016 June 18 Agenda 10:00 Welcome and explanation of the day: Cindy

Virtual Leadership Program 2016 June 18 Agenda 10:00 Welcome and explanation of the day: Cindy

Virtual Leadership Program 2016 June 18 Agenda 10:00 Welcome and explanation of the day: Cindy Pao Welcome: Chris Lyons 10:30 The Basics of Running a Community: Emily Alfson 11:00 Financial Responsibilities: Jane Wilson 11:30 Tools for

349 views • 8 slides
Bugzilla, Bug-squad and GNOME3 Presented By Akhil Laddha 1 Agenda About me Bugzilla Bug

Bugzilla, Bug-squad and GNOME3 Presented By Akhil Laddha 1 Agenda About me Bugzilla Bug

Bugzilla, Bug-squad and GNOME3 Presented By Akhil Laddha 1 Agenda About me Bugzilla Bug triaging : In and Out Bugzilla Statistics GNOME3 contribution Q & A 2 Who am I ? Bug Master Evolution QA mailto: lakhil@gnome.org IRC nick :

477 views • 26 slides
Testing Basic Concepts Some important terms Bug : Error in a program. (Always expect

Testing Basic Concepts Some important terms Bug : Error in a program. (Always expect

Module 8 Testing Basic Concepts Some important terms Bug : Error in a program. (Always expect them!) Debugging : Process of finding & removing bugs Testing : Process of analyzing & running a program Testing is a common

922 views • 35 slides
Outline Intro to RL and Bayesian Learning History of Bayesian RL Model-based Bayesian

Outline Intro to RL and Bayesian Learning History of Bayesian RL Model-based Bayesian

Outline Intro to RL and Bayesian Learning History of Bayesian RL Model-based Bayesian RL Prior knowledge, policy optimization, discussion, Bayesian approaches for other RL variants Model-free Bayesian RL Gaussian

1.23k views • 63 slides
Automated Program Repair Opportunities, Challenges, Advances Chris Timperley 1 About me...

Automated Program Repair Opportunities, Challenges, Advances Chris Timperley 1 About me...

Automated Program Repair Opportunities, Challenges, Advances Chris Timperley 1 About me... Research Interests: Postdoc Carnegie Mellon University, USA Automated Program Repair w/ Claire Le Goues Fault Localisation GI for

676 views • 39 slides

More recommend