cs412 software security
play

CS412 Software Security Program Testing Fuzzing Mathias Payer - PowerPoint PPT Presentation

Nov 15, 2022 •256 likes •657 views

CS412 Software Security Program Testing Fuzzing Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Why testing? Testing is the process of executing a program to find errors. An error is a deviation between observed

  1. CS412 Software Security Program Testing – Fuzzing Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security

  2. Why testing? Testing is the process of executing a program to find errors. An error is a deviation between observed behavior and specified behavior, i.e., a violation of the underlying specification: Functional requirements (features a, b, c) Operational requirements (performance, usability) Security requirements? Mathias Payer CS412 Software Security

  3. Forms of testing Manual testing Fuzz testing Symbolic and concolic testing Mathias Payer CS412 Software Security

  4. Manual testing Three levels of testing: Unit testing (individual modules) Integration testing (interaction between modules) System testing (full application testing) Mathias Payer CS412 Software Security

  5. Manual testing strategies Exhaustive: cover all input; not feasible due to massive state space Functional: cover all requirements; depends on specification Random: automate test generation (but incomplete) Structural: cover all code; works for unit testing Mathias Payer CS412 Software Security

  6. Testing example How do you decide when you have tested a function “enough”? double doFun(double a, double b, double c) { if (a == 23.0 && b == 42.0) { return a * b / c; } return a * b * c; } Mathias Payer CS412 Software Security

  7. Testing example How do you decide when you have tested a function “enough”? double doFun(double a, double b, double c) { if (a == 23.0 && b == 42.0) { return a * b / c; } return a * b * c; } Fails for a == 23.0 && b == 42.0 && c == 0.0 . Mathias Payer CS412 Software Security

  8. Testing approaches double doFun(double a, double b, double c) Exhaustive: 2ˆ{64}ˆ3 tests Functional: generate test cases for true/false branch, ineffective for errors in specification or coding errors Random: probabilistically draw a , b , c from value pool Structural: aim for full code coverage , generate test cases for all paths Mathias Payer CS412 Software Security

  9. Coverage as completeness metric Intuition: A software flaw is only detected if the flawed statement is executed. Effectiveness of test suite therefore depends on how many statements are executed. Mathias Payer CS412 Software Security

  10. Is statement coverage enough? int func(int elem, int *inp, int len) { int ret = -1; for (int i = 0; i <= len; ++i) { if (inp[i] == elem) { ret = i; break ; } } return ret; } Test input: elem = 2, inp = [1, 2], len = 2 . Full statement coverage. Mathias Payer CS412 Software Security

  11. Is statement coverage enough? int func(int elem, int *inp, int len) { int ret = -1; for (int i = 0; i <= len; ++i) { if (inp[i] == elem) { ret = i; break ; } } return ret; } Test input: elem = 2, inp = [1, 2], len = 2 . Full statement coverage. Loop is never executed to termination, where out of bounds access happens. Statement coverage does not imply full coverage. Today’s standard is branch coverage, which would satisfy the backward edge from i <= len to the end of the loop. Full branch coverage implies full statement coverage. Mathias Payer CS412 Software Security

  12. Is branch coverage enough? int arr[5] = { 0, 1, 2, 3, 4}; int func(int a, int b) { int idx = 4; if (a < 5) idx -= 4; else idx -= 1; if (b < 5) idx -= 1; else idx += 1; return arr[idx]; } Test inputs: a = 5, b = 1 and a = 1, b = 5 . Full branch coverage. Mathias Payer CS412 Software Security

  13. Is branch coverage enough? int arr[5] = { 0, 1, 2, 3, 4}; int func(int a, int b) { int idx = 4; if (a < 5) idx -= 4; else idx -= 1; if (b < 5) idx -= 1; else idx += 1; return arr[idx]; } Test inputs: a = 5, b = 1 and a = 1, b = 5 . Full branch coverage. Not all paths through the function are executed: a = 1, b = 1 results in a bug when both statements are true at the same time. Full path coverage evaluates all possible paths but this can be expensive (path explosion due to each branch) or impossible for loops. Loop coverage (execute each loop 0, 1, n times), combined with branch coverage probabilistically covers state space. Mathias Payer CS412 Software Security

  14. How to measure code coverage? Several (many) tools exist: gcov: https://gcc.gnu.org/onlinedocs/gcc/Gcov.html SanitizerCoverage: https://clang.llvm.org/docs/ SourceBasedCodeCoverage.html Mathias Payer CS412 Software Security

  15. How to achieve full testing coverage? Idea: look at data flow. Track constraints of conditions, generate inputs for all possible constraints. Mathias Payer CS412 Software Security

  16. Testing completeness We now have a metric for testing completeness. How can we explore programs to maximize coverage? Mathias Payer CS412 Software Security

  17. Testing completeness We now have a metric for testing completeness. How can we explore programs to maximize coverage? Discuss: is coverage enough to find all bugs? Mathias Payer CS412 Software Security

  18. Fuzzing Fuzz testing (fuzzing) is an automated software testing technique. The fuzzing engine generates inputs based on some criteria: Random mutation Leveraging input structure Leveraging program structure The inputs are then run on the test program and, if it crashes, a crash report is generated. Mathias Payer CS412 Software Security

  19. Fuzzing effectiveness Fuzzing finds bugs effectively (CVEs) Proactive defense, part of testing Preparing offense, part of exploit development Mathias Payer CS412 Software Security

  20. Fuzz input generation Fuzzers generate new input based on generations or mutations. Generation-based input generation produces new input seeds in each round, independent from each other. Mutation-based input generation leverages existing inputs and modifies them based on feedback from previous rounds. Mathias Payer CS412 Software Security

  21. Fuzz input structure awareness Programs accept some form of input/output. Generally, the input/output is structured and follows some form of protocol. Dumb fuzzing is unaware of the underlying structure. Smart fuzzing is aware of the protocol and modifies the input accordingly. Example: a checksum at the end of the input. A dumb fuzzer will likely fail the checksum. Mathias Payer CS412 Software Security

  22. Fuzz program structure awareness The input is processed by the program, based on the program structure (and from the past executions), input can be adapted to trigger new conditions. White box fuzzing leverages semantic program analysis to mutate input Grey box leverages program instrumentation based on previous inputs Black box fuzzing is unaware of the program structure Mathias Payer CS412 Software Security

  23. Coverage-guided grey box fuzzing Figure 1: Mathias Payer CS412 Software Security

  24. American Fuzzy Lop AFL is the most well-known fuzzer currently AFL uses grey-box instrumentation to track branch coverage and mutate fuzzing seeds based on previous branch coverage The branch coverage tracks the last two executed basic blocks New coverage is detected on the history of the last two branches: cur XOR prev>>1 AFL: http://lcamtuf.coredump.cx/afl/ Mathias Payer CS412 Software Security

  25. Fuzzer challenges: coverage wall After certain iterations the fuzzer no longer makes progress Hard to satisfy checks Chains of checks Leaps in input changes Mathias Payer CS412 Software Security

  26. Fuzzer challenges: coverage wall Figure 2: Mathias Payer CS412 Software Security

  27. Symbolic execution Reason about program behavior through “execution” with symbolic values Concrete values (input) replaced with symbolic values Can have any value (think variable x instead of value 0x15 ) Track all possible execution paths at once Operations (read, write, arithmetic) become constraint collection Allows unknown symbolic variables in evaluation Execution paths that depend on symbolic variables fork Mathias Payer CS412 Software Security

  28. Symbolic execution: example void func(int a, int b, int c) { int x = 0, y = 0, z = 0; if (a) x = -2; if (b < 5) { if (!a && c) y = 1; z = 2; } assert(x + y + z != 3); } Mathias Payer CS412 Software Security

  29. Symbolic execution: example Figure 3: Mathias Payer CS412 Software Security

  30. Symbolic paths Path condition: quantifier-free formula over symbolic inputs that encodes all branch decisions (so far). Determine whether the path is feasible: check if path condition is satisfiable. SMT solver provides satisfying assignment, counter example, or timeout. Mathias Payer CS412 Software Security

  31. Challenges for symbolic execution Loops and recursion result in infinite execution traces Path explosion (each branch doubles the number of paths) Environment modeling (system calls are complex) Symbolic data (symbolic arrays and symbolic indices) Mathias Payer CS412 Software Security

  32. Concolic testing Idea: mix concrete and symbolic execution Record actual execution Symbolically execute near recorded trace Negate one condition, generate new input, repeat Mathias Payer CS412 Software Security

  33. KLEE KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs, Cadar et al., OSDI’08 Large scale symbolic execution tool Leverages LLVM to compile programs Abstracts environment Many different search strategies Mathias Payer CS412 Software Security

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS412 Software Security Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Model for Control-Flow Hijack Attacks Figure 1 Mathias Payer CS412 Software Security Widely-adopted defense mechanisms Hundreds of

1.34k views • 57 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
CS412 Software Security Security Policies Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Security Policies Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Security Policies Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Security Policies A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. A policy is a

532 views • 41 slides
CS412 Software Security Basic Principles Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Basic Principles Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Basic Principles Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software Security Allow intended use of software, prevent unintended use that may cause harm. Mathias Payer CS412 Software

735 views • 36 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
CS412 Software Security Advanced Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Advanced Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Advanced Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Model for Control-Flow Hijack Attacks Figure 1: Mathias Payer CS412 Software Security Advanced mitigations Stack integrity

298 views • 26 slides
CS412 Software Security Mobile Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mobile Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mobile Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Mobile computing You are tasked in developing a mobile computing system. What features do you need? How do you ensure device

383 views • 24 slides
CS412 Software Security Attack Vectors Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Attack Vectors Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Attack Vectors Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Exploitation: Disclaimer This section introduces software exploitation We will discuss both basic and advanced exploitation

831 views • 48 slides
CS412 Software Security Reverse Engineering Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Reverse Engineering Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Reverse Engineering Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Basics: encodings Code is data is code is data Learn to read hex numbers: 0x38 == 0011'1000 Python: hex(int('00111000', 2))

696 views • 54 slides
CS412 Software Security Software Bugs Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Software Bugs Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Software Bugs Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security From Software Bugs to Attack Primitives Attack primitives are exploit building blocks Software bugs map to attack primitives , i.e.,

512 views • 23 slides
CS412 Software Security Program Testing Sanitization Mathias Payer EPFL, Spring 2019

CS412 Software Security Program Testing Sanitization Mathias Payer EPFL, Spring 2019

CS412 Software Security Program Testing Sanitization Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Why testing? Testing is the process of executing a program to find errors. An error is a deviation between

503 views • 28 slides
deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
The heart of the matter GODS ANATOMY OF OUR HEARTS THE HEARTACCORDING TO THE BIBLE Our

The heart of the matter GODS ANATOMY OF OUR HEARTS THE HEARTACCORDING TO THE BIBLE Our

Argyle Sermon Series Autumn 2018 The heart of the matter GODS ANATOMY OF OUR HEARTS THE HEARTACCORDING TO THE BIBLE Our hidden, innermost self, where our deepest hopes, desires, commitments and loves are found. 8 of 13 The written-on

426 views • 24 slides
Judges Blue Bible pg 254 Judges Blue Bible pg 254 In the days when the judges ruled there

Judges Blue Bible pg 254 Judges Blue Bible pg 254 In the days when the judges ruled there

Judges Blue Bible pg 254 Judges Blue Bible pg 254 In the days when the judges ruled there was a famine in the land Ruth 1:1 Dickens, A Tale of Two Cities It was the best of times, it was the worst of times, it was the age

646 views • 39 slides
The Bible is Our Map By Wayne Herman Overview of Maps Maps always reflect a particular

The Bible is Our Map By Wayne Herman Overview of Maps Maps always reflect a particular

The Bible is Our Map By Wayne Herman Overview of Maps Maps always reflect a particular perspective Maps serve multiple purposes Showing us where we are Identifying boundaries Identifying political spheres of authority

595 views • 13 slides
(Date of Composition: by 1406 BC) Moses: There is no clear statement in any book of the Pentateuch

(Date of Composition: by 1406 BC) Moses: There is no clear statement in any book of the Pentateuch

(Date of Composition: by 1406 BC) Moses: There is no clear statement in any book of the Pentateuch indicating that Moses wrote all 5 of these books. However, this is far from the end of the story. Deuteronomy 31:9 says that Moses wrote this

472 views • 29 slides
Final Exam Tuesday December 10, 9-12am Closed book exam Cover Chapters 1-6 of the

Final Exam Tuesday December 10, 9-12am Closed book exam Cover Chapters 1-6 of the

Final Exam Tuesday December 10, 9-12am Closed book exam Cover Chapters 1-6 of the textbook. Might also include a question on quantifier rank or the Ehrenfeucht-Fra ss e game (see Oct 29 slides). Greater focus on Chapter 3.3

619 views • 35 slides
What We Did Not Cover COMPSCI 371D Machine Learning COMPSCI 371D Machine Learning What

What We Did Not Cover COMPSCI 371D Machine Learning COMPSCI 371D Machine Learning What

What We Did Not Cover COMPSCI 371D Machine Learning COMPSCI 371D Machine Learning What We Did Not Cover 1 / 9 What We Did Not Cover 1 Much More Detail 2 Statistical Machine Learning 3 Other Supervised Techniques 4 Reducing the Burden of

230 views • 9 slides
Graph Coloring Independent Set and Coloring k -Coloring : 3-Coloring IndependentSet Instance:

Graph Coloring Independent Set and Coloring k -Coloring : 3-Coloring IndependentSet Instance:

CS500 CS500 Graph Coloring Independent Set and Coloring k -Coloring : 3-Coloring IndependentSet Instance: A graph G . Question: Can the vertices of G be colored with k colors such that no two vertices of the same color are adjacent? (Note

226 views • 4 slides
Preliminary Calculations of CPA Properties of G10 Ultimate stress 32000 psi ultimate psi

Preliminary Calculations of CPA Properties of G10 Ultimate stress 32000 psi ultimate psi

Preliminary Calculations of CPA Properties of G10 Ultimate stress 32000 psi ultimate psi kg kg Density 1800 G10 m 3 Modulus 19.1 GPa E G10 GPa 9.6 10 6 cm cm Coefficient of thermal expansion

167 views • 5 slides

More recommend