driller augmenting fuzzing through symbolic execution
play

Driller: Augmenting Fuzzing through Symbolic Execution Nick Stephens - PowerPoint PPT Presentation

Nov 14, 2022 •785 likes •1.15k views

Driller: Augmenting Fuzzing through Symbolic Execution Nick Stephens , John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, Giovanni Vigna Motivation - Large number of memory

  1. Driller: Augmenting Fuzzing through Symbolic Execution Nick Stephens , John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, Giovanni Vigna

  2. Motivation - Large number of memory corruption bugs - Problems with testcase generation techniques - Fuzzing - Symbolic Execution

  3. Fuzzing

  4. x = int(input()) if x > 10: if x < 100: Let's fuzz it! print "You win!" else: print "You lose!" 1 ⇒ "You lose!" else: print "You lose!" 593 ⇒ "You lose!" 183 ⇒ "You lose!" 4 ⇒ "You lose!" 498 ⇒ "You lose!" 48 ⇒ "You win!" 4

  5. Catching Bugs - Monitors program for crashes

  6. x = int(input()) Let's fuzz it! if x > 10: if x^2 == 152399025: print "You win!" else: 1 ⇒ "You lose!" print "You lose!" else: 593 ⇒ "You lose!" print "You lose!" 183 ⇒ "You lose!" 4 ⇒ "You lose!" 498 ⇒ "You lose!" 42 ⇒ "You lose!" 3 ⇒ "You lose!" ……… . 57 ⇒ "You lose!" 6

  7. Symbolic Execution

  8. ??? x = input() if x >= 10: if x % 1337 == 0: print "You win!" x < 10 x >= 10 else: print "You lose!" else: x >= 10 x >= 10 print "You lose!" x % 1337 != 0 x % 1337 == 0

  9. ??? x = input() if x >= 10: if x % 1337 == 0: print "You win!" x < 10 x >= 10 else: print "You lose!" else: x >= 10 x >= 10 print "You lose!" x % 1337 != 0 x % 1337 == 0 1337

  10. Catching Bugs - Checks each state for safety violations - symbolic program counter - writes/reads from symbolic address

  11. x = input() def recurse(x, depth): if depth == 2000 return 0 else { r = 0; if x[depth] == “B” : r = 1 return r + recurse(x[depth], depth) ??? if recurse(x, 0) == 1: print “You win!” x[d] != “B” x[d] == “B”

  12. Different Approaches Fuzzing Symbolic Execution - Good at finding solutions - Good at finding solutions for general conditions for specific conditions - Spends too much time - Bad at finding solutions for iterating over general specific conditions conditions

  13. Fuzzing vs. Symbolic Execution x = int(input()) x = input() if x >= 10: if x^2 == 152399025: def recurse(x, depth): print "You win!" if depth == 2000 else: return 0 print "You lose!" else { else: r = 0; print "You lose!" if x[depth] == “B” : r = 1 return r + recurse(x [depth], depth) if recurse(x, 0) == 1: print “You win!” Fuzzing Wins Symbolic Execution Wins

  14. Symbolic Execution Fuzzing good at find solutions for good at finding solutions specific input for general input

  15. American Fuzzy Lop + angr AFL angr - state-of-the-art - binary analysis platform instrumented fuzzer - implements symbolic - path uniqueness tracking execution engine - genetic mutations - influenced by Mayhem - open source - works on binary code - available on github

  16. Combining the Two (High-level) Test Cases Control Flow Graph

  17. Combining the Two Test Cases “Cheap” fuzzing coverage “X” “Y” Control Flow Graph

  18. Combining the Two Reachable? Test Cases “Cheap” fuzzing coverage “X” ! “Y” Tracing via Symbolic Execution Control Flow Graph

  19. Combining the Two Synthesized! Test Cases “Cheap” fuzzing coverage “X” “Y” Tracing via Symbolic Execution “MAGIC” New test cases generated Control Flow Graph

  20. Towards completer code coverage! Combining the Two Test Cases “Cheap” fuzzing coverage “X” “Y” Tracing via Symbolic Execution “MAGIC” New test cases generated “MAGICY” Control Flow Graph

  21. AFL’s Path Selection - Tracks state-transitions on each program run - Basic Block A -> Basic Block B - Path uniqueness = Set of state-trans uniqueness - Input generation is still primitive mutations

  22. Improving Path Selection with angr Test Cases AFL strcmp(input, "MAGIC") input[0] == 'X' ... ... ...

  23. Improving Path Selection with angr Test Cases AFL “X” strcmp(input, "MAGIC") input[0] == 'X' ... ... ...

  24. Improving Path Selection with angr Test Cases AFL “X” strcmp(input, "MAGIC") “Y” input[0] == 'X' ... ... ...

  25. Improving Path Selection with angr Test Cases AFL “X” strcmp(input, "MAGIC") “Y” input[0] == 'X' ... “Z” ... ...

  26. Improving Path Selection with angr Test Cases AFL “X” strcmp(input, "MAGIC") “Y” input[0] == 'X' ... ... ...

  27. Improving Path Selection with angr Test Cases angr “X” strcmp(input, "MAGIC") ? “Y” input[0] == 'X' ... ... ...

  28. Improving Path Selection with angr Test Cases angr “X” strcmp(input, "MAGIC") “Y” input[0] == 'X' ... “MAGIC” New state transition, ... ... synthesize!

  29. Improving Path Selection with angr angr ... ... ... ... ... ... ... Continue following “X”’s original path until completion, deviating when possible.

  30. State Space Reduction - Symbolic Execution’s state-space is reduced to AFL’s - Reduces path explosion

  31. Symbolic Execution (angr) - 16 total Fuzzing (AFL) - 68 total 16 S & F Shared - 13 total 68 71 / 128 binaries Binary Crashes per Technique

  32. Symbolic Execution (angr) - 16 77 Fuzzing (AFL) - 68 16 S & F Shared - 13 total Driller - 77 55 68 77 / 128 binaries Binary Crashes per Technique

  33. Distribution of Transitions Found as Iterations of Symbolic Execution and Fuzzing symbolic execution fuzzing

  34. Limitations int main(void) { char data[100]; char *computed_hash; char hash[16]; read (0, data, sizeof data); computed_hash = hash (data); read (0, hash, sizeof hash); if ( memcmp (hash, computed_hash, 16) != 0) { // `data` processed here // code susceptible to fuzzing } } Fuzzing beyond the hash is still problematic!

  35. Conclusion - Driller is greater than the sum of its parts - Offers a >10% increase in crashes over pure AFL - Driller curbs path explosion

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs!

Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs!

1 Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs! including NSA code-breaking challenge! Please submit your working exploits for previous weeks! New recitations: Monday:

293 views • 28 slides
Automated Test Generation: A Journey from Symbolic Execution to Smart Fuzzing and Beyond Koushik

Automated Test Generation: A Journey from Symbolic Execution to Smart Fuzzing and Beyond Koushik

Automated Test Generation: A Journey from Symbolic Execution to Smart Fuzzing and Beyond Koushik Sen EECS Department University of California, Berkeley https://people.eecs.berkeley.edu/~ksen/ 1 Programs are still written by humans, and will

1.62k views • 134 slides
Badger : Complexity Analysis with Fuzzing and Symbolic Execution Yannic Noller Rody Kersten

Badger : Complexity Analysis with Fuzzing and Symbolic Execution Yannic Noller Rody Kersten

Badger : Complexity Analysis with Fuzzing and Symbolic Execution Yannic Noller Rody Kersten Corina S. Pasareanu yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 1 Problem Solution Example

403 views • 17 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng Xu (Georgia Tech) Finding Race Conditions in Kernels 1 July 16, 2020 The game of attack and defense Bug fi nding Exploitation Pro fi t Meng Xu

2.82k views • 173 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang and Taesoo Kim, FINDING SECURITY BUGS Fuzzing Automated test to monitor exceptions (crashes &amp; memory leaks)

417 views • 17 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Intro Concurrency Mutual Exclusion Condition Variables Reentrant Read / Write Locks CS 2112 Lab

Intro Concurrency Mutual Exclusion Condition Variables Reentrant Read / Write Locks CS 2112 Lab

Intro Concurrency Mutual Exclusion Condition Variables Reentrant Read / Write Locks CS 2112 Lab 11: Monitors Intro Concurrency Mutual Exclusion Condition Variables Reentrant Read / Write Locks CS 2112 Lab 11: Monitors November 18 / 20,

195 views • 16 slides
JUST THE MATHS SLIDES NUMBER 8.4 VECTORS 4 (Triple products) by A.J.Hobson 8.4.1 The

JUST THE MATHS SLIDES NUMBER 8.4 VECTORS 4 (Triple products) by A.J.Hobson 8.4.1 The

JUST THE MATHS SLIDES NUMBER 8.4 VECTORS 4 (Triple products) by A.J.Hobson 8.4.1 The triple scalar product 8.4.2 The triple vector product UNIT 8.4 - VECTORS 4 TRIPLE PRODUCTS 8.4.1 THE TRIPLE SCALAR PRODUCT DEFINITION 1 Given

375 views • 8 slides
Katalyst: Boosting Convex Katayusha for Non-Convex Problems with a Large Condition Number Zaiyi

Katalyst: Boosting Convex Katayusha for Non-Convex Problems with a Large Condition Number Zaiyi

Katalyst: Boosting Convex Katayusha for Non-Convex Problems with a Large Condition Number Zaiyi Chen, Yi Xu, Haoyuan Hu, Tianbao Yang zaiyi.czy@alibaba-inc.com 2019-06-10 Chen Z., et al. (CAINIAO.AI&amp;USTC&amp;UIowa) Katalyst 2019-06-10 1

559 views • 21 slides
Statement 27 February 2019 OSU CSE 1 BL Compiler Structure Code Tokenizer Parser Generator

Statement 27 February 2019 OSU CSE 1 BL Compiler Structure Code Tokenizer Parser Generator

Statement 27 February 2019 OSU CSE 1 BL Compiler Structure Code Tokenizer Parser Generator string of string of abstract string of characters tokens program integers (source code) (words) (object code) A BL program consists

756 views • 50 slides
Some sufficient condition for the ergodicity of the L evy transform Vilmos Prokaj E otv

Some sufficient condition for the ergodicity of the L evy transform Vilmos Prokaj E otv

Some sufficient condition for the ergodicity of the L evy transform Vilmos Prokaj E otv os Lor and University, Hungary Probability, Control and Finance A Conference in Honor of Ioannis Karatzas 2012, New York L evy

748 views • 56 slides
The condition number of a randomly perturbed matrix STOC 07 Terence Tao (UCLA) Van Vu

The condition number of a randomly perturbed matrix STOC 07 Terence Tao (UCLA) Van Vu

The condition number of a randomly perturbed matrix STOC 07 Terence Tao (UCLA) Van Vu (Rutgers) 1 Well-conditioned matrices Suppose one wants to solve the matrix equation Mx = b , where M is an n n matrix and the vector b is given. In

170 views • 15 slides
Office Orthopaedics: MSK or not MSK? That is the Question UCSF Orthopedics Primary Care Sports

Office Orthopaedics: MSK or not MSK? That is the Question UCSF Orthopedics Primary Care Sports

7/23/2015 Office Orthopaedics: MSK or not MSK? That is the Question UCSF Orthopedics Primary Care Sports Medicine Anthony Luke MD, MPH Essentials of Primary Care 2015 Disclosures Founder, RunSafe Founder &amp; CEO, SportZPeak Inc.

862 views • 28 slides

More recommend