expanding the reach of fuzzing
play

Expanding the Reach of Fuzzing Caroline Lemieux September 8 th , - PowerPoint PPT Presentation

May 21, 2023 •444 likes •1.35k views

Expanding the Reach of Fuzzing Caroline Lemieux September 8 th , 2020 Fuzzcon Europe Coverage-Guided Fuzzing Greybox, Mutational seeds Input Input Input Input Initial Input pick mutate Input execute Input Input Input n save

  1. Expanding the Reach of Fuzzing Caroline Lemieux September 8 th , 2020 Fuzzcon Europe

  2. Coverage-Guided Fuzzing Greybox, Mutational seeds Input Input Input Input Initial Input pick mutate Input execute Input Input Input n ’ save Execution Execution Feedback Execution Input 2 ’ Interesting Feedback? Feedback Execution Feedback Input n ’ Feedback n 1 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  3. Coverage-Guided Fuzzing Can we modify CGF tools for: Greybox, Mutational seeds Different Bugs Input Input Input Input Initial Input pick mutate Input execute Input Input Input n ’ Deeper Exploration save Execution Execution Feedback Execution Input 2 ’ Interesting Feedback? Feedback Execution Feedback Input n ’ Feedback n 2 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  4. Different Bugs Deeper Exploration 3 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  5. Pe PerfFuzz https://github.com/carolemieux/perffuzz Fu FuzzF zzFactor ory https://github.com/rohanpadhye/FuzzFactory Deeper Exploration 4 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  6. Nobody Expects Performance Problems 5 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  7. Alleviating Performance Problems DEV DE Pathological Input Profiling Tool 6 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  8. Alleviating Performance Problems DEV DE Pathological Input Profiling Tool 7 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  9. PerfFuzz Goal Automatically generate pathological inputs DEV DE Pathological Input Profiling Tool 8 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  10. Can We Use Coverage-Guided Fuzzing? seeds Input Input Input Input Initial Input pick mutate Input execute Input Input Input n ’ save Execution Execution Feedback Execution Input 2 ’ Interesting Feedback? Feedback Execution Feedback Input n ’ Feedback n Input executes for longer? Execution time of input 9 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  11. Can We Use Coverage-Guided Fuzzing? seeds Input Input ✗ Input Input Initial Input pick mutate Input execute Input Input Input n ’ Too coarsed-grained! save Execution Execution Feedback Execution Input 2 ’ Interesting Feedback? Feedback Execution Feedback Input n ’ Feedback n Input executes for longer? Execution time of input 10 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  12. Can We Use Coverage-Guided Fuzzing? seeds Input Input Input Input Initial Input pick mutate Input execute Input Input Input n ’ save Execution Execution Feedback Execution Input 2 ’ Interesting Feedback? Feedback Execution Feedback Input n ’ Feedback n 11 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  13. PerfFuzz seeds Input Input Input Input Initial Input pick mutate Input execute Input Input Input n ’ save Ed Edge # # Hits Ed Edge # # Hits Ed Edge # Hits # Edge Ed # Hits # Input 2 ’ Interesting Feedback? Input n ’ ... ... ... ... ... ... ... ... 12 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  14. PerfFuzz seeds Input Input Input Input Initial Input pick mutate Input execute Input Input Input n ’ save Ed Edge # # Hits Ed Edge # # Hits Maximizes # hits Edge Ed # Hits # for some edge? Edge Ed # Hits # Input 2 ’ Input n ’ ... ... ... ... ... ... ... ... 13 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  15. PerfFuzz pick input seeds maximizing # hits for Input Input Input Input Initial some edge Input mutate Input execute Input Input Input n ’ save Edge Ed # # Hits Edge Ed # Hits # Maximizes # hits Edge Ed # # Hits for some edge? Ed Edge # # Hits Input 2 ’ Input n ’ ... ... ... ... ... ... ... ... 14 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  16. PerfFuzz: Algorithmic Complexity • Maximum path length for varying input sizes Insertion Sort PCRE URL regex Word Frequency 500 3erI)uzz 3erI)uzz 3erI)uzz 0axLPuP 3ath Length 0axLPuP 3ath Length 0axLPuP 3ath Length 300k 6low)uzz 6low)uzz 6low)uzz 3000 400 300 200k 2000 200 1000 100k 100 0 10 20 30 40 50 60 10 20 30 40 50 60 10 20 30 40 50 60 0ax InSut Length (bytes) 0ax InSut Length (bytes) 0ax InSut Length (bytes) 15 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  17. PerfFuzz: Algorithmic Complexity • Maximum path length for varying input sizes All hash collisions Insertion Sort PCRE URL regex Word Frequency 500 3erI)uzz 3erI)uzz 3erI)uzz 0axLPuP 3ath Length 0axLPuP 3ath Length 0axLPuP 3ath Length 300k 6low)uzz 6low)uzz 6low)uzz ? 3000 400 300 200k 2000 200 1000 Many short words 100k 100 0 10 20 30 40 50 60 10 20 30 40 50 60 10 20 30 40 50 60 0ax InSut Length (bytes) 0ax InSut Length (bytes) 0ax InSut Length (bytes) 16 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  18. PerfFuzz pick input seeds maximizing https://github.com/carolemieux/perffuzz # hits for Input Input Input Input Initial some edge Input mutate Input execute Input Input Input n ’ Built on top of AFL • Comes with afl-showmax tool to • identify bad inputs save Edge Ed # Hits # Ed Edge # # Hits Maximizes # hits Requires building with afl-clang- • Ed Edge # Hits # for some edge? Edge Ed # # Hits Input 2 ’ Input n ’ fast ... ... ... ... ... ... ... ... 17 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  19. PerfFuzz pick input seeds maximizing # hits for Input Input Input Input Initial some edge Input mutate Input execute Input Input Input n ’ save Edge Ed # # Hits Edge Ed # Hits # Maximizes # hits Edge Ed # # Hits for some edge? Ed Edge # # Hits Input 2 ’ Input n ’ ... ... ... ... ... ... ... ... 18 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  20. Observation: Algorithm is More General pick input seeds maximizing # hits for Input Input Input Input Initial some edge Input mutate Input execute Input Input Input n ’ save Edge Ed # # Hits Edge Ed # Hits # Maximizes # hits Edge Ed # # Hits for some edge? Ed Edge # # Hits Input 2 ’ Input n ’ ... ... ... ... ... ... ... ... 19 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  21. Observation: Algorithm is More General pick input seeds maximizing value for va Input Input Input Input Initial some ke key Input mutate Input execute Input Input Input n ’ save Ke Key Value Va Ke Key Va Value Maximizes va value Ke Key Va Value for some ke key ? Key Ke Va Value Input 2 ’ Input n ’ ... ... ... ... ... ... ... ... 20 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  22. What Other Problems Can We Solve? Ke Key Va Value ... ... ... ... ... ... ... ... 21 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  23. What Other Problems Can We Solve? e.g. finding memory-allocation maximizing inputs Ke Key Va Value ... ... Memory Allocation Location: Cumulative amount of memory ... ... allocated Line 247: x = malloc(…); ... ... ... ... 22 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  24. What Other Problems Can We Solve? e.g. going through “hard” comparisons Ke Key Va Value ... ... “Hard” Comparison Location: ... ... Number of bits matched if ( x == 0xBAD0CAFE) ... ... ... ... 23 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  25. Observation: Algorithm is More General pick input seeds maximizing value for va Input Input Input Input Initial some ke key Input mutate Input execute Input Input Input n ’ save Ke Key Value Va Ke Key Va Value Maximizes va value Ke Key Va Value for some ke key ? Key Ke Va Value Input 2 ’ Input n ’ ... ... ... ... ... ... ... ... 24 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  26. FuzzFactory pick input seeds maximizing value for va Input Input Input Input Initial some ke key Input mutate Input execute Input Input Input n ’ save Ke Key Value Va Ke Key Va Value Maximizes va value Ke Key Va Value for some ke key ? Key Ke Va Value Input 2 ’ Input n ’ ... ... ... ... ... ... ... ... 25 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

  27. FuzzFactory, Step 1: Generalize Algorithm pick input with newest seeds aggregate va value for Input Input Input Input Initial some ke key Input mutate Input execute Input Input Input n ’ save Key Ke Value Va Ke Key Va Value New aggregate va value Ke Key Va Value for some ke key Key Ke Va Value Input 2 ’ Input n ’ ... ... ... ... ... ... ... ... 26 9/10/20 Caroline Lemieux -- Expanding the Reach of Fuzzing @ FuzzCon Europe

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Expanding the Reach of Practice Facilitation Lessons learned from inter-organizational

Expanding the Reach of Practice Facilitation Lessons learned from inter-organizational

Expanding the Reach of Practice Facilitation Lessons learned from inter-organizational collaboration Suzanne Herzberg, Megan Fallon, Susanne Campbell, Jayne Daylor, PhD, OTR/L, PCMH CCE MS, RD MS, RN, PCMH CCE MS, RN Director and Practice

548 views • 18 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&D firstname dot lastname at orange-ftgroup dot com research & development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction Fuzzing Media Content in Android Data Generation Fuzzing the Stagefright Framework Logging & Triage Mechanisms 2 Introduction Fuzzing

1.12k views • 38 slides
NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein, Junfeng Yang, Baishakhi Ray, and Suman Jana Columbia University 1 Fuzzing: a popular way to uncover bugs [Liang et al. 2019] 2 Evolutionary Fuzzing

1.02k views • 26 slides
ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma background What is fuzzing: feed random inputs to trigger as many crashes and hangs as possible What is state-of-the-art of fuzzing research:

494 views • 18 slides
FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim * 1 Fuzzing Discovers Many Vulnerabilities 2 Fuzzing Discovers Many Vulnerabilities 3 Testers Find Bugs with Fuzzing

1.13k views • 65 slides
No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk Fuzzing binaries is hard! Few tools, complex setup Fuzzing binaries in the kernel is even harder! New approach based on static rewriting High

488 views • 46 slides
Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li, Bihuan Chen, Xiaofei Xie, Xiuheng Wu, Yang Liu October 18, 2018 1 Mutation Based Grey-box Fuzzing General-purpose Grey-box Fuzzing: Cover more

476 views • 33 slides
How Impact is Changing Research Caroline Fiennes www.giving-evidence.com

How Impact is Changing Research Caroline Fiennes www.giving-evidence.com

How Impact is Changing Research Caroline Fiennes www.giving-evidence.com caroline.fiennes@giving-evidence.com Twitter: @carolinefiennes 1 Giving Evidence, www.giving-evidence.com www.twitter.com/carolinefiennes What my work has got to do

530 views • 38 slides
Detec&ng Jupiter Analogues Caroline Caldwell

Detec&ng Jupiter Analogues Caroline Caldwell

Detec&ng Jupiter Analogues Caroline Caldwell University of Texas at Aus&n Collaborators:

425 views • 13 slides
Annual Performance Report (APR) Training: Using Sage to Complete your APR CoC and Recipient

Annual Performance Report (APR) Training: Using Sage to Complete your APR CoC and Recipient

Annual Performance Report (APR) Training: Using Sage to Complete your APR CoC and Recipient Training April 18 and 19, 2017 Logistics for Presentation Due to the high number of registrants, the phone lines are muted Please submit

146 views • 14 slides
Linux - a quick Introduction Caroline Sporleder & Ines Rehbein WS 09/10 Sporleder &

Linux - a quick Introduction Caroline Sporleder & Ines Rehbein WS 09/10 Sporleder &

Linux - a quick Introduction Caroline Sporleder & Ines Rehbein WS 09/10 Sporleder & Rehbein (WS 09/10) Linux - Introduction November 2009 1 / 19 What is a shell? Interface between the user and the system Command language interpreter

433 views • 19 slides
Out with Old EdTech and in With the New: Learning Relationship Management (LRM) Platforms

Out with Old EdTech and in With the New: Learning Relationship Management (LRM) Platforms

Out with Old EdTech and in With the New: Learning Relationship Management (LRM) Platforms October 22, 2015 The webcast will begin at the top of the hour. There is no audio being broadcast at this time. If you need assistance, contact

471 views • 34 slides
Research Software Engineering Fellow of the Software Sustainability Institute EPSRC RSE

Research Software Engineering Fellow of the Software Sustainability Institute EPSRC RSE

Robert Haines University of Manchester Computer Science Software Engineering Research Software Engineering Fellow of the Software Sustainability Institute EPSRC RSE Network Co-I UKRSE executive I am not a researcher

409 views • 3 slides
Security mini-panel e-ISCA 1:45p EDT June 1, 2020 Panelists Chris Fletcher Caroline Trippel

Security mini-panel e-ISCA 1:45p EDT June 1, 2020 Panelists Chris Fletcher Caroline Trippel

Security mini-panel e-ISCA 1:45p EDT June 1, 2020 Panelists Chris Fletcher Caroline Trippel Assistant Professor, UIUC Assistant Professor, Stanford Ed Suh Frank Mckeen Professor, Cornell Security/Computer Architect, Intel Panel format

560 views • 6 slides
An Update on the Bamberg CS30 Strategy Encouraging female students since 2005 Prof. Dr. Ute

An Update on the Bamberg CS30 Strategy Encouraging female students since 2005 Prof. Dr. Ute

An Update on the Bamberg CS30 Strategy Encouraging female students since 2005 Prof. Dr. Ute Schmid, Prof. Dr. Daniela Nicklas, Caroline E. Oehlhorn WIRE Workshop 2019 | Caroline E. Oehlhorn | University of Bamberg, WIAI p. 1 Who we are Prof.

477 views • 12 slides

More recommend