finding vulnerabilities with fuzzing
play

Finding Vulnerabilities with Fuzzing Chao Zhang Tsinghua - PowerPoint PPT Presentation

Dec 15, 2023 •232 likes •1.23k views

Finding Vulnerabilities with Fuzzing Chao Zhang Tsinghua University http://netsec.ccert.edu.cn/chaoz/ About Me 2004-2008-2013 2013-2016 2016-present p Hack for fun software and system security Tencent

  1. 软件漏洞挖掘方法探索 Finding Vulnerabilities with Fuzzing Chao Zhang Tsinghua University http://netsec.ccert.edu.cn/chaoz/

  2. About Me 2004-2008-2013 2013-2016 2016-present è è p Hack for fun software and system security Tencent CSS TSec 2 nd Place, 300+ CVE p Automated vuln. discovery: p Automated exploit mitigation: Microsoft BlueHat Prize (Special Recognition Award) p Automated exploit generation: Tencent CSS TSec Breakthrough Prize (1 st place) DARPA CGC (1 st in defense 2015, 2 nd in offense 2016) p Automated attack & defense: DEFCON CTF (2 nd in 2016, 5 th in 2015 and 2017) p Manual hacking: p Goal: AlphaGo for software security. To better defend yourself, know your enemy first. --- Sun Tzu 2020/8/22 2

  3. Research Interests 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 3

  4. http://netsec.ccert.edu.cn/ 网络空间安全实验室 p 段海新教授,张超副教授,李琦副教授,诸葛建伟副研究员等 p 学术研究 p 研究方向:网络、系统、应用安全(AI、物联网、区块链) p 学术成果:国际四大安全会议论文数量名列前茅 p 实践应用:促进Google、微软、IETF等多次改进产品、协议标准安全性 p 组织发起 p InForSec网络安全研究国际学术论坛 p XCTF 国际网络安全技术对抗联赛 p “蓝莲花”“紫荆花”战队 4

  5. 没有什么能够阻挡 紫荆花 蓝莲花 没有什么能够阻挡 你对自由的向往 … … 如此的清澈高远 盛开着永不凋零 蓝莲花 欢迎热爱安全研究的同学们加入蓝莲花!(不限学校)

  6. 6 Vulnerability: Ghost in Cyberspace p Valuable assets, root causes of most security incidents 2020/8/22 http://netsec.ccert.edu.cn/chaoz/

  7. Hacking Practice: DEFCON CTF Global Blue-Lotus (coach) • • 2013 first time in DEFCON ; 2013 : ppp, men in black hats, raon_ASRT 2014 5 th place ; • • 2014 : ppp, hitcon, dragonsector, blue-lotus 2015 5 th place ; • • 2015 : defkor, ppp, 0daysober, hitcon, blue-lotus 2016 2 nd place ; (human vs. machine) • • 2016 : ppp, b1o0p, defkor, hitcon 2017 5 th place ; • • 2017 : ppp, hitcon, a*0*e, defkor, tea-deliverers 2018 6 th place • • 2018 : defkoroot, ppp, hitcon, a*0*e, sauercloud, tea-deliverers 7 2019 3 rd place • • 2019: ppp, hitcon, tea-deliverers

  8. DARPA Cyber Grand Challenge ( Automated Offense and Defense ) ( CodeJitsu Team Captain, CQE Defense #1 , CFE Offense #2 )

  9. Vulnerability Discovery p Code Review (10%?) p Static Analysis p Dynamic Analysis p Taint Analysis p Symbolic Execution p Model Checking p Fuzzing (80%?) 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 9

  10. Fuzzing p Goal: p Finding PoC samples that prove vulnerabilities p Solution: testing monitor Security Generator/ target how? inputs violation? Mutator program bugs p Find needle in the haystack 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 10

  11. A better strategy: Genetic Algorithm Target Application Test Select Mutate seed seed seed Track Testcases Seed Seed Security Report Tracking Crashes Potential Filter Initial Seed Vulnerabilities Inputs Pool Seeds p Iterative testing, keep GOOD seeds, report bugs 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 11

  12. A better strategy: Genetic Algorithm Target Instrument Application Cov. Security Algor. Sanitizers Test Select Mutate seed seed seed Track Testcases Seed Seed Security Report Tracking Crashes Coverage Tracking Potential Filter Initial Seed coverage Vulnerabilities Inputs Pool Seeds p GOOD: coverage increases p Bugs: sanitizers 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 12

  13. A pioneer tool: AFL Target Instrument Application Seed Seed Cov. Security Selection Mutation Optimizations Testing Algor. Sanitizers Policies Policies Env Test Select Mutate seed seed seed Track Testcases Seed Seed Security Report Tracking Crashes Coverage Filtering Seed Tracking Policies Generation Potential Filter Initial Seed coverage Vulnerabilities Inputs Pool Seeds • Evolving: filter out only GOOD samples contributing to code coverage • Scalable: mutation-based, few knowledge required • Fast: fork-server, persistent, parallel • Sensitive: support different sanitizers to catch security violations 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 13

  14. Our works Target Instrument Application MOpt (Sec19) Seed Seed Cov. Security Selection Mutation Optimizations Testing Algor. Sanitizers Policies Policies Env Test Select Mutate seed seed seed Track Testcases Seed Seed Security Report Tracking Crashes GreyOne (Sec20) Coverage Filtering Seed Tracking Policies Generation Potential Filter Initial Seed coverage Vulnerabilities Inputs Pool Seeds CollAFL (Oakland18) FANS (Sec20) HOTracer (Sec17) Vul Dist (ICSE20) 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 14

  15. Improvement 1: Coverage & Seed Selection 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 15

  16. IEEE S&P 2018 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 16

  17. Observations (1) p Collision in Coverage Tracking p “ The size of the map is chosen so that collisions are sporadic with almost all of the intended targets, which usually sport between 2k and 10k … ” -- from AFL’s description p AFL uses a 64KB bitmap to track edge coverage ; key: prev Code in BB1 ; key: cur hash = cur ⊕ (prev ≫ 1) bitmap[hash]++ Code in BB2 p Two edges may have a same hash p Discarding GOOD seeds p Discarding unique crashes p Providing inaccurate coverage info for fuzzing policies (e.g., seed selection) 17

  18. Observations (2) p Few seed selection policies aim at increasing the code coverage directly q E.g., AFLfast, VUzzer, AFLgo, QTEP, SlowFuzz p Coverage-first seed selection policies could reach higher code coverage faster. 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 18

  19. Our Solution: CollAFL Target Instrument Application Seed Seed Cov. Security Selection Mutation Optimizations Testing Algor. Sanitizers Policies Policies Env Test Select Mutate seed seed seed Track Testcases Seed Seed Security Report Tracking Crashes Coverage Filtering Seed Tracking Policies Generation Potential Filter Initial Seed coverage Vulnerabilities Inputs Pool Seeds p Mitigate collision in coverage tracking p Apply coverage-first seed selection policy 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 19

  20. RQ1: Eliminate hash collisions p AFL uses a 64KB bitmap to track edge coverage ; key: prev Code in BB1 ; key: cur hash = cur ⊕ (prev ≫ 1) bitmap[hash]++ Code in BB2 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 20

  21. Naïve solution: increase bitmap size 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 21

  22. Our solution: intuition p Replace the hash algorithm, without much performance loss ; key: prev code hash = cur ⊕ (prev ≫ 1) hash = (cur ≫ x) ⊕ (prev ≫ y) +z ; key: cur ; paras: x, y, z bitmap[hash]++ code p Each block could have different combination of parameters x,y,z p Search parameters x,y,z for all blocks one by one, to avoid collisions. p harder and harder to find parameters for remaining blocks. 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 22

  23. Our solution: in-a-nutshell p Search parameters x,y,z for multi-precedent blocks p Construct hash table for unsolvable multi-precedent blocks p Assign un-used hashes to single-precedent blocks 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 25

  24. Performance of Collision Mitigation The bitmap will be enlarged when the edge count is larger than bitmap size, otherwise collision is inevitable. Most BBs have only one precedent, saving hash computation and improving runtime performance. 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 26

  25. RQ2: Coverage-first seed selection p Prioritize seeds with more untouched branches code untouched Path explored code by a seed untouched code code touched p Mutations on these seeds are more likely to exercise those untouched branches, contributing to coverage. 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 27

  26. Evaluation: Code Coverage p 20% more paths over AFL With extra untouched-branch seed selection policy With collision mitigation only 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 28

  27. Evaluation: Crashes p 320% more unique crashes than AFL (CollAFL-br) average 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 29

  28. Evaluation: Vulnerabilities p 134 new bugs, 23 collided bugs, 95 CVE, 9 ACE 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 30

  29. Improvement 2: Seed Mutation & Tracking 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 31

  30. USENIX Security 2020 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 32

  31. p Where to mutate? p input[0:8] p How to mutate? p MAGICHDR p Seed prioritization p 1 byte match, vs. p 7 bytes match Data flow information is useful for fuzzing 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 33

  32. What types of data-flow features? p Taint attributes p Dependency between inputs and variables p Branch value conformance p Distance between branch condition operands p The higher conformance, the closer distance 2020/8/22 http://netsec.ccert.edu.cn/chaoz/ 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Her Special thanks Robert Haist, DCSO Victor Julien, lead developer suricata,

598 views • 29 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim * 1 Fuzzing Discovers Many Vulnerabilities 2 Fuzzing Discovers Many Vulnerabilities 3 Testers Find Bugs with Fuzzing

1.13k views • 65 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu *

Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu *

Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu * , Sanidhya Kashyap * , Jungyeon Yoon, Wen Xu, Taesoo Kim * On the job market Demonstration Fuzzing F2FS in Linux v5.0-rc7 for crash consistency

943 views • 75 slides
Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing

Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing

Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing antti.levomaki@forcepoint.com opi@forcepoint.com WHO? ANTTI LEVOMKI OLLI-PEKKA NIEMI Research Scientist Director of Research WHAT? NETWORK EVASIONS +

463 views • 18 slides
Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and

Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and

Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and Windows Servers About the presentation Whoami Introduction 0days and the rush for public vulnerabilities And Advanced fuzzing techniques

432 views • 31 slides
HotFuzz Discovering Algorithmic Denial-of-Service Vulnerabilities through Guided Micro-Fuzzing

HotFuzz Discovering Algorithmic Denial-of-Service Vulnerabilities through Guided Micro-Fuzzing

HotFuzz Discovering Algorithmic Denial-of-Service Vulnerabilities through Guided Micro-Fuzzing William Blair Andrea Mambretti Sajjad Arshad Michael Weissbacher Boston University Northeastern University Northeastern University Northeastern

172 views • 14 slides
Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee Insik Shin Korea Advanced Institute of Science and Technology Seoul National University Purdue

3.64k views • 23 slides
HIGH-DEF FUZZING EXPLORING VULNERABILITIES IN HDMI-CEC name = "Joshua Smith" job =

HIGH-DEF FUZZING EXPLORING VULNERABILITIES IN HDMI-CEC name = "Joshua Smith" job =

HIGH-DEF FUZZING EXPLORING VULNERABILITIES IN HDMI-CEC name = "Joshua Smith" job = "Senior Security Researcher" job += "HP Zero Day Initiative" irc = "kernelsmith" twit = "@kernelsmith"

577 views • 54 slides
QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang and Taesoo Kim, FINDING SECURITY BUGS Fuzzing Automated test to monitor exceptions (crashes & memory leaks)

417 views • 17 slides
Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng Xu (Georgia Tech) Finding Race Conditions in Kernels 1 July 16, 2020 The game of attack and defense Bug fi nding Exploitation Pro fi t Meng Xu

2.82k views • 173 slides
Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel

Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel

Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel Busch , Kalle Dirsch 2020-02-23 Friedrich-Alexander-University Erlangen-Nrnberg, Germany BAR20 BAR20 Motivation How secure are

352 views • 16 slides
The S2E Platform Finding vulnerabilities in Linux and Windows programs Vitaly Chipounov

The S2E Platform Finding vulnerabilities in Linux and Windows programs Vitaly Chipounov

The S2E Platform Finding vulnerabilities in Linux and Windows programs Vitaly Chipounov https://s2e.systems Ready-for-use docker image, demos, tutorials, source code, documentation Vitaly Chipounov Ph.D. in 2014 at EPFL, Switzerland

827 views • 57 slides
Fuzzing remote interfaces for system services in Android Alexandru Blanda Information Security

Fuzzing remote interfaces for system services in Android Alexandru Blanda Information Security

Fuzzing remote interfaces for system services in Android Alexandru Blanda Information Security Engineer 1 Agenda Context Fuzzing tool implementation Results and vulnerabilities 2 Context Intro to System Services System services

446 views • 31 slides
through Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee

through Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee

Razzer: Finding Kernel Race Bugs through Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee Insik Shin Korea Advanced Institute of Science and Technology Seoul National University Purdue

1.17k views • 47 slides
The Promises and Pitfalls of Hardware-Assisted Security Alexandra Dmitrienko

The Promises and Pitfalls of Hardware-Assisted Security Alexandra Dmitrienko

The Promises and Pitfalls of Hardware-Assisted Security Alexandra Dmitrienko Julius-Maximilians-Universitt Wrzburg alexandra.dmitrienko@uni-wuerzburg.de SEPTEMBER 9 13, 2019 CROSSING Summer School on Sustainable Security & Privacy

2.37k views • 187 slides
System Security System Security Aurlien Francillon francill@eurecom.fr Administrativa...

System Security System Security Aurlien Francillon francill@eurecom.fr Administrativa...

System Security System Security Aurlien Francillon francill@eurecom.fr Administrativa... Administrativa... About me Assistant professor at Eurecom since 2011 Doing security research Embedded systems (MCU, smart phones,...)

1.21k views • 100 slides
The one universal imperative for every organization's progress - business, government and

The one universal imperative for every organization's progress - business, government and

1 2 The one universal imperative for every organization's progress - business, government and nonprofjt alike - is innovation. The alternative is stagnation, and that's not acceptable for the customers, clients or societies those

642 views • 9 slides
Thank you so much to the [Mowafaghian] Foundation and to SFU for inviting me here, and thanks to

Thank you so much to the [Mowafaghian] Foundation and to SFU for inviting me here, and thanks to

Steven Lewis Speech May 23, 2012 Thank you so much to the [Mowafaghian] Foundation and to SFU for inviting me here, and thanks to the Wosk family who had the foresight to convert this wonderful building into the

382 views • 27 slides
Rules of Thumb to Help the Public Assess "Scientific" Claims Caroline Crocker, MSc, PhD

Rules of Thumb to Help the Public Assess "Scientific" Claims Caroline Crocker, MSc, PhD

Rules of Thumb to Help the Public Assess "Scientific" Claims Caroline Crocker, MSc, PhD American Institute for Technology and Science Education Broccoli pills keep you young. Collagen reduces wrinkling. Daily baby aspirin is

326 views • 17 slides
Development of a Psychosocial Risk Screening Tool for Genetic Testing Objectives : To develop a

Development of a Psychosocial Risk Screening Tool for Genetic Testing Objectives : To develop a

Development of a Psychosocial Risk Screening Tool for Genetic Testing Objectives : To develop a reliable and valid psychological risk factor screening tool to help health care providers determine which of their patients undergoing genetic

463 views • 3 slides
INTRODUCTION TO GENETIC EPIDEMIOLOGY (EPID0754) Prof. Dr. Dr. K. Van Steen (February 2012)

INTRODUCTION TO GENETIC EPIDEMIOLOGY (EPID0754) Prof. Dr. Dr. K. Van Steen (February 2012)

INTRODUCTION TO GENETIC EPIDEMIOLOGY (EPID0754) Prof. Dr. Dr. K. Van Steen (February 2012) Introduction to Genetic Epidemiology Chapter 1: Setting the Pace CHAPTER 1: SETTING THE PACE 1 Course Responsible Contact details 2 Administrative

583 views • 31 slides
Pacing/Teacher's Notes Investigation #8: Transformation Click on the topic to go to that section

Pacing/Teacher's Notes Investigation #8: Transformation Click on the topic to go to that section

Slide 1 / 31 Slide 2 / 31 New Jersey Center for Teaching and Learning AP BIOLOGY Progressive Science Initiative This material is made freely available at www.njctl.org and is intended for the non-commercial use of Investigation #8 students

336 views • 6 slides

More recommend