FUZZIFICATION: Anti-Fuzzing Techniques. Jinho Jung, Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee, Taesoo Kim (PowerPoint PPT Presentation)



SLIDE 1

FUZZIFICATION: Anti-Fuzzing Techniques

Jinho Jung, Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim

SLIDE 2

Fuzzing Discovers Many Vulnerabilities

SLIDE 3

Fuzzing Discovers Many Vulnerabilities

SLIDE 4

Testers Find Bugs with Fuzzing

[Diagram: Source → Compilation → Released binary → Distribution to Normal users and Testers; Testers → Fuzzing → Detected bugs]

SLIDE 5

But Attackers Also Find Bugs

[Diagram: as in slide 4, but the released binary is also distributed to Attackers, who fuzz it and reach the same Detected bugs]

SLIDE 6

Our Work: Make Fuzzing Effective Only for the Testers

[Diagram: Source → Fuzzification → Compilation → Fortified binary → Distribution to Normal users and Attackers; Testers fuzz the (unfortified) Binary → Detected bugs; what Attackers fuzzing the fortified binary find is marked "?"]

SLIDES 7-10

Threat Model

[Diagram as in slide 6: Source → Fuzzification → Compilation → Fortified binary → Distribution to Normal users and Attackers; Testers fuzz the (unfortified) Binary → Detected bugs]

  • Adversaries try to find vulnerabilities by fuzzing
  • Adversaries only have a copy of the fortified binary
  • Adversaries know Fuzzification and try to nullify it

SLIDES 11-15

Research Goals

[Diagram as in slide 6, with the Fortified binary highlighted]

  • Hinder fuzzing: reduce the number of detected bugs
  • Generic: affect most of the fuzzers (AFL, HonggFuzz, VUzzer, QSym, …)
  • Overhead: low overhead for normal users, high overhead for attackers
  • Resiliency: resilient to adversarial analysis

SLIDES 16-20

Why Are Existing Methods Not Applicable?

  Method                   Generic to most fuzzers   Low overhead   Resilient to adversary
  Packing or obfuscation   O                         X              O
  Bug injection            O                         O              X
  Fuzzer detection         X                         O              X
  Emulator detection       X                         O              X
  Fuzzification            O                         O              O

  (O = satisfies the property, X = does not)

SLIDES 21-26

Fuzzification Hinders Advanced Features

[Diagram labels: parallel execution, fork server, H/W feature, coverage, symbolic execution, dynamic taint analysis, queue]

  • Fast execution (parallel execution, fork server, H/W feature) ➔ hindered by SpeedBump
  • Coverage-guidance (coverage) ➔ hindered by BranchTrap
  • Hybrid approach (symbolic execution, dynamic taint analysis) ➔ hindered by Anti-Hybrid

SLIDES 27-30

SpeedBump: Selective Delay Injection

[Diagram: control-flow graph of basic blocks with frequently visited and rarely visited paths marked; delays ① and ② are placed on rarely visited edges]

  • Identify frequently and rarely visited paths
  • Inject delays starting from the most rarely visited edges
  • Why is this effective?
    ▫ User: follows common paths
    ▫ Attacker: searches for new paths
    ➔ The impact of the delay is far more significant for attackers

SLIDES 31-33

SpeedBump: How to Delay?

  • Strawman: using sleep()
    ➔ trivially removed by the adversary
  • Counter to an advanced adversary
    ▫ Use randomly generated code ➔ avoid static patterns
    ▫ Impose control-flow and data-flow dependencies ➔ avoid automated analysis

SLIDES 34-36

SpeedBump: Selective Delay Injection

Original function:

    int rarely_executed_code() {
        return 0;
    }

After delay injection:

    // define global variables
    int global1 = 1;
    int global2 = 2;

    // injected delay function: its loop depends on the argument, on global1 and on
    // the loop counter, and its result feeds global2 through the caller, so it can
    // neither be dropped as dead code nor pattern-matched like a plain sleep()
    int func(int p6) {
        int local1[1000];      // sized to match the loop bound below
        // affect global1 variable
        global1 = 45;
        int local2 = global1;
        for (int i = 0; i < 1000; i++)
            // affect local1 variable
            local1[i] = p6 + local2 + i;
        // affect global2 variable (assigned by the caller)
        return local1[5];
    }

    int rarely_executed_code() {
        // inject delay function
        int pass = 20;
        global2 = func(pass);
        return 0;
    }

SLIDE 37

BranchTrap Hinders Coverage Management

[Overview diagram from slides 21-26 (fast execution, coverage-guidance, hybrid approach), here focused on coverage]

SLIDES 38-41

BranchTrap#1: Fabricates Input-Sensitive Paths

[Diagram: paths over basic blocks 1, 3, 2 for the inputs "AAAA" and "AAAB", labelled Coverage #1 and Coverage #2; the lower graph shows the same two inputs after BranchTrap has been applied]

SLIDES 42-46

BranchTrap#1: ROP-based Fake Paths Generation

[Diagram: the Caller executes "call Func1" followed by "next inst". Func1(arg1, arg2) originally ends with the epilogue "pop rbp; pop r15; ret". BranchTrap adds code snippets 1 … N, each a copy of that epilogue ("pop rbp; pop r15; ret"), reached through a jump table. Steps ① to ⑤ are marked on the diagram.]

    index = arg1 ^ arg2     ; snippet choice depends on the function arguments
    jmp table[index]        ; return through code snippet [index], whose ret lands on "next inst"

SLIDE 47

BranchTrap#2: Saturate Feedback State

[Diagram: basic blocks 1, 3, 2]

  • A single visit is enough to take effect
  • BranchTrap:
    ▫ Saturates the bitmap data
    ▫ Prevents coverage recording
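To show what the two BranchTrap mechanisms above do to a coverage-guided fuzzer's view of the program, here is an added Python model (not code from the Fuzzification project): it uses an AFL-style edge bitmap, models Func1's fake return snippet as table[arg1 ^ arg2] with arg1 and arg2 taken from the first and last input byte, and uses constructed block ids and a 64-entry bitmap so that saturation is visible.

```python
MAP_SIZE = 64                   # constructed: tiny edge bitmap so saturation is visible (AFL uses 64 KiB)
MAIN, FUNC1, NEXT = 10, 20, 30  # hypothetical basic-block ids: caller, Func1, "next inst"
SNIPPET_BASE = 200              # hypothetical ids of the fake epilogue snippets 1..N
N_SNIPPETS = MAP_SIZE           # one snippet per bitmap entry, enough to saturate it

def edge_index(prev_loc, cur_loc):
    """AFL-style edge id: cur_loc XOR (prev_loc >> 1), folded into the bitmap."""
    return (cur_loc ^ (prev_loc >> 1)) % MAP_SIZE

def record_path(bitmap, blocks):
    """Record every consecutive block pair; return the edge ids seen for the first time."""
    new, prev = set(), 0
    for b in blocks:
        i = edge_index(prev, b)
        if not bitmap[i]:
            bitmap[i] = True
            new.add(i)
        prev = b
    return new

def real_path(data):
    """Without BranchTrap: call Func1, return to the next instruction, same edges for any input."""
    return [MAIN, FUNC1, NEXT]

def fake_return_path(data):
    """BranchTrap#1: Func1 returns through code snippet table[arg1 ^ arg2];
    arg1 and arg2 are modelled as the first and last input byte (an assumption)."""
    idx = (data[0] ^ data[-1]) % N_SNIPPETS
    return [MAIN, FUNC1, SNIPPET_BASE + idx, NEXT]

def interesting_inputs(inputs, path_fn):
    """The inputs a coverage-guided fuzzer keeps because they reach a new edge."""
    bitmap = [False] * MAP_SIZE
    return [d for d in inputs if record_path(bitmap, path_fn(d))]

def saturate(bitmap):
    """BranchTrap#2: one visit through each fake snippet sets every bitmap entry."""
    for k in range(N_SNIPPETS):
        record_path(bitmap, [MAIN, FUNC1, SNIPPET_BASE + k, NEXT])
    return sum(bitmap)          # number of entries now set

if __name__ == "__main__":
    print(interesting_inputs([b"AAAA", b"AAAB"], real_path))         # [b'AAAA']
    print(interesting_inputs([b"AAAA", b"AAAB"], fake_return_path))  # [b'AAAA', b'AAAB']
    bm = [False] * MAP_SIZE
    print(saturate(bm))                                              # 64
    # a genuinely new block (40) no longer shows up as new coverage once the map is full
    print(record_path(bm, [MAIN, FUNC1, 40, NEXT]))                  # set()
```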

SLIDE 48

AntiHybrid Hinders Hybrid Fuzzing

[Overview diagram from slides 21-26 (fast execution, coverage-guidance, hybrid approach), here focused on the hybrid approach: symbolic execution and dynamic taint analysis]

SLIDES 49-50

Challenge of Hybrid Fuzzing

  • Dynamic taint analysis
    ▫ Implicit flow is expensive to track
    ➔ Transform explicit data-flow into implicit data-flow
  • Symbolic execution
    ▫ Path explosion
    ➔ Introduce arbitrary path explosions

SLIDE 51

AntiHybrid Avoids Dynamic Taint Analysis

  • Transform explicit data-flow into implicit data-flow

Before:

    char input = 'a';
    if (input == 'a') { … }

After:

    char input = 'a';
    char anti_dta = 0;
    if (input == 97) anti_dta = 'a';   // 97 is 'a'; the value now flows only through the branch
    if (anti_dta == 'a') { … }

Dynamic taint analysis tracks explicit flows, so it is unable to propagate the taint from input to anti_dta.

SLIDE 52

AntiHybrid Incurs Path Explosions

  • Inject hash calculations into branches

    if (a == 30) { … }                    // original branch
    if (Hash(a) == 0x300df11) { … }       // transformed branch

➔ Path explosion for symbolic execution

SLIDES 53-56

Fuzzification Work-flow

  ① Run the program (source and binary) with valid and invalid inputs to build a profile
  ② Inject components at the LLVM IR level: SpeedBump, BranchTrap, AntiHybrid
  ③ Test run: measure overhead and inject more components
  ④ Release the fortified binary
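An added Python sketch (not the project's implementation) of steps ① and ③ of this work-flow combined with the SpeedBump selection rule from slides 28-30: it ranks edges from a constructed profile, injects delays from the rarest edges while an estimated normal-user overhead stays within a budget, and contrasts the cost on a common path with the cost on a rarely visited one. The edge names, run counts and cost constants are all assumptions.

```python
from collections import Counter

# Constructed profile from step ① (hypothetical edge names): how many of the
# TOTAL_RUNS profiling runs over valid/invalid inputs executed each edge.
PROFILE = Counter({
    "main->parse": 100, "parse->ok": 90, "ok->emit": 90, "emit->done": 90,
    "parse->err": 10, "err->log": 10, "parse->rare_opt": 2, "rare_opt->deep": 1,
})
TOTAL_RUNS = 100
DELAY_COST = 10.0    # assumed cost of one injected delay, in the same units as BASE_COST
BASE_COST = 1000.0   # assumed cost of one un-fortified run

def rank_edges(profile):
    """Rarest edges first: SpeedBump injects delays starting from the least-visited edges."""
    return sorted(profile, key=lambda e: (profile[e], e))

def normal_user_overhead(profile, delayed, runs=TOTAL_RUNS):
    """Average extra cost per profiling run, as a fraction of BASE_COST.
    This stands in for step ③: the overhead normal inputs would see."""
    extra = sum(profile[e] * DELAY_COST for e in delayed) / runs
    return extra / BASE_COST

def inject_delays(profile, budget):
    """Greedily delay the rarest edges while the normal-user overhead stays within budget."""
    delayed = []
    for edge in rank_edges(profile):
        if normal_user_overhead(profile, delayed + [edge]) > budget:
            break
        delayed.append(edge)
    return delayed

def run_overhead(path, delayed):
    """Overhead of one concrete execution (a list of edges) relative to BASE_COST."""
    return sum(DELAY_COST for e in path if e in delayed) / BASE_COST

if __name__ == "__main__":
    chosen = inject_delays(PROFILE, budget=0.01)
    print("delayed edges:", chosen)
    # A normal user stays on the common path; a fuzzer hunting new paths hits the delays.
    user_path = ["main->parse", "parse->ok", "ok->emit", "emit->done"]
    fuzzer_path = ["main->parse", "parse->rare_opt", "rare_opt->deep"]
    print("user overhead:", run_overhead(user_path, chosen))      # 0.0
    print("fuzzer overhead:", run_overhead(fuzzer_path, chosen))  # 0.02
```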

SLIDE 57

Evaluation Summary

  • Implementation
    ▫ 6,599 lines of Python and 758 lines of C++
  • Evaluation questions:
    ▫ Effective in reducing discovered paths and bugs?
    ▫ Effective on various fuzzers?
    ▫ Imposes low overhead on the normal user?

SLIDES 58-59

Reduced the Discovered Coverage By 71%

[Bar chart: discovered paths for objdump (binutils) with no Fuzzification, with SpeedBump, BranchTrap and AntiHybrid individually, and with all Fuzzifications; slide 59 shows the same chart for other binaries]

* Fuzzing result on AFL-QEMU

SLIDE 60

Fuzzification is Effective on Various Fuzzers

  Fuzzer             Reduced code coverage
  AFL (QEMU)         74%
  HonggFuzz (PT)     61%
  QSym (AFL-QEMU)    80%
  Average            71%

SLIDE 61

Reduced the Discovered Bugs

  binutils v2.3.0
  Fuzzer             Result
  AFL (QEMU)         88%
  HonggFuzz (PT)     98%
  QSym (AFL-QEMU)    94%
  Average            93%

  LAVA-M dataset
  Fuzzer             Result
  VUzzer             56%
  QSym (AFL-QEMU)    78%
  Average            67%

SLIDE 62

File Size & CPU Overheads

  binutils v2.3.0
  Overhead           Result
  File size          1.4MB (62.1%)
  CPU overhead       3.7%

  Real-world applications (e.g., GUI)
  Overhead           Result
  File size          1.3MB (5.4%)
  CPU overhead       0.73%

* Both overheads are configurable

SLIDE 63

Discussion

  • Best-effort protections against adversarial analysis
  • Complementary to other defense techniques
    ▫ Not hiding all vulnerabilities
    ▫ But introducing a significant cost for the attacker

SLIDE 64

Comparison: Fuzzification vs. AntiFuzz

[Table comparing Fuzzification and AntiFuzz per component: delay execution (+ cold path), fake coverage (randomized return, fake code), saturate coverage, prevent crash, anti-hybrid (+ anti-DTA), countermeasures; the per-cell markers (◐, ○) are not legible in this extraction]

SLIDE 65

Conclusion

  • SpeedBump: injects delays that affect only attackers
  • BranchTrap: inserts input-sensitive branches
  • AntiHybrid: hinders hybrid fuzzing techniques

Make fuzzing effective only for the testers

https://github.com/sslab-gatech/fuzzification