hawkeye towards a desired directed grey box fuzzing
play

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, - PowerPoint PPT Presentation

Apr 23, 2023 •139 likes •476 views

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li, Bihuan Chen, Xiaofei Xie, Xiuheng Wu, Yang Liu October 18, 2018 1 Mutation Based Grey-box Fuzzing General-purpose Grey-box Fuzzing: Cover more

  1. Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li, Bihuan Chen, Xiaofei Xie, Xiuheng Wu, Yang Liu October 18, 2018 1

  2. Mutation Based Grey-box Fuzzing ● General-purpose Grey-box Fuzzing: Cover more paths and induce more bugs (if any) ● Directed Grey-box Fuzzing (DGF): Given a target site (e.g., file & line number), test this site intensively, and induce more relevant bugs 2

  3. Why Directed Grey-box Fuzzing ? (1) Patch Testing 3

  4. Why Directed Grey-box Fuzzing ? (2) Justify a suspicious vulnerability 4

  5. Why Directed Grey-box Fuzzing ? (3) Crash Reproduction based on vulnerability description 5

  6. Desired Properties for DGF (1) P1: A distance metric avoiding bias to certain traces reachable to targets All traces reachable to the ➢ target should be considered e.g., Given a patch for GNU ➢ Binutils nm CVE-2017-15023, there are >=2 traces reachable to dwarf2.c:1601 in concat_filename 6

  7. Desired Properties for DGF (2) P2: Balance cost-effectiveness between static analysis and dynamic analysis 1. static analysis has to be applied for DGF 2. Precise static analysis can be costly but may not be useful for dynamic fuzzing 3. Coarse static analysis provides little directedness for fuzzing 7

  8. Desired Properties for DGF (3) P3: Prioritize proper seeds and schedule mutations Prioritization can boost DGF significantly ● ○ variants of certain seeds have less chances to reach the target sites ○ some seeds contribute little in exploring new execution traces ● Scheduling more mutations on “good” seeds are more beneficial 8

  9. Desired Properties for DGF (4) P4: Adaptive mutation to increase mutators’ effectiveness Coarse-grained mutations typically change the execution ● traces greatly ● Apply more fine-grained mutations when execution traces are close to the target sites 9

  10. Overall Workflow of Hawkeye 10

  11. PART 1: Static Analysis ➢ Compute static distance utilities a. Apply whole program analysis to construct Interprocedural Control Flow Graph (ICFG) b. Build static directedness utilities w.r.t. target site(s) based on ICFG c. Instrument directedness utilities into the program under test 11

  12. Graph Construction 1. Call Graph (CG) a. Andersen’s pointer analysis b. Function pointers ⇒ Indirect calls i. Much more precise than explicit-only Call Graph ii. Less costly than context-/flow-sensitive analysis 2. Control Flow Graph (CFG) 3. CG + CFG ⇒ ICFG 12

  13. Adjacent-Function Distance Augmentation (1) How to determine the distances of fa→ fb and fa → fc ? 13

  14. Adjacent-Function Distance Augmentation (2) f 1 : Caller f 2 : callee C N : Call sites occurrences of f 2 inside f 1 C B : No. of basic blocks in f 1 that contains >= 1 call site of f 2 14

  15. Adjacent-Function Distance Augmentation (3) 15

  16. Directedness Utility Computation ● d f (f s , f t ) : distance between any two functions f s and f t in the call graph ● d f (n, T f ) : function level distance to target(s), where n is a function, T f is the set of target functions ● d b (m, T b ) : basic block distance to target(s) ● 𝜊 f (T f ): target function trace closure 16

  17. PART 2: Fuzzing Loop ➢ Dynamic fuzzing based on static utilities and feedback ○ Track two separate execution metrics to measure “distance” between current trace and “expected” traces Calculate a power function based on the two metrics ○ ○ Schedule mutation chances based on power function ○ Adaptively mutate based on reachability to target sites Prioritize seeds based on power function and coverage ○ 17

  18. Two Metrics Basic Block Trace Distance: Covered Function Similarity: 18

  19. Power Function ● C s favors longer traces that share more executed functions with the “expected” traces ● d s favors shorter traces that reach the expected targets ● Used directly for scheduling mutation chances 19

  20. Adaptive Mutation When a seed has reached target functions, prefer fine-grained mutations ○ Fine-grained: bit/byte level flips, add/sub on bytes/words, replace with interesting values ○ Coarse-grained: random chunk modifications, semantic mutations, crossover 20

  21. Seed Prioritization A three-tier queue to differentiate seed priorities and favor seeds that: a. cover new edges b. are close to targets c. reach target function(s) 21

  22. Hawkeye’s Solution to Desired Properties P1 : Combine basic block trace distance and covered function similarity for power function to avoid bias P2 : Apply precise graph construction and argument adjacent-function distance to generate cost-effective directedness utilities for dynamic fuzzing P3 : Apply target-favored seed prioritization and mutation power scheduling P4 : Apply adaptive mutation based on reachability to targets 22

  23. Evaluation Tools Hawkeye: Our proposed fuzzer that tries to satisfy the ● proposed four desired properties ● Fidgety-AFL : State-of-the-art coverage-oriented Grey-box fuzzer ● AFLGo: DGF based on basic block distance instrumentation and simulated annealing scheduling HE-Go: DGF whose basic block distance instrumentation ● follows Hawkeye’s, but uses AFLGo’s scheduling 23

  24. Crash Reproduction (cxxfilt) 24

  25. Crash Reproduction (MJS) #1 Stack Overflow #2 Invalid read #3 Heap buffer overflow #4 Use after free 25

  26. Crash Reproduction (Oniguruma) #1, #2, #3 are from Oniguruma 6.2.0 #4 is from Oniguruma 6.8.2 26

  27. Target Site Covering (Google Fuzzer Test Suite) 27

  28. Summary 1. Directed Grey-box Fuzzing (DGF) can be helpful 2. We analyzed the challenges in DGF and developed a fuzzer Hawkeye aiming to satisfy the desired properties 3. Experimental results demonstrate Hawkeye’s effectiveness in both crash reproduction and target site covering 28

  29. FOT: A Versatile, Configurable, Extensible Fuzzing Framework (Fuzzing Orchestration Toolkit) ● highly modularized ● supports different features See our upcoming ESEC/FSE18 Demo: https://bit.ly/2yzLFla 29

  30. Thank you ! 30

  31. Two Relevant CVEs in Binutils nm (NULL pointer Read) $ nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $POC1 $ nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $POC2 ==3765==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 ==19042==ERROR: AddressSanitizer: SEGV on unknown address ==3765==The signal is caused by a READ memory access. 0x000000000000 ==3765==Hint: address points to the zero page. ==19042==The signal is caused by a READ memory access. #0 0x6a7375 in concat_filename ==19042==Hint: address points to the zero page. /home/hawkeye/binutils/bfd/dwarf2.c:1601:8 #0 0x6a76a5 in concat_filename #1 0x696e83 in decode_line_info /home/hawkeye/binutils/bfd/dwarf2.c:1601:8 /home/hawkeye/binutils/bfd/dwarf2.c:2258:44 #1 0x696ff3 in decode_line_info #2 0x6a2ab8 in comp_unit_maybe_decode_line_info /home/hawkeye/binutils/bfd/dwarf2.c:2265:44 /home/hawkeye/binutils/bfd/dwarf2.c:3642:26 #2 0x6a2d36 in comp_unit_maybe_decode_line_info #3 0x6a2ab8 in comp_unit_find_line /home/hawkeye/binutils/bfd/dwarf2.c:3651:26 /home/hawkeye/binutils/bfd/dwarf2.c:3677 #3 0x6a2d36 in comp_unit_find_line #4 0x6a0104 in _bfd_dwarf2_find_nearest_line /home/hawkeye/binutils/bfd/dwarf2.c:3686 /home/hawkeye/binutils/bfd/dwarf2.c:4789:11 #4 0x6a0369 in _bfd_dwarf2_find_nearest_line #5 0x5f330e in _bfd_elf_find_line /home/hawkeye/binutils/bfd/elf.c:8695:10 /home/hawkeye/binutils/bfd/dwarf2.c:4798:11 #6 0x5176a3 in print_symbol /home/hawkeye/binutils/binutils/nm.c:1003:9 #5 0x5f332e in _bfd_elf_find_line /home/hawkeye/binutils/bfd/elf.c:8695:10 #7 0x514e4d in print_symbols /home/hawkeye/binutils/binutils/nm.c:1084:7 #6 0x5176a3 in print_symbol /home/hawkeye/binutils/binutils/nm.c:1003:9 #8 0x514e4d in display_rel_file /home/hawkeye/binutils/binutils/nm.c:1200 #7 0x514e4d in print_symbols /home/hawkeye/binutils/binutils/nm.c:1084:7 #9 0x510976 in display_file /home/hawkeye/binutils/binutils/nm.c:1318:7 #8 0x514e4d in display_rel_file /home/hawkeye/binutils/binutils/nm.c:1200 #10 0x50f4ce in main /home/hawkeye/binutils/binutils/nm.c:1792:12 #9 0x510976 in display_file /home/hawkeye/binutils/binutils/nm.c:1318:7 #10 0x50f4ce in main /home/hawkeye/binutils/binutils/nm.c:1792:12 CVE-2017-15023 CVE-2017-15939 31

  32. Statistics of Tested Programs 32

  33. Selected Trophies Intel XED: 2 bugs binaryen: 17 bugs libjpeg-turbo: 1 CVE CImg: 2 bugs liblouis: 1 CVE Espruino: 9 CVEs lepton: 4 bugs FFmpeg: 3 CVEs libsass: 10 bugs FLIF: 2 bugs libvips: 11 bugs GNU bc: 18 bugs Oniguruma: 6 CVEs GNU Binutils: 1 CVE radare2: 40+ bugs GNU diffutils: 2 bugs MJS: 33 bugs GPAC: 15 bugs Swift: 7 bugs imagemagick: 2 CVEs 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference Valentin Mans 1 , Soomin Kim 2

Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference Valentin Mans 1 , Soomin Kim 2

Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference Valentin Mans 1 , Soomin Kim 2 , Sang Kil Cha 2 1 CSRC, KAIST 2 KAIST The Success of Grey-box Fuzzing OSS-Fuzz has found over 20,000 bugs in 300 open source projects.

458 views • 24 slides
Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared DeMott Dr. Richard Enbody @msu.edu Dr. William Punch Black Hat 2007 www.vdalabs.com VDA Labs, LLC Agenda Goals and previous works (1)

683 views • 54 slides
WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono

WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono

WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono DElia and Emilio Coppa @andreafioraldi andreafioraldi@gmail.com Format-aware Fuzzing Input Input Program Crashes Format Generation Under

666 views • 63 slides
About Directed Fuzzing and Use-After-Free: How to Find Complex & Silent Bugs? Manh-Dung

About Directed Fuzzing and Use-After-Free: How to Find Complex & Silent Bugs? Manh-Dung

About Directed Fuzzing and Use-After-Free: How to Find Complex & Silent Bugs? Manh-Dung Nguyen, Sbastien Bardin, Matthieu Lemerre (CEA LIST) Richard Bonichon (Tweag I/O) Roland Groz (Universit Grenoble Alpes) #BHUSA @BLACKHATEVENTS

546 views • 44 slides
Taintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Taintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Taintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang Tao Wei Guofei Gu Wei Zou March 12, 2014 Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope Taintscope is: A Fuzzing tool

742 views • 42 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&D firstname dot lastname at orange-ftgroup dot com research & development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction Fuzzing Media Content in Android Data Generation Fuzzing the Stagefright Framework Logging & Triage Mechanisms 2 Introduction Fuzzing

1.12k views • 38 slides
NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein, Junfeng Yang, Baishakhi Ray, and Suman Jana Columbia University 1 Fuzzing: a popular way to uncover bugs [Liang et al. 2019] 2 Evolutionary Fuzzing

1.02k views • 26 slides
Automated Concurrency-Bug Fixing Guoliang Jin, Wei Zhang, Dongdong Deng, Den Libit, Shan Lu (OSDI

Automated Concurrency-Bug Fixing Guoliang Jin, Wei Zhang, Dongdong Deng, Den Libit, Shan Lu (OSDI

Automated Concurrency-Bug Fixing Guoliang Jin, Wei Zhang, Dongdong Deng, Den Libit, Shan Lu (OSDI 2012) Presented by: Kevin Burns October 2, 2013 Outline Paper Presentation Background/Motivation CFix Overview Bug Understanding Fix Strategy

347 views • 24 slides
Fighting regressions with git bisect Christian Couder chriscool@tuxfamily.org October 29,2009

Fighting regressions with git bisect Christian Couder chriscool@tuxfamily.org October 29,2009

Fighting regressions with git bisect Christian Couder chriscool@tuxfamily.org October 29,2009 About Git A Distributed Version Control system (DVCS): created by Linus Torvalds maintained by Junio Hamano Basics: commits are states of the

1.11k views • 75 slides
KATCH: High-Coverage Tes2ng of So6ware Patches Paul Marinescu

KATCH: High-Coverage Tes2ng of So6ware Patches Paul Marinescu

KATCH: High-Coverage Tes2ng of So6ware Patches Paul Marinescu and Cris2an Cadar Imperial College London Intro Manual tes2ng is hard Supplement it

357 views • 23 slides
Do Automated Program Repair Techniques Repair Hard and Important Bugs? Manish Motwani Sandhya

Do Automated Program Repair Techniques Repair Hard and Important Bugs? Manish Motwani Sandhya

Do Automated Program Repair Techniques Repair Hard and Important Bugs? Manish Motwani Sandhya Sankarnarayanan Ren e Just Yuriy Brun University of Massachusetts Amherst Automatic Program Repair: An Active Research Area patched program

525 views • 37 slides
Community & Tools Update 2017 Thomas Monjalon DPDK Maintainer Mellanox Qian Xu

Community & Tools Update 2017 Thomas Monjalon DPDK Maintainer Mellanox Qian Xu

Community & Tools Update 2017 Thomas Monjalon DPDK Maintainer Mellanox Qian Xu DPDK CI & Bugzilla Manager Intel DPDK Summit Userspace Dublin 2017 Agenda Community Growth Community Interactions Community

609 views • 29 slides
The Real Deal of Android Device Security: The Third Party Collin Mulliner and Jon Oberheide

The Real Deal of Android Device Security: The Third Party Collin Mulliner and Jon Oberheide

The Real Deal of Android Device Security: The Third Party Collin Mulliner and Jon Oberheide CanSecWest 2014 Introductions Collin Mulliner Jon Oberheide Mulliner and Oberheide, CSW 2014 #Cats4Fun Mulliner and Oberheide, CSW 2014

949 views • 90 slides
How to Waste Time and Money Testing the Performance of a Software Product David Daly | Lead

How to Waste Time and Money Testing the Performance of a Software Product David Daly | Lead

How to Waste Time and Money Testing the Performance of a Software Product David Daly | Lead Engineer -- Performance | @daviddaly44 | https://daviddaly.me/ - 22 % 2 3 Understand the performance of our software and when it changes. 4 How

668 views • 33 slides
H OW TO R EPAIR V ULNERABILITIES ? Correcting vulnerable logic, e.g. race condition

H OW TO R EPAIR V ULNERABILITIES ? Correcting vulnerable logic, e.g. race condition

A UTOMATIC P ROGRAM R EPAIR Zhen Huang 1 Penn State University Spring 2019 CMPSC 447, Software Security P RE PATCH W INDOW Attackers can leverage the window of time before a vulnerability is addressed. Attackers can exploit the

931 views • 60 slides

More recommend