lec09 fuzzing and symbolic execution
play

Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia - PowerPoint PPT Presentation

Aug 21, 2023 •13 likes •293 views

1 Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs! including NSA code-breaking challenge! Please submit your working exploits for previous weeks! New recitations: Monday:

  1. 1 Lec09: Fuzzing and Symbolic Execution Taesoo Kim

  2. 2 Administrivia • Three more labs! including NSA code-breaking challenge! • Please submit your working “exploits” for previous weeks! • New recitations: • Monday: 18:00~19:00, CoC 053 (Oct 29th: S106 Howney Physics) • Wednesday: 18:00~19:00, CoC 052 • In-class CTF on Nov 16-17 (24 hours)! • Due: Find your team members, and let us know ASAP! • Due: Submit your CTF challenge by Nov 13!

  3. 3 So far, focuses are more on “exploitation” • More important question: how to find bugs? • With source code (we will see in the last lecture!) • With only binary

  4. 4 Two Pre-conditions (often much difficult!) 1. Locating a bug (i.e., bug finding) 2. Triggering the bug (i.e., reachability) 1 // Q2. How to reach this path? 2 if (magic == 0xdeadbeef) { 3 // Q1. Is this buggy? 4 memcpy(dst, src, len) 5 }

  5. 5 Solution 1: Code Auditing (w/ code) 1 static OSStatus SSLVerifySignedServerKeyExchange(...) { 2 ... 3 if (err = SSLHashSHA1.update(&hashCtx, &clientRandom)) 4 goto fail; 5 if (err = SSLHashSHA1.update(&hashCtx, &serverRandom)) 6 goto fail; 7 if (err = SSLHashSHA1.update(&hashCtx, &signedParams)) 8 goto fail; 9 goto fail; 10 if (err = SSLHashSHA1.final(&hashCtx, &hashOut) 11 goto fail; 12 13 err = sslRawVerify(...); 14 fail: 15 return err; 16 }

  6. 6 Solution 2: Static Analysis (on binary) • Reverse Engineering (e.g., IDA)

  7. 7 Problem: Too Complex (e.g., browser)

  8. 8 Two Popular Directions • Symbolic execution (also static) • Fuzzing (dynamic)

  9. 9 Symbolic Execution

  10. 10 Problem: State Explosion • Too many path to explore (e.g., strcmp(“hello”, input)) • Too huge state space (e.g., browser? OS?) • Solving constraints is a hard problem

  11. 11 Today’s Topic: Fuzzing • Two key ideas • Reachability is given (since we are executing!) • Focus on quickly exploring the path/state • How? mutating inputs • How/what to mutate? based on code coverage!

  12. 12 How well fuzzing can explore all paths? 1 int foo(int i1, int i2) { 2 int x = i1; 3 int y = i2; 4 5 if (x > 80) { 6 x = y * 2; 7 y = 0; 8 if (x == 256) { 9 * __builtin_trap(); 10 return 1; 11 } 12 } else { 13 x = 0; y = 0; 14 } 15 return 0; 16 }

  13. 13 DEMO: LibFuzzer // $ clang -fsanitize=fuzzer ex.cc // $ ./a.out extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (size < 8) return 0; int i1, i2; i1 = *(int *)(&data[0]); i2 = *(int *)(&data[4]); foo(i1, i2); return 0; }

  14. 14 Game Changing Fact: Speed • In this example, • Symbolic execution explores/checks just two conditions • Fuzzing requires 256 times (by scanning values from 0 to 256) • What if fuzzer is an order of magnitude faster (say, 10k times)? • In fact, LibFuzzer was much faster thanks to lots of heuristics!

  15. 15 Importance of High-quality Corpus • In fact, fuzzing is really bad at exploring paths • e.g., if (a == 0xdeadbeef) • So, paths should be (or mostly) given by corpus (sample inputs) • e.g., pdf files utilizing full features • but, not too many! (do not compromise your performance) • A fuzzer will trigger the exploitable state • e.g., len in malloc()

  16. 16 AFL (American Fuzzy Lop) • VERY well-engineered fuzzer w/ lots of heuristics

  17. 17 Examples of Mutation Techniques • interest: -1, 0x8000000, 0xffff, etc • bitflip: flipping 1,2,3,4,8,16,32 bits • havoc: random tweak in fixed length • extra: dictionary, etc • etc

  18. 18 Key Idea 1: Map Input to State Transitions • Input → [IPs] (problem?)

  19. 19 Key Idea 1: Map Input to State Transitions • Input → [IPs] (problem?) • Input → map[IPs % len] (problem? A → B vs B → A)

  20. 20 Key Idea 1: Map Input to State Transitions • Input → [IPs] (problem?) • Input → map[IPs % len] (problem? A → B vs B → A) • Input → map[(prevIP >> 1 ^ curIP) % len] (problem?)

  21. 21 Key Idea 1: Map Input to State Transitions • Input → [IPs] (problem?) • Input → map[IPs % len] (problem? A → B vs B → A) • Input → map[(prevIP >> 1 ^ curIP) % len] (problem?) • Input → map[(rand1 >> 1 ^ rand2) % len]

  22. 22 Key Idea 2: Avoiding Redundant Paths • If you see the duplicated state, throw out • e.g., i1 = 1, 2, 3 • If you see the new path, keep it for further exploration • e.g., i1 = 81

  23. 23 How to Create Mapping? • Instrumentation • Source code → compiler (e.g., gcc, clang) • Binary → QEMU 1 if (block_address > elf_text_start 2 && block_address < elf_text_end) { 3 cur_location = (block_address >> 4) ^ (block_address << 8) 4 shared_mem[cur_location ^ prev_location] ++; 5 prev_location = cur_location >> 1; 6 }

  24. 24 Source Code Instrumentation

  25. 25 AFL Arts Ref. http://lcamtuf.coredump.cx/afl/

  26. 26 Other Types of Fuzzer • Radamsa: syntax-aware fuzzer • Cross-fuzz: function syntax for Javascript • langfuzz: fuzzing program languages • Driller/QSYM: fuzzing + symbolic execution

  27. 27 Today’s Tutorial • In-class tutorial: • Fuzzing with AFL • Fuzzing with LibFuzzer $ scp -P 9007 lab07@computron.gtisc.gatech.edu:fuzzing.tar.xz . $ unxz fuzzing.tar.xz $ docker load -i fuzzing.tar $ docker run --privileged -it fuzzing /bin/bash $ git pull $ cat README

  28. 28 References -Sanitize, Fuzz, and Harden Your C++ Code

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Driller: Augmenting Fuzzing through Symbolic Execution Nick Stephens , John Grosen, Christopher

Driller: Augmenting Fuzzing through Symbolic Execution Nick Stephens , John Grosen, Christopher

Driller: Augmenting Fuzzing through Symbolic Execution Nick Stephens , John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, Giovanni Vigna Motivation - Large number of memory

1.15k views • 35 slides
Automated Test Generation: A Journey from Symbolic Execution to Smart Fuzzing and Beyond Koushik

Automated Test Generation: A Journey from Symbolic Execution to Smart Fuzzing and Beyond Koushik

Automated Test Generation: A Journey from Symbolic Execution to Smart Fuzzing and Beyond Koushik Sen EECS Department University of California, Berkeley https://people.eecs.berkeley.edu/~ksen/ 1 Programs are still written by humans, and will

1.62k views • 134 slides
Badger : Complexity Analysis with Fuzzing and Symbolic Execution Yannic Noller Rody Kersten

Badger : Complexity Analysis with Fuzzing and Symbolic Execution Yannic Noller Rody Kersten

Badger : Complexity Analysis with Fuzzing and Symbolic Execution Yannic Noller Rody Kersten Corina S. Pasareanu yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 1 Problem Solution Example

403 views • 17 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng Xu (Georgia Tech) Finding Race Conditions in Kernels 1 July 16, 2020 The game of attack and defense Bug fi nding Exploitation Pro fi t Meng Xu

2.82k views • 173 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang and Taesoo Kim, FINDING SECURITY BUGS Fuzzing Automated test to monitor exceptions (crashes &amp; memory leaks)

417 views • 17 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security Ahmed Rezine IDA, Linkpings Universitet Hsttermin 2020 Outline Overview Symbolic Execution Hoare Triples and Deductive Reasoning Outline

767 views • 33 slides
Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still missed Rare features Rare circumstances Nondeterminism Static analysis Can analyze all possible runs of a program An explosion

597 views • 25 slides
Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

11/27/2011 Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean Harrold Supported by NSF (CCF-0725202, CCF-0541048) and IBM (Software Quality Innovation Award) Symbolic Execution 35 Databases 30

558 views • 22 slides
symbolic deobfuscation Sbastien Bardin (CEA LIST) Sbastien Bardin GreHack 2017 | 1 ABOUT

symbolic deobfuscation Sbastien Bardin (CEA LIST) Sbastien Bardin GreHack 2017 | 1 ABOUT

CODE PROTECTION: the promises and limits of symbolic deobfuscation Sbastien Bardin (CEA LIST) Sbastien Bardin GreHack 2017 | 1 ABOUT MY LAB @CEA [Paris-Saclay, France] Sbastien Bardin GreHack 2017 | 2 IN A NUTSHELL

664 views • 40 slides
Using Unfoldings in Automated Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi,

Using Unfoldings in Automated Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi,

Using Unfoldings in Automated Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi, Keijo Heljanko (firstname.lastname@aalto.fi) Department of Computer Science and Engineering, Aalto University &amp; Helsinki Institute for

522 views • 41 slides
Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad Ureche, Cristian Zamfir, George Candea School of Computer and Communication Sciences Automated Software Testing Automated Industrial Techniques

1.25k views • 59 slides
Loop Analysis in KeY Tobias Gedell gedell@cs.chalmers.se 4th KeY Workshop - L okeberg June

Loop Analysis in KeY Tobias Gedell gedell@cs.chalmers.se 4th KeY Workshop - L okeberg June

Loop Analysis in KeY Tobias Gedell gedell@cs.chalmers.se 4th KeY Workshop - L okeberg June 9th, 2005 p. 1/29 Introduction There are currently two ways of handling loops in KeY: Symbolic execution - repeated unwinding of loops Can be

434 views • 29 slides
Quantifiers and Functions in Intuitionistic Logic Association for Symbolic Logic Spring Meeting

Quantifiers and Functions in Intuitionistic Logic Association for Symbolic Logic Spring Meeting

Quantifiers and Functions in Intuitionistic Logic Association for Symbolic Logic Spring Meeting Seattle, April 12, 2017 Rosalie Iemhoff Utrecht University, the Netherlands 1 / 37 Quantifiers are complicated. 2 / 37 Even more so in

519 views • 37 slides

More recommend