no source no problem
play

No source? No problem! High speed binary fuzzing Nspace & - PowerPoint PPT Presentation

Oct 25, 2022 •28 likes •488 views

No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk Fuzzing binaries is hard! Few tools, complex setup Fuzzing binaries in the kernel is even harder! New approach based on static rewriting High

  1. No source? No problem! High speed binary fuzzing Nspace & @gannimo

  2. About this talk ● Fuzzing binaries is hard! ◦ Few tools, complex setup ● Fuzzing binaries in the kernel is even harder! ● New approach based on static rewriting High Speed Binary Fuzzing - HexHive - 36C3 2

  3. Kernel + ≈ 100M LoC Libc Desktop High Speed Binary Fuzzing - HexHive - 36C3 3

  4. Fuzzing 101 OK Bug! Input generation Target High Speed Binary Fuzzing - HexHive - 36C3 4

  5. Efgective fuzzing 101 ● Test cases must trigger bugs ◦ Coverage-guided fuzzing ● The fuzzer must detect bugs ◦ Sanitization ● Speed is key (zero sum game)! High Speed Binary Fuzzing - HexHive - 36C3 5

  6. Fuzzing with source code ● Add instrumentation at compile time ● Short snippets of code for coverage tracking, sanitization, ... Instrumented Compiler Source code binary Coverage tracking, sanitization, ... High Speed Binary Fuzzing - HexHive - 36C3 6

  7. Application Application Libraries Source No source Kernel Drivers High Speed Binary Fuzzing - HexHive - 36C3 7

  8. Rewriting binaries ● Approach 0: black box fuzzing ● Approach 1: rewrite dynamically ◦ Translate target at runtime ◦ Terrible performance (10-100x slower) ● Approach 2: rewrite statically ◦ More complex analysis ◦ ...but much better performance! High Speed Binary Fuzzing - HexHive - 36C3 8

  9. Static rewriting challenges ● Simply adding code breaks the target mov [rax + rbx*8], rdi mov [rax + rbx*8], rdi < n e w c o d e > dec rbx dec rbx jnz -7 jnz -7 ● Need to fjnd all references and adjust them High Speed Binary Fuzzing - HexHive - 36C3 9

  10. Static rewriting challenges ● Scalars and references are indistinguishable ◦ Getting it wrong breaks the target m o v [ r b p - 0 x 8 ] , 0 x 4 0 0 a a e ? l o n g ( * f o o ) ( l o n g ) = & b a r ; l o n g f o o = 0 x 4 0 0 a a e ; High Speed Binary Fuzzing - HexHive - 36C3 10

  11. Instrumenting binaries in the kernel Sanitization Coverage-guided fuzzing Instrumenting binaries High Speed Binary Fuzzing - HexHive - 36C3 11

  12. Instrumenting binaries in the kernel Sanitization Coverage-guided fuzzing Instrumenting binaries High Speed Binary Fuzzing - HexHive - 36C3 12

  13. RetroWrite [Oakland ‘20] ● System for static binary instrumentation ● Symbolized assembly fjles easy to instrument ● Implements coverage tracking and binary ASan High Speed Binary Fuzzing - HexHive - 36C3 13

  14. Position-independent code ● Code that can be loaded at any address ● Required for: ASLR, shared libraries ● Cannot use hardcoded static addresses ◦ Must use relative addressing instead High Speed Binary Fuzzing - HexHive - 36C3 14

  15. Position-independent code ● On x86_64, PIC leverages RIP-relative addressing ◦ l e a r a x , [ r i p + 0 x 1 2 3 4 ] ● Distinguish references from constants in PIE binaries ◦ RIP-relative = reference, everything else = constant High Speed Binary Fuzzing - HexHive - 36C3 15

  16. Symbolization ● Symbolization replaces references with assembler labels lea rax, [rip + 0x1234] call 0x1337 dec rcx jnz -15 High Speed Binary Fuzzing - HexHive - 36C3 16

  17. Symbolization ● Symbolization replaces references with assembler labels loop1: lea rax, [rip + 0x1234] call func1 1) Relative jumps/calls dec rcx jnz loop1 High Speed Binary Fuzzing - HexHive - 36C3 17

  18. Symbolization ● Symbolization replaces references with assembler labels loop1: lea rax, [data1] call func1 1) Relative jumps/calls dec rcx 2) PC-relative addresses jnz loop1 High Speed Binary Fuzzing - HexHive - 36C3 18

  19. Symbolization ● Symbolization replaces references with assembler labels loop1: lea rax, [data1] call func1 1) Relative jumps/calls dec rcx 2) PC-relative addresses jnz loop1 3) Data relocations High Speed Binary Fuzzing - HexHive - 36C3 19

  20. Symbolization ● Symbolization replaces references with assembler labels loop1: lea rax, [data1] < n e w c o d e > 1) Relative jumps/calls call func1 2) PC-relative addresses dec rcx 3) Data relocations jnz loop1 High Speed Binary Fuzzing - HexHive - 36C3 20

  21. Instrumenting binaries in the kernel Sanitization Coverage-guided fuzzing Instrumenting binaries High Speed Binary Fuzzing - HexHive - 36C3 21

  22. Coverage-guided fuzzing ● Record test coverage (e.g. input[0] == ‘P’ with instrumentation) input[1] == ‘N’ ● Inputs that trigger new paths are “interesting” input[2] == ‘G’ ● Mutate interesting inputs to do_something() fail() discover new paths High Speed Binary Fuzzing - HexHive - 36C3 22

  23. Coverage-guided fuzzing https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html High Speed Binary Fuzzing - HexHive - 36C3 23

  24. Instrumenting binaries in the kernel Sanitization Coverage-guided fuzzing Instrumenting binaries High Speed Binary Fuzzing - HexHive - 36C3 24

  25. Address Sanitizer (ASan) ● Instrumentation catches memory corruption at runtime ◦ Arguably most dangerous class of bugs ● Very popular sanitizer ◦ Thousands of bugs in Chrome and Linux ● About 2x slowdown High Speed Binary Fuzzing - HexHive - 36C3 25

  26. ASan red zones Red zone char buf[4]; buf strcpy (buf, “AAAAA”); Red zone High Speed Binary Fuzzing - HexHive - 36C3 26

  27. Instrumenting binaries in the kernel Sanitization Coverage-guided fuzzing Instrumenting binaries High Speed Binary Fuzzing - HexHive - 36C3 27

  28. RetroWrite instrumentation ● Coverage tracking: instrument basic block starts ● Binary ASan: instrument all memory accesses, link with libASan High Speed Binary Fuzzing - HexHive - 36C3 28

  29. Kernel vs. userspace fuzzing Crash Tooling Determinism handling OS handles Single-threaded Easy to use and Userspace crashes code usually widely available gracefully deterministic Need VM to keep More complex Interrupts, many Kernel the system setup, fewer concurrent stable tools threads High Speed Binary Fuzzing - HexHive - 36C3 29

  30. Kernel binary fuzzing ● Approach 0: black box fuzzing ● Approach 1: dynamic translation ◦ Slow! (10x +) ◦ No sanitization like ASan ● Approach 2: Intel Processor Trace (or similar) ◦ Requires hardware support ◦ Still no sanitization ● Approach 3: static rewriting High Speed Binary Fuzzing - HexHive - 36C3 30

  31. kRetroWrite ● Apply RetroWrite to the kernel ● Implemented so far: support for Linux modules ● Demonstrates that RetroWrite applies to the kernel High Speed Binary Fuzzing - HexHive - 36C3 31

  32. kRetroWrite ● Kernel modules are always position-independent ● Linux modules are ELF fjles ◦ Reuse RetroWrite’s symbolizer ● Implemented code coverage and binary ASan High Speed Binary Fuzzing - HexHive - 36C3 32

  33. kRetroWrite coverage ● Idea: use kCov infrastructure ◦ Can interoperate with source-based kCov ● Call coverage collector at the start of each basic block ● Integrates with, e.g., syzkaller, or debugfs High Speed Binary Fuzzing - HexHive - 36C3 33

  34. kRetroWrite coverage cmp rbx, 1234 jz block1 mov [rax], rbx mov [rax], 1234 High Speed Binary Fuzzing - HexHive - 36C3 34

  35. kRetroWrite coverage c a l l t r a c e _ p c cmp rbx, 1234 jz block1 c a l l t r a c e _ p c c a l l t r a c e _ p c mov [rax], rbx mov [rax], 1234 High Speed Binary Fuzzing - HexHive - 36C3 35

  36. kRetroWrite binary ASan ● In userspace: link with libASan ● In kernel: build kernel with KASan (kernel ASan) ● Reuse modifjed userspace instrumentation pass High Speed Binary Fuzzing - HexHive - 36C3 36

  37. kRetroWrite binary ASan ● Instrument each memory access with a check ● Failed checks print a bug report ● Compatible with source-based kASan High Speed Binary Fuzzing - HexHive - 36C3 37

  38. Fuzzing with kRetroWrite ● Rewritten modules can be loaded and fuzzed with standard kernel fuzzers ● So far: tested with syzkaller High Speed Binary Fuzzing - HexHive - 36C3 38

  39. Instrumenting binaries in the kernel Sanitization Coverage-guided fuzzing Instrumenting binaries High Speed Binary Fuzzing - HexHive - 36C3 39

  40. Our experiments ● Userspace: SPEC2006 runtime performance ◦ RetroWrite ASan ◦ Source ASan ◦ Valgrind memcheck ● Kernel: fuzz fjlesystems/drivers with syzkaller ◦ Source KASan + kCov ◦ kRetroWrite KASan + kCov High Speed Binary Fuzzing - HexHive - 36C3 40

  41. Results - Userspace High Speed Binary Fuzzing - HexHive - 36C3 41

  42. Preliminary results - kernel Exec/s - BTRFS Source kRetroWrite High Speed Binary Fuzzing - HexHive - 36C3 42

  43. Demo

  44. Let’s test kRetroWrite on a fjlesystem High Speed Binary Fuzzing - HexHive - 36C3 44

  45. Instrumenting binaries in the kernel Sanitization Coverage-guided fuzzing Instrumenting binaries High Speed Binary Fuzzing - HexHive - 36C3 45

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Source:

Source:

We are Here Source: Max Pixel Source: David Dixon Source: Google Earth Source: Arpingstone Source: Lee Cannon Source: Richard Drdul Source: Nicolas Nova

467 views • 20 slides
THEIA GPU Open Source multicore programmable GPU Problem Statement Develop an open source 3D

THEIA GPU Open Source multicore programmable GPU Problem Statement Develop an open source 3D

THEIA GPU Open Source multicore programmable GPU Problem Statement Develop an open source 3D Graphic Processor (GPU). Develop a high level language to program the GPU. Provide all of the necessary tools, test-bench and regressions.

411 views • 18 slides
BFS and DFS Problem Solving Club Nov 2 2016 Breadth First Search (BFS) Review What is the

BFS and DFS Problem Solving Club Nov 2 2016 Breadth First Search (BFS) Review What is the

BFS and DFS Problem Solving Club Nov 2 2016 Breadth First Search (BFS) Review What is the main problem that BFS solves? Single Source Shortest Path (SSSP) on an unweighted graph - find shortest paths from a source vertex to all other

579 views • 6 slides
and Retrieval Source: H. Jegou Source: H. Jegou Source: H. Jegou Source: H. Jegou Source: H.

and Retrieval Source: H. Jegou Source: H. Jegou Source: H. Jegou Source: H. Jegou Source: H.

Semantic Image Indexing and Retrieval Source: H. Jegou Source: H. Jegou Source: H. Jegou Source: H. Jegou Source: H. Jegou Source: H. Jegou Source: H. Jegou Source: H. Jegou Outline State of the nation Early description methods

2.13k views • 130 slides
Increasing stability in the inverse source problem with attenuation and many frequencies Shuai

Increasing stability in the inverse source problem with attenuation and many frequencies Shuai

Introduction Increasing stability with attenuation Numerical algorithm for source identification Ongoing works Increasing stability in the inverse source problem with attenuation and many frequencies Shuai Lu (Fudan University) Joint work

825 views • 46 slides
The Bait &amp; Switch of Open Source Katrina Owen @kytrinyx GitHub an irresistible

The Bait &amp; Switch of Open Source Katrina Owen @kytrinyx GitHub an irresistible

The Bait &amp; Switch of Open Source Katrina Owen @kytrinyx GitHub an irresistible problem a perfect problem a perfect solution an irritating problem a tricky little hack a trivial problem annoying friction (irresistible)

1.33k views • 95 slides
Lecture 4 Matthieu Bloch 1 Source coding As shown in Fig. 1, the problem of source coding with

Lecture 4 Matthieu Bloch 1 Source coding As shown in Fig. 1, the problem of source coding with

1 Figure 1: Source coding with side information. assignments. can then analyze the probability of reconstruction error averaged over the set of all possible random sequences by assigning them a label drawn uniformly at random from a set of

456 views • 6 slides
Greedy algorithms Problem. Given a digraph G = ( V , E ) , edge lengths e 0 , source s

Greedy algorithms Problem. Given a digraph G = ( V , E ) , edge lengths e 0 , source s

Shortest-paths problem Greedy algorithms Problem. Given a digraph G = ( V , E ) , edge lengths e 0 , source s V , and destination t V , find the shortest directed path from s to t . Shortest paths in weighted graphs Tyler Moore

641 views • 6 slides
Source localization in electromyography: The Inverse Potential Problem Kees van den Doel Dept.

Source localization in electromyography: The Inverse Potential Problem Kees van den Doel Dept.

Source localization in electromyography: The Inverse Potential Problem Kees van den Doel Dept. of Computer Science, University of British Columbia, Vancouver, Canada with Uri Ascher, Dinesh Pai, Benjamin Gilles, Armin Curt, John Steeves

313 views • 15 slides
A Parallel Algorithm for the Single-Source Shortest Path Problem Kevin Kelley, Tao Schardl May

A Parallel Algorithm for the Single-Source Shortest Path Problem Kevin Kelley, Tao Schardl May

A Parallel Algorithm for the Single-Source Shortest Path Problem Kevin Kelley, Tao Schardl May 12, 2010 Outline The Problem Dijkstras Algorithm Gabows Scaling Algorithm Optimizing Gabow Parallelizing Gabow

340 views • 23 slides
Dijkstra s Algorithm Shortest Path Problem Directed graph G = (V , E) Source s l e = length

Dijkstra s Algorithm Shortest Path Problem Directed graph G = (V , E) Source s l e = length

Dijkstra s Algorithm Shortest Path Problem Directed graph G = (V , E) Source s l e = length of edge e l e 0 for all edges e Shortest path problem: (Google Maps!) find shortest path from s to all other nodes 1 a c 2 3 1 1 1 e

882 views • 18 slides
Individuals as Source of Social Order Marx The Problem How do humans achieve

Individuals as Source of Social Order Marx The Problem How do humans achieve

Individuals as Source of Social Order Marx The Problem How do humans achieve predictability (COORDINATION) overcome urge to self-serve (COOPERATION) In other words: what mechanisms lead to coordination and

561 views • 34 slides
February 27, 2013 Source: CBRE Source: CBRE Source: CBRE Source: CBRE Source: CBRE Miami

February 27, 2013 Source: CBRE Source: CBRE Source: CBRE Source: CBRE Source: CBRE Miami

MIAMI DADE INDUSTRIAL MARKET OVERVIEW February 27, 2013 Source: CBRE Source: CBRE Source: CBRE Source: CBRE Source: CBRE Miami Hialeah Infill $65/SF Total Space Available: 26,000 SF Rental Rate: $6 - $7.80 /SF/Year Min.

384 views • 14 slides
= k w ( p ) w v ( , v ) i 1 i Single Single- -destination shortest

= k w ( p ) w v ( , v ) i 1 i Single Single- -destination shortest

Single Single- -Source Shortest Paths Source Shortest Paths Single Single- -Source Shortest Paths Problem: Source Shortest Paths Problem: Given a Given a weighted graph ((G=( ((G=(V,E),w V,E),w), ), find a shortest path find a shortest

431 views • 4 slides
1. Invent Yourself source: www.dilbert.com Byung Hoon Cho New Zealand 2016 1 The Problem

1. Invent Yourself source: www.dilbert.com Byung Hoon Cho New Zealand 2016 1 The Problem

1. Invent Yourself source: www.dilbert.com Byung Hoon Cho New Zealand 2016 1 The Problem Truly random numbers are a very valuable and rare resource. Design, produce, and test a mechanical device for producing random numbers. Analyse to

1.06k views • 66 slides
1 Data Quality Issues Modeling Tools Most probabilistic record linkage DQ Problem :

1 Data Quality Issues Modeling Tools Most probabilistic record linkage DQ Problem :

Modeling Intruder behavior Partial Data Source 1 Pointers from Research on Data Confidentiality and Data Quality Partial Data Source 2 ? Re-identification Intruders model Prediction Ashish Sanil Partial Data Source m

409 views • 4 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents

Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents

Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents on Fun Facts Why 10 digits? Because and the 0 represents off people typically have 10 fingers and 10 toes, making it easy for counting! 2

119 views • 10 slides
Recycling 101 Webster Groves Presbyterian Church March 17, 2019 J.R. Walters The Problem

Recycling 101 Webster Groves Presbyterian Church March 17, 2019 J.R. Walters The Problem

Recycling 101 Webster Groves Presbyterian Church March 17, 2019 J.R. Walters The Problem One Day We make, use, and throw away a lot of stuff! On average a person in the U.S. produces

454 views • 28 slides
Enhancing Solid Waste Diversion in a Retail Environment: Edmonton, AB Case Study RecycleSmart

Enhancing Solid Waste Diversion in a Retail Environment: Edmonton, AB Case Study RecycleSmart

Enhancing Solid Waste Diversion in a Retail Environment: Edmonton, AB Case Study RecycleSmart Solutions Waste and recycling consulting and management service Founded in 2008 Offices in Richmond, Calgary, Kelowna and Toronto

264 views • 15 slides
ETH Zrich FFmpeg and a thousand fixes &gt;1,000 bugs found and fixed 2 person-years &amp;

ETH Zrich FFmpeg and a thousand fixes &gt;1,000 bugs found and fixed 2 person-years &amp;

Fine-Grained Control-Flow Integrity through Binary Hardening Mathias Payer, Antonio Barresi, Thomas R. Gross ETH Zrich FFmpeg and a thousand fixes &gt;1,000 bugs found and fixed 2 person-years &amp; fuzzing on large cluster

366 views • 23 slides
Non-Silicon Non-Binary Computing: Why Not? Elena Dubrova, Yusuf Jamal, Jimson Mathew Royal

Non-Silicon Non-Binary Computing: Why Not? Elena Dubrova, Yusuf Jamal, Jimson Mathew Royal

Non-Silicon Non-Binary Computing: Why Not? Elena Dubrova, Yusuf Jamal, Jimson Mathew Royal Institute of Technology Stockholm, Sweden Overview Motivation Introduction to multiple-valued computing Implementation of multiple-valued

489 views • 24 slides
On Target Coun-ng by Sequen-al Snapshots of Binary Proximity

On Target Coun-ng by Sequen-al Snapshots of Binary Proximity

On Target Coun-ng by Sequen-al Snapshots of Binary Proximity Sensors Tongyang Li, Yongcai Wang, Lei Song Ins-tute for Interdisciplinary Informa-on Sciences (IIIS),

303 views • 26 slides
Machine Learning for Fine-Grained Hardware Prefetcher Control Jason Hiebel Laura E. Brown

Machine Learning for Fine-Grained Hardware Prefetcher Control Jason Hiebel Laura E. Brown

Machine Learning for Fine-Grained Hardware Prefetcher Control Jason Hiebel Laura E. Brown Zhenlin Wang jshiebel@mtu.edu lebrown@mtu.edu zlwang@mtu.edu Department of Computer Science Michigan Technological University International

544 views • 31 slides

More recommend