not all coverage measurements are equal
play

Not All Coverage Measurements Are Equal Fuzzing by Coverage - PowerPoint PPT Presentation

Jan 19, 2024 •272 likes •528 views

Not All Coverage Measurements Are Equal Fuzzing by Coverage Accounting for Input Prioritization NDSS Symposium 2020 YanhaoWang, Xiangkun Jia, Yuwei Liu, Kyle Zeng, Tiffany Bao, DinghaoWu, and Purui Su 1 AFL Family and Coverage-based Fuzzing

  1. Not All Coverage Measurements Are Equal Fuzzing by Coverage Accounting for Input Prioritization NDSS Symposium 2020 YanhaoWang, Xiangkun Jia, Yuwei Liu, Kyle Zeng, Tiffany Bao, DinghaoWu, and Purui Su 1

  2. AFL Family and Coverage-based Fuzzing AFLFast FairFuzz CollAFL QSYM AFL-Sensitive AFL Driller 2

  3. AFL Family and Coverage-based Fuzzing Input Coverage Feedback Program Fuzzer Crash Inputs 3

  4. Coverage-based Fuzzing: The Internals Input Prioritization Factors: Execution Time, Input Size, etc. Queue Prioritized input Queue Culling ( isFavor ) Other input Prioritized Queue Favored 4

  5. Coverage Measurements are Treated Equally if len < 256 Spend equal time on security-sensitive paths and security-insensitive paths a b memcpy(x, y, len) print error msg Delay finding vulnerabilities return 5

  6. Anti-Fuzzing if len < 256 b' a Inject fake coverage measurements n fake paths to mislead coverage-based fuzzers memcpy(x, y, len) print error msg return 6

  7. What then? 7

  8. do not We treat coverage measurements equally 8

  9. Coverage Accounting if len < 256 if len < 256 a a b b The prioritization of input reflects secu curity sensitivity memcpy(x, y, len) memcpy(x, y, len) print error msg print error msg return return 9

  10. Coverage Accounting What should be the indicators? function level basic block level loop level Design a new queue culling scheme based on coverage accounting metrics 10

  11. Function Level malloc free ...... memcpy memmove memset Some functions are inherently likely to be involved in memory corruptions We crawled call-stacks from webpages of all CVEs in the latest 4 years Funct ction Nu Number ber Funct ction Number Nu ber 80 12 memcpy free 35 12 strlen memset 17 11 ReadImage delete 15 10 malloc memcmp 12 9 memmove getString 11

  12. Loop Level 1 Incorrect looping condition is often the root 2 3 cause of memory corruption vulnerabilities 4 5 12

  13. Basic Block Level read 1 shl [rbp+var1], 4 1 shl [rbp+var1], 4 write 2 mov edx, [rbp+var1] 2 mov edx, [rbp+var1] 3 mov eax, edx 3 mov eax, edx 4 shl eax, 4 4 shl eax, 4 5 add eax, edx 5 add eax, edx 6 mov [rbp+var1], eax 6 mov [rbp+var1], eax 7 mov rdx, [rbp+var2] 7 mov rdx, [rbp+var2] 8 mov rax, [rbp+i] 8 mov rax, [rbp+i] 9 add rax, rdx 9 add rax, rdx 10 movzx edx, byte ptr [rax] 10 movzx edx, byte ptr [rax] 11 movzx eax, [rbp+var3] 11 movzx eax, [rbp+var3] 12 xor eax, edx 12 xor eax, edx 13 movzx eax, al 13 movzx eax, al 14 add [rbp+var1], eax 14 add [rbp+var1], eax 15 movzx edx, [rbp+var3] 15 movzx edx, [rbp+var3] 16 mov eax, edx 16 mov eax, edx 17 shl eax, 3 17 shl eax, 3 13

  14. Design Coverage Accounting Information Queue Security-sensitive prioritized input Queue Culling Security-insensitive ( isFavor ) prioritized input Other input Prioritized Queue Favored 14

  15. TortoiseFuzz: Coverage-based Fuzzer with Coverage Accounting FairFuzz AFLFast CollAFL AFL QSYM TortoiseFuzz AFL-Sensitive Driller 15

  16. TortoiseFuzz: Coverage-based Fuzzer with Coverage Accounting The Hare and The Tortoise Story, Bedtime Story by Kids Hut https://www.youtube.com/watch?v=eMXmMHVNx4U 16

  17. Implementation We implement co accounting on AFL as To coverag age acco TortoiseFuzz TortoiseFuzz for both source code and binaries We implement To 17

  18. Experiment Setup We ran TortoiseFuzz on 30 real-world programs Each experiment lasted for 140 hours Each experiment was done 10 times We performed Mann-Whitney U test to measure statistical significance 18

  19. Vulnerability Discovery Average # of discovered vulnerabilities 45 40 35 TortoiseFuzz outperforms 5 30 state-of-the-art fuzzers and 25 achieves comparable results 20 with QSYM 15 10 5 0 TortoiseFuzz AFL AFLFast FairFuzz MOPT Angora QSYM 19

  20. Comparison with QSYM TortoiseFuzz uses 2 % of QSYM’s memory usage on average 20

  21. Complementary to Other Fuzzers Coverage accounting helps improve QSYM in discovering vulnerabilities Averag age # of disco covered vulnerab abilities QSYM QSYM + coverage accounting 39.8 51.2 28.6 % improvement 21

  22. Robustness to Anti-fuzzing if len < 256 b' a Fake paths do not contain many coverage n fake paths accounting info memcpy(x, y, len) print error msg return 22

  23. Robustness to Anti-fuzzing # of covered edges over time 12000 10000 8000 Coverage accounting metrics are more robust to anti-fuzzing 6000 4000 2000 0 0 12 24 36 48 60 72 AFL AFL+anti-fuzzing TortoiseFuzz TortoiseFuzz+anti-fuzzing 23

  24. Conclusion We propose coverage accounting which is complementary to other coverage-based fuzzers We design and implement TortoiseFuzz, and we are going to release it at https://github.com/TortoiseFuzz/TortoiseFuzz We evaluate TortoiseFuzz on 30 real-world programs and find 20 zero-day vulnerabilities TortoiseFuzz outperforms 5 state-of-the-art fuzzers and achieves comparable results with QSYM with 2 % of its memory usage 24

  25. Not All Coverage Measurements Are Equal Fuzzing by Coverage Accounting for Input Prioritization Thank you! Q & A Kyle Zeng zengyhkyle@asu.edu 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Equality: Are Some Equality: Are Some More Equal than than More Equal Others? Others? All

Equality: Are Some Equality: Are Some More Equal than than More Equal Others? Others? All

Equality: Are Some Equality: Are Some More Equal than than More Equal Others? Others? All animals are equal, but some animals are more equal than others. Orwell, G. (2004). Animal farm. New York: Signet. United States Bill of Rights

177 views • 13 slides
Not all Neurons are created equal: Towards a feature level Deep Neural Network Test Coverage

Not all Neurons are created equal: Towards a feature level Deep Neural Network Test Coverage

Not all Neurons are created equal: Towards a feature level Deep Neural Network Test Coverage Metric Nils Wenzler - CSC2125: Topics in Software Engineering Winter 2019 Problem DNN Problem Does it work? Does it really work? DNN Problem

767 views • 40 slides
Dairy Margin Coverage (DMC) Program Farm Service Agency USDA is a equal opportunity provider,

Dairy Margin Coverage (DMC) Program Farm Service Agency USDA is a equal opportunity provider,

Dairy Margin Coverage (DMC) Program Farm Service Agency USDA is a equal opportunity provider, employer, and lender. 1 www.fsa.usda.gov Welcome Cynthia Cuellar , National Outreach Specialist Hosts: Doug Kilgore , National Program Manager

400 views • 25 slides
Equal Value: How do We Get There? The Presentation Equal Pay and UN Global Compact

Equal Value: How do We Get There? The Presentation Equal Pay and UN Global Compact

Equal Pay for Work of Equal Value: How do We Get There? The Presentation Equal Pay and UN Global Compact Principles The concept of Equal Pay Advantages of Equal Pay The gender pay gap in numbers Why a gender pay gap?

303 views • 29 slides
K EY INSIGHTS FROM EQUAL EQUAL funding (particularly under the Adaptability pillar) has provided

K EY INSIGHTS FROM EQUAL EQUAL funding (particularly under the Adaptability pillar) has provided

EQUAL PAVES THE WAY FOR SOCIALLY RESPONSIBLE RESTRUCTURING In a recent presentation to the CEDEFOP[1] conference on Guidance for Workforce Development , held in Thessaloniki on 25/26 June 2007, the EQUAL programme had the opportunity to present its

341 views • 3 slides
INTERNET MEASUREMENTS ESNOG 10/4/2018 Barcelona (Janusz Jezowicz, Speedchecker Ltd)

INTERNET MEASUREMENTS ESNOG 10/4/2018 Barcelona (Janusz Jezowicz, Speedchecker Ltd)

MULTIPLATFORM INTERNET MEASUREMENTS ESNOG 10/4/2018 Barcelona (Janusz Jezowicz, Speedchecker Ltd) www.speedchecker.xyz Outline Introduction Choices of measurement platforms Coverage How to run measurements Sample

326 views • 17 slides
Pay Equity Law Federal Equal Pay Act Employers are required to provide equal pay for men and

Pay Equity Law Federal Equal Pay Act Employers are required to provide equal pay for men and

October 24, 2019 Pay Equity Law Federal Equal Pay Act Employers are required to provide equal pay for men and women for jobs within the same establishment that require: equal skill, effort and responsibility, and are performed under

629 views • 39 slides
The ADAAA in the Courts: Some Broad Observations Commissioner Chai R. Feldblum U.S. Equal

The ADAAA in the Courts: Some Broad Observations Commissioner Chai R. Feldblum U.S. Equal

The ADAAA in the Courts: Some Broad Observations Commissioner Chai R. Feldblum U.S. Equal Employment Opportunity Commission 8 th Circuit Judicial Conference 2014 ADAAA Purposes: (1) Expand and simplify coverage analysis should be quick and

431 views • 9 slides
GENI WiMax @ GEC11 Coverage Measurements Caleb Phillips caleb.phillips@colorado.edu Dirk

GENI WiMax @ GEC11 Coverage Measurements Caleb Phillips caleb.phillips@colorado.edu Dirk

GENI WiMax @ GEC11 Coverage Measurements Caleb Phillips caleb.phillips@colorado.edu Dirk Grunwald grunwald@cs.colorado.edu Bicycle Measurement Platform Cart-o-Science Measurement Rig Anritsu 2.4-2.5 GHz Antenna (5 dBi) GPS Antenna 2

597 views • 4 slides
European Quadricycles League (EQUAL) United- Kingdom PRESENTATION OF EQUAL EQUAL is the European

European Quadricycles League (EQUAL) United- Kingdom PRESENTATION OF EQUAL EQUAL is the European

European Quadricycles League (EQUAL) United- Kingdom PRESENTATION OF EQUAL EQUAL is the European association of manufacturers of quadricycles. We Represent key quadricycle manufacturers whos facilities are primarily based in France and Italy.

256 views • 10 slides
PingER End to End Internet measurements: what we learn Les Cottrell SLAC , Presented at the

PingER End to End Internet measurements: what we learn Les Cottrell SLAC , Presented at the

PingER End to End Internet measurements: what we learn Les Cottrell SLAC , Presented at the OARC/TechDay for the ICANN San Francisco March 7 th , 2011 1 Outline How do we measure? Coverage What do we find? Measure: Losses, RTT,

396 views • 24 slides
GPU Panel for Medicine at UMD Measurement Science Based on Full Coverage Microscopic

GPU Panel for Medicine at UMD Measurement Science Based on Full Coverage Microscopic

GPU Panel for Medicine at UMD Measurement Science Based on Full Coverage Microscopic Measurements Peter Bajcsy Information Technology Laboratory National Institute of Standards and Technology (NIST) Gaithersburg, MD, USA Measurement Problem

274 views • 6 slides
Coverage Towards a realistic coverage model Chenyang Lu Department of Computer Science and

Coverage Towards a realistic coverage model Chenyang Lu Department of Computer Science and

Outline Integrate coverage and connectivity Coverage Towards a realistic coverage model Chenyang Lu Department of Computer Science and Engineering Washington University in St. Louis 2 Motivation Sufficient Service

672 views • 7 slides
Occupy Central Coverage 2014 Coverage via Facebook Coverage via Twitter Liveblogging the Events

Occupy Central Coverage 2014 Coverage via Facebook Coverage via Twitter Liveblogging the Events

Occupy Central Coverage 2014 Coverage via Facebook Coverage via Twitter Liveblogging the Events Story Made for Video Video from All Angles First Chance to Stream Live Live on WSJ.com &amp; YouTube Overcoming Tech Obstacles Cash Overcomes

367 views • 26 slides
Logic-based test coverage Basic approach Clauses and predicates Basic coverage criteria: CC, PC,

Logic-based test coverage Basic approach Clauses and predicates Basic coverage criteria: CC, PC,

Logic-based test coverage Basic approach Clauses and predicates Basic coverage criteria: CC, PC, CoC Structural logic coverage of source code Logic coverage of specifications Active clause coverage criteria (GACC, CACC, RACC) Verificao e

829 views • 34 slides
Lesson 2 Greek Vocabulary One does not equal five!!! One does not equal five!!! One does not

Lesson 2 Greek Vocabulary One does not equal five!!! One does not equal five!!! One does not

Lesson 2 Greek Vocabulary One does not equal five!!! One does not equal five!!! One does not equal five!!! One does not equal five!!! One does not equal five!!! One does not equal five!!! One does not equal five!!! One does not equal

1.14k views • 87 slides
CS 744: DRF Shivaram Venkataraman Fall 2020 ML knowledge ADMINISTRIVIA q TEY Attend tM%L -

CS 744: DRF Shivaram Venkataraman Fall 2020 ML knowledge ADMINISTRIVIA q TEY Attend tM%L -

! morning good CS 744: DRF Shivaram Venkataraman Fall 2020 ML knowledge ADMINISTRIVIA q TEY Attend tM%L - - - Assignment 2 out! fainted Piazza , systems - Course Project students - Form groups? Cloud ~ 3 Google Form

886 views • 24 slides
De stina tio n Po int De fia nc e City o f T a c o ma a nd Me tro Pa rks De ve lo pme nt Re g

De stina tio n Po int De fia nc e City o f T a c o ma a nd Me tro Pa rks De ve lo pme nt Re g

De stina tio n Po int De fia nc e City o f T a c o ma a nd Me tro Pa rks De ve lo pme nt Re g ula tio n Ag re e me nt IPS Co mmitte e Me e ting F e b rua ry 11, 2015 20-Ye a r Ma ste r Pla n fo r Po int De fia nc e Pa rk E ffo rt

220 views • 8 slides
Logic Programming Using Data Structures Part 1 Temur Kutsia Research Institute for Symbolic

Logic Programming Using Data Structures Part 1 Temur Kutsia Research Institute for Symbolic

Logic Programming Using Data Structures Part 1 Temur Kutsia Research Institute for Symbolic Computation Johannes Kepler University of Linz, Austria kutsia@risc.jku.at Contents Structures and Trees Lists Recursive Search Mapping

570 views • 35 slides
PE-Miner : Mining Structural Information to Detect Malicious Executables in Realtime M. Zubair

PE-Miner : Mining Structural Information to Detect Malicious Executables in Realtime M. Zubair

PE-Miner : Mining Structural Information to Detect Malicious Executables in Realtime M. Zubair Shafiq, S. Momina Tabish, Fauzan Mirza, Muddassar Farooq RAID,2009

881 views • 36 slides
CSE 311 Foundations of Computing I Fall 2014 Remember, the site is

CSE 311 Foundations of Computing I Fall 2014 Remember, the site is

CSE 311 Foundations of Computing I Fall 2014 Remember, the site is http://tinyurl.com/ynlecture Get started on the green handout! Negations of Quantifiers x PurpleFruit(x) Domain: Fruit All fruits are

680 views • 21 slides
Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller &amp; Baileys ECE 422 Cryptography is the study/practice of techniques for s ecure communication , even in the

732 views • 33 slides
The 2020 Census: Why Ensuring A Fair and Accurate Count Matters July 18, 2017 Co-sponsored by

The 2020 Census: Why Ensuring A Fair and Accurate Count Matters July 18, 2017 Co-sponsored by

7/18/2017 The 2020 Census: Why Ensuring A Fair and Accurate Count Matters July 18, 2017 Co-sponsored by 1 7/18/2017 Terri Ann Lowenthal is a nationally recognized expert on the U.S. census. During a 14-year career as a congressional aide,

468 views • 16 slides
Economics and Behavior Allan Fong CMSC 818D April 30, 2015 Decision making Economics Privacy

Economics and Behavior Allan Fong CMSC 818D April 30, 2015 Decision making Economics Privacy

Economics and Behavior Allan Fong CMSC 818D April 30, 2015 Decision making Economics Privacy and Security application What can be done Decision making Economics Privacy and Security application What can be done WHY DID YOU DO THAT?

862 views • 65 slides

More recommend