qs qsym ym a a p pract ctical con concol olic ex executi
play

QS QSYM YM : A : A P Pract ctical Con Concol olic Ex Executi - PowerPoint PPT Presentation

Jun 17, 2023 •387 likes •912 views

QS QSYM YM : A : A P Pract ctical Con Concol olic Ex Executi tion on En Engine Tailor ored for or Hyb Hybrid id F Fuzzin ing Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang , and Taesoo Kim Georgia Institute of Technology &

  1. QS QSYM YM : A : A P Pract ctical Con Concol olic Ex Executi tion on En Engine Tailor ored for or Hyb Hybrid id F Fuzzin ing Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang †, and Taesoo Kim Georgia Institute of Technology & Oregon State University † 27th USENIX Security Symposium August 16, 2018 1

  2. Two popular ways to find security bugs: Fuzzing & Concolic execution Fuzzing Symbolic Execution 2

  3. Fuzzing and Concolic execution have their own pros and cons • Fuzzing • Good: Finding general inputs • Bad: Finding specific inputs • Concolic execution • Good: Finding specific inputs • Bad: State explosion 3

  4. Hybrid fuzzing can address their problems • Use both techniques: Fuzzing + Concolic execution • Find specific inputs: Using concolic execution • Limit state explosion: Only fork at branches that are hard to fuzzing 4

  5. Hybrid fuzzing has achieved great success in small- scale study • e.g.) Driller: a state-of-the-art hybrid fuzzer • Won 3 rd place in CGC competition • Found 6 new crashes: cannot be found by fuzzing nor concolic execution 5

  6. However, current hybrid fuzzing suffers from problems to scale to real-world applications • Very slow to generate constraint • Cannot support complete system calls • Not effective in generating test cases 6

  7. Our system, QSYM, addresses these issues by introducing several key ideas • Discard intermediate layer for performance • Use concrete environment to support system calls • Introduce heuristics to effectively generate test cases 7

  8. QSYM is scalable to real-world software • 13 previously unknown bugs in open-source software • All applications are already fuzzed (OSS-Fuzz, AFL, …) • Including ffmpeg that is fuzzed by OSS-Fuzz for 2 years • Bugs are hard to pure fuzzing – require complex constraints 8

  9. Overview: Hybrid fuzzing in general t0 = GET:I32(ebp ) push ebp t1 = GET:I32(esp ) mov ebp, esp t2 = Sub32(t1,0x00000004) Program … … Basic block Intermediate Representations A[0] == ‘A’ Coverage && A[1] == ‘A’ && A[2] == ‘A’ … Constraints State forking Fuzzing Test cases 9

  10. Overview: Hybrid fuzzing in general t0 = GET:I32(ebp ) push ebp t1 = GET:I32(esp ) Performance mov ebp, esp t2 = Sub32(t1,0x00000004) overhead Program … … Basic block Intermediate Representations A[0] == ‘A’ Coverage && A[1] == ‘A’ && A[2] == ‘A’ … Constraints State forking Fuzzing Test cases 10

  11. Overview: QSYM 1. Instruction-level execution A[0] == ‘A’ push ebp && A[1] == ‘A’ mov ebp, esp && A[2] == ‘A’ Program … … Basic block Constraints Coverage Test cases Fuzzing 11

  12. Overview: Hybrid fuzzing in general t0 = GET:I32(ebp ) push ebp t1 = GET:I32(esp ) mov ebp, esp t2 = Sub32(t1,0x00000004) Program … … Basic block Intermediate Representations A[0] == ‘A’ Coverage && A[1] == ‘A’ && A[2] == ‘A’ … Constraints Incomplete State forking Fuzzing Test cases Environment modeling 12

  13. Overview: QSYM 1. Instruction-level execution 2. Concrete environment modeling A[0] == ‘A’ push ebp && A[1] == ‘A’ mov ebp, esp && A[2] == ‘A’ Program … … Basic block Constraints Coverage Test cases Fuzzing 13

  14. Overview: Hybrid fuzzing in general t0 = GET:I32(ebp ) push ebp t1 = GET:I32(esp ) mov ebp, esp t2 = Sub32(t1,0x00000004) Program … … Ineffective test case generation due to unsatisfiable paths Basic block Intermediate Representations A[0] == ‘A’ Coverage && A[1] == ‘A’ && A[2] == ‘A’ … Constraints State forking Fuzzing Test cases 14

  15. Overview: QSYM 1. Instruction-level execution 2. Concrete environment modeling A[0] == ‘A’ push ebp && A[1] == ‘A’ 3. Optimistic Solving mov ebp, esp && A[2] == ‘A’ Program … … Basic block Constraints Coverage Test cases Fuzzing 15

  16. Overview: Hybrid fuzzing in general t0 = GET:I32(ebp ) push ebp t1 = GET:I32(esp ) mov ebp, esp t2 = Sub32(t1,0x00000004) Program … Blocked … by complex logics Basic block Intermediate Representations A[0] == ‘A’ Coverage && A[1] == ‘A’ && A[2] == ‘A’ … Constraints State forking Fuzzing Test cases 16

  17. Overview: QSYM 1. Instruction-level execution 2. Concrete environment modeling A[0] == ‘A’ push ebp && A[1] == ‘A’ 3. Optimistic Solving mov ebp, esp && A[2] == ‘A’ Program … … Basic block Constraints 4. Basic block pruning Refer our paper Coverage Test cases Fuzzing 17

  18. Overview: Hybrid fuzzing in general t0 = GET:I32(ebp ) push ebp t1 = GET:I32(esp ) Performance mov ebp, esp t2 = Sub32(t1,0x00000004) overhead Program … … Basic block Intermediate Representations A[0] == ‘A’ Coverage && A[1] == ‘A’ && A[2] == ‘A’ … Constraints State forking Fuzzing Test cases 18

  19. Intermediate representations (IR) are good to make implementations easier • Provide architecture-independent interpretations • Can re-use code for all architectures • e.g. angr works on many architectures: x86, arm, and mips 19

  20. Problem1: IR incurs significant performance overhead • Increase the number of instructions • 4.7 times in VEX (IR used by angr) • Need to execute a whole basic block symbolically • Due to caching and optimization • Only 30% of instructions need to be symbolically executed 20

  21. Solution1: Execute instructions directly without using intermediate layer • Remove the IR translation layer • Pay for the implementation complexity 21

  22. QSYM reduces the number of instructions to execute symbolically • 126 CGC binaries 4x less 22

  23. Overview: Hybrid fuzzing in general t0 = GET:I32(ebp ) push ebp t1 = GET:I32(esp ) mov ebp, esp t2 = Sub32(t1,0x00000004) Program … … Basic block Intermediate Representations A[0] == ‘A’ Coverage && A[1] == ‘A’ && A[2] == ‘A’ … Constraints Incomplete State forking Fuzzing Test cases Environment modeling 23

  24. State forking can reduce re-execution overhead for constraint generation • No need to re-execute to reach the state • Recover from the snapshot 24

  25. State forking for kernel is non-trivial • State in concolic execution = Program state + Kernel state • Forking program state is trivial • Save application memory + register • Save constraints • Forking kernel state is non-trivial • Need to maintain all kernel data structures • e.g., file system, network state, memory system … 25

  26. Problem2: State forking introduces problems in either completeness or performance • Kernel modeling • e.g.) angr • Pros: Small performance overhead • Cons: Incompleteness – angr supports only 22 system calls in Linux • Full kernel emulation • e.g.) S2E • Pros: Completeness • Cons: Large performance overhead 26

  27. Solution2: Re-execute to use concrete environment instead of kernel state forking • Instead of state forking, re-execute from start • High re-execution overhead • Instruction-level execution • Basic block pruning • Limit constraint solving: Based on coverage from fuzzing 27

  28. Models minimal system calls and uses concrete values • Only model system calls that are relevant to user interactions • e.g.) standard input, file read, … • Other system calls: Call system call using concrete values • e.g.) mprotect(addr, sym_size , PROT_R) à mprotect(addr, conc_size , PROT_R) 28

  29. Problem: Concrete environment results in incomplete constraints • Add implicit constraints • e.g.) mprotect(addr, sym_size , PROT_R) à mprotect(addr, conc_size , PROT_R) • Without knowing semantics of system calls • Concretize: Over-constrained • Ignore: Under-constrained 29

  30. Unrelated constraint elimination can tolerate incomplete constraints x = int(input()) Constraints for x (Incomplete) y = int(input()) && y * y == 1337 * 1337 Path constraints # Incomplete constraints mprotect(addr, x, PROT_R) y * y == 1337 * 1337 if y * y == 1337 * 1337: Branch dependent constraints bug() x = Use concrete value y = 1337 30

  31. Overview: Hybrid fuzzing in general t0 = GET:I32(ebp ) push ebp t1 = GET:I32(esp ) mov ebp, esp t2 = Sub32(t1,0x00000004) Program … Ineffective test case generation … due to unsatisfiable paths Basic block Intermediate Representations A[0] == ‘A’ Coverage && A[1] == ‘A’ && A[2] == ‘A’ … Constraints State forking Fuzzing Test cases 31

  32. Problem3: Over-constrained paths results in no test cases type = int(input()) type = int(input()) if type == TYPE1: parse_TYPE1() type == TYPE1 type != TYPE1 … …. + long time if type == TYPE2: parse_TYPE2() type == TYPE2 Unsatisfiable: No test case 32

  33. Problem3: Over-constrained paths results in no test cases If these branches are independent type = int(input()) type = int(input()) if type == TYPE1: parse_TYPE1() type == TYPE1 type != TYPE1 … …. + long time if type == TYPE2: parse_TYPE2() type == TYPE2 33

  34. Solution3: Solve constraints optimistically type = int(input()) type = int(input()) if type == TYPE1: parse_TYPE1() type == TYPE1 type != TYPE1 … …. + long time if type == TYPE2: parse_TYPE2() type == TYPE2 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Pract ctical Cybersecu curity Ri Risk a and C Control Ma Maturi urity A y Asse ssessme

Pract ctical Cybersecu curity Ri Risk a and C Control Ma Maturi urity A y Asse ssessme

Pract ctical Cybersecu curity Ri Risk a and C Control Ma Maturi urity A y Asse ssessme ssments Brian Fricke, CISSP, CISM Chief Information Security Officer None of the data presented in this presentation represents the actual security

140 views • 13 slides
Practic Pra ctical al Experi perience ence to He o Help lp You our r Bu Busi siness

Practic Pra ctical al Experi perience ence to He o Help lp You our r Bu Busi siness

Reopening opening the e Wor orkplac kplace: e: Resour source ces, s, Be Best st Pra Practices, ctices, and Practic Pra ctical al Experi perience ence to He o Help lp You our r Bu Busi siness ness Th Thriv rive May 20,

389 views • 24 slides
QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang and Taesoo Kim, FINDING SECURITY BUGS Fuzzing Automated test to monitor exceptions (crashes & memory leaks)

417 views • 17 slides
QSym over Sym has a stable basis Aaron Lauve and Sarah Mason 3 August 2010 Aaron Lauve and Sarah

QSym over Sym has a stable basis Aaron Lauve and Sarah Mason 3 August 2010 Aaron Lauve and Sarah

Overview Symmetric and quasisymmetric polynomials The Bergeron-Reutenauer basis QSym over Sym has a stable basis Aaron Lauve and Sarah Mason 3 August 2010 Aaron Lauve and Sarah Mason QSym/Sym Overview Symmetric and quasisymmetric

736 views • 62 slides
Storytelli Storytelling ng in in Infosec Infosec (Draft aft of) a Pr Practical ctical Guide

Storytelli Storytelling ng in in Infosec Infosec (Draft aft of) a Pr Practical ctical Guide

Dr. med. Christina Czeschik www.serapion.de Storytelli Storytelling ng in in Infosec Infosec (Draft aft of) a Pr Practical ctical Guide ide BalCCon 2k17 Sept 16, 2017, Novi Sad How to Make Users Behave Safely? Explain things to them?

566 views • 52 slides
COURSE ELEMENTS NGA ARIA I ROTO NGA TIKANGA NGA TIKANGA THEORY PRA PRACTICA CTICAL

COURSE ELEMENTS NGA ARIA I ROTO NGA TIKANGA NGA TIKANGA THEORY PRA PRACTICA CTICAL

COURSE ELEMENTS NGA ARIA I ROTO NGA TIKANGA NGA TIKANGA THEORY PRA PRACTICA CTICAL DEVELOPMENT OF TRADITIONAL PERFORMANCE AND DANCE TECHNIQUES RESEARCH SKILLS SELF-CONFIDENCE COLLATION OF WHAIKORERO/VOCAL

287 views • 6 slides
Case S Studie dies a and P Practica ctical Inte terpreta tatio tions ns o of ISO

Case S Studie dies a and P Practica ctical Inte terpreta tatio tions ns o of ISO

QTS Confidential Case S Studie dies a and P Practica ctical Inte terpreta tatio tions ns o of ISO SO11607 07 Todd Engelken Gerry Gunderson, CPP March 11-13, 2013 Louisville, KY QTS is a Medical Device Outsourcing company

1.21k views • 61 slides
AA AAV9. 9. L LAM AMP-2B R 2B Reverses M Metabol olic a and Ph Physiologic Mu Multiorgan

AA AAV9. 9. L LAM AMP-2B R 2B Reverses M Metabol olic a and Ph Physiologic Mu Multiorgan

AA AAV9. 9. L LAM AMP-2B R 2B Reverses M Metabol olic a and Ph Physiologic Mu Multiorgan Dy Dysfunc uncti tion n in n a Mur urine ne Mo Model el of Da Dano non Di Disease Ana Maria Manso, Emily Gault, Sherin Hashem, Bradley

463 views • 17 slides
Act Active S Shoot ooter Be Best P Pract ctice ces With Special G Wit h Special Gues

Act Active S Shoot ooter Be Best P Pract ctice ces With Special G Wit h Special Gues

Act Active S Shoot ooter Be Best P Pract ctice ces With Special G Wit h Special Gues uest St Star ar: Y : YouT uTube ube Ron LaPedis Bay Area Emergency Managers Conference 2018 Act Active S Shoot ooter Be Best P Pract ctice

351 views • 31 slides
T RANSI T I ON 2 PRACT I CE Na po le o n B. Hig g ins, Jr., MD CE O a nd Pre side nt, Ba y

T RANSI T I ON 2 PRACT I CE Na po le o n B. Hig g ins, Jr., MD CE O a nd Pre side nt, Ba y

T RANSI T I ON 2 PRACT I CE Na po le o n B. Hig g ins, Jr., MD CE O a nd Pre side nt, Ba y Po inte Be ha vio ra l He a lth Se rvic e , I nc . Pre side nt, Ca uc us o f Bla c k Psyc hia trists, APA PHYSI CI AN, K NOW T HYSE L F

400 views • 14 slides
RE DUCI NG JUDI CI AL ST RE SS WI T H RE F L E CT I VE PRACT I CE Ho n. Eliza b

RE DUCI NG JUDI CI AL ST RE SS WI T H RE F L E CT I VE PRACT I CE Ho n. Eliza b

RE DUCI NG JUDI CI AL ST RE SS WI T H RE F L E CT I VE PRACT I CE Ho n. Eliza b e th C rnko vic h Je nnie C o le -Mo ssm a n LIMHP I ntro duc tio ns I n the I nte re st o f . Stre ss a nd judg ing L o ne line ss

254 views • 21 slides
West w ard H Ho A Apart m ent s Phoenix, A AZ Healt hy H Hom es Best Pract ct ice ces

West w ard H Ho A Apart m ent s Phoenix, A AZ Healt hy H Hom es Best Pract ct ice ces

West w ard H Ho A Apart m ent s Phoenix, A AZ Healt hy H Hom es Best Pract ct ice ces I nt egrat ing Healt h Care Wit h Housing Cat hedral Developm ent Group Ari rizona St at e Univers rsit y Aug Augus ust 2016 Introductions

323 views • 16 slides
(OPG) Meeting Welcome and Introductions OPG Executi utives es Chair ( ) Evelyn Hii Past

(OPG) Meeting Welcome and Introductions OPG Executi utives es Chair ( ) Evelyn Hii Past

Osler Parent Group Sept 26, 2018 (OPG) Meeting Welcome and Introductions OPG Executi utives es Chair ( ) Evelyn Hii Past Chair ( ) Robin Halpern Secretary ( ) Jessie Yu Treasurers ( ) Crystal Xu & Maggie

272 views • 26 slides
(OPG) Meeting Welcome and Introductions OPG Executi utives es Chair Evelyn Hii Past Chair

(OPG) Meeting Welcome and Introductions OPG Executi utives es Chair Evelyn Hii Past Chair

Osler Parent Group Nov 28, 2018 (OPG) Meeting Welcome and Introductions OPG Executi utives es Chair Evelyn Hii Past Chair Robin Halpern Secretary Jessie Yu Treasurers Crystal Xu & Maggie Wang Members-At-Large Susnita Lynch &

244 views • 23 slides
PRESENTATI ON OF JACQUELI NE COKE-LLOYD, EXECUTI VE DI RECTOR OF THE JAMAI CA EMPLOYERS

PRESENTATI ON OF JACQUELI NE COKE-LLOYD, EXECUTI VE DI RECTOR OF THE JAMAI CA EMPLOYERS

PRESENTATI ON OF JACQUELI NE COKE-LLOYD, EXECUTI VE DI RECTOR OF THE JAMAI CA EMPLOYERS FEDERATI ON ON THE ROLE OF ENTERPRI SE DEVELOPMENT I N PROMOTI NG DECENT WORK AT THE PREPARATORY MEETI NG OF THE HI GH LEVEL SEGMENT OF THE ECONOMI

315 views • 19 slides
DE F INING BE ST PRACT ICE F OR ADVE RSE E VE NT RE PORT ING WIT H INDUST RY-

DE F INING BE ST PRACT ICE F OR ADVE RSE E VE NT RE PORT ING WIT H INDUST RY-

1 1 TH A N N U A L M EETI N G O F I S M P P DE F INING BE ST PRACT ICE F OR ADVE RSE E VE NT RE PORT ING WIT H INDUST RY- SPONSORE D CL INICAL T RIAL MANUSCRIPT S April 28, 2015 Hya tt Re g e nc y Crysta l City

414 views • 17 slides
Validation of the Interface to the Routing System (I2RS) intermediate talk Kerem Saka June 15,

Validation of the Interface to the Routing System (I2RS) intermediate talk Kerem Saka June 15,

Chair for Network Architectures and Services Technical University of Munich (TUM) Validation of the Interface to the Routing System (I2RS) intermediate talk Kerem Saka June 15, 2016 Chair for Network Architectures and Services Department of

963 views • 13 slides
Networking and Protocol Architectures Examples ITS323: Introduction to Data Communications

Networking and Protocol Architectures Examples ITS323: Introduction to Data Communications

ITS323 Networks Layering TCP/IP Networking and Protocol Architectures Examples ITS323: Introduction to Data Communications Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 24 October 2014

299 views • 16 slides
Routing and Switching End-to-end delivery on layer 3 in TCP/IP terms Network Layer Primary

Routing and Switching End-to-end delivery on layer 3 in TCP/IP terms Network Layer Primary

IN2140: Introduction to Operating Systems and Data Communication Routing and Switching End-to-end delivery on layer 3 in TCP/IP terms Network Layer Primary task from a layer model perspective To provide service to the transport layer

377 views • 9 slides
CS 457 Lecture 12 Routing Fall 2011 IP Address and 24-bit Subnet Mask Address 12 34

CS 457 Lecture 12 Routing Fall 2011 IP Address and 24-bit Subnet Mask Address 12 34

CS 457 Lecture 12 Routing Fall 2011 IP Address and 24-bit Subnet Mask Address 12 34 158 5 00001100 00100010 10011110 00000101 11111111 11111111 11111111 00000000 255 255 255 0 Mask Scalability Improved Number related

333 views • 20 slides
On Under-Determined Dynamical Systems Oded Maler CNRS - VERIMAG Grenoble, France EMSOFT 2011

On Under-Determined Dynamical Systems Oded Maler CNRS - VERIMAG Grenoble, France EMSOFT 2011

On Under-Determined Dynamical Systems Oded Maler CNRS - VERIMAG Grenoble, France EMSOFT 2011 The ABC of Model Based Design To build complex systems other than by trial and error you need models Regardless of the language or tool used to

440 views • 30 slides
Radio-Activated Water (RAW) Systems RAW Exchange System Preliminary Design In-Process Stakeholder

Radio-Activated Water (RAW) Systems RAW Exchange System Preliminary Design In-Process Stakeholder

LBNF Long-Baseline Neutrino Facility Target Hall Radio-Activated Water (RAW) Systems RAW Exchange System Preliminary Design In-Process Stakeholder Buy-In Karl Williams, Raina Wang October 16, 2019 Target Hall RAW Exchange System Purpose of

301 views • 12 slides
CSE 6350 File and Storage System Infrastructure in Data centers Supporting Internet-wide Services

CSE 6350 File and Storage System Infrastructure in Data centers Supporting Internet-wide Services

CSE 6350 File and Storage System Infrastructure in Data centers Supporting Internet-wide Services MapReduce: Simplified Data Processing on Large Clusters Presenter: Uday Sagar Adusumalli Outline Introduction MapReduce Overview

329 views • 14 slides
Create your own type system in 1 hour Michael Ernst University of Washington

Create your own type system in 1 hour Michael Ernst University of Washington

Create your own type system in 1 hour Michael Ernst University of Washington http://CheckerFramework.org/ Motivation java.lang.NullPointerException java.lang.NullPointerException Java's type system is too weak Type checking prevents many

387 views • 28 slides

More recommend