
Scheduling Black-box Mutational Fuzzing, ACM CCS 2013, Maverick Woo: presentation slides



  1. Scheduling Black-box Mutational Fuzzing, ACM CCS 2013. Maverick Woo, Carnegie Mellon University, pooh@cmu.edu

  2. Our Crew: Maverick Woo, Sang Kil Cha, Samantha Gottlieb, David Brumley

  3. The Story

  4. Typical Exploit Generation: Bug Finding (Fuzzing) → crashes → Bug Triage → bugs → Exploit Generation

  5. Scheduling is Equally Important: Ordering, Time Allocation

  6. Scheduling Black-box Mutational Fuzzing

  7. Scheduling Black-box Mutational Fuzzing
     [Diagram: Fuzzer → Test Input → Program → Termination / Crash]
     A common program testing technique popularized by Miller et al. in the late 1980s [18]
     • Use a fuzzer to generate test inputs to the program-under-test
     • At its simplest, look for crashes: memory corruption, uncaught exceptions, failed assertions, etc.

  8-9. Scheduling Black-box Mutational Fuzzing
     [Diagram: Seed Input → Fuzzer with PRNG(j) → Mutated Input → Program → Termination / Crash]
     A black-box fuzzer observes a program's I/O behavior only
     • cf. Whitebox Fuzzing by Godefroid et al. 2012 [11]
     • Simplification: only distinguish termination vs. crash
     Detect anomaly by mutating a valid input (= seed). Given a seed input s and a mutation ratio r:
     1. Select d = r × |s| bits in s uniformly at random
     2. Flip each selected bit with probability ½

  10-13. Scheduling Black-box Mutational Fuzzing
     [Diagram: Seed Input → Fuzzer with PRNG(j) → Mutated Input → Program → Termination / Crash]
     Key Observations:
     1. We can reproduce a program crash by storing (a) the seed input and (b) the PRNG seed
     2. Mutation = uniform sampling from the Hamming cube of radius d centered at s
     "Fuzz Configuration" = (i) program p, (ii) seed input s, (iii) mutation ratio r. With r fixed at 0.04%, a fuzz configuration is simply a "(program, seed) pair" in this talk.
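The mutation step of slides 8-9 and the two key observations of slides 10-13, as an added Python example (my own illustration, not code from the paper or its authors). It assumes |s| is the seed length in bits and that the only state needed to replay a run, besides the seed input, is the PRNG seed j.

```python
import random

def mutate(seed_input: bytes, ratio: float, prng_seed: int) -> bytes:
    """One black-box mutational fuzz run on seed s with mutation ratio r.

    1. select d = r * |s| bit positions of s uniformly at random
    2. flip each selected bit with probability 1/2
    All randomness comes from a PRNG seeded with prng_seed (PRNG(j) on the
    slides), so (seed_input, prng_seed) reproduces the mutant exactly.
    Assumption (mine): |s| is measured in bits.
    """
    rng = random.Random(prng_seed)
    nbits = len(seed_input) * 8
    d = int(ratio * nbits)
    positions = rng.sample(range(nbits), d)   # d distinct positions, uniform
    out = bytearray(seed_input)
    for pos in positions:
        if rng.random() < 0.5:                # flip with probability 1/2
            out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)

def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def in_hamming_cube(seed_input: bytes, mutated: bytes, ratio: float) -> bool:
    """Key observation 2: every mutant lies in the Hamming cube of radius
    d = r * |s| centred at s. Some selected bits stay unflipped, so the
    distance is at most d, not exactly d."""
    d = int(ratio * len(seed_input) * 8)
    return (len(mutated) == len(seed_input)
            and hamming_distance(seed_input, mutated) <= d)

def reproduce_crash(seed_input: bytes, ratio: float, prng_seed: int,
                    program) -> bool:
    """Key observation 1: replay the stored (seed input, PRNG seed) pair and
    confirm the same crash. `program` is any callable mapping an input to an
    outcome ID (0 = normal termination, anything else = triaged bug ID)."""
    first = program(mutate(seed_input, ratio, prng_seed))
    again = program(mutate(seed_input, ratio, prng_seed))
    return first != 0 and first == again
```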

  14. Scheduling Black-box Mutational Fuzzing
     A fuzz campaign comprises a sequence of epochs:
     1. takes a list of (program, seed) pairs as input
     2. at the beginning of each epoch, picks one (program, seed) pair to fuzz based on data collected from previous epochs
     We investigate two epoch types:
     • Fixed-run: fixed number of fuzz runs in each epoch (implemented in CMU CERT BFF v2.6 [14])
     • Fixed-time: fixed amount of time in each epoch (proposed in this paper; slightly harder to implement)

  15. Problem Statement
     Given a list of K fuzz configurations {(p_1, s_1), ..., (p_K, s_K)}, the Fuzz Configuration Scheduling (FCS) problem seeks to maximize the number of unique bugs discovered in a fuzz campaign that runs for a duration of length T.
     Important Assumptions:
     1. Only one configuration can be fuzzed within an epoch
     2. Separate program analysis of (p_i, s_i) is not allowed
     3. Bugs from different (p_i, s_i) are disjoint
     See paper for discussions

  16. How to Solve the FCS Problem?
     Two competing goals during a fuzz campaign:
     • Explore each (p_i, s_i) sufficiently often so as to identify pairs that can yield new bugs
       vs.
     • Exploit knowledge of (p_i, s_i) that are likely to yield new bugs by fuzzing them more
     Good News:
     • Clearly a Multi-Armed Bandit (MAB) problem!

  17. Multi-Armed Bandits

  18. MAB in Berlin

  19. How to Solve the FCS Problem? (explore-vs.-exploit slide, continued)
     Good News:
     • Clearly a Multi-Armed Bandit (MAB) problem!
     • Lots of published MAB algorithms: provably optimal algorithms for many settings, e.g., Auer et al. 2002 [2] handles certain adversarial cases

  20-21. How to Solve the FCS Problem?
     Bad News: recognizing "FCS ∈ MAB" is not enough
     (Recall: given a list of K fuzz configurations {(p_1, s_1), ..., (p_K, s_K)}, the FCS problem seeks to maximize the number of unique bugs discovered in a fuzz campaign that runs for a duration of length T.)
     1. Classic MAB: once you identify a good beer, it stays good ⇒ drink it often to accumulate rewards :)
     2. Our Setting: each program has a finite number of bugs ⇒ bug exhaustion gives diminishing returns :(
     We are not aware of MAB algorithms that cater to our case...
     ⇒ We need our own algorithms!

  22. Previously: Scheduling Black-box Mutational Fuzzing
     [Diagram: Seed Input → Fuzzer with PRNG(j) → Mutated Input → Program → Termination / Crash]
     Key Observations:
     1. We can reproduce a program crash by storing (a) the seed input and (b) the PRNG seed
     2. Mutation = uniform sampling from the Hamming cube of radius d centered at s

  23. Modeling Black-box Mutational Fuzzing
     [Diagram: Seed Input → Fuzzer with PRNG(j) → Mutated Input → Program → Termination / Crash]
     Consider the repeated fuzzings of a fixed (p_i, s_i) and let outcome_i(j) denote the j-th outcome in the sequence:
     • Termination ⇒ ID 0
     • Crash ⇒ bug ID obtained from bug triage
     Key Observation: BMF is memoryless, i.e., the outcome_i(j) are i.i.d. random variables for a fixed i

  24-25. Coupon Collector's Problem (CCP)
     Suppose every box of breakfast cereal comes with a coupon that is randomly chosen among M different coupon types
     • How many boxes do you expect to buy before you have collected at least one coupon of each type?
     Traditional Setting
     • Coupon types are uniformly distributed ⇒ Θ(M log M)
     Our Setting
     • Bugs do not occur uniformly at random ⇒ Weighted CCP
     • Prevalence of different bugs is unknown ahead of time (also observed by Arcuri 2010 [1])

  26-27. WCCP w/ Unknown is Intractable
     No Free Lunch Theorem [Illustration: ... vs. ...] (you did pay the registration, right?)
     Wolpert and Macready 2005 [22]
     • "Any two optimization algorithms are equivalent when their performance is averaged across all possible problems"

  28. "Bring Your Own Prior"
     No Free Lunch Theorem [Illustration: ... vs. ...]
     Wolpert and Macready 2005 [22]
     • "Any two optimization algorithms are equivalent when their performance is averaged across all possible problems"
     Circumvention may be possible!
     • NFL Theorem does not apply if we focus on distributions that are more likely to occur in practice
     • More accurate model ⇒ More accurate predictions ⇒ More bugs

  29. Rule of Three
     Q: Suppose we have flipped a biased H-T coin n times and every time it comes up H. Does Pr[T] have to be small?
     A: No; so long as Pr[T] < 1, our observation is always possible.
     Confidence intervals: Pr[T] < 3/n in 95% of all "parallel universes" (see discussion in Jovanovic 1997 [15])
     Usage:
     1. Suppose (p_i, s_i) has yielded n different outcomes so far
     2. Collectively call all n outcome types H
     3. With 95% confidence, Pr[T (i.e., new outcome)] < 3/n

  30. Algorithm Design Space
     We explore 3 dimensions in algorithm design and present 2 × (3 + 2 × 5) = 26 scheduling algorithms:
     • 2 Epoch Types: fixed-run, fixed-time
     • 5 MAB Algorithms: Round-Robin, Uniform-Random, EXP3.S.1 from Auer et al. 2002 [2], Weighted-Random, ε-Greedy (the last two w.r.t. belief metrics)
     • 5 Belief Metrics
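An added Python simulation (my own illustration, not the paper's implementation or CERT BFF) of the campaign structure from slides 14-15 and the design space on slide 30: fixed-run epochs over K configurations whose outcomes are i.i.d. (slide 23), scheduled either Round-Robin or ε-Greedy on a Rule-of-Three belief (slide 29). It assumes each configuration's outcome distribution is given as a dict hidden from the scheduler and, as my own choice, counts the Rule-of-Three n from the last run that produced a new outcome type, so exhausted configurations lose belief.

```python
import random

def rule_of_three_belief(runs_since_new: int) -> float:
    """Slide 29: after n runs with no new outcome type, Pr[new outcome] < 3/n
    with 95% confidence. n = 0 means still unfuzzed; belief 1.0 makes sure
    every configuration is explored at least once."""
    return 1.0 if runs_since_new == 0 else min(1.0, 3.0 / runs_since_new)

def simulate_campaign(configs, epochs, runs_per_epoch, policy="eps-greedy",
                      eps=0.1, rng_seed=1):
    """Fixed-run epoch scheduler over K fuzz configurations.

    configs[i] is a constructed outcome distribution for (p_i, s_i):
    {outcome_id: probability}, ID 0 = termination, other IDs = triaged bugs.
    Outcomes are sampled i.i.d. per configuration (BMF is memoryless).
    Returns (set of unique (config, bug_id) pairs, runs spent per config).
    """
    rng = random.Random(rng_seed)
    k = len(configs)
    runs = [0] * k                    # fuzz runs spent on each configuration
    since_new = [0] * k               # runs since a new outcome type appeared
    seen = [set() for _ in range(k)]  # outcome types observed so far
    found = set()                     # unique bugs (disjoint across configs)
    for epoch in range(epochs):
        if policy == "round-robin":
            i = epoch % k
        elif rng.random() < eps:      # explore a random configuration
            i = rng.randrange(k)
        else:                         # exploit: highest belief, first on ties
            i = max(range(k), key=lambda c: rule_of_three_belief(since_new[c]))
        ids, probs = zip(*configs[i].items())
        for _ in range(runs_per_epoch):
            outcome = rng.choices(ids, probs)[0]
            runs[i] += 1
            if outcome in seen[i]:
                since_new[i] += 1
            else:                     # new outcome type: belief resets to 1.0
                seen[i].add(outcome)
                since_new[i] = 1
            if outcome != 0:
                found.add((i, outcome))
    return found, runs
```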
