
Semi-valid Input Coverage for Fuzz Testing. Petar Tsankov, Mohammad Torabi Dashti, David Basin. PowerPoint presentation (slide transcript)



  1. Semi-valid Input Coverage for Fuzz Testing. Petar Tsankov, Mohammad Torabi Dashti, David Basin. Institute of Information Security, ETH Zurich

  2. Fuzz Testing: Testing a PDF viewer. [Diagram: Valid inputs → PDF Viewer → Test Oracle → Pass / Fail.] Test oracle question: Are the PDF files displayed correctly?

  3. Fuzz Testing: Fuzz-testing a PDF viewer. [Diagram: Invalid inputs → PDF Viewer → Test Oracle → Pass / Fail.] Test oracle question: Are there any security faults? (e.g. memory errors)

  4-10. Semi-valid Inputs (built up over slides 4 to 10). [Diagram: inputs arriving at the PDF viewer are either opened and viewed (valid inputs), blocked (entirely-invalid inputs), or opened but not handled as valid (semi-valid inputs).] ● Entirely-invalid inputs get blocked. ● Semi-valid inputs are essential for fuzz testing.

  11. Coverage Criteria. [Diagram: cycle Generate → Test set → Measure → Coverage → Improve.] ● Low coverage hints at missing test cases. ● No existing coverage metric is tailored to fuzz testing: existing metrics do not tell us how thoroughly we have tested with semi-valid inputs.

  12. Coverage for Fuzz Testing

  13-20. Semi-valid Input Coverage (SVCov) (built up over slides 13 to 20). ● Constraints define whether an input is valid or not. Example constraint C1: "The third byte is the XOR of the first two bytes." [Diagram: the input domain; within it, the inputs that satisfy C1, and likewise the sets for C2 and C3; valid inputs are those that satisfy all constraints, semi-valid inputs satisfy some but not all, and entirely-invalid inputs satisfy none.] SVCov = (# covered semi-valid partitions) / (# total semi-valid partitions)

  21. SVCov Properties. SVCov = (# covered semi-valid partitions) / (# total semi-valid partitions) [Diagram: constraint sets C1, C2, C3.] ● Independent of the test generation method. ● Valid inputs do not contribute to SVCov. ● The usefulness of SVCov depends on the constraints. ● 100% SVCov does not guarantee that the tests reveal all faults.

  22-26. Using SVCov (built up over slides 22 to 26). [Diagram: constraints C1, C2, C3 and the fuzzing tool produce a test set, whose SVCov is measured.] Low SVCov points to: ● Problems with the fuzzing tool. ● Missing valid inputs. ● Redundant constraints.

  27. Case Study

  28. Case Study: Research questions. ● RQ1: Feasibility. Can we precisely define the semi-valid inputs of the SUT and efficiently measure SVCov? ● RQ2: Relevance to coverage. Does measuring SVCov provide meaningful information on how to improve a test set's coverage? ● RQ3: Relevance to discovering faults. Does increasing SVCov result in discovering additional faults?

  29. Case Study: Artifacts. ● Test subject: OpenSwan, an IKE implementation for Linux, 600K LOC. Input specification: RFC2407, RFC2408, RFC2409. ● Fuzzing tool: SecFuzz, a mutation-based fuzzer for security protocols. ● Test oracle: MemCheck, which detects memory errors. ● SVCov checker: currently supports only IKE.

  30. RQ1: Feasibility. ● We focused on "must (not) sentences" in the RFCs, e.g.: "If a message contains a proposal payload, then the proposal's next-payload field must be set to 2 or 0." ● The specification of constraints for IKE is straightforward: number of constraints: 217; time to extract the constraints: 8 person hours. ● Negligible overhead for measuring SVCov: time to check all constraints for each test case: 41 ms; time to execute a test case: 1000 ms.

  31. RQ2: Relevance to Coverage. SVCov (initial). [Chart: Coverage (0 to 1) against number of test cases (0K to 30K); series "Violated" and "SVCov"; annotations "Missing valid inputs or fuzz-operators" and "Imprecise fuzz-operators".] ● Many constraints are violated, but not uniquely. ● Some constraints are never violated.

  32. RQ2: Relevance to Coverage. SVCov analysis. ● Problems in the fuzzing tool: imprecision in the "insert payload" fuzz operator; inserted random numbers limited to [0, 100]; ... ● Missing valid inputs: no valid inputs for IPv6 and ASN.1 X500 DN. ● Redundant constraints. [Diagram: constraint sets C1, C2, C3.]

  33. RQ2: Relevance to Coverage. SVCov (after improvements). [Chart: Coverage (0 to 1) against number of test cases (0K to 30K); series "Violated" and "SVCov".] ● SVCov improved from 41% to 89%. ● All constraints are violated. ● 9% of the constraints are not uniquely violated.

  34. RQ3: Relevance to Discovering Faults. ● A previously unknown security fault was revealed after improving SVCov. [Diagram: valid input → SecFuzz → test case → OpenSwan → MemCheck reports an unallocated memory access.] ● The valid input was missing in the first experiment. ● The test case belongs to a semi-valid partition.

  35. SVCov Contributions. [Diagram: constraint sets C1, C2, C3.] ● Easy-to-use coverage for fuzz testing. ● Independent of the fuzz-testing technique. ● Pinpoints subtle problems in fuzz testing. ● Promising initial empirical results.

  36. Backup Slides

  37. Redundant Constraints. [Diagram: input domain with constraint sets C1, C2, C3, where the set for C2 lies inside the set for C1.] ● Constraint C1 is redundant: removing C1 does not change the set of valid inputs. ● Constraint C1 cannot be uniquely violated: any input that violates C1 also violates C2.

  38. Missing Valid Inputs. [Diagram: a constraint C of the form guard → target splits the input domain into three regions: violated (guard holds, target does not), non-vacuously satisfied (guard and target both hold), and vacuously satisfied (guard does not hold).] ● To violate a constraint we need an input that satisfies the constraint non-vacuously.

  39. Case Study: Setup. [Diagram: OpenSwan (initiator) produces valid inputs, SecFuzz turns them into fuzzed inputs for the SUT, OpenSwan (responder), which runs under MemCheck.] ● We measure and report SVCov of the fuzzed inputs. ● We measure SVCov of the valid inputs to check for missing inputs.
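The following is an added worked example of the SVCov idea from slides 20, 37, 38 and 39; it is not the authors' SVCov checker and the IKE constraints are not reproduced. It assumes one semi-valid partition per constraint, covered when a test input violates exactly that constraint (the "unique violation" of slides 31 and 37), and models each constraint as a guard/target pair as on slide 38. C1 is the XOR constraint from the slides; C2, C3 and the 4-byte "message" format are constructed, C3 being modelled on the IKE next-payload sentence of slide 30.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Iterable

Pred = Callable[[bytes], bool]


@dataclass(frozen=True)
class Constraint:
    name: str
    guard: Pred   # when the constraint applies ("guard" on slide 38)
    target: Pred  # what must hold when it applies ("target")

    def status(self, x: bytes) -> str:
        if not self.guard(x):
            return "vacuous"  # guard false: satisfied vacuously, cannot be violated by fuzzing it
        return "satisfied" if self.target(x) else "violated"


def violated_by(x: bytes, cs: Iterable[Constraint]) -> set[str]:
    return {c.name for c in cs if c.status(x) == "violated"}


def uniquely_violated(x: bytes, cs: list[Constraint]) -> str | None:
    """Name of the single constraint x violates, or None (valid, or not unique)."""
    v = violated_by(x, cs)
    return next(iter(v)) if len(v) == 1 else None


def svcov(tests: Iterable[bytes], cs: list[Constraint]) -> tuple[float, set[str]]:
    """Assumed metric: fraction of constraints uniquely violated by some test input."""
    covered = {n for x in tests if (n := uniquely_violated(x, cs)) is not None}
    return len(covered) / len(cs), covered  # valid inputs contribute nothing


def nonvacuous_in(valid: Iterable[bytes], cs: list[Constraint]) -> set[str]:
    """Constraints some valid input satisfies non-vacuously (slide 39 check); the rest lack a seed."""
    return {c.name for x in valid for c in cs if c.status(x) == "satisfied"}


XOR_OK: Pred = lambda x: x[2] == x[0] ^ x[1]
CONSTRAINTS = [  # constructed; C2 is stronger than C1, so C1 is redundant as on slide 37
    Constraint("C1", lambda x: len(x) >= 3, XOR_OK),
    Constraint("C2", lambda x: len(x) >= 3, lambda x: XOR_OK(x) and len(x) == 4 and x[3] == 0),
    Constraint("C3", lambda x: x[0] == 0x01, lambda x: x[1] in (0, 2)),
]
FUZZED = [  # constructed test set
    bytes([0x01, 0x02, 0xFF, 0x00]),  # violates C1 and C2: not unique, covers nothing
    bytes([0x01, 0x02, 0x03, 0x07]),  # violates only C2
    bytes([0x01, 0x05, 0x04, 0x00]),  # violates only C3 (next-payload 5)
    bytes([0x09, 0x05, 0x0C, 0x00]),  # valid; C3 is vacuous here
]

if __name__ == "__main__":
    score, covered = svcov(FUZZED, CONSTRAINTS)
    print(f"SVCov = {score:.2f}, covered {sorted(covered)}, never uniquely violated "
          f"{sorted({c.name for c in CONSTRAINTS} - covered)} (redundancy candidates)")
    print("missing valid seeds for", sorted({c.name for c in CONSTRAINTS} - nonvacuous_in([FUZZED[3]], CONSTRAINTS)))
```

Running it reports SVCov 0.67 with C1 never uniquely violated (the slide 37 situation) and, for a valid-input set consisting only of the last message, no non-vacuous seed for C3 (the slide 38 situation).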
