structure aware fuzzing
play

Structure-aware fuzzing for real-world projects Rka Kovcs Etvs - PowerPoint PPT Presentation

Aug 27, 2022 •100 likes •387 views

Structure-aware fuzzing for real-world projects Rka Kovcs Etvs Lornd University, Hungary rekanikolett@gmail.com 1 Overview tutorial, no groundbreaking discoveries Motivation growing code size -> growing number of bugs

  1. Structure-aware fuzzing for real-world projects Réka Kovács Eötvös Loránd University, Hungary rekanikolett@gmail.com 1

  2. Overview tutorial, no groundbreaking discoveries ● Motivation growing code size -> growing number of bugs ● big tech companies started to systematically fuzz their ● code recently we all should ● 2

  3. Quality assurance coding guidelines ● compiler warnings ● code review ● test suite ● static analysis ● dynamic analysis ● random testing ● 3

  4. Let’s look at who’s using this technology today. 4

  5. Who is fuzzing their code today? Microsoft ● every untrusted interface of every product is fuzzed ○ (Security Development Lifecycle) 670 machine-years devoted to fuzz Microsoft Edge & ○ Internet Explorer, more than 400 billion DOM manipulations generated from 1 billion HTML files Project Springfield (2016) ○ https://docs.microsoft.com/en-gb/microsoft-edge/deploy/group-policies/security -privacy-management-gp https://www.microsoft.com/en-us/security-risk-detection/ 5

  6. Who is fuzzing their code today? Google ● Chromium is fuzzed continuously with 15.000 cores ○ external reporters invited to write fuzzers ○ OSS-fuzz (2016): 158 open-source projects including ○ Boost, Coreutils, CPython, FFmpeg, Firefox, LLVM, OpenSSH, OpenSSL, … https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf https://security.googleblog.com/2014/01/ffmpeg-and-thousand-fixes.html https://opensource.google.com/projects/oss-fuzz 6

  7. When did this all start? 7

  8. History of fuzzing recently became a synonym for penetration testing ● term “fuzzing ”coined by prof. Bart Miller, University of ● Wisconsin-Madison 1990: original “fuzzing” paper ● Miller, B.P., Fredriksen, L. and So, B., 1990. An empirical study of the reliability of UNIX utilities. Communications of the ACM , 33 (12), pp.32-44. completely random input to UNIX utilities ○ 25-33% crashed ○ 8

  9. History of fuzzing 1995: “Fuzz Revisited”: network apps, GUI apps ● Miller, B.P., Koski, D., Lee, C.P., Maganty, V., Murthy, R., Natarajan, A. and Steidl, J., 1995. Fuzz revisited: A re-examination of the reliability of UNIX utilities and services . Technical report. 2000: Windows NT applications ● Forrester, J.E. and Miller, B.P., 2000, August. An empirical study of the robustness of Windows NT applications using random testing. In Proceedings of the 4th USENIX Windows System Symposium (Vol. 4, pp. 59-68). 2006: MacOS applications: 22/30 GUI apps crashed ● Miller, B.P., Cooksey, G. and Moore, F., 2006, July. An empirical study of the robustness of macos applications using random testing. In Proceedings of the 1st international workshop on Random testing (pp. 46-54). ACM. 9

  10. History of fuzzing “smart” fuzzers: 2011: CSmith https://embed.cs.utah.edu/csmith/ ● Yang, X., Chen, Y., Eide, E. and Regehr, J., 2011, June. Finding and understanding bugs in C compilers . In ACM SIGPLAN Notices (Vol. 46, No. 6, pp. 283-294). ACM. generates well-formed C programs from scratch ○ created to test compilers ○ ~80 gcc bugs, ~200 clang bugs reported ○ 10

  11. History of fuzzing “smart” fuzzers: 2012: SAGE ● Godefroid, P., Levin, M.Y. and Molnar, D., 2012. SAGE: whitebox fuzzing for security testing . Queue , 10 (1), p.20. ○ discovers new corner cases efficiently by combining symbolic execution and dynamic analysis if (x == 179000) abort(); // error 11

  12. Great! I want to fuzz my code. How do I go about it? 12

  13. How does fuzzing work? John Regehr & Sean Bennett: Software Testing https://eu.udacity.com/course/software-testing--cs258 random software test case under oracle generator test save it output not OK output OK 13

  14. Oracles John Regehr & Sean Bennett: Software Testing https://eu.udacity.com/course/software-testing--cs258 Weak Strong crash (hardware, OS) alternative implementation ● ● differential testing ○ rule violation of enhanced ● old version of software ○ execution environment reference implementation ○ Valgrind ○ inverse function pair ● sanitizers ○ e.g. encrypt/decrypt ○ Medium null space transformation ● assertions ● 14

  15. Input structure e.g. web browsers random bits “dumb” fuzzer protocol-correct code valid HTML “smart” fuzzer scripts, forms 15

  16. Program structure low coverage Black-box fuzzer “shallow” bugs fast no coverage feedback ● Grey-box fuzzer lightweight instrumentation ● e.g. AFL, libFuzzer ● White-box fuzzer “deep” bugs slow heavyweight program analysis ● high coverage e.g. SAGE ● 16

  17. Reuse of input seeds input space Generative synthetize test cases from scratch ● mutated input complex, a lot of work ● e.g. CSmith ● Mutation-based modify (non-)random test cases ● synthetized input treats input as a bag of bits ● e.g. AFL, libFuzzer ● 17

  18. This is too complicated. I want to set it up easily. What are my options? 18

  19. Tools if your code has never been fuzzed: black-box fuzzers ● probably will find some bugs ○ white-box fuzzers are a lot of work ● excellent grey-box fuzzers! ● AFL, libFuzzer ○ coverage-guided ○ can generate fairly structured inputs ○ e.g. JPEGs, IR code, primitive C programs ■ 19

  20. AFL: American Fuzzy Lop http://lcamtuf.coredump.cx/afl/ brute-force fuzzer with an instrumentation-guided ● genetic algorithm uses a modified form of edge coverage to pick up ● changes to program control flow needs user-supplied test cases that it can mutate ● result: a corpus of interesting test cases ● 20

  21. AFL: American Fuzzy Lop algorithm roughly: ● load initial test cases into a queue ○ take next input from the queue ○ try to trim the test case ○ repeatedly mutate the file ○ if any of the mutations resulted in a new state, add ○ the mutated output to the queue 21

  22. #include <iostream> int hi(const std::string &data, std::size_t size) { if (size > 0 && data[0] == 'H') if (size > 1 && data[1] == 'I') if (size > 2 && data[2] == '!') __builtin_trap(); return 0; } int main() { std::string s; std::cin >> s; return hi(s, s.length()); } 22

  23. 23

  24. libFuzzer https://llvm.org/docs/LibFuzzer.html in-process, coverage-guided, evolutionary fuzzing engine ● code coverage information provided by LLVM’s ● SanitizerCoverage generates mutations on the corpus of input data in order ● to maximize the code coverage works without initial seeds ● 24

  25. libFuzzer: input generation generic random fuzzing ● e.g. clang-fuzzer, clang-format-fuzzer, ... ○ https://llvm.org/docs/FuzzingLLVM.html custom mutators ● Justin Bogner: Adventures in Fuzzing Instruction Selection ○ https://www.youtube.com/watch?v=UBbQ_s6hNgg structured fuzzing using libprotobuf-mutator ● Kostya Serebryany: Structure-aware fuzzing for Clang and ○ LLVM with libprotobuf-mutator https://www.youtube.com/watch?v=U60hC16HEDY 25

  26. Protocol buffers message Const { message UnaryOp { required int32 val = 1; enum UnOp { } ABS = 1; SQRT = 2; message BinaryOp { }; enum BinOp { required UnOp kind = 1; PLUS = 0; required Expr arg = 2; MINUS = 1; } MUL = 2; DIV = 3; message Expr { MOD = 4; oneof expr_oneof { }; Const constant = 1; required BinOp kind = 1; BinaryOp binop = 2; required Expr left = 2; UnaryOp unop = 3; required Expr right = 3; } } } 26

  27. Thank you! 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Structure-aware fuzzing for Clang and LLVM with libprotobuf-mutator Kostya Serebryany, Vitaly

Structure-aware fuzzing for Clang and LLVM with libprotobuf-mutator Kostya Serebryany, Vitaly

Structure-aware fuzzing for Clang and LLVM with libprotobuf-mutator Kostya Serebryany, Vitaly Buka, Matt Morehouse; Google October 2017 Agenda Fuzzing Fuzzing Clang/LLVM Fuzzing Clang/LLVM better (structure-aware)

914 views • 35 slides
Taintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Taintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Taintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang Tao Wei Guofei Gu Wei Zou March 12, 2014 Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope Taintscope is: A Fuzzing tool

742 views • 42 slides
Coverage-Guided Fuzzing Dynamic Static Smart Coverage Structure Algorithms Security

Coverage-Guided Fuzzing Dynamic Static Smart Coverage Structure Algorithms Security

Coverage-Guided Fuzzing Dynamic Static Smart Coverage Structure Algorithms Security Testing Andreas Zeller, Saarland University Our Goal We want to cause the program to fail We have seen random (unstructured) input

868 views • 69 slides
WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono

WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono

WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono DElia and Emilio Coppa @andreafioraldi andreafioraldi@gmail.com Format-aware Fuzzing Input Input Program Crashes Format Generation Under

666 views • 63 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&amp;D firstname dot lastname at orange-ftgroup dot com research &amp; development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction Fuzzing Media Content in Android Data Generation Fuzzing the Stagefright Framework Logging &amp; Triage Mechanisms 2 Introduction Fuzzing

1.12k views • 38 slides
NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein, Junfeng Yang, Baishakhi Ray, and Suman Jana Columbia University 1 Fuzzing: a popular way to uncover bugs [Liang et al. 2019] 2 Evolutionary Fuzzing

1.02k views • 26 slides
ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma background What is fuzzing: feed random inputs to trigger as many crashes and hangs as possible What is state-of-the-art of fuzzing research:

494 views • 18 slides
Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of

Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of

Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of Computer Science CAV 2017 ETH Zurich July 22-28, Heidelberg Writing a Static Analyzer Framework for Java Static Type Checker Static Type

805 views • 46 slides
Everybody be Cool, This is a Robbery! Normal: Normal: Emphasis: Emphasis: Jean-Baptiste Bedrune

Everybody be Cool, This is a Robbery! Normal: Normal: Emphasis: Emphasis: Jean-Baptiste Bedrune

Color Scheme Color Scheme 52 29 89 89 89 89 55 32 89 89 40 68 121 37 121 200 208 200 226 194 194 153 153 255 153 153 150 153 153 0 Text Formatting Text Formatting Everybody be Cool, This is a Robbery! Normal:

766 views • 57 slides
An OCL Map Type Edward Willink Willink Transformations Ltd Eclipse Foundation MMT Component

An OCL Map Type Edward Willink Willink Transformations Ltd Eclipse Foundation MMT Component

An OCL Map Type Edward Willink Willink Transformations Ltd Eclipse Foundation MMT Component co-Lead OCL Project Lead QVTd Project Lead QVTo Committer OMG (Model Driven Solutions) OCL 2.3, 2.4, 2.5 RTF Chair QVT 1.2, 1.3, 1.4 RTF Chair OCL

553 views • 7 slides
Web applications are used extensively in many areas: We will rely on web applications more in

Web applications are used extensively in many areas: We will rely on web applications more in

Muath Alkhalaf 1 Shauvik Roy Choudhary 2 Mattia Fazzini 2 Tevfik Bultan 1 Alessandro Orso 2 Christopher Kruegel 1 1 UC Santa Barbara 2 Georgia Tech Web applications are used extensively in many areas: We will rely on web applications more in

872 views • 47 slides
Opensource Column Store Databases: MariaDB ColumnStore vs. ClickHouse Alexander Rubin

Opensource Column Store Databases: MariaDB ColumnStore vs. ClickHouse Alexander Rubin

Opensource Column Store Databases: MariaDB ColumnStore vs. ClickHouse Alexander Rubin VirtualHealth About me Working with MySQL for 10-15 years Started at MySQL AB 2006 - Sun Microsystems, Oracle (MySQL Consulting) - Percona since

644 views • 50 slides
Monadic Imperatjve languages C# Java C / C++ Fortran Subtract abstractjons Scala Add

Monadic Imperatjve languages C# Java C / C++ Fortran Subtract abstractjons Scala Add

by Mario Fusco mario.fusco@gmail.com twitter: @mariofusco Monadic Imperatjve languages C# Java C / C++ Fortran Subtract abstractjons Scala Add abstractjons F# Hybrid languages Algol Lisp ML Haskell Functjonal languages new

1.71k views • 73 slides
What is fuzzing? A kind of random testing Goal : make sure certain bad things dont

What is fuzzing? A kind of random testing Goal : make sure certain bad things dont

What is fuzzing? A kind of random testing Goal : make sure certain bad things dont happen, no matter what ! Crashes, thrown exceptions, non-termination ! All of these things can be the foundation of security vulnerabilities

1.57k views • 14 slides
One-Slide Summary Programming The substitution model for evaluating Scheme does with not

One-Slide Summary Programming The substitution model for evaluating Scheme does with not

One-Slide Summary Programming The substitution model for evaluating Scheme does with not allow us to reason about mutation. In the environment model : State A name is a place for storing a value. define , cons and function application

361 views • 11 slides

More recommend