testing and fuzzing
play

Testing and Fuzzing Gang Tan Penn State University Spring 2019 - PowerPoint PPT Presentation

Feb 11, 2024 •553 likes •1.17k views

Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some slides adapted from those by Trent Jaeger Our Goal Develop techniques to detect vulnerabilities automatically before they are exploited

  1. Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some slides adapted from those by Trent Jaeger

  2. Our Goal  Develop techniques to detect vulnerabilities automatically before they are exploited  How to find them?  Many techniques  Software testing  Fuzzing  Program analysis 3

  3. Program Testing  Testing: the process of running a program on a set of test cases and comparing the actual results with expected results  For the implementation of a factorial function, test cases could be {0, 1, 5, 10}  Testing cannot guarantee program correctness  What’s the simplest program that can fool the test cases above?  However, testing can catch many bugs 4

  4. Program Verification  A program takes some input and has some output  Verification: an argument that a program works on all possible inputs  The argument can be either formal or informal and is usually based on the static code of the program  If so, we say a program is correct  E.g., given an implementation of a factorial function f, we argue in program verification for all n, f(n) = n!  In general, the cost of program verification is high 5

  5. Example Program For Verification ‐ How should we argue the following program computes the factorial of n? int f (int n) { y := 1; z := 0; while (z != n) do { z := z + 1; y := y * z } return y; } Q: Actually, does the function work for all n? 6

  6. Software Testing “50% of my company employees are testers, and the rest spends 50% of their time testing!” Bill Gates 1995 7

  7. Testing Process expected output oracle test compare test data results real prog output 8

  8. Selecting Test Data  Testing is w.r.t. a finite test set  Exhaustive testing is usually not possible  E.g, a function takes 3 integer inputs, each ranging over 1 to 1000 • Suppose each test takes 1 second • Exhaustive testing would take ~31 years  Question: How do you design the test set?  Black‐box testing  White‐box testing (or, glass‐box) 9

  9. Black‐Box Testing  Generating test cases based on specification alone  Without considering the implementation (internals)  Advantage  Test cases are not biased toward an implementation • E.g., boundary conditions 10

  10. Generating Black‐Box Test Cases  Example static float sqrt (float x, float epsilon) // Requires: x >= 0 && .00001 < epsilon < .001 // Effects: Returns sq such that x-epsilon <= sq*sq <= x+ epsilon  The precondition can be satisfied  Either x=0 and .00001 < epsilon < .001,  Or x>0 and .00001 < epsilon < .001  Any test data should cover these two cases  Also test the case when x is negative and epsilon is outside the expected range 11

  11. More Examples static boolean isPrime (int x) // Effects: If x is a prime returns true else false  Test cases: cover both true and false cases; test numbers 0, 1, 2, and 3 static int search (int[ ] a, int x) // Effects: If a is null throws NullPointerException else if x is in a, returns i such that a[i]=x, else throws NotFoundException  Test cases? • a=null • A case where a[i]=x for some i • A case where x is not in the array a 12

  12. Boundary Conditions  Common programming mistakes: not handling boundary cases  Input is zero  Input is negative  Input is null  …  Test data should include these boundary cases 13

  13. Example Program static void appendVector (Vector v1, Vector v2) // Effects: If v1 or v2 is null throws NullPointerException else removes all elements of v2 and appends them in reverse order to the end of v1  Test cases?  v1=null;  v2=null  v1 is the empty vector  v2 is the empty vector  …  Another one is v1=v2  Aliases 14

  14. White‐Box Testing  Looking into the internals of the program to figure out a set of sufficient test cases static int maxOfThree (int x, int y, int z) // Effects: Return the maximum value of x, y and z  Black‐box test cases?  Now suppose you are given its implementation static int maxOfThree (int x, int y, int z) { if (x>y) if (x>z) return x; else return z; else if (y>z) return y; else return z; }  Looks like the implementation is divided into four cases • x>y and x>z • x>y and x<=z • x<=y, and y>z • x<=y, and y<=z  A reasonable strategy then is to cover all four cases 15

  15. Test Coverage  Idea: code that has not been covered by tests are likely to contain bugs  Divide a program into elements  Define the coverage of a test suite to be: # of elements executed by the test suite # of elements in total 16

  16. Test Coverage  Goodness is determined by the coverage of the program by the test set so far  Benefits  Can be used as a stopping rule: stop testing if 100% of elements have been tested  Can be used as a metric: a test set that has a test coverage of 80% is better than one that covers 70%  Can be used as test case generator: look for a test which exercises some statements not covered by the tests so far • The idea behind AFL 17

  17. Different Coverage Criteria  Usually based on control flow graphs (CFG)  Can have automated tool support  Statement coverage  Edge coverage  Edges in CFGs  Path coverage  … 18

  18. A Running Example 19

  19. Covering Statements 1: found = false; 2: counter = 0; 3: while ((counter < n) && (!found)) 4: { 5: if (table[counter] == element) 6: found = true; 7: 8: counter++; 9: }  Test data: table={3,4,5}; n=3; element=3  Does it cover all statements? • Yes  But does it cover all edges?  No, missing the edge from 3a to 10 and 5 to 7 20

  20. Statement Coverage in Practice  100% is hard  Usually about 85% coverage  Microsoft reports 80‐90% statement coverage  Safety‐critical application usually requires 100% statement coverage  Boeing requires 100% statement coverage 21

  21. Edge Coverage 1: found = false; 2: counter = 0; 3: while ((counter < n) && (!found)) 4: { 5: if (table[counter] == element) 6: found = true; 7: 8: counter++; 9: }  Test data to cover all edges  table={3,4,5}; n=3; element=3  table={3,4,5}; n=3; element=4  table={3,4,5}; n=3; element=6 22

  22. Path Coverage  Path‐complete test data  Covering every possible control flow path  For example static int maxOfThree (int x, int y, int z) { if (x>y) if (x>z) return x; else return z; if (y>z) return y; else return z; } // Effects: Return the maximum value of x, y and z  Test data is complete as long as the following four case are covered • x>y and x>z • x>y and x<=z • x<=y, and y>z • x<=y, and y<=z 23

  23. Covering All Paths  A program passes path‐complete test data doesn’t mean it’s correct static int maxOfThree (int x, int y, int z) { return x; }  Any non‐empty test data is path‐complete  Same goes for the case of all‐statement coverage, or all‐edge coverage  In general, code coverage can’t complain about missing cases 24

  24. Possibly Infinite # of Paths  If there is a loop in the program, then there are possibly infinite # of paths  In general, impossible to cover all of them  One Heuristic  Include test data that cover zero, one, and two iterations of a loop  Why two iterations? • A common programming mistake is failing to reinitialize data in the second iteration  This offers no guarantee, but can catch many errors 25

  25. Exercise: Figuring Out a Test Suite that Covers zero, one, and two iterations of the loop 1: found = false; 2: counter = 0; 3: while ((counter < n) && (!found)) 4: { 5: if (table[counter] == element) 6: found = true; 7: 8: counter++; 9: }  Test data  Zero iteration: table={ }; n=0; element=3  One iteration: table={3,4,5}; n=3; element=3  Two iterations: table={3,4,5}; n=2; element=4 26

  26. Combining Them All  A good set of test data combines various testing strategies  Black‐box testing • Generating test cases by specifications • Boundary conditions  White‐box testing • Test coverage (e.g., being edge complete) 27

  27. Example // Effects: If s is null throws NullPointerException, else returns true iff s is a palindrome boolean palindrome (String s) throws NullPointerException { int low=0; int high = s.length() -1; while (high>low) { if (s.charAt(low) != s.charAt(high)) return false; low++; high--; } return true; } 28

  28. Test Data for the Example  Based on spec.  s=null  s=“deed”  s=“abc”  s=“” (boundary condition)  s=“a” (boundary condition)  Based on the program  Not executing the loop  Returning false in the first iteration  Returning true after the first iteration  Returning false in the second iteration  Returning true after the second iteration 29

  29. Penetration Testing (Pen Testing)  Security‐oriented testing  Typically performed on a whole IT system, not just a single program  Good intentioned  Performed by white hackers  With the goal of reporting found vulnerabilities  Can be part of a security audit  National Cyber Security Center definition: "A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and 30 techniques as an adversary might."

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering

Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering

Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering autom ated reverse engineering Erik Poll Erik Poll Radboud University Nijmegen Testing Ingredients T ti I di t Two things are needed to test

865 views • 53 slides
Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky 1 Juraj j Somorovsky vsky.

Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky 1 Juraj j Somorovsky vsky.

Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky 1 Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 1 Transport Layer Security The most important crypto protocol HTTP, SMTP,

467 views • 43 slides
Fuzzing and how to evaluate it Michael Hicks The University of Maryland UM Joint work with

Fuzzing and how to evaluate it Michael Hicks The University of Maryland UM Joint work with

Fuzzing and how to evaluate it Michael Hicks The University of Maryland UM Joint work with George Klees, Andrew Ruef, Benji Cooper, Shiyi Wei What is fuzzing? A kind of random testing Goal : make sure certain bad things dont happen,

1.25k views • 69 slides
Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared DeMott Dr. Richard Enbody @msu.edu Dr. William Punch Black Hat 2007 www.vdalabs.com VDA Labs, LLC Agenda Goals and previous works (1)

683 views • 54 slides
What is fuzzing? A kind of random testing Goal : make sure certain bad things dont

What is fuzzing? A kind of random testing Goal : make sure certain bad things dont

What is fuzzing? A kind of random testing Goal : make sure certain bad things dont happen, no matter what ! Crashes, thrown exceptions, non-termination ! All of these things can be the foundation of security vulnerabilities

1.57k views • 14 slides
CS412 Software Security Program Testing Fuzzing Mathias Payer EPFL, Spring 2019 Mathias

CS412 Software Security Program Testing Fuzzing Mathias Payer EPFL, Spring 2019 Mathias

CS412 Software Security Program Testing Fuzzing Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Why testing? Testing is the process of executing a program to find errors. An error is a deviation between observed

657 views • 39 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Fuzzing the Solidity Compiler Bhargava Shastry @ibags Ethereum Foundation bshastry Fuzzcon

Fuzzing the Solidity Compiler Bhargava Shastry @ibags Ethereum Foundation bshastry Fuzzcon

Fuzzing the Solidity Compiler Bhargava Shastry @ibags Ethereum Foundation bshastry Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler 2 whoami Security engineer, Solidity team Semantic testing of Solidity compiler Find

441 views • 28 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&amp;D firstname dot lastname at orange-ftgroup dot com research &amp; development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Summer 2012 August 6, 2012 CSE 332 Data Abstractions, Summer 2012 1 *ominous music* THE FINAL

Summer 2012 August 6, 2012 CSE 332 Data Abstractions, Summer 2012 1 *ominous music* THE FINAL

CSE 332 Data Abstractions: Data Races and Memory, Reordering, Deadlock, Readers/Writer Locks, and Condition Variables (oh my!) Kate Deibel Summer 2012 August 6, 2012 CSE 332 Data Abstractions, Summer 2012 1 *ominous music* THE FINAL EXAM

826 views • 80 slides
2012-08-07 CSE 332 Data Abstractions: Data Races and Memory, Reordering, Deadlock,

2012-08-07 CSE 332 Data Abstractions: Data Races and Memory, Reordering, Deadlock,

2012-08-07 CSE 332 Data Abstractions: Data Races and Memory, Reordering, Deadlock, Readers/Writer Locks, and Condition Variables (oh my!) *ominous music* THE FINAL EXAM Kate Deibel Summer 2012 August 6, 2012 CSE 332 Data Abstractions,

339 views • 14 slides
Amortised Resource Analysis using Separation Logic Robert Atkey University of Strathclyde 20th

Amortised Resource Analysis using Separation Logic Robert Atkey University of Strathclyde 20th

Robert.Atkey@strath.ac.uk Amortised Resource Analysis using Separation Logic Robert Atkey University of Strathclyde 20th July 2017 Dagstuhl Seminar 17291 Resource Specification and Verification Programs execute. But not for free. How much

754 views • 61 slides
Selection of summary statistics for approximate Bayesian computation David Balding and Matt Nunes

Selection of summary statistics for approximate Bayesian computation David Balding and Matt Nunes

Selection of summary statistics for approximate Bayesian computation David Balding and Matt Nunes Institute of Genetics University College London COMPSTAT Paris, 26 August 2010 Research funded by UK EPSRC Mathematics underpinning the life

540 views • 27 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.23k views • 95 slides
Grap aphQL hQL forget (the) REST? Christian Schwendtner

Grap aphQL hQL forget (the) REST? Christian Schwendtner

Grap aphQL hQL forget (the) REST? Christian Schwendtner https://www.pexels.com/photo/man-person-people-emotions-1990/ https://www.pexels.com/photo/man-person-people-emotions-1990/ REST Feelings Im lovin it Well, What else?

482 views • 46 slides
Thread synchronization David Hovemeyer 2 December 2019 David Hovemeyer Computer Systems

Thread synchronization David Hovemeyer 2 December 2019 David Hovemeyer Computer Systems

Thread synchronization David Hovemeyer 2 December 2019 David Hovemeyer Computer Systems Fundamentals: Thread synchronization 2 December 2019 A program 1 const int NUM_INCR=100000000, NTHREADS=2; typedef struct { volatile int count; }

658 views • 36 slides
The No Gap Conjecture: Proof by Pictures Stephen Hermes Wellesley College, Wellesley, MA

The No Gap Conjecture: Proof by Pictures Stephen Hermes Wellesley College, Wellesley, MA

The No Gap Conjecture: Proof by Pictures Stephen Hermes Wellesley College, Wellesley, MA Maurice Auslander Distinguished Lectures and International Conference Woods Hole May, 2016 Preliminaries Joint With Kiyoshi Igusa. arXiv:1601.04054

515 views • 35 slides

More recommend