SLIDE 1 The Human Component in Automated Bug Finding
Christian Holler (:decoder) Staff Security Engineer
SLIDES 2-4
Last month: 340 authors with 2,475 commits
~ 16M lines source code
SLIDE 5
Media Formats
Markup Languages
Interfaces
JavaScript
Fonts
Networking
SLIDES 6-10
Domain Knowledge
Developers know...
… code architecture/contracts
… expected behavior
… weaknesses
“Lone warrior” approach not sustainable
SLIDE 11
Mutual Trust Relationship
SLIDE 12
The Do’s and Don’ts
SLIDES 13-16
Ninja Style
Build fuzzer alone and in secret
Rapid fire bugs at developers
“They’ll never know what hit them. Tehehe!!11oneeleven”
SLIDES 17-20
Defensive Behavior
Overwhelmed
Lack of Resources
Code Ownership Bias
SLIDE 22
“please stop filing fuzz bugs for the next few weeks until they can be addressed.”
SLIDES 23-25
DON’T
Surprise your developers
Act superior or adversarial
Assume equal priorities
SLIDES 26-33
DO: Kickoff Meeting
Developers, Fuzzing and Management
Show previous success stories
Offer your help, ask about problems
Define Goals - Allocate Resources
Educate on Requirements
SLIDES 34-37
Requirements and Goals
Developer Fuzzing
SLIDES 38-41
Example Requirement
Bugs must be fixed
“That bug isn’t interesting, please ignore it.”
“... but that’s not a bug.”
“Contract” about what constitutes a bug
SLIDES 42-44
$ js
js> print("Hello watman")
Hello watman
js> crash();
Hit MOZ_CRASH(forced crash) at shell/js.cpp:3700
Segmentation fault
SLIDES 45-46
$ js --fuzzing-safe
js> crash();
typein:1:1 ReferenceError: crash is not defined
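The "contract" the shell session illustrates is that builtins which abort on purpose (like the shell's crash()) are not bugs, and --fuzzing-safe keeps the fuzzer from reaching them at all. As an added example, not SpiderMonkey code, here is a hypothetical mini-shell that registers builtins through the same kind of gate, plus a triage check that refuses to report a forced crash hit in a run that forgot the flag; Builtin, Shell and isReportableCrash are names assumed for this illustration.

```cpp
#include <functional>
#include <map>
#include <string>
#include <vector>

// Hypothetical builtin table (not SpiderMonkey's): each entry says whether it
// is safe to expose to a fuzzer. crash() only returns a string here instead of
// aborting, so the example can run in-process.
struct Builtin {
    std::string name;
    bool fuzzingSafe;               // false = intentionally disruptive
    std::function<std::string()> fn;
};

static std::vector<Builtin> allBuiltins() {
    return {
        {"print", true,  [] { return std::string("Hello watman"); }},
        // Deliberate abort for developers testing crash reporting.
        {"crash", false, [] { return std::string("Hit MOZ_CRASH(forced crash)"); }},
    };
}

class Shell {
public:
    // Mirrors the --fuzzing-safe idea: unsafe builtins are never registered,
    // so a fuzzer cannot even name them (ReferenceError, not a crash).
    explicit Shell(bool fuzzingSafe) {
        for (const Builtin& b : allBuiltins())
            if (!fuzzingSafe || b.fuzzingSafe) table_[b.name] = b.fn;
    }
    std::string call(const std::string& name) const {
        auto it = table_.find(name);
        if (it == table_.end()) return "ReferenceError: " + name + " is not defined";
        return it->second();
    }
    bool has(const std::string& name) const { return table_.count(name) != 0; }
private:
    std::map<std::string, std::function<std::string()>> table_;
};

// Triage: a forced crash seen in a run without --fuzzing-safe is a fuzzer
// misconfiguration under the contract, not a bug to file. Any other crash,
// or any crash at all in a fuzzing-safe run, is reportable.
bool isReportableCrash(const std::string& output, bool fuzzingSafe) {
    bool crashed = output.find("MOZ_CRASH") != std::string::npos ||
                   output.find("Segmentation fault") != std::string::npos;
    if (!crashed) return false;
    bool forced = output.find("forced crash") != std::string::npos;
    return fuzzingSafe || !forced;
}
```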
SLIDE 47
Requirements vs. Goals
Developer Fuzzing
SLIDES 48-52
Fuzzblockers
Disruptive effect on fuzzing operations (e.g. highly frequent, resource intensive)
+ Hard to avoid
Highest Priority for Fuzzing
(Usually) low priority for developers
Try writing a fix yourself!
SLIDES 53-57
I want you to fix a bug
You learn something about the code
You learn something about development
You can progress faster
Developers will be happy
SLIDES 58-65
When to Fuzz?
As early as possible (*)
Earliest version with well-defined behavior
Could help developers
SLIDES 66-67
DO: Simple Steps to reproduce
SLIDES 68-69
DO: Measure Code Coverage
SHARE!
SLIDE 70
DO: Educate
SLIDE 71
Fuzzing is Teamwork
SLIDE 72
Thank You