through fuzzing
play

through Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar - PowerPoint PPT Presentation

Jun 24, 2023 •677 likes •1.17k views

Razzer: Finding Kernel Race Bugs through Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee Insik Shin Korea Advanced Institute of Science and Technology Seoul National University Purdue

  1. Razzer: Finding Kernel Race Bugs through Fuzzing Dae R. Jeong † Kyungtae Kim ∗ Basavesh Shivakumar ∗ Byoungyoung Lee ‡ ∗ Insik Shin † † Korea Advanced Institute of Science and Technology ‡ Seoul National University ∗ Purdue University

  2. Kernel Vulnerability 2

  3. Kernel Vulnerability 2

  4. Kernel Vulnerability Attacker can control the entire system 2

  5. Fuzzing: Focused to Extend Coverage • Fuzzing • One of the most practical approaches in finding vulnerabilities • Coverage-guided fuzzing • It gathers interesting inputs that extend code coverage. • The more coverage, the more vulnerabilities 3

  6. Race Bugs • Assumption: Race condition between two threads • Race condition occurs if following three conditions meet • Two instructions access the same memory location • At least one of two is a write instruction • These two are executed concurrently • If a race occurs, the computational results may vary depending on the execution order • A race vulnerability is caused by the execution order unintended by developers. 4

  7. Inefficient Fuzzing for Race Bugs • Traditional fuzzers are inefficient to find race bugs • Instructions should be executed within a specific time window • Called as race window • Execution orders are not determined by the fuzzer • Execution orders are determined by the kernel scheduler 5

  8. Inefficient Fuzzing for Race Bugs: Example Thread 1 Thread 2 Syscall: open() Syscall: rename() len = strlen( file_name ); buf = kmalloc(len); Race strcpy( file_name , longer_name); window strcpy(buf, file_name ); 6

  9. Inefficient Fuzzing for Race Bugs: Example Thread 1 Thread 2 Syscall: open() Syscall: rename() len = strlen( file_name ); buf = kmalloc(len); Race strcpy( file_name , longer_name); window strcpy(buf, file_name ); 6

  10. Inefficient Fuzzing for Race Bugs: Example Thread 1 Thread 2 Syscall: open() Syscall: rename() len = strlen( file_name ); buf = kmalloc(len); Race strcpy( file_name , longer_name); window strcpy(buf, file_name ); 6

  11. Inefficient Fuzzing for Race Bugs: Example Thread 1 Thread 2 Syscall: open() Syscall: rename() len = strlen( file_name ); buf = kmalloc(len); Race strcpy( file_name , longer_name); window strcpy(buf, file_name ); 6

  12. Inefficient Fuzzing for Race Bugs: Example Thread 1 Thread 2 Syscall: open() Syscall: rename() len = strlen( file_name ); buf = kmalloc(len); Race strcpy( file_name , longer_name); window file_name is longer than strcpy(buf, file_name ); the allocated buffer 6

  13. Inefficient Fuzzing for Race Bugs: Example Thread 1 Thread 2 Syscall: open() Syscall: rename() len = strlen( file_name ); buf = kmalloc(len); Race strcpy( file_name , longer_name); window file_name is longer than strcpy(buf, file_name ); the allocated buffer Buffer overflow! 6

  14. Inefficient Fuzzing for Race Bugs: Syzkaller • Syzkaller • A kernel syscall fuzzer developed by Google • Run Syzkaller to find three race bugs with limited set of syscalls • CVE-2016-8655 • CVE-2017-17712 • CVE-2017-2636 • None of CVEs was found within 10 hours • Traditional fuzzing is inefficient to find race bugs • Razzer can find all of them within 7~30 minutes 7

  15. Our approach: Razzer Thread interleaving Code coverage len = strlen( file_name ); buf = kmalloc(len); strcpy( file_name , longer_name); strcpy(buf, file_name ); 8

  16. Our approach: Razzer Thread 1 Thread 2 Syscall: open() Syscall: rename() len = strlen( file_name ); buf = kmalloc(len); Race strcpy( file_name , longer_name); window strcpy(buf, file_name ); 9

  17. Our approach: Razzer Thread 1 Thread 2 Syscall: open() Syscall: rename() len = strlen( file_name ); buf = kmalloc(len); Race strcpy( file_name , longer_name); window BP strcpy(buf, file_name ); BP 9

  18. Our approach: Razzer Thread 1 Thread 2 Syscall: open() Syscall: rename() len = strlen( file_name ); buf = kmalloc(len); Race strcpy( file_name , longer_name); window BP strcpy(buf, file_name ); BP 9

  19. Our approach: Razzer Thread 1 Thread 2 Syscall: open() Syscall: rename() len = strlen( file_name ); buf = kmalloc(len); Race strcpy( file_name , longer_name); window strcpy(buf, file_name ); BP 9

  20. Our approach: Razzer Thread 1 Thread 2 Syscall: open() Syscall: rename() len = strlen( file_name ); buf = kmalloc(len); Race strcpy( file_name , longer_name); window strcpy(buf, file_name ); 9

  21. Our approach: Razzer Thread 1 Thread 2 Syscall: open() Syscall: rename() len = strlen( file_name ); buf = kmalloc(len); Race strcpy( file_name , longer_name); window strcpy(buf, file_name ); Buffer overflow! 9

  22. Design Overview Offline Online analysis testing Over-approximated Multi-thread Source data races input code Static analysis Single-thread Multi-thread fuzzing fuzzing 10

  23. Design Overview Offline Online analysis testing Over-approximated Multi-thread Source data races input code Static analysis Single-thread Multi-thread fuzzing fuzzing 11

  24. Static Analysis • Identifying instructions that may race • Teaching Razzer where to install breakpoints to trigger race • Inclusion-based points-to analysis • Also known as Andersen-style points-to analysis • This static analysis certainly has false positives • Next phases (fuzzing) takes care of this issue because it is “fuzzing” 12

  25. Static Analysis: Example Source code Read len = strlen( file_name ); buf = kmalloc(len); Write strcpy( file_name , longer_name); Read strcpy(buf, file_name ); 13

  26. Static Analysis: Example Source code Razzer identified 3.4M race candidates over the entire Linux kernel Read len = strlen( file_name ); buf = kmalloc(len); Write strcpy( file_name , longer_name); Read strcpy(buf, file_name ); 13

  27. Design Overview Offline Online analysis testing Over-approximated Multi-thread Source data races input code Static analysis Single-thread Multi-thread fuzzing fuzzing 14

  28. Single-thread Fuzzing Single-thread input … open() rename() … 15

  29. Single-thread Fuzzing Thread 1 Single-thread Syscall: open() input len = strlen( file_name ); … buf = kmalloc(len); open() strcpy(buf, file_name ); rename() … Syscall: rename() strcpy( file_name , longer_name); 15

  30. Transformation to Multi-thread Input … open() rename() … 16

  31. Transformation to Multi-thread Input Thread 2 Thread 1 … open() rename() … 16

  32. Transformation to Multi-thread Input Thread 2 Thread 1 … len = strlen( file_name ); buf = kmalloc(len); open() strcpy( file_name , BP rename() longer_name); strcpy(buf, file_name ); BP … 16

  33. Design Overview Offline Online analysis testing Over-approximated Multi-thread Source data races input code Static analysis Single-thread Multi-thread fuzzing fuzzing 17

  34. Multi-thread Fuzzing CPU 2 CPU 1 Thread 1 Thread 2 len = strlen( file_name ); … buf = kmalloc(len); strcpy( file_name , BP Syscall n Syscall m longer_name); strcpy(buf, file_name ); BP … Guest VM 18

  35. Multi-thread Fuzzing CPU 2 CPU 1 Thread 1 Thread 2 len = strlen( file_name ); … buf = kmalloc(len); strcpy( file_name , BP Syscall n Syscall m longer_name); strcpy(buf, file_name ); BP … Guest VM Hypervisor Thread 2 Thread 1 18

  36. Multi-thread Fuzzing CPU 2 CPU 1 Thread 1 Thread 2 len = strlen( file_name ); … buf = kmalloc(len); Hypercall Hypercall strcpy( file_name , BP Syscall n Syscall m longer_name); strcpy(buf, file_name ); BP … Guest VM Hypervisor Thread 2 Thread 1 18

  37. Multi-thread Fuzzing CPU 2 CPU 1 Thread 1 Thread 2 len = strlen( file_name ); … buf = kmalloc(len); Hypercall Hypercall strcpy( file_name , BP Syscall n Syscall m longer_name); strcpy(buf, file_name ); BP … Guest VM Hypervisor Thread 2 Thread 1 18

  38. Multi-thread Fuzzing CPU 2 CPU 1 Thread 1 Thread 2 len = strlen( file_name ); … buf = kmalloc(len); Hypercall Hypercall strcpy( file_name , BP Syscall n Syscall m longer_name); strcpy(buf, file_name ); BP … Guest VM Hypervisor strcpy( file_name , other_name); strcpy(buf, file_name ); Thread 2 Thread 1 18

  39. Multi-thread Fuzzing CPU 2 CPU 1 Thread 1 Thread 2 len = strlen( file_name ); … buf = kmalloc(len); Hypercall Hypercall strcpy( file_name , BP Syscall n Syscall m longer_name); strcpy(buf, file_name ); BP … Guest VM Hypervisor strcpy( file_name , other_name); strcpy(buf, file_name ); Two threads access the same memory  A race condition is occurred Thread 2 Thread 1 18

  40. Implementation • Static analysis • Implemented using SVF which is based on LLVM compiler suite • Single-thread/Multi-thread fuzzing • Implemented based on Syzkaller • Deterministic scheduler • Implemented using QEMU/KVM • Exposing hypercall interfaces to support per-core breakpoint 19

  41. Evaluation • 30 new races in the Linux kernel • 15 were fixed

  42. Evaluation • 30 new races in the Linux kernel • 15 were fixed Use-after-free

  43. Evaluation • 30 new races in the Linux kernel • 15 were fixed Use-after-free Heap overflow

  44. Evaluation • 30 new races in the Linux kernel • 15 were fixed Use-after-free Heap overflow Double free

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&D firstname dot lastname at orange-ftgroup dot com research & development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction Fuzzing Media Content in Android Data Generation Fuzzing the Stagefright Framework Logging & Triage Mechanisms 2 Introduction Fuzzing

1.12k views • 38 slides
NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein, Junfeng Yang, Baishakhi Ray, and Suman Jana Columbia University 1 Fuzzing: a popular way to uncover bugs [Liang et al. 2019] 2 Evolutionary Fuzzing

1.02k views • 26 slides
ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma background What is fuzzing: feed random inputs to trigger as many crashes and hangs as possible What is state-of-the-art of fuzzing research:

494 views • 18 slides
FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim * 1 Fuzzing Discovers Many Vulnerabilities 2 Fuzzing Discovers Many Vulnerabilities 3 Testers Find Bugs with Fuzzing

1.13k views • 65 slides
No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk Fuzzing binaries is hard! Few tools, complex setup Fuzzing binaries in the kernel is even harder! New approach based on static rewriting High

488 views • 46 slides
Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li, Bihuan Chen, Xiaofei Xie, Xiuheng Wu, Yang Liu October 18, 2018 1 Mutation Based Grey-box Fuzzing General-purpose Grey-box Fuzzing: Cover more

476 views • 33 slides
To The Next (DOM) Level (or How to leverage on W3C specifications to unleash a can of worms

To The Next (DOM) Level (or How to leverage on W3C specifications to unleash a can of worms

Taking Browsers Fuzzing To The Next (DOM) Level (or How to leverage on W3C specifications to unleash a can of worms ) Rosario Valotta Agenda Browser fuzzing: state of the art Memory corruption bugs: an overview Fuzzing

792 views • 40 slides
CSCI 4152/6509 Natural Language Processing Lab 9: Prolog Tutorial 2 Lab Instructor: Dijana

CSCI 4152/6509 Natural Language Processing Lab 9: Prolog Tutorial 2 Lab Instructor: Dijana

CSCI 4152/6509 Natural Language Processing Lab 9: Prolog Tutorial 2 Lab Instructor: Dijana Kosmajac, Tukai Pain Faculty of Computer Science Dalhousie University 25/27-Mar-2020 (9) CSCI 4152/6509 1 Lab Overview This is the second part

883 views • 26 slides
Engaging with peri-urban landholders: a webinar for councils and networks Session 4: 23 June

Engaging with peri-urban landholders: a webinar for councils and networks Session 4: 23 June

Engaging with peri-urban landholders: a webinar for councils and networks Session 4: 23 June 2020 Acknowledgement of Country Greater Sydney Local Land Services Acknowledge Country and the Aboriginal Custodians of the land on which we

142 views • 13 slides
A Tabled Prolog Program for Solving Sokoban Neng-Fa Zhou Agostino Dovier Department of Computer

A Tabled Prolog Program for Solving Sokoban Neng-Fa Zhou Agostino Dovier Department of Computer

A Tabled Prolog Program for Solving Sokoban Neng-Fa Zhou Agostino Dovier Department of Computer and Information Science, CUNY Brooklyn College & Graduate Center, USA Department of Mathematics and Computer Science, University of Udine,

1.03k views • 53 slides
Negation in logic programming Ex .: Old example program P f on family relations. Summary We would

Negation in logic programming Ex .: Old example program P f on family relations. Summary We would

Definite programs General programs Definite programs General programs NAF, CWA comp ( P ) Programs do not have any negative consequences. But sometimes we need them. Negation in logic programming Ex .: Old example program P f on family

84 views • 5 slides
CS5460: Operating Systems Lecture 7: Synchronization (Chapter 6) CS 5460: Operating Systems

CS5460: Operating Systems Lecture 7: Synchronization (Chapter 6) CS 5460: Operating Systems

CS5460: Operating Systems Lecture 7: Synchronization (Chapter 6) CS 5460: Operating Systems Lecture 7 Multi-level Feedback Queues Multiple queues with different priorities Alternative: single priority queue Round robin schedule

454 views • 24 slides
Lecture 10 Midterm review Announcements The midterm is on Tue Feb 9 th in class 4 Bring photo

Lecture 10 Midterm review Announcements The midterm is on Tue Feb 9 th in class 4 Bring photo

Lecture 10 Midterm review Announcements The midterm is on Tue Feb 9 th in class 4 Bring photo ID 4 You may bring a single sheet of notebook sized paper 8x10 inches with notes on both sides (A4 OK) 4 You may not bring a magnifying

491 views • 32 slides
Introduction to multi-threading and vectorization Matti Kortelainen LArSoft Workshop 2019 25

Introduction to multi-threading and vectorization Matti Kortelainen LArSoft Workshop 2019 25

Introduction to multi-threading and vectorization Matti Kortelainen LArSoft Workshop 2019 25 June 2019 Outline Broad introductory overview: Why multithread? What is a thread? Some threading models std::thread OpenMP

898 views • 47 slides
Static Versioning of Global State for Race Condition Detection Steffen Keul Dept. of Programming

Static Versioning of Global State for Race Condition Detection Steffen Keul Dept. of Programming

Introduction Static State Versioning Version Computation Conclusion Static Versioning of Global State for Race Condition Detection Steffen Keul Dept. of Programming Languages and Compilers Institute of Software Technology University of

577 views • 28 slides

More recommend