top n challenges of deep fuzzing
play

Top N challenges of "deep" fuzzing Kostya Serebryany - PowerPoint PPT Presentation

May 29, 2023 •198 likes •472 views

Top N challenges of "deep" fuzzing Kostya Serebryany <kcc@google.com> FuzzCon Europe, September 2019 Sanitizing Googles & everyones C++ code since 2008 Testing: ASan, TSan, MSan, UBSan (KASAN, etc for kernel)

  1. Top N challenges of "deep" fuzzing Kostya Serebryany <kcc@google.com> FuzzCon Europe, September 2019

  2. Sanitizing Google’s & everyone’s C++ code since 2008 ● Testing: ASan, TSan, MSan, UBSan (KASAN, etc for kernel) ● Fuzzing : libFuzzer, Syzkaller, OSS-Fuzz, Libprotobuf-mutator ○ Fuzzing At Google Today And Tomorrow (Shonan 2019-09) ○ Also: building a specialized fuzzer for a proprietary system ● Hardening in production: LLVM CFI, ShadowCallStack, UBSan ● Testing in production: GWP-ASan ● Hardware-assisted memory safety (Arm MTE)

  3. “Deep” fuzzing is not the most important ● How to define “Deep” fuzzing? ○ Find more bugs? ○ Discover more control flow edges? More code paths? More data flows? ○ More “ what else ”? ● More important to Fuzz: ○ Wide: apply fuzzing to more code ○ Often: fuzzing as part of CI, starting with pre-submit ○ Incrementally: focus on the recently changed code ○ Early: design software with fuzzability in mind (fuzz-driven-development) ○ Naturally: design programming languages with fuzzability in mind ○ Young: fuzzing in CS education ● Still, “deep” is interesting ○ Lots of existing fuzz targets. Code owners need to stay ahead of adversaries ○ Fun research

  4. Guided fuzzing ● Acquire the “seed corpus” ● while(true) ○ Choose input(s) ○ Mutate / crossover ○ Execute: find bugs, collect control flow, data flow, whatever else ○ Update the corpus: maybe expand, maybe shrink Every step here needs an improvement!

  5. Guided fuzzing ● Acquire the “seed corpus” ● while(true) ○ Choose input(s) ○ Mutate / crossover ○ Execute: find bugs, collect control flow, data flow, whatever else ○ Update the corpus: maybe expand, maybe shrink Every step here needs an improvement!

  6. Seed corpus ● File formats: crawl the web ● Use corpus from other fuzz targets ○ Crash Windows USB via Fuzzing Linux USB ○ OSS-Fuzz: corpus of one SSL implementation crashes another. Same for font libs. ● Monitor the live system, scavenge “interesting” inputs ○ Choosing what’s “interesting” with a non-instrumented build; or instrumented build in prod ○ Privacy issues, etc ○ How to automate? ○ Better integration of fuzz targets and production code ● Feedback loop from production bugs, e.g. GWP-ASan ○ Some early one-off success cases, but no automation

  7. Guided fuzzing ● Acquire the “seed corpus” ● while(true) ○ Choose input(s) ○ Mutate / crossover ○ Execute: find bugs, collect control flow, data flow, whatever else ○ Update the corpus: maybe expand, maybe shrink Every step here needs an improvement!

  8. while (true) ● Frequent question: when to stop fuzzing? ● Frequent answer: never ○ More time => more chance to find something new ○ Tools evolve ○ Code evolves ● Diminishing returns after some point ○ Assuming the code/tools don’t change ○ How do we know when to stop? ○ And when to restart? ● With 350+ projects and growing, OSS-Fuzz starts to cost quite a bit

  9. Guided fuzzing ● Acquire the “seed corpus” ● while(true) ○ Choose input(s) ○ Mutate / crossover ○ Execute: find bugs, collect control flow, data flow, whatever else ○ Update the corpus: maybe expand, maybe shrink Every step here needs an improvement!

  10. Choosing inputs to mutate / crossover ● k inputs in the corpus ● compute W(i) (i=1..k), the weight of i-th input ● Naive: uniform W(i) = 1 / k ● Naive (libFuzzer): prefer most recent, W(i) ~= 2 * i / (k*k) ● Less naive (Entropic): favor inputs with “infrequent” control flow edges ● Open question: is this important? ○ Entropic vs libFuzzer shows considerable improvement in short runs (hours, days) ○ No sign of improvement in long runs (weeks, months) ● Same problem for choosing pairs/tuples for crossover ○ I’m not aware of research on crossover!

  11. Guided fuzzing ● Acquire the “seed corpus” ● while(true) ○ Choose input(s) ○ Mutate / crossover ○ Execute: find bugs, collect control flow, data flow, whatever else ○ Update the corpus: maybe expand, maybe shrink Every step here needs an improvement!

  12. Mutation: structure-aware ● Input is not a bag of bytes, but a highly structured input ○ Syntax tree? Graph? Compressed? Encrypted? With checksums? ● Lib protobuf -mutator: input is a protobuf (same: thrift, etc) ○ Can describe anything as proto, see e.g. SockPuppet ○ Creating/maintaining protos for non-proto APIs is time consuming ● Syzkaller: input is a sequence of syscalls with constraints ○ Creating syscall descriptions is time consuming ● Open question: how to automate? ○ File format => proto ○ Sequence of API calls => proto

  13. Mutation: guided ● Input and desired new behavior => produce an interesting mutation ● Extreme case: symbolic (concolic) execution ○ scalability challenges ● Limited data flow guidance ○ Capture bytes flowing into conditionals (or memcmp, strcmp, etc) ○ Substitute “left” with “right” in the input ○ libFuzzer, honggfuzz, AFL++, go-fuzz? ● Complete data flow traces ○ Use taint analysis (DFSan) to mark correspondence {input byte} => {conditional statement} ○ Mutate only the bytes that affect the target conditions ○ Early signs that it works great, but far from wide use

  14. Mutation: guided and structure-aware? ● Not hard in principle, but not aware of any implementations

  15. Mutation: how to choose a sequence of mutations? ● MOpt: Optimized Mutation Scheduling for Fuzzers ● Is this a taks for ML?

  16. Guided fuzzing ● Acquire the “seed corpus” ● while(true) ○ Choose input(s) ○ Mutate / crossover ○ Execute: find bugs, collect control flow, data flow, whatever else ○ Update the corpus: maybe expand, maybe shrink Every step here needs an improvement!

  17. Execution: find bugs ● What bugs can we find? ○ Memory safety, assertion failures, resource exhaustion, etc (boring) ○ Logical bugs? ○ ? ● Differential fuzzing: compare implementation A with implementation B ○ Self-differential: assert(2*X == X + X); // for a bignum class ○ Compare two revisions of the same code Round-trip: assert(Uncompress(Compress(Input)) == Input) ●

  18. Execution: collect control flow ● Everyone uses “coverage”, a.k.a. control flow edges ● Compiler options for better signal? ○ Prohibit optimizations that fold control flow or build with -O0? ○ More inlining or less inlining? ○ Function cloning? (Or, context-aware code coverage) ● Someone else’s control flow (differential fuzzing) ○ Nezha fuzzer: multiply my control flow by someone else’s

  19. Execution: data flow ● Turn data flow into more control flow (laf-intel) ○ if (a == b) => if (HighBits(a) == HighBits(b) && LowBits(a) == LowBits(b)) ● libFuzzer: value profiles ○ CMP(a, b) => feature[popcnt(a^b)]++; ■ Actively used ○ a[i] => feature[DistanceFromBounds(i)]++; ■ Not enabled, needs more research ● ???

  20. Execution: what else? ● What other signal can we extract from execution? ○ Time / space overhead (PerfFuzz) ○ Stack depth / call depths (libFuzzer) ● Requirements: ○ needs to be convertible into integers ○ needs to be ~ linear (maybe up to quadratic?) by the program size ■ e.g. full execution paths / traces are unlikely to ever work ●

  21. Guided fuzzing ● Acquire the “seed corpus” ● while(true) ○ Choose input(s) ○ Mutate / crossover ○ Execute: find bugs, collect control flow, data flow, whatever else ○ Update the corpus: maybe expand, maybe shrink Every step here needs an improvement!

  22. Corpus expansion ● When to add an input to the corpus, when to evict? ● What is the ideal corpus size? ○ Trade off between preserving information and diluting useful inputs ● Preserve or evict slow / large inputs? ● Ankou Fuzzer: maximize minimal “distance” between corpus elements ○ Distance measured based on control flow ○ Can we add data flow to Ankou?

  23. Misc: fuzzing stateful systems? ● Two typical approaches: ○ Pretend the system is not stateful ○ Reset the state on every input ● Syzkaller is an example (kernels have lots of state), but is highly specialized ○ Can we generalize?

  24. Misc: evaluating fuzzers ● Hard to improve what you can’t measure ● FuzzBench: large scale, real-life targets ○ Also: fuzzer-test-suite (deprecated) ○ Meaningful results require lots of CPU ● Evaluate fuzzers while doing useful fuzzing? ○ Moving target, hard to reproduce results ○ Only fuzz targets with saturated corpus ● Evaluate structure aware fuzzers ● Retirement LAVA & CGC is overdue ○ Too small & artificial, benchmarks with main() are counterproductive

  25. Misc: human in the loop ● On a saturated fuzz target, ask the developer to help ○ Visualize the “coverage frontier”, overlay with production coverage ○ Visualize the inputs reaching the frontier, and parts of inputs affecting the frontier conditionals ○ Especially or structure aware fuzzing (e.g. protobufs) ● If there are bugs, or slow / large inputs, help prioritize the fixes ○ Not important in ideal case, where all bugs are fixed. But, …, well, you know

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan

What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan

What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan Stijohann 2 , 3 Frank Kargl 3 elien Francillon 1 Davide Balzarotti 1 Aur 1 EURECOM 2 Siemens AG 3 Ulm University Introduction Embedded

474 views • 29 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&amp;D firstname dot lastname at orange-ftgroup dot com research &amp; development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction Fuzzing Media Content in Android Data Generation Fuzzing the Stagefright Framework Logging &amp; Triage Mechanisms 2 Introduction Fuzzing

1.12k views • 38 slides
NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein, Junfeng Yang, Baishakhi Ray, and Suman Jana Columbia University 1 Fuzzing: a popular way to uncover bugs [Liang et al. 2019] 2 Evolutionary Fuzzing

1.02k views • 26 slides
ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma background What is fuzzing: feed random inputs to trigger as many crashes and hangs as possible What is state-of-the-art of fuzzing research:

494 views • 18 slides
FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim * 1 Fuzzing Discovers Many Vulnerabilities 2 Fuzzing Discovers Many Vulnerabilities 3 Testers Find Bugs with Fuzzing

1.13k views • 65 slides
Overview Background Deep submicron challenges Verification, testing, validation

Overview Background Deep submicron challenges Verification, testing, validation

Paper Review DIVA - A reliable substrate for Deep Submicron Microarchitecture Design - Todd Austin, Univ. of Michigan (1999) ECE1718 MCA - K.P. Tang November 2008 Overview Background Deep submicron challenges Verification,

547 views • 13 slides
No source? No problem! High speed binary fuzzing Nspace &amp; @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace &amp; @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace &amp; @gannimo About this talk Fuzzing binaries is hard! Few tools, complex setup Fuzzing binaries in the kernel is even harder! New approach based on static rewriting High

488 views • 46 slides
Social and Technological Networks Rik Sarkar University of Edinburgh, 2019. Course specifics

Social and Technological Networks Rik Sarkar University of Edinburgh, 2019. Course specifics

Social and Technological Networks Rik Sarkar University of Edinburgh, 2019. Course specifics Lectures Tuesdays 12:10 13:00 1 George square G8: Gaddum lecture theatre. Fridays 12:10 13:00 Geography 2.13. Exam :

786 views • 32 slides
The New Web: Characterizing AJAX Traffic Fabian Schneider fabian@net.t-labs.tu-berlin.de Sachin

The New Web: Characterizing AJAX Traffic Fabian Schneider fabian@net.t-labs.tu-berlin.de Sachin

The New Web: Characterizing AJAX Traffic Fabian Schneider fabian@net.t-labs.tu-berlin.de Sachin Agarwal Tansu Alpcan Anja Feldmann Technische Universtit at Berlin Deutsche Telekom Laboratories Passive and Active Measurement Conference

471 views • 20 slides
Urban Sustainability Transitions Systems and Agency Dynamics Dr. Niki Frantzeskaki Associate

Urban Sustainability Transitions Systems and Agency Dynamics Dr. Niki Frantzeskaki Associate

Urban Sustainability Transitions Systems and Agency Dynamics Dr. Niki Frantzeskaki Associate Professor Erasmus University Rotterdam, The Netherlands email: n.frantzeskaki@drift.eur.nl @NFrantzeskaki 21.10.2015 Copenhagen University, Denmark

946 views • 48 slides
WebVision 2020 Visual Understanding by Learning from Web Data Workshop Organizers General Chairs

WebVision 2020 Visual Understanding by Learning from Web Data Workshop Organizers General Chairs

WebVision 2020 Visual Understanding by Learning from Web Data Workshop Organizers General Chairs J. Berent L. Van Gool A. Gupta R. Sukthankar Program Chairs Wen Li Hilde Kuehne Suman Saha Qin Wang Limin Wang Wei Li Thanks to Workshop

408 views • 16 slides
AND SCALAR PRODUCTS AT ANY RANK Fedor Levkovich-Maslyuk Ecole Normale Superieure Paris 20xx.xxxx

AND SCALAR PRODUCTS AT ANY RANK Fedor Levkovich-Maslyuk Ecole Normale Superieure Paris 20xx.xxxx

SEPARATION OF VARIABLES AND SCALAR PRODUCTS AT ANY RANK Fedor Levkovich-Maslyuk Ecole Normale Superieure Paris 20xx.xxxx [Gromov, FLM, Ryan] 1910.13442 [Gromov, FLM, Ryan, Volin] based on 1907.03788 [Cavaglia, Gromov, FLM] 1610.08032

690 views • 35 slides
11-737 Multilingual NLP Lang in 10: Hindi Example of 10 minute presentation on a language Hindi

11-737 Multilingual NLP Lang in 10: Hindi Example of 10 minute presentation on a language Hindi

11-737 Multilingual NLP Lang in 10: Hindi Example of 10 minute presentation on a language Hindi Hindi spoken in Northern India 320mn native speakers 270 L2 speakers 3 rd or 4 th most spoken language in world (after

753 views • 9 slides
Recent B A B AR Studies of Bottomonium States Claudia Patrignani Universit e INFN Genova for

Recent B A B AR Studies of Bottomonium States Claudia Patrignani Universit e INFN Genova for

Recent B A B AR Studies of Bottomonium States Claudia Patrignani Universit e INFN Genova for the B A B AR Collaboration HADRON 2011 XIV International Conference on Hadron Spectroscopy 13-17 June 2011 Mnchen (Germany) Inclusive

737 views • 16 slides
1 John Series Lesson #073 August 25, 2002 Dean Bible Ministries www.deanbibleministries.org

1 John Series Lesson #073 August 25, 2002 Dean Bible Ministries www.deanbibleministries.org

1 John Series Lesson #073 August 25, 2002 Dean Bible Ministries www.deanbibleministries.org Dr. Robert L. Dean, Jr. 1 John 4:19, We love Him because He first loved us. 1. There are basically three Greek New Testaments available for

633 views • 34 slides

More recommend