weizz automatic grey box fuzzing for structured binary
play

WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats - PowerPoint PPT Presentation

Feb 03, 2024 •36 likes •666 views

WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono DElia and Emilio Coppa @andreafioraldi andreafioraldi@gmail.com Format-aware Fuzzing Input Input Program Crashes Format Generation Under

  1. WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono D’Elia and Emilio Coppa @andreafioraldi andreafioraldi@gmail.com

  2. Format-aware Fuzzing Input Input Program Crashes Format Generation Under Test Model 2 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  3. Format-aware Fuzzing ● LangFuzz ● Peach ● Spike ● CSmith ● ... 3 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  4. Problems ● Impossible if the input structure is unknown 4 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  5. Problems ● Impossible if the input structure is unknown ● May fail to find bugs related to syntactically invalid inputs in parsers 5 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  6. Problems ● Impossible if the input structure is unknown ● May fail to find bugs related to syntactically invalid inputs in parsers ● Parser implementations do not always closely mirror format specifications 6 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  7. Problems ● Impossible if the input structure is unknown ● May fail to find bugs related to syntactically invalid inputs in parsers ● Parser implementations do not always closely mirror format specifications ● Models take some time to be written by a human (and contains simplifications) 7 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  8. Problems ● Impossible if the input structure is unknown ● May fail to find bugs related to syntactically invalid inputs in parsers ● Parser implementations do not always closely mirror format specifications ● Models take some time to be written by a human (and contain simplifications) ● Wrong models make fuzzing ineffective 8 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  9. Solutions? ● Automatically learn the model from the actual implementation of the parser 9 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  10. Solutions? ● Automatically learn the model from the actual implementation of the parser ● Generate not always syntactically valid inputs 10 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  11. Solutions? ● Automatically learn the model from the actual implementation of the parser ○ (Approximation of) Taint Tracking ■ [Tupni] [Autogram] [Polyglot] [Grimoire] ○ Machine Learning ■ [Learn&Fuzz] [REINAM] ○ Oracle based ■ [GLADE] ● Generate not always syntactically valid inputs 11 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  12. Coverage-guided Fuzzing Coverage Corpus Input Program Mutation Under Test Crashes 12 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  13. Problems ● Fail to explore deep paths behind parsers 13 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  14. Problems ● Fail to explore deep paths behind parsers ● Affected by roadblocks (multi-byte comparisons, checksums, hashes, … ) if (hash(input[0:8]) != input[8:12]) exit(1) if (input[12:16] == 0xABADCAFE) bug() 14 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  15. Structured Fuzzing Corpus Coverage Input Program Input Mutation Under Test Format Model Crashes 15 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  16. Structured Fuzzing ● AFLSmart ● Nautilus ● Superion ● Libprotobuf-Mutator ● Zest ● ... 16 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  17. Bypass Roadblocks ● Concolic Fuzzing ○ [Driller] [QSYM] [Eclipser] ● (Approximation of) Taint Tracking ○ [TaintScope] [Vuzzer] [Angora] [Redqueen ] ● Sensitive feedbacks ○ [LAF-Intel] [CompareCoverage] [FuzzFactory] [IJON] 17 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  18. Bypass Roadblocks ● Concolic Fuzzing ○ [Driller] [QSYM] [Eclipser] ● (Approximation of) Taint Tracking ○ [TaintScope] [Vuzzer] [Angora] [Redqueen ] ● Sensitive feedbacks ○ [LAF-Intel] [CompareCoverage] [FuzzFactory] [IJON] 18 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  19. Idea #1 ● Reuse expensive analysis to bypass roadblocks previously explored in past works to enable Structure-aware mutations 19 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  20. Bypass Roadblocks [Redqueen] ● Mutations targeting magic byte comparisons (Input-To-State) 20 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  21. Bypass Roadblocks [Redqueen] ● Mutations targeting magic byte comparisons (Input-To-State) input: AAAABBBBCCCCBBBB cmp eax, FFFF → eax = BBBB 21 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  22. Bypass Roadblocks [Redqueen] ● Mutations targeting magic byte comparisons (Input-To-State) input: AAAABBBBDDCCDDCC (equivalent in coverage) cmp eax, FFFF → eax = BBBB 22 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  23. Bypass Roadblocks [Redqueen] ● Mutations targeting magic byte comparisons (Input-To-State) input: AAAABBBBDDCCDDCC (equivalent in coverage) cmp eax, FFFF → eax = BBBB new input: AAAAFFFFDDCCDDCC 23 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  24. Bypass Roadblocks [Redqueen] ● Mutations targeting magic byte comparisons (Input-To-State) ● Patch out checksum checks 24 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  25. Formats as an AST [Grimoire] + / 5 = 12 3 25 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  26. Not all formats are parsed into an AST 26 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  27. Comparisons for validation if (chunk->size_field > SIZE_MAX) error(“Invalid Chunk Size”); 27 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  28. Idea #2 ● Instead of using memory accesses to reconstruct the format ([Tupni] [Autogram]) use the comparisons instructions that are likely validation checks 28 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  29. Idea #3 ● Don’t learn a model and use it to guide the fuzzer, but reconstruct each time the structure and apply mutations. This avoids the problem of having errors in the learning process. 29 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  30. Weizz ● Based on AFL 2.52b ● Binary-only (QEMU) ● Approximate Taint to bypass Roadblocks and learn information about validation checks ● Structural mutations based on that information (inspired by [AFLSmart]) 30 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  31. Architecture 31 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  32. Architecture 32 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  33. Architecture 33 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  34. GetDeps: Approximating Taint Tracking Input: AAAABBBBCCCCDDDD cmp eax, FFFF → eax = AAAA 34 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  35. GetDeps: Approximating Taint Tracking Input: AAAABBBBCCCCDDDD cmp eax, FFFF → eax = AAAA Bitflip #1: BAAABBBBCCCCDDDD cmp eax, FFFF → eax = BAAA 35 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  36. Detect Checksum Checks ● One operand is I2S ● The other operand is not I2S and GetDeps revealed dependencies on some input bytes ● The sets of their byte dependencies are disjoint 36 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  37. Input Tags ● Comparison ID ● Timestamp ● Parent ID ● Number of tags with the same ID ● The Comparison ID of the inner checksum that guard this byte ● Flags (which CMP operand, if this is a checksum field, … ) 37 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  38. Many Comparisons affected by the same byte 1. Prioritize Checksum fields 38 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  39. Many Comparisons affected by the same byte 1. Prioritize Checksum fields 2. Prioritize comparisons appeared earlier in time (possible validation checks) 39 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  40. Many Comparisons affected by the same byte 1. Prioritize Checksum fields 2. Prioritize comparisons appeared earlier in time (possible validation checks) 3. Prioritize if the number of bytes influencing the comparison are low 40 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  41. Fixing Checksum ● Late-stage repair ● Topological Sort (Tags have the info for this) ● Unpatch false positives 41 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  42. Locating Fields 42 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  43. Locating Chunks struct { int type; int x , y; int cksm; }; 43 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  44. Locating Chunks struct { 1. Pick a tag type int type; int x , y; int cksm; }; 44 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  45. Locating Chunks struct { 1. Pick a tag type int type; 2. Recurse if next Timestamp (ts) > current int x , y; int cksm; }; 45 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li, Bihuan Chen, Xiaofei Xie, Xiuheng Wu, Yang Liu October 18, 2018 1 Mutation Based Grey-box Fuzzing General-purpose Grey-box Fuzzing: Cover more

476 views • 33 slides
Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference Valentin Mans 1 , Soomin Kim 2

Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference Valentin Mans 1 , Soomin Kim 2

Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference Valentin Mans 1 , Soomin Kim 2 , Sang Kil Cha 2 1 CSRC, KAIST 2 KAIST The Success of Grey-box Fuzzing OSS-Fuzz has found over 20,000 bugs in 300 open source projects.

458 views • 24 slides
No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk Fuzzing binaries is hard! Few tools, complex setup Fuzzing binaries in the kernel is even harder! New approach based on static rewriting High

488 views • 46 slides
Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared DeMott Dr. Richard Enbody @msu.edu Dr. William Punch Black Hat 2007 www.vdalabs.com VDA Labs, LLC Agenda Goals and previous works (1)

683 views • 54 slides
From Binary to Multiclass Classification CS 6355: Structured Prediction 1 We have seen binary

From Binary to Multiclass Classification CS 6355: Structured Prediction 1 We have seen binary

From Binary to Multiclass Classification CS 6355: Structured Prediction 1 We have seen binary classification We have seen linear models Learning algorithms Perceptron SVM Logistic Regression Prediction is simple Given

1.41k views • 78 slides
Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing

Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing

Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing antti.levomaki@forcepoint.com opi@forcepoint.com WHO? ANTTI LEVOMKI OLLI-PEKKA NIEMI Research Scientist Director of Research WHAT? NETWORK EVASIONS +

463 views • 18 slides
Taintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Taintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Taintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang Tao Wei Guofei Gu Wei Zou March 12, 2014 Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope Taintscope is: A Fuzzing tool

742 views • 42 slides
A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE

A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE

A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE by Kirk Gittings Note: Kirk Gittings has been photographing the prehistor- coast, but m aking a real living as an art photographer ic,

1.16k views • 8 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Automatic Georeferencing and Search on Structured Georeferenced Bibliographic Data c 1 Marjan

Automatic Georeferencing and Search on Structured Georeferenced Bibliographic Data c 1 Marjan

Introduction Challenges Automatic Georeferencing and Search on Structured Georeferenced Bibliographic Data c 1 Marjan Ceh 2 Dragan Ivanovi 1 University of Novi Sad, Serbia 2 University of Ljubljana, Slovenia 1st International KEYSTONE

492 views • 13 slides
Chapter 4 Tree-Structured Indexing ISAM and B + -trees Binary Search ISAM Architecture and

Chapter 4 Tree-Structured Indexing ISAM and B + -trees Binary Search ISAM Architecture and

Tree-Structured Indexing Torsten Grust Chapter 4 Tree-Structured Indexing ISAM and B + -trees Binary Search ISAM Architecture and Implementation of Database Systems Multi-Level ISAM Too Static? Summer 2016 Search Efficiency B + -trees

1.26k views • 68 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc

Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc

Introduction DBT principle Design flow Intermediate Representation Generation Conclusion Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc Michel and Nicolas Fournel Tima Laboratory , Grenoble,

686 views • 25 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
K-Nearest Neighbors Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

K-Nearest Neighbors Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

K-Nearest Neighbors Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative Check out review materials Probability Linear algebra Python and NumPy Start your HW 0 On your Local machine: Install

730 views • 57 slides
AI Lab - Session 1 Uninformed Search Riccardo Sartea University of Verona Department of

AI Lab - Session 1 Uninformed Search Riccardo Sartea University of Verona Department of

AI Lab - Session 1 Uninformed Search Riccardo Sartea University of Verona Department of Computer Science March 15 th 2019 The OpenAI Gym Framework What is it Gym is a toolkit for developing and comparing reinforcement learn- ing algorithms.

420 views • 8 slides
Distribution Nion Swift Workshop Chris Meyer 2018 October 5 Nion Swift is software for

Distribution Nion Swift Workshop Chris Meyer 2018 October 5 Nion Swift is software for

Nion Swift Plug-in Distribution Nion Swift Workshop Chris Meyer 2018 October 5 Nion Swift is software for integrating instrument control, data acquisition, organization, visualization, and analysis using Python. Nion Swift Plug-in

199 views • 15 slides
E9 205 Machine Learning for Signal Processing 01-09-2017 Tutorial on Python Outline Basics

E9 205 Machine Learning for Signal Processing 01-09-2017 Tutorial on Python Outline Basics

E9 205 Machine Learning for Signal Processing 01-09-2017 Tutorial on Python Outline Basics and control statements Functions and lists Tuples, Dictionaries, Strings, File i/o Modules Packages: Numpy, (Scipy, Matplotlib)

480 views • 37 slides
Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng Xu (Georgia Tech) Finding Race Conditions in Kernels 1 July 16, 2020 The game of attack and defense Bug fi nding Exploitation Pro fi t Meng Xu

2.82k views • 173 slides
SnaPEA : Predictive Early Activation for Reducing Computation In Deep Convolutional Neural

SnaPEA : Predictive Early Activation for Reducing Computation In Deep Convolutional Neural

SnaPEA : Predictive Early Activation for Reducing Computation In Deep Convolutional Neural Networks * * Vahideh Akhlaghi Amir Yazdanbakhsh Kambiz Samadi Rajesh K. Gupta Hadi Esmaeilzadeh * Equal Contribution University

565 views • 32 slides
Acts Series Lesson #94 December 18, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert L.

Acts Series Lesson #94 December 18, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert L.

Acts Series Lesson #94 December 18, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert L. Dean, Jr. The Acts of the Apostles To the end of the earth Acts 1:8 Acts as a Transition and Overview of Things to Come Acts 13; Matthew

551 views • 19 slides
CS 241: Systems Programming Lecture 1. Introduction Spring 2020 Prof. Stephen Checkoway 1 What

CS 241: Systems Programming Lecture 1. Introduction Spring 2020 Prof. Stephen Checkoway 1 What

CS 241: Systems Programming Lecture 1. Introduction Spring 2020 Prof. Stephen Checkoway 1 What is this course about? Tools for succeeding in computer science Unix command line Bash scripting C programming Building software

268 views • 24 slides

More recommend