what you corrupt is not what you crash challenges in
play

What You Corrupt Is Not What You Crash: Challenges in Fuzzing - PowerPoint PPT Presentation

Sep 07, 2023 •168 likes •474 views

What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan Stijohann 2 , 3 Frank Kargl 3 elien Francillon 1 Davide Balzarotti 1 Aur 1 EURECOM 2 Siemens AG 3 Ulm University Introduction Embedded

  1. What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan Stijohann 2 , 3 Frank Kargl 3 elien Francillon 1 Davide Balzarotti 1 Aur´ 1 EURECOM 2 Siemens AG 3 Ulm University

  2. Introduction • Embedded devices are becoming increasingly more important • Vulnerabilities go beyond misconfigurations, weak authentication, hard-coded keys, etc. • Fuzz testing is a popular and effective method for uncovering programming errors • A variety of work improves input generation and fault detection for fuzzing 1

  3. Problem Statement How efficient are we at fuzzing embedded devices? Can we do it better? 2

  4. Fuzzing, Corruptions & Crashes

  5. Starting Point Corruption � = Crash 3

  6. Embedded Devices: A minimalistic classification Type-I: Type-II: General purpose OS-based Embedded OS-based Type-III: No OS-Abstraction 4

  7. Challenge #1: Fault Detection • Lack of basic features, such as: • Memory Management Unit (MMU) • Heap consistency checks • Canaries • Often only solution: Basic liveness checks 5

  8. Challenge #2: Performance & Scalability • Fuzzing greatly benefits from parallelization • This would mean 1 device per instance • Frequent restarts are required • Fast for software, slow for full systems 6

  9. Challenge #3: Instrumentation • Hard to retrieve coverage information • Tools for turning silent corruptions into observable ones rarely available • Unsupported instruction set architecturess • Operation tied to OS-specific features 7

  10. Measuring the effect of memory corruptions • Five common types of memory corruptions • Insertion of artificial bugs in two popular open source programs • Expat • mbedTLS • Trigger condition inspired by LAVA [1] • Vulnerable programs are compiled for four different devices [1] Dolan-Gavitt, Brendan, et al. ”Lava: Large-scale automated vulnerability addition.” IEEE Symposium on Security and Privacy (SP), 2016. 8

  11. Effects of Corruptions accross different systems Platform Desktop Type-I Type-II Type-III Format String ✓ ✓ ✗ ✗ ! ✓ Stack-based buffer overflow ✓ ✓ (opaque) (hang) ! Heap-based buffer overflow ✓ ✗ ✗ (late crash) ✗ Double Free ✓ ✓ ✗ (malfunc.) ✓ ✗ Null Pointer Dereference ✓ ✓ (reboot) (malfunc.) 9

  12. Possible Directions for Improvement • Static Instrumentation • Binary Rewriting • Pysical Re-Hosting • Full Emulation • Partial Emulation • Hardware-Supported Instrumentation 10

  13. Possible Directions for Improvement • Static Instrumentation • Binary Rewriting • Pysical Re-Hosting • Full Emulation • Partial Emulation • Hardware-Supported Instrumentation 10

  14. Leveraging (partial) emulation to improve fuzz testing

  15. Set-up: Overview Avatar 2 boofuzz PANDA Embedded Device Fuzz Inputs Analysis Emulation MMIO Peripherals Plugis Figure 1: Setup for fuzzing utilizing partial emulation Code will be available at: https://github.com/avatartwo/ndss18_wycinwyc 11

  16. Set-up: Target • The vulnerable expat program, as seen in the last part • Focus on a Type-III device • Fuzzed in four different configurations 12

  17. Set-up: Native Avatar 2 boofuzz PANDA Embedded Device Fuzz Inputs MMIO Peripherals Analysis Emula � on Plugis 1. Native (NAT) 2. Partial Emulation with Memory Forwarding (PE/MF) 3. Partial Emulation with Peripheral Modeling (PE/PM) 4. Full Emulation (FE) 13

  18. Set-up: PE/MF Avatar 2 boofuzz PANDA Embedded Device Fuzz Inputs MMIO Peripherals Analysis Emula � on Plugis 1. Native (NAT) 2. Partial Emulation with Memory Forwarding (PE/MF) 3. Partial Emulation with Peripheral Modeling (PE/PM) 4. Full Emulation (FE) 14

  19. Set-up: PE/PM Avatar 2 boofuzz PANDA Embedded Device Fuzz Inputs MMIO Peripherals Analysis Emula � on Plugis 1. Native (NAT) 2. Partial Emulation with Memory Forwarding (PE/MF) 3. Partial Emulation with Peripheral Modeling (PE/PM) 4. Full Emulation (FE) 15

  20. Set-up: FE Avatar 2 boofuzz PANDA Embedded Device Fuzz Inputs MMIO Peripherals Analysis Emula � on Plugis 1. Native (NAT) 2. Partial Emulation with Memory Forwarding (PE/MF) 3. Partial Emulation with Peripheral Modeling (PE/PM) 4. Full Emulation (FE) 16

  21. Set-up: Fuzzer • boofuzz [2], a python-based fuzzer based on Sulley • Configured to trigger the corruptions with different ratios • Used for 100 fuzzing sessions over one hour each [2] https://github.com/jtpereyda/boofuzz 17

  22. Set-up: Corruption Detection Avatar 2 boofuzz PANDA Embedded Device Fuzz Inputs MMIO Peripherals Analysis Emula � on Plugis 1. Native (NAT) 2. Partial Emulation with Memory Forwarding (PE/MF) 3. Partial Emulation with Peripheral Modeling (PE/PM) 4. Full Emulation (FE) 18

  23. Set-up: Corruption Detection Avatar 2 boofuzz PANDA Embedded Device Fuzz Inputs MMIO Peripherals Analysis Emula � on Plugis 1. Native (NAT) 2. Partial Emulation with Memory Forwarding (PE/MF) 3. Partial Emulation with Peripheral Modeling (PE/PM) 4. Full Emulation (FE) 19

  24. Set-up: Corruption detection • 6 simple heuristics, monitoring the execution: 1. Segment Tracking 2. Format Specifier Tracking 3. Heap Object Tracking 4. Call Stack Tracking 5. Call Frame Tracking 6. Stack Object Tracking 20

  25. Measuring Fuzzing Throughput No Heuristics: Native Partial Emulation/Memory Forwarding Partial Emulation/Peripheral Modeling Full Emulation 10 4 Combined Heuristics: Partial Emulation/Memory Forwarding' Partial Emulation/Peripheral Modeling' #Inputs Full Emulation' 10 3 10 2 0 5 10 Corruption Ratio [%] 21

  26. Discussion, Future Work & Conclusion

  27. Insights from the experiments • Liveness checks only is a poor strategy • Full emulation is good - but rarely possible • Partial emulation can already help • But introduces significant performance overhead 22

  28. Limitations and Future Work • We focused on improving fault detection • Other challenges of fuzzing (e.g., input generation) not addressed in this work • Our experiments focused on artificial vulnerabilities • Good for improving our initial understanding • We investigated solutions based on partial emulation • Other approaches still open for research 23

  29. Conclusion • Fuzzing embedded devices requires a paradigm shift • (Partial) emulation can improve fault detection • We need good emulators • Fuzzing of embedded devices needs more investigation 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared 6/3/2020 1- Crash Identification Block The month, day and hour should be when the crash occurred Not when reported Not when you arrived 2- General

561 views • 15 slides
PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location System Website Address: http://pueblo.ms2soft.com Quick Search By: Study Location Location Crash Data Crash ID Date Crash Type LOG

555 views • 31 slides
A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas State] John Hatcliff Work on specification patterns by Matthew Dwyer, Jay Corbett, and George Avrunin http://www.cis.ksu.edu/santos/bandera

303 views • 29 slides
A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure

A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure

A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure RNA DNA Replication Encoding Proteins Protein Folding Types of DNA Manipulating DNA PCR Biological Computation CPSC

378 views • 36 slides
Crash Course into the New Finnish Government and HQ Communication Crash Course into the New

Crash Course into the New Finnish Government and HQ Communication Crash Course into the New

@amchamwatch| @HofstedeInsight @RudPedersenFIN Country Manager Network Breakfast: Crash Course into the New Finnish Government and HQ Communication Crash Course into the New Finnish Government and HQ Communication Esa Suominen Managing

262 views • 25 slides
CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain

CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain

CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain Landscape Architecture & Regional and Community Planning Kansas State University DLA Conference 2015 June 6, 2015 BACKGROUND AND CONTEXT

702 views • 31 slides
Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N.

Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N.

Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N. McDonough Archivist and Library Manager at the Kettering Foundation Owned by one cat Crash and Burn One fails toward success.

434 views • 7 slides
Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What

Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What

Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What code paths were executed What parts of the execution interacted with external data Input Determination Which input bytes influence the crash

583 views • 45 slides
Crash Course Entrepreneurship Crash Course Escape from Corporate [Case Study] Who wants

Crash Course Entrepreneurship Crash Course Escape from Corporate [Case Study] Who wants

Entrepreneurship Crash Course Entrepreneurship Crash Course Escape from Corporate [Case Study] Who wants to become your own boss, set your own schedule, work from anywhere in the world, make a lot of money, love what you do, AND

1.06k views • 79 slides
The Foreign Corrupt Practices Act US legislation with global implications Illustration:

The Foreign Corrupt Practices Act US legislation with global implications Illustration:

The Foreign Corrupt Practices Act US legislation with global implications Illustration: Getty Images Dick Thornburgh, Edward J Fishman, Michael J Missal, Jeffrey B Maletta and Matt T Morley of K&L Gates LLP examine anti-corruption

304 views • 6 slides
MATLAB crash course Cesar E. Tamayo Economics - Rutgers September 27th, 2013 1/27 MATLAB crash

MATLAB crash course Cesar E. Tamayo Economics - Rutgers September 27th, 2013 1/27 MATLAB crash

MATLAB crash course 1 / 27 MATLAB crash course Cesar E. Tamayo Economics - Rutgers September 27th, 2013 1/27 MATLAB crash course 2 / 27 Program Program I Interface: layout, menus, help, etc.. I Vectors and matrices I Graphics: I Plots,

2k views • 27 slides
Previous Studies Crash Reports Reviewed 2005-2013 crash reports 91% of crashes were

Previous Studies Crash Reports Reviewed 2005-2013 crash reports 91% of crashes were

Previous Studies Crash Reports Reviewed 2005-2013 crash reports 91% of crashes were motor vehicles vs. bikes resulting in injury to at least one person Mostly St. Augustine residents, not tourists Most people involved in

193 views • 6 slides
Towards Better Crash Frequency Modeling: Fusing Machine Learning & Econometric Methods

Towards Better Crash Frequency Modeling: Fusing Machine Learning & Econometric Methods

Towards Better Crash Frequency Modeling: Fusing Machine Learning & Econometric Methods Presenter: Behram Wali Ph.D. Student TSITE 2017 Summer Meeting Morning Session July 26, 2017 Contents Background/Challenges Conceptual

693 views • 44 slides
PAHOKEE ELEMENTARY CRASH SCENE INVESTIGATION TUES., MAY 15, 2018 The Crash--Kikis Silver Car

PAHOKEE ELEMENTARY CRASH SCENE INVESTIGATION TUES., MAY 15, 2018 The Crash--Kikis Silver Car

PAHOKEE ELEMENTARY CRASH SCENE INVESTIGATION TUES., MAY 15, 2018 The Crash--Kikis Silver Car 1. Silver Mazda License Plate: 879RYZ Car hit by front right bumper near headlight 2. Driver KIKI 3. Passengers BRITTNEY

530 views • 15 slides
Carleton University Crash Dummy Crash-Test Dummy Mainly used to improve automotive safety

Carleton University Crash Dummy Crash-Test Dummy Mainly used to improve automotive safety

Carleton University Crash Dummy Crash-Test Dummy Mainly used to improve automotive safety No dummies available for cycling accidents Load Cell Accelerometer http://blog.al.com/living-

236 views • 7 slides
You Only Live Multiple Times Black box re-use of Crash-Stop Algorithms In Realistic Crash-Recovery

You Only Live Multiple Times Black box re-use of Crash-Stop Algorithms In Realistic Crash-Recovery

You Only Live Multiple Times Black box re-use of Crash-Stop Algorithms In Realistic Crash-Recovery Settings DAVID KOZHAYA 1 , OGNJEN MARIC 2 , AND YVONNE-ANNE PIGNOLET 1 1 ABB CORPORATE RESEARCH SWITZERLAND , 2 DIGITAL ASSET SWITZERLAND A

555 views • 19 slides
Meson production in ultra-peripheral heavy ion collisions C.A. Bertulani C.A. Bertulani, 8th

Meson production in ultra-peripheral heavy ion collisions C.A. Bertulani C.A. Bertulani, 8th

Meson production in ultra-peripheral heavy ion collisions C.A. Bertulani C.A. Bertulani, 8th Workshop of the APS Topical Group on Hadronic Physics, April 11, 2019 Collaboration Fernando Navarra Victor Goncalves Adeola Adeluyi Gerhard Baur

749 views • 43 slides
A Scalable Processor with Embedded Software for Large- Scale Scientific Applications Daniel Alex

A Scalable Processor with Embedded Software for Large- Scale Scientific Applications Daniel Alex

A Scalable Processor with Embedded Software for Large- Scale Scientific Applications Daniel Alex Finkelstein and Haldun Hadimioglu Polytechnic University, Brooklyn, NY, USA Outline 1. Motivation/Goals and Related Work 2. Peripheral Context

887 views • 29 slides
Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius

Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius

Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius Muench, Chad Spensky, Nilo Redini, Aravind Machiry, Aurelien Francillon, Davide Balzarotti, Yung Ryn Choe, Christopher Kruegel, Giovanni Vigna Sandia

963 views • 71 slides
high-sensitivity Troponin T measurements and 30-day mortality after noncardiac surgery PJ

high-sensitivity Troponin T measurements and 30-day mortality after noncardiac surgery PJ

Relationship between high-sensitivity Troponin T measurements and 30-day mortality after noncardiac surgery PJ Devereaux, MD, PhD McMaster University Background >5 Million Americans >45 yrs undergo in-patient noncardiac surgery

930 views • 10 slides
Using SoC Vendor HALs in in the Zephyr Proje ject Maureen Helm, NXP What is Zephyr Project?

Using SoC Vendor HALs in in the Zephyr Proje ject Maureen Helm, NXP What is Zephyr Project?

Using SoC Vendor HALs in in the Zephyr Proje ject Maureen Helm, NXP What is Zephyr Project? Small Footprint RTOS Truly Open Source Cross Architecture As small as 8KB Apache 2.0 License ARM Enables Hosted by Linux

340 views • 16 slides
ARM Assembly Language and Machine Code Goal: Blink an LED Summary You need to understand how

ARM Assembly Language and Machine Code Goal: Blink an LED Summary You need to understand how

ARM Assembly Language and Machine Code Goal: Blink an LED Summary You need to understand how processors represent and execute instructions Instruction set architecture often easier to understand by looking at the bits. Encoding instructions

636 views • 62 slides
System em on a a Programable C Chi hip p (SoPC) Cristian Sister erna Universidad Nacional

System em on a a Programable C Chi hip p (SoPC) Cristian Sister erna Universidad Nacional

System em on a a Programable C Chi hip p (SoPC) Cristian Sister erna Universidad Nacional San Juan Argentina SoC ICTP 1 Some backgr kgrou ound fro rom you. . Who knows about VHDL/Verilog? Who knows about FPGA? Who knows

357 views • 11 slides
Review Final exam Final exam will be 11-12 problems, drop any 2 Cumulative up to and including

Review Final exam Final exam will be 11-12 problems, drop any 2 Cumulative up to and including

Review Final exam Final exam will be 11-12 problems, drop any 2 Cumulative up to and including week 13 (emphasis on weeks 10-13: classes & pointers) 2 hours exam time, so 12 min per problem (midterm 2 had 8-ish) Review: Overview

769 views • 39 slides

More recommend