What You Corrupt Is Not What You Crash: Challenges in Fuzzing - - PowerPoint PPT Presentation



slide-1
SLIDE 1

What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices

Marius Muench (1), Jan Stijohann (2,3), Frank Kargl (3), Aurélien Francillon (1), Davide Balzarotti (1)

(1) EURECOM, (2) Siemens AG, (3) Ulm University

slide-2
SLIDE 2

Introduction

  • Embedded devices are becoming increasingly important
  • Vulnerabilities go beyond misconfigurations, weak authentication, hard-coded keys, etc.
  • Fuzz testing is a popular and effective method for uncovering programming errors
  • A variety of work improves input generation and fault detection for fuzzing

1

slide-3
SLIDE 3

Problem Statement

How efficient are we at fuzzing embedded devices? Can we do it better?

2

slide-4
SLIDE 4

Fuzzing, Corruptions & Crashes

slide-5
SLIDE 5

Starting Point

Corruption = Crash

3

slide-6
SLIDE 6

Embedded Devices: A minimalistic classification

  • Type-I: General purpose OS-based
  • Type-II: Embedded OS-based
  • Type-III: No OS-Abstraction

4

slide-7
SLIDE 7

Challenge #1: Fault Detection

  • Lack of basic features, such as:
      • Memory Management Unit (MMU)
      • Heap consistency checks
      • Canaries
  • Often the only solution: basic liveness checks

5

slide-8
SLIDE 8

Challenge #2: Performance & Scalability

  • Fuzzing greatly benefits from parallelization
  • This would mean 1 device per instance
  • Frequent restarts are required
  • Fast for software, slow for full systems

6

slide-9
SLIDE 9

Challenge #3: Instrumentation

  • Hard to retrieve coverage information
  • Tools for turning silent corruptions into observable ones are rarely available
      • Unsupported instruction set architectures
      • Operation tied to OS-specific features

7

slide-10
SLIDE 10

Measuring the effect of memory corruptions

  • Five common types of memory corruptions
  • Insertion of artificial bugs in two popular open source programs
      • Expat
      • mbedTLS
  • Trigger condition inspired by LAVA [1]
  • Vulnerable programs are compiled for four different devices

[1] Dolan-Gavitt, Brendan, et al. "LAVA: Large-scale automated vulnerability addition." IEEE Symposium on Security and Privacy (SP), 2016.

8

slide-11
SLIDE 11

Effects of Corruptions across different systems

Platform                     Desktop   Type-I           Type-II        Type-III
Format String                ✓         ✓                ✗              ✗
Stack-based buffer overflow  ✓         ✓                ✓ (opaque)     ! (hang)
Heap-based buffer overflow   ✓         ! (late crash)   ✗              ✗
Double Free                  ✓         ✓                ✗              ✗ (malfunc.)
Null Pointer Dereference     ✓         ✓                ✓ (reboot)     (malfunc.)

9

slide-12
SLIDE 12

Possible Directions for Improvement

  • Static Instrumentation
  • Binary Rewriting
  • Physical Re-Hosting
  • Full Emulation
  • Partial Emulation
  • Hardware-Supported Instrumentation

10


slide-14
SLIDE 14

Leveraging (partial) emulation to improve fuzz testing

slide-15
SLIDE 15

Set-up: Overview

[Figure: setup diagram with Avatar2, PANDA, boofuzz and the Embedded Device; labels Analysis Plugins, Emulation, MMIO, Peripherals, Fuzz Inputs]

Figure 1: Setup for fuzzing utilizing partial emulation

Code will be available at: https://github.com/avatartwo/ndss18_wycinwyc

11

slide-16
SLIDE 16

Set-up: Target

  • The vulnerable expat program, as seen in the last part
  • Focus on a Type-III device
  • Fuzzed in four different configurations

12

slide-17
SLIDE 17

Set-up: Native

[Figure: setup diagram with Avatar2, PANDA, boofuzz and the Embedded Device; labels Analysis Plugins, Emulation, MMIO, Peripherals, Fuzz Inputs]

  1. Native (NAT)
  2. Partial Emulation with Memory Forwarding (PE/MF)
  3. Partial Emulation with Peripheral Modeling (PE/PM)
  4. Full Emulation (FE)

13

slide-18
SLIDE 18

Set-up: PE/MF

[Figure: setup diagram with Avatar2, PANDA, boofuzz and the Embedded Device; labels Analysis Plugins, Emulation, MMIO, Peripherals, Fuzz Inputs]

  1. Native (NAT)
  2. Partial Emulation with Memory Forwarding (PE/MF)
  3. Partial Emulation with Peripheral Modeling (PE/PM)
  4. Full Emulation (FE)

14

slide-19
SLIDE 19

Set-up: PE/PM

[Figure: setup diagram with Avatar2, PANDA, boofuzz and the Embedded Device; labels Analysis Plugins, Emulation, MMIO, Peripherals, Fuzz Inputs]

  1. Native (NAT)
  2. Partial Emulation with Memory Forwarding (PE/MF)
  3. Partial Emulation with Peripheral Modeling (PE/PM)
  4. Full Emulation (FE)

15

slide-20
SLIDE 20

Set-up: FE

[Figure: setup diagram with Avatar2, PANDA, boofuzz and the Embedded Device; labels Analysis Plugins, Emulation, MMIO, Peripherals, Fuzz Inputs]

  1. Native (NAT)
  2. Partial Emulation with Memory Forwarding (PE/MF)
  3. Partial Emulation with Peripheral Modeling (PE/PM)
  4. Full Emulation (FE)

16

slide-21
SLIDE 21

Set-up: Fuzzer

  • boofuzz [2], a Python-based fuzzer built on Sulley
  • Configured to trigger the corruptions with different ratios
  • Used for 100 fuzzing sessions of one hour each

[2] https://github.com/jtpereyda/boofuzz

17

slide-22
SLIDE 22

Set-up: Corruption Detection

[Figure: setup diagram with Avatar2, PANDA, boofuzz and the Embedded Device; labels Analysis Plugins, Emulation, MMIO, Peripherals, Fuzz Inputs]

  1. Native (NAT)
  2. Partial Emulation with Memory Forwarding (PE/MF)
  3. Partial Emulation with Peripheral Modeling (PE/PM)
  4. Full Emulation (FE)

18

slide-23
SLIDE 23

Set-up: Corruption Detection

[Figure: setup diagram with Avatar2, PANDA, boofuzz and the Embedded Device; labels Analysis Plugins, Emulation, MMIO, Peripherals, Fuzz Inputs]

  1. Native (NAT)
  2. Partial Emulation with Memory Forwarding (PE/MF)
  3. Partial Emulation with Peripheral Modeling (PE/PM)
  4. Full Emulation (FE)

19

slide-24
SLIDE 24

Set-up: Corruption detection

  • 6 simple heuristics, monitoring the execution:
      1. Segment Tracking
      2. Format Specifier Tracking
      3. Heap Object Tracking
      4. Call Stack Tracking
      5. Call Frame Tracking
      6. Stack Object Tracking
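As an added example (not code from the paper or from its avatar2/PANDA plugins), a toy Python monitor implementing two of these heuristics, segment tracking and heap object tracking, over a constructed access trace; the memory map, addresses and event format are all hypothetical.

```python
from dataclasses import dataclass, field

# Constructed memory map of a hypothetical Type-III (no MMU) target: (name, start, end).
# The heap is carved out of SRAM; nothing is mapped at address 0 on purpose.
MEMORY_MAP = [("flash", 0x08000000, 0x08100000), ("sram", 0x20000000, 0x20020000)]
HEAP_START, HEAP_END = 0x20001000, 0x20005000

@dataclass
class CorruptionMonitor:
    live: dict = field(default_factory=dict)      # chunk base -> size
    findings: list = field(default_factory=list)  # (description, address)

    def on_alloc(self, base, size):
        self.live[base] = size

    def on_free(self, base):
        # Heap object tracking: freeing a chunk that is not live is a double/invalid free.
        if self.live.pop(base, None) is None:
            self.findings.append(("double or invalid free", base))

    def on_access(self, kind, addr, size):
        # Segment tracking: without an MMU an access outside every mapped segment does
        # not fault, so the monitor itself has to turn it into an observable finding.
        if not any(lo <= addr and addr + size <= hi for _, lo, hi in MEMORY_MAP):
            self.findings.append((f"out-of-segment {kind}", addr))
        elif HEAP_START <= addr < HEAP_END:
            # Heap object tracking: start inside a live chunk and stay within its end.
            chunk = next(((b, n) for b, n in self.live.items() if b <= addr < b + n), None)
            if chunk is None:
                self.findings.append((f"{kind} to freed or unallocated heap", addr))
            elif addr + size > sum(chunk):
                self.findings.append((f"heap overflow on {kind}", addr))

def run_trace(events):
    # Feed (kind, addr[, size]) events, as an emulator memory hook would; return findings.
    mon = CorruptionMonitor()
    for ev in events:
        if ev[0] == "alloc":
            mon.on_alloc(ev[1], ev[2])
        elif ev[0] == "free":
            mon.on_free(ev[1])
        else:
            mon.on_access(ev[0], ev[1], ev[2])
    return mon.findings

# Constructed trace: 16-byte chunk, in-bounds write, 4-byte overflow, double free,
# use after free, NULL read. None of these needs to crash a Type-III device.
TRACE = [("alloc", 0x20001000, 16), ("write", 0x20001000, 16), ("write", 0x2000100C, 8),
         ("free", 0x20001000), ("free", 0x20001000), ("write", 0x20001000, 4),
         ("read", 0x00000000, 4)]
```

Running `run_trace(TRACE)` yields four findings, one per silent corruption in the trace, while the in-bounds write produces none.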

20

slide-25
SLIDE 25

Measuring Fuzzing Throughput

[Figure: fuzzing throughput; x-axis Corruption Ratio [%] (ticks 5, 10), y-axis #Inputs on a log scale (10^2 to 10^4). Series without heuristics: Native, Partial Emulation/Memory Forwarding, Partial Emulation/Peripheral Modeling, Full Emulation. Series with combined heuristics: Partial Emulation/Memory Forwarding', Partial Emulation/Peripheral Modeling', Full Emulation']

21

slide-26
SLIDE 26

Discussion, Future Work & Conclusion

slide-27
SLIDE 27

Insights from the experiments

  • Relying on liveness checks alone is a poor strategy
  • Full emulation is good, but rarely possible
  • Partial emulation can already help
      • But it introduces significant performance overhead

22

slide-28
SLIDE 28

Limitations and Future Work

  • We focused on improving fault detection
      • Other challenges of fuzzing (e.g., input generation) are not addressed in this work
  • Our experiments focused on artificial vulnerabilities
      • Good for improving our initial understanding
  • We investigated solutions based on partial emulation
      • Other approaches are still open for research

23

slide-29
SLIDE 29

Conclusion

  • Fuzzing embedded devices requires a paradigm shift
  • (Partial) emulation can improve fault detection
  • We need good emulators
  • Fuzzing of embedded devices needs more investigation

24