whitebox fuzzing
play

Whitebox Fuzzing David Molnar Microsoft Research Problem: Security - PowerPoint PPT Presentation

Dec 01, 2023 •123 likes •493 views

Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds of file formats are supported in Windows, Office, et al. Many written in C/C++ Programming errors security bugs! Random choice of x: one

  1. Whitebox Fuzzing David Molnar Microsoft Research

  2. Problem: Security Bugs in File Parsers Hundreds of file formats are supported in Windows, Office, et al. Many written in C/C++ Programming errors  security bugs!

  4. Random choice of x: one chance in 2^32 to find error “Fuzz testing” Widely used, remarkably effective!

  5. Core idea: 1) Pick an arbitrary “seed” input 2) Record path taken by program executing on “seed” 3) Create symbolic abstraction of path and generate tests

  6. Example: 1) Pick x to be 5 2) Record y = 5+3 = 8, record program tests “8 ?= 13” 3) Symbolic path condition : “x + 3 != 13”

  7. How SAGE Works void top(char input[4]) input = “good” Gen 1 { Path th con constrai straint: nt: int cnt = 0; bood  I 0 =‘b’ I 0 !=‘b’ if (input[0] == ‘b’) cnt++; gaod  I 1 =‘a’ I 1 !=‘a’ if (input[1] == ‘a’) cnt++;  I 2 =‘d’ godd if (input[2] == ‘d’) cnt++; I 2 !=‘d’  I 3 =‘!’ if (input[3] == ‘!’) cnt++; I 3 !=‘!’ goo ! if (cnt >= 4) crash(); MSR’s Z3 good constraint solver } Create new constraints to cover new paths Solve new constraints  new inputs

  8. How SAGE Works void top(char input[4]) input in input in in input input in ut = ut = ut = ut = = “ badd ” = “ baod ” = “ bad! ” = “ bood ” Gen 1 Gen 2 Gen 3 Gen 4 { Path th con constrai straint: nt: int cnt = 0; bood …  I 0 =‘b’ I 0 !=‘b’ if (input[0] == ‘b’) cnt++; gaod baod …  I 1 =‘a’ I 1 !=‘a’ if (input[1] == ‘a’) cnt++;  I 2 =‘d’ godd … badd … if (input[2] == ‘d’) cnt++; I 2 !=‘d’  I 3 =‘!’ if (input[3] == ‘!’) cnt++; I 3 !=‘!’ goo ! … bad ! if (cnt >= 4) crash(); } SAGE finds the crash! Create new constraints to cover new paths Solve new constraints  new inputs

  10. Work with x86 binary code on Windows Leverage full-instruction-trace recording Pros: • If you can run it, you can analyze it • Don’t care about build processes • Don’t care if source code available Cons: • Lose programmer’s intent (e.g. types) • Hard to “see” string manipulation, memory object graph manipulation, etc.

  11. Hand-written models (so far) Uses Z3 support for non-linear operations Normally “concretize” memory accesses where address is symbolic

  13. SAGE: A Whitebox Fuzzing Tool Coverage Constraints Input0 Data Binary Check for Code Analysis to Solve Crashes Coverage Generate Constraints (AppVerifier) (Nirvana) Constraints (Z3) (TruScan) Input1 Input2 … InputN

  16. Research Behind SAGE • Precision in symbolic execution: PLDI’05, PLDI’11 • Scaling to billions of instructions: NDSS’08 • Checking many properties together: EMSOFT’08 • Grammars for complex input formats: PLDI’08 • Strategies for dealing with path explosion: POPL’07, TACAS’08, POPL’10, SAS’11 • Reasoning precisely about pointers: ISSTA’09 • Floating-point instructions: ISSTA’10 • Input-dependent loops: ISSTA’11 + research on constraint solvers (Z3)

  17. Challenges: from Research to Production 1) Symbolic execution on long traces 2) Fast constraint generation and solving 3) Months-long searches 4) Hundreds of test drivers & file formats 5) Fault-tolerance

  18. A Single Symbolic Execution of an Office App # of instructions executed 1.45 billion # instructions after reading from file 928 million # constraints in path constraint 25,958 # constraints dropped due to optimizations 438,123 # of satisfiable constraints  new tests 2,980 # of unsatisfiable constraints 22,978 # of constraint solver timeouts (> 5 seconds) 0 Symbolic execution time 45 minutes 45 seconds Constraint solving time 15 minutes 53 seconds

  19. SAGAN and SAGECloud for Telemetry and Management Hundreds of machines / VMs on average Hundreds of applications on thousands of “seed files” Over 500 machine-years of whitebox fuzzing!

  20. Challenges: From Research to Production 1) Symbolic execution on long traces SAGAN telemetry points out imprecision 2) Fast constraint generation and solving SAGAN sends back long-running constraints 3) Months-long searches JobCenter monitors progress of search 4) Hundreds of test drivers & file formats JobCenter provisions apps and configurations in SAGECloud 5) Fault-tolerance SAGAN telemetry enables quick response

  21. Feedback From Telemetry At Scale How much sharing 20000 between symbolic 15000 execution of different 10000 programs run on 5000 Windows? 0 1 6 11 16 21 26 31 36 41 46 51 56 61 66 71 76 81 86 91 96

  22. Key Analyses Enabled by Data

  23. Imprecision in Symbolic Execution

  24. Distribution of crashes in the search # New crashes found Days

  25. Constraints generated by symbolic execution # symbolic executions # constraints

  26. Time to solve constraints # constraints Seconds

  27. Optimizations In Constraint Generation • Sound • Common subexpression elimination on every new constraint • Crucial for memory usage • “Related Constraint Optimization” • Unsound • Constraint subsumption • Syntactic check for implication, take strongest constraint • Drop constraints at same instruction pointer after threshold

  28. Ratio between SAT and UNSAT constraints # symbolic executions % constraints SAT

  29. Long-running tasks can be pruned!

  30. Sharing Between Symbolic Executions Sampled runs on Windows, many different file-reading applications Max frequency 17761 , min frequency 592 Total of 290430 branches flipped, 3360 distinct branches

  31. Summaries Leverage Sharing • Redundancy in searches • Redundancy in paths IF…THEN…ELSE • Redundancy in different versions of same application • Redundancy across applications • How many times does Excel/Word/PPT/… call mso.dll ? • Summaries (POPL 2007): avoid re-doing this unnecessary work • SAGAN data shows redundancy exists in practice

  32. Reflections • Data invaluable for driving investment priorities • Can’t cover all x86 instructions by hand – look at which ones are used! • Recent: synthesizing circuits from templates (Godefroid & Taly PLDI 2012) • Plus finds configuration errors, compiler changes, etc. impossible otherwise • Data can reveal test programs have special structure • Scaling to long traces needs careful attention to representation • Sometimes run out of memory on 4 GB machine with large programs • Even incomplete, unsound analysis useful because whole-program • SAGE finds bugs missed by all other methods • Supporting users & partners super important, a lot of work!

  33. Impact In Numbers • 100s of apps, 100s of bugs fixed • 3.5+ billion constraints • Largest computational usage ever for any SMT solver • 500+ machine-years

  34. SAGE-like tools outside Microsoft • KLEE http://klee.github.io/klee/ • FuzzGrind http://esec-lab.sogeti.com/pages/Fuzzgrind • SmartFuzz

  35. Thanks to all SAGE contributors! MSR  CSE Interns Z3 (MSR): Windows Office MSEC SAGE users all across Microsoft! Questions? dmolnar@microsoft.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Yet another attack on whitebox AES implementation Patrick Derbez 1 , Pierre-Alain Fouque 1 ,

Yet another attack on whitebox AES implementation Patrick Derbez 1 , Pierre-Alain Fouque 1 ,

Yet another attack on whitebox AES implementation Patrick Derbez 1 , Pierre-Alain Fouque 1 , Baptiste Lambin 1 , Brice Minaud 2 1 Univ Rennes, CNRS, IRISA 2 Royal Holloway University of London Patrick Derbez Yet another attack on whitebox AES

626 views • 51 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&D firstname dot lastname at orange-ftgroup dot com research & development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction Fuzzing Media Content in Android Data Generation Fuzzing the Stagefright Framework Logging & Triage Mechanisms 2 Introduction Fuzzing

1.12k views • 38 slides
NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein, Junfeng Yang, Baishakhi Ray, and Suman Jana Columbia University 1 Fuzzing: a popular way to uncover bugs [Liang et al. 2019] 2 Evolutionary Fuzzing

1.02k views • 26 slides
ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma background What is fuzzing: feed random inputs to trigger as many crashes and hangs as possible What is state-of-the-art of fuzzing research:

494 views • 18 slides
FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim * 1 Fuzzing Discovers Many Vulnerabilities 2 Fuzzing Discovers Many Vulnerabilities 3 Testers Find Bugs with Fuzzing

1.13k views • 65 slides
No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk Fuzzing binaries is hard! Few tools, complex setup Fuzzing binaries in the kernel is even harder! New approach based on static rewriting High

488 views • 46 slides
Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li, Bihuan Chen, Xiaofei Xie, Xiuheng Wu, Yang Liu October 18, 2018 1 Mutation Based Grey-box Fuzzing General-purpose Grey-box Fuzzing: Cover more

476 views • 33 slides
Coding Sprints From 4pm we will have a Practical session based on the Sage software. Depending on

Coding Sprints From 4pm we will have a Practical session based on the Sage software. Depending on

Coding Sprints From 4pm we will have a Practical session based on the Sage software. Depending on your goals/experience, you can program in any of the following languages: Sage (the easiest way if you do not have a c compiler) Python (the

181 views • 5 slides
New Customer Acquisition at Sage: A More Scientific Approach Dan Taylor, Customer Insights

New Customer Acquisition at Sage: A More Scientific Approach Dan Taylor, Customer Insights

New Customer Acquisition at Sage: A More Scientific Approach Dan Taylor, Customer Insights Manager UKI Jen Unwin, Customer Insights Analyst UKI What are we going to cover? About Sage Our Analytics Team Preparing to Model Using Enterprise

199 views • 16 slides
Global Observations of Aerosol and Ozone from SAGE III ISS A First Year Showcase 46 th Global

Global Observations of Aerosol and Ozone from SAGE III ISS A First Year Showcase 46 th Global

Global Observations of Aerosol and Ozone from SAGE III ISS A First Year Showcase 46 th Global Monitoring Annual Conference SAGE III ISS Global Perspective Kevin Leavor Kevin R. Leavor 1 SAGE Overview NDACC kevin.r.leavor@nasa.gov

349 views • 15 slides
SAGE : Can we detect gravitational waves with CubeSats? S . Lacour, P . Bourget, M. Nowak, F .

SAGE : Can we detect gravitational waves with CubeSats? S . Lacour, P . Bourget, M. Nowak, F .

SAGE : Can we detect gravitational waves with CubeSats? S . Lacour, P . Bourget, M. Nowak, F . Vincent, V . Lapeyrere, L. David, A. Le Tiec, A. Kellerer, O. S traub, J. Woillez PICSAT Photometer 100ppm Technology demonstrator for

561 views • 27 slides
Project Presentations CT @ VT Project Presentations Daniel Almeida Airport Locator

Project Presentations CT @ VT Project Presentations Daniel Almeida Airport Locator

Introduction to Computational Thinking Project Presentations CT @ VT Project Presentations Daniel Almeida Airport Locator Robert Ashton Political Representation Zachary Barbaria Drug Usage Kyle Bentley - Hospital

758 views • 64 slides
Auto-sizing for Stream Processing Applications at LinkedIn Rayman Preet Singh, Bharath

Auto-sizing for Stream Processing Applications at LinkedIn Rayman Preet Singh, Bharath

Auto-sizing for Stream Processing Applications at LinkedIn Rayman Preet Singh, Bharath Kumarasubramanian, Prateek Maheshwari, and Samarth Shetty Stream Processing @ LinkedIn Stream Processing Skills Top App Skills Jobs Streaming input,

520 views • 37 slides
Debian and (large scale) System Administration Alexander Zangerl Bond University az@

Debian and (large scale) System Administration Alexander Zangerl Bond University az@

Debian and (large scale) System Administration Alexander Zangerl Bond University az@ debian.org,bond.edu.au Debian and (large scale) System Administration p.1 Last Minute Yuck If you find that the paper in the

879 views • 48 slides
gravitational-wave bursts with memory Marc Favata UWM Objectives: Provide a general

gravitational-wave bursts with memory Marc Favata UWM Objectives: Provide a general

gravitational-wave bursts with memory Marc Favata UWM Objectives: Provide a general overview of the memory effect applicable to all GW sources ( not just compact-object binaries). Understand how to describe memory signals and make rough

514 views • 17 slides

More recommend