About Directed Fuzzing and Use-After-Free: How to Find Complex & Silent Bugs?
Manh-Dung Nguyen, Sébastien Bardin, Matthieu Lemerre (CEA LIST)
Richard Bonichon (Tweag I/O)
Roland Groz (Université Grenoble Alpes)
#BHUSA @BLACKHATEVENTS

Who Are We?
● Manh-Dung Nguyen (@dungnm1710, manh-dung.nguyen@cea.fr): PhD Student at CEA LIST & UGA
● Sébastien Bardin (sebastien.bardin@cea.fr): Senior Researcher at CEA LIST
Université Paris-Saclay
What’s The Talk About?
● Fuzzing is great for finding vulnerabilities in the wild
● Directed fuzzing is a slightly different setting
  ○ Goal = reach a specific target
  ○ Bug reproduction, patch-oriented testing
● The problem: current fuzzing techniques are bad for some classes of issues
  ○ Here: “Use-After-Free” (UAF)
  ○ Important: sensitive info leaks, data corruption, or first step to other attacks
● Proposal: a directed fuzzing approach tailored to UAF bugs
  ○ and applications to patch-oriented testing
  ○ and a tour on UAF and (directed) fuzzing

Use-After-Free
● Heap element is used after having been freed
● Critical exploits & serious consequences
  ○ Data corruption
  ○ Information leaks
  ○ Denial-of-service attacks
[Chart: # UAF bugs in National Vulnerability Database]

Teaser
● PoC: ‘AFU’ → no crash
● Bug Target: 14 (alloc) → 17 → 6 → 3 (free) → 19 (use)
● Timeout: 6h
[Figure: alloc / free / use locations in the example program]
Time to reproduce the bug:
  AFLGo (source):    6 hours
  AFL-QEMU (binary): 6 hours
  UAFuzz (binary):   ~20 mins
1. Context -- about fuzzing, directed fuzzing

Code-level Flaws: Fuzzing is The New Hype
At Its Core, Fuzzing is Random Testing -- and it started a long time ago
Now: Three Shades of Fuzzing
• The original taste: scales but dumb
• Smart, but doesn’t scale too much
• The new prodigy: tries to be smart & scale

Principle of Grey/Black Fuzzing
[Figure: fuzzing loop] Choose “good” inputs → Mutations → Observe & compute score → (repeat)
Greybox observes more
The art, science, and engineering of fuzzing: A survey (Manès et al. 2019)

No Silver Bullet
Target-oriented Testing?
Complex Code Structure
Complex Bugs

Directed Greybox Fuzzing (DGF)
● Input: code + target (trace, code location)
● Goal = cover the target
● AFLGo (2017), Hawkeye (2018)
● Applications:
  ○ Bug reproduction
  ○ Patch-oriented testing
  ○ Static analysis report confirmation

Coverage-guided Greybox Fuzzing (AFL)
[Figure: AFL workflow] Initial Testsuite + Binary → Instrumentation (Edge ID) → Fuzzing Loop (Seed Selection, Power Schedule, driven by execution characteristics) → Crash-based Triage → Bugs

Directed Greybox Fuzzing (AFLGo, Hawkeye)
[Figure: DGF workflow] Initial Testsuite + Binary + Targets → Distance Instrumentation (Edge ID + Distance) → Fuzzing Loop (Distance-guided Seed Selection, Power Schedule, driven by seed distance and execution characteristics) → Crash-based Triage → Bugs
2. Back to Use-After-Free (UAF)

Why is Detecting UAF Hard for Fuzzing?
● Rarely found by fuzzers
  ○ Complexity: 3 events in sequence spanning multiple functions
  ○ Temporal & spatial constraints: extremely difficult to meet in practice
  ○ Silence: no segmentation fault
[Chart: # UAF bugs found (1%) by OSS-Fuzz in 2017]

Recall: Motivation
● PoC: ‘AFU’ → no crash
● Bug Target: 14 (alloc) → 17 → 6 → 3 (free) → 19 (use)
● Timeout: 6h
Time to reproduce the bug:
  AFLGo (source):    6 hours
  AFL-QEMU (binary): 6 hours
  UAFuzz (binary):   ~20 mins
3. UAFuzz: Directed Fuzzing for UAF

Existing DGF: #1 No Ordering & No Prioritization
[Figure: DGF workflow, annotated] Targets: no order; Seed Selection / Power Schedule: treat everything equally; Distance Instrumentation: treat edges equally; Crash-based Triage → UAF Bugs; overall: Slow

Existing DGF: #2 Crash Assumption
[Figure: DGF workflow, annotated] Targets: no order; Seed Selection / Power Schedule: treat everything equally; Distance Instrumentation: treat edges equally; Triage: expensive sanitizer-based triage → UAF Bugs; overall: Slow

Overview of UAFuzz [tailor every fuzzing step to UAF]
[Figure: UAFuzz workflow] Initial Testsuite + Binary + Targets → Instrumentation (Edge ID + Distance (UAF-based), Cut-edge Coverage, Target Similarity) → Fuzzing Loop (Seed Selection, Power Schedule, driven by execution characteristics) → Triage (pre-triage for free) → UAF Bugs; overall: Fast

Key Insights of UAFuzz
★ Seed Selection: based on similarity and ordering of the input trace
★ Power Schedule: based on 3 seed metrics dedicated to UAF
  ○ [function level] UAF-based Distance: prioritize call traces covering UAF events
  ○ [edge level] Cut-edge Coverage: cover edge destinations reaching targets
  ○ [basic block level] Target Similarity: cover targets
★ Triage only potential inputs covering all locations & pre-filter for free
★ Fast precomputation at binary level
UAF Bug Target: Dynamic Calling Tree
Stack Traces of CVE-2018-20623 (Valgrind Memcheck output; [n] marks the node id assigned by Bug Trace Flattening)
// stack trace for the bad Use
==4440== Invalid read of size 1
==4440==    at 0x40A8383: vfprintf (vfprintf.c:1632)
==4440==    by 0x40A8670: buffered_vfprintf (vfprintf.c:2320)
==4440==    by 0x40A62D0: vfprintf (vfprintf.c:1293)
[6] ==4440==    by 0x80AA58A: error (elfcomm.c:43)
[5] ==4440==    by 0x8085384: process_archive (readelf.c:19063)
[1] ==4440==    by 0x8085A57: process_file (readelf.c:19242)
[0] ==4440==    by 0x8085C6E: main (readelf.c:19318)
// stack trace for the Free
==4440== Address 0x421fdc8 is 0 bytes inside a block of size 86 free'd
==4440==    at 0x402D358: free (in vgpreload_memcheck-x86-linux.so)
[4] ==4440==    by 0x80857B4: process_archive (readelf.c:19178)
[1] ==4440==    by 0x8085A57: process_file (readelf.c:19242)
[0] ==4440==    by 0x8085C6E: main (readelf.c:19318)
// stack trace for the Alloc
==4440== Block was alloc'd at
==4440==    at 0x402C17C: malloc (in vgpreload_memcheck-x86-linux.so)
[3] ==4440==    by 0x80AC687: make_qualified_name (elfcomm.c:906)
[2] ==4440==    by 0x80854BD: process_archive (readelf.c:19089)
[1] ==4440==    by 0x8085A57: process_file (readelf.c:19242)
[0] ==4440==    by 0x8085C6E: main (readelf.c:19318)
Bug Trace Flattening → UAF Bug Target:
0 (0x8085C6E, main) → 1 (0x8085A57, process_file) → 2 (0x80854BD, process_archive) → 3 (0x80AC687, make_qualified_name) → 4 (0x80857B4, process_archive) → 5 (0x8085384, process_archive) → 6 (0x80AA58A, error)
UAF-based Distance Metric
● Existing works compute seed distance
  ○ regardless of target ordering
  ○ regardless of the UAF characteristic: call traces may contain the alloc/free functions in sequence and reach the use function
● Intuition: UAFuzz favors the shortest path that is likely to cover more than 2 UAF events in sequence
  ○ Statically identify and decrease weights of (caller, callee) pairs in the Call Graph
  ○ Ex: favored call traces <main, f2, f_use>, <main, f1, f3, f_use>
[Figure: example of Call Graph, favored pairs (caller, callee) are in red]
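The weighting idea above, worked through on a toy call graph as an added Python example (not code from the talk or from UAFuzz itself). Everything in it is an assumption chosen for illustration: the call graph, the rule that a (caller, callee) pair is favored when the callee can still reach all three event functions (so a trace through it can cover alloc, free and use in sequence), the favored weight of 0.5 (the talk only says weights are decreased), and the AFLGo-style seed distance as the mean of per-function distances along the executed call trace. The unweighted baseline cannot distinguish a trace that passes through alloc/free on its way to the use function from one that only reaches the use function; the UAF-weighted distance ranks the former closer.

```python
import heapq
from statistics import mean

# Constructed call graph (caller -> callees) of a toy program; an assumption for this
# example, not the binutils target from the talk.  f2 and f3 call the alloc, free and
# use functions; f4/f5 only reach the use function.
CALL_GRAPH = {
    "main": ["f1", "f2", "f4"],
    "f1": ["f3"],
    "f2": ["f_alloc", "f_free", "f_use"],
    "f3": ["f_alloc", "f_free", "f_use"],
    "f4": ["f5"],
    "f5": ["f_use"],
    "f_alloc": [], "f_free": [], "f_use": [],
}
UAF_EVENT_FUNCS = {"f_alloc", "f_free", "f_use"}  # functions holding the 3 UAF events
FAVORED_WEIGHT = 0.5  # assumed value: the talk only says favored pairs get a lower weight
NORMAL_WEIGHT = 1.0


def reachable_functions(graph, start):
    """Set of functions transitively callable from start."""
    seen, stack = set(), [start]
    while stack:
        f = stack.pop()
        for callee in graph.get(f, []):
            if callee not in seen:
                seen.add(callee)
                stack.append(callee)
    return seen


def favored_pairs(graph, events):
    """(caller, callee) pairs whose callee can still reach every UAF event function,
    i.e. call traces going through them can cover alloc, free and use in sequence."""
    return {(caller, callee)
            for caller, callees in graph.items()
            for callee in callees
            if events <= reachable_functions(graph, callee)}


def function_distances(graph, target, favored):
    """Weighted shortest-path distance from every function to the target function
    (Dijkstra run backwards over the call graph; favored edges weigh less)."""
    reverse = {}
    for caller, callees in graph.items():
        for callee in callees:
            w = FAVORED_WEIGHT if (caller, callee) in favored else NORMAL_WEIGHT
            reverse.setdefault(callee, []).append((caller, w))
    dist = {target: 0.0}
    heap = [(0.0, target)]
    while heap:
        d, f = heapq.heappop(heap)
        if d > dist[f]:
            continue
        for caller, w in reverse.get(f, []):
            if d + w < dist.get(caller, float("inf")):
                dist[caller] = d + w
                heapq.heappush(heap, (d + w, caller))
    return dist


def seed_distance(call_trace, dist):
    """Seed-level distance: mean of per-function distances along the executed call
    trace (AFLGo-style averaging, assumed here for illustration); lower is closer."""
    ds = [dist[f] for f in call_trace if f in dist]
    return mean(ds) if ds else float("inf")


if __name__ == "__main__":
    favored = favored_pairs(CALL_GRAPH, UAF_EVENT_FUNCS)
    uaf = function_distances(CALL_GRAPH, "f_use", favored)
    plain = function_distances(CALL_GRAPH, "f_use", set())
    for trace in (["main", "f2", "f_use"],
                  ["main", "f1", "f3", "f_use"],
                  ["main", "f4", "f5", "f_use"]):
        print(trace, "plain:", round(seed_distance(trace, plain), 3),
              "uaf:", round(seed_distance(trace, uaf), 3))
```

With equal weights the traces <main, f1, f3, f_use> and <main, f4, f5, f_use> tie; with the favored pairs (main, f1), (main, f2) and (f1, f3) weighted down, the two traces that pass through alloc/free functions come out closer than the one that merely reaches the use function.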
Cut-edge Coverage Metric
● Existing works treat edges equally in terms of reaching targets in sequence
● Cut-edge
  ○ Edge destinations are more likely to reach the next target in the bug trace
  ○ Approximately identified via static intraprocedural analysis of CFGs
● Intuition: UAFuzz favors inputs exercising more cut edges, via a score depending on # covered cut edges and their hit counts
[Figure: Control Flow Graph from entry point ep with call sites ➀ call f1 and ➁ call f2; cut edges are in blue]
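An added Python example (not code from the talk or from UAFuzz) of identifying cut edges statically inside one function's CFG and scoring executed traces with them. The CFG is constructed for this example, mirroring the slide's shape (entry point ep, a first call site, a second call site): block B stands for "call f1" and block E for "call f2". The cut-edge rule used here is an assumption: at every branch point lying between two consecutive targets, an out-edge is a cut edge if its destination can still reach the next target, and a sibling that cannot is a non-cut edge. The scoring form (one point per distinct cut edge covered plus log2 of its hit count) is also assumed; the talk only says the score depends on the number of covered cut edges and their hit counts.

```python
import math

# Constructed intraprocedural CFG (basic block -> successors) of one function; an
# assumption for this example, not a CFG from the talk.  Block "B" holds the call
# site "call f1" and block "E" the call site "call f2", in bug-trace order.
CFG = {
    "ep": ["A"],
    "A": ["B", "C"],      # branch point: only B leads to the first call site
    "B": ["D"],           # target 1: call f1
    "C": ["exit"],
    "D": ["E", "F"],      # branch point: only E leads to the second call site
    "E": ["D", "exit"],   # target 2: call f2 (may loop back to D)
    "F": ["exit"],
    "exit": [],
}
ENTRY = "ep"
TARGETS = ["B", "E"]   # in-function targets, in the order the bug trace visits them


def can_reach(cfg, src, dst):
    """Static reachability inside the CFG (src == dst counts as reachable)."""
    seen, stack = set(), [src]
    while stack:
        n = stack.pop()
        if n == dst:
            return True
        for succ in cfg.get(n, []):
            if succ not in seen:
                seen.add(succ)
                stack.append(succ)
    return False


def cut_edges(cfg, entry, targets):
    """Edges leaving a branch point between consecutive targets whose destination
    can still reach the next target; their siblings that cannot are non-cut edges."""
    cut = set()
    prev = entry
    for nxt in targets:
        for u, succs in cfg.items():
            if len(succs) < 2 or u == nxt or not can_reach(cfg, prev, u):
                continue  # only branch points on the way from prev to nxt
            for v in succs:
                if can_reach(cfg, v, nxt):
                    cut.add((u, v))
        prev = nxt
    return cut


def cut_edge_score(block_trace, cut):
    """Score an executed block trace: one point per distinct cut edge covered, plus
    log2 of its hit count (assumed scoring form; higher means better decisions)."""
    hits = {}
    for u, v in zip(block_trace, block_trace[1:]):
        if (u, v) in cut:
            hits[(u, v)] = hits.get((u, v), 0) + 1
    return sum(1 + math.log2(h) for h in hits.values())


if __name__ == "__main__":
    cut = cut_edges(CFG, ENTRY, TARGETS)
    print("cut edges:", sorted(cut))
    for trace in (["ep", "A", "B", "D", "E", "D", "E", "D", "F", "exit"],
                  ["ep", "A", "B", "D", "E", "D", "F", "exit"],
                  ["ep", "A", "C", "exit"]):
        print(trace, "->", cut_edge_score(trace, cut))
```

Only (A, B) and (D, E) come out as cut edges: (A, C) and (D, F) lead away from the next target, so an input that takes them is making the wrong decision at that junction and gets no credit for it.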
Target Similarity Metric
● Existing works select seeds to be mutated regardless of the number of covered target locations
● Target Similarity Metric
  ○ Prefix: more precise
  ○ Bag: less precise, but considers the whole trace
● Intuition: Seed Selection heuristic based on both prefix and bag metrics
  ○ Select more frequently max-reaching inputs that have the highest value of this metric (most similar to the bug trace) so far
[Figure] Bug Trace: 0 (alloc) → 1 → 2 (free) → 3 → 4 → 5 (use); trace of input s: 0 → 1 → 2 → 3 → 7 → 8 → 5

Power Schedule
Intuition: UAFuzz assigns more energy (a.k.a. # mutants) to
● seeds that are closer (using UAF-based Distance)
● seeds that are more similar to the bug trace (using Target Similarity Metric)
● seeds that make better decisions at critical code junctions (using Cut-edge Coverage Metric)

Pre-filter
● Existing works simply send all fuzzed inputs to the bug triager
● Potential inputs: cover in sequence all target locations in the bug trace
● UAFuzz triages only potential inputs & safely discards others
  ○ Available for free after the fuzzing process via Target Similarity Metric
  ○ Saving a huge amount of time in bug triaging
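The Target Similarity Metric and the Pre-filter it enables, as one added Python example (not code from the talk or from UAFuzz). The bug trace and input s1 are taken from the Target Similarity slide (0 (alloc) → 1 → 2 (free) → 3 → 4 → 5 (use), and 0 → 1 → 2 → 3 → 7 → 8 → 5); the other input traces are constructed. The exact definitions are assumptions: the prefix metric counts how many leading targets of the bug trace the input covers in order (as a subsequence of its trace), the bag metric counts distinct targets covered anywhere, seeds are ranked by prefix first with bag as the tie-breaker, and an input is "potential" (sent to the triager) only when its prefix equals the full length of the bug trace.

```python
# Bug trace from the slide: target locations 0 (alloc) -> 1 -> 2 (free) -> 3 -> 4 -> 5 (use).
BUG_TRACE = [0, 1, 2, 3, 4, 5]

# Executed traces of fuzzed inputs (basic-block ids).  s1 is the trace shown on the
# slide; s2..s4 are constructed for this example.
INPUT_TRACES = {
    "s1": [0, 1, 2, 3, 7, 8, 5],   # covers 0..3 in order, then skips 4
    "s2": [0, 1, 2, 5],            # reaches the use location without 3 and 4
    "s3": [0, 1, 2, 3, 4, 5],      # covers the whole bug trace in sequence
    "s4": [2, 0, 1, 3, 4, 5],      # touches every target, but free comes before alloc
}


def prefix_metric(trace, bug_trace):
    """Number of leading targets of bug_trace covered in order (as a subsequence of trace)."""
    pos = 0
    for loc in trace:
        if pos < len(bug_trace) and loc == bug_trace[pos]:
            pos += 1
    return pos


def bag_metric(trace, bug_trace):
    """Number of distinct targets covered anywhere in trace, ignoring order."""
    return len(set(trace) & set(bug_trace))


def target_similarity(trace, bug_trace):
    """Combined metric: prefix first (more precise), bag breaks ties (whole trace)."""
    return (prefix_metric(trace, bug_trace), bag_metric(trace, bug_trace))


def max_reaching_seeds(traces, bug_trace):
    """Seeds with the highest similarity so far: the ones selected more often for mutation."""
    best = max(target_similarity(t, bug_trace) for t in traces.values())
    return [name for name, t in traces.items() if target_similarity(t, bug_trace) == best]


def is_potential(trace, bug_trace):
    """Potential input: covers every target location of the bug trace in sequence."""
    return prefix_metric(trace, bug_trace) == len(bug_trace)


def pre_filter(traces, bug_trace):
    """Only potential inputs go to the (expensive) bug triager; the rest are discarded."""
    return [name for name, t in traces.items() if is_potential(t, bug_trace)]


if __name__ == "__main__":
    for name, t in INPUT_TRACES.items():
        print(name, t, "similarity:", target_similarity(t, BUG_TRACE),
              "potential:", is_potential(t, BUG_TRACE))
    print("max-reaching seeds:", max_reaching_seeds(INPUT_TRACES, BUG_TRACE))
    print("sent to triager:", pre_filter(INPUT_TRACES, BUG_TRACE))
```

Input s4 shows why the pre-filter relies on the prefix metric rather than the bag: its bag value is the maximum (all six targets touched), yet the free location is hit before the alloc, so it cannot have triggered the UAF and is safely discarded without running a sanitizer on it.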
Implementation
AFL-QEMU
Support more open-source binary disassemblers