fuzzification anti fuzzing techniques
play

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David - PowerPoint PPT Presentation

Jun 04, 2023 •476 likes •1.13k views

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim * 1 Fuzzing Discovers Many Vulnerabilities 2 Fuzzing Discovers Many Vulnerabilities 3 Testers Find Bugs with Fuzzing

  1. FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim * 1

  2. Fuzzing Discovers Many Vulnerabilities 2

  3. Fuzzing Discovers Many Vulnerabilities 3

  4. Testers Find Bugs with Fuzzing Detected bugs Normal users Compilation Released Source binary Testers Compilation Distribution Fuzzing 4

  5. But Attackers Also Find Bugs Detected bugs Normal users Compilation Attackers Released Source binary Testers Compilation Distribution Fuzzing 5

  6. Our work: Make the Fuzzing Only Effective to the Testers Detected bugs Normal users ? Fuzzification Fortified binary Attackers Source Compilation Testers Binary Compilation Distribution Fuzzing 6

  7. Threat Model Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Testers Binary Compilation Distribution Fuzzing 7

  8. Threat Model Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Testers Binary Compilation Distribution Fuzzing Adversaries try to find vulnerabilities from fuzzing 8

  9. Threat Model Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Testers Binary Compilation Distribution Fuzzing Adversaries only have a copy of fortified binary 9

  10. Threat Model Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Testers Binary Compilation Distribution Fuzzing Adversaries know Fuzzification and try to nullify 10

  11. Research Goals Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Testers Binary Compilation Distribution Fuzzing 11

  12. Research Goals Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Testers Binary Compilation Distribution Fuzzing Hinder Fuzzing Reduce the number of detected bugs 12

  13. Research Goals Detected bugs Normal users AFL HonggFuzz Fuzzification QSym Fortified VUzzer binary Attackers … Source Compilation Testers Binary Compilation Distribution Fuzzing Generic Affect most of the fuzzers 13

  14. Research Goals Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Testers Binary Compilation Distribution Fuzzing Low overhead to normal user Overhead High overhead to attackers 14

  15. Research Goals Detected bugs Normal users Fuzzification Fortified Fortified binary binary Attackers Source Compilation Testers Binary Compilation Distribution Fuzzing Resilient to the adversarial analysis Resiliency 15

  16. Why Existing Methods Are Not Applicable? Generic to Low Resilient to Method most fuzzers overhead adversary Packing or obfuscation O X O 16

  17. Why Existing Methods Are Not Applicable? Generic to Low Resilient to Method most fuzzers overhead adversary Packing or obfuscation O X O Bug injection O O X 17

  18. Why Existing Methods Are Not Applicable? Generic to Low Resilient to Method most fuzzers overhead adversary Packing or obfuscation O X O Bug injection O O X Fuzzer detection X O X 18

  19. Why Existing Methods Are Not Applicable? Generic to Low Resilient to Method most fuzzers overhead adversary Packing or obfuscation O X O Bug injection O O X Fuzzer detection X O X Emulator detection X O X 19

  20. Why Existing Methods Are Not Applicable? Generic to Low Resilient to Method most fuzzers overhead adversary Packing or obfuscation O X O Bug injection O O X Fuzzer detection X O X Emulator detection X O X Fuzzification O O O 20

  21. Fuzzification Hinders Advanced Features • Fast execution Parallel execution H/W • Coverage-guidance feature Fork • Hybrid approach server 21

  22. Fuzzification Hinders Advanced Features SpeedBump • Fast execution Parallel execution H/W • Coverage-guidance feature Fork • Hybrid approach server 22

  23. Fuzzification Hinders Advanced Features Coverage • Fast execution Parallel execution H/W • Coverage-guidance feature Fork • Hybrid approach server 23

  24. Fuzzification Hinders Advanced Features Coverage • Fast execution Parallel execution H/W • Coverage-guidance feature BranchTrap Fork • Hybrid approach server 24

  25. Fuzzification Hinders Advanced Features Coverage • Fast execution Parallel execution H/W • Coverage-guidance feature Queue Fork • Hybrid approach server Symbolic execution Dynamic taint analysis 25

  26. Fuzzification Hinders Advanced Features Coverage • Fast execution Parallel execution H/W • Coverage-guidance Anti-Hybrid feature Queue Fork • Hybrid approach server Symbolic execution Dynamic taint analysis 26

  27. SpeedBump: Selective Delay Injection Basic block 27

  28. SpeedBump: Selective Delay Injection • Identify frequently and rarely visited paths Basic block Rarely visited path Frequently visited path 28

  29. SpeedBump: Selective Delay Injection • Identify frequently and rarely visited paths 1 • Inject delays from the most rarely visited edges 2 Basic block Rarely visited path Frequently visited path 29

  30. SpeedBump: Selective Delay Injection • Why this is effective? ▫ User: follows common paths ▫ Attacker: searches for new paths 1 ➔ Impact of delay is more significant to attackers 2 Basic block Rarely visited path Frequently visited path 30

  31. SpeedBump: How to delay? • Strawman: using sleep() ➔ trivially removed by adversary 31

  32. SpeedBump: How to delay? • Strawman: using sleep() ➔ trivially removed by adversary • Counter to advanced adversary ▫ Use randomly generated code ➔ avoid static-pattern 32

  33. SpeedBump: How to delay? • Strawman: using sleep() ➔ trivially removed by adversary • Counter to advanced adversary ▫ Use randomly generated code ➔ avoid static-pattern ▫ Impose control-flow and data-flow dependency ➔ avoid automated analysis 33

  34. SpeedBump: Selective Delay Injection int rarely_executed_code () { return 0; } 34

  35. SpeedBump: Selective Delay Injection int rarely_executed_code () { return 0; } //define global variables int global1 = 1; int global2 = 2; int rarely_executed_code () { //inject delay function int pass = 20; global2 = func (pass); return 0; } 35

  36. SpeedBump: Selective Delay Injection int rarely_executed_code () { int func (int p6) { return 0; int local1[10]; } // affect global1 variable global1 = 45; int local2 = global1; //define global variables for (int i = 0; i < 1000; i++) int global1 = 1; // affect local1 variable int global2 = 2; local1[i] = p6 + local2 + i; int rarely_executed_code () // affect global2 variable { return local1[5]; //inject delay function } int pass = 20; global2 = func (pass); return 0; } 36

  37. BranchTrap Hinders Coverage Management Coverage • Fast execution Parallel execution H/W • Coverage-guidance feature Queue Fork • Hybrid approach server Symbolic execution Dynamic taint analysis 37

  38. BranchTrap#1: Fabricates Input-sensitive Paths “AAAA” 1 2 3 Coverage #1 38

  39. BranchTrap#1: Fabricates Input-sensitive Paths “AAAB” “AAAA” 1 2 3 Coverage #1 Coverage #2 39

  40. BranchTrap#1: Fabricates Input-sensitive Paths “AAAA” “AAAB” “AAAA” 1 1 BranchTrap 2 2 3 3 Coverage #1 Coverage #2 Coverage #1 40

  41. BranchTrap#1: Fabricates Input-sensitive Paths “AAAB” “AAAA” “AAAB” “AAAA” 1 1 BranchTrap 2 2 3 3 Coverage #1 Coverage #2 Coverage #1 Coverage #2 41

  42. BranchTrap#1: ROP-based Fake Paths Generation Func1 ( arg1 , arg2 ) Caller call Func1 next inst Original epilogue pop rbp pop r15 ret 42

  43. BranchTrap#1: ROP-based Fake Paths Generation Code Func1 ( arg1 , arg2 ) snippet 1 pop rbp pop r15 ret Caller Code call Func1 snippet 2 next inst pop rbp pop r15 Original ret epilogue … pop rbp pop r15 Code ret snippet N … 43

  44. BranchTrap#1: ROP-based Fake Paths Generation Code Func1 ( arg1 , arg2 ) snippet 1 pop rbp ① pop r15 ② index = arg1 ^ arg2 ret Caller Code call Func1 snippet 2 next inst pop rbp pop r15 Original ret epilogue … pop rbp pop r15 Code ret snippet N … 44

  45. BranchTrap#1: ROP-based Fake Paths Generation Code Func1 ( arg1 , arg2 ) snippet 1 pop rbp ① pop r15 ② index = arg1 ^ arg2 ret Caller ③ ④ Code jmp table [index] call Func1 snippet 2 next inst pop rbp pop r15 Original ret epilogue … pop rbp pop r15 Code ret snippet N … 45

  46. BranchTrap#1: ROP-based Fake Paths Generation Code Func1 ( arg1 , arg2 ) snippet 1 pop rbp ① pop r15 ② index = arg1 ^ arg2 ret Caller ③ ④ Code jmp table [index] call Func1 snippet 2 next inst pop rbp pop r15 ⑤ Original ret epilogue … pop rbp pop r15 Code ret snippet N … 46

  47. BranchTrap#2: Saturate Feedback State • One-time visit makes effect 1 • BranchTrap: 2 ▫ Saturates bitmap data ▫ Prevents coverage recording 3 47

  48. AntiHybrid Hinders Hybrid Fuzzing Coverage • Fast execution Parallel execution H/W • Coverage-guidance feature Queue Fork • Hybrid approach server Symbolic execution Dynamic taint analysis 48

Recommend

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk

Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk

Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk WarCon 2016, Warsaw PS&gt; whoami Project Zero @ Google Part time developer and frequent user of the fuzzing infrastructure. Dragon Sector CTF

2.26k views • 184 slides
Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk Black

Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk Black

Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk Black Hat Europe 2016, London PS&gt; whoami Project Zero @ Google Part time developer and frequent user of the fuzzing infrastructure. Dragon

1.57k views • 133 slides
anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an

anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an

anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an executable 2 anti-virus techniques last time: signature-based detection regular expression-like matching snippets of virus(-like) code heuristic

1.79k views • 139 slides
Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and

Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and

Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and Windows Servers About the presentation Whoami Introduction 0days and the rush for public vulnerabilities And Advanced fuzzing techniques

432 views • 31 slides
Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate

Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate

Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate School What is Anti-Forensics? Computer Forensics: Scientific Knowledge for collecting, analyzing, and presenting evidence to the courts

322 views • 15 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Self-Protection Strategies Tunneling, Armored, and Retro Viruses CS4400/7440 Anti-anti-virus

Self-Protection Strategies Tunneling, Armored, and Retro Viruses CS4400/7440 Anti-anti-virus

Self-Protection Strategies Tunneling, Armored, and Retro Viruses CS4400/7440 Anti-anti-virus Techniques } Virus writers have devised numerous methods of resisting anti-virus software and making life difficult for anti-virus researchers }

554 views • 53 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&amp;D firstname dot lastname at orange-ftgroup dot com research &amp; development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
From Fuzzification and Resulting Formalism: Idea K -Vectors Towards K -Covectors Intervalization

From Fuzzification and Resulting Formalism: Idea K -Vectors Towards K -Covectors Intervalization

Physics: 5D Geometry . . . The Physical Model is . . . Geometry Needed Natural Idea and Its . . . What We Suggest From Fuzzification and Resulting Formalism: Idea K -Vectors Towards K -Covectors Intervalization to K -Covectors K -Tensors:

294 views • 18 slides
Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques

Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques

Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques Siegfried Rasthofer, Steven Arzt, Marc Miltenberger, Eric Bodden SECURE SOFTWARE ENGINEERING GROUP 2 This we would still hope for @Override

589 views • 20 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction Fuzzing Media Content in Android Data Generation Fuzzing the Stagefright Framework Logging &amp; Triage Mechanisms 2 Introduction Fuzzing

1.12k views • 38 slides
NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein, Junfeng Yang, Baishakhi Ray, and Suman Jana Columbia University 1 Fuzzing: a popular way to uncover bugs [Liang et al. 2019] 2 Evolutionary Fuzzing

1.02k views • 26 slides
ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma background What is fuzzing: feed random inputs to trigger as many crashes and hangs as possible What is state-of-the-art of fuzzing research:

494 views • 18 slides
Adventures in Fuzzing Instruction Selection EuroLLVM 2017 Justin Bogner 1 Overview

Adventures in Fuzzing Instruction Selection EuroLLVM 2017 Justin Bogner 1 Overview

Adventures in Fuzzing Instruction Selection EuroLLVM 2017 Justin Bogner 1 Overview Hardening instruction selection using fuzzers Motivated by Global ISel Leveraging libFuzzer to find backend bugs Techniques applicable to

835 views • 41 slides
No source? No problem! High speed binary fuzzing Nspace &amp; @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace &amp; @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace &amp; @gannimo About this talk Fuzzing binaries is hard! Few tools, complex setup Fuzzing binaries in the kernel is even harder! New approach based on static rewriting High

488 views • 46 slides
Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li, Bihuan Chen, Xiaofei Xie, Xiuheng Wu, Yang Liu October 18, 2018 1 Mutation Based Grey-box Fuzzing General-purpose Grey-box Fuzzing: Cover more

476 views • 33 slides
To The Next (DOM) Level (or How to leverage on W3C specifications to unleash a can of worms

To The Next (DOM) Level (or How to leverage on W3C specifications to unleash a can of worms

Taking Browsers Fuzzing To The Next (DOM) Level (or How to leverage on W3C specifications to unleash a can of worms ) Rosario Valotta Agenda Browser fuzzing: state of the art Memory corruption bugs: an overview Fuzzing

792 views • 40 slides

More recommend