modern fuzzing of media processing projects
play

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 - PowerPoint PPT Presentation

Jun 14, 2023 •357 likes •551 views

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

  1. Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017

  2. Agenda ● Fuzzing ○ what is fuzzing, why fuzz, fuzzing types ● How to fuzz ○ fuzz target, fuzzing engine, libFuzzer ● Media processing as a target ○ motivation, scary stories ● OSS-Fuzz ○ Fuzzing-as-a-Service for Open Source Software 2

  3. What is Fuzzing ● Somehow generate a test input ● Feed it to the code under test ● Repeat 3

  4. Why Fuzz ● Bugs specific to C/C++ that require the sanitizers to catch: ○ Use-after-free, buffer overflows, Uses of uninitialized memory, Memory leaks ● Arithmetic bugs: ○ Div-by-zero, Int/float overflows, bitwise shifts by invalid amount ● Plain crashes: ○ NULL dereferences, Uncaught exceptions ● Concurrency bugs: ○ Data races, Deadlocks ● Resource usage bugs: ○ Memory exhaustion, hangs or infinite loops, infinite recursion (stack overflows) ● Logical bugs: ○ Discrepancies between two implementations of the same protocol (example) ○ Assertion failures ● Timeouts and Out-Of-Memory are BUGS (*in most of the cases) ○ And super bad for fuzzing 4

  5. Fuzzing Types ● Generation-based fuzzing ○ Usually a target-specific grammar-based generator ● Mutation-based fuzzing ○ Acquire a corpus of test inputs ○ Apply random mutations to the inputs ● Guided mutation-based fuzzing ○ Execute mutations with coverage instrumentation ○ If new coverage is observed the mutation is permanently added to the corpus 5

  6. Fuzz Target bool TargetAPI(const uint8_t* Data, size_t Size) { bool Result = false; if (Size >= 3) { Result = Data[0] == 'F' && Data[1] == 'U' && Data[2] == 'Z' && Data[3] == 'Z'; } return Result; } extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) { TargetAPI(Data, Size); return 0; } 6

  7. libFuzzer - an engine for guided in-process fuzzing ● libFuzzer: a library; provides main() ● Build your target code with extra compiler flags ● Link your target with libFuzzer ● Pass a directory with the initial test corpus and run % clang++ -g my-code.cc libFuzzer.a -o my-fuzzer \ -fsanitize=address -fsanitize-coverage=trace-pc-guard % ./my-fuzzer MY_TEST_CORPUS_DIR 7

  8. Media is a great target to Fuzz [1 / 2] ● Lots of code working with raw pointers 8

  9. Media is a great target to Fuzz [2 / 2] ● Being used everywhere ○ Video hosting services ○ Media players ○ Mobile devices ○ Embedded entertainment systems ■ In planes ■ In cars ■ In space? :) ○ etc. Example: GStreamer in the living room and in outer space , FOSDEM 2015 9

  10. Recent security breaches ● FFmpeg and a thousand fixes, Jan 2014 ● Stagefright, Apr 2015 ● Viral Video, Nov 2015 ● ImageTragick, Apr 2016 ● A scriptless 0day exploit against Linux desktops, Nov 2016 10

  11. Present Perfect → Present Continuous ● “The project X has been fuzzed, hence it is somewhat secure” ● False: ○ Bug discovery techniques evolve ○ The project X evolves ○ Fuzzing is CPU intensive and needs time to find bugs ● “The project X is being continuously fuzzed, the code coverage is monitored.” ○ Much better! Case Study from OSS-Fuzz : CVE-2017-3732 took more than 1 CPU year to find 11

  12. OSS-Fuzz: Fuzzing-as-a-Service ● Based on ClusterFuzz, the fuzzing backend used for fuzzing Chrome components ○ Supported engines: libFuzzer, AFL, Radamsa, … ● Thousands of CPU cores for free ● https://github.com/google/oss-fuzz ○ 55+ projects ■ 180+ fuzz targets ○ 450+ bugs (~150 vulnerabilities) ■ 320+ fixed 12

  13. Bug Report sample [1 / 2] ● Filed automatically: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=151 13

  14. Bug Report sample [2 / 2] ● Verified automatically: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=151 14

  15. Fuzzer Stats Dashboard 15

  16. Coverage Report 16

  17. Performance Analysis 17

  18. Fuzz Targets examples ● Chromium: https://cs.chromium.org/search/?q=file:.*media.*fuzzer.*+package: %5Echromium$&type=cs ● OSS-Fuzz: https://git.ffmpeg.org/gitweb/ffmpeg.git/blob_plain/HEAD:/tools/targ et_dec_fuzzer.c ● Thousands of random examples: https://github.com/search?l=C%2B%2B&q=%22LLVMFuzzerTest OneInput%22&ref=searchresults&type=Code&utf8=%E2%9C%93 18

  19. Q & A Useful links: ● OSS-Fuzz project ● libFuzzer.info ● tutorial.libFuzzer.info ● libFuzzer workshop ○ Live at BSidesMunich’2017 on 3rd of April Contacts: ● mmoroz@chromium.org ● twitter.com/Dor3s ● github.com/Dor1s 19

Recommend

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction Fuzzing Media Content in Android Data Generation Fuzzing the Stagefright Framework Logging & Triage Mechanisms 2 Introduction Fuzzing

1.12k views • 38 slides
Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Her Special thanks Robert Haist, DCSO Victor Julien, lead developer suricata,

598 views • 29 slides
File format fuzzing in Android: Giving Stagefright to the Android installer Alexandru Blanda

File format fuzzing in Android: Giving Stagefright to the Android installer Alexandru Blanda

File format fuzzing in Android: Giving Stagefright to the Android installer Alexandru Blanda Intel OTC Security SQE Agenda File format fuzzing in Android Fuzzing the Stagefright media framework Fuzzing the Android application

614 views • 40 slides
Media redirection for Spice remote computing solution Optimizing media stream processing for

Media redirection for Spice remote computing solution Optimizing media stream processing for

Media redirection for Spice remote computing solution Optimizing media stream processing for media players and VoIP clients in virtual desktop infrastructures Lyakhov F.A., Mazur E.S., Kuzin A.M., Semenov S.K. 1 Common media processing

599 views • 17 slides
Structure-aware fuzzing for real-world projects Rka Kovcs Etvs Lornd University,

Structure-aware fuzzing for real-world projects Rka Kovcs Etvs Lornd University,

Structure-aware fuzzing for real-world projects Rka Kovcs Etvs Lornd University, Hungary rekanikolett@gmail.com 1 Overview tutorial, no groundbreaking discoveries Motivation growing code size -> growing number of bugs

387 views • 27 slides
Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference Valentin Mans 1 , Soomin Kim 2

Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference Valentin Mans 1 , Soomin Kim 2

Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference Valentin Mans 1 , Soomin Kim 2 , Sang Kil Cha 2 1 CSRC, KAIST 2 KAIST The Success of Grey-box Fuzzing OSS-Fuzz has found over 20,000 bugs in 300 open source projects.

458 views • 24 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Research on Ultra Low Power SoC for Media Processing SoC for Media Processing August 1, 2011 g

Research on Ultra Low Power SoC for Media Processing SoC for Media Processing August 1, 2011 g

Research on Ultra Low Power SoC for Media Processing SoC for Media Processing August 1, 2011 g , S t Satoshi Goto hi G t Waseda University y ISLPED2011 1 Multimedia Applications in Ambient Multimedia Applications in Ambient Society

1.08k views • 63 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&D firstname dot lastname at orange-ftgroup dot com research & development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
Imagine: Media Processing with Streams Brucek Khailany et al. and a little bit of Evaluating

Imagine: Media Processing with Streams Brucek Khailany et al. and a little bit of Evaluating

Imagine: Media Processing with Streams Brucek Khailany et al. and a little bit of Evaluating the Imagine Stream Architecture Jung Ho Ahn et al. Presented by Dan Amelang Background Digital media processing has become pervasive

177 views • 14 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise and purify our thoughts like a strain picture, or a passage from the grander poets. It always does one good. 5 MODERN 6 MODERN 7 MODERN 8

524 views • 24 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein, Junfeng Yang, Baishakhi Ray, and Suman Jana Columbia University 1 Fuzzing: a popular way to uncover bugs [Liang et al. 2019] 2 Evolutionary Fuzzing

1.02k views • 26 slides
ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma background What is fuzzing: feed random inputs to trigger as many crashes and hangs as possible What is state-of-the-art of fuzzing research:

494 views • 18 slides
FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim * 1 Fuzzing Discovers Many Vulnerabilities 2 Fuzzing Discovers Many Vulnerabilities 3 Testers Find Bugs with Fuzzing

1.13k views • 65 slides
1 Previously, we looked at random tes.ng, or fuzzing, as

1 Previously, we looked at random tes.ng, or fuzzing, as

{HEADSHOT} Wri.ng and maintaining tests is a tedious and error-prone process. Modern technology has come a long way to help automate parts of

619 views • 50 slides
No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk Fuzzing binaries is hard! Few tools, complex setup Fuzzing binaries in the kernel is even harder! New approach based on static rewriting High

488 views • 46 slides
Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li, Bihuan Chen, Xiaofei Xie, Xiuheng Wu, Yang Liu October 18, 2018 1 Mutation Based Grey-box Fuzzing General-purpose Grey-box Fuzzing: Cover more

476 views • 33 slides
To The Next (DOM) Level (or How to leverage on W3C specifications to unleash a can of worms

To The Next (DOM) Level (or How to leverage on W3C specifications to unleash a can of worms

Taking Browsers Fuzzing To The Next (DOM) Level (or How to leverage on W3C specifications to unleash a can of worms ) Rosario Valotta Agenda Browser fuzzing: state of the art Memory corruption bugs: an overview Fuzzing

792 views • 40 slides

More recommend