no source no problem
play

No source? No problem! High speed binary fuzzing Nspace & - PowerPoint PPT Presentation

Oct 25, 2022 •28 likes •488 views

No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk Fuzzing binaries is hard! Few tools, complex setup Fuzzing binaries in the kernel is even harder! New approach based on static rewriting High

  1. No source? No problem! High speed binary fuzzing Nspace & @gannimo

  2. About this talk ● Fuzzing binaries is hard! ◦ Few tools, complex setup ● Fuzzing binaries in the kernel is even harder! ● New approach based on static rewriting High Speed Binary Fuzzing - HexHive - 36C3 2

  3. Kernel + ≈ 100M LoC Libc Desktop High Speed Binary Fuzzing - HexHive - 36C3 3

  4. Fuzzing 101 OK Bug! Input generation Target High Speed Binary Fuzzing - HexHive - 36C3 4

  5. Efgective fuzzing 101 ● Test cases must trigger bugs ◦ Coverage-guided fuzzing ● The fuzzer must detect bugs ◦ Sanitization ● Speed is key (zero sum game)! High Speed Binary Fuzzing - HexHive - 36C3 5

  6. Fuzzing with source code ● Add instrumentation at compile time ● Short snippets of code for coverage tracking, sanitization, ... Instrumented Compiler Source code binary Coverage tracking, sanitization, ... High Speed Binary Fuzzing - HexHive - 36C3 6

  7. Application Application Libraries Source No source Kernel Drivers High Speed Binary Fuzzing - HexHive - 36C3 7

  8. Rewriting binaries ● Approach 0: black box fuzzing ● Approach 1: rewrite dynamically ◦ Translate target at runtime ◦ Terrible performance (10-100x slower) ● Approach 2: rewrite statically ◦ More complex analysis ◦ ...but much better performance! High Speed Binary Fuzzing - HexHive - 36C3 8

  9. Static rewriting challenges ● Simply adding code breaks the target mov [rax + rbx*8], rdi mov [rax + rbx*8], rdi < n e w c o d e > dec rbx dec rbx jnz -7 jnz -7 ● Need to fjnd all references and adjust them High Speed Binary Fuzzing - HexHive - 36C3 9

  10. Static rewriting challenges ● Scalars and references are indistinguishable ◦ Getting it wrong breaks the target m o v [ r b p - 0 x 8 ] , 0 x 4 0 0 a a e ? l o n g ( * f o o ) ( l o n g ) = & b a r ; l o n g f o o = 0 x 4 0 0 a a e ; High Speed Binary Fuzzing - HexHive - 36C3 10

  11. Instrumenting binaries in the kernel Sanitization Coverage-guided fuzzing Instrumenting binaries High Speed Binary Fuzzing - HexHive - 36C3 11

  12. Instrumenting binaries in the kernel Sanitization Coverage-guided fuzzing Instrumenting binaries High Speed Binary Fuzzing - HexHive - 36C3 12

  13. RetroWrite [Oakland ‘20] ● System for static binary instrumentation ● Symbolized assembly fjles easy to instrument ● Implements coverage tracking and binary ASan High Speed Binary Fuzzing - HexHive - 36C3 13

  14. Position-independent code ● Code that can be loaded at any address ● Required for: ASLR, shared libraries ● Cannot use hardcoded static addresses ◦ Must use relative addressing instead High Speed Binary Fuzzing - HexHive - 36C3 14

  15. Position-independent code ● On x86_64, PIC leverages RIP-relative addressing ◦ l e a r a x , [ r i p + 0 x 1 2 3 4 ] ● Distinguish references from constants in PIE binaries ◦ RIP-relative = reference, everything else = constant High Speed Binary Fuzzing - HexHive - 36C3 15

  16. Symbolization ● Symbolization replaces references with assembler labels lea rax, [rip + 0x1234] call 0x1337 dec rcx jnz -15 High Speed Binary Fuzzing - HexHive - 36C3 16

  17. Symbolization ● Symbolization replaces references with assembler labels loop1: lea rax, [rip + 0x1234] call func1 1) Relative jumps/calls dec rcx jnz loop1 High Speed Binary Fuzzing - HexHive - 36C3 17

  18. Symbolization ● Symbolization replaces references with assembler labels loop1: lea rax, [data1] call func1 1) Relative jumps/calls dec rcx 2) PC-relative addresses jnz loop1 High Speed Binary Fuzzing - HexHive - 36C3 18

  19. Symbolization ● Symbolization replaces references with assembler labels loop1: lea rax, [data1] call func1 1) Relative jumps/calls dec rcx 2) PC-relative addresses jnz loop1 3) Data relocations High Speed Binary Fuzzing - HexHive - 36C3 19

  20. Symbolization ● Symbolization replaces references with assembler labels loop1: lea rax, [data1] < n e w c o d e > 1) Relative jumps/calls call func1 2) PC-relative addresses dec rcx 3) Data relocations jnz loop1 High Speed Binary Fuzzing - HexHive - 36C3 20

  21. Instrumenting binaries in the kernel Sanitization Coverage-guided fuzzing Instrumenting binaries High Speed Binary Fuzzing - HexHive - 36C3 21

  22. Coverage-guided fuzzing ● Record test coverage (e.g. input[0] == ‘P’ with instrumentation) input[1] == ‘N’ ● Inputs that trigger new paths are “interesting” input[2] == ‘G’ ● Mutate interesting inputs to do_something() fail() discover new paths High Speed Binary Fuzzing - HexHive - 36C3 22

  23. Coverage-guided fuzzing https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html High Speed Binary Fuzzing - HexHive - 36C3 23

  24. Instrumenting binaries in the kernel Sanitization Coverage-guided fuzzing Instrumenting binaries High Speed Binary Fuzzing - HexHive - 36C3 24

  25. Address Sanitizer (ASan) ● Instrumentation catches memory corruption at runtime ◦ Arguably most dangerous class of bugs ● Very popular sanitizer ◦ Thousands of bugs in Chrome and Linux ● About 2x slowdown High Speed Binary Fuzzing - HexHive - 36C3 25

  26. ASan red zones Red zone char buf[4]; buf strcpy (buf, “AAAAA”); Red zone High Speed Binary Fuzzing - HexHive - 36C3 26

  27. Instrumenting binaries in the kernel Sanitization Coverage-guided fuzzing Instrumenting binaries High Speed Binary Fuzzing - HexHive - 36C3 27

  28. RetroWrite instrumentation ● Coverage tracking: instrument basic block starts ● Binary ASan: instrument all memory accesses, link with libASan High Speed Binary Fuzzing - HexHive - 36C3 28

  29. Kernel vs. userspace fuzzing Crash Tooling Determinism handling OS handles Single-threaded Easy to use and Userspace crashes code usually widely available gracefully deterministic Need VM to keep More complex Interrupts, many Kernel the system setup, fewer concurrent stable tools threads High Speed Binary Fuzzing - HexHive - 36C3 29

  30. Kernel binary fuzzing ● Approach 0: black box fuzzing ● Approach 1: dynamic translation ◦ Slow! (10x +) ◦ No sanitization like ASan ● Approach 2: Intel Processor Trace (or similar) ◦ Requires hardware support ◦ Still no sanitization ● Approach 3: static rewriting High Speed Binary Fuzzing - HexHive - 36C3 30

  31. kRetroWrite ● Apply RetroWrite to the kernel ● Implemented so far: support for Linux modules ● Demonstrates that RetroWrite applies to the kernel High Speed Binary Fuzzing - HexHive - 36C3 31

  32. kRetroWrite ● Kernel modules are always position-independent ● Linux modules are ELF fjles ◦ Reuse RetroWrite’s symbolizer ● Implemented code coverage and binary ASan High Speed Binary Fuzzing - HexHive - 36C3 32

  33. kRetroWrite coverage ● Idea: use kCov infrastructure ◦ Can interoperate with source-based kCov ● Call coverage collector at the start of each basic block ● Integrates with, e.g., syzkaller, or debugfs High Speed Binary Fuzzing - HexHive - 36C3 33

  34. kRetroWrite coverage cmp rbx, 1234 jz block1 mov [rax], rbx mov [rax], 1234 High Speed Binary Fuzzing - HexHive - 36C3 34

  35. kRetroWrite coverage c a l l t r a c e _ p c cmp rbx, 1234 jz block1 c a l l t r a c e _ p c c a l l t r a c e _ p c mov [rax], rbx mov [rax], 1234 High Speed Binary Fuzzing - HexHive - 36C3 35

  36. kRetroWrite binary ASan ● In userspace: link with libASan ● In kernel: build kernel with KASan (kernel ASan) ● Reuse modifjed userspace instrumentation pass High Speed Binary Fuzzing - HexHive - 36C3 36

  37. kRetroWrite binary ASan ● Instrument each memory access with a check ● Failed checks print a bug report ● Compatible with source-based kASan High Speed Binary Fuzzing - HexHive - 36C3 37

  38. Fuzzing with kRetroWrite ● Rewritten modules can be loaded and fuzzed with standard kernel fuzzers ● So far: tested with syzkaller High Speed Binary Fuzzing - HexHive - 36C3 38

  39. Instrumenting binaries in the kernel Sanitization Coverage-guided fuzzing Instrumenting binaries High Speed Binary Fuzzing - HexHive - 36C3 39

  40. Our experiments ● Userspace: SPEC2006 runtime performance ◦ RetroWrite ASan ◦ Source ASan ◦ Valgrind memcheck ● Kernel: fuzz fjlesystems/drivers with syzkaller ◦ Source KASan + kCov ◦ kRetroWrite KASan + kCov High Speed Binary Fuzzing - HexHive - 36C3 40

  41. Results - Userspace High Speed Binary Fuzzing - HexHive - 36C3 41

  42. Preliminary results - kernel Exec/s - BTRFS Source kRetroWrite High Speed Binary Fuzzing - HexHive - 36C3 42

  43. Demo

  44. Let’s test kRetroWrite on a fjlesystem High Speed Binary Fuzzing - HexHive - 36C3 44

  45. Instrumenting binaries in the kernel Sanitization Coverage-guided fuzzing Instrumenting binaries High Speed Binary Fuzzing - HexHive - 36C3 45

Recommend

Source:

Source:

We are Here Source: Max Pixel Source: David Dixon Source: Google Earth Source: Arpingstone Source: Lee Cannon Source: Richard Drdul Source: Nicolas Nova

467 views • 20 slides
THEIA GPU Open Source multicore programmable GPU Problem Statement Develop an open source 3D

THEIA GPU Open Source multicore programmable GPU Problem Statement Develop an open source 3D

THEIA GPU Open Source multicore programmable GPU Problem Statement Develop an open source 3D Graphic Processor (GPU). Develop a high level language to program the GPU. Provide all of the necessary tools, test-bench and regressions.

411 views • 18 slides
BFS and DFS Problem Solving Club Nov 2 2016 Breadth First Search (BFS) Review What is the

BFS and DFS Problem Solving Club Nov 2 2016 Breadth First Search (BFS) Review What is the

BFS and DFS Problem Solving Club Nov 2 2016 Breadth First Search (BFS) Review What is the main problem that BFS solves? Single Source Shortest Path (SSSP) on an unweighted graph - find shortest paths from a source vertex to all other

579 views • 6 slides
and Retrieval Source: H. Jegou Source: H. Jegou Source: H. Jegou Source: H. Jegou Source: H.

and Retrieval Source: H. Jegou Source: H. Jegou Source: H. Jegou Source: H. Jegou Source: H.

Semantic Image Indexing and Retrieval Source: H. Jegou Source: H. Jegou Source: H. Jegou Source: H. Jegou Source: H. Jegou Source: H. Jegou Source: H. Jegou Source: H. Jegou Outline State of the nation Early description methods

2.13k views • 130 slides
Increasing stability in the inverse source problem with attenuation and many frequencies Shuai

Increasing stability in the inverse source problem with attenuation and many frequencies Shuai

Introduction Increasing stability with attenuation Numerical algorithm for source identification Ongoing works Increasing stability in the inverse source problem with attenuation and many frequencies Shuai Lu (Fudan University) Joint work

825 views • 46 slides
The Bait &amp; Switch of Open Source Katrina Owen @kytrinyx GitHub an irresistible

The Bait &amp; Switch of Open Source Katrina Owen @kytrinyx GitHub an irresistible

The Bait &amp; Switch of Open Source Katrina Owen @kytrinyx GitHub an irresistible problem a perfect problem a perfect solution an irritating problem a tricky little hack a trivial problem annoying friction (irresistible)

1.33k views • 95 slides
Lecture 4 Matthieu Bloch 1 Source coding As shown in Fig. 1, the problem of source coding with

Lecture 4 Matthieu Bloch 1 Source coding As shown in Fig. 1, the problem of source coding with

1 Figure 1: Source coding with side information. assignments. can then analyze the probability of reconstruction error averaged over the set of all possible random sequences by assigning them a label drawn uniformly at random from a set of

456 views • 6 slides
Greedy algorithms Problem. Given a digraph G = ( V , E ) , edge lengths e 0 , source s

Greedy algorithms Problem. Given a digraph G = ( V , E ) , edge lengths e 0 , source s

Shortest-paths problem Greedy algorithms Problem. Given a digraph G = ( V , E ) , edge lengths e 0 , source s V , and destination t V , find the shortest directed path from s to t . Shortest paths in weighted graphs Tyler Moore

641 views • 6 slides
Source localization in electromyography: The Inverse Potential Problem Kees van den Doel Dept.

Source localization in electromyography: The Inverse Potential Problem Kees van den Doel Dept.

Source localization in electromyography: The Inverse Potential Problem Kees van den Doel Dept. of Computer Science, University of British Columbia, Vancouver, Canada with Uri Ascher, Dinesh Pai, Benjamin Gilles, Armin Curt, John Steeves

313 views • 15 slides
A Parallel Algorithm for the Single-Source Shortest Path Problem Kevin Kelley, Tao Schardl May

A Parallel Algorithm for the Single-Source Shortest Path Problem Kevin Kelley, Tao Schardl May

A Parallel Algorithm for the Single-Source Shortest Path Problem Kevin Kelley, Tao Schardl May 12, 2010 Outline The Problem Dijkstras Algorithm Gabows Scaling Algorithm Optimizing Gabow Parallelizing Gabow

342 views • 23 slides
Dijkstra s Algorithm Shortest Path Problem Directed graph G = (V , E) Source s l e = length

Dijkstra s Algorithm Shortest Path Problem Directed graph G = (V , E) Source s l e = length

Dijkstra s Algorithm Shortest Path Problem Directed graph G = (V , E) Source s l e = length of edge e l e 0 for all edges e Shortest path problem: (Google Maps!) find shortest path from s to all other nodes 1 a c 2 3 1 1 1 e

882 views • 18 slides
Individuals as Source of Social Order Marx The Problem How do humans achieve

Individuals as Source of Social Order Marx The Problem How do humans achieve

Individuals as Source of Social Order Marx The Problem How do humans achieve predictability (COORDINATION) overcome urge to self-serve (COOPERATION) In other words: what mechanisms lead to coordination and

561 views • 34 slides
February 27, 2013 Source: CBRE Source: CBRE Source: CBRE Source: CBRE Source: CBRE Miami

February 27, 2013 Source: CBRE Source: CBRE Source: CBRE Source: CBRE Source: CBRE Miami

MIAMI DADE INDUSTRIAL MARKET OVERVIEW February 27, 2013 Source: CBRE Source: CBRE Source: CBRE Source: CBRE Source: CBRE Miami Hialeah Infill $65/SF Total Space Available: 26,000 SF Rental Rate: $6 - $7.80 /SF/Year Min.

384 views • 14 slides
= k w ( p ) w v ( , v ) i 1 i Single Single- -destination shortest

= k w ( p ) w v ( , v ) i 1 i Single Single- -destination shortest

Single Single- -Source Shortest Paths Source Shortest Paths Single Single- -Source Shortest Paths Problem: Source Shortest Paths Problem: Given a Given a weighted graph ((G=( ((G=(V,E),w V,E),w), ), find a shortest path find a shortest

431 views • 4 slides
1. Invent Yourself source: www.dilbert.com Byung Hoon Cho New Zealand 2016 1 The Problem

1. Invent Yourself source: www.dilbert.com Byung Hoon Cho New Zealand 2016 1 The Problem

1. Invent Yourself source: www.dilbert.com Byung Hoon Cho New Zealand 2016 1 The Problem Truly random numbers are a very valuable and rare resource. Design, produce, and test a mechanical device for producing random numbers. Analyse to

1.06k views • 66 slides
1 Data Quality Issues Modeling Tools Most probabilistic record linkage DQ Problem :

1 Data Quality Issues Modeling Tools Most probabilistic record linkage DQ Problem :

Modeling Intruder behavior Partial Data Source 1 Pointers from Research on Data Confidentiality and Data Quality Partial Data Source 2 ? Re-identification Intruders model Prediction Ashish Sanil Partial Data Source m

409 views • 4 slides
The development sector has a problem Map of mHealth Pilots in Uganda Source: Sean Blaschke,

The development sector has a problem Map of mHealth Pilots in Uganda Source: Sean Blaschke,

The development sector has a problem Map of mHealth Pilots in Uganda Source: Sean Blaschke, Technology for Development Specialist at UNICEF Uganda ... and ICT4D has made it more visible The he increase crease i in t total al O

138 views • 13 slides
Byzantine Generals Problem August 26, 2019 source: Department of Homeland Security, Science &amp;

Byzantine Generals Problem August 26, 2019 source: Department of Homeland Security, Science &amp;

Byzantine Generals Problem August 26, 2019 source: Department of Homeland Security, Science &amp; Technology Directorate https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8202.pdf source: Department of Homeland Security, Science &amp; Technology

822 views • 60 slides
Source Coding with Lists and Rnyi Entropy or The Honey-Do Problem Amos Lapidoth ETH Zurich

Source Coding with Lists and Rnyi Entropy or The Honey-Do Problem Amos Lapidoth ETH Zurich

Source Coding with Lists and Rnyi Entropy or The Honey-Do Problem Amos Lapidoth ETH Zurich October 8, 2013 Joint work with Christoph Bunte. A Task from your Spouse Using a fixed number of bits, your spouse reminds you of one of the

770 views • 54 slides
Inverse Scattering Problems Chaiwoot Boonyasiriwat October 14, 2020 Direct Scattering Problem

Inverse Scattering Problems Chaiwoot Boonyasiriwat October 14, 2020 Direct Scattering Problem

Inverse Scattering Problems Chaiwoot Boonyasiriwat October 14, 2020 Direct Scattering Problem Given the velocity model c ( x ), the source locations x s , and the source function w ( t ), find the wave field u ( x , t ) that satisfies the

1.08k views • 29 slides
ASLR &amp; DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR &amp; DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR &amp; DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows Buffer overflows are the source of many of the common vulnerabilities in modern software Caused by not checking the source length when writing to a

1.88k views • 130 slides
Tier 1 Water Budget CTC SPC Meeting # 2/09 Agenda Item # 6.1 February 17, 2009 Gayle

Tier 1 Water Budget CTC SPC Meeting # 2/09 Agenda Item # 6.1 February 17, 2009 Gayle

CTC Source Protection Region CTC Source Protection Region CTC Source Protection Region CTC Source Protection Region www.ctcswp.ca CTC Source Protection Region CTC Source Protection Region CTC Source Protection Region CTC Source Protection

645 views • 48 slides
GUIDE : Prof. Amitabha Mukerjee Ankit Modi (10104) Chirag Gupta (10212) ? SOURCE TARGET S

GUIDE : Prof. Amitabha Mukerjee Ankit Modi (10104) Chirag Gupta (10212) ? SOURCE TARGET S

GUIDE : Prof. Amitabha Mukerjee Ankit Modi (10104) Chirag Gupta (10212) ? SOURCE TARGET S 1 , S 2 , S 3 ,...S n TARGET S j SOURCE S i S 1 , S 2 , S 3 ,...S n Problem ? Tackling information overload Problem ? Tackling

465 views • 21 slides
Algorithm Design An algorithm can be written out in pseudo code Then turned into source code

Algorithm Design An algorithm can be written out in pseudo code Then turned into source code

Algorithm Design An algorithm can be written out in pseudo code Then turned into source code Which is then compiled to machine code Problem Solving Algorithm: set of unambiguous instructions to solve a problem Breaking down a

459 views • 25 slides

More recommend