qs qsym ym a a p pract ctical con concol olic ex executi
play

QS QSYM YM : A : A P Pract ctical Con Concol olic Ex Executi - PowerPoint PPT Presentation

Jun 17, 2023 •387 likes •912 views

QS QSYM YM : A : A P Pract ctical Con Concol olic Ex Executi tion on En Engine Tailor ored for or Hyb Hybrid id F Fuzzin ing Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang , and Taesoo Kim Georgia Institute of Technology &

  1. QS QSYM YM : A : A P Pract ctical Con Concol olic Ex Executi tion on En Engine Tailor ored for or Hyb Hybrid id F Fuzzin ing Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang †, and Taesoo Kim Georgia Institute of Technology & Oregon State University † 27th USENIX Security Symposium August 16, 2018 1

  2. Two popular ways to find security bugs: Fuzzing & Concolic execution Fuzzing Symbolic Execution 2

  3. Fuzzing and Concolic execution have their own pros and cons • Fuzzing • Good: Finding general inputs • Bad: Finding specific inputs • Concolic execution • Good: Finding specific inputs • Bad: State explosion 3

  4. Hybrid fuzzing can address their problems • Use both techniques: Fuzzing + Concolic execution • Find specific inputs: Using concolic execution • Limit state explosion: Only fork at branches that are hard to fuzzing 4

  5. Hybrid fuzzing has achieved great success in small- scale study • e.g.) Driller: a state-of-the-art hybrid fuzzer • Won 3 rd place in CGC competition • Found 6 new crashes: cannot be found by fuzzing nor concolic execution 5

  6. However, current hybrid fuzzing suffers from problems to scale to real-world applications • Very slow to generate constraint • Cannot support complete system calls • Not effective in generating test cases 6

  7. Our system, QSYM, addresses these issues by introducing several key ideas • Discard intermediate layer for performance • Use concrete environment to support system calls • Introduce heuristics to effectively generate test cases 7

  8. QSYM is scalable to real-world software • 13 previously unknown bugs in open-source software • All applications are already fuzzed (OSS-Fuzz, AFL, …) • Including ffmpeg that is fuzzed by OSS-Fuzz for 2 years • Bugs are hard to pure fuzzing – require complex constraints 8

  9. Overview: Hybrid fuzzing in general t0 = GET:I32(ebp ) push ebp t1 = GET:I32(esp ) mov ebp, esp t2 = Sub32(t1,0x00000004) Program … … Basic block Intermediate Representations A[0] == ‘A’ Coverage && A[1] == ‘A’ && A[2] == ‘A’ … Constraints State forking Fuzzing Test cases 9

  10. Overview: Hybrid fuzzing in general t0 = GET:I32(ebp ) push ebp t1 = GET:I32(esp ) Performance mov ebp, esp t2 = Sub32(t1,0x00000004) overhead Program … … Basic block Intermediate Representations A[0] == ‘A’ Coverage && A[1] == ‘A’ && A[2] == ‘A’ … Constraints State forking Fuzzing Test cases 10

  11. Overview: QSYM 1. Instruction-level execution A[0] == ‘A’ push ebp && A[1] == ‘A’ mov ebp, esp && A[2] == ‘A’ Program … … Basic block Constraints Coverage Test cases Fuzzing 11

  12. Overview: Hybrid fuzzing in general t0 = GET:I32(ebp ) push ebp t1 = GET:I32(esp ) mov ebp, esp t2 = Sub32(t1,0x00000004) Program … … Basic block Intermediate Representations A[0] == ‘A’ Coverage && A[1] == ‘A’ && A[2] == ‘A’ … Constraints Incomplete State forking Fuzzing Test cases Environment modeling 12

  13. Overview: QSYM 1. Instruction-level execution 2. Concrete environment modeling A[0] == ‘A’ push ebp && A[1] == ‘A’ mov ebp, esp && A[2] == ‘A’ Program … … Basic block Constraints Coverage Test cases Fuzzing 13

  14. Overview: Hybrid fuzzing in general t0 = GET:I32(ebp ) push ebp t1 = GET:I32(esp ) mov ebp, esp t2 = Sub32(t1,0x00000004) Program … … Ineffective test case generation due to unsatisfiable paths Basic block Intermediate Representations A[0] == ‘A’ Coverage && A[1] == ‘A’ && A[2] == ‘A’ … Constraints State forking Fuzzing Test cases 14

  15. Overview: QSYM 1. Instruction-level execution 2. Concrete environment modeling A[0] == ‘A’ push ebp && A[1] == ‘A’ 3. Optimistic Solving mov ebp, esp && A[2] == ‘A’ Program … … Basic block Constraints Coverage Test cases Fuzzing 15

  16. Overview: Hybrid fuzzing in general t0 = GET:I32(ebp ) push ebp t1 = GET:I32(esp ) mov ebp, esp t2 = Sub32(t1,0x00000004) Program … Blocked … by complex logics Basic block Intermediate Representations A[0] == ‘A’ Coverage && A[1] == ‘A’ && A[2] == ‘A’ … Constraints State forking Fuzzing Test cases 16

  17. Overview: QSYM 1. Instruction-level execution 2. Concrete environment modeling A[0] == ‘A’ push ebp && A[1] == ‘A’ 3. Optimistic Solving mov ebp, esp && A[2] == ‘A’ Program … … Basic block Constraints 4. Basic block pruning Refer our paper Coverage Test cases Fuzzing 17

  18. Overview: Hybrid fuzzing in general t0 = GET:I32(ebp ) push ebp t1 = GET:I32(esp ) Performance mov ebp, esp t2 = Sub32(t1,0x00000004) overhead Program … … Basic block Intermediate Representations A[0] == ‘A’ Coverage && A[1] == ‘A’ && A[2] == ‘A’ … Constraints State forking Fuzzing Test cases 18

  19. Intermediate representations (IR) are good to make implementations easier • Provide architecture-independent interpretations • Can re-use code for all architectures • e.g. angr works on many architectures: x86, arm, and mips 19

  20. Problem1: IR incurs significant performance overhead • Increase the number of instructions • 4.7 times in VEX (IR used by angr) • Need to execute a whole basic block symbolically • Due to caching and optimization • Only 30% of instructions need to be symbolically executed 20

  21. Solution1: Execute instructions directly without using intermediate layer • Remove the IR translation layer • Pay for the implementation complexity 21

  22. QSYM reduces the number of instructions to execute symbolically • 126 CGC binaries 4x less 22

  23. Overview: Hybrid fuzzing in general t0 = GET:I32(ebp ) push ebp t1 = GET:I32(esp ) mov ebp, esp t2 = Sub32(t1,0x00000004) Program … … Basic block Intermediate Representations A[0] == ‘A’ Coverage && A[1] == ‘A’ && A[2] == ‘A’ … Constraints Incomplete State forking Fuzzing Test cases Environment modeling 23

  24. State forking can reduce re-execution overhead for constraint generation • No need to re-execute to reach the state • Recover from the snapshot 24

  25. State forking for kernel is non-trivial • State in concolic execution = Program state + Kernel state • Forking program state is trivial • Save application memory + register • Save constraints • Forking kernel state is non-trivial • Need to maintain all kernel data structures • e.g., file system, network state, memory system … 25

  26. Problem2: State forking introduces problems in either completeness or performance • Kernel modeling • e.g.) angr • Pros: Small performance overhead • Cons: Incompleteness – angr supports only 22 system calls in Linux • Full kernel emulation • e.g.) S2E • Pros: Completeness • Cons: Large performance overhead 26

  27. Solution2: Re-execute to use concrete environment instead of kernel state forking • Instead of state forking, re-execute from start • High re-execution overhead • Instruction-level execution • Basic block pruning • Limit constraint solving: Based on coverage from fuzzing 27

  28. Models minimal system calls and uses concrete values • Only model system calls that are relevant to user interactions • e.g.) standard input, file read, … • Other system calls: Call system call using concrete values • e.g.) mprotect(addr, sym_size , PROT_R) à mprotect(addr, conc_size , PROT_R) 28

  29. Problem: Concrete environment results in incomplete constraints • Add implicit constraints • e.g.) mprotect(addr, sym_size , PROT_R) à mprotect(addr, conc_size , PROT_R) • Without knowing semantics of system calls • Concretize: Over-constrained • Ignore: Under-constrained 29

  30. Unrelated constraint elimination can tolerate incomplete constraints x = int(input()) Constraints for x (Incomplete) y = int(input()) && y * y == 1337 * 1337 Path constraints # Incomplete constraints mprotect(addr, x, PROT_R) y * y == 1337 * 1337 if y * y == 1337 * 1337: Branch dependent constraints bug() x = Use concrete value y = 1337 30

  31. Overview: Hybrid fuzzing in general t0 = GET:I32(ebp ) push ebp t1 = GET:I32(esp ) mov ebp, esp t2 = Sub32(t1,0x00000004) Program … Ineffective test case generation … due to unsatisfiable paths Basic block Intermediate Representations A[0] == ‘A’ Coverage && A[1] == ‘A’ && A[2] == ‘A’ … Constraints State forking Fuzzing Test cases 31

  32. Problem3: Over-constrained paths results in no test cases type = int(input()) type = int(input()) if type == TYPE1: parse_TYPE1() type == TYPE1 type != TYPE1 … …. + long time if type == TYPE2: parse_TYPE2() type == TYPE2 Unsatisfiable: No test case 32

  33. Problem3: Over-constrained paths results in no test cases If these branches are independent type = int(input()) type = int(input()) if type == TYPE1: parse_TYPE1() type == TYPE1 type != TYPE1 … …. + long time if type == TYPE2: parse_TYPE2() type == TYPE2 33

  34. Solution3: Solve constraints optimistically type = int(input()) type = int(input()) if type == TYPE1: parse_TYPE1() type == TYPE1 type != TYPE1 … …. + long time if type == TYPE2: parse_TYPE2() type == TYPE2 34

Recommend

Pract ctical Cybersecu curity Ri Risk a and C Control Ma Maturi urity A y Asse ssessme

Pract ctical Cybersecu curity Ri Risk a and C Control Ma Maturi urity A y Asse ssessme

Pract ctical Cybersecu curity Ri Risk a and C Control Ma Maturi urity A y Asse ssessme ssments Brian Fricke, CISSP, CISM Chief Information Security Officer None of the data presented in this presentation represents the actual security

140 views • 13 slides
Practic Pra ctical al Experi perience ence to He o Help lp You our r Bu Busi siness

Practic Pra ctical al Experi perience ence to He o Help lp You our r Bu Busi siness

Reopening opening the e Wor orkplac kplace: e: Resour source ces, s, Be Best st Pra Practices, ctices, and Practic Pra ctical al Experi perience ence to He o Help lp You our r Bu Busi siness ness Th Thriv rive May 20,

389 views • 24 slides
QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang and Taesoo Kim, FINDING SECURITY BUGS Fuzzing Automated test to monitor exceptions (crashes & memory leaks)

417 views • 17 slides
QSym over Sym has a stable basis Aaron Lauve and Sarah Mason 3 August 2010 Aaron Lauve and Sarah

QSym over Sym has a stable basis Aaron Lauve and Sarah Mason 3 August 2010 Aaron Lauve and Sarah

Overview Symmetric and quasisymmetric polynomials The Bergeron-Reutenauer basis QSym over Sym has a stable basis Aaron Lauve and Sarah Mason 3 August 2010 Aaron Lauve and Sarah Mason QSym/Sym Overview Symmetric and quasisymmetric

736 views • 62 slides
Storytelli Storytelling ng in in Infosec Infosec (Draft aft of) a Pr Practical ctical Guide

Storytelli Storytelling ng in in Infosec Infosec (Draft aft of) a Pr Practical ctical Guide

Dr. med. Christina Czeschik www.serapion.de Storytelli Storytelling ng in in Infosec Infosec (Draft aft of) a Pr Practical ctical Guide ide BalCCon 2k17 Sept 16, 2017, Novi Sad How to Make Users Behave Safely? Explain things to them?

566 views • 52 slides
COURSE ELEMENTS NGA ARIA I ROTO NGA TIKANGA NGA TIKANGA THEORY PRA PRACTICA CTICAL

COURSE ELEMENTS NGA ARIA I ROTO NGA TIKANGA NGA TIKANGA THEORY PRA PRACTICA CTICAL

COURSE ELEMENTS NGA ARIA I ROTO NGA TIKANGA NGA TIKANGA THEORY PRA PRACTICA CTICAL DEVELOPMENT OF TRADITIONAL PERFORMANCE AND DANCE TECHNIQUES RESEARCH SKILLS SELF-CONFIDENCE COLLATION OF WHAIKORERO/VOCAL

287 views • 6 slides
Case S Studie dies a and P Practica ctical Inte terpreta tatio tions ns o of ISO

Case S Studie dies a and P Practica ctical Inte terpreta tatio tions ns o of ISO

QTS Confidential Case S Studie dies a and P Practica ctical Inte terpreta tatio tions ns o of ISO SO11607 07 Todd Engelken Gerry Gunderson, CPP March 11-13, 2013 Louisville, KY QTS is a Medical Device Outsourcing company

1.21k views • 61 slides
AA AAV9. 9. L LAM AMP-2B R 2B Reverses M Metabol olic a and Ph Physiologic Mu Multiorgan

AA AAV9. 9. L LAM AMP-2B R 2B Reverses M Metabol olic a and Ph Physiologic Mu Multiorgan

AA AAV9. 9. L LAM AMP-2B R 2B Reverses M Metabol olic a and Ph Physiologic Mu Multiorgan Dy Dysfunc uncti tion n in n a Mur urine ne Mo Model el of Da Dano non Di Disease Ana Maria Manso, Emily Gault, Sherin Hashem, Bradley

463 views • 17 slides
Act Active S Shoot ooter Be Best P Pract ctice ces With Special G Wit h Special Gues

Act Active S Shoot ooter Be Best P Pract ctice ces With Special G Wit h Special Gues

Act Active S Shoot ooter Be Best P Pract ctice ces With Special G Wit h Special Gues uest St Star ar: Y : YouT uTube ube Ron LaPedis Bay Area Emergency Managers Conference 2018 Act Active S Shoot ooter Be Best P Pract ctice

351 views • 31 slides
T RANSI T I ON 2 PRACT I CE Na po le o n B. Hig g ins, Jr., MD CE O a nd Pre side nt, Ba y

T RANSI T I ON 2 PRACT I CE Na po le o n B. Hig g ins, Jr., MD CE O a nd Pre side nt, Ba y

T RANSI T I ON 2 PRACT I CE Na po le o n B. Hig g ins, Jr., MD CE O a nd Pre side nt, Ba y Po inte Be ha vio ra l He a lth Se rvic e , I nc . Pre side nt, Ca uc us o f Bla c k Psyc hia trists, APA PHYSI CI AN, K NOW T HYSE L F

400 views • 14 slides
RE DUCI NG JUDI CI AL ST RE SS WI T H RE F L E CT I VE PRACT I CE Ho n. Eliza b

RE DUCI NG JUDI CI AL ST RE SS WI T H RE F L E CT I VE PRACT I CE Ho n. Eliza b

RE DUCI NG JUDI CI AL ST RE SS WI T H RE F L E CT I VE PRACT I CE Ho n. Eliza b e th C rnko vic h Je nnie C o le -Mo ssm a n LIMHP I ntro duc tio ns I n the I nte re st o f . Stre ss a nd judg ing L o ne line ss

254 views • 21 slides
West w ard H Ho A Apart m ent s Phoenix, A AZ Healt hy H Hom es Best Pract ct ice ces

West w ard H Ho A Apart m ent s Phoenix, A AZ Healt hy H Hom es Best Pract ct ice ces

West w ard H Ho A Apart m ent s Phoenix, A AZ Healt hy H Hom es Best Pract ct ice ces I nt egrat ing Healt h Care Wit h Housing Cat hedral Developm ent Group Ari rizona St at e Univers rsit y Aug Augus ust 2016 Introductions

323 views • 16 slides
(OPG) Meeting Welcome and Introductions OPG Executi utives es Chair ( ) Evelyn Hii Past

(OPG) Meeting Welcome and Introductions OPG Executi utives es Chair ( ) Evelyn Hii Past

Osler Parent Group Sept 26, 2018 (OPG) Meeting Welcome and Introductions OPG Executi utives es Chair ( ) Evelyn Hii Past Chair ( ) Robin Halpern Secretary ( ) Jessie Yu Treasurers ( ) Crystal Xu & Maggie

272 views • 26 slides
(OPG) Meeting Welcome and Introductions OPG Executi utives es Chair Evelyn Hii Past Chair

(OPG) Meeting Welcome and Introductions OPG Executi utives es Chair Evelyn Hii Past Chair

Osler Parent Group Nov 28, 2018 (OPG) Meeting Welcome and Introductions OPG Executi utives es Chair Evelyn Hii Past Chair Robin Halpern Secretary Jessie Yu Treasurers Crystal Xu & Maggie Wang Members-At-Large Susnita Lynch &

244 views • 23 slides
PRESENTATI ON OF JACQUELI NE COKE-LLOYD, EXECUTI VE DI RECTOR OF THE JAMAI CA EMPLOYERS

PRESENTATI ON OF JACQUELI NE COKE-LLOYD, EXECUTI VE DI RECTOR OF THE JAMAI CA EMPLOYERS

PRESENTATI ON OF JACQUELI NE COKE-LLOYD, EXECUTI VE DI RECTOR OF THE JAMAI CA EMPLOYERS FEDERATI ON ON THE ROLE OF ENTERPRI SE DEVELOPMENT I N PROMOTI NG DECENT WORK AT THE PREPARATORY MEETI NG OF THE HI GH LEVEL SEGMENT OF THE ECONOMI

315 views • 19 slides
DE F INING BE ST PRACT ICE F OR ADVE RSE E VE NT RE PORT ING WIT H INDUST RY-

DE F INING BE ST PRACT ICE F OR ADVE RSE E VE NT RE PORT ING WIT H INDUST RY-

1 1 TH A N N U A L M EETI N G O F I S M P P DE F INING BE ST PRACT ICE F OR ADVE RSE E VE NT RE PORT ING WIT H INDUST RY- SPONSORE D CL INICAL T RIAL MANUSCRIPT S April 28, 2015 Hya tt Re g e nc y Crysta l City

414 views • 17 slides
We Welcome To To EX EXECUTI UTIVE E SUM UMMARY CW Petroleum Corp was founded as a Texas

We Welcome To To EX EXECUTI UTIVE E SUM UMMARY CW Petroleum Corp was founded as a Texas

We Welcome To To EX EXECUTI UTIVE E SUM UMMARY CW Petroleum Corp was founded as a Texas corporation by Christopher Williams and began operations in 2011. It reincorporated in Wyoming as a C corporation in April 2018. CW supplies

401 views • 23 slides
and Symb mbolic olic Ve Verif rification ication Kim Ki m G. . La Lars rsen Aa Aalb

and Symb mbolic olic Ve Verif rification ication Kim Ki m G. . La Lars rsen Aa Aalb

Dec ecidab idability ility and Symb mbolic olic Ve Verif rification ication Kim Ki m G. . La Lars rsen Aa Aalb lborg org Univ iversity ersity, , DENMARK NMARK Dec Decid idabi ability lity Reachability chability ? a b

723 views • 70 slides
Ca Cali liforni ornia: a: Pol olic icie ies, s, Pr Prac acti tices ces an and Preven

Ca Cali liforni ornia: a: Pol olic icie ies, s, Pr Prac acti tices ces an and Preven

Ca Cali liforni ornia: a: Pol olic icie ies, s, Pr Prac acti tices ces an and Preven d Preventi tion on Ef Effor orts ts Affe fecti cting ng Yout uth. h. Joe Eberstein, CCPS Program Manager Center for Community Research

469 views • 30 slides
DRAFT BEACON MINERALS LIMITED 1 ASX:BCN EXE EXECUTI TIVE TE TEAM AM Geoff Greenhill

DRAFT BEACON MINERALS LIMITED 1 ASX:BCN EXE EXECUTI TIVE TE TEAM AM Geoff Greenhill

AUSTRALIAS NEWEST GOLD PRODUCER 20 FEBRUARY 2020 PRESENTATION DRAFT BEACON MINERALS LIMITED 1 ASX:BCN EXE EXECUTI TIVE TE TEAM AM Geoff Greenhill graduated from the Western Australian School of Mines obtaining an Associateship in

623 views • 17 slides
2019 Executi tive D Direct ector or Lea Leadership ip S Survey R Res esult lts Regional

2019 Executi tive D Direct ector or Lea Leadership ip S Survey R Res esult lts Regional

2019 Executi tive D Direct ector or Lea Leadership ip S Survey R Res esult lts Regional al C Center o of O Oran ange C County Conducted by the Thompson Policy Institute on Disability Chapman University Audri Gomez, PhD & Don

581 views • 14 slides
AST HMA BE ST PRACT I CE S F OR SCHOOL NURSE S Sc ho o l Nurse s No ve m b e r 2015 1

AST HMA BE ST PRACT I CE S F OR SCHOOL NURSE S Sc ho o l Nurse s No ve m b e r 2015 1

AST HMA BE ST PRACT I CE S F OR SCHOOL NURSE S Sc ho o l Nurse s No ve m b e r 2015 1 BACK GROUND AND CURRE NT ST AT S Ge ne ra l de finitio ns a nd e xpla na tio ns 2 I nc ide nc e o f Asthma Ce nte rs fo r Dise a se

843 views • 58 slides
DIV IVERSIT ERSITY Y OF OF NU NUCLEAR LEAR POWER ER POL OLIC ICIES IES IN IN EU EUROP

DIV IVERSIT ERSITY Y OF OF NU NUCLEAR LEAR POWER ER POL OLIC ICIES IES IN IN EU EUROP

PUN UNCTU TUATIO TIONS, NS, IN INSTITU TITUTIONS, TIONS, AND TH THE E DIV IVERSIT ERSITY Y OF OF NU NUCLEAR LEAR POWER ER POL OLIC ICIES IES IN IN EU EUROP OPE E Peter Z. Grossman Butler University (USA) Central question:

353 views • 17 slides
The P e Pract ctic ice of of and T Thou oughts on on th the S Synergy Between E Exchan

The P e Pract ctic ice of of and T Thou oughts on on th the S Synergy Between E Exchan

The P e Pract ctic ice of of and T Thou oughts on on th the S Synergy Between E Exchan ange-Traded ed a and O OTC Markets Mr. W Wang ng Zhe henyin ing, P Preside ident Sha hang nghai G Gold E d Excha hange June 10, 10,

284 views • 12 slides

More recommend