taintscope a checksum aware directed fuzzing tool for
play

Taintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic - PowerPoint PPT Presentation

May 04, 2023 •316 likes •742 views

Taintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang Tao Wei Guofei Gu Wei Zou March 12, 2014 Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope Taintscope is: A Fuzzing tool

  1. Taintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang Tao Wei Guofei Gu Wei Zou March 12, 2014 Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  2. Taintscope is: ◮ A Fuzzing tool ◮ Checksum-Aware ◮ Directed Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  3. Why a new fuzzing tool? Fuzzing tools already exist. They can be sorted in two categories: ◮ Mutation based Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  4. Why a new fuzzing tool? Fuzzing tools already exist. They can be sorted in two categories: ◮ Mutation based ◮ Not very efficient Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  5. Why a new fuzzing tool? Fuzzing tools already exist. They can be sorted in two categories: ◮ Mutation based ◮ Not very efficient ◮ Cannot generate valid input if a checksum mechanism is used Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  6. Why a new fuzzing tool? Fuzzing tools already exist. They can be sorted in two categories: ◮ Mutation based ◮ Not very efficient ◮ Cannot generate valid input if a checksum mechanism is used ◮ Generation based Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  7. Why a new fuzzing tool? Fuzzing tools already exist. They can be sorted in two categories: ◮ Mutation based ◮ Not very efficient ◮ Cannot generate valid input if a checksum mechanism is used ◮ Generation based ◮ Better performances Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  8. Why a new fuzzing tool? Fuzzing tools already exist. They can be sorted in two categories: ◮ Mutation based ◮ Not very efficient ◮ Cannot generate valid input if a checksum mechanism is used ◮ Generation based ◮ Better performances ◮ Often implies having input specification, or source code. ◮ Tools exist to automatically get input format, but cannot reverse engineer checksum algorithms. Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  9. Why a new fuzzing tool? Example of input using checksum: int format int fileSize int width int height ... int checksum void decode_input(File * f){ int recomputed_checksum = checksum(f); int checksum_in_file = get_checksum(f); if (recomputed_checksum != checksum_in_file) exit(); width = get_width(f); ... Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  10. Contributions Taintscope offers several major contributions: ◮ Checksum-aware ◮ Detect checksum test in tested program ◮ Bypass checksum test when fuzz-testing ◮ Reconstruct input with valid checksum Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  11. Contributions Taintscope offers several major contributions: ◮ Checksum-aware ◮ Detect checksum test in tested program ◮ Bypass checksum test when fuzz-testing ◮ Reconstruct input with valid checksum ◮ Directed ◮ Reduces the space of parameters to mutate Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  12. Checksum-awareness Checksum-aware fuzz-testing is done in 3 steps: Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  13. Checksum-awareness Checksum-aware fuzz-testing is done in 3 steps: 1. Pre-processing: locate checksum check points in the program Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  14. Checksum-awareness Checksum-aware fuzz-testing is done in 3 steps: 1. Pre-processing: locate checksum check points in the program 2. Fuzz-testing: mutate input without touching the checksum data Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  15. Checksum-awareness Checksum-aware fuzz-testing is done in 3 steps: 1. Pre-processing: locate checksum check points in the program 2. Fuzz-testing: mutate input without touching the checksum data 3. Post-processing: for a crashing input, rebuild valid checksum Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  16. Checksum-awareness How to locate checksum test in program? Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  17. Checksum-awareness How to locate checksum test in program? Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  18. Checksum-awareness How to locate checksum test in program? Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  19. Checksum-awareness How to locate checksum test in program? Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  20. Checksum-awareness How to locate checksum test in program? Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  21. Checksum-awareness How to locate checksum test in program? Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  22. Checksum-awareness How to locate checksum test in program? Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  23. Checksum-awareness How to fuzz-test knowing the checksum-point? Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  24. Checksum-awareness How to fuzz-test knowing the checksum-point? Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  25. Checksum-awareness Using the checksum locator it is possible to: ◮ Bypass checksum test by modifying the program ◮ Test input on the modified program to find crashing cases Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  26. Checksum-awareness Using the checksum locator it is possible to: ◮ Bypass checksum test by modifying the program ◮ Test input on the modified program to find crashing cases But how to use those inputs on the real program? ◮ Need to reconstruct valid checksum Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  27. Checksum-awareness Using our previous example: int format int fileSize int width int height ... int checksum void decode_input(File * f){ int recomputed_checksum = checksum(f); int checksum_in_file = get_checksum(f); if (recomputed_checksum != checksum_in_file) exit(); width = get_width(f); ... Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  28. Checksum-awareness Using our previous example: int format int fileSize int width int height ... int checksum void decode_input(File * f){ int recomputed_checksum = checksum(f); int checksum_in_file = get_checksum(f); if (recomputed_checksum != checksum_in_file) exit(); width = get_width(f); ... Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  29. Checksum-awareness Why not use that checksum everytime instead of modifying the program? ◮ In practice, finding back the checksum is more complicated ◮ That step is too expensive to do it thousands of time Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  30. Checksum-awareness So Taintscope is a checksum-aware fuzzing tool: ◮ Detects checksum tests ◮ Bypasses them for fuzz-testing ◮ Corrects input so they can work on original program Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  31. Directed fuzzing Fuzz-testing is expensive ◮ Large size of input ◮ Hundreds or thousands of bytes to mutate ◮ Very likely to generate rejected input Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  32. Directed fuzzing Directed fuzzing allows to find hot bytes in the input, which are: ◮ Are more likely to trigger bugs or crashes ◮ Are less likely to be the cause of rejected input What is a hot byte ? ◮ An input byte that will be used in a security-sensitive call (such as malloc or strcpy ) Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  33. Directed fuzzing How to find hot bytes? ◮ Start from a valid input ◮ Give all byte in the input a unique label ◮ Use a taint-tracer to see where the input bytes are used If an input byte is used (directly or indirectly) in a sensitive function call, this byte is a hot byte. Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  34. Directed fuzzing Taintscope finds those hot bytes and focuses on them for fuzz-testing. The hot-byte detection can be done simultaneously with the checksum pre-processing step, leading to less overhead. Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  35. Evaluation and results Taintscope was evaluated on real-world applications such as: ◮ Image viewer ◮ Google Picasa ◮ Adobe Acrobat ◮ Image magick ◮ Media Players ◮ MPlayer ◮ Winamp ◮ Web Browsers ◮ libtiff ◮ XEmacs Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  36. Evaluation and results First test on hot bytes identification. Application Input size # Hot bytes Run time ImageMagick (png) 5149 9 1m54s ImageMagick (jpg) 6617 11 1m13s Picasa (png) 2730 18 5m16s Acrobat (png) 770 21 3m8s Acrobat (jpg 1012 13 4m14s Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  37. Evaluation and results Second test on Checksum localization # points (1 st ) # points (2 nd ) Application Detected Picasa (png) 830 1 Yes Acrobat (png) 5805 1 Yes TCPDump (pcap) 5 2 Yes Tar 9 1 Yes In practice : Around twenty runs to find the checksum location. Done in tens of minutes. Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  38. Evaluation and results Third test on checksum reconstruction: Format # checksum size time PNG 4 4 271.9 PCAP 8 2 455.6 TAR 3 8 572.8 Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

  39. Evaluation and results Out of those tests, Taintscope has found 27 severe vulnerabilities in common applications caused by: ◮ Buffer overflow ◮ Integer overflow ◮ Double free ◮ Null pointer dereference ◮ Infinite loop Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope

Recommend

Outline 31st IEEE Symposium on Security & Privacy Introduction TaintScope: A

Outline 31st IEEE Symposium on Security & Privacy Introduction TaintScope: A

Outline 31st IEEE Symposium on Security & Privacy Introduction TaintScope: A Checksum-Aware Background Directed Fuzzing Tool for Automatic Motivation Software Vulnerability Detection TaintScope Intuition Tielei Wang 1 ,

427 views • 5 slides
Structure-aware fuzzing for Clang and LLVM with libprotobuf-mutator Kostya Serebryany, Vitaly

Structure-aware fuzzing for Clang and LLVM with libprotobuf-mutator Kostya Serebryany, Vitaly

Structure-aware fuzzing for Clang and LLVM with libprotobuf-mutator Kostya Serebryany, Vitaly Buka, Matt Morehouse; Google October 2017 Agenda Fuzzing Fuzzing Clang/LLVM Fuzzing Clang/LLVM better (structure-aware)

914 views • 35 slides
Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li, Bihuan Chen, Xiaofei Xie, Xiuheng Wu, Yang Liu October 18, 2018 1 Mutation Based Grey-box Fuzzing General-purpose Grey-box Fuzzing: Cover more

476 views • 33 slides
About Directed Fuzzing and Use-After-Free: How to Find Complex & Silent Bugs? Manh-Dung

About Directed Fuzzing and Use-After-Free: How to Find Complex & Silent Bugs? Manh-Dung

About Directed Fuzzing and Use-After-Free: How to Find Complex & Silent Bugs? Manh-Dung Nguyen, Sbastien Bardin, Matthieu Lemerre (CEA LIST) Richard Bonichon (Tweag I/O) Roland Groz (Universit Grenoble Alpes) #BHUSA @BLACKHATEVENTS

546 views • 44 slides
Structure-aware fuzzing for real-world projects Rka Kovcs Etvs Lornd University,

Structure-aware fuzzing for real-world projects Rka Kovcs Etvs Lornd University,

Structure-aware fuzzing for real-world projects Rka Kovcs Etvs Lornd University, Hungary rekanikolett@gmail.com 1 Overview tutorial, no groundbreaking discoveries Motivation growing code size -> growing number of bugs

387 views • 27 slides
Lecture 9 When The CRC and TCP Checksum Disagree Jonathan Stone, Craig Partridge Advanced

Lecture 9 When The CRC and TCP Checksum Disagree Jonathan Stone, Craig Partridge Advanced

Lecture 9 When The CRC and TCP Checksum Disagree Jonathan Stone, Craig Partridge Advanced Operating Systems 30 November, 2011 SOA/OS Lecture 9, When The CRC and TCP Checksum Disagree 1/26 Introduction Looking for errors Results

309 views • 26 slides
WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono

WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono

WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono DElia and Emilio Coppa @andreafioraldi andreafioraldi@gmail.com Format-aware Fuzzing Input Input Program Crashes Format Generation Under

666 views • 63 slides
A Topology-Aware Performance Monitoring Tool for Shared Resource Management in Multicore Systems

A Topology-Aware Performance Monitoring Tool for Shared Resource Management in Multicore Systems

A Topology-Aware Performance Monitoring Tool for Shared Resource Management in Multicore Systems TADaaM Team - Nicolas Denoyelle - Brice Goglin - Emmanuel Jeannot August 24, 2015 1. Context/Motivations 2. Fast presentation of the tool 3.

446 views • 29 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&D firstname dot lastname at orange-ftgroup dot com research & development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
Fuzzing remote interfaces for system services in Android Alexandru Blanda Information Security

Fuzzing remote interfaces for system services in Android Alexandru Blanda Information Security

Fuzzing remote interfaces for system services in Android Alexandru Blanda Information Security Engineer 1 Agenda Context Fuzzing tool implementation Results and vulnerabilities 2 Context Intro to System Services System services

446 views • 31 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction Fuzzing Media Content in Android Data Generation Fuzzing the Stagefright Framework Logging & Triage Mechanisms 2 Introduction Fuzzing

1.12k views • 38 slides
NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein, Junfeng Yang, Baishakhi Ray, and Suman Jana Columbia University 1 Fuzzing: a popular way to uncover bugs [Liang et al. 2019] 2 Evolutionary Fuzzing

1.02k views • 26 slides
ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma background What is fuzzing: feed random inputs to trigger as many crashes and hangs as possible What is state-of-the-art of fuzzing research:

494 views • 18 slides
FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim * 1 Fuzzing Discovers Many Vulnerabilities 2 Fuzzing Discovers Many Vulnerabilities 3 Testers Find Bugs with Fuzzing

1.13k views • 65 slides
No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk Fuzzing binaries is hard! Few tools, complex setup Fuzzing binaries in the kernel is even harder! New approach based on static rewriting High

488 views • 46 slides
To The Next (DOM) Level (or How to leverage on W3C specifications to unleash a can of worms

To The Next (DOM) Level (or How to leverage on W3C specifications to unleash a can of worms

Taking Browsers Fuzzing To The Next (DOM) Level (or How to leverage on W3C specifications to unleash a can of worms ) Rosario Valotta Agenda Browser fuzzing: state of the art Memory corruption bugs: an overview Fuzzing

792 views • 40 slides

More recommend