weizz automatic grey box fuzzing for structured binary
play

WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats - PowerPoint PPT Presentation

Feb 03, 2024 •36 likes •666 views

WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono DElia and Emilio Coppa @andreafioraldi andreafioraldi@gmail.com Format-aware Fuzzing Input Input Program Crashes Format Generation Under

  1. WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono D’Elia and Emilio Coppa @andreafioraldi andreafioraldi@gmail.com

  2. Format-aware Fuzzing Input Input Program Crashes Format Generation Under Test Model 2 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  3. Format-aware Fuzzing ● LangFuzz ● Peach ● Spike ● CSmith ● ... 3 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  4. Problems ● Impossible if the input structure is unknown 4 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  5. Problems ● Impossible if the input structure is unknown ● May fail to find bugs related to syntactically invalid inputs in parsers 5 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  6. Problems ● Impossible if the input structure is unknown ● May fail to find bugs related to syntactically invalid inputs in parsers ● Parser implementations do not always closely mirror format specifications 6 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  7. Problems ● Impossible if the input structure is unknown ● May fail to find bugs related to syntactically invalid inputs in parsers ● Parser implementations do not always closely mirror format specifications ● Models take some time to be written by a human (and contains simplifications) 7 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  8. Problems ● Impossible if the input structure is unknown ● May fail to find bugs related to syntactically invalid inputs in parsers ● Parser implementations do not always closely mirror format specifications ● Models take some time to be written by a human (and contain simplifications) ● Wrong models make fuzzing ineffective 8 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  9. Solutions? ● Automatically learn the model from the actual implementation of the parser 9 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  10. Solutions? ● Automatically learn the model from the actual implementation of the parser ● Generate not always syntactically valid inputs 10 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  11. Solutions? ● Automatically learn the model from the actual implementation of the parser ○ (Approximation of) Taint Tracking ■ [Tupni] [Autogram] [Polyglot] [Grimoire] ○ Machine Learning ■ [Learn&Fuzz] [REINAM] ○ Oracle based ■ [GLADE] ● Generate not always syntactically valid inputs 11 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  12. Coverage-guided Fuzzing Coverage Corpus Input Program Mutation Under Test Crashes 12 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  13. Problems ● Fail to explore deep paths behind parsers 13 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  14. Problems ● Fail to explore deep paths behind parsers ● Affected by roadblocks (multi-byte comparisons, checksums, hashes, … ) if (hash(input[0:8]) != input[8:12]) exit(1) if (input[12:16] == 0xABADCAFE) bug() 14 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  15. Structured Fuzzing Corpus Coverage Input Program Input Mutation Under Test Format Model Crashes 15 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  16. Structured Fuzzing ● AFLSmart ● Nautilus ● Superion ● Libprotobuf-Mutator ● Zest ● ... 16 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  17. Bypass Roadblocks ● Concolic Fuzzing ○ [Driller] [QSYM] [Eclipser] ● (Approximation of) Taint Tracking ○ [TaintScope] [Vuzzer] [Angora] [Redqueen ] ● Sensitive feedbacks ○ [LAF-Intel] [CompareCoverage] [FuzzFactory] [IJON] 17 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  18. Bypass Roadblocks ● Concolic Fuzzing ○ [Driller] [QSYM] [Eclipser] ● (Approximation of) Taint Tracking ○ [TaintScope] [Vuzzer] [Angora] [Redqueen ] ● Sensitive feedbacks ○ [LAF-Intel] [CompareCoverage] [FuzzFactory] [IJON] 18 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  19. Idea #1 ● Reuse expensive analysis to bypass roadblocks previously explored in past works to enable Structure-aware mutations 19 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  20. Bypass Roadblocks [Redqueen] ● Mutations targeting magic byte comparisons (Input-To-State) 20 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  21. Bypass Roadblocks [Redqueen] ● Mutations targeting magic byte comparisons (Input-To-State) input: AAAABBBBCCCCBBBB cmp eax, FFFF → eax = BBBB 21 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  22. Bypass Roadblocks [Redqueen] ● Mutations targeting magic byte comparisons (Input-To-State) input: AAAABBBBDDCCDDCC (equivalent in coverage) cmp eax, FFFF → eax = BBBB 22 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  23. Bypass Roadblocks [Redqueen] ● Mutations targeting magic byte comparisons (Input-To-State) input: AAAABBBBDDCCDDCC (equivalent in coverage) cmp eax, FFFF → eax = BBBB new input: AAAAFFFFDDCCDDCC 23 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  24. Bypass Roadblocks [Redqueen] ● Mutations targeting magic byte comparisons (Input-To-State) ● Patch out checksum checks 24 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  25. Formats as an AST [Grimoire] + / 5 = 12 3 25 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  26. Not all formats are parsed into an AST 26 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  27. Comparisons for validation if (chunk->size_field > SIZE_MAX) error(“Invalid Chunk Size”); 27 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  28. Idea #2 ● Instead of using memory accesses to reconstruct the format ([Tupni] [Autogram]) use the comparisons instructions that are likely validation checks 28 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  29. Idea #3 ● Don’t learn a model and use it to guide the fuzzer, but reconstruct each time the structure and apply mutations. This avoids the problem of having errors in the learning process. 29 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  30. Weizz ● Based on AFL 2.52b ● Binary-only (QEMU) ● Approximate Taint to bypass Roadblocks and learn information about validation checks ● Structural mutations based on that information (inspired by [AFLSmart]) 30 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  31. Architecture 31 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  32. Architecture 32 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  33. Architecture 33 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  34. GetDeps: Approximating Taint Tracking Input: AAAABBBBCCCCDDDD cmp eax, FFFF → eax = AAAA 34 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  35. GetDeps: Approximating Taint Tracking Input: AAAABBBBCCCCDDDD cmp eax, FFFF → eax = AAAA Bitflip #1: BAAABBBBCCCCDDDD cmp eax, FFFF → eax = BAAA 35 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  36. Detect Checksum Checks ● One operand is I2S ● The other operand is not I2S and GetDeps revealed dependencies on some input bytes ● The sets of their byte dependencies are disjoint 36 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  37. Input Tags ● Comparison ID ● Timestamp ● Parent ID ● Number of tags with the same ID ● The Comparison ID of the inner checksum that guard this byte ● Flags (which CMP operand, if this is a checksum field, … ) 37 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  38. Many Comparisons affected by the same byte 1. Prioritize Checksum fields 38 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  39. Many Comparisons affected by the same byte 1. Prioritize Checksum fields 2. Prioritize comparisons appeared earlier in time (possible validation checks) 39 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  40. Many Comparisons affected by the same byte 1. Prioritize Checksum fields 2. Prioritize comparisons appeared earlier in time (possible validation checks) 3. Prioritize if the number of bytes influencing the comparison are low 40 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  41. Fixing Checksum ● Late-stage repair ● Topological Sort (Tags have the info for this) ● Unpatch false positives 41 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  42. Locating Fields 42 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  43. Locating Chunks struct { int type; int x , y; int cksm; }; 43 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  44. Locating Chunks struct { 1. Pick a tag type int type; int x , y; int cksm; }; 44 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

  45. Locating Chunks struct { 1. Pick a tag type int type; 2. Recurse if next Timestamp (ts) > current int x , y; int cksm; }; 45 WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats

Recommend

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li, Bihuan Chen, Xiaofei Xie, Xiuheng Wu, Yang Liu October 18, 2018 1 Mutation Based Grey-box Fuzzing General-purpose Grey-box Fuzzing: Cover more

476 views • 33 slides
Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference Valentin Mans 1 , Soomin Kim 2

Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference Valentin Mans 1 , Soomin Kim 2

Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference Valentin Mans 1 , Soomin Kim 2 , Sang Kil Cha 2 1 CSRC, KAIST 2 KAIST The Success of Grey-box Fuzzing OSS-Fuzz has found over 20,000 bugs in 300 open source projects.

458 views • 24 slides
No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk Fuzzing binaries is hard! Few tools, complex setup Fuzzing binaries in the kernel is even harder! New approach based on static rewriting High

488 views • 46 slides
Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared DeMott Dr. Richard Enbody @msu.edu Dr. William Punch Black Hat 2007 www.vdalabs.com VDA Labs, LLC Agenda Goals and previous works (1)

683 views • 54 slides
From Binary to Multiclass Classification CS 6355: Structured Prediction 1 We have seen binary

From Binary to Multiclass Classification CS 6355: Structured Prediction 1 We have seen binary

From Binary to Multiclass Classification CS 6355: Structured Prediction 1 We have seen binary classification We have seen linear models Learning algorithms Perceptron SVM Logistic Regression Prediction is simple Given

1.41k views • 78 slides
Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing

Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing

Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing antti.levomaki@forcepoint.com opi@forcepoint.com WHO? ANTTI LEVOMKI OLLI-PEKKA NIEMI Research Scientist Director of Research WHAT? NETWORK EVASIONS +

463 views • 18 slides
Taintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Taintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Taintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang Tao Wei Guofei Gu Wei Zou March 12, 2014 Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Taintscope Taintscope is: A Fuzzing tool

742 views • 42 slides
A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE

A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE

A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE by Kirk Gittings Note: Kirk Gittings has been photographing the prehistor- coast, but m aking a real living as an art photographer ic,

1.16k views • 8 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Automatic Georeferencing and Search on Structured Georeferenced Bibliographic Data c 1 Marjan

Automatic Georeferencing and Search on Structured Georeferenced Bibliographic Data c 1 Marjan

Introduction Challenges Automatic Georeferencing and Search on Structured Georeferenced Bibliographic Data c 1 Marjan Ceh 2 Dragan Ivanovi 1 University of Novi Sad, Serbia 2 University of Ljubljana, Slovenia 1st International KEYSTONE

492 views • 13 slides
Chapter 4 Tree-Structured Indexing ISAM and B + -trees Binary Search ISAM Architecture and

Chapter 4 Tree-Structured Indexing ISAM and B + -trees Binary Search ISAM Architecture and

Tree-Structured Indexing Torsten Grust Chapter 4 Tree-Structured Indexing ISAM and B + -trees Binary Search ISAM Architecture and Implementation of Database Systems Multi-Level ISAM Too Static? Summer 2016 Search Efficiency B + -trees

1.26k views • 68 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc

Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc

Introduction DBT principle Design flow Intermediate Representation Generation Conclusion Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc Michel and Nicolas Fournel Tima Laboratory , Grenoble,

686 views • 25 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&D firstname dot lastname at orange-ftgroup dot com research & development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
First look at structures CS 6355: Structured Prediction 1 So far Binary classifiers

First look at structures CS 6355: Structured Prediction 1 So far Binary classifiers

First look at structures CS 6355: Structured Prediction 1 So far Binary classifiers Output: 0/1 Multiclass classifiers Output: one of a set of labels Linear classifiers for both Learning algorithms Winner-take-all

1.05k views • 75 slides
Course Information CS 6355: Structured Prediction Building up structured output prediction

Course Information CS 6355: Structured Prediction Building up structured output prediction

Course Information CS 6355: Structured Prediction Building up structured output prediction Refresher of binary classification Inference: Predicting structures, and introduction to multiclass complexity of inference and

213 views • 9 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
Structured Output Learning for Automatic Geophysical Feature Detection Chiyuan Zhang, Charlie

Structured Output Learning for Automatic Geophysical Feature Detection Chiyuan Zhang, Charlie

Structured Output Learning for Automatic Geophysical Feature Detection Chiyuan Zhang, Charlie Frogner, Tomaso Poggio, Mauricio Araya, Detlef Hohl 1 Outline Motivation Methods Results Conclusion & Outlook 2 Motivation:

525 views • 21 slides
Towards Automatic Inference of Kernel Object Semantics from Binary Code Junyuan Zeng, and Zhiqiang

Towards Automatic Inference of Kernel Object Semantics from Binary Code Junyuan Zeng, and Zhiqiang

Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Towards Automatic Inference of Kernel Object Semantics from Binary Code Junyuan Zeng, and Zhiqiang Lin Department of Computer Science

738 views • 53 slides
Automatic Generation of Minimal and Reduced Models for Structured Parametric Dynamical Systems

Automatic Generation of Minimal and Reduced Models for Structured Parametric Dynamical Systems

Automatic Generation of Minimal and Reduced Models for Structured Parametric Dynamical Systems Igor Pontes Duff Joint work with Peter Benner (MPI, Magdeburg) Pawan Goyal (MPI, Magdeburg) ICERM Workshop - Mathematics of Reduced Order Models

1.46k views • 108 slides
Automatic Strengthening of Graph-Structured Knowledge Bases Vinay K. Chaudhri Nikhil Dinesh

Automatic Strengthening of Graph-Structured Knowledge Bases Vinay K. Chaudhri Nikhil Dinesh

Automatic Strengthening of Graph-Structured Knowledge Bases Vinay K. Chaudhri Nikhil Dinesh Stijn Heymans Michael A. Wessel Acknowledgment This work has been funded by Paul Allens Vulcan Inc. http://www.vulcan.com

782 views • 20 slides

More recommend