what you corrupt is not what you crash challenges in
play

What You Corrupt Is Not What You Crash: Challenges in Fuzzing - PowerPoint PPT Presentation

Sep 07, 2023 •168 likes •474 views

What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan Stijohann 2 , 3 Frank Kargl 3 elien Francillon 1 Davide Balzarotti 1 Aur 1 EURECOM 2 Siemens AG 3 Ulm University Introduction Embedded

  1. What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan Stijohann 2 , 3 Frank Kargl 3 elien Francillon 1 Davide Balzarotti 1 Aur´ 1 EURECOM 2 Siemens AG 3 Ulm University

  2. Introduction • Embedded devices are becoming increasingly more important • Vulnerabilities go beyond misconfigurations, weak authentication, hard-coded keys, etc. • Fuzz testing is a popular and effective method for uncovering programming errors • A variety of work improves input generation and fault detection for fuzzing 1

  3. Problem Statement How efficient are we at fuzzing embedded devices? Can we do it better? 2

  4. Fuzzing, Corruptions & Crashes

  5. Starting Point Corruption � = Crash 3

  6. Embedded Devices: A minimalistic classification Type-I: Type-II: General purpose OS-based Embedded OS-based Type-III: No OS-Abstraction 4

  7. Challenge #1: Fault Detection • Lack of basic features, such as: • Memory Management Unit (MMU) • Heap consistency checks • Canaries • Often only solution: Basic liveness checks 5

  8. Challenge #2: Performance & Scalability • Fuzzing greatly benefits from parallelization • This would mean 1 device per instance • Frequent restarts are required • Fast for software, slow for full systems 6

  9. Challenge #3: Instrumentation • Hard to retrieve coverage information • Tools for turning silent corruptions into observable ones rarely available • Unsupported instruction set architecturess • Operation tied to OS-specific features 7

  10. Measuring the effect of memory corruptions • Five common types of memory corruptions • Insertion of artificial bugs in two popular open source programs • Expat • mbedTLS • Trigger condition inspired by LAVA [1] • Vulnerable programs are compiled for four different devices [1] Dolan-Gavitt, Brendan, et al. ”Lava: Large-scale automated vulnerability addition.” IEEE Symposium on Security and Privacy (SP), 2016. 8

  11. Effects of Corruptions accross different systems Platform Desktop Type-I Type-II Type-III Format String ✓ ✓ ✗ ✗ ! ✓ Stack-based buffer overflow ✓ ✓ (opaque) (hang) ! Heap-based buffer overflow ✓ ✗ ✗ (late crash) ✗ Double Free ✓ ✓ ✗ (malfunc.) ✓ ✗ Null Pointer Dereference ✓ ✓ (reboot) (malfunc.) 9

  12. Possible Directions for Improvement • Static Instrumentation • Binary Rewriting • Pysical Re-Hosting • Full Emulation • Partial Emulation • Hardware-Supported Instrumentation 10

  13. Possible Directions for Improvement • Static Instrumentation • Binary Rewriting • Pysical Re-Hosting • Full Emulation • Partial Emulation • Hardware-Supported Instrumentation 10

  14. Leveraging (partial) emulation to improve fuzz testing

  15. Set-up: Overview Avatar 2 boofuzz PANDA Embedded Device Fuzz Inputs Analysis Emulation MMIO Peripherals Plugis Figure 1: Setup for fuzzing utilizing partial emulation Code will be available at: https://github.com/avatartwo/ndss18_wycinwyc 11

  16. Set-up: Target • The vulnerable expat program, as seen in the last part • Focus on a Type-III device • Fuzzed in four different configurations 12

  17. Set-up: Native Avatar 2 boofuzz PANDA Embedded Device Fuzz Inputs MMIO Peripherals Analysis Emula � on Plugis 1. Native (NAT) 2. Partial Emulation with Memory Forwarding (PE/MF) 3. Partial Emulation with Peripheral Modeling (PE/PM) 4. Full Emulation (FE) 13

  18. Set-up: PE/MF Avatar 2 boofuzz PANDA Embedded Device Fuzz Inputs MMIO Peripherals Analysis Emula � on Plugis 1. Native (NAT) 2. Partial Emulation with Memory Forwarding (PE/MF) 3. Partial Emulation with Peripheral Modeling (PE/PM) 4. Full Emulation (FE) 14

  19. Set-up: PE/PM Avatar 2 boofuzz PANDA Embedded Device Fuzz Inputs MMIO Peripherals Analysis Emula � on Plugis 1. Native (NAT) 2. Partial Emulation with Memory Forwarding (PE/MF) 3. Partial Emulation with Peripheral Modeling (PE/PM) 4. Full Emulation (FE) 15

  20. Set-up: FE Avatar 2 boofuzz PANDA Embedded Device Fuzz Inputs MMIO Peripherals Analysis Emula � on Plugis 1. Native (NAT) 2. Partial Emulation with Memory Forwarding (PE/MF) 3. Partial Emulation with Peripheral Modeling (PE/PM) 4. Full Emulation (FE) 16

  21. Set-up: Fuzzer • boofuzz [2], a python-based fuzzer based on Sulley • Configured to trigger the corruptions with different ratios • Used for 100 fuzzing sessions over one hour each [2] https://github.com/jtpereyda/boofuzz 17

  22. Set-up: Corruption Detection Avatar 2 boofuzz PANDA Embedded Device Fuzz Inputs MMIO Peripherals Analysis Emula � on Plugis 1. Native (NAT) 2. Partial Emulation with Memory Forwarding (PE/MF) 3. Partial Emulation with Peripheral Modeling (PE/PM) 4. Full Emulation (FE) 18

  23. Set-up: Corruption Detection Avatar 2 boofuzz PANDA Embedded Device Fuzz Inputs MMIO Peripherals Analysis Emula � on Plugis 1. Native (NAT) 2. Partial Emulation with Memory Forwarding (PE/MF) 3. Partial Emulation with Peripheral Modeling (PE/PM) 4. Full Emulation (FE) 19

  24. Set-up: Corruption detection • 6 simple heuristics, monitoring the execution: 1. Segment Tracking 2. Format Specifier Tracking 3. Heap Object Tracking 4. Call Stack Tracking 5. Call Frame Tracking 6. Stack Object Tracking 20

  25. Measuring Fuzzing Throughput No Heuristics: Native Partial Emulation/Memory Forwarding Partial Emulation/Peripheral Modeling Full Emulation 10 4 Combined Heuristics: Partial Emulation/Memory Forwarding' Partial Emulation/Peripheral Modeling' #Inputs Full Emulation' 10 3 10 2 0 5 10 Corruption Ratio [%] 21

  26. Discussion, Future Work & Conclusion

  27. Insights from the experiments • Liveness checks only is a poor strategy • Full emulation is good - but rarely possible • Partial emulation can already help • But introduces significant performance overhead 22

  28. Limitations and Future Work • We focused on improving fault detection • Other challenges of fuzzing (e.g., input generation) not addressed in this work • Our experiments focused on artificial vulnerabilities • Good for improving our initial understanding • We investigated solutions based on partial emulation • Other approaches still open for research 23

  29. Conclusion • Fuzzing embedded devices requires a paradigm shift • (Partial) emulation can improve fault detection • We need good emulators • Fuzzing of embedded devices needs more investigation 24

Recommend

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared 6/3/2020 1- Crash Identification Block The month, day and hour should be when the crash occurred Not when reported Not when you arrived 2- General

561 views • 15 slides
PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location System Website Address: http://pueblo.ms2soft.com Quick Search By: Study Location Location Crash Data Crash ID Date Crash Type LOG

555 views • 31 slides
A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas State] John Hatcliff Work on specification patterns by Matthew Dwyer, Jay Corbett, and George Avrunin http://www.cis.ksu.edu/santos/bandera

303 views • 29 slides
A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure

A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure

A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure RNA DNA Replication Encoding Proteins Protein Folding Types of DNA Manipulating DNA PCR Biological Computation CPSC

378 views • 36 slides
Crash Course into the New Finnish Government and HQ Communication Crash Course into the New

Crash Course into the New Finnish Government and HQ Communication Crash Course into the New

@amchamwatch| @HofstedeInsight @RudPedersenFIN Country Manager Network Breakfast: Crash Course into the New Finnish Government and HQ Communication Crash Course into the New Finnish Government and HQ Communication Esa Suominen Managing

262 views • 25 slides
CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain

CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain

CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain Landscape Architecture & Regional and Community Planning Kansas State University DLA Conference 2015 June 6, 2015 BACKGROUND AND CONTEXT

702 views • 31 slides
Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N.

Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N.

Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N. McDonough Archivist and Library Manager at the Kettering Foundation Owned by one cat Crash and Burn One fails toward success.

434 views • 7 slides
Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What

Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What

Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What code paths were executed What parts of the execution interacted with external data Input Determination Which input bytes influence the crash

583 views • 45 slides
Crash Course Entrepreneurship Crash Course Escape from Corporate [Case Study] Who wants

Crash Course Entrepreneurship Crash Course Escape from Corporate [Case Study] Who wants

Entrepreneurship Crash Course Entrepreneurship Crash Course Escape from Corporate [Case Study] Who wants to become your own boss, set your own schedule, work from anywhere in the world, make a lot of money, love what you do, AND

1.06k views • 79 slides
The Foreign Corrupt Practices Act US legislation with global implications Illustration:

The Foreign Corrupt Practices Act US legislation with global implications Illustration:

The Foreign Corrupt Practices Act US legislation with global implications Illustration: Getty Images Dick Thornburgh, Edward J Fishman, Michael J Missal, Jeffrey B Maletta and Matt T Morley of K&L Gates LLP examine anti-corruption

304 views • 6 slides
MATLAB crash course Cesar E. Tamayo Economics - Rutgers September 27th, 2013 1/27 MATLAB crash

MATLAB crash course Cesar E. Tamayo Economics - Rutgers September 27th, 2013 1/27 MATLAB crash

MATLAB crash course 1 / 27 MATLAB crash course Cesar E. Tamayo Economics - Rutgers September 27th, 2013 1/27 MATLAB crash course 2 / 27 Program Program I Interface: layout, menus, help, etc.. I Vectors and matrices I Graphics: I Plots,

2k views • 27 slides
Previous Studies Crash Reports Reviewed 2005-2013 crash reports 91% of crashes were

Previous Studies Crash Reports Reviewed 2005-2013 crash reports 91% of crashes were

Previous Studies Crash Reports Reviewed 2005-2013 crash reports 91% of crashes were motor vehicles vs. bikes resulting in injury to at least one person Mostly St. Augustine residents, not tourists Most people involved in

193 views • 6 slides
Towards Better Crash Frequency Modeling: Fusing Machine Learning & Econometric Methods

Towards Better Crash Frequency Modeling: Fusing Machine Learning & Econometric Methods

Towards Better Crash Frequency Modeling: Fusing Machine Learning & Econometric Methods Presenter: Behram Wali Ph.D. Student TSITE 2017 Summer Meeting Morning Session July 26, 2017 Contents Background/Challenges Conceptual

693 views • 44 slides
PAHOKEE ELEMENTARY CRASH SCENE INVESTIGATION TUES., MAY 15, 2018 The Crash--Kikis Silver Car

PAHOKEE ELEMENTARY CRASH SCENE INVESTIGATION TUES., MAY 15, 2018 The Crash--Kikis Silver Car

PAHOKEE ELEMENTARY CRASH SCENE INVESTIGATION TUES., MAY 15, 2018 The Crash--Kikis Silver Car 1. Silver Mazda License Plate: 879RYZ Car hit by front right bumper near headlight 2. Driver KIKI 3. Passengers BRITTNEY

530 views • 15 slides
Carleton University Crash Dummy Crash-Test Dummy Mainly used to improve automotive safety

Carleton University Crash Dummy Crash-Test Dummy Mainly used to improve automotive safety

Carleton University Crash Dummy Crash-Test Dummy Mainly used to improve automotive safety No dummies available for cycling accidents Load Cell Accelerometer http://blog.al.com/living-

236 views • 7 slides
You Only Live Multiple Times Black box re-use of Crash-Stop Algorithms In Realistic Crash-Recovery

You Only Live Multiple Times Black box re-use of Crash-Stop Algorithms In Realistic Crash-Recovery

You Only Live Multiple Times Black box re-use of Crash-Stop Algorithms In Realistic Crash-Recovery Settings DAVID KOZHAYA 1 , OGNJEN MARIC 2 , AND YVONNE-ANNE PIGNOLET 1 1 ABB CORPORATE RESEARCH SWITZERLAND , 2 DIGITAL ASSET SWITZERLAND A

555 views • 19 slides
Foreign Corrupt Practices Act in Latin America Implementing FCPA Compliance Programs and

Foreign Corrupt Practices Act in Latin America Implementing FCPA Compliance Programs and

Presenting a live 90-minute webinar with interactive Q&A Foreign Corrupt Practices Act in Latin America Implementing FCPA Compliance Programs and Mitigating Legal Risks TUES DAY, FEBRUARY 14, 2012 1pm East ern | 12pm Cent ral |

983 views • 54 slides
Foreign Corrupt Practices Act Reform: A Path Toward Practical Compliance December 6, 2011

Foreign Corrupt Practices Act Reform: A Path Toward Practical Compliance December 6, 2011

Foreign Corrupt Practices Act Reform: A Path Toward Practical Compliance December 6, 2011 Squire, Sanders & Dempsey 1200 19 th Street, NW Suite 300 Washington, DC 20036 +1.202.626.6600 Beijing Berlin Birmingham Bratislava

625 views • 21 slides
Foreign Corrupt Practices Act in India Compliance Strategies for India's Unique Cultural and

Foreign Corrupt Practices Act in India Compliance Strategies for India's Unique Cultural and

Presenting a live 90 minute webinar with interactive Q&A Foreign Corrupt Practices Act in India Compliance Strategies for India's Unique Cultural and Governmental Intricacies THURS DAY, MAY 26, 2011 1pm Eastern | 12pm Central |

518 views • 47 slides
TxFS: Leveraging File-System Crash Consistency to Provide ACID Transactions Yige Hu, Zhiting

TxFS: Leveraging File-System Crash Consistency to Provide ACID Transactions Yige Hu, Zhiting

TxFS: Leveraging File-System Crash Consistency to Provide ACID Transactions Yige Hu, Zhiting Zhu, Ian Neal, Youngjin Kwon, Tianyu Chen, Vijay Chidambaram, Emmett Witchel The University of Texas at Austin 1 Crash Applications need crash

819 views • 30 slides
Cool Cisco IOS Commands: test crash test crash test crash is an undocumented Cisco IOS command

Cool Cisco IOS Commands: test crash test crash test crash is an undocumented Cisco IOS command

Cool Cisco IOS Commands: test crash test crash test crash is an undocumented Cisco IOS command that will simulate a router crash. An undocumented IOS command is exactly that: one that does not appear in Cisco documentation or in IOS help. test

308 views • 5 slides
Corrupt but legal: Institutionalised corruption and development finance Nicholas Hildyard, The

Corrupt but legal: Institutionalised corruption and development finance Nicholas Hildyard, The

Corrupt but legal: Institutionalised corruption and development finance Nicholas Hildyard, The Corner House, UK Presentation to Counter Balance symposium on Inequalities, wealth extraction and legal corruption in the large

533 views • 15 slides
Minneap apol olis V Vision on Zero Cr Crash sh St Study City Council Transportation and

Minneap apol olis V Vision on Zero Cr Crash sh St Study City Council Transportation and

Minneap apol olis V Vision on Zero Cr Crash sh St Study City Council Transportation and Public Works Committee January 22, 2019 Todays topics Context for Vision Zero Crash Study Key crash study information Next steps for

690 views • 37 slides
Crash Preventability Determination Program 1 Request and Review Process 2 Eligible Crash Types

Crash Preventability Determination Program 1 Request and Review Process 2 Eligible Crash Types

Crash Preventability Determination Program 1 Request and Review Process 2 Eligible Crash Types The following crash types are eligible for submission to the program. Struck in the Rear type of crash when the CMV was struck: in the rear; or

211 views • 20 slides

More recommend