VUzzer: Application-aware Evolutionary Fuzzing

Presentation transcript:

VUzzer: Application-aware Evolutionary Fuzzing
Sanjay Rawat, Vivek Jain, Ashish Kumar, Lucian Cojocar, Cristiano Giuffrida, and Herbert Bos
Presented by Victor van der Veen, 32-year-old from Amsterdam, 3rd year PhD student with Herbert Bos, ETA: summer 2018

VUzzer: smart fuzzing without symbolic execution
Your takeaway message of today:
- Smart fuzzing without symbolic execution
- Extract application features for meaningful mutation
- VUzzer, 30K inputs: 403 crashes; AFL, 30.000K inputs: 238 crashes
VUzzer @ NDSS – March 1, 2017

Problem statement: what are we trying to solve anyway?

AFL will run for hours on this:

    ...
    read(fd, buf, size);
    if (buf[5] == 0xD8 && buf[4] == 0xFF)
        // interesting code here
    else
        pr_exit("Invalid file");

AFL has to figure out that offsets 4 and 5 are of interest (where) and needs to guess 0xFFD8 (what).

More problems: handling 'complex' code structures
- Magic bytes: certain values shall be placed at pre-determined offsets
- Deeper execution: many inputs will end up in less interesting error-handling code
- (Multibyte) markers, not at fixed offsets: if (strstr(&buf, "MAZE")) ...

VUzzer: our mutation-, coverage-based, greybox fuzzer

VUzzer: where to mutate, what to insert
- Evolutionary fuzzing: mutate/select the most promising paths
- Magic byte detection: find possible magic byte values to reach deeper into the binary (limited)
- Input type detection: aid mutation by detecting input bytes of certain types (integers)
- Avoid non-scalable techniques: no symbolic execution, limited use of dynamic taint analysis

Feature extraction: data-flow features and control-flow features

Feature extraction: data-flow features
- Information about the relationship between input data and program computations
- Extracted using static analysis / dynamic taint analysis
- Example: cmp instructions on x86
  - Offsets: which input bytes are compared against? (taint analysis)
  - Magic values: immediate operands of cmp (static analysis)
- Example: lea instructions
  - Integer types: is the index operand tainted?
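As an added example (not the VUzzer project's code), the static half of the cmp feature extraction described above: a small parser over a constructed objdump-style listing that pulls the immediate operands out of cmp instructions and turns them into candidate magic byte strings for a mutator. The listing, the regex and the helper names are assumptions of this example; the taint side (which input offset each cmp reads) is left to runtime.

```python
import re

# Constructed objdump-style listing (AT&T syntax) standing in for a real
# disassembly; the immediates mirror the checks discussed on the slides.
# The lea line is included only to show what the static pass ignores: whether
# its index operand is tainted can only be decided at runtime.
SAMPLE_DISASM = """\
  401136:  80 7e 05 d8          cmpb   $0xd8,0x5(%rsi)
  40113a:  75 1c                jne    401158 <check+0x28>
  40113c:  80 7e 04 ff          cmpb   $0xff,0x4(%rsi)
  401140:  75 16                jne    401158 <check+0x28>
  401142:  81 38 4d 41 5a 45    cmpl   $0x455a414d,(%rax)
  401148:  83 f8 10             cmp    $0x10,%eax
  40114b:  48 8d 04 8e          lea    (%rsi,%rcx,4),%rax
"""

# cmp with an optional AT&T size suffix, followed by an immediate operand
CMP_RE = re.compile(r"\bcmp([bwlq]?)\s+\$0x([0-9a-f]+),")
WIDTH = {"b": 1, "w": 2, "l": 4, "q": 8, "": 0}   # 0: no suffix, register decides

def cmp_immediates(listing: str):
    """Return [(width_in_bytes, value)] for every cmp that has an immediate."""
    return [(WIDTH[suffix], int(hexval, 16))
            for suffix, hexval in CMP_RE.findall(listing)]

def magic_candidates(listing: str) -> set:
    """Turn cmp immediates into byte strings a mutator can splice into inputs.
    Multi-byte values are emitted in both byte orders, because the listing
    shows the compared value, not how it is laid out in the input file."""
    cands = set()
    for width, value in cmp_immediates(listing):
        nbytes = max(width, (value.bit_length() + 7) // 8, 1)
        little = value.to_bytes(nbytes, "little")
        cands.add(little)
        if nbytes > 1:
            cands.add(little[::-1])
    return cands
```

On the sample listing the 32-bit immediate 0x455a414d comes out as the marker bytes "MAZE", which is exactly the kind of value a blind mutator would never guess.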

Feature extraction: control-flow features
- Information about the importance of certain execution paths
- Identify error-handling blocks (heuristics based)
- Rank basic blocks to prioritize hard-to-reach code
  - Each basic block gets a weight depending on how deeply it is nested
  - Error-handling blocks get a negative weight

VUzzer overview (diagram):
- Static analysis: CMP immediates; rank basic blocks
- Seed inputs (known valid) go through dynamic taint analysis, which yields error-handling code, magic bytes and LEA offsets
- Fitness(executed code): high scores for inputs that execute highly ranked basic blocks
- Mutate and loop; dynamic taint analysis only when new code is covered
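As an added example (not the VUzzer project's code), a toy model of the loop in the overview above: a constructed target with the slides' magic-byte and "MAZE" checks, constructed basic-block weights (negative for error handlers), a fitness function over the executed blocks, and a mutation step that writes the (offset, immediate) pairs that taint analysis would report. The target, weights, mutation probabilities and an input length of at least 10 bytes are all assumptions of this example.

```python
import random

# Constructed toy target modelled on the slides: a magic word at fixed offsets
# (checked in the slide's order, buf[5] then buf[4]) and a "MAZE" marker deeper in.
def run_target(data: bytes):
    """Return (executed block ids, observed cmps); the cmps list mimics what
    dynamic taint analysis recovers: (input offset, immediate) per comparison."""
    blocks, cmps = ["entry"], []
    if len(data) < 8:
        return blocks + ["err_len"], cmps
    cmps.append((5, 0xD8))
    if data[5] == 0xD8:
        cmps.append((4, 0xFF))              # only observed once byte 5 matches
        if data[4] == 0xFF:
            blocks.append("magic_ok")
            blocks.append("deep" if b"MAZE" in data[6:] else "err_marker")
            return blocks, cmps
    return blocks + ["err_magic"], cmps
# Control-flow features: deeper blocks weigh more, error handlers are negative.
BLOCK_WEIGHT = {"entry": 1, "magic_ok": 2, "deep": 4,
                "err_len": -1, "err_magic": -1, "err_marker": -1}
MARKERS = [b"MAZE"]                         # multibyte markers found statically

def fitness(data: bytes) -> int:
    return sum(BLOCK_WEIGHT[b] for b in run_target(data)[0])

def mutate(parent: bytes, rng: random.Random, aware: bool) -> bytes:
    buf, roll = bytearray(parent), rng.random()
    if aware and roll < 0.5:                # write magic values at tainted offsets
        for off, val in run_target(parent)[1]:
            buf[off] = val
    elif aware and roll < 0.8:              # splice a marker at a random position
        m = rng.choice(MARKERS)
        pos = rng.randrange(6, len(buf) - len(m) + 1)
        buf[pos:pos + len(m)] = m
    else:                                   # blind byte flip (AFL-style mutation)
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def evolve(seed: bytes, generations: int, rng_seed=0, aware=True,
           children=8, keep=4) -> bytes:
    """Mutate, rank by fitness, keep the fittest; stop once 'deep' is reached."""
    rng, pop = random.Random(rng_seed), [seed]
    for _ in range(generations):
        kids = [mutate(rng.choice(pop), rng, aware) for _ in range(children)]
        pool = list(dict.fromkeys(kids + pop))  # dedupe; newest win fitness ties
        pop = sorted(pool, key=fitness, reverse=True)[:keep]
        if "deep" in run_target(pop[0])[0]:
            break
    return pop[0]
```

With aware=True the loop reaches the "deep" block from an all-zero seed within a few generations; with aware=False the same loop only flips random bytes and stays in the error-handling blocks, which is the situation the AFL slide describes.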

Evaluation: DARPA Cyber Grand Challenge
- VUzzer vs. AFL on 13 binaries, 6 hours per binary
- Far fewer VUzzer inputs: AFL 22k inputs, VUzzer 400 inputs

Evaluation: LAVA-M dataset
LAVA injects hard-to-reach faults to (e.g.) evaluate fuzzers. VUzzer hits significantly more bugs than FUZZER (coverage-based) and SES (symbolic execution / SAT-based). A dash marks a cell that is missing from the transcript.

    Program   Total bugs   FUZZER   SES   VUzzer
    uniq          28          7      -      27
    base64        44          -      9      17
    md5sum        57          2      -       1
    who         2136          -     18      50

Evaluation: various applications
Comparison against AFL on vanilla Ubuntu 14.04: more bugs with fewer inputs. A dash marks a cell that is missing from the transcript.

    Program   Crashes (AFL)   Crashes (VUzzer)   Inputs (AFL)   Inputs (VUzzer)
    mpg321         19              337              883K            24K
    gif2png         7              127              1.84M           43K
    pdf2svg         -               13              923K             5K
    tcpdump         -                3              2.89M           78K
    tcptrace      238              403              3.29M           30K
    djpeg           -                1              35.9M           90K

Evaluation: various applications
Comparison against AFL on vanilla Ubuntu 14.04: VUzzer crashes faster and makes consistent progress.

Conclusion
- VUzzer: a novel fuzzing technique based on an evolutionary approach
- Application-aware fuzzer, exploiting data-flow and control-flow features
- Prioritizes hard-to-reach code paths, deprioritizes error-handling code
- Significantly more bugs with orders of magnitude fewer inputs in less time

Final remarks
- Open source: https://github.com/vusec/vuzzer
- VUSec project page: https://vusec.net/projects/fuzzing
- Contact: s.rawat@vu.nl