Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Department of Computer Science & Engineering College of Engineering.


Jared DeMott, Richard Enbody, William Punch
Department of Computer Science & Engineering, College of Engineering
Supported by Applied Security, Inc.
March

Goal

Find security vulnerabilities in software, particularly those not found by standard testing methods.

Previous Work

In our previous work, The Evolving Art of Fuzzing [1], we defined fuzzing, showed how it relates to testing and security, explained the field as it currently stands, and suggested incorporating genetic algorithms.

Current Work

CONCEPT: We want to better test the vulnerability of binary code (no source code) to inputs that might either "break" that code or make it vulnerable to further attack. We pre-analyze the binary code to identify function addresses that can potentially be called. We track progress by measuring how much code on the attack surface (the part of the code that can be reached via program inputs) we have tested.

APPROACH: The research here is the use of a genetic algorithm to generate inputs to attack the binary code. Evolutionary algorithms are adaptable in ways that humans are not and may discover new or better test cases. We previously developed a general purpose fuzzer (GPF) that automatically fuzzes arbitrary network protocols, using a capture file as the base and fuzzing heuristics as the method for generating semi-valid (partially mutated capture file) data.

TEST: We have designed and implemented an Evolutionary Fuzzing System (EFS) that marries a GA with GPF and a modified version of PaiMei (Figure 1). From a high level, data sessions (Figure 2) of semi-random data are delivered to a debugger-monitored target application. Target hits, the code coverage statistics from each session, are stored to a database. At the end of each generation the fitness of each session is calculated from its hits, and the sessions with the best fitness are allowed to breed (Figure 3). The resulting sessions are used in the next iteration. While the system is in its infancy, initial tests are impressive (Figures 4 & 5): EFS was able to learn a target protocol and discover previously unknown bugs. First results and the complete system design are included in [2].

Future Work

A major challenge is to understand the complex interactions of the genetic algorithm with the target. For example, we have developed a way of organizing data into pools of sessions to allow a novel type of co-evolution. If multiple paths through the code exist, initial results show that pools help us cover them better. It is unknown what the optimal number of pools and number of sessions per pool is, and we believe further niching is required for optimal coverage. Niching would allow sessions that are somewhat different from the most fit sessions to be carried over to the next generation regardless of fitness.

Currently we are testing against software whose internal design is unknown to us. Thus it is difficult to measure the actual effectiveness in terms of path coverage and bugs found. We propose to design and build a benchmarking application. This benchmarking application will allow us to research various grey-box testing approaches, further study EFS, and answer the above questions. The application would also be released to the community at large to allow very interesting studies such as fuzzer "shoot-offs" or competitions. The paper currently under way, Benchmarking Grey-box Robustness Testing Tools, is an initial design for the application and the process [3].

References

[1] Jared DeMott, "The Evolving Art of Fuzzing", Defcon 14, August 2006 & Toorcon 8, September 2006.
[2] J. DeMott, R. Enbody, W. Punch, "Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing", candidate for BlackHat & Defcon 2007.
[3] Jared DeMott, "Benchmarking Grey-box Robustness Testing Tools", work in progress.

Fuzzing Basics

Looking for Application Bugs or Vulnerabilities by Attack Surface Fuzzing

[Figure: High Level Fuzzing Flow Chart]

Exercising the set of all possible combinations of inputs on all possible arcs or paths through code is an infinite set; testing is an NP-hard problem. Still, more analysis of code coverage, path coverage, input space, error heuristics, etc. is prudent for improving application robustness, particularly in the face of rising security threats.

White-box testing analyzes source code. Black-box testing exercises a target program or process without examining any code, whether source code or binary/assembly code. Grey-box testing falls in between by allowing access to binary code. For example, in basic grey-box testing one might attach a debugger to the target code and monitor various statistics (crashes, code coverage, memory usage, etc.). Fuzzing, or security/robustness testing, is an important and growing field of interest to software developers and security researchers alike.

EFS in Action

Initial Test Results against the Golden FTP server

The graphs show the number of functions covered by the best session and the best pool of sessions discovered as the GA progresses over time (x axis). Note that the best pool is outperforming the best session, indicating that multiple sessions in a pool are cooperating to find a more complete fuzzing set, as indicated by covering more of the attack surface (y axis). The pie charts show the diversity in bugs (crash addresses) discovered. Notice that the runs with multiple pools have greater diversity.

Figure 1: The Evolving Fuzzer System (EFS)
Figure 2: Data Structure
Figure 3: Basic Genetic Operators, Session (left) and Pool (right) Crossover
Figure 4: Average fitness (left) and best (right) of pool and session over 6 runs
Figure 5: 10-pool Crash Total; 4-pool Crash Total; 1-pool Crash Total (all runs)
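As an added illustration (not code from the EFS project), the generational loop described above in Python: sessions are byte strings, a constructed stand-in replaces the PaiMei-monitored binary and reports which attack-surface functions a session reaches, fitness is the count of distinct hits, and pools add the co-evolution and a simple niching rule from the Future Work panel. The function addresses and the target's reachability conditions are made up; pools are assumed to hold at least two sessions.

```python
import random

# Constructed stand-in for the debugger-monitored target (EFS used a modified
# PaiMei): the attack surface is a set of function addresses, and a session
# "hits" a function when its input meets a simple condition. All made up.
ATTACK_SURFACE = {
    0x401000: lambda s: s.startswith(b"USER"),
    0x401040: lambda s: b"\r\n" in s,
    0x401080: lambda s: len(s) > 8 and s[4:5] == b" ",
    0x4010C0: lambda s: s.count(b"\xff") >= 3,
    0x401100: lambda s: s.startswith(b"PASS"),
}

def run_session(session: bytes) -> set:
    """Deliver one session and return the attack-surface functions it reached."""
    return {addr for addr, reached in ATTACK_SURFACE.items() if reached(session)}

def fitness(session: bytes) -> int:
    """Fitness = number of distinct functions hit (attack-surface coverage)."""
    return len(run_session(session))

def pool_fitness(pool: list) -> int:
    """A pool's fitness is the combined coverage of all its sessions."""
    return len(set().union(*(run_session(s) for s in pool)))

def crossover(a: bytes, b: bytes, rng: random.Random) -> bytes:
    """Single-point session crossover plus one GPF-style random byte mutation."""
    cut = rng.randint(1, min(len(a), len(b)) - 1)
    child = bytearray(a[:cut] + b[cut:])
    child[rng.randrange(len(child))] = rng.randrange(256)
    return bytes(child)

def seed_pools(seed: bytes, n_pools: int, size: int, rng: random.Random) -> list:
    """Each pool starts from the capture-file seed plus lightly mutated copies."""
    return [[seed] + [crossover(seed, seed, rng) for _ in range(size - 1)]
            for _ in range(n_pools)]

def evolve(pools: list, generations: int, rng: random.Random) -> list:
    """EFS generational loop: evaluate hits, select, breed, then pool crossover."""
    for _ in range(generations):
        for p, pool in enumerate(pools):
            pool.sort(key=fitness, reverse=True)
            elite = pool[: len(pool) // 2]          # fittest half survives and breeds
            best_hits = run_session(pool[0])
            # Niching: keep one session that reaches code the best one does not.
            niche = next((s for s in pool if run_session(s) - best_hits), None)
            kids = [crossover(rng.choice(elite), rng.choice(elite), rng)
                    for _ in range(len(pool) - len(elite))]
            pools[p] = elite + kids
            if niche is not None and niche not in pools[p]:
                pools[p][-1] = niche
        pools.sort(key=pool_fitness, reverse=True)
        if len(pools) > 1:                          # pool crossover (Figure 3, right)
            pools[-1][-1] = pools[0][0]
    return pools
```

Because the fittest half of every pool survives unchanged, the best session's coverage never drops between generations, and the top pool's combined coverage is always at least the best single session's, which is the pool-versus-session effect Figure 4 reports.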