FUZZIFICATION: Anti-Fuzzing Techniques
Jinho Jung, Hong Hu, David Solodukhin, Daniel Pagan,
Kyu Hyung Lee*, Taesoo Kim
*
1
Fuzzing Discovers Many Vulnerabilities
2
Fuzzing Discovers Many Vulnerabilities
3
Testers Find Bugs with Fuzzing
Detected
bugs
Normal users
Compilation
Released binary
Source
Testers
- Distribution
- Fuzzing
- Compilation
4
But Attackers Also Find Bugs
Detected
bugs
Normal users
Compilation
Attackers
Testers
Released binary
Source
- Distribution
- Fuzzing
- Compilation
5
Our work: Make the Fuzzing Only Effective to the Testers
Detected bugs
Normal users
?
Fuzzification
Fortified
binary
Attackers
Testers
Source
Compilation
Compilation
Binary
- Distribution
- Fuzzing
6
Threat Model
Detected bugs
Normal users
Attackers
Fuzzification
Fortified binary
Source
Compilation
Compilation
Testers
Binary
- Distribution
- Fuzzing
7
Threat Model
Detected bugs
Normal users
Attackers
Fuzzification
Fortified binary
Source
Compilation
Compilation
Testers
Binary
- Distribution
- Fuzzing
Adversaries try to find vulnerabilities from fuzzing
8
Threat Model
Detected bugs
Normal users
Attackers
Fuzzification
Fortified binary
Source
Compilation
Compilation
Testers
Binary
- Distribution
- Fuzzing
Adversaries only have a copy of fortified binary
9
Threat Model
Detected bugs
Normal users
Attackers
Fuzzification
Fortified binary
Source
Compilation
Compilation
Testers
Binary
- Distribution
- Fuzzing
Adversaries know Fuzzification and try to nullify
10
Research Goals
Detected bugs
Normal users
Attackers
Fuzzification
Fortified binary
Source
Compilation
Testers
Binary
- Distribution
- Fuzzing
- Compilation
11
Research Goals
Detected bugs
Normal users
Attackers
Fuzzification
Fortified binary
Source
Compilation
Testers
Binary
- Distribution
- Fuzzing
- Compilation
Hinder Fuzzing Reduce the number of detected bugs
12
Research Goals
Detected bugs
Normal users
Attackers
AFL
HonggFuzz
QSym
Fuzzification
Fortified binary
VUzzer
…
Source
Compilation
- Testers
- Binary
- Compilation
- Fuzzing
- Distribution
Generic Affect most of the fuzzers
13
Research Goals
Detected bugs
Normal users
Attackers
Fuzzification
Fortified binary
Source
Compilation
Testers
Binary
- Distribution
- Fuzzing
- Compilation
Low overhead to normal user
High overhead to attackers
Overhead
14
Research Goals
Detected bugs
Normal users
Attackers
Fuzzification
Fortified binary
Source
Compilation
Testers
Binary
- Distribution
- Fuzzing
- Compilation
Resilient to the adversarial analysis
Resiliency
15
Why Existing Methods Are Not Applicable?
Generic to most fuzzers overhead adversary
- Low
- Resilient to
Method
- Packing or obfuscation
- O
- X
- O
16
Why Existing Methods Are Not Applicable?
Generic to most fuzzers overhead adversary
- Low
- Resilient to
Method
Packing or obfuscation
Bug injection
O
O
- X
- O
- X
- O
17
Why Existing Methods Are Not Applicable?
Generic to most fuzzers overhead adversary
- Low
- Resilient to
Method
Packing or obfuscation
Bug injection
O
O
X
X
O
O
O
X
- X
- Fuzzer detection
18
Why Existing Methods Are Not Applicable?
Generic to most fuzzers overhead adversary
- Low
- Resilient to
Method
Packing or obfuscation
Bug injection
O
O
X
X
X
O
O
O
O
X
X
X
Fuzzer detection
Emulator detection
19
Why Existing Methods Are Not Applicable?
Generic to most fuzzers overhead adversary
- Low
- Resilient to
Method
Packing or obfuscation
Bug injection
O
O
X
X
O
O
O
O
O
X
X
X
O
Fuzzer detection
Emulator detection
Fuzzification
X
O
20
Fuzzification Hinders Advanced Features
• Fast execution
Parallel execution
H/W feature
• Coverage-guidance
Fork server
• Hybrid approach
21
Fuzzification Hinders Advanced Features
SpeedBump
• Fast execution
Parallel execution
H/W feature
• Coverage-guidance
Fork server
• Hybrid approach
22
Fuzzification Hinders Advanced Features
Coverage
• Fast execution
Parallel execution
H/W feature
• Coverage-guidance
Fork server
• Hybrid approach
23
Fuzzification Hinders Advanced Features
Coverage
• Fast execution
Parallel execution
H/W feature
• Coverage-guidance
BranchTrap
Fork server
• Hybrid approach
24
Fuzzification Hinders Advanced Features
Coverage
• Fast execution
Parallel execution
H/W feature
• Coverage-guidance
Queue
Fork server
Symbolic
execution
• Hybrid approach
Dynamic
taint
analysis
25
Fuzzification Hinders Advanced Features
Coverage
• Fast execution
Parallel execution
H/W feature
• Coverage-guidance
Anti-Hybrid
Queue
Fork server
Symbolic
execution
• Hybrid approach
Dynamic
taint
analysis
26
SpeedBump: Selective Delay Injection
Basic block
27
SpeedBump: Selective Delay Injection
• Identify frequently and
rarely visited paths
Basic block Rarely visited path Frequently visited path
28
SpeedBump: Selective Delay Injection
• Identify frequently and
rarely visited paths
1
• Inject delays from the most
rarely visited edges
2
Basic block Rarely visited path Frequently visited path
29
SpeedBump: Selective Delay Injection
• Why this is effective?
▫ User: follows common paths ▫ Attacker: searches for new paths
1
➔ Impact of delay is more
significant to attackers
2
Basic block Rarely visited path Frequently visited path
30