Automatically Bypassing Android Malware Detection System
Total Page:16
File Type:pdf, Size:1020Kb
FUZZIFICATION: Anti-Fuzzing Techniques Jinho Jung, Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim * 1 Fuzzing Discovers Many Vulnerabilities 2 Fuzzing Discovers Many Vulnerabilities 3 Testers Find Bugs with Fuzzing Detected bugs Normal users Compilation Source Released binary Testers Compilation Distribution Fuzzing 4 But Attackers Also Find Bugs Detected bugs Normal users Compilation Attackers Source Released binary Testers Compilation Distribution Fuzzing 5 Our work: Make the Fuzzing Only Effective to the Testers Detected bugs Normal users Fuzzification ? Fortified binary Attackers Source Compilation Binary Testers Compilation Distribution Fuzzing 6 Threat Model Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Binary Testers Compilation Distribution Fuzzing 7 Threat Model Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Binary Testers Compilation Distribution Fuzzing Adversaries try to find vulnerabilities from fuzzing 8 Threat Model Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Binary Testers Compilation Distribution Fuzzing Adversaries only have a copy of fortified binary 9 Threat Model Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Binary Testers Compilation Distribution Fuzzing Adversaries know Fuzzification and try to nullify 10 Research Goals Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Binary Testers Compilation Distribution Fuzzing 11 Research Goals Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Binary Testers Compilation Distribution Fuzzing Hinder Fuzzing Reduce the number of detected bugs 12 Research Goals Detected bugs Normal users AFL Fuzzification HonggFuzz QSym Fortified binary Attackers VUzzer … Source Compilation Binary Testers Compilation Distribution Fuzzing Generic Affect most of the fuzzers 13 Research Goals Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Binary Testers Compilation Distribution Fuzzing Low overhead to normal user Overhead High overhead to attackers 14 Research Goals Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Binary Testers Compilation Distribution Fuzzing Resiliency Resilient to the adversarial analysis 15 Why Existing Methods Are Not Applicable? Generic to Low Resilient to Method most fuzzers overhead adversary Packing or obfuscation O X O 16 Why Existing Methods Are Not Applicable? Generic to Low Resilient to Method most fuzzers overhead adversary Packing or obfuscation O X O Bug injection O O X 17 Why Existing Methods Are Not Applicable? Generic to Low Resilient to Method most fuzzers overhead adversary Packing or obfuscation O X O Bug injection O O X Fuzzer detection X O X 18 Why Existing Methods Are Not Applicable? Generic to Low Resilient to Method most fuzzers overhead adversary Packing or obfuscation O X O Bug injection O O X Fuzzer detection X O X Emulator detection X O X 19 Why Existing Methods Are Not Applicable? Generic to Low Resilient to Method most fuzzers overhead adversary Packing or obfuscation O X O Bug injection O O X Fuzzer detection X O X Emulator detection X O X Fuzzification O O O 20 Fuzzification Hinders Advanced Features • Fast execution Parallel execution H/W • Coverage-guidance feature Fork • Hybrid approach server 21 Fuzzification Hinders Advanced Features SpeedBump • Fast execution Parallel execution H/W • Coverage-guidance feature Fork • Hybrid approach server 22 Fuzzification Hinders Advanced Features Coverage • Fast execution Parallel execution H/W • Coverage-guidance feature Fork • Hybrid approach server 23 Fuzzification Hinders Advanced Features Coverage • Fast execution Parallel execution H/W • Coverage-guidance feature BranchTrap Fork • Hybrid approach server 24 Fuzzification Hinders Advanced Features Coverage • Fast execution Parallel execution H/W • Coverage-guidance feature Fork Queue • Hybrid approach server Symbolic execution Dynamic taint analysis 25 Fuzzification Hinders Advanced Features Coverage • Fast execution Parallel execution H/W • Coverage-guidance feature Anti-Hybrid Fork Queue • Hybrid approach server Symbolic execution Dynamic taint analysis 26 SpeedBump: Selective Delay Injection Basic block 27 SpeedBump: Selective Delay Injection • Identify frequently and rarely visited paths Basic block Rarely visited path Frequently visited path 28 SpeedBump: Selective Delay Injection • Identify frequently and rarely visited paths 1 • Inject delays from the most rarely visited edges 2 Basic block Rarely visited path Frequently visited path 29 SpeedBump: Selective Delay Injection • Why this is effective? ▫ User: follows common paths 1 ▫ Attacker: searches for new paths ➔ Impact of delay is more 2 significant to attackers Basic block Rarely visited path Frequently visited path 30 SpeedBump: How to delay? • Strawman: using sleep() ➔ trivially removed by adversary 31 SpeedBump: How to delay? • Strawman: using sleep() ➔ trivially removed by adversary • Counter to advanced adversary ▫ Use randomly generated code ➔ avoid static-pattern 32 SpeedBump: How to delay? • Strawman: using sleep() ➔ trivially removed by adversary • Counter to advanced adversary ▫ Use randomly generated code ➔ avoid static-pattern ▫ Impose control-flow and data-flow dependency ➔ avoid automated analysis 33 SpeedBump: Selective Delay Injection int rarely_executed_code () { return 0; } 34 SpeedBump: Selective Delay Injection int rarely_executed_code () { return 0; } //define global variables int global1 = 1; int global2 = 2; int rarely_executed_code () { //inject delay function int pass = 20; global2 = func(pass); return 0; } 35 SpeedBump: Selective Delay Injection int rarely_executed_code () { int func(int p6) { return 0; int local1[10]; } // affect global1 variable global1 = 45; int local2 = global1; //define global variables for (int i = 0; i < 1000; i++) int global1 = 1; // affect local1 variable int global2 = 2; local1[i] = p6 + local2 + i; int rarely_executed_code () // affect global2 variable { return local1[5]; //inject delay function } int pass = 20; global2 = func(pass); return 0; } 36 BranchTrap Hinders Coverage Management Coverage • Fast execution Parallel execution H/W • Coverage-guidance feature Fork Queue • Hybrid approach server Symbolic execution Dynamic taint analysis 37 BranchTrap#1: Fabricates Input-sensitive Paths “AAAA” 1 2 3 Coverage #1 38 BranchTrap#1: Fabricates Input-sensitive Paths “AAAA” “AAAB” 1 2 3 Coverage #1 Coverage #2 39 BranchTrap#1: Fabricates Input-sensitive Paths “AAAA” “AAAB” “AAAA” 1 1 BranchTrap 2 2 3 3 Coverage #1 Coverage #2 Coverage #1 40 BranchTrap#1: Fabricates Input-sensitive Paths “AAAA” “AAAB” “AAAA” “AAAB” 1 1 BranchTrap 2 2 3 3 Coverage #1 Coverage #2 Coverage #1 Coverage #2 41 BranchTrap#1: ROP-based Fake Paths Generation Func1 (arg1, arg2) Caller call Func1 next inst Original epilogue pop rbp pop r15 ret 42 BranchTrap#1: ROP-based Fake Paths Generation Func1 (arg1, arg2) Code snippet 1 pop rbp pop r15 ret Caller Code call Func1 snippet 2 next inst pop rbp pop r15 Original ret epilogue … pop rbp pop r15 Code ret snippet N … 43 BranchTrap#1: ROP-based Fake Paths Generation Func1 (arg1, arg2) Code snippet 1 pop rbp ① pop r15 ② index = arg1 ^ arg2 ret Caller Code call Func1 snippet 2 next inst pop rbp pop r15 Original ret epilogue … pop rbp pop r15 Code ret snippet N … 44 BranchTrap#1: ROP-based Fake Paths Generation Func1 (arg1, arg2) Code snippet 1 pop rbp ① pop r15 ② index = arg1 ^ arg2 ret Caller ③ Code call Func1 jmp table [index] ④ snippet 2 next inst pop rbp pop r15 Original ret epilogue … pop rbp pop r15 Code ret snippet N … 45 BranchTrap#1: ROP-based Fake Paths Generation Func1 (arg1, arg2) Code snippet 1 pop rbp ① pop r15 ② index = arg1 ^ arg2 ret Caller ③ Code call Func1 jmp table [index] ④ snippet 2 next inst pop rbp pop r15 Original ⑤ ret epilogue … pop rbp pop r15 Code ret snippet N … 46 BranchTrap#2: Saturate Feedback State • One-time visit makes effect 1 • BranchTrap: 2 ▫ Saturates bitmap data ▫ Prevents coverage recording 3 47 AntiHybrid Hinders Hybrid Fuzzing Coverage • Fast execution Parallel execution H/W • Coverage-guidance feature Fork Queue • Hybrid approach server Symbolic execution Dynamic taint analysis 48 Challenge of Hybrid Fuzzing • Dynamic taint analysis ▫ Expensive implicit flow Transform explicit data-flow ➔ implicit data-flow 49 Challenge of Hybrid Fuzzing • Dynamic taint analysis ▫ Expensive implicit flow Transform explicit data-flow ➔ implicit data-flow • Symbolic execution ▫ Path explosion Introduce an arbitrary path explosions 50 AntiHybrid Avoids Dynamic Taint Analysis • Transform explicit data-flow to implicit data-flow char input = ‘a’; char input = ‘a’; char anti_dta; if (input == 97) if (!strcmp(input, ‘a’)) anti_dta = ‘a’; { … } if (!strcmp(anti_dta, ‘a’)) { … } input Unable to taint anti_dta 51 AntiHybrid Incurs Path Explosions • Inject hash calculations into branches if(a == 30) if(Hash(a) == 0x300df11) { … } { … } Path Explosion 52 Fuzzification Work-flow Valid/invlid ①Run inputs Profile Binary Source 53 Fuzzification Work-flow Valid/invlid ①Run inputs Profile Binary Source ② Inject component SpeedBump LLVM IR BranchTrap AntiHybrid 54 Fuzzification Work-flow Valid/invlid ①Run inputs Profile Binary Source ② Inject component SpeedBump LLVM IR BranchTrap AntiHybrid Test run ③Measure Overhead & Inject More Component 55 Fuzzification Work-flow Valid/invlid