FUZZIFICATION: Anti-Fuzzing Techniques
Jinho Jung, Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim
*
1 Fuzzing Discovers Many Vulnerabilities
2 Fuzzing Discovers Many Vulnerabilities
3 Testers Find Bugs with Fuzzing
Detected bugs
Normal users
Compilation
Source Released binary
Testers
Compilation Distribution Fuzzing
4 But Attackers Also Find Bugs
Detected bugs
Normal users
Compilation Attackers Source Released binary
Testers
Compilation Distribution Fuzzing
5 Our work: Make the Fuzzing Only Effective to the Testers
Detected bugs Normal users
Fuzzification ? Fortified binary Attackers Source Compilation
Binary Testers
Compilation Distribution Fuzzing
6 Threat Model
Detected bugs Normal users
Fuzzification Fortified binary Attackers Source Compilation
Binary Testers Compilation Distribution Fuzzing
7 Threat Model
Detected bugs Normal users
Fuzzification Fortified binary Attackers Source Compilation
Binary Testers Compilation Distribution Fuzzing
Adversaries try to find vulnerabilities from fuzzing
8 Threat Model
Detected bugs Normal users
Fuzzification Fortified binary Attackers Source Compilation
Binary Testers Compilation Distribution Fuzzing
Adversaries only have a copy of fortified binary
9 Threat Model
Detected bugs Normal users
Fuzzification Fortified binary Attackers Source Compilation
Binary Testers Compilation Distribution Fuzzing
Adversaries know Fuzzification and try to nullify
10 Research Goals
Detected bugs Normal users
Fuzzification Fortified binary Attackers Source Compilation
Binary Testers Compilation Distribution Fuzzing
11 Research Goals
Detected bugs Normal users
Fuzzification Fortified binary Attackers Source Compilation
Binary Testers Compilation Distribution Fuzzing
Hinder Fuzzing Reduce the number of detected bugs
12 Research Goals
Detected bugs
Normal users AFL Fuzzification HonggFuzz QSym Fortified binary Attackers VUzzer … Source Compilation
Binary Testers
Compilation Distribution Fuzzing
Generic Affect most of the fuzzers
13 Research Goals
Detected bugs Normal users
Fuzzification Fortified binary Attackers Source Compilation
Binary Testers Compilation Distribution Fuzzing Low overhead to normal user Overhead High overhead to attackers 14 Research Goals
Detected bugs Normal users
Fuzzification Fortified binary Attackers Source Compilation
Binary Testers Compilation Distribution Fuzzing
Resiliency Resilient to the adversarial analysis
15 Why Existing Methods Are Not Applicable?
Generic to Low Resilient to Method most fuzzers overhead adversary Packing or obfuscation O X O
16 Why Existing Methods Are Not Applicable?
Generic to Low Resilient to Method most fuzzers overhead adversary Packing or obfuscation O X O
Bug injection O O X
17 Why Existing Methods Are Not Applicable?
Generic to Low Resilient to Method most fuzzers overhead adversary Packing or obfuscation O X O
Bug injection O O X
Fuzzer detection X O X
18 Why Existing Methods Are Not Applicable?
Generic to Low Resilient to Method most fuzzers overhead adversary Packing or obfuscation O X O
Bug injection O O X
Fuzzer detection X O X
Emulator detection X O X
19 Why Existing Methods Are Not Applicable?
Generic to Low Resilient to Method most fuzzers overhead adversary Packing or obfuscation O X O
Bug injection O O X
Fuzzer detection X O X
Emulator detection X O X
Fuzzification O O O
20 Fuzzification Hinders Advanced Features
• Fast execution Parallel execution
H/W • Coverage-guidance feature
Fork • Hybrid approach server
21 Fuzzification Hinders Advanced Features
SpeedBump • Fast execution Parallel execution
H/W • Coverage-guidance feature
Fork • Hybrid approach server
22 Fuzzification Hinders Advanced Features
Coverage • Fast execution Parallel execution
H/W • Coverage-guidance feature
Fork • Hybrid approach server
23 Fuzzification Hinders Advanced Features
Coverage • Fast execution Parallel execution
H/W • Coverage-guidance feature BranchTrap Fork • Hybrid approach server
24 Fuzzification Hinders Advanced Features
Coverage • Fast execution Parallel execution
H/W • Coverage-guidance feature
Fork Queue • Hybrid approach server Symbolic execution
Dynamic taint analysis
25 Fuzzification Hinders Advanced Features
Coverage • Fast execution Parallel execution
H/W • Coverage-guidance feature Anti-Hybrid
Fork Queue • Hybrid approach server Symbolic execution
Dynamic taint analysis
26 SpeedBump: Selective Delay Injection
Basic block
27 SpeedBump: Selective Delay Injection
• Identify frequently and rarely visited paths
Basic block Rarely visited path Frequently visited path 28 SpeedBump: Selective Delay Injection
• Identify frequently and rarely visited paths
1 • Inject delays from the most rarely visited edges 2
Basic block Rarely visited path Frequently visited path 29 SpeedBump: Selective Delay Injection
• Why this is effective? ▫ User: follows common paths
1 ▫ Attacker: searches for new paths
➔ Impact of delay is more 2 significant to attackers
Basic block Rarely visited path Frequently visited path 30 SpeedBump: How to delay?
• Strawman: using sleep() ➔ trivially removed by adversary
31 SpeedBump: How to delay?
• Strawman: using sleep() ➔ trivially removed by adversary
• Counter to advanced adversary ▫ Use randomly generated code ➔ avoid static-pattern
32 SpeedBump: How to delay?
• Strawman: using sleep() ➔ trivially removed by adversary
• Counter to advanced adversary ▫ Use randomly generated code ➔ avoid static-pattern ▫ Impose control-flow and data-flow dependency ➔ avoid automated analysis
33 SpeedBump: Selective Delay Injection int rarely_executed_code () { return 0; }
34 SpeedBump: Selective Delay Injection int rarely_executed_code () { return 0; }
//define global variables int global1 = 1; int global2 = 2; int rarely_executed_code () { //inject delay function int pass = 20; global2 = func(pass); return 0; } 35 SpeedBump: Selective Delay Injection int rarely_executed_code () { int func(int p6) { return 0; int local1[10]; } // affect global1 variable global1 = 45; int local2 = global1; //define global variables for (int i = 0; i < 1000; i++) int global1 = 1; // affect local1 variable int global2 = 2; local1[i] = p6 + local2 + i; int rarely_executed_code () // affect global2 variable { return local1[5]; //inject delay function } int pass = 20; global2 = func(pass); return 0; } 36 BranchTrap Hinders Coverage Management
Coverage • Fast execution Parallel execution
H/W • Coverage-guidance feature
Fork Queue • Hybrid approach server Symbolic execution
Dynamic taint analysis
37 BranchTrap#1: Fabricates Input-sensitive Paths
“AAAA”
1
2
3
Coverage #1
38 BranchTrap#1: Fabricates Input-sensitive Paths
“AAAA” “AAAB”
1
2
3
Coverage #1 Coverage #2
39 BranchTrap#1: Fabricates Input-sensitive Paths
“AAAA” “AAAB” “AAAA”
1 1 BranchTrap
2 2
3 3
Coverage #1 Coverage #2 Coverage #1
40 BranchTrap#1: Fabricates Input-sensitive Paths
“AAAA” “AAAB” “AAAA” “AAAB”
1 1 BranchTrap
2 2
3 3
Coverage #1 Coverage #2 Coverage #1 Coverage #2
41 BranchTrap#1: ROP-based Fake Paths Generation
Func1 (arg1, arg2)
Caller
call Func1 next inst
Original epilogue
pop rbp pop r15 ret
42 BranchTrap#1: ROP-based Fake Paths Generation
Func1 (arg1, arg2) Code snippet 1 pop rbp pop r15 ret Caller
Code call Func1 snippet 2 next inst pop rbp pop r15 Original ret epilogue … pop rbp pop r15 Code ret snippet N … 43 BranchTrap#1: ROP-based Fake Paths Generation
Func1 (arg1, arg2) Code snippet 1 pop rbp ① pop r15 ② index = arg1 ^ arg2 ret Caller
Code call Func1 snippet 2 next inst pop rbp pop r15 Original ret epilogue … pop rbp pop r15 Code ret snippet N … 44 BranchTrap#1: ROP-based Fake Paths Generation
Func1 (arg1, arg2) Code snippet 1 pop rbp ① pop r15 ② index = arg1 ^ arg2 ret Caller
③ Code call Func1 jmp table [index] ④ snippet 2 next inst pop rbp pop r15 Original ret epilogue … pop rbp pop r15 Code ret snippet N … 45 BranchTrap#1: ROP-based Fake Paths Generation
Func1 (arg1, arg2) Code snippet 1 pop rbp ① pop r15 ② index = arg1 ^ arg2 ret Caller
③ Code call Func1 jmp table [index] ④ snippet 2 next inst pop rbp pop r15 Original ⑤ ret epilogue … pop rbp pop r15 Code ret snippet N … 46 BranchTrap#2: Saturate Feedback State
• One-time visit makes effect 1 • BranchTrap: 2 ▫ Saturates bitmap data ▫ Prevents coverage recording 3
47 AntiHybrid Hinders Hybrid Fuzzing
Coverage • Fast execution Parallel execution
H/W • Coverage-guidance feature
Fork Queue • Hybrid approach server Symbolic execution
Dynamic taint analysis
48 Challenge of Hybrid Fuzzing • Dynamic taint analysis ▫ Expensive implicit flow Transform explicit data-flow ➔ implicit data-flow
49 Challenge of Hybrid Fuzzing • Dynamic taint analysis ▫ Expensive implicit flow Transform explicit data-flow ➔ implicit data-flow
• Symbolic execution ▫ Path explosion Introduce an arbitrary path explosions
50 AntiHybrid Avoids Dynamic Taint Analysis • Transform explicit data-flow to implicit data-flow
char input = ‘a’; char input = ‘a’; char anti_dta; if (input == 97) if (!strcmp(input, ‘a’)) anti_dta = ‘a’; { … } if (!strcmp(anti_dta, ‘a’)) { … } input Unable to taint
anti_dta 51 AntiHybrid Incurs Path Explosions
• Inject hash calculations into branches
if(a == 30) if(Hash(a) == 0x300df11) { … } { … }
Path Explosion
52 Fuzzification Work-flow
Valid/invlid ①Run inputs Profile Binary
Source
53 Fuzzification Work-flow
Valid/invlid ①Run inputs Profile Binary
Source ② Inject component SpeedBump LLVM IR BranchTrap
AntiHybrid
54 Fuzzification Work-flow
Valid/invlid ①Run inputs Profile Binary
Source ② Inject component SpeedBump LLVM IR BranchTrap
AntiHybrid Test run
③Measure Overhead & Inject More Component 55 Fuzzification Work-flow
Valid/invlid ①Run inputs Profile Binary
Source ② Inject component SpeedBump LLVM IR BranchTrap ④Release AntiHybrid Test run fortified binary
③Measure Overhead & Inject More Component 56 Evaluation Summary
• Implementation ▫ 6,599 lines of Python and 758 lines of C++
• Evaluation questions: ▫ Effective in “Reducing discovered paths and bugs?” ▫ Effective on “Various fuzzers? ▫ Impose “Low overhead” to the normal user?
57 Reduced the Discovered Coverage By 71%
Discovered PathsDiscovered objdump (binutils) No Fuzzification
BranchTrap AntiHybrid SpeedBump
All Fuzzifications
* Fuzzing result on AFL-QEMU 58 Reduced the Discovered Coverage By 71%
Other binaries
* Fuzzing result on AFL-QEMU 59 Fuzzification is Effective on Various Fuzzers
Fuzzer Result
AFL (QEMU) 74%
HonggFuzz (PT) 61% Reduced code coverage
QSym (AFL-QEMU) 80%
Average 71%
60 Reduced the Discovered Bugs
binutils v2.3.0 LAVA-M dataset
Fuzzer Result Fuzzer Result
AFL (QEMU) 88% Vuzzer 56%
HonggFuzz (PT) 98% QSym (AFL-QEMU) 78%
QSym (AFL-QEMU) 94% Average 67%
Average 93%
61 File size & CPU Overheads
binutils v2.3.0 Real-world applications (e.g., GUI)
Overhead Result Overhead Result File Size 1.4MB (62.1%) File Size 1.3MB (5.4%) CPU Overhead 3.7% CPU Overhead 0.73%
* Both overheads are configurable
62 Discussion
• Best-effort protections against adversarial analysis
• Complementary to other defense techniques ▫ Not hiding all vulnerabilities ▫ But introducing significant cost on attacker
63 Comparison: Fuzzification vs. AntiFuzz
Component Fuzzification AntiFuzz
Delay execution ● (+ cold path) ●
Fake coverage ● (randomized return) ● (fake code)
Saturate coverage ● ○
Prevent crash ○ ●
Anti-hybrid ● (+ anti-DTA) ●
Countermeasures ◐ ○ 64 Conclusion
Make the fuzzing only effective to the testers
• SpeedBump: Inject delays and only affects attackers
• BranchTrap: Insert input-sensitive branches
• AntiHybrid: Hinder hybrid fuzzing techniques
https://github.com/sslab-gatech/fuzzification
65