DOCSLIB.ORG

Periscope: an Effective Probing and Fuzzing Framework for the Hardware-OS Boundary

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Periscope: an Effective Probing and Fuzzing Framework for the Hardware-OS Boundary PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary Dokyung Song∗, Felicitas Hetzelty, Dipanjan Dasz, Chad Spenskyz, Yeoul Na∗, Stijn Volckaert∗x, Giovanni Vignaz, Christopher Kruegelz, Jean-Pierre Seiferty, Michael Franz∗ ∗Department of Computer Science, University of California, Irvine ySecurity in Telecommunications, Technische Universitat¨ Berlin zDepartment of Computer Science, University of California, Santa Barbara xDepartment of Computer Science, KU Leuven Abstract—The OS kernel is an attractive target for remote a number of peripheral devices such as a touchscreen display, attackers. If compromised, the kernel gives adversaries full system camera modules, and chipsets supporting various networking access, including the ability to install rootkits, extract sensitive protocols (cellular, Wi-Fi, Bluetooth, NFC, etc.). Peripheral information, and perform other malicious actions, all while devices by different manufacturers have different inner work- evading detection. Most of the kernel’s attack surface is situated ings, which are often proprietary. Device drivers bridge the along the system call boundary. Ongoing kernel protection efforts gap between stable and well-documented operating system have focused primarily on securing this boundary; several capable analysis and fuzzing frameworks have been developed for this interfaces on one side and peripheral devices on the other, purpose. and make the devices available to the rest of the system. However, there are additional paths to kernel compromise Device drivers are privileged kernel components that exe- that do not involve system calls, as demonstrated by several cute along two different trust boundaries of the system. One recent exploits. For example, by compromising the firmware of of these boundaries is the system call interface, which exposes a peripheral device such as a Wi-Fi chipset and subsequently kernel-space drivers to user-space adversaries. The hardware- sending malicious inputs from the Wi-Fi chipset to the Wi-Fi OS interface should also be considered a trust boundary, driver, adversaries have been able to gain control over the kernel without invoking a single system call. Unfortunately, there are however, since it exposes drivers to potentially compromised currently no practical probing and fuzzing frameworks that can peripheral hardware. These peripherals should not be trusted, help developers find and fix such vulnerabilities occurring along because they may provide a remote attack vector (e.g., network the hardware-OS boundary. devices may receive malicious packets over the air), and they typically lack basic defense mechanisms. Consequently, We present PERISCOPE, a Linux kernel based probing peripheral devices have frequently fallen victim to remote ex- framework that enables fine-grained analysis of device-driver ploitation [16], [21], [23], [28], [36], [77]. Thus, a device driver interactions. PERISCOPE hooks into the kernel’s page fault handling mechanism to either passively monitor and log traffic must robustly enforce the hardware-OS boundary, but pro- between device drivers and their corresponding hardware, or gramming errors do occur. Several recently published attacks mutate the data stream on-the-fly using a fuzzing component, demonstrated that peripheral compromise can be turned into PERIFUZZ, thus mimicking an active adversarial attack. PER- full system compromise (i.e., remote kernel code execution) by IFUZZ accurately models the capabilities of an attacker on coaxing a compromised device into generating specific outputs, peripheral devices, to expose different classes of bugs including, which in turn trigger a vulnerability when processed as an input but not limited to, memory corruption bugs and double-fetch in a device driver [22], [24]. bugs. To demonstrate the risk that peripheral devices pose, as well as the value of our framework, we have evaluated PERIFUZZ The trust boundary that separates peripheral subsystems on the Wi-Fi drivers of two popular chipset vendors, where we from kernel drivers is therefore of great interest to security discovered 15 unique vulnerabilities, 9 of which were previously researchers. In this paper, we present PERISCOPE, which to unknown. our knowledge is the first generic framework that facilitates the exploration of this boundary. PERISCOPE focuses on I. INTRODUCTION two popular device-driver interaction mechanisms: memory- Modern electronics often include subsystems manufactured mapped I/O (MMIO) and direct memory access (DMA). The by a variety of different vendors. For example, in a modern key idea is to monitor MMIO or DMA mappings set up by cellphone, besides the main application processor running a the driver, and then dynamically trap the driver’s accesses smartphone operating system such as Android, one might find to such memory regions. PERISCOPE allows developers to register hooks that it calls upon each trapped access, thereby enabling them to conduct a fine-grained analysis of device- driver interactions. For example, one can implement hooks that Network and Distributed Systems Security (NDSS) Symposium 2019 24-27 February 2019, San Diego, CA, USA record and/or mutate device-driver interactions in support of ISBN 1-891562-55-X reverse engineering, record-and-replay, fuzzing, etc. https://dx.doi.org/10.14722/ndss.2019.23176 www.ndss-symposium.org To demonstrate the risk that peripheral devices pose, as well as to showcase versatility of the PERISCOPE framework, Memory Accesses we created PERIFUZZ, a driver fuzzer that simulates attacks originating in untrusted, compromised peripherals. PERIFUZZ Virtual Address Virtual Address traps the driver’s read accesses to MMIO and DMA map- pings, and fuzzes the values being read by the driver. With MMU a compromised device, these values should be considered to Bus Address Physical Address be under an attacker’s control; the attacker can freely modify these values at any time, even in between the driver’s reads. If Physical Main Processor the driver reads the same memory location multiple times (i.e., Registers Memory overlapping fetches [79]) while the data can still be modified by the device, double-fetch bugs may be present [45], [68]. Physical Address PERIFUZZ accurately models this adversarial capability by fuzzing not only the values being read from different memory IOMMU locations, but also ones being read from the same location I/O Virtual Address multiple times. PERIFUZZ also tracks and logs all overlapping Peripheral Device fetches and warns about ones that occurred before a driver Memory-mapped I/O Direct Memory Access Interrupts crash to help identify potential double-fetch bugs. (MMIO) (DMA) Existing work on analyzing device-driver interactions typ- ically runs the entire system including device drivers in a Fig. 1. Hardware-OS interaction mechanisms controlled environment [32], [44], [47], [49], [54], [60], [62], [66], such as QEMU [20] or S2E [33]. Enabling analysis in such an environment often requires developer efforts tailored • A fuzzing framework: We extended PERISCOPE to specific drivers or devices, e.g., implementing a virtual to build PERIFUZZ, a vulnerability discovery tool device or annotating driver code to keep symbolic execution tailored to detect driver vulnerabilities occurring along tractable. In contrast, PERISCOPE uses a page fault based in- the hardware-OS boundary. The tool demonstrates the kernel monitoring mechanism, which works with all devices power of the PERISCOPE framework, and it system- and drivers in their existing testing environment. As long as atizes the exploration of the hardware-OS boundary. the kernel gets recompiled with our framework, PERISCOPE • An overlapping fetch fuzzer: PERIFUZZ fuzzes over- and PERIFUZZ can analyze device-driver interactions with lapping fetches in addition to non-overlapping fetches, relative ease, regardless of whether the underlying device is and warns about overlapping fetches that occurred virtual or physical, and regardless of the type of the device. before a driver crash. A warning observed before a Extending our framework is also straightforward; for example, driver crash may indicate the presence of double-fetch PERIFUZZ accepts any user-space fuzzer, e.g., AFL, as a plug- bugs. in, which significantly reduces the engineering effort required to implement proven fuzzing strategies [25], [26], [30], [31], • Discovered vulnerabilities: As part of our evaluation, [37]. we discovered previously known and unknown vulner- We validated our system by running experiments on the abilities in the Wi-Fi drivers of two of the most promi- software stacks shipping with the Google Pixel 2 and the nent vendors in the market. We responsibly disclosed Samsung Galaxy S6, two popular smartphones on the market at relevant details to the corresponding vendors. the time of development. To simulate remote attacks that would • An open-source tool: We open-sourced our tool1, in occur over the air in a real-world scenario, we focused on the order to facilitate further research exploration of the Wi-Fi drivers of these phones in evaluating our framework. hardware-OS boundary. The Google Pixel 2 and Samsung Galaxy S6 are equipped with Qualcomm and Broadcom chipsets, respectively. These two are arguably the most popular Wi-Fi chipset manufacturers II. BACKGROUND at the time of our experiments. In our experiments, our system identified 15 unique vulnerabilities in two device drivers, out In this section, we provide the technical background nec- of which 9 vulnerabilities were
Load more

Recommended publications
  • Automatically Bypassing Android Malware Detection System
    FUZZIFICATION: Anti-Fuzzing Techniques Jinho Jung, Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim * 1 Fuzzing Discovers Many Vulnerabilities 2 Fuzzing Discovers Many Vulnerabilities 3 Testers Find Bugs with Fuzzing Detected bugs Normal users Compilation Source Released binary Testers Compilation Distribution Fuzzing 4 But Attackers Also Find Bugs Detected bugs Normal users Compilation Attackers Source Released binary Testers Compilation Distribution Fuzzing 5 Our work: Make the Fuzzing Only Effective to the Testers Detected bugs Normal users Fuzzification ? Fortified binary Attackers Source Compilation Binary Testers Compilation Distribution Fuzzing 6 Threat Model Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Binary Testers Compilation Distribution Fuzzing 7 Threat Model Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Binary Testers Compilation Distribution Fuzzing Adversaries try to find vulnerabilities from fuzzing 8 Threat Model Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Binary Testers Compilation Distribution Fuzzing Adversaries only have a copy of fortified binary 9 Threat Model Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Binary Testers Compilation Distribution Fuzzing Adversaries know Fuzzification and try to nullify 10 Research Goals Detected bugs Normal users Fuzzification Fortified binary Attackers Source Compilation Binary Testers Compilation
    [Show full text]
  • Open Thesis Final.Pdf
    The Pennsylvania State University The Graduate School College of Communications EVALUATIO OF FOSS VIDEO GAMES I COMPARISO TO THEIR COMMERCIAL COUTERPARTS A Thesis in Media Studies By Jesse A. Clark © 2008 Jesse A. Clark Submitted in Partial Fulfillment of the Requirements for the Degree of Master of Arts August 2008 ii The thesis of Jesse A. Clark was reviewed and approved* by the following:: John Nichols Professor of Communications Associate Dean for Graduate Studies and Research Matt Jackson Associate Professor of Communications Head of Department of Telecommunications Thesis Advisor Robert Frieden Professor; Pioneers Chair in Telecommunications Ronald Bettig Associate Professor of Communications *Signatures are on file in the Graduate School. iii Abstract The topic of copyrights and copyright law is a crucial component in understanding today's media landscape. The purpose for having a copyright system as outlined in the U.S. Constitution is to provide content creators with an incentive to create. The copyright system allows revenue to be generated through sales of copies of works; thus allowing for works to be created which otherwise would not be created. Yet it is entirely possible that not all large creative projects require the same legal framework as an incentive. The so called “copyleft” movement (which will be defined and explained in depth later) offers an alternative to the industrial mode of cultural production. Superficially, “copylefted” works can be divided into two broad categories: artistic/creative works (which are often protected by “Creative Commons” licenses), and Free/Open Source Software. This thesis evaluates how open source video games compare to their commercial counterparts and discusses the reasons for any difference in overall quality.
    [Show full text]
  • Markdown Markup Languages What Is Markdown? Symbol
    Markdown What is Markdown? ● Markdown is a lightweight markup language with plain text formatting syntax. Péter Jeszenszky – See: https://en.wikipedia.org/wiki/Markdown Faculty of Informatics, University of Debrecen [email protected] Last modified: October 4, 2019 3 Markup Languages Symbol ● Markup languages are computer languages for annotating ● Dustin Curtis. The Markdown Mark. text. https://dcurt.is/the-markdown-mark – They allow the association of metadata with parts of text in a https://github.com/dcurtis/markdown-mark clearly distinguishable way. ● Examples: – TeX, LaTeX https://www.latex-project.org/ – Markdown https://daringfireball.net/projects/markdown/ – troff (man pages) https://www.gnu.org/software/groff/ – XML https://www.w3.org/XML/ – Wikitext https://en.wikipedia.org/wiki/Help:Wikitext 2 4 Characteristics Usage (2) ● An easy-to-read and easy-to-write plain text ● Collaboration platforms and tools: format that. – GitHub https://github.com/ ● Can be converted to various output formats ● See: Writing on GitHub (e.g., HTML). https://help.github.com/en/categories/writing-on-github – Trello https://trello.com/ ● Specifically targeted at non-technical users. ● See: How To Format Your Text in Trello ● The syntax is mostly inspired by the format of https://help.trello.com/article/821-using-markdown-in-trell o plain text email. 5 7 Usage (1) Usage (3) ● Markdown is widely used on the web for ● Blogging platforms and content management entering text. systems: – ● The main application areas include: Ghost https://ghost.org/
    [Show full text]
  • Moonshine: Optimizing OS Fuzzer Seed Selection with Trace Distillation
    MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation Shankara Pailoor, Andrew Aday, and Suman Jana Columbia University Abstract bug in system call implementations might allow an un- privileged user-level process to completely compromise OS fuzzers primarily test the system-call interface be- the system. tween the OS kernel and user-level applications for secu- OS fuzzers usually start with a set of synthetic seed rity vulnerabilities. The effectiveness of all existing evo- programs , i.e., a sequence of system calls, and itera- lutionary OS fuzzers depends heavily on the quality and tively mutate their arguments/orderings using evolution- diversity of their seed system call sequences. However, ary guidance to maximize the achieved code coverage. generating good seeds for OS fuzzing is a hard problem It is well-known that the performance of evolutionary as the behavior of each system call depends heavily on fuzzers depend critically on the quality and diversity of the OS kernel state created by the previously executed their seeds [31, 39]. Ideally, the synthetic seed programs system calls. Therefore, popular evolutionary OS fuzzers for OS fuzzers should each contain a small number of often rely on hand-coded rules for generating valid seed system calls that exercise diverse functionality in the OS sequences of system calls that can bootstrap the fuzzing kernel. process. Unfortunately, this approach severely restricts However, the behavior of each system call heavily de- the diversity of the seed system call sequences and there- pends on the shared kernel state created by the previous fore limits the effectiveness of the fuzzers.
    [Show full text]
  • Active Fuzzing for Testing and Securing Cyber-Physical Systems
    Active Fuzzing for Testing and Securing Cyber-Physical Systems Yuqi Chen Bohan Xuan Christopher M. Poskitt Singapore Management University Zhejiang University Singapore Management University Singapore China Singapore [email protected] [email protected] [email protected] Jun Sun Fan Zhang∗ Singapore Management University Zhejiang University Singapore China [email protected] [email protected] ABSTRACT KEYWORDS Cyber-physical systems (CPSs) in critical infrastructure face a per- Cyber-physical systems; fuzzing; active learning; benchmark gen- vasive threat from attackers, motivating research into a variety of eration; testing defence mechanisms countermeasures for securing them. Assessing the effectiveness of ACM Reference Format: these countermeasures is challenging, however, as realistic bench- Yuqi Chen, Bohan Xuan, Christopher M. Poskitt, Jun Sun, and Fan Zhang. marks of attacks are difficult to manually construct, blindly testing 2020. Active Fuzzing for Testing and Securing Cyber-Physical Systems. In is ineffective due to the enormous search spaces and resource re- Proceedings of the 29th ACM SIGSOFT International Symposium on Software quirements, and intelligent fuzzing approaches require impractical Testing and Analysis (ISSTA ’20), July 18–22, 2020, Virtual Event, USA. ACM, amounts of data and network access. In this work, we propose active New York, NY, USA, 13 pages. https://doi.org/10.1145/3395363.3397376 fuzzing, an automatic approach for finding test suites of packet- level CPS network attacks, targeting scenarios in which attackers 1 INTRODUCTION can observe sensors and manipulate packets, but have no existing knowledge about the payload encodings. Our approach learns re- Cyber-physical systems (CPSs), characterised by their tight and gression models for predicting sensor values that will result from complex integration of computational and physical processes, are sampled network packets, and uses these predictions to guide a often used in the automation of critical public infrastructure [78].
    [Show full text]
  • BSD UNIX Toolbox 1000+ Commands for Freebsd, Openbsd
    76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page iii BSD UNIX® TOOLBOX 1000+ Commands for FreeBSD®, OpenBSD, and NetBSD®Power Users Christopher Negus François Caen 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page ii 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page i BSD UNIX® TOOLBOX 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page ii 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page iii BSD UNIX® TOOLBOX 1000+ Commands for FreeBSD®, OpenBSD, and NetBSD®Power Users Christopher Negus François Caen 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page iv BSD UNIX® Toolbox: 1000+ Commands for FreeBSD®, OpenBSD, and NetBSD® Power Users Published by Wiley Publishing, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 978-0-470-37603-4 Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 Library of Congress Cataloging-in-Publication Data is available from the publisher. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permis- sion should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.
    [Show full text]
  • The Art, Science, and Engineering of Fuzzing: a Survey
    1 The Art, Science, and Engineering of Fuzzing: A Survey Valentin J.M. Manes,` HyungSeok Han, Choongwoo Han, Sang Kil Cha, Manuel Egele, Edward J. Schwartz, and Maverick Woo Abstract—Among the many software vulnerability discovery techniques available today, fuzzing has remained highly popular due to its conceptual simplicity, its low barrier to deployment, and its vast amount of empirical evidence in discovering real-world software vulnerabilities. At a high level, fuzzing refers to a process of repeatedly running a program with generated inputs that may be syntactically or semantically malformed. While researchers and practitioners alike have invested a large and diverse effort towards improving fuzzing in recent years, this surge of work has also made it difficult to gain a comprehensive and coherent view of fuzzing. To help preserve and bring coherence to the vast literature of fuzzing, this paper presents a unified, general-purpose model of fuzzing together with a taxonomy of the current fuzzing literature. We methodically explore the design decisions at every stage of our model fuzzer by surveying the related literature and innovations in the art, science, and engineering that make modern-day fuzzers effective. Index Terms—software security, automated software testing, fuzzing. ✦ 1 INTRODUCTION Figure 1 on p. 5) and an increasing number of fuzzing Ever since its introduction in the early 1990s [152], fuzzing studies appear at major security conferences (e.g. [225], has remained one of the most widely-deployed techniques [52], [37], [176], [83], [239]). In addition, the blogosphere is to discover software security vulnerabilities. At a high level, filled with many success stories of fuzzing, some of which fuzzing refers to a process of repeatedly running a program also contain what we consider to be gems that warrant a with generated inputs that may be syntactically or seman- permanent place in the literature.
    [Show full text]
  • Openstreetmap History for Intrinsic Quality Assessment: Is OSM Up-To-Date? Marco Minghini1,3* and Francesco Frassinelli2,3
    Minghini and Frassinelli Open Geospatial Data, Software and Standards (2019) 4:9 Open Geospatial Data, https://doi.org/10.1186/s40965-019-0067-x Software and Standards SOFTWARE Open Access OpenStreetMap history for intrinsic quality assessment: Is OSM up-to-date? Marco Minghini1,3* and Francesco Frassinelli2,3 Abstract OpenStreetMap (OSM) is a well-known crowdsourcing project which aims to create a geospatial database of the whole world. Intrinsic approaches based on the analysis of the history of data, i.e. its evolution over time, have become an established way to assess OSM quality. After a comprehensive review of scientific as well as software applications focused on the visualization, analysis and processing of OSM history, the paper presents “Is OSM up-to-date?”, an open source web application addressing the need of OSM contributors, community leaders and researchers to quickly assess OSM intrinsic quality based on the object history for any specific region. The software, mainly written in Python, can be also run in the command line or inside a Docker container. The technical architecture, sample applications and future developments of the software are also presented in the paper. Keywords: Crowdsourcing, Data history, Data quality, Open source, OpenStreetMap, up-to-dateness Introduction of software tools, services and applications allows a wide OpenStreetMap (OSM) is the most successful crowd- number of developers, humanitarian operators, industry sourced geographic information project to date [1]. It was and governmental actors to exploit OSM data on a daily initiated in 2004 in response to the mainstream pres- basis and for a variety of purposes [6].
    [Show full text]
  • Psofuzzer: a Target-Oriented Software Vulnerability Detection Technology Based on Particle Swarm Optimization
    applied sciences Article PSOFuzzer: A Target-Oriented Software Vulnerability Detection Technology Based on Particle Swarm Optimization Chen Chen 1,2,*, Han Xu 1 and Baojiang Cui 1 1 School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China; [email protected] (H.X.); [email protected] (B.C.) 2 School of Information and Navigation, Air Force Engineering University, Xi’an 710077, China * Correspondence: [email protected] Abstract: Coverage-oriented and target-oriented fuzzing are widely used in vulnerability detection. Compared with coverage-oriented fuzzing, target-oriented fuzzing concentrates more computing resources on suspected vulnerable points to improve the testing efficiency. However, the sample generation algorithm used in target-oriented vulnerability detection technology has some problems, such as weak guidance, weak sample penetration, and difficult sample generation. This paper proposes a new target-oriented fuzzer, PSOFuzzer, that uses particle swarm optimization to generate samples. PSOFuzzer can quickly learn high-quality features in historical samples and implant them into new samples that can be led to execute the suspected vulnerable point. The experimental results show that PSOFuzzer can generate more samples in the test process to reach the target point and can trigger vulnerabilities with 79% and 423% higher probability than AFLGo and Sidewinder, respectively, on tested software programs. Keywords: fuzzing; model-based fuzzing; vulnerability detection; code coverage; open-source program; directed fuzzing; static instrumentation; source code instrumentation Citation: Chen, C.; Han, X.; Cui, B. PSOFuzzer: A Target-Oriented 1. Introduction Software Vulnerability Detection The appearance of an increasing number of software vulnerabilities has made auto- Technology Based on Particle Swarm matic vulnerability detection technology a widespread concern in industry and academia.
    [Show full text]
  • Configuration Fuzzing Testing Framework for Software Vulnerability Detection
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Columbia University Academic Commons CONFU: Configuration Fuzzing Testing Framework for Software Vulnerability Detection Huning Dai, Christian Murphy, Gail Kaiser Department of Computer Science Columbia University New York, NY 10027 USA ABSTRACT Many software security vulnerabilities only reveal themselves under certain conditions, i.e., particular configurations and inputs together with a certain runtime environment. One approach to detecting these vulnerabilities is fuzz testing. However, typical fuzz testing makes no guarantees regarding the syntactic and semantic validity of the input, or of how much of the input space will be explored. To address these problems, we present a new testing methodology called Configuration Fuzzing. Configuration Fuzzing is a technique whereby the configuration of the running application is mutated at certain execution points, in order to check for vulnerabilities that only arise in certain conditions. As the application runs in the deployment environment, this testing technique continuously fuzzes the configuration and checks "security invariants'' that, if violated, indicate a vulnerability. We discuss the approach and introduce a prototype framework called ConFu (CONfiguration FUzzing testing framework) for implementation. We also present the results of case studies that demonstrate the approach's feasibility and evaluate its performance. Keywords: Vulnerability; Configuration Fuzzing; Fuzz testing; In Vivo testing; Security invariants INTRODUCTION As the Internet has grown in popularity, security testing is undoubtedly becoming a crucial part of the development process for commercial software, especially for server applications. However, it is impossible in terms of time and cost to test all configurations or to simulate all system environments before releasing the software into the field, not to mention the fact that software distributors may later add more configuration options.
    [Show full text]
  • Fuzzing with Code Fragments
    Fuzzing with Code Fragments Christian Holler Kim Herzig Andreas Zeller Mozilla Corporation∗ Saarland University Saarland University [email protected] [email protected] [email protected] Abstract JavaScript interpreter must follow the syntactic rules of JavaScript. Otherwise, the JavaScript interpreter will re- Fuzz testing is an automated technique providing random ject the input as invalid, and effectively restrict the test- data as input to a software system in the hope to expose ing to its lexical and syntactic analysis, never reaching a vulnerability. In order to be effective, the fuzzed input areas like code transformation, in-time compilation, or must be common enough to pass elementary consistency actual execution. To address this issue, fuzzing frame- checks; a JavaScript interpreter, for instance, would only works include strategies to model the structure of the de- accept a semantically valid program. On the other hand, sired input data; for fuzz testing a JavaScript interpreter, the fuzzed input must be uncommon enough to trigger this would require a built-in JavaScript grammar. exceptional behavior, such as a crash of the interpreter. Surprisingly, the number of fuzzing frameworks that The LangFuzz approach resolves this conflict by using generate test inputs on grammar basis is very limited [7, a grammar to randomly generate valid programs; the 17, 22]. For JavaScript, jsfunfuzz [17] is amongst the code fragments, however, partially stem from programs most popular fuzzing tools, having discovered more that known to have caused invalid behavior before. LangFuzz 1,000 defects in the Mozilla JavaScript engine. jsfunfuzz is an effective tool for security testing: Applied on the is effective because it is hardcoded to target a specific Mozilla JavaScript interpreter, it discovered a total of interpreter making use of specific knowledge about past 105 new severe vulnerabilities within three months of and common vulnerabilities.
    [Show full text]
  • Seed Selection for Successful Fuzzing
    Seed Selection for Successful Fuzzing Adrian Herrera Hendra Gunadi Shane Magrath ANU & DST ANU DST Australia Australia Australia Michael Norrish Mathias Payer Antony L. Hosking CSIRO’s Data61 & ANU EPFL ANU & CSIRO’s Data61 Australia Switzerland Australia ABSTRACT ACM Reference Format: Mutation-based greybox fuzzing—unquestionably the most widely- Adrian Herrera, Hendra Gunadi, Shane Magrath, Michael Norrish, Mathias Payer, and Antony L. Hosking. 2021. Seed Selection for Successful Fuzzing. used fuzzing technique—relies on a set of non-crashing seed inputs In Proceedings of the 30th ACM SIGSOFT International Symposium on Software (a corpus) to bootstrap the bug-finding process. When evaluating a Testing and Analysis (ISSTA ’21), July 11–17, 2021, Virtual, Denmark. ACM, fuzzer, common approaches for constructing this corpus include: New York, NY, USA, 14 pages. https://doi.org/10.1145/3460319.3464795 (i) using an empty file; (ii) using a single seed representative of the target’s input format; or (iii) collecting a large number of seeds (e.g., 1 INTRODUCTION by crawling the Internet). Little thought is given to how this seed Fuzzing is a dynamic analysis technique for finding bugs and vul- choice affects the fuzzing process, and there is no consensus on nerabilities in software, triggering crashes in a target program by which approach is best (or even if a best approach exists). subjecting it to a large number of (possibly malformed) inputs. To address this gap in knowledge, we systematically investigate Mutation-based fuzzing typically uses an initial set of valid seed and evaluate how seed selection affects a fuzzer’s ability to find bugs inputs from which to generate new seeds by random mutation.
    [Show full text]