Automatically Bypassing Android Malware Detection System


<p><strong>FUZZIFICATION: Anti-Fuzzing Techniques</strong></p>
<p><strong>Jinho Jung</strong>, Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim</p>

<p><strong>Fuzzing Discovers Many Vulnerabilities</strong></p>

<p><strong>Testers Find Bugs with Fuzzing</strong></p>
<p>[Figure: Source &rarr; Compilation &rarr; Released binary &rarr; Distribution to normal users; testers fuzz the released binary and report the detected bugs.]</p>

<p><strong>But Attackers Also Find Bugs</strong></p>
<p>[Figure: the same pipeline, with attackers fuzzing the released binary alongside the testers.]</p>

<p><strong>Our work: Make the Fuzzing Only Effective to the Testers</strong></p>
<p>[Figure: Source &rarr; Compilation &rarr; Binary, which the testers fuzz; Source &rarr; Fuzzification &rarr; Fortified binary &rarr; Distribution to normal users and attackers. What attackers get from fuzzing the fortified binary is marked "?".]</p>

<p><strong>Threat Model</strong></p>
<ul>
<li>Adversaries try to find vulnerabilities from fuzzing.</li>
<li>Adversaries only have a copy of the fortified binary.</li>
<li>Adversaries know Fuzzification and try to nullify it.</li>
</ul>

<p><strong>Research Goals</strong></p>
<ul>
<li><strong>Hinder Fuzzing</strong>: reduce the number of detected bugs.</li>
<li><strong>Generic</strong>: affect most of the fuzzers (AFL, HonggFuzz, QSym, VUzzer, &hellip;).</li>
<li><strong>Overhead</strong>: low overhead to normal users, high overhead to attackers.</li>
<li><strong>Resiliency</strong>: resilient to adversarial analysis.</li>
</ul>

<p><strong>Why Existing Methods Are Not Applicable?</strong></p>
<table>
<tr><th>Method</th><th>Generic to most fuzzers</th><th>Low overhead</th><th>Resilient to adversary</th></tr>
<tr><td>Packing or obfuscation</td><td>O</td><td>X</td><td>O</td></tr>
<tr><td>Bug injection</td><td>O</td><td>O</td><td>X</td></tr>
<tr><td>Fuzzer detection</td><td>X</td><td>O</td><td>X</td></tr>
<tr><td>Emulator detection</td><td>X</td><td>O</td><td>X</td></tr>
<tr><td><strong>Fuzzification</strong></td><td>O</td><td>O</td><td>O</td></tr>
</table>

<p><strong>Fuzzification Hinders Advanced Features</strong></p>
<ul>
<li><strong>Fast execution</strong> (parallel execution, H/W feature, fork server) &rarr; SpeedBump</li>
<li><strong>Coverage-guidance</strong> (coverage, queue) &rarr; BranchTrap</li>
<li><strong>Hybrid approach</strong> (symbolic execution, dynamic taint analysis) &rarr; Anti-Hybrid</li>
</ul>

<p><strong>SpeedBump: Selective Delay Injection</strong></p>
<ul>
<li>(1) Identify <strong>frequently</strong> and rarely visited paths.</li>
<li>(2) Inject delays from the most rarely visited edges.</li>
<li>Why this is effective? User: follows common paths. Attacker: searches for new paths. &rarr; Impact of delay is more significant to attackers.</li>
</ul>
<p>[Figure: basic-block graph with rarely visited paths and frequently visited paths marked.]</p>
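The SpeedBump slides above describe a two-step procedure: profile which control-flow edges normal runs take, then place delays on the rarest edges so that a fuzzer exploring new paths pays far more than a user on the common path. The following Python simulation is an added example, not code from the FUZZIFICATION authors; the control-flow graph, the profiling traces, the fuzzer-like traces, the cost units (<code>BLOCK_COST</code>, <code>DELAY_COST</code>) and the overhead budget are all constructed assumptions chosen to make the asymmetry visible.

```python
"""Added example: SpeedBump-style selective delay placement, simulated on a toy CFG."""
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Set, Tuple

Edge = Tuple[str, str]  # (source basic block, destination basic block)

# Constructed control-flow graph of a toy program: every edge between basic blocks.
CFG_EDGES: List[Edge] = [
    ("entry", "parse"), ("parse", "validate"), ("parse", "error"),
    ("validate", "handle_a"), ("validate", "handle_b"), ("validate", "handle_c"),
    ("handle_a", "exit"), ("handle_b", "exit"), ("handle_c", "exit"), ("error", "exit"),
]

# Constructed profiling traces from normal usage (step 1 input): block sequence per run.
NORMAL_TRACES: List[List[str]] = [
    ["entry", "parse", "validate", "handle_a", "exit"],
    ["entry", "parse", "validate", "handle_a", "exit"],
    ["entry", "parse", "validate", "handle_b", "exit"],
    ["entry", "parse", "validate", "handle_a", "exit"],
    ["entry", "parse", "error", "exit"],
]

# Constructed traces of a fuzzer-like workload that keeps steering into rare paths.
FUZZER_TRACES: List[List[str]] = [
    ["entry", "parse", "error", "exit"],
    ["entry", "parse", "validate", "handle_c", "exit"],
    ["entry", "parse", "validate", "handle_c", "exit"],
    ["entry", "parse", "validate", "handle_b", "exit"],
]

BLOCK_COST = 1.0   # assumed cost of executing one basic block
DELAY_COST = 10.0  # assumed cost of one injected delay on an edge


def edge_frequencies(cfg_edges: Iterable[Edge], traces: Sequence[Sequence[str]]) -> Dict[Edge, int]:
    """Step 1: count how often each CFG edge is taken in the profiling traces.
    Edges never taken keep a count of 0 so they rank as the rarest."""
    counts: Counter = Counter({edge: 0 for edge in cfg_edges})
    for trace in traces:
        for edge in zip(trace, trace[1:]):
            if edge not in counts:
                raise ValueError(f"trace uses an edge not in the CFG: {edge}")
            counts[edge] += 1
    return dict(counts)


def trace_cost(trace: Sequence[str], delayed: Set[Edge]) -> float:
    """Cost of one run: one unit per block plus one delay per delayed edge taken."""
    delays_hit = sum(1 for edge in zip(trace, trace[1:]) if edge in delayed)
    return BLOCK_COST * len(trace) + DELAY_COST * delays_hit


def workload_overhead(traces: Sequence[Sequence[str]], delayed: Set[Edge]) -> float:
    """Relative slowdown of a workload caused by the delayed edges (0.0 = no slowdown)."""
    base = sum(BLOCK_COST * len(t) for t in traces)
    with_delays = sum(trace_cost(t, delayed) for t in traces)
    return (with_delays - base) / base


def select_delay_edges(cfg_edges: Iterable[Edge], profile_traces: Sequence[Sequence[str]],
                       max_user_overhead: float) -> List[Edge]:
    """Step 2: add delays starting from the rarest edge and stop before the
    estimated overhead on the profiled (normal-user) workload exceeds the budget."""
    freqs = edge_frequencies(cfg_edges, profile_traces)
    # Rarest first; the edge tuple breaks ties deterministically.
    ranked = sorted(freqs, key=lambda e: (freqs[e], e))
    chosen: List[Edge] = []
    for edge in ranked:
        if workload_overhead(profile_traces, set(chosen + [edge])) > max_user_overhead:
            break
        chosen.append(edge)
    return chosen


if __name__ == "__main__":
    delayed = select_delay_edges(CFG_EDGES, NORMAL_TRACES, max_user_overhead=0.5)
    print("delayed edges:", delayed)
    print(f"normal-user overhead: {workload_overhead(NORMAL_TRACES, set(delayed)):.2f}")
    print(f"fuzzer overhead:      {workload_overhead(FUZZER_TRACES, set(delayed)):.2f}")
```

With the constructed numbers, the two never-profiled edges into and out of <code>handle_c</code> cost the normal workload nothing, and the rare error edge fits inside the budget; the same three delays slow the path-hunting workload by several times its base cost. The budget check is what keeps the "low overhead to normal users" goal honest: it is computed on the profiled traces, so the quality of the profile decides how representative that bound is.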

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    65 Page
