A New Fuzzing Technique for Software Vulnerability Mining

Date post: 08-Apr-2018
Page 1: A New Fuzzing Technique for Software Vulnerability Mining

8/7/2019 A New Fuzzing Technique for Software Vulnerability Mining

http://slidepdf.com/reader/full/a-new-fuzzing-technique-for-software-vulnerability-mining 1/27

A New Fuzzing Technique for Software Vulnerability Testing

IEEE CONSEG 2009

Zhiyong Wu (1), J. William Atwood (2), Xueyong Zhu (3)

(1,3) Network Information Center, University of Science and Technology of China, Hefei, Anhui, China

(2) Department of Computer Science and Software Engineering, Concordia University, Montreal, Quebec, Canada

Page 2: A New Fuzzing Technique for Software Vulnerability Mining


2009/12/19 Conseg 09 Fuzzing for Software Vulnerability 2

Contents

1. Introduction and Motivation
2. FTSG Model
3. Related Techniques
   - Static analysis
   - Dynamic binary instrument and dynamic trace
   - I/O analysis
4. GAMutator
5. Prototype System: DXFuzzing
6. Validation
7. Experiments
8. Conclusion

Page 3: A New Fuzzing Technique for Software Vulnerability Mining


1 Introduction and Motivation

C code of a vulnerable procedure

#include <stdbool.h>
#include <string.h>

/* application-specific validation of the input, defined elsewhere */
bool strong_check(char* head_str, char* data_str, char* program_checksum);

int process_chunk(char* head_str, char* data_str, char* program_checksum){
    char buf[60];
    char buf1[32];
    char buf2[32];
    memset(buf, 0, 60);
    if ( true == strong_check(head_str, data_str, program_checksum)){
        if (strlen(head_str) > 32 || strlen(data_str) > 32)
            return -1;
        strcpy(buf1, head_str);
        strcpy(buf2, data_str);
        strcat(buf, head_str);
        strcat(buf, data_str);   // error: both fields pass the per-field check, but together they exceed buf
        return 1;
    }
    else
        return -1;
}

Annotations on the slide:
- knowledge-based fuzzing could pass it easily
- one-dimension m&g strategy can't
- overflow if length(head_str) = 16 and length(data_str) = 20
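The mutation-strategy argument above, as an added example that is not from the paper: a small Python model of process_chunk's length checks, counting how many test cases reach the strcat overflow when one field is mutated at a time versus both fields together. The buffer size (60) and per-field limit (32) come from the code above; the sample lengths and the mutation range are assumed.

```python
# Added example (not from the paper): why one-dimension mutation misses the
# overflow in process_chunk. The copy into buf (60 bytes) is only reached
# when each field passes the per-field check (len <= 32), so the bug needs
# len(head_str) + len(data_str) + 1 > 60, i.e. two fields mutated at once.
BUF_SIZE = 60      # char buf[60] in the vulnerable procedure
FIELD_MAX = 32     # strlen(head_str) > 32 || strlen(data_str) > 32 -> return -1


def overflows(head_len: int, data_len: int,
              buf_size: int = BUF_SIZE, field_max: int = FIELD_MAX) -> bool:
    """Model of the procedure's control flow on field lengths only.

    True when the pair of strcat calls writes past buf (the error line):
    they append head_len + data_len bytes plus a NUL into buf_size bytes.
    """
    if head_len > field_max or data_len > field_max:
        return False                      # rejected by the length check
    return head_len + data_len + 1 > buf_size


def one_dimension_cases(sample, max_len=64):
    """Mutate one field at a time; the other keeps its sample length."""
    head0, data0 = sample
    for h in range(max_len + 1):
        yield (h, data0)
    for d in range(max_len + 1):
        yield (head0, d)


def two_dimension_cases(sample, max_len=64):
    """Mutate both fields together (the multi-dimension strategy)."""
    for h in range(max_len + 1):
        for d in range(max_len + 1):
            yield (h, d)


def count_triggers(cases) -> int:
    """Number of generated cases that reach the overflow."""
    return sum(1 for h, d in cases if overflows(h, d))


# Constructed sample: a well-formed chunk with two short fields (assumed).
SAMPLE = (8, 8)

if __name__ == "__main__":
    print("one-dimension:", count_triggers(one_dimension_cases(SAMPLE)))  # 0
    print("two-dimension:", count_triggers(two_dimension_cases(SAMPLE)))  # 15
```

The one-dimension run never exceeds 32 + 8 bytes, so no test case overflows; only the joint search reaches the 15 length pairs that do.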

Page 4: A New Fuzzing Technique for Software Vulnerability Mining


2 FTSG Model

FTSG: Fuzzing Test Suites Generation

FTSG = (s, L, N, C, F, OP, Result),
OP = {M, Slv},
Result = {sampletree, mediumtree, newtree, testcase, test suite}.

Page 5: A New Fuzzing Technique for Software Vulnerability Mining


2 FTSG: Procedure for generating test cases by Mutation Operators and Slv

M = {m1, ..., mi, ..., mk, GAMutator}
F = {f1, f2, ..., fe, ..., fv}

for (each mi in M except GAMutator)
{
    while (!(mediumtree = mi(sampletree)))
    {
        newtree = Slv(mediumtree, C)
    }
}

for (each fe in F)
{
    while (!(mediumtree = GAMutator(sampletree, fe)))
    {
        newtree = Slv(mediumtree, C)
    }
}

Page 6: A New Fuzzing Technique for Software Vulnerability Mining


2 FTSG: Total number of test cases

T(test suite) = \sum_{i=1}^{k} | m_i(sampletree) |

Page 7: A New Fuzzing Technique for Software Vulnerability Mining


3 Related Techniques: Static analysis, dynamic binary instrument and dynamic trace

Technique                 | Usage                                                                              | Tool
Static analysis           | identify insecure functions                                                        | IDA PRO
Dynamic binary instrument | get insecure functions' dynamic input argument values to calculate fitness value   | Pin
Dynamic trace             | monitor buffer coverage                                                            | Pydbg

Page 8: A New Fuzzing Technique for Software Vulnerability Mining


3 Related Techniques: I/O analysis

Method                      | Instrument Target | Characteristic
static analysis             | source code       | false alarm
execution-oriented analysis | binary code       | simple and precise

Page 9: A New Fuzzing Technique for Software Vulnerability Mining


3 Related Techniques: I/O analysis: execution-oriented analysis

INPUT                             | OUTPUT                          | VALUE of o_k
t1 = (a1, a2, ..., as, ..., an)   | O = {o1, o2, ..., ok, ..., on}  | V1
t2 = (a1, a2, ..., as, ..., an)   | O = {o1, o2, ..., ok, ..., on}  | V2
t3 = (a1, a2, ..., as', ..., an)  | O = {o1, o2, ..., ok, ..., on}  | V3

x_s influences output o_k if and only if V1 = V2 ≠ V3,
where a_i ∈ D(x_i), a_s' ∈ D(x_i), a_s ≠ a_s'.
(t1 and t2 run the same input twice, so V1 = V2 confirms that o_k is stable before the change seen in V3 is attributed to a_s.)

Page 10: A New Fuzzing Technique for Software Vulnerability Mining


GAMutator

GAMutator mutates the related l or n in sampletree to trigger the suspected vulnerability in fe. l or n are the inputs that influence some arguments of fe.


Cont.

Special characteristics of GAMutator:
- A multi-dimension mutation operator.
- A demand-oriented operator.
- The number of test cases that GAMutator generates is not fixed.
- Communicates with the outside system.

The genetic algorithm here is used to generate test cases that trigger vulnerabilities in unsafe functions. The number of test cases generated by GAMutator is O(h).


4 GAMutator: Heuristics and fitness function

Heuristics are used to generate test cases more likely to trigger vulnerability in fe in F.

TWO EXAMPLES:

1. strcpy(dst, src): the fitness f(X) is defined piecewise on len(src) and size(dst); it takes the constant MAX_DEFAULT_FITNESS when len(src) = 0, and otherwise a value computed from size(dst) and len(src).

2. malloc(a): the fitness f(X) is defined piecewise on the requested size a, with the cases distinguished by how a compares with the thresholds A and B; one case yields a value computed from A and a, one case yields 0, and one case yields a value computed from a modulo B.

Page 13: A New Fuzzing Technique for Software Vulnerability Mining


5 Prototype System: DXFuzzing

1) Locate the positions of insecure functions in the target binary code with the Program Analyzer and record their information in a database;
2) Analyze the corresponding network protocols or file format in the target application according to related knowledge, choose a sample file s and manually write a primitive XML test script which contains a sampletree;
3) The Scheduling Engine calls XFuzzing to fuzz the target application with mi and records runtime information with the Program Analyzer when necessary.


Cont.

4) The Data Mapper constructs relationships between X and F based on the collected runtime information.
5) The Scheduling Engine calls XFuzzing to fuzz the target application with GAMutator.


6 Validation

1) Based on application-specific knowledge, DXFuzzing could generate test cases which easily pass the strong program checks and validations in the program.
2) The problem of finding new combinations to trigger a possible vulnerability in fe in F is especially suitable for a genetic algorithm to solve.

Page 16: A New Fuzzing Technique for Software Vulnerability Mining


Cont.

3) GAMutator cares not only about the relationships between li and fe, but also about those between nj and fe, because some fe in F are influenced by nj, although nj is neglected in general.
4) Different from combinatorial testing in black-box testing, the combination of li or nj in DXFuzzing is decided by the I/O analysis; the values of li or nj in a combination are refined by every generation.


Cont.

Execution-oriented I/O analysis in DXFuzzing is preferred here.


7 Experiments

LibPng library as the target application. Some data are as follows:

Function name | usePng.exe | LibPng.dll v1.0.6
strcpy        | 1          | 6
memcpy        | 0          | 77
sprintf       | 0          | 16
malloc        | 18         | 113

Table I: Insecure functions in target application

ID  | INPUT ELEMENTS
101 | PngFile..IHDR_CHUNK_DATA.BitDepth
102 | PngFile..IHDR_CHUNK_DATA.ColorType
109 | PngFile..IHDR_CHUNK_DATA.Height
111 | PngFile..IHDR_CHUNK_DATA.Width

Table II: Input nodes

Page 19: A New Fuzzing Technique for Software Vulnerability Mining


Cont.

ID | INSECURE FUNCTIONS
72 | pngrutil.c(2939): png_ptr->row_buf = (png_bytep)png_malloc(png_ptr, row_bytes)
73 | pngrutil.c(2945): png_ptr->prev_row = (png_bytep)png_malloc(png_ptr, (png_uint_32)(png_ptr->rowbytes + 1))
89 | pngread.c(1301): info_ptr->row_pointers = (png_bytepp)png_malloc(png_ptr, info_ptr->height * sizeof(png_bytep))

Table III: Insecure functions influenced by input nodes

Page 20: A New Fuzzing Technique for Software Vulnerability Mining


Cont.

[Figure 4. Relationships between inputs and insecure functions by static analysis]

[Figure 5. Relationships between inputs and outputs by dynamic execution: simple and precise]

Page 21: A New Fuzzing Technique for Software Vulnerability Mining


Cont.

w | width                        | 111
d | BitDepth                     | 101
z | argument value of png_malloc | 73

Initial values: w = 0x20, d = 0x01; w ∈ [0, 0xfffffff], d ∈ [0, 0xff].
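The execution-oriented I/O analysis from section 3 applied to the w, d, z relationship above, as an added example that is not the paper's DXFuzzing code: a small Data Mapper that decides which input nodes influence the png_malloc argument z. The target program is replaced by an assumed, simplified model of libpng's row-byte computation for a one-channel image, and the alternative input values a_s' are constructed.

```python
# Added example (not the paper's code): the execution-oriented I/O analysis
# applied to w (Width), d (BitDepth) and z (argument of png_malloc, fn 73).
# The target program is replaced by an ASSUMED simplified model of libpng's
# row-buffer size for a one-channel image: rowbytes = (w * d + 7) // 8,
# and function 73 allocates rowbytes + 1 bytes. Colour type is ignored.
from typing import Callable, Dict, Tuple

Inputs = Dict[str, int]
Outputs = Dict[str, int]


def png_model(t: Inputs) -> Outputs:
    """Stand-in for one run of the target: input tree -> observed outputs."""
    rowbytes = (t["Width"] * t["BitDepth"] + 7) // 8
    return {
        "z_fn73": rowbytes + 1,      # prev_row allocation size (Table III, 73)
        "z_fn89": t["Height"] * 4,   # row_pointers size with 4-byte pointers
    }


def influences(run: Callable[[Inputs], Outputs], sample: Inputs,
               x_s: str, a_s_prime: int, o_k: str) -> bool:
    """Criterion of the I/O analysis slide: x_s influences o_k iff
    V1 = V2 != V3. t1 and t2 are the unchanged sample run twice (so the
    output is known to be stable); t3 replaces a_s by a different a_s'."""
    if sample[x_s] == a_s_prime:
        raise ValueError("a_s' must differ from a_s")
    v1 = run(sample)[o_k]
    v2 = run(sample)[o_k]
    v3 = run(dict(sample, **{x_s: a_s_prime}))[o_k]
    return v1 == v2 != v3


def data_map(run: Callable[[Inputs], Outputs], sample: Inputs,
             alternatives: Inputs) -> Dict[str, Tuple[str, ...]]:
    """Data Mapper step: for every output (insecure-function argument),
    the input nodes found to influence it."""
    mapping = {}
    for o_k in run(sample):
        mapping[o_k] = tuple(x for x, alt in alternatives.items()
                             if influences(run, sample, x, alt, o_k))
    return mapping


# Constructed sample tree: initial values from the slide (w = 0x20, d = 0x01)
# plus Height and ColorType from Table II; the a_s' values are assumed.
SAMPLE = {"Width": 0x20, "BitDepth": 0x01, "Height": 0x20, "ColorType": 0}
ALT = {"Width": 0x21, "BitDepth": 0x02, "Height": 0x21, "ColorType": 2}

if __name__ == "__main__":
    print(data_map(png_model, SAMPLE, ALT))
    # {'z_fn73': ('Width', 'BitDepth'), 'z_fn89': ('Height',)}
```

A single a_s' can miss an influence that only shows for other values (widths inside the same 8-pixel group give the same rowbytes here), so a Data Mapper would try several a_s' per node before declaring no influence.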

Page 22: A New Fuzzing Technique for Software Vulnerability Mining


Cont.

Further analysis gave d ∈ {1, 2, 4}. w and d generate 3 × 0x100000000 = 12884901888 combination test cases. However, only 262148 of them could trigger this vulnerability if we set B = 100000 (for this case png_malloc could successfully allocate memory). So the probability is 262148/12884901888 = 0.00002.


Cont.

[Figure: Width, BitDepth distribution when they trigger this vulnerability]

Page 24: A New Fuzzing Technique for Software Vulnerability Mining


Cont.

Tools        | Number of vulnerabilities checked | Number of test cases
Smart Fuzzer | 0                                 | 1000000
GAFuzzing    | 0                                 | 1000000
Peach 2.3    | 4                                 | 31026
DXFuzzing    | 7                                 | 34222

Table IV: Vulnerabilities found by different fuzzing tools

Page 25: A New Fuzzing Technique for Software Vulnerability Mining


Conclusion

Whitebox fuzzing is complex and time costly, there are still problems such as path explosion, and it is hard to pass strong program checks fully automatically. Peach is an outstanding knowledge-based fuzzing tool.

Page 26: A New Fuzzing Technique for Software Vulnerability Mining


Conclusion

DXFuzzing enriches the current mutation methodology with a multi-dimension input-node mutation strategy without combinatorial explosion, so DXFuzzing could find some vulnerabilities that will never be found by one-dimension mutation fuzzing.


9 For More Information
