8/7/2019 A New Fuzzing Technique for Software Vulnerability Mining
http://slidepdf.com/reader/full/a-new-fuzzing-technique-for-software-vulnerability-mining 1/27
A New Fuzzing Technique for Software Vulnerability Testing
IEEE CONSEG 2009
Zhiyong Wu (1), J. William Atwood (2), Xueyong Zhu (3)
(1,3) Network Information Center, University of Science and Technology of China, Hefei, Anhui, China
(2) Department of Computer Science and Software Engineering, Concordia University, Montreal, Quebec, Canada
2009/12/19 Conseg 09 Fuzzing for Software Vulnerability 2
Contents
1. Introduction and Motivation
2. FTSG Model
3. Related Techniques
   - Static analysis
   - Dynamic binary instrument and dynamic trace
   - I/O analysis
4. GAMutator
5. Prototype System: DXFuzzing
6. Validation
7. Experiments
8. Conclusion
1 Introduction and Motivation
C code of a vulnerable procedure
#include <stdbool.h>
#include <string.h>

bool strong_check(char* head_str, char* data_str, char* program_checksum); /* defined elsewhere in the program */

int process_chunck(char* head_str, char* data_str, char* program_checksum){
    char buf[60];
    char buf1[32];
    char buf2[32];
    memset(buf, 0, 60);
    if ( true == strong_check(head_str, data_str, program_checksum)){
        if (strlen(head_str) > 32 || strlen(data_str) > 32)
            return -1;
        strcpy(buf1, head_str);
        strcpy(buf2, data_str);
        strcat(buf, head_str);
        strcat(buf, data_str); //error: head_str + data_str can exceed the 60 bytes of buf
        return 1;
    }
    else
        return -1;
}
Knowledge-based fuzzing could pass the strong check easily, but a one-dimension m&g strategy can't trigger the overflow if the sample has length(head_str) = 16 and length(data_str) = 20.
2 FTSG Model
FTSG: Fuzzing Test Suites Generation
$FTSG = (s, L, N, C, F, OP, Result)$,
$OP = \{M, Slv\}$,
$Result = \{sampletree, mediumtree, newtree, testcase, testsuite\}$.
2 FTSG: Procedure for generating test cases by Mutation Operators and Slv

M = {m1, …, mi, …, mk, GAMutator}
F = {f1, f2, …, fe, …, fv}
for (each mi in M except GAMutator)
{
    while (!(mediumtree = mi(sampletree))) {
        newtree = Slv(mediumtree, C)
    }
}
for (each fe in F)
{
    while (!(mediumtree = GAMutator(sampletree, fe)))
    {
        newtree = Slv(mediumtree, C)
    }
}
2 FTSG: Total number of test cases

$$T(\text{testsuite}) = \sum_{i=1}^{k} \left| m_i(\text{sampletree}) \right|$$
3 Related Techniques: Static analysis, dynamic binary instrument and dynamic trace

Technique | Usage | Tool
Static analysis | identify insecure functions | IDA PRO
Dynamic binary instrument | get insecure functions' dynamic input argument values to calculate the fitness value | Pin
Dynamic trace | monitor buffer coverage | Pydbg
3 Related Techniques: I/O analysis

Method | Instrument Target | Characteristic
static analysis | source code | false alarm
execution-oriented analysis | binary code | simple and precise
3 Related Techniques: I/O analysis: execution-oriented analysis

INPUT | OUTPUT | VALUE of o_k
t1 = (a1, a2, …, as, …, an) | O = {o1, o2, …, ok, …, on} | V1
t2 = (a1, a2, …, as, …, an) | O = {o1, o2, …, ok, …, on} | V2
t3 = (a1, a2, …, as', …, an) | O = {o1, o2, …, ok, …, on} | V3

$x_s$ influences output $o_k$ if and only if $V_1 = V_2 \neq V_3$,
where $a_i \in D(x_i)$, $a_s' \in D(x_s)$, $a_s \neq a_s'$.
4 GAMutator
GAMutator mutates the related l or n in sampletree to trigger a suspected vulnerability in f_e.
l or n are the inputs that influence some arguments of f_e.
Cont.
Special Characteristics of GAMutator:
- A multi-dimension mutation operator.
- A demand-oriented operator.
- The number of test cases that GAMutator generates is not fixed.
- Communicates with an outside system.
- The genetic algorithm here is used to generate test cases to trigger vulnerability in unsafe functions.
- The number of test cases generated by GAMutator is O(h).
4 GAMutator: Heuristics and fitness function
Heuristics are used to generate test cases more likely to trigger vulnerability in f_e in F.
TWO EXAMPLES:

1. strcpy(dst, src)

$$f(X) = \begin{cases} size(d) - len(s), & \text{if } len(s) \neq 0, \\ MAX\_DEFAULT\_FITNESS, & \text{if } len(s) = 0. \end{cases}$$

2. malloc(a)

$$f(X) = \begin{cases} A - a, & \text{when } a < A, \\ 0, & \text{when } a \ge A \text{ and } (a \% B) = 0, \\ a \% B, & \text{when } a \ge A \text{ and } (a \% B) \neq 0. \end{cases}$$
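The two heuristics above driving a GAMutator-style search, as an added Python example that is not the authors' code. The target is the slide's process_chunck(): strong_check limits each field to 32 bytes and the two strcat calls concatenate head_str and data_str into buf[60], so the strcpy heuristic is applied with size(d) = 60 and len(s) = head + data. The GA parameters, the value of MAX_DEFAULT_FITNESS and the penalty given to inputs that fail strong_check are assumptions.

```python
import random

BUF_SIZE, FIELD_MAX = 60, 32           # buf[60]; strong_check limit per field
MAX_DEFAULT_FITNESS = 10 ** 6          # assumed value for the slide's constant


def strcpy_fitness(dst_size, src_len):
    """Heuristic 1: size(d) - len(s), or MAX_DEFAULT_FITNESS if len(s) = 0."""
    return MAX_DEFAULT_FITNESS if src_len == 0 else dst_size - src_len


def malloc_fitness(a, A, B):
    """Heuristic 2: A - a while a < A, otherwise a % B (0 when the target is hit)."""
    return A - a if a < A else a % B


def fitness(ind):
    """Fitness of (head_len, data_len): 0 means head+data fills buf[60] and the
    second strcat overflows. Inputs that fail strong_check never reach strcat,
    so they get a large penalty (assumed) that keeps the search inside the check."""
    h, d = ind
    if h > FIELD_MAX or d > FIELD_MAX:
        return MAX_DEFAULT_FITNESS + max(h - FIELD_MAX, 0) + max(d - FIELD_MAX, 0)
    return strcpy_fitness(BUF_SIZE, h + d)     # src = head_str + data_str


def mutate(ind, rng):
    """Multi-dimension mutation: each field length may change independently."""
    return tuple(min(64, max(0, g + rng.randint(-3, 3))) if rng.random() < 0.5 else g
                 for g in ind)


def crossover(a, b, rng):
    return (a[0], b[1]) if rng.random() < 0.5 else (b[0], a[1])


def ga_mutator(sample, seed=1, pop_size=20, max_gen=1000):
    """Refine the sample's field lengths generation by generation until one
    individual passes strong_check and drives the fitness down to 0."""
    rng = random.Random(seed)
    pop = [sample] + [mutate(sample, rng) for _ in range(pop_size - 1)]
    for gen in range(max_gen):
        pop.sort(key=fitness)
        if fitness(pop[0]) <= 0:
            return pop[0], gen                  # found a case that overflows buf
        pick = lambda: min(rng.sample(pop, 3), key=fitness)   # tournament of 3
        pop = [pop[0]] + [mutate(crossover(pick(), pick(), rng), rng)
                          for _ in range(pop_size - 1)]       # elitism + children
    return None, max_gen


if __name__ == "__main__":
    print(ga_mutator((16, 20)))     # sample lengths from the introduction slide
```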
5 Prototype System: DXFuzzing
1) Locate the positions of insecure functions in the target binary code with Program Analyzer. Record their information into the database;
2) Analyze the corresponding network protocols or file format in the target application according to related knowledge, choose a sample file s and write a primitive XML test script manually which contains a sampletree;
3) Scheduling Engine calls XFuzzing to fuzz the target application with m_i and records runtime information with Program Analyzer when it is necessary.
Cont.
4) Data Mapper constructs relationships between
X and F based on collected runtime information.
5) Scheduling Engine calls XFuzzing to fuzz target
application with GAMutator.
6 Validation
1) Based on application-specific knowledge, DXFuzzing could generate test cases which easily pass strong program checks and validations in the program.
2) The problem of finding new combinations to trigger possible vulnerability in f_e in F is especially suitable for a genetic algorithm to solve.
Cont.
3) GAMutator does not only care about the relationships between l_i and f_e, but also cares about n_j and f_e, because some f_e in F is influenced by the n_j; however, the n_j is neglected in general.
4) Different from combinatorial test in black-box testing, the combination of l_i or n_j in DXFuzzing is decided by the I/O analysis; the values of l_i or n_j in some combination are refined by every generation.
Cont.
Execution-oriented I/O analysis in DXFuzzing is
preferred here.
7 Experiments
LibPng library as the target application
Some data are as follows:

Function name | usePng.exe | LibPng.dll v1.0.6
strcpy | 1 | 6
memcpy | 0 | 77
sprintf | 0 | 16
malloc | 18 | 113
Table I Insecure functions in target application

ID | INPUT ELEMENTS
101 | PngFile..IHDA_CHUNK_DATA.BitDepth
102 | PngFile..IHDA_CHUNK_DATA.ColorType
109 | PngFile..IHDA_CHUNK_DATA.Height
111 | PngFile..IHDA_CHUNK_DATA.Width
Table II Input nodes
Cont.
ID | INSECURE FUNCTIONS
72 | pngrutil.c(2939): png_ptr->row_buf = (png_bytep)png_malloc(png_ptr, row_bytes)
73 | pngrutil.c(2945): png_ptr->prev_row = (png_bytep)png_malloc(png_ptr, (png_uint_32)(png_ptr->rowbytes + 1))
89 | pngread.c(1301): info_ptr->row_pointers = (png_bytepp)png_malloc(png_ptr, info_ptr->height * sizeof(png_bytep))
Table III Insecure functions influenced by input nodes
Cont.
Figure 4. Relationships between inputs and insecure functions by static analysis
Figure 5. Relationships between inputs and outputs by dynamic execution
simple and precise
Cont.

Symbol | Meaning | ID
w | width | 111
d | BitDepth | 101
z | Argument value of png_malloc | 73
Initial values: w = 0x20, d = 0x01; w ∈ [0, 0xfffffff], d ∈ [0, 0xff].
Cont.
Further analyzing, we got d ∈ {1, 2, 4}.
w and d will generate 3 × 0x100000000 = 12884901888 combination test cases.
However, there are only 262148 of them that could trigger this vulnerability if we set B = 100000; for this case png_malloc could successfully allocate memory. So the probability is 262148/12884901888 = 0.00002.
Cont.
Width, BitDepth distribution when they trigger this vulnerability
Cont.

Tools | Number of vulnerabilities checked | Number of test cases
Smart Fuzzer | 0 | 1000000
GAFuzzing | 0 | 1000000
Peach 2.3 | 4 | 31026
DXFuzzing | 7 | 34222
Table IV Vulnerabilities Found by Different Fuzzing Tools
Conclusion
Whitebox fuzzing is complex and time costly, there are still some problems such as path explosion, and it is hard to pass strong program checks fully automatically.
Peach is an outstanding knowledge-based fuzzing tool.
Conclusion
DXFuzzing enriches the current mutation methodology with a multi-dimension input-node mutation strategy without combinatorial explosion. So DXFuzzing could find some vulnerabilities that would never be found by one-dimension mutation fuzzing.
9 For More Information
For More Questions and Comments: