Slide 1

Building a Secure World: Fuzzing 101
yuawn

Slide 2

Outline
• Product Security
• Fuzz testing
• Fuzzing Lab
• AFL++
• Binary instrumentation - LLVM Pass

Slide 3

Product Security

Slide 4

Product Security - smart phone
• Privacy
  • Photo, video, voice, SMS, notes, documents …
• Credential
  • private keys, MFA, fingerprint, facial ID …
• Wallet
  • credit cards, bank service, electronic payment …

Slide 5

Product Security
• 5G, IoT, intelligent vehicles, e-health, metaverse (VR, AR)
• automotive chips, aviation, medical instruments, wearable devices
• Cybersecurity risk

Slide 6

Product Security
• National security
• The future of human safety

Slide 7

Product security is the front line of world security.

Slide 8

Fuzz Testing

Slide 9

Fuzz Testing
• Fuzzing
  • Automated software testing technique
  • bug finding
• Fuzzer
  • Repeatedly provides randomly generated inputs to the program and checks the execution result.

Slide 10

Fuzz Testing
(diagram) inputs → run with program → execution result → crash → Found bugs! (crash PoC)

Slide 11

Fuzz Testing
• Black-box
  • binary only
• Grey-box
  • utilize some program information to guide fuzzing
• White-box
  • get a full picture of program
  • e.g., symbolic execution

Slide 13

Coverage-Guided Fuzzing

Slide 14

Coverage-Guided Fuzzing
• coverage metric
  • compute from program information
• utilize coverage information to guide the fuzzer toward increasing coverage percentage

Slide 15

Coverage-Guided Fuzzing
(diagram) seed pool → select a seed → mutation → mutated seed → run with instrumented binary → execution result
  • crash → Found bugs! (crash PoC)
  • exit normally → new coverage?
    • Yes → save to seed pool
    • No → back to select a seed

Slide 18

Coverage-Guided Fuzzing
• Coverage metric
  • code coverage
• Capture program information
  • binary instrumentation
  • emulator
    • qemu, angr, qiling

Slide 19

Binary Instrumentation

Slide 20

Binary Instrumentation
• Insert additional code into binary
• Insert assembly
  • vanilla AFL
• LLVM Pass - LLVM IR
  • AFL++
• LTO (Link Time Optimization)

Slide 21

Code Coverage

Slide 22

Code Coverage
• coverage of code region
  • basic block
  • edge
• Insert additional code at entries of code regions
• code coverage -> bug coverage

Slide 23

Code Coverage
(diagram) basic block 1, basic block 2, basic block 3

Slide 24

Code Coverage
(diagram) basic block 1, basic block 2, basic block 3, each with an instrumentation stub inserted at its entry

Slide 25

Code Coverage
(diagram) basic block 1, basic block 2, basic block 3, each with an instrumentation stub; bitmap, initially all zero: 0 0 0 0 0 0 0 0 0 0

Slide 27

Code Coverage
(diagram) basic block 1, basic block 2, basic block 3, each with an instrumentation stub; bitmap after execution, with the entries for the executed blocks set: 0 0 1 0 0 0 0 0 1 0

Slide 28

Coverage-Guided Fuzzing
(diagram) seed pool → select a seed → mutation → mutated seed → run with instrumented binary → execution result
  • crash → Found bugs! (crash PoC)
  • exit normally → new coverage?
    • Yes → save to seed pool
    • No → back to select a seed
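
The loop on this slide and the bitmap of slides 22-27, as one added worked example (my own code, not from the slides or from AFL). It models AFL-style edge instrumentation (each basic block entry hashes the current block id with the previous one and bumps a bitmap slot), bucketed hit counts, a seed pool, byte-level mutation and the "new coverage?" decision. The target, its block names, the crash condition and the seed `b"abcd"` are all constructed; real AFL keeps the bitmap in a 64 KB shared-memory array, here only the non-zero slots are stored.

```python
import hashlib
import random

MAP_SIZE = 1 << 16  # AFL's default bitmap size (64 KB)
_block_ids = {}     # basic block name -> pseudo-random 16-bit id (AFL assigns these at compile time)


def block_id(name):
    """Stable pseudo-random id per basic block, derived from its name (constructed)."""
    if name not in _block_ids:
        digest = hashlib.blake2b(name.encode(), digest_size=2).digest()
        _block_ids[name] = int.from_bytes(digest, "big")
    return _block_ids[name]


class Tracer:
    """Models the code inserted at every basic block entry. AFL records the
    edge (prev -> cur) as bitmap[cur ^ prev_location]++ and then sets
    prev_location = cur >> 1 so that A->B and B->A land in different slots."""

    def __init__(self):
        self.hits = {}            # bitmap slot -> hit count (only non-zero slots kept)
        self.prev_location = 0

    def block(self, name):
        cur = block_id(name)
        edge = (cur ^ self.prev_location) % MAP_SIZE
        self.hits[edge] = min(255, self.hits.get(edge, 0) + 1)
        self.prev_location = cur >> 1


def target(data, t):
    """Constructed target: three magic bytes guard a deliberately crashing branch."""
    t.block("entry")
    if len(data) >= 4 and data[0] == ord("F"):
        t.block("F")
        if data[1] == ord("U"):
            t.block("U")
            if data[2] == ord("Z"):
                t.block("Z")
                if data[3] > 200:
                    t.block("bug")
                    raise RuntimeError("simulated crash")
    t.block("exit")


def run(data):
    """Run one input under instrumentation; return (edge hits, crashed?)."""
    t = Tracer()
    try:
        target(data, t)
    except RuntimeError:
        return t.hits, True
    return t.hits, False


def bucket(count):
    """AFL's hit-count classes: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+."""
    for limit, label in ((1, 1), (2, 2), (3, 3), (7, 4), (15, 8), (31, 16), (127, 32)):
        if count <= limit:
            return label
    return 128


def coverage(hits):
    return {(edge, bucket(n)) for edge, n in hits.items()}


def mutate(data, rng):
    """A few random byte-level mutations: bit flip, random byte, insert, delete."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(4)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 2:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif op == 3 and len(buf) > 1:
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(seeds, iterations, rng, stop_on_crash=True):
    """The loop from the slide. Returns (seed pool, crash PoC inputs).
    AFL keeps fuzzing after a crash; stopping early just keeps this demo short."""
    pool = list(seeds)
    virgin = set()                       # (edge, bucket) pairs seen so far
    for s in pool:
        virgin |= coverage(run(s)[0])
    crashes = []
    for _ in range(iterations):
        mutated = mutate(rng.choice(pool), rng)
        hits, crashed = run(mutated)
        if crashed:
            crashes.append(mutated)      # Found bugs! keep the crash PoC
            if stop_on_crash:
                break
            continue
        new = coverage(hits) - virgin
        if new:                          # new coverage? Yes -> save to seed pool
            virgin |= new
            pool.append(mutated)
    return pool, crashes


if __name__ == "__main__":
    pool, crashes = fuzz([b"abcd"], 200_000, random.Random(1234))
    print("seeds kept:", len(pool), "crashes:", crashes)
```

Without the coverage feedback the four-byte condition would need all bytes right at once; with it, each magic byte that is matched opens a new edge, the input is saved, and the next byte is found from that seed.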

Slide 29

Sanitizer

Slide 30

Sanitizer
• bug detection
• binary instrumentation
• overhead
• false-negative bugs

Slide 31

Sanitizer
• AddressSanitizer (ASAN)
  • https://github.com/google/sanitizers
  • https://www.usenix.org/system/files/conference/atc12/atc12-final39.pdf
• Undefined Behavior Sanitizer (UBSAN)
• MemorySanitizer (MSAN)
• Leak-checker Sanitizer (LSAN)

Slide 32

Sanitizer - ASAN
• heap, stack, global-buffer overflow
• UAF - use after free
• shadow memory
• red zone
(diagram) red zone, buffer, red zone, red zone, buffer
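
An added model of the shadow memory and red zones on this slide (my own code, not ASAN's). One shadow byte covers an 8-byte granule: 0 means fully addressable, 1..7 means only the first k bytes are valid, and poison codes mark red zones and freed memory. The constants use the values ASAN prints in its report legend ("Heap left redzone: fa", "Freed heap region: fd"); the bump allocator, the 16-byte red zone size and the `demo()` accesses are assumptions of this model.

```python
SHADOW_SCALE = 3                 # 8 application bytes per shadow byte
GRANULE = 1 << SHADOW_SCALE
REDZONE = 16                     # poisoned padding on both sides of every allocation (assumed)
HEAP_REDZONE = 0xFA              # "Heap left redzone" in ASAN reports
FREED = 0xFD                     # "Freed heap region" in ASAN reports


class ShadowHeap:
    """Bump allocator whose allocations are surrounded by poisoned red zones."""

    def __init__(self, size=4096):
        self.shadow = bytearray(size >> SHADOW_SCALE)   # one shadow byte per granule
        self.brk = 0                                    # next free application address
        self.live = {}                                  # address -> requested size

    def _poison(self, addr, size, value):
        assert addr % GRANULE == 0 and size % GRANULE == 0
        for g in range(addr >> SHADOW_SCALE, (addr + size) >> SHADOW_SCALE):
            self.shadow[g] = value

    def malloc(self, n):
        rounded = -(-n // GRANULE) * GRANULE            # round up to whole granules
        if self.brk + REDZONE + rounded + REDZONE > len(self.shadow) << SHADOW_SCALE:
            raise MemoryError("model heap exhausted")
        self._poison(self.brk, REDZONE, HEAP_REDZONE)   # left red zone
        addr = self.brk + REDZONE
        self._poison(addr, rounded, 0)                  # user bytes: addressable
        if n % GRANULE:                                 # partial last granule: only n % 8 bytes valid
            self.shadow[(addr + rounded - GRANULE) >> SHADOW_SCALE] = n % GRANULE
        self._poison(addr + rounded, REDZONE, HEAP_REDZONE)   # right red zone
        self.brk = addr + rounded + REDZONE
        self.live[addr] = n
        return addr

    def free(self, addr):
        n = self.live.pop(addr)                         # KeyError on double or invalid free
        rounded = -(-n // GRANULE) * GRANULE
        self._poison(addr, rounded, FREED)              # stays poisoned, never reused (quarantine)

    def check(self, addr):
        """The check ASAN inserts before a 1-byte load or store.
        Returns None when the access is valid, otherwise the bug class."""
        k = self.shadow[addr >> SHADOW_SCALE]
        if k == 0:
            return None
        if k < GRANULE and (addr & (GRANULE - 1)) < k:   # partially addressable granule
            return None
        if k == FREED:
            return "heap-use-after-free"
        return "heap-buffer-overflow"

    def load(self, addr):
        """Instrumented access: report instead of silently reading poisoned memory."""
        err = self.check(addr)
        if err:
            raise MemoryError(f"AddressSanitizer: {err} at address {addr:#x}")
        return 0   # only the check is modelled, not the stored data


def demo():
    """Allocate 10 bytes and probe the classic off-by-one, red zones and a freed block."""
    h = ShadowHeap()
    p = h.malloc(10)
    results = {
        "in bounds": h.check(p + 9),
        "one past the end": h.check(p + 10),
        "right red zone": h.check(p + 16),
        "left red zone": h.check(p - 1),
    }
    h.free(p)
    results["after free"] = h.check(p)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```

The partial-granule shadow value is what lets ASAN catch `buf[10]` on a 10-byte allocation even though byte 10 sits inside the same 8-byte granule as bytes 8 and 9; the red zones catch overruns that land outside the allocation, and the freed region stays poisoned so a dangling pointer read is reported as use-after-free rather than reading whatever the next allocation put there.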

Slide 33

Coverage-Guided Fuzzers

Slide 34

AFL
• american fuzzy lop
• https://lcamtuf.coredump.cx/afl/
• https://github.com/google/AFL

Slide 35

AFL++
• https://github.com/AFLplusplus/AFLplusplus
• AFL++ is a superior fork to Google's AFL - more speed, more and better mutations, more and better instrumentation, custom module support, etc.
• cmplog: REDQUEEN
• power schedule: AFLFast

Slide 36

AFL++

Slide 37

libfuzzer
• LLVM
  • clang
• https://llvm.org/docs/LibFuzzer.html
• in-process fuzzing
• fuzzing harness

Slide 38

syzkaller
• kernel fuzzer
• https://github.com/google/syzkaller

Slide 39

Fuzzing Research

Slide 40

Fuzzing
• seed scheduling
  • AFLFast: Coverage-based Greybox Fuzzing as Markov Chain (CCS 2016)
  • MOPT: Optimize Mutation Scheduling for Fuzzers (USENIX 2019)
• seed selection
  • seed corpus optimization
    • corpus minimization: OptiMin (ISSTA 2021)
  • initial seed selection
    • Seed Selection for Successful Fuzzing (ISSTA 2021)

Slide 41

Fuzzing - mutation
• FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage (ASE 2018)
• REDQUEEN: Fuzzing with Input-to-State Correspondence (NDSS 2019)
• GREYONE: Data Flow Sensitive Fuzzing (USENIX 2020)

Slide 42

Fuzzing - Directed Grey-box Fuzzing
• AFLGo: Directed Greybox Fuzzing (CCS 2017)
• Hawkeye: Towards a Desired Directed Grey-box Fuzzer (CCS 2018)
• SAVIOR: Towards Bug-Driven Hybrid Testing (S&P 2020)
• ParmeSan: Sanitizer-guided Greybox Fuzzing (USENIX 2020)
• Constraint-guided Directed Greybox Fuzzing (USENIX 2021)

Slide 43

Fuzzing - research topic
• data flow analysis (DFA)
  • taint analysis
• binary instrumentation
  • binary only
  • dynamic instrumentation
• parallel fuzzing
  • ensemble fuzzing
    • EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers (USENIX 2019)

Slide 44

Fuzzing - research topic
• symbolic execution
  • KLEESPECTRE: Detecting Information Leakage through Speculative Cache Attacks via Symbolic Execution
• concolic execution
• hybrid fuzzing
  • PANGOLIN: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction (S&P 2020)

Slide 45

Fuzz Something!

Slide 46

Fuzzing lab
• https://github.com/yuawn/Mediatek-Fuzzing-Workshop

Slide 47

AFL++
• afl-fuzz -i input -o output -- ./binary
• afl-fuzz -i input -o output -- ./binary -a -b
• afl-fuzz -i input -o output -- ./binary -f @@

Slide 48

AFL++ - dictionary
• afl-fuzz -i input -o output -x xml.dict -- ./binary
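
What `-x xml.dict` feeds the fuzzer, as an added example (my own code, not afl-fuzz's): a parser for the AFL dictionary file format (`name="token"`, optional `@level`, `#` comments, `\xNN` and backslash escapes) and the two ways AFL applies the tokens, overwriting bytes in place ("user extras (over)") or inserting them ("user extras (insert)"). `SAMPLE_DICT` is a constructed dictionary in the style of AFL's xml.dict, and `demo()` and its seed input are assumptions of this example.

```python
import random
import re

SAMPLE_DICT = r'''
# constructed sample dictionary, in the style of AFL's dictionaries/xml.dict
tag_open="<"
tag_close=">"
cdata_start="<![CDATA["
entity_amp="&amp;"
nul@2="\x00"
escaped_quote="\""
'''

# optional name (with optional @level) and "=", then a double-quoted value
_LINE = re.compile(r'^(?:([A-Za-z0-9_-]+)(?:@(\d+))?\s*=\s*)?"(.*)"$')


def unescape(value):
    r"""Decode the escapes afl-fuzz accepts inside a token: \xNN, and \<char> for \\ and \"."""
    out = bytearray()
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\" and value[i + 1:i + 2] == "x":
            out.append(int(value[i + 2:i + 4], 16))
            i += 4
        elif c == "\\":
            out.append(ord(value[i + 1]))
            i += 2
        else:
            out.append(ord(c))          # dictionary files are ASCII; non-ASCII goes through \xNN
            i += 1
    return bytes(out)


def parse_dict(text):
    """Return a list of (name, level, token) for every entry in the dictionary."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed dictionary line {lineno}: {raw!r}")
        name, level, value = m.groups()
        entries.append((name, int(level) if level else 0, unescape(value)))
    return entries


def dict_mutate(data, tokens, rng):
    """One dictionary mutation: overwrite bytes with a token, or insert a token."""
    buf = bytearray(data)
    token = rng.choice(tokens)
    if rng.random() < 0.5 and len(buf) >= len(token):
        pos = rng.randrange(len(buf) - len(token) + 1)
        buf[pos:pos + len(token)] = token           # overwrite in place, length unchanged
    else:
        pos = rng.randrange(len(buf) + 1)
        buf[pos:pos] = token                        # insert, length grows
    return bytes(buf)


def demo(iterations=20, seed=7):
    """Apply dictionary mutations to a constructed XML-ish seed; returns (tokens, outputs)."""
    tokens = [tok for _, _, tok in parse_dict(SAMPLE_DICT)]
    rng = random.Random(seed)
    data = b"<a>text</a>"
    outputs = []
    for _ in range(iterations):
        data = dict_mutate(data, tokens, rng)
        outputs.append(data)
    return tokens, outputs


if __name__ == "__main__":
    tokens, outputs = demo()
    print("tokens:", tokens)
    print("last mutated input:", outputs[-1])
```

Random byte mutation has a 1/256 chance per byte of producing a delimiter like `<![CDATA[` one byte at a time; pulling whole tokens from the dictionary is how the fuzzer gets past a parser's keyword checks without that luck.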

Slide 49

AFL++ - parallel fuzzing
• afl-fuzz -M main -i input -o sync_dir -- ./binary
• afl-fuzz -S fuzzer2 -i input -o sync_dir -- ./binary
• afl-fuzz -S fuzzer3 -i input -o sync_dir -- ./binary

Slide 50

Summary

Slide 51

Summary
• Fuzzing is a novel security testing technique
• Product Security awareness
• Building a secure world

Slide 52

Thanks!