Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
MediaTek Fuzzing Workshop
Search
yuawn
November 26, 2021
Education
2
1.2k
MediaTek Fuzzing Workshop
MediaTek Fuzzing Workshop in HITCON 2021
yuawn
November 26, 2021
Tweet
Share
More Decks by yuawn
See All by yuawn
Kernel Exploitation
yuawn
4
3.3k
Heap Exploitation
yuawn
2
1.4k
Binary Exploitation
yuawn
2
1.6k
Binary Exploitation - Basic
yuawn
2
3.1k
HITCON Badge 2019 - MCU ARM TrustZone Challenge
yuawn
2
380
Other Decks in Education
See All in Education
Introduction - Lecture 1 - Information Visualisation (4019538FNR)
signer
PRO
0
4.3k
OCIでインスタンス構築してみた所感
masakiokuda
0
140
Use Cases and Course Review - Lecture 8 - Human-Computer Interaction (1023841ANR)
signer
PRO
0
880
Image compression
hachama
0
400
The Prison Industrial Complex by Billy Dee
oripsolob
0
650
Informasi Program Coding Camp 2025 powered by DBS Foundation
codingcamp2025
0
160
統計学に必要な数学(線形代数含む)
kosugitti
0
260
Diseño de estrategia de analítica del aprendizaje en tu centro educativo.
tecuribarri
0
150
Казармы и гарнизоны
pnuslide
0
180
Security, Privacy and Trust - Lecture 11 - Web Technologies (1019888BNR)
signer
PRO
0
2.7k
Human Perception and Colour Theory - Lecture 2 - Information Visualisation (4019538FNR)
signer
PRO
0
2.3k
リバースバケットリスト 〜 「死ぬまでにやることリスト」の欠点と対処法
takibi333
0
120
Featured
See All Featured
The Pragmatic Product Professional
lauravandoore
32
6.4k
A Tale of Four Properties
chriscoyier
158
23k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
30
4.6k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
640
Rebuilding a faster, lazier Slack
samanthasiow
80
8.8k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
27
1.6k
A better future with KSS
kneath
238
17k
RailsConf 2023
tenderlove
29
1k
Building Applications with DynamoDB
mza
93
6.2k
Visualization
eitanlees
146
15k
GitHub's CSS Performance
jonrohan
1030
460k
Transcript
Building a Secure World Fuzzing 101 yuawn
Outline • Product Security • Fuzz testing • Fuzzing Lab
• AFL++ • Binary instrumentation - LLVM Pass
Product Security
Product Security - smart phone • Privacy • Photo, video,
voice, SMS, notes, documents … • Credential • private keys, MFA, fi ngerprint, facial ID … • Wallet • credit cards, bank service, electronic payment …
Product Security • 5G, IoT, intelligent vehicles, e-health, metaverse (VR,
AR) • ⾞⽤晶片、航空、醫療儀器、穿戴裝置 • Cybersecurity risk
Product Security • 國安 • ⼈類安全的未來
產品安全 是世界安全的第⼀線
Fuzz Testing
Fuzz Testing • Fuzzing • Automated software testing technique •
bug fi nding • Fuzzer • Repeatedly provides randomly generated inputs to the program and checks the execution result.
Fuzz Testing run with program execution result crash Found bugs!
crash PoC inputs
Fuzz Testing • Black-box • binary only • Grey-box •
utilize some program information to guide fuzzing • White-box • get a full picture of program • e.g., symbolic execution
Fuzz Testing • Black-box • binary only • Grey-box •
utilize some program information to guide fuzzing • White-box • get a full picture of program • e.g., symbolic execution
Coverage-Guided Fuzzing
Coverage-Guided Fuzzing • coverage metric • compute from program information
• utilize coverage information to guide fuzzer increasing coverage percentage
Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed
run with instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes save to seed pool No
Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed
run with instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes save to seed pool No
Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed
run with instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes save to seed pool No
Coverage-Guided Fuzzing • Coverage metric • code coverage • Capture
program information • binary instrumentation • emulator • qemu, angr, qiling
Binary Instrumentation
Binary Instrumentation • Insert additional code into binary • Insert
assembly • vanilla AFL • LLVM Pass - LLVM IR • AFL++ • LTO (Link Time Optimization)
Code Coverage
Code Coverage • coverage of code region • basic block
• edge • Insert additional code at entries of code regions • code coverage -> bug coverage
Code Coverage basic block 1 basic block 2 basic block
3
Code Coverage basic block 1 basic block 2 basic block
3 instrumentation instrumentation instrumentation
Code Coverage basic block 1 basic block 2 basic block
3 instrumentation instrumentation instrumentation 0 0 0 0 0 0 0 0 0 0 bitmap
Code Coverage basic block 1 basic block 2 basic block
3 instrumentation instrumentation instrumentation 0 0 0 0 0 0 0 0 0 0 bitmap
Code Coverage basic block 1 basic block 2 basic block
3 instrumentation instrumentation instrumentation 0 0 1 0 0 0 0 0 1 0 bitmap
Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed
run with instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes save to seed pool No
Sanitizer
Sanitizer • bug detection • binary instrumentation • overhead •
false-negative bugs
Sanitizer • AddressSanitizers (ASAN) • https://github.com/google/sanitizers • https://www.usenix.org/system/ fi les/conference/atc12/atc12-
fi nal39.pdf • Unde fi ned Behavior Sanitizer (UBSAN) • MemorySanitizer (MSAN) • Leak-checker Sanitizer (LSAN)
Sanitizer - ASAN • heap, stack, global-bu ff er over
fl ow • UAF - use after free • shadow memory • red zone buffer red zone red zone buffer
Coverage-Guided Fuzzers
AFL • american fuzzy lop • https://lcamtuf.coredump.cx/a fl / •
https://github.com/google/AFL
AFL++ • https://github.com/AFLplusplus/AFLplusplus • AFL++ is a superior fork to
Google's AFL - more speed, more and better mutations, more and better instrumentation, custom module support, etc. • cmplog: REDQUEEN • power schedule: AFLFast
AFL++
libfuzzer • LLVM • clang • https://llvm.org/docs/LibFuzzer.html • in-process fuzzing
• fuzzing harness
syzkaller • kernel fuzzer • https://github.com/google/syzkaller
Fuzzing Research
Fuzzing • seed scheduling • AFLFast: Coverage-based Greybox Fuzzing as
Markov Chain (CCS 2016) • MOPT: Optimize Mutation Scheduling for Fuzzers (USENIX 2019) • seed selection • seed corpus optimization • corpus minimization: OptiMin (ISSTA 2021) • initial seed selection • Seed Selection for Successful Fuzzing (ISSTA 2021)
Fuzzing - mutation • FairFuzz: A Targeted Mutation Strategy for
Increasing Greybox Fuzz Testing Coverage (ASE 2018) • REDQUEEN: Fuzzing with Input-to-State Correspondence (NDSS2019) • GREYONE Data Flow Sensitive Fuzzing (USENIX 2020)
Fuzzing - Directed Grey-box Fuzzing • AFLGo: Directed Greybox Fuzzing
(CCS 2017) • Hawkeye: Towards a Desired Directed Grey-box Fuzzer (CCS 2018) • SAVIOR: Towards Bug-Driven Hybrid Testing (S&P 2020) • ParmeSan: Sanitizer-guided Greybox Fuzzing (USENIX 2020) • Constraint-guided Directed Greybox Fuzzing (USENIX 2021)
Fuzzing - research topic • data fl aw analysis (DFA)
• taint analysis • binary instrumentation • binary only • dynamic instrumentation • parallel fuzzing • ensemble fuzzing • EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers (USENIX 2019)
Fuzzing - research topic • symbolic execution • KLEESPECTRE: Detecting
Information Leakage through Speculative Cache Attacks via Symbolic Execution • concolic execution • hybrid fuzzing • PANGOLIN: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction (S&P 2020)
Fuzz Something!
Fuzzing lab • https://github.com/yuawn/Mediatek-Fuzzing-Workshop
AFL++ • a fl -fuzz -i input -o output --
./binary • a fl -fuzz -i input -o output -- ./binary -a -b • a fl -fuzz -i input -o output -- ./binary -f @@
AFL++ - dictionary • a fl -fuzz -i input -o
output -x xml.dict -- ./binary
AFL++ - parallel fuzzing • a fl -fuzz -M main
-i input -o sync_dir -- ./binary • a fl -fuzz -S fuzzer2 -i input -o sync_dir -- ./binary • a fl -fuzz -S fuzzer3 -i input -o sync_dir -- ./binary
Summary
Summary • Fuzzing is a novel security testing technique •
Product Security awareness • Building a secure world
Thanks!