Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
MediaTek Fuzzing Workshop
Search
yuawn
November 26, 2021
Education
2
930
MediaTek Fuzzing Workshop
MediaTek Fuzzing Workshop in HITCON 2021
yuawn
November 26, 2021
Tweet
Share
More Decks by yuawn
See All by yuawn
Kernel Exploitation
yuawn
4
2.8k
Heap Exploitation
yuawn
2
1.2k
Binary Exploitation
yuawn
2
980
Binary Exploitation - Basic
yuawn
2
2.5k
HITCON Badge 2019 - MCU ARM TrustZone Challenge
yuawn
2
340
Other Decks in Education
See All in Education
@ngrx/signals
yannickbaron
0
170
5 занятие. Разбор метода "8 кубиков"бизнес-модели #ideaNN 16.02.2024.
karlov
0
180
2024年度春学期 統計学 講義の進め方と成績評価について (2024. 4. 11)
akiraasano
PRO
0
110
第33回 JAWS-UG札幌 クラウド女子会コラボ 勉強会
nagisa53
2
360
Animaatiot opetuksessa
matleenalaakso
0
3.1k
LTをすべき100の理由
eltociear
1
280
心房細動週間ポスター(2024年3月6日)
japanstrokeassociation
0
260
Monaca Educationを活用した課題解決型の探究学習の実践
asial_edu
0
200
Introduction - Lecture 1 - Information Visualisation (4019538FNR)
signer
PRO
0
3.5k
ISMSってどんなもの?
fbei_ot
0
170
パフォーマンス・チューニング入門
oracle4engineer
PRO
2
620
令和6年度 無料トライアルキャンペーン説明会
asial_edu
0
850
Featured
See All Featured
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.6k
GraphQLとの向き合い方2022年版
quramy
32
12k
The Language of Interfaces
destraynor
151
23k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.5k
Code Review Best Practice
trishagee
55
15k
Ruby is Unlike a Banana
tanoku
96
10k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
221
21k
Visualization
eitanlees
136
14k
Imperfection Machines: The Place of Print at Facebook
scottboms
260
12k
The Art of Programming - Codeland 2020
erikaheidi
42
12k
A better future with KSS
kneath
231
16k
Build your cross-platform service in a week with App Engine
jlugia
225
17k
Transcript
Building a Secure World Fuzzing 101 yuawn
Outline • Product Security • Fuzz testing • Fuzzing Lab
• AFL++ • Binary instrumentation - LLVM Pass
Product Security
Product Security - smart phone • Privacy • Photo, video,
voice, SMS, notes, documents … • Credential • private keys, MFA, fi ngerprint, facial ID … • Wallet • credit cards, bank service, electronic payment …
Product Security • 5G, IoT, intelligent vehicles, e-health, metaverse (VR,
AR) • ⾞⽤晶片、航空、醫療儀器、穿戴裝置 • Cybersecurity risk
Product Security • 國安 • ⼈類安全的未來
產品安全 是世界安全的第⼀線
Fuzz Testing
Fuzz Testing • Fuzzing • Automated software testing technique •
bug fi nding • Fuzzer • Repeatedly provides randomly generated inputs to the program and checks the execution result.
Fuzz Testing run with program execution result crash Found bugs!
crash PoC inputs
Fuzz Testing • Black-box • binary only • Grey-box •
utilize some program information to guide fuzzing • White-box • get a full picture of program • e.g., symbolic execution
Fuzz Testing • Black-box • binary only • Grey-box •
utilize some program information to guide fuzzing • White-box • get a full picture of program • e.g., symbolic execution
Coverage-Guided Fuzzing
Coverage-Guided Fuzzing • coverage metric • compute from program information
• utilize coverage information to guide fuzzer increasing coverage percentage
Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed
run with instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes save to seed pool No
Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed
run with instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes save to seed pool No
Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed
run with instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes save to seed pool No
Coverage-Guided Fuzzing • Coverage metric • code coverage • Capture
program information • binary instrumentation • emulator • qemu, angr, qiling
Binary Instrumentation
Binary Instrumentation • Insert additional code into binary • Insert
assembly • vanilla AFL • LLVM Pass - LLVM IR • AFL++ • LTO (Link Time Optimization)
Code Coverage
Code Coverage • coverage of code region • basic block
• edge • Insert additional code at entries of code regions • code coverage -> bug coverage
Code Coverage basic block 1 basic block 2 basic block
3
Code Coverage basic block 1 basic block 2 basic block
3 instrumentation instrumentation instrumentation
Code Coverage basic block 1 basic block 2 basic block
3 instrumentation instrumentation instrumentation 0 0 0 0 0 0 0 0 0 0 bitmap
Code Coverage basic block 1 basic block 2 basic block
3 instrumentation instrumentation instrumentation 0 0 0 0 0 0 0 0 0 0 bitmap
Code Coverage basic block 1 basic block 2 basic block
3 instrumentation instrumentation instrumentation 0 0 1 0 0 0 0 0 1 0 bitmap
Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed
run with instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes save to seed pool No
Sanitizer
Sanitizer • bug detection • binary instrumentation • overhead •
false-negative bugs
Sanitizer • AddressSanitizers (ASAN) • https://github.com/google/sanitizers • https://www.usenix.org/system/ fi les/conference/atc12/atc12-
fi nal39.pdf • Unde fi ned Behavior Sanitizer (UBSAN) • MemorySanitizer (MSAN) • Leak-checker Sanitizer (LSAN)
Sanitizer - ASAN • heap, stack, global-bu ff er over
fl ow • UAF - use after free • shadow memory • red zone buffer red zone red zone buffer
Coverage-Guided Fuzzers
AFL • american fuzzy lop • https://lcamtuf.coredump.cx/a fl / •
https://github.com/google/AFL
AFL++ • https://github.com/AFLplusplus/AFLplusplus • AFL++ is a superior fork to
Google's AFL - more speed, more and better mutations, more and better instrumentation, custom module support, etc. • cmplog: REDQUEEN • power schedule: AFLFast
AFL++
libfuzzer • LLVM • clang • https://llvm.org/docs/LibFuzzer.html • in-process fuzzing
• fuzzing harness
syzkaller • kernel fuzzer • https://github.com/google/syzkaller
Fuzzing Research
Fuzzing • seed scheduling • AFLFast: Coverage-based Greybox Fuzzing as
Markov Chain (CCS 2016) • MOPT: Optimize Mutation Scheduling for Fuzzers (USENIX 2019) • seed selection • seed corpus optimization • corpus minimization: OptiMin (ISSTA 2021) • initial seed selection • Seed Selection for Successful Fuzzing (ISSTA 2021)
Fuzzing - mutation • FairFuzz: A Targeted Mutation Strategy for
Increasing Greybox Fuzz Testing Coverage (ASE 2018) • REDQUEEN: Fuzzing with Input-to-State Correspondence (NDSS2019) • GREYONE Data Flow Sensitive Fuzzing (USENIX 2020)
Fuzzing - Directed Grey-box Fuzzing • AFLGo: Directed Greybox Fuzzing
(CCS 2017) • Hawkeye: Towards a Desired Directed Grey-box Fuzzer (CCS 2018) • SAVIOR: Towards Bug-Driven Hybrid Testing (S&P 2020) • ParmeSan: Sanitizer-guided Greybox Fuzzing (USENIX 2020) • Constraint-guided Directed Greybox Fuzzing (USENIX 2021)
Fuzzing - research topic • data fl aw analysis (DFA)
• taint analysis • binary instrumentation • binary only • dynamic instrumentation • parallel fuzzing • ensemble fuzzing • EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers (USENIX 2019)
Fuzzing - research topic • symbolic execution • KLEESPECTRE: Detecting
Information Leakage through Speculative Cache Attacks via Symbolic Execution • concolic execution • hybrid fuzzing • PANGOLIN: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction (S&P 2020)
Fuzz Something!
Fuzzing lab • https://github.com/yuawn/Mediatek-Fuzzing-Workshop
AFL++ • a fl -fuzz -i input -o output --
./binary • a fl -fuzz -i input -o output -- ./binary -a -b • a fl -fuzz -i input -o output -- ./binary -f @@
AFL++ - dictionary • a fl -fuzz -i input -o
output -x xml.dict -- ./binary
AFL++ - parallel fuzzing • a fl -fuzz -M main
-i input -o sync_dir -- ./binary • a fl -fuzz -S fuzzer2 -i input -o sync_dir -- ./binary • a fl -fuzz -S fuzzer3 -i input -o sync_dir -- ./binary
Summary
Summary • Fuzzing is a novel security testing technique •
Product Security awareness • Building a secure world
Thanks!