
MediaTek Fuzzing Workshop

yuawn
November 26, 2021

MediaTek Fuzzing Workshop in HITCON 2021


Transcript

  1. Building a Secure World
    Fuzzing 101
    yuawn

  2. Outline
    • Product Security
    • Fuzz testing
    • Fuzzing Lab
    • AFL++
    • Binary instrumentation - LLVM Pass

  3. Product Security


  4. Product Security - smart phone
    • Privacy
      • Photo, video, voice, SMS, notes, documents …
    • Credential
      • private keys, MFA, fingerprint, facial ID …
    • Wallet
      • credit cards, bank service, electronic payment …

  5. Product Security
    • 5G, IoT, intelligent vehicles, e-health, metaverse (VR, AR)
    • automotive chips, aviation, medical instruments, wearable devices
    • Cybersecurity risk

  6. Product Security
    • National security
    • The future of human security

  7. Product Security
    Product security is the front line of a secure world.

  8. Fuzz Testing


  9. Fuzz Testing
    • Fuzzing
      • Automated software testing technique
      • bug finding
    • Fuzzer
      • Repeatedly provides randomly generated inputs to the program and checks the execution result.

  10. Fuzz Testing
    inputs -> run with program -> execution result -> crash -> Found bugs! (crash PoC)

  11. Fuzz Testing
    • Black-box
      • binary only: no view into the program's internals, only its inputs and its observable behaviour
    • Grey-box
      • utilize some program information (typically coverage) to guide fuzzing
    • White-box
      • get a full picture of the program
      • e.g., symbolic execution


  13. Coverage-Guided Fuzzing


  14. Coverage-Guided Fuzzing
    • coverage metric
      • computed from program information collected while the input runs
    • the fuzzer uses that coverage information as feedback: inputs that reach new code are kept and mutated further, so coverage keeps increasing

  15. Coverage-Guided Fuzzing
    seed pool -> select a seed -> mutation -> mutated seed -> run with instrumented binary -> execution result
      crash:          Found bugs! (crash PoC)
      exit normally:  new coverage? Yes -> save to seed pool; No -> back to select a seed


  18. Coverage-Guided Fuzzing
    • Coverage metric
      • code coverage
    • Capture program information
      • binary instrumentation
      • emulator: qemu, angr, qiling

  19. Binary Instrumentation


  20. Binary Instrumentation
    • Insert additional code into the binary
      • Insert assembly: vanilla AFL (afl-as rewrites the compiler's assembly output)
      • LLVM Pass on LLVM IR: AFL++ (afl-clang-fast)
      • LTO (Link Time Optimization): AFL++ (afl-clang-lto)

  21. Code Coverage


  22. Code Coverage
    • coverage of code regions
      • basic block
      • edge (a transition from one basic block to the next)
    • Insert additional code at the entry of each code region to record that it was executed
    • code coverage -> bug coverage: a bug can only be triggered by an input that executes the buggy code, so reaching more code is the proxy for reaching more bugs

  23. Code Coverage
    control-flow graph: basic block 1 branches to basic block 2 or basic block 3
    instrumentation inserted at the entry of each of the three basic blocks
    bitmap before the run:  0 0 0 0 0 0 0 0 0 0
    bitmap after one run:   0 0 1 0 0 0 0 0 1 0   (two entries set: the two blocks this input executed)

  28. Coverage-Guided Fuzzing
    (the loop diagram from slide 15 again: the bitmap filled in by the instrumented binary is what answers "new coverage?")
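The loop from slide 15 and the edge bitmap from slides 22 to 27, as one runnable toy in C. This is an added example written for this transcript; it is not code from AFL or AFL++ and not from the workshop lab. The target program, its basic-block IDs, the 64-entry bitmap, the mutator and the fixed-seed random generator are all constructed here. The `COV` macro is the arithmetic afl-cc emits at each basic-block entry (index `cur ^ prev`, then `prev = cur >> 1`), shrunk from 65536 entries to 64 so the indices can be checked by hand.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Toy re-creation of AFL's edge coverage and the coverage-guided loop.
 * Constructed for this transcript; not code from AFL or AFL++. */
#define MAP_SIZE  64   /* AFL uses 65536 entries */
#define MAX_LEN   8
#define MAX_SEEDS 16
enum { OK = 0, CRASH = 1 };
static uint8_t  trace_bits[MAP_SIZE];   /* bitmap the target writes into */
static uint8_t  virgin_bits[MAP_SIZE];  /* edges seen in any earlier run */
static uint32_t prev_loc, rng_state;

/* What the instrumentation pass inserts at every basic block entry: entry
 * cur ^ prev identifies the edge prev -> cur; prev is shifted so that A->B,
 * B->A and A->A do not all land in the same entry. */
#define COV(cur_loc) do { trace_bits[((cur_loc) ^ prev_loc) % MAP_SIZE]++; \
                          prev_loc = (cur_loc) >> 1; } while (0)

/* Target: nested magic-byte check. Block IDs stand in for the random IDs
 * afl-cc assigns at compile time; CRASH stands in for a memory-safety bug. */
static int target(const uint8_t *buf, size_t len)
{
    COV(11);
    if (len > 0 && buf[0] == 'F') { COV(23);
        if (len > 1 && buf[1] == 'U') { COV(37);
            if (len > 2 && buf[2] == 'Z') { COV(41);
                if (len > 3 && buf[3] == 'Z') { COV(53); return CRASH; }
            }
        }
    }
    COV(59);
    return OK;
}

typedef struct { uint8_t data[MAX_LEN]; size_t len; } seed_t;
static seed_t pool[MAX_SEEDS];
static size_t pool_size;

static seed_t make_seed(const char *text)
{
    seed_t s = { .len = strlen(text) > MAX_LEN ? MAX_LEN : strlen(text) };
    memcpy(s.data, text, s.len);
    return s;
}

static int run_target(const seed_t *s)   /* one execution, fresh bitmap */
{
    memset(trace_bits, 0, sizeof trace_bits);
    prev_loc = 0;
    return target(s->data, s->len);
}

static int edges_for(const char *text)   /* distinct edges one input hits */
{
    seed_t s = make_seed(text);
    int n = 0;
    run_target(&s);
    for (size_t i = 0; i < MAP_SIZE; i++) n += trace_bits[i] != 0;
    return n;
}

/* "new coverage?": an edge in trace_bits not yet in virgin_bits. Real AFL
 * also bucketises hit counts; presence alone is enough to show the idea. */
static int has_new_coverage(void)
{
    int fresh = 0;
    for (size_t i = 0; i < MAP_SIZE; i++)
        if (trace_bits[i] && !virgin_bits[i]) { virgin_bits[i] = 1; fresh = 1; }
    return fresh;
}

/* Fixed-seed LCG so every run of this example takes the same path. */
static uint32_t rng(void) { return (rng_state = rng_state * 1103515245u + 12345u) >> 16; }

static void mutate(seed_t *s)   /* sometimes append a byte, else overwrite one */
{
    if (s->len < MAX_LEN && rng() % 4 == 0) s->data[s->len++] = (uint8_t)rng();
    else if (s->len) s->data[rng() % s->len] = (uint8_t)rng();
}

/* The loop of slide 15. Returns the iteration that crashed (PoC copied to
 * *poc when non-NULL) or -1 if max_iters ran out. */
static long fuzz(const char *initial_seed, long max_iters, seed_t *poc)
{
    memset(virgin_bits, 0, sizeof virgin_bits);
    rng_state = 2021;
    pool[0] = make_seed(initial_seed);
    pool_size = 1;
    run_target(&pool[0]);
    has_new_coverage();                         /* record baseline edges */
    for (long i = 0; i < max_iters; i++) {
        seed_t cand = pool[rng() % pool_size];  /* select a seed */
        mutate(&cand);                          /* mutation */
        if (run_target(&cand) == CRASH) {       /* run with instrumented binary */
            if (poc) *poc = cand;
            return i;                           /* Found bugs! crash PoC */
        }
        if (has_new_coverage() && pool_size < MAX_SEEDS)
            pool[pool_size++] = cand;           /* save to seed pool */
    }
    return -1;
}

int main(void)
{
    seed_t poc = { .len = 0 };
    long it = fuzz("AAAA", 2000000, &poc);
    printf("crash after %ld executions, PoC = %.*s\n", it, (int)poc.len, (const char *)poc.data);
    return it < 0;
}
```

Build with `cc -O1 toy_fuzz.c -o toy_fuzz && ./toy_fuzz`. Only inputs that light up a bitmap entry nobody has seen before are kept, so the pool stays at a handful of seeds while the fuzzer climbs the FUZZ check one byte at a time; blind random mutation of AAAA would have to guess all four bytes at once, on the order of 256^4 attempts, which is exactly the gap the coverage feedback closes. The edge counts for "AAAA", "F", "FU", "FUZ" and "FUZZ" (2, 3, 4, 5, 5) can be checked against the bitmap indices by hand with `edges_for`.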

  29. Sanitizer


  30. Sanitizer
    • bug detection: turns silent memory errors into an immediate, reported crash
    • binary instrumentation (inserted by the compiler at build time)
    • overhead: slower execution and more memory per run
    • false-negative bugs: without a sanitizer an out-of-bounds read or use-after-free often does not crash at all, so the fuzzer never notices it

  31. Sanitizer
    • AddressSanitizer (ASAN)
      • https://github.com/google/sanitizers
      • https://www.usenix.org/system/files/conference/atc12/atc12-final39.pdf
    • UndefinedBehaviorSanitizer (UBSAN)
    • MemorySanitizer (MSAN)
    • LeakSanitizer (LSAN)

  32. Sanitizer - ASAN
    • heap, stack, global-buffer overflow
    • UAF - use after free
    • shadow memory: a side table that records, for each 8 bytes of application memory, whether they may be accessed; the compiler inserts a shadow lookup before every load and store
    • red zone: poisoned padding placed around every buffer, so an access that runs off either end lands in a red zone and is reported
      layout: red zone | buffer | red zone | red zone | buffer | …
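What "shadow memory" and "red zone" on this slide mean in code, as an added example written for this transcript. It is not ASAN's code: the arena, the one-shadow-byte-per-byte encoding, the tag values and the bump allocator that never recycles memory are simplifications constructed here (real ASAN keeps one shadow byte per 8 application bytes, uses its own tag values, puts freed chunks in a quarantine, and has the compiler insert the check before each load and store).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Toy model of how AddressSanitizer catches heap overflows and use-after-free:
 * an arena with one shadow byte per arena byte, red zones around every
 * allocation, and poisoning on free. Constructed for this transcript, not
 * ASAN's code: real ASAN keeps one shadow byte per 8 application bytes, uses
 * its own tag values, and has the compiler insert the check before each
 * load and store. */
#define ARENA   256
#define REDZONE 16
enum { ADDRESSABLE = 0, HEAP_REDZONE = 1, FREED = 2 };   /* shadow tags */

static uint8_t arena[ARENA];
static uint8_t shadow[ARENA];   /* shadow[i] describes arena[i] */
static size_t  bump;            /* bump allocator: no reuse, like a quarantine */

static void poison(size_t off, size_t n, uint8_t tag) { memset(shadow + off, tag, n); }

static void asan_reset(void)
{
    bump = 0;
    poison(0, ARENA, HEAP_REDZONE);   /* nothing handed out yet: all red zone */
}

/* [red zone][buffer][red zone], the layout from slide 32. Returns the arena
 * offset of the buffer, or -1 when the arena is exhausted. */
static long rz_malloc(size_t size)
{
    if (bump + REDZONE + size + REDZONE > ARENA) return -1;
    size_t buf = bump + REDZONE;
    poison(buf, size, ADDRESSABLE);   /* only the buffer itself is usable */
    bump = buf + size + REDZONE;      /* both red zones stay poisoned */
    return (long)buf;
}

/* free() poisons the block instead of recycling it, so a later access is
 * reported as use-after-free rather than silently hitting a new owner. */
static void rz_free(long buf, size_t size) { poison((size_t)buf, size, FREED); }

/* The check ASAN inserts before a memory access of `width` bytes at buf[index]:
 * every byte touched must be addressable. Returns 0 if the access is fine,
 * otherwise the shadow tag of the first bad byte. */
static int check_access(long buf, long index, size_t width)
{
    for (size_t k = 0; k < width; k++) {
        long a = buf + index + (long)k;
        if (a < 0 || a >= ARENA) return HEAP_REDZONE;   /* off the arena entirely */
        if (shadow[a] != ADDRESSABLE) return shadow[a];
    }
    return 0;
}

/* Instrumented 1-byte store: check, then write only if the check passed. */
static int store_u8(long buf, long index, uint8_t v)
{
    int bad = check_access(buf, index, 1);
    if (!bad) arena[buf + index] = v;
    return bad;
}

static const char *describe(int tag)
{
    return tag == HEAP_REDZONE ? "heap-buffer-overflow"
         : tag == FREED        ? "heap-use-after-free" : "ok";
}

/* One 10-byte allocation exercised five ways; returns the tag for step 0..4. */
static int scenario(int step)
{
    asan_reset();
    long p = rz_malloc(10);
    switch (step) {
    case 0:  return store_u8(p, 9, 'x');       /* last valid byte */
    case 1:  return store_u8(p, 10, 'x');      /* one past the end */
    case 2:  return check_access(p, 8, 4);     /* 4-byte load straddling the end */
    case 3:  return store_u8(p, -1, 'x');      /* underflow into the leading red zone */
    default: rz_free(p, 10); return store_u8(p, 0, 'x');   /* use after free */
    }
}

int main(void)
{
    const char *what[] = { "p[9] = x", "p[10] = x", "*(uint32_t *)&p[8]", "p[-1] = x", "p[0] = x after free" };
    for (int i = 0; i < 5; i++) printf("%-22s -> %s\n", what[i], describe(scenario(i)));
    return 0;
}
```

The point for fuzzing is the one-past-the-end case: without the shadow check, `p[10] = 'x'` writes into padding and the process carries on, so the fuzzer sees a normal exit and a real bug is a false negative. With the check every such access becomes a reported crash, which is why fuzzing targets are built with ASAN even though each execution gets slower.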

  33. Coverage-Guided Fuzzers


  34. AFL
    • american fuzzy lop
      • https://lcamtuf.coredump.cx/afl/
      • https://github.com/google/AFL

  35. AFL++
    • https://github.com/AFLplusplus/AFLplusplus
    • AFL++ is a superior fork to Google's AFL - more speed, more and better mutations, more and better instrumentation, custom module support, etc.
    • cmplog: REDQUEEN-style input-to-state correspondence (logs the operands of comparisons so the fuzzer can solve magic bytes and checksums directly instead of guessing them)
    • power schedule: AFLFast (decides how much mutation effort each seed receives)


  37. libfuzzer
    • LLVM
    • clang
    • https://llvm.org/docs/LibFuzzer.html
    • in-process fuzzing: the target is linked into the fuzzer process and called directly for every input, with no fork/exec per execution
    • fuzzing harness: the LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) entry point you write around the code under test
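The "fuzzing harness" bullet written out: a libFuzzer-style entry point around a small parser, plus a stand-alone `main` so the same binary also runs under afl-fuzz with `@@` (as on the AFL++ command-line slides below) or by hand on a saved crash file. This is an added example for this transcript; `LLVMFuzzerTestOneInput` is the real libFuzzer / AFL++ driver API, but the record format, `parse_records`, the `NO_MAIN` switch and the sample bytes are all invented here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* libFuzzer-style harness around a small parser. Constructed for this
 * transcript: LLVMFuzzerTestOneInput is the real libFuzzer / AFL++ driver
 * entry point, but the record format and parse_records() are invented here.
 *
 * libFuzzer:  clang -g -O1 -fsanitize=fuzzer,address -DNO_MAIN harness.c -o harness
 *             ./harness corpus_dir
 * AFL++:      afl-clang-fast -g -fsanitize=address harness.c -o harness
 *             afl-fuzz -i input -o output -- ./harness @@
 */

/* Invented format: a sequence of [type:1][len:1][payload:len] records.
 * Returns the number of records, or -1 if the input is malformed. */
static int parse_records(const uint8_t *data, size_t size)
{
    size_t pos = 0;
    int n = 0;
    while (pos < size) {
        if (size - pos < 2) return -1;          /* truncated header */
        uint8_t len = data[pos + 1];
        pos += 2;
        if (len > size - pos) return -1;        /* payload would run past the input:
                                                   the check a fuzzer finds missing */
        pos += len;
        n++;
    }
    return n;
}

/* Fuzzer entry point: called once per generated input. It must accept any
 * byte string, keep no state between calls, and return 0. Bugs show up as
 * sanitizer reports or crashes inside the code it calls, not as return values. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    parse_records(data, size);
    return 0;
}

#ifndef NO_MAIN
/* Stand-alone driver so the same harness runs under afl-fuzz (which passes
 * the test case path in place of @@), under a debugger on a saved crash, or
 * with the constructed sample below when no file is given. */
int main(int argc, char **argv)
{
    static uint8_t buf[1 << 16];
    size_t size;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        size = fread(buf, 1, sizeof buf, f);
        fclose(f);
    } else {
        static const uint8_t sample[] = { 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00 };  /* two records */
        memcpy(buf, sample, sizeof sample);
        size = sizeof sample;
    }
    printf("parse_records -> %d\n", parse_records(buf, size));
    return LLVMFuzzerTestOneInput(buf, size);
}
#endif
```

The two rejections inside `parse_records` (a header cut off by the end of the input, and a length byte that promises more payload than remains) are exactly the checks that go missing in real parsers; drop either one and an ASAN build of this harness reports a heap-buffer-overflow within seconds of fuzzing, which is the practical reason the harness is compiled with a sanitizer.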

  38. syzkaller
    • kernel fuzzer
    • https://github.com/google/syzkaller

  39. Fuzzing Research


  40. Fuzzing
    • seed scheduling
      • AFLFast: Coverage-based Greybox Fuzzing as Markov Chain (CCS 2016)
      • MOPT: Optimize Mutation Scheduling for Fuzzers (USENIX 2019)
    • seed selection
      • seed corpus optimization
        • corpus minimization: OptiMin (ISSTA 2021)
      • initial seed selection
        • Seed Selection for Successful Fuzzing (ISSTA 2021)

  41. Fuzzing - mutation
    • FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage (ASE 2018)
    • REDQUEEN: Fuzzing with Input-to-State Correspondence (NDSS 2019)
    • GREYONE: Data Flow Sensitive Fuzzing (USENIX 2020)

  42. Fuzzing - Directed Grey-box Fuzzing
    • AFLGo: Directed Greybox Fuzzing (CCS 2017)
    • Hawkeye: Towards a Desired Directed Grey-box Fuzzer (CCS 2018)
    • SAVIOR: Towards Bug-Driven Hybrid Testing (S&P 2020)
    • ParmeSan: Sanitizer-guided Greybox Fuzzing (USENIX 2020)
    • Constraint-guided Directed Greybox Fuzzing (USENIX 2021)

  43. Fuzzing - research topic
    • data flow analysis (DFA)
      • taint analysis
    • binary instrumentation
      • binary only
      • dynamic instrumentation
    • parallel fuzzing
      • ensemble fuzzing
        • EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers (USENIX 2019)

  44. Fuzzing - research topic
    • symbolic execution
      • KLEESPECTRE: Detecting Information Leakage through Speculative Cache Attacks via Symbolic Execution
    • concolic execution
    • hybrid fuzzing
      • PANGOLIN: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction (S&P 2020)

  45. Fuzz Something!


  46. Fuzzing lab
    • https://github.com/yuawn/Mediatek-Fuzzing-Workshop


  47. AFL++
    • afl-fuzz -i input -o output -- ./binary
      (seed files live in input/, findings go to output/; the target reads each test case from stdin)
    • afl-fuzz -i input -o output -- ./binary -a -b
      (everything after -- is the target's own command line, here including its flags -a -b)
    • afl-fuzz -i input -o output -- ./binary -f @@
      (@@ is replaced with the path of the current test case file, for targets that take their input as a file argument; -f here belongs to the target, not to afl-fuzz)

  48. AFL++ - dictionary
    • afl-fuzz -i input -o output -x xml.dict -- ./binary
      (-x loads a dictionary of tokens, here XML keywords, that the mutator inserts into and overwrites onto test cases, so format keywords do not have to be discovered byte by byte)

  49. AFL++ - parallel fuzzing
    • afl-fuzz -M main -i input -o sync_dir -- ./binary
    • afl-fuzz -S fuzzer2 -i input -o sync_dir -- ./binary
    • afl-fuzz -S fuzzer3 -i input -o sync_dir -- ./binary
      (one -M main instance plus any number of -S secondary instances, each with its own name, all sharing sync_dir; they periodically import each other's interesting test cases)

  50. Summary


  51. Summary
    • Fuzzing is an effective, automated security testing technique
    • Product Security awareness
    • Building a secure world

  52. Thanks!
