MediaTek Fuzzing Workshop

Transcript

1. Building a Secure World Fuzzing 101 yuawn

2. Outline • Product Security • Fuzz testing • Fuzzing Lab

   • AFL++ • Binary instrumentation - LLVM Pass

3. Product Security

4. Product Security - smart phone • Privacy • Photo, video,

   voice, SMS, notes, documents … • Credential • private keys, MFA, fi ngerprint, facial ID … • Wallet • credit cards, bank service, electronic payment …

5. Product Security • 5G, IoT, intelligent vehicles, e-health, metaverse (VR,

   AR) • ⾞⽤晶片、航空、醫療儀器、穿戴裝置 • Cybersecurity risk

6. Product Security • 國安 • ⼈類安全的未來

7. 產品安全 是世界安全的第⼀線

8. Fuzz Testing

9. Fuzz Testing • Fuzzing • Automated software testing technique •

   bug fi nding • Fuzzer • Repeatedly provides randomly generated inputs to the program and checks the execution result.

10. Fuzz Testing run with program execution result crash Found bugs!

    crash PoC inputs

11. Fuzz Testing • Black-box • binary only • Grey-box •

    utilize some program information to guide fuzzing • White-box • get a full picture of program • e.g., symbolic execution

12. Fuzz Testing • Black-box • binary only • Grey-box •

    utilize some program information to guide fuzzing • White-box • get a full picture of program • e.g., symbolic execution

13. Coverage-Guided Fuzzing

14. Coverage-Guided Fuzzing • coverage metric • compute from program information

    • utilize coverage information to guide fuzzer increasing coverage percentage

15. Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed

    run with
 instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes
 save to seed pool No

16. Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed

    run with
 instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes
 save to seed pool No

17. Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed

    run with
 instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes
 save to seed pool No

18. Coverage-Guided Fuzzing • Coverage metric • code coverage • Capture

    program information • binary instrumentation • emulator • qemu, angr, qiling

19. Binary Instrumentation

20. Binary Instrumentation • Insert additional code into binary • Insert

    assembly • vanilla AFL • LLVM Pass - LLVM IR • AFL++ • LTO (Link Time Optimization)

21. Code Coverage

22. Code Coverage • coverage of code region • basic block

    • edge • Insert additional code at entries of code regions • code coverage -> bug coverage

23. Code Coverage basic block 1 basic block 2 basic block

    3

24. Code Coverage basic block 1 basic block 2 basic block

    3 instrumentation instrumentation instrumentation

25. Code Coverage basic block 1 basic block 2 basic block

    3 instrumentation instrumentation instrumentation 0 0 0 0 0 0 0 0 0 0 bitmap

26. Code Coverage basic block 1 basic block 2 basic block

    3 instrumentation instrumentation instrumentation 0 0 0 0 0 0 0 0 0 0 bitmap

27. Code Coverage basic block 1 basic block 2 basic block

    3 instrumentation instrumentation instrumentation 0 0 1 0 0 0 0 0 1 0 bitmap

28. Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed

    run with
 instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes
 save to seed pool No

29. Sanitizer

30. Sanitizer • bug detection • binary instrumentation • overhead •

    false-negative bugs

31. Sanitizer • AddressSanitizers (ASAN) • https://github.com/google/sanitizers • https://www.usenix.org/system/ fi les/conference/atc12/atc12-

    fi nal39.pdf • Unde fi ned Behavior Sanitizer (UBSAN) • MemorySanitizer (MSAN) • Leak-checker Sanitizer (LSAN)

32. Sanitizer - ASAN • heap, stack, global-bu ff er over

    fl ow • UAF - use after free • shadow memory • red zone buffer red zone red zone buffer

33. Coverage-Guided Fuzzers

34. AFL • american fuzzy lop • https://lcamtuf.coredump.cx/a fl / •

    https://github.com/google/AFL

35. AFL++ • https://github.com/AFLplusplus/AFLplusplus • AFL++ is a superior fork to

    Google's AFL - more speed, more and better mutations, more and better instrumentation, custom module support, etc. • cmplog: REDQUEEN • power schedule: AFLFast

36. AFL++

37. libfuzzer • LLVM • clang • https://llvm.org/docs/LibFuzzer.html • in-process fuzzing

    • fuzzing harness

38. syzkaller • kernel fuzzer • https://github.com/google/syzkaller

39. Fuzzing Research

40. Fuzzing • seed scheduling • AFLFast: Coverage-based Greybox Fuzzing as

    Markov Chain (CCS 2016) • MOPT: Optimize Mutation Scheduling for Fuzzers (USENIX 2019) • seed selection • seed corpus optimization • corpus minimization: OptiMin (ISSTA 2021) • initial seed selection • Seed Selection for Successful Fuzzing (ISSTA 2021)

41. Fuzzing - mutation • FairFuzz: A Targeted Mutation Strategy for

    Increasing Greybox Fuzz Testing Coverage (ASE 2018) • REDQUEEN: Fuzzing with Input-to-State Correspondence (NDSS2019) • GREYONE Data Flow Sensitive Fuzzing (USENIX 2020)

42. Fuzzing - Directed Grey-box Fuzzing • AFLGo: Directed Greybox Fuzzing

    (CCS 2017) • Hawkeye: Towards a Desired Directed Grey-box Fuzzer (CCS 2018) • SAVIOR: Towards Bug-Driven Hybrid Testing (S&P 2020) • ParmeSan: Sanitizer-guided Greybox Fuzzing (USENIX 2020) • Constraint-guided Directed Greybox Fuzzing (USENIX 2021)

43. Fuzzing - research topic • data fl aw analysis (DFA)

    • taint analysis • binary instrumentation • binary only • dynamic instrumentation • parallel fuzzing • ensemble fuzzing • EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers (USENIX 2019)

44. Fuzzing - research topic • symbolic execution • KLEESPECTRE: Detecting

    Information Leakage through Speculative Cache Attacks via Symbolic Execution • concolic execution • hybrid fuzzing • PANGOLIN: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction (S&P 2020)

45. Fuzz Something!

46. Fuzzing lab • https://github.com/yuawn/Mediatek-Fuzzing-Workshop

47. AFL++ • a fl -fuzz -i input -o output --

    ./binary • a fl -fuzz -i input -o output -- ./binary -a -b • a fl -fuzz -i input -o output -- ./binary -f @@

48. AFL++ - dictionary • a fl -fuzz -i input -o

    output -x xml.dict -- ./binary

49. AFL++ - parallel fuzzing • a fl -fuzz -M main

    -i input -o sync_dir -- ./binary • a fl -fuzz -S fuzzer2 -i input -o sync_dir -- ./binary • a fl -fuzz -S fuzzer3 -i input -o sync_dir -- ./binary

50. Summary

51. Summary • Fuzzing is a novel security testing technique •

    Product Security awareness • Building a secure world

52. Thanks!