MediaTek Fuzzing Workshop

Building a Secure World

Fuzzing 101
yuawn

View Slide

Outline
• Product Security

• Fuzz testing

• Fuzzing Lab

• AFL++

• Binary instrumentation - LLVM Pass

View Slide

Product Security

View Slide

Product Security - smart phone
• Privacy

• Photo, video, voice, SMS, notes, documents …

• Credential

• private keys, MFA,
fi
ngerprint, facial ID …

• Wallet

• credit cards, bank service, electronic payment …

View Slide

Product Security
• 5G, IoT, intelligent vehicles, e-health, metaverse (VR, AR)

• ⾞⽤晶片、航空、醫療儀器、穿戴裝置

• Cybersecurity risk

View Slide

Product Security
• 國安

• ⼈類安全的未來

View Slide

產品安全

是世界安全的第⼀線

View Slide

Fuzz Testing

View Slide

Fuzz Testing
• Fuzzing

• Automated software testing technique

• bug
fi
nding

• Fuzzer

• Repeatedly provides randomly generated inputs to the program and
checks the execution result.

View Slide

Fuzz Testing
run with program
execution result
crash
Found bugs!
crash PoC
inputs

View Slide

Fuzz Testing
• Black-box

• binary only

• Grey-box

• utilize some program information to guide fuzzing

• White-box

• get a full picture of program

• e.g., symbolic execution

View Slide

Coverage-Guided Fuzzing

View Slide

• coverage metric

• compute from program information

• utilize coverage information to guide fuzzer increasing coverage
percentage

View Slide

seed pool
select a seed mutation
mutated seed
run with 
instrumented binary
execution result
crash
Found bugs!
crash PoC
exit normally
new coverage?
Yes 
save to seed pool
No

View Slide

• Coverage metric

• code coverage

• Capture program information

• binary instrumentation

• emulator

• qemu, angr, qiling

View Slide

Binary Instrumentation

View Slide

Binary Instrumentation
• Insert additional code into binary

• Insert assembly

• vanilla AFL

• LLVM Pass - LLVM IR

• AFL++

• LTO (Link Time Optimization)

View Slide

Code Coverage

View Slide

Code Coverage
• coverage of code region

• basic block

• edge

• Insert additional code at entries of code regions

• code coverage -> bug coverage

View Slide

Code Coverage
basic block 1
basic block 2 basic block 3

View Slide

Code Coverage
basic block 1
instrumentation instrumentation
instrumentation

View Slide

Code Coverage
basic block 1
instrumentation
0 0 0 0 0 0 0 0 0 0
bitmap

View Slide

Code Coverage
basic block 1
instrumentation
0 0 1 0 0 0 0 0 1 0
bitmap

View Slide

seed pool
select a seed mutation
mutated seed
run with 
instrumented binary
execution result
crash
Found bugs!
crash PoC
exit normally
new coverage?
Yes 
save to seed pool
No

View Slide

Sanitizer

View Slide

Sanitizer
• bug detection


• overhead

• false-negative bugs

View Slide

Sanitizer
• AddressSanitizers (ASAN)

• https://github.com/google/sanitizers

• https://www.usenix.org/system/
fi
les/conference/atc12/atc12-
fi
nal39.pdf

• Unde
fi
ned Behavior Sanitizer (UBSAN)

• MemorySanitizer (MSAN)

• Leak-checker Sanitizer (LSAN)

View Slide

Sanitizer - ASAN
• heap, stack, global-bu
ff
er over
fl
ow

• UAF - use after free

• shadow memory

• red zone
buffer
red zone red zone buffer

View Slide

Coverage-Guided Fuzzers

View Slide

AFL
• american fuzzy lop

• https://lcamtuf.coredump.cx/a
fl
/

• https://github.com/google/AFL

View Slide

AFL++
• https://github.com/AFLplusplus/AFLplusplus

• AFL++ is a superior fork to Google's AFL - more speed, more and better
mutations, more and better instrumentation, custom module support,
etc.

• cmplog: REDQUEEN

• power schedule: AFLFast

View Slide

AFL++

View Slide

libfuzzer
• LLVM

• clang

• https://llvm.org/docs/LibFuzzer.html

• in-process fuzzing

• fuzzing harness

View Slide

syzkaller
• kernel fuzzer

• https://github.com/google/syzkaller

View Slide

Fuzzing Research

View Slide

Fuzzing
• seed scheduling

• AFLFast: Coverage-based Greybox Fuzzing as Markov Chain (CCS 2016)

• MOPT: Optimize Mutation Scheduling for Fuzzers (USENIX 2019)

• seed selection

• seed corpus optimization

• corpus minimization: OptiMin (ISSTA 2021)

• initial seed selection

• Seed Selection for Successful Fuzzing (ISSTA 2021)

View Slide

Fuzzing - mutation
• FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz
Testing Coverage (ASE 2018)

• REDQUEEN: Fuzzing with Input-to-State Correspondence (NDSS2019)

• GREYONE Data Flow Sensitive Fuzzing (USENIX 2020)

View Slide

Fuzzing - Directed Grey-box Fuzzing
• AFLGo: Directed Greybox Fuzzing (CCS 2017)

• Hawkeye: Towards a Desired Directed Grey-box Fuzzer (CCS 2018)

• SAVIOR: Towards Bug-Driven Hybrid Testing (S&P 2020)

• ParmeSan: Sanitizer-guided Greybox Fuzzing (USENIX 2020)

• Constraint-guided Directed Greybox Fuzzing (USENIX 2021)

View Slide

Fuzzing - research topic
• data
fl
aw analysis (DFA)

• taint analysis


• binary only

• dynamic instrumentation

• parallel fuzzing

• ensemble fuzzing

• EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers
(USENIX 2019)

View Slide

Fuzzing - research topic
• symbolic execution

• KLEESPECTRE: Detecting Information Leakage through Speculative
Cache Attacks via Symbolic Execution

• concolic execution

• hybrid fuzzing

• PANGOLIN: Incremental Hybrid Fuzzing with Polyhedral Path
Abstraction (S&P 2020)

View Slide

Fuzz Something!

View Slide

Fuzzing lab
• https://github.com/yuawn/Mediatek-Fuzzing-Workshop

View Slide

AFL++
• a
fl
-fuzz -i input -o output -- ./binary

• a
fl
-fuzz -i input -o output -- ./binary -a -b

• a
fl
-fuzz -i input -o output -- ./binary -f @@

View Slide

AFL++ - dictionary
• a
fl
-fuzz -i input -o output -x xml.dict -- ./binary

View Slide

AFL++ - parallel fuzzing
• a
fl
-fuzz -M main -i input -o sync_dir -- ./binary

• a
fl
-fuzz -S fuzzer2 -i input -o sync_dir -- ./binary

• a
fl
-fuzz -S fuzzer3 -i input -o sync_dir -- ./binary

View Slide

Summary

View Slide

Summary
• Fuzzing is a novel security testing technique

• Product Security awareness

• Building a secure world

View Slide

Thanks!

View Slide

MediaTek Fuzzing Workshop

MediaTek Fuzzing Workshop

yuawn

More Decks by yuawn

Other Decks in Education

Featured

Transcript