
MediaTek Fuzzing Workshop

yuawn
November 26, 2021

MediaTek Fuzzing Workshop in HITCON 2021

Transcript

  1. Building a Secure World: Fuzzing 101 (yuawn)

  2. Outline • Product Security • Fuzz testing • Fuzzing Lab • AFL++ • Binary instrumentation - LLVM Pass
  3. Product Security

  4. Product Security - smart phone • Privacy • Photo, video, voice, SMS, notes, documents … • Credential • private keys, MFA, fingerprint, facial ID … • Wallet • credit cards, bank service, electronic payment …
  5. Product Security • 5G, IoT, intelligent vehicles, e-health, metaverse (VR, AR) • automotive chips, aviation, medical instruments, wearable devices • Cybersecurity risk
  6. Product Security • National security • The future of human security

  7. Product security is the front line of world security

  8. Fuzz Testing

  9. Fuzz Testing • Fuzzing • Automated software testing technique • bug finding • Fuzzer • Repeatedly provides randomly generated inputs to the program and checks the execution result.
  10. Fuzz Testing (flowchart: inputs → run with program → execution result → crash → Found bugs! (crash PoC inputs))
  11. Fuzz Testing • Black-box • binary only • Grey-box • utilize some program information to guide fuzzing • White-box • get a full picture of the program • e.g., symbolic execution
  13. Coverage-Guided Fuzzing

  14. Coverage-Guided Fuzzing • coverage metric • computed from program information • utilize coverage information to guide the fuzzer toward increasing coverage percentage
  15. Coverage-Guided Fuzzing (flowchart: seed pool → select a seed → mutation → mutated seed → run with instrumented binary → execution result; crash → Found bugs! (crash PoC); exit normally → new coverage? Yes → save to seed pool / No)
  18. Coverage-Guided Fuzzing • Coverage metric • code coverage • Capture program information • binary instrumentation • emulator • qemu, angr, qiling
  19. Binary Instrumentation

  20. Binary Instrumentation • Insert additional code into binary • Insert assembly • vanilla AFL • LLVM Pass - LLVM IR • AFL++ • LTO (Link Time Optimization)
  21. Code Coverage

  22. Code Coverage • coverage of code region • basic block • edge • Insert additional code at entries of code regions • code coverage -> bug coverage
  23. Code Coverage (figure: basic block 1, basic block 2, basic block 3)
  24. Code Coverage (figure: the same three basic blocks, each with an instrumentation stub at its entry)
  25. Code Coverage (figure: instrumented blocks plus a bitmap, all entries 0: 0 0 0 0 0 0 0 0 0 0)
  27. Code Coverage (figure: after a run, the bitmap entries for the executed blocks are set: 0 0 1 0 0 0 0 0 1 0)
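The Coverage-Guided Fuzzing flowchart (slide 15) and the bitmap from the code-coverage slides, as an added Python example that is not code from the workshop or its lab repository: a hand-instrumented toy target, a fixed-size edge bitmap filled with AFL's `cur_loc ^ prev_loc` recipe, and the select/mutate/run/save-on-new-coverage loop. The target, its block ids and the planted off-by-one are constructed for illustration.

```python
import random
MAP_SIZE = 64  # toy stand-in for AFL's 64 KiB shared-memory bitmap

def target(data, hit):  # constructed toy target, instrumented by hand; block ids are arbitrary
    hit(5)
    if len(data) > 0 and data[0] == ord("M"):
        hit(17)
        if len(data) > 1 and data[1] == ord("T"):
            hit(33)
            if len(data) > 2 and data[2] == ord("K"):
                hit(49)
                body = bytearray(3)
                body[len(data) - 1] = 0  # planted bug: off-by-one for a 4-byte input

def run_once(data):  # run the instrumented target once -> (edge bitmap, exception or None)
    bitmap, prev = bytearray(MAP_SIZE), [0]
    def hit(cur):  # the stub AFL's instrumentation emits at every basic-block entry
        bitmap[cur ^ prev[0]] = 1  # slot = cur_loc ^ prev_loc identifies the edge prev -> cur
        prev[0] = cur >> 1         # prev_loc = cur_loc >> 1 keeps A -> B and B -> A apart
    try:
        target(data, hit)
        return bitmap, None
    except IndexError as exc:  # stands in for a real crash signal (SIGSEGV, ASAN report)
        return bitmap, exc

def mutate(rng, data):  # length-preserving mutation: flip one bit or overwrite one byte
    buf, pos = bytearray(data), rng.randrange(len(data))
    buf[pos] = (buf[pos] ^ (1 << rng.randrange(8))) if rng.random() < 0.5 else rng.randrange(256)
    return bytes(buf)

def has_new_bits(bitmap, virgin):  # record edges not yet in the global map
    new = [i for i, seen in enumerate(bitmap) if seen and not virgin[i]]
    for i in new:
        virgin[i] = 1
    return bool(new)

def fuzz(seeds, max_iters, rng_seed=1):
    """The slide's loop: select seed, mutate, run; keep on new coverage, stop on crash."""
    rng, pool, crashes, virgin = random.Random(rng_seed), list(seeds), [], bytearray(MAP_SIZE)
    for s in pool:  # coverage of the initial corpus is known, not "new"
        has_new_bits(run_once(s)[0], virgin)
    for _ in range(max_iters):
        cand = mutate(rng, rng.choice(pool))
        bitmap, crash = run_once(cand)
        if crash is not None:
            crashes.append(cand)  # found a bug: save the crash PoC input
            break
        if has_new_bits(bitmap, virgin):
            pool.append(cand)  # exited normally with new coverage: save to seed pool
    return pool, crashes, sum(virgin)
```

Running `fuzz([b"AAAA"], 200000)` grows the pool only when a mutant reaches a new edge (first the `M` prefix, then `MT`), which is why three independent random byte hits are found in thousands rather than millions of iterations; the first `MTK` input is returned as the crash PoC.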
  29. Sanitizer

  30. Sanitizer • bug detection • binary instrumentation • overhead • false-negative bugs
  31. Sanitizer • AddressSanitizer (ASAN) • https://github.com/google/sanitizers • https://www.usenix.org/system/files/conference/atc12/atc12-final39.pdf • Undefined Behavior Sanitizer (UBSAN) • MemorySanitizer (MSAN) • Leak-checker Sanitizer (LSAN)
  32. Sanitizer - ASAN • heap, stack, global-buffer overflow • UAF - use after free • shadow memory • red zone (figure: red zone | buffer | red zone | red zone | buffer)
  33. Coverage-Guided Fuzzers

  34. AFL • american fuzzy lop • https://lcamtuf.coredump.cx/afl/ • https://github.com/google/AFL
  35. AFL++ • https://github.com/AFLplusplus/AFLplusplus • AFL++ is a superior fork to Google's AFL - more speed, more and better mutations, more and better instrumentation, custom module support, etc. • cmplog: REDQUEEN • power schedule: AFLFast
  36. AFL++

  37. libfuzzer • LLVM • clang • https://llvm.org/docs/LibFuzzer.html • in-process fuzzing • fuzzing harness
  38. syzkaller • kernel fuzzer • https://github.com/google/syzkaller

  39. Fuzzing Research

  40. Fuzzing • seed scheduling • AFLFast: Coverage-based Greybox Fuzzing as Markov Chain (CCS 2016) • MOPT: Optimized Mutation Scheduling for Fuzzers (USENIX 2019) • seed selection • seed corpus optimization • corpus minimization: OptiMin (ISSTA 2021) • initial seed selection • Seed Selection for Successful Fuzzing (ISSTA 2021)
  41. Fuzzing - mutation • FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage (ASE 2018) • REDQUEEN: Fuzzing with Input-to-State Correspondence (NDSS 2019) • GREYONE: Data Flow Sensitive Fuzzing (USENIX 2020)
  42. Fuzzing - Directed Grey-box Fuzzing • AFLGo: Directed Greybox Fuzzing (CCS 2017) • Hawkeye: Towards a Desired Directed Grey-box Fuzzer (CCS 2018) • SAVIOR: Towards Bug-Driven Hybrid Testing (S&P 2020) • ParmeSan: Sanitizer-guided Greybox Fuzzing (USENIX 2020) • Constraint-guided Directed Greybox Fuzzing (USENIX 2021)
  43. Fuzzing - research topic • data flow analysis (DFA) • taint analysis • binary instrumentation • binary only • dynamic instrumentation • parallel fuzzing • ensemble fuzzing • EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers (USENIX 2019)
  44. Fuzzing - research topic • symbolic execution • KLEESPECTRE: Detecting Information Leakage through Speculative Cache Attacks via Symbolic Execution • concolic execution • hybrid fuzzing • PANGOLIN: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction (S&P 2020)
  45. Fuzz Something!

  46. Fuzzing lab • https://github.com/yuawn/Mediatek-Fuzzing-Workshop

  47. AFL++ • afl-fuzz -i input -o output -- ./binary • afl-fuzz -i input -o output -- ./binary -a -b • afl-fuzz -i input -o output -- ./binary -f @@
  48. AFL++ - dictionary • afl-fuzz -i input -o output -x xml.dict -- ./binary
  49. AFL++ - parallel fuzzing • afl-fuzz -M main -i input -o sync_dir -- ./binary • afl-fuzz -S fuzzer2 -i input -o sync_dir -- ./binary • afl-fuzz -S fuzzer3 -i input -o sync_dir -- ./binary
  50. Summary

  51. Summary • Fuzzing is a novel security testing technique • Product Security awareness • Building a secure world
  52. Thanks!