MediaTek Fuzzing Workshop in HITCON 2021
yuawn
November 26, 2021
Transcript
Building a Secure World: Fuzzing 101 (yuawn)
Outline
• Product Security
• Fuzz testing
• Fuzzing Lab
  • AFL++
  • Binary instrumentation - LLVM Pass
Product Security
Product Security - smart phone
• Privacy
  • Photo, video, voice, SMS, notes, documents …
• Credential
  • private keys, MFA, fingerprint, facial ID …
• Wallet
  • credit cards, bank service, electronic payment …
Product Security
• 5G, IoT, intelligent vehicles, e-health, metaverse (VR, AR)
• automotive chips, aviation, medical instruments, wearable devices
• Cybersecurity risk
Product Security
• National security
• A safe future for humanity
Product security is the first line of defense for a secure world
Fuzz Testing
Fuzz Testing
• Fuzzing
  • Automated software testing technique
  • bug finding
• Fuzzer
  • Repeatedly provides randomly generated inputs to the program and checks the execution result.
Fuzz Testing (diagram): inputs → run with program → execution result → crash → Found bugs! (crash PoC)
Fuzz Testing
• Black-box
  • binary only
• Grey-box
  • utilize some program information to guide fuzzing
• White-box
  • get a full picture of the program
  • e.g., symbolic execution
Coverage-Guided Fuzzing
Coverage-Guided Fuzzing
• coverage metric
  • computed from program information
• utilize coverage information to guide the fuzzer toward increasing coverage percentage
Coverage-Guided Fuzzing (diagram): seed pool → select a seed → mutation → mutated seed → run with instrumented binary → execution result: crash → Found bugs! (crash PoC); exit normally → new coverage? Yes → save to seed pool, No → loop back
Coverage-Guided Fuzzing
• Coverage metric
  • code coverage
• Capture program information
  • binary instrumentation
  • emulator
    • qemu, angr, qiling
Binary Instrumentation
Binary Instrumentation
• Insert additional code into the binary
• Insert assembly
  • vanilla AFL
• LLVM Pass - LLVM IR
  • AFL++
  • LTO (Link Time Optimization)
Code Coverage
Code Coverage
• coverage of code regions
  • basic block
  • edge
• Insert additional code at the entries of code regions
• code coverage -> bug coverage
Code Coverage (diagram): basic block 1, basic block 2 and basic block 3, each with instrumentation inserted at its entry; the instrumentation writes into a coverage bitmap that starts all zero (0 0 0 0 0 0 0 0 0 0) and, once the executed blocks have been hit, has the corresponding entries set (0 0 1 0 0 0 0 0 1 0)
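The coverage-guided loop and the bitmap instrumentation from the slides above, as an added example in C that is not part of the deck or of the workshop lab repository. The target, its basic-block ids and the INSTRUMENT() macro are constructed stand-ins for the code an AFL-style compiler pass inserts at every basic-block entry; the edge hashing into the bitmap (`cur ^ prev`, then `prev = cur >> 1`) follows the AFL scheme, while hit-count bucketing and AFL's other heuristics are left out. The bug is signalled by return value so the whole demo runs in one process; a real target would segfault or trip a sanitizer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAP_SIZE  4096   /* edge-coverage bitmap (AFL uses 65536 entries) */
#define MAX_INPUT 16
#define MAX_SEEDS 256

static uint8_t  trace_bits[MAP_SIZE];   /* edges hit by the current execution */
static uint8_t  virgin_bits[MAP_SIZE];  /* edges ever hit across all executions */
static uint32_t prev_loc;

/* Stand-in for what an AFL-style pass inserts at each basic-block entry: the
 * block id is xor-ed with the shifted id of the previous block, so the bitmap
 * slot identifies an edge (A->B differs from B->A), not just a block. */
#define INSTRUMENT(cur_loc) do {                         \
        trace_bits[((cur_loc) ^ prev_loc) % MAP_SIZE]++; \
        prev_loc = (cur_loc) >> 1;                       \
    } while (0)

/* Constructed target: one comparison per basic block guards a 4-byte magic;
 * the "crash" behind it is reported by returning -1 (assumption for the demo). */
static int target(const uint8_t *buf, size_t len) {
    INSTRUMENT(0x1234);
    if (len < 5 || buf[0] != 'F') return 0;
    INSTRUMENT(0x2345);
    if (buf[1] != 'U') return 0;
    INSTRUMENT(0x3456);
    if (buf[2] != 'Z') return 0;
    INSTRUMENT(0x4567);
    if (buf[3] != 'Z') return 0;
    INSTRUMENT(0x5678);
    if (buf[4] > 8) return -1;              /* bug: record length never validated */
    INSTRUMENT(0x6789);
    return 0;
}

typedef struct { uint8_t data[MAX_INPUT]; size_t len; } seed_t;
static seed_t pool[MAX_SEEDS];
static size_t pool_len;

static uint64_t rng_state = 0x9E3779B97F4A7C15ull;   /* fixed seed: reproducible run */
static uint32_t rnd(void) {                           /* xorshift64* */
    rng_state ^= rng_state >> 12;
    rng_state ^= rng_state << 25;
    rng_state ^= rng_state >> 27;
    return (uint32_t)((rng_state * 0x2545F4914F6CDD1Dull) >> 32);
}

/* Havoc-style mutation: one random bit flip, byte overwrite, append or truncate. */
static void mutate(seed_t *s) {
    switch (rnd() % 4) {
    case 0:  s->data[rnd() % s->len] ^= (uint8_t)(1u << (rnd() % 8)); break;
    case 1:  s->data[rnd() % s->len] = (uint8_t)rnd(); break;
    case 2:  if (s->len < MAX_INPUT) s->data[s->len++] = (uint8_t)rnd(); break;
    default: if (s->len > 1) s->len--; break;
    }
}

/* Execute one input. Returns 1 on crash; *new_cov is set if the run hit an edge
 * no earlier input had (AFL++ additionally buckets hit counts, omitted here). */
static int run_one(const seed_t *in, int *new_cov) {
    memset(trace_bits, 0, sizeof trace_bits);
    prev_loc = 0;
    int crashed = target(in->data, in->len) != 0;
    *new_cov = 0;
    for (size_t i = 0; i < MAP_SIZE; i++)
        if (trace_bits[i] && !virgin_bits[i]) { virgin_bits[i] = 1; *new_cov = 1; }
    return crashed;
}

static size_t count_edges(void) {        /* distinct edges discovered so far */
    size_t n = 0;
    for (size_t i = 0; i < MAP_SIZE; i++) n += virgin_bits[i];
    return n;
}

/* The loop from the slide. Returns the execution number at which a crash was
 * found (PoC copied to *poc), or 0 if none was found within max_execs. */
static unsigned long fuzz(const uint8_t *seed, size_t seed_len,
                          unsigned long max_execs, seed_t *poc) {
    int new_cov;
    if (seed_len > MAX_INPUT) seed_len = MAX_INPUT;
    memset(virgin_bits, 0, sizeof virgin_bits);
    memcpy(pool[0].data, seed, seed_len);
    pool[0].len = seed_len;
    pool_len = 1;
    run_one(&pool[0], &new_cov);                    /* dry run of the initial seed */
    for (unsigned long n = 1; n <= max_execs; n++) {
        seed_t cur = pool[rnd() % pool_len];         /* select a seed */
        mutate(&cur);                                /* mutation -> mutated seed */
        if (run_one(&cur, &new_cov)) { *poc = cur; return n; }   /* crash: Found bugs! */
        if (new_cov && pool_len < MAX_SEEDS) pool[pool_len++] = cur; /* new coverage: save */
    }
    return 0;
}

int main(void) {
    seed_t poc;
    unsigned long n = fuzz((const uint8_t *)"AAAAA", 5, 2000000, &poc);
    if (!n) { puts("no crash found"); return 1; }
    printf("crash after %lu executions, %zu edges, PoC:", n, count_edges());
    for (size_t i = 0; i < poc.len; i++) printf(" %02x", poc.data[i]);
    putchar('\n');
    return 0;
}
```

Each magic byte that matches opens one new edge, so the input that reaches it is kept and the next byte is searched from there; without the coverage feedback the same mutator would have to hit all four bytes at once (one chance in 2^32 per attempt), which is the whole point of the "new coverage? save to seed pool" step.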
Sanitizer
Sanitizer
• bug detection
• binary instrumentation
• overhead
• fewer false negatives: memory errors that do not crash on their own are still reported
Sanitizer
• AddressSanitizer (ASAN)
  • https://github.com/google/sanitizers
  • https://www.usenix.org/system/files/conference/atc12/atc12-final39.pdf
• UndefinedBehaviorSanitizer (UBSAN)
• MemorySanitizer (MSAN)
• LeakSanitizer (LSAN)
Sanitizer - ASAN
• heap, stack, global-buffer overflow
• UAF - use after free
• shadow memory
• red zone
(diagram: red zone | buffer | red zone | buffer | red zone — every buffer is separated from its neighbours by poisoned red zones)
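An added illustration of the mechanism on this slide, not ASAN's own code and not from the deck: a toy redzone allocator with 8:1 shadow memory and the access check ASAN inlines before every load and store. The arena, the 32-byte REDZONE and the bump allocator are assumptions made for the demo; the shadow encoding (0 = whole 8-byte granule addressable, 1..7 = only the first k bytes, negative = poisoned) and the 0xfa (heap redzone) / 0xfd (freed heap) magic values are the ones ASAN uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE   4096
#define REDZONE      32                  /* poisoned bytes on each side of a chunk (demo choice) */
#define HEAP_REDZONE ((int8_t)0xfa)      /* ASAN shadow value: heap redzone */
#define HEAP_FREED   ((int8_t)0xfd)      /* ASAN shadow value: freed heap region */

/* Application memory and its shadow: one shadow byte per 8-byte granule. */
static _Alignas(8) uint8_t arena[ARENA_SIZE];
static int8_t shadow[ARENA_SIZE / 8];
static size_t arena_top;                 /* bump allocator: freed chunks are never reused */

static int8_t *shadow_of(const void *p) {
    return &shadow[((const uint8_t *)p - arena) >> 3];
}

void *asan_malloc(size_t n) {
    size_t user = (n + 7) & ~(size_t)7;                 /* round up to whole granules */
    if (n == 0 || arena_top + REDZONE + user + REDZONE > ARENA_SIZE) return NULL;
    uint8_t *left = arena + arena_top;
    uint8_t *p = left + REDZONE;
    arena_top += REDZONE + user + REDZONE;
    *(size_t *)left = n;                                /* chunk header lives in the left redzone */
    memset(shadow_of(left), HEAP_REDZONE, REDZONE / 8);
    memset(shadow_of(p), 0, user / 8);                  /* user bytes addressable ...            */
    if (n & 7) shadow_of(p)[n / 8] = (int8_t)(n & 7);   /* ... except the tail of the last granule */
    memset(shadow_of(p + user), HEAP_REDZONE, REDZONE / 8);
    return p;
}

/* Freed chunks stay poisoned (ASAN parks them in a quarantine), so a later
 * access is reported as use-after-free instead of silently reading new data. */
void asan_free(void *p) {
    size_t n = *(size_t *)((uint8_t *)p - REDZONE);
    memset(shadow_of(p), HEAP_FREED, ((n + 7) & ~(size_t)7) / 8);
}

enum { ASAN_OK = 0, ASAN_HEAP_BUFFER_OVERFLOW = 1, ASAN_USE_AFTER_FREE = 2 };

/* The check inlined before each load/store of `size` (<= 8) bytes at p. */
int asan_check(const void *p, size_t size) {
    uintptr_t a = (uintptr_t)p;
    if (a < (uintptr_t)arena || a >= (uintptr_t)arena + ARENA_SIZE) return ASAN_OK; /* not ours */
    int8_t k = *shadow_of(p);
    if (k == 0) return ASAN_OK;                        /* fast path: whole granule addressable */
    if ((int)((a & 7) + size - 1) >= k)                /* last byte touched lies beyond k */
        return k == HEAP_FREED ? ASAN_USE_AFTER_FREE : ASAN_HEAP_BUFFER_OVERFLOW;
    return ASAN_OK;
}

int main(void) {
    uint8_t *buf = asan_malloc(13);                  /* second granule is partial: k = 5 */
    printf("buf[12]    -> %d\n", asan_check(buf + 12, 1));   /* in bounds */
    printf("buf[13]    -> %d\n", asan_check(buf + 13, 1));   /* one past the end */
    printf("buf[8..15] -> %d\n", asan_check(buf + 8, 8));    /* 8-byte read over the tail */
    printf("buf[-1]    -> %d\n", asan_check(buf - 1, 1));    /* left redzone */
    asan_free(buf);
    printf("after free -> %d\n", asan_check(buf, 1));        /* use-after-free */
    return 0;
}
```

The partial-granule value is what lets ASAN catch a 1-byte overflow of a 13-byte buffer even though the allocation is padded to 16 bytes, and the negative values let the same comparison classify the error kind for the report; the cost is the shadow lookup and compare on every memory access, which is the overhead the slide mentions.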
Coverage-Guided Fuzzers
AFL
• american fuzzy lop
• https://lcamtuf.coredump.cx/afl/
• https://github.com/google/AFL
AFL++
• https://github.com/AFLplusplus/AFLplusplus
• AFL++ is a superior fork to Google's AFL - more speed, more and better mutations, more and better instrumentation, custom module support, etc.
• cmplog: REDQUEEN
• power schedule: AFLFast
libFuzzer
• LLVM
• clang
• https://llvm.org/docs/LibFuzzer.html
• in-process fuzzing
• fuzzing harness
syzkaller
• kernel fuzzer
• https://github.com/google/syzkaller
Fuzzing Research
Fuzzing
• seed scheduling
  • AFLFast: Coverage-based Greybox Fuzzing as Markov Chain (CCS 2016)
  • MOPT: Optimized Mutation Scheduling for Fuzzers (USENIX 2019)
• seed selection
  • seed corpus optimization
    • corpus minimization: OptiMin (ISSTA 2021)
  • initial seed selection
    • Seed Selection for Successful Fuzzing (ISSTA 2021)
Fuzzing - mutation
• FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage (ASE 2018)
• REDQUEEN: Fuzzing with Input-to-State Correspondence (NDSS 2019)
• GREYONE: Data Flow Sensitive Fuzzing (USENIX 2020)
Fuzzing - Directed Grey-box Fuzzing
• AFLGo: Directed Greybox Fuzzing (CCS 2017)
• Hawkeye: Towards a Desired Directed Grey-box Fuzzer (CCS 2018)
• SAVIOR: Towards Bug-Driven Hybrid Testing (S&P 2020)
• ParmeSan: Sanitizer-guided Greybox Fuzzing (USENIX 2020)
• Constraint-guided Directed Greybox Fuzzing (USENIX 2021)
Fuzzing - research topic
• data flow analysis (DFA)
  • taint analysis
• binary instrumentation
  • binary only
  • dynamic instrumentation
• parallel fuzzing
• ensemble fuzzing
  • EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers (USENIX 2019)
Fuzzing - research topic
• symbolic execution
  • KLEESPECTRE: Detecting Information Leakage through Speculative Cache Attacks via Symbolic Execution
• concolic execution
• hybrid fuzzing
  • PANGOLIN: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction (S&P 2020)
Fuzz Something!
Fuzzing lab
• https://github.com/yuawn/Mediatek-Fuzzing-Workshop
AFL++
• afl-fuzz -i input -o output -- ./binary (the target reads the test case from stdin)
• afl-fuzz -i input -o output -- ./binary -a -b (the target's own arguments follow it)
• afl-fuzz -i input -o output -- ./binary -f @@ (@@ is replaced with the path of the current test-case file)
AFL++ - dictionary
• afl-fuzz -i input -o output -x xml.dict -- ./binary
AFL++ - parallel fuzzing
• afl-fuzz -M main -i input -o sync_dir -- ./binary
• afl-fuzz -S fuzzer2 -i input -o sync_dir -- ./binary
• afl-fuzz -S fuzzer3 -i input -o sync_dir -- ./binary
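An added example harness for the lab, not the workshop repository's code: it supports both invocation styles from the slide, stdin (using AFL++ persistent mode when built with afl-clang-fast) and the `@@` file argument. The record format, `parse_records` and its deliberate bug are constructed for this example; the fallback macro block is adapted from AFL++'s persistent-mode documentation so that the same file also builds and runs with a plain compiler. Build with `afl-clang-fast -fsanitize=address -g harness.c -o harness`, then run either `afl-fuzz -i input -o output -- ./harness` or `afl-fuzz -i input -o output -- ./harness @@`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Built with a plain compiler, AFL++'s persistent-mode macros do not exist;
 * this fallback (adapted from AFL++'s persistent-mode documentation) makes
 * the same source run once on stdin so it can be built and tested normally. */
#ifndef __AFL_FUZZ_TESTCASE_LEN
static ssize_t fuzz_len;
static unsigned char fuzz_buf[1024000];
#define __AFL_FUZZ_TESTCASE_LEN fuzz_len
#define __AFL_FUZZ_TESTCASE_BUF fuzz_buf
#define __AFL_FUZZ_INIT() void sync(void)
#define __AFL_LOOP(x) ((fuzz_len = read(0, fuzz_buf, sizeof(fuzz_buf))) > 0 ? 1 : 0)
#define __AFL_INIT() sync()
#endif

__AFL_FUZZ_INIT();

#define MAX_PAYLOAD 64
#define MAX_TOTAL   128

/* Constructed toy format: u8 count, then `count` records of (u8 len, payload).
 * Returns the record count, or -1 if malformed; *xor_out receives the xor of
 * all payload bytes. Deliberate bug for the fuzzer to find: each record's len
 * is checked, but the running total copied into all[] is not, so three
 * 64-byte records overflow the stack buffer (ASAN: stack-buffer-overflow). */
int parse_records(const uint8_t *buf, size_t n, uint8_t *xor_out) {
    uint8_t all[MAX_TOTAL];
    size_t off = 1, total = 0;
    if (n < 1) return -1;
    uint8_t count = buf[0];
    for (uint8_t i = 0; i < count; i++) {
        if (off >= n) return -1;                  /* truncated: no length byte */
        uint8_t len = buf[off++];
        if (len > MAX_PAYLOAD) return -1;         /* per-record limit is enforced ...   */
        if (off + len > n) return -1;             /* truncated payload */
        memcpy(all + total, buf + off, len);      /* ... the running total is not (bug) */
        total += len;
        off += len;
    }
    uint8_t x = 0;
    for (size_t i = 0; i < total; i++) x ^= all[i];
    *xor_out = x;
    return count;
}

int main(int argc, char **argv) {
    uint8_t x = 0;

    if (argc > 1) {                 /* "@@" mode: afl-fuzz substitutes the test-case path */
        FILE *f = fopen(argv[1], "rb");
        if (!f) return 1;
        uint8_t *data = malloc(1024000);          /* heap buffer: ASAN also catches over-reads */
        if (!data) { fclose(f); return 1; }
        size_t n = fread(data, 1, 1024000, f);
        fclose(f);
        parse_records(data, n, &x);
        free(data);
        return 0;
    }

#ifdef __AFL_HAVE_MANUAL_CONTROL
    __AFL_INIT();                   /* deferred forkserver: fork only after setup is done */
#endif
    unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF;   /* must be read after __AFL_INIT */
    while (__AFL_LOOP(10000)) {     /* persistent mode: 10000 test cases per process */
        size_t n = (size_t)__AFL_FUZZ_TESTCASE_LEN;
        parse_records(buf, n, &x);
    }
    return 0;
}
```

Persistent mode over the shared-memory test case avoids one fork and one file read per execution, which is why the stdin form is the faster one here; the `@@` form is what to use when the target insists on a path. Keep the harness free of state that survives between iterations, otherwise a crash found in iteration n may not reproduce when afl-fuzz re-runs the saved PoC on its own.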
Summary
Summary
• Fuzzing is an effective automated security testing technique
• Product Security awareness
• Building a secure world
Thanks!