Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
MediaTek Fuzzing Workshop
Search
yuawn
November 26, 2021
Education
2
1.3k
MediaTek Fuzzing Workshop
MediaTek Fuzzing Workshop in HITCON 2021
yuawn
November 26, 2021
Tweet
Share
More Decks by yuawn
See All by yuawn
Kernel Exploitation
yuawn
4
3.5k
Heap Exploitation
yuawn
2
1.5k
Binary Exploitation
yuawn
2
1.7k
Binary Exploitation - Basic
yuawn
2
3.3k
HITCON Badge 2019 - MCU ARM TrustZone Challenge
yuawn
2
420
Other Decks in Education
See All in Education
Gaps in Therapy in IBD - IBDInnovate 2025 CCF
higgi13425
0
500
i-GIP 2025 中高生のみなさんへ資料
202200
0
500
The Art of Note Taking
kanaya
1
140
Education-JAWS #3 ~教育現場に、AWSのチカラを~
masakiokuda
0
180
モンテカルロ法(3) 発展的アルゴリズム / Simulation 04
kaityo256
PRO
7
1.3k
2025年度春学期 統計学 第10回 分布の推測とは ー 標本調査,度数分布と確率分布 (2025. 6. 12)
akiraasano
PRO
0
150
View Manipulation and Reduction - Lecture 9 - Information Visualisation (4019538FNR)
signer
PRO
1
2.1k
推しのコミュニティはなんぼあってもいい / Let's join a lot of communities.
kaga
2
1.8k
2025年度春学期 統計学 第6回 データの関係を知る(1)ー相関関係 (2025. 5. 15)
akiraasano
PRO
0
100
マネジメント「される側」 こそ覚悟を決めろ
nao_randd
10
5.4k
生成AIとの上手な付き合い方【公開版】/ How to Get Along Well with Generative AI (Public Version)
handlename
0
500
新卒研修に仕掛ける 学びのサイクル / Implementing Learning Cycles in New Graduate Training
takashi_toyosaki
1
170
Featured
See All Featured
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
60k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
35
2.4k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
A Modern Web Designer's Workflow
chriscoyier
695
190k
4 Signs Your Business is Dying
shpigford
184
22k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.6k
The Pragmatic Product Professional
lauravandoore
35
6.7k
How to Think Like a Performance Engineer
csswizardry
25
1.7k
Thoughts on Productivity
jonyablonski
69
4.7k
Writing Fast Ruby
sferik
628
62k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Transcript
Building a Secure World Fuzzing 101 yuawn
Outline • Product Security • Fuzz testing • Fuzzing Lab
• AFL++ • Binary instrumentation - LLVM Pass
Product Security
Product Security - smart phone • Privacy • Photo, video,
voice, SMS, notes, documents … • Credential • private keys, MFA, fi ngerprint, facial ID … • Wallet • credit cards, bank service, electronic payment …
Product Security • 5G, IoT, intelligent vehicles, e-health, metaverse (VR,
AR) • ⾞⽤晶片、航空、醫療儀器、穿戴裝置 • Cybersecurity risk
Product Security • 國安 • ⼈類安全的未來
產品安全 是世界安全的第⼀線
Fuzz Testing
Fuzz Testing • Fuzzing • Automated software testing technique •
bug fi nding • Fuzzer • Repeatedly provides randomly generated inputs to the program and checks the execution result.
Fuzz Testing run with program execution result crash Found bugs!
crash PoC inputs
Fuzz Testing • Black-box • binary only • Grey-box •
utilize some program information to guide fuzzing • White-box • get a full picture of program • e.g., symbolic execution
Fuzz Testing • Black-box • binary only • Grey-box •
utilize some program information to guide fuzzing • White-box • get a full picture of program • e.g., symbolic execution
Coverage-Guided Fuzzing
Coverage-Guided Fuzzing • coverage metric • compute from program information
• utilize coverage information to guide fuzzer increasing coverage percentage
Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed
run with instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes save to seed pool No
Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed
run with instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes save to seed pool No
Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed
run with instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes save to seed pool No
Coverage-Guided Fuzzing • Coverage metric • code coverage • Capture
program information • binary instrumentation • emulator • qemu, angr, qiling
Binary Instrumentation
Binary Instrumentation • Insert additional code into binary • Insert
assembly • vanilla AFL • LLVM Pass - LLVM IR • AFL++ • LTO (Link Time Optimization)
Code Coverage
Code Coverage • coverage of code region • basic block
• edge • Insert additional code at entries of code regions • code coverage -> bug coverage
Code Coverage basic block 1 basic block 2 basic block
3
Code Coverage basic block 1 basic block 2 basic block
3 instrumentation instrumentation instrumentation
Code Coverage basic block 1 basic block 2 basic block
3 instrumentation instrumentation instrumentation 0 0 0 0 0 0 0 0 0 0 bitmap
Code Coverage basic block 1 basic block 2 basic block
3 instrumentation instrumentation instrumentation 0 0 0 0 0 0 0 0 0 0 bitmap
Code Coverage basic block 1 basic block 2 basic block
3 instrumentation instrumentation instrumentation 0 0 1 0 0 0 0 0 1 0 bitmap
Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed
run with instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes save to seed pool No
Sanitizer
Sanitizer • bug detection • binary instrumentation • overhead •
false-negative bugs
Sanitizer • AddressSanitizers (ASAN) • https://github.com/google/sanitizers • https://www.usenix.org/system/ fi les/conference/atc12/atc12-
fi nal39.pdf • Unde fi ned Behavior Sanitizer (UBSAN) • MemorySanitizer (MSAN) • Leak-checker Sanitizer (LSAN)
Sanitizer - ASAN • heap, stack, global-bu ff er over
fl ow • UAF - use after free • shadow memory • red zone buffer red zone red zone buffer
Coverage-Guided Fuzzers
AFL • american fuzzy lop • https://lcamtuf.coredump.cx/a fl / •
https://github.com/google/AFL
AFL++ • https://github.com/AFLplusplus/AFLplusplus • AFL++ is a superior fork to
Google's AFL - more speed, more and better mutations, more and better instrumentation, custom module support, etc. • cmplog: REDQUEEN • power schedule: AFLFast
AFL++
libfuzzer • LLVM • clang • https://llvm.org/docs/LibFuzzer.html • in-process fuzzing
• fuzzing harness
syzkaller • kernel fuzzer • https://github.com/google/syzkaller
Fuzzing Research
Fuzzing • seed scheduling • AFLFast: Coverage-based Greybox Fuzzing as
Markov Chain (CCS 2016) • MOPT: Optimize Mutation Scheduling for Fuzzers (USENIX 2019) • seed selection • seed corpus optimization • corpus minimization: OptiMin (ISSTA 2021) • initial seed selection • Seed Selection for Successful Fuzzing (ISSTA 2021)
Fuzzing - mutation • FairFuzz: A Targeted Mutation Strategy for
Increasing Greybox Fuzz Testing Coverage (ASE 2018) • REDQUEEN: Fuzzing with Input-to-State Correspondence (NDSS2019) • GREYONE Data Flow Sensitive Fuzzing (USENIX 2020)
Fuzzing - Directed Grey-box Fuzzing • AFLGo: Directed Greybox Fuzzing
(CCS 2017) • Hawkeye: Towards a Desired Directed Grey-box Fuzzer (CCS 2018) • SAVIOR: Towards Bug-Driven Hybrid Testing (S&P 2020) • ParmeSan: Sanitizer-guided Greybox Fuzzing (USENIX 2020) • Constraint-guided Directed Greybox Fuzzing (USENIX 2021)
Fuzzing - research topic • data fl aw analysis (DFA)
• taint analysis • binary instrumentation • binary only • dynamic instrumentation • parallel fuzzing • ensemble fuzzing • EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers (USENIX 2019)
Fuzzing - research topic • symbolic execution • KLEESPECTRE: Detecting
Information Leakage through Speculative Cache Attacks via Symbolic Execution • concolic execution • hybrid fuzzing • PANGOLIN: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction (S&P 2020)
Fuzz Something!
Fuzzing lab • https://github.com/yuawn/Mediatek-Fuzzing-Workshop
AFL++ • a fl -fuzz -i input -o output --
./binary • a fl -fuzz -i input -o output -- ./binary -a -b • a fl -fuzz -i input -o output -- ./binary -f @@
AFL++ - dictionary • a fl -fuzz -i input -o
output -x xml.dict -- ./binary
AFL++ - parallel fuzzing • a fl -fuzz -M main
-i input -o sync_dir -- ./binary • a fl -fuzz -S fuzzer2 -i input -o sync_dir -- ./binary • a fl -fuzz -S fuzzer3 -i input -o sync_dir -- ./binary
Summary
Summary • Fuzzing is a novel security testing technique •
Product Security awareness • Building a secure world
Thanks!