Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
MediaTek Fuzzing Workshop
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
yuawn
November 26, 2021
Education
1.5k
2
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
MediaTek Fuzzing Workshop
MediaTek Fuzzing Workshop in HITCON 2021
yuawn
November 26, 2021
More Decks by yuawn
See All by yuawn
Kernel Exploitation
yuawn
4
3.9k
Heap Exploitation
yuawn
2
1.8k
Binary Exploitation
yuawn
2
1.9k
Binary Exploitation - Basic
yuawn
2
3.9k
HITCON Badge 2019 - MCU ARM TrustZone Challenge
yuawn
2
490
Other Decks in Education
See All in Education
プロポーザルを書く技術とアンチパターン/proposal-writing-and-antipatterns
moriyuya
13
3.5k
Estimating Group × Time Interaction in Scale-Transformed CEFR-J Self-Assessment Scores: A Case in Study-Abroad Research
uranoken
0
130
Interaction - Lecture 10 - Information Visualisation (4019538FNR)
signer
PRO
0
2.7k
データマネジメント試験対策教材1〜データマネジメント基礎〜
yoshimura_datam
1
320
Case Studies - Lecture 12 - Information Visualisation (4019538FNR)
signer
PRO
0
170
生成AI時代の情報発信
molmolken
0
140
AI-Based Speaking Assessment of a Short-Term Study Abroad Program
uranoken
0
370
0513
cbtlibrary
0
220
2026年度春学期 統計学 第4回 データを「分布」で見る (2026. 4. 30)
akiraasano
PRO
0
180
Soluciones al examen de Geografía 2026. JUNIO (Convocatoria Ordinaria)
juanmartin2026
1
5.8k
Gitがない時代 インターネットがない時代の 開発話
sapi_kawahara
0
320
生成AI時代のエンジニア育成について考えてみた
akasan
0
170
Featured
See All Featured
Tips & Tricks on How to Get Your First Job In Tech
honzajavorek
1
560
End of SEO as We Know It (SMX Advanced Version)
ipullrank
3
4.3k
How to Ace a Technical Interview
jacobian
281
24k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
28
3.6k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
35
3.6k
Bootstrapping a Software Product
garrettdimon
PRO
307
120k
Prompt Engineering for Job Search
mfonobong
0
370
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
25
2k
Color Theory Basics | Prateek | Gurzu
gurzu
0
390
Building Adaptive Systems
keathley
44
3.1k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
141
35k
WENDY [Excerpt]
tessaabrams
11
38k
Transcript
Building a Secure World Fuzzing 101 yuawn
Outline • Product Security • Fuzz testing • Fuzzing Lab
• AFL++ • Binary instrumentation - LLVM Pass
Product Security
Product Security - smart phone • Privacy • Photo, video,
voice, SMS, notes, documents … • Credential • private keys, MFA, fi ngerprint, facial ID … • Wallet • credit cards, bank service, electronic payment …
Product Security • 5G, IoT, intelligent vehicles, e-health, metaverse (VR,
AR) • ⾞⽤晶片、航空、醫療儀器、穿戴裝置 • Cybersecurity risk
Product Security • 國安 • ⼈類安全的未來
產品安全 是世界安全的第⼀線
Fuzz Testing
Fuzz Testing • Fuzzing • Automated software testing technique •
bug fi nding • Fuzzer • Repeatedly provides randomly generated inputs to the program and checks the execution result.
Fuzz Testing run with program execution result crash Found bugs!
crash PoC inputs
Fuzz Testing • Black-box • binary only • Grey-box •
utilize some program information to guide fuzzing • White-box • get a full picture of program • e.g., symbolic execution
Fuzz Testing • Black-box • binary only • Grey-box •
utilize some program information to guide fuzzing • White-box • get a full picture of program • e.g., symbolic execution
Coverage-Guided Fuzzing
Coverage-Guided Fuzzing • coverage metric • compute from program information
• utilize coverage information to guide fuzzer increasing coverage percentage
Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed
run with instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes save to seed pool No
Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed
run with instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes save to seed pool No
Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed
run with instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes save to seed pool No
Coverage-Guided Fuzzing • Coverage metric • code coverage • Capture
program information • binary instrumentation • emulator • qemu, angr, qiling
Binary Instrumentation
Binary Instrumentation • Insert additional code into binary • Insert
assembly • vanilla AFL • LLVM Pass - LLVM IR • AFL++ • LTO (Link Time Optimization)
Code Coverage
Code Coverage • coverage of code region • basic block
• edge • Insert additional code at entries of code regions • code coverage -> bug coverage
Code Coverage basic block 1 basic block 2 basic block
3
Code Coverage basic block 1 basic block 2 basic block
3 instrumentation instrumentation instrumentation
Code Coverage basic block 1 basic block 2 basic block
3 instrumentation instrumentation instrumentation 0 0 0 0 0 0 0 0 0 0 bitmap
Code Coverage basic block 1 basic block 2 basic block
3 instrumentation instrumentation instrumentation 0 0 0 0 0 0 0 0 0 0 bitmap
Code Coverage basic block 1 basic block 2 basic block
3 instrumentation instrumentation instrumentation 0 0 1 0 0 0 0 0 1 0 bitmap
Coverage-Guided Fuzzing seed pool select a seed mutation mutated seed
run with instrumented binary execution result crash Found bugs! crash PoC exit normally new coverage? Yes save to seed pool No
Sanitizer
Sanitizer • bug detection • binary instrumentation • overhead •
false-negative bugs
Sanitizer • AddressSanitizers (ASAN) • https://github.com/google/sanitizers • https://www.usenix.org/system/ fi les/conference/atc12/atc12-
fi nal39.pdf • Unde fi ned Behavior Sanitizer (UBSAN) • MemorySanitizer (MSAN) • Leak-checker Sanitizer (LSAN)
Sanitizer - ASAN • heap, stack, global-bu ff er over
fl ow • UAF - use after free • shadow memory • red zone buffer red zone red zone buffer
Coverage-Guided Fuzzers
AFL • american fuzzy lop • https://lcamtuf.coredump.cx/a fl / •
https://github.com/google/AFL
AFL++ • https://github.com/AFLplusplus/AFLplusplus • AFL++ is a superior fork to
Google's AFL - more speed, more and better mutations, more and better instrumentation, custom module support, etc. • cmplog: REDQUEEN • power schedule: AFLFast
AFL++
libfuzzer • LLVM • clang • https://llvm.org/docs/LibFuzzer.html • in-process fuzzing
• fuzzing harness
syzkaller • kernel fuzzer • https://github.com/google/syzkaller
Fuzzing Research
Fuzzing • seed scheduling • AFLFast: Coverage-based Greybox Fuzzing as
Markov Chain (CCS 2016) • MOPT: Optimize Mutation Scheduling for Fuzzers (USENIX 2019) • seed selection • seed corpus optimization • corpus minimization: OptiMin (ISSTA 2021) • initial seed selection • Seed Selection for Successful Fuzzing (ISSTA 2021)
Fuzzing - mutation • FairFuzz: A Targeted Mutation Strategy for
Increasing Greybox Fuzz Testing Coverage (ASE 2018) • REDQUEEN: Fuzzing with Input-to-State Correspondence (NDSS2019) • GREYONE Data Flow Sensitive Fuzzing (USENIX 2020)
Fuzzing - Directed Grey-box Fuzzing • AFLGo: Directed Greybox Fuzzing
(CCS 2017) • Hawkeye: Towards a Desired Directed Grey-box Fuzzer (CCS 2018) • SAVIOR: Towards Bug-Driven Hybrid Testing (S&P 2020) • ParmeSan: Sanitizer-guided Greybox Fuzzing (USENIX 2020) • Constraint-guided Directed Greybox Fuzzing (USENIX 2021)
Fuzzing - research topic • data fl aw analysis (DFA)
• taint analysis • binary instrumentation • binary only • dynamic instrumentation • parallel fuzzing • ensemble fuzzing • EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers (USENIX 2019)
Fuzzing - research topic • symbolic execution • KLEESPECTRE: Detecting
Information Leakage through Speculative Cache Attacks via Symbolic Execution • concolic execution • hybrid fuzzing • PANGOLIN: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction (S&P 2020)
Fuzz Something!
Fuzzing lab • https://github.com/yuawn/Mediatek-Fuzzing-Workshop
AFL++ • a fl -fuzz -i input -o output --
./binary • a fl -fuzz -i input -o output -- ./binary -a -b • a fl -fuzz -i input -o output -- ./binary -f @@
AFL++ - dictionary • a fl -fuzz -i input -o
output -x xml.dict -- ./binary
AFL++ - parallel fuzzing • a fl -fuzz -M main
-i input -o sync_dir -- ./binary • a fl -fuzz -S fuzzer2 -i input -o sync_dir -- ./binary • a fl -fuzz -S fuzzer3 -i input -o sync_dir -- ./binary
Summary
Summary • Fuzzing is a novel security testing technique •
Product Security awareness • Building a secure world
Thanks!