MediaTek Fuzzing Workshop

yuawn
November 26, 2021

MediaTek Fuzzing Workshop in HITCON 2021

Transcript

  1. Building a Secure World
    Fuzzing 101
    yuawn

  2. Outline
    • Product Security
    • Fuzz testing
    • Fuzzing Lab
    • AFL++
    • Binary instrumentation - LLVM Pass

  3. Product Security

  4. Product Security - smart phone
    • Privacy
      • Photo, video, voice, SMS, notes, documents …
    • Credential
      • private keys, MFA, fingerprint, facial ID …
    • Wallet
      • credit cards, bank service, electronic payment …

  5. Product Security
    • 5G, IoT, intelligent vehicles, e-health, metaverse (VR, AR)
    • Automotive chips, aviation, medical instruments, wearable devices
    • Cybersecurity risk

  6. Product Security
    • National security
    • The future of human safety

  7. Product Security
    is the front line of a secure world

  8. Fuzz Testing

  9. Fuzz Testing
    • Fuzzing
      • Automated software testing technique
      • bug finding
    • Fuzzer
      • Repeatedly provides randomly generated inputs to the program and checks the execution result.

  10. Fuzz Testing
    [Diagram: inputs -> run with program -> execution result; crash -> Found bugs! (crash PoC)]

  11. Fuzz Testing
    • Black-box
      • binary only
    • Grey-box
      • utilize some program information to guide fuzzing
    • White-box
      • get a full picture of program
      • e.g., symbolic execution

  13. Coverage-Guided Fuzzing

  14. Coverage-Guided Fuzzing
    • coverage metric
      • compute from program information
    • utilize coverage information to guide fuzzer increasing coverage percentage

  15. Coverage-Guided Fuzzing
    [Flowchart: seed pool -> select a seed -> mutation -> mutated seed -> run with instrumented binary -> execution result; crash -> Found bugs! (crash PoC); exit normally -> new coverage? Yes -> save to seed pool; No -> back to seed pool]

  18. Coverage-Guided Fuzzing
    • Coverage metric
      • code coverage
    • Capture program information
      • binary instrumentation
      • emulator
        • qemu, angr, qiling

  19. Binary Instrumentation

  20. Binary Instrumentation
    • Insert additional code into binary
    • Insert assembly
      • vanilla AFL
    • LLVM Pass - LLVM IR
      • AFL++
      • LTO (Link Time Optimization)

  21. Code Coverage

  22. Code Coverage
    • coverage of code region
      • basic block
      • edge
    • Insert additional code at entries of code regions
    • code coverage -> bug coverage

  23. Code Coverage
    [Diagram: control-flow graph with basic block 1 branching to basic block 2 and basic block 3]

  24. Code Coverage
    [Diagram: the same graph with an instrumentation stub inserted at the entry of each of the three basic blocks]

  25. Code Coverage
    [Diagram: the instrumented graph next to an empty coverage bitmap: 0 0 0 0 0 0 0 0 0 0]

  27. Code Coverage
    [Diagram: after one execution the instrumentation stubs have set two entries in the bitmap: 0 0 1 0 0 0 0 0 1 0]

  28. Coverage-Guided Fuzzing
    [Flowchart: seed pool -> select a seed -> mutation -> mutated seed -> run with instrumented binary -> execution result; crash -> Found bugs! (crash PoC); exit normally -> new coverage? Yes -> save to seed pool; No -> back to seed pool]
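The flowchart and the bitmap slides can be demonstrated end to end in a small program. The following is an added example, not code from the workshop deck or its lab repository: the COV() macro is a hand-written stand-in for the stub an AFL-style LLVM pass inserts at every basic-block entry (bitmap index = current block id XOR previous block id, as in AFL), while the target function, its block ids, the "FUZZ" magic bytes, the mutation strategy and the bitmap size are all constructed for illustration, and a return value of 1 stands in for a crash. Calling fuzz() with guided set to 0 skips the "save to seed pool" step, which shows why the coverage feedback matters: blind mutation of a single initial seed never gets past the byte comparisons.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAP_SIZE  256   /* edge-coverage bitmap; AFL uses 64 KiB */
#define MAX_SEEDS 64
#define MAX_LEN   16

static uint8_t  trace_bits[MAP_SIZE];   /* edges hit by the current execution */
static uint8_t  virgin_bits[MAP_SIZE];  /* edges reached by any input so far */
static uint16_t prev_loc;

/* Stand-in for the instrumentation stub at each basic-block entry: the bitmap
 * is indexed by the (previous block, current block) pair, i.e. per edge. */
#define COV(cur_loc) do {                                   \
        trace_bits[((cur_loc) ^ prev_loc) % MAP_SIZE]++;    \
        prev_loc = (uint16_t)((cur_loc) >> 1);              \
    } while (0)

/* Constructed target: every basic block starts with a COV() stub carrying a
 * constant block id. Returning 1 stands in for a crash. */
static int target(const uint8_t *buf, size_t len) {
    COV(0x11);
    if (len < 4) return 0;
    COV(0x35);
    if (buf[0] != 'F') return 0;
    COV(0x7a);
    if (buf[1] != 'U') return 0;
    COV(0x9c);
    if (buf[2] != 'Z') return 0;
    COV(0xd3);
    if (buf[3] != 'Z') return 0;
    COV(0xe7);
    return 1;
}

typedef struct { uint8_t data[MAX_LEN]; size_t len; } seed_t;
static seed_t pool[MAX_SEEDS];
static size_t pool_size;

/* "run with instrumented binary": clear the bitmap, run, return the result */
static int run_target(const uint8_t *buf, size_t len) {
    memset(trace_bits, 0, sizeof trace_bits);
    prev_loc = 0;
    return target(buf, len);
}

/* "new coverage?": did this run touch an edge no earlier input reached?
 * (AFL additionally buckets hit counts; edge presence is enough here.) */
static int has_new_coverage(void) {
    int new_cov = 0;
    for (size_t i = 0; i < MAP_SIZE; i++)
        if (trace_bits[i] && !virgin_bits[i]) { virgin_bits[i] = 1; new_cov = 1; }
    return new_cov;
}

/* "save to seed pool" */
static void add_seed(const uint8_t *buf, size_t len) {
    if (pool_size == MAX_SEEDS) return;
    memcpy(pool[pool_size].data, buf, len);
    pool[pool_size].len = len;
    pool_size++;
}

/* "mutation": flip one bit, overwrite one byte, or append one byte */
static void mutate(const seed_t *in, uint8_t *out, size_t *out_len) {
    memcpy(out, in->data, in->len);
    *out_len = in->len;
    if (*out_len == 0) return;
    switch (rand() % 3) {
    case 0:  out[rand() % *out_len] ^= (uint8_t)(1u << (rand() % 8)); break;
    case 1:  out[rand() % *out_len]  = (uint8_t)(rand() & 0xff);      break;
    default: if (*out_len < MAX_LEN) out[(*out_len)++] = (uint8_t)(rand() & 0xff); break;
    }
}

/* The loop from the flowchart. Returns the iteration at which the crash path
 * was reached, or -1 when the budget runs out. With guided == 0 no input is
 * ever saved, so each input is one mutation of the initial seed and can never
 * satisfy all four byte checks. */
static long fuzz(unsigned rng_seed, long budget, int guided) {
    static const uint8_t initial[4] = { 's', 'e', 'e', 'd' };
    srand(rng_seed);
    pool_size = 0;
    memset(virgin_bits, 0, sizeof virgin_bits);
    add_seed(initial, sizeof initial);
    run_target(initial, sizeof initial);
    has_new_coverage();                 /* record the seed corpus' own coverage */
    for (long iter = 0; iter < budget; iter++) {
        uint8_t buf[MAX_LEN];
        size_t  len;
        mutate(&pool[rand() % pool_size], buf, &len);
        if (run_target(buf, len))
            return iter;                /* "Found bugs!": buf is the crash PoC */
        if (guided && has_new_coverage())
            add_seed(buf, len);         /* reached a new edge: keep the input */
    }
    return -1;
}

int main(void) {
    printf("coverage-guided: crash path found at iteration %ld\n", fuzz(1, 1000000, 1));
    printf("blind mutation:  %ld (-1 means not found within budget)\n", fuzz(1, 1000000, 0));
    return 0;
}
```

Compile with any C99 compiler and run. The real tool differs in the parts that cost the most: AFL++ keeps the bitmap in shared memory written by compiler-inserted stubs, buckets hit counts instead of recording presence, and runs the target in a forked child so a genuine crash arrives as a signal rather than a return value.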

  29. Sanitizer
    • bug detection
    • binary instrumentation
    • overhead
    • false-negative bugs

  30. Sanitizer
    • AddressSanitizer (ASAN)
      • https://github.com/google/sanitizers
      • https://www.usenix.org/system/files/conference/atc12/atc12-final39.pdf
    • Undefined Behavior Sanitizer (UBSAN)
    • MemorySanitizer (MSAN)
    • Leak-checker Sanitizer (LSAN)

  31. Sanitizer - ASAN
    • heap, stack, global-buffer overflow
    • UAF - use after free
    • shadow memory
    • red zone
    [Diagram: heap layout with buffers separated by red zones: red zone | buffer | red zone | red zone | buffer]
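The mechanism behind the two terms on this slide, shadow memory and red zones, can be modelled in user code without the compiler. The following is an added example, not from the deck: a toy bump allocator keeps one shadow byte per heap byte (real ASAN maps 8 application bytes to one shadow byte and records chunk sizes in a header, whereas toy_free() here takes the size as a parameter), the poison values, arena size and the three scenario functions are this example's own choices, and check_access() plays the role of the check the instrumentation inserts before every load and store. Without that check the off-by-one write and the use-after-free read would both run silently, which is the false-negative class the previous slide refers to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256
#define REDZONE    8
enum { ADDRESSABLE = 0, POISON_REDZONE = 0xfa, POISON_FREED = 0xfd };

static uint8_t arena[ARENA_SIZE];    /* the toy heap */
static uint8_t shadow[ARENA_SIZE];   /* one shadow byte per heap byte */
static size_t  bump;                 /* bump-pointer allocation cursor */
static const char *report = "";      /* last finding, "" when clean */

static void arena_reset(void) {
    memset(arena, 0, sizeof arena);
    memset(shadow, POISON_REDZONE, sizeof shadow);  /* unallocated space is poisoned */
    bump = 0;
    report = "";
}

/* Allocate n bytes with a red zone on each side; only the payload becomes
 * addressable in shadow memory, the red zones stay poisoned. */
static uint8_t *toy_malloc(size_t n) {
    if (bump + 2 * REDZONE + n > ARENA_SIZE) return NULL;
    uint8_t *p = arena + bump + REDZONE;
    memset(shadow + bump + REDZONE, ADDRESSABLE, n);
    bump += 2 * REDZONE + n;
    return p;
}

/* Free poisons the chunk with a distinct value so that a later access is
 * classified as use-after-free rather than overflow. The chunk is never
 * reused by this bump allocator; real ASAN quarantines freed chunks for the
 * same reason. */
static void toy_free(uint8_t *p, size_t n) {
    memset(shadow + (p - arena), POISON_FREED, n);
}

/* The check inserted before a load or store of n bytes at p.
 * Returns 0 when every byte is addressable, -1 (and sets report) otherwise. */
static int check_access(const uint8_t *p, size_t n) {
    size_t off = (size_t)(p - arena);
    if (off >= ARENA_SIZE || n > ARENA_SIZE - off) { report = "wild access"; return -1; }
    for (size_t i = 0; i < n; i++) {
        switch (shadow[off + i]) {
        case ADDRESSABLE:    break;
        case POISON_REDZONE: report = "heap-buffer-overflow"; return -1;
        case POISON_FREED:   report = "heap-use-after-free";  return -1;
        }
    }
    return 0;
}

/* Constructed scenarios; each returns the report ("" means no finding). */
static const char *scenario_in_bounds(void) {
    arena_reset();
    uint8_t *buf = toy_malloc(16);
    for (size_t i = 0; i < 16; i++)
        if (check_access(buf + i, 1) == 0) buf[i] = (uint8_t)i;
    return report;
}

static const char *scenario_off_by_one(void) {
    arena_reset();
    uint8_t *buf = toy_malloc(16);
    check_access(buf + 16, 1);   /* one byte past the end lands in the right red zone */
    return report;
}

static const char *scenario_use_after_free(void) {
    arena_reset();
    uint8_t *buf = toy_malloc(16);
    toy_free(buf, 16);
    check_access(buf + 3, 4);    /* 4-byte read from a freed chunk */
    return report;
}

int main(void) {
    const char *r;
    r = scenario_in_bounds();      printf("in-bounds:      %s\n", *r ? r : "clean");
    r = scenario_off_by_one();     printf("off-by-one:     %s\n", *r ? r : "clean");
    r = scenario_use_after_free(); printf("use-after-free: %s\n", *r ? r : "clean");
    return 0;
}
```

The overhead the previous slide mentions comes from exactly this pattern: every memory access pays for a shadow lookup, and every allocation pays for the red zones, which is why sanitizer builds are used for fuzzing and testing rather than for shipping binaries.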

  32. Coverage-Guided Fuzzers

  33. AFL
    • american fuzzy lop
    • https://lcamtuf.coredump.cx/afl/
    • https://github.com/google/AFL

  34. AFL++
    • https://github.com/AFLplusplus/AFLplusplus
    • AFL++ is a superior fork to Google's AFL - more speed, more and better mutations, more and better instrumentation, custom module support, etc.
    • cmplog: REDQUEEN
    • power schedule: AFLFast

  35. libfuzzer
    • LLVM
    • clang
    • https://llvm.org/docs/LibFuzzer.html
    • in-process fuzzing
    • fuzzing harness

  36. syzkaller
    • kernel fuzzer
    • https://github.com/google/syzkaller

  37. Fuzzing Research

  38. Fuzzing
    • seed scheduling
      • AFLFast: Coverage-based Greybox Fuzzing as Markov Chain (CCS 2016)
      • MOPT: Optimize Mutation Scheduling for Fuzzers (USENIX 2019)
    • seed selection
      • seed corpus optimization
        • corpus minimization: OptiMin (ISSTA 2021)
      • initial seed selection
        • Seed Selection for Successful Fuzzing (ISSTA 2021)

  39. Fuzzing - mutation
    • FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage (ASE 2018)
    • REDQUEEN: Fuzzing with Input-to-State Correspondence (NDSS 2019)
    • GREYONE: Data Flow Sensitive Fuzzing (USENIX 2020)

  40. Fuzzing - Directed Grey-box Fuzzing
    • AFLGo: Directed Greybox Fuzzing (CCS 2017)
    • Hawkeye: Towards a Desired Directed Grey-box Fuzzer (CCS 2018)
    • SAVIOR: Towards Bug-Driven Hybrid Testing (S&P 2020)
    • ParmeSan: Sanitizer-guided Greybox Fuzzing (USENIX 2020)
    • Constraint-guided Directed Greybox Fuzzing (USENIX 2021)

  41. Fuzzing - research topic
    • data flow analysis (DFA)
      • taint analysis
    • binary instrumentation
      • binary only
      • dynamic instrumentation
    • parallel fuzzing
      • ensemble fuzzing
        • EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers (USENIX 2019)

  42. Fuzzing - research topic
    • symbolic execution
      • KLEESPECTRE: Detecting Information Leakage through Speculative Cache Attacks via Symbolic Execution
    • concolic execution
    • hybrid fuzzing
      • PANGOLIN: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction (S&P 2020)

  43. Fuzz Something!

  44. Fuzzing lab
    • https://github.com/yuawn/Mediatek-Fuzzing-Workshop

  45. AFL++
    • afl-fuzz -i input -o output -- ./binary
    • afl-fuzz -i input -o output -- ./binary -a -b
    • afl-fuzz -i input -o output -- ./binary -f @@

  46. AFL++ - dictionary
    • afl-fuzz -i input -o output -x xml.dict -- ./binary
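The file passed with -x is a plain-text token list in AFL's dictionary format: one `name="value"` entry per line, `#` starting a comment, with `\"`, `\\` and `\xNN` escapes inside the value; afl-fuzz splices these tokens into mutated inputs so that keywords a random byte flip would almost never produce appear in the corpus. The dictionary below is a constructed illustration of that format for an XML-style target and is not the xml.dict shipped with the lab repository.

```text
# constructed example dictionary (not the lab's xml.dict); one token per line
xml_decl="<?xml version=\"1.0\"?>"
tag_open="<"
tag_close=">"
tag_end="</"
tag_selfclose="/>"
comment_open="<!--"
comment_close="-->"
cdata_open="<![CDATA["
cdata_close="]]>"
entity_amp="&amp;"
entity_lt="&lt;"
```

Keep tokens short and structural (delimiters, keywords, magic values); long literal documents belong in the seed corpus under -i, not in the dictionary.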

  47. AFL++ - parallel fuzzing
    • afl-fuzz -M main -i input -o sync_dir -- ./binary
    • afl-fuzz -S fuzzer2 -i input -o sync_dir -- ./binary
    • afl-fuzz -S fuzzer3 -i input -o sync_dir -- ./binary

  48. Summary
    • Fuzzing is a novel security testing technique
    • Product Security awareness
    • Building a secure world