A New Fuzzing Technique for Software Vulnerability Testing

IEEE CONSEG 2009

Zhiyong Wu (1), J. William Atwood (2), Xueyong Zhu (3)

(1,3) Network Information Center, University of Science and Technology of China, Hefei, Anhui, China

(2) Department of Computer Science and Software Engineering, Concordia University, Montreal, Quebec, Canada




2009/12/19 Conseg 09 Fuzzing for Software Vulnerability 2

Contents

1. Introduction and Motivation
2. FTSG Model
3. Related Techniques
   • Static analysis
   • Dynamic binary instrument and dynamic trace
   • I/O analysis
4. GAMutator
5. Prototype System: DXFuzzing
6. Validation
7. Experiments
8. Conclusion


1 Introduction and Motivation

C code of a vulnerable procedure

```c
#include <stdbool.h>
#include <string.h>

/* strong_check is the application's own validation routine (e.g. a checksum
   check); its body is not part of the slide, only its use is shown. */
bool strong_check(char* head_str, char* data_str, char* program_checksum);

int process_chunck(char* head_str, char* data_str, char* program_checksum){
    char buf[60];
    char buf1[32];
    char buf2[32];
    memset(buf, 0, 60);
    if ( true == strong_check(head_str, data_str, program_checksum)){
        /* each field alone is bounded to 32 bytes ... */
        if ( strlen(head_str) > 32 || strlen(data_str) > 32)
            return -1;
        strcpy(buf1, head_str);
        strcpy(buf2, data_str);
        strcat(buf, head_str);
        strcat(buf, data_str); //error: both fields together may exceed buf[60]
        return 1;
    }
    else
        return -1;
}
```

Knowledge-based fuzzing could pass the strong check easily.

A one-dimension m&g strategy can't overflow buf if length(head_str) = 16 and length(data_str) = 20 in the sample, because only one of the two lengths is changed at a time and each is capped at 32.


2 FTSG Model

FTSG: Fuzzing Test Suites Generation

FTSG = (s, L, N, C, F, OP, Result),

OP = {M, Slv},

Result = {sampletree, mediumtree, newtree, testcase, testsuite}.


2 FTSG: Procedure for generating test cases by Mutation Operators and Slv

M = {m1, …, mi, …, mk, GAMutator}
F = {f1, f2, …, fe, …, fv}

for (each mi in M except GAMutator) {
    while (!(mediumtree = mi(sampletree))) {
        newtree = Slv(mediumtree, C)
    }
}

for (each fe in F) {
    while (!(mediumtree = GAMutator(sampletree, fe))) {
        newtree = Slv(mediumtree, C)
    }
}


2 FTSG: Total number of test cases

$T(\mathit{testsuite}) = \sum_{i=1}^{k} m_i(\mathit{sampletree})$


3 Related Techniques: Static analysis, dynamic binary instrument and dynamic trace

Technique | Usage | Tool
Static analysis | identify insecure functions | IDA PRO
Dynamic binary instrument | get insecure functions' dynamic input argument values to calculate the fitness value | Pin
Dynamic trace | monitor buffer coverage | Pydbg


3 Related Techniques: I/O analysis

Method | Instrument target | Characteristic
static analysis | source code | false alarm
execution-oriented analysis | binary code | simple and precise


3 Related Techniques: I/O analysis: execution-oriented analysis

INPUT | OUTPUT | VALUE of o_k
t1 = (a1, a2, …, as, …, an) | O = {o1, o2, …, ok, …, on} | V1
t2 = (a1, a2, …, as, …, an) | O = {o1, o2, …, ok, …, on} | V2
t3 = (a1, a2, …, as', …, an) | O = {o1, o2, …, ok, …, on} | V3

x_s influences output o_k if and only if

V1 = V2 ≠ V3

where a_i ∈ D(x_i), a_s' ∈ D(x_s), a_s ≠ a_s'.
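The V1 = V2 ≠ V3 criterion carried through in code, as an added example rather than the authors' DXFuzzing implementation: the program under test is a constructed stand-in for the IHDR-field-to-allocation computation used in the experiments, so its field names and arithmetic are assumptions, and the third run supplies a_s' ≠ a_s.

```python
def program(inputs):
    """Constructed stand-in for the target: width and bitdepth feed the
    row-buffer allocation size, height feeds the row-pointer table, and
    colortype feeds an unrelated output (all assumed for illustration)."""
    w, d = inputs["width"], inputs["bitdepth"]
    row_bytes = ((w * d + 7) // 8) & 0xFFFFFFFF            # png_uint_32 arithmetic
    return {
        "row_buf_size": (row_bytes + 1) & 0xFFFFFFFF,        # png_malloc argument (node 73)
        "row_pointers_size": (inputs["height"] * 4) & 0xFFFFFFFF,  # height * sizeof(png_bytep)
        "channels": 3 if inputs["colortype"] == 2 else 1,
    }

def influences(prog, base, s, alt_value, output):
    """x_s influences o_k iff V1 = V2 != V3: t1 and t2 repeat a_s, t3 replaces
    it by a_s' != a_s. V1 = V2 also guards against a non-deterministic output."""
    if alt_value == base[s]:
        raise ValueError("a_s' must differ from a_s")
    t1, t2, t3 = dict(base), dict(base), dict(base)
    t3[s] = alt_value
    v1, v2, v3 = (prog(t)[output] for t in (t1, t2, t3))
    return v1 == v2 and v2 != v3

def input_output_map(prog, base, alternatives, outputs):
    """Edge list in the style of Figure 5: for each output, the input nodes
    whose change is observed. One a_s' can only confirm influence; a field
    showing no change here may still matter for other values."""
    return {o: [s for s in base if influences(prog, base, s, alternatives[s], o)]
            for o in outputs}

# Constructed sample: the paper's initial values w = 0x20, d = 0x01.
BASE = {"width": 0x20, "bitdepth": 0x01, "colortype": 2, "height": 8}
ALTERNATIVES = {"width": 0x40, "bitdepth": 0x04, "colortype": 6, "height": 16}
```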

4 GAMutator

GAMutator mutates the related l or n in sampletree to trigger a suspected vulnerability in fe.

l or n are the inputs that influence some arguments of fe.

Cont.

Special characteristics of GAMutator:

• A multi-dimension mutation operator.
• A demand-oriented operator.
• The number of test cases that GAMutator generates is not fixed.
• Communicates with an outside system.
• The genetic algorithm here is used to generate test cases to trigger vulnerability in unsafe functions.
• The number of test cases generated by GAMutator is O(h).


4 GAMutator: Heuristics and fitness function

Heuristics are used to generate test cases more likely to trigger vulnerability in fe in F.

TWO EXAMPLES:

1. strcpy(dst, src)

$$f(X) = \begin{cases} size(d) - len(s), & \text{if } len(s) \neq 0, \\ MAX\_DEFAULT\_FITNESS, & \text{if } len(s) = 0. \end{cases}$$

2. malloc(a)

$$f(X) = \begin{cases} A - a, & \text{when } a < A, \\ 0, & \text{when } a \geq A \text{ and } (a \bmod B) = 0, \\ a \bmod B, & \text{when } a \geq A \text{ and } (a \bmod B) \neq 0. \end{cases}$$
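The motivating process_chunck case from the introduction and the strcpy heuristic above, worked together as an added example (not the authors' DXFuzzing code): the target is modelled by its two input lengths, the fitness applies the paper's size(d) − len(s) rule to the strcat destination buf[60], and the GA settings (population size, ±4 length mutation, fixed seed) are assumptions.

```python
import random

BUF_SIZE = 60                # char buf[60] in process_chunck
FIELD_MAX = 32               # per-field length check inside process_chunck
MAX_DEFAULT_FITNESS = 10**6  # fitness when the program check rejects the input

def target_overflows(head_len, data_len):
    """Model of process_chunck: inputs failing the length check are rejected
    before any copy; accepted inputs overflow buf once strcat has written
    60 or more bytes (the terminating NUL lands past the end)."""
    if head_len > FIELD_MAX or data_len > FIELD_MAX:
        return False
    return head_len + data_len >= BUF_SIZE

def fitness(head_len, data_len):
    """Paper's strcpy heuristic, size(d) - len(s), applied to the strcat into
    buf; lower is closer to an overflow, rejected inputs get the max value."""
    if head_len > FIELD_MAX or data_len > FIELD_MAX:
        return MAX_DEFAULT_FITNESS
    return BUF_SIZE - (head_len + data_len)

def one_dimension_sweep(sample=(16, 20), max_len=64):
    """One-dimension mutation: vary a single field over all lengths while the
    other keeps its sample value. Returns the (head, data) pairs that overflow."""
    hits = []
    for v in range(max_len + 1):
        if target_overflows(v, sample[1]):
            hits.append((v, sample[1]))
        if target_overflows(sample[0], v):
            hits.append((sample[0], v))
    return hits

def ga_mutator(sample=(16, 20), pop_size=16, generations=200, seed=1):
    """Multi-dimension search in the spirit of GAMutator: evolve (head, data)
    pairs under the fitness above; elitism keeps the best half each round."""
    rng = random.Random(seed)
    pop = [sample] * pop_size
    for _ in range(generations):
        pop.sort(key=lambda ind: fitness(*ind))
        if target_overflows(*pop[0]):
            return pop[0]                        # overflow-triggering test case
        parents = pop[:pop_size // 2]
        children = []
        for _ in range(pop_size - len(parents)):
            a, b = rng.choice(parents), rng.choice(parents)        # crossover
            h = min(FIELD_MAX, max(0, a[0] + rng.randint(-4, 4)))  # mutate
            d = min(FIELD_MAX, max(0, b[1] + rng.randint(-4, 4)))
            children.append((h, d))
        pop = parents + children
    return None
```

The sweep returns no hits because each single field is capped at 32 while the other stays at its sample length, whereas the GA reaches a pair whose combined length is at least 60 while each part still passes the check.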

5 Prototype System: DXFuzzing

1) Locate insecure functions positions in target binary code by Program Analyzer. Record their information into database;

2) Analyze corresponding network protocols or file format in target application according to related knowledge, choose a sample file s and write a primitive xml test script manually which contains a sampletree;

3) Scheduling Engine calls XFuzzing to fuzz the target application with mi and records runtime information with Program Analyzer when necessary.

Cont.

4) Data Mapper constructs relationships between X and F based on collected runtime information.

5) Scheduling Engine calls XFuzzing to fuzz target application with GAMutator.

6 Validation

1) Based on application-specific knowledge, DXFuzzing could generate test cases which easily pass strong program checks and validations in the program.

2) The problem of finding new combinations to trigger a possible vulnerability in fe in F is especially suitable for a genetic algorithm to solve.

Cont.

3) GAMutator does not only care about the relationships between li and fe, but also about nj and fe, because some fe in F are influenced by nj; however, nj is neglected in general.

4) Different from combinatorial test in black-box testing, the combination of li or nj in DXFuzzing is decided by the I/O analysis; the values of li or nj in some combination are refined by every generation.

Cont.

Execution-oriented I/O analysis in DXFuzzing is preferred here.

7 Experiments

LibPng library as the target application. Some data are as follows:

Function name | usePng.exe | LibPng.dll v1.0.6
strcpy | 1 | 6
memcpy | 0 | 77
sprintf | 0 | 16
malloc | 18 | 113

Table I. Insecure functions in target application

ID | INPUT ELEMENTS
101 | PngFile..IHDA_CHUNK_DATA.BitDepth
102 | PngFile..IHDA_CHUNK_DATA.ColorType
109 | PngFile..IHDA_CHUNK_DATA.Height
111 | PngFile..IHDA_CHUNK_DATA.Width

Table II. Input nodes

Cont.

ID | INSECURE FUNCTIONS
72 | pngrutil.c(2939): png_ptr->row_buf = (png_bytep)png_malloc(png_ptr, row_bytes)
73 | pngrutil.c(2945): png_ptr->prev_row = (png_bytep)png_malloc(png_ptr, (png_uint_32)(png_ptr->rowbytes + 1))
89 | pngread.c(1301): info_ptr->row_pointers = (png_bytepp)png_malloc(png_ptr, info_ptr->height * sizeof(png_bytep))

Table III. Insecure functions influenced by input nodes

Cont.

[Figure 4. Relationships between inputs (111, 102, 101, 109) and insecure functions (72, 73, 89) by static analysis]

[Figure 5. Relationships between inputs (111, 102, 101, 109) and outputs (72, 73, 89) by dynamic execution: simple and precise]

Cont.

w | width | 111
d | BitDepth | 101
z | Argument value of png_malloc | 73

Initial values: w = 0x20, d = 0x01; w ∈ [0, 0xffffffff], d ∈ [0, 0xff].

Cont.

Further analysis gives d ∈ {1, 2, 4}. w and d will generate 3 × 0x100000000 = 12884901888 combination test cases. However, only 262148 of them could trigger this vulnerability if we set B = 100000; for this case png_malloc could successfully allocate memory. So the probability is 262148 / 12884901888 ≈ 0.00002.

Cont.

[Figure: Width, BitDepth distribution when they trigger this vulnerability]

Cont.

Tools | Number of vulnerabilities found | Number of test cases
Smart Fuzzer | 0 | 1000000
GAFuzzing | 0 | 1000000
Peach 2.3 | 4 | 31026
DXFuzzing | 7 | 34222

Table IV. Vulnerabilities found by different fuzzing tools

8 Conclusion

Whitebox fuzzing is complex and time costly; there are still problems such as path explosion, and it is hard to pass strong program checks fully automatically.

Peach is an outstanding knowledge-based fuzzing tool.

Cont.

DXFuzzing enriches the current mutation methodology with a multi-dimension input-node mutation strategy without combinatorial explosion, so DXFuzzing could find some vulnerabilities that will never be found by one-dimension mutation fuzzing.

9 For More Information
