Upload File

typestate-guided fuzzer for discovering use-after-free

  • Home
  • Documents
  • Typestate-Guided Fuzzer for Discovering Use-after-Free
21
: 2019.07.07 Typestate-Guided Fuzzer for Discovering Use-after-Free Vulnerabilities Haijun Wang, Xiaofei Xie, Yi Li, Cheng Wen, Yuekang Li, Yang Liu, Shengchao Qin, Hongxu Chen, Yulei Sui

Upload: others

Post on 23-Oct-2021

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Typestate-Guided Fuzzer for Discovering Use-after-Free

:

2019.07.07

Typestate-Guided Fuzzer for Discovering

Use-after-Free Vulnerabilities

Haijun Wang, Xiaofei Xie, Yi Li, Cheng Wen, Yuekang Li,

Yang Liu, Shengchao Qin, Hongxu Chen, Yulei Sui

Page 2: Typestate-Guided Fuzzer for Discovering Use-after-Free

Fuzzing Techniques

➢ Fuzzing Technique

✓ Automated software testing technique

✓ Provide invalid, unexpected, or random data to a program

✓ The program is instrumented, e.g., branch coverage

✓ The most popular technique to find vulnerabilities

e.g., AFL, libFuzzer, ClusterFuzz, OSS-Fuzz

➢ Fuzzing Technique Types

✓ Generation-based fuzzing

generate inputs from templates, e.g., grammar, specification

✓ Mutation-based fuzzing

randomly mutate inputs from seed test cases

Page 3: Typestate-Guided Fuzzer for Discovering Use-after-Free

Challenges in fuzzing techniques

Page 4: Typestate-Guided Fuzzer for Discovering Use-after-Free

Solutions in Fuzzing

Whether the existing branch coverage is enough?

e.g., use-after-free vulnerability

Page 5: Typestate-Guided Fuzzer for Discovering Use-after-Free

Challenges in Fuzzing

➢ The program has a use-after-free

vulnerability

✓ Line4: allocate the memory

✓ Line7: ptr1 and ptr2 become alias

✓ Line10: the memory is freed

✓ Line14: use the freed memory

Page 6: Typestate-Guided Fuzzer for Discovering Use-after-Free

Challenges in Fuzzing

Page 7: Typestate-Guided Fuzzer for Discovering Use-after-Free

Challenges in Fuzzing

➢ To expose the use-after-free vulnerability

✓ Line: 4 7 10 14

➢ Challenges in detecting UaF

✓ How to identify the above operation

sequence?

✓ How to cover this operation sequence?

Page 8: Typestate-Guided Fuzzer for Discovering Use-after-Free

Challenges in Fuzzing

Page 9: Typestate-Guided Fuzzer for Discovering Use-after-Free

UAFL: Typestate-Guided Fuzzer for Discovering

Use-after-Free Vulnerabilities

Page 10: Typestate-Guided Fuzzer for Discovering Use-after-Free

Overview of UAFL

Page 11: Typestate-Guided Fuzzer for Discovering Use-after-Free

Static Typestate Analysis

➢ Typtestate property

➢ Static Analysis

✓ Lightweight path-insensitive static

analysis

✓ SVF: inter-procedural static value-

flow analysis

➢ Operation Sequence

✓ Line: 4 7 10 14

Page 12: Typestate-Guided Fuzzer for Discovering Use-after-Free

Program Instrumentation

➢ Operation Sequences

✓ ∀𝑠𝑖 ∈ (𝑠1, ⋯ , 𝑠𝑛 ), instrument

whether si is executed

✓ ∀𝑠𝑖 ∈ (𝑠1, ⋯ , 𝑠𝑛 ), retrieve the

execution information of ∀𝑠𝑗 ∈

𝑠1, ⋯ , 𝑠𝑖

➢ Information Flow

✓ I

Page 13: Typestate-Guided Fuzzer for Discovering Use-after-Free

Fuzzing loop

➢ Seed Selection

✓ Seeds that cover more

operation sequences

➢ Mutation Strategies

✓ Input fields related to

operation sequences are more

important

✓ Information flow analysis

based mutation

➢ Feedback

✓ Gradually cover the operation sequences

Page 14: Typestate-Guided Fuzzer for Discovering Use-after-Free

Evaluations for UAFL

Page 15: Typestate-Guided Fuzzer for Discovering Use-after-Free

Overhead of Static Analysis

Page 16: Typestate-Guided Fuzzer for Discovering Use-after-Free

Time to Expose UaF

Page 17: Typestate-Guided Fuzzer for Discovering Use-after-Free

Statistical Tests

Page 18: Typestate-Guided Fuzzer for Discovering Use-after-Free

Operation Sequence Coverage

Page 19: Typestate-Guided Fuzzer for Discovering Use-after-Free

Operation Sequence Coverage

Page 20: Typestate-Guided Fuzzer for Discovering Use-after-Free

Operation Sequence Coverage

Page 21: Typestate-Guided Fuzzer for Discovering Use-after-Free

Typestate Verification: Abstraction Techniques and Complexity Results

MoonShine: Optimizing OS Fuzzer Seed Selection with Trace ... · MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation ShankaraPailoor, Andrew Aday, Suman Jana Columbia

Fusil the fuzzer -

PEACH FUZZER FOR DRIVER FUZZING WHITEPAPER · peachtech peach fuzzer for driver fuzzing whitepaper peach.tech

Writing a fuzzer - Twistlock...Writing a fuzzer Ariel Zelivansky @ Twistlock Labs with american fuzzy lop Technique for testing software by providing it with random, unexpected or

A Foundations of Typestate-Oriented Programming

safe Effective typestate verification in the presence of aliasing

[2012 CodeEngn Conference 06] beist - Everyone has his or her own fuzzer

Building Advanced Coverage-guided Fuzzer for Program Binariesgroundx.io/docs/ZeroNights2017-darko-fuzzer.pdf · 2019-01-30 · Building Advanced Coverage-guided Fuzzer for Program

Aliasing Control With View-Based TypeState

IMF: Inferred Model-based Fuzzer

Automatic Fuzzer Generation FuzzGen

MultiFuzz: A Coverage-based Multiparty-protocol Fuzzer for

HyperFuzzer: An Efficient Hybrid Fuzzer for Virtual CPUs

Typechecking Protocols with Mungo and StMungo · Session types, object-oriented programming, typestate, protocols, typestate inference. 1. ... important idea, this earlier work lacked

BackREST: A Model-Based Feedback-Driven Greybox Fuzzer for

Design and develop a fuzzer framework to security test a

Typestate Verification: Abstraction Techniques and ...pages.cs.wisc.edu/~ramali/Papers/SCP04.pdf · Typestate Verification: Abstraction Techniques and Complexity Results ... properties.A

DotDotPwn Fuzzer - Black Hat 2011 (Arsenal)

ImmuniWeb® Self-Fuzzer Firefox Extension

ClusterFuzz - Nullcon · PDF fileClusterFuzz architect Fuzzer author and facilitator ... Glusterfs 1. Fuzzer data bundles 2. Build Cache 3. Code Coverage Appengine Local Storage 1

Dowsing for over ows: a guided fuzzer to nd bu er boundary violations · Introduction Dowsing Input reduction Code reduction Summary Dowsing for over ows: a guided fuzzer to nd bu

In the lands of corrupted elves - Breaking ELF software with Melkor fuzzer

Chizpurfle: A Gray-Box Android Fuzzer for Vendor Service

Letting your fuzzer know about target’s internals · Letting your fuzzer know about target’s internals Rodrigo Rubira Branco (BSDaemon) Senior Vulnerability Researcher rodrigo

BanditFuzz: A Reinforcement-Learning based Performance Fuzzer …fmora/vstte20.pdf · 2020. 9. 5. · BanditFuzz: A Reinforcement-Learning based Performance Fuzzer for SMT Solvers

Periodic Properties: Groups 5A, 6A, and 7A Group 5A Elements and SymbolsElement TypeState

Hack%Box%%with%DotDotPwn%Directory%Traversal%Fuzzer% · conducting! tests! with! the! powerfull fuzzer! tool! dotdotpwn! (), finda url!prone!to! Directory!Traversal, which

Typestate-Guided Fuzzer for Discovering Use-after-Free ... · in detecting memory-related vulnerabilities. Specially, AFL [47], libFuzzer [24] and the fuzzing infrastructure ClusterFuzz

Harvey: A Greybox Fuzzer for Smart Contracts · HARVEY: A Greybox Fuzzer for Smart Contracts Valentin Wustholz¨ ConsenSys Diligence, Germany [email protected] Maria

LZfuzz: a fast compression-based fuzzer for poorly documented protocolstrdata/reports/TR2008-634.pdf · 2013-12-23 · LZfuzz: a fast compression-based fuzzer for poorly documented

1 Lecture 08(b) – Typestate Verification Eran Yahav

SNOOZE: Toward a Stateful NetwOrk prOtocol fuzZEr - NMSL

Hyntrospect: a fuzzer for Hyper-V devices

Who am I? - NCC Group · PDF fileFile structure • /bin - Zulu ... crash • /fuzzdb - the fuzzer testcase files ... Import generator script . Select USB fuzzer . Fuzzer running