Post on 29-Jun-2020
AI Guided Fuzzing
Jonathon Martin
Supervisors: Charles Gretton, Alwen Tiu, Adrian Herrera
Presentation Outline:
1. A more specific project title
2. Explanation of specific title
3. Progress so far
4. Timeline for Semester 2
More specifically ...
"Machine learning (ML) for directed fuzzing with American Fuzzy Lop (AFL)"
ML for directed fuzzing with AFL
Jonathon Martin
Fuzzing
"Fuzzing is the process of finding security vulnerabilities in input-parsing code by repeatedly testing the parser with modified, or fuzzed, inputs."
Godefroid, Peleg, Singh (2017)
The Infinite Monkey Theorem
A million monkeys typing on a million typewriters will eventually replicate the works of Shakespeare.
The Infinite Input Theory
Running a program with every conceivable input will eventually uncover any possible crashes.
American Fuzzy Lop
American Fuzzy Lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary.
http://lcamtuf.coredump.cx/afl/
AFL Internal Representations
AFL uses a "bitmap" to represent the internal state of its target program during execution. An input generating a previously unseen bitmap is saved for continued fuzzing.
(Bitmap size: 65536 locations)
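An added example (not from the slides or from AFL's own source) showing the mechanism this slide describes: a 65536-location edge bitmap filled in AFL's style (edge index = current block id XOR shifted previous block id), and a campaign loop that saves an input only when its bitmap lights a location never seen before. The target parser, its block ids and the sample inputs are constructed for illustration; the new-coverage check is simplified and ignores AFL's hit-count bucketing.

```python
MAP_SIZE = 1 << 16  # AFL's bitmap has 65536 locations

# Constructed stand-ins for the random per-basic-block ids that afl-gcc injects at compile time.
BLOCK_IDS = {"entry": 0x0100, "bad_magic": 0x0200, "good_magic": 0x0400,
             "short": 0x0800, "loop": 0x1000, "overflow": 0x2000, "done": 0x4000}

class Tracer:
    """Stand-in for AFL's shared-memory bitmap: every executed edge bumps one location."""
    def __init__(self):
        self.bitmap = bytearray(MAP_SIZE)
        self.prev = 0

    def hit(self, block: str) -> None:
        cur = BLOCK_IDS[block]
        idx = (cur ^ self.prev) % MAP_SIZE      # edge id = cur XOR prev, as in AFL
        self.bitmap[idx] = (self.bitmap[idx] + 1) & 0xFF
        self.prev = cur >> 1                    # shift so A->B and B->A map differently

def toy_target(data: bytes, t: Tracer) -> None:
    """Constructed 'instrumented' parser: 2-byte magic, 1-byte length, body of that length."""
    t.hit("entry")
    if data[:2] != b"AF":
        t.hit("bad_magic")
        return
    t.hit("good_magic")
    if len(data) < 3:
        t.hit("short")
        return
    n = data[2]
    if n > 8:
        t.hit("overflow")                       # the path the slides label a crash
        raise ValueError("declared length exceeds the 8-byte buffer")
    for _ in data[3:3 + n]:
        t.hit("loop")
    t.hit("done")

def run_campaign(inputs):
    """Save an input only if its bitmap covers a location never seen before.
    Returns (saved_inputs, crashing_inputs)."""
    virgin = bytearray([1]) * MAP_SIZE          # 1 = location not yet covered by any input
    saved, crashes = [], []
    for data in inputs:
        t = Tracer()
        try:
            toy_target(data, t)
        except ValueError:
            crashes.append(data)
        new = False
        for i, count in enumerate(t.bitmap):
            if count and virgin[i]:
                virgin[i] = 0
                new = True
        if new:
            saved.append(data)
    return saved, crashes
```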
Progress so far ...
Dataset
Generated a labelled dataset of bitmaps produced by a modified AFL.
[Figure: a chain of inputs starting from a seed and ending in a crash; the inputs leading up to the crash are labelled "predecessors".]
Dataset Properties
Prediction
Predecessor bitmaps' principal components can be distinguished from other bitmaps using a logistic regression model with accuracy:
97.85%
Next steps ...
Build prediction model
Integrate model into AFL
See dramatic improvement in AFL's ability to find crashes ... maybe ...
Thank you!
Alwen Tiu, Charles Gretton, Adrian Herrera