Grimoire: Synthesizing Structure while Fuzzing
Usenix Security 2019, Santa Clara, August 16, 2019
Tim Blazytko, Cornelius Aschermann, Moritz Schlögel, Ali Abbasi, Sergej Schumilo, Simon Wörner, and Thorsten Holz
Chair for Systems Security, Ruhr-Universität Bochum
Goal: Finding bugs in programs expecting structured input
libxml2
Tiny C Compiler
JavaScriptCore
Boolector
Let’s fuzz!
First attempt: Blind fuzzing
Figure: the input state space, divided into an interesting area and an uninteresting area.
Can we do better?
Coverage-guided fuzzing
Program instrumentation
Figure: instrumented program next to its coverage bitmap, whose entries are 0 or 1.
Small-scale mutations
• Bitflips
• Simple arithmetic
• Force specific, “interesting” values
• Havoc: “random” mutations
• Repetition
• Splicing
Worked examples from the slides (nibbles shown in hex and binary):
Bitflips: A B C D (1010 1011 1100 1101) → B A D C (1011 1010 1101 1100)
Simple arithmetic, +8: B A D C (1011 1010 1101 1100) → B A E 4 (1011 1010 1110 0100)
“Interesting” values: B A E 4 → B A E 0 (1011 1010 1110 0000)
Havoc: A B C D (1010 1011 1100 1101) → B A D 0 (1011 1010 1101 0000)
Repetition: A B (1010 1011) → A B A B (1010 1011 1010 1011)
Splicing: A B C D (1010 1011 1100 1100) spliced with 1010 1011 1100 1101 → B A D 0
Observation: Mutations modify the input only slightly
While this input works well ...
Figure: od-style octal dump of a binary input (it starts with the PDF header %PDF-1.5), followed by the same dump with a handful of words altered by mutation.
Small-scale mutations
Figure: state space (interesting vs. uninteresting area) with the region reachable by coverage-guided mutations marked.
Observation: Mutations modify the input only slightly
Caveat: Not all programs are equal
... this one is problematic

```python
def some_function(self):
    s = "hi mom! "
    if self.famous:
        return s + "I'm famous!"
    else:
        self.confidence = 0
        return s + "*crying*"
```

After a few byte-level mutations the same input no longer parses:

```
deb1some_functioasdflf):s = "hi mom! "if ? ?``famous:
reABCDEFGH "I'm famous!"else:
self.confidence = 0return s + 0000ying*"
```

Insight: Mutation requires input’s structure
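An added example, not from the slides or the Grimoire project, covering both the small-scale mutation list above and this problematic input: the mutations as byte operations, run against the slide's Python function with `ast.parse` standing in for "still reaches the interesting code". The sample input is constructed from the slide; `bitflip`, `arith`, `havoc` and `survival_rate` are names assumed here.

```python
import ast
import random

# Constructed sample: the Python function from the slide, as the raw bytes a fuzzer mutates.
SEED_INPUT = b'''def some_function(self):
    s = "hi mom! "
    if self.famous:
        return s + "I'm famous!"
    else:
        self.confidence = 0
        return s + "*crying*"
'''

# AFL-style "interesting" byte values that get forced into the input.
INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)


def bitflip(data: bytes, pos: int, bit: int) -> bytes:
    """Flip one bit of the byte at pos (slide: A B -> B A flips bit 0 of each nibble)."""
    out = bytearray(data)
    out[pos] ^= 1 << bit
    return bytes(out)


def arith(data: bytes, pos: int, delta: int) -> bytes:
    """Add a small delta to one byte, wrapping modulo 256 (slide: 0xDC + 8 -> 0xE4)."""
    out = bytearray(data)
    out[pos] = (out[pos] + delta) & 0xFF
    return bytes(out)


def force_interesting(data: bytes, pos: int, value: int) -> bytes:
    """Overwrite one byte with an interesting value (slide: E 4 -> E 0)."""
    out = bytearray(data)
    out[pos] = value
    return bytes(out)


def repeat(data: bytes, start: int, end: int) -> bytes:
    """Duplicate the slice data[start:end] in place (slide: A B -> A B A B)."""
    return data[:end] + data[start:end] + data[end:]


def splice(a: bytes, b: bytes, cut_a: int, cut_b: int) -> bytes:
    """Join the head of one input to the tail of another."""
    return a[:cut_a] + b[cut_b:]


def havoc(data: bytes, rng: random.Random, rounds: int = 4) -> bytes:
    """Stack a few random small-scale mutations, the way a havoc stage does."""
    for _ in range(rounds):
        pos = rng.randrange(len(data))
        kind = rng.randrange(4)
        if kind == 0:
            data = bitflip(data, pos, rng.randrange(8))
        elif kind == 1:
            data = arith(data, pos, rng.randrange(-35, 36))
        elif kind == 2:
            data = force_interesting(data, pos, rng.choice(INTERESTING))
        else:
            data = repeat(data, pos, min(len(data), pos + rng.randrange(1, 8)))
    return data


def parses(data: bytes) -> bool:
    """Does the mutant still get past Python's parser? Stand-in for 'reaches deep code'."""
    try:
        ast.parse(data.decode("utf-8"))
        return True
    except (SyntaxError, ValueError, UnicodeDecodeError):
        return False


def survival_rate(data: bytes, trials: int = 200, seed: int = 1) -> float:
    """Fraction of havoc mutants that the parser still accepts (seeded, so repeatable)."""
    rng = random.Random(seed)
    return sum(parses(havoc(data, rng)) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("seed parses:", parses(SEED_INPUT))
    print("fraction of havoc mutants that still parse:", survival_rate(SEED_INPUT))
```

Most byte-level mutants of source code die in the parser, which is the gap that the structure-aware mutations later in the talk are meant to cross.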
Small-scale mutations
Figure: state space with the region reachable by coverage-guided mutations marked.
How to cross large gaps?
Solution: Grammar-based fuzzing
Large-scale mutations
Figure: state space with the region reachable by grammar-based mutations marked.
Now crossing large gaps!
Problem: Creating a grammar requires human effort
Our approach
Grimoire: Best of both worlds
• Learn structure of inputs via fuzz testing
• Apply large-scale mutations on learned structures
• Profit!
Input generalization (□ marks a gap: a part of the input the target does not care about)
pprint 'aaaa'
split: |pp|ri|nt|_'|aa|aa|'|
Remove one chunk at a time; a chunk becomes a gap only if the input still triggers the coverage that made it interesting:
rint 'aaaa' (pp removed) → keep pp
ppnt 'aaaa' (ri removed) → keep ri
ppri 'aaaa' (nt removed) → keep nt
pprintaaaa' (_' removed) → keep _'
pprint 'aa' (aa removed) → gap
pprint 'aaaa (' removed) → keep '
generalize: pprint '□'

if(x>1) then x=3 end
split: if(x>1)|then|x=3|end
generalize: if(x>1) then □ end
Why do we generalize inputs?
Structure-dependent mutations on the generalized inputs if(x>1) then □ end and pprint '□':
pick input: if(x>1) then □ end
select gap: if(x>1) then □ end
replace gap: if(x>1) then pprint '□' end
Input extension
concat the generalized inputs pprint '□' and x=□y+□:
pprint '□'x=□y+□
x=□y+□pprint '□'
Recursive replacement
Generalized inputs: pprint '□', if(x>1) then □ end, x=□y+□
if(x>1) □
if(x>1) pprint '□'
if(x>1) pprint ' x=□y+□ '
Concrete input sent to the target (gaps dropped): if(x>1) pprint 'x=y+'
String replacement
Input pprint 'aaaa', with eval as a known string
replace pprint with eval: eval 'aaaa'
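The three large-scale mutations (input extension, recursive replacement, string replacement) plus the gap replacement from the "Why do we generalize inputs?" slide, as an added example that is not the authors' code. Generalized inputs are token lists with a `GAP` sentinel; the pool of generalized inputs and the strings dictionary are constructed from the slides, and `extend`, `replace_gap`, `recursive_replacement`, `replace_string` and `mutate` are names assumed here.

```python
import random

GAP = None  # sentinel for a gap in a generalized input

# Constructed pool of generalized inputs, as on the slides.
POOL = [
    ["pprint '", GAP, "'"],
    ["if(x>1) then ", GAP, " end"],
    ["x=", GAP, "y+", GAP],
]

# Constructed strings dictionary (in practice harvested from the target).
STRINGS = ["pprint", "eval", "then", "end"]


def render(tokens, gap="\u25a1"):
    """Human-readable form with gaps shown as boxes."""
    return "".join(gap if t is GAP else t for t in tokens)


def concrete(tokens):
    """What is actually sent to the target: gaps are dropped."""
    return "".join(t for t in tokens if t is not GAP)


def gap_positions(tokens):
    return [i for i, t in enumerate(tokens) if t is GAP]


def extend(a, b):
    """Input extension: concatenate two generalized inputs (slide: concat)."""
    return list(a) + list(b)


def replace_gap(a, b, gap_index):
    """Replace the gap at gap_index in a with the whole generalized input b."""
    return list(a[:gap_index]) + list(b) + list(a[gap_index + 1:])


def recursive_replacement(a, pool, rng, max_depth=3):
    """Fill a random gap with a pool entry (which brings its own gaps), repeat."""
    tokens = list(a)
    for _ in range(max_depth):
        gaps = gap_positions(tokens)
        if not gaps:
            break
        tokens = replace_gap(tokens, rng.choice(pool), rng.choice(gaps))
    return tokens


def replace_string(tokens, old, new):
    """String replacement: swap one known string for another in the first
    non-gap token containing it (slide: pprint 'aaaa' -> eval 'aaaa')."""
    out = list(tokens)
    for i, t in enumerate(out):
        if t is not GAP and old in t:
            out[i] = t.replace(old, new, 1)
            break
    return out


def random_string_replacement(tokens, strings, rng):
    """Randomized form: pick a dictionary string present in the input and swap it."""
    present = [s for s in strings if any(t is not GAP and s in t for t in tokens)]
    if not present:
        return list(tokens)
    old = rng.choice(present)
    new = rng.choice([s for s in strings if s != old])
    return replace_string(tokens, old, new)


def mutate(a, pool, strings, rng):
    """One round of large-scale mutation on a generalized input."""
    kind = rng.randrange(3)
    if kind == 0:
        other = rng.choice(pool)
        return extend(a, other) if rng.random() < 0.5 else extend(other, a)
    if kind == 1:
        return recursive_replacement(a, pool, rng)
    return random_string_replacement(a, strings, rng)


def recursive_demo(seed=7):
    """Deterministic recursive replacement starting from if(x>1) then □ end."""
    return recursive_replacement(POOL[1], POOL, random.Random(seed))


if __name__ == "__main__":
    rng = random.Random(7)
    for _ in range(5):
        m = mutate(POOL[1], POOL, STRINGS, rng)
        print(render(m), "->", repr(concrete(m)))
```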
Evaluation
Common fuzzers vs. Grimoire
We outperform AFL, QSYM, Angora, ... on almost all targets
Table: per-target results (check marks for most targets and one cross); rows include libxml2, Tiny C Compiler and Boolector.
Evaluation
Grammar-based fuzzer vs. Grimoire
Comparison to a grammar-based fuzzer
Figure: number of basic blocks (#BBs) covered over time; legend: Grammar fuzzer, Grimoire.
Grammar fuzzer >> Grimoire
Using a grammar-based fuzzer as seed
Figure: #BBs over time, with the grammar fuzzer's output used as seed; legend: Grammar fuzzer, Grimoire + Seed.
Grammar fuzzer < Grimoire + Seed
Conclusion
Take-aways
• Fuzzing structured inputs
• Common fuzzers: Small-scale mutations
• Grammar-based: Large-scale mutations
• Grimoire:
• Inference of input structure
• Large-scale mutations (extension, recursive replacement, string replacement)
• Real-world impact: 11 CVEs assigned
Thank you!