Evaluating software vulnerabilities using fuzzing methods
-
Upload
victor-ionel -
Category
Technology
-
view
207 -
download
0
Transcript of Evaluating software vulnerabilities using fuzzing methods
Author(s)
Politehnica University of
Bucharest
Automatic Control and Computers
Faculty
Computer Science
Department
Scientific Advisor
Evaluating software vulnerabilities using fuzzing methods
Victor Varză [email protected]
As. Dr. Ing. Laura Gheorghe
Presentation Session - July 2013
Content
• Introduction
• Fuzzing
• Blackbox vs Whitebox
• Architecture of HybridFuzz
• Implementation
• Evaluation
• Conclusion
2 25.06.2013 SECITC Presentation Session - July 2013
Introduction
3
• Software security bugs can be very expensive:
– Cost of each Microsoft Security Bulletin: $Millions
– Cost due to worms (Slammer, CodeRed, Blaster, etc.): $Billions
• Most security exploits are initiated via files or packets
– Ex: Internet Explorer parses dozens of file formats
• Security vulnerabilities:
– Buffer overflows
– Segmentation faults
– Memory corruption
– NULL - pointer
– division-by-zero
25.06.2013 SECITC Presentation Session - July 2013
Fuzzing
• Automated testing of software applications
• Identify security vulnerabilities
• Automated test case generation
• Blackbox, whitebox, graybox
4
Blackbox Fuzzing
Speed Fast Slow
Code C
overa
ge
Low
H
igh
Static Analysis
Hybrid Fuzzing
Concolic Execution
Whitebox Fuzzing
25.06.2013 SECITC Presentation Session - July 2013
5
Blackbox vs Whitebox
Whitebox Blackbox Code exploration
25.06.2013 SECITC Presentation Session - July 2013
• Whitebox Is capable to discover all possible unique paths
Is not scalable for large programs
• Blackbox
Generates a wide number of random test cases
May explore deeper path of code
program branch
Blackbox vs Whitebox (2)
6
• TRUST (Team for Research in Ubiquitous Secure Technology)
• Catchconv (whitebox) - 279, 953 test cases; 304,936 errors (157 unique)
• Zzuf (Blackbox) - 962,402 test cases; 1,066,000 errors (456 unique)
• Mplayer, ImageMagick Convert, Adobe Flash Player and Antiword
© M.Aslani
25.06.2013 SECITC Presentation Session - July 2013
HybridFuzz - Architecture
7
SISTEM UNDER TEST
Path predicates
collector
KLEE
Input data generator PPL
Delivery mechanism Monitoring system
Zzuf
• KLEE - whitebox fuzzer developed by Stanford University, US
• PPL – mathematical library developed by University of Parma, Italy
• Zzuf – blackbox fuzzer developed by Caca Labs
25.06.2013 SECITC Presentation Session - July 2013
Path predicates collector
8
LLVM-GCC
C/C++ application
Bytecode
KLEE
KQuery files
• C/C++ application source code
• Compile using LLVM - GCC bytecode
• Symbolic execution using KLEE query constraints
25.06.2013 SECITC Presentation Session - July 2013
Input data generator
9
Parser
KQuery constraints
Linear inequations
PPL
Input space
• Query constraints Parser linear inequations
• Numerical abstraction and convex polyhedra
• Mixted integer linear programming problem
• PPL + MIP input space
25.06.2013 SECITC Presentation Session - July 2013
Delivery and monitoring module
10
• Zzuf - blackbox mutation based fuzzer
• Mutation ratio 0%
• Segmentation fault, memory corruption
25.06.2013 SECITC Presentation Session - July 2013
Evaluation
11
1 int test(unsigned int t_a, int t_b) {
2 unsigned int a = t_a; // unsigned byte
3 int b = t_b; // signed byte 4
5 if (a >= 20) {
6 if (b <= -80) {
7 printf("PATH 1\t");
8 printf("a=%d, b=%d\n", a, b);
9 return 1;
10 } 11
12 printf("PATH 2\t");
13 printf("a=%d, b=%d\n", a, b);
14 return 2;
15 } 16
17 printf("PATH 3\t");
18 printf("a=%d, b=%d\n", a, b);
19 return -1;
20 } 21
query [(Ult 19 (ReadLSB w32 0 a))
(Eq false (Sle (ReadLSB w32 0 b) 4294967216))
]
19 < a
b > -79
Symbolic execution with KLEE
Query constraints to linear inequalities
Create input space with
PPL
25.06.2013 SECITC Presentation Session - July 2013
Evaluation (2)
12
Instrs Time(s) ICov(%) BCov(%) ICount
45 0.44 75.00 100.00 60
• Instrs - number of executed instructions
• Time - total time
• ICov - percentage of LLVM instructions that were covered
• BCov - percentage of branches that were covered
• ICount - total static instructions in the LLVM bitcode
• x86 architecture: int = 4 bytes
• Max number of tests case for PATH 2: 2147483627 x 2147483727 = 4611686142981437829
25.06.2013 SECITC Presentation Session - July 2013
Evaluation (3)
13
Coreutils code coverage
App Instrs Time(s) ICov(%) BCov(%) ICount
tr 974109 20.97 22.98 15.40 26697
ls 7581376 79.32 21.89 14.93 47197
seq 2080054 260.34 35.47 23.90 24445
mknod 566278 6.29 27.86 18.61 24137
25.06.2013 SECITC Presentation Session - July 2013
Conclusion
14
• Variable input length
• Input source (network sockets)
• Parallel execution (pipeline execution)
• Distributed architecture
25.06.2013 SECITC Presentation Session - July 2013
15
Thank you!
SECITC Presentation Session - July 2013 25.06.2013