· Author: Daniel Teuchert Created Date: 2/26/2019 4:37:45 PM

Fishing for Deep Bugs with Grammars

Daniel Teuchert

Fuzzing

Daniel Teuchert

Fuzzing1

Daniel Teuchert

Fuzzing1

Daniel Teuchert

Fuzzing1

Daniel Teuchert

Fuzzing

Daniel Teuchert

Fuzzing1

Daniel Teuchert

if !input.parse() { exit()}

if !input.check() { exit()}

do_stuff()

Daniel Teuchert

do_stuff()

Daniel Teuchert

do_stuff()

Daniel Teuchert

do_stuff()

Daniel Teuchert

do_stuff()

Daniel Teuchert

Grammars +

Feedback

Context-Free GrammarsPROG → STMTPROG → STMT ; PROGSTMT → return 1STMT → VAR = EXPR

VAR → aEXPR →EXPR → EXPR + EXPR

→ 1 | 2

= EXPR

Daniel Teuchert

Grammars +

Feedback

Context-Free Grammars

PROG → STMTPROG → STMT ; PROGSTMT → return 1STMT → VAR = EXPR

→ 1 | 2

= EXPR

Daniel Teuchert

Grammars +

Feedback

→ 1 | 2

= EXPR

Daniel Teuchert

Grammars +

Feedback

→ 1 | 2

= EXPR

Daniel Teuchert

Grammars +

Feedback

→ 1 | 2

= EXPR

Daniel Teuchert

Grammars +

Feedback

→ 1 | 2

= EXPR

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

𝑆 → 𝑥𝐴 | 𝑦𝑆𝐴 → 𝑦𝐴 | 𝑧𝐵𝐵 → 𝑧

Feedback

NAUTILUS

InstrumentationSource

Genera�on:

-Naive Genera�on

→ 1 | 2

-Uniform Genera�on

Minimiza�on:

-Subtree Minimiza�on

= EXPR

Subtree Minimiza�on

return 1

-Recursion Minimiza�on

= EXPR

+ EXPR

= EXPR

Recursive Minimiza�on

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

Random Recursive Mutation

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Design of Nautilus

InstrumentedBinary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Genera�on:

-Naive Genera�on

→ 1 | 2

Minimiza�on:

= EXPR

return 1

= EXPR

+ EXPR

= EXPR

Muta�on:

-Random

-Rules

-Random Recursive

= EXPR

+ EXPR

= EXPR

+ EXPR

-Splicing

= EXPR

+ EXPR

= EXPR

AFL Mutation

Daniel Teuchert

Evaluation

Targets:

-mruby-PHP-lua-ChackraCore

Baseline AFL IFuzzer Nautilus15.0%

ChakraCore

Baseline AFL Nautilus25.0%

70.0%Lua

vs. AFL / IFuzzer

Baseline No feedback Naive gen Uniform gen15.0%

ChakraCore

Configurations

03m 6m 9m 12m

51m 1h

5m 2h2h

45m 3h

0m 4h4h

30m 5h

0m 6h 7h 8h 9h 10h

GenerationSubtree Min.Recursion Min.Rules MutationAFL MutationSplicing MutationRandom MutationRandom Rec. Mut.

ObjectSpace.each do |a| begin a.method(...) rescue end end

Bugs?mruby:CVE-2018-10191: UAFCVE-2018-10199: UAFCVE-2018-11743: Use of Uninitialized PointerCVE-2018-12249: SEGVCVE-2018-12247: SEGVCVE-2018-12248: Heap Buffer OverflowStack Overflow

PHP:Division by ZeroSEGVStack Overflow

lua:UAF

ChakraCore:OOM Crash

Daniel Teuchert

Evaluation

Targets:

ChakraCore

70.0%Lua

vs. AFL / IFuzzer

ChakraCore

Configurations

03m 6m 9m 12m

51m 1h

5m 2h2h

45m 3h

0m 4h4h

30m 5h

0m 6h 7h 8h 9h 10h

lua:UAF

Daniel Teuchert

EvaluationTargets:

ChakraCore

70.0%Lua

vs. AFL / IFuzzer

ChakraCore

Configurations

03m 6m 9m 12m

51m 1h

5m 2h2h

45m 3h

0m 4h4h

30m 5h

0m 6h 7h 8h 9h 10h

lua:UAF

Daniel Teuchert

EvaluationTargets:

ChakraCore

70.0%Lua

vs. AFL / IFuzzer

ChakraCore

Configurations

03m 6m 9m 12m

51m 1h

5m 2h2h

45m 3h

0m 4h4h

30m 5h

0m 6h 7h 8h 9h 10h

lua:UAF

Daniel Teuchert

EvaluationTargets:

ChakraCore

70.0%Lua

vs. AFL / IFuzzer

ChakraCore

Configurations

03m 6m 9m 12m

51m 1h

5m 2h2h

45m 3h

0m 4h4h

30m 5h

0m 6h 7h 8h 9h 10h

lua:UAF

Daniel Teuchert

EvaluationTargets:

ChakraCore

70.0%Lua

vs. AFL / IFuzzer

ChakraCore

Configurations

03m 6m 9m 12m

51m 1h

5m 2h2h

45m 3h

0m 4h4h

30m 5h

0m 6h 7h 8h 9h 10h

lua:UAF

Daniel Teuchert

EvaluationTargets:

ChakraCore

70.0%Lua

vs. AFL / IFuzzer

ChakraCore

Configurations

03m 6m 9m 12m

51m 1h

5m 2h2h

45m 3h

0m 4h4h

30m 5h

0m 6h 7h 8h 9h 10h

mruby:CVE-2018-10191: UAFCVE-2018-10199: UAFCVE-2018-11743: Use of Uninitialized PointerCVE-2018-12249: SEGVCVE-2018-12247: SEGVCVE-2018-12248: Heap Buffer OverflowStack Overflow

lua:UAF

Daniel Teuchert

EvaluationTargets:

ChakraCore

70.0%Lua

vs. AFL / IFuzzer

ChakraCore

Configurations

03m 6m 9m 12m

51m 1h

5m 2h2h

45m 3h

0m 4h4h

30m 5h

0m 6h 7h 8h 9h 10h

mruby:CVE-2018-10191: UAFCVE-2018-10199: UAFCVE-2018-11743: Use of Uninitialized PointerCVE-2018-12249: SEGVCVE-2018-12247: SEGVCVE-2018-12248: Heap Buffer OverflowStack Overflow

lua:UAF

Daniel Teuchert

EvaluationTargets:

ChakraCore

70.0%Lua

vs. AFL / IFuzzer

ChakraCore

Configurations

03m 6m 9m 12m

51m 1h

5m 2h2h

45m 3h

0m 4h4h

30m 5h

0m 6h 7h 8h 9h 10h

lua:UAF

Daniel Teuchert

EvaluationTargets:

ChakraCore

70.0%Lua

vs. AFL / IFuzzer

ChakraCore

Configurations

03m 6m 9m 12m

51m 1h

5m 2h2h

45m 3h

0m 4h4h

30m 5h

0m 6h 7h 8h 9h 10h

lua:UAF

Daniel Teuchert

EvaluationTargets:

ChakraCore

70.0%Lua

vs. AFL / IFuzzer

ChakraCore

Configurations

03m 6m 9m 12m

51m 1h

5m 2h2h

45m 3h

0m 4h4h

30m 5h

0m 6h 7h 8h 9h 10h

lua:UAF

Daniel Teuchert

Conclusion

- Grammars & Feedback ++

- Splicing is important!

Daniel Teuchert

Conclusion

Daniel Teuchert

Conclusion

Daniel Teuchert

OverviewGeneration

Minimization

MutationsInstrumented

Binary

Parser

InputGeneration

Minimization

Mutation

Scheduler

trigger

Grammar

Feedback

NAUTILUS

Daniel Teuchert

· Author: Daniel Teuchert Created Date: 2/26/2019 4:37:45 PM

Documents

15/7/37 English Daniel Curley Papers, 1932-91 · 15/7/37 Liberal Arts and Sciences English Daniel Curley Papers, 1932-91 Table of Contents MATERIAL PAGES BOXES Correspondence, 1956-61

A Pipelined IP Address Lookup Module for 100Gbps Line ...content.ikr.uni-stuttgart.de/Content/Publications/Archive/Hg_teuchert... · Domenic Teuchert and Simon Hauger Institute of

RESULTS BOOK - tirolimpico.orgRPSH+GER+2016+Results+Book.pdf · RESULTS BOOK . Index . ... Martin TEUCHERT, GER : Range Officer . Gerhard ANGERMANN, GER : Range Officer . ... Karl-Heinz

TTB week 37 - Daniel, Ezra and Ps. 137files.downvictoryrd.com/200000128-12e8e13e2f/TTB... · Title: Microsoft Word - TTB week 37 - Daniel, Ezra and Ps. 137 Author: Kayann Created

Issue Number 37 February 2000...Gavin’s Woodpile – The Bruce Cockburn Newsletter Edited by Daniel Keebler Issue Number 37 February 2000 Success Without Compromise The following

· Stewart Service Trauma 25 36 Trauma 37 37 Trauma 38 38 Trauma 41 39 Daniel Sherington Hippo in Plastic (Summer Inﬂation) 40 ... INKJET PRINT ON ARCHES PAPER 36. Stewart Service

Prelude in D Minor - Fugue in a Minor (Teuchert)

September 2019 Fire Fighter Advisory committee meeting ... 4. 37 TAC, A motion was made by Jason Collier and seconded by Daniel Buford to accept the Chapter 429 amendments to 37 TAC,

Andreas Teuchert, Arrow Central Europe GmbH Munich, 21st January, 2014 Encryption Export Controls

Yamaha News,ENG,No.4,2001,8月,8月,Wet and Wind and ... · Assen,MotoGP,Max Biaggi,Assen,Norick Abe,Shinya Nakano,Teuchert wins hot contest at Misano,WSS,J. G. Teuchert,Misano,James

BWV 997, Lute Suite No 2, Ar Teuchert

DANIEL CAFE-RI-A Graphic Oesiller · DANIEL CAFE-RI-A Graphic Oesiller . Title: Daniel LaFerla - Resume Created Date: 7/7/2018 3:55:37 PM

Barroco Teuchert

DANIEL Daniel, Daniel, Daniel, Daniel. Daniel in the La la la la Daniel in the Lions, Daniel in the Lions, Daniel in the lions Den. 3x

Navigating the motivic world Daniel Dugger · 2012. 1. 10. · Chapter 2. Topological interlude: the cohomology of algebraic varieties 37 1. Lefschetz theory 37 2. The Hard Lefschetz

Nature Genetics 37, 77 - 83 (2004) Modular epistasis in yeast metabolism Daniel Segr � 1, Alexander DeLuna2, George M Church1 & Roy Kishony2

USAW-NJ Kids Qualifier N. Burlington Tot 37 · USAW-NJ Kids Qualifier N. Burlington Tot 37. XXXXX Daniel Sharp Williamstown Mighty Braves BYE 1 Dane Gounaris Mat warriors Isaiah Stinger

Daniel Negreanu and Phil Ivey (Round 37)

Teuchert€¦ · Bearbeitung: Heinz Teuchert i Edition RICORDI i m . cresc. im i m Edition RICORDI i m sys 2251 P i m i m i P m P . 10 Matteo Carcassi (1792-1853) Carcassi war ein

15/7/37 English Daniel Curley Papers, 1932-91