Background Symbolic Execution Whitebox Fuzzing Summary
CS 6V81-05: System Security and Malicious Code Analysis
Symbolic Execution and Whitebox Fuzzing
Zhiqiang Lin
Department of Computer Science, University of Texas at Dallas
April 9th, 2012
Outline
1 Background
2 Symbolic Execution
3 Whitebox Fuzzing
4 Summary
Software security bugs can be very expensive
1. Cost of each Microsoft Security Bulletin: $Millions
2. Cost due to worms (Slammer, CodeRed, Blaster, etc.): $Billions
3. Many security exploits are initiated via files or packets
   Ex: MS Windows includes parsers for hundreds of file formats
4. 0-day vulnerability means money/weapon
Security testing: “hunting for million-dollar bugs”
Hunting for Security Bugs
Black hat
1. Code inspection (of binaries)
2. Blackbox fuzz testing

Blackbox fuzz testing
1. A form of blackbox random testing [Miller+90]
2. Randomly fuzz (= modify) a well-formed input
3. Grammar-based fuzzing: rules that encode "well-formed"ness + heuristics about how to fuzz (e.g., using probabilistic weights)

Black-box fuzzing has been heavily used in security testing. Simple yet effective: many bugs found this way.
Blackbox Fuzzing
Examples
1. Peach, Protos, Spike, Autodafe, etc.

Why so many blackbox fuzzers? Because anyone can write (a simple) one in a weekend!
Conceptually simple, yet effective
Sophistication is in the "add-on":
Test harnesses (e.g., for packet fuzzing)
Grammars (for specific input formats)

No principled test generation:
No attempt to cover each state/rule in the grammar
When probabilities are used, no global optimization (simply random walks)
Introducing Whitebox Fuzzing
Idea: mix fuzz testing with dynamic test generation
1. Symbolic execution
2. Collect constraints on inputs
3. Negate those, solve with a constraint solver, generate new inputs
4. Do "systematic dynamic test generation" (= DART)

Whitebox Fuzzing = "DART meets Fuzz"
Foundation: DART (Directed Automated Random Testing)
Key extensions ("Whitebox Fuzzing") implemented in SAGE [NDSS'08]
What is symbolic execution
"Symbolic execution and program testing", King [Comm. ACM 1976], cited by 960
Analysis of programs with unspecified inputs
Execute a program on symbolic inputs
Symbolic states represent sets of concrete states
Insight: code can generate its own test cases
A Complete Code Example/Demo with BitBlaze
Input
    #include <stdio.h>

    FILE *fp;

    int main()
    {
        char buffer[10];
        char a, b;
        scanf("%9s", buffer);            /* width bound added: the slide's plain "%s" can overflow buffer[10] */
        fp = fopen("/boot/input", "r");  /* the file whose content the analysis must generate */
        fscanf(fp, "%c%c", &a, &b);      /* a and b are the two input bytes treated symbolically */
        fclose(fp);
        if (a == 'x')                    /* cmpb $0x78,-0x19(%ebp) in the listing below */
        {
            printf("WE ARE IN X\n");
            if (b == 'y')                /* cmpb $0x79,-0x1a(%ebp) */
                printf("WE ARE IN Y\n");
        }
        return 0;
    }

Assembly
    080481f4 <main>:
     80481f4: 55                      push   %ebp
     80481f5: 89 e5                   mov    %esp,%ebp
     80481f7: 83 ec 38                sub    $0x38,%esp
     80481fa: 83 e4 f0                and    $0xfffffff0,%esp
     ...
     8048243: 8d 45 e7                lea    -0x19(%ebp),%eax
     8048246: 89 44 24 08             mov    %eax,0x8(%esp)
     804824a: c7 44 24 04 f9 5f 0a    movl   $0x80a5ff9,0x4(%esp)
     8048251: 08
     8048252: a1 18 50 0c 08          mov    0x80c5018,%eax
     8048257: 89 04 24                mov    %eax,(%esp)
     804825a: e8 71 0c 00 00          call   8048ed0 <__fscanf>
     804825f: a1 18 50 0c 08          mov    0x80c5018,%eax
     8048264: 89 04 24                mov    %eax,(%esp)
     8048267: e8 64 0d 00 00          call   8048fd0 <_IO_fclose>
     804826c: 80 7d e7 78             cmpb   $0x78,-0x19(%ebp)
     8048270: 75 1e                   jne    8048290 <main+0x9c>
     8048272: c7 04 24 fe 5f 0a 08    movl   $0x80a5ffe,(%esp)
     8048279: e8 02 0b 00 00          call   8048d80 <_IO_printf>
     804827e: 80 7d e6 79             cmpb   $0x79,-0x1a(%ebp)
     8048282: 75 0c                   jne    8048290 <main+0x9c>
     8048284: c7 04 24 0b 60 0a 08    movl   $0x80a600b,(%esp)
     804828b: e8 f0 0a 00 00          call   8048d80 <_IO_printf>
     8048290: b8 00 00 00 00          mov    $0x0,%eax
     8048295: c9                      leave
     8048296: c3                      ret
Goal
The system needs to automatically generate the input for /boot/input, with the content below.
/boot/input: xy000
SAT Problem
SAT
In computer science, satisfiability (often written in all capitals or abbreviated SAT) is the problem of determining if the variables of a given Boolean formula can be assigned in such a way as to make the formula evaluate to TRUE.

In complexity theory, the satisfiability problem (SAT) is a decision problem, whose instance is a Boolean expression written using only AND, OR, NOT, variables, and parentheses. The question is: given the expression, is there some assignment of TRUE and FALSE values to the variables that will make the entire expression true?
Decision Problem
Definition
In computability theory and computational complexity theory, a decision problem is a question in some formal system with a yes-or-no answer, depending on the values of some input parameters.
Basic Concepts
Literal
A literal p is a variable x or its negation ¬x.

Clause
A clause C is a disjunction of literals: x1 ∨ x2 ∨ x3

CNF
A CNF is a conjunction of clauses: (x2 ∨ x41 ∨ x15) ∧ (x6 ∨ x2) ∧ (x31 ∨ x41 ∨ x6 ∨ x156)
SAT is a NP-complete problem
SAT Problem
The SAT problem is:
1. Find a boolean assignment
2. such that each clause has a true literal

First problem shown to be NP-complete (1971)
Yices Example/Demo
    #include <stdio.h>
    #include "yices_c.h"

    int main()
    {
        yices_context ctx = yices_mk_context();
        yices_type ty = yices_mk_type(ctx, "int");
        yices_var_decl xdecl = yices_mk_var_decl(ctx, "x", ty);
        yices_var_decl ydecl = yices_mk_var_decl(ctx, "y", ty);
        yices_expr x = yices_mk_var_from_decl(ctx, xdecl);
        yices_expr y = yices_mk_var_from_decl(ctx, ydecl);
        yices_expr n1 = yices_mk_num(ctx, 2);
        yices_expr n2 = yices_mk_num(ctx, 1);
        yices_expr args[2];
        args[0] = x; args[1] = n1;
        yices_expr e1 = yices_mk_sum(ctx, args, 2);   // x + 2
        args[0] = y; args[1] = n2;
        yices_expr e2 = yices_mk_sub(ctx, args, 2);   // y - 1
        yices_expr c1 = yices_mk_le(ctx, e1, e2);     // x + 2 <= y - 1
        yices_assert(ctx, c1);
        switch (yices_check(ctx)) {
        case l_true: {            /* braces needed: C does not allow a declaration right after a case label */
            printf("satisfiable\n");
            yices_model m = yices_get_model(ctx);
            yices_display_model(m);
            break;
        }
        case l_false:
            printf("unsatisfiable\n");
            break;
        default:                  /* l_undef: the solver could not decide */
            printf("unknown\n");
            break;
        }
        return 0;
    }

The same problem in the Yices input language:
    (define x::int)
    (define y::int)
    (assert (<= (+ x 2) (- y 1)))
    (check)

Result
    satisfiable
    (= x -3)
    (= y 0)
STP Example
Input
    x0 : BITVECTOR(8);
    x1 : BITVECTOR(8);
    x2 : BITVECTOR(8);
    x3 : BITVECTOR(8);
    QUERY(NOT(NOT((~((IF (((x3@(x2@(x1@x0))) = 0h64616221)) THEN (0b1) ELSE (0b0) ENDIF)) = 0b1))));

Result
    Invalid.
    ASSERT( x3 = 0hex64 );
    ASSERT( x0 = 0hex21 );
    ASSERT( x2 = 0hex61 );
    ASSERT( x1 = 0hex62 );
STP Example
Input
    ...
    char x, y;
    if (x * y == 16)
    ...

Path Constraint (the closing parenthesis missing on the slide is restored)
    x : BITVECTOR(8);
    y : BITVECTOR(8);
    QUERY(NOT(BVMULT(8, x, y) = 0h10));

Results
    Invalid.
    ASSERT( y = 0hex05 );
    ASSERT( x = 0hexD0 );
Mostly used SMT Solvers
Z3
A high-performance theorem prover being developed at Microsoft Research. Z3 supports linear real and integer arithmetic, fixed-size bit-vectors, extensional arrays, uninterpreted functions, and quantifiers.

Yices
An efficient SMT solver that decides the satisfiability of arbitrary formulas containing uninterpreted function symbols with equality, linear real and integer arithmetic, scalar types, recursive datatypes, tuples, records, extensional arrays, fixed-size bit-vectors, quantifiers, and lambda expressions.
MiniSmt
MiniSmt is a simple SMT solver for non-linear arithmetic based on MiniSat and Yices.

CVC3
CVC3 is an automatic theorem prover for Satisfiability Modulo Theories (SMT) problems. It can be used to prove the validity (or, dually, the satisfiability) of first-order formulas in a large number of built-in logical theories and their combination.
STP
STP is a constraint solver (also referred to as a decision procedure or automated prover) aimed at solving constraints generated by program analysis tools, theorem provers, automated bug finders, biology, cryptography, intelligent fuzzers and model checkers. STP has been used in many research projects at Stanford, Berkeley, MIT, CMU and other universities.
Symbolic Execution
For each path, build a path condition
Condition on the inputs for the execution to follow that path
Check path condition satisfiability (SAT problem), explore only feasible paths
When the execution path diverges, fork, adding constraints on symbolic values
When we terminate (or crash), use a constraint solver to generate concrete input

Symbolic state
Symbolic values/expressions for variables
Path condition
Program counter
Symbolic execution: example
(Figure sequence reproduced from Gabriel Campana's "Fuzzgrind: an automatic fuzzing tool", slides 10–25; only the input shown at each stage survives here.)
input = "\x06\x00\x00\x00\x0f\x00\x00\x00"
input = "\x28\x00\x00\x00\x0f\x00\x00\x00"
input = "\x28\x00\x00\x00\x21\x00\x00\x00"
In courtesy of Gabriel Campana for this great example
Fuzzing
Basic Idea
Search for software implementation errors by injecting invalid data

Test generation
Random
Input mutation
Model-based
Fuzzing
How it works
Make fuzzing completely automatic:
Give a target program and an input,
New inputs are generated automatically,
Wait for crashes.
Tools for fuzzing
Open Source
Sulley http://code.google.com/p/sulley
SPIKE http://www.immunitysec.com/resources-freesoftware.shtml
Peach Fuzzing http://peachfuzz.sourceforge.net
...

Academia
Whitebox Fuzzing [NDSS 2008]
IntScope [NDSS 2009]
SmartFuzz [USENIX Security 2009]
BuzzFuzz [ICSE 2009]
Checksum-aware Fuzz [Oakland 2010]
...
Whitebox Fuzzing
Insight
Use of algebraic expressions to represent the variable values throughout the execution of the program.

Basic Idea
Symbolically execute the target program on a given input,
Analyze the execution path and extract the path conditions that depend on the input,
Negate each path condition,
Solve the constraints and generate new test inputs.
This algorithm is repeated until all execution paths are (ideally) covered.
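The negate-and-solve loop described in "Introducing Whitebox Fuzzing", on the "Symbolic Execution" slide and in the Basic Idea above, as an added example that is not part of the original slides nor of BitBlaze, SAGE or Fuzzgrind: the program under test is the slide's a == 'x' / b == 'y' demo rewritten in Python so that every comparison on an input byte is logged, and `solve` is an assumed toy solver (standing in for STP or Yices) that only understands byte equalities and disequalities.

```python
# Added example (not BitBlaze, SAGE or Fuzzgrind code): a miniature DART/SAGE-style
# generational search. The program under test re-expresses the slide's a=='x' / b=='y'
# demo as a Python function whose comparisons on input bytes are logged, not forgotten.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Cond = Tuple[int, int, bool]  # (input byte index, constant compared against, branch taken?)


@dataclass
class Trace:
    """What one concrete run leaves behind: its path condition and its observable output."""
    conds: List[Cond] = field(default_factory=list)
    output: List[str] = field(default_factory=list)


class SymByte:
    """An input byte carrying its concrete value plus its symbolic identity (the index)."""
    def __init__(self, idx: int, val: int, trace: Trace):
        self.idx, self.val, self.trace = idx, val, trace

    def eq(self, c: int) -> bool:
        # The concrete value decides the branch; the constraint is logged for the solver.
        taken = self.val == c
        self.trace.conds.append((self.idx, c, taken))
        return taken


def target(data: bytes, trace: Trace) -> None:
    """Mirror of the slide's program: a = first byte of /boot/input, b = the second."""
    a, b = SymByte(0, data[0], trace), SymByte(1, data[1], trace)
    if a.eq(ord("x")):
        trace.output.append("WE ARE IN X")
        if b.eq(ord("y")):
            trace.output.append("WE ARE IN Y")


def solve(conds: List[Cond], n_bytes: int) -> Optional[bytes]:
    """Toy solver (assumed; stands in for STP/Yices): only byte == c / byte != c constraints."""
    must: Dict[int, int] = {}
    forbid: Dict[int, Set[int]] = {i: set() for i in range(n_bytes)}
    for idx, c, taken in conds:
        if taken:
            if must.setdefault(idx, c) != c:
                return None  # two different equalities on one byte: infeasible path
        else:
            forbid[idx].add(c)
    out = bytearray(n_bytes)
    for i in range(n_bytes):
        if i in must:
            if must[i] in forbid[i]:
                return None  # byte == c and byte != c at once: infeasible path
            out[i] = must[i]
        else:
            out[i] = next(v for v in range(256) if v not in forbid[i])
    return bytes(out)


def explore(seed: bytes, max_inputs: int = 64) -> Dict[bytes, Tuple[str, ...]]:
    """DART loop: run, keep the first i constraints, negate the (i+1)-th, solve, run again."""
    worklist, seen, outputs = [seed], {seed}, {}
    while worklist and len(seen) <= max_inputs:
        data = worklist.pop(0)
        tr = Trace()
        target(data, tr)
        outputs[data] = tuple(tr.output)
        for i, (idx, c, taken) in enumerate(tr.conds):
            new_input = solve(tr.conds[:i] + [(idx, c, not taken)], len(seed))
            if new_input is not None and new_input not in seen:
                seen.add(new_input)
                worklist.append(new_input)
    return outputs


if __name__ == "__main__":
    for inp, out in explore(b"\x00\x00").items():  # seed of two NUL bytes (constructed)
        print(inp, "->", out)
```

Starting from a seed that reaches neither printf, the loop needs only three runs to generate the input "xy" the Goal slide asks for; a real tool replaces `solve` with an SMT solver so that branches on arithmetic, not just equality, can be negated.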
A Complete Code Example with Fuzzgrind
Input
    #include <stdio.h>
    #include <stdlib.h>
    #include <fcntl.h>
    #include <unistd.h>

    /* the slide's macro ended in "while (0);" - the stray ';' breaks an if/else around ERROR() */
    #define ERROR(x) do { perror(x); exit(-1); } while (0)

    int main(int argc, char *argv[])
    {
        char buffer[5] = { 0 };
        int fd;
        if (argc != 2) {
            printf("Usage: %s <file>\n", argv[0]);
            exit(-1);
        }
        if ((fd = open(argv[1], O_RDONLY)) == -1) {
            ERROR("open");
        }
        if (read(fd, buffer, 4) != 4) {        /* the four input bytes x0..x3 of the constraint */
            ERROR("read");
        }
        if (*(int *)buffer == 0x64616221) {    /* the branch whose path condition is queried below */
            printf("ok, vulnerability\n");
        }
        return 0;
    }

Path Constraint
    x0 : BITVECTOR(8);
    x1 : BITVECTOR(8);
    x2 : BITVECTOR(8);
    x3 : BITVECTOR(8);
    QUERY(NOT(NOT((~((IF (((x3@(x2@(x1@x0))) = 0h64616221)) THEN (0b1) ELSE (0b0) ENDIF)) = 0b1))));

Results
    Invalid.
    ASSERT( x3 = 0hex64 );
    ASSERT( x0 = 0hex21 );
    ASSERT( x2 = 0hex61 );
    ASSERT( x1 = 0hex62 );
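How an STP model turns back into a concrete test file, as an added example (not STP's or Fuzzgrind's own code) covering both the Fuzzgrind result above and the earlier x * y == 16 STP example: it parses the "Invalid." / ASSERT output, lays x0..x3 out in memory order, re-executes the program's check to confirm the generated file really reaches the "ok, vulnerability" branch, and enumerates the 8-bit wrap-around solutions of BVMULT to show why STP's x = 0xD0, y = 0x05 is correct even though 0xD0 * 5 is not 16 as integers. STP_RESULT is a constructed copy of the solver output shown on the slide.

```python
# Added example (not STP's or Fuzzgrind's code): from solver model to concrete test file.
# STP_RESULT is a constructed copy of the output shown on the slide, not a fresh solver run.
import re
import struct
from itertools import product
from typing import Dict, List, Optional, Tuple

STP_RESULT = """Invalid.
ASSERT( x3 = 0hex64 );
ASSERT( x0 = 0hex21 );
ASSERT( x2 = 0hex61 );
ASSERT( x1 = 0hex62 );
"""

_ASSERT_RE = re.compile(r"ASSERT\(\s*x(\d+)\s*=\s*0hex([0-9A-Fa-f]+)\s*\)")


def parse_stp_model(text: str) -> Optional[Dict[int, int]]:
    """Map STP's 'ASSERT( xN = 0hexHH );' lines to {N: byte value}.

    STP was asked QUERY(NOT(cond)): 'Invalid.' means NOT(cond) is falsifiable, i.e. cond
    IS satisfiable and the counter-example is exactly the input that takes the branch.
    'Valid.' would mean the branch is infeasible and no input exists.
    """
    if not text.lstrip().startswith("Invalid."):
        return None
    return {int(n): int(h, 16) for n, h in _ASSERT_RE.findall(text)}


def model_to_file(model: Dict[int, int]) -> bytes:
    """x0 is buffer[0] (the first byte read() stores), x1 is buffer[1], ...: memory order."""
    return bytes(model[i] for i in range(len(model)))


def program_takes_vuln_branch(data: bytes) -> bool:
    """Re-execute the slide's check *(int *)buffer == 0x64616221 as a little-endian load."""
    (word,) = struct.unpack("<I", data[:4])
    return word == 0x64616221


def bv8_mul_models(target: int) -> List[Tuple[int, int]]:
    """Every (x, y) with BVMULT(8, x, y) = target: an 8-bit wrap-around product, not an integer one."""
    return [(x, y) for x, y in product(range(256), repeat=2) if (x * y) & 0xFF == target]


if __name__ == "__main__":
    model = parse_stp_model(STP_RESULT)
    data = model_to_file(model)
    print(data, program_takes_vuln_branch(data))              # b'!bad' True
    print((0xD0, 0x05) in bv8_mul_models(0x10), 0xD0 * 0x05)  # True 1040
```

Re-running the program on the generated file is the check a concolic tool does after every solver call: a model that does not reproduce the path means the constraint extraction (here, the little-endian reassembly of x3@x2@x1@x0) was wrong.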
Internals of Whitebox Fuzzing
1 Dynamic Binary Instrumentation
At run-time, disassemble instructions and capture the semantics and constraints
2 Data Flow (Taint) Capturing and Analysis
Associate constraint with input
3 Constraint Solving
Query and solve the constraint to generate new input
4 System-events, control flow handler (Optional)
Run the program with new state
Summary
Advantages
1. Symbolic execution is promising in vulnerability discovery
2. It can drive the program to run a desired path

Research Problems
1. Symbolic execution cannot handle complicated constraints
2. It doesn't provide clues on how to fuzz and get the vulnerability
3. Vulnerable code identification is still needed
References
http://en.wikipedia.org/wiki/Fuzz_testing
http://en.wikipedia.org/wiki/Symbolic_execution
James C. King, "Symbolic execution and program testing", Communications of the ACM, volume 19, number 7, 1976, 385–394
DART: Directed Automated Random Testing, PLDI 2005
Automated Whitebox Fuzz Testing, with Levin and Molnar, NDSS 2008
Grammar-Based Whitebox Fuzzing, PLDI 2008
http://research.microsoft.com/en-us/um/people/pg/public_psfiles/talk-rt2007.pdf