
ConFu : Configuration Fuzzing Framework for Software Vulnerability Detection


Presentation Transcript


  1. ConFu: Configuration Fuzzing Framework for Software Vulnerability Detection Huning Dai, Advisor: Gail E. Kaiser, Department of Computer Science, Columbia University, New York, NY 10027 USA

  2. Introduction • 1. The importance of Security Testing • 2. Existing Problems

  3. Introduction
  • Former solutions: 1. Fuzz Testing
  • Drawbacks:
    A. Randomly generated inputs may fail to satisfy syntactic constraints.
    B. It is hard to evaluate how much of the input/configuration space is explored.
    C. Limited information about the "failure".

  4. Introduction
  • Former solutions: 1. Fuzz Testing 2. White-box Fuzzing
  • Drawbacks:
    A. Randomly generated inputs may fail to satisfy syntactic constraints. (Fixed)
    B. It is hard to evaluate how much of the input/configuration space is explored.
    C. Limited information about the "failure".

  5. Introduction
  • Observation: most vulnerabilities reveal themselves only under certain conditions:
    A. particular inputs
    B. particular configurations of the software
    C. particular runtime environment

  6. Approach
  • Configuration Fuzzing
    A. Instead of generating random inputs, Configuration Fuzzing mutates the application configuration using a covering array algorithm.
    B. To increase effectiveness, Configuration Fuzzing tests are carried out “In Vivo” after the software is released, with real-world inputs and runtime environment.
    C. Instead of only checking for failure, surveillance functions are run throughout the tests; these functions check for violations of “security invariants” and log detailed information.

  7. Background
  • Security Invariants: not merely “const security; const secure;” but rules…
  • In Vivo Testing: executes tests in the context of the running program after the software is released.

  8. ConFu (Configuration Fuzzing framework)
  • Steps:
    1. Identifying the configuration variables
    2. Generating fuzzing code
    3. Identifying functions to test
    4. Generating test code
    5. Executing tests

  9. STEP 1 • Identifying the configuration variables A sample annotated .conf file

  10. STEP 2 • Generating fuzzing code A Sample Fuzzer

  11. STEP 3&4 • Identifying functions to test • Generating test code A sample test function for function psftp_connect()

  12. STEP 5 • Executing tests A sample wrapper function

  13. Feasibility • Reproduce a known vulnerability and use ConFu to detect it. CVE-2000-0525: early versions of OpenSSH do not properly drop privileges when the UseLogin option is enabled, which allows local users to execute arbitrary commands by providing the command to the ssh daemon. The CVSS Severity of this vulnerability is 10.

  14. Feasibility
  • Target program: OpenSSH 2.1.0
  • Chosen function: do_child()
  • Configuration: permit root login, ignore rhosts, ignore user known hosts, strict modes, x11 forwarding … In total 15 configuration variables.
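As an added illustration of slides 6 and 13–14 (not code from the ConFu project or the OpenSSH source): a greedy pairwise covering array over boolean sshd options named on the slides plus UseLogin, a constructed stand-in for do_child() that reproduces only the behaviour the slides attribute to CVE-2000-0525, and a surveillance function that checks a privilege-drop invariant and logs each violating configuration. All function names and the uid values are assumptions for this example.

```python
from itertools import combinations, product

# sshd_config options named on the slides, plus UseLogin (the option behind
# CVE-2000-0525), modelled here as boolean configuration variables.
CONFIG_VARS = ["permit_root_login", "ignore_rhosts", "ignore_user_known_hosts",
               "strict_modes", "x11_forwarding", "use_login"]

def pairwise_covering_array(names, values=(False, True)):
    """Greedy strength-2 covering array: every pair of variables takes every
    value combination in at least one row. Not minimal, but far fewer rows
    than the full len(values)**len(names) product."""
    uncovered = {(i, j, a, b) for i, j in combinations(range(len(names)), 2)
                 for a, b in product(values, repeat=2)}
    rows = []
    while uncovered:
        best, best_gain = None, 0
        for cand in product(values, repeat=len(names)):
            gain = sum(cand[i] == a and cand[j] == b for i, j, a, b in uncovered)
            if gain > best_gain:
                best, best_gain = cand, gain
        rows.append(dict(zip(names, best)))
        uncovered = {t for t in uncovered
                     if not (best[t[0]] == t[2] and best[t[1]] == t[3])}
    return rows

def do_child_model(cfg, login_uid=1000):
    """Constructed stand-in for OpenSSH's do_child(): returns the effective
    uid the user's session would run with. It models only what the slides
    state about CVE-2000-0525: with UseLogin enabled the privilege drop is
    skipped, so the session keeps uid 0."""
    return 0 if cfg["use_login"] else login_uid

def privilege_invariant(cfg, euid, login_uid=1000):
    """Surveillance function: a non-root login must never end up with euid 0.
    Returns a detailed log line on violation, None otherwise."""
    if login_uid != 0 and euid == 0:
        return "invariant violated: euid=0 after do_child with config %r" % cfg
    return None

def run_confu(names=CONFIG_VARS):
    """Run the target once per covering-array row and collect the violation
    logs, instead of waiting for a crash as plain fuzzing would."""
    violations = []
    for cfg in pairwise_covering_array(names):
        euid = do_child_model(cfg)
        log = privilege_invariant(cfg, euid)
        if log:
            violations.append((cfg, log))
    return violations
```

Every violation is attributed to a concrete configuration row, which is the "detailed information" the slides contrast with a bare failure report.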

  15. Results

  16. Evaluation
  • Target program: psftp in PuTTY 0.60
  • Chosen function: psftp_connect()
  • Configuration: cfg.passive_telnet, cfg.x11_forward, cfg.agentfwd, cfg.tcp_nodelay, cfg.ssh_no_userauth
  • Environment: Intel Core2Quad Q6600 server at 2.40 GHz with 2 GB of RAM running Ubuntu 8.04.3

  17. Evaluation

  18. Expected Contributions
  • At the conclusion of this work, we will mainly make two contributions:
    1. Prove that ConFu is efficient and effective in detecting common vulnerabilities.
    2. Prove that ConFu can ensure a reasonable degree of coverage of both the configuration and user input space over the lifetime of the software.

  19. Immediate Future Work • Automate the process of locating configuration variables. • Automate the process of identifying functions to test.

  20. Long-Term Future Directions • Find the best variable predictors of vulnerability exploitation by collecting a general telemetry stream. • Create parallel sandboxes that can include file systems, network I/O, etc.
