
A New Fuzzing Technique for Software Vulnerability Testing

A New Fuzzing Technique for Software Vulnerability Testing. IEEE CONSEG 2009. Zhiyong Wu (1), J. William Atwood (2), Xueyong Zhu (3). (1,3) Network Information Center, University of Science and Technology of China, Hefei, Anhui, China.


Presentation Transcript


  1. A New Fuzzing Technique for Software Vulnerability Testing
     IEEE CONSEG 2009
     Zhiyong Wu (1), J. William Atwood (2), Xueyong Zhu (3)
     (1,3) Network Information Center, University of Science and Technology of China, Hefei, Anhui, China
     (2) Department of Computer Science and Software Engineering, Concordia University, Montreal, Quebec, Canada

  2. Contents
     • Introduction and Motivation
     • FTSG Model
     • Related Techniques
       • Static analysis
       • Dynamic binary instrument and dynamic trace
       • I/O analysis
     • GAMutator
     • Prototype System: DXFuzzing
     • Validation
     • Experiments
     • Conclusion
     Conseg 09 Fuzzing for Software Vulnerability 2

  3. 1 Introduction and Motivation
     C code of a vulnerable procedure:

     #include <string.h>
     #include <stdbool.h>

     /* Application-specific validation of the chunk; defined elsewhere in the target. */
     bool strong_check(char* head_str, char* data_str, char* program_checksum);

     int process_chunck(char* head_str, char* data_str, char* program_checksum){
         char buf[60];
         char buf1[32];
         char buf2[32];
         memset(buf, 0, 60);
         if ( true == strong_check(head_str, data_str, program_checksum)){
             /* Each string alone is bounded, but their combined length is not. */
             if(strlen(head_str) > 32 || strlen(data_str) > 32)
                 return -1;
             strcpy(buf1, head_str);
             strcpy(buf2, data_str);
             strcat(buf, head_str);
             strcat(buf, data_str); //error: up to 32 + 32 + 1 bytes are written into buf[60]
             return 1;
         }
         else
             return -1;
     }

     Knowledge-based fuzzing could pass strong_check easily.
     A one-dimension m&g strategy can't overflow buf if length(head_str) = 16 and length(data_str) = 20: mutating either string alone reaches at most 32 + 20 or 16 + 32 bytes.

  4. 2 FTSG Model
     FTSG: Fuzzing Test Suites Generation
     FTSG = (s, L, N, C, F, OP, Result), OP = {M, Slv}, Result = {sampletree, mediumtree, newtree, testcase, testsuite}.

  5. 2 FTSG: Procedure for generating test cases by Mutation Operators and Slv
     M = {m1, …, mi, …, mk, GAMutator}
     F = {f1, f2, …, fe, …, fv}
     for (each mi in M except GAMutator) {
         while (!(mediumtree = mi(sampletree))) {
             newtree = Slv(mediumtree, C)
         }
     }
     for (each fe in F) {
         while (!(mediumtree = GAMutator(sampletree, fe))) {
             newtree = Slv(mediumtree, C)
         }
     }

  6. 2 FTSG: Total number of test cases

  7. 3 Related Techniques: Static analysis, dynamic binary instrument and dynamic trace

  8. 3 Related Techniques: I/O analysis

  9. 3 Related Techniques: I/O analysis: execution-oriented analysis
     x_s influences output o_k if and only if V1 = V2 ≠ V3, where a_i ∈ D(x_i), a_s' ∈ D(x_s), a_s ≠ a_s'.

  10. GAMutator
     GAMutator mutates the related l or n nodes in sampletree to trigger a suspected vulnerability in fe. The l or n nodes are the inputs that influence some arguments of fe.

  11. Cont.
     • Special characteristics of GAMutator:
       • A multi-dimension mutation operator.
       • A demand-oriented operator.
       • The number of test cases that GAMutator generates is not fixed.
       • Communicates with the outside system.
     • The genetic algorithm here is used to generate test cases to trigger vulnerability in unsafe functions.
     • The number of test cases generated by GAMutator is O(h).

  12. 4 GAMutator: Heuristics and fitness function
     Heuristics are used to generate test cases more likely to trigger vulnerability in fe in F.
     Two examples:
     1. strcpy(dst, src)
     2. malloc(a)
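As an added example (not code from the paper or from DXFuzzing), the model below puts the slide-3 procedure's length check next to the two mutation strategies the slides contrast: one field at a time, and a GAMutator-style search that mutates both fields together with the slide-12 strcpy/strcat heuristic as its fitness. The buffer sizes and the sample lengths come from slide 3; the GA parameters (population size, mutation step, seed) are assumptions of this example.

```python
import random

# Added example, not the paper's code. Constants mirror the slide-3 procedure;
# GA parameters below are assumptions chosen for a small, deterministic demo.
BUF_LEN = 60        # char buf[60]
FIELD_MAX = 32      # strlen(head_str) > 32 || strlen(data_str) > 32 rejects the input
SAMPLE = (16, 20)   # (len(head_str), len(data_str)) in the slide's sample file

def passes_check(head, data):
    """Model of the length guard a test case must pass to reach the strcat() calls."""
    return head <= FIELD_MAX and data <= FIELD_MAX

def overflows(head, data):
    """strcat(buf, head_str); strcat(buf, data_str) writes head + data + 1 bytes into buf."""
    return head + data + 1 > BUF_LEN

def one_dimension_search(sample=SAMPLE, max_len=1 << 16):
    """Classic one-dimension mutation: vary one field, keep the other at its sample value."""
    head0, data0 = sample
    for n in range(max_len + 1):
        for cand in ((n, data0), (head0, n)):
            if passes_check(*cand) and overflows(*cand):
                return cand
    return None   # best reachable: 32 + 20 + 1 = 53 or 16 + 32 + 1 = 49, never > 60

def fitness(head, data):
    """Slide-12 style heuristic for strcpy/strcat: longer sources that still pass the check score higher."""
    return head + data if passes_check(head, data) else 0

def ga_search(sample=SAMPLE, pop_size=16, generations=200, step=4, seed=1):
    """GAMutator-style multi-dimension search: evolve both lengths together toward the overflow."""
    rng = random.Random(seed)
    pop = [sample] * pop_size
    for _ in range(generations):
        for cand in pop:
            if passes_check(*cand) and overflows(*cand):
                return cand                           # a test case that passes the guard and overflows
        pop.sort(key=lambda c: fitness(*c), reverse=True)
        parents = pop[: pop_size // 2]
        children = [parents[0]]                       # elitism: the best pair survives unchanged
        while len(children) < pop_size:
            a, b = rng.sample(parents, 2)
            child = (a[0], b[1])                      # crossover: one field from each parent
            children.append(tuple(max(0, v + rng.randint(-step, step)) for v in child))
        pop = children
    return None
```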

  13. 5 Prototype System: DXFuzzing
     • Locate the positions of insecure functions in the target binary code with the Program Analyzer and record their information in the database.
     • Analyze the corresponding network protocols or file format of the target application according to the related knowledge, choose a sample file s, and manually write a primitive XML test script which contains a sampletree.
     • The Scheduling Engine calls XFuzzing to fuzz the target application with mi and records runtime information with the Program Analyzer when necessary.

  14. Cont.
     • The Data Mapper constructs the relationships between X and F based on the collected runtime information.
     • The Scheduling Engine calls XFuzzing to fuzz the target application with GAMutator.
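The execution-oriented I/O analysis of slide 9 and the Data Mapper step of slide 14, as an added example that is not part of the paper or DXFuzzing: run_target() is a hypothetical image-header parser standing in for the real binary, and the "outputs" observed are the argument values that reach its insecure functions, so the result is the X -> F relationship GAMutator consumes. The input names and the parser's arithmetic are constructed for this example.

```python
# Added example, not the paper's code. The parser and its input nodes are hypothetical.
SAMPLE = {"width": 0x20, "height": 0x10, "bit_depth": 0x01, "comment_len": 8}

def run_target(inputs):
    """Hypothetical parser: returns {insecure function: argument value} instead of calling them."""
    row_bytes = (inputs["width"] * inputs["bit_depth"] + 7) // 8
    return {
        "malloc": row_bytes * inputs["height"],   # size argument, reached by three input nodes
        "memcpy": inputs["comment_len"],          # length argument, reached by one input node
    }

def influences(inputs, node, observe=run_target):
    """x_s influences o_k iff changing only x_s (a_s -> a_s', a_s != a_s') changes o_k.
    Several a_s' are tried: a single substitute can miss an effect hidden by rounding."""
    base = observe(inputs)
    changed = set()
    for alt in (inputs[node] + 1, inputs[node] * 2, 0):
        if alt == inputs[node]:
            continue                                   # a_s' must differ from a_s
        varied = dict(inputs, **{node: alt})           # every other node keeps its sample value
        out = observe(varied)
        changed.update(fn for fn in base if out[fn] != base[fn])
    return changed

def data_mapper(inputs, observe=run_target):
    """X -> F: for each input node, the insecure functions whose arguments it influences."""
    return {node: sorted(influences(inputs, node, observe)) for node in inputs}

def nodes_for(fn, mapping):
    """Inverse view used when GAMutator targets one f_e: the nodes it should mutate together."""
    return sorted(node for node, fns in mapping.items() if fn in fns)
```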

  15. 6 Validation
     Based on application-specific knowledge, DXFuzzing could generate test cases which easily pass the strong checks and validations in the program.
     The problem of finding new combinations to trigger a possible vulnerability in fe in F is especially suitable for a genetic algorithm to solve.

  16. Cont.
     GAMutator does not only care about the relationships between li and fe, but also about nj and fe, because some fe in F is influenced by the nj; however, the nj is neglected in general.
     Different from combinatorial testing in black-box testing, the combination of li or nj in DXFuzzing is decided by the I/O analysis; the values of li or nj in some combination are refined by every generation.

  17. Cont.
     Execution-oriented I/O analysis in DXFuzzing is preferred here.

  18. 7 Experiments
     LibPng library as the target application. Some data are as follows:
     Table I Insecure functions in target application
     Table II Input nodes

  19. Cont.
     Table III Insecure functions influenced by input nodes

  20. Cont.
     Figure 4. Relationships between inputs and insecure functions by static analysis (simple and precise)
     Figure 5. Relationships between inputs and outputs by dynamic execution

  21. Cont.
     Initial values: w = 0x20, d = 0x01
     w ∈ [0, 0xfffffff], d ∈ [0, 0xff].

  22. Cont.
     Further analyzing, we got d ∈ {1, 2, 4}. w and d will generate 3 × 0x100000000 = 12884901888 combination test cases.
     However, there are only 262148 of them that could trigger this vulnerability if we set B = 100000; in this case png_malloc could successfully allocate memory.
     So the probability is 262148 / 12884901888 = 0.00002.

  23. Cont.
     Width, BitDepth distribution when they trigger this vulnerability

  24. Cont.
     Table IV Vulnerabilities Found by Different Fuzzing Tools

  25. Conclusion
     Whitebox fuzzing is complex and time costly, still has problems such as path explosion, and is hard to make pass strong program checks fully automatically.
     Peach is an outstanding knowledge-based fuzzing tool.

  26. Conclusion
     DXFuzzing enriches the current mutation methodology with a multi-dimension input-node mutation strategy without combinatorial explosion.
     So DXFuzzing could find some vulnerabilities that would never be found by one-dimension mutation fuzzing.

  27. 9 For More Information
     For more questions and comments:
     wuzhiyong0127@gmail.com
     bill@cse.concordia.ca
     zhuxy@ustc.edu.cn
