A New Fuzzing Technique for Software Vulnerability Testing
IEEE CONSEG 2009
Zhiyong Wu (1), J. William Atwood (2), Xueyong Zhu (3)
(1, 3) Network Information Center, University of Science and Technology of China, Hefei, Anhui, China
(2) Department of Computer Science and Software Engineering, Concordia University, Montreal, Quebec, Canada
Contents
• Introduction and Motivation
• FTSG Model
• Related Techniques
  • Static analysis
  • Dynamic binary instrument and dynamic trace
  • I/O analysis
• GAMutator
• Prototype System: DXFuzzing
• Validation
• Experiments
• Conclusion
Conseg 09 Fuzzing for Software Vulnerability 2
1 Introduction and Motivation

C code of a vulnerable procedure:

```c
int process_chunck(char* head_str, char* data_str, char* program_checksum){
    char buf[60];
    char buf1[32];
    char buf2[32];
    memset(buf, 0, 60);
    if ( true == strong_check(head_str, data_str, program_checksum)){
        if(strlen(head_str) > 32 || strlen(data_str) > 32)
            return -1;
        strcpy(buf1, head_str);
        strcpy(buf2, data_str);
        strcat(buf, head_str);
        strcat(buf, data_str);   // error: up to 32 + 32 bytes plus the terminator into buf[60]
        return 1;
    }
    else
        return -1;
}
```

Knowledge-based fuzzing could pass strong_check easily, because it knows how to regenerate the checksum for a mutated input. A one-dimension m&g (mutation and generation) strategy cannot overflow buf if length(head_str) = 16 and length(data_str) = 20 in the sample: mutating either field alone to its maximum of 32 gives at most 52 bytes, while the strcat overflow needs the two lengths to sum to 60 or more, which only happens when both fields are mutated together. (The > 32 checks also leave no room for the terminator in buf1 and buf2, a second defect the slide does not discuss.)
2 FTSG Model

FTSG: Fuzzing Test Suites Generation
FTSG = (s, L, N, C, F, OP, Result), where OP = {M, Slv} and Result = {sampletree, mediumtree, newtree, testcase, testsuite}.
2 FTSG: Procedure for generating test cases by mutation operators and Slv

M = {m1, …, mi, …, mk, GAMutator}    (mutation operators)
F = {f1, f2, …, fe, …, fv}            (insecure functions in the target)

```
for (each mi in M except GAMutator) {
    while (!(mediumtree = mi(sampletree))) {
        newtree = Slv(mediumtree, C)
    }
}
for (each fe in F) {
    while (!(mediumtree = GAMutator(sampletree, fe))) {
        newtree = Slv(mediumtree, C)
    }
}
```

Each ordinary operator mi is applied to the sampletree on its own, whereas GAMutator is run once per insecure function fe. In both loops the mutated mediumtree is handed to Slv together with C (presumably the constraint set of the FTSG tuple) to produce the newtree, which is how mutated test cases keep satisfying the program's checks.
2 FTSG: Total number of test cases

3 Related Techniques: Static analysis, dynamic binary instrument and dynamic trace

3 Related Techniques: I/O analysis
3 Related Techniques: I/O analysis: execution-oriented analysis

x_s influences output o_k if and only if V1 = V2 ≠ V3, where a_i ∈ D(x_i), a_s' ∈ D(x_s), a_s ≠ a_s'.
4 GAMutator

GAMutator mutates the related l or n nodes in the sampletree to trigger a suspected vulnerability in fe. The l or n nodes are the inputs that influence some arguments of fe.

Special characteristics of GAMutator:
• A multi-dimension mutation operator.
• A demand-oriented operator.
• The number of test cases that GAMutator generates is not fixed.
• Communicates with the outside system.
• The genetic algorithm here is used to generate test cases that trigger vulnerabilities in unsafe functions.
• The number of test cases generated by GAMutator is O(h).
4 GAMutator: Heuristics and fitness function

Heuristics are used to generate test cases more likely to trigger a vulnerability in fe in F. Two examples:
1. strcpy(dst, src)
2. malloc(a)
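The strcpy(dst, src) heuristic applied to the process_chunck procedure from the motivation slide, as an added example that is not DXFuzzing's code: a Python model of the procedure, an exhaustive one-dimension mutator that never reaches the strcat overflow from the (16, 20) sample, and a GAMutator-style genetic search that mutates both input nodes at once. The checksum standing in for strong_check, the fitness function and the GA parameters are assumptions made for this illustration.

```python
"""Added example (not DXFuzzing's code): one-dimension mutation versus a
GAMutator-style multi-dimension genetic search against a Python model of
process_chunck() from the motivation slide."""
import random

BUF_SIZE = 60      # char buf[60]
FIELD_MAX = 32     # strlen(head_str) > 32 || strlen(data_str) > 32 -> rejected
SAMPLE = (16, 20)  # (len(head_str), len(data_str)) in the sample file


def checksum(head: bytes, data: bytes) -> int:
    """Assumed stand-in for strong_check(): knowledge-based fuzzing
    recomputes it for every mutant so the mutant passes the check."""
    return sum(head + data) & 0xFFFF


def process_chunck(head: bytes, data: bytes, chk: int) -> str:
    """Model of the C procedure. strcat(buf, head); strcat(buf, data) writes
    len(head) + len(data) + 1 bytes into buf[60], so it overflows as soon as
    the two lengths sum to 60 or more."""
    if checksum(head, data) != chk:
        return "rejected"                   # strong_check() failed
    if len(head) > FIELD_MAX or len(data) > FIELD_MAX:
        return "rejected"                   # per-field length check
    if len(head) + len(data) >= BUF_SIZE:
        return "overflow"                   # the line marked //error
    return "ok"


def run(head_len: int, data_len: int) -> str:
    """Build a test case with the given field lengths and a valid checksum."""
    head, data = b"A" * head_len, b"B" * data_len
    return process_chunck(head, data, checksum(head, data))


def one_dimension_fuzz(sample=SAMPLE):
    """Mutate one field at a time over its whole length domain while the other
    keeps its sample value. Returns the first overflowing pair, or None."""
    for field in (0, 1):
        for length in range(FIELD_MAX + 1):
            cand = list(sample)
            cand[field] = length
            if run(*cand) == "overflow":
                return tuple(cand)
    return None


def fitness(cand) -> int:
    """Assumed strcpy/strcat heuristic: reward total source length approaching
    the destination size; mutants the length check rejects never reach the
    sink, so they score lowest."""
    head_len, data_len = cand
    if head_len > FIELD_MAX or data_len > FIELD_MAX:
        return -1
    return head_len + data_len


def ga_mutator(sample=SAMPLE, pop_size=8, generations=200, seed=1):
    """GAMutator-style search: every generation mutates both input nodes,
    keeps the fittest half and breeds the rest by crossover. Returns
    (generation, (head_len, data_len)) for the first overflow, or None."""
    rng = random.Random(seed)
    population = [tuple(sample)] + [
        (rng.randint(0, FIELD_MAX), rng.randint(0, FIELD_MAX))
        for _ in range(pop_size - 1)
    ]
    for gen in range(generations):
        for cand in population:
            if run(*cand) == "overflow":
                return gen, cand
        population.sort(key=fitness, reverse=True)
        parents = population[: pop_size // 2]
        children = []
        while len(children) < pop_size - len(parents):
            a, b = rng.sample(parents, 2)
            child = (a[0], b[1]) if rng.random() < 0.5 else (b[0], a[1])
            # mutate both nodes at once; lengths above FIELD_MAX stay possible
            # so the fitness penalty has something to steer away from
            child = tuple(max(0, min(FIELD_MAX + 8, v + rng.randint(-4, 4)))
                          for v in child)
            children.append(child)
        population = parents + children
    return None


if __name__ == "__main__":
    print("one-dimension:", one_dimension_fuzz())   # None: never overflows
    print("GAMutator-style:", ga_mutator())
```

The one-dimension search covers all 66 single-field mutants and finds nothing, because no single field can push the total past 59. The genetic search is guided toward the sink's destination size rather than toward the per-field maximum, which is the difference between the strcpy(dst, src) heuristic and blind length fuzzing.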
5 Prototype System: DXFuzzing

1. Locate the positions of the insecure functions in the target binary code with the Program Analyzer and record their information in the database.
2. Analyze the corresponding network protocol or file format of the target application according to related knowledge, choose a sample file s, and manually write a primitive XML test script that contains a sampletree.
3. The Scheduling Engine calls XFuzzing to fuzz the target application with the operators mi, and records runtime information with the Program Analyzer when necessary.
4. The Data Mapper constructs the relationships between X and F based on the collected runtime information.
5. The Scheduling Engine calls XFuzzing to fuzz the target application with GAMutator.
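The Data Mapper step, and the execution-oriented I/O analysis from the Related Techniques slide, as an added example that is not DXFuzzing's code: run the target once with the sample and once with a single input node changed, and record which insecure-function arguments differ. The target is a constructed record parser, and the criterion applied here, "x_s influences the argument of f_e if changing only x_s changes that argument", is this example's reading of the slide's V1 = V2 ≠ V3 condition, whose V terms the slide does not spell out.

```python
"""Added example (not DXFuzzing's code): execution-oriented I/O analysis
that maps input nodes X to the insecure functions F whose arguments they
influence, by differential execution of a constructed target."""

# Sample record of a constructed chunk format. 'name' and 'payload' are leaf
# data nodes (L); 'name_len' and 'flag' are the kind of structural node (N)
# that describes the data rather than being copied itself.
SAMPLE = {"name_len": 4, "name": b"abcd", "payload": b"xyz", "flag": 1}

# One alternative value a_s' != a_s from each node's domain D(x_s).
ALTERNATIVES = {"name_len": 2, "name": b"wxyz", "payload": b"longer", "flag": 0}

# Insecure functions F of the constructed target.
SINKS = ("strcpy", "malloc")


def parse_record(nodes):
    """Constructed target. Returns, for each insecure function fe, the
    argument it would be called with, or None if fe is not reached."""
    args = dict.fromkeys(SINKS)
    if nodes["flag"] == 0:
        return args                                    # early exit: no sink reached
    # the length node, not the name leaf alone, decides how much strcpy copies
    args["strcpy"] = nodes["name"][: nodes["name_len"]]
    # the allocation size is derived from the payload only
    args["malloc"] = 2 * len(nodes["payload"])
    return args


def influenced_sinks(node, sample=SAMPLE, alternatives=ALTERNATIVES):
    """Insecure functions whose argument changes when only `node` changes
    (every other node keeps its sample value)."""
    base = parse_record(sample)
    mutant = dict(sample)
    mutant[node] = alternatives[node]
    alt = parse_record(mutant)
    return {fe for fe in SINKS if base[fe] != alt[fe]}


def data_map(sample=SAMPLE, alternatives=ALTERNATIVES):
    """Relationship X -> F in both directions: for each fe, the input nodes
    GAMutator should mutate together."""
    x_to_f = {node: influenced_sinks(node, sample, alternatives) for node in sample}
    f_to_x = {fe: sorted(x for x, fs in x_to_f.items() if fe in fs) for fe in SINKS}
    return x_to_f, f_to_x


if __name__ == "__main__":
    for fe, nodes in data_map()[1].items():
        print(fe, "<-", nodes)
```

Note that the length node name_len shows up as an influence on strcpy even though it is never copied itself, which is the n_j case the Validation slides say is usually neglected. A single alternative value per node can miss an influence (a name_len alternative of 4 would change nothing), so in practice several values from D(x_s) are tried before a node is declared irrelevant to f_e.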
6 Validation

Based on application-specific knowledge, DXFuzzing can generate test cases that easily pass strong program checks and validations. The problem of finding new combinations that trigger a possible vulnerability in fe in F is especially suitable for a genetic algorithm.

GAMutator cares not only about the relationships between li and fe but also about those between nj and fe, because some fe in F are influenced by nj, which is generally neglected. Unlike combinatorial testing in black-box testing, the combination of li or nj in DXFuzzing is decided by the I/O analysis, and the values of li or nj in a combination are refined in every generation.

Execution-oriented I/O analysis is preferred in DXFuzzing.
7 Experiments

The LibPng library is the target application. Some data are as follows:
Table I: Insecure functions in the target application
Table II: Input nodes
Table III: Insecure functions influenced by input nodes
Figure 4: Relationships between inputs and insecure functions by static analysis (simple and precise)
Figure 5: Relationships between inputs and outputs by dynamic execution
Initial values in the sample: w = 0x20, d = 0x01, with w ∈ [0, 0xffffffff] and d ∈ [0, 0xff] (w is the image width and d the bit depth).

Further analysis narrows d to {1, 2, 4}. w and d then give 3 × 0x100000000 = 12884901888 combinations to test, but only 262148 of them trigger this vulnerability if we set B = 100000 (for those combinations png_malloc still allocates successfully). So the probability of hitting it is 262148 / 12884901888 ≈ 0.00002.
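Why only a sliver of the (w, d) space triggers the bug, as an added example that is neither libpng's code nor the paper's measurement: a simplified row-size model in which width × bit depth is computed in 32-bit arithmetic before the allocation, so a wrapped product yields a small buffer that the later row write overruns. The model, the allocation bound parameter (standing in for the slide's B) and the resulting counts are this example's own; it reproduces the shape of the problem (one narrow window of w above each multiple of 2^32 / d, none at d = 1), not the slide's figure of 262148.

```python
"""Added example (not libpng's code): where in the (w, d) space a 32-bit
row-size overflow sits, and how unlikely uniform sampling is to hit it."""

MASK32 = 0xFFFFFFFF
W_DOMAIN = 1 << 32      # w in [0, 0xffffffff]
D_DOMAIN = (1, 2, 4)    # bit depths left after the paper's analysis


def rowbytes(w, d):
    """Bytes one row of w pixels at d bits per pixel really needs."""
    return (w * d + 7) >> 3


def rowbytes_u32(w, d):
    """The same computation with the product held in a 32-bit unsigned int,
    i.e. the size the modelled code passes to png_malloc."""
    return (((w * d) & MASK32) + 7) >> 3


def triggers(w, d, bound):
    """True when the product wrapped (allocation smaller than the real row)
    and the allocation is small enough (<= bound bytes) to succeed, so the
    subsequent row write overruns the heap buffer."""
    alloc = rowbytes_u32(w, d)
    return alloc < rowbytes(w, d) and alloc <= bound


def trigger_windows(d, bound):
    """[(w_low, w_high), ...]: contiguous windows of w that trigger at bit
    depth d. The wrapped product grows monotonically from each multiple of
    2^32 / d, so scanning upward from each such start finds the window."""
    windows = []
    for k in range(1, d):
        start = -(-k * W_DOMAIN // d)   # ceil(k * 2^32 / d)
        w = start
        while w < W_DOMAIN and triggers(w, d, bound):
            w += 1
        if w > start:
            windows.append((start, w - 1))
    return windows


def count_triggering(bound):
    """Number of (w, d) combinations over the whole domain that trigger."""
    return sum(hi - lo + 1
               for d in D_DOMAIN
               for lo, hi in trigger_windows(d, bound))


def hit_probability(bound):
    """Chance that one uniformly random (w, d) test case triggers the bug."""
    return count_triggering(bound) / (len(D_DOMAIN) * W_DOMAIN)


if __name__ == "__main__":
    B = 1000
    for d in D_DOMAIN:
        print("d =", d, "windows:",
              [(hex(lo), hex(hi)) for lo, hi in trigger_windows(d, B)])
    print("combinations:", len(D_DOMAIN) * W_DOMAIN,
          "triggering:", count_triggering(B),
          "probability: %.2e" % hit_probability(B))
```

With d = 1 the product never wraps, so a fuzzer that only mutates w from the sample (w = 0x20, d = 1) can never reach the bug; it has to move d to 2 or 4 and put w within a few thousand of 2^31 or of k × 2^30 at the same time. A fitness function for malloc(a) that rewards a wrapped product just above a multiple of 2^32 turns that needle-in-a-haystack search into a short hill climb.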
Figure: distribution of Width and BitDepth values that trigger this vulnerability
Table IV: Vulnerabilities found by different fuzzing tools
8 Conclusion

Whitebox fuzzing is complex and time-consuming, still suffers from problems such as path explosion, and has difficulty passing strong program checks fully automatically. Peach is an outstanding knowledge-based fuzzing tool.

DXFuzzing enriches the current mutation methodology with a multi-dimension input-node mutation strategy that avoids combinatorial explosion, so it can find some vulnerabilities that one-dimension mutation fuzzing will never find.
9 For More Information

For more questions and comments:
wuzhiyong0127@gmail.com
bill@cse.concordia.ca
zhuxy@ustc.edu.cn