1 / 20

Configuration Fuzzing for Software Vulnerability Detection

Configuration Fuzzing for Software Vulnerability Detection. Huning Dai, Chris Murphy, Gail Kaiser Columbia University. Introduction. 1. The importance of Security Testing 2. Existing Problems. Observation. Most vulnerabilities reveal themselves under certain conditions:

marv
Download Presentation

Configuration Fuzzing for Software Vulnerability Detection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Configuration Fuzzing for Software Vulnerability Detection Huning Dai, Chris Murphy, Gail Kaiser Columbia University

  2. Introduction 1. The importance of Security Testing 2. Existing Problems

  3. Observation Most vulnerabilities reveal themselves under certain conditions: A. particular inputs B. particular configurations of the software C. particular runtime environment.

  4. Related Work • Former solutions: 1. Fuzz Testing (Sutton et al., 2007) • Drawbacks:  A. Randomly generated inputs may fail to satisfy syntactic constraints. B. It is hard to evaluate how much of the input/configuration space is explored C. Limited information about the "failure"

  5. Related Work • Former solutions: 1. Fuzz Testing 2. White-box Fuzzing (Ganesh et al., 2009) • Drawbacks:  A. Randomly generated inputs may fail to satisfy syntactic constraints. (Fixed) B. It is hard to evaluate how much of the input/configuration space is explored C. Limited information about the "failure“ D. Overhead…

  6. More Related Work • Fault Injection (Hsueh et al., 1997) Fault-tolerance properties of a software system Considerable false positives • Anomaly Detection (Hangal and Lam, 2002) Based on a model of normal behavior Potentially capable of detecting zero day attack Considerable false positives

  7. Our Solution • Configuration Fuzzing A. Instead of generating random inputs, Configuration Fuzzing mutates the application configuration using a covering array algorithm. B. To increase effectiveness, Configuration Fuzzing tests are carried out “In Vivo” after a software is released, with real-world inputs and runtime environment. C. Instead of only checking for failure, surveillance functions are run throughout the tests; these functions check for violations of “security invariants” and log detailed information.

  8. Background • In Vivo Testing (Murphy et al., 2009) Executes tests in the context of the running program after the software is released. • Security Invariants (Biskup, 2009) Not merely const security; const secure; But rules…

  9. Model

  10. Introduction to ConFu • ConFu: CONfiguration FUzzing testing framework • Steps: 1. Identifying the configuration variables 2. Generating fuzzing code 3. Identifying functions to test 4. Generating test code 5. Executing tests

  11. STEP 1 • Identifying the configuration variables Part of the annotated configuration file for OpenSSH

  12. STEP 2 • Generating fuzzing code An example fuzzer for OpenSSH

  13. STEP 3 & STEP 4 • Identifying functions to test do_child()  _do_child() • Generating test code Test function for do_child()

  14. STEP 5 • Executing tests do_child(Wrapper) fork() test_do_child(test) _do_child(original) exit continue Wrapper function for do_child()

  15. Case Studies: Feasibility • Reproduce known vulnerabilities and use ConFu to detect them. CVE-2000-0525: early versions of OpenSSH do not properly drop privileges when the UseLogin option is enabled, which allow local users to execute arbitrary commands by providing the command to the ssh daemon. CVE-2009-2958: The tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a TFTP read (aka RRQ) request.

  16. Case Studies: Performance • Target program: OpenSSH 2.1.0 • Chosen function: do_child() • Configuration: permit root login, ignore rhosts, ignore user known hosts, strict modes, x11 forwarding … a total of 15 configuration variables. • Environment: Intel Core2Quad Q6600 server with 2.40GHz and 2GB of RAM running Ubuntu 8.04.3

  17. Case Studies: Performance • Results Overhead of instrumented do_child()(in seconds) with varying number of tests

  18. Limitations and Future Work • Testers’ intervention is required to identify the functions to test • A priori knowledge of the potential exploitation behavior is required • Each configuration is only tested with relatively few inputs

  19. Conclusion • Our contribution is an approach that checks for software vulnerability after the software is released and developed a testing framework based on this approach. • Useful in helping developers build more secure software and improve the security of existing software systems.

  20. Configuration Fuzzing for Software Vulnerability Detection Huning Dai dai@cs.columbia.edu

More Related