105 research outputs found
Sydr-Fuzz: Continuous Hybrid Fuzzing and Dynamic Analysis for Security Development Lifecycle
Nowadays automated dynamic analysis frameworks for continuous testing are in
high demand to ensure software safety and satisfy the security development
lifecycle~(SDL) requirements. The security bug hunting efficiency of
cutting-edge hybrid fuzzing techniques outperforms widely utilized
coverage-guided fuzzing. We propose an enhanced dynamic analysis pipeline to
leverage productivity of automated bug detection based on hybrid fuzzing. We
implement the proposed pipeline in the continuous fuzzing toolset Sydr-Fuzz
which is powered by hybrid fuzzing orchestrator, integrating our DSE tool Sydr
with libFuzzer and AFL++. Sydr-Fuzz also incorporates security predicate
checkers, crash triaging tool Casr, and utilities for corpus minimization and
coverage gathering. The benchmarking of our hybrid fuzzer against alternative
state-of-the-art solutions demonstrates its superiority over coverage-guided
fuzzers while remaining on the same level with advanced hybrid fuzzers.
Furthermore, we approve the relevance of our approach by discovering 85 new
real-world software flaws within the OSS-Sydr-Fuzz project. Finally, we open
Casr source code to the community to facilitate examination of the existing
crashes
SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities
Algorithmic complexity vulnerabilities occur when the worst-case time/space
complexity of an application is significantly higher than the respective
average case for particular user-controlled inputs. When such conditions are
met, an attacker can launch Denial-of-Service attacks against a vulnerable
application by providing inputs that trigger the worst-case behavior. Such
attacks have been known to have serious effects on production systems, take
down entire websites, or lead to bypasses of Web Application Firewalls.
Unfortunately, existing detection mechanisms for algorithmic complexity
vulnerabilities are domain-specific and often require significant manual
effort. In this paper, we design, implement, and evaluate SlowFuzz, a
domain-independent framework for automatically finding algorithmic complexity
vulnerabilities. SlowFuzz automatically finds inputs that trigger worst-case
algorithmic behavior in the tested binary. SlowFuzz uses resource-usage-guided
evolutionary search techniques to automatically find inputs that maximize
computational resource utilization for a given application.Comment: ACM CCS '17, October 30-November 3, 2017, Dallas, TX, US
Stateful Greybox Fuzzing
Many bugs in protocol implementations may only manifest when the system is in
a particular "state". For instance, to trigger one of the bugs we found in an
RTSP implementation, the fuzzer must first send two different types of messages
to usher the protocol implementation from the INIT via the READY to the PLAY
state where the bug is exposed. Without knowledge of the protocol, it is
inherently difficult for a fuzzer to discover such stateful bugs. A key
challenge in fuzzing stateful systems, therefore, is to cover the state space
without an explicit specification of the protocol.
So, how can we help our fuzzer navigate an unknown state space? In our
analysis of the Top-50 most widely used open-source protocol implementations,
we found that every implementation uses state variables that are assigned named
constants (such as INIT, READY) to represent the current state. In this work,
we propose to automatically identify such state variables and track the
sequence of values assigned to them during fuzzing to produce a "map" of the
explored state space. Our stateful greybox fuzzing approach uses this map to
focus on the most promising regions of the code and state space.
Our experiments confirm that our stateful fuzzer discovers stateful bugs
twice as fast as the baseline greybox fuzzer that we extended. The state
sequence for an input is determined by the sequence of values assigned to the
state variables during its execution. Starting from the initial state, our
fuzzer exercises one order of magnitude more state sequences and covers the
same code two times faster than the baseline fuzzer. Several zero-day bugs in
prominent protocol implementations were found by our fuzzer, and 8 CVEs have
been assigned
Same Coverage, Less Bloat: Accelerating Binary-only Fuzzing with Coverage-preserving Coverage-guided Tracing
Coverage-guided fuzzing's aggressive, high-volume testing has helped reveal
tens of thousands of software security flaws. While executing billions of test
cases mandates fast code coverage tracing, the nature of binary-only targets
leads to reduced tracing performance. A recent advancement in binary fuzzing
performance is Coverage-guided Tracing (CGT), which brings orders-of-magnitude
gains in throughput by restricting the expense of coverage tracing to only when
new coverage is guaranteed. Unfortunately, CGT suits only a basic block
coverage granularity -- yet most fuzzers require finer-grain coverage metrics:
edge coverage and hit counts. It is this limitation which prohibits nearly all
of today's state-of-the-art fuzzers from attaining the performance benefits of
CGT.
This paper tackles the challenges of adapting CGT to fuzzing's most
ubiquitous coverage metrics. We introduce and implement a suite of enhancements
that expand CGT's introspection to fuzzing's most common code coverage metrics,
while maintaining its orders-of-magnitude speedup over conventional always-on
coverage tracing. We evaluate their trade-offs with respect to fuzzing
performance and effectiveness across 12 diverse real-world binaries (8 open-
and 4 closed-source). On average, our coverage-preserving CGT attains
near-identical speed to the present block-coverage-only CGT, UnTracer; and
outperforms leading binary- and source-level coverage tracers QEMU, Dyninst,
RetroWrite, and AFL-Clang by 2-24x, finding more bugs in less time.Comment: CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer
and Communications Securit
- …