HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing
Contemporary fuzz testing techniques focus on identifying memory corruption
vulnerabilities that allow adversaries to achieve either remote code execution
or information disclosure. Meanwhile, Algorithmic Complexity
(AC) vulnerabilities, which are a common attack vector for denial-of-service
attacks, remain an understudied threat. In this paper, we present HotFuzz, a
framework for automatically discovering AC vulnerabilities in Java libraries.
HotFuzz uses micro-fuzzing, a genetic algorithm that evolves arbitrary Java
objects in order to trigger the worst-case performance for a method under test.
We define Small Recursive Instantiation (SRI) as a technique to derive seed
inputs represented as Java objects to micro-fuzzing. After micro-fuzzing,
HotFuzz synthesizes test cases that triggered AC vulnerabilities into Java
programs and monitors their execution in order to reproduce vulnerabilities
outside the fuzzing framework. HotFuzz outputs those programs that exhibit high
CPU utilization as witnesses for AC vulnerabilities in a Java library. We
evaluate HotFuzz over the Java Runtime Environment (JRE), the 100 most popular
Java libraries on Maven, and challenges contained in the DARPA Space and Time
Analysis for Cybersecurity (STAC) program. We evaluate SRI's effectiveness by
comparing the performance of micro-fuzzing with SRI, measured by the number of
AC vulnerabilities detected, to simply using empty values as seed inputs. In
this evaluation, we verified known AC vulnerabilities, discovered previously
unknown AC vulnerabilities that we responsibly reported to vendors, and
received confirmation from both IBM and Oracle. Our results demonstrate that
micro-fuzzing finds AC vulnerabilities in real-world software, and that
micro-fuzzing with SRI-derived seed inputs outperforms using empty values.
Comment: Network and Distributed Systems Security (NDSS) Symposium, San Diego,
CA, USA, February 2020
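As a rough illustration of the micro-fuzzing idea only (HotFuzz itself evolves arbitrary Java objects inside the JVM and scores them by measured execution time), the Python sketch below evolves integer inputs toward the worst-case cost of an instrumented method. The names `micro_fuzz`, `method_under_test`, and `mutate` are illustrative stand-ins, not HotFuzz's API.

```python
import random

def micro_fuzz(method_under_test, seed_inputs, generations=30, pop_size=20):
    """Evolve inputs toward the worst-case cost of the method under test.

    Fitness is a cost proxy returned by the instrumented method (the real
    system measures CPU time of the Java method); higher cost is fitter.
    """
    population = list(seed_inputs)
    for _ in range(generations):
        scored = sorted(population, key=method_under_test, reverse=True)
        survivors = scored[: max(1, pop_size // 2)]  # keep the fittest half
        # Refill the population by mutating randomly chosen survivors.
        population = survivors + [
            mutate(random.choice(survivors))
            for _ in range(pop_size - len(survivors))
        ]
    return max(population, key=method_under_test)

def mutate(value):
    # Toy mutation for integer inputs: nudge the value or double it.
    return max(0, value + random.choice([-1, 1, value]))
```

Because survivors always include the best input seen so far, the worst-case cost found never decreases across generations; SRI plays the role of supplying non-trivial `seed_inputs` instead of empty values.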
Automated Repair of Resource Leaks in Android Applications
Resource leaks -- a program does not release resources it previously acquired
-- are a common kind of bug in Android applications. Even with the help of
existing techniques to automatically detect leaks, writing a leak-free program
remains tricky. One of the reasons is Android's event-driven programming model,
which complicates the understanding of an application's overall control flow.
In this paper, we present PlumbDroid: a technique to automatically detect and
fix resource leaks in Android applications. PlumbDroid uses static analysis to
find execution traces that may leak a resource. The information built for
detection also undergirds automatically building a fix -- consisting of release
operations performed at appropriate locations -- that removes the leak and does
not otherwise affect the application's usage of the resource. An empirical
evaluation on resource leaks from the DroidLeaks curated collection
demonstrates that PlumbDroid's approach is scalable and produces correct fixes
for a variety of resource leak bugs. This indicates it can provide valuable
support to enhance the quality of Android applications in practice.
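The detect-then-fix idea can be sketched abstractly: enumerate control-flow paths on which a resource is acquired but never released, then propose a release operation before the leaking exit. The toy Python sketch below is an illustration under simplified assumptions (a hand-built control-flow graph, single resource, acyclic paths), not PlumbDroid's actual analysis, which works on Android bytecode and lifecycle callbacks.

```python
def find_leaky_paths(cfg, entry, exits):
    """Enumerate acyclic entry-to-exit paths that leak the resource.

    cfg maps node -> (action, successors), where action is "acquire",
    "release", or None. A path leaks if it reaches an exit while the
    resource is still held.
    """
    leaks = []

    def walk(node, path, held):
        action, succs = cfg[node]
        if action == "acquire":
            held = True
        elif action == "release":
            held = False
        path = path + [node]
        if node in exits:
            if held:
                leaks.append(path)
            return
        for nxt in succs:
            if nxt not in path:  # ignore cycles in this toy version
                walk(nxt, path, held)

    walk(entry, [], False)
    return leaks

def propose_fix(leaky_path):
    # The fix inserts a release operation just before the leaking exit,
    # leaving already-correct paths untouched.
    return ("insert release before", leaky_path[-1])
```

On a graph where an error branch skips the `close` node, the only leaky path is the one through the error branch, and the proposed fix releases the resource at that path's exit.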
Formal Verification of a Constant-Time Preserving C Compiler
Timing side-channels are arguably one of the main sources of
vulnerabilities in cryptographic implementations. One effective
mitigation against timing side-channels is to write programs that do
not perform secret-dependent branches and memory accesses. This
mitigation, known as "cryptographic constant-time", is
adopted by several popular cryptographic libraries.
This paper focuses on compilation of cryptographic constant-time
programs, and more specifically on the following question: is the
code generated by a realistic compiler for a constant-time source
program itself provably constant-time? Surprisingly, we answer the
question positively for a mildly modified version of the CompCert
compiler, a formally verified and moderately optimizing compiler for
C. Concretely, we modify the CompCert compiler to eliminate sources
of potential leakage. Then, we instrument the operational semantics
of CompCert intermediate languages so as to be able to capture
cryptographic constant-time. Finally, we prove that the modified
CompCert compiler preserves constant-time. Our mechanization
maximizes reuse of the CompCert correctness proof, through the use
of new proof techniques for proving preservation of constant-time.
These techniques achieve complementary trade-offs between generality
and tractability of proof effort, and are of independent interest.
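To make "cryptographic constant-time" concrete: rather than branching on a secret, constant-time code computes both candidate results and selects between them with a mask, so the executed operations and memory accesses do not depend on the secret. The sketch below shows the classic branchless-select pattern in Python purely for illustration; Python itself gives no timing guarantees, and real constant-time code is written in C or assembly.

```python
def ct_select(secret_bit, a, b, width=32):
    """Return a if secret_bit == 1 else b, with no secret-dependent branch.

    mask is all-ones when secret_bit is 1 and all-zeros when it is 0, so
    the same sequence of AND/OR operations runs for either secret value.
    """
    full = (1 << width) - 1          # width-bit all-ones constant
    mask = (-secret_bit) & full      # 0b111...1 if secret_bit else 0
    return (a & mask) | (b & ~mask & full)
```

Compare this with `a if secret_bit else b`, whose branch a timing side-channel could observe.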
Oracle Assessment, Improvement and Placement
The oracle problem remains one of the key challenges in software testing, for which little automated support has been developed so far. This thesis analyses the prevalence of failed error propagation in programs with real faults to address the oracle placement problem, and introduces an approach for iterative assessment and improvement of test oracles.

To analyse failed error propagation in programs with real faults, we conducted an empirical study on Defects4J, a benchmark of Java programs, using all 6 projects available, 384 real bugs, and 528 methods fixed to correct those bugs. The results indicate that the prevalence of failed error propagation is negligible. Moreover, the results on real faults differ from the results on mutants, indicating that if failed error propagation is taken into account, mutants are not a good surrogate for real faults. When measuring failed error propagation, for each method we use the strongest possible oracle as a postcondition, one that checks all externally observable program variables. The low prevalence of failed error propagation is caused by the presence of such a strong oracle, which is usually not available in practice. There is therefore a need for a technique to assess and improve existing, weaker oracles.

We propose a technique for assessing and improving test oracles which necessarily places the human tester in the loop and is based on reducing the incidence of both false positives and false negatives. We provide a proof that this approach increases the mutual information between the actual and perfect oracles. Applying the approach to five real-world subjects shows that the fault detection rate of the improved oracles increases, on average, by 48.6%. A further evaluation with 39 participants assessed the ability of humans to detect false positives and false negatives manually, without any tool support. The correct classification rate achieved by humans in this case is poor (29%), indicating how helpful our automated approach can be for developers. A comparison of humans' ability to improve oracles with and without the tool, in a study with 29 other participants, also empirically validates the effectiveness of the approach.
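As a small illustration of the mutual-information measure the thesis reasons about, the sketch below computes the mutual information (in bits) between two equal-length streams of oracle verdicts (e.g., an actual oracle's pass/fail labels against a perfect oracle's). It is an illustrative aid with hypothetical inputs, not the thesis's tooling.

```python
from collections import Counter
from math import log2

def mutual_information(xs, ys):
    """Mutual information (bits) between two equal-length verdict streams.

    Estimated from empirical joint and marginal frequencies:
    I(X;Y) = sum p(x,y) * log2( p(x,y) / (p(x) * p(y)) ).
    """
    n = len(xs)
    pxy = Counter(zip(xs, ys))   # joint counts over verdict pairs
    px = Counter(xs)             # marginal counts for each stream
    py = Counter(ys)
    return sum(
        (c / n) * log2((c / n) / ((px[x] / n) * (py[y] / n)))
        for (x, y), c in pxy.items()
    )
```

An oracle that agrees with the perfect oracle on every input attains the maximal value (here 1 bit for balanced binary verdicts), while a statistically independent oracle scores 0; improvement steps aim to move the actual oracle toward the former.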