    AppJitsu: investigating the resiliency of Android applications

    The Android platform gives mobile device users the opportunity to extend the capabilities of their systems by installing developer-authored apps. Companies leverage this capability to reach their customers and conduct business operations such as financial transactions. End-users can obtain custom Android applications (apps) from Google Play, some of which are security-sensitive due to the nature of the data that they handle, such as apps from the FINANCE category. Although there are recommendations and standardized guidelines for secure app development with various self-defense techniques, the adoption of such methods is not mandatory and is left to the discretion of developers. Unfortunately, malicious actors can tamper with the app runtime environment and then exploit the attack vectors which arise from the tampering, such as executing foreign code with elevated privileges on the mobile platform. In this paper, we present AppJITSU, a dynamic app analysis framework that evaluates the resiliency of security-critical apps. We exercise the 455 most popular financial apps in attack-specific hostile environments to demonstrate the current state of resiliency against known tampering methods. Our results indicate that 25.05% of the tested apps have no resiliency against any common hostile methods or tools, whereas only 10.77% employed all defensive methods.
    Accepted manuscript

    HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing

    Contemporary fuzz testing techniques focus on identifying memory corruption vulnerabilities that allow adversaries to achieve either remote code execution or information disclosure. Meanwhile, Algorithmic Complexity (AC) vulnerabilities, which are a common attack vector for denial-of-service attacks, remain an understudied threat. In this paper, we present HotFuzz, a framework for automatically discovering AC vulnerabilities in Java libraries. HotFuzz uses micro-fuzzing, a genetic algorithm that evolves arbitrary Java objects in order to trigger the worst-case performance for a method under test. We define Small Recursive Instantiation (SRI) as a technique to derive seed inputs, represented as Java objects, for micro-fuzzing. After micro-fuzzing, HotFuzz synthesizes test cases that triggered AC vulnerabilities into Java programs and monitors their execution in order to reproduce the vulnerabilities outside the fuzzing framework. HotFuzz outputs those programs that exhibit high CPU utilization as witnesses for AC vulnerabilities in a Java library. We evaluate HotFuzz over the Java Runtime Environment (JRE), the 100 most popular Java libraries on Maven, and challenges contained in the DARPA Space and Time Analysis for Cybersecurity (STAC) program. We evaluate SRI's effectiveness by comparing the performance of micro-fuzzing with SRI, measured by the number of AC vulnerabilities detected, to simply using empty values as seed inputs. In this evaluation, we verified known AC vulnerabilities, discovered previously unknown AC vulnerabilities that we responsibly reported to vendors, and received confirmation from both IBM and Oracle. Our results demonstrate that micro-fuzzing finds AC vulnerabilities in real-world software, and that micro-fuzzing with SRI-derived seed inputs outperforms using empty values.
    Comment: Network and Distributed Systems Security (NDSS) Symposium, San Diego, CA, USA, February 202

    Probabilistic Naming of Functions in Stripped Binaries

    Debugging symbols in binary executables carry the names of functions and global variables. When present, they greatly simplify the process of reverse engineering, but they are almost always removed (stripped) for deployment. We present the design and implementation of punstrip, a tool which combines a probabilistic fingerprint of binary code based on high-level features with a probabilistic graphical model to learn the relationship between function names and program structure. As there are many naming conventions and developer styles, functions from different applications do not necessarily have the exact same name, even if they implement the exact same functionality. We therefore evaluate punstrip across three levels of name matching: exact; an approach based on natural language processing of name components; and using Symbol2Vec, a new embedding of function names based on random walks of function call graphs. We show that our approach is able to recognize functions compiled across different compilers and optimization levels, and then demonstrate that punstrip can predict semantically similar function names based on code structure. We evaluate our approach over open source C binaries from the Debian Linux distribution and compare against the state of the art.

    Removing web spam links from search engine results
