
    Debugger-driven Embedded Fuzzing

    Embedded systems, the hidden computers in our lives, are deployed in the billions and are already in the focus of attackers. They pose security risks when not tested and maintained thoroughly. In recent years, fuzzing has become a promising technique for automated security testing of programs, which can generate vast numbers of test inputs for a program. Fuzzing is rarely applied to embedded systems because of their high diversity and closed character. In my research I want to tackle that gap in fuzzing embedded systems, in short “Embedded Fuzzing”. My goal is to obtain insights into the embedded system during execution by using common debugging interfaces and hardware breakpoints, enabling guided fuzzing in a generic and widely applicable way. Debugging interfaces and hardware breakpoints are available for most common microcontrollers, giving the approach potential industry impact. Preliminary results show that the approach covers basic blocks faster than blackbox fuzzing. Additionally, it is source code agnostic and leaves the embedded firmware unaltered.

    Revisiting Neural Program Smoothing for Fuzzing

    Testing with randomly generated inputs (fuzzing) has gained significant traction due to its capacity to expose program vulnerabilities automatically. Fuzz testing campaigns generate large amounts of data, making them ideal for the application of machine learning (ML). Neural program smoothing (NPS), a specific family of ML-guided fuzzers, aims to use a neural network as a smooth approximation of the program target for new test case generation. In this paper, we conduct the most extensive evaluation of NPS fuzzers against standard gray-box fuzzers (>11 CPU years and >5.5 GPU years), and make the following contributions: (1) We find that the original performance claims for NPS fuzzers do not hold; a gap we relate to fundamental, implementation, and experimental limitations of prior works. (2) We contribute the first in-depth analysis of the contribution of machine learning and gradient-based mutations in NPS. (3) We implement Neuzz++, which shows that addressing the practical limitations of NPS fuzzers improves performance, but that standard gray-box fuzzers almost always surpass NPS-based fuzzers. (4) As a consequence, we propose new guidelines targeted at benchmarking fuzzing based on machine learning, and present MLFuzz, a platform with GPU access for easy and reproducible evaluation of ML-based fuzzers. Neuzz++, MLFuzz, and all our data are public.
    Comment: Accepted as conference paper at ESEC/FSE 202

    Revisiting Neural Program Smoothing for Fuzzing

    Testing with randomly generated inputs (fuzzing) has gained significant traction due to its capacity to expose program vulnerabilities automatically. Fuzz testing campaigns generate large amounts of data, making them ideal for the application of machine learning (ML). Neural program smoothing, a specific family of ML-guided fuzzers, aims to use a neural network as a smooth approximation of the program target for new test case generation. In this paper, we conduct the most extensive evaluation of neural program smoothing (NPS) fuzzers against standard gray-box fuzzers (>11 CPU years and >5.5 GPU years), and make the following contributions: (1) We find that the original performance claims for NPS fuzzers do not hold; a gap we relate to fundamental, implementation, and experimental limitations of prior works. (2) We contribute the first in-depth analysis of the contribution of machine learning and gradient-based mutations in NPS. (3) We implement Neuzz++, which shows that addressing the practical limitations of NPS fuzzers improves performance, but standard gray-box fuzzers almost always surpass NPS-based fuzzers. (4) As a consequence, we propose new guidelines targeted at benchmarking fuzzing based on machine learning, and present a platform, MLFuzz, with GPU access for easy and reproducible evaluation of ML-based fuzzers. Neuzz++, MLFuzz, and all our data are public.

    Highly coherent electron beam from a laser-triggered tungsten needle tip

    We report on a quantitative measurement of the spatial coherence of electrons emitted from a sharp metal needle tip. We investigate the coherence in photoemission using near-ultraviolet laser triggering with a photon energy of 3.1 eV and compare it to DC-field emission. A carbon nanotube is brought in close proximity to the emitter tip to act as an electrostatic biprism. From the resulting electron matter wave interference fringes we deduce an upper limit of the effective source radius both in laser-triggered and DC-field emission mode, which quantifies the spatial coherence of the emitted electron beam. We obtain (0.80 ± 0.05) nm in laser-triggered and (0.55 ± 0.02) nm in DC-field emission mode, revealing that the outstanding coherence properties of electron beams from needle tip field emitters are largely maintained in laser-induced emission. In addition, the relative coherence width of 0.36 of the photoemitted electron beam is the largest observed so far. The preservation of electronic coherence during emission as well as ramifications for time-resolved electron imaging techniques are discussed.

    Fuzzing Embedded Systems Using Debug Interfaces

    Fuzzing embedded systems is hard. Their key components, microcontrollers, are highly diverse and cannot be easily virtualized; their software may not be changed or instrumented. However, we observe that many, if not most, microcontrollers feature a debug interface through which a debug probe (typically controllable via GDB, the GNU debugger) can set a limited number of hardware breakpoints. Using these, we extract partial coverage feedback even for uninstrumented binary code, and thus enable effective fuzzing for embedded systems through a generic, widespread mechanism. In its evaluation on four different microcontroller boards, our prototypical implementation GDBFuzz quickly reaches high code coverage and detects known and new vulnerabilities. As it can be applied to any program and system that GDB can debug, GDBFuzz is one of the least demanding and most versatile coverage-guided fuzzers.

    Rapid-scan acousto-optical delay line with 34 kHz scan rate and 15 as precision

    An optical fast-scan delay exploiting the near-collinear interaction between a train of ultrashort optical pulses and an acoustic wave propagating in a birefringent crystal is introduced. In combination with a femtosecond Er:fiber laser, the scheme is shown to delay few-femtosecond pulses by up to 6 ps with a precision of 15 as. A resolution of 5 fs is obtained for a single sweep at a repetition rate of 34 kHz. This value can be improved to 39 as for multiple scans at a total rate of 0.3 kHz.

    Evaluation of the Adaptability of Multi-Storey Buildings for Urban Areas

    Demographic changes, a transforming labour market and economic volatility with different dominant industries require buildings that can adapt to changing user requirements. In order to increase resource efficiency, buildings must not only be optimised in terms of material use and energy consumption, but also designed for a long horizon of use. In order to be able to evaluate the adaptability of multi-storey buildings to different forms of use, the research project “Adaptive building structures to increase the resource efficiency of multi-storey buildings in urban areas” was carried out within the framework of the “Zukunft Bau” research initiative. In the following article, the motivation for the research project, an overview of the main aspects and the results are presented in summarised form.

    Diagnostic Testing of Pediatric Fevers: Meta-Analysis of 13 National Surveys Assessing Influences of Malaria Endemicity and Source of Care on Test Uptake for Febrile Children under Five Years.

    In 2010, the World Health Organization revised guidelines to recommend diagnosis of all suspected malaria cases prior to treatment. There has been no systematic assessment of malaria test uptake for pediatric fevers at the population level as countries start implementing guidelines. We examined test use for pediatric fevers in relation to malaria endemicity and treatment-seeking behavior in multiple sub-Saharan African countries in the initial years of implementation. We compiled data from national population-based surveys reporting fever prevalence, care-seeking and diagnostic use for children under five years in 13 sub-Saharan African countries in 2009-2011/12 (n = 105,791). Mixed-effects logistic regression models quantified the influence of source of care and malaria endemicity on test use after adjusting for socioeconomic covariates. Results were stratified by malaria endemicity categories: low (PfPR2-10 < 5%), moderate (PfPR2-10 5-40%), high (PfPR2-10 > 40%). Among febrile under-fives surveyed, 16.9% (95% CI: 11.8%-21.9%) were tested. Compared to hospitals, febrile children attending non-hospital sources (OR: 0.62, 95% CI: 0.56-0.69) and community health workers (OR: 0.31, 95% CI: 0.23-0.43) were less often tested. Febrile children in high-risk areas had reduced odds of testing compared to low-risk settings (OR: 0.51, 95% CI: 0.42-0.62). Febrile children in the least poor households were more often tested than those in the poorest (OR: 1.63, 95% CI: 1.39-1.91), as were children with better-educated mothers compared to the least educated (OR: 1.33, 95% CI: 1.16-1.54). Diagnostic testing of pediatric fevers was low and inequitable at the outset of the new guidelines. Greater testing is needed at lower or less formal sources where pediatric fevers are commonly managed, particularly to reach the poorest. Lower test uptake in high-risk settings merits further investigation given potential implications for diagnostic scale-up in these areas. Findings could inform continued implementation of the new guidelines to improve access to and equity in point-of-care diagnostics use for pediatric fevers.