Fuzzing Program Logic Deeply Hidden in Binary Program Stages

2019 IEEE 26th International Conference on Software Analysis, Evolution and Reengineering (SANER), pp.105-116, (2019)


Abstract

Fuzzing is an effective method to identify bugs and security vulnerabilities in software. One particular difficulty faced by fuzzing is how to effectively generate inputs to cover program paths, especially for programs with complex logic. We observe that complex programs are often composed of components, which is a natural result of softw...

Introduction
  • Fuzzing is an effective testing method to identify software bugs and security vulnerabilities.
  • Applications are getting larger and more complex due to the ever-increasing functionality demands of users.
  • As such, this trend makes it very difficult for fuzzing solutions to cover the logic deeply hidden in the program, which is guarded by complex conditions.
  • Symbolic execution does not scale well to this kind of large context and to long-running programs, due to the problem of path explosion [17].
  • This makes traditional, non-hybrid approaches unsuitable for identifying deep bugs that can only be triggered in a component deeply embedded in the program.
Highlights
  • Fuzzing is an effective testing method to identify software bugs and security vulnerabilities
  • Black-box fuzzers, such as Peach [23], Sulley [9] and SPIKE [8], generate cases depending on the input format without knowledge of the target binary, while grey-box fuzzers [12, 51] guide the fuzzing process with partial knowledge of the program
  • The main challenge faced by fuzzing techniques is to have good coverage of program paths
  • Our evaluation shows that it is effective in identifying program stages, and obtains a higher coverage of the program in a shorter amount of time compared to American fuzzy lop (AFL).
  • To evaluate STAGEFUZZER, we conducted a set of experiments on different applications to show the improvements in code coverage, the accuracy of stage identification and the effectiveness of bug finding of our fuzzer in real-world applications.
  • We demonstrated its effectiveness by comparing it with AFL on binaries that take different input types.
Methods
  • One possible way to determine a stage is source-based program analysis.
  • The authors present a method to identify the logical stages and their memory interfaces based on the analysis of the execution trace of a program.
  • To reconstruct all memory regions used as stage interfaces by a program, STAGEFUZZER first extracts the memory usage behaviors of the program via the memory access trace and call graph, and builds the life-cycle sequence for each memory location to mark its space and time characteristics.
  • A define instruction usually has several corresponding read instructions, so the authors chose the last read instruction to compose a life-cycle item, as shown in Figure 2-1.
Results
  • To evaluate STAGEFUZZER, the authors conducted a set of experiments on different applications to show the improvements of code coverage, the accuracy of stage identification and the effectiveness of bug finding of the fuzzer in real-world applications.

  • Benchmarks.
  • The authors chose 14 real-world C programs as benchmarks for the main evaluation based on the following features: popularity in the community, development activeness and diversity of categories.
  • The authors used the popular coverage-guided greybox fuzzer American fuzzy lop (AFL) [51].
  • The authors use AFL to refer to AFL in QEMU mode.
Conclusion
  • Threats to Validity.
  • Like many other input generation techniques founded on a genetic-algorithm-style model, STAGEFUZZER relies on heuristics to produce inputs that achieve its testing goal, which is to test the logical stages hidden in a binary.
  • In combination with the fact that STAGEFUZZER uses a dynamic technique, this means that STAGEFUZZER is not guaranteed to find and test all internal stages of a program.
  • STAGEFUZZER presents a method to make full use of an input seed to explore the internal program behaviors.
Tables
  • Table 1: Instruction coverage. STF and AFL represent the number of instructions only covered by STAGEFUZZER and AFL, respectively. COM represents the instructions covered by both fuzzers. AFL+COM represents all the instructions covered by AFL.
  • Table 2: Result of stage identification. Trace size represents the length of an execution trace. Time represents the time consumption of the stage identification. Number of stages represents the candidate stages that STAGEFUZZER reported. Verified
  • Table 3: Crashes detected by STAGEFUZZER and AFL.
Related work
  • A large body of related work focuses on improving the efficiency of fuzzing. Most of it tries to optimize seed selection [31, 40], search strategies [11, 12, 32] and fuzz configuration scheduling [49]. However, these approaches cannot bypass complex modules or logic, such as data transformation and sanity checks, to test the deep modules directly and effectively. HI-CFG [17] proposed a method similar to STAGEFUZZER's, which identifies data transformation structures and uses them to isolate the logic components of a program. However, its target is efficiently producing new attacks for a vulnerability. STAGEFUZZER also provides more approaches than HI-CFG to identify the input transformations. In this section, we focus our discussion on related work that improves testing of the code hidden deep in the execution.
Funding
  • This research was supported in part by the National Natural Science Foundation of China (Grant No. U1736209, U1836117, 61572483, 61502468 and 61502469).
Reference
  • [1] Libtiff. http://www.libtiff.org/tools.html, 1999.
  • [2] The XSLT C library for GNOME. http://xmlsoft.org/libxslt/, 2003.
  • [3] wv. http://wvware.sourceforge.net/, 2005.
  • [4] The GNU Binutils website. https://www.gnu.org/s/binutils/, 2007.
  • [5] ImageMagick. https://www.imagemagick.org/, 2008.
  • [6] Libpng. http://www.libpng.org/pub/png/libpng.html, 2018.
  • [7] Libxml2. http://xmlsoft.org/, 2018.
  • [8] D. Aitel. SPIKE fuzzing platform. https://www.blackhat.com/presentations/bh-usa-02/bh-us-02-aitel-spike.ppt, 2002.
  • [9] Pedram Amini and Aaron Portnoy. Sulley fuzzing framework, 2010.
  • [10] Thanassis Avgerinos, Alexandre Rebert, Sang Kil Cha, and David Brumley. Enhancing symbolic execution with veritesting. In Proceedings of the 36th International Conference on Software Engineering, pages 1083–1094. ACM, 2014.
  • [11] Marcel Böhme, Van-Thuan Pham, Manh-Dung Nguyen, and Abhik Roychoudhury. Directed greybox fuzzing. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pages 2329–2344. ACM, 2017.
  • [12] Marcel Böhme, Van-Thuan Pham, and Abhik Roychoudhury. Coverage-based greybox fuzzing as Markov chain. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 1032–1043. ACM, 2016.
  • [13] Derek Bruening and Saman Amarasinghe. Efficient, transparent, and comprehensive runtime code manipulation. 2004.
  • [14] Cristian Cadar, Daniel Dunbar, Dawson R. Engler, et al. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In Operating Systems Design and Implementation, volume 8, pages 209–224, 2008.
  • [15] Cristian Cadar, Vijay Ganesh, Peter Pawlowski, David Dill, and Dawson Engler. EXE: A system for automatically generating inputs of death using symbolic execution. In Proceedings of the ACM Conference on Computer and Communications Security, 2006.
  • [16] Gabriel Campana. Fuzzgrind: an automatic fuzzing tool. http://seclab.sogeti.com/dotclear/index.php?pages/Fuzzgrind, 2009.
  • [17] Dan Caselden, Alex Bazhanyuk, Mathias Payer, Stephen McCamant, and Dawn Song. HI-CFG: Construction by binary analysis and application to attack polymorphism. In European
  • [18] Sang Kil Cha, Thanassis Avgerinos, Alexandre Rebert, and David Brumley. Unleashing mayhem on binary code. In 2012
  • [19] Sang Kil Cha, Maverick Woo, and David Brumley. Program-adaptive mutational fuzzing. In Security and Privacy (SP), 2015 IEEE Symposium on, pages 725–741. IEEE, 2015.
  • [20] Zheng Leong Chua, Shiqi Shen, Prateek Saxena, and Zhenkai
  • [21] Steve Cornett. https://www.bullseye.com/coverage.html, 1996.
  • [22] Will Drewry and Tavis Ormandy. Flayer: exposing application internals. In USENIX Workshop on Offensive Technologies, 2007.
  • [23] Michael Eddington. Peach fuzzing platform, 2011.
  • [24] Vijay Ganesh, Tim Leek, and Martin Rinard. Taint-based directed whitebox fuzzing. In Proceedings of the 31st International Conference on Software Engineering, pages 474–484. IEEE Computer Society, 2009.
  • [25] Patrice Godefroid. Micro execution. In Proceedings of the 36th
  • [26] Patrice Godefroid, Nils Klarlund, and Koushik Sen. DART: directed automated random testing. In ACM SIGPLAN Notices, volume 40, pages 213–223. ACM, 2005.
  • [27] Patrice Godefroid, Michael Y. Levin, and David Molnar. Automated whitebox fuzz testing. In Network and Distributed System Security Symposium, 2008.
  • [28] Google. TriforceAFL. https://www.nccgroup.trust/us/aboutus/newsroom-and-events/blog/2016/june/project-triforce-runafl-on-everything/, 2016.
  • [29] Istvan Haller, Asia Slowinska, Matthias Neugschwandtner, and Herbert Bos. Dowsing for overflows: A guided fuzzer to find buffer boundary violations. In USENIX Security Symposium, pages 49–64, 2013.
  • [30] Xiangkun Jia, Chao Zhang, Purui Su, Yi Yang, Huafeng Huang, and Dengguo Feng. Towards efficient heap overflow discovery. In 26th USENIX Security Symposium, 2017.
  • [31] Caroline Lemieux, Rohan Padhye, Koushik Sen, and Dawn Song. PerfFuzz: automatically generating pathological inputs. In Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis, pages 254–265. ACM, 2018.
  • [32] Yuekang Li, Bihuan Chen, Mahinthan Chandramohan, Shang-Wei Lin, Yang Liu, and Alwen Tiu. Steelix: program-state based binary fuzzing. In Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering, pages 627–637. ACM, 2017.
  • [33] Xiaozhu Meng and Barton P. Miller. Binary code is not easy. In Proceedings of the 25th International Symposium on Software Testing and Analysis, pages 24–35. ACM, 2016.
  • [34] David Molnar, X. C. Li, and David Wagner. Dynamic test generation to find integer bugs in x86 binary Linux programs. In 18th USENIX Security Symposium, volume 9, pages 67–82, 2009.
  • [35] David A. Molnar and David Wagner. Catchconv: Symbolic execution and run-time type inference for integer conversion errors. Technical report, University of California Berkeley, 2007.
  • [36] Yannic Noller, Rody Kersten, and Corina S. Pasareanu. Badger: Complexity analysis with fuzzing and symbolic execution. arXiv preprint arXiv:1806.03283, 2018.
  • [37] Hui Peng, Yan Shoshitaishvili, and Mathias Payer. T-Fuzz: fuzzing by program transformation. In 2018 IEEE Symposium on Security and Privacy, pages 697–710. IEEE, 2018.
  • [38] David A. Ramos and Dawson Engler. Under-constrained symbolic execution: Correctness checking for real code. In 24th
  • 64. USENIX Association, 2015.
  • [39] Sanjay Rawat, Vivek Jain, Ashish Kumar, Lucian Cojocar, Cristiano Giuffrida, and Herbert Bos. VUzzer: Application-aware evolutionary fuzzing. In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2017.
  • [40] Alexandre Rebert, Sang Kil Cha, Thanassis Avgerinos, Jonathan M. Foote, David Warren, Gustavo Grieco, and David Brumley. Optimizing seed selection for fuzzing. USENIX, 2014.
  • [41] Koushik Sen, Darko Marinov, and Gul Agha. CUTE: a concolic unit testing engine for C. In ACM SIGSOFT Software Engineering Notes, volume 30, pages 263–272. ACM, 2005.
  • [42] Kosta Serebryany. Continuous fuzzing with libFuzzer and AddressSanitizer. In Cybersecurity Development (SecDev), IEEE, pages 157–157. IEEE, 2016.
  • [43] Yan Shoshitaishvili, Ruoyu Wang, Christopher Salls, Nick Binary Analysis. In IEEE Symposium on Security and Privacy, 2016.
  • [44] Nick Stephens, John Grosen, Christopher Salls, Andrew https://www.corelan.be/index.php/2010/10/20/in-memoryfuzzing/, 2010.
  • http://taviso.decsystem.org/making software dumber.pdf, 2009.
  • [47] Shuai Wang and Dinghao Wu. In-memory fuzzing for binary code similarity analysis. In Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering, pages 319–330. IEEE Press, 2017.
  • [48] Tielei Wang, Tao Wei, Guofei Gu, and Wei Zou. TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection. In IEEE Symposium on Security & Privacy, 2010.
  • [49] Maverick Woo, Sang Kil Cha, Samantha Gottlieb, and David Brumley. Scheduling black-box mutational fuzzing. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pages 511–522. ACM, 2013.
  • [50] Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang, and Taesoo Security 18). USENIX, 2018.
  • [51] Michal Zalewski. American fuzzy lop (AFL) fuzzer. http://lcamtuf.coredump.cx/afl/technical details.t, 2013.
  • [52] Michal Zalewski. http://lcamtuf.coredump.cx/afl/#bugs, 2017.
Author
Yanhao Wang
Yuwei Liu
Purui Su