Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization (PowerPoint presentation)



SLIDE 1

Not All Coverage Measurements Are Equal

Fuzzing by Coverage Accounting for Input Prioritization

Yanhao Wang, Xiangkun Jia, Yuwei Liu, Kyle Zeng, Tiffany Bao, Dinghao Wu, and Purui Su

NDSS Symposium 2020

SLIDE 2

AFL Family and Coverage-based Fuzzing

AFL and its family: AFLFast, AFL-Sensitive, CollAFL, FairFuzz, Driller, QSYM

SLIDE 3

AFL Family and Coverage-based Fuzzing

[Diagram: the fuzzer sends inputs to the program; the program returns coverage feedback to the fuzzer and produces crash inputs.]

SLIDE 4

Coverage-based Fuzzing: The Internals

[Diagram: Queue -> Queue Culling (isFavor) -> Prioritized Queue. Inputs are marked either as prioritized ("favored") input or as other input.]

Input prioritization factors: execution time, input size, etc.

SLIDE 5

Coverage Measurements are Treated Equally

Spend equal time on security-sensitive paths and security-insensitive paths

[Diagram: a branch on `if len < 256`; path a leads to `memcpy(x, y, len)`, path b leads to `print error msg`; both then `return`.]

Delays finding vulnerabilities

SLIDE 6

Anti-Fuzzing

Inject fake coverage measurements to mislead coverage-based fuzzers

[Diagram: the same `if len < 256` branch, but path b is replaced by b', which passes through n fake paths before `print error msg` and `return`.]

SLIDE 7

What then?

SLIDE 8

We do not treat coverage measurements equally

SLIDE 9

Coverage Accounting

The prioritization of input reflects security sensitivity

[Diagram: the `if len < 256` branch shown twice, contrasting the `memcpy(x, y, len)` path a with the `print error msg` path b.]

SLIDE 10

Coverage Accounting

What should be the indicators?

Design a new queue culling scheme based on coverage accounting metrics at three levels:

function level
loop level
basic block level

SLIDE 11

Function Level

Function    Number
memcpy      80
strlen      35
ReadImage   17
malloc      15
memmove     12
free        12
memset      12
delete      11
memcmp      10
getString    9

We crawled call-stacks from webpages of all CVEs in the latest 4 years. Some functions are inherently likely to be involved in memory corruptions.

Highlighted functions: memcpy, free, malloc, memset, memmove, ......

SLIDE 12

Loop Level

[Diagram: a loop iterating 1, 2, 3, 4, 5.]

An incorrect looping condition is often the root cause of memory corruption vulnerabilities

SLIDE 13

Basic Block Level

The slide's example basic block (memory read and write operands are highlighted in the original):

    shl [rbp+var1], 4
    mov edx, [rbp+var1]
    mov eax, edx
    shl eax, 4
    add eax, edx
    mov [rbp+var1], eax
    mov rdx, [rbp+var2]
    mov rax, [rbp+i]
    add rax, rdx
    movzx edx, byte ptr [rax]
    movzx eax, [rbp+var3]
    xor eax, edx
    movzx eax, al
    add [rbp+var1], eax
    movzx edx, [rbp+var3]
    mov eax, edx
    shl eax, 3
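Slides 11 to 13 describe the three coverage accounting metrics. As an added illustration, not code from the TortoiseFuzz project, the following Python scorer computes all three for one block of assembly text: calls into slide 11's function list, back-edges to an earlier label, and memory read/write operands as in slide 13's listing. The sample listing is constructed (slide 13's block wrapped in a loop that ends in a memcpy call), and the exact counting rules are assumptions rather than the paper's implementation.

```python
import re

# Slide 11's list of functions that frequently appear in CVE call stacks.
SENSITIVE_FUNCS = {"memcpy", "free", "strlen", "memset", "ReadImage", "delete",
                   "malloc", "memcmp", "memmove", "getString"}
MEM_OPERAND = re.compile(r"\[[^\]]+\]")  # an x86 memory operand such as [rbp+var1]

def _parse(line):  # 'mov edx, [rbp+var1]' -> ('mov', ['edx', '[rbp+var1]'])
    mnemonic, _, rest = line.strip().partition(" ")
    return mnemonic, [o.strip() for o in rest.split(",")] if rest else []

def memory_accesses(asm_lines):
    """Basic-block-level metric: (reads, writes). A memory operand in the
    destination slot is a write, anywhere else a read (assumed rule)."""
    reads = writes = 0
    for _, ops in map(_parse, asm_lines):
        if ops and MEM_OPERAND.search(ops[0]):
            writes += 1
        elif any(MEM_OPERAND.search(o) for o in ops[1:]):
            reads += 1
    return reads, writes

def sensitive_calls(asm_lines):
    """Function-level metric: calls into the sensitive-function list."""
    return sum(1 for m, ops in map(_parse, asm_lines)
               if m == "call" and ops and ops[0].split("@")[0] in SENSITIVE_FUNCS)

def loop_back_edges(asm_lines):
    """Loop-level metric: jumps to a label defined earlier (back-edges)."""
    seen, edges = set(), 0
    for mnemonic, ops in map(_parse, asm_lines):
        if mnemonic.endswith(":"):
            seen.add(mnemonic[:-1])
        elif mnemonic.startswith("j") and ops and ops[0] in seen:
            edges += 1
    return edges

def account(asm_lines):
    """All three metrics for one block; higher values mark the block as
    more security-sensitive when prioritizing inputs that reach it."""
    reads, writes = memory_accesses(asm_lines)
    return {"func": sensitive_calls(asm_lines),
            "loop": loop_back_edges(asm_lines), "bb": reads + writes}

# Constructed sample: slide 13's listing wrapped in a loop that calls memcpy.
SAMPLE = ["top:", "shl [rbp+var1], 4", "mov edx, [rbp+var1]", "mov eax, edx", "shl eax, 4",
          "add eax, edx", "mov [rbp+var1], eax", "mov rdx, [rbp+var2]", "mov rax, [rbp+i]",
          "add rax, rdx", "movzx edx, byte ptr [rax]", "movzx eax, [rbp+var3]", "xor eax, edx",
          "movzx eax, al", "add [rbp+var1], eax", "movzx edx, [rbp+var3]", "mov eax, edx",
          "shl eax, 3", "call memcpy@plt", "jne top"]
```

`account(SAMPLE)` reports one sensitive call, one back-edge and nine memory accesses (six reads, three writes) for the block.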

SLIDE 14

Design

[Diagram: Queue -> Queue Culling (isFavor), now fed with Coverage Accounting Information -> Prioritized Queue. Input classes shown: security-sensitive prioritized input, security-insensitive prioritized input, other input, and favored.]
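Slides 4 and 14 contrast AFL's queue culling with the coverage-accounting variant. The following Python simulation is an added example, not AFL's or TortoiseFuzz's code: it mirrors AFL's per-edge top_rated selection followed by greedy favoring, then swaps in an assumed accounting key (highest accounting score wins, AFL's exec_time * size factor breaks ties) and, following slide 14, favors only the security-sensitive prioritized inputs. The edge weights and queue entries are constructed.

```python
# Per-edge security-sensitivity weights from coverage accounting (constructed):
# e3 is the block that calls memcpy, e4 a loop back-edge, e1/e2 the error path.
EDGE_WEIGHT = {"e1": 0, "e2": 0, "e3": 12, "e4": 5}

class Entry:
    """One queue entry: covered edges plus AFL's prioritization factors."""
    def __init__(self, name, edges, exec_us, size):
        self.name, self.edges = name, frozenset(edges)
        self.exec_us, self.size = exec_us, size
        # Coverage accounting score of the path this input exercises.
        self.accounting = sum(EDGE_WEIGHT[e] for e in self.edges)

def afl_key(entry):
    """AFL's isFavor factor: faster and smaller inputs rank better (lower)."""
    return entry.exec_us * entry.size

def accounting_key(entry):
    """Assumed accounting factor: the most security-sensitive path ranks
    best; AFL's factor breaks ties."""
    return (-entry.accounting, afl_key(entry))

def cull_queue(queue, key, require_sensitive=False):
    """AFL-style culling: per edge keep the best-ranked entry (top_rated),
    then greedily favor entries until every edge has a favored owner.
    With require_sensitive, an entry whose path has no accounting score
    stays prioritized-but-unfavored (slide 14's security-insensitive class)."""
    top_rated = {}
    for entry in queue:
        for edge in entry.edges:
            if edge not in top_rated or key(entry) < key(top_rated[edge]):
                top_rated[edge] = entry
    favored, covered = [], set()
    for edge in sorted(top_rated):
        if edge in covered:
            continue
        entry = top_rated[edge]
        covered |= entry.edges
        if require_sensitive and entry.accounting == 0:
            continue
        if entry.name not in favored:
            favored.append(entry.name)
    return favored

# Constructed queue: the error path is cheap, the memcpy-reaching input is slow
# and large, and a small input also touches the memcpy block.
QUEUE = [Entry("err_path", {"e1", "e2"}, exec_us=100, size=10),
         Entry("memcpy_path", {"e1", "e3"}, exec_us=900, size=300),
         Entry("loop_path", {"e1", "e4"}, exec_us=300, size=50),
         Entry("memcpy_small", {"e3"}, exec_us=120, size=20)]
```

`cull_queue(QUEUE, afl_key)` favors the cheap error path, while `cull_queue(QUEUE, accounting_key, require_sensitive=True)` favors the memcpy and loop paths instead.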

SLIDE 15

TortoiseFuzz: Coverage-based Fuzzer with Coverage Accounting

[Diagram: TortoiseFuzz placed in the AFL family alongside AFLFast, AFL-Sensitive, CollAFL, FairFuzz, Driller and QSYM.]

SLIDE 16

TortoiseFuzz: Coverage-based Fuzzer with Coverage Accounting

Video: The Hare and The Tortoise Story, Bedtime Story by Kids Hut
https://www.youtube.com/watch?v=eMXmMHVNx4U

SLIDE 17

Implementation

We implement coverage accounting on AFL as TortoiseFuzz.
We implement TortoiseFuzz for both source code and binaries.

SLIDE 18

Experiment Setup

Each experiment lasted for 140 hours.
Each experiment was done 10 times.
We ran TortoiseFuzz on 30 real-world programs.
We performed the Mann-Whitney U test to measure statistical significance.

SLIDE 19

Vulnerability Discovery

[Bar chart: average # of discovered vulnerabilities for TortoiseFuzz, AFL, AFLFast, FairFuzz, MOPT, Angora and QSYM.]

TortoiseFuzz outperforms 5 state-of-the-art fuzzers and achieves comparable results with QSYM

SLIDE 20

Comparison with QSYM

TortoiseFuzz uses 2% of QSYM's memory usage on average

SLIDE 21

Complementary to Other Fuzzers

Coverage accounting helps improve QSYM in discovering vulnerabilities

Average # of discovered vulnerabilities
QSYM                         39.8
QSYM + coverage accounting   51.2

28.6% improvement

SLIDE 22

Robustness to Anti-fuzzing

[Diagram: the `if len < 256` branch with path b' passing through n fake paths before `print error msg`.]

Fake paths do not contain much coverage accounting information

SLIDE 23

Robustness to Anti-fuzzing

Coverage accounting metrics are more robust to anti-fuzzing

[Line chart: # of covered edges over time (y-axis 2000 to 12000 edges, x-axis 12 to 72 hours) for AFL, AFL+anti-fuzzing, TortoiseFuzz and TortoiseFuzz+anti-fuzzing.]

SLIDE 24

Conclusion

We propose coverage accounting, which is complementary to other coverage-based fuzzers.
We design and implement TortoiseFuzz, and we are going to release it at https://github.com/TortoiseFuzz/TortoiseFuzz
We evaluate TortoiseFuzz on 30 real-world programs and find 20 zero-day vulnerabilities.
TortoiseFuzz outperforms 5 state-of-the-art fuzzers and achieves comparable results with QSYM with 2% of its memory usage.

SLIDE 25

Thank you! Q & A

Kyle Zeng, zengyhkyle@asu.edu
