Configuration Fuzzing for Software Vulnerability Detection

Configuration Fuzzing for Software Vulnerability Detection Huning Dai, Chris Murphy, Gail Kaiser Columbia University

Observation

Most vulnerabilities only reveal themselves under three conditions:

1. Particular inputs

   Fuzz Testing (Miller et al., 1988)
   A. Randomly generated inputs may fail to satisfy syntactic constraints.
   B. It is hard to evaluate how much of the input/configuration space is explored.
   C. Limited information about the "failure".

Observation

Most vulnerabilities only reveal themselves under three conditions:

2. Particular configurations of the software

   Configuration Testing (Memon and Porter et al., 2004)
   A. Has not been applied to security testing.
   B. Provides little information other than pass/fail.

Observation

Most vulnerabilities only reveal themselves under three conditions:

3. Particular runtime environment

   Fault Injection (Hsueh et al., 1997)
   A. Perturbs the external environment.
   B. Relies on the faults being injected.
   C. Considerable false positives.

Our Solution: Configuration Fuzzing

A. Instead of generating random inputs, Configuration Fuzzing mutates the application configuration.
B. To increase effectiveness, Configuration Fuzzing tests are carried out "In Vivo" after the software is released, with real-world inputs and the real runtime environment.
C. Instead of only checking for failure, surveillance functions are run throughout the tests; these functions check for violations of "security invariants" and log detailed information.

Overview

Background
Model
ConFu Framework
Case Studies
Limitations and Conclusion

Background

In Vivo Testing (Murphy et al., 2009): executes tests in the context of the running program, after the software is released, without affecting the main process.

Security Invariants (Biskup, 2009): not merely

    const int security;
    const char secure;

but rules which, once broken, indicate …

Approach: Configuration Fuzzing

Configuration Fuzzing mutates the application configuration, within predefined configuration constraints of the software under test, to look for potential vulnerabilities.
Surveillance functions based on security invariants are executed throughout the test in order to detect vulnerabilities.
Tests are executed in the deployed application while it is running, "in vivoly".

Model

Introduction to ConFu

ConFu: CONfiguration FUzzing testing framework

Steps:
1. Identifying the configuration variables
2. Generating fuzzing code
3. Identifying functions to test
4. Generating test code
5. Executing tests

STEP 1: Identifying the configuration variables

Part of the annotated configuration file of OpenSSH (the comment after each option names the field of the options struct and the set of values the fuzzer may assign to it):

    X11Forwarding yes   #[options.x11_forwarding]@{0,1}
    TCPKeepAlive yes    #[options.tcp_keep_alive]@{0,1}
    UseLogin no         #[options.use_login]@{0,1}
    Protocol 1          #[options.permit_root_login]@{1,2,3}
    … …

STEP 2: Generating fuzzing code

An example fuzzer for OpenSSH (the field names follow the annotations of Step 1):

    typedef struct {
        int x11_forwarding;
        int tcp_keep_alive;
        ...
    } result;

    void fuzz_config() {
        /* generate a set of values: one row of the covering array */
        result r = covering_array();
        /* overwrite the live configuration with the fuzzed values */
        options.x11_forwarding = r.x11_forwarding;
        options.tcp_keep_alive = r.tcp_keep_alive;
        ...
    }

STEP 3 & STEP 4: Identifying functions to test; Generating test code

The function chosen for testing is renamed, so that the original name can be taken over by a wrapper (Step 5):

    do_child()  ->  ConFu_do_child()

Test function for do_child():

    void ConFu_test_do_child(...) {
        fuzz_config();          /* Fuzz configuration */
        ConFu_do_child(...);    /* Call the original function */
        check_invariants();     /* Surveillance: check the security invariants */
    }

STEP 5: Executing tests

Wrapper function for do_child() (keeps the original name, so callers are unchanged):

    void do_child(...) {
        /* Create new process */
        int pid = fork();
        if (pid == 0) {
            /* Test function, in the child */
            ConFu_test_do_child(...);
            exit(0);   /* the child never returns to the caller */
        }
        /* Original function, in the parent */
        ConFu_do_child(...);
    }

(Diagram on the slide: do_child wrapper -> fork(); the child runs test_do_child (test) and exits; the parent runs _do_child (original) and continues.)
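Steps 3 to 5 as one runnable added example (this is not ConFu's code, which is C inside OpenSSH): Python's os.fork() stands in for fork(), a constructed Options/Session pair stands in for OpenSSH's options struct and process state, and do_child_simulated is a toy target whose only behaviour is shaped like the CVE-2000-0525 description below (with use_login enabled the privilege drop is skipped). It is not OpenSSH code and models no other bug. check_invariants is the surveillance function; the child reports violations over a pipe and exits with a status code, while the parent serves the real configuration.

```python
import os
from dataclasses import dataclass


# Constructed toy standing in for OpenSSH's options struct: only the knobs
# needed here, named after the #[options.*]@{0,1} annotations. Not OpenSSH code.
@dataclass(frozen=True)
class Options:
    use_login: int = 0
    x11_forwarding: int = 1


@dataclass
class Session:
    euid: int = 0        # simulated effective uid; 0 means still root


def do_child_simulated(opts, session, user_uid=1000):
    """Constructed toy target. Drops to the user's uid on the normal path but,
    to model the shape of CVE-2000-0525, skips the drop when use_login is on.
    Returns the uid the user's command would run as."""
    if not opts.use_login:
        session.euid = user_uid
    return session.euid


def check_invariants(opts, session):
    """Surveillance function: security invariants that must hold after the
    tested function returns. Returns violation messages (empty list = ok)."""
    violations = []
    if session.euid == 0:
        violations.append(f"still euid 0 after do_child with config {opts}")
    return violations


def confu_wrapper(opts, fuzzed_opts, user_uid=1000):
    """In-vivo wrapper (Step 5): fork; the child runs the test function with the
    fuzzed configuration, the parent runs the original call with the real one.
    Returns (real_result, test_exit_code, test_log). Exit codes: 0 invariants
    held, 1 invariant violated, 2 the tested function crashed."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                               # child: the test process
        os.close(rfd)
        code = 0
        try:
            session = Session()
            do_child_simulated(fuzzed_opts, session, user_uid)   # Step 4 body
            violations = check_invariants(fuzzed_opts, session)
            if violations:
                code = 1
                os.write(wfd, "\n".join(violations).encode())
        except Exception as exc:               # a crash under a config is a finding too
            code = 2
            os.write(wfd, repr(exc).encode())
        finally:
            os.close(wfd)
            os._exit(code)                     # never return into the caller's code
    # parent: the original path continues with the real configuration
    os.close(wfd)
    real_result = do_child_simulated(opts, Session(), user_uid)
    chunks = []
    while True:                                # read the child's log until EOF
        chunk = os.read(rfd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(rfd)
    _, status = os.waitpid(pid, 0)             # reap the test process
    return real_result, os.WEXITSTATUS(status), b"".join(chunks).decode()


def run_tests(opts, fuzzed_configs):
    """One in-vivo test per fuzzed configuration; returns the findings as
    (fuzzed_config, exit_code, log) tuples."""
    findings = []
    for fuzzed in fuzzed_configs:
        _, code, log = confu_wrapper(opts, fuzzed)
        if code != 0:
            findings.append((fuzzed, code, log))
    return findings


if __name__ == "__main__":
    for found in run_tests(Options(), [Options(use_login=0), Options(use_login=1)]):
        print(found)
```

Unlike the slide's wrapper, which lets the test process run on unsupervised, the parent here reaps the child after its own call so that the verdict can be returned and no zombie is left behind; the real call is still made before waiting, so the test runs concurrently with it. Use os._exit() rather than exit() in a forked child: exit() would run the parent's atexit handlers and flush stdio buffers the child inherited.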

Case Studies: Feasibility

Reproduce known vulnerabilities and use ConFu to detect them.

CVE-2000-0525: early versions of OpenSSH do not properly drop privileges when the UseLogin option is enabled, which allows local users to execute arbitrary commands by providing the command to the ssh daemon.

CVE-2009-2958: the tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a TFTP read (aka RRQ) request.

Case Studies: Performance

Target program: OpenSSH 2.1.0
Chosen function: do_child()
Configuration: permit root login, ignore rhosts, ignore user known hosts, strict modes, x11 forwarding … a total of 15 configuration variables.
Environment: Intel Core2Quad Q6600 server at 2.40GHz with 2GB of RAM, running Ubuntu 8.04.3

Case Studies: Performance Results

Overhead of the instrumented do_child() (in seconds) with varying number of tests:

    # of tests   fuzz_config   _do_child   check_invariants   Total avg. additional
                 per test      per test    per test           time per test
    100          0.034         0.0027      0.00001            0.037
    1000         0.042         0.0024                         0.045
    10000        0.038         0.0029                         0.041
    100000                     0.0023                         0.039

(Cells left blank are not given on the slide.)

Limitations and Future Work

Testers' intervention is required to identify the functions to test.
A priori knowledge of the potential exploitation behavior is required.

Conclusion

Our contribution is an approach that checks for software vulnerabilities after the software is released, and a testing framework developed on the basis of this approach.
It is useful in helping developers build more secure software and improve the security of existing software systems.

Configuration Fuzzing for Software Vulnerability Detection Huning Dai dai@cs.columbia.edu

What is a Covering Array?

A 2-way covering array for three variables:

    A  B  C
    0  0  0
    0  1  1
    1  0  1
    1  1  0

Whichever two of the three columns are chosen, all possible pairs of values appear. Specifically, the pairs 00, 01, 10 and 11 all appear in the rows when we look at the columns AB only, AC only and BC only.
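Steps 1 and 2 of ConFu and the covering-array definition above, as an added example (not ConFu's code): parse_annotations reads the #[field]@{values} comments of Step 1, covering_array is a greedy pairwise generator of the kind Step 2's fuzz_config() draws its rows from, and is_pairwise_covering checks the property this slide states. The sample configuration text is constructed here: its first three lines are the slides' own annotations, the fourth (LogLevel) is made up to show a non-binary domain. The generator is a simple seeded greedy heuristic, not ConFu's covering_array().

```python
import re
from itertools import combinations

# Constructed sample in the slides' annotation format. The LogLevel line is
# made up here to exercise a three-valued domain.
SAMPLE_ANNOTATED_CONFIG = """\
X11Forwarding yes  #[options.x11_forwarding]@{0,1}
TCPKeepAlive yes   #[options.tcp_keep_alive]@{0,1}
UseLogin no        #[options.use_login]@{0,1}
LogLevel INFO      #[options.log_level]@{0,1,2}
"""

ANNOTATION = re.compile(r"#\[(?P<field>[\w.]+)\]@\{(?P<values>[^}]*)\}")


def parse_annotations(text):
    """Step 1: collect the fuzzable configuration variables and their value
    domains from the #[field]@{v1,v2,...} annotations.
    Returns an insertion-ordered dict: field -> list of int values."""
    domains = {}
    for m in ANNOTATION.finditer(text):
        values = [int(v) for v in m.group("values").split(",") if v.strip()]
        domains[m.group("field")] = values
    return domains


def _pair(i, vi, j, vj):
    # canonical key for "column i holds vi and column j holds vj"
    return (i, vi, j, vj) if i < j else (j, vj, i, vi)


def covering_array(domains):
    """Step 2's covering_array(): a 2-way (pairwise) covering array built
    greedily. Each row is seeded from a still-uncovered pair, so every row
    covers at least one new pair and the loop always terminates.
    Returns (field names, rows)."""
    names = list(domains)
    n = len(names)
    uncovered = {(a, va, b, vb)
                 for a, b in combinations(range(n), 2)
                 for va in domains[names[a]] for vb in domains[names[b]]}
    rows = []
    while uncovered:
        a, va, b, vb = min(uncovered)          # deterministic seed
        row = [None] * n
        row[a], row[b] = va, vb
        for i in range(n):
            if row[i] is not None:
                continue
            fixed = [j for j in range(n) if row[j] is not None]
            # pick the value covering the most still-uncovered pairs with
            # the columns already fixed in this row (first value wins ties)
            row[i] = max(domains[names[i]],
                         key=lambda v: sum(_pair(j, row[j], i, v) in uncovered
                                           for j in fixed))
        uncovered -= {_pair(i, row[i], j, row[j])
                      for i, j in combinations(range(n), 2)}
        rows.append(tuple(row))
    return names, rows


def is_pairwise_covering(domains, rows):
    """The property the slide states: for every two columns, every combination
    of their values appears in at least one row."""
    names = list(domains)
    for a, b in combinations(range(len(names)), 2):
        seen = {(r[a], r[b]) for r in rows}
        for va in domains[names[a]]:
            for vb in domains[names[b]]:
                if (va, vb) not in seen:
                    return False
    return True


def fuzz_configs(text):
    """Steps 1 + 2 together: annotated config text -> one fuzzed configuration
    (dict field -> value) per covering-array row."""
    domains = parse_annotations(text)
    names, rows = covering_array(domains)
    return [dict(zip(names, row)) for row in rows]


if __name__ == "__main__":
    for cfg in fuzz_configs(SAMPLE_ANNOTATED_CONFIG):
        print(cfg)
```

For three binary variables the generator reproduces the four-row array on the slide, against the eight rows a full factorial would need; for the 15 binary variables of the OpenSSH case study a pairwise array needs only a handful of rows instead of 2^15. The check function is worth keeping next to any generator: a missing row is easy to produce and invisible without it.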