Presented by Mahadevan Vasudevan + Microsoft , *UC-Berkeley

Slides:



Advertisements
Similar presentations
Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.
Advertisements

Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.
Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research)‏ Michael Y. Levin (Microsoft Center for Software Excellence)‏ David Molnar (UC-Berkeley,
Automated Whitebox Fuzz Testing
Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research)‏ Michael Y. Levin (Microsoft Center for Software Excellence)‏ David Molnar (UC-Berkeley,
1 Symbolic Execution Kevin Wallace, CSE
Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
Fuzzing and Patch Analysis: SAGEly Advice. Introduction.
TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.
Richard Johnson |  Introduction  Agenda  The Business of Fuzzing  Fuzzing Technology  Architecting a Framework  Bennu Concept.
Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.
Software testing.
Fuzzing Dan Fleck CS 469: Security Engineering Sources:
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
Pexxxx White Box Test Generation for
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing 2.
DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.
1 Today More on random testing + symbolic constraint solving (“concolic” testing) Using summaries to explore fewer paths (SMART) While preserving level.
1 Loop-Extended Symbolic Execution on Binary Programs Pongsin Poosankam ‡* Prateek Saxena * Stephen McCamant * Dawn Song * ‡ Carnegie Mellon University.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Software Testing Verification and validation planning Software inspections Software Inspection vs. Testing Automated static analysis Cleanroom software.
Automating Software Testing Using Program Analysis -Patrice Godefroid, Peli de Halleux, Aditya V. Nori, Sriram K. Rajamani,Wolfram Schulte, and Nikolai.
Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong Li David Wagner.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
CREST Internal Yunho Kim Provable Software Laboratory CS Dept. KAIST.
DART: Directed Automated Random Testing Koushik Sen University of Illinois Urbana-Champaign Joint work with Patrice Godefroid and Nils Klarlund.
Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.
CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
A Security Review Process for Existing Software Applications
CMSC 345 Fall 2000 Unit Testing. The testing process.
Software testing techniques 3. Software testing
Coverage – “Systematic” Testing Chapter 20. Dividing the input space for failure search Testing requires selecting inputs to try on the program, but how.
Automated Whitebox Fuzz Testing (NDSS 2008) Presented by: Edmund Warner University of Central Florida April 7, 2011 David Molnar UC Berkeley
Automated Whitebox Fuzz Testing Network and Distributed System Security (NDSS) 2008 by Patrice Godefroid, ‏Michael Y. Levin, and ‏David Molnar Present.
Jose Sanchez 1 o Tielei Wang†, TaoWei†, Zhiqiang Lin‡, Wei Zou†. o Purdue University & Peking University o Proceedings of NDSS'09: Network and Distributed.
Fundamental Programming: Fundamental Programming K.Chinnasarn, Ph.D.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 22 Slide 1 Software Verification, Validation and Testing.
TaintScope Presented by: Hector M Lugo-Cordero, MS CAP 6135 April 12, 2011.
Xusheng Xiao North Carolina State University CSC 720 Project Presentation 1.
jFuzz – Java based Whitebox Fuzzing
CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE.
CS451 Lecture 10: Software Testing Yugi Lee STB #555 (816)
Software Quality Assurance and Testing Fazal Rehman Shamil.
CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Random Test Generation of Unit Tests: Randoop Experience
Week 6 MondayTuesdayWednesdayThursdayFriday Testing III Reading due Group meetings Testing IVSection ZFR due ZFR demos Progress report due Readings out.
Symbolic Execution in Software Engineering By Xusheng Xiao Xi Ge Dayoung Lee Towards Partial fulfillment for Course 707.
CIS-NG CASREP Information System Next Generation Shawn Baugh Amy Ramirez Amy Lee Alex Sanin Sam Avanessians.
Testing It is much better to have a plan when testing your programs than it is to just randomly try values in a haphazard fashion. Testing Strategies:
Adaptive Android Kernel Live Patching
Control Flow Testing Handouts
Handouts Software Testing and Quality Assurance Theory and Practice Chapter 4 Control Flow Testing
Chapter 8 – Software Testing
A Security Review Process for Existing Software Applications
MobiSys 2017 Symbolic Execution of Android Framework with Applications to Vulnerability Discovery and Exploit Generation Qiang Zeng joint work with Lannan.
Outline of the Chapter Basic Idea Outline of Control Flow Testing
Moonzoo Kim CS Dept. KAIST
RDE: Replay DEbugging for Diagnosing Production Site Failures
Moonzoo Kim CS Dept. KAIST
Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach Moonzoo Kim.
Project Springfield Fuzz your code before hackers do
COMPI: Concolic Testing for MPI Applications
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.
Automatic Test Generation SymCrete
Software visualization and analysis tool box
VUzzer: Application-aware Evolutionary Fuzzing
CUTE: A Concolic Unit Testing Engine for C
IntScope: Automatically Detecting Integer overflow vulnerability in X86 Binary Using Symbolic Execution Tielei Wang, TaoWei, ZhingiangLin, weiZou Purdue.
FOT: A Versatile, Configurable, Extensible Fuzzing Framework
Presentation transcript:

Presented by Mahadevan Vasudevan + Microsoft , *UC-Berkeley Automated Whitebox Fuzz Testing P. Godefroid+, M. Levin+, and D. Molnar* - Proc. of the NDSS 2008 Presented by Mahadevan Vasudevan + Microsoft , *UC-Berkeley 9/18/2018 CAP 6135

Overview Fuzz Testing Whitebox fuzzing Dynamic Test Generation Generational Search SAGE - Architecture Contributions Summary Positives Limitations Improvements References 9/18/2018 CAP 6135

Fuzz Testing Randomly mutate well-formed input blackbox random testing Test program (software) – large applications Quick & Cost-effective Limitation Low code coverage (e.g. “if (x==10) then”, has only 232 chance of being executed if x is a random 32-bit input value) 9/18/2018 CAP 6135

Whitebox Fuzzing Systematic dynamic test generation (DTG) Combine fuzz testing and DTG Start with a fixed input Symbolically execute the program Gather input constraints from conditional statements Create new inputs using the constraints 9/18/2018 CAP 6135

Whitebox Fuzzing Why? Full program path coverage Symbolic Execution (e.g. If input is x = 0, then the constraint x ≠ 10, so new input (negation) x = 10 – Path tested) Automatic – discover & test corner cases 9/18/2018 CAP 6135

Dynamic Test Generation void top(char input[4]) { int cnt = 0; if (input[0] == ‘b’) cnt++; if (input[1] == ‘a’) cnt++; if (input[2] == ‘d’) cnt++; if (input[3] == ‘!’) cnt++; if (cnt >= 3) crash(); } input = “good” 9/18/2018 CAP 6135 6

Dynamic Test Generation void top(char input[4]) { int cnt = 0; if (input[0] == ‘b’) cnt++; if (input[1] == ‘a’) cnt++; if (input[2] == ‘d’) cnt++; if (input[3] == ‘!’) cnt++; if (cnt >= 3) crash(); } input = “good” I0 != ‘b’ I1 != ‘a’ I2 != ‘d’ I3 != ‘!’ Collect constraints from trace Create new constraints Solve new constraints  new input. 9/18/2018 CAP 6135 7

Depth-First Search good void top(char input[4]) { int cnt = 0; if (input[0] == ‘b’) cnt++; if (input[1] == ‘a’) cnt++; if (input[2] == ‘d’) cnt++; if (input[3] == ‘!’) cnt++; if (cnt >= 3) crash(); } I0 != ‘b’ I1 != ‘a’ I2 != ‘d’ I3 != ‘!’ good 9/18/2018 CAP 6135

Depth-First Search good goo! void top(char input[4]) { int cnt = 0; if (input[0] == ‘b’) cnt++; if (input[1] == ‘a’) cnt++; if (input[2] == ‘d’) cnt++; if (input[3] == ‘!’) cnt++; if (cnt >= 3) crash(); } I0 != ‘b’ I1 != ‘a’ I2 != ‘d’ I3 == ‘!’ good goo! 9/18/2018 CAP 6135

Depth-First Search good godd void top(char input[4]) { int cnt = 0; if (input[0] == ‘b’) cnt++; if (input[1] == ‘a’) cnt++; if (input[2] == ‘d’) cnt++; if (input[3] == ‘!’) cnt++; if (cnt >= 3) crash(); } I0 != ‘b’ I1 != ‘a’ I2 == ‘d’ I3 != ‘!’ good godd 9/18/2018 CAP 6135

Key Idea: One Trace, Many Tests Office 2007 application: Time to gather constraints: 25m30s Tainted branches/trace: ~1000 Time per branch to solve, generate new test, check for crashes: ~1s Therefore, solve+check all branches for each trace! 9/18/2018 CAP 6135

Whitebox Fuzzing Limitations of DTG Path Explosion Does not scale Use of function summaries (still not feasible) Imperfect Symbolic Execution Calls to OS and library functions Divergence 9/18/2018 CAP 6135

Generational Search bood gaod godd good goo! “Generation 1” test cases void top(char input[4]) { int cnt = 0; if (input[0] == ‘b’) cnt++; if (input[1] == ‘a’) cnt++; if (input[2] == ‘d’) cnt++; if (input[3] == ‘!’) cnt++; if (cnt >= 3) crash(); } gaod I0 == ‘b’ godd I1 == ‘a’ I2 == ‘d’ I3 == ‘!’ good goo! “Generation 1” test cases 9/18/2018 CAP 6135

Generational Search 9/18/2018 CAP 6135

Generational Search 9/18/2018 CAP 6135

Generational Search 9/18/2018 CAP 6135

Key Features Systematically explore state spaces of large applications Maximize the number of new tests Heuristics to maximize code coverage Best-First Search of EXE Picks the best from WorkList Resilient to divergences 9/18/2018 CAP 6135

SAGE Scalable Automated Guided Execution File-reading programs (Windows) Constraint Generation Trace-based Offline x86 binary level – symbolic execution 9/18/2018 CAP 6135

Constraint Generation Constraints are relations over symbolic variables Example Symbolic tags input[0] … input[4] Variable x corresponding to input[4] Constraint x < 10 9/18/2018 CAP 6135

Constraints (Disolver) SAGE Architecture Input0 Trace File Constraints TESTER Check for Crashes (AppVerifier)‏ TRACER Trace Program (Nirvana)‏ COVERAGE COLLECTOR Gather Constraints (Truscan)‏ SYMBOLIC EXECUTOR Solve Constraints (Disolver) Input1 Input2 … InputN 9/18/2018 CAP 6135

SAGE Constraint Generation Why Trace-based? Multitude of source languages Compilation and post processing tools Unavailability of source Why Offline? OS dependent binary component Non determinism in large targets 9/18/2018 CAP 6135

Example System call to read 10 byte file into memory Memory range 1000 – 1009 9/18/2018 CAP 6135

Important Result Detects critical MS07-017 ANI vulnerability MS SDL Policy Weblog fails to uncover the bug Root cause: Failure to validate a size parameter – anih record Requires a test case with atleast 2 records 9/18/2018 CAP 6135

ANI Parsing - MS07-017 RIFF...ACONLIST B...INFOINAM.... 3D Blue Alternat e v1.1..IART.... ................ 1996..anih$...$. ..rate.......... ..........seq .. ..LIST....framic on......... .. RIFF...ACONB B...INFOINAM.... 3D Blue Alternat e v1.1..IART.... ................ 1996..anih$...$. ..rate.......... ..........seq .. ..anih....framic on......... .. Initial input Crashing test case

ANI Parsing - MS07-017 RIFF...ACONLIST B...INFOINAM.... 3D Blue Alternat e v1.1..IART.... ................ 1996..anih$...$. ..rate.......... ..........seq .. ..LIST....framic on......... .. RIFF...ACONB B...INFOINAM.... 3D Blue Alternat e v1.1..IART.... ................ 1996..anih$...$. ..rate.......... ..........seq .. ..anih....framic on......... .. Only 1 in 232 chance at random! Initial input Crashing test case

Results ANI – ANI Parser for ANI format animated cursors Media <#> - Media file parsers OfficeApp – Office 2007 Application 9/18/2018 CAP 6135

Results & Observations Symbolic Execution is slow Divergences are common Different files find different bugs Bugs found are shallow Effect of block coverage heuristic 9/18/2018 CAP 6135

Positives Information about Tools (e.g. Disolver, TruScan, Nirvana, etc.) No specific knowledge about the input format Automated Full program coverage Extension to network-facing applications 9/18/2018 CAP 6135

Limitations Well-formed inputs SAGE - symbolic pointer dereferencing SAGE – Online?? Symbolic executor and constraint solver Cost α Program Defect triage problem Remedy but no avoidance 9/18/2018 CAP 6135

Suggestions Design limited to Windows based SAGE Generalized to Linux based applications 9/18/2018 CAP 6135

References P Godefroid, MY Levin, D Molnar, Automated Whitebox Fuzz Testing, NDSS, 2008. www.truststc.org/pubs/366/15%20-%20Molnar.ppt http://channel9.msdn.com/posts/Peli/Automated-Whitebox-Fuzz-Testing-with-SAGE/ 9/18/2018 CAP 6135

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.