VUzzer: Application-Aware Evolutionary Fuzzing
Slide 1: VUzzer: Application-Aware Evolutionary Fuzzing
Sanjay Rawat, Vivek Jain, Ashish Kumar, Lucian Cojocar, Cristiano Giuffrida, Herbert Bos (Presenter: Dennis Andriesse)
Vrije Universiteit Amsterdam / IIIT Hyderabad
NDSS 2017
Slide 2: Introduction
- Fuzzing is a powerful testing technique: generate/transform inputs to trigger bugs
- Fuzzers like AFL are very successful in finding (low-hanging) bugs
- Deep bugs are harder!

```c
read(fd, buf, size);
if (buf[5] == 0xD8 && buf[4] == 0xFF)   // notice the order of CMPs
    ... some useful code ...
else
    EXIT_ERROR("Invalid file\n")
```

- AFL spends hours trying to enter the if branch: it must guess which offsets to mutate, and it must guess the exact sequence 0xFFD8
(VUzzer: Application-Aware Evolutionary Fuzzing, 1 of 11)
Slide 3: Introduction

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The slide does not define its error macros; minimal definitions so the
   example compiles. */
#define EXIT_ERROR(msg) do { fprintf(stderr, "%s", msg); exit(1); } while (0)
#define ERROR(msg)      fprintf(stderr, "%s\n", msg)

int main(int argc, char **argv) {
    unsigned char buf[1000];
    struct stat s;                              /* omitted on the slide */
    int fd, size;
    if (argc < 2 || (fd = open(argv[1], O_RDONLY)) == -1)
        exit(0);
    fstat(fd, &s);
    size = s.st_size;
    if (size > 1000)
        return 1;
    read(fd, buf, size);
    if (buf[1] == 0xEF && buf[0] == 0xFD)       /* notice the order of CMPs */
        printf("magic bytes matched!\n");
    else
        EXIT_ERROR("Invalid file\n");
    /* the byte compared against buf[11] is illegible in the transcription;
       '@' is assumed here */
    if (buf[10] == '%' && buf[11] == '@') {
        printf("2nd stop: on the way...\n");
        if (strncmp((char *)&buf[15], "MAZE", 4) == 0) {   /* nested IF */
            /* ... some bug here ... */
        } else {
            printf("you just missed me...\n");
            /* ... some other task ... */
            close(fd); return 0;
        }
    } else {
        ERROR("Invalid bytes");
        /* ... some other task ... */
        close(fd); return 0;
    }
    close(fd); return 0;
}
```

- Finding deeply nested bugs is infeasible with current approaches
Slide 4: Overview
- We introduce VUzzer, a mutation-based graybox fuzzer
- Key idea: find out where to mutate, and what to insert
- Evolutionary fuzzing: mutate/select the most promising paths
- Magic byte detection: find magic bytes in inputs (JPG, ELF, PE, BMP, ...) to delve deeper into bug-prone code like parsers
- Limited input type detection: detect that parts of the input are integers, to aid mutation
- Find deeply nested bugs without wasting time on boring paths
- Limit usage of non-scalable techniques (DTA, symbex)
Slide 5: The VUzzer Approach
[Figure: the evolutionary fuzzing loop. Static analysis of the application binary yields BB weights and CMP immediates; BB monitoring and DTA yield executed BBs, error BBs, magic bytes and LEA offsets (interesting offsets detection); the fitness function ranks the fitness list; crossover and mutation produce new test cases.]
1. Lightweight intraprocedural static analysis to find magic immediates and calculate BB weights (for path prioritization)
- Instrument cmp to detect comparisons against magic bytes
- Instrument lea to find input bytes used as index
- Model the CFG as a Markov model to compute the probability of reaching each BB
- Unlikely BBs get a higher weight
Slide 6: The VUzzer Approach
2. Run the application with seed inputs to infer initial control-/data-flow features
- Taint analysis is used to find magic bytes and integer fields in the input
- Use this knowledge for mutating the input in later steps
- Detect suspected error-handling BBs: covered by totally random inputs, but not by known valid inputs
- Given a negative weight (avoid dead ends)
Slide 7: The VUzzer Approach
3. Main evolutionary loop:
- 1. Recombine/mutate inputs to form new inputs
- 2. Run the application with the new inputs
- 3. New BBs seen? Use DTA to infer more structural properties
- 4. Calculate the fitness of inputs based on the likelihood of the paths covered
- 5. Select the fittest inputs for the next iteration
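The three steps above (BB weights from a Markov model over the CFG, error-BB detection from random vs. valid seeds, and the DTA-driven loop of crossover, mutation and selection), as one runnable toy written for this page rather than taken from the VUzzer project. The slide-3 program is re-expressed as a Python function whose byte comparisons are recorded as (offset, immediate) pairs in place of Pin-instrumented cmp instructions; the CFG, block names, the '@' comparand for buf[11], the population size and the budget are all constructed assumptions, and a blind single-byte mutator is run with the same budget for contrast.

```python
"""Toy VUzzer-style evolutionary loop (added example, not VUzzer's own code).
The target re-expresses the slide-3 program in Python and records every
byte comparison as an (offset, immediate) pair, standing in for what
VUzzer's taint analysis recovers from instrumented cmp instructions."""
import math
import random

# Static CFG of the slide-3 program, block -> successors (constructed).
CFG = {"entry": ["magic_ok", "err_magic"], "magic_ok": ["stop2", "err_bytes"],
       "stop2": ["bug", "missed"],
       "err_magic": [], "err_bytes": [], "bug": [], "missed": []}
SEED = bytes([0xFD, 0xEF]) + bytes(30)   # a valid input: magic bytes, rest zero

def target(buf):
    """Returns (executed basic blocks, recorded (offset, immediate) cmps)."""
    bbs, cmps = ["entry"], []

    def cmp_byte(off, imm):              # one instrumented 'cmp byte, imm'
        cmps.append((off, imm))
        return off < len(buf) and buf[off] == imm

    if cmp_byte(1, 0xEF) and cmp_byte(0, 0xFD):   # 0xEF is compared first
        bbs.append("magic_ok")
    else:
        bbs.append("err_magic")          # EXIT_ERROR("Invalid file")
        return bbs, cmps
    if cmp_byte(10, ord("%")) and cmp_byte(11, ord("@")):   # '@' assumed
        bbs.append("stop2")
        # strncmp(&buf[15], "MAZE", 4): byte-wise compare, stops at mismatch
        if all(cmp_byte(15 + i, c) for i, c in enumerate(b"MAZE")):
            bbs.append("bug")            # "some bug here"
        else:
            bbs.append("missed")
    else:
        bbs.append("err_bytes")          # ERROR("Invalid bytes")
    return bbs, cmps

def bb_weights(cfg, error_bbs):
    """Markov model: each branch equally likely; weight = -log2(reach prob),
    so unlikely (deep) blocks score higher; error-handling blocks score -1."""
    prob = {b: 0.0 for b in cfg}
    prob["entry"] = 1.0
    for b in cfg:                        # dict order is topological here
        for s in cfg[b]:
            prob[s] += prob[b] / len(cfg[b])
    return {b: (-1.0 if b in error_bbs else -math.log2(p))
            for b, p in prob.items()}

def detect_error_bbs(valid_seeds, rng, n_random=50, size=32):
    """Blocks covered by totally random inputs but by no known valid input."""
    valid_cov = {b for s in valid_seeds for b in target(s)[0]}
    random_cov = set()
    for _ in range(n_random):
        random_cov.update(target(bytes(rng.randrange(256) for _ in range(size)))[0])
    return random_cov - valid_cov

def mutate(buf, magic, rng):
    """Application-aware mutation: write each recovered (offset, immediate)
    pair in place with probability 1/2; otherwise flip one random byte."""
    out = bytearray(buf)
    if magic and rng.random() < 0.7:
        for off, imm in sorted(magic):
            if off < len(out) and rng.random() < 0.5:
                out[off] = imm
    else:
        out[rng.randrange(len(out))] = rng.randrange(256)
    return bytes(out)

def fuzz(seeds, use_dta=True, pop_size=20, max_execs=5000, seed=1):
    """Main loop: recombine/mutate, run, learn cmps via DTA, score by BB
    weights, keep the fittest.  Stops when the 'bug' block executes."""
    rng = random.Random(seed)
    error_bbs = detect_error_bbs(seeds, rng)
    weights = bb_weights(CFG, error_bbs)
    magic, population, execs, found = set(), list(seeds), 0, False
    while execs < max_execs and not found:
        scored = []
        for inp in population:
            bbs, cmps = target(inp)
            execs += 1
            if use_dta:
                magic.update(cmps)       # new BBs seen -> new cmps -> more magic
            found = found or "bug" in bbs
            scored.append((sum(weights[b] for b in bbs), rng.random(), inp))
        scored.sort(key=lambda t: (t[0], t[1]), reverse=True)  # random tie-break
        parents = [t[2] for t in scored[:max(2, pop_size // 4)]]
        population = parents[:]
        while len(population) < pop_size:
            a, b = rng.choice(parents), rng.choice(parents)
            cut = rng.randrange(1, len(a))                      # crossover
            population.append(mutate(a[:cut] + b[cut:], magic, rng))
    return {"found": found, "execs": execs, "error_bbs": error_bbs, "magic": magic}
```

With DTA the loop learns (10, '%') from the first valid run, (11, '@') only once an input has the '%' in place, then the MAZE bytes one at a time, which is the "new BBs seen, infer more structure" step; the blind run never leaves the err_bytes block within the same budget.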
Slide 8: Evaluation
[Chart: relative number of inputs executed (%), VUzzer vs. AFLPIN]
- Compared VUzzer against AFL on the DARPA CGC dataset
- VUzzer requires far fewer inputs than AFL to find bugs
Slide 9: Evaluation
[Table: LAVA-M dataset: performance of VUzzer compared to prior approaches. Columns: Program, Total bugs, FUZZER, SES, VUzzer (unique bugs, total inputs). Programs: uniq (27K), base (14K), md5sum, who (5.8K); the remaining cell values are not recoverable from the transcription.]
- LAVA-M dataset: VUzzer finds more bugs than existing coverage-based (FUZZER) and symbex/SAT-based (SES) approaches
Slide 10: Evaluation
Table: VA dataset: performance of VUzzer vs. AFL (n/r = not recoverable from the transcription; K = thousands, M = millions of inputs)

Application        | VUzzer #Unique crashes | VUzzer #Inputs | AFL #Unique crashes | AFL #Inputs
mpg                | n/r                    | n/r K          | n/r                 | n/r K
gif2png+libpng     | n/r                    | n/r K          | n/r                 | n/r M
pdf2svg+libpoppler | 13                     | 5K             | 0                   | 923K
tcpdump+libpcap    | n/r                    | n/r K          | n/r                 | n/r M
tcptrace+libpcap   | n/r                    | n/r K          | n/r                 | n/r M
djpeg+libjpeg      | 1                      | 90K            | n/r                 | n/r M

- Found more bugs with fewer inputs compared to AFL on the VA dataset (various applications)
Slide 11: Evaluation
[Charts: number of crashes vs. time (hours) for mpg, gif2png and tcptrace, VUzzer vs. AFL; marked: time taken by VUzzer to find all crashes found by AFL]
- Crashes found faster, with more consistent forward progress
Slide 12: Conclusion
- Designed a novel fuzzing approach based on an evolutionary approach
- Effective DTA-based heuristics for identifying magic bytes and input structure
- More effective mutation of inputs
- BB prioritization to avoid dead ends
- Finds more bugs with orders of magnitude fewer inputs than existing approaches
- VUzzer released open source