Coverage-guided Fuzzing of Individual Functions Without Source Code
Alessandro Di Federico, Politecnico di Milano
October 25,

Index
- Coverage-guided fuzzing
- An overview of rev.ng
- Experimental results

Fuzzing
1. Generate a lot of different inputs
2. Feed them to a program
3. Wait for it to reach an invalid state
4. Collect a report for the analyst

Features
Pros: easy to set up; it can find subtle bugs
Cons: it might require a large amount of resources; semi-decidable
A huge leap forward: coverage-guided fuzzing
Privilege inputs that lead to covering new code paths.

Example program:

    int main() {
        if (A && B) {
            crash();
        } else {
            all_good();
        }
    }

The control-flow graph: the slide draws the two decision nodes A and B, with crash() reachable only through both of them and all_good() otherwise.

Four runs are then traced through the graph, each with one assignment of A and B (the values are shown on the slides):
- First run
- Second run: this input is not interesting!
- Third run: this input is interesting! It led us to discover a new basic block
- Fourth run
american fuzzy lop
- It made coverage-guided fuzzing popular
- Developed by lcamtuf
- Performs instrumentation to detect executed basic blocks
- Two key modes of operation: source mode and binary mode

Source mode
Instrumentation is performed at compiler level:

    int main() {
        record(1);
        if (A && B) {
            record(2);
            crash();
        } else {
            record(3);
            all_good();
        }
        record(4);
    }
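To make the "interesting input" rule of the four runs above and the record(1..4) instrumentation concrete, here is a toy coverage-guided fuzzer written for this page (not code from the talk or from rev.ng). It assumes that condition A means "first input byte is 'A'" and B means "second input byte is 'B'", and it gives the evaluation of B its own basic block, as node B in the CFG slide is reached only when A holds.

```python
"""Toy coverage-guided fuzzer for the slides' `if (A && B)` target.

Constructed for this write-up; not code from the talk or from rev.ng.
Assumption: condition A is "first byte is 'A'", condition B is "second
byte is 'B'", so the target can be driven from a byte buffer.
"""
import random

# Basic-block ids, mirroring the record(1..4) calls of the source-mode slide.
# Block 5 is the node that evaluates B in the CFG slide: it is only reached
# when A holds, which is what makes an "A-only" input interesting.
ENTRY, CRASH_BLOCK, ALL_GOOD, EXIT, CHECK_B = 1, 2, 3, 4, 5


def target(data: bytes, trace: list) -> bool:
    """Instrumented target. Appends executed block ids to `trace` and
    returns True if crash() would have been reached."""
    trace.append(ENTRY)                          # record(1)
    a = len(data) > 0 and data[0] == ord("A")
    if a:
        trace.append(CHECK_B)                    # node B: evaluate the second condition
        b = len(data) > 1 and data[1] == ord("B")
        if b:
            trace.append(CRASH_BLOCK)            # record(2); crash()
            return True                          # crash aborts, record(4) never runs
    trace.append(ALL_GOOD)                       # record(3); all_good()
    trace.append(EXIT)                           # record(4)
    return False


class CoverageGuidedFuzzer:
    """Keeps a corpus of inputs that each discovered at least one new basic block."""

    def __init__(self, seed_input: bytes = b"\x00\x00", rng_seed: int = 1):
        self.rng = random.Random(rng_seed)
        self.seen_blocks: set = set()
        self.corpus: list = []
        self.log: list = []          # (input, interesting, crashed) for every execution
        self.execs = 0
        self.run(seed_input)         # the seed always discovers something

    def run(self, data: bytes):
        trace: list = []
        crashed = target(data, trace)
        self.execs += 1
        new_blocks = set(trace) - self.seen_blocks
        interesting = bool(new_blocks)   # the slides' test: did we reach a new basic block?
        if interesting:
            self.seen_blocks |= new_blocks
            self.corpus.append(data)     # privilege this input: it becomes a mutation parent
        self.log.append((data, interesting, crashed))
        return interesting, crashed

    def mutate(self, parent: bytes) -> bytes:
        """Minimal mutator: overwrite one byte with a random value."""
        data = bytearray(parent)
        data[self.rng.randrange(len(data))] = self.rng.randrange(256)
        return bytes(data)

    def fuzz(self, max_execs: int = 100_000):
        """Return the first crashing input, or None if the budget runs out."""
        while self.execs < max_execs:
            parent = self.rng.choice(self.corpus)
            _, crashed = self.run(self.mutate(parent))
            if crashed:
                return self.log[-1][0]
        return None


if __name__ == "__main__":
    fuzzer = CoverageGuidedFuzzer()
    crash = fuzzer.fuzz()
    print("crash input:", crash, "after", fuzzer.execs, "executions")
    print("corpus (interesting inputs, in discovery order):", fuzzer.corpus)
```

Only three inputs ever enter the corpus: the seed, the first input that sets A (it reaches node B, a new block, even though it does not crash), and the crashing input derived from it; every other mutation is discarded as "not interesting".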
Binary mode
An emulator is employed to detect executed basic blocks. QEMU is the chosen emulator; it incurs a significant slowdown.

libfuzzer
- Alternative to afl
- It requires the source code to be available
- Based on LLVM

What's LLVM?
LLVM is a compiler framework, famous for its C/C++ frontend (clang) and its intermediate representation (the LLVM IR).

libfuzzer can be a lot faster: it doesn't fork

    int main() {
        while (true) {
            char *new_input = random_input();
            target(new_input);
        }
    }
Index: An overview of rev.ng

What is rev.ng?
rev.ng is a unified framework for binary analysis based on QEMU and LLVM. Everything you'll see here is architecture-agnostic.

How does QEMU work?
QEMU is a dynamic binary translator. Its frontends lift guest code (AArch64, ARM, Alpha, CRIS, Unicore, SPARC, SPARC64, SuperH, SystemZ, PowerPC, PowerPC64, XCore, MIPS, MIPS64, OpenRISC, MicroBlaze, x86-64, x86, RISC-V) into the QEMU IR; its backends emit host code (AArch64, ARM, x86, x86-64, MIPS, PowerPC, SystemZ, SPARC) or fall back to the TCI interpreter.
The frontend is a lifter.

QEMU translates at run-time; rev.ng translates offline.

rev.ng: a static binary translator
md5sum.arm -> Collect entry points -> Lift to QEMU IR -> Collect new entry points -> Translate to LLVM IR -> Link runtime functions -> md5sum.x

rev.ng reuses all the QEMU frontends (RISC-V, AArch64, ARM, Alpha, CRIS, Unicore, SPARC64, Hexagon, SPARC, x86, SuperH, x86-64, SystemZ, MicroBlaze, PowerPC, OpenRISC, MIPS64, MIPS, XCore, PowerPC64) and, in place of the QEMU backends, emits LLVM IR.

We produce LLVM IR, so we can employ libfuzzer directly.

Steps
1. Lift the program to LLVM IR
2. Identify all the functions
3. Identify a function to fuzz (MANUAL)
4. Create the fuzzing function (MANUAL)
5. Compile the fuzzing function
6. Instrument using libfuzzer
7. Launch the fuzzer
Index: Experimental results

We are significantly faster than QEMU
1. The LLVM optimizer has a wider view on the code
2. The translation is performed offline

[Chart: runtime in seconds for Native, QEMU and rev.ng on the SPEC CPU2006 benchmarks 458.sjeng, 464.h264ref, 400.perlbench, 471.omnetpp, 462.libquantum, 473.astar, bzip2, 483.xalancbmk, 429.mcf, 403.gcc, 445.gobmk and 456.hmmer]

On average, 68% faster than QEMU
A practical case study
We want to fuzz the PCRE library: not directly, but embedded in another program (less).

Steps (again)
1. Lift the program to LLVM IR
2. Identify all the functions
3. Identify a function to fuzz
4. Create the fuzzing function
5. Compile the fuzzing function
6. Instrument using libfuzzer
7. Launch the fuzzer

Fuzzing function (the slide shows a simplified version; the real PCRE signatures are used here, and the raw fuzzer bytes are copied into a NUL-terminated pattern because pcre_compile expects a C string)

    #include <pcre.h>
    #include <stdint.h>
    #include <stdlib.h>
    #include <string.h>
    int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        char input_string[] = "Test string!";
        const char *error; int erroffset, ovector[30];
        char *pattern = malloc(size + 1);        /* pcre_compile needs a NUL-terminated pattern */
        if (!pattern) return 0;
        memcpy(pattern, data, size); pattern[size] = '\0';
        pcre *compiled_re = pcre_compile(pattern, 0, &error, &erroffset, NULL);
        if (compiled_re) {                       /* invalid patterns are simply rejected */
            pcre_exec(compiled_re, NULL, input_string, (int)strlen(input_string), 0, 0, ovector, 30);
            pcre_free(compiled_re);
        }
        free(pattern); return 0;
    }

We were able to find a known vulnerability in PCRE.
Comparing with afl
Are we faster than afl? The afl run worked directly on PCRE (without less) and used black-box mode.

[Chart: performance of afl vs rev.ng, executions per second and total executions after 1, 10 and 60 minutes]

Summary
- We do not require the source code
- We can fuzz any entry point
- We are significantly faster than existing techniques

Future work
- Improve performance
- Perform symbolic execution (through KLEE)

Backup slides
Very effective!

License
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License. To view a copy of this license, visit or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.