Fuzzing techniques & software vulnerabilities
|
|
- Arthur Stokes
- 6 years ago
- Views:
Transcription
1 Xavier Claude Mathieu Fourcroy William Robinet Conostix S.A. 17th October 2016
2 Agenda
3 Definition Definition Origins Context Why fuzzing? Fuzzing techniques Definition Automated testing technique which provide unexpected data as input for computer program to detect unanticipated behaviour.
4 Source of fuzzing Definition Origins Context Why fuzzing? Fuzzing techniques Fuzzing is inspired by casual users who: Enter dates where money amount is expected Enter digits where names belong... This often result in segfaults, stack overflows... A fuzzing test crafts such invalid inputs in order to raise exceptions
5 Input validation Definition Origins Context Why fuzzing? Fuzzing techniques $ change_password enter new passord (max 7):
6 Input validation Definition Origins Context Why fuzzing? Fuzzing techniques #i n c l u de <s t d i o. h> #i n c l u de < s t d l i b. h> i n t main ( i n t arg, char argv [ ] ) { char new pwd [ 8 ] ; char c u r u s e r = getenv ( USER ) ; p r i n t f ( Enter new p a s s f o r %s (max 7 ) :, \ c u r u s e r ) ; s c a n f ( %s, new pwd ) ; } p r i n t f ( New password f o r u s e r %s : %s \n,\ c u r u s e r, new pwd ) ;
7 Input validation Definition Origins Context Why fuzzing? Fuzzing techniques $./a.out Enter new password for xavier (min: 5 char, max 7):12345 New password for user xavier: 12345
8 Input validation Definition Origins Context Why fuzzing? Fuzzing techniques $./a.out Enter new password for xavier (min: 5 char, max 7): New password for user rminal-emulator/ yavin_time :
9 Fuzzing benefits Definition Origins Context Why fuzzing? Fuzzing techniques Every programs contain bugs, we just don t know them yet Provide results with little effort Reveal bugs that were missed in manual audit or static analysis
10 Fuzzing limitations Definition Origins Context Why fuzzing? Fuzzing techniques Do not detect all bugs Need deeper code investigation to analyse crashing test cases Not so easy with programs requiring complex inputs
11 Fuzzing techniques Definition Origins Context Why fuzzing? Fuzzing techniques Manual Fully random Guided fuzzing
12 Manual Definition Origins Context Why fuzzing? Fuzzing techniques
13 Fully random Definition Origins Context Why fuzzing? Fuzzing techniques $ bc < /dev/urandom
14 Guided fuzzing Definition Origins Context Why fuzzing? Fuzzing techniques Analyze program behaviour to adapt fuzzing
15 What is zzuf What is zzuf Easy-to-use fuzzing software Ability to reproduce behaviour Can fuzz everything
16 What is zzuf What is zzuf input appli zzuf input appli generates test cases records test cases in order to reproduce them injects test cases intercepts file reading functions checks STDOUT and exit values detects crashes output output
17 What is zzuf Input generation Original file $ cat zzuf_demo_txt ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz Hello world!! 3% randomness $ zzuf -r0.03 cat zzuf_demo_txt ABADEFGHIJKLMVOPURSTUVUXYZ ab#d%fghihklmnopqrstuvwpyz :9 Hello world!! 20% randomness $ zzuf -r0.2 cat zzuf_demo_txt ARGEEFWHIRYHMNLPQSSTUVWXQz s(cdufghijid/nnp0n3le4wxy: 01R74=. x) *}dlo gozdf!!
18 American fuzzy lop
19 Description Focus on performance
20 Description Focus on performance Bruteforce with instrumentation guided genetic algorithm and edge coverage
21 Description Focus on performance Bruteforce with instrumentation guided genetic algorithm and edge coverage Try to minimize result
22 Instrumenting with source Use a GCC/Clang wrapper
23 Instrumenting with source Use a GCC/Clang wrapper Add a random identifier for each branch
24 Instrumenting with source Use a GCC/Clang wrapper Add a random identifier for each branch Compiler options to detect bad behaviour
25 Instrumenting with source Use a GCC/Clang wrapper Add a random identifier for each branch Compiler options to detect bad behaviour $ CC=/path/to/afl/afl-gcc./configure $ make clean all
26 Instrumenting blackbox Use a modified version of Qemu
27 Instrumenting blackbox Use a modified version of Qemu Slower than the source instrumentation
28 Instrumenting blackbox Use a modified version of Qemu Slower than the source instrumentation Doesn t require source
29 Record each branch jump with a random id cur_location = <COMPILE_TIME_RANDOM>; shared_mem[cur_location ^ prev_location]++; prev_location = cur_location >> 1;
30 Record each branch jump with a random id cur_location = <COMPILE_TIME_RANDOM>; shared_mem[cur_location ^ prev_location]++; prev_location = cur_location >> 1; This works well on standard program (< 10k branch)
31 Record each branch jump with a random id cur_location = <COMPILE_TIME_RANDOM>; shared_mem[cur_location ^ prev_location]++; prev_location = cur_location >> 1; This works well on standard program (< 10k branch) This allows a fast lookup (limit perf impact during fuzzing)
32 Path discovery start select1 step1 select2 step2 finish
33 Path discovery start Paths: 1 select1 yes step1 select2 step2 finish
34 Path discovery start Paths: 2 select1 no yes step1 select2 step2 finish
35 Path discovery start Paths: 3 select1 no select2 yes yes step1 step2 finish
36 Address sanitizer Compiler extension to find invalid memory management
37 Address sanitizer Compiler extension to find invalid memory management Lot of memory consumption (20TB)
38 Example #i n c l u d e <s t d i o. h> #i n c l u d e <s t d l i b. h> i n t main ( v o i d ) { FILE fp ; char b u f f [ 1 6 ] ; f p = f o p e n ( /tmp/ t e s t. t x t, r ) ; f s c a n f ( fp, %s, b u f f ) ; f c l o s e ( f p ) ; i f ( b u f f [ 0 ] == 0 x66 ) i f ( b u f f [ 1 ] == 0 x 6 f ) i f ( b u f f [ 2 ] == 0 x 6 f ) { p r i n t f ( Password a c c e p t e d \n ) ; a b o r t ( ) ; } i f ( b u f f [ 0 ] == 0 x00 ) p r i n t f ( Password empty\n ) ; } r e t u r n 0 ;
39 Compilation $./afl-gcc -o tests/test ~/projects/centr-conf/src/testafl.c afl-cc 2.35b by afl-as 2.35b by [+] Instrumented 7 locations (64-bit, non-hardened mode, ratio 100%
40 Compilation $./afl-gcc -o tests/test ~/projects/centr-conf/src/testafl.c afl-cc 2.35b by afl-as 2.35b by [+] Instrumented 7 locations (64-bit, non-hardened mode, ratio 100% Creating test file: $ echo a > in_test/in
41 Running $./afl-fuzz -i in_test/ -o out_test/ -f /tmp/test.txt --./tests/test
42 CVE CVE Info-ZIP UnZip - Out-of-bounds Write CVE Ghostscript - Integer overflow CVE : bdfreadproperties: property count needs range check CVE : bdfreadcharacters: bailout if a char s bitmap cannot be read CVE : bdfreadcharacters: ensure metrics fit into xcharinfo struct CVE , CVE unzoo - Buffer overflow & Infinite loop
43 CVE libtiff: Divide By Zero in the tiffdither tool CVE libtiff: Out-of-bounds Read in the thumbnail tool CVE libtiff: Out-of-bounds Read in the tiff2bw tool CVE libtiff: Out-of-bounds Read in the tiff2rgba tool CVE libtiff: Out-of-bounds Read & Write in the tiff2pdf tool
44 CVE libtiff: Out-of-bounds Read & Write in the tiff2pdf tool CVE libtiff: Out-of-bounds Write in the thumbnail tool CVE libtiff: Out-of-bounds Write in the tiffdither tool CVE libtiff: Out-of-bounds Write in the tiffdither tool CVE libtiff: Out-of-bounds Write in the tiffdither tool CVE libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools CVE libtiff: Out-of-bounds Write in the tiff2pdf tool CVE libtiff: Out-of-bounds Read in the tiff2ps and tiffdither tools CVE libtiff: Out-of-bounds Read in the tiffmedian tool CVE libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools CVE libtiff: Out-of-bounds Read in the tiffset tool CVE libtiff: Out-of-bounds Writes in the tiffdither tool
45 Upstream Submitting security flaw Helping fuzzer Some developpers welcome any bug report
46 Upstream Submitting security flaw Helping fuzzer Some developpers welcome any bug report Others doesn t like when the program is not used as intended
47 Upstream Submitting security flaw Helping fuzzer Some developpers welcome any bug report Others doesn t like when the program is not used as intended Most doesn t answer at all
48 Helping fuzzer Submitting security flaw Helping fuzzer Allow entry points everywhere in the software
49 Helping fuzzer Submitting security flaw Helping fuzzer Allow entry points everywhere in the software Allow input file/stdin for every file
50 Submitting security flaw Helping fuzzer Thank you for listening! Useful links: : The Fuzzing Project:
Writing a fuzzer. for any language with american fuzzy lop. Ariel Twistlock Labs
Writing a fuzzer for any language with american fuzzy lop Ariel Zelivansky @ Twistlock Labs What is fuzzing? Technique for testing software by providing it with random, unexpected or invalid input Dumb
More informationThe Fuzzing Project https://fuzzing-project.org/
The Fuzzing Project https://fuzzing-project.org/ Hanno Böck 1 / 18 Motivation Motivation Fuzzing C Memory Bugs Invalid memory access example Do you use tools like strings, less, file, convert, ldd, unzip,...?
More informationlogistics: ROP assignment
bug-finding 1 logistics: ROP assignment 2 2013 memory safety landscape 3 2013 memory safety landscape 4 different design points memory safety most extreme disallow out of bounds usually even making out-of-bounds
More informationCopyright 2015 MathEmbedded Ltd.r. Finding security vulnerabilities by fuzzing and dynamic code analysis
Finding security vulnerabilities by fuzzing and dynamic code analysis Security Vulnerabilities Top code security vulnerabilities don t change much: Security Vulnerabilities Top code security vulnerabilities
More informationCoverage-guided Fuzzing of Individual Functions Without Source Code
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results
More informationFuzzing For Worms 16/06/2018. Fuzzing For Worms. AFL for Linux Network Servers
1 AFL for Linux Network Servers 16/6/218 Fuzzing For Worms. About Me 2 1 16/6/218 SSL/TLS Recommendations // OWASP Switzerland 213 Dobin Rutishauser 2 BurpSentinel - Semi Automated Web Scanner // BSides
More informationSoftware Security IV: Fuzzing
1 Software Security IV: Fuzzing Chengyu Song Slides modified from Dawn Song 2 Administrivia Homework1 Due: Friday Oct 27 11:59pm Questions regarding reading materials Talk Security R&D in a Security Company:
More informationCS155: Computer Security Spring Project #1
CS155: Computer Security Spring 2018 Project #1 Due: Part 1: Thursday, April 12-11:59pm, Parts 2 and 3: Thursday, April 19-11:59pm. The goal of this assignment is to gain hands-on experience finding vulnerabilities
More informationFuzzing. compass-security.com 1
Fuzzing compass-security.com 1 Fuzzing Finding bugs by bombarding target with nonconform data Think: Flip a few bits in a PDF, then start Acrobat with that PDF Just more automated Steps: Create input corpus
More informationCSE484/CSE584 BLACK BOX TESTING AND FUZZING. Dr. Benjamin Livshits
CSE484/CSE584 BLACK BOX TESTING AND FUZZING Dr. Benjamin Livshits Approaches to Finding Security Bugs 2 Runtime Monitoring Black-box Testing Static Analysis Fuzzing Basics 3 A form of vulnerability analysis
More informationSoftware security, secure programming
Software security, secure programming Fuzzing and Dynamic Analysis Master on Cybersecurity Master MoSiG Academic Year 2017-2018 Outline Fuzzing (or how to cheaply produce useful program inputs) A concrete
More informationBuilding Advanced Coverage-guided Fuzzer for Program Binaries
Building Advanced Coverage-guided Fuzzer for Program Binaries NGUYEN Anh Quynh WEI Lei 17/11/2017 Zero Nights, Moscow 2017 Self-introduction NGUYEN Anh Quynh, PhD
More informationBlack Hat Webcast Series. C/C++ AppSec in 2014
Black Hat Webcast Series C/C++ AppSec in 2014 Who Am I Chris Rohlf Leaf SR (Security Research) - Founder / Consultant BlackHat Speaker { 2009, 2011, 2012 } BlackHat Review Board Member http://leafsr.com
More informationKLEE Workshop Feeding the Fuzzers. with KLEE. Marek Zmysłowski MOBILE SECURITY TEAM R&D INSTITUTE POLAND
Feeding the Fuzzers with KLEE Marek Zmysłowski MOBILE SECURITY TEAM R&D INSTITUTE POLAND This presentation was created with help and commitment of the Samsung R&D Poland Mobile Security team. KLEE and
More informationFinding media bugs in Android using file format fuzzing. Costel Maxim Intel OTC Security
Finding media bugs in Android using file format fuzzing Costel Maxim Intel OTC Security 1 Agenda File format fuzzing Generate high-quality corpus of files Fuzzing the Stagefright Framework Logging & Triage
More informationSimple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;
Simple Overflow 1 #include int main(void){ unsigned int num = 0xffffffff; printf("num is %d bits long\n", sizeof(num) * 8); printf("num = 0x%x\n", num); printf("num + 1 = 0x%x\n", num + 1); }
More informationFuzzing AOSP. AOSP for the Masses. Attack Android Right Out of the Box Dan Austin, Google. Dan Austin Google Android SDL Research Team
Fuzzing AOSP For the Masses AOSP for the Masses Attack Android Right Out of the Box Dan Austin, Google Dan Austin Google Android SDL Research Team Exploitation: Find the Needle Needles are Interesting
More informationApplications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)
Software Security Requirements General Methodologies Hardware Firmware Software Protocols Procedure s Applications OS Cloud Attack Trees is one of the inside requirement 1. Attacks 2. Evaluation 3. Mitigation
More informationDynamic code analysis tools
Dynamic code analysis tools Stewart Martin-Haugh (STFC RAL) Berkeley Software Technical Interchange meeting Stewart Martin-Haugh (STFC RAL) Dynamic code analysis tools 1 / 16 Overview Introduction Sanitizer
More informationSecurity Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40
Security Workshop HTS LSE Team EPITA 2018 February 3rd, 2016 1 / 40 Introduction What is this talk about? Presentation of some basic memory corruption bugs Presentation of some simple protections Writing
More informationEnhancing Memory Error Detection for Large-Scale Applications and Fuzz testing
Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han, Byunggil Joe, Byoungyoung Lee *, Chengyu Song, Insik Shin KAIST, * Purdue, UCR 1 Memory error Heartbleed Shellshock
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Homework 2 Due: Monday, February 22nd, at 11:59pm Instructions. This homework is due Monday, February 22nd, at 11:59pm. It must be submitted electronically
More informationSoftware Vulnerability
Software Vulnerability Refers to a weakness in a system allowing an attacker to violate the integrity, confidentiality, access control, availability, consistency or audit mechanism of the system or the
More informationTI2725-C, C programming lab, course
Valgrind tutorial Valgrind is a tool which can find memory leaks in your programs, such as buffer overflows and bad memory management. This document will show per example how Valgrind responds to buggy
More informationAutomatizing vulnerability research
Innova&on & Research Symposium Cisco and Ecole Polytechnique 8-9 April 2018 CEDRIC TESSIER INSTRUMENTATION TEAM LEADER / ctessier@quarkslab.com Automatizing vulnerability research to better face new software
More informationECE 471 Embedded Systems Lecture 22
ECE 471 Embedded Systems Lecture 22 Vince Weaver http://www.eece.maine.edu/~vweaver vincent.weaver@maine.edu 31 October 2018 Don t forget HW#7 Announcements 1 Computer Security and why it matters for embedded
More informationIdentifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교
Identifying Memory Corruption Bugs with Compiler Instrumentations 이병영 ( 조지아공과대학교 ) blee@gatech.edu @POC2014 How to find bugs Source code auditing Fuzzing Source Code Auditing Focusing on specific vulnerability
More informationSecurity Testing. Ulf Kargén Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT)
Security Testing TDDC90 Software Security Ulf Kargén Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Security testing vs regular testing Regular
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationLecture 10. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. Asia Slowinska, Herbert Bos. Advanced Operating Systems
Lecture 10 Pointless Tainting? Evaluating the Practicality of Pointer Tainting Asia Slowinska, Herbert Bos Advanced Operating Systems December 15, 2010 SOA/OS Lecture 10, Pointer Tainting 1/40 Introduction
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 15: Software Security II Department of Computer Science and Engineering University at Buffalo 1 Software Vulnerabilities Buffer overflow vulnerabilities account
More informationJuwei Lin. - Joined TrendMicro Since Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting
Juwei Lin - @panicaii - Joined TrendMicro Since 2013 - Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting Lilang Wu - @Lilang_Wu - Joined Trend Micro Since 2016
More informationFuzzing: Breaking software in an automated fashion
Fuzzing: Breaking software in an automated fashion Ilja van Sprundel December 8, 2005 1 Introduction Fuzzing is the art of automatic bug finding. This is done by providing an application with semi-valid
More informationCSC 405 Introduction to Computer Security Fuzzing
CSC 405 Introduction to Computer Security Fuzzing Alexandros Kapravelos akaprav@ncsu.edu Let s find some bugs (again) We have a potentially vulnerable program The program has some inputs which can be controlled
More informationJuwei Lin. - Joined TrendMicro Since Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting
Juwei Lin - @panicaii - Joined TrendMicro Since 2013 - Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting Lilang Wu - @Lilang_Wu - Joined Trend Micro Since 2016
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 16: Building Secure Software Department of Computer Science and Engineering University at Buffalo 1 Review A large number of software vulnerabilities various
More informationFuzzilli. (Guided-)fuzzing for JavaScript engines. Samuel Groß
Fuzzilli (Guided-)fuzzing for JavaScript engines Samuel Groß (saelo@google.com) Motivation Cool bugs in JS engine runtime implementations, JIT compilers, etc. var a = [1, 2, 3, 4, 5]; var i = {}; i.valueof
More informationOvercoming Stagefright Integer Overflow Protections in Android
Overcoming Stagefright Integer Overflow Protections in Android Dan Austin (oblivion@google.com) May 2016 Agenda $ whoami Stagefright Sanitizers Sanitizers in Practice The Future $ whoami $ whoami Dan Austin
More informationVirtualizing IoT with Code Coverage Guided Fuzzing
Virtualizing IoT with Code Coverage Guided Fuzzing HITB2018DXB, November 2018 NGUYEN Anh Quynh, aquynh -at- gmail.com KaiJern LAU, kj -at- theshepherd.io About NGUYEN Anh Quynh > Nanyang Technological
More informationIn-Memory Fuzzing in JAVA
Your texte here. In-Memory Fuzzing in JAVA 2012.12.17 Xavier ROUSSEL Summary I. What is Fuzzing? Your texte here. Introduction Fuzzing process Targets Inputs vectors Data generation Target monitoring Advantages
More informationHow to implement SDL and don t turn gray. Andrey Kovalev, Security Engineer
How to implement SDL and don t turn gray Andrey Kovalev, Security Engineer Agenda SDL 101 Yandex approach SAST, DAST, FSR: drawbacks and solutions Summary 3 How to implement SDL and don t turn gray SDL
More informationRabbit in the Loop. A primer on feedback directed fuzzing using American Fuzzy Lop. by Kevin Läufer
Rabbit in the Loop A primer on feedback directed fuzzing using American Fuzzy Lop Abstract by Kevin Läufer This guide aims to provide the reader with a good intuition about the
More informationNew features in AddressSanitizer. LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany
New features in AddressSanitizer LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany Agenda AddressSanitizer (ASan): a quick reminder New features: Initialization-order-fiasco Stack-use-after-scope
More informationint $0x32 // call interrupt number 50
Kernel Programming: Process isolation, goal to make programs run fast and reliably o Processes should not affect others, unless there s a specific and allowed communication channel o Each process can act
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationControl Flow Hijacking Attacks. Prof. Dr. Michael Backes
Control Flow Hijacking Attacks Prof. Dr. Michael Backes Control Flow Hijacking malicious.pdf Contains bug in PDF parser Control of viewer can be hijacked Control Flow Hijacking Principles Normal Control
More informationSource level debugging. October 18, 2016
Source level debugging October 18, 2016 Source level debugging Source debugging is a nice tool for debugging execution problems; it can be particularly useful when working with crashed programs that leave
More informationWhat You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices
What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan Stijohann 2,3 Frank Kargl 3 Aurélien Francillon 1 Davide Balzarotti 1 1 EURECOM 2 Siemens AG 3 Ulm University
More informationTraditional Smalltalk Playing Well With Others Performance Etoile. Pragmatic Smalltalk. David Chisnall. August 25, 2011
Étoilé Pragmatic Smalltalk David Chisnall August 25, 2011 Smalltalk is Awesome! Pure object-oriented system Clean, simple syntax Automatic persistence and many other great features ...but no one cares
More informationCS161 Midterm 1 Review
CS161 Midterm 1 Review Midterm 1: March 4, 18:3020:00 Same room as lecture Security Analysis and Threat Model Basic security properties CIA Threat model A. We want perfect security B. Security is about
More informationLecture 4 Processes. Dynamic Analysis. GDB
Lecture 4 Processes. Dynamic Analysis. GDB Computer and Network Security 23th of October 2017 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 1/45
More informationComputer Security Course. Midterm Review
Computer Security Course. Dawn Song Midterm Review In class: Logistics On time: 4:10-5:30pm Wed 1 8x11 page cheat sheet allowed Special requirements: see TA Part I, II, III Scope Software Security Secure
More informationSmarter fuzzing using sound and precise static analyzers
Smarter fuzzing using sound and precise static analyzers Pascal Cuoq, Chief Scientist, TrustInSoft January 31, 2017 Pascal Cuoq, Chief Scientist, TrustInSoft smarter fuzzing January 31, 2017 1 / 8 Introduction
More informationThwarting unknown bugs: hardening features in the mainline Linux kernel
Thwarting unknown bugs: hardening features in the mainline Linux kernel Mark Rutland ARM Ltd Embedded Linux Conference Europe 2016 October 11, 2016 ARM 2016 2 ARM 2016 What s the
More informationBuffer overflow prevention, and other attacks
Buffer prevention, and other attacks Comp Sci 3600 Security Outline 1 2 Two approaches to buffer defense Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks
More informationCosc 242 Assignment. Due: 4pm Friday September 15 th 2017
Cosc 242 Assignment Due: 4pm Friday September 15 th 2017 Group work For this assignment we require you to work in groups of three people. You may select your own group and inform us of your choice via
More informationStructure-aware fuzzing
Structure-aware fuzzing for real-world projects Réka Kovács Eötvös Loránd University, Hungary rekanikolett@gmail.com 1 Overview tutorial, no groundbreaking discoveries Motivation growing code size -> growing
More informationPROGRAMMING OLYMPIAD FINAL ROUND Environment Manual. 1 Introduction 2. 2 Local environment 2
PROGRAMMING OLYMPIAD FINAL ROUND 2016 Environment Manual Contents Page 1 Introduction 2 2 Local environment 2 3 Compilers and IDEs 3.1 C++ 2 3.2 Java 3 3.3 Python 3 3.4 IDEs and Text Editors 3 4 Web-based
More informationRecitation: Cache Lab & C
15-213 Recitation: Cache Lab & C Jack Biggs 16 Feb 2015 Agenda Buffer Lab! C Exercises! C Conventions! C Debugging! Version Control! Compilation! Buffer Lab... Is due soon. So maybe do it soon Agenda Buffer
More informationCS 155: Real-World Security
CS 155: Real-World Security April 14, 2016 Alex Stamos CSO, Facebook Why are you here? Agenda We are going to discuss: How bugs are found How defense works in the real world We will walk through some:
More informationSecure Programming I. Steven M. Bellovin September 28,
Secure Programming I Steven M. Bellovin September 28, 2014 1 If our software is buggy, what does that say about its security? Robert H. Morris Steven M. Bellovin September 28, 2014 2 The Heart of the Problem
More informationUsing static analysis to detect use-after-free on binary code
Using static analysis to detect use-after-free on binary code Josselin Feist Laurent Mounier Marie-Laure Potet Verimag / University of Grenoble - Alpes France SDTA 2014 - Clermont-Ferrand 5 décembre 2014
More informationREFERENCES, POINTERS AND STRUCTS
REFERENCES, POINTERS AND STRUCTS Problem Solving with Computers-I https://ucsb-cs16-sp17.github.io/ Pointer assignment 2 int *p1, *p2, x; p1 = &x; p2 = p1; Q: Which of the following pointer diagrams best
More informationProgramming in C. Lecture 9: Tooling. Dr Neel Krishnaswami. Michaelmas Term
Programming in C Lecture 9: Tooling Dr Neel Krishnaswami Michaelmas Term 2017-2018 1 / 24 Undefined and Unspecified Behaviour 2 / 24 Undefined and Unspecified Behaviour We have seen that C is an unsafe
More informationCSE 303: Concepts and Tools for Software Development
CSE 303: Concepts and Tools for Software Development Hal Perkins Winter 2009 Lecture 7 Introduction to C: The C-Level of Abstraction CSE 303 Winter 2009, Lecture 7 1 Welcome to C Compared to Java, in rough
More informationLecture 7: file I/O, more Unix
CIS 330: / / / / (_) / / / / _/_/ / / / / / \/ / /_/ / `/ \/ / / / _/_// / / / / /_ / /_/ / / / / /> < / /_/ / / / / /_/ / / / /_/ / / / / / \ /_/ /_/_/_/ _ \,_/_/ /_/\,_/ \ /_/ \ //_/ /_/ Lecture 7: file
More informationQiang Li && Zhibin Hu/Qihoo 360 Gear Team Ruxcon 2016
Qiang Li && Zhibin Hu/Qihoo 360 Gear Team Ruxcon 2016 Who are we Security researcher in Qihoo 360 Inc(Gear Team) Vulnerability discovery and analysis Specialize in QEMU currently 50+ security issues, 33
More informationLast week. Data on the stack is allocated automatically when we do a function call, and removed when we return
Last week Data can be allocated on the stack or on the heap (aka dynamic memory) Data on the stack is allocated automatically when we do a function call, and removed when we return f() {... int table[len];...
More informationCSE 333 Midterm Exam 5/10/13
Name There are 5 questions worth a total of 100 points. Please budget your time so you get to all of the questions. Keep your answers brief and to the point. The exam is closed book, closed notes, closed
More informationEnhancing Memory Error Detection for Larg e-scale Applications and Fuzz testing
Enhancing Memory Error Detection for Larg e-scale Applications and Fuzz testing Wookhyun Han, Byunggil Joe, Byoungyoung Lee *, C hengyu Song, Insik Shin KAIST, * Purdue, UCR 1 Memory error Heartbleed Shellshock
More informationInfecting the Embedded Supply Chain
SESSION ID: PDAC-F01 Infecting the Embedded Supply Chain Zach Miller Security Researcher in8 Solutions (Formerly Somerset Recon) @bit_twidd1er Inspiration Inspiration Countless embedded devices exist Each
More informationCSci 4061 Introduction to Operating Systems. Programs in C/Unix
CSci 4061 Introduction to Operating Systems Programs in C/Unix Today Basic C programming Follow on to recitation Structure of a C program A C program consists of a collection of C functions, structs, arrays,
More informationBuffer Overflow Attacks
Buffer Overflow Attacks 1. Smashing the Stack 2. Other Buffer Overflow Attacks 3. Work on Preventing Buffer Overflow Attacks Smashing the Stack An Evil Function void func(char* inp){ } char buffer[16];
More informationWhy bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?
Jeroen van Beek 1 Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions? 2 Inadequate OS and application security: Data abuse Stolen information Bandwidth
More informationDigging Deep: Finding 0days in Embedded Systems with Code Coverage Guided Fuzzing
Digging Deep: Finding 0days in Embedded Systems with Code Coverage Guided Fuzzing NGUYEN Anh Quynh Kai Jern LAU HackInTheBox - Beijing, November 2nd, 2018
More informationMidterm Exam Nov 8th, COMS W3157 Advanced Programming Columbia University Fall Instructor: Jae Woo Lee.
Midterm Exam Nov 8th, 2012 COMS W3157 Advanced Programming Columbia University Fall 2012 Instructor: Jae Woo Lee About this exam: - There are 4 problems totaling 100 points: problem 1: 30 points problem
More informationAdditional Guidelines and Suggestions for Project Milestone 1 CS161 Computer Security, Spring 2008
Additional Guidelines and Suggestions for Project Milestone 1 CS161 Computer Security, Spring 2008 Some students may be a little vague on what to cover in the Milestone 1 submission for the course project,
More informationDebugging. Erwan Demairy Dream
1 Debugging Erwan Demairy Dream 2 Where are we? Tools Requirements Global architecture UML Local architecture Implementation Compilation Link Editor Compiler Linker Tests Debug Profiling Build IDE Debugger
More informationMemory Safety (cont d) Software Security
Memory Safety (cont d) Software Security CS 161: Computer Security Prof. Raluca Ada Popa January 17, 2016 Some slides credit to David Wagner and Nick Weaver Announcements Discussion sections and office
More informationReviewing gcc, make, gdb, and Linux Editors 1
Reviewing gcc, make, gdb, and Linux Editors 1 Colin Gordon csgordon@cs.washington.edu University of Washington CSE333 Section 1, 3/31/11 1 Lots of material borrowed from 351/303 slides Colin Gordon (University
More informationCSE 12 Spring 2016 Week One, Lecture Two
CSE 12 Spring 2016 Week One, Lecture Two Homework One and Two: hw2: Discuss in section today - Introduction to C - Review of basic programming principles - Building from fgetc and fputc - Input and output
More informationSoftware Robustness Testing Service
Software Robustness Testing Service http://www.ices.cmu.edu/ballista John P. DeVale devale@cmu.edu - (412) 268-4264 - http://www.ece.cmu.edu/~jdevale,qvwlwxwh IRU &RPSOH[ (QJLQHHUHG 6\VWHPV Overview: Ballista
More informationCS 3113 Introduction to Operating Systems Midterm October 11, 2018
General instructions: CS 3113 Introduction to Operating Systems Midterm October 11, 2018 Please wait to open this exam booklet until you are told to do so. This examination booklet has 10 pages. You also
More informationCS 3113 Introduction to Operating Systems Midterm October 11, 2018
General instructions: CS 3113 Introduction to Operating Systems Midterm October 11, 2018 Please wait to open this exam booklet until you are told to do so. This examination booklet has 10 pages. You also
More information4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization
04/04/06 Lecture Notes Untrusted Beili Wang Stages of Static Overflow Solution 1. Find bug in 1. Static Analysis 2. Send overflowing input 2. CCured 3. Overwrite return address 3. Address Space Randomization
More informationQemu code fault automatic discovery with symbolic search. Paul Marinescu, Cristian Cadar, Chunjie Zhu, Philippe Gabriel
Qemu code fault automatic discovery with symbolic search Paul Marinescu, Cristian Cadar, Chunjie Zhu, Philippe Gabriel Goals of this presentation Introduction of KLEE (symbolic execution tool) Qemu fault/patch
More informationTest Automation. 20 December 2017
Test Automation 20 December 2017 The problem of test automation Testing has repetitive components, so automation is justified The problem is cost-benefit evaluation of automation [Kaner] Time for: test
More informationfinding vulnerabilities
cs6 42 computer security finding vulnerabilities adam everspaugh ace@cs.wisc.edu hw1 Homework 1 will be posted after class today Due: Feb 22 Should be fun! TAs can help with setup Use Piazza as first step
More informationCMPSC 497 Other Memory Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Other Memory
More informationWhy bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?
Jeroen van Beek 1 Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions? 2 Inadequate OS and application security: Data abuse Stolen information Bandwidth
More informationMessage Passing Interface (MPI)
CS 220: Introduction to Parallel Computing Message Passing Interface (MPI) Lecture 13 Today s Schedule Parallel Computing Background Diving in: MPI The Jetson cluster 3/7/18 CS 220: Parallel Computing
More informationReflections on using C(++) Root Cause Analysis
Hacking in C Reflections on using C(++) Root Cause Analysis Abstractions Complexity Assumptions Trust hic 1 There are only two kinds of programming languages: the ones people complain about and the ones
More informationChangelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part
1 Changelog 1 Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part OVER questions? 2 last time 3 memory management problems
More informationSystematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky
Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky 1 1 Transport Layer Security The most important crypto protocol HTTP, SMTP, IMAP 2 2 Secure Sockets Layer (SSL), SSLv2 SSLv3 Trasnsport
More informationAutomatic program generation for detecting vulnerabilities and errors in compilers and interpreters
Automatic program generation for detecting vulnerabilities and errors in compilers and interpreters 0368-3500 Nurit Dor Shir Landau-Feibish Noam Rinetzky Preliminaries Students will group in teams of 2-3
More informationLimitations of the stack
The heap hic 1 Limitations of the stack int *table_of(int num, int len) { int table[len+1]; for (int i=0; i
More informationCS 220: Introduction to Parallel Computing. Input/Output. Lecture 7
CS 220: Introduction to Parallel Computing Input/Output Lecture 7 Input/Output Most useful programs will provide some type of input or output Thus far, we ve prompted the user to enter their input directly
More informationC Review. MaxMSP Developers Workshop Summer 2009 CNMAT
C Review MaxMSP Developers Workshop Summer 2009 CNMAT C Syntax Program control (loops, branches): Function calls Math: +, -, *, /, ++, -- Variables, types, structures, assignment Pointers and memory (***
More informationCS 222: More File I/O, Bits, Masks, Finite State Problems
CS 222: More File I/O, Bits, Masks, Finite State Problems Chris Kauffman Week 6-1 Logistics Reading Ch 9 (file i/o) Ch 11 finish (practical programming) Homework HW 5 due tonight HW 6 up by Thursday Exam
More informationHigh Performance Computing MPI and C-Language Seminars 2009
High Performance Computing - Seminar Plan Welcome to the High Performance Computing seminars for 2009. Aims: Introduce the C Programming Language. Basic coverage of C and programming techniques needed
More information