HITCON 2021 軟體自動化安全檢測技術 workshop 筆記

Speaker: 張元

Coverage-Guided Fuzzing

  • Coverage metric
    • code coverage
  • Capture program information
    • binary instrumentation
    • emulator
      • qemu, angr, qiling

Binary Instrumentation

  • Insert additional code into binary
  • Insert assembly
    • vanilla AFL
  • LLVM Pass – LLVM IR
    • AFL++
      • LTO (Link Time Optimization)

Code Coverage

  • coverage of code region
    • basic block
    • edge
  • Inssert additional code at entries of code regions
  • code coverage -> bug coverage (正相關)

在basic block 1 上加上 instrumentation

Sanitizer

Sanitizer – ASAN

  • heap, stack, global-buffer overflow
  • UAF – use after free
  • shadow memory
    • red zone
  • overhead
red zonebufferred zonebuffer

Coverage-Guided Fuzzers

  • AFL
  • AFL++
  • libfuzzer
  • syzkaller
  • honggfuzz

AFL

AFL++

(張元強力推薦)

  • https://github.com/AFLplusplus/AFLplusplus
  • AFL++ is a superior fork to Google’s AFL – more speed, more and better mutations, more and better instrumentation, custom module support, etc.
  • cmplog: REDQUEEN
  • power schedule:AFLFast

libfuzzer

syzkaller

Fuzzing Research

Fuzzing

  • seed scheduling
    • AFLFast: Coverage-based Greybox Fuzzing as Markov Chain(CCS 2016)
    • MOPT: Optimize Mutation Scheduling for Fuzzers(USENIX 2019)
  • seed selection
  • seed corpus optimization
    • corpus minimization: OptiMin(ISSTA 2021)
  • initial seed selection
    • Seed Selection for Succesful Fuzzing(ISSTA 2021)

Fuzzing – nutation

Fuzzing – Directed Grey-box Fuzzing

進階版 Coverage-Guided

  • AFLGo:Directed Greybox Fuzzing(CCS 2017)
  • Hawkeye: Towards a Desired Directed Grey-box Fuzzer(CCS 2018)
  • SAVIOR: Towards Bug-Driven Hybird Testing(S&P 2020)
  • ParmeSan: Sanitizer-guided Greybox Fuzzing(USENIX 2020)
  • Constraint-guided Directed Greybox Fuzzing(USENIX 2021)

Fuzzing – research topic

  • data flaw analysis (DFA)
    • taint analysis
  • binary instrumentation
    • binary only
    • dynamic instrumentation
  • parallel fuzzing
    • ensemble fuzzing
      • EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers (USENIX 2019)
  • symbolic execution
    • KLEESPECTRE: Detecting information Leakage through Speculative Cache Attacks via Symbolic Execution
    • concolic execution
  • hybrid fuzzing

AFL++

  • afl-fuzz -i input -o output – ./binary
  • alf-fuzz -i input -o output – ./binary -a -b
  • afl-fuzz -i input -o

apt.llvm.org

發佈留言

發佈留言必須填寫的電子郵件地址不會公開。

4 × five =

Back To Top
error: Content is protected !!