Speaker: 張元
Coverage-Guided Fuzzing
- Coverage metric
- code coverage
- Capture program information
- binary instrumentation
- emulator
- qemu, angr, qiling
Binary Instrumentation
- Insert additional code into binary
- Insert assembly
- vanilla AFL
- LLVM Pass – LLVM IR
- AFL++
- LTO (Link Time Optimization)
- AFL++
Code Coverage
- coverage of code region
- basic block
- edge
- Insert additional code at the entry of each code region
- code coverage -> bug coverage (positively correlated)
Instrumentation is added at basic block 1
Sanitizer
- AddressSanitizer (ASAN)
- UndefinedBehaviorSanitizer (UBSAN)
- MemorySanitizer (MSAN)
- LeakSanitizer (LSAN)
Sanitizer – ASAN
- heap, stack, global-buffer overflow
- UAF – use after free
- shadow memory
- red zone
- overhead
red zone | buffer | red zone | buffer |
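Added example, not from the slides: a model of AddressSanitizer's shadow memory and red zones on a 64-byte toy heap, so the check ASAN compiles in before every load and store can be seen in isolation. Real ASAN (clang -fsanitize=address) maps every 8 bytes of application memory to one shadow byte at (addr >> 3) + Offset; the shadow values used here follow ASAN's documented legend (0 = all 8 bytes addressable, k in 1..7 = only the first k bytes addressable, 0xfa = heap red zone, 0xfd = freed heap). The bump allocator, the quarantine-by-never-reusing and all function names are ours.

```c
/* Added example, not from the slides: a model of AddressSanitizer's shadow
 * memory for a 64-byte toy heap. Real ASAN maps every 8 application bytes to
 * one shadow byte at (addr >> 3) + Offset and inserts a check like asan_ok()
 * before every load and store. The allocator and function names are ours. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SIZE    64
#define SHADOW_SCALE 3                 /* 1 shadow byte per 8 application bytes */
#define REDZONE      16                /* gap left poisoned between chunks */
#define HEAP_REDZONE ((int8_t)0xfa)    /* ASAN's kAsanHeapLeftRedzoneMagic */
#define HEAP_FREED   ((int8_t)0xfd)    /* ASAN's kAsanHeapFreeMagic */

static uint8_t heap[HEAP_SIZE];                    /* application memory; addresses are offsets into it */
static int8_t  shadow[HEAP_SIZE >> SHADOW_SCALE];  /* one byte per 8-byte granule */
static size_t  heap_top;

static int8_t *shadow_of(size_t addr) { return &shadow[addr >> SHADOW_SCALE]; }

/* Everything starts poisoned; only live chunks are ever unpoisoned. */
static void asan_heap_init(void) {
    heap_top = 0;
    memset(shadow, HEAP_REDZONE, sizeof shadow);
}

/* The check ASAN inserts before an n-byte access at addr.
 * Real ASAN does a single shadow load for an aligned 1/2/4/8-byte access;
 * the per-byte loop here gives the same answer for any size or alignment. */
static int asan_ok(size_t addr, size_t n) {
    for (size_t a = addr; a < addr + n; a++) {
        int8_t s = *shadow_of(a);
        if (s == 0) continue;                           /* whole granule addressable */
        if (s < 0 || (a & 7) >= (size_t)s) return 0;    /* poisoned, or past the addressable prefix */
    }
    return 1;
}

/* What the report would say for the first bad byte of the access ("ok" if none). */
static const char *asan_report(size_t addr, size_t n) {
    for (size_t a = addr; a < addr + n; a++) {
        if (asan_ok(a, 1)) continue;
        return *shadow_of(a) == HEAP_FREED ? "heap-use-after-free" : "heap-buffer-overflow";
    }
    return "ok";
}

/* malloc: skip a red zone, then unpoison exactly n bytes (the last granule may be partial).
 * Returns the address, or (size_t)-1 when the toy heap is full. */
static size_t asan_malloc(size_t n) {
    size_t addr = heap_top + REDZONE;
    size_t end  = (addr + n + 7) & ~(size_t)7;        /* next chunk starts on a granule boundary */
    if (n == 0 || end > HEAP_SIZE) return (size_t)-1;
    for (size_t a = addr; a < addr + n; a += 8) {
        size_t left = addr + n - a;
        *shadow_of(a) = left >= 8 ? 0 : (int8_t)left;   /* partial granule: only first `left` bytes valid */
    }
    heap_top = end;
    return addr;
}

/* free: poison the chunk as "freed" and never hand it out again (ASAN's quarantine),
 * so a later access reports as use-after-free instead of landing in a new live chunk.
 * Real ASAN reads the size from the chunk header; here the caller passes it. */
static void asan_free(size_t addr, size_t n) {
    for (size_t a = addr; a < addr + n; a += 8) *shadow_of(a) = HEAP_FREED;
}

int main(void) {
    asan_heap_init();
    size_t p = asan_malloc(10);
    heap[p] = 1;                                                   /* in bounds, passes the check */
    printf("p[0]           : %s\n", asan_report(p, 1));
    printf("p[10] (off by 1): %s\n", asan_report(p + 10, 1));      /* partial granule catches it */
    printf("p[-1]          : %s\n", asan_report(p - 1, 1));         /* underflow into red zone */
    asan_free(p, 10);
    printf("p[0] after free: %s\n", asan_report(p, 1));
    return 0;
}
```

The off-by-one case is the reason for the 1..7 partial-granule encoding: a 10-byte chunk occupies one full granule and two bytes of the next, and the red zone alone would not catch a read of byte 10. The overhead the slides mention comes from the shadow load and compare on every memory access plus the shadow memory itself (1/8 of the address space).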
Coverage-Guided Fuzzers
- AFL
- AFL++
- libfuzzer
- syzkaller
- honggfuzz
AFL
- american fuzzy lop
- https://lcamtuf.coredump.cx/afl/
- https://github.com/google/AFL
AFL++
(strongly recommended by 張元)
- https://github.com/AFLplusplus/AFLplusplus
- AFL++ is a superior fork to Google’s AFL – more speed, more and better mutations, more and better instrumentation, custom module support, etc.
- cmplog: REDQUEEN
- power schedule: AFLFast
libfuzzer
- LLVM
- clang
- https://llvm.org/docs/LibFuzzer.html
- in-process fuzzing
- fuzzing harness
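Added example, not from the slides or from LLVM: a libFuzzer harness for a small, made-up record parser (parse_record is ours). libFuzzer supplies main(), generates inputs and calls LLVMFuzzerTestOneInput() in-process, so the harness must accept any byte string, never call exit(), and return 0; ASAN and the coverage instrumentation added by clang -fsanitize=fuzzer,address do the bug detection and the feedback. STANDALONE_DRIVER is our own macro for a plain driver that replays one file without libFuzzer.

```c
/* Added example, not from the slides or from LLVM: a libFuzzer harness for a
 * made-up record parser. parse_record() and STANDALONE_DRIVER are ours;
 * LLVMFuzzerTestOneInput is the entry point libFuzzer calls. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy format: [u8 type][u8 len][len payload bytes].
 * Returns the 8-bit checksum of type + payload, or -1 on malformed input.
 * Drop the length check and the fuzzer reports a heap-buffer-overflow within
 * seconds, because libFuzzer hands in a heap buffer of exactly `size` bytes. */
static int parse_record(const uint8_t *data, size_t size) {
    if (size < 2) return -1;
    uint8_t type = data[0], len = data[1];
    if ((size_t)len + 2 > size) return -1;        /* payload must fit inside the buffer */
    unsigned sum = type;
    for (size_t i = 0; i < len; i++) sum += data[2 + i];
    return (int)(sum & 0xff);
}

/* libFuzzer entry point: called in-process once per generated input.
 * The buffer belongs to the fuzzer and is only valid for the duration of the call. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    (void)parse_record(data, size);
    return 0;                                      /* non-zero return values are reserved by libFuzzer */
}

#ifdef STANDALONE_DRIVER
/* Replay one input file (e.g. a crash-* artifact) without linking libFuzzer's main. */
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <input-file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 2; }
    fseek(f, 0, SEEK_END);
    long n = ftell(f);
    fseek(f, 0, SEEK_SET);
    if (n < 0) { fclose(f); return 2; }
    uint8_t *buf = malloc(n > 0 ? (size_t)n : 1);
    size_t got = fread(buf, 1, (size_t)n, f);
    fclose(f);
    int rc = LLVMFuzzerTestOneInput(buf, got);
    free(buf);
    return rc;
}
#endif
```

Build and run with libFuzzer's own main: clang -g -O1 -fsanitize=fuzzer,address harness.c -o harness, then ./harness corpus_dir/; passing a file instead of a directory replays just that input. For the driver above, compile with -DSTANDALONE_DRIVER -fsanitize=address and no -fsanitize=fuzzer.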
syzkaller
- kernel fuzzer
- https://github.com/google/syzkaller
Fuzzing Research
Fuzzing
- seed scheduling
- AFLFast: Coverage-based Greybox Fuzzing as Markov Chain (CCS 2016)
- MOPT: Optimize Mutation Scheduling for Fuzzers (USENIX 2019)
- seed selection
- seed corpus optimization
- corpus minimization: OptiMin (ISSTA 2021)
- initial seed selection
- Seed Selection for Successful Fuzzing (ISSTA 2021)
Fuzzing – mutation
Fuzzing – Directed Grey-box Fuzzing
An advanced form of coverage-guided fuzzing
- AFLGo: Directed Greybox Fuzzing (CCS 2017)
- Hawkeye: Towards a Desired Directed Grey-box Fuzzer (CCS 2018)
- SAVIOR: Towards Bug-Driven Hybrid Testing (S&P 2020)
- ParmeSan: Sanitizer-guided Greybox Fuzzing (USENIX 2020)
- Constraint-guided Directed Greybox Fuzzing (USENIX 2021)
Fuzzing – research topic
- data flow analysis (DFA)
- taint analysis
- binary instrumentation
- binary only
- dynamic instrumentation
- parallel fuzzing
- ensemble fuzzing
- EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers (USENIX 2019)
- symbolic execution
- KLEESPECTRE: Detecting Information Leakage through Speculative Cache Attacks via Symbolic Execution
- concolic execution
- hybrid fuzzing
AFL++
- afl-fuzz -i input -o output -- ./binary
- afl-fuzz -i input -o output -- ./binary -a -b
- afl-fuzz -i input -o