-
FuzzSplore: Visualizing Feedback-Driven Fuzzing Techniques
Authors:
Andrea Fioraldi,
Luigi Paolo Pileggi
Abstract:
Fuzz Testing techniques are the state of the art in software testing for security issues nowadays. Their great effectiveness has attracted the attention of researchers and hackers and involved them in developing many new techniques to improve Fuzz Testing. The evaluation and cross-comparison of these techniques is still largely an open problem. In this paper, we propose a human-driven approach to this problem based on information visualization. We developed a prototype on top of the AFL++ fuzzing framework, FuzzSplore, that an analyst can use to gain useful insights about different fuzzing configurations applied to a specific target, in order to choose or tune the best technique during a fuzzing campaign.
Submitted 6 February, 2021; v1 submitted 4 February, 2021;
originally announced February 2021.
-
Program State Abstraction for Feedback-Driven Fuzz Testing using Likely Invariants
Authors:
Andrea Fioraldi
Abstract:
Fuzz testing has proved its great effectiveness in finding software bugs in recent years; however, there are still open challenges. Coverage-guided fuzzers suffer from the fact that covering a program point does not ensure that a fault is triggered. Other, more sensitive techniques that in theory should cope with this problem, such as coverage of memory values, easily lead to path explosion. In this thesis, we propose a new feedback for feedback-driven fuzz testing that combines code coverage with the "shape" of the data. We learn likely invariants for each basic block in order to divide the space described by the variables used in the block into regions. The goal is to distinguish, in the feedback, when a block is executed with values that fall into different regions of that space. This better approximates program state coverage and, on some targets, improves the fuzzer's ability to find faults. We developed a prototype using LLVM and AFL++ called InvsCov.
Submitted 21 December, 2020;
originally announced December 2020.
-
Symbolic Execution and Debugging Synchronization
Authors:
Andrea Fioraldi
Abstract:
In this thesis, we introduce the idea of combining symbolic execution with dynamic analysis for reverse engineering. Unlike DSE, we devise an approach where the reverse engineer can use a debugger to drive and inspect a concrete execution of the application code and then, when needed, transfer the execution into a symbolic executor in order to automatically identify the input values required to reach a target point in the code. After that, the user can also transfer the correct input values found by symbolic execution back to the debugger in order to continue debugging. The synchronization between a debugger and a symbolic executor can enhance manual dynamic analysis and allow a reverser to easily solve small portions of code without leaving the debugger. We implemented a synchronization mechanism on top of the binary analysis framework angr, allowing the state of the debugged process to be transferred to the angr environment and back. The backend library is debugger agnostic and can be extended to work with various frontends. We implemented a frontend for the IDA Pro debugger and one for the GNU Debugger, both of which are widely popular among reverse engineers.
Submitted 30 June, 2020;
originally announced June 2020.
-
WEIZZ: Automatic Grey-box Fuzzing for Structured Binary Formats
Authors:
Andrea Fioraldi,
Daniele Cono D'Elia,
Emilio Coppa
Abstract:
Fuzzing technologies have evolved at a fast pace in recent years, revealing bugs in programs with ever increasing depth and speed. Applications working with complex formats are however more difficult to take on, as inputs need to meet certain format-specific characteristics to get through the initial parsing stage and reach deeper behaviors of the program. Unlike prior proposals based on manually written format specifications, in this paper we present a technique to automatically generate and mutate inputs for unknown chunk-based binary formats. We propose a technique to identify dependencies between input bytes and comparison instructions, and later use them to assign tags that characterize the processing logic of the program. Tags become the building block for structure-aware mutations involving chunks and fields of the input. We show that our technique performs comparably to structure-aware fuzzing proposals that require human assistance. Our prototype implementation WEIZZ revealed 16 unknown bugs in widely used programs.
Submitted 12 August, 2020; v1 submitted 1 November, 2019;
originally announced November 2019.