MediaTek Fuzzing Workshop

yuawn
November 26, 2021

MediaTek Fuzzing Workshop in HITCON 2021

Transcript

  1. Outline
     • Product Security
     • Fuzz testing
     • Fuzzing Lab
       • AFL++
       • Binary instrumentation - LLVM Pass
  2. Product Security - smart phone
     • Privacy
       • Photo, video, voice, SMS, notes, documents …
     • Credential
       • private keys, MFA, fingerprint, facial ID …
     • Wallet
       • credit cards, bank service, electronic payment …
  3. Product Security
     • 5G, IoT, intelligent vehicles, e-health, metaverse (VR, AR)
     • automotive chips, aviation, medical instruments, wearable devices
     • Cybersecurity risk
  4. Fuzz Testing
     • Fuzzing
       • Automated software testing technique
       • bug finding
     • Fuzzer
       • Repeatedly provides randomly generated inputs to the program and checks the execution result.
  5.-6. Fuzz Testing
     • Black-box
       • binary only
     • Grey-box
       • utilize some program information to guide fuzzing
     • White-box
       • get a full picture of the program
       • e.g., symbolic execution
  7. Coverage-Guided Fuzzing
     • coverage metric
       • computed from program information
     • utilize coverage information to guide the fuzzer toward increasing its coverage percentage
  8.-10. Coverage-Guided Fuzzing
     (diagram of the fuzzing loop, built up over three slides: seed pool -> select a seed -> mutation -> mutated seed -> run with instrumented binary -> execution result; crash -> Found bugs! crash PoC; exit normally -> new coverage? Yes -> save to seed pool, No -> not saved)
  11. Coverage-Guided Fuzzing
     • Coverage metric
       • code coverage
     • Capture program information
       • binary instrumentation
       • emulator
         • qemu, angr, qiling
  12. Binary Instrumentation
     • Insert additional code into the binary
     • Insert assembly
       • vanilla AFL
     • LLVM Pass - LLVM IR
       • AFL++
     • LTO (Link Time Optimization)
  13. Code Coverage
     • coverage of code regions
       • basic block
       • edge
     • Insert additional code at the entries of code regions
     • code coverage -> bug coverage
  14.-17. Code Coverage
     (diagram, built up over four slides: basic block 1, basic block 2 and basic block 3, each with an instrumentation stub at its entry, and a 10-entry coverage bitmap; the bitmap starts as 0 0 0 0 0 0 0 0 0 0 and reads 0 0 1 0 0 0 0 0 1 0 after the instrumented blocks have executed)
  18. Coverage-Guided Fuzzing
     (the fuzzing loop diagram of slide 8 again: seed pool -> select a seed -> mutation -> mutated seed -> run with instrumented binary -> execution result; crash -> Found bugs! crash PoC; exit normally -> new coverage? Yes -> save to seed pool, No -> not saved)
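Added example (written for this transcript, not code from the slides or from AFL++ itself) of what slides 12-18 describe: the edge-coverage stub the LLVM pass inserts at every basic-block entry, the coverage bitmap it writes to, and the "new coverage?" decision that decides whether a mutated seed goes back into the seed pool. The hit-counting formula is AFL's classic one; the toy target, its block IDs 0x1000/0x2000/0x3000, and the `virgin` map and function names are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>

#define MAP_SIZE 65536   /* AFL's classic bitmap: 64 KiB of edge counters */

/* Bitmap the instrumentation writes to (shared memory owned by afl-fuzz in
 * AFL++; a plain global keeps this constructed example stand-alone). */
static uint8_t afl_area[MAP_SIZE];
static uint16_t prev_loc;
static uint8_t virgin[MAP_SIZE];   /* edges seen by any input so far */

/* What the LLVM pass inserts at every basic-block entry: bump the counter
 * for edge (prev_loc ^ cur_loc), then shift cur_loc so A->B and B->A differ. */
static void instrument(uint16_t cur_loc) {
    afl_area[cur_loc ^ prev_loc]++;
    prev_loc = cur_loc >> 1;
}

/* Toy target with three basic blocks and hand-picked block IDs (the pass
 * assigns random ones at compile time). Block 3 stands in for the bug. */
static int target(const uint8_t *buf, size_t len) {
    instrument(0x1000);                      /* basic block 1: entry */
    if (len > 0 && buf[0] == 'A') {
        instrument(0x2000);                  /* basic block 2 */
        if (len > 1 && buf[1] == 'B') {
            instrument(0x3000);              /* basic block 3 */
            return 1;
        }
    }
    return 0;
}

void reset_virgin(void) { memset(virgin, 0, sizeof virgin); }

/* The "new coverage?" decision of the loop on slide 8: run one input on a
 * clean bitmap, then mark every edge not yet in virgin. Returns 1 when the
 * input should be saved to the seed pool, 0 when it found nothing new. */
int run_and_check(const uint8_t *buf, size_t len) {
    int new_cov = 0;
    memset(afl_area, 0, sizeof afl_area);
    prev_loc = 0;
    target(buf, len);
    for (size_t i = 0; i < MAP_SIZE; i++)
        if (afl_area[i] && !virgin[i]) { virgin[i] = 1; new_cov = 1; }
    return new_cov;
}

int count_edges(void) {   /* distinct edges discovered so far */
    int n = 0;
    for (size_t i = 0; i < MAP_SIZE; i++) n += virgin[i] != 0;
    return n;
}
```

Feeding "XX", "AX" and "AB" in turn discovers one new edge each (slots 0x1000, 0x2800 and 0x2000), and re-running any of them reports nothing new, which is exactly why a real run keeps only a handful of the millions of mutants it executes.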
  19. Sanitizer
     • AddressSanitizer (ASAN)
       • https://github.com/google/sanitizers
       • https://www.usenix.org/system/files/conference/atc12/atc12-final39.pdf
     • Undefined Behavior Sanitizer (UBSAN)
     • MemorySanitizer (MSAN)
     • Leak-checker Sanitizer (LSAN)
  20. Sanitizer - ASAN
     • heap, stack, global-buffer overflow
     • UAF - use after free
     • shadow memory
     • red zone
     (diagram: two buffers, each separated from its neighbours by red zones)
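Added example (a constructed model, not the ASAN runtime) of the shadow memory and red zones on slide 20: every 8-byte granule of a small fake heap gets one shadow byte, `fake_malloc` surrounds the buffer with red zones, `fake_free` poisons it so a later use is caught, and `is_poisoned` is the check ASAN compiles in before each 1/2/4/8-byte load or store. The 64-byte heap, the 16-byte red zone and all function names are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of ASAN's shadow memory for a 64-byte "heap": one
 * shadow byte per 8-byte granule. 0 = all 8 bytes addressable, k in 1..7 =
 * only the first k bytes addressable, negative = poisoned. The real runtime
 * finds the shadow byte of an address with (addr >> 3) + offset. */
#define HEAP_SIZE 64
#define RZ_LEFT  (-6)   /* left red zone marker  (ASAN reports it as 0xfa) */
#define RZ_RIGHT (-5)   /* right red zone marker (ASAN reports it as 0xfb) */
#define FREED    (-3)   /* freed-memory marker   (ASAN reports it as 0xfd) */
#define BUF_OFF  16     /* the allocation starts after a 16-byte red zone */

static int8_t shadow[HEAP_SIZE / 8];

/* Poison every granule overlapping [off, off+len) with marker. */
static void poison(size_t off, size_t len, int8_t marker) {
    for (size_t g = off / 8; g < (off + len + 7) / 8; g++) shadow[g] = marker;
}

/* Model of malloc(n): red zones on both sides, the buffer unpoisoned, and a
 * partial shadow byte when n is not a multiple of 8 (12 bytes -> 0, 4). */
void fake_malloc(size_t n) {
    memset(shadow, RZ_RIGHT, sizeof shadow);
    poison(0, BUF_OFF, RZ_LEFT);
    for (size_t g = 0; g < n / 8; g++) shadow[BUF_OFF / 8 + g] = 0;
    if (n % 8) shadow[BUF_OFF / 8 + n / 8] = (int8_t)(n % 8);
}

/* Model of free(): the bytes stay mapped but become poisoned, which is how
 * a later use-after-free access gets reported. */
void fake_free(size_t n) { poison(BUF_OFF, n, FREED); }

/* The check ASAN instruments before every 1/2/4/8-byte load or store.
 * Returns 1 when the access must be reported, 0 when it is fine. */
int is_poisoned(size_t addr, size_t size) {
    int8_t k = shadow[addr / 8];
    if (k == 0) return 0;                 /* whole granule addressable */
    if (size == 8) return 1;              /* 8-byte access: any non-zero k */
    return (int)(addr % 8) + (int)size - 1 >= k;   /* last byte beyond k? */
}
```

With a 12-byte allocation, byte 11 is the last addressable one: a 1-byte read at offset 12 and a 4-byte read at offset 10 are both overflows, a read at offset -1 hits the left red zone, and any read after `fake_free` is a use after free.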
  21. AFL++
     • https://github.com/AFLplusplus/AFLplusplus
     • AFL++ is a superior fork to Google's AFL - more speed, more and better mutations, more and better instrumentation, custom module support, etc.
     • cmplog: REDQUEEN
     • power schedule: AFLFast
  22. Fuzzing
     • seed scheduling
       • AFLFast: Coverage-based Greybox Fuzzing as Markov Chain (CCS 2016)
       • MOPT: Optimize Mutation Scheduling for Fuzzers (USENIX 2019)
     • seed selection
       • seed corpus optimization
         • corpus minimization: OptiMin (ISSTA 2021)
       • initial seed selection
         • Seed Selection for Successful Fuzzing (ISSTA 2021)
  23. Fuzzing - mutation
     • FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage (ASE 2018)
     • REDQUEEN: Fuzzing with Input-to-State Correspondence (NDSS 2019)
     • GREYONE: Data Flow Sensitive Fuzzing (USENIX 2020)
  24. Fuzzing - Directed Grey-box Fuzzing
     • AFLGo: Directed Greybox Fuzzing (CCS 2017)
     • Hawkeye: Towards a Desired Directed Grey-box Fuzzer (CCS 2018)
     • SAVIOR: Towards Bug-Driven Hybrid Testing (S&P 2020)
     • ParmeSan: Sanitizer-guided Greybox Fuzzing (USENIX 2020)
     • Constraint-guided Directed Greybox Fuzzing (USENIX 2021)
  25. Fuzzing - research topic
     • data flow analysis (DFA)
       • taint analysis
     • binary instrumentation
       • binary only
       • dynamic instrumentation
     • parallel fuzzing
       • ensemble fuzzing
         • EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers (USENIX 2019)
  26. Fuzzing - research topic
     • symbolic execution
       • KLEESPECTRE: Detecting Information Leakage through Speculative Cache Attacks via Symbolic Execution
     • concolic execution
     • hybrid fuzzing
       • PANGOLIN: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction (S&P 2020)
  27. AFL++
     • afl-fuzz -i input -o output -- ./binary
     • afl-fuzz -i input -o output -- ./binary -a -b
     • afl-fuzz -i input -o output -- ./binary -f @@
  28. AFL++ - dictionary
     • afl-fuzz -i input -o output -x xml.dict -- ./binary
  29. AFL++ - parallel fuzzing
     • afl-fuzz -M main -i input -o sync_dir -- ./binary
     • afl-fuzz -S fuzzer2 -i input -o sync_dir -- ./binary
     • afl-fuzz -S fuzzer3 -i input -o sync_dir -- ./binary
  30. Summary
     • Fuzzing is a novel security testing technique
     • Product Security awareness
     • Building a secure world