SlideShare ist ein Scribd-Unternehmen logo

0-knowledge fuzzing white paper

V
Vincenzo Iozzo

White paper of 0-knowledge fuzzing presentation given at Black Hat DC 2010 by Vincenzo Iozzo

1 von 12
Downloaden Sie, um offline zu lesen
0-knowledge fuzzing Vincenzo Iozzo vincenzo.iozzo@zynamics.com February 9, 2010 Abstract and widely established methodology employed in COTS software vulnerability discovery process. Nowadays fuzzing is a pretty common technique The first appearance of fuzzing in software test- used both by attackers and software developers. ing dates back to 1988 by Professor Barton Currently known techniques usually involve Miller[1]; since then the technique has evolved knowing the protocol/format that needs to be a lot and it is not only used by attackers to dis- fuzzed and having a basic understanding of how cover vulnerabilities but also internally by many the user input is processed inside the binary. companies to find bugs in their software. In the past since fuzzing was little-used obtain- Over the course of time a lot of different imple- ing good results with a small amount of effort mentations of fuzz testing have been researched, was possible. nonetheless it is commonly believed that there Today finding bugs requires digging a lot inside are two predominant approaches to fuzzing: the code and the user-input as common vulner- Mutation-based and Generation-based. abilies are already identified and fixed by devel- The former is based on random mutations of opers. This paper will present an idea on how known well-formed data, whereas the latter cre- to effectively fuzz with no knowledge of the user- ates testing samples using templates describing input and the binary. the format of the software input. Specifically the paper will demonstrate how tech- Both approaches have their advantages and pit- niques like code coverage, data tainting and in- falls. The former requires little effort to be im- memory fuzzing allow to build a smart fuzzer plemented and it is reusable across different soft- with no need to instrument it. ware. Nonetheless given the raising interest com- panies have shown in properly testing and devel- oping products this approach will generally yield 1 Introduction worse results than generation-based fuzzers. The second approach has the advantage of ob- Fuzzing, or fuzz testing, is a software test- taining better results in terms of bugs found, al- ing methodology whose aim is to provide in- though it requires knowledge of the input format valid, unexpected or random inputs to a pro- the binary expects and its reusability is bounded gram. Although the idea behind this technique to binaries that deal with the same input format. is conceptually very simple it is a well known 2
The difficulty of creating input models can range of view. from low for public data formats to almost infea- To the best of the author‘s knowledge there are sible for proprietary formats. no public attempts at combining together these In order to ease the process of creating input techniques for fuzz-testing purposes. A notable templates various approaches have been stud- exception is Flayer which nonetheless only fo- ied, most notably evolutionary fuzzers and in- cuses on dynamic analysis and program paths memory fuzzers. manipulation in order to discover software de- Both are derived from mutation-based fuzzers fects. but for different purposes. The first type of The rest of this paper is organized as follows. fuzzers, in fact, by employing genetic algorithms In section 2 we provide basic background infor- attempts to generate sets of data which resem- mation on the metrics used. Section 3 discusses ble as precisely as possible the input format. The related work. Section 4 presents our approach latter, instead, first requires a human to manu- and implementation. Finally we conclude and ally identify specific functions inside the binary discuss future work directions in Section 5. then mutates the input in-memory in order to prevent data validation which could lead to dif- ferent code paths thus resulting in not fuzzing 2 Background crucial pieces of an application. Evolutionary based fuzzers suffer from the diffi- In this section, we present background informa- culty of identifying proper scoring and mutation tion on static analysis metrics, data tainting, and functions and for this approach to be effective it in-memory fuzzing. usually requires more time than the generation- In our implementation we use primary two static based one. In-memory fuzzing on the other hand analysis techniques: cyclomatic complexity and has a high rate of false positives and negatives loop detection. and it requires an expert reverse engineer in or- Cyclomatic complexity is a software metric used der to identify proper test cases. to determine how complex in terms of code paths In this paper the author presents an approach a function is. The computation is done on the to fuzz testing based on in-memory fuzzing aim- number of edges and nodes a function contains. ing at limiting human intervention and minimiz- Intuitively the more the structure of the function ing the number of false positives and negatives is complicated the more complex the function that currently affects this technique. The pro- is. In [2] the connection between function com- posed methodology employs a range of known plexity and bugs presence has been discussed. metrics from both static and dynamic program Although there is not always a correlation be- analysis together with a new technique for in- tween the two, it is reasonable to assume that memory fuzzing. Specifically we will use data more complex functions are prone to contain tainting for tracking user input, thus being able bugs given the amount of code they contain. to identify locations in-memory suitable for test- Another metric employed is loop detection. This ing; we will also employ static analysis metrics algorithm takes advantage of some properties of in order to identify functions in the binary that a function flowgraph and its dominator tree in can be interesting from a security testing point order to detect loops present in compiled code. 3
This technique is widely used in compilers for op- the technique so that basic blocks execution is timization purposes, and it has some interesting being traced. This implementation does not aspects from a security prospective as well. It take into account code paths and therefore might is commonly known, in fact, that memory write be imprecise in some circumstances, nonetheless often happens inside loops and that most compil- we consider this trade-off to be acceptable as it ers usually inline functions like memcpy so that avoids to overly complicating the implementa- the function will effectively result in a loop. tion and improves the fuzzer performance. Another crucial piece of infrastructure for the proposed fuzzer is the data tainting engine. The goal of data tainting is to gather information on 3 Related work how user input is propagated through a binary. In this section we will briefly describe exist- The concept of data tainting is intuitively very ing approaches to data tainting and in-memory simple, one or more markings are associated with fuzzing together with a brief description of some data supposedly representing the user in- Flayer[3] being it the closest work to the one de- put and those markings are propagated follow- scribed in this paper. ing the program flow. Although it is possible to perform data tainting using static analysis the 3.1 Existing in-memory fuzzing im- complexity of the task and the possible incom- plementations plete set of information led the author to choose a dynamic analysis approach to the problem by taking advantage of an existing dynamic data tainting framework called Dytan[6]. Using dy- namic data tainting has the benefit of obtain- ing more precise and richer information on data propagation although it will not be able to ex- plore program paths that are not executed at (a) Mutation loop insertion run-time. Given the nature of the fuzzer, ob- taining information on non-executed code paths is of no interest as in-memory fuzzing relies on the ability to reach code paths by mutating a set of known good data. Finally in order to monitor the effectiveness of our fuzzer, we employ a software testing mea- sure known as code coverage. This technique (b) Snapshot restoration verifies the degree to which the code of a pro- mutation gram has been tested by tracing the execution of the binary. Although there are many differ- Figure 1: Known implementations of in-memory ent implementations of code coverage all using fuzzing different criteria in terms of the kind of informa- tion to record, the author decided to implement To the best of the author‘s knowledge in- 4
memory fuzzing was first introduced to the pub- of software. A lot of implementations of data lic by Greg Hoglund of HBGary in [4] and later tainting frameworks exist, for this reason the further developed by Amini at al[5]. Currently author decided to use a framework previously there are two public methods: Mutation loop in- created by James Clause and Alessando Orso of sertion and snapshot restoration mutation. Gatech called Dytan[6]. The decision was made The first method works by inserting an uncon- based on a number of requirements. ditional jump from the function being tested to First and foremost the ability to instrument bi- a function responsible for mutating the data re- naries without any recompilation or access to the siding in the process address space of the fuzzed source code. binary. At the end of the mutation function an- Another very important requirement was porta- other unconditional jump to the beginning of the bility, most of the existing implementations are currently tested function is inserted. The control based on Valgrind[7] which does not support the flow graph of this approach is shown in 1(a). Windows platform. The two most appealing This approach suffers of a number of drawbacks candidates were Temu[9] and Dytan. with a high rate of false negatives and stack con- The first one is built on the top of a modified sumption being the two major ones. Another version of Qemu[8]. Although this would have disadvantage of this method is the general insta- respected both the initial requirements we think bility of the memory after a few fuzzing itera- that a data tainting framework based on a vir- tions. tual machine emulator is overkill for our goals. The second approach works by inserting an un- Besides the implementation in the author‘s opin- conditional jump from the beginning of the func- ion is not yet robust enough. tion being tested to a function responsible of tak- Dytan is implemented as a pintool[16]. It is a ing a memory snapshot. This function will later flexible framework and can run on both Linux call again the tested function. At the end of the and Windows. analyzed function another unconditional jump is inserted. The jump points to a function respon- 3.3 Additional related work sible of restoring the memory, fuzzing data and executing again the fuzzed function. A control As already mentioned in the previous section flow diagram employing this approach is shown Flayer[3] is the most similar work to the ap- in Figure 1(b). Although this method has some proach discussed in this paper. The software advantages in respect to the first one described, combines data tainting and the ability to force code paths. Differently from many other data it still suffers from a high false positives rate and it is also slower given the need of continuously tainting tools Flayer has bit-precision markings. having to restore process memory. Although this grants a higher degree of precision in obtaining information on data propagation for 3.2 Existing data tainting implemen- the purpose of our work byte-precision markings are detailed enough. tations Another limitation is the software the tool is Dynamic data tainting has gained momentum in based on; as already mentioned Valgrind does the last few years given the increase complexity not support Windows which severly impairs the 5
usefulness of the tool. should be replaced by a more sophisticated ap- Finally even if the main aim of the tool is not proach which takes into account scores coming fuzzing it has the ability of forcing code paths from various metrics and weights them in respect and therefore it can be used to test various code to their relevance from a security prospective. paths. This method has three main drawbacks; the first one is a high number of false positives, the second one is the absence of a sample which can be later used by the attacker to reproduce the bug and finally a problem known as code- path explosion. This problem arises because the number of code paths to force increases exponen- tially with the complexity of the software. Figure 3: The edge in red is missed by the ap- 4 Proposed approach and im- proximative cyclomatic complexity formula. plementation Cyclomatic complexity Cyclomatic com- plexity was first described by Robert McCabe in [10]. The purpose of this metric is to calcu- late the number of independent paths in a code section. Many formulation of this metric have been given, we briefly explain the ones that are Figure 2: Fuzzer components relevant to our fuzzer. In this section we will present the idea and Definition Let G be a flowgraph, E the num- implementation of our work. As shown in Figure ber of edges in G, N the number of nodes in G 2 our fuzzer can be divided into 4 parts. and P the number of connected components in G. Cyclomatic complexity is defined as: 4.1 Static analysis metrics M = E − N + 2P (1) Static analysis algorithms are used to determine which functions could be potentially of inter- A connected component is a subgraph in which est for our fuzzer. We assign a higher score to any two vertices are connected to each other by functions that have a high cyclomatic complex- paths. This formula originates from the cyclo- ity score and at least one loop in them; we then matic number: consider all the functions that have loops but a low cyclomatic complexity score and finally we Definition Let G be a strongly connected take into account the remaining functions. Ide- graph, E the number of edges in G, N the ally we will add more metrics to the implementa- number of nodes in G and P the number of tion, therefore this rather trivial scoring system connected components in G. 6
The Cyclomatic number is defined as: V (G) = E − N + P (2) It should be notice that the cyclomatic num- (a) A (b) Domi- (c) The ber can be calculated only on strongly connected function nator tree nodes graphs, that is a graph in which from every pair flowgraph, of the in green of vertices there is a direct path connecting them nodes in previous dominate in both directions. McCabe proved that the flow- blue belong function, the node in to a loop nodes red in the graph of a function with a single entry point and in green dominator a single exit point can be considered a strongly correspond tree connected graph and therefore the cyclomatic to the number theorem applies and that P = 1, thus blue ones the resulting simplified formula is: highlighted in picture (a) M =E−N +2 (3) Intuitively when a flowgraph has multiple exit Figure 4: Graphs used in loop detection algo- points the aforementioned formula doesnt hold rithm true anymore. Another one should be therefore used: Loop detection algorithm As previously mentioned another metric, loop detection, is Definition Let G be a flowgraph, π the number used to select functions. The first required step of decision points in G and s the number of exit is to extract the dominator tree out of a function. points in G. Cyclomatic complexity is defined Formally: as: Definition A dominator tree is a tree where M =π−s+2 (4) each node‘s children are the nodes it immedi- ately dominates. Applying (3) to functions with multiple exit A node d is said to dominate node k if every points we will have, in fact, lower cyclomatic path from the start node s to node k must go complexity values by a minimum factor of 2. Fig- throught node d. ure 3 shows typical edges and connected com- ponents missed by using (3). To give a visual example of a dominator tree Nonetheless the author believes that the less pre- of a function please refer to Figure 4. Nodes in cise measurement can be used without impairing blue in Figure 4(a) are highlighted in the dom- the results. inator tree in green in Figure 4(b). We implemented cyclomatic complexity calcula- There are two known algorithms used to cal- tion for each function in a module by using Bin- culate the dominator tree of a flowgraph. It Navi API. A detailed explanation of the imple- is out of the scope of this paper to discuss mentation can be found in[11]. them. It should be noticed, though, that the 7
tool upon which we built our loop detection Each data tainting implementation can choose algorithm, BinNavi[12], implements Lengauer- the type of markings to use, more precisely it Tarjan[13] dominator tree algorithm which is al- is possible to determine the granularity of those most linear thus granting us a higher computa- markings. tional speed. Dytan is able to either assign a single marking to The second step is to calculate for each node its each piece of input or have byte-level markings. dominators. In Figure 4(c) the dominators of We chose to use the second type of markings as the node in red are the ones in green. it is more precise but at the same time does not The last step is to search for edges from a node cause an excessive overhead during the execu- to one of its dominators. Recalling the definition tion. of domination it is trivial to show that if there In order to make data tainting work it is impor- is an edge from a node to one of its dominators tant to define what data needs to be tracked. In a loop is present. Dytan it is possible to track user input coming Most complex assembly instruction sets have from network operations, files access and com- what are called implicit loops instruction, for in- mand line arguments passed to the main() func- stance rep movs in x86 ISA. Applying this al- tion. That is system calls and functions respon- gorithm to a flowgraph will therefore miss this sible for the aforementioned input sources are type of loops. monitored and their output is tracked through In order to overcome this problem we will trans- the binary. late the function to an intermediate language Another important factor to take into account called REIL[14] implemented in BinNavi. This while implementing a data tainting tool is a intermediate language provides a very small set propagation policy. of instructions which helps in the process of un- A propagation policy is a set of rules followed folding implicit loops. while taint markings are assigned during pro- In [15] a detailed implementation of this algo- gram execution. rithm can be found. Dytan currently is able to perform control and data-flow or data-flow only analysis. The former 4.2 Data tainting tracks direct or transitive data assignments as well as indirect propagation due to control flow As stated before the author did not implement dependencies upon user input. The latter in- the data tainting framework employed by the stead can only track direct and transitive data fuzzer, nonetheless given the critical importance assignments. In our fuzzer we use the second of data tainting for this project the author thinks approach as control flow analysis does not add it is important to briefly describe how dytan any useful information on data locations to be works and how we use this framework for our tested. purposes. Another problem to tackle while creating a prop- We previously mentioned that data tainting is a agation policy is how to deal with multiple mark- technique to track user input inside a binary. ings assigned to the same input. Dytan currently Tracking is usually performed by assigning mark- assigns to the resulting taint marking the union ings to data while executing the binary. of all the taint markings related to it. Although 8
for our fuzzer a different approach might grant At point 1 we search for the address of the func- better results we currently use the default dytan tion we are interested in fuzzing and install the policy. analysis function for that function. At point 2 Finally we make dytan provide information on we iterate through function instructions locating every instruction that assigns taint markings. the ones that are of interest in order to install an That is for each of those instructions we obtain analysis function as described in 3. the state of taint markings on machine registers The first approach consists of mutating memory and on memory locations that are tainted at that locations and registers in place. That is instead specific program point. of allocating new memory and pointing instruc- tions operands to it we modify the content of both memory locations and registers within their 4.3 In-memory fuzzing length boundaries. We presented in section 3 the two known ap- We then continue the program execution until proaches to in-memory fuzzing. In this section the program quits or new data is obtained from we are going to present two slightly different ap- a tainted source. proaches which we believe to gain better results This approach is more conservative than all the given the amount of information we can gather others as it does not change the memory layout from data tainting analysis. thus the number of false positives is reduced but We implemented our in-memory fuzzer on top at the expenses of an increased number of false of PIN[16]. PIN has the ability to add instru- negatives. mentation functions before and after a binary is The second approach works very similar to SRM loaded in memory, functions and instructions. 1(b). In addition to the first three steps we also Recalling that for each instruction that assigns add an instrumentation functions at the end of taint markings we retrieve from data tainting the tested function. This function will be re- analysis, we get the markings associated to ma- sponsible of restoring memory after fuzzing was chine registers and memory locations, we are performed. With the second approach the mem- able to precisely identify program points during ory layout is changed as the fuzzer will allocate binary execution that are suitable for fuzzing. chunks of memory to be used during the fuzzing For both approaches we perform a number of phase. steps: As for the first approach the program execution is continued until the application quits or new 1. Install an analysis function on image load- data is obtained from a tainted source. ing. Although our second approach is similar to SRM there are a few notable differences that have to 2. Install an analysis function before the func- be considered. First we do not take a full snap- tion we are interesting in fuzzing is exe- shot of the process memory but we only track cuted. modifications that occurred due to fuzzing dur- ing the execution of the tested function. The 3. Install an analysis function before each in- second difference is that memory is not totally struction that assigns taint markings. restored after the function was fuzzed, this can 9
allow us to reduce the number of false negatives The following must hold true: since possible bugs caused by a faulty execution of the function are not missed by restoring the C1 ≤ C + t (5) full process memory. The halting point is defined as: It has to be noted that both approaches de- scribed here although more effective cannot be C1 = C + t (6) used without a proper amount of information gathered by the means of data tainting analy- The code coverage score is calculated as fol- sis or some similar techniques. lows: Definition Let BBt be the totality of basic 4.4 Code coverage blocks in a binary, BBf the number of basic blocks touched in a single execution. The combination of code coverage with fuzz test- The code coverage score is defined as: ing has long been used in order to measure the effectiveness of fuzzing. We implemented code BBf coverage on the top of BinNavi debugging API. C= (7) BBt The choice of using BinNavi debugger serves a double purpose, not only we are able to imple- A detailed implementation of code coverage ment code coverage using lightwave breakpoints using BinNavi API can be found in [17]. which highly reduce execution overhead but we are also able to monitor the execution for possi- 5 Results and future work ble faults. We decided to implement code cov- erage at basic blocks level, that is a breakpoint In this paper we have described a new approach is set at the beginning of each basic block in the to fuzz testing which highly reduce instrumenta- tested binary. We perform code coverage first tion costs thus resulting very useful when dealing when the binary is executed with a known good with large proprietary applications. sample, later it is calculated again every time We have also shown how it is possible to com- the program is fuzzed. We require the fuzzing bine static and dynamic analysis techniques to sample to perform at least as good as the known triage interesting functions from a security test- good sample, we also set a threshold defining the ing point of view. upper-bound after which the sample reaches the Finally we have proposed a new approach to in- ”halting point”. The ”halting point” is the point memory fuzzing which is more precise and less where the fuzzing process is re-initialized with a prone to false negatives than previous known new known good sample as shown in Figure 2. techniques. Formally: We do not have enough data to determine whether this approach has better results com- Definition Let C be the code coverage score pared to other fuzzing techniques. of a known good sample, C1 the code coverage The author believes that compared to other score of a fuzzing sample, t a user supplied mutation-based and evolutionary-based method- delta. ologies the one proposed in this paper will have 10
better results. In comparison to generation- first USENIX workshop on Offensive Tech- based fuzzers our technique will have better re- nologies. sults when dealing with complex software but worse results when the software input is simple. [4] G. Hoglund: Runtime Decompilation: The The main direction of future work will be focused GreyBox process for Exploiting Software, on reducing false positives by employing con- Black Hat DC 2003 straint reasoners to determine whether a given [5] M. Sutton, A. Greene, P. Amini: bug is reproducible with valid but unexpected Fuzzing:brute force vulnerability discovery. input. Addison-Wesley. Another important challenge is to implement more static analysis metrics to triage functions [6] J.Clause, W. Li, A. Orso: Dytan:a generic with a higher degree of precision. dynamic taint analysis framework, Proceed- ings of the 2007 international symposium on Software testing and analysis Acknowledgments [7] Valgrind: http://www.valgrind.org The author would like to thank Thomas Dullien, [8] Qemu: http://www.qemu.org Dino Dai Zovi and Shauvik Roy Choudhary for their suggestions and help while researching the [9] Temu:http://bitblaze.cs.berkeley.edu/temu.html topic. The author would also like to thank James [10] T. J. McCabe: A Complexity measure, Clause and Alessandro Orso for having provided IEEE transactions on software engineering, access to dytan source code and their help while vol. se-2, no.4, december 1976 testing and improving the original code base. [11] V. Iozzo: Scripting with BinNavi - Cyclo- Finally we want to thank all the people who have matic Complexity reviewed the paper. [12] BinNavi: http://www.zynamics.com/binnavi.html References [13] T. Lengauer and R. E. Tarjan: A fast algo- rithm for nding dominators in a owgraph, [1] B.P. Miller, L. Fredriksen, and B. So: ”An ACM Transactions on Programming Lan- Empirical Study of the Reliability of UNIX guages and Systems Utilities”, Communications of the ACM 33, [14] T. Dullien, S. Porst: REIL: A platform- 12 (December 1990) independent intermediate representation of [2] Kan: Metrics and Models in Software disassembled code for static code analysis, Quality Engineering. Addison-Wesley. pp. CanSecWest 2009 316317. [15] V. Iozzo: Finding interesting loops us- ing(Mono)REIL [3] W. Drewry, T. Ormandy: Flayer:exposing application internals, Proceedings of the [16] PIN: http://www.pintool.org 11
[17] V. Iozzo: Code coverage and BinNavi 12

Empfohlen

IEEE BE-BTECH NS2 PROJECT@ DREAMWEB TECHNO SOLUTION
IEEE BE-BTECH NS2 PROJECT@ DREAMWEB TECHNO SOLUTIONIEEE BE-BTECH NS2 PROJECT@ DREAMWEB TECHNO SOLUTION
IEEE BE-BTECH NS2 PROJECT@ DREAMWEB TECHNO SOLUTIONranjith kumar
 
Ieee transactions on 2018 TOPICS with Abstract in audio, speech, and language...
Ieee transactions on 2018 TOPICS with Abstract in audio, speech, and language...Ieee transactions on 2018 TOPICS with Abstract in audio, speech, and language...
Ieee transactions on 2018 TOPICS with Abstract in audio, speech, and language...tsysglobalsolutions
 
Sentiment analysis by deep learning approaches
Sentiment analysis by deep learning approachesSentiment analysis by deep learning approaches
Sentiment analysis by deep learning approachesTELKOMNIKA JOURNAL
 
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...Jason Papapanagiotakis
 
Machine Learning for Efficient Neighbor Selection in ...
Machine Learning for Efficient Neighbor Selection in ...Machine Learning for Efficient Neighbor Selection in ...
Machine Learning for Efficient Neighbor Selection in ...butest
 
Supervised Approach to Extract Sentiments from Unstructured Text
Supervised Approach to Extract Sentiments from Unstructured TextSupervised Approach to Extract Sentiments from Unstructured Text
Supervised Approach to Extract Sentiments from Unstructured TextInternational Journal of Engineering Inventions www.ijeijournal.com
 
L1803058388
L1803058388L1803058388
L1803058388IOSR Journals
 
2224d_final
2224d_final2224d_final
2224d_finalSeth Hildick-Smith
 

Empfohlen

IEEE BE-BTECH NS2 PROJECT@ DREAMWEB TECHNO SOLUTION
IEEE BE-BTECH NS2 PROJECT@ DREAMWEB TECHNO SOLUTIONIEEE BE-BTECH NS2 PROJECT@ DREAMWEB TECHNO SOLUTION
IEEE BE-BTECH NS2 PROJECT@ DREAMWEB TECHNO SOLUTIONranjith kumar
 
Ieee transactions on 2018 TOPICS with Abstract in audio, speech, and language...
Ieee transactions on 2018 TOPICS with Abstract in audio, speech, and language...Ieee transactions on 2018 TOPICS with Abstract in audio, speech, and language...
Ieee transactions on 2018 TOPICS with Abstract in audio, speech, and language...tsysglobalsolutions
 
Sentiment analysis by deep learning approaches
Sentiment analysis by deep learning approachesSentiment analysis by deep learning approaches
Sentiment analysis by deep learning approachesTELKOMNIKA JOURNAL
 
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...Jason Papapanagiotakis
 
Machine Learning for Efficient Neighbor Selection in ...
Machine Learning for Efficient Neighbor Selection in ...Machine Learning for Efficient Neighbor Selection in ...
Machine Learning for Efficient Neighbor Selection in ...butest
 
Supervised Approach to Extract Sentiments from Unstructured Text
Supervised Approach to Extract Sentiments from Unstructured TextSupervised Approach to Extract Sentiments from Unstructured Text
Supervised Approach to Extract Sentiments from Unstructured TextInternational Journal of Engineering Inventions www.ijeijournal.com
 
L1803058388
L1803058388L1803058388
L1803058388IOSR Journals
 
2224d_final
2224d_final2224d_final
2224d_finalSeth Hildick-Smith
 
ScalaItaly 2015 - Your Microservice as a Function
ScalaItaly 2015 - Your Microservice as a FunctionScalaItaly 2015 - Your Microservice as a Function
ScalaItaly 2015 - Your Microservice as a FunctionPhil Calçado
 
IRJET - Mobile Chatbot for Information Search
IRJET - Mobile Chatbot for Information Search IRJET - Mobile Chatbot for Information Search
IRJET - Mobile Chatbot for Information SearchIRJET Journal
 
A MULTI-LAYER HYBRID TEXT STEGANOGRAPHY FOR SECRET COMMUNICATION USING WORD T...
A MULTI-LAYER HYBRID TEXT STEGANOGRAPHY FOR SECRET COMMUNICATION USING WORD T...A MULTI-LAYER HYBRID TEXT STEGANOGRAPHY FOR SECRET COMMUNICATION USING WORD T...
A MULTI-LAYER HYBRID TEXT STEGANOGRAPHY FOR SECRET COMMUNICATION USING WORD T...IJNSA Journal
 
Meetup 22/2/2018 - Artificiële Intelligentie & Human Resources
Meetup 22/2/2018 - Artificiële Intelligentie & Human ResourcesMeetup 22/2/2018 - Artificiële Intelligentie & Human Resources
Meetup 22/2/2018 - Artificiële Intelligentie & Human ResourcesDigipolis Antwerpen
 
Applying Machine Learning to Software Clustering
Applying Machine Learning to Software ClusteringApplying Machine Learning to Software Clustering
Applying Machine Learning to Software Clusteringbutest
 
IRJET- Survey for Amazon Fine Food Reviews
IRJET- Survey for Amazon Fine Food ReviewsIRJET- Survey for Amazon Fine Food Reviews
IRJET- Survey for Amazon Fine Food ReviewsIRJET Journal
 
Sentence compression via clustering of dependency graph nodes - NLP-KE 2012
Sentence compression via clustering of dependency graph nodes - NLP-KE 2012Sentence compression via clustering of dependency graph nodes - NLP-KE 2012
Sentence compression via clustering of dependency graph nodes - NLP-KE 2012Ayman El-Kilany
 
Bayesian distance metric learning and its application in automatic speaker re...
Bayesian distance metric learning and its application in automatic speaker re...Bayesian distance metric learning and its application in automatic speaker re...
Bayesian distance metric learning and its application in automatic speaker re...IJECEIAES
 
IRJET-A Novel Approaches for Motif Discovery using Data Mining Algorithm
IRJET-A Novel Approaches for Motif Discovery using Data Mining AlgorithmIRJET-A Novel Approaches for Motif Discovery using Data Mining Algorithm
IRJET-A Novel Approaches for Motif Discovery using Data Mining AlgorithmIRJET Journal
 
Impact of design complexity on software quality - A systematic review
Impact of design complexity on software quality - A systematic reviewImpact of design complexity on software quality - A systematic review
Impact of design complexity on software quality - A systematic reviewAnh Nguyen Duc
 
Failure of A Mix Network
Failure of A Mix NetworkFailure of A Mix Network
Failure of A Mix NetworkIJNSA Journal
 
Finding Bad Code Smells with Neural Network Models
Finding Bad Code Smells with Neural Network Models Finding Bad Code Smells with Neural Network Models
Finding Bad Code Smells with Neural Network Models IJECEIAES
 
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...ijaia
 
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...gerogepatton
 
Performance analysis of linkage learning techniques in genetic algorithms
Performance analysis of linkage learning techniques in genetic algorithmsPerformance analysis of linkage learning techniques in genetic algorithms
Performance analysis of linkage learning techniques in genetic algorithmseSAT Journals
 
Performance analysis of linkage learning techniques
Performance analysis of linkage learning techniquesPerformance analysis of linkage learning techniques
Performance analysis of linkage learning techniqueseSAT Publishing House
 
How to really obfuscate your pdf malware
How to really obfuscate your pdf malwareHow to really obfuscate your pdf malware
How to really obfuscate your pdf malwarezynamics GmbH
 
Packer Genetics: The selfish code
Packer Genetics: The selfish codePacker Genetics: The selfish code
Packer Genetics: The selfish codejduart
 
ShaREing is Caring
ShaREing is CaringShaREing is Caring
ShaREing is Caringzynamics GmbH
 
0-knowledge fuzzing
0-knowledge fuzzing0-knowledge fuzzing
0-knowledge fuzzingVincenzo Iozzo
 
Introduction to mobile reversing
Introduction to mobile reversingIntroduction to mobile reversing
Introduction to mobile reversingjduart
 
Uni mannheim debuggers
Uni mannheim debuggersUni mannheim debuggers
Uni mannheim debuggerszynamics GmbH
 

Weitere ähnliche Inhalte

Was ist angesagt?

ScalaItaly 2015 - Your Microservice as a Function
ScalaItaly 2015 - Your Microservice as a FunctionScalaItaly 2015 - Your Microservice as a Function
ScalaItaly 2015 - Your Microservice as a FunctionPhil Calçado
 
IRJET - Mobile Chatbot for Information Search
IRJET - Mobile Chatbot for Information Search IRJET - Mobile Chatbot for Information Search
IRJET - Mobile Chatbot for Information SearchIRJET Journal
 
A MULTI-LAYER HYBRID TEXT STEGANOGRAPHY FOR SECRET COMMUNICATION USING WORD T...
A MULTI-LAYER HYBRID TEXT STEGANOGRAPHY FOR SECRET COMMUNICATION USING WORD T...A MULTI-LAYER HYBRID TEXT STEGANOGRAPHY FOR SECRET COMMUNICATION USING WORD T...
A MULTI-LAYER HYBRID TEXT STEGANOGRAPHY FOR SECRET COMMUNICATION USING WORD T...IJNSA Journal
 
Meetup 22/2/2018 - Artificiële Intelligentie & Human Resources
Meetup 22/2/2018 - Artificiële Intelligentie & Human ResourcesMeetup 22/2/2018 - Artificiële Intelligentie & Human Resources
Meetup 22/2/2018 - Artificiële Intelligentie & Human ResourcesDigipolis Antwerpen
 
Applying Machine Learning to Software Clustering
Applying Machine Learning to Software ClusteringApplying Machine Learning to Software Clustering
Applying Machine Learning to Software Clusteringbutest
 
IRJET- Survey for Amazon Fine Food Reviews
IRJET- Survey for Amazon Fine Food ReviewsIRJET- Survey for Amazon Fine Food Reviews
IRJET- Survey for Amazon Fine Food ReviewsIRJET Journal
 
Sentence compression via clustering of dependency graph nodes - NLP-KE 2012
Sentence compression via clustering of dependency graph nodes - NLP-KE 2012Sentence compression via clustering of dependency graph nodes - NLP-KE 2012
Sentence compression via clustering of dependency graph nodes - NLP-KE 2012Ayman El-Kilany
 
Bayesian distance metric learning and its application in automatic speaker re...
Bayesian distance metric learning and its application in automatic speaker re...Bayesian distance metric learning and its application in automatic speaker re...
Bayesian distance metric learning and its application in automatic speaker re...IJECEIAES
 
IRJET-A Novel Approaches for Motif Discovery using Data Mining Algorithm
IRJET-A Novel Approaches for Motif Discovery using Data Mining AlgorithmIRJET-A Novel Approaches for Motif Discovery using Data Mining Algorithm
IRJET-A Novel Approaches for Motif Discovery using Data Mining AlgorithmIRJET Journal
 
Impact of design complexity on software quality - A systematic review
Impact of design complexity on software quality - A systematic reviewImpact of design complexity on software quality - A systematic review
Impact of design complexity on software quality - A systematic reviewAnh Nguyen Duc
 
Failure of A Mix Network
Failure of A Mix NetworkFailure of A Mix Network
Failure of A Mix NetworkIJNSA Journal
 
Finding Bad Code Smells with Neural Network Models
Finding Bad Code Smells with Neural Network Models Finding Bad Code Smells with Neural Network Models
Finding Bad Code Smells with Neural Network Models IJECEIAES
 
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...ijaia
 
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...gerogepatton
 
Performance analysis of linkage learning techniques in genetic algorithms
Performance analysis of linkage learning techniques in genetic algorithmsPerformance analysis of linkage learning techniques in genetic algorithms
Performance analysis of linkage learning techniques in genetic algorithmseSAT Journals
 
Performance analysis of linkage learning techniques
Performance analysis of linkage learning techniquesPerformance analysis of linkage learning techniques
Performance analysis of linkage learning techniqueseSAT Publishing House
 

Was ist angesagt? (16)

ScalaItaly 2015 - Your Microservice as a Function
ScalaItaly 2015 - Your Microservice as a FunctionScalaItaly 2015 - Your Microservice as a Function
ScalaItaly 2015 - Your Microservice as a Function
 
IRJET - Mobile Chatbot for Information Search
IRJET - Mobile Chatbot for Information Search IRJET - Mobile Chatbot for Information Search
IRJET - Mobile Chatbot for Information Search
 
A MULTI-LAYER HYBRID TEXT STEGANOGRAPHY FOR SECRET COMMUNICATION USING WORD T...
A MULTI-LAYER HYBRID TEXT STEGANOGRAPHY FOR SECRET COMMUNICATION USING WORD T...A MULTI-LAYER HYBRID TEXT STEGANOGRAPHY FOR SECRET COMMUNICATION USING WORD T...
A MULTI-LAYER HYBRID TEXT STEGANOGRAPHY FOR SECRET COMMUNICATION USING WORD T...
 
Meetup 22/2/2018 - Artificiële Intelligentie & Human Resources
Meetup 22/2/2018 - Artificiële Intelligentie & Human ResourcesMeetup 22/2/2018 - Artificiële Intelligentie & Human Resources
Meetup 22/2/2018 - Artificiële Intelligentie & Human Resources
 
Applying Machine Learning to Software Clustering
Applying Machine Learning to Software ClusteringApplying Machine Learning to Software Clustering
Applying Machine Learning to Software Clustering
 
IRJET- Survey for Amazon Fine Food Reviews
IRJET- Survey for Amazon Fine Food ReviewsIRJET- Survey for Amazon Fine Food Reviews
IRJET- Survey for Amazon Fine Food Reviews
 
Sentence compression via clustering of dependency graph nodes - NLP-KE 2012
Sentence compression via clustering of dependency graph nodes - NLP-KE 2012Sentence compression via clustering of dependency graph nodes - NLP-KE 2012
Sentence compression via clustering of dependency graph nodes - NLP-KE 2012
 
Bayesian distance metric learning and its application in automatic speaker re...
Bayesian distance metric learning and its application in automatic speaker re...Bayesian distance metric learning and its application in automatic speaker re...
Bayesian distance metric learning and its application in automatic speaker re...
 
IRJET-A Novel Approaches for Motif Discovery using Data Mining Algorithm
IRJET-A Novel Approaches for Motif Discovery using Data Mining AlgorithmIRJET-A Novel Approaches for Motif Discovery using Data Mining Algorithm
IRJET-A Novel Approaches for Motif Discovery using Data Mining Algorithm
 
Impact of design complexity on software quality - A systematic review
Impact of design complexity on software quality - A systematic reviewImpact of design complexity on software quality - A systematic review
Impact of design complexity on software quality - A systematic review
 
Failure of A Mix Network
Failure of A Mix NetworkFailure of A Mix Network
Failure of A Mix Network
 
Finding Bad Code Smells with Neural Network Models
Finding Bad Code Smells with Neural Network Models Finding Bad Code Smells with Neural Network Models
Finding Bad Code Smells with Neural Network Models
 
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
 
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
 
Performance analysis of linkage learning techniques in genetic algorithms
Performance analysis of linkage learning techniques in genetic algorithmsPerformance analysis of linkage learning techniques in genetic algorithms
Performance analysis of linkage learning techniques in genetic algorithms
 
Performance analysis of linkage learning techniques
Performance analysis of linkage learning techniquesPerformance analysis of linkage learning techniques
Performance analysis of linkage learning techniques
 

Andere mochten auch

How to really obfuscate your pdf malware
How to really obfuscate your pdf malwareHow to really obfuscate your pdf malware
How to really obfuscate your pdf malwarezynamics GmbH
 
Packer Genetics: The selfish code
Packer Genetics: The selfish codePacker Genetics: The selfish code
Packer Genetics: The selfish codejduart
 
Introduction to mobile reversing
Introduction to mobile reversingIntroduction to mobile reversing
Introduction to mobile reversingjduart
 
Uni mannheim debuggers
Uni mannheim debuggersUni mannheim debuggers
Uni mannheim debuggerszynamics GmbH
 
Formale Methoden im Reverse Engineering
Formale Methoden im Reverse EngineeringFormale Methoden im Reverse Engineering
Formale Methoden im Reverse Engineeringzynamics GmbH
 
Architectural Diversity (German)
Architectural Diversity (German)Architectural Diversity (German)
Architectural Diversity (German)zynamics GmbH
 

Andere mochten auch (8)

How to really obfuscate your pdf malware
How to really obfuscate your pdf malwareHow to really obfuscate your pdf malware
How to really obfuscate your pdf malware
 
Packer Genetics: The selfish code
Packer Genetics: The selfish codePacker Genetics: The selfish code
Packer Genetics: The selfish code
 
ShaREing is Caring
ShaREing is CaringShaREing is Caring
ShaREing is Caring
 
0-knowledge fuzzing
0-knowledge fuzzing0-knowledge fuzzing
0-knowledge fuzzing
 
Introduction to mobile reversing
Introduction to mobile reversingIntroduction to mobile reversing
Introduction to mobile reversing
 
Uni mannheim debuggers
Uni mannheim debuggersUni mannheim debuggers
Uni mannheim debuggers
 
Formale Methoden im Reverse Engineering
Formale Methoden im Reverse EngineeringFormale Methoden im Reverse Engineering
Formale Methoden im Reverse Engineering
 
Architectural Diversity (German)
Architectural Diversity (German)Architectural Diversity (German)
Architectural Diversity (German)
 

Ähnlich wie 0-knowledge fuzzing white paper

Implementation of reducing features to improve code change based bug predicti...
Implementation of reducing features to improve code change based bug predicti...Implementation of reducing features to improve code change based bug predicti...
Implementation of reducing features to improve code change based bug predicti...eSAT Journals
 
Elements of legacy program complexity
Elements of legacy program complexityElements of legacy program complexity
Elements of legacy program complexityeSAT Journals
 
2012 ieee projects software engineering @ Seabirds ( Trichy, Chennai, Pondich...
2012 ieee projects software engineering @ Seabirds ( Trichy, Chennai, Pondich...2012 ieee projects software engineering @ Seabirds ( Trichy, Chennai, Pondich...
2012 ieee projects software engineering @ Seabirds ( Trichy, Chennai, Pondich...SBGC
 
A review paper: optimal test cases for regression testing using artificial in...
A review paper: optimal test cases for regression testing using artificial in...A review paper: optimal test cases for regression testing using artificial in...
A review paper: optimal test cases for regression testing using artificial in...IJECEIAES
 
IRJET - Neural Network based Leaf Disease Detection and Remedy Recommenda...
IRJET - Neural Network based Leaf Disease Detection and Remedy Recommenda...IRJET - Neural Network based Leaf Disease Detection and Remedy Recommenda...
IRJET - Neural Network based Leaf Disease Detection and Remedy Recommenda...IRJET Journal
 
Data mining for_java_and_dot_net 2016-17
Data mining for_java_and_dot_net 2016-17Data mining for_java_and_dot_net 2016-17
Data mining for_java_and_dot_net 2016-17redpel dot com
 
The International Journal of Engineering and Science (IJES)
The International Journal of Engineering and Science (IJES)The International Journal of Engineering and Science (IJES)
The International Journal of Engineering and Science (IJES)theijes
 
IRJET- A Detailed Analysis on Windows Event Log Viewer for Faster Root Ca...
IRJET- A Detailed Analysis on Windows Event Log Viewer for Faster Root Ca...IRJET- A Detailed Analysis on Windows Event Log Viewer for Faster Root Ca...
IRJET- A Detailed Analysis on Windows Event Log Viewer for Faster Root Ca...IRJET Journal
 
Automatic binary deobfuscation
Automatic binary deobfuscationAutomatic binary deobfuscation
Automatic binary deobfuscationUltraUploader
 
IRJET- Detection and Recognition of Hypertexts in Imagery using Text Reco...
IRJET- Detection and Recognition of Hypertexts in Imagery using Text Reco...IRJET- Detection and Recognition of Hypertexts in Imagery using Text Reco...
IRJET- Detection and Recognition of Hypertexts in Imagery using Text Reco...IRJET Journal
 
IRJET- Plagiarism Checker
IRJET- Plagiarism CheckerIRJET- Plagiarism Checker
IRJET- Plagiarism CheckerIRJET Journal
 
Christopher N. Bull History-Sensitive Detection of Design Flaws B ...
Christopher N. Bull History-Sensitive Detection of Design Flaws B ...Christopher N. Bull History-Sensitive Detection of Design Flaws B ...
Christopher N. Bull History-Sensitive Detection of Design Flaws B ...butest
 
Whitepaper- User Behavior-Based Anomaly Detection for Cyber Network Security
Whitepaper- User Behavior-Based Anomaly Detection for Cyber Network SecurityWhitepaper- User Behavior-Based Anomaly Detection for Cyber Network Security
Whitepaper- User Behavior-Based Anomaly Detection for Cyber Network SecurityHappiest Minds Technologies
 
Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...
Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...
Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...ijtsrd
 
ANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCE
ANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCEANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCE
ANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCEijesajournal
 
ANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCE
ANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCEANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCE
ANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCEijesajournal
 
ANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCE
ANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCEANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCE
ANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCEijesajournal
 

Ähnlich wie 0-knowledge fuzzing white paper (20)

Implementation of reducing features to improve code change based bug predicti...
Implementation of reducing features to improve code change based bug predicti...Implementation of reducing features to improve code change based bug predicti...
Implementation of reducing features to improve code change based bug predicti...
 
Elements of legacy program complexity
Elements of legacy program complexityElements of legacy program complexity
Elements of legacy program complexity
 
2012 ieee projects software engineering @ Seabirds ( Trichy, Chennai, Pondich...
2012 ieee projects software engineering @ Seabirds ( Trichy, Chennai, Pondich...2012 ieee projects software engineering @ Seabirds ( Trichy, Chennai, Pondich...
2012 ieee projects software engineering @ Seabirds ( Trichy, Chennai, Pondich...
 
A review paper: optimal test cases for regression testing using artificial in...
A review paper: optimal test cases for regression testing using artificial in...A review paper: optimal test cases for regression testing using artificial in...
A review paper: optimal test cases for regression testing using artificial in...
 
IRJET - Neural Network based Leaf Disease Detection and Remedy Recommenda...
IRJET - Neural Network based Leaf Disease Detection and Remedy Recommenda...IRJET - Neural Network based Leaf Disease Detection and Remedy Recommenda...
IRJET - Neural Network based Leaf Disease Detection and Remedy Recommenda...
 
Data mining for_java_and_dot_net 2016-17
Data mining for_java_and_dot_net 2016-17Data mining for_java_and_dot_net 2016-17
Data mining for_java_and_dot_net 2016-17
 
Observability
ObservabilityObservability
Observability
 
The International Journal of Engineering and Science (IJES)
The International Journal of Engineering and Science (IJES)The International Journal of Engineering and Science (IJES)
The International Journal of Engineering and Science (IJES)
 
FuzzyDbg_Report.pdf
FuzzyDbg_Report.pdfFuzzyDbg_Report.pdf
FuzzyDbg_Report.pdf
 
IRJET- A Detailed Analysis on Windows Event Log Viewer for Faster Root Ca...
IRJET- A Detailed Analysis on Windows Event Log Viewer for Faster Root Ca...IRJET- A Detailed Analysis on Windows Event Log Viewer for Faster Root Ca...
IRJET- A Detailed Analysis on Windows Event Log Viewer for Faster Root Ca...
 
Automatic binary deobfuscation
Automatic binary deobfuscationAutomatic binary deobfuscation
Automatic binary deobfuscation
 
IRJET- Detection and Recognition of Hypertexts in Imagery using Text Reco...
IRJET- Detection and Recognition of Hypertexts in Imagery using Text Reco...IRJET- Detection and Recognition of Hypertexts in Imagery using Text Reco...
IRJET- Detection and Recognition of Hypertexts in Imagery using Text Reco...
 
IRJET- Plagiarism Checker
IRJET- Plagiarism CheckerIRJET- Plagiarism Checker
IRJET- Plagiarism Checker
 
Christopher N. Bull History-Sensitive Detection of Design Flaws B ...
Christopher N. Bull History-Sensitive Detection of Design Flaws B ...Christopher N. Bull History-Sensitive Detection of Design Flaws B ...
Christopher N. Bull History-Sensitive Detection of Design Flaws B ...
 
Whitepaper- User Behavior-Based Anomaly Detection for Cyber Network Security
Whitepaper- User Behavior-Based Anomaly Detection for Cyber Network SecurityWhitepaper- User Behavior-Based Anomaly Detection for Cyber Network Security
Whitepaper- User Behavior-Based Anomaly Detection for Cyber Network Security
 
Ijetr012045
Ijetr012045Ijetr012045
Ijetr012045
 
Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...
Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...
Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...
 
ANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCE
ANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCEANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCE
ANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCE
 
ANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCE
ANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCEANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCE
ANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCE
 
ANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCE
ANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCEANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCE
ANALYSIS OF SYSTEM ON CHIP DESIGN USING ARTIFICIAL INTELLIGENCE
 

Mehr von Vincenzo Iozzo

A tale of mobile threats
A tale of mobile threatsA tale of mobile threats
A tale of mobile threatsVincenzo Iozzo
 
Stale pointers are the new black
Stale pointers are the new blackStale pointers are the new black
Stale pointers are the new blackVincenzo Iozzo
 
Stale pointers are the new black - white paper
Stale pointers are the new black - white paperStale pointers are the new black - white paper
Stale pointers are the new black - white paperVincenzo Iozzo
 
Everybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paperEverybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paperVincenzo Iozzo
 
Everybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyEverybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyVincenzo Iozzo
 
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Vincenzo Iozzo
 
Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Vincenzo Iozzo
 
Let Your Mach-O Fly, Black Hat DC 2009
Let Your Mach-O Fly, Black Hat DC 2009Let Your Mach-O Fly, Black Hat DC 2009
Let Your Mach-O Fly, Black Hat DC 2009Vincenzo Iozzo
 
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009Vincenzo Iozzo
 
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Vincenzo Iozzo
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 

Mehr von Vincenzo Iozzo (11)

A tale of mobile threats
A tale of mobile threatsA tale of mobile threats
A tale of mobile threats
 
Stale pointers are the new black
Stale pointers are the new blackStale pointers are the new black
Stale pointers are the new black
 
Stale pointers are the new black - white paper
Stale pointers are the new black - white paperStale pointers are the new black - white paper
Stale pointers are the new black - white paper
 
Everybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paperEverybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paper
 
Everybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyEverybody be cool, this is a ROPpery
Everybody be cool, this is a ROPpery
 
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
 
Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009
 
Let Your Mach-O Fly, Black Hat DC 2009
Let Your Mach-O Fly, Black Hat DC 2009Let Your Mach-O Fly, Black Hat DC 2009
Let Your Mach-O Fly, Black Hat DC 2009
 
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
 
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 

0-knowledge fuzzing white paper

  • 1.
  • 2. 0-knowledge fuzzing Vincenzo Iozzo vincenzo.iozzo@zynamics.com February 9, 2010 Abstract and widely established methodology employed in COTS software vulnerability discovery process. Nowadays fuzzing is a pretty common technique The first appearance of fuzzing in software test- used both by attackers and software developers. ing dates back to 1988 by Professor Barton Currently known techniques usually involve Miller[1]; since then the technique has evolved knowing the protocol/format that needs to be a lot and it is not only used by attackers to dis- fuzzed and having a basic understanding of how cover vulnerabilities but also internally by many the user input is processed inside the binary. companies to find bugs in their software. In the past since fuzzing was little-used obtain- Over the course of time a lot of different imple- ing good results with a small amount of effort mentations of fuzz testing have been researched, was possible. nonetheless it is commonly believed that there Today finding bugs requires digging a lot inside are two predominant approaches to fuzzing: the code and the user-input as common vulner- Mutation-based and Generation-based. abilies are already identified and fixed by devel- The former is based on random mutations of opers. This paper will present an idea on how known well-formed data, whereas the latter cre- to effectively fuzz with no knowledge of the user- ates testing samples using templates describing input and the binary. the format of the software input. Specifically the paper will demonstrate how tech- Both approaches have their advantages and pit- niques like code coverage, data tainting and in- falls. The former requires little effort to be im- memory fuzzing allow to build a smart fuzzer plemented and it is reusable across different soft- with no need to instrument it. ware. Nonetheless given the raising interest com- panies have shown in properly testing and devel- oping products this approach will generally yield 1 Introduction worse results than generation-based fuzzers. The second approach has the advantage of ob- Fuzzing, or fuzz testing, is a software test- taining better results in terms of bugs found, al- ing methodology whose aim is to provide in- though it requires knowledge of the input format valid, unexpected or random inputs to a pro- the binary expects and its reusability is bounded gram. Although the idea behind this technique to binaries that deal with the same input format. is conceptually very simple it is a well known 2
  • 3. The difficulty of creating input models can range of view. from low for public data formats to almost infea- To the best of the author‘s knowledge there are sible for proprietary formats. no public attempts at combining together these In order to ease the process of creating input techniques for fuzz-testing purposes. A notable templates various approaches have been stud- exception is Flayer which nonetheless only fo- ied, most notably evolutionary fuzzers and in- cuses on dynamic analysis and program paths memory fuzzers. manipulation in order to discover software de- Both are derived from mutation-based fuzzers fects. but for different purposes. The first type of The rest of this paper is organized as follows. fuzzers, in fact, by employing genetic algorithms In section 2 we provide basic background infor- attempts to generate sets of data which resem- mation on the metrics used. Section 3 discusses ble as precisely as possible the input format. The related work. Section 4 presents our approach latter, instead, first requires a human to manu- and implementation. Finally we conclude and ally identify specific functions inside the binary discuss future work directions in Section 5. then mutates the input in-memory in order to prevent data validation which could lead to dif- ferent code paths thus resulting in not fuzzing 2 Background crucial pieces of an application. Evolutionary based fuzzers suffer from the diffi- In this section, we present background informa- culty of identifying proper scoring and mutation tion on static analysis metrics, data tainting, and functions and for this approach to be effective it in-memory fuzzing. usually requires more time than the generation- In our implementation we use primary two static based one. In-memory fuzzing on the other hand analysis techniques: cyclomatic complexity and has a high rate of false positives and negatives loop detection. and it requires an expert reverse engineer in or- Cyclomatic complexity is a software metric used der to identify proper test cases. to determine how complex in terms of code paths In this paper the author presents an approach a function is. The computation is done on the to fuzz testing based on in-memory fuzzing aim- number of edges and nodes a function contains. ing at limiting human intervention and minimiz- Intuitively the more the structure of the function ing the number of false positives and negatives is complicated the more complex the function that currently affects this technique. The pro- is. In [2] the connection between function com- posed methodology employs a range of known plexity and bugs presence has been discussed. metrics from both static and dynamic program Although there is not always a correlation be- analysis together with a new technique for in- tween the two, it is reasonable to assume that memory fuzzing. Specifically we will use data more complex functions are prone to contain tainting for tracking user input, thus being able bugs given the amount of code they contain. to identify locations in-memory suitable for test- Another metric employed is loop detection. This ing; we will also employ static analysis metrics algorithm takes advantage of some properties of in order to identify functions in the binary that a function flowgraph and its dominator tree in can be interesting from a security testing point order to detect loops present in compiled code. 3
  • 4. This technique is widely used in compilers for op- the technique so that basic blocks execution is timization purposes, and it has some interesting being traced. This implementation does not aspects from a security prospective as well. It take into account code paths and therefore might is commonly known, in fact, that memory write be imprecise in some circumstances, nonetheless often happens inside loops and that most compil- we consider this trade-off to be acceptable as it ers usually inline functions like memcpy so that avoids to overly complicating the implementa- the function will effectively result in a loop. tion and improves the fuzzer performance. Another crucial piece of infrastructure for the proposed fuzzer is the data tainting engine. The goal of data tainting is to gather information on 3 Related work how user input is propagated through a binary. In this section we will briefly describe exist- The concept of data tainting is intuitively very ing approaches to data tainting and in-memory simple, one or more markings are associated with fuzzing together with a brief description of some data supposedly representing the user in- Flayer[3] being it the closest work to the one de- put and those markings are propagated follow- scribed in this paper. ing the program flow. Although it is possible to perform data tainting using static analysis the 3.1 Existing in-memory fuzzing im- complexity of the task and the possible incom- plementations plete set of information led the author to choose a dynamic analysis approach to the problem by taking advantage of an existing dynamic data tainting framework called Dytan[6]. Using dy- namic data tainting has the benefit of obtain- ing more precise and richer information on data propagation although it will not be able to ex- plore program paths that are not executed at (a) Mutation loop insertion run-time. Given the nature of the fuzzer, ob- taining information on non-executed code paths is of no interest as in-memory fuzzing relies on the ability to reach code paths by mutating a set of known good data. Finally in order to monitor the effectiveness of our fuzzer, we employ a software testing mea- sure known as code coverage. This technique (b) Snapshot restoration verifies the degree to which the code of a pro- mutation gram has been tested by tracing the execution of the binary. Although there are many differ- Figure 1: Known implementations of in-memory ent implementations of code coverage all using fuzzing different criteria in terms of the kind of informa- tion to record, the author decided to implement To the best of the author‘s knowledge in- 4
  • 5. memory fuzzing was first introduced to the pub- of software. A lot of implementations of data lic by Greg Hoglund of HBGary in [4] and later tainting frameworks exist, for this reason the further developed by Amini at al[5]. Currently author decided to use a framework previously there are two public methods: Mutation loop in- created by James Clause and Alessando Orso of sertion and snapshot restoration mutation. Gatech called Dytan[6]. The decision was made The first method works by inserting an uncon- based on a number of requirements. ditional jump from the function being tested to First and foremost the ability to instrument bi- a function responsible for mutating the data re- naries without any recompilation or access to the siding in the process address space of the fuzzed source code. binary. At the end of the mutation function an- Another very important requirement was porta- other unconditional jump to the beginning of the bility, most of the existing implementations are currently tested function is inserted. The control based on Valgrind[7] which does not support the flow graph of this approach is shown in 1(a). Windows platform. The two most appealing This approach suffers of a number of drawbacks candidates were Temu[9] and Dytan. with a high rate of false negatives and stack con- The first one is built on the top of a modified sumption being the two major ones. Another version of Qemu[8]. Although this would have disadvantage of this method is the general insta- respected both the initial requirements we think bility of the memory after a few fuzzing itera- that a data tainting framework based on a vir- tions. tual machine emulator is overkill for our goals. The second approach works by inserting an un- Besides the implementation in the author‘s opin- conditional jump from the beginning of the func- ion is not yet robust enough. tion being tested to a function responsible of tak- Dytan is implemented as a pintool[16]. It is a ing a memory snapshot. This function will later flexible framework and can run on both Linux call again the tested function. At the end of the and Windows. analyzed function another unconditional jump is inserted. The jump points to a function respon- 3.3 Additional related work sible of restoring the memory, fuzzing data and executing again the fuzzed function. A control As already mentioned in the previous section flow diagram employing this approach is shown Flayer[3] is the most similar work to the ap- in Figure 1(b). Although this method has some proach discussed in this paper. The software advantages in respect to the first one described, combines data tainting and the ability to force code paths. Differently from many other data it still suffers from a high false positives rate and it is also slower given the need of continuously tainting tools Flayer has bit-precision markings. having to restore process memory. Although this grants a higher degree of precision in obtaining information on data propagation for 3.2 Existing data tainting implemen- the purpose of our work byte-precision markings are detailed enough. tations Another limitation is the software the tool is Dynamic data tainting has gained momentum in based on; as already mentioned Valgrind does the last few years given the increase complexity not support Windows which severly impairs the 5
  • 6. usefulness of the tool. should be replaced by a more sophisticated ap- Finally even if the main aim of the tool is not proach which takes into account scores coming fuzzing it has the ability of forcing code paths from various metrics and weights them in respect and therefore it can be used to test various code to their relevance from a security prospective. paths. This method has three main drawbacks; the first one is a high number of false positives, the second one is the absence of a sample which can be later used by the attacker to reproduce the bug and finally a problem known as code- path explosion. This problem arises because the number of code paths to force increases exponen- tially with the complexity of the software. Figure 3: The edge in red is missed by the ap- 4 Proposed approach and im- proximative cyclomatic complexity formula. plementation Cyclomatic complexity Cyclomatic com- plexity was first described by Robert McCabe in [10]. The purpose of this metric is to calcu- late the number of independent paths in a code section. Many formulation of this metric have been given, we briefly explain the ones that are Figure 2: Fuzzer components relevant to our fuzzer. In this section we will present the idea and Definition Let G be a flowgraph, E the num- implementation of our work. As shown in Figure ber of edges in G, N the number of nodes in G 2 our fuzzer can be divided into 4 parts. and P the number of connected components in G. Cyclomatic complexity is defined as: 4.1 Static analysis metrics M = E − N + 2P (1) Static analysis algorithms are used to determine which functions could be potentially of inter- A connected component is a subgraph in which est for our fuzzer. We assign a higher score to any two vertices are connected to each other by functions that have a high cyclomatic complex- paths. This formula originates from the cyclo- ity score and at least one loop in them; we then matic number: consider all the functions that have loops but a low cyclomatic complexity score and finally we Definition Let G be a strongly connected take into account the remaining functions. Ide- graph, E the number of edges in G, N the ally we will add more metrics to the implementa- number of nodes in G and P the number of tion, therefore this rather trivial scoring system connected components in G. 6
  • 7. The Cyclomatic number is defined as: V (G) = E − N + P (2) It should be notice that the cyclomatic num- (a) A (b) Domi- (c) The ber can be calculated only on strongly connected function nator tree nodes graphs, that is a graph in which from every pair flowgraph, of the in green of vertices there is a direct path connecting them nodes in previous dominate in both directions. McCabe proved that the flow- blue belong function, the node in to a loop nodes red in the graph of a function with a single entry point and in green dominator a single exit point can be considered a strongly correspond tree connected graph and therefore the cyclomatic to the number theorem applies and that P = 1, thus blue ones the resulting simplified formula is: highlighted in picture (a) M =E−N +2 (3) Intuitively when a flowgraph has multiple exit Figure 4: Graphs used in loop detection algo- points the aforementioned formula doesnt hold rithm true anymore. Another one should be therefore used: Loop detection algorithm As previously mentioned another metric, loop detection, is Definition Let G be a flowgraph, π the number used to select functions. The first required step of decision points in G and s the number of exit is to extract the dominator tree out of a function. points in G. Cyclomatic complexity is defined Formally: as: Definition A dominator tree is a tree where M =π−s+2 (4) each node‘s children are the nodes it immedi- ately dominates. Applying (3) to functions with multiple exit A node d is said to dominate node k if every points we will have, in fact, lower cyclomatic path from the start node s to node k must go complexity values by a minimum factor of 2. Fig- throught node d. ure 3 shows typical edges and connected com- ponents missed by using (3). To give a visual example of a dominator tree Nonetheless the author believes that the less pre- of a function please refer to Figure 4. Nodes in cise measurement can be used without impairing blue in Figure 4(a) are highlighted in the dom- the results. inator tree in green in Figure 4(b). We implemented cyclomatic complexity calcula- There are two known algorithms used to cal- tion for each function in a module by using Bin- culate the dominator tree of a flowgraph. It Navi API. A detailed explanation of the imple- is out of the scope of this paper to discuss mentation can be found in[11]. them. It should be noticed, though, that the 7
  • 8. tool upon which we built our loop detection Each data tainting implementation can choose algorithm, BinNavi[12], implements Lengauer- the type of markings to use, more precisely it Tarjan[13] dominator tree algorithm which is al- is possible to determine the granularity of those most linear thus granting us a higher computa- markings. tional speed. Dytan is able to either assign a single marking to The second step is to calculate for each node its each piece of input or have byte-level markings. dominators. In Figure 4(c) the dominators of We chose to use the second type of markings as the node in red are the ones in green. it is more precise but at the same time does not The last step is to search for edges from a node cause an excessive overhead during the execu- to one of its dominators. Recalling the definition tion. of domination it is trivial to show that if there In order to make data tainting work it is impor- is an edge from a node to one of its dominators tant to define what data needs to be tracked. In a loop is present. Dytan it is possible to track user input coming Most complex assembly instruction sets have from network operations, files access and com- what are called implicit loops instruction, for in- mand line arguments passed to the main() func- stance rep movs in x86 ISA. Applying this al- tion. That is system calls and functions respon- gorithm to a flowgraph will therefore miss this sible for the aforementioned input sources are type of loops. monitored and their output is tracked through In order to overcome this problem we will trans- the binary. late the function to an intermediate language Another important factor to take into account called REIL[14] implemented in BinNavi. This while implementing a data tainting tool is a intermediate language provides a very small set propagation policy. of instructions which helps in the process of un- A propagation policy is a set of rules followed folding implicit loops. while taint markings are assigned during pro- In [15] a detailed implementation of this algo- gram execution. rithm can be found. Dytan currently is able to perform control and data-flow or data-flow only analysis. The former 4.2 Data tainting tracks direct or transitive data assignments as well as indirect propagation due to control flow As stated before the author did not implement dependencies upon user input. The latter in- the data tainting framework employed by the stead can only track direct and transitive data fuzzer, nonetheless given the critical importance assignments. In our fuzzer we use the second of data tainting for this project the author thinks approach as control flow analysis does not add it is important to briefly describe how dytan any useful information on data locations to be works and how we use this framework for our tested. purposes. Another problem to tackle while creating a prop- We previously mentioned that data tainting is a agation policy is how to deal with multiple mark- technique to track user input inside a binary. ings assigned to the same input. Dytan currently Tracking is usually performed by assigning mark- assigns to the resulting taint marking the union ings to data while executing the binary. of all the taint markings related to it. Although 8
  • 9. for our fuzzer a different approach might grant At point 1 we search for the address of the func- better results we currently use the default dytan tion we are interested in fuzzing and install the policy. analysis function for that function. At point 2 Finally we make dytan provide information on we iterate through function instructions locating every instruction that assigns taint markings. the ones that are of interest in order to install an That is for each of those instructions we obtain analysis function as described in 3. the state of taint markings on machine registers The first approach consists of mutating memory and on memory locations that are tainted at that locations and registers in place. That is instead specific program point. of allocating new memory and pointing instruc- tions operands to it we modify the content of both memory locations and registers within their 4.3 In-memory fuzzing length boundaries. We presented in section 3 the two known ap- We then continue the program execution until proaches to in-memory fuzzing. In this section the program quits or new data is obtained from we are going to present two slightly different ap- a tainted source. proaches which we believe to gain better results This approach is more conservative than all the given the amount of information we can gather others as it does not change the memory layout from data tainting analysis. thus the number of false positives is reduced but We implemented our in-memory fuzzer on top at the expenses of an increased number of false of PIN[16]. PIN has the ability to add instru- negatives. mentation functions before and after a binary is The second approach works very similar to SRM loaded in memory, functions and instructions. 1(b). In addition to the first three steps we also Recalling that for each instruction that assigns add an instrumentation functions at the end of taint markings we retrieve from data tainting the tested function. This function will be re- analysis, we get the markings associated to ma- sponsible of restoring memory after fuzzing was chine registers and memory locations, we are performed. With the second approach the mem- able to precisely identify program points during ory layout is changed as the fuzzer will allocate binary execution that are suitable for fuzzing. chunks of memory to be used during the fuzzing For both approaches we perform a number of phase. steps: As for the first approach the program execution is continued until the application quits or new 1. Install an analysis function on image load- data is obtained from a tainted source. ing. Although our second approach is similar to SRM there are a few notable differences that have to 2. Install an analysis function before the func- be considered. First we do not take a full snap- tion we are interesting in fuzzing is exe- shot of the process memory but we only track cuted. modifications that occurred due to fuzzing dur- ing the execution of the tested function. The 3. Install an analysis function before each in- second difference is that memory is not totally struction that assigns taint markings. restored after the function was fuzzed, this can 9
  • 10. allow us to reduce the number of false negatives The following must hold true: since possible bugs caused by a faulty execution of the function are not missed by restoring the C1 ≤ C + t (5) full process memory. The halting point is defined as: It has to be noted that both approaches de- scribed here although more effective cannot be C1 = C + t (6) used without a proper amount of information gathered by the means of data tainting analy- The code coverage score is calculated as fol- sis or some similar techniques. lows: Definition Let BBt be the totality of basic 4.4 Code coverage blocks in a binary, BBf the number of basic blocks touched in a single execution. The combination of code coverage with fuzz test- The code coverage score is defined as: ing has long been used in order to measure the effectiveness of fuzzing. We implemented code BBf coverage on the top of BinNavi debugging API. C= (7) BBt The choice of using BinNavi debugger serves a double purpose, not only we are able to imple- A detailed implementation of code coverage ment code coverage using lightwave breakpoints using BinNavi API can be found in [17]. which highly reduce execution overhead but we are also able to monitor the execution for possi- 5 Results and future work ble faults. We decided to implement code cov- erage at basic blocks level, that is a breakpoint In this paper we have described a new approach is set at the beginning of each basic block in the to fuzz testing which highly reduce instrumenta- tested binary. We perform code coverage first tion costs thus resulting very useful when dealing when the binary is executed with a known good with large proprietary applications. sample, later it is calculated again every time We have also shown how it is possible to com- the program is fuzzed. We require the fuzzing bine static and dynamic analysis techniques to sample to perform at least as good as the known triage interesting functions from a security test- good sample, we also set a threshold defining the ing point of view. upper-bound after which the sample reaches the Finally we have proposed a new approach to in- ”halting point”. The ”halting point” is the point memory fuzzing which is more precise and less where the fuzzing process is re-initialized with a prone to false negatives than previous known new known good sample as shown in Figure 2. techniques. Formally: We do not have enough data to determine whether this approach has better results com- Definition Let C be the code coverage score pared to other fuzzing techniques. of a known good sample, C1 the code coverage The author believes that compared to other score of a fuzzing sample, t a user supplied mutation-based and evolutionary-based method- delta. ologies the one proposed in this paper will have 10
  • 11. better results. In comparison to generation- first USENIX workshop on Offensive Tech- based fuzzers our technique will have better re- nologies. sults when dealing with complex software but worse results when the software input is simple. [4] G. Hoglund: Runtime Decompilation: The The main direction of future work will be focused GreyBox process for Exploiting Software, on reducing false positives by employing con- Black Hat DC 2003 straint reasoners to determine whether a given [5] M. Sutton, A. Greene, P. Amini: bug is reproducible with valid but unexpected Fuzzing:brute force vulnerability discovery. input. Addison-Wesley. Another important challenge is to implement more static analysis metrics to triage functions [6] J.Clause, W. Li, A. Orso: Dytan:a generic with a higher degree of precision. dynamic taint analysis framework, Proceed- ings of the 2007 international symposium on Software testing and analysis Acknowledgments [7] Valgrind: http://www.valgrind.org The author would like to thank Thomas Dullien, [8] Qemu: http://www.qemu.org Dino Dai Zovi and Shauvik Roy Choudhary for their suggestions and help while researching the [9] Temu:http://bitblaze.cs.berkeley.edu/temu.html topic. The author would also like to thank James [10] T. J. McCabe: A Complexity measure, Clause and Alessandro Orso for having provided IEEE transactions on software engineering, access to dytan source code and their help while vol. se-2, no.4, december 1976 testing and improving the original code base. [11] V. Iozzo: Scripting with BinNavi - Cyclo- Finally we want to thank all the people who have matic Complexity reviewed the paper. [12] BinNavi: http://www.zynamics.com/binnavi.html References [13] T. Lengauer and R. E. Tarjan: A fast algo- rithm for nding dominators in a owgraph, [1] B.P. Miller, L. Fredriksen, and B. So: ”An ACM Transactions on Programming Lan- Empirical Study of the Reliability of UNIX guages and Systems Utilities”, Communications of the ACM 33, [14] T. Dullien, S. Porst: REIL: A platform- 12 (December 1990) independent intermediate representation of [2] Kan: Metrics and Models in Software disassembled code for static code analysis, Quality Engineering. Addison-Wesley. pp. CanSecWest 2009 316317. [15] V. Iozzo: Finding interesting loops us- ing(Mono)REIL [3] W. Drewry, T. Ormandy: Flayer:exposing application internals, Proceedings of the [16] PIN: http://www.pintool.org 11
  • 12. [17] V. Iozzo: Code coverage and BinNavi 12