
IEEE CONSEG 2009

A New Fuzzing Technique for Software Vulnerability Testing

Zhiyong Wu (1), J. William Atwood (2), Xueyong Zhu (3)

(1, 3) Network Information Center, University of Science and Technology of China, Hefei, Anhui, China
(2) Department of Computer Science and Software Engineering, Concordia University, Montreal, Quebec, Canada

Contents
1. Introduction and Motivation
2. FTSG Model
3. Related Techniques
   - Static analysis
   - Dynamic binary instrument and dynamic trace
   - I/O analysis
4. GAMutator
5. Prototype System: DXFuzzing
6. Validation
7. Experiments
8. Conclusion

2009/12/19 Conseg 09 Fuzzing for Software Vulnerability

1 Introduction and Motivation

C code of a vulnerable procedure:

    int process_chunck(char* head_str, char* data_str, char* program_checksum){
        char buf[60];
        char buf1[32];
        char buf2[32];
        memset(buf, 0, 60);
        if (strlen(head_str) > 32 || strlen(data_str) > 32) return -1;
        if ( true == strong_check(head_str, data_str, program_checksum)){
            strcpy(buf1, head_str);
            strcpy(buf2, data_str);
            strcat(buf, head_str);
            strcat(buf, data_str);
            return 1;
        } else return -1;   //error
    }

Slide callouts: the strcat calls overflow if length(head_str) = 16 and length(data_str) = 20. A one-dimension m&g strategy can't, but knowledge-based fuzzing could pass it easily.

2 FTSG Model

FTSG: Fuzzing Test Suites Generation
FTSG = (s, C, F, N, L, OP, Result)
OP = {M, Slv}
Result = {sampletree, mediumtree, newtree, testcase, testsuite}

2 FTSG: Procedure for generating test cases by Mutation Operators and Slv

    M = {m1, ..., mk, GAMutator}
    F = {f1, f2, ..., fv}
    for (each mi in M except GAMutator) {
        while (!(mediumtree = mi(sampletree))) {
            newtree = Slv(mediumtree, C)
        }
    }
    for (each fe in F) {
        while (!(mediumtree = GAMutator(sampletree, fe))) {
            newtree = Slv(mediumtree, C)
        }
    }

2 FTSG: Total number of test cases

$T = |testsuite| = \sum_{i=1}^{k} |m_i(sampletree)|$

3 Related Techniques: Static analysis, dynamic binary instrument and dynamic trace

Technique                 | Usage                                                                                | Tool
Static analysis           | identify insecure functions                                                          | IDA PRO
Dynamic binary instrument | get insecure functions' dynamic input argument values to calculate the fitness value | Pin
Dynamic trace             | monitor buffer coverage                                                              | Pydbg

3 Related Techniques: I/O analysis

Method                      | Instrument target | Characteristic
static analysis             | source code       | false alarm
execution-oriented analysis | binary code       | simple and precise

3 Related Techniques: I/O analysis: execution-oriented analysis

INPUT (three runs):
$t_1 = (a_1, a_2, \ldots, a_s, \ldots, a_n)$
$t_2 = (a_1, a_2, \ldots, a_s, \ldots, a_n)$
$t_3 = (a_1, a_2, \ldots, a_s', \ldots, a_n)$

OUTPUT of each run: $O = \{o_1, o_2, \ldots, o_k, \ldots, o_n\}$

VALUE of $o_k$ in the three runs: $V_1$, $V_2$, $V_3$

$x_s$ influences output $o_k$ if and only if $V_1 = V_2 \ne V_3$, where $a_i \in D(x_i)$, $a_s' \in D(x_s)$, $a_s \ne a_s'$.

4 GAMutator

GAMutator mutates the relevant l or n in sampletree to trigger a suspected vulnerability in fe. l or n are the inputs that influence some arguments of fe.

4 GAMutator (cont.)

The genetic algorithm here is used to generate test cases to trigger vulnerability in unsafe functions.

Special characteristics of GAMutator:
- A multi-dimension mutation operator.
- A demand-oriented operator.
- Communicates with the outside system.
- The number of test cases generated by GAMutator is O(h).
- The number of test cases that GAMutator generates is not fixed.

4 GAMutator: Heuristics and fitness function

Heuristics are used to generate test cases more likely to trigger vulnerability in fe in F.

TWO EXAMPLES:

1. strcpy(dst, src):
   $f(X) = \dfrac{len(s)}{size(d)} \cdot MAX\_DEFAULT\_FITNESS$, if $len(s) \ge 0$;
   $f(X) = 0$, if $len(s) < 0$.

2. malloc(a):
   $f(X) = a$, when $a < A$;
   $f(X)$ is computed from $A$ and $a$, when $a \ge A$ and $(a \bmod A) > B$;
   $f(X)$ is computed from $(a \bmod A)$ and $B$, when $a \ge A$ and $(a \bmod A) \le B$.

5 Prototype System: DXFuzzing

1) Locate insecure functions' positions in the target binary code by Program Analyzer. Record their information into the database.
2) Analyze the corresponding network protocols or file format of the target application according to related knowledge; choose a sample file s and write a primitive xml test script manually which contains a sampletree.
3) Scheduling Engine calls XFuzzing to fuzz the target application with mi and records runtime information with Program Analyzer when necessary.

5 Prototype System: DXFuzzing (cont.)

4) Data Mapper constructs relationships between X and F based on the collected runtime information.
5) Scheduling Engine calls XFuzzing to fuzz the target application with GAMutator.

6 Validation

1) Based on application-specific knowledge, DXFuzzing could generate test cases which easily pass strong program checks and validations in the program.
2) The problem of finding new combinations to trigger a possible vulnerability in fe in F is especially suitable for a genetic algorithm to solve.

6 Validation (cont.)

3) Different from combinatorial testing in black-box testing, the combination of li or nj in DXFuzzing is decided by the I/O analysis, and the values of li or nj in a combination are refined by every generation.
4) GAMutator cares not only about the relationships between li and fe but also about nj and fe, because some fe in F are influenced by the nj; the nj are, however, neglected in general.

6 Validation (cont.)

Execution-oriented I/O analysis in DXFuzzing is preferred here.

7 Experiments

LibPng library as the target application. Some data are as follows:

Table I. Insecure functions in target application
Function name | usePng.exe | LibPng.dll v1..6 | ID
strcpy        | 1          | 6                | 101
memcpy        | 0          | 77               | 102
sprintf       | 0          | 16               | 109
malloc        | 18         | 113              | 111

Table II. Input nodes
INPUT ELEMENTS
PngFile.IHDA_CHUNK_DATA.Height
PngFile.IHDA_CHUNK_DATA.BitDepth
PngFile.IHDA_CHUNK_DATA.ColorType
PngFile.IHDA_CHUNK_DATA.Width

7 Experiments (cont.)

Table III. Insecure functions influenced by input nodes
ID | INSECURE FUNCTIONS
72 | pngrutil.c(2939): png_ptr->row_buf = (png_bytep)png_malloc(png_ptr, … row_bytes)
73 | pngrutil.c(2945): png_ptr->prev_row = (png_bytep)png_malloc(png_ptr, (png_uint_32)(png_ptr->rowbytes + 1))
89 | pngread.c(1301): info_ptr->row_pointers = (png_bytepp)png_malloc(png_ptr, info_ptr->height * sizeof(png_bytep))

7 Experiments (cont.)

[Figure 4. Relationships between inputs and insecure functions by static analysis]
[Figure 5. Relationships between inputs and outputs by dynamic execution (simple and precise)]

7 Experiments (cont.)

w: Width; d: BitDepth; z: argument value of png_malloc (node IDs shown: 111, 101, 73).
Initial values: w = 0x20, d = 0x01.
w ∈ [0, 0xfffffff], d ∈ [0, 0xff].

7 Experiments (cont.)

Further analysis gave d ∈ {1, 2, 4}. w and d will generate 3 × 0x100000000 = 12884901888 combination test cases. However, only 262148 of them could trigger this vulnerability if we set B = 100000; for these cases png_malloc could successfully allocate memory. So the probability is 262148/12884901888 = 0.00002.
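The execution-oriented I/O analysis rule (V1 = V2 ≠ V3) and the malloc(a) heuristic, carried through on the Width/BitDepth case above, as an added example that is not from the paper or the DXFuzzing prototype. It assumes `row_alloc_arg` as a simplified 32-bit model of the rowbytes + 1 argument (not libpng's exact arithmetic), a fitness function of our own standing in for the paper's, and a (1+1) evolutionary loop in place of the GA, so it does not reproduce the 262148 count.

```python
import random  # added example, not the paper's DXFuzzing code

MASK32 = 0xFFFFFFFF
B = 100000  # bound from the slides: an allocation this small still succeeds


def row_alloc_arg(inp):
    """Assumed 32-bit model of the rowbytes + 1 argument passed to png_malloc
    (a simplification, not libpng's exact arithmetic)."""
    rowbytes = ((inp["width"] * inp["bit_depth"] + 7) & MASK32) >> 3
    return (rowbytes + 1) & MASK32

def influencing_inputs(program, t1, alt):
    """Slide 9 rule: x_s influences o_k iff V1 = V2 != V3, where t3 differs
    from t1 only in a_s (alt[name] supplies a_s' != a_s for each input node)."""
    v1, v2 = program(t1), program(dict(t1))  # two runs on identical input
    if v1 != v2:
        raise RuntimeError("non-deterministic program: V1 != V2")
    return {name for name, a_s_prime in alt.items()
            if program(dict(t1, **{name: a_s_prime})) != v1}

def fitness(w, d):
    """Our stand-in for the malloc(a) heuristic: before the 32-bit wrap a larger
    product scores higher; after the wrap a smaller (allocatable) size wins."""
    true_sum = w * d + 7  # unbounded arithmetic, so the wrap is visible
    if true_sum <= MASK32:
        return true_sum
    return 2 * (MASK32 + 1) - row_alloc_arg({"width": w, "bit_depth": d})

def triggers(w, d):
    """Wrapped size that malloc still satisfies: the heap-overflow condition."""
    return w * d + 7 > MASK32 and row_alloc_arg({"width": w, "bit_depth": d}) <= B

def search(seed=1, max_iters=20000):
    """(1+1) evolutionary search over Width and BitDepth from the slides'
    initial values w = 0x20, d = 0x01; returns (w, d, iterations) or None."""
    rng = random.Random(seed)
    w, d = 0x20, 0x01
    for i in range(max_iters):
        if triggers(w, d):
            return w, d, i
        if rng.random() < 0.2:
            nw, nd = w, rng.choice([1, 2, 4, 8, 16])  # mutate BitDepth
        else:
            nw, nd = w ^ (1 << rng.randrange(32)), d  # flip one bit of Width
        if fitness(nw, nd) >= fitness(w, d):  # keep the fitter candidate
            w, d = nw, nd
    return None
```

Run `influencing_inputs(row_alloc_arg, t1, alt)` first to confirm that only Width and BitDepth reach the allocation argument, then `search()` to drive those two nodes into a wrapped-but-small size.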

7 Experiments (cont.)

[Figure: Width, BitDepth distribution when they trigger this vulnerability]

7 Experiments (cont.)

Table IV. Vulnerabilities found by different fuzzing tools
Tools        | Number of vulnerabilities checked | Number of test cases
Smart Fuzzer | 0                                 | 1000000
GAFuzzing    | 0                                 | 1000000
Peach 2.3    | 4                                 | 31026
DXFuzzing    | 7                                 | 34222

8 Conclusion

Whitebox fuzzing is complex and time costly, and there are still some problems such as path explosion. Peach is an outstanding knowledge-based fuzzing tool, but it is hard for it to pass strong program checks fully automatically.

8 Conclusion (cont.)

DXFuzzing enriches the current mutation methodology with a multi-dimension input-node mutation strategy without combinatorial explosion. So DXFuzzing could find some vulnerabilities that will never be found by one-dimension mutation fuzzing.

9 For More Information

For more questions and comments: wuzhiyong0127@gmail.com, bill@cse.concordia.ca, zhuxy@ustc.edu.cn