Lecture 20 slides: …zxl111930/spring2012/public/lec20.pdf

CS 6V81-05: System Security and Malicious Code Analysis

Symbolic Execution and Whitebox Fuzzing

Zhiqiang Lin

Department of Computer Science, University of Texas at Dallas

April 9th, 2012


Outline

1 Background

2 Symbolic Execution

3 Whitebox Fuzzing

4 Summary

1 Background

Software security bugs can be very expensive

1 Cost of each Microsoft Security Bulletin: $Millions
2 Cost due to worms (Slammer, CodeRed, Blaster, etc.): $Billions
3 Many security exploits are initiated via files or packets
  Ex: MS Windows includes parsers for hundreds of file formats
4 0-day vulnerability means money/weapon

Security testing: "hunting for million-dollar bugs"


Hunting for Security Bugs

Black hat
1 Code inspection (of binaries)
2 Blackbox fuzz testing

Blackbox fuzz testing
1 A form of blackbox random testing [Miller+90]
2 Randomly fuzz (=modify) a well-formed input
3 Grammar-based fuzzing: rules that encode "well-formed"ness + heuristics about how to fuzz (e.g., using probabilistic weights)

Black-box fuzzing has been heavily used in security testing. Simple yet effective: many bugs found this way.


Blackbox Fuzzing

Examples
1 Peach, Protos, Spike, Autodafe, etc.

Why so many blackbox fuzzers?
Because anyone can write (a simple) one in a weekend!
Conceptually simple, yet effective
Sophistication is in the "add-ons":
  Test harnesses (e.g., for packet fuzzing)
  Grammars (for specific input formats)

No principled test generation
  No attempt to cover each state/rule in the grammar
  When probabilities are used, no global optimization (simply random walks)
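The kind of weekend-sized mutation fuzzer the slide has in mind, as an added example (my own code, not from the lecture or from any of the fuzzers named above): it takes one well-formed seed, stacks a few random mutations on it, runs the target and treats any uncaught exception as a crash. The two toy parsers and the seed are constructed for this example. Against a parser with a shallow length-check bug the loop finds a crashing input quickly; against a parser guarded by a 4-byte magic value it finds nothing in the same budget, which is exactly the limitation the whitebox approach on the following slides removes.

```python
"""Minimal mutation-based blackbox fuzzer (added example, not from the lecture
or from Peach/Protos/Spike/Autodafe). It knows nothing about the target: it
takes one well-formed seed, stacks a few random mutations on it, runs the
target and treats any uncaught exception as a crash. The two toy parsers and
the seed below are constructed for this example."""
import random
from typing import Callable, Optional, Tuple

INTERESTING = (0x00, 0x01, 0x7f, 0x80, 0xff)   # boundary bytes worth trying


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random, length-preserving mutation to `data`."""
    buf = bytearray(data)
    i = rng.randrange(len(buf))
    kind = rng.randrange(3)
    if kind == 0:
        buf[i] ^= 1 << rng.randrange(8)          # flip one bit
    elif kind == 1:
        buf[i] = rng.choice(INTERESTING)         # boundary value
    else:
        buf[i] = rng.randrange(256)              # arbitrary byte
    return bytes(buf)


def fuzz(target: Callable[[bytes], object], seed_input: bytes, iterations: int,
         rng_seed: int = 0) -> Optional[Tuple[bytes, Exception]]:
    """Run `target` on mutated copies of `seed_input`; return the first crash."""
    rng = random.Random(rng_seed)                # seeded, so a finding is reproducible
    for _ in range(iterations):
        data = seed_input
        for _ in range(rng.randrange(1, 5)):     # stack 1 to 4 mutations on the seed
            data = mutate(data, rng)
        try:
            target(data)
        except Exception as exc:                 # any uncaught exception is a "crash"
            return data, exc
    return None


def parse_shallow(data: bytes) -> int:
    """Toy parser with a shallow bug: a length byte is trusted when copying
    into an 8-slot buffer, so any length > 8 runs off the end (IndexError)."""
    n = data[0]
    slots = [0] * 8
    for i in range(n):
        slots[i] = data[1 + i]
    return sum(slots)


def parse_magic(data: bytes) -> int:
    """Toy parser behind a 4-byte magic: for random bytes the odds of passing
    the check are about 2^-32 per attempt, far beyond any fuzzing budget."""
    if data[:4] == b"!bad":
        raise RuntimeError("ok, vulnerability")
    return len(data)


SEED = b"\x04abcd\x00\x00\x00\x00"   # constructed well-formed input: length 4, payload "abcd"

if __name__ == "__main__":
    print("shallow bug :", fuzz(parse_shallow, SEED, 1000, rng_seed=1))
    print("magic check :", fuzz(parse_magic, SEED, 1000, rng_seed=1))
```

With `rng_seed=1` and a budget of 1000 iterations the first call returns a crashing input whose length byte exceeds 8, while the second returns None: no amount of single-byte mutation of "\x04abcd" lands on the exact four bytes "!bad". Real fuzzers add coverage feedback, a corpus and grammar-aware mutators, but the loop is the same.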


Introducing Whitebox Fuzzing

Idea: mix fuzz testing with dynamic test generation
1 Symbolic execution
2 Collect constraints on inputs
3 Negate those, solve with a constraint solver, generate new inputs
4 Do "systematic dynamic test generation" (=DART)

Whitebox Fuzzing = "DART meets Fuzz"

Foundation: DART (Directed Automated Random Testing)
Key extensions ("Whitebox Fuzzing") implemented in SAGE [NDSS'08]

2 Symbolic Execution

What is symbolic execution

"Symbolic execution and program testing", King [Comm. ACM 1976], cited by 960
Analysis of programs with unspecified inputs
Execute a program on symbolic inputs
Symbolic states represent sets of concrete states
Insight: code can generate its own test cases


A Complete Code Example/Demo with BitBlaze

Input

    #include <stdio.h>

    FILE *fp;

    int main()
    {
        char buffer[10];
        char a, b;
        scanf("%s", buffer);               /* unbounded read into a 10-byte buffer; not the point of the demo */
        fp = fopen("/boot/input", "r");    /* return value unchecked: the demo assumes the file exists */
        fscanf(fp, "%c%c", &a, &b);        /* a and b are the symbolic inputs */
        fclose(fp);
        if (a == 'x')
        {
            printf("WE ARE IN X\n");
            if (b == 'y')
                printf("WE ARE IN Y\n");
        }
        return 0;
    }

Assembly

    080481f4 <main>:
     80481f4:  55                      push   %ebp
     80481f5:  89 e5                   mov    %esp,%ebp
     80481f7:  83 ec 38                sub    $0x38,%esp
     80481fa:  83 e4 f0                and    $0xfffffff0,%esp
     ...
     8048243:  8d 45 e7                lea    -0x19(%ebp),%eax
     8048246:  89 44 24 08             mov    %eax,0x8(%esp)
     804824a:  c7 44 24 04 f9 5f 0a    movl   $0x80a5ff9,0x4(%esp)
     8048251:  08
     8048252:  a1 18 50 0c 08          mov    0x80c5018,%eax
     8048257:  89 04 24                mov    %eax,(%esp)
     804825a:  e8 71 0c 00 00          call   8048ed0 <__fscanf>
     804825f:  a1 18 50 0c 08          mov    0x80c5018,%eax
     8048264:  89 04 24                mov    %eax,(%esp)
     8048267:  e8 64 0d 00 00          call   8048fd0 <_IO_fclose>
     804826c:  80 7d e7 78             cmpb   $0x78,-0x19(%ebp)
     8048270:  75 1e                   jne    8048290 <main+0x9c>
     8048272:  c7 04 24 fe 5f 0a 08    movl   $0x80a5ffe,(%esp)
     8048279:  e8 02 0b 00 00          call   8048d80 <_IO_printf>
     804827e:  80 7d e6 79             cmpb   $0x79,-0x1a(%ebp)
     8048282:  75 0c                   jne    8048290 <main+0x9c>
     8048284:  c7 04 24 0b 60 0a 08    movl   $0x80a600b,(%esp)
     804828b:  e8 f0 0a 00 00          call   8048d80 <_IO_printf>
     8048290:  b8 00 00 00 00          mov    $0x0,%eax
     8048295:  c9                      leave
     8048296:  c3                      ret

The two cmpb instructions are the branch conditions a symbolic executor has to solve: a lives at -0x19(%ebp) and is compared with 0x78 ('x'), b lives at -0x1a(%ebp) and is compared with 0x79 ('y'). Both bytes come from the fscanf call, so they are the symbolic inputs; everything else in main is concrete.


Goal
The system needs to automatically generate the input for /boot/input with the content below.

    /boot/input:  xy000

(The first two bytes, read into a and b, must be 'x' and 'y'; fscanf("%c%c") reads nothing else, so the remaining bytes are unconstrained.)


SAT Problem

SAT
In computer science, satisfiability (often written in all capitals or abbreviated SAT) is the problem of determining if the variables of a given Boolean formula can be assigned in such a way as to make the formula evaluate to TRUE.

In complexity theory, the satisfiability problem (SAT) is adecision problem, whose instance is a Boolean expressionwritten using only AND, OR, NOT, variables, and parentheses.The question is: given the expression, is there someassignment of TRUE and FALSE values to the variables thatwill make the entire expression true?


Decision Problem

Definition
In computability theory and computational complexity theory, a decision problem is a question in some formal system with a yes-or-no answer, depending on the values of some input parameters.


Basic Concepts

Literal
A literal p is a variable x or its negation ¬x.

Clause
A clause C is a disjunction of literals: x1 ∨ x2 ∨ x3

CNF
A CNF formula is a conjunction of clauses: (x2 ∨ x41 ∨ x15) ∧ (x6 ∨ x2) ∧ (x31 ∨ x41 ∨ x6 ∨ x156)


SAT is an NP-complete problem

SAT Problem
The SAT problem is:
1 Find a boolean assignment
2 such that each clause has a true literal

First problem shown to be NP-complete (Cook, 1971)
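To make the definitions concrete, here is a small DPLL SAT solver, added as an example (my own code, not part of the lecture): it searches for a boolean assignment in which each clause has a true literal, using unit propagation and backtracking, and is run on the CNF from the Basic Concepts slide plus a constructed satisfiable 3-SAT instance and a constructed unsatisfiable formula. Production solvers (MiniSat, and the SAT cores inside Z3, Yices and STP) add clause learning and smarter branching heuristics, but the correctness condition they check is the same one stated on the slide.

```python
"""Tiny DPLL SAT solver (added example, not part of the lecture).

A CNF formula is a list of clauses; a clause is a set of literals; a literal
is a non-zero int, +v for variable v and -v for its negation. The solver
returns an assignment {variable: bool} under which every clause has at least
one true literal, or None when the formula is unsatisfiable."""
from typing import Dict, FrozenSet, Iterable, List, Optional

Clause = FrozenSet[int]
Model = Dict[int, bool]


def assign(clauses: List[Clause], lit: int) -> Optional[List[Clause]]:
    """Make `lit` true: drop clauses it satisfies, delete -lit from the rest.
    Returns None if some clause becomes empty (a conflict)."""
    out: List[Clause] = []
    for c in clauses:
        if lit in c:
            continue                       # satisfied, no longer needed
        if -lit in c:
            c = c - {-lit}                 # that literal can never be true now
            if not c:
                return None
        out.append(c)
    return out


def dpll(cnf: Iterable[Iterable[int]], partial: Optional[Model] = None) -> Optional[Model]:
    """DPLL: unit propagation, then branch on a literal and backtrack."""
    model: Model = dict(partial or {})
    clauses = [frozenset(c) for c in cnf]
    while True:                            # 1. unit propagation
        unit = next((c for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        (lit,) = unit
        model[abs(lit)] = lit > 0
        reduced = assign(clauses, lit)
        if reduced is None:
            return None
        clauses = reduced
    if not clauses:
        return model                       # all clauses satisfied
    lit = min(clauses[0], key=abs)         # 2. branch (deterministic choice)
    for choice in (lit, -lit):
        reduced = assign(clauses, choice)
        if reduced is not None:
            result = dpll(reduced, {**model, abs(choice): choice > 0})
            if result is not None:
                return result
    return None                            # both polarities failed: backtrack


def satisfies(cnf: Iterable[Iterable[int]], model: Model) -> bool:
    """The SAT condition from the slide: each clause has a true literal."""
    return all(any(abs(l) in model and model[abs(l)] == (l > 0) for l in c)
               for c in cnf)


# CNF from the Basic Concepts slide (variables numbered as on the slide)
SLIDE_CNF = [{2, 41, 15}, {6, 2}, {31, 41, 6, 156}]
# Constructed 3-SAT instance: (x1 ∨ ¬x2 ∨ x3) ∧ (¬x1 ∨ x2) ∧ (¬x3 ∨ ¬x1) ∧ (x2 ∨ x3)
SAT_CNF = [{1, -2, 3}, {-1, 2}, {-3, -1}, {2, 3}]
# Constructed unsatisfiable formula: every combination of x1, x2 is ruled out
UNSAT_CNF = [{1, 2}, {-1, 2}, {1, -2}, {-1, -2}]

if __name__ == "__main__":
    for name, cnf in (("slide", SLIDE_CNF), ("3-sat", SAT_CNF), ("unsat", UNSAT_CNF)):
        print(name, dpll(cnf))
```

The slide's CNF has only positive literals, so any assignment that sets one variable per clause to true works; the 3-SAT instance forces x1 = x2 = true and x3 = false; the last formula has no model, and dpll() reports that by exhausting both polarities of x1.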


Yices Example/Demo

Using the Yices 1 C API:

    #include <stdio.h>
    #include "yices_c.h"

    int main(void)
    {
        yices_context  ctx   = yices_mk_context();
        yices_type     ty    = yices_mk_type(ctx, "int");
        yices_var_decl xdecl = yices_mk_var_decl(ctx, "x", ty);
        yices_var_decl ydecl = yices_mk_var_decl(ctx, "y", ty);
        yices_expr x  = yices_mk_var_from_decl(ctx, xdecl);
        yices_expr y  = yices_mk_var_from_decl(ctx, ydecl);
        yices_expr n1 = yices_mk_num(ctx, 2);
        yices_expr n2 = yices_mk_num(ctx, 1);
        yices_expr args[2];

        args[0] = x; args[1] = n1;
        yices_expr e1 = yices_mk_sum(ctx, args, 2);     /* x + 2 */
        args[0] = y; args[1] = n2;
        yices_expr e2 = yices_mk_sub(ctx, args, 2);     /* y - 1 */
        yices_expr c1 = yices_mk_le(ctx, e1, e2);       /* x + 2 <= y - 1 */
        yices_assert(ctx, c1);

        switch (yices_check(ctx)) {
        case l_true: {                                  /* braces: a declaration cannot directly follow a case label */
            printf("satisfiable\n");
            yices_model m = yices_get_model(ctx);
            yices_display_model(m);
            break;
        }
        case l_false:
            printf("unsatisfiable\n");
            break;
        default:                                        /* l_undef: the solver could not decide */
            printf("unknown\n");
            break;
        }
        yices_del_context(ctx);
        return 0;
    }

The same problem in the Yices input language:

    (define x::int)
    (define y::int)
    (assert (<= (+ x 2) (- y 1)))
    (check)

Result

    satisfiable
    (= x -3)
    (= y 0)

Check: -3 + 2 = -1 and 0 - 1 = -1, so x + 2 <= y - 1 holds. Any model satisfies the constraint; the solver simply returns the first one it finds.


STP Example

Input

    x0 : BITVECTOR(8);
    x1 : BITVECTOR(8);
    x2 : BITVECTOR(8);
    x3 : BITVECTOR(8);
    QUERY(NOT(NOT((~(IF ((x3@(x2@(x1@x0))) = 0h64616221) THEN 0b1 ELSE 0b0 ENDIF)) = 0b1)));

Result

    Invalid.
    ASSERT( x3 = 0hex64 );
    ASSERT( x0 = 0hex21 );
    ASSERT( x2 = 0hex61 );
    ASSERT( x1 = 0hex62 );

Reading the query: x3@x2@x1@x0 concatenates the four 8-bit variables into one 32-bit value with x0 as the low byte, i.e. the little-endian interpretation of four input bytes. The IF yields 0b1 when that value equals 0h64616221, so the term inside the double NOT says "the comparison is false". QUERY asks whether that statement is valid, i.e. true for every input; "Invalid." means it is not, and the ASSERT lines are the counterexample: with the bytes 21 62 61 64 in memory order (the string "!bad") the comparison is true. This is the standard trick for turning a branch condition into a solver query: ask the prover to refute the negation and keep the counterexample as the new test input.


STP Example

Input

    ...
    char x, y;
    if (x * y == 16)
    ...

Path Constraint

    x : BITVECTOR(8);
    y : BITVECTOR(8);
    QUERY(NOT(BVMULT(8, x, y) = 0h10));

Results

    Invalid.  ASSERT( y = 0hex05 );  ASSERT( x = 0hexD0 );

The model relies on 8-bit wraparound: 0xD0 * 0x05 = 0x410, whose low 8 bits are 0x10 = 16. Bit-vector arithmetic captures this overflow exactly, which is why symbolic executors use bit-vectors rather than unbounded integers. The caveat is that the model has to match the width the program really computes in: in C the char operands of * are promoted to int, so the product is computed in 32 bits and 0xD0 * 5 is -240 (signed char) or 1040 (unsigned char), never 16. An 8-bit BVMULT is the right model only for code that genuinely multiplies 8-bit quantities, or once the promotion and any later truncation are modelled explicitly; otherwise the solver hands back inputs that do not take the branch in the real program.


Mostly used SMT Solvers

Z3
A high-performance theorem prover being developed at Microsoft Research. Z3 supports linear real and integer arithmetic, fixed-size bit-vectors, extensional arrays, uninterpreted functions, and quantifiers.

Yices
An efficient SMT solver that decides the satisfiability of arbitrary formulas containing uninterpreted function symbols with equality, linear real and integer arithmetic, scalar types, recursive datatypes, tuples, records, extensional arrays, fixed-size bit-vectors, quantifiers, and lambda expressions.

MiniSmt
MiniSmt is a simple SMT solver for non-linear arithmetic based on MiniSat and Yices.

CVC3
CVC3 is an automatic theorem prover for Satisfiability Modulo Theories (SMT) problems. It can be used to prove the validity (or, dually, the satisfiability) of first-order formulas in a large number of built-in logical theories and their combination.

STP
STP is a constraint solver (also referred to as a decision procedure or automated prover) aimed at solving constraints generated by program analysis tools, theorem provers, automated bug finders, biology, cryptography, intelligent fuzzers and model checkers. STP has been used in many research projects at Stanford, Berkeley, MIT, CMU and other universities.


Symbolic Execution

For each path, build a path condition
  Condition on inputs, for the execution to follow that path
  Check path condition satisfiability (SAT problem), explore only feasible paths
  When the execution path diverges, fork, adding constraints on symbolic values
  When we terminate (or crash), use a constraint solver to generate a concrete input

Symbolic state
  Symbolic values/expressions for variables
  Path condition
  Program counter


Symbolic execution: example

[Figure sequence. Pages 29 to 44 of the deck step through the worked example from Gabriel Campana's talk "Fuzzgrind: an automatic fuzzing tool" (slides 10 to 25 of that talk), used courtesy of Gabriel Campana. The diagrams did not survive extraction; only the input shown at each step did. The walkthrough starts from

    input = "\x06\x00\x00\x00\x0f\x00\x00\x00"

moves to an input in which only the first 4-byte field has changed,

    input = "\x28\x00\x00\x00\x0f\x00\x00\x00"

and ends with one in which only the second 4-byte field has changed:

    input = "\x28\x00\x00\x00\x21\x00\x00\x00"

Each new input is the previous one with a single field rewritten, which is what solving one negated path constraint at a time produces.]

3 Whitebox Fuzzing

Fuzzing

Basic Idea
Search for software implementation errors by injecting invalid data

Test generation
  Random
  Input mutation
  Model-based


How it works
Make fuzzing completely automatic:
  Give a target program and an input,
  New inputs are generated automatically,
  Wait for crashes.

Tools for fuzzing

Open Source
  Sulley http://code.google.com/p/sulley
  SPIKE http://www.immunitysec.com/resources-freesoftware.shtml
  Peach Fuzzing http://peachfuzz.sourceforge.net
  ...

Academia
  Whitebox Fuzzing [NDSS 2008]
  IntScope [NDSS 2009]
  SmartFuzz [USENIX Security 2009]
  BuzzFuzz [ICSE 2009]
  Checksum-aware Fuzz [Oakland 2010]
  ...


Whitebox Fuzzing

Insight
Use of algebraic expressions to represent the variable values throughout the execution of the program.

Basic Idea
  Symbolically execute the target program on a given input,
  Analyze the execution path and extract the path conditions that depend on the input,
  Negate each path condition,
  Solve the constraints and generate new test inputs.
This algorithm is repeated until all execution paths are (ideally) covered.


A Complete Code Example with Fuzzgrind

Input

    #include <stdio.h>
    #include <stdlib.h>
    #include <fcntl.h>
    #include <unistd.h>
    #define ERROR(x) do { perror(x); \
                          exit(-1); } while (0);
    int main(int argc, char *argv[]) {
        char buffer[5] = { 0 };
        int fd;
        if (argc != 2) {
            printf("Usage: %s <file>\n", argv[0]);
            exit(-1);
        }
        if ((fd = open(argv[1], O_RDONLY)) == -1) {
            ERROR("open");
        }
        if (read(fd, buffer, 4) != 4) {
            ERROR("read");
        }
        if (*(int *)buffer == 0x64616221) {
            printf("ok, vulnerability\n");
        }
        return 0;
    }

Path Constraint

    x0 : BITVECTOR(8);
    x1 : BITVECTOR(8);
    x2 : BITVECTOR(8);
    x3 : BITVECTOR(8);
    QUERY(NOT(NOT((~((IF (((x3@(x2@(x1@x0))) = 0h64616221))
                       THEN (0b1) ELSE (0b0) ENDIF)) = 0b1))));

Results

    Invalid.
    ASSERT( x3 = 0hex64 );
    ASSERT( x0 = 0hex21 );
    ASSERT( x2 = 0hex61 );
    ASSERT( x1 = 0hex62 );
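The negate-and-solve loop from the "Basic Idea" slide, run against the Fuzzgrind example above, as an added illustration that is not code from the slides or from Fuzzgrind: the 4-byte compare is modelled as one input-dependent branch, a hypothetical second byte check (buffer[4] == 0x0A) is added so the loop has more than one path to enumerate, and a tiny hand-written solver stands in for STP.

```python
# Added example (not from the slides or Fuzzgrind): a minimal whitebox-fuzzing loop over
# a constructed model of the slide's target, plus a hypothetical second byte check.
MAGIC = 0x64616221  # the slide's 4-byte compare; its little-endian bytes are "!bad"

class Tracer:  # runs the target on concrete bytes while recording input-dependent branches
    def __init__(self, data):
        self.data, self.path = bytearray(data), []  # path entries: (indices, value, taken)
    def eq(self, off, n, value):  # models an n-byte little-endian compare against `value`
        taken = int.from_bytes(self.data[off:off + n], "little") == value
        self.path.append((tuple(range(off, off + n)), value, taken))
        return taken

def target(t):  # model of the slide's program; the 0x0A check is a constructed extension
    if t.eq(0, 4, MAGIC):                      # `*(int *)buffer == 0x64616221`
        return "ok, vulnerability" if t.eq(4, 1, 0x0A) else "magic ok"
    return "bad magic"

def holds(c, data):  # does constraint c hold on these concrete bytes?
    idx, value, taken = c
    return (int.from_bytes(bytes(data[i] for i in idx), "little") == value) == taken
def solve(constraints, seed):  # mini solver standing in for STP
    data, fixed = bytearray(seed), set()
    for idx, value, taken in constraints:  # equalities: pin the bytes to the constant
        if taken:
            for i, b in zip(idx, value.to_bytes(len(idx), "little")):
                if i in fixed and data[i] != b:
                    return None                # conflicting equalities: unsatisfiable
                data[i], fixed = b, fixed | {i}
    for c in constraints:  # disequalities: perturb one byte not pinned by an equality
        if not c[2] and not holds(c, data):
            free = [i for i in c[0] if i not in fixed]
            if not free:
                return None
            data[free[0]] = (data[free[0]] + 1) % 256
    return bytes(data) if all(holds(c, data) for c in constraints) else None

def explore(seed):  # execute, negate each path condition, solve, repeat until nothing new
    seen, queue, covered = set(), [bytes(seed)], {}
    while queue:
        t = Tracer(inp := queue.pop(0))
        result = target(t)
        covered.setdefault(tuple(c[2] for c in t.path), (inp, result))
        for k, (idx, value, taken) in enumerate(t.path):
            key = tuple(c[2] for c in t.path[:k]) + (not taken,)
            if key not in seen:
                seen.add(key)
                cand = solve(t.path[:k] + [(idx, value, not taken)], inp)
                if cand is not None:
                    queue.append(cand)
    return covered
```

Starting from the seed b"AAAA\x00", explore() covers all three paths and derives the input "!bad" (x0=0x21, x1=0x62, x2=0x61, x3=0x64) exactly as the STP result above does.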



Internals of Whitebox Fuzzing

1 Dynamic Binary Instrumentation

At run time, disassemble the executed instructions and capture their semantics and constraints

2 Data Flow (Taint) Capturing and Analysis

Associate constraint with input

3 Constraint Solving

Query and solve the constraint to generate new input

4 System-events, control flow handler (Optional)

Run the program with new state


Summary

Advantages

1 Symbolic execution is promising for vulnerability discovery

2 It can drive the program down a desired path

Research Problems

1 Symbolic execution cannot handle complicated constraints

2 It doesn't provide clues on how to fuzz and reach the vulnerability

3 Vulnerable code identification is still needed


References

http://en.wikipedia.org/wiki/Fuzz_testing

http://en.wikipedia.org/wiki/Symbolic_execution

James C. King, Symbolic execution and program testing, Communications of the ACM, volume 19, number 7, 1976, 385–394

DART: Directed Automated Random Testing, PLDI 2005

Automated Whitebox Fuzz Testing, with Levin and Molnar, NDSS 2008

Grammar-Based Whitebox Fuzzing, PLDI 2008

http://research.microsoft.com/en-us/um/people/pg/public_psfiles/talk-rt2007.pdf