Follow the White Rabbit: Simplifying Fuzz Testing Using FuzzExMachina

Presented at Black Hat USA 2018, Aug. 9, 2018, 5 p.m. (60 minutes).

Setting up a fuzzing pipeline takes time and manual effort for identifying fuzzable programs and configuring the fuzzer.

Usually only large software projects with dedicated testing teams at their disposal are equipped to use fuzz testing in their Security Development Lifecycle (SDL). Projects with limited resources cannot easily adopt this effective technique in their SDL, which leaves the software landscape unnecessarily insecure. Less popular software applications in particular are not being fuzzed, because of a lack of resources and of easy-to-use tooling.

Lowering the skill level and effort required to set up a fuzzing pipeline would therefore significantly improve the security of today's software. To tackle this challenge, we developed an easy-to-use framework, FuzzExMachina (FExM), that reduces manual effort to a minimum.

Using clever input inference methods and containerization, we automate the fuzzing pipeline from start to end in a scalable fashion. We support acquiring binaries from a variety of sources, including black-box binaries and source code repositories.

In cases where FExM cannot automatically achieve high coverage, it drops users into a novel AFL mode, "AFL-TimeWarp", in which they can set up test cases without needing to alter or understand the underlying code. AFL-TimeWarp mode allows fuzzing of deeper program states without writing a single line of code, fitting FExM's philosophy of keeping things simple for users.

To test the viability of our framework, we fuzzed over one hundred packages from the Arch Linux package repository with essentially zero effort. After only a few days, we had already found 11 crashes, six of which were exploitable. This shows how FExM permits automated, distributed fuzzing of applications and classifies crashes by exploitability; it is also equipped with a web front end for navigating security issues in a convenient way. Our work automatically retrofits fuzzing into the security development lifecycle.
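The crash triage step mentioned above is the point where a fuzzing campaign turns raw crash files into a prioritised work list. The following script is an added illustration of the cheapest first pass, not FExM's own classifier: AFL names every saved crash after the signal that killed the target (for example `id:000000,sig:11,src:000004,op:havoc,rep:8`), so crashes can be bucketed by signal before a deeper tool such as GDB's `exploitable` plugin is run. The signal-to-bucket mapping and the sample directory listing are constructed for this example.

```python
"""First-pass triage of AFL crash files by the signal encoded in their names.

Added illustration, not FExM's classifier. AFL writes each crash as
`id:NNNNNN,sig:SS,src:NNNNNN,...`, where `sig` is the signal number that
terminated the target. Grouping crashes by that signal is a cheap way to
decide which inputs deserve a real exploitability analysis first.
"""
import re
from collections import defaultdict

# Signal number -> coarse triage bucket. This mapping is an assumption used
# for illustration; real classification needs the faulting instruction,
# register state and stack trace, which a file name cannot provide.
SIGNAL_BUCKETS = {
    11: "memory-access fault (SIGSEGV): investigate first",
    7: "bus error (SIGBUS): investigate first",
    6: "abort (SIGABRT): assertion or sanitizer report",
    8: "arithmetic fault (SIGFPE): usually divide-by-zero",
    4: "illegal instruction (SIGILL)",
}

# Leading fields of an AFL crash file name; later fields (op, pos, rep, ...)
# vary by mutation strategy and are ignored here.
CRASH_NAME = re.compile(r"^id:(\d{6}),sig:(\d+),src:(\d{6})")


def parse_crash_name(name):
    """Return (crash_id, signal, parent_input_id), or None for non-crash entries
    such as AFL's README.txt."""
    m = CRASH_NAME.match(name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def triage(crash_names):
    """Group AFL crash file names into buckets keyed by a triage description.

    Returns {bucket_label: [crash_id, ...]} with crash ids in listing order."""
    buckets = defaultdict(list)
    for name in crash_names:
        parsed = parse_crash_name(name)
        if parsed is None:
            continue
        crash_id, sig, _src = parsed
        label = SIGNAL_BUCKETS.get(sig, f"other signal {sig}")
        buckets[label].append(crash_id)
    return dict(buckets)


# Constructed sample listing of an AFL output/crashes directory.
SAMPLE_LISTING = [
    "README.txt",
    "id:000000,sig:11,src:000004,op:havoc,rep:8",
    "id:000001,sig:06,src:000004,op:flip1,pos:12",
    "id:000002,sig:11,src:000017,op:arith8,pos:3,val:+7",
    "id:000003,sig:08,src:000002,op:havoc,rep:2",
]

if __name__ == "__main__":
    for label, ids in sorted(triage(SAMPLE_LISTING).items()):
        print(f"{label}: crashes {ids}")
```

The bucket labels deliberately rank memory-access faults ahead of aborts: an abort is often an assertion or sanitizer report that already names the bug, whereas a SIGSEGV needs a debugger session to tell a NULL dereference from a controllable write.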


Presenters:

  • Dominik Maier - M.Sc., TU Berlin
    Dominik Maier works as Program Manager Security with AVM GmbH and pursues his PhD at TU Berlin with Prof. Dr. Jean-Pierre Seifert. During his Master's at FAU Erlangen-Nürnberg, he conducted security research at NECST-lab of Politecnico di Milano (Italy) and at SecLab UC Santa Barbara, CA (USA). His Bachelor's Thesis, "Obfuscation Techniques for Android Malware to Bypass Sandboxes", was awarded the CAST-Förderpreis for best Bachelor's thesis in the field of IT security in Germany. He has worked on security development projects, consulting and pentesting for large German companies. In his spare time, he likes to travel and participate in CTFs with ENOFLAG.
  • Bhargava Shastry - Independent security researcher, Independent
    Bhargava Shastry is a security researcher who spends most of his time developing tools and techniques for software vulnerability discovery. Bhargava is interested in applying static program analysis and compiler technology to make vulnerability assessment more effective. He is a PhD candidate at the TU Berlin and obtained his M.Sc. in computer science from EPFL and B.Tech in electrical engineering from NITK.
  • Vincent Ulitzsch - B.Sc., TU Berlin
    Vincent Ulitzsch, graduate student at TU Berlin, is currently interning at Security Research Labs, a Berlin-based security consulting and research company. He graduated from Technical University of Berlin with outstanding results, including an exchange semester at ETH Zurich. He conducted a research project at the chair Security in Telecommunications (SecT) at TU Berlin. During his Bachelor's studies, he held the "Deutschlandstipendium" scholarship. He is an enthusiastic CTF player with a high interest in security research.