About Directed Fuzzing and Use-After-Free: How to Find Complex & Silent Bugs?

Presented at Black Hat USA 2020 Virtual, Aug. 6, 2020, 12:30 p.m. (40 minutes).

Fuzzing is a popular and effective automated approach to vulnerability detection. Directed fuzzing focuses on automatically testing specific parts of the code by taking advantage of additional information such as bug stack traces or patches. Key applications include bug reproduction and patch-oriented testing.

While very successful, recent fuzzing techniques (directed or not) are not well suited to Use-After-Free vulnerabilities (UAF), where deallocated memory is reused through a dangling pointer (UAF represented only 1% of the issues found by OSS-Fuzz in 2017). This is unfortunate, as UAF can lead to data corruption, information leaks, or denial of service.

Fuzzing for UAF is hard for two reasons: (1) UAF bugs are complex: one needs to find an input covering three events (alloc, free, use) in sequence; (2) UAF bugs are silent: they often do not crash immediately. The obvious solution is to pair fuzzing with memory sanitizers such as Valgrind; however, the induced runtime overhead is terrible for fuzzing.

We propose UAFuzz, the first (binary-level) directed greybox fuzzer dedicated to UAF bugs. The technique features a fuzzing engine tailored to UAF specifics (adapting the standard fuzzing components: seed selection, distance metric and power schedule), lightweight code instrumentation, and an efficient bug triage step that sends only a fraction of the generated inputs to the sanitizer for bug confirmation. Our technique is implemented on top of AFL-QEMU and Valgrind.
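To make the two points above concrete (a UAF needs alloc, free and use of the same memory in sequence, and only inputs that complete that sequence are worth the cost of a sanitizer run), here is a small added example, not UAFuzz's own code, that triages hand-constructed alloc/free/use traces; the event format, addresses and function names are assumptions for illustration.

```python
"""Lightweight alloc/free/use trace triage for use-after-free (UAF) candidates.

Added example, not UAFuzz code: an offline model of the "three events in
sequence" idea. Traces below are constructed by hand; no program is run here."""
from typing import NamedTuple


class Event(NamedTuple):
    kind: str      # "alloc", "free" or "use"
    addr: int      # block start (alloc/free) or accessed address (use)
    size: int = 0  # block size for alloc, ignored otherwise


def find_uaf(trace):
    """Return (alloc_idx, free_idx, use_idx) for every use of a freed, not yet reused block."""
    live, freed, hits = {}, {}, []
    for i, ev in enumerate(trace):
        if ev.kind == "alloc":
            # Memory handed out again is live: drop every freed block overlapping the new one.
            for start in [s for s, (sz, _, _) in freed.items()
                          if s < ev.addr + ev.size and ev.addr < s + sz]:
                del freed[start]
            live[ev.addr] = (ev.size, i)
        elif ev.kind == "free" and ev.addr in live:
            size, ai = live.pop(ev.addr)
            freed[ev.addr] = (size, ai, i)
        elif ev.kind == "use":
            for start, (size, ai, fi) in freed.items():
                if start <= ev.addr < start + size:
                    hits.append((ai, fi, i))
                    break
    return hits


def needs_sanitizer(trace):
    """Triage decision: only inputs whose trace completes alloc -> free -> use go to Valgrind."""
    return bool(find_uaf(trace))


# Constructed traces (addresses are made up). The first reads freed memory and would not crash.
SILENT_UAF = [Event("alloc", 0x1000, 64), Event("free", 0x1000), Event("use", 0x1010)]
# Same pointer, but the chunk was handed out again before the use: not a UAF.
REUSED = [Event("alloc", 0x1000, 64), Event("free", 0x1000), Event("alloc", 0x1000, 64),
          Event("use", 0x1010)]
# Alloc and free both happen, but the dangling pointer is never dereferenced.
NO_USE = [Event("alloc", 0x1000, 64), Event("free", 0x1000), Event("use", 0x2000)]

if __name__ == "__main__":
    for name, t in [("SILENT_UAF", SILENT_UAF), ("REUSED", REUSED), ("NO_USE", NO_USE)]:
        print(name, find_uaf(t), "-> sanitizer" if needs_sanitizer(t) else "-> skip")
```

A real tool obtains such traces from binary instrumentation; here they are typed in to show why the three-event sequence, and the reallocation edge case, decide which inputs deserve a sanitizer run.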

UAFuzz outperforms state-of-the-art directed fuzzers (AFLGO and Hawkeye) on bug reproduction (detection rate, time-to-exposure). UAFuzz has also been proven effective in patch-oriented testing, leading to the discovery of 30 new bugs, 7 CVEs and 4 buggy patches.

Several fuzzing talks have already been given at Black Hat. Ours is the first to focus on directed fuzzing and use-after-free.

Finally, we will publicly release our UAF fuzzing benchmark and the UAFuzz tool.


Presenters:

  • Sébastien Bardin - Dr, CEA LIST
    Sébastien Bardin is a full-time senior researcher at CEA LIST, with research activities centered on automatic program analysis and software verification. For a few years now, Sébastien has been interested in automating binary-level security analysis by lifting formal methods developed for the safety-critical industry. More especially, he focuses on binary-level formal methods, vulnerability detection & assessment, and malware deobfuscation. He leads the "binary-level security" group at CEA LIST as well as several related research projects, and he is one of the main designers of the (open-source) BINSEC platform for binary-level code analysis. He regularly publishes articles in top-ranked international academic conferences in Security, Formal Methods, Software Engineering and Automated Reasoning (e.g., IEEE Security & Privacy) and gives talks in international events. Sébastien obtained a PhD in 2005 from ENS Cachan, France, in the field of formal methods.
  • Manh-Dung Nguyen - Mr., CEA LIST
    Manh-Dung Nguyen is a PhD student at CEA LIST, France, under the supervision of Sébastien Bardin (CEA LIST), Matthieu Lemerre (CEA LIST), Richard Bonichon (Tweag I/O) and Prof. Roland Groz (Université Grenoble Alpes, France). Manh-Dung is deeply interested in security, code analysis, and vulnerability detection. His current focus is on pushing the frontiers of fuzzing.
