Network function virtualization provides programmable in-network middlewares by leveraging virtualization tech-nologies and commodity hardware and has gained popularity among all mainstream network device manufacturer...Network function virtualization provides programmable in-network middlewares by leveraging virtualization tech-nologies and commodity hardware and has gained popularity among all mainstream network device manufacturers.Yet it is challenging to apply coverage-guided fuzzing,one of the state-of-the-art vulnerability discovery approaches,to those virtualized network devices,due to inevitable integrity protection adopted by those devices.In this paper,we propose a coverage-guided fuzzing framework NDFuzz for virtualized network devices with a novel integrity protec-tion bypassing method,which is able to distinguish processes of virtualized network devices from hypervisors with a carefully designed non-intrusive page global directory inference technique.We implement NDFuzz atop of two black-box fuzzers and evaluate NDFuzz with three representative network protocols,SNMP,DHCP and NTP,on nine popular virtualized network devices.NDFuzz obtains an average 36%coverage improvement in comparison with its black-box counterparts.NDFuzz discovers 2 O-Day vulnerabilities and 11-Day vulnerability with coverage guidance while the black-box fuzzer can find only one of them.All discovered vulnerabilities are confirmed by corresponding vendors.展开更多
Exploitability assessment of vulnerabilities is important for both defenders and attackers.The ultimate way to assess the exploitability is crafting a working exploit.However,it usually takes tremendous hours and sign...Exploitability assessment of vulnerabilities is important for both defenders and attackers.The ultimate way to assess the exploitability is crafting a working exploit.However,it usually takes tremendous hours and significant manual efforts.To address this issue,automated techniques can be adopted.Existing solutions usually explore in depth the crashing paths,i.e.,paths taken by proof-of-concept(PoC)inputs triggering vulnerabilities,and assess exploitability by finding exploitable states along the paths.However,exploitable states do not always exist in crashing paths.Moreover,existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation.In this paper,we propose a novel solution to generate exploit for userspace programs or facilitate the process of crafting a kernel UAF exploit.Technically,we utilize oriented fuzzing to explore diverging paths from vulnerability point.For userspace programs,we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploit.For kernel UAF,we leverage a lightweight symbolic execution to identify,analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities.We have developed a prototype system and evaluated it on a set of 19 CTF(capture the flag)programs and 15 realworld Linux kernel UAF vulnerabilities.Experiment results showed it could generate exploit for most of the userspace test set,and it could also facilitate security mitigation bypassing and exploitability evaluation for kernel test set.展开更多
Exploitability assessment of vulnerabilities is important for both defenders and attackers.The ultimate way to assess the exploitability is crafting a working exploit.However,it usually takes tremendous hours and sign...Exploitability assessment of vulnerabilities is important for both defenders and attackers.The ultimate way to assess the exploitability is crafting a working exploit.However,it usually takes tremendous hours and significant manual efforts.To address this issue,automated techniques can be adopted.Existing solutions usually explore in depth the crashing paths,i.e.,paths taken by proof-of-concept(PoC)inputs triggering vulnerabilities,and assess exploitability by finding exploitable states along the paths.However,exploitable states do not always exist in crashing paths.Moreover,existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation.In this paper,we propose a novel solution to generate exploit for userspace programs or facilitate the process of crafting a kernel UAF exploit.Technically,we utilize oriented fuzzing to explore diverging paths from vulnerability point.For userspace programs,we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploit.For kernel UAF,we leverage a lightweight symbolic execution to identify,analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities.We have developed a prototype system and evaluated it on a set of 19 CTF(capture the flag)programs and 15 realworld Linux kernel UAF vulnerabilities.Experiment results showed it could generate exploit for most of the userspace test set,and it could also facilitate security mitigation bypassing and exploitability evaluation for kernel test set.展开更多
Mutation-based greybox fuzzing has been one of the most prevalent techniques for security vulnerability discovery and a great deal of research work has been proposed to improve both its efficiency and effectiveness.Mu...Mutation-based greybox fuzzing has been one of the most prevalent techniques for security vulnerability discovery and a great deal of research work has been proposed to improve both its efficiency and effectiveness.Mutation-based greybox fuzzing generates input cases by mutating the input seed,i.e.,applying a sequence of mutation operators to randomly selected mutation positions of the seed.However,existing fruitful research work focuses on scheduling mutation operators,leaving the schedule of mutation positions as an overlooked aspect of fuzzing efficiency.This paper proposes a novel greybox fuzzing method,PosFuzz,that statistically schedules mutation positions based on their historical performance.PosFuzz makes use of a concept of effective position distribution to represent the semantics of the input and to guide the mutations.PosFuzz first utilizes Good-Turing frequency estimation to calculate an effective position distribution for each mutation operator.It then leverages two sampling methods in different mutating stages to select the positions from the distribution.We have implemented PosFuzz on top of AFL,AFLFast and MOPT,called Pos-AFL,-AFLFast and-MOPT respectively,and evaluated them on the UNIFUZZ benchmark(20 widely used open source programs)and LAVA-M dataset.The result shows that,under the same testing time budget,the Pos-AFL,-AFLFast and-MOPT outperform their counterparts in code coverage and vulnerability discovery ability.Compared with AFL,AFLFast,and MOPT,PosFuzz gets 21%more edge coverage and finds 133%more paths on average.It also triggers 275%more unique bugs on average.展开更多
As one of the most notorious programming errors,memory access errors still hurt modern software security.Particularly,they are hidden deeply in important software systems written in memory unsafe languages like C/C++....As one of the most notorious programming errors,memory access errors still hurt modern software security.Particularly,they are hidden deeply in important software systems written in memory unsafe languages like C/C++.Plenty of work have been proposed to detect bugs leading to memory access errors.However,all existing works lack the ability to handle two challenges.First,they are not able to tackle fine-grained memory access errors,e.g.,data overflow inside one data structure.These errors are usually overlooked for a long time since they happen inside one memory block and do not lead to program crash.Second,most existing works rely on source code or debugging information to recover memory boundary information,so they cannot be directly applied to detection of memory access errors in binary code.However,searching memory access errors in binary code is a very common scenario in software vulnerability detection and exploitation.In order to overcome these challenges,we propose Memory Access Integrity(MAI),a dynamic method to detect finegrained memory access errors in off-the-shelf binary executables.The core idea is to recover fine-grained accessing policy between memory access behaviors and memory ranges,and then detect memory access errors based on the policy.The key insight in our work is that memory accessing patterns reveal information for recovering the boundary of memory objects and the accessing policy.Based on these recovered information,our method maintains a new memory model to simulate the life cycle of memory objects and report errors when any accessing policy is violated.We evaluate our tool on popular CTF datasets and real world softwares.Compared with the state of the art detection tool,the evaluation result demonstrates that our tool can detect fine-grained memory access errors effectively and efficiently.As the practical impact,our tool has detected three 0-day memory access errors in an audio decoder.展开更多
SOHO(small office/home office)routers provide services for end devices to connect to the Internet,playing an important role in cyberspace.Unfortunately,security vulnerabilities pervasively exist in these routers,espec...SOHO(small office/home office)routers provide services for end devices to connect to the Internet,playing an important role in cyberspace.Unfortunately,security vulnerabilities pervasively exist in these routers,especially in the web server modules,greatly endangering end users.To discover these vulnerabilities,fuzzing web server modules of SOHO routers is the most popular solution.However,its effectiveness is limited due to the lack of input specification,lack of routers’internal running states,and lack of testing environment recovery mechanisms.Moreover,existing works for device fuzzing are more likely to detect memory corruption vulnerabilities.In this paper,we propose a solution ESRFuzzer to address these issues.It is a fully automated fuzzing framework for testing physical SOHO devices.It continuously and effectively generates test cases by leveraging two input semantic models,i.e.,KEY-VALUE data model and CONF-READ communication model,and automatically recovers the testing environment with power management.It also coordinates diversified mutation rules with multiple monitoring mechanisms to trigger multi-type vulnerabilities.With the guidance of the two semantic models,ESRFuzzer can work in two ways:general mode fuzzing and D-CONF mode fuzzing.General mode fuzzing can discover both issues which occur in the CONF and READ operation,while D-CONF mode fuzzing focus on the READ-op issues especially missed by general mode fuzzing.We ran ESRFuzzer on 10 popular routers across five vendors.In total,it discovered 136 unique issues,120 of which have been confirmed as 0-day vulnerabilities we found.As an improvement of SRFuzzer,ESRFuzzer have discovered 35 previous undiscovered READ-op issues that belong to three vulnerability types,and 23 of them have been confirmed as 0-day vulnerabilities by vendors.The experimental results show that ESRFuzzer outperforms state-of-the-art solutions in terms of types and number of vulnerabilities found.展开更多
As one of the most notorious programming errors,memory access errors still hurt modern software security.Particularly,they are hidden deeply in important software systems written in memory unsafe languages like C/C++....As one of the most notorious programming errors,memory access errors still hurt modern software security.Particularly,they are hidden deeply in important software systems written in memory unsafe languages like C/C++.Plenty of work have been proposed to detect bugs leading to memory access errors.However,all existing works lack the ability to handle two challenges.First,they are not able to tackle fine-grained memory access errors,e.g.,data overflow inside one data structure.These errors are usually overlooked for a long time since they happen inside one memory block and do not lead to program crash.Second,most existing works rely on source code or debugging information to recover memory boundary information,so they cannot be directly applied to detection of memory access errors in binary code.However,searching memory access errors in binary code is a very common scenario in software vulnerability detection and exploitation.In order to overcome these challenges,we propose Memory Access Integrity(MAI),a dynamic method to detect finegrained memory access errors in off-the-shelf binary executables.The core idea is to recover fine-grained accessing policy between memory access behaviors and memory ranges,and then detect memory access errors based on the policy.The key insight in our work is that memory accessing patterns reveal information for recovering the boundary of memory objects and the accessing policy.Based on these recovered information,our method maintains a new memory model to simulate the life cycle of memory objects and report errors when any accessing policy is violated.We evaluate our tool on popular CTF datasets and real world softwares.Compared with the state of the art detection tool,the evaluation result demonstrates that our tool can detect fine-grained memory access errors effectively and efficiently.As the practical impact,our tool has detected three 0-day memory access errors in an audio decoder.展开更多
基金This work is supported in part by Chinese National Natural Science Foundation(61802394,U1836209,62032010)Strategic Priority Research Program of theCAS(XDC02040100)。
文摘Network function virtualization provides programmable in-network middlewares by leveraging virtualization tech-nologies and commodity hardware and has gained popularity among all mainstream network device manufacturers.Yet it is challenging to apply coverage-guided fuzzing,one of the state-of-the-art vulnerability discovery approaches,to those virtualized network devices,due to inevitable integrity protection adopted by those devices.In this paper,we propose a coverage-guided fuzzing framework NDFuzz for virtualized network devices with a novel integrity protec-tion bypassing method,which is able to distinguish processes of virtualized network devices from hypervisors with a carefully designed non-intrusive page global directory inference technique.We implement NDFuzz atop of two black-box fuzzers and evaluate NDFuzz with three representative network protocols,SNMP,DHCP and NTP,on nine popular virtualized network devices.NDFuzz obtains an average 36%coverage improvement in comparison with its black-box counterparts.NDFuzz discovers 2 O-Day vulnerabilities and 11-Day vulnerability with coverage guidance while the black-box fuzzer can find only one of them.All discovered vulnerabilities are confirmed by corresponding vendors.
基金This work is supported by the Key Laboratory of Network Assessment Technology,Chinese Academy of Sciences and Beijing Key Laboratory of Network Security and Protection Technology,as well as Beijing Municipal Science and Technology Project(No.Z181100002718002)National Natural Science Foundation of China(No.61572481 and 61602470,61772308,61472209,61502536,and U1736209)and Young Elite Scientists Sponsorship Program by CAST(No.2016QNRC001).
文摘Exploitability assessment of vulnerabilities is important for both defenders and attackers.The ultimate way to assess the exploitability is crafting a working exploit.However,it usually takes tremendous hours and significant manual efforts.To address this issue,automated techniques can be adopted.Existing solutions usually explore in depth the crashing paths,i.e.,paths taken by proof-of-concept(PoC)inputs triggering vulnerabilities,and assess exploitability by finding exploitable states along the paths.However,exploitable states do not always exist in crashing paths.Moreover,existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation.In this paper,we propose a novel solution to generate exploit for userspace programs or facilitate the process of crafting a kernel UAF exploit.Technically,we utilize oriented fuzzing to explore diverging paths from vulnerability point.For userspace programs,we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploit.For kernel UAF,we leverage a lightweight symbolic execution to identify,analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities.We have developed a prototype system and evaluated it on a set of 19 CTF(capture the flag)programs and 15 realworld Linux kernel UAF vulnerabilities.Experiment results showed it could generate exploit for most of the userspace test set,and it could also facilitate security mitigation bypassing and exploitability evaluation for kernel test set.
基金supported by the Key Laboratory of Network Assessment TechnologyChinese Academy of Sciences and Beijing Key Laboratory of Network Security and Protection Technology+2 种基金Beijing Municipal Science and Technology Project(No.Z181100002718002)National Natural Science Foundation of China(No.61572481 and 61602470,61772308,61472209,61502536,and U1736209)Young Elite Scientists Sponsorship Program by CAST(No.2016QNRC001).
文摘Exploitability assessment of vulnerabilities is important for both defenders and attackers.The ultimate way to assess the exploitability is crafting a working exploit.However,it usually takes tremendous hours and significant manual efforts.To address this issue,automated techniques can be adopted.Existing solutions usually explore in depth the crashing paths,i.e.,paths taken by proof-of-concept(PoC)inputs triggering vulnerabilities,and assess exploitability by finding exploitable states along the paths.However,exploitable states do not always exist in crashing paths.Moreover,existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation.In this paper,we propose a novel solution to generate exploit for userspace programs or facilitate the process of crafting a kernel UAF exploit.Technically,we utilize oriented fuzzing to explore diverging paths from vulnerability point.For userspace programs,we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploit.For kernel UAF,we leverage a lightweight symbolic execution to identify,analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities.We have developed a prototype system and evaluated it on a set of 19 CTF(capture the flag)programs and 15 realworld Linux kernel UAF vulnerabilities.Experiment results showed it could generate exploit for most of the userspace test set,and it could also facilitate security mitigation bypassing and exploitability evaluation for kernel test set.
基金This research was supported by National Key R&D Program of China(2022YFB3103900)National Natural Science Foundation of China(62032010,62202462)Strategic Priority Research Program of the CAS(XDC02030200).
文摘Mutation-based greybox fuzzing has been one of the most prevalent techniques for security vulnerability discovery and a great deal of research work has been proposed to improve both its efficiency and effectiveness.Mutation-based greybox fuzzing generates input cases by mutating the input seed,i.e.,applying a sequence of mutation operators to randomly selected mutation positions of the seed.However,existing fruitful research work focuses on scheduling mutation operators,leaving the schedule of mutation positions as an overlooked aspect of fuzzing efficiency.This paper proposes a novel greybox fuzzing method,PosFuzz,that statistically schedules mutation positions based on their historical performance.PosFuzz makes use of a concept of effective position distribution to represent the semantics of the input and to guide the mutations.PosFuzz first utilizes Good-Turing frequency estimation to calculate an effective position distribution for each mutation operator.It then leverages two sampling methods in different mutating stages to select the positions from the distribution.We have implemented PosFuzz on top of AFL,AFLFast and MOPT,called Pos-AFL,-AFLFast and-MOPT respectively,and evaluated them on the UNIFUZZ benchmark(20 widely used open source programs)and LAVA-M dataset.The result shows that,under the same testing time budget,the Pos-AFL,-AFLFast and-MOPT outperform their counterparts in code coverage and vulnerability discovery ability.Compared with AFL,AFLFast,and MOPT,PosFuzz gets 21%more edge coverage and finds 133%more paths on average.It also triggers 275%more unique bugs on average.
文摘As one of the most notorious programming errors,memory access errors still hurt modern software security.Particularly,they are hidden deeply in important software systems written in memory unsafe languages like C/C++.Plenty of work have been proposed to detect bugs leading to memory access errors.However,all existing works lack the ability to handle two challenges.First,they are not able to tackle fine-grained memory access errors,e.g.,data overflow inside one data structure.These errors are usually overlooked for a long time since they happen inside one memory block and do not lead to program crash.Second,most existing works rely on source code or debugging information to recover memory boundary information,so they cannot be directly applied to detection of memory access errors in binary code.However,searching memory access errors in binary code is a very common scenario in software vulnerability detection and exploitation.In order to overcome these challenges,we propose Memory Access Integrity(MAI),a dynamic method to detect finegrained memory access errors in off-the-shelf binary executables.The core idea is to recover fine-grained accessing policy between memory access behaviors and memory ranges,and then detect memory access errors based on the policy.The key insight in our work is that memory accessing patterns reveal information for recovering the boundary of memory objects and the accessing policy.Based on these recovered information,our method maintains a new memory model to simulate the life cycle of memory objects and report errors when any accessing policy is violated.We evaluate our tool on popular CTF datasets and real world softwares.Compared with the state of the art detection tool,the evaluation result demonstrates that our tool can detect fine-grained memory access errors effectively and efficiently.As the practical impact,our tool has detected three 0-day memory access errors in an audio decoder.
基金Chinese National Natural Science Foundation(61802394,U1836209,62032010)National Key Research and Development Program of China(2016QY071405)+2 种基金Strategic Priority Research Program of the CAS(XDC02040100,XDC02030200,XDC02020200)Program No.2017-JCJQ-ZD-043-01BNRist Network and Software Security Research Program(BNR2019TD01004,BNR2019RC01-009).
文摘SOHO(small office/home office)routers provide services for end devices to connect to the Internet,playing an important role in cyberspace.Unfortunately,security vulnerabilities pervasively exist in these routers,especially in the web server modules,greatly endangering end users.To discover these vulnerabilities,fuzzing web server modules of SOHO routers is the most popular solution.However,its effectiveness is limited due to the lack of input specification,lack of routers’internal running states,and lack of testing environment recovery mechanisms.Moreover,existing works for device fuzzing are more likely to detect memory corruption vulnerabilities.In this paper,we propose a solution ESRFuzzer to address these issues.It is a fully automated fuzzing framework for testing physical SOHO devices.It continuously and effectively generates test cases by leveraging two input semantic models,i.e.,KEY-VALUE data model and CONF-READ communication model,and automatically recovers the testing environment with power management.It also coordinates diversified mutation rules with multiple monitoring mechanisms to trigger multi-type vulnerabilities.With the guidance of the two semantic models,ESRFuzzer can work in two ways:general mode fuzzing and D-CONF mode fuzzing.General mode fuzzing can discover both issues which occur in the CONF and READ operation,while D-CONF mode fuzzing focus on the READ-op issues especially missed by general mode fuzzing.We ran ESRFuzzer on 10 popular routers across five vendors.In total,it discovered 136 unique issues,120 of which have been confirmed as 0-day vulnerabilities we found.As an improvement of SRFuzzer,ESRFuzzer have discovered 35 previous undiscovered READ-op issues that belong to three vulnerability types,and 23 of them have been confirmed as 0-day vulnerabilities by vendors.The experimental results show that ESRFuzzer outperforms state-of-the-art solutions in terms of types and number of vulnerabilities found.
文摘As one of the most notorious programming errors,memory access errors still hurt modern software security.Particularly,they are hidden deeply in important software systems written in memory unsafe languages like C/C++.Plenty of work have been proposed to detect bugs leading to memory access errors.However,all existing works lack the ability to handle two challenges.First,they are not able to tackle fine-grained memory access errors,e.g.,data overflow inside one data structure.These errors are usually overlooked for a long time since they happen inside one memory block and do not lead to program crash.Second,most existing works rely on source code or debugging information to recover memory boundary information,so they cannot be directly applied to detection of memory access errors in binary code.However,searching memory access errors in binary code is a very common scenario in software vulnerability detection and exploitation.In order to overcome these challenges,we propose Memory Access Integrity(MAI),a dynamic method to detect finegrained memory access errors in off-the-shelf binary executables.The core idea is to recover fine-grained accessing policy between memory access behaviors and memory ranges,and then detect memory access errors based on the policy.The key insight in our work is that memory accessing patterns reveal information for recovering the boundary of memory objects and the accessing policy.Based on these recovered information,our method maintains a new memory model to simulate the life cycle of memory objects and report errors when any accessing policy is violated.We evaluate our tool on popular CTF datasets and real world softwares.Compared with the state of the art detection tool,the evaluation result demonstrates that our tool can detect fine-grained memory access errors effectively and efficiently.As the practical impact,our tool has detected three 0-day memory access errors in an audio decoder.
