11

Detecting and mitigating software security vulnerabilities through secure environment programming

Blair, William 26 March 2024 (has links)
Adversaries continue to exploit software in order to infiltrate organizations’ networks, extract sensitive information, and hijack control of computing resources. Given the grave threat posed by unknown security vulnerabilities, continuously monitoring for vulnerabilities during development and evidence of exploitation after deployment is now standard practice. While the tools that perform this analysis and monitoring have evolved significantly in the last several decades, many approaches require either directly modifying a program’s source code or its intermediate representation. In this thesis, I propose methods for efficiently detecting and mitigating security vulnerabilities in software without requiring access to program source code or instrumenting individual programs. At the core of this thesis is a technique called secure environment programming (SEP). SEP enhances execution environments, which may be CPUs, language interpreters, or computing clouds, to detect security vulnerabilities in production software artifacts. Furthermore, environment based security features allow SEP to mitigate certain memory corruption and system call based attacks. This thesis’ key insight is that a program’s execution environment may be augmented with functionality to detect security vulnerabilities or protect workloads from specific attack vectors. I propose a novel vulnerability detection technique called micro-fuzzing which automatically detects algorithmic complexity (AC) vulnerabilities in both time and space. The detected bugs and vulnerabilities were confirmed by vendors of real-world Java libraries. Programs implemented in memory unsafe languages like C/C++ are popular targets for memory corruption exploits. In order to protect programs from these exploits, I enhance memory allocators with security features available in modern hardware environments. 
I use efficient hash algorithm implementations and memory protection keys (MPKs) available on recent CPUs to enforce security policies on application memory. Finally, I deploy a microservice-aware policy monitor (MPM) that detects security policy deviations in container telemetry. These security policies are generated from binary analysis over container images. Embedding MPMs derived from binary analysis in micro-service environments allows operators to detect compromised components without modifying container images or incurring high performance overhead. Applying SEP at varying levels of the computing stack, from individual programs to popular micro-service architectures, demonstrates that SEP efficiently protects diverse workloads without requiring program source or instrumentation.
12

Fuzzing tool for industrial communication

Köhler Djurberg, Markus, Heen, Isak January 2024 (has links)
Unit testing is a fundamental practice in software development and the goal is to create a test suite that tests the robustness of the software. It is challenging to create a test suite that covers every possible input to a system, which can lead to security flaws not being detected. Fuzz testing is a technique that creates randomly generated, or fuzzy, input with the goal to uncover these areas of the input space potentially missed by the unit test suite. EtherNet/IP is an industrial communications protocol built on top of the TCP/IP suite. HMS Anybus develops hardware to use in secure networks in industrial settings utilizing the EtherNet/IP protocol. This report outlines the development of a Scapy-based fuzz testing tool capable of testing the implementation of the protocol on HMS devices. Additionally, we propose a strategy for how the tool can be deployed in future testing. The resulting fuzz testing tool is capable of creating packets containing selected commands’ encapsulation headers and layering them with command-specific data fields. These packets can be filled with static or fuzzy input depending on user configuration. The tool is implemented with the intention of providing HMS the capability for conducting fuzz testing. The report mentions multiple improvements that can be made using A.I.-assisted generation of test cases and how the tool can be scaled in the future. This thesis project is a proof of concept that using Scapy to create a fuzz testing tool tailored to the EtherNet/IP protocol is possible.
13

The Hare, the Tortoise and the Fox : Extending Anti-Fuzzing

Dewitz, Anton, Olofsson, William January 2022 (has links)
Background. The goal of our master's thesis is to reduce the effectiveness of fuzzers using coverage accounting. The method we chose to carry out our goal is based on how the coverage accounting in TortoiseFuzz rates code paths to find memory corruption bugs. It simply looks for functions that tend to cause vulnerabilities and considers more to be better. Our approach is to insert extra function calls to these memory functions inside fake code paths generated by anti-fuzzing. Objectives. Our thesis researches the current anti-fuzzing techniques to figure out which tool to extend with our counter to coverage accounting. We conduct an experiment where we run several fuzzers on different benchmark programs to evaluate our tool. Methods. The foundation for the anti-fuzzing tool will be obtained by conducting a literature review, to evaluate current anti-fuzzing techniques, and how coverage accounting prioritizes code paths. Afterward, an experiment will be conducted to evaluate the created tool. To evaluate fuzzers the FuzzBench platform will be used, a homogeneous test environment that allows future research to more easily compare to old research using a standard platform. Benchmarks representative of real-world applications will be chosen from within this platform. Each benchmark will be executed in three versions: the original, one protected by a prior anti-fuzzing tool, and one protected by our new anti-fuzzing tool. Results. This experiment showed that our anti-fuzzing tool successfully lowered the number of unique found bugs by TortoiseFuzz, even when the benchmark is protected by a prior developed anti-fuzzing tool. Conclusions. We can conclude, based on our results, that our tool shows promise against a fuzzer using coverage accounting. Further study will push fuzzers to become even better to overcome new anti-fuzzing methods. / Background. 
The goal of our master's thesis is to try to reduce the effectiveness of fuzzers that use coverage accounting. The method we used to carry out our goal was based on how coverage accounting in TortoiseFuzz rates code paths to find memory corruption bugs. It simply looks for functions that tend to cause vulnerabilities and considers more to be better. Our idea was to insert extra function calls to these memory functions inside the fake code branches generated by the anti-fuzzing. Objectives. Our thesis examines current anti-fuzzing techniques to evaluate which tool our counter to coverage accounting should be based on. We conduct an experiment where we run several fuzzers on different benchmark programs to evaluate our tool. Methods. The theoretical foundation for the anti-fuzzing tool is obtained by conducting a literature review, with the aim of evaluating existing anti-fuzzing techniques and gaining an understanding of how coverage accounting prioritizes code branches. Afterwards, an experiment will be conducted to evaluate the developed tool. To then evaluate our tool against TortoiseFuzz, FuzzBench will be used, a homogeneous test environment designed to evaluate and compare fuzzers against each other. It is designed to facilitate further research, where reproducing an experiment is easy and results from earlier research can easily be merged. The benchmark programs, which are representative of real-world programs, will be chosen from this platform. Each benchmark program will be copied in three versions: the original, one protected by a prior anti-fuzzing tool, and one protected by our new anti-fuzzing tool. Results. This experiment showed that our anti-fuzzing tool successfully lowered the number of unique bugs found by TortoiseFuzz, even when the benchmark programs were protected by a prior anti-fuzzing tool. Conclusions. 
We conclude, based on our results, that our tool looks promising against a fuzzer that uses coverage accounting. Further studies will push the development of fuzzers to become even better in order to overcome new anti-fuzzing methods.
14

Compiler Testing by Random Source Code Generation / Kompilatortestning genom slumpmässig källkodsgenerering

Löfgren, Victor January 2023 (has links)
Most software projects today are written using programming languages. Compilers in turn translate programs written in these higher-level languages into machine code, executable on actual hardware. Ensuring that these compilers function correctly is therefore paramount. Manually written test suites make sure that compilers function correctly for some inputs, but can never hope to cover every possible use case. Thus, it is of interest to find out how other testing techniques can be applied. This project aimed to implement a random test program generator for Configura Magic (CM), a proprietary programming language used at Configura. Our tool is inspired by the widely successful C program generator Csmith. It is implemented by randomly generating an abstract syntax tree (AST) and unparsing it to produce correct code. Our tool found about 3 bugs in the CM compiler, Configura Virtual Machine (CVM), during its development. CVM was instrumented to get code coverage data after compiling programs. Compiling the CVM test suite (CTS) and Configura's main product CET (Configura Extension Technology) covers about 23% and 19% of the compiler respectively, while compiling programs generated by our tool only covers about 6%. On the other hand, our generated programs uniquely cover about 0.2% that is not covered by CTS and CET. A backend for our tool that generates C code was also implemented, to compare it against Csmith. The results show that on average (100 program generations 30 times, for a total of 3000 programs), our tool gets about 45% coverage while Csmith gets about 50% on the small C compiler TinyCC. Although our tool was mildly successful in finding bugs, the comparison between it and Csmith shows its potential to be even more effective.
15

Functional and Security Testing of a Mobile Client-Server Application / Funktionell och säkerhetstestning av en mobilapplikation bestående av en klient- och serversida

Holmberg, Daniel, Nyberg, Victor January 2018 (has links)
Today’s massive usage of smartphones has put a high demand on all application developers in the matter of security. For us to be able to keep using all existing and new applications, a process that removes significant security vulnerabilities is essential. To remove these vulnerabilities, the applications have to be tested. In this thesis, we identify six methods for functional and security testing of client-server applications running Android and Python Flask. Regarding functional testing, we implement Espresso testing and RESTful API testing. In regards to the security testing of the system, we do not only implement fuzz testing, sniffing, reverse engineering and SQL injection testing on a system developed by a student group in a parallel project, but also discover a significant security vulnerability that directly affects the integrity and reliability of this system. Out of the six identified testing techniques, reverse engineering exposed the vulnerability. In conjunction with this, we verified that the system’s functionality works as it is supposed to.
16

Fuzz testování REST API / Fuzz Testing of REST API

Segedy, Patrik January 2020 (has links)
This thesis deals with fuzz testing of REST APIs. After presenting an overview of the techniques used in fuzz testing and assessing current tools and research focused on REST API fuzz testing, we proceeded to the design and implementation of our REST API fuzzer. The basis of our solution is the inference of dependencies from the OpenAPI description of the REST API, which enables stateful testing of the application. Our fuzzer minimizes the number of consecutive 404 responses from the application and tests the application in greater depth. The problem of exploring the application's reachable states is solved by ordering the dependencies so as to maximize the probability of obtaining the input data needed for required parameters, combined with deciding which required parameters may also use randomly generated values. The implementation is an extension of the Schemathesis project, which generates inputs with the help of the Hypothesis library. The implemented fuzzer is used to test the Red Hat Insights application, where it found 32 bugs, one of which can be reproduced only with the help of stateful testing.
17

Black-box analýza zabezpečení Wi-Fi / Black-Box Analysis of Wi-Fi Stacks Security

Venger, Adam January 2021 (has links)
The devices we rely on every day are becoming increasingly complex and use increasingly complex protocols. One of these protocols is Wi-Fi. With growing complexity, the potential for implementation errors also increases. This thesis examines the Wi-Fi protocol and the use of fuzz testing to generate semi-valid inputs that could reveal vulnerabilities in devices. Special attention was paid to testing Wi-Fi on the ESP32 and ESP32-S2. The result of the thesis is a fuzzer suitable for testing any Wi-Fi device, a monitoring tool specifically for the ESP32, and a set of test programs for the ESP32. The tool did not reveal any potential vulnerabilities.
