SECURING SYSTEM AND EMBEDDED SOFTWARE VIA FUZZING

Kyungtae Kim (14212763)

05 December 2022

<p>    </p> <p>System software is a lucrative target for cyber attacks due to its high privilege and large attack surfaces. While fuzzing has been proven effective for decades, recent fuzzers still suffer from limited coverage when dealing with real-world system programs, such as OS kernels, firmware due to their unique interfaces, and large input space, etc. </p> <p>In this thesis, we aim to secure various system and embedded software, such as OS kernels, device drivers and firmware, using proposed fuzzing techniques tailored for each system software. First, we present HFL, hybrid fuzzing for the Linux kernel. HFL achieves hybrid kernel fuzzing scheme with a faithful combination of traditional fuzzing and concolic execution. Furthermore, HFL addresses essential challenges in the Linux kernel via three distinct features: 1) converting indirect control transfers to direct transfers, 2) inferring system call dependencies, and 3) identifying nested arguments structures. HFL found 24 previously unknown bugs in different Linux kernels, and achieved higher code coverage than baseline kernel fuzzers. </p> <p>While the security of USB host stacks has gotten lots of attention, USB gadget stacks are left behind, leaving their vulnerabilities unfixed. To secure USB gadget stacks, we propose the first USB gadget stack fuzzing, FuzzUSB. As a stateful fuzzer, FuzzUSB extracts USB gadget state machines from USB gadget drivers, and uses them to achieve state-guided fuzzing through multi-channel inputs. FuzzUSB has found total 34 previously-unknown bugs within the Linux and Android kernels, and demonstrated improved bug-finding efficiency with high code coverage. </p> <p>As USB Power Delievery (USBPD) is becoming prevalent, but vulnerable to cyber attacks, there is an increasing need for its security. To achieve secure USBPD communications, we propose FuzzPD, the first black-box USBPD fuzzing technique. FuzzPD leverages a dual-role state machine extracted from USBPD specifications. Guided by the dual-role state machine, FuzzPD performs multi-level mutations, not only achieving state-coverage guided mutation for inter-state exploration, but also leveraging input seeding especially for in-state mutation. FuzzPD discovered 45 USBPD bugs in total, ranging from over-charging bugs to memory access violation. </p>

Software and application security

Security, Fuzzing

ON THE AUTOMATIC REPAIR OF SMART CONTRACTS IN BLOCKCHAIN

Zhen Li (18115456)

06 March 2024

<p dir="ltr">Blockchain technology, once the backbone of Bitcoin, has burgeoned into a powerhouse of potential, signaling a revolutionary shift across various sectors, including finance, supply chains, and digital identity. This paradigm shift, which replaces trust in centralized entities with a decentralized ledger of transparency, is rapidly gaining traction among global entities. Despite the promise, blockchain's smart contract evolution has also introduced significant risks, as demonstrated by notorious breaches like the DAO hack. This research offers a dual-focused inquiry into the technological sophistication and social implications of blockchain, particularly smart contracts, assessing both their promise and their perils. It meticulously examines their design, potential vulnerabilities, and recounts sobering lessons from historical breaches.</p><p dir="ltr">To address these concerns, the study presents advanced strategies for vulnerability detection and proactive remedies, recognizing the critical need for security in our digitally convergent economy. In Chapter 3, a novel methodology is employed that uses a comprehensive dataset against advanced detection tools, aiming to address and mitigate vulnerabilities. Chapter 4 provides empirical evidence of the methodology's efficacy, underpinning a critical discussion with real-world applicability and challenges.</p><p dir="ltr">Ultimately, this paper acts as a clarion call for vigilant and innovative strides in blockchain security, emphasizing the technology's vast capabilities against the need for solidified trust. It invites the global research community to join a collaborative effort in addressing the open challenges and fostering advancements to ensure the safe expansion of blockchain technology.</p>

Software and application security

Blockchain, Smart Contracts

Practical Methods for Fuzzing Real-World Systems

Prashast Srivastava (15353365)

27 April 2023

<p>The current software ecosystem is exceptionally complex. A key defining feature of this complexity is the vast input space that software applications must process. This feature</p> <p>inhibits fuzzing (an effective automated testing methodology) in uncovering deep bugs (i.e.,</p> <p>bugs with complex preconditions). We improve the bug-finding capabilities of fuzzers by</p> <p>reducing the input space that they have to explore. Our techniques incorporate domain</p> <p>knowledge from the software under test. In this dissertation, we research how to incorporate</p> <p>domain knowledge in different scenarios across a variety of software domains and test</p> <p>objectives to perform deep bug discovery.</p> <p>We start by focusing on language interpreters that form the backend of our web ecosystem.</p> <p>Uncovering deep bugs in these interpreters requires synthesizing inputs that perform a</p> <p>diverse set of semantic actions. To tackle this issue, we present Gramatron, a fuzzer that employs grammar automatons to speed up bug discovery. Then, we explore firmwares belonging to the rapidly growing IoT ecosystem which generally lack thorough testing. FirmFuzz infers the appropriate runtime state required to trigger vulnerabilities in these firmwares using the domain knowledge encoded in the user-facing network applications. Additionally, we showcase how our proposed strategy to incorporate domain knowledge is beneficial under alternative testing scenarios where a developer analyzes specific code locations, e.g., for patch testing. SieveFuzz leverages knowledge of targeted code locations to prohibit exploration of code regions and correspondingly parts of the input space that are irrelevant to reaching the target location. Finally, we move beyond the realm of memory-safety vulnerabilities and present how domain knowledge can be useful in uncovering logical bugs, specifically deserialization vulnerabilities in Java-based applications with Crystallizer. Crystallizer uses a hybrid analysis methodology to first infer an over-approximate set of possible payloads through static analysis (to constrain the search space). Then, it uses dynamic analysis to instantiate concrete payloads as a proof-of-concept of a deserialization vulnerability.</p> <p>Throughout these four diverse areas we thoroughly demonstrate how incorporating domain</p> <p>knowledge can massively improve bug finding capabilities. Our research has developed</p> <p>tooling that not only outperforms the existing state-of-the-art in terms of efficient bug discovery (with speeds up to 117% faster), but has also uncovered 18 previously unknown bugs,</p> <p>with five CVEs assigned.</p>

Software and application security

fuzzing

Software Security

Application Security

FUZZING DEEPER LOGIC WITH IMPEDING FUNCTION TRANSFORMATION

Rowan Brock Hart (14205404)

02 December 2022

<p>Fuzzing, a technique for negative testing of programs using randomly mutated or gen?erated input data, is responsible for the discovery of thousands of bugs in software from web browsers to video players. Advances in fuzzing focus on various methods for enhancing the number of bugs found and reducing the time spent to find them by applying various static, dynamic, and symbolic binary analysis techniques. As a stochastic process, fuzzing is an inherently inefficient method for discovering bugs residing in deep logic of programs due to the compounding complexity of preconditions as paths in programs grow in length. We propose a novel system to overcome this limitation by abstracting away path-constraining preconditions from a statement level to a function level by identifying impeding functions, functions that inhibit control flow from proceeding. REFACE is an end-to-end system for enhancing the capabilities of an existing fuzzer by generating variant binaries that present an easier-to-fuzz interface and expands an ongoing fuzzing campaign with minimal offline overhead. REFACE operates entirely on binary programs, requiring no source code or sym?bols to run, and is fuzzer-agnostic. This enhancement represents a step forward in a new direction toward abstraction of code that has historically presented a significant barrier to fuzzing and aims to make incremental progress by way of several ancillary dataflow analysis techniques with potential wide applicability. We attain a significant improvement in speed of obtaining maximum coverage, re-discover one known bug, and discover one possible new bug in a binary program during evaluation against an un-modified state-of-the-art fuzzer with no augmentation.</p>

Software and application security

Fuzzing

Symbolic Execution

Taint Analysis

Tracing

Patching

Security Properties of Virtual Remotes and Spooking their Violations

Joshua David Oetting Majors (18390504)

18 April 2024

<p dir="ltr">As Smart TV devices become more prevalent in our lives, it becomes increasingly important to evaluate the security of these devices. In addition to a smart and connected ecosystem through apps, Smart TV devices expose a WiFi remote protocol, that provides a virtual remote capability and allows a WiFi enabled device (e.g. a Smartphone) to control the Smart TV. The WiFi remote protocol might pose certain security risks that are not present in traditional TVs. In this paper, we assess the security of WiFi remote protocols by first identifying the desired security properties so that we achieve the same level of security as in traditional TVs. Our analysis of four popular Smart TV platforms, Android TV, Amazon FireOS, Roku OS, and WebOS (for LG TVs), revealed that <i>all these platforms violate one or more of the identified security properties</i>. To demonstrate the impact of these flaws, we develop Spook, which uses one of the commonly violated properties of a secure WiFi remote protocol to pair an Android mobile as a software remote to an Android TV. Subsequently, we hijack the Android TV device through the device debugger, enabling complete remote control of the device. All our findings have been communicated to the corresponding vendors. Google <i>acknowledged our findings</i> as a security vulnerability, assigned it a CVE, and released patches to the Android TV OS to partially mitigate the attack. We argue that these patches provide a stopgap solution without ensuring that WiFi remote protocol has all the desired security properties. We design and implement a WiFi remote protocol in the Android ecosystem using ARM TrustZone. Our evaluation shows that the proposed defense satisfies all the security properties and ensures that we have the flexibility of virtual remote without compromising security.</p>

Software and application security

security analysis shows

smart tv

Novel System Compartmentalization and Reverse Engineering Methods

Derrick P Mckee (12868367)

14 June 2022

<p>The need to secure software systems is more important than ever. However, while a lot of work exists to design and implement secure systems, a fundamental weakness remains. Instead of implementing software with least privilege policies, developers create monolithic systems that allow any instruction near universal memory access. This dissertation attempts to rectify this fundamental weakness to software design through three different contributions.</p> <p>First, I address the monolithic software design problem by proposing and evaluating a novel compartmentalization enforcement mechanism called Hardware-Assisted Kernel Compartmentalization (HAKC). HAKC is capable of enforcing an arbitrary compartmentalization policy using features of the ARMv9 ISA, without the need of any extra virtualization or trusted software layer. I then introduce a method of determining an optimal compartmentalization policy based on user performance and security constraints called FlexC, which is tested using HAKC as the enforcement mechanism. The end result is a hardened, com-partmentalized kernel, customized to a user’s needs, which enforces a least privilege policy that minimizes overhead. Finally, as an avenue for further compartmentalization policy generation, I introduce a novel program analysis framework called IOVec Function Identifier (IOVFI), which foregoes the use of language processing and model learning, but instead uses program state changes as a unique function fingerprint. I show that IOVFI is a more stable and accurate function identifier than the state-of-the-art, even in the presence of differing compilation environments, purposeful obfuscations, and even architecture changes.</p>

Software and application security

System and network security

Compartmentalization

Reverse engineering

Computer security

APEX-ICS: Automated Protocol Exploration And Fuzzing For Closed Source ICS Protocols

Parvin Kumar (15354694)

28 April 2023

<p>A closed-source ICS communication is a fundamental component of supervisory software and PLCs operating critical infrastructure or configuring devices. As this is a vital communication, a compromised protocol can allow attackers to take over the entire critical infrastructure network and maliciously manipulate field device values. Thus, it is crucial to conduct security assessments of these closed-source protocol communications before deploy?ing them in a production environment to ensure the safety of critical infrastructure. However, Fuzzing closed-source communication without understanding the protocol structure or state is ineffective, making testing such closed-source communications a challenging task. </p> <p><br></p> <p>This research study introduces the APEX-ICS framework, which consists of two significant components: Automatic closed-source ICS protocol reverse-engineering and stateful black-box fuzzing. The former aims to reverse-engineer the protocol communication, which is critical to effectively performing the fuzzing technique. The latter component leverages the generated grammar to detect vulnerabilities in communication between supervisory software and PLCs. The framework prototype was implemented using the Codesys v3.0 closed-source protocol communication to conduct reverse engineering and fuzzing and successfully identified 4 previously unknown vulnerabilities, which were found to impact more than 400 manufacturer’s devices. </p>

Hardware security

Software and application security

System and network security

Fuzzng

reverse engineering concept

Codesys

ICS

APEX-ICS: Automated Protocol Exploration and Fuzzing For Closed-Source ICS Protocols

Parvin Kumar (15354694)

28 April 2023

<p> A closed-source ICS communication is a fundamental component of supervisory software and PLCs operating critical infrastructure or configuring devices. As this is a vital communication, a compromised protocol can allow attackers to take over the entire critical infrastructure network and maliciously manipulate field device values. Thus, it is crucial to conduct security assessments of these closed-source protocol communications before deploying them in a production environment to ensure the safety of critical infrastructure. However, Fuzzing closed-source communication without understanding the protocol structure or state is ineffective, making testing such closed-source communications a challenging task.</p> <p><br> This research study introduces the APEX-ICS framework, which consists of two significant components: Automatic closed-source ICS protocol reverse-engineering and stateful black-box fuzzing. The former aims to reverse-engineer the protocol communication, which is critical to effectively performing the fuzzing technique. The latter component leverages the generated grammar to detect vulnerabilities in communication between supervisory software and PLCs. The framework prototype was implemented using the Codesys v3.0 closed-source protocol communication to conduct reverse engineering and fuzzing and successfully identified 4 previously unknown vulnerabilities, which were found to impact more than 400 manufacturer’s devices. </p>

Hardware security

Software and application security

System and network security

Fuzzing

Reverse Engineering

ICS

Revamping Binary Analysis with Sampling and Probabilistic Inference

Zhuo Zhang (16398420)

19 June 2023

<p>Binary analysis, a cornerstone technique in cybersecurity, enables the examination of binary executables, irrespective of source code availability.</p> <p>It plays a critical role in understanding program behaviors, detecting software bugs, and mitigating potential vulnerabilities, specially in situations where the source code remains out of reach.</p> <p>However, aligning the efficacy of binary analysis with that of source-level analysis remains a significant challenge, primarily due to the uncertainty caused by the loss of semantic information during the compilation process.</p> <p><br></p> <p>This dissertation presents an innovative probabilistic approach, termed as <em>probabilistic binary analysis</em>, designed to combat the intrinsic uncertainty in binary analysis.</p> <p>It builds on the fundamental principles of program sampling and probabilistic inference, enhanced further by an iterative refinement architecture.</p> <p>The dissertation suggests that a thorough and practical method of sampling program behaviors can yield a substantial quantity of hints which could be instrumental in recovering lost information, despite the potential inclusion of some inaccuracies.</p> <p>Consequently, a probabilistic inference technique is applied to systematically incorporate and process the collected hints, suppressing the incorrect ones, thereby enabling the interpretation of high-level semantics.</p> <p>Furthermore, an iterative refinement mechanism is deployed to augment the efficiency of the probabilistic analysis in subsequent applications, facilitating the progressive enhancement of analysis outcomes through an automated or human-guided feedback loop.</p> <p><br></p> <p>This work offers an in-depth understanding of the challenges and solutions related to assessing low-level program representations and systematically handling the inherent uncertainty in binary analysis. </p> <p>It aims to contribute to the field by advancing the development of precise, reliable, and interpretable binary analysis solutions, thereby setting the groundwork for future exploration in this domain.</p>

Software and application security

Automated software engineering

Binary Analysis

Reverse Engineering

Probabilistic Analysis

Fuzzing

SUNNYMILKFUZZER - AN OPTIMIZED FUZZER FOR JVM-BASED LANGUAGE

Junyang Shao (16649343)

27 July 2023

<p>This thesis presents an in-depth investigation into the opportunities of optimizing the performance (throughput) of fuzzing on Java Virtual Machine (JVM)-based languages. The study identifies five main areas for potential optimization, each of which contributes to the performance bottlenecks in the existing state-of-the-art Java fuzzer, Jazzer.</p> <p><br></p> <p>Firstly, the use of coverage probes is recognized as costly due to the native method call, including call frame generation and destruction, while it only performs a simple byte increment. Secondly, the probes may become exhausted, which subsequently cease to generate signals for new interesting inputs, while the associated costs persist. Thirdly, the scanning of the coverage map is expensive, particularly for targets with a large loaded bytecode. Given that test inputs can only execute a portion of these, the probes for most bytecodes are scanned repeatedly without generating any signals, indicating a need for a more structured coverage map design to skip the code probes effectively. Lastly, exception handling in JVM is costly as it automatically fills in the stack trace whenever an exception object is created, even when most targets don't utilize this information. </p> <p><br></p> <p>The study then designs and implements optimization techniques for these opportunities. We believe we provide the optimal solution for the first opportunity, while better optimizations could be proposed for the second, third, and fourth. The collective improvement brought about by these implementations is on average 138% and up to 441% in throughput. This work, thus, offers valuable insights into enhancing the efficiency of fuzz testing in JVM languages and paves the way for further research in optimizing other areas of JVM-based-language fuzzing performance.</p>

Software and application security

Performance evaluation

Java and Virtual Machine Semantics

Java Fuzzing

Fuzzing

JVM

JIT

Jazzer