Practical Methods for Fuzzing Real-World Systems

Prashast Srivastava (15353365)

27 April 2023

<p>The current software ecosystem is exceptionally complex. A key defining feature of this complexity is the vast input space that software applications must process. This feature</p> <p>inhibits fuzzing (an effective automated testing methodology) in uncovering deep bugs (i.e.,</p> <p>bugs with complex preconditions). We improve the bug-finding capabilities of fuzzers by</p> <p>reducing the input space that they have to explore. Our techniques incorporate domain</p> <p>knowledge from the software under test. In this dissertation, we research how to incorporate</p> <p>domain knowledge in different scenarios across a variety of software domains and test</p> <p>objectives to perform deep bug discovery.</p> <p>We start by focusing on language interpreters that form the backend of our web ecosystem.</p> <p>Uncovering deep bugs in these interpreters requires synthesizing inputs that perform a</p> <p>diverse set of semantic actions. To tackle this issue, we present Gramatron, a fuzzer that employs grammar automatons to speed up bug discovery. Then, we explore firmwares belonging to the rapidly growing IoT ecosystem which generally lack thorough testing. FirmFuzz infers the appropriate runtime state required to trigger vulnerabilities in these firmwares using the domain knowledge encoded in the user-facing network applications. Additionally, we showcase how our proposed strategy to incorporate domain knowledge is beneficial under alternative testing scenarios where a developer analyzes specific code locations, e.g., for patch testing. SieveFuzz leverages knowledge of targeted code locations to prohibit exploration of code regions and correspondingly parts of the input space that are irrelevant to reaching the target location. Finally, we move beyond the realm of memory-safety vulnerabilities and present how domain knowledge can be useful in uncovering logical bugs, specifically deserialization vulnerabilities in Java-based applications with Crystallizer. Crystallizer uses a hybrid analysis methodology to first infer an over-approximate set of possible payloads through static analysis (to constrain the search space). Then, it uses dynamic analysis to instantiate concrete payloads as a proof-of-concept of a deserialization vulnerability.</p> <p>Throughout these four diverse areas we thoroughly demonstrate how incorporating domain</p> <p>knowledge can massively improve bug finding capabilities. Our research has developed</p> <p>tooling that not only outperforms the existing state-of-the-art in terms of efficient bug discovery (with speeds up to 117% faster), but has also uncovered 18 previously unknown bugs,</p> <p>with five CVEs assigned.</p>

Software and application security

fuzzing

Software Security

Application Security

Web application Security

Charpentier Rojas, Jose Enrique

January 2013

Problems related to web application security comes in many ways, one example is inexperience programmers but not only in the way they code and program but also which language and structure they use to code. Not only programmers but Software companies left holes in the software they developed of course without intention.Because is proven that most of the vulnerabilities start in the web application side, as developers we need to follow certain principles, test our code and learn as much as possible about the subject, as a foundation of web application security in order to know how to prevent issues to the most significant treats.The penetration test aimed to help the IT business to discover vulnerabilities in their system ensure their integrity and continue further in the web application security process. The vulnerability research perform in this report is the introduction of a big work that is under continuity for the company.Finally the success of following security standards, process and methodologies applied on this field is considered the best approach to ensure web application security and priceless information you can benefit from.

Web Application Security

Network Security

SECURING SYSTEM AND EMBEDDED SOFTWARE VIA FUZZING

Kyungtae Kim (14212763)

05 December 2022

<p>    </p> <p>System software is a lucrative target for cyber attacks due to its high privilege and large attack surfaces. While fuzzing has been proven effective for decades, recent fuzzers still suffer from limited coverage when dealing with real-world system programs, such as OS kernels, firmware due to their unique interfaces, and large input space, etc. </p> <p>In this thesis, we aim to secure various system and embedded software, such as OS kernels, device drivers and firmware, using proposed fuzzing techniques tailored for each system software. First, we present HFL, hybrid fuzzing for the Linux kernel. HFL achieves hybrid kernel fuzzing scheme with a faithful combination of traditional fuzzing and concolic execution. Furthermore, HFL addresses essential challenges in the Linux kernel via three distinct features: 1) converting indirect control transfers to direct transfers, 2) inferring system call dependencies, and 3) identifying nested arguments structures. HFL found 24 previously unknown bugs in different Linux kernels, and achieved higher code coverage than baseline kernel fuzzers. </p> <p>While the security of USB host stacks has gotten lots of attention, USB gadget stacks are left behind, leaving their vulnerabilities unfixed. To secure USB gadget stacks, we propose the first USB gadget stack fuzzing, FuzzUSB. As a stateful fuzzer, FuzzUSB extracts USB gadget state machines from USB gadget drivers, and uses them to achieve state-guided fuzzing through multi-channel inputs. FuzzUSB has found total 34 previously-unknown bugs within the Linux and Android kernels, and demonstrated improved bug-finding efficiency with high code coverage. </p> <p>As USB Power Delievery (USBPD) is becoming prevalent, but vulnerable to cyber attacks, there is an increasing need for its security. To achieve secure USBPD communications, we propose FuzzPD, the first black-box USBPD fuzzing technique. FuzzPD leverages a dual-role state machine extracted from USBPD specifications. Guided by the dual-role state machine, FuzzPD performs multi-level mutations, not only achieving state-coverage guided mutation for inter-state exploration, but also leveraging input seeding especially for in-state mutation. FuzzPD discovered 45 USBPD bugs in total, ranging from over-charging bugs to memory access violation. </p>

Software and application security

Security, Fuzzing

ON THE AUTOMATIC REPAIR OF SMART CONTRACTS IN BLOCKCHAIN

Zhen Li (18115456)

06 March 2024

<p dir="ltr">Blockchain technology, once the backbone of Bitcoin, has burgeoned into a powerhouse of potential, signaling a revolutionary shift across various sectors, including finance, supply chains, and digital identity. This paradigm shift, which replaces trust in centralized entities with a decentralized ledger of transparency, is rapidly gaining traction among global entities. Despite the promise, blockchain's smart contract evolution has also introduced significant risks, as demonstrated by notorious breaches like the DAO hack. This research offers a dual-focused inquiry into the technological sophistication and social implications of blockchain, particularly smart contracts, assessing both their promise and their perils. It meticulously examines their design, potential vulnerabilities, and recounts sobering lessons from historical breaches.</p><p dir="ltr">To address these concerns, the study presents advanced strategies for vulnerability detection and proactive remedies, recognizing the critical need for security in our digitally convergent economy. In Chapter 3, a novel methodology is employed that uses a comprehensive dataset against advanced detection tools, aiming to address and mitigate vulnerabilities. Chapter 4 provides empirical evidence of the methodology's efficacy, underpinning a critical discussion with real-world applicability and challenges.</p><p dir="ltr">Ultimately, this paper acts as a clarion call for vigilant and innovative strides in blockchain security, emphasizing the technology's vast capabilities against the need for solidified trust. It invites the global research community to join a collaborative effort in addressing the open challenges and fostering advancements to ensure the safe expansion of blockchain technology.</p>

Software and application security

Blockchain, Smart Contracts

LIDS: An Extended LSTM Based Web Intrusion Detection System With Active and Distributed Learning

Sagayam, Arul Thileeban

24 May 2021

Intrusion detection systems are an integral part of web application security. As Internet use continues to increase, the demand for fast, accurate intrusion detection systems has grown. Various IDSs like Snort, Zeek, Solarwinds SEM, and Sleuth9, detect malicious intent based on existing patterns of attack. While these systems are widely deployed, there are limitations with their approach, and anomaly-based IDSs that classify baseline behavior and trigger on deviations were developed to address their shortcomings. Existing anomaly-based IDSs have limitations that are typical of any machine learning system, including high false-positive rates, a lack of clear infrastructure for deployment, the requirement for data to be centralized, and an inability to add modules tailored to specific organizational threats. To address these shortcomings, our work proposes a system that is distributed in nature, can actively learn and uses experts to improve accuracy. Our results indicate that the integrated system can operate independently as a holistic system while maintaining an accuracy of 99.03%, a false positive rate of 0.5%, and speed of processing 160,000 packets per second for an average system. / Master of Science / Intrusion detection systems are an integral part of web application security. The task of an intrusion detection system is to identify attacks on web applications. As Internet use continues to increase, the demand for fast, accurate intrusion detection systems has grown. Various IDSs like Snort, Zeek, Solarwinds SEM, and Sleuth9, detect malicious intent based on existing attack patterns. While these systems are widely deployed, there are limitations with their approach, and anomaly-based IDSs that learn a system's baseline behavior and trigger on deviations were developed to address their shortcomings. Existing anomaly-based IDSs have limitations that are typical of any machine learning system, including high false-positive rates, a lack of clear infrastructure for deployment, the requirement for data to be centralized, and an inability to add modules tailored to specific organizational threats. To address these shortcomings, our work proposes a system that is distributed in nature, can actively learn and uses experts to improve accuracy. Our results indicate that the integrated system can operate independently as a holistic system while maintaining an accuracy of 99.03%, a false positive rate of 0.5%, and speed of processing 160,000 packets per second for an average system.

IDS

Distributed active learning

Web application security

Secure Application Development / Static Application Security Testing (SAST)

Alwan, Alaa

January 2022

Security testing is a widely applied measure to evaluate and improve software security by identifying vulnerabilities and ensuring security requirements related to properties like confidentiality, integrity, and availability. A confidentiality policy guarantees that attackers will not be able to expose secret information. In the context of software programs, the output that attackers observe will not carry any information about the confidential input information. Integrity is the dual of confidentiality, i.e., unauthorized and untrusted data provided to the system will not affect or modify the system’s data. Availability means that systems must be available at a reasonable time. Information flow control is a mechanism to enforce confidentiality and integrity. An accurate security assessment is critical in an age when the open nature of modern software-based systems makes them vulnerable to exploitation. Security testing that verifies and validates software systems is prone to false positives, false negatives, and other such errors, requiring more resilient tools to provide an efficient way to evaluate the threats and vulnerabilities of a given system. Therefore, the newly developed tool Reax controls information flow in Java programs by synthesizing conditions under which a method or an application is secure. Reax is a command-line application, and it is hard to be used by developers. This project has its primary goal to integrate Reax by introducing a plugin for Java IDEs to perform an advanced analysis of security flaws. Specifically, by design, a graphical plugin performs advanced security analysis that detects and reacts directly to security flaws within the graphical widget toolkit environment (SWT). The project proposed a new algorithm to find the root cause of security violations through a graphical interface as a second important goal. As a result, developers will be able to detect security violations and fix their code during the implementation phase, reducing costs.

secure development

application security

static application security testing

SAST

Computer Systems

Datorsystem

A Model-driven Penetration Test Framework for Web Applications

Xiong, Pulei

12 January 2012

Penetration testing is widely used in industry as a test method for web application security assessment. However, penetration testing is often performed late in a software development life cycle as an isolated task and usually requires specialized security experts. There is no well-defined test framework providing guidance and support to general testers who usually do not have in-depth security expertise to perform a systematic and cost-efficient penetration test campaign throughout a security-oriented software development life cycle. In this thesis, we propose a model-driven penetration test framework for web applications that consists of a penetration test methodology, a grey-box test architecture, a web security knowledge base, a test campaign model, and a knowledge-based PenTest workbench. The test framework enables general testers to perform a penetration test campaign in a model-driven approach that is fully integrated into a security-oriented software development life cycle. Security experts are still required to build up and maintain a web security knowledgebase for test campaigns, but the general testers are capable of developing and executing penetration test campaigns with reduced complexity and increased reusability in a systematic and cost-efficient approach. A prototype of the framework has been implemented and applied to three web applications: the benchmark WebGoat web application, a hospital adverse event management system (AEMS), and a palliative pain and symptom management system (PAL-IS). An evaluation of the test framework prototype based on the case studies indicates the potential of the proposed test framework to improve how penetration test campaigns are performed and integrated into a security-oriented software development life cycle.

Penetration Testing

Test Framework

Web Application Security

Model-Driven

A Model-driven Penetration Test Framework for Web Applications

Xiong, Pulei

12 January 2012

Penetration testing is widely used in industry as a test method for web application security assessment. However, penetration testing is often performed late in a software development life cycle as an isolated task and usually requires specialized security experts. There is no well-defined test framework providing guidance and support to general testers who usually do not have in-depth security expertise to perform a systematic and cost-efficient penetration test campaign throughout a security-oriented software development life cycle. In this thesis, we propose a model-driven penetration test framework for web applications that consists of a penetration test methodology, a grey-box test architecture, a web security knowledge base, a test campaign model, and a knowledge-based PenTest workbench. The test framework enables general testers to perform a penetration test campaign in a model-driven approach that is fully integrated into a security-oriented software development life cycle. Security experts are still required to build up and maintain a web security knowledgebase for test campaigns, but the general testers are capable of developing and executing penetration test campaigns with reduced complexity and increased reusability in a systematic and cost-efficient approach. A prototype of the framework has been implemented and applied to three web applications: the benchmark WebGoat web application, a hospital adverse event management system (AEMS), and a palliative pain and symptom management system (PAL-IS). An evaluation of the test framework prototype based on the case studies indicates the potential of the proposed test framework to improve how penetration test campaigns are performed and integrated into a security-oriented software development life cycle.

Penetration Testing

Test Framework

Web Application Security

Model-Driven

A Model-driven Penetration Test Framework for Web Applications

Xiong, Pulei

12 January 2012

Penetration testing is widely used in industry as a test method for web application security assessment. However, penetration testing is often performed late in a software development life cycle as an isolated task and usually requires specialized security experts. There is no well-defined test framework providing guidance and support to general testers who usually do not have in-depth security expertise to perform a systematic and cost-efficient penetration test campaign throughout a security-oriented software development life cycle. In this thesis, we propose a model-driven penetration test framework for web applications that consists of a penetration test methodology, a grey-box test architecture, a web security knowledge base, a test campaign model, and a knowledge-based PenTest workbench. The test framework enables general testers to perform a penetration test campaign in a model-driven approach that is fully integrated into a security-oriented software development life cycle. Security experts are still required to build up and maintain a web security knowledgebase for test campaigns, but the general testers are capable of developing and executing penetration test campaigns with reduced complexity and increased reusability in a systematic and cost-efficient approach. A prototype of the framework has been implemented and applied to three web applications: the benchmark WebGoat web application, a hospital adverse event management system (AEMS), and a palliative pain and symptom management system (PAL-IS). An evaluation of the test framework prototype based on the case studies indicates the potential of the proposed test framework to improve how penetration test campaigns are performed and integrated into a security-oriented software development life cycle.

Penetration Testing

Test Framework

Web Application Security

Model-Driven

A Model-driven Penetration Test Framework for Web Applications

Xiong, Pulei

January 2012

Penetration testing is widely used in industry as a test method for web application security assessment. However, penetration testing is often performed late in a software development life cycle as an isolated task and usually requires specialized security experts. There is no well-defined test framework providing guidance and support to general testers who usually do not have in-depth security expertise to perform a systematic and cost-efficient penetration test campaign throughout a security-oriented software development life cycle. In this thesis, we propose a model-driven penetration test framework for web applications that consists of a penetration test methodology, a grey-box test architecture, a web security knowledge base, a test campaign model, and a knowledge-based PenTest workbench. The test framework enables general testers to perform a penetration test campaign in a model-driven approach that is fully integrated into a security-oriented software development life cycle. Security experts are still required to build up and maintain a web security knowledgebase for test campaigns, but the general testers are capable of developing and executing penetration test campaigns with reduced complexity and increased reusability in a systematic and cost-efficient approach. A prototype of the framework has been implemented and applied to three web applications: the benchmark WebGoat web application, a hospital adverse event management system (AEMS), and a palliative pain and symptom management system (PAL-IS). An evaluation of the test framework prototype based on the case studies indicates the potential of the proposed test framework to improve how penetration test campaigns are performed and integrated into a security-oriented software development life cycle.

Penetration Testing

Test Framework

Web Application Security

Model-Driven