FROM ZERO OVERHEAD TO MANY VULNERABILITIES: ESCALATING FUZZING EFFECTIVENESS AND EFFICIENCY WITH INTEL PT
Accelerating Fuzzing with Intel PT
Dr. Xinyu Xing, Assistant Professor, Penn State University; Research Scientist, JD.com
Yaohui Chen, PhD student, Northeastern University's College of Computer and Information Science
Dr. Jun Xu, Assistant Professor, Stevens Institute of Technology
Dr. Jimmy Su, Head of security center, JD.com Silicon Valley
In practice, AFL typically exhibits high performance overhead, particularly when stress-testing target software without access to its source code. Given a commercial off-the-shelf (COTS) binary, AFL has to instrument it on the fly, as a black box, through a customized version of QEMU running in user-space emulation mode. Despite systematic optimization efforts, QEMU still imposes substantial overhead on binary-only fuzzing: according to the AFL white paper, QEMU-mode AFL runs roughly 2-5x slower than fuzzing with lightweight compile-time instrumentation.
FAST-AFL is a new fuzzing tool that improves the performance of binary-only fuzzing. Technically, it is designed and prototyped around Intel PT, a newly available hardware tracing feature, combined with a path-sensitive feedback scheme. With this hardware and software co-design, the tool not only speeds up a binary-only fuzzing task by about 29x but, more importantly, explores deeper program behaviors.
When AFL tests software without source code, it has to use QEMU to instrument the program as a black box, which often imposes a very heavy load on fuzzing. Although a great deal of work has tried to reduce that overhead, AFL unfortunately still shows a 2-5x slowdown. In this demo we introduce FAST-AFL, a fast fuzzing tool. It uses Intel's new PT hardware to accelerate AFL and cut its overhead. During the demo we will compare AFL's performance with and without PT. In addition, we will show how to use FAST-AFL to find vulnerabilities hidden deep inside software. We will open-source FAST-AFL at this demo so that the audience can test and use it.
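As an added illustration of why edge coverage alone can miss behaviors that a path-sensitive scheme distinguishes (this is example code written for this page, not FAST-AFL's implementation, which the abstract does not show): the C below reproduces the per-block edge logging that AFL's QEMU mode performs on every translated block and contrasts it with an ordered-path hash over a constructed block trace. The block addresses, the three traces and the use of FNV-1a as the path hash are assumptions for illustration; the trace stands in for the control flow a decoder such as libipt would reconstruct from Intel PT packets, and PT decoding itself is not shown.

```c
/* Added example, not FAST-AFL code: AFL-style edge coverage versus a
 * path-sensitive feedback value over a constructed basic-block trace.
 * The trace stands in for the control flow a PT decoder (e.g. libipt)
 * would reconstruct from Intel PT packets; decoding is assumed, not shown. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAP_SIZE 65536  /* AFL's default shared-memory bitmap size */

/* Constructed block start addresses (assumed; not from any real binary). */
#define BLK_A 0x401000ULL
#define BLK_B 0x401234ULL
#define BLK_C 0x401a58ULL

/* Two executions that traverse the same set of edges in a different order,
 * e.g. a dispatch loop handling the same records in a different sequence. */
const uint64_t TRACE_ORDER1[] = { BLK_A, BLK_B, BLK_C, BLK_A, BLK_C, BLK_B, BLK_A };
const uint64_t TRACE_ORDER2[] = { BLK_A, BLK_C, BLK_B, BLK_A, BLK_B, BLK_C, BLK_A };
/* A genuinely different edge set, for contrast. */
const uint64_t TRACE_SHORT[]  = { BLK_A, BLK_B, BLK_A };
const size_t TRACE_ORDER_LEN = 7;
const size_t TRACE_SHORT_LEN = 3;

/* Edge logging as AFL's QEMU mode does it on every translated block:
 * hash the block address into a map index, XOR with the previous (shifted)
 * location, bump the hit counter. Real AFL also bucketizes hit counts
 * before comparing maps; that step is omitted here. */
static void afl_edge_log(uint8_t *map, uint64_t *prev_loc, uint64_t block_addr)
{
    uint64_t cur_loc = (block_addr >> 4) ^ (block_addr << 8);
    cur_loc &= MAP_SIZE - 1;
    map[cur_loc ^ *prev_loc]++;
    *prev_loc = cur_loc >> 1;
}

/* Fill an AFL-style edge map from a block trace. */
void edge_coverage(const uint64_t *trace, size_t n, uint8_t *map)
{
    uint64_t prev_loc = 0;
    memset(map, 0, MAP_SIZE);
    for (size_t i = 0; i < n; i++)
        afl_edge_log(map, &prev_loc, trace[i]);
}

/* Number of distinct edges the trace touched (non-zero map slots). */
size_t count_edges(const uint64_t *trace, size_t n)
{
    static uint8_t map[MAP_SIZE];
    size_t edges = 0;
    edge_coverage(trace, n, map);
    for (size_t i = 0; i < MAP_SIZE; i++)
        if (map[i]) edges++;
    return edges;
}

/* 1 if AFL's edge feedback cannot tell the two traces apart. */
int same_edge_coverage(const uint64_t *a, size_t na, const uint64_t *b, size_t nb)
{
    static uint8_t map_a[MAP_SIZE], map_b[MAP_SIZE];
    edge_coverage(a, na, map_a);
    edge_coverage(b, nb, map_b);
    return memcmp(map_a, map_b, MAP_SIZE) == 0;
}

/* Path-sensitive feedback (illustrative, not FAST-AFL's actual scheme):
 * hash the ordered block sequence with 64-bit FNV-1a, so a change in the
 * order of branches yields a new path identifier the fuzzer can reward. */
uint64_t path_hash(const uint64_t *trace, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= trace[i];
        h *= 1099511628211ULL;
    }
    return h;
}

int main(void)
{
    printf("edge maps identical: %d\n",
           same_edge_coverage(TRACE_ORDER1, TRACE_ORDER_LEN, TRACE_ORDER2, TRACE_ORDER_LEN));
    printf("path hashes: %016llx vs %016llx\n",
           (unsigned long long)path_hash(TRACE_ORDER1, TRACE_ORDER_LEN),
           (unsigned long long)path_hash(TRACE_ORDER2, TRACE_ORDER_LEN));
    printf("distinct edges: %zu (order traces), %zu (short trace)\n",
           count_edges(TRACE_ORDER1, TRACE_ORDER_LEN), count_edges(TRACE_SHORT, TRACE_SHORT_LEN));
    return 0;
}
```

The two ordered traces light up the same seven map slots once each, so an edge-coverage fuzzer would discard the second input as uninteresting, while the path hash separates them. Intel PT itself is available on Intel CPUs from Broadwell onward and needs kernel support (perf on Linux); what a feedback scheme consumes is the decoded block sequence, so decoder throughput, not the hardware trace, is usually where the cost of a PT-based fuzzer lands.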
Dr. Xinyu Xing is an Assistant Professor at the Pennsylvania State University and is currently working at JD Inc. as a visiting researcher. His research interests include exploring, designing and developing tools that automate vulnerability discovery, failure reproduction, vulnerability diagnosis (and triage), and exploit and security patch generation. He has spoken at BlackHat USA, BlackHat Europe and many academic conferences (e.g., USENIX Security and CCS), and has received best paper awards from academic conferences such as CCS and ACSAC. His work has been featured by mainstream media such as Technology Review, New Scientist and the New York Times. He was also the organizer of the NSA memory corruption forensics competition.
Yaohui Chen is a PhD student in the Computer System Security program at Northeastern University's College of Computer and Information Science, advised by Professor Long Lu. Originally from Sanya, China, Chen earned his bachelor's degree at Tongji University in Shanghai before coming to Northeastern, where he now works in Professor Lu's Research in Software and Systems Security (RiS3) lab. Chen's research centers on security in Android and Linux systems. One of his primary takeaways from his research so far is how pervasive vulnerabilities are in cyberspace. By developing defense systems that help prevent cyberattacks, he hopes to address complex issues in system security and help reduce that exposure.
Dr. Jun Xu is an Assistant Professor in the Department of Computer Science at Stevens Institute of Technology. He received his PhD from Penn State University with a focus on cyber security. His research spans software security, system security and binary analysis, and he has developed new methodologies and techniques for vulnerability finding, analysis, exploitation and mitigation. His research has led to the discovery of hundreds of previously unknown security defects. Jun is a recipient of the ACM CCS Outstanding Paper Award, the Penn State Alumni Association Dissertation Award and an RSA Security Scholarship.
Dr. Jimmy Su leads the JD security research center in Silicon Valley, which he joined in January 2017. Before joining JD, he was the director of advanced threat research at FireEye Labs, where he led the research and development of multiple world-leading security products, including network security, email security, mobile security, fraud detection and endpoint security. He led a global team with members from the United States, Pakistan and Singapore from research through product release on FireEye's first machine-learning-based malware similarity analysis cloud platform; this key technology advance was released on all core FireEye products, including network security, email security and mobile security. He won the Q2 2016 FireEye innovation award for his seminal work on similarity analysis. He earned his PhD in Computer Science at the University of California, Berkeley in 2010. After graduating, he joined Professor Dawn Song's team as a postdoc focusing on similarity analysis of x86 and Android applications. In 2011, he joined Professor Song in the mobile security startup Ensighta, leading the research and development of its automatic malware analysis platform. Ensighta was acquired by FireEye in December 2012, and he joined FireEye through the acquisition. The JD security research center in Silicon Valley focuses on seven areas: account security, APT detection, bot detection, data security, AI applications in security, Big Data applications in security, and IoT security.
Xinyu Xing (Assistant Professor) currently works at the JD Security North America research center and at Penn State University. His research is regularly published at BlackHat, DEFCON, USENIX Security and CCS, and his results have been covered by many well-known international media outlets. Jimmy Su (PhD) graduated from the University of California, Berkeley and currently heads the JD Security North America research center. The team he leads has made outstanding contributions in enterprise security; its research has been presented at BLACK HAT (USA), DEFCON, HITB and elsewhere.