
Need an account to vote? Register to attend at gsec.hitb.org/sg2017/


Beyond Crashes: Exploiting Runtime Diversity to Uncover Semantic Bugs with NEZHA

Adrian Tang


In the past years, there have been many advances in the field of automatic vulnerability discovery. Unfortunately, most of the existing work focuses on crash-inducing bugs and does not directly apply to other types of vulnerabilities, such as logic errors. In this talk, we present NEZHA, the first differential fuzzing framework targeting semantic bugs, and demonstrate how it successfully finds logic bugs in complex, real-world software like SSL/TLS libraries.

NEZHA exploits the runtime behavioral asymmetries between multiple test programs to generate inputs that are more likely to trigger semantic bugs. To do so, it utilizes similar programs as cross-referencing oracles to find errors that do not exhibit explicit erroneous behaviors like crashes or assertion failures. However, unlike existing differential testing tools, it remains input-format agnostic and does not require large numbers of inputs to find bugs; instead, it generates inputs in an evolutionary, feedback-driven manner similar to modern fuzzers. Rather than adopting a traditional coverage-guided engine, NEZHA utilizes novel guidance metrics that build upon the notion of delta-diversity, a new technique for summarizing the asymmetries observed between multiple tested applications.

In this talk we present both gray-box and black-box input generation schemes based on delta-diversity, and demonstrate how they outperform both domain-specific tools and coverage-guided fuzzers like AFL and libFuzzer when the latter are adapted for differential testing. We evaluate NEZHA on real-world, complex software, and demonstrate that delta-diversity guidance can be successful in finding logic errors while simultaneously finding the crash-inducing bugs traditionally found through coverage-based testing. We present examples of such logic and crash-inducing bugs, as well as anti-virus evasion attacks and vulnerabilities found by NEZHA in the X.509 certificate validation implementations of popular SSL libraries. Lastly, we discuss future directions for differential testing, and provide open-source implementations of the presented schemes.
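To make the black-box delta-diversity scheme concrete, here is an added illustration (not NEZHA's own code, and not from the talk): three constructed toy validators of a length-prefixed record stand in for the cross-referenced SSL/TLS libraries, the guidance signal is the tuple of their verdicts, and the evolutionary loop keeps only inputs whose tuple has not been seen before, reporting those on which the programs disagree.

```python
import random
# Constructed toy "programs": three validators of a 1-byte-length-prefixed record.
# They should agree, but two carry deliberate logic slips, standing in for the
# SSL/TLS libraries NEZHA cross-references. 0 = accept, 1 = too short, 2 = bad length.
def validator_a(data: bytes) -> int:
    if len(data) < 1:
        return 1
    return 0 if len(data) - 1 == data[0] else 2

def validator_b(data: bytes) -> int:          # slip: silently accepts trailing bytes
    if len(data) < 1:
        return 1
    return 0 if len(data) - 1 >= data[0] else 2

def validator_c(data: bytes) -> int:          # slip: rejects a valid empty payload
    if len(data) < 2:
        return 1
    return 0 if len(data) - 1 == data[0] else 2

PROGRAMS = (validator_a, validator_b, validator_c)

def output_tuple(data: bytes) -> tuple:
    """Black-box delta-diversity signal: the vector of every program's verdict."""
    return tuple(p(data) for p in PROGRAMS)   # gray-box: use per-program path ids instead

def mutate(data: bytes, rng: random.Random) -> bytes:
    b, op = bytearray(data), rng.randrange(4)
    if op == 0 and b:                         # overwrite a byte, biased to boundary values
        b[rng.randrange(len(b))] = rng.choice((0, 1, 2, 0xFF, rng.randrange(256)))
    elif op == 1:                             # insert a random byte
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    elif op == 2 and b:                       # delete a byte
        del b[rng.randrange(len(b))]
    else:                                     # truncate at a random point
        del b[rng.randrange(len(b) + 1):]
    return bytes(b)

def fuzz(seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """Keep an input only if its tuple is new (it widens delta-diversity); return {tuple: input} for disagreements."""
    rng, corpus = random.Random(rng_seed), [seed]
    seen, discrepancies = {output_tuple(seed)}, {}
    for _ in range(iterations):
        cand = mutate(rng.choice(corpus), rng)
        t = output_tuple(cand)
        if t not in seen:
            seen.add(t)
            corpus.append(cand)
            if len(set(t)) > 1:               # programs disagree: candidate semantic bug
                discrepancies[t] = cand
    return discrepancies
```

Running `fuzz(b"\x02ab", 3000)` surfaces every disagreement pattern the three validators can exhibit (a bare zero length byte, a short record, and a record with trailing bytes), each of which a single coverage-guided run of one validator would report as an ordinary, non-crashing execution.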

About Adrian Tang

Adrian Tang is a Ph.D. candidate in the Intrusion Detection Systems (IDS) Lab and the Computer Architecture and Security Technologies Lab (CASTL) at Columbia University. He is broadly interested in all aspects of systems and software security. His research examines techniques that augment or diminish security at commodity hardware-software interfaces. He is an enthusiast of binary-level reverse engineering and malware analysis.

About Theofilos Petsios

Theofilos Petsios is a Ph.D. candidate in the Network Security Lab at Columbia University, advised by Prof. Angelos D. Keromytis. His research interests include systems and network security, software testing, binary instrumentation, and privacy.