SaBRe: load-time selective binary rewriting

Arras, Paul-Antoine; Andronidis, Anastasios; Pina, Luís; Mituzas, Karolis; Shu, Qianyi; Grumberg, Daniel; Cadar, Cristian

doi:10.1007/s10009-021-00644-w

Cited by 10 publications

(5 citation statements)

References 46 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Using the in-memory filesystem tmpfs under UNIX is a well-known optimisation in the context of fuzzing. 1,2,3 SnapFuzz uses an in-memory filesystem both for efficiency and for removing the need for clean-up scripts involving filesystem state. However, we are not using tmpfs, but a custom in-memory filesystem that uses the memfd_create system call for files and the Libsqlfs library for directories (see §4.2 for details).…”

Section: Efficient State Resetmentioning

confidence: 99%

See 1 more Smart Citation

SnapFuzz: high-throughput fuzzing of network applications

Andronidis¹,

Cadar²

2022

Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis

View full text Add to dashboard Cite

In recent years, fuzz testing has benefited from increased computational power and important algorithmic advances, leading to systems that have discovered many critical bugs and vulnerabilities in production software. Despite these successes, not all applications can be fuzzed efficiently. In particular, stateful applications such as network protocol implementations are constrained by a low fuzzing throughput and the need to develop complex fuzzing harnesses that involve custom time delays and clean-up scripts.In this paper, we present SnapFuzz, a novel fuzzing framework for network applications. SnapFuzz offers a robust architecture that transforms slow asynchronous network communication into fast synchronous communication, snapshots the target at the latest point at which it is safe to do so, speeds up file operations by redirecting them to a custom in-memory filesystem, and removes the need for many fragile modifications, such as configuring time delays or writing clean-up scripts.Using SnapFuzz, we fuzzed five popular networking applications: LightFTP, TinyDTLS, Dnsmasq, LIVE555 and Dcmqrscp. We report impressive performance speedups of 62.8 x, 41.2 x, 30.6 x, 24.6 x, and 8.4 x, respectively, with significantly simpler fuzzing harnesses in all cases. Due to its advantages, SnapFuzz has also found 12 extra crashes compared to AFLNet in these applications. CCS CONCEPTS• Software and its engineering → Software testing and debugging; • Security and privacy → Systems security.

show abstract

Section: Efficient State Resetmentioning

confidence: 99%

“…As the normal execution of the loader progresses, SnapFuzz intercepts its mmap system calls used to load libraries into memory, and scans these libraries in order to recursively rewrite their system calls and redirect them to the SnapFuzz plugin. The SnapFuzz rewriter is based on the open-source load-time binary rewriter SaBRe [1].…”

Section: Binary Rewritingmentioning

confidence: 99%

SnapFuzz: high-throughput fuzzing of network applications

Andronidis¹,

Cadar²

2022

Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis

View full text Add to dashboard Cite

show abstract

“…To deal with attacks that target the in-process monitor, we could implement the in-process monitor in a safe language like Rust, or use PKU to isolate the in-process monitor from the untrusted code [64,80]. Alternatively, we could also extend Cerberus to support alternative system call interposition techniques that leverage binary rewriting [5,8,37], virtualization [10,44], or syscall user dispatch [4].…”

Section: Signal Context Attacks a Concurrent Work With Oursmentioning

confidence: 99%

You shall not (by)pass!

Voulimeneas

Vinck

Mechelinck

et al. 2022

Proceedings of the Seventeenth European Conference on Computer Systems

View full text Add to dashboard Cite

Memory Protection Keys for Userspace (PKU) is a recent hardware feature that allows programs to assign virtual memory pages to protection domains, and to change domain access permissions using inexpensive, unprivileged instructions. Several in-process memory isolation approaches leverage this feature to prevent untrusted code from accessing sensitive program state and data. Typically, PKU-based isolation schemes need to be used in conjunction with mitigations such as CFI because untrusted code, when compromised, can otherwise bypass the PKU access permissions using unprivileged instructions or operating system APIs.Recently, researchers proposed fully self-contained PKUbased memory isolation schemes that do not rely on other mitigations. These systems use exploit-proof call gates to transfer control between trusted and untrusted code, as well as a sandbox that prevents tampering with the PKU infrastructure from untrusted code.In this paper, we show that these solutions are not complete. We first develop two proof-of-concept attacks against a state-of-the-art PKU-based memory isolation scheme. We then present Cerberus, a PKU-based sandboxing framework that can overcome limitations of existing sandboxes. We apply Cerberus to several memory isolation schemes, and show that it is practical, efficient, and secure.

show abstract

“…Binary memory dependence analysis, which determines whether two machine instructions in an executable can access the same memory location, is critical for many security-sensitive tasks, including detecting vulnerabilities [18,37,86], analyzing malware [39,95], hardening binaries [4,29,45,92], and forensics [19,35,58,93]. The key challenge behind memory dependence analysis is that machine instructions often leverage indirect addressing or indirect controlflow transfer (i.e., involving dynamically computed targets) to access the memory.…”

Section: Introductionmentioning

confidence: 99%

NeuDep: Neural Binary Memory Dependence Analysis

Pei,

She,

Wang

et al. 2022

Preprint

View full text Add to dashboard Cite

Determining whether multiple instructions can access the same memory location is a critical task in binary analysis. It is challenging as statically computing precise alias information is undecidable in theory. The problem aggravates at the binary level due to the presence of compiler optimizations and the absence of symbols and types. Existing approaches either produce significant spurious dependencies due to conservative analysis or scale poorly to complex binaries.We present a new machine-learning-based approach to predict memory dependencies by exploiting the model's learned knowledge about how binary programs execute. Our approach features (i) a self-supervised procedure that pretrains a neural net to reason over binary code and its dynamic value flows through memory addresses, followed by (ii) supervised finetuning to infer the memory dependencies statically. To facilitate efficient learning, we develop dedicated neural architectures to encode the heterogeneous inputs (i.e., code, data values, and memory addresses from traces) with specific modules and fuse them with a composition learning strategy.We implement our approach in NEUDEP and evaluate it on 41 popular software projects compiled by 2 compilers, 4 optimizations, and 4 obfuscation passes. We demonstrate that NEUDEP is more precise (1.5×) and faster (3.5×) than the current state-of-the-art. Extensive probing studies on security-critical reverse engineering tasks suggest that NEUDEP understands memory access patterns, learns function signatures, and is able to match indirect calls. All these tasks either assist or benefit from inferring memory dependencies. Notably, NEUDEP also outperforms the current state-of-the-art on these tasks.

show abstract

SaBRe: load-time selective binary rewriting

Cited by 10 publications

References 46 publications

SnapFuzz: high-throughput fuzzing of network applications

SnapFuzz: high-throughput fuzzing of network applications

You shall not (by)pass!

NeuDep: Neural Binary Memory Dependence Analysis

Contact Info

Product

Resources

About