Taintgrind is a Valgrind tool that performs dynamic taint analysis by tracking tainted data through a program as it is executed. It can be used to perform reverse taint analysis to identify the origin of a crash by tainting the crashing instruction and tracking the taint backwards. Rtaint is a script that analyzes Taintgrind logs to produce graphs and slices showing the propagation of tainted values. Reverse taint analysis with these tools was able to determine the root cause for many crashes by tracing tainted inputs backwards from the crash site.
2. whoami
Security Researcher @
Interested in fuzzing and vulnerability finding
Fan of The Matrix and Hacker movies
Co-organizer of “H4x0r5 @ Warsaw” meetings
4. Crash Analysis with Reverse Taint
- What is a crash?
“Crash, or system crash, occurs when a computer program (...) stops functioning properly and exits.” *
“An application typically crashes when it performs an operation that is not allowed by the operating system. The operating system then triggers an exception or signal in the application. Unix applications traditionally responded to the signal by dumping core.” *
- Why is it important to identify a crash?
“performs an operation that is not allowed” indicates that a bug exists inside the application. Once the crash is identified and reproducible, the bug can be found.
* https://en.wikipedia.org/wiki/Crash_(computing)
5. Crash Analysis with Reverse Taint
- How to identify a crash?
“operating system then triggers an exception or signal”: different operating systems have different mechanisms to “collect” crashes. Some dump core, i.e. write the process memory to a file (Linux; note that the core file is only produced when the core-size resource limit, ulimit -c, is non-zero, and where it lands is governed by /proc/sys/kernel/core_pattern), others attach a debugger so that the user gets a debugging session with the crashed application (Windows).
- How do we get crashes?
“That, Detective, is the ‘right question.’”
“I, Robot” (2004)
6. Hunting in the wild
- How can a crash be found?
By accident, or by one of the most popular techniques, which will also be mentioned here: fuzzing. The earlier in the development process a bug is found, the lower the cost of fixing it.
- So what is ‘fuzzing’?
The idea behind fuzzing is very simple: take a malformed input and feed it to the application. Maybe it will crash. Of course, how the input is “chosen” and how the crashes are caught is a topic for other presentations.
7. Fuzzers
The godfather of all is, of course, AFL. However, recent years brought multiple fuzzers built for different purposes. Some of them are clones of AFL, some of them try to do things differently. Everyone can find something for themselves.
- American Fuzzy Lop
- HonggFuzz
- AFL++
- Angora
- QSYM
- WinAFL
8. Real Example - Fuzzing
jhead is used to display and manipulate data contained in the Exif header of JPEG images from digital cameras. By default, jhead displays the more useful camera settings from the file in a user-friendly format.
The version used here is 3.03.
http://www.sentex.net/~mwandel/jhead/
11. Crash vs Bug
- What is the difference between Crash and Bug?
A crash is the result of incorrectly working code, and that incorrect behaviour is caused by a bug. Sometimes the place where the program crashes and the place where the bug sits are “the same”, and sometimes they are not ...
- Is one crash caused by one bug?
No.
12. Crash vs Bug
Case 1. One bug causes one crash.
This is the easiest situation, as the identification is straightforward.
13. Crash vs Bug
Case 2. One bug can cause a few crashes.
This happens quite often, especially with simple buffer overflows where a “size” variable is used: the direct reads or writes land in different memory regions for different inputs, and each region produces a different-looking crash.
14. Crash vs Bug
Case 3. A few bugs can cause one crash.
This depends on how we identify a crash. The simplest example is a frame processor: for different frame types the size parser works incorrectly in different ways (several distinct bugs), and whether the faults reached along those different paths count as different crashes or as one depends on the identification method used.
15. Crash vs Bug
In an additional experiment we computed a portion of groundtruth. We applied all patches to cxxfilt from the version we fuzzed up until the present. We grouped together all inputs that a particular patch caused to now gracefully exit [11], confirming that the patch represented a single conceptual bugfix. We found that all 57,142 crashing inputs deemed “unique” by coverage profiles were addressed by 9 distinct patches.
Stack hashes did better, but still over-counted bugs. Instead of the bug mapping to, say 500 AFL coverage-unique crashes in a given trial, it would map to about 46 stack hashes, on average. Stack hashes were also subject to false negatives: roughly 16% of hashes for crashes from one bug were shared by crashes from another bug. In five cases, a distinct bug was found by only one crash, and that crash had a non-unique hash, meaning that evidence of a distinct bug would have been dropped by “de-duplication.”
“Evaluating Fuzz Testing” https://arxiv.org/pdf/1808.09700.pdf
18. Crash Analysis with Reverse Taint
- What is crash analysis and why do we need it?
Crash analysis is the process of evaluating the exploitability of a crash and identifying its root cause. If you are fuzzing something, the number of crashes can be huge. Also, the impact and consequences (criticality) the bug might have depend on the application's technology and on the system it runs in.
- So what exactly do we analyze?
There are two major things to analyze: the crash and the bug.
19. Analysis - Crash
- What type of crash is it?
For example: out-of-bounds read, NULL pointer dereference, buffer overflow, etc.
- Is the crash exploitable?
Part of the identification process is finding out whether the crash can be used to achieve something more than just crashing the application: reading a piece of data, overwriting memory or executing code.
- Critical or exploitable - what is the difference?
Exploitability relates only to the bug and the crash itself. Criticality relates to the whole environment: a safe NULL pointer dereference means something very different in nuclear power plant software and in a kids' game.
20. Analysis - Bug
The second important part of the analysis is identifying the bug. As mentioned before, there can be different relations between bug and crash.
It is also important to know how the input (which bits and bytes) correlates with the bug. This may later influence the crash and its exploitability.
- What different relations are there?
User data can control the crash directly (e.g. an offset inside a table is calculated from user data) or indirectly (e.g. user data decides that the wrong branch is taken).
For example: NULL pointer dereference vs. safe NULL pointer dereference.
21. Analysis - Bug (Direct vs. Indirect)
char *pointer = NULL;
char table[100];
int index = 0;
char user_data;               /* attacker-controlled byte */
/* Indirect: user data only decides whether the branch is taken; the fault
   itself is a fixed NULL dereference (a "safe" NULL pointer dereference) */
if (user_data > 100)
    pointer[index] = 0;
/* Direct: user data is the index, so it decides where the write lands */
table[user_data] = 0;
22. Analysis - Few Interesting Tools
crashwalk
https://github.com/bnagy/crashwalk
- cwtriage: It runs crash files with instrumentation and outputs results in various formats.
- cwdump: It summarizes crashes in a crashwalk database by major / minor stack hash. Although AFL (for example) already de-dupes crashes, bucketing summarizes those crashes by an order of magnitude or more. Crashes that bucket the same have exactly the same stack contents, so they're likely (not guaranteed) to be the same bug.
- cwfind: It is a simple utility to output the filenames of all crashes matching a given hash. I use it in combination with xargs to bulk delete / move crash files.
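The bucketing idea is easier to judge on concrete backtraces, and the same mechanism explains the over- and under-counting reported in “Evaluating Fuzz Testing” on slide 15. The following is an added example written for this page, not crashwalk's code: it parses gdb-style backtraces, computes a major hash (function names of the top frames only) and a minor hash (every frame with its file:line), and buckets four constructed crashes. The function and file names, the addresses and the five-frame depth of the major hash are assumptions chosen for illustration.

```python
"""Crash bucketing by major / minor stack hash (added example, not crashwalk code).

The backtraces below are constructed: function names, files and addresses are
made up, and the 5-frame depth of the major hash is an assumption."""
import hashlib
import re

# '#0  0x0000000000401a2b in parse_size (p=...) at parser.c:42'
FRAME_RE = re.compile(r"^#\d+\s+0x[0-9a-f]+ in (\w+) \(.*\) at ([\w./-]+):(\d+)$")


def parse_backtrace(text):
    """Return [(function, file, line), ...] for every frame line that matches."""
    frames = []
    for line in text.strip().splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((m.group(1), m.group(2), int(m.group(3))))
    return frames


def stack_hashes(frames, major_depth=5):
    """major: function names of the top frames only, so the same path faulting
    at a different address still buckets together.
    minor: every frame with file:line, so a different path into the same top
    function, or a different line inside it, gets its own hash."""
    def digest(s):
        return hashlib.sha1(s.encode()).hexdigest()[:8]
    major_src = "|".join(fn for fn, _, _ in frames[:major_depth])
    minor_src = "|".join(f"{fn}@{file}:{line}" for fn, file, line in frames)
    return digest(major_src), digest(minor_src)


def bucket(crashes, level="minor"):
    """Group crash ids sharing a hash; level='major' merges more aggressively."""
    buckets = {}
    for cid, bt in crashes.items():
        major, minor = stack_hashes(parse_backtrace(bt))
        key = major if level == "major" else (major, minor)
        buckets.setdefault(key, []).append(cid)
    return sorted(buckets.values())


# Constructed backtraces (illustrative names, not from a real program).
CRASHES = {
    # id:000000 / id:000001: same bug, same path, fault at a different address
    "id:000000": """
#0  0x0000000000401a2b in parse_size (p=0x7ffe...) at parser.c:42
#1  0x0000000000401c10 in read_frame (f=0x6030...) at parser.c:88
#2  0x0000000000402000 in process_file (path=...) at main.c:30
#3  0x0000000000402100 in main () at main.c:50
""",
    "id:000001": """
#0  0x0000000000401a3f in parse_size (p=0x7ffe...) at parser.c:42
#1  0x0000000000401c10 in read_frame (f=0x6030...) at parser.c:88
#2  0x0000000000402000 in process_file (path=...) at main.c:30
#3  0x0000000000402100 in main () at main.c:50
""",
    # id:000002: the same parse_size bug reached via another caller -> extra bucket (over-count)
    "id:000002": """
#0  0x0000000000401a2b in parse_size (p=0x7ffe...) at parser.c:42
#1  0x0000000000401d80 in read_thumbnail (f=0x6030...) at parser.c:130
#2  0x0000000000402000 in process_file (path=...) at main.c:30
#3  0x0000000000402100 in main () at main.c:50
""",
    # id:000003: a different bug a few lines further -> same major hash (merged if major-only)
    "id:000003": """
#0  0x0000000000401a90 in parse_size (p=0x7ffe...) at parser.c:45
#1  0x0000000000401c10 in read_frame (f=0x6030...) at parser.c:88
#2  0x0000000000402000 in process_file (path=...) at main.c:30
#3  0x0000000000402100 in main () at main.c:50
""",
}

if __name__ == "__main__":
    print("major+minor:", bucket(CRASHES))
    print("major only :", bucket(CRASHES, level="major"))
```

With the minor hash included, id:000002 lands in its own bucket although it is the same bug as id:000000 (the over-counting of slide 15); with the major hash alone, id:000003, a different bug, is merged into the first bucket (the false negative). Neither level replaces looking at the bug itself.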
23. Analysis - Few Interesting Tools
afl-utils
https://github.com/rc0r/afl-utils
- afl-collect: Copies all crash sample files from an afl synchronisation directory (used by multiple afl instances when run in parallel) into a single location providing easy access for further crash analysis. Also executes exploitable on them and removes uninteresting crashes.
- afl-minimize: Helps to create a minimized corpus from samples of a parallel fuzzing job.
26. Analysis - Few Interesting Tools
afl-analyze
It takes an input file, attempts to sequentially flip bytes, and observes the
behavior of the tested program. It then color-codes the input based on which
sections appear to be critical, and which are not.
While not bulletproof, it can often offer quick insights into complex file formats.
https://lcamtuf.blogspot.com/2016/02/say-hello-to-afl-analyze.html
29. Tainting
- What is tainting?
The purpose of dynamic taint analysis is to track information flow between
sources and sinks. Any program value whose computation depends on data
derived from a taint source is considered tainted. Any other value is considered
untainted.
- What are the types of tainting?
● The direct value is tainted
● Indirect/Control flow
● Address/Pointer relation
https://users.ece.cmu.edu/~aavgerin/papers/Oakland10.pdf
30. Tainting - Types
Indirect / Control Flow
    if (X > 2)
        Y = 5
    else
        Y = 10
Address / Pointer
    Y = A[X]
Direct Value
    Y = X + 2
31. Tainting Propagation (Policy)
Depending on the application, different rules can be used to propagate the taint. The
policy is a set of rules describing how the taint of the source operands is propagated
to the destination. In standard taint analysis, the destination operand is typically
marked as tainted if any of the source operands is tainted, regardless of how the
specific semantics of the instruction affects its destination operands.
32. Tainting - Issues
- What is over-tainting?
Over-tainting occurs when code or data identified by the analysis as tainted is
not in fact influenced by any taint source (a false positive).
- What is under-tainting?
Under-tainting occurs when code or data that is influenced by a taint source is
not identified by the analysis as tainted (a false negative). Such imprecision can be
problematic, especially in systems where the result of the taint analysis is critically
important.
35. Valgrind
It is an instrumentation framework for building dynamic analysis tools. It comes with
a set of tools each of which performs some kind of debugging, profiling, or similar task
that helps you improve your programs. Valgrind's architecture is modular, so new
tools can be created easily and without disturbing the existing structure.
http://valgrind.org
36. Valgrind IR
Valgrind originally had an x86-specific, part D&R (disassemble-and-resynthesise),
part C&A (copy-and-annotate), assembly-code-like IR in which the units of
translation were basic blocks. Since then Valgrind has had an architecture-neutral,
D&R, single-static-assignment (SSA) IR that is more similar to what might be used
in a compiler. IR blocks are superblocks: single-entry, multiple-exit stretches of code.
*http://valgrind.org/docs/valgrind2007.pdf
37. Single-Static-Assignment (SSA)
It is a property of an intermediate representation (IR), which requires that each
variable is assigned exactly once, and every variable is defined before it is used.
Existing variables in the original IR are split into versions, new variables typically
indicated by the original name with a subscript in textbooks, so that every definition
gets its own version. In SSA form, use-def chains are explicit and each contains a
single element.
*https://en.wikipedia.org/wiki/Static_single_assignment_form
39. Taintgrind
Taintgrind is based on Valgrind's Memcheck and the Flayer plugin.
Taintgrind borrows the bit-precise shadow memory from Memcheck and only
propagates explicit data flow. This means that Taintgrind will not propagate taint
through control structures such as if-else, for-loops and while-loops. Taintgrind will also
not propagate taint through dereferenced tainted pointers.
http://valgrind.org/docs/memcheck2005.pdf
40. Taintgrind - Propagation Rules
1. The direct value is tainted
2. Indirect/Control flow
3. Address/Pointer relation
41. Taintgrind - Propagation Rules
- What are the Taintgrind propagation rules?
The granularity of memory operations is 1 byte.
For register operations it is the size of the operand. Even if only one byte of the
register is used, the whole register will still be tainted. In such cases Taintgrind
is over-tainting.
However, because Taintgrind handles only the first type (the direct value), it is also
under-tainting.
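The following is an added example (not the talk's code and not Taintgrind's) that puts slides 30, 31, 32 and 41 into running code: a toy taint tracker over a constructed three-address IR whose propagation policy can switch the direct-value, address/pointer and control-flow relations on and off, plus a byte-granular shadow memory with operand-sized register taint. The IR, the program, the variable names and the `file[N]` source labels are all constructed for the example; the policy called "Taintgrind-like" only models the explicit-data-flow rule stated on slide 39, not Taintgrind's actual implementation.

```python
"""Toy taint tracker over a tiny three-address IR (added example, not the
talk's code and not Taintgrind's).  It models the three taint relations from
the slides and the byte/register granularity mismatch described on slide 41."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Taint = Set[str]  # names of the input bytes a value depends on


@dataclass
class Policy:
    direct: bool = True    # Y = X + 2  -> Y carries X's taint
    address: bool = True   # Y = A[X]   -> Y carries the index's taint
    control: bool = True   # if (X) ... -> assignments under the branch carry X's taint


FULL = Policy()
# Explicit data flow only: what slide 39 says Taintgrind propagates (constructed model).
TAINTGRIND_LIKE = Policy(direct=True, address=False, control=False)


def run(program: List[Tuple], inputs: Dict[str, Tuple[int, Taint]],
        memory: List[int], policy: Policy) -> Dict[str, Taint]:
    """Execute `program` (constructed IR, not VEX) and return each variable's taint.

    ("const", dst, v)   ("add"|"gt", dst, a, b)   ("load", dst, idx)  value = memory[idx]
    ("br", cond, then_pc, else_pc)   ("jmp", pc)   ("join",)   ("halt",)
    "join" is where both branches meet: control-flow taint applies only to
    assignments between a tainted "br" and the next "join" (no nesting in this toy).
    """
    vals: Dict[str, int] = {n: v for n, (v, _) in inputs.items()}
    taint: Dict[str, Taint] = {n: set(t) for n, (_, t) in inputs.items()}
    control: Taint = set()   # taint of the branch condition currently in effect
    pc = 0
    while True:
        ins, op = program[pc], program[pc][0]
        if op == "halt":
            return taint
        if op == "const":
            vals[ins[1]], taint[ins[1]] = ins[2], set(control)
        elif op in ("add", "gt"):
            _, dst, a, b = ins
            vals[dst] = vals[a] + vals[b] if op == "add" else int(vals[a] > vals[b])
            taint[dst] = set(control) | ((taint[a] | taint[b]) if policy.direct else set())
        elif op == "load":
            _, dst, idx = ins
            vals[dst] = memory[vals[idx]]
            taint[dst] = set(control) | (taint[idx] if policy.address else set())
        elif op == "br":
            _, cond, then_pc, else_pc = ins
            control = set(taint[cond]) if policy.control else set()
            pc = then_pc if vals[cond] else else_pc
            continue
        elif op == "jmp":
            pc = ins[1]
            continue
        elif op == "join":
            control = set()
        pc += 1


# Slide 30's three relations in one program; x comes from input byte 0.
PROGRAM = [
    ("const", "two", 2),
    ("add", "d", "x", "two"),   # direct value:    d = x + 2
    ("load", "p", "x"),         # address/pointer: p = A[x]
    ("gt", "c", "x", "two"),    # c = (x > 2)
    ("br", "c", 5, 7),          # control flow:    if (x > 2) y = 5 else y = 10
    ("const", "y", 5),
    ("jmp", 8),
    ("const", "y", 10),
    ("join",),
    ("halt",),
]
MEMORY = [10, 20, 30, 40, 50]            # the array A
INPUTS = {"x": (3, {"file[0]"})}         # constructed: x was read from offset 0


def compare_policies() -> Dict[str, Dict[str, Taint]]:
    """Run the same program under both policies so the difference is visible."""
    return {"taintgrind_like": run(PROGRAM, INPUTS, MEMORY, TAINTGRIND_LIKE),
            "full": run(PROGRAM, INPUTS, MEMORY, FULL)}


def load_register(shadow_mem: List[Taint], addr: int, size: int) -> Taint:
    """Register shadow state is operand-sized: any tainted byte taints the whole register."""
    reg: Taint = set()
    for byte_taint in shadow_mem[addr:addr + size]:
        reg |= byte_taint
    return reg


def store_register(shadow_mem: List[Taint], addr: int, size: int, reg: Taint) -> None:
    """A store writes the register's taint back to every byte of the destination."""
    for i in range(size):
        shadow_mem[addr + i] = set(reg)


def register_overtaint_demo() -> int:
    """Copy 4 bytes of which only one derives from the input; count tainted bytes."""
    shadow = [set() for _ in range(8)]   # byte-granular shadow memory (slide 41)
    shadow[1] = {"file[1]"}              # only byte 1 came from the input file
    store_register(shadow, 4, 4, load_register(shadow, 0, 4))
    return sum(1 for t in shadow if t)   # 1 source byte + 4 over-tainted bytes = 5


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(name, {k: sorted(v) for k, v in result.items()})
    print("tainted bytes after register copy:", register_overtaint_demo())
```

With the Taintgrind-like policy `p` and `y` stay untainted although both depend on `x` (under-tainting); with the full policy both are tainted. The register demo ends with five tainted bytes where only one input byte actually flowed, which is the over-tainting from whole-register granularity.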
43. Taintgrind
Here is an example of the logs and how the taint is propagated through the file.
The job is to find all the paths from the end of the file back to the beginning.
One instruction can be tainted by multiple inputs.
44. Taintgrind
The original Taintgrind was not usable for the purpose of reverse tainting. It was
missing a few parts.
- What was changed?
The "Read" function was not showing the size of the data that was read.
The "Load" and "Store" functions were also not showing the size of the operation.
49. Taintgrind
Command
/work/taint-analysis/valgrind-3.15.0/build/bin/valgrind --tool=taintgrind
    Calling the Taintgrind tool.
--file-filter=/work/taint-analysis/CRASH
    This is the name of the file that needs to be tainted. It must be the FULL path.
--compact=yes
    Makes the log file smaller.
--taint-start=0
    Offset inside the file.
--taint-len=1504
    Taint size.
/work/taint-analysis/jhead-3.03/jhead /work/taint-analysis/CRASH
    The program under test and the input file.
54. rtaint
- -f
This is the name of the log file created by Taintgrind. It can be the compact
version.
- -g
The script can also produce a file in dot format used to generate a graph.
- -s
This is the name of the file with the slice. Later, this can be used to display which
operations were tainted by the values.
- -k
This is the directory path where the Kaitai Struct definitions will be stored as files.
57. Reverse Tainting the Value
- With or without the file size?
What is the probability that files of different sizes with the same Kaitai Struct will
have a different root cause?
- What is the relation between the AFL unique-crash algorithm and the tainted
input?
It is an open question...
58. Reverse Tainting the Value - Results
413 total crashes found by 4 instances (1 master and 3 slaves)
- master - 44 crashes
- slave1 - 116 crashes
- slave2 - 124 crashes
- slave3 - 129 crashes
349 crashes were reproduced under Taintgrind
177 crashes had a unique Kaitai Struct.
59. Slicing
It is the computation of the set of program statements, the program slice, that may
affect the values at some point of interest, referred to as a slicing criterion.*
https://en.wikipedia.org/wiki/Program_slicing
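As an added example tying slide 43 (walking the log backwards from the last line, with one instruction tainted by several inputs) to the slicing definition above: a backward slice over a constructed, simplified taint log. This is not rtaint's code and the log lines are not Taintgrind's real format; the format (`seq | dst | op | operands`), the temporaries and the `file[N]` offset labels are all constructed for the example. Because each temporary is assigned once (SSA, slide 37), each operand has exactly one definition, so the walk is a plain worklist over use-def chains; the dot output mirrors the kind of graph the -g option is described as producing.

```python
"""Reverse taint slicing over a constructed, simplified taint log (added
example; not rtaint's code and not Taintgrind's real log format).  Each line
records one SSA temporary: its definition, the operation and the operands it
was computed from.  Starting from the last line (the crashing instruction, as
on slides 43 and 64) the use-def chains are followed backwards to the input
offsets, yielding a program slice (slide 59) and a dot graph."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log.  Format: seq | dst | op | operands (comma separated).
# READ lines name the input file offset the temporary was read from.
SAMPLE_LOG = """\
1 | t1 | READ  | file[0]
2 | t2 | READ  | file[1]
3 | t3 | READ  | file[7]
4 | t4 | ADD   | t1,t2
5 | t5 | LOAD  | t3
6 | t6 | MUL   | t4,t5
7 | t7 | ADD   | t5,t2
8 | t8 | STORE | t6
"""


@dataclass(frozen=True)
class Record:
    seq: int
    dst: str
    op: str
    srcs: Tuple[str, ...]


def parse_log(text: str) -> List[Record]:
    """Parse the constructed log format into Record objects, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, dst, op, srcs = (f.strip() for f in line.split("|"))
        records.append(Record(int(seq), dst, op, tuple(s for s in srcs.split(",") if s)))
    return records


def backward_slice(records: List[Record],
                   criterion: Optional[str] = None) -> Tuple[List[int], Set[str]]:
    """Return (sequence numbers in the slice, input offsets reaching the criterion).

    `criterion` is the temporary to start from; by default the destination of
    the last log line, i.e. the crashing instruction.  SSA guarantees a single
    definition per temporary, so `defs` maps each name to exactly one record.
    """
    defs: Dict[str, Record] = {r.dst: r for r in records}
    start = criterion or records[-1].dst
    in_slice: Set[int] = set()
    inputs: Set[str] = set()
    work = [start]
    while work:
        name = work.pop()
        rec = defs.get(name)
        if rec is None or rec.seq in in_slice:
            continue
        in_slice.add(rec.seq)
        if rec.op == "READ":
            inputs.update(rec.srcs)   # reached a taint source: an input offset
        else:
            work.extend(rec.srcs)     # one instruction may depend on several inputs
    return sorted(in_slice), inputs


def to_dot(records: List[Record], slice_seqs: List[int]) -> str:
    """Render the slice as a dot graph; edges point from operand to result."""
    keep = [r for r in records if r.seq in set(slice_seqs)]
    lines = ["digraph taint {"]
    for r in keep:
        lines.append(f'  "{r.dst}" [label="{r.seq}: {r.dst} = {r.op}"];')
        for s in r.srcs:
            lines.append(f'  "{s}" -> "{r.dst}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    seqs, offsets = backward_slice(recs)
    print("slice:", seqs, "inputs:", sorted(offsets))
    print(to_dot(recs, seqs))
```

Running it shows that line 7 is not in the slice (it does not feed the crashing store) while the crash value `t8` depends on three input offsets at once; passing a different `criterion` slices from any other temporary, which is the "arbitrary instruction" case slide 64 lists as missing from the file-based approach.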
64. What Next?
Updates
- Address
The tainting starts from the last line inside the file. This is useful when there is a
crash, but there is no way to taint an arbitrary instruction if the application doesn't
crash.
- Scripts
IDA Pro/Ghidra/Binary Ninja script for highlighting the tainted instructions. This will
make it easier to identify the data flow.
- Speed
The way it is currently written makes it slow. Optimization or a language change
(thinking about Rust) is required.
65. What Next?
Issues
Currently Taintgrind doesn't work on ARM processors. This is caused by Valgrind
itself: it is missing some of the ARM conversions. The bug has already been reported.
66. Summary
The solution is based on Valgrind/Taintgrind. That means it supports all the
systems supported by Valgrind itself (+), but it also suffers from Valgrind's issues (-)
The process of creating the taint log is time consuming (-)
rtaint can be used in most cases, making the analysis "faster" and
automated. Easy to incorporate into other tools. (+)
Python may not be the best choice for rtaint. Too slow? (-)
It requires more testing on real live applications. I'm happy to receive any
feedback :) (+)