S2E: A Platform for In Vivo Multi-Path Analysis of Software Systems. Vitaly Chipounov, Volodymyr Kuznetsov, George Candea. 16th Intl. Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), Newport Beach, CA, March 2011.
The document summarizes various techniques for automated software testing using fuzzing, including coverage-based fuzzing (AFL), directed greybox fuzzing (AflGO), and neural network-based approaches (FuzzGuard). It discusses how genetic algorithms and simulated annealing are used in AFL and AflGO respectively to guide test case mutation towards new code areas. It also provides examples of vulnerabilities found using these fuzzing tools.
This is a roughly 50-minute explanation focused on the single point that "C pointer (-typed) variables are used to handle variable-length arrays".
In the end, the 12-line program below is explained over about 47 minutes.
(The "<" on lines 7 and 11 has been omitted)
1: int size = N;                      /* N: the array length, given beforehand */
2: int x[size];                       /* variable-length array of N ints */
3: int *p;
4:
5: p = x;                             /* p points at the first element of x */
6:
7: for ( int i = 0; i < size; i++)
8:     p[i] = i;                      /* write each element through the pointer */
9:
10: int y = 0;
11: for ( int i = 0; i < size; i++)
12:     y = y + p[i];                 /* read the elements back through the pointer */
https://www.youtube.com/watch?v=KLFlk1dohKQ&t=1496s
1. The model is a polynomial regression model that fits a polynomial function to the training data.
2. The loss function used is the sum of squares of the differences between the predicted and actual target values.
3. The optimizer used is GradientDescentOptimizer which minimizes the loss function to fit the model parameters.
2. Overview: VM active monitor using the _emit pseudo-instruction
■ This paper proposes a method for actively observing and visualizing security incidents on a virtual machine using the _emit pseudo-instruction.
■ In the proposed method, registry accesses captured by a filter driver are reported to the hypervisor side using the _emit pseudo-instruction and then visualized.
■ A self-organizing map is used for the visualization (dimensionality reduction).
■ Treating the virtual Windows OS as a state machine defined by the registry, the visualized state transitions for events such as installing various software and malware infection were intuitive.
3. Virtualization vs Malware
■ Dynamic analysis of malware behavior using virtualization technology
[CCS 2008] Ether: Malware Analysis via Hardware Virtualization Extensions
[ACSAC 2009] MAVMM: Lightweight and Purpose Built VMM for Malware Analysis
[NDSS 2011] Practical Protection of Kernel Integrity for
4. Related work: the semantic gap
How can virtual machine events be captured?
■ What the semantic gap is: events inside the virtual machine appear on the virtual machine monitor side only as I/O requests.
■ The virtual machine monitor side usually cannot tell what is happening above it.
Research on bridging the semantic gap
① Lionel Litty, H. Andrés Lagar-Cavilla, David Lie: Hypervisor Support for Identifying Covertly Executing Binaries. USENIX Security Symposium 2008: 243-258
② Bryan D. Payne, Martim Carbone, Monirul Sharif, Wenke Lee: Lares: An Architecture for Secure Active Monitoring Using Virtualization. 2008 IEEE Symposium on Security and Privacy
Passive observation ⇒ snapshot analysis costs computation time and money, so the Active Monitor approach was chosen.
5. Classification of cloud computing: on-premise, HaaS, PaaS and SaaS
Four deployment styles
1 On-Premise: private cloud; own and manage all layers
2 HaaS: Hardware | OS; creating service
3 PaaS: Platform | App; creating backend application (DB)
4 SaaS: App | Script; creating frontend application (Web, etc.)
6. Classification of Virtualizations (structural)
There are 5 kinds of virtualization methods.
[1][2] Logical / physical partition: multiboot. Operating systems cannot run at the same time. Grub bootloader, BIOS firmware.
[3][4] VM / VMM: OS or VM runs virtually at the same time. Qemu, VMWare, VirtualBox, XEN, Kernel Virtual Machine.
[5] Hosting / virtual OS: multiprogramming. Application and virtualized OS run on the same kernel at the same time. OpenVZ, Application Proxy.
VMM is new in that a thin layer is inserted below the operating system. VM and resource monitor are constructed on the OS.
HaaS is deployed on [3][4].
11. Windows OS as huge state machine
SDT, registry access table (excerpt):
...
ZwCreateKey
ZwDeleteKey
ZwDeleteValueKey
ZwEnumerateKey
ZwEnumerateValueKey
ZwQueryKey
ZwQueryValueKey
ZwSetValueKey
...
Registry value represents state of Windows OS
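As an added illustration of the "registry as state machine" idea (example code written for this page, not from the slides or the paper): a constructed stream of the Zw* registry calls listed above is replayed against a minimal registry model, so that mutating calls become state transitions while read-only calls do not, and per-call counts give the kind of feature vector a dimensionality-reduction step such as a self-organizing map would consume. The event tuple format and the sample events are assumptions.

```python
"""Added example (not from the slides): replay registry syscall notifications
as transitions of a registry-defined state machine. Event format is assumed."""
from collections import Counter

# Which Zw* calls mutate the registry (state transitions) and which only read it.
MUTATING = {"ZwCreateKey", "ZwDeleteKey", "ZwDeleteValueKey", "ZwSetValueKey"}
READ_ONLY = {"ZwEnumerateKey", "ZwEnumerateValueKey", "ZwQueryKey", "ZwQueryValueKey"}
CALL_ORDER = sorted(MUTATING | READ_ONLY)   # fixed column order for feature vectors

class RegistryState:
    """Minimal model: a set of keys plus a dict of (key, value_name) -> data."""
    def __init__(self):
        self.keys = set()
        self.values = {}
        self.counts = Counter()   # per-call counts, usable as a feature vector

    def apply(self, call, key, name=None, data=None):
        """Apply one notified call; return True if the OS state changed."""
        if call not in MUTATING and call not in READ_ONLY:
            raise ValueError(f"unknown registry call: {call}")
        self.counts[call] += 1
        if call == "ZwCreateKey":
            if key in self.keys:
                return False            # opening an existing key is not a transition
            self.keys.add(key)
            return True
        if call == "ZwDeleteKey":
            changed = key in self.keys
            self.keys.discard(key)
            for k in [v for v in self.values if v[0] == key]:
                del self.values[k]      # deleting a key drops its values too
            return changed
        if call == "ZwSetValueKey":
            self.keys.add(key)          # setting a value implies the key exists
            changed = self.values.get((key, name)) != data
            self.values[(key, name)] = data
            return changed
        if call == "ZwDeleteValueKey":
            return self.values.pop((key, name), None) is not None
        return False                    # read-only calls never change the state

    def feature_vector(self):
        return [self.counts[c] for c in CALL_ORDER]

def replay(events):
    """Replay (call, key[, name[, data]]) tuples; return (state, transition count)."""
    st = RegistryState()
    transitions = 0
    for ev in events:
        transitions += st.apply(*ev)
    return st, transitions

# Constructed sample: an install-like sequence as the filter driver might report it.
SAMPLE = [
    ("ZwCreateKey", r"HKLM\SOFTWARE\ExampleApp"),
    ("ZwSetValueKey", r"HKLM\SOFTWARE\ExampleApp", "Version", "1.0"),
    ("ZwQueryValueKey", r"HKLM\SOFTWARE\ExampleApp", "Version"),
    ("ZwSetValueKey", r"HKLM\SOFTWARE\ExampleApp", "Version", "1.0"),   # no change
    ("ZwSetValueKey", r"HKLM\SOFTWARE\ExampleApp\Settings", "Path", r"C:\ExampleApp"),
    ("ZwDeleteValueKey", r"HKLM\SOFTWARE\ExampleApp", "Version"),
]
```

Replaying SAMPLE yields 4 transitions out of 6 notifications; the feature vector is what distinguishes, for instance, a read-heavy scan from a write-heavy install when fed to the map.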