Hackers of India

Follow the White Rabbit: Simplifying Fuzz Testing Using FuzzExMachina

By Bhargava Shastry, Vincent Ulitzsch, Dominik Maier on 09 Aug 2018 @ Blackhat

This talk covers the following tools that the speakers authored or contributed to:
FEXM

Presentation Material

Abstract

Setting up a fuzzing pipeline takes time and manual effort for identifying fuzzable programs and configuring the fuzzer. Usually only large software projects with dedicated testing teams at their disposal are equipped to use fuzz testing in their Security Development Lifecycle (SDL). Other projects with limited resources cannot easily use this effective technique in their SDL. This renders the software landscape unnecessarily insecure. Less popular software applications in particular are not being fuzzed, due to a lack of resources and easy-to-use tooling.

Lowering the skill level and effort required to set up a fuzzing pipeline therefore significantly improves the security of today's software. To tackle this challenge, we developed an easy-to-use framework, FuzzExMachina (FExM), that reduces manual effort to a minimum.

Using clever input inference methods and containerization, we automate the fuzzing pipeline from start to end in a scalable fashion. We support acquiring binaries from a variety of sources, including blackbox binaries and source code repositories. In cases where FExM cannot automatically achieve high coverage, it drops users into a novel AFL mode, "AFL-TimeWarp", in which they can set up test cases without needing to alter or understand the underlying code. AFL-TimeWarp mode allows fuzzing of deeper program states without writing a single line of code, fitting FExM's philosophy of keeping things simple for users.

To test the viability of our framework, we fuzzed over one hundred packages from the Arch Linux package repository with essentially zero effort. After only a few days, we had already found 11 crashes, six of which were exploitable. This shows that FExM permits automated distributed fuzzing of applications, classifies crash exploitability, and provides a web front end for navigating security issues in a convenient way. Our work automatically retrofits fuzzing into the security development lifecycle.

AI Generated Summary (may contain errors)

The speaker is discussing a fully automated fuzzing test framework for identifying bugs in software. The framework uses containerization and can be used with various binaries or distributions. It has already found numerous bugs, including crashes and out-of-bounds reads, in popular tools like Bash and libpng.

The speaker demonstrates the framework's capabilities by showing how it can interact with a command prompt and crash a binary after entering a test input. They also highlight the challenges of getting bug reports addressed by developers and maintainers, citing examples where fixes were not implemented or responses were unhelpful.

The goal of the project is to improve the framework and scale it to more repositories, such as GitHub, to identify and fix bugs more efficiently. The speaker emphasizes that while fully automated solutions are valuable, human intervention is still necessary to improve the tool and make it more effective.

Finally, the speaker announces the release of the framework to the public and invites others to contribute to the project on GitHub. They conclude by emphasizing the importance of addressing simple memory corruptions and encouraging the audience to try out the framework.