AntiFuzz: Impeding Fuzzing Audits of Binary Executables
Reviewed by Paschal Amusuo / 2022-02-21
Keywords: Fuzz Testing, Security
Fuzzing is one of the most widely used and successful methods of finding security vulnerabilities in software programs. Fuzzing tools automatically and randomly generates input to a program, and run the program using these inputs until it crashes. These crashes usually indicate the presence of a security vulnerability that can be exploited by an attacker.
But fuzzing can also be used by attackers who want to exploit the program. Can we therefore make our program difficult to fuzz so an attacker can not detect any hidden vulnerability in our program? To find out, the authors of this paper developed strategies that make fuzzing a program difficult. They identified some assumptions that existing fuzzing tools depend on to work successfully then developed a tool, AntiFuzz, that can be used to modify the target program and impede fuzzing. Some assumptions and counter-measures include:
-
Fuzzers try to generate inputs that can transverse all parts of the program code using coverage information. Hence, if we can make our program return false coverage information, fuzzing would be significantly impeded. To achieve this, AntiFuzz returns different, fake coverage information for each input to the program.
-
Fuzzers monitor the operating system in order to detect program crashes. To counter this, AntiFuzz sends fake crash signals to the operating systems.
-
Fuzzers need to execute the program many times per second in order to operate efficiently. Since most of the input generated by the fuzzers is malformed, AntiFuzz slows the program down when it detects such inputs. While this slowdown would not be noticed by a normal user, it can significantly impede the efficient operation of the fuzzer.
To see if their approach actually worked, the authors used four different state-of-the-art fuzzers to fuzz a set of target programs which contained several bugs. Their results show that AntiFuzz successfully prevented the detection of all bugs previously detected when all the counter-measures were applied.
I love their approach to impeding fuzzing because it combines multiple measures. However, by making the publicly deployed and accessible version of a program resistant to fuzzing, this would restrict the fuzzing operation to only the program developers, impeding the detection of security vulnerabilities by security researchers and white hat hackers who also rely on fuzzing.
Guler2019 Emre Güler, Cornelius Aschermann, Ali Abbasi, and Thorsten Holz: "AntiFuzz: Impeding Fuzzing Audits of Binary Executables". 2019 USENIX Security Symposium.
A general defense strategy in computer security is to increase the cost of successful attacks in both computational resources as well as human time. In the area of binary security, this is commonly done by using obfuscation methods to hinder reverse engineering and the search for software vulnerabilities. However, recent trends in automated bug finding changed the modus operandi. Nowadays it is very common for bugs to be found by various fuzzing tools. Due to ever-increasing amounts of automation and research on better fuzzing strategies, large-scale, dragnet-style fuzzing of many hundreds of targets becomes viable. As we show, current obfuscation techniques are aimed at increasing the cost of human understanding and do little to slow down fuzzing.
In this paper, we introduce several techniques to protect a binary executable against an analysis with automated bug f inding approaches that are based on fuzzing, symbolic/concolic execution, and taint-assisted fuzzing (commonly known as hybrid fuzzing). More specifically, we perform a systematic analysis of the fundamental assumptions of bug finding tools and develop general countermeasures for each assumption. Note that these techniques are not designed to target specific implementations of fuzzing tools, but address general assumptions that bug finding tools necessarily depend on. Our evaluation demonstrates that these techniques effectively impede fuzzing audits, while introducing a negligible performance overhead. Just as obfuscation techniques increase the amount of human labor needed to find a vulnerability, our techniques render automated fuzzing-based approaches futile.