Logs:

Sep 7th 2023

Fuzztruction: Using Fault Injection-based Fuzzing to Leverage Implicit Domain Knowledge

https://www.usenix.org/system/files/usenixsecurity23-bars.pdf

Overview:

Paper focuses on fuzzing programs accepting structured inputs by using fault-injection. Assuming we have a generator program, this technique intelligently mutates the instructions in the generator program to generate *mostly* well-formed inputs. Next, these inputs will be used to test target programs (i.e., those that accept structured input).

Cons:

Requires availability of the generator.
Input structure should be simple, i.e., linear.

4th March 2022

USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation

Overview:

Paper focuses on finding software vulnerabilities to which a host OS can be exposed due to a malicious USB device. An emulated device is used to feed in input to USB device drivers to fuzz them using coverage guided or dumb fuzzing techniques. It has been successful in finding a number of Bugs in different operating systems

Cons:

Cannot completely overtake syzkaller when it comes to bug funding:

Scope of improvements in coverage
Focuses on the USB host system

Possibility of missing out bugs - If fuzzer generated input is consumed, it cannot fuzz the driver further
Device driver functionality fuzzing still needs manual intervention and understanding of its functions.

18th Feb 2022

PTAuth: Temporal Memory Safety via Robust Points-to Authentication, PDF

Overview:

Categories:

Pros:

Cons:

11th Feb 2022

Retrofitting Fine Grain Isolation in the Firefox Renderer, PDF

Overview:

Categories:

Pros:

Cons:

4th Feb 2022

Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing PDF

Overview:

The paper is about creating an approach to automatically create hardware models to facilitate firmware re-hosting. The approach is to use localised symbolic execution in order to classify the MMIO access into an abstract hardware model.

Cons:

No real results on COTS binaries
Models don’t actually all types of hardware behaviours

28th Jan 2022

SoK: All You Ever Wanted to Know About x86/x64 Binary Disassembly But Were Afraid to Ask PDF

Overview:

The paper looks at the effectiveness of binary analysis tools on x86/x64 binaries. The ground truth information was collected by modifying the compiler and assembler, this information was then used to evaluate the tools.

Pros:

Some comprehensive points about the algorithms and heuristics used by the available tools
Lot of data is presented, knowing false positives and false negatives for example is valuable knowledge

Cons:

The evaluation could have been run on a set of binaries/libraries that are more common in the real world
Doesn’t describe in enough detail how exactly the compiler and linker has been modified to collect the ground truth
Language is a bit vague, thus conclusions may seem a little far fetched/ hard to understand.

Months Theme: Using Transformers on Code

(Aravind Machiry)

27th Aug 2021

XDA: Accurate, Robust Disassembly with Transfer Learning PDF

20th Aug 2021

No reading group.

13th Aug 2021

No reading group.

6 Aug 2021

Neural Transfer Learning for Repairing Security Vulnerabilities in C Code, PDF

Categories:

Machine Learning, Vulnerability Recovery, Defense

Overview:

The paper presents a technique based on transfer learning to automatically repair security vulnerabilities. Specifically, they train a transformer model to learn bug fixes and then use th trained model for fixing vulnerabilities.

Pros:

Use of transfer learning to offset dataset size.

Cons:

Low accuracy -- ~20% there are techniques (non ML based) that perform better.

30 July 2021

Binary Rewriting without Control Flow Recovery, PDF

Categories:

BinaryAnalysis, Tooling

Overview:

The paper presents techniques to introduce trampoline based patches i.e., jumps (opcode: e9) into x86 binaries. Their techniques do not depend on recovering control flow, which is considered as a hard problem on binaries.

Pros:

Simple and effective techniques.
Well-written paper.

Cons:

No explanation of the approach used to identify these tactics.
Missing explanation of a common theme tying these tactics together.

23 July 2021

An Electromagnetic Fault Injection Sensor using Hogge Phase-Detector, PDF

Categories:

Hardware defense, Defense

Overview:

The paper presents a sensor to detect EM Fault Injections on hardware. The paper proposes an all digital solution to effectively detect changes in a Ring Oscillator.

Pros:

All Digital circuits, make it easier to add to circuits
Smaller footprint compared to other works using analog components (PLLs)
Better results compared to earlier works using PLLs

Cons:

Delay route calculations can get complex for bigger designs
Location of the sensors need to be near the critical components

16 July 2021

The Seven Sins: Security Smells in Infrastructure as Code Scripts, PDF

Categories:

Software engineering suggestions, Defense

Overview:

The paper identifies security smells in Infrastructure as Code Scripts i.e.Puppet script.

They basically parse Puppet scripts to get key value pairs and pattern matches for specific security smells.

Pros:

Simple and effective idea with impressive results.

Cons:

Lack of novelty: They just use a simple regex to implement their rules, although rules are novel it was surprising to see that it boiled down to few regexes.

9 July 2021

Examiner: Automatically Locating Inconsistent Instructions Between Real Devices And Cpu Emulators For Arm, PDF

Categories:

Differential Testing, Vulnerability Detection

Overview:

The paper uses differential testing to automatically locate inconsistent instructions, which behave differently between emulators and real devices targeting ARM processors.

They use ARM instruction xml to understand the possible instruction encodings and use constraint solver to generate valid instructions i.e., instruction which will always be decoded.

Pros:

Intelligent use of constraint solver to generate mostly valid instructions.
Impressive results: They found various inconsistent instructions across different processors.

Cons:

Given that the search space is so small i.e., 4 bytes, why didn’t they just enumerate all possible instructions i.e., 2^32 and test them?

2 July 2021

Prime+Probe 1, JavaScript 0: Overcoming Browser-based Side-Channel Defenses, PDF

Categories:

Side-channel attack, Attacks

Overview:

The paper explores the possibilities of performing side channel attacks in scenarios where access to the conventional timers are restricted. It relies on performing network requests to attacker controlled servers to obtain similar information.

Pros:

Interesting approach to fingerprint users using ‘memory grams’
These attacks can later on be combined with other attacks to create more sophisticated attacks.

Cons:

Network jitter can hamper the accuracy of the attacks
Less information is provided about the experiment conditions.

25 June 2021

NTFUZZ: Enabling Type-Aware Kernel Fuzzing on Windows with Static Binary Analysis, PDF

Categories:

Fuzzing, Vulnerability Detection

Overview:

This paper uses static analysis (abstract interpretation) to determine the data types of the arguments accepted by Windows system calls.

Later, it uses these data types to mutate system call arguments.

Fuzzing methodology:

They use runtime mutation to fuzz system call arguments. Specifically, first they select some seed applications that trigger the target system call. Second, these system calls are hooked and their arguments are mutated at runtime using their types determined in the first step.

Pros:

Practical paper that works on binaries.

Cons:

Few decisions seem arbitrary without proper justification. E.g., why do they need to wait before they start fuzzing?

26th March 2021

ARBITRAR : User-Guided API Misuse Detection, IEEE Security and Privacy (2021), PDF