AFL's Blindspot and How to Resist AFL Fuzzing for Arbitrary ELF Binaries

Conference:  BlackHat USA 2018

2018-08-08

Summary

The presentation discusses a tool called Harpocrates that can be used to hide bugs in software by polluting the hash table used by fuzzers.

  • Harpocrates is a tool that can be used to hide bugs in software by polluting the hash table used by fuzzers
  • The tool works by generating a piece of code that has the same hash value as the target code block
  • The generated code is then inserted into the target program to pollute the hash table
  • The tool was tested on several binaries and was found to be effective in hiding bugs from fuzzers

The tool was tested on T-Surprise and ObjectCopy, and was found to be effective in hiding bugs from fuzzers. In one case, the tool found a bug in less than five minutes, while the fuzzer took two weeks to find the same bug. In another case, the tool found a bug in one minute, while the fuzzer took nine hours to find the same bug.

Abstract

AFL has claimed many successes in fuzzing a wide range of applications. In the past few years, researchers have continuously generated new improvements to enhance AFL's ability to find bugs. However, less attention has been given to how to hide bugs from AFL. This talk is about AFL's blindspot — a limitation of AFL and how to use this limitation to resist AFL from finding specific bugs. AFL tracks code coverage through instrumentation and uses the coverage information to guide input mutations. Instead of fully recording the complete execution paths, AFL uses a compact hash bitmap to store code coverage. This compact bitmap brings high execution speed but also a constraint: a new path can be masked by previous paths in the compact bitmap due to hash conflicts. The inaccuracy and incompleteness in coverage information sometimes prevents an AFL fuzzer from discovering potential paths that lead to new crashes. This presentation demonstrates such limitations with examples showing how the blindspot limits AFL's ability to find bugs, and how it prevents AFL from taking seeds generated from complementary approaches such as symbolic execution. To further illustrate this limitation, we build a software prototype called DeafL, which transforms and rewrites ELF binaries for the purpose of resisting AFL fuzzing. Without changing the functionality of a given ELF binary, the DeafL tool rewrites the input binary to a new ELF executable, so that a bug that AFL finds easily in the original binary becomes difficult to find in the rewritten binary.
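The masking effect described in the abstract, as an added example that is not part of the talk or of the DeafL tool: a minimal model of AFL's edge hashing (cur_location ^ prev_location, with prev_location = cur_location >> 1) and its has_new_bits() check, run over constructed basic-block ids chosen so that a genuinely new path lands only on bitmap indices that a previous path already filled. The block ids and paths are constructed for the demonstration; in a real AFL build they are random per basic block.

```python
# Added example: a small model of AFL's coverage bitmap and how a hash
# collision hides a new path. Block ids below are constructed, not real.
MAP_SIZE = 1 << 16          # AFL's default 64 KB trace bitmap

def edge_index(prev_block: int, cur_block: int) -> int:
    """afl-as instrumentation: index = cur_location ^ prev_location,
    where prev_location is the previous block's id shifted right by one."""
    return (cur_block ^ (prev_block >> 1)) & (MAP_SIZE - 1)

def trace_path(block_ids):
    """Hit counts produced by executing the given sequence of basic blocks."""
    trace = [0] * MAP_SIZE
    prev = 0                               # AFL starts with prev_location = 0
    for cur in block_ids:
        trace[edge_index(prev, cur)] += 1
        prev = cur
    return trace

def classify(count: int) -> int:
    """AFL's hit-count buckets: 0, 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+."""
    for limit, cls in ((0, 0), (1, 1), (2, 2), (3, 4), (7, 8),
                       (15, 16), (31, 32), (127, 64)):
        if count <= limit:
            return cls
    return 128

def has_new_bits(virgin, trace) -> int:
    """AFL's has_new_bits(): 2 = new edge, 1 = only a new hit-count bucket,
    0 = nothing new. Clears the seen bits from the virgin map, as AFL does."""
    ret = 0
    for i, count in enumerate(trace):
        cls = classify(count)
        if cls and (cls & virgin[i]):
            ret = 2 if virgin[i] == 0xFF else max(ret, 1)
            virgin[i] &= ~cls & 0xFF
    return ret

def demo():
    # Constructed paths: "buggy" diverges from "benign" at its third block,
    # but both of its new edges hash to indices the benign path already set.
    benign  = [0x1000, 0x2000, 0x3000, 0x0400]   # already in AFL's queue
    buggy   = [0x1000, 0x2000, 0x0C00, 0x2600]   # new path, fully masked
    unlucky = [0x1000, 0x2000, 0x0C00, 0x5000]   # same divergence, no collision
    virgin = [0xFF] * MAP_SIZE
    first   = has_new_bits(virgin, trace_path(benign))    # 2: new edges
    masked  = has_new_bits(virgin, trace_path(buggy))     # 0: AFL discards it
    visible = has_new_bits(virgin, trace_path(unlucky))   # 2: kept as a new seed
    return first, masked, visible

if __name__ == "__main__":
    print(demo())   # (2, 0, 2)
```

A return of 0 for the buggy path is exactly the blindspot: the input exercised two edges AFL had never seen, but because their indices collide with earlier ones it is not saved to the queue and never mutated further.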
