Hendra Gunadi

Adrian Herrera, Hendra Gunadi, Liam Hayes et al.

Mutation-based fuzzing typically uses an initial set of non-crashing seed inputs (a corpus) from which to generate new inputs by mutation. A corpus of potential seeds will often contain thousands of similar inputs. This lack of diversity can lead to wasted fuzzing effort by exhaustive mutation from all available seeds. To address this, fuzzers come with distillation tools (e.g., afl-cmin) that select the smallest subset of seeds that triggers the same range of instrumentation data points as the full corpus. Common practice suggests that minimizing the number and cumulative size of the seeds leads to more efficient fuzzing, which we explore systematically. We present results of 34+ CPU-years of fuzzing with five distillation approaches to understand their impact in finding bugs in real-world software. We evaluate a number of techniques, includibng the existing afl-cmin and Minset, and also MoonLight---a freely available, configurable, state-of-the-art, open-source, tool. Our experiments compare the effectiveness of distillation approaches, targeting the Google Fuzzer Test Suite and a diverse set of six real-world libraries and programs, covering 13 different input file formats across 16 programs. Our results show that distillation is a necessary precursor to any fuzzing campaign when starting with a large initial corpus. We compare the effectiveness of alternative distillation approaches. Notably, our experiments reveal that state-of-the-art distillation tools (such as MoonLight and Minset) do not exclusively find all of the 33 bugs (in the real-world targets) exposed by our combined campaign: each technique appears to have its own strengths. We find (and report) new bugs with MoonLight that are not found by Minset, and vice versa. Moreover, afl-cmin fails to reveal many of these bugs. Of the 33 bugs revealed in our campaign, seven new bugs have received CVEs.

Hendra Gunadi, Alwen Tiu

We present a design and an implementation of a security policy specification language based on metric linear-time temporal logic (MTL). MTL features temporal operators that are indexed by time intervals, allowing one to specify timing-dependent security policies. The design of the language is driven by the problem of runtime monitoring of applications in mobile devices. A main case the study is the privilege escalation attack in the Android operating system, where an app gains access to certain resource or functionalities that are not explicitly granted to it by the user, through indirect control flow. To capture these attacks, we extend MTL with recursive definitions, that are used to express call chains betwen apps. We then show how the metric operators of MTL, in combination with recursive definitions, can be used to specify policies to detect privilege escalation, under various fine grained constraints. We present a new algorithm, extending that of linear time temporal logic, for monitoring safety policies written in our specification language. The monitor does not need to store the entire history of events generated by the apps, something that is crucial for practical implementations. We modified the Android OS kernel to allow us to insert our generated monitors modularly. We have tested the modified OS on an actual device, and show that it is effective in detecting policy violations.