AntiFuzz: Impeding Fuzzing Audits of Binary Executables

Related tags

Deep Learningantifuzz
Overview

AntiFuzz: Impeding Fuzzing Audits of Binary Executables

Get the paper here: https://www.usenix.org/system/files/sec19-guler.pdf

Usage:

The python script antifuzz_generate.py generates a "antifuzz.h" file that you need to include in your C project (see chapter below). The script takes multiple arguments to define which features you want to activate.

To disable all features, supply:

  --disable-all

To break assumption (A), i.e. to break coverage-guided fuzzing, use:

  --enable-anti-coverage

You can specify how many random BBs and random constrain functions you want to have by supplying "--anti-coverage [num]" (default: 10000).

To break assumption (B), i.e. to prevent fuzzers from detecting crashes, use:

  --signal --crash-action exit

To break assumption (C), i.e. to decrease the performance of the application when being fuzzed, use:

  --enable-sleep --signal

Additionaly, you can supply "--sleep [ms]" to set the length of the sleep in milliseconds (default: 750). You can also replace the crash behavior by supplying "--crash-action timeout" to replace every crash with a timeout.

To break assumption (D), i.e. to boggle down symbolic execution engines, use:

  --hash-cmp --enable-encrypt-decrypt

To enable all features, use:

  --enable-anti-coverage --signal --crash-action exit --enable-sleep --signal --hash-cmp --enable-encrypt-decrypt

Demo

To test it out, we supplied a demo application called antifuzz_test.c that just checks for "crsh" with single byte comparisons, and crashes if that's the case. It configures itself to fit the generated antifuzz header file, i.e. when hash comparisons are demanded via antifuzz_generate.py, antifuzz_test will compare the hashes instead of the plain constants.

First, generate the antifuzz.h file:

python antifuzz_generate.py --enable-anti-coverage --signal --crash-action exit --enable-sleep --signal --hash-cmp --enable-encrypt-decrypt

Next, compile the demo application with afl-gcc after installing AFL 2.52b (note that this may take minutes (!) depending on the number of random BBs added):

afl-gcc antifuzz_test.c -o antifuzz_test 

Run it in AFL to test it out:

mkdir inp; echo 1234 > inp/a.txt; afl-fuzz -i inp/ -o /dev/shm/out -- ./antifuzz_test @@

If you enabled all options, AFL may take a long time to start because the application is slowed down (to break assumption (C))

Protecting Applications

To include it in your own C project, follow these instructions (depending on your use-case and application, you might want to skip some of them):

1.

Add

#include "antifuzz.h"

to the header.

2.

Jump to the line that opens the (main) input file, the one that an attacker might target as an attack vector, and call

antifuzz_init("file_name_here", FLAG_ALL); 

This initializes AntiFuzz, checks if overwriting signals is possible, checks if the application is ptrace'd, puts the input through encryption and decryption, jumps through random BBs, etc.

3.

Find all lines and blocks of code that deal with malformed input files or introduce those yourself. It's often the case that these lines already exist to print some kind of error or warning message (e.g. "this is not a valid ... file"). Add a call to

antifuzz_onerror()

everywhere you deem appropriate.

4.

Find comparisons to constants (e.g. magic bytes) that you think are important for this file format, and change the comparison to hash comparisons. Add your constant to antifuzz_constants.tpl.h like this:

char *antifuzzELF = "ELF";

Our generator script will automatically change these lines to their respective SHA512 hashes when generating the final header file, you do not have to do this manually. Now change the lines from (as an example):

if(strcmp(header, "ELF") == 0)

to

if(antifuzz_str_equal(header, antifuzzELF))

See antifuzz.tpl.h for more comparison functions.

5.

If you have more data that you want to protect from symbolic execution, use:

antifuzz_encrypt_decrypt_buf(char *ptr, size_t fileSize) 
Owner
Chair for Sys­tems Se­cu­ri­ty
Chair for Sys­tems Se­cu­ri­ty
Image augmentation library in Python for machine learning.

Augmentor is an image augmentation library in Python for machine learning. It aims to be a standalone library that is platform and framework independe

Marcus D. Bloice 4.8k Jan 07, 2023
Image-based Navigation in Real-World Environments via Multiple Mid-level Representations: Fusion Models Benchmark and Efficient Evaluation

Image-based Navigation in Real-World Environments via Multiple Mid-level Representations: Fusion Models Benchmark and Efficient Evaluation This reposi

First Person Vision @ Image Processing Laboratory - University of Catania 1 Aug 21, 2022
LIMEcraft: Handcrafted superpixel selectionand inspection for Visual eXplanations

LIMEcraft LIMEcraft: Handcrafted superpixel selectionand inspection for Visual eXplanations The LIMEcraft algorithm is an explanatory method based on

MI^2 DataLab 4 Aug 01, 2022
PyTorch implementation of the R2Plus1D convolution based ResNet architecture described in the paper "A Closer Look at Spatiotemporal Convolutions for Action Recognition"

R2Plus1D-PyTorch PyTorch implementation of the R2Plus1D convolution based ResNet architecture described in the paper "A Closer Look at Spatiotemporal

Irhum Shafkat 342 Dec 16, 2022
Stacked Recurrent Hourglass Network for Stereo Matching

SRH-Net: Stacked Recurrent Hourglass Introduction This repository is supplementary material of our RA-L submission, which helps reviewers to understan

28 Jan 03, 2023
Implementation of FitVid video prediction model in JAX/Flax.

FitVid Video Prediction Model Implementation of FitVid video prediction model in JAX/Flax. If you find this code useful, please cite it in your paper:

Google Research 62 Nov 25, 2022
Differentiable Prompt Makes Pre-trained Language Models Better Few-shot Learners

DART Implementation for ICLR2022 paper Differentiable Prompt Makes Pre-trained Language Models Better Few-shot Learners. Environment

ZJUNLP 83 Dec 27, 2022
Official PyTorch implementation of "Improving Face Recognition with Large AgeGaps by Learning to Distinguish Children" (BMVC 2021)

Inter-Prototype (BMVC 2021): Official Project Webpage This repository provides the official PyTorch implementation of the following paper: Improving F

Jungsoo Lee 16 Jun 30, 2022
Linear Variational State Space Filters

Linear Variational State Space Filters To set up the environment, use the provided scripts in the docker/ folder to build and run the codebase inside

0 Dec 13, 2021
PyTorch implementation(s) of various ResNet models from Twitch streams.

pytorch-resnet-twitch PyTorch implementation(s) of various ResNet models from Twitch streams. Status: ResNet50 currently not working. Will update in n

Daniel Bourke 3 Jan 11, 2022
Neon-erc20-example - Example of creating SPL token and wrapping it with ERC20 interface in Neon EVM

Example of wrapping SPL token by ERC2-20 interface in Neon Requirements Install

7 Mar 28, 2022
BarcodeRattler - A Raspberry Pi Powered Barcode Reader to load a game on the Mister FPGA using MBC

Barcode Rattler A Raspberry Pi Powered Barcode Reader to load a game on the Mist

Chrissy 29 Oct 31, 2022
This is the official code for the paper "Tracker Meets Night: A Transformer Enhancer for UAV Tracking".

SCT This is the official code for the paper "Tracker Meets Night: A Transformer Enhancer for UAV Tracking" The spatial-channel Transformer (SCT) enhan

Intelligent Vision for Robotics in Complex Environment 27 Nov 23, 2022
OpenGAN: Open-Set Recognition via Open Data Generation

OpenGAN: Open-Set Recognition via Open Data Generation ICCV 2021 (oral) Real-world machine learning systems need to analyze novel testing data that di

Shu Kong 90 Jan 06, 2023
A python library for time-series smoothing and outlier detection in a vectorized way.

tsmoothie A python library for time-series smoothing and outlier detection in a vectorized way. Overview tsmoothie computes, in a fast and efficient w

Marco Cerliani 517 Dec 28, 2022
Lipschitz-constrained Unsupervised Skill Discovery

Lipschitz-constrained Unsupervised Skill Discovery This repository is the official implementation of Seohong Park, Jongwook Choi*, Jaekyeom Kim*, Hong

Seohong Park 17 Dec 18, 2022
This repository includes different versions of the prescribed-time controller as Simulink blocks and MATLAB script codes for engineering applications.

Prescribed-time Control Prescribed-time control (PTC) blocks in Simulink environment, MATLAB R2020b. For more theoretical details, refer to the papers

Amir Shakouri 1 Mar 11, 2022
MOOSE (Multi-organ objective segmentation) a data-centric AI solution that generates multilabel organ segmentations to facilitate systemic TB whole-person research

MOOSE (Multi-organ objective segmentation) a data-centric AI solution that generates multilabel organ segmentations to facilitate systemic TB whole-person research.The pipeline is based on nn-UNet an

QIMP team 30 Jan 01, 2023
Official PyTorch Implementation of "AgentFormer: Agent-Aware Transformers for Socio-Temporal Multi-Agent Forecasting".

AgentFormer This repo contains the official implementation of our paper: AgentFormer: Agent-Aware Transformers for Socio-Temporal Multi-Agent Forecast

Ye Yuan 161 Dec 23, 2022
Interpretable and Generalizable Person Re-Identification with Query-Adaptive Convolution and Temporal Lifting

QAConv Interpretable and Generalizable Person Re-Identification with Query-Adaptive Convolution and Temporal Lifting This PyTorch code is proposed in

Shengcai Liao 166 Dec 28, 2022