Technology Showcase

Coverage-based greybox fuzzing (CGF) is one of the most successful methods for automated vulnerability detection. Given a seed file (as a sequence of bits), CGF randomly flips, deletes or bits to generate new files. CGF iteratively constructs (and fuzzes) a seed corpus by retaining those generated files which enhance coverage. However, random bitflips are unlikely to produce valid files (or valid chunks in files), for applications processing complex file formats.

In this work, we introduce smart greybox fuzzing (SGF) which leverages a high-level structural representation of the seed file to generate new files. We define innovative mutation operators that work on the virtual file structure rather than on the bit level which allows SGF to explore completely new input domains while maintaining file validity. We introduce a novel validity-based power schedule that enables SGF to spend more time generating files that are more likely to pass the parsing stage of the program, which can expose vulnerabilities much deeper in the processing logic.

Our evaluation demonstrates the effectiveness of SGF. On several libraries that parse structurally complex files, our tool AFLSMART explores substantially more paths (up to 200%) and exposes more vulnerabilities than baseline AFL. Our tool AFLSMART has discovered 42 zero-day vulnerabilities in widely-used, well-tested tools and libraries; so far 17 CVEs were assigned.

The tool is available at https://github.com/aflsmart/aflsmart.

oo7: Spectre Attack Defender

Contact Person: Abhik Roychoudhury

The Spectre vulnerability in modern processors has been reported earlier this year (2018). The key insight in this vulnerability is that speculative execution in processors can be misused to access secrets speculatively. Subsequently even though the speculatively executed states are squashed, the secret may linger in micro-architectural data structures such as cache, and hence can be potentially accessed by an attacker via side channels. In this report, we propose oo7, a binary analysis framework to check and fix code snippets against potential vulnerability to Spectre attacks. Our solution employs control flow extraction, taint analysis and address analysis to detect tainted conditional branches and their ability to impact memory accesses. Fixing is achieved by selectively inserting a small number of fences, instead of inserting fences after every conditional branch. Due to the accuracy of our analysis, oo7 suggests inserting less fences, and is shown experimentally to impose acceptably low performance overheads; less than 2% performance overhead is observed in our experiments on GNU Core utilities. Moreover, the accuracy of the analysis allows oo7 to effectively detect fourteen (14) out of the fifteen (15) Spectre vulnerable code patterns proposed by Paul Kocher fifteen (15) Spectre vulnerable code patterns proposed by Paul Kocher, a feat that could not be achieved by the Spectre mitigation in C/C++ compiler proposed by Microsoft. The news coverage is available at http://www.comp.nus.edu.sg/~abhik/News/TheRegister2018.pdf.

Zilliqa

Contact Person: Prateek Saxena

A spinoff called “Zilliqa Research” has launched a new blockchain protocol based on secure sharding, derived from a paper that appeared at ACM CCS'16 and it is one of the intellectual contributions out of Tsunami project.

Zlliqa is the world's first high-throughput public blockchain platform - designed to scale to thousands of transactions per second. It brings the theory of sharding to practice with its novel protocol that increases transaction rates as its network expands. The platform is tailored towards enabling secure data-driven decentralised apps, designed to meet the scaling requirements of machine learning and financial algorithms. It has been under research and development for two years, and powered several ground-breaking deployments commercially. More details are available at https://www.zilliqa.com/.

Automated Program Repair

Contact Person: Abhik Roychoudhury

Software almost always has bugs. Many of these bugs cause serious problems such as software crash and leakage of sensitive user information. To fix bugs, software engineers have been fighting an endless battle with bugs. The cost of this battle is enormous—$312 billion per year globally as of 2012 according to Cambridge University research (in comparison, the GDP of Singapore is $308 billion as of 2014). Clearly, there is a strong need for more economical debugging methods.

In our group, we have been conducting research on how to automatically fix bugs. Our latest tool, Angelix, can automatically fix the bugs of real-world software such as PHP and OpenSSL. For example, Angelix can fix the Heartbleed bug automatically.

Our program repair tool is available at http://angelix.io/. The source code of our repair tool is available along with installation instructions and a tutorial. If you want to quickly see how the tool works without the hassle of installation, a VirtualBox image can be requested in the same URL.

Getting a fast website reliably across different browsers and devices is extremely hard. Dexecure integrates into your existing build pipeline to generate an optimised website every single time! We generate multiple versions of your website specifically optimised for each browser. By serving the appropriate version to each browser, we are able to ensure best possible experience for each user!

The security of software systems is extremely important. Software controls our financial systems, drives our cars, builds our tools, and entertains our kids. It is paramount that we expose and fix vulnerabilities before they are exploited with malicious intent and before they cause disastrous incidents or economic loss. In recent years, automated test generation and specifically fuzzing has gained much traction and is now used routinely in the security practice. Fuzzing is a technique that stresses a software system with huge amounts of random inputs in an attempt to make it crash. We have taken the state-of-the-art fuzzer American Fuzzy Lop (AFL) and made it even better. Our fuzzer outperforms the traditional AFL by an order of magnitude. Our tool, AFLFast exposed several unreported vulnerabilities that could not be exposed by AFL in 24 hours and otherwise exposes vulnerabilities significantly faster than AFL and generating orders of magnitude more crashing test cases. More details about the technique can be discussed with partners interested in using our technology. It is available at https://github.com/mboehme/aflfast.

Directed greybox fuzzing tool, AFLGo which integrated with OSS-Fuzz. AFLGo is more effective and efficient in terms of detecting more vulnerabilities and reach more targets in the same time as compared to the directed white box fuzzing and the existing greybox fuzzer which cannot be directed. AFLGo makes the fuzz tester reach the specific locations.

Popular low-level languages such as C and C++ allow directly manipulation of pointers and arbitrary access to memory. This is great for efficiency but it also allows for memory bugs -- and memory bugs are the main source of software security vulnerabilities.

Efforts to prevent memory bugs in low-level languages have produced mixed results. Popular memory safety systems, such as AddressSanitizer, are very heavyweight and are only intended for software testing rather than to be deployed in hardened production code. A lightweight solution is needed. Another important requirement is that of binary compatibility. Ideally code in libraries can be used "as is" without additional effort.

Low fat pointers are a method for encoding meta information into native machine pointers without incurring additional memory overheads. This meta information can be used to store useful information, such as information regarding object bounds, that can be used to harden software against memory bugs. Since low fat pointers are just regular machine pointers, the low overheads and high compatibility with existing legacy software components (a.k.a. libraries) and environments makes it the ideal technology for production level code.

We have developed a low fat pointer hardening tool -- called LowFat -- based on an LLVM compiler transformation and supporting runtime environment. Low fat hardened binaries incur near zero memory overheads, are binary compatible, and have minimal time overhead compared to existing memory error detection systems. It is available at https://github.com/GJDuck/LowFat.

You are here

Technology Showcase