Technology Showcase

AFLSmart: Smart Greybox Fuzzing

Contact Person: Abhik Roychoudhury

Coverage-based greybox fuzzing (CGF) is one of the most successful methods for automated vulnerability detection. Given a seed file (as a sequence of bits), CGF randomly flips, deletes or bits to generate new files. CGF iteratively constructs (and fuzzes) a seed corpus by retaining those generated files which enhance coverage. However, random bitflips are unlikely to produce valid files (or valid chunks in files), for applications processing complex file formats.

In this work, we introduce smart greybox fuzzing (SGF) which leverages a high-level structural representation of the seed file to generate new files. We define innovative mutation operators that work on the virtual file structure rather than on the bit level which allows SGF to explore completely new input domains while maintaining file validity. We introduce a novel validity-based power schedule that enables SGF to spend more time generating files that are more likely to pass the parsing stage of the program, which can expose vulnerabilities much deeper in the processing logic.

Our evaluation demonstrates the effectiveness of SGF. On several libraries that parse structurally complex files, our tool AFLSMART explores substantially more paths (up to 200%) and exposes more vulnerabilities than baseline AFL. Our tool AFLSMART has discovered 42 zero-day vulnerabilities in widely-used, well-tested tools and libraries; so far 17 CVEs were assigned.

The tool is available at https://github.com/aflsmart/aflsmart.

oo7: Spectre Attack Defender

Contact Person: Abhik Roychoudhury


The Spectre vulnerability in modern processors has been reported earlier this year (2018). The key insight in this vulnerability is that speculative execution in processors can be misused to access secrets speculatively. Subsequently even though the speculatively executed states are squashed, the secret may linger in micro-architectural data structures such as cache, and hence can be potentially accessed by an attacker via side channels. In this report, we propose oo7, a binary analysis framework to check and fix code snippets against potential vulnerability to Spectre attacks. Our solution employs control flow extraction, taint analysis and address analysis to detect tainted conditional branches and their ability to impact memory accesses. Fixing is achieved by selectively inserting a small number of fences, instead of inserting fences after every conditional branch. Due to the accuracy of our analysis, oo7 suggests inserting less fences, and is shown experimentally to impose acceptably low performance overheads; less than 2% performance overhead is observed in our experiments on GNU Core utilities. Moreover, the accuracy of the analysis allows oo7 to effectively detect fourteen (14) out of the fifteen (15) Spectre vulnerable code patterns proposed by Paul Kocher fifteen (15) Spectre vulnerable code patterns proposed by Paul Kocher, a feat that could not be achieved by the Spectre mitigation in C/C++ compiler proposed by Microsoft. The news coverage is available at http://www.comp.nus.edu.sg/~abhik/News/TheRegister2018.pdf.



Zilliqa

Contact Person: Prateek Saxena


A spinoff called “Zilliqa Research” has launched a new blockchain protocol based on secure sharding, derived from a paper that appeared at ACM CCS'16 and it is one of the intellectual contributions out of Tsunami project.

Zlliqa is the world's first high-throughput public blockchain platform - designed to scale to thousands ​of transactions per second. It brings the theory of sharding to practice with its novel protocol that increases transaction rates as its network expands. The platform is tailored towards enabling secure data-driven decentralised apps, designed to meet the scaling requirements of machine learning and financial algorithms. It has been under research and development for two years, and powered several ground-breaking deployments commercially. More details are available at https://www.zilliqa.com/.



Automated Program Repair

Contact Person: Abhik Roychoudhury