Fuzz Testing


The Experts below are selected from a list of 915 Experts worldwide ranked by ideXlab platform

Marcos Diaz - One of the best experts on this subject based on the ideXlab platform.

  • Systematic Fuzz Testing Techniques on a Nanosatellite Flight Software for Agile Mission Development
    IEEE Access, 2021
    Co-Authors: Tamara Gutierrez, Alexandre Bergel, Carlos Gonzalez, Camilo J Rojas, Marcos Diaz
    Abstract:

    The success of CubeSat space missions depends on the ability to perform properly in a harsh environment. A key component in space missions is the flight software, which manages all of the processes executed by the satellite on its onboard computer. Literature shows that CubeSat missions suffer high infant mortality, and many spacecraft failures are related to flight software errors, some of them resulting in complete mission loss. Extensive operation testing is the primary technique used by CubeSat developers to ensure flight software quality and avoid such failures. The “New Space” requirements press to add “agility” to the software development, which could limit the capacity to test. While advanced and beneficial software testing techniques are found in the software engineering field, CubeSat software solutions mostly rely on unit testing, software-in-the-loop simulation, and hardware-in-the-loop simulation. In this work, fuzz testing techniques were developed, implemented, and evaluated as a manner to expedite operational testing of CubeSats while maintaining their completeness. The impact of the tools was evaluated by using the three new 3U CubeSats under development at the University of Chile. We identified twelve bugs not covered by classic testing strategies in less than three days. These failures were reported, fixed, and characterized by the developers in eight sprint sessions. Our results indicate that fuzz testing improved the completeness of flight software testing through automation and with almost no development interruption. Although our approach has been tested on the SUCHAI flight software, it applies to systems that follow a similar architecture.

  • Toward Applying Fuzz Testing Techniques on the SUCHAI Nanosatellites Flight Software
    2020 IEEE Congreso Bienal de Argentina (ARGENCON), 2020
    Co-Authors: Tamara Gutierrez, Alexandre Bergel, Carlos Gonzalez, Camilo J Rojas, Marcos Diaz
    Abstract:

    The success of the CubeSat nanosatellite space missions depends on all systems' ability to perform properly in a harsh environment. A key component in every space mission is the flight software, which manages all the processes that must be performed by the satellite on its onboard computer. Literature shows that CubeSat missions suffer high infant mortality, and many spacecraft failures are related to flight software errors, some of them resulting in a complete mission loss. Extensive software testing is the primary tool used by flight software developers to ensure code quality and avoid such failures. Nevertheless, CubeSat developers tend to use COTS or flight-proven solutions, which usually have low testing coverage. Nowadays, there is still some pending matter in the field of testing nanosatellite flight software, and some of the most used solutions do not even report unit tests. To overcome the trade-off between agile CubeSat development and delivering quality software, we propose the use of fuzz testing techniques applied to the SUCHAI series of nanosatellites, being developed at the University of Chile. The successful application of this technique allowed us to find and solve many bugs not covered by classic strategies, such as unit testing and software-in-the-loop simulation.

Alexandre Bergel - One of the best experts on this subject based on the ideXlab platform.

  • Systematic Fuzz Testing Techniques on a Nanosatellite Flight Software for Agile Mission Development
    IEEE Access, 2021
    Co-Authors: Tamara Gutierrez, Alexandre Bergel, Carlos Gonzalez, Camilo J Rojas, Marcos Diaz
    Abstract: as listed above under Marcos Diaz.

  • Fuzz Testing in Behavior-Based Robotics
    International Conference on Robotics and Automation, 2021
    Co-Authors: Rodrigo Delgado, Miguel Campusano, Alexandre Bergel
    Abstract:

    The behavior of a robot is typically expressed as a set of source code files written using a programming language. As for any software engineering activity, programming robotic behaviors is a complex and error-prone task. This paper proposes a methodology that aims to reduce the cost of producing reliable software describing a robotic behavior by automatically testing it. We employ a fuzz testing technique to stress software components with randomly generated data. By applying fuzz testing to a complex robotic software, we identified errors related to the coding, the way data is handled, the logic of the robotic behavior, and the initialization of architectural components. Furthermore, a panel of experts acquainted with the analyzed behavior has highlighted the relevance and the significance of our findings. Our fuzzer operates on the SMACH and ROS frameworks and is available under the MIT open source license.

  • Toward Applying Fuzz Testing Techniques on the SUCHAI Nanosatellites Flight Software
    2020 IEEE Congreso Bienal de Argentina (ARGENCON), 2020
    Co-Authors: Tamara Gutierrez, Alexandre Bergel, Carlos Gonzalez, Camilo J Rojas, Marcos Diaz
    Abstract: as listed above under Marcos Diaz.

Wei Zou - One of the best experts on this subject based on the ideXlab platform.

  • Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution
    ACM Transactions on Information and System Security, 2011
    Co-Authors: Tielei Wang, Guofei Gu, Tao Wei, Wei Zou
    Abstract:

    Fuzz testing has proven successful in finding security vulnerabilities in large programs. However, traditional fuzz testing tools have a well-known common drawback: they are ineffective if most generated inputs are rejected at the early stage of program running, especially when target programs employ checksum mechanisms to verify the integrity of inputs. This article presents TaintScope, an automatic fuzzing system using dynamic taint analysis and symbolic execution techniques, to tackle the above problem. TaintScope has several novel features: (1) TaintScope is a checksum-aware fuzzing tool. It can identify checksum fields in inputs, accurately locate checksum-based integrity checks by using branch profiling techniques, and bypass such checks via control flow alteration. Furthermore, it can fix checksum values in generated inputs using combined concrete and symbolic execution techniques. (2) TaintScope is a taint-based fuzzing tool working at the x86 binary level. Based on fine-grained dynamic taint tracing, TaintScope identifies the “hot bytes” in a well-formed input that are used in security-sensitive operations (e.g., invoking system/library calls), and then focuses on modifying such bytes with random or boundary values. (3) TaintScope is also a symbolic-execution-based fuzzing tool. It can symbolically evaluate a trace, reason about all possible values that can execute the trace, and then detect potential vulnerabilities on the trace. We evaluate TaintScope on a number of large real-world applications. Experimental results show that TaintScope can accurately locate the checksum checks in programs and dramatically improve the effectiveness of fuzz testing. TaintScope has already found 30 previously unknown vulnerabilities in several widely used applications, including Adobe Acrobat, Flash Player, Google Picasa, and Microsoft Paint. Most of these severe vulnerabilities have been confirmed by Secunia and oCERT, and assigned CVE identifiers (such as CVE-2009-1882, CVE-2009-2688). Vendor patches have been released or are in preparation based on our reports.

  • TaintScope: A checksum-aware directed Fuzzing tool for automatic software vulnerability detection
    Proceedings - IEEE Symposium on Security and Privacy, 2010
    Co-Authors: Tielei Wang, Guofei Gu, Tao Wei, Wei Zou
    Abstract:

    Fuzz testing has proven successful in finding security vulnerabilities in large programs. However, traditional fuzz testing tools have a well-known common drawback: they are ineffective if most generated malformed inputs are rejected in the early stage of program running, especially when target programs employ checksum mechanisms to verify the integrity of inputs. In this paper, we present TaintScope, an automatic fuzzing system using dynamic taint analysis and symbolic execution techniques, to tackle the above problem. TaintScope has several novel contributions: 1) TaintScope is the first checksum-aware fuzzing tool to the best of our knowledge. It can identify checksum fields in input instances, accurately locate checksum-based integrity checks by using branch profiling techniques, and bypass such checks via control flow alteration. 2) TaintScope is a directed fuzzing tool working at the x86 binary level (on both Linux and Windows). Based on fine-grained dynamic taint tracing, TaintScope identifies which bytes in a well-formed input are used in security-sensitive operations (e.g., invoking system/library calls) and then focuses on modifying such bytes. Thus, generated inputs are more likely to trigger potential vulnerabilities. 3) TaintScope is fully automatic, from detecting checksums, through directed fuzzing, to repairing crashed samples. It can fix checksum values in generated inputs using combined concrete and symbolic execution techniques. We evaluate TaintScope on a number of large real-world applications. Experimental results show that TaintScope can accurately locate the checksum checks in programs and dramatically improve the effectiveness of fuzz testing. TaintScope has already found 27 previously unknown vulnerabilities in several widely used applications, including Adobe Acrobat, Google Picasa, Microsoft Paint, and ImageMagick. Most of these severe vulnerabilities have been confirmed by Secunia and oCERT, and assigned CVE identifiers (such as CVE-2009-1882, CVE-2009-2688). Corresponding patches from vendors are released or in progress based on our reports.

Yu Jiang - One of the best experts on this subject based on the ideXlab platform.

  • HDTest: Differential Fuzz Testing of Brain-Inspired Hyperdimensional Computing
    Design Automation Conference, 2021
    Co-Authors: Jianmin Guo, Yu Jiang, Xun Jiao
    Abstract:

    Brain-inspired hyperdimensional computing (HDC) is an emerging computational paradigm that mimics brain cognition and leverages hyperdimensional vectors with fully distributed holographic representation and (pseudo)randomness. Compared to other machine learning (ML) methods such as deep neural networks (DNNs), HDC offers several advantages including high energy efficiency, low latency, and one-shot learning, making it a promising alternative candidate for a wide range of applications. However, the reliability and robustness of HDC models have not been explored yet. In this paper, we design, implement, and evaluate HDTest to test HDC models by automatically exposing unexpected or incorrect behaviors under rare inputs. The core idea of HDTest is based on guided differential fuzz testing. Guided by the distance between the query hypervector and the reference hypervector in HDC, HDTest continuously mutates original inputs to generate new inputs that can trigger incorrect behaviors of the HDC model. Compared to traditional ML testing methods, HDTest does not need to manually label the original input. Using handwritten digit classification as an example, we show that HDTest can generate thousands of adversarial inputs with negligible perturbations that can successfully fool HDC models. On average, HDTest can generate around 400 adversarial inputs within one minute running on a commodity computer. Finally, by using the HDTest-generated inputs to retrain HDC models, we can strengthen the robustness of HDC models. To the best of our knowledge, this paper presents the first effort in systematically testing this emerging brain-inspired computational model.

  • IntelliGen: Automatic Driver Synthesis for Fuzz Testing
    International Conference on Software Engineering, 2021
    Co-Authors: Mingrui Zhang, Jianzhong Liu, Huafeng Zhang, Yu Jiang
    Abstract:

    Fuzzing is a technique widely used in vulnerability detection. The process usually involves writing effective fuzz driver programs, which, when done manually, can be extremely labor intensive. Previous attempts at automation leave much to be desired, in either degree of automation or quality of output. In this paper, we propose IntelliGen, a framework that constructs valid fuzz drivers automatically. First, IntelliGen determines a set of entry functions and evaluates their respective chance of exhibiting a vulnerability. Then, IntelliGen generates fuzz drivers for the entry functions through hierarchical parameter replacement and type inference. We implemented IntelliGen and evaluated its effectiveness on real-world programs selected from the Android Open-Source Project, Google's fuzzer test suite, and industrial collaborators. IntelliGen covered on average 1.08X-2.03X more basic blocks and 1.36X-2.06X more paths than the state-of-the-art fuzz driver synthesizers FUDGE and FuzzGen. IntelliGen performed on par with manually written drivers and found 10 more bugs.

  • Poster: Fuzz Testing of Quantum Program
    International Conference on Software Testing Verification and Validation, 2021
    Co-Authors: Jiyuan Wang, Yu Jiang
    Abstract:

    Nowadays, quantum programs are widely used and quickly developed. However, the absence of a testing methodology restricts their quality. Input formats and operators that differ from those of traditional programs make this issue hard to resolve. In this paper, we present QuanFuzz, a search-based test input generator for quantum programs. We define the quantum sensitive information to evaluate test inputs for quantum programs and use a matrix generator to generate test cases with higher coverage. Because of the impossibility of copying qubits, we record the operations which lead initial seeds to test inputs instead of recording the qubits themselves. First, we extract quantum sensitive information, measurement operations on those quantum registers and the sensitive branches associated with those measurement results, from the quantum source code. Then, we use the sensitive-information-guided algorithm to mutate the initial input matrix and select those matrices which improve the probability weight for a value of the quantum register to trigger the sensitive branch. We evaluated QuanFuzz on benchmarks and acquired 20% - 60% more coverage compared to traditional testing methods.

  • Polar: Function Code Aware Fuzz Testing of ICS Protocol
    ACM Transactions in Embedded Computing Systems, 2019
    Co-Authors: Zhengxiong Luo, Yu Jiang, Feilong Zuo, Jian Gao, Xun Jiao, Jiaguang Sun
    Abstract:

    Industrial Control System (ICS) protocols are widely used to build communications among system components. Compared with common internet protocols, ICS protocols have more control over remote devices by carrying a specific field called “function code”, which assigns what the receiving end should do. Therefore, it is of vital importance to ensure their correctness. However, traditional vulnerability detection techniques such as fuzz testing are challenged by the increasing complexity of these diverse ICS protocols. In this paper, we present a function code aware fuzzing framework — Polar, which automatically extracts semantic information from the ICS protocol and utilizes this information to accelerate security vulnerability detection. Based on static analysis and dynamic taint analysis, Polar initiates the values of the function code field and identifies some vulnerable operations. Then, novel semantic aware mutation and selection strategies are designed to optimize the fuzzing procedure. For evaluation, we implement Polar on top of two popular fuzzers — AFL and AFLFast, and conduct experiments on several widely used ICS protocols such as Modbus, IEC104, and IEC 61850. Results show that, compared with AFL and AFLFast, Polar achieves the same code coverage and bug detection numbers at 1.5X-12X the speed. It also gains 0%--91% more paths within 24 hours. Furthermore, Polar has exposed 10 previously unknown vulnerabilities in those protocols, 6 of which have been assigned unique CVE identifiers in the US National Vulnerability Database.

  • EVMFuzzer: Detect EVM Vulnerabilities via Fuzz Testing
    Foundations of Software Engineering, 2019
    Co-Authors: Meng Ren, Yu Jiang, Heyuan Shi, Xin Yang, Xiang Shi
    Abstract:

    The Ethereum Virtual Machine (EVM) is the run-time environment for smart contracts, and its vulnerabilities may lead to serious problems for the Ethereum ecosystem. With lots of techniques being continuously developed for the validation of smart contracts, the testing of the EVM remains challenging because of the special test input format and the absence of oracles. In this paper, we propose EVMFuzzer, the first tool that uses a differential fuzzing technique to detect vulnerabilities of the EVM. The core idea is to continuously generate seed contracts and feed them to the target EVM and the benchmark EVMs, so as to find as many inconsistencies among execution results as possible, and eventually discover vulnerabilities with output cross-referencing. Given a target EVM and its APIs, EVMFuzzer generates seed contracts via a set of predefined mutators, and then employs a dynamic priority scheduling algorithm to guide seed contract selection and maximize the inconsistency. Finally, EVMFuzzer leverages benchmark EVMs as cross-referencing oracles to avoid manual checking. With EVMFuzzer, we have found several previously unknown security bugs in four widely used EVMs, 5 of which have been assigned Common Vulnerabilities and Exposures (CVE) IDs in the U.S. National Vulnerability Database. The video is presented at https://youtu.be/9Lejgf2GSOk.

Chaojing Tang - One of the best experts on this subject based on the ideXlab platform.

  • FFuzz: Towards Full System High Coverage Fuzz Testing on Binary Executables
    PLOS ONE, 2018
    Co-Authors: Bin Zhang, Chao Feng, Chaojing Tang
    Abstract:

    Bugs and vulnerabilities in binary executables threaten cyber security. Current discovery methods, like fuzz testing, symbolic execution and manual analysis, each have advantages and disadvantages when exercising the deeper code area in binary executables to find more bugs. In this paper, we designed and implemented a hybrid automatic bug finding tool—FFuzz—on top of fuzz testing and selective symbolic execution. It targets full system software stack testing including both the user space and kernel space. Combining these two mainstream techniques enables us to achieve higher coverage and avoid getting stuck in both fuzz testing and symbolic execution. We also proposed two key optimizations to improve the efficiency of full system testing. We evaluated the efficiency and effectiveness of our method on real-world binary software and 844 memory corruption vulnerable programs in the Juliet test suite. The results show that FFuzz can discover software bugs in the full system software stack effectively and efficiently.

  • Discover Deeper Bugs with Dynamic Symbolic Execution and Coverage-Based Fuzz Testing
    IET Software, 2018
    Co-Authors: Bin Zhang, Chao Feng, Adrian Herrera, Vitaly Chipounov, George Candea, Chaojing Tang
    Abstract:

    Coverage-based fuzz testing and dynamic symbolic execution are both popular program testing techniques. However, on their own, both techniques suffer from scalability problems when considering the complexity of modern software. Hybrid testing methods attempt to mitigate these problems by leveraging dynamic symbolic execution to assist fuzz testing. Unfortunately, the efficiency of such methods is still limited by specific program structures and the schedule of seed files. In this study, the authors introduce a novel lazy symbolic pointer concretisation method and a symbolic loop bucket optimisation to mitigate path explosion caused by dynamic symbolic execution in hybrid testing. They also propose a distance-based seed selection method to rearrange the seed queue of the fuzzer engine in order to achieve higher coverage. They implemented a prototype and evaluated its ability to find vulnerabilities in software and cover new execution paths. They show on different benchmarks that it can find more crashes than other off-the-shelf vulnerability detection tools. They also show that the proposed method can discover 43% more unique paths than vanilla fuzz testing.

  • S2F: Discover Hard-to-Reach Vulnerabilities by Semi-Symbolic Fuzz Testing
    2017 13th International Conference on Computational Intelligence and Security (CIS), 2017
    Co-Authors: Bin Zhang, Jiaxi Ye, Chao Feng, Chaojing Tang
    Abstract:

    Fuzz testing is a popular program testing technique. However, it is difficult to find hard-to-reach vulnerabilities that are nested within complex branches. In this paper, we propose semi-symbolic fuzz testing to discover hard-to-reach vulnerabilities. Our method groups inputs into high frequency and low frequency ones. Then symbolic execution is utilized to solve only uncovered branches to mitigate the path explosion problem. Especially, in order to play to the advantages of fuzz testing, our method locates the critical branch for each low frequency input and corrects the generated test cases to conform to the branch condition. We also implemented a prototype, S2F, and the experimental results show that S2F can gain 17.70% coverage performance and discover more hard-to-reach vulnerabilities than other vulnerability detection tools for our benchmark.