Memory corruption plagues systems since the dawn of computing. Despite the rise of strong mitigations, exploits are still prevalent. This situation calls for automatic software testing techniques that discover reachable vulnerabilities before any attacker. We will disuss types of bugs, where to find them, and how to prune them. Finding and fixing bugs is the only way to prohibit all exploitation vectors. We develop fuzzing techniques that follow an adversarial approach, focusing on the exposed attack surface and exploring potentially reachable vulnerabilities. In this talk, we will discuss two aspects of fuzzing hard to reach code: (i) learning how code is exposed to attacker-controlled input and (ii) testing drivers that interact with exposed peripherals. First, we assess the threat surface by characterizing the potential computational power that a vulnerability gives. In a multi-step process we follow the flow of information and synthesize complex fuzzing stubs to test specific code sequences. Second, by providing a custom-tailored emulation environment we create virtual mock devices that allow fuzzing the peripheral/driver interface. In these projects we develop new techniques to test different kinds of hard to reach code and exposed large amounts of vulnerabilities in Android and the Linux kernel.
Mathias Payer is a security researcher and assistant professor at EPFL, leading the HexHive group. His research focuses on protecting applications in the presence of vulnerabilities, with a focus on memory corruption and type violations. He is interested in software security, system security, binary exploitation, effective mitigations, fault isolation/privilege separation, strong sanitization, and software testing (fuzzing) using a combination of binary analysis and compiler-based techniques. Research in the HexHive group is generously supported by the ERC, SNSF, DARPA, ONR, AFOSR, or NSF, as well as several industry partners. Follow him on Twitter @gannimo. Details about his group are at https://hexhive.epfl.ch