KAIST Graduate School of Information Security

2023.05.30(화) 정보보호대학원 2023년 봄학기 콜로퀴움 - 심우철
작성일2023-05-23
정보보호대학원에서는 5월 30일 오후 4시에 아래와 같이 콜로퀴움을 개최하고자 합니다. 많은 참석 부탁드립니다. o 일 시: 23. 05. 30(화) 16:00~ o 주 제: UTOPIA: Automatic Generation of Fuzz Driver using Unit Tests o 강 사: 심우철 (Samsung Research, 상무) o 장 소: 오프라인(N1동 102호) ※ 세미나 시작시간 5분전에 준비하여 주세요. ㅡㅡㅡ ♣ Title: UTOPIA: Automatic Generation of Fuzz Driver using Unit Tests ♣ Abstract Fuzzing is arguably the most practical approach for detecting security bugs in software, but a non-trivial extent of efforts is required for its adoption. To be effective, high-quality fuzz drivers should be first formulated with a proper sequence of APIs that can exhaustively explore the program states. To alleviate this burden, existing solutions attempt to generate fuzz drivers either by inferring the valid sequences of APIs from the consumer code (i.e., actual uses of APIs) or by directly extracting them from sample executions. Unfortunately, all existing approaches suffer from a common problem: the observed API sequences, either statically inferred or dynamically monitored, are intermingled with custom application logics. However, we observed that the unit tests are carefully crafted by the actual designer of the APIs to validate their proper usages, and importantly, it is a common practice to write the unit tests during their development (e.g., over 70％ of popular GitHub projects). In this paper, we propose, UTOPIA, an open-source tool and analysis algorithm that can automatically synthesize effective fuzz drivers from existing unit tests with near-zero human involvement. To demonstrate its effectiveness, we applied UTOPIA to 55 open-source project libraries, including Tizen and Node.js, and automatically generated 5K fuzz drivers from 8K eligible unit tests. In addition, we executed the generated fuzzers for approximately 5 million per-core hours and discovered 123 bugs. More importantly, 2.4K of the generated fuzz drivers were adopted to the continuous integration process of the Tizen project, indicating the quality of the synthesized fuzz driver. The proposed tool and results are publicly available and maintained for a broader adoption among both researchers and practitioners. ♣ Bio WooChul Shim is corporate VP at Samsung Research. He is head of Security Assurance Lab. His primary objective is to minimize vulnerabilities in Samsung products by implementing robust security governance frameworks encompassing policies, processes, and systems. Along with the penetration testing team and the automated vulnerability discovery research team, he has focused on developing automated methods to detect vulnerabilities within the Continuous Integration pipeline. For any inquiries or further information, please reach out to WooChul Shim at woochul.shim＠samsung.com.

2023.05.30(화) 정보보호대학원 2023년 봄학기 콜로퀴움 - 심우철

작성일2023-05-23

정보보호대학원에서는 5월 30일 오후 4시에 아래와 같이 콜로퀴움을 개최하고자 합니다. 많은 참석 부탁드립니다.

o 일 시: 23. 05. 30(화) 16:00~
o 주 제: UTOPIA: Automatic Generation of Fuzz Driver using Unit Tests
o 강 사: 심우철 (Samsung Research, 상무)
o 장 소: 오프라인(N1동 102호)

※ 세미나 시작시간 5분전에 준비하여 주세요.

ㅡㅡㅡ

♣ Title: UTOPIA: Automatic Generation of Fuzz Driver using Unit Tests

♣ Abstract
Fuzzing is arguably the most practical approach for detecting security bugs in software, but a non-trivial extent of efforts is required for its adoption. To be effective, high-quality fuzz drivers should be first formulated with a proper sequence of APIs that can exhaustively explore the program states. To alleviate this burden, existing solutions attempt to generate fuzz drivers either by inferring the valid sequences of APIs from the consumer code (i.e., actual uses of APIs) or by directly extracting them from sample executions. Unfortunately, all existing approaches suffer from a common problem: the observed API sequences, either statically inferred or dynamically monitored, are intermingled with custom application logics. However, we observed that the unit tests are carefully crafted by the actual designer of the APIs to validate their proper usages, and importantly, it is a common practice to write the unit tests during their development (e.g., over 70％ of popular GitHub projects). In this paper, we propose, UTOPIA, an open-source tool and analysis algorithm that can automatically synthesize effective fuzz drivers from existing unit tests with near-zero human involvement. To demonstrate its effectiveness, we applied UTOPIA to 55 open-source project libraries, including Tizen and Node.js, and automatically generated 5K fuzz drivers from 8K eligible unit tests. In addition, we executed the generated fuzzers for approximately 5 million per-core hours and discovered 123 bugs. More importantly, 2.4K of the generated fuzz drivers were adopted to the continuous integration process of the Tizen project, indicating the quality of the synthesized fuzz driver. The proposed tool and results are publicly available and maintained for a broader adoption among both researchers and practitioners.

♣ Bio
WooChul Shim is corporate VP at Samsung Research. He is head of Security Assurance Lab. His primary objective is to minimize vulnerabilities in Samsung products by implementing robust security governance frameworks encompassing policies, processes, and systems. Along with the penetration testing team and the automated vulnerability discovery research team, he has focused on developing automated methods to detect vulnerabilities within the Continuous Integration pipeline. For any inquiries or further information, please reach out to WooChul Shim at woochul.shim＠samsung.com.

목록으로