Fuzzing and Patch Analysis: SAGEly Advice presented at Shakacon 2014

by Richard Johnson

Summary: Last year, in “Taint Nobody Got Time for Crash Analysis,” we presented implementations of analyses performed on taint traces, including a tool to help determine which input leads to a crash and an exploitability evaluation tool based on symbolic execution. This year we expand on these topics with a study of our efforts to improve the effectiveness of binary differential analysis (bindiff) and to replicate Microsoft Research’s work on the “Scalable, Automated, Guided Execution” (SAGE) fuzzer. The talk opens with a short review of the topics covered last year: taint propagation design considerations, graph slicing algorithms, and an overview of symbolic execution. Once the audience has had a quick primer on the relevant concepts, we move on to the challenges that remain when determining root cause from differential analysis of patches. This segment covers a set of internally developed heuristics as well as the application of symbolic execution to equivalence testing of patch sets. This leads into our final topic, the design and implementation of our internal SAGE prototype. We have found bugs and proven that the concept works, and we discuss the real-world difficulties of replicating one of the most advanced approaches to vulnerability discovery.