ANTIFUZZ: Impeding Fuzzing Audits of Binary Executables

Abstract

A ge­ne­ral de­fen­se stra­te­gy in com­pu­ter se­cu­ri­ty is to in­crea­se the cost of suc­cess­ful at­tacks in both com­pu­ta­tio­nal re­sour­ces as well as human time. In the area of bi­na­ry se­cu­ri­ty, this is com­mon­ly done by using ob­fu­s­ca­ti­on me­thods to hin­der re­ver­se en­gi­nee­ring and the se­arch for soft­ware vul­nerabi­li­ties. Howe­ver, re­cent trends in au­to­ma­ted bug fin­ding chan­ged the modus ope­ran­di. No­wa­days it is very com­mon for bugs to be found by va­rious fuz­zing tools. Due to ever-in­crea­sing amounts of au­to­ma­ti­on and re­se­arch on bet­ter fuz­zing stra­te­gies, lar­ge-sca­le, dragnet-style fuz­zing of many hund­reds of tar­gets be­co­mes via­ble. As we show, cur­rent ob­fu­s­ca­ti­on tech­ni­ques are aimed at in­crea­sing the cost of human un­der­stan­ding and do litt­le to slow down fuz­zing.

In this paper, we in­tro­du­ce se­ver­al tech­ni­ques to pro­tect a bi­na­ry exe­cu­ta­ble against an ana­ly­sis with au­to­ma­ted bug fin­ding ap­proa­ches that are based on fuz­zing, sym­bo­lic/con­co­lic exe­cu­ti­on, and taint-as­sis­ted fuz­zing (com­mon­ly known as hy­brid fuz­zing). More spe­ci­fi­cal­ly, we per­form a sys­te­ma­tic ana­ly­sis of the fun­da­men­tal as­sump­ti­ons of bug fin­ding tools and de­ve­lop ge­ne­ral coun­ter­me­a­su­res for each as­sump­ti­on. Note that these tech­ni­ques are not de­si­gned to tar­get spe­ci­fic im­ple­men­ta­ti­ons of fuz­zing tools, but ad­dress ge­ne­ral as­sump­ti­ons that bug fin­ding tools ne­ces­sa­ri­ly de­pend on. Our eva­lua­ti­on de­mons­tra­tes that these tech­ni­ques ef­fec­tive­ly im­pe­de fuz­zing au­dits, while in­tro­du­cing a ne­gli­gi­b­le per­for­mance over­head. Just as ob­fu­s­ca­ti­on tech­ni­ques in­crea­se the amount of human labor nee­ded to find a vul­nerabi­li­ty, our tech­ni­ques ren­der au­to­ma­ted fuz­zing-ba­sed ap­proa­ches fu­ti­le.