Bindle: Automatic Harness Generation
ABSTRACT
We present work done at GrammaTech to automatically generate a harness for an arbitrary piece of software for use in fuzz testing ("fuzzing"). Fuzzing is a popular vulnerability discovery technique which has seen increasing adoption within the cybersecurity industry over the past two decades. Fuzzers commonly produce a single large "blob" of input which is passed to the target software. Because most software does not operate on a single input source, a harness is needed to translate the input corpus in a meaningful way and transmit it to the target. This could be something as simple as redirecting the input to a single TCP socket, or something as complicated as de-multiplexing the corpus into thousands of individual UDP packets, command line arguments, and hardware device accesses.
Bindle is a technology developed by GrammaTech allowing rapid, automatic creation of harnesses. By observing the execution of a piece of software, Bindle identifies input sources and the data arriving on each input channel. This observation is done at the library and system call levels. The comprehensive input data of the target software is then analyzed, and the user is presented with choices about which inputs are "of interest"; the so-designated input sources are ultimately exposed via the harness to the fuzzer for mutation. Finally, Bindle generates a harness application which de-multiplexes a single blob of input in a way that matches both the software's expectations and the user's chosen preferences. Bindle also generates seed inputs from the recorded data for use in fuzzing.
To our knowledge, this is a unique approach. This technique is highly relevant for testing and security of cyber physical systems. Recording hardware inputs allows fuzzing of hardware input to firmware, even with multiple hardware devices. Syntactically and semantically valid seed inputs are also made from the recordings.
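To make the two mechanisms described above concrete (a harness that de-multiplexes one fuzzer blob into several input channels, and seed blobs built from recorded per-channel data), here is a small added example. It is not Bindle's code and not GrammaTech's format: the channel numbering, the record framing and the stand-in delivery function are this example's own assumptions.

```python
import struct
from collections import defaultdict

# Hypothetical channel ids for the kinds of input sources the abstract names.
# The numbering and the (id, length, payload) framing are this example's design.
CHANNELS = {1: "argv", 2: "udp", 3: "sensor"}
HEADER = struct.Struct("<BH")  # channel id (u8), payload length (u16)

def encode_seed(recording):
    """Build one fuzz blob from recorded (channel, payload) pairs, turning
    an observed run of the target into a syntactically valid seed input."""
    out = bytearray()
    for chan, payload in recording:
        out += HEADER.pack(chan, len(payload)) + payload
    return bytes(out)

def demux(blob):
    """Split a (possibly mutated) blob back into per-channel payloads.
    The fuzzer will hand the harness truncated or garbage headers; the
    harness must stop at the first malformed record rather than crash,
    so that every crash the fuzzer observes belongs to the target."""
    channels = defaultdict(list)
    pos = 0
    while pos + HEADER.size <= len(blob):
        chan, length = HEADER.unpack_from(blob, pos)
        pos += HEADER.size
        if chan not in CHANNELS or pos + length > len(blob):
            break  # unknown channel or payload runs past the blob: ignore the rest
        channels[CHANNELS[chan]].append(blob[pos:pos + length])
        pos += length
    return dict(channels)

def run_target(channels):
    """Stand-in for delivering each channel to the target (argv, a UDP
    socket, sensor reads). Here it only reports how many records each
    channel would receive."""
    return {name: len(payloads) for name, payloads in channels.items()}

if __name__ == "__main__":
    # Constructed recording: one argv string, two UDP datagrams, one sensor read.
    recorded = [(1, b"--mode=auto"), (2, b"\x01\x02"), (3, b"\xff\x00"), (2, b"\x03")]
    blob = encode_seed(recorded)
    print(run_target(demux(blob)))          # {'argv': 1, 'udp': 2, 'sensor': 1}
    print(run_target(demux(blob[:-1])))     # truncated last record is dropped
```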
Rapid development means more efficient use of analyst time. Harnesses are created in minutes, rather than written by hand over days or weeks. Junior analysts lacking experience in reverse engineering can now create harnesses independently without having to wait for a senior analyst. Additionally, shorter harness creation time means more time for fuzzing and therefore improved results.
We will discuss a practical example of how Bindle-enabled software-in-the-loop (SIL) testing of firmware could have revealed a flaw in an unmanned aerial vehicle which resulted in a high-profile compromise and theft by an adversary in 2011. The exploit is believed to be a combination of malicious payloads across multiple sensors, where no single payload by itself would have resulted in a compromise. Only when the system is analyzed as a whole is the flaw revealed.
Our presentation is a relevant technical talk for HCSS in that it describes innovation on multiple emerging techniques for assessment of cyber physical systems and how harnessing can allow discovery of difficult-to-predict conditions for exploitation.
BIO
Bill Bierman has been a software engineer and program manager in the cyber security and defense industry for more than a decade. Bill has multiple degrees in Computer Science and Mathematics. For the past eight years, Bill has been with GrammaTech as an engineer of innovative dynamic software analysis tools. These tools cover fuzzing, symbolic execution, binary rewriting, memory safety validation, and the emergent properties inherent to their cooperation. A priority of Bill's work has been to guide cyber security tooling towards accessibility, reducing the threshold of expertise required to conduct meaningful analyses.