Amazon Web Services Open Sources a KVM-Based Fuzzing Framework
Amazon Web Services has released an open source framework for running fuzzing tests against software applications, in which the state of the application is caught within a virtual machine for easier inspection and remediation.
Fuzzing is a security mechanism and programming technique that pummels a program with a wide range of random input in order to see if the program misbehaves or otherwise crashes, which is good for security and regression testing.
Released as open source this week, Snapchange is a fuzzing framework written in Rust. It provides a library of utilities for running the fuzzing process and can be controlled by the command line.
This fuzzer is unique in that it can replay physical memory snapshots in a KVM virtual machine, thus reducing labor and supporting introspection. This approach has been of growing interest to security researchers, according to the company.
A snapshot is the pairing of a physical memory dump and a register state. Fuzzing with a snapshot allows for granular execution in order to reach code blocks that are traditionally difficult to fuzz without the complexities of managing state within the target, said AWS Security Engineer Cory Duplantis, in an interview with The New Stack.
In a demonstration for TNS, Duplantis ran a fuzz test against LibTIFF, an open source library for creating TIFF files.
The idea is to feed the program random and purposefully mutated data in order to understand where problems may occur, with special attention to those edge cases. Each application instance is given a mutated TIFF file to run multiple times in isolated KVMs, which the memory of each instance, along with the register state for that machine, is captured. Snapchange provides metrics such as the number of executions, the time-per-execution, and the number of software crashes it has caused.
Such gives the developer or security professional useful information, such as where a bug may be, Duplantis said. Developers can rewrite memory chunks to test software. They can access the register state, and add hooks to functions.
Snapchange is run from the command line and offers many configuration settings, such as the number of cores that can be used to run the program. The program can be run across multiple cores, with each core running a separate copy of the application separately. The software then can aggregate the results. The software captures which portions of the code are executed during the runtime.
“If we find anything new, we keep that input for future cases,” Duplantis said. Those will be reused for future tests, with the idea to find as many paths through the target application as possible.
The KVM Advantage
The KVM is advantageous in that it brings a “pseudo-determinism,” in which the developer knows what the memory range is for a given execution, and so can test changes, Duplantis explained. “This could be really useful for something like a race condition bug, where you might not be able to reproduce it in the real world as easily, but if you can reproduce it in the snapshot, it makes it easier to triage.”
Snapchange is already used in-house at AWS. The company’s find-and-fix debugging team, of which Duplantis is part, uses the software for internal application, and they are introducing the software to develop other teams within AWS.
Open Source
AWS created the tool because there were no KVM-based equivalents. The closest was What the Fuzz, though that library focuses on Windows, whereas SnapChange works in Linux environments.
AWS debuted the tool at the Linux Foundation’s Open Source Summit, being held this week in Vancouver. At the show, the cloud services giant also released Cedar, an open source language and software development kit (SDK) for writing and enforcing authorization policies for AWS applications.
