Fuzzing Processor

Fuzzing Processor: Performing Security Auditing In Hardware. Tony Fynn, Dustin Locke. Overview: what is fuzzing, project goals, architecture details, optimizations, performance, conclusion. What is fuzzing? Sending semi-random data to an application to try and make it misbehave.

Presentation Transcript


  1. Fuzzing Processor: Performing Security Auditing In Hardware
     Tony Fynn, Dustin Locke

  2. Overview
     • What is fuzzing?
     • Project goals
     • Architecture details
     • Optimizations
     • Performance
     • Conclusion

  3. What is Fuzzing?
     • Sending semi-random data to an application to try and make it misbehave
     • Used to detect vulnerabilities

  4. Types of Fuzzing
     • Dumb fuzzing: naively fuzzes all data
     • Intelligent fuzzing: selectively fuzzes certain fields
     [Figure: TCP packet layout showing source port, destination port, sequence number, acknowledgment number, hdr length, reserved/flags, window size, checksum, urgent pointer, options, data]

  5. Goals
     • Ability to fuzz multiple types of data (robust)
     • Intelligent fuzzing
       • Using structural knowledge to our advantage
     • High-speed
       • The goal would be to have a network protocol fuzzer that accepts packets on one side, mangles them, and sends them on their way through the other side
       • For our purposes, we perform the fuzzing operation on data from input files

  6. Architecture
     • Register File – 256-bit registers, 32-bit mask
     • New Instructions – fzlw, fzsw, fuzz, mskh, mskl
     • Fuzzing Unit
     • 256-bit SRAM
     [Block diagram: PC, IMEM, general registers, ALU, data memory, 256-bit fuzzing registers with 32-bit mask, fuzzing unit, fuzzer SRAM (256-bit data, addr, wr_en), MUXes]

  7. Fuzzing Unit
     • Takes as input a data word and a mask specifying which bytes are “fuzzable” in the data word
     • Generates a random number and XORs fuzzable data bytes with corresponding random number bytes
     [Figure: example bit patterns 11010110, 00001111, 00000110, 11010000, 11010110]

  8. Register File
     • 256 bit word length
     • Parallel 32-bit data/mask registers
     • Read operation puts data word as well as its corresponding mask on the data output lines
     [Figure: register file layout, Register 1 / Mask 1 through Register 8 / Mask 8]

  9. Optimizations
     • Mask in register file is per-byte, not per-bit
       • Each bit masks an entire byte in the data word
     • 256-bit random number generated from 32 parallel 8-bit random numbers
       • Prevents an expensive 256-bit multiply
       • Drastically reduces gate delay of fuzzer

  10. Data Throughput
     • Fuzzing unit has maximum gate delay of 21 ns
     • Translates to maximum clock speed of about 48 MHz
     • Effectively fuzz 256 bits of data in 5 clock cycles (for large amounts of data and a full pipeline)
     • Resulting maximum throughput is ~2.5 Gbps for dedicated application
     • Able to keep up with line speed of OC-48 fiber line (~2.5 Gbps)

  11. Conclusion/Summary
     • Able to fuzz multiple types of data?
       • Yes
     • Able to perform intelligent fuzzing?
       • Use of data mask allows selective fuzzing
     • High speed?
       • Able to keep up with OC-48
     • It is entirely possible to perform intelligent, reconfigurable fuzzing in hardware at high speeds

  12. Questions
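
A software model of the fuzzing unit from slides 7 and 9, applied to the TCP layout of slide 4; it is an added example, not code or hardware from the presentation. Assumptions: each byte lane uses an 8-bit Galois LFSR (the slides do not name the generator), mask bit i selects byte i, and the packet bytes, mask value and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WORD_BYTES 32         /* one 256-bit fuzzing register */
#define TCP_MASK 0xFFF0C0F0u  /* seq number (4-7), window (14-15), data (20-31) */

static uint8_t lanes[WORD_BYTES];  /* assumed RNG: one 8-bit LFSR per byte lane */
uint8_t fuzzed[WORD_BYTES];        /* result of the most recent fuzz_sample() */

/* Constructed sample: 20-byte TCP header followed by 12 data bytes. */
static const uint8_t SAMPLE[WORD_BYTES] = {
    0xC0,0x01, 0x00,0x50, 0x00,0x00,0x10,0x00, 0x00,0x00,0x20,0x00,
    0x50,0x18, 0x20,0x00, 0xAB,0xCD, 0x00,0x00,
    'G','E','T',' ','/',' ','H','T','T','P','\r','\n' };

void rng_seed(uint32_t seed) {
    for (int i = 0; i < WORD_BYTES; i++) {
        seed = seed * 1664525u + 1013904223u;       /* spread seed over lanes */
        lanes[i] = (uint8_t)((seed >> 24) | 1u);    /* LFSR state must be nonzero */
    }
}

/* One fuzz step: every lane advances; mask bit i set => byte i ^= lane i. */
void fuzz_word(uint8_t *word, uint32_t mask) {
    for (int i = 0; i < WORD_BYTES; i++) {
        uint8_t s = lanes[i];
        lanes[i] = s = (uint8_t)((s >> 1) ^ ((s & 1) ? 0xB8 : 0));  /* taps 0xB8 */
        if (mask & (UINT32_C(1) << i)) word[i] ^= s;
    }
}

/* Fuzz SAMPLE under `mask`; count changed bytes among those in `select`. */
int fuzz_sample(uint32_t mask, uint32_t select) {
    int changed = 0;
    rng_seed(0x1234u);
    memcpy(fuzzed, SAMPLE, WORD_BYTES);
    fuzz_word(fuzzed, mask);
    for (int i = 0; i < WORD_BYTES; i++)
        if ((select & (UINT32_C(1) << i)) && fuzzed[i] != SAMPLE[i]) changed++;
    return changed;
}

int main(void) {
    int hit = fuzz_sample(TCP_MASK, TCP_MASK);
    for (int i = 0; i < WORD_BYTES; i++)
        printf("%02x%c", fuzzed[i], (i % 16 == 15) ? '\n' : ' ');
    printf("fuzzable bytes changed: %d\n", hit);
    return 0;
}
```

Because a nonzero LFSR state never steps to zero, every masked byte changes, while ports, header length, flags and checksum pass through untouched; a mask of all ones reproduces the dumb-fuzzing case.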
