SAFTE: A self-injection based anti-fuzzing technique

Abstract

Fuzzing refers to a collection of software testing methodologies that have been specifically developed to automatically detect implementation bugs, and is utilized by developers as a means of evaluating the security and stability of applications. Unfortunately, hacker can also exploit fuzzing techniques to crash bugs, and analyze zero-day vulnerabilities from it to carry out cyber attacks. As a result, researchers make use of anti-fuzzing technologies to slow down and frustrate these malicious aggressors. However, the main aim of these methods is to design a source-level defense strategy, which means this work requires not only the source codes but also considering the programming language. This restricts users from protecting the released binary executable they do not own from malicious analysis.In this paper, we perform a systematic analysis of software protection techniques and design a novel self-injection based anti-fuzzing techniques, called SAFTE. Different from the former research, SAFTE proposes a new way to hide the feedback or crash-related information by the means of dynamic loading and execution. First, a memory block is allocated, followed by the duplication of the image that is stored in the .data into the allocated local memory. Second, the memory is altered to enable execution permissions, thereby facilitating the execution of the image that is stored in the memory. As a consequence of this approach, let the operational and procedural status of the program is hidden, thereby precluding the fuzzer from obtaining accurate feedback or crash-related information. Therefore, it makes the fuzzer completely useless. Our evaluation on popular fuzzers demonstrates that SAFTE is capable of obviating the majority of extant fuzzers, and exhibits higher efficacy in comparison to the most advanced anti-fuzzing techniques presently available. Meanwhile, the size of the program is better than the other methods(size:18048KB,average run time per run:0.056ms), which was modified by SATFE only increases no more than 85% and the running time only increases 30%.