![Sources - Fuzzing
4 years of research on black box security analysis and exploitation
"Clusterfuzz - Chrome's Fuzzing Infrastructure." Clusterfuzz - Chrome's
Fuzzing Infrastructure. Google. Web. 31 Mar. 2015.
Valotta, Rosario. "Taking Browsers Fuzzing To The Next "DOM" Level."
DeepSec. DeepSec, 1 Jan. 2012. Web. 31 Mar. 2015.
Kerrisk, Michael. "LCA: The Trinity Fuzz Tester." [LWN.net]. LWN, 6 Feb.
2013. Web. 31 Mar. 2015.
Godefroid, Patrice. "Random Fuzzing for Security: Blackbox vs
Whitebox Fuzzing." ACM. ACM, 1 Jan. 2007. Web. 31 Mar. 2015.
"NetBSD Toaster with the TS-7200 ARM9 SBC." NetBSD Toaster with the
TS-7200 ARM9 SBC. Technologic Systems. Web. 31 Mar. 2015.
The Computer toaster is real!](https://image.slidesharecdn.com/montecarlomethodsingraphicsandhacking-150413140349-conversion-gate01/85/Monte-carlo-methods-in-graphics-and-hacking-19-320.jpg)
Monte carlo methods in graphics and hacking
- 1. Monte Carlo Methods in Graphics and Hacking HIMANSHU GOEL HIMANSHU.GOEL@STONYBROOK.EDU
- 2. Computer Graphics GLOBAL ILLUMINATION AND THE RENDERING EQUATION
- 3. But first, lets see some images CAN YOU TELL THE DIFFERENCE?
- 5. Original from CCD Photometric Camera Rendered Image - Path Tracing
- 6. What’s Path Tracing? Need to understand two important terms first: Global Illumination The Rendering Equation Light can roughly be described as having two components: Diffuse Lighting – Light hits a surface and scatters in various directions Specular Lighting – Bounces almost directly back However, light bounces around a lot, often off of multiple surfaces before entering our retina. This creates a sort of ambient lighting, this is called Global Illumination in the graphics industry.
- 7. The Rendering Equation By James Kajiya Describes every possible light-surface interaction (simplified version): 𝐿 𝑜 𝑝, 𝜔 𝑜 = Ω 𝑓𝑟 𝑝, 𝜔𝑖, 𝜔 𝑜 ∗ 𝐿𝑖 𝑝, 𝜔𝑖 𝑛 ∙ 𝜔𝑖 𝑑𝜔𝑖 𝐿 𝑂 is a function which defines the amount of energy emitted by the surface (outgoing radiance) 𝐿𝑖 represents the energy received by the surface (incoming radiance) 𝑓𝑟 here represents the Bi-directional Reflection Distribution Function (BRDF) Every light surface interaction is the sum of all the energy received over all the points on its surface Why Monte Carlo methods? 𝐿𝑖 depends on the 𝐿 𝑜 of all other surfaces – Recursive integral – cannot be solved analytically
- 8. The Rendering Equation By James Kajiya 𝐿 𝑜 𝑝, 𝜔 𝑜 = Ω 𝑓𝑟 𝑝, 𝜔𝑖, 𝜔 𝑜 ∗ 𝐿𝑖 𝑝, 𝜔𝑖 𝑛 ∙ 𝜔𝑖 𝑑𝜔𝑖 Integral of the incoming radiant energy from all directions (thus a sphere) at a point. 𝜙 represents the radiant flux – The total energy emitted by a light source – in more technical terms, the area under the spectral distribution 𝐿(𝑝, 𝜔) is also called the radiance or the radiant flux per unit area 𝑛 ∙ 𝜔𝑖 is the dot product and is used to account for the angle at which the energy strikes the surface
- 9. Introducing Path Tracing and Ray Tracing Models the physical interaction of light in the real world. Ray tracing – A ray of ‘light’ is emitted straight from the camera(for speed reasons) Ray is traversed across the ‘scene’ until it intersects an object The BRDF is evaluated to determine the color and direction of the ray The ray is bounced off of the object Repeat until a number of bounces have happened or the ray intersects a light source, set final ray color as the color of the pixel if it intersects a light source, else set it to black
- 10. Introducing Path Tracing and Ray Tracing Path Tracing- Improvement over ray tracing Uses Monte Carlo techniques to evaluate the full rendering equation At every intersection, multiple rays are emitted in all directions All are traversed through the scene. All rays but one are randomly killed “Russian Roulette” Repeated multiple times per pixel color values are averaged Similar to performing a random tree search
- 11. Path Tracing Speed – Horrible performance, can take hours for extremely simple images on a modern computer However, ‘embarrassingly parallel’ – multiple rays can be traversed at the same time independently of each other. Enter the GPU – Graphics Processing Unit, a highly parallel stream vector processing unit – basically a personal supercomputer. Modern GPUs can run thousands of threads in parallel, achieving numbers in the millions of rays per second on ray tracing. Path tracing is only recently becoming feasible in real time with new hardware and branching improvements.
- 12. Realtime Path Tracing Demo Video – Brigade Renderer: https://www.youtube.com/watch?v=BpT6MkCeP7Y Real time (60 frames per second) path tracing at 720p: GPU = 2 NVIDIA GTX Titans Was the most powerful GPU at the time the video was made However, simple renders can be done in real time on a modern mid range GPU Path tracer rendering the Cornell Box in real time on an AMD Radeon 275X in a custom rendering framework
- 13. System security analysis THE ART OF FUZZING AND THE CUTTING EDGE APPLICATION OF MONTE CARLO METHODS
- 14. Fuzzing – What is it? The art of finding serious security flaws in software without human intervention More like without human interference Naïve technique – generate random input and try to crash the program being fuzzed Very slow
- 15. Fuzzing – What is it? Bleeding Edge Technique – A combination of symbolic analysis, genetic algorithms and Monte Carlo methods Symbolic analysis – essentially determining the flow of a program by assigning symbols to parts in order to produce a graph of the possible branches the program can make Genetic algorithms are used to mutate the sample data Monte Carlo Tree Search like methods are used to determine vulnerable routes given the success rates from the genetic algorithm The success condition in this case is to crash the application The advantage of MCTS lies in that it acts like a black box and does not require any information besides the conditions for success and the rules Ideal for fuzzing, where the fuzzing target is also like a black box.
- 16. Fuzzing – What is it? The Monte Carlo fuzzing algorithm significantly increases fuzzing speed Regular fuzzing is now common place in all high security applications The WebKit Browser Engine Is present on every device that can show web pages Android, iOS, Chrome, Safari Security is critical – One serious vulnerability can compromise billions of devices The Linux Kernel/BSD/Anything that’s Unix based Present on virtually everything that doesn’t run Windows Android, iOS, OSX, Linux distros, Routers, Cars, Video game consoles, DVD players, TVs, Servers, even Toasters! The list is growing every day A serious vulnerability is even more dangerous
- 17. Informational Entropy How secure is secure? Monte Carlo methods rely on random sampling More accurate as more uniform randomness Entropy – Measure of much information something contains Encryption – Disguising information so it appears random Strength of a cryptosystem measured by the ratio between the entropy of the plaintext and the entropy of the ciphertext Perform Monte Carlo integration with data to be examined as random variable and compare to known value of the intergral Demo
- 18. Sources – Computer Graphics 2 years of real time interactive graphics research and photorealistic game engine development Alamia, Marco. "Article - Physically Based Rendering." Coding Labs. Coding Labs. Web. 31 Mar. 2015. Kajiya, James. "The Rendering Equation." The Rendering Equation. SIGGRAPH Proceeding 1986, 18 Aug. 1986. Web. 31 Mar. 2015. The defining paper of computer graphics "The Cornell Box." The Cornell Box. Cornell University Program of Computer Graphics, 2 Jan. 1998. Web. 31 Mar. 2015.
- 19. Sources - Fuzzing 4 years of research on black box security analysis and exploitation "Clusterfuzz - Chrome's Fuzzing Infrastructure." Clusterfuzz - Chrome's Fuzzing Infrastructure. Google. Web. 31 Mar. 2015. Valotta, Rosario. "Taking Browsers Fuzzing To The Next "DOM" Level." DeepSec. DeepSec, 1 Jan. 2012. Web. 31 Mar. 2015. Kerrisk, Michael. "LCA: The Trinity Fuzz Tester." [LWN.net]. LWN, 6 Feb. 2013. Web. 31 Mar. 2015. Godefroid, Patrice. "Random Fuzzing for Security: Blackbox vs Whitebox Fuzzing." ACM. ACM, 1 Jan. 2007. Web. 31 Mar. 2015. "NetBSD Toaster with the TS-7200 ARM9 SBC." NetBSD Toaster with the TS-7200 ARM9 SBC. Technologic Systems. Web. 31 Mar. 2015. The Computer toaster is real!
- 20. Sources - Fuzzing Spinellis, Diomidis, Vassilios Karakoidas, and Panagiotis Louridas. "Comparative Language Fuzz Testing Programming Languages vs. Fat Fingers." Comparative Language Fuzz Testing. ACM, 1 Oct. 2012. Web. 31 Mar. 2015. Walker, John. "Pseudorandom Number Sequence Test Program." Pseudorandom Number Sequence Test Program. Fourmilab, 28 Jan. 2008. Web. 05 Apr. 2015.
- 21. The End QUESTIONS? http://git.io/hgoel Himanshu.goel@stonybrook.edu Check out my work at http://git.io/hgoel