How do you fix 80 security issues, crashes and exceptions in Flash in one go? With 20 terabytes of SWF, 10 days on 2,000 CPU cores, and a lot of fuzz.
This is the technique that Google used to help Adobe identify security flaws and crash scenarios in its browser plugin that now ships with Chrome.
Fuzzing is a debugging and crash testing technique that feeds a large number of different inputs to a program to try to find issues wherever they may arise in the code base. And because you know the inputs, the tests are repeatable and the issues are therefore much more easily reproduced and fixed. It is this technique that the Google Online Security team have used previously to identify and fix problems in Chrome, WebKit, Chrome’s PDF viewer and more.
Now, according to a post on their blog, the Online Security team have also applied this technique to the Flash component that ships with Chrome in order to reduce crashes and fix potential security issues.
Their primary technique in this process was called “corpus distillation” – whereby you gather a large number of inputs for the program (in this case, SWF files for the Flash player) and reduce them to the fewest inputs that maximise the number of code paths executed. “We cranked through 20 terabytes of SWF file downloads followed by 1 week of run time on 2,000 CPU cores to calculate the minimal set of about 20,000 files” writes the team. “Those same 2,000 cores plus 3 more weeks of runtime were put to good work mutating the files in the minimal set (bitflipping, etc.) and generating crash cases.”
“These crash cases included an interesting range of vulnerability categories, including buffer overflows, integer overflows, use-after-frees and object type confusions.”
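The two steps the team describes, distilling a corpus down to the files that together reach the most code paths and then mutating those files by bit-flipping, are easy to see in miniature. The following Python is an added illustration and is not Google's or Adobe's tooling; it assumes coverage has already been collected per file (here a constructed table mapping six hypothetical SWF names to small sets of path IDs) and uses a greedy set-cover pass, which is the standard approximation for this kind of minimisation. The mutator takes an explicit seed so that any crash it produces can be regenerated from the source file, the flip count and the seed, which is what makes a fuzzing crash reproducible.

```python
import random
from typing import Dict, FrozenSet, List, Set

# Constructed sample data (not from the article): each key stands for one
# downloaded SWF file, the value is the set of code-path IDs (for example
# basic-block or edge identifiers from an instrumented build of the player)
# that the file exercised. Real corpora hold millions of files.
SAMPLE_COVERAGE: Dict[str, FrozenSet[int]] = {
    "a.swf": frozenset({1, 2, 3}),
    "b.swf": frozenset({2, 3}),
    "c.swf": frozenset({4, 5}),
    "d.swf": frozenset({1, 2, 3, 4}),
    "e.swf": frozenset({5, 6}),
    "f.swf": frozenset({6}),
}


def distill(coverage: Dict[str, FrozenSet[int]]) -> List[str]:
    """Greedy set-cover approximation of corpus distillation.

    Repeatedly pick the file that adds the most not-yet-covered code paths
    until every path reached by the full corpus is covered by the chosen
    subset. Files are visited in sorted name order so ties resolve the same
    way on every run, keeping the minimal set reproducible.
    """
    remaining: Set[int] = set().union(*coverage.values())
    chosen: List[str] = []
    names = sorted(coverage)
    while remaining:
        best = max(names, key=lambda f: len(coverage[f] & remaining))
        gain = coverage[best] & remaining
        if not gain:  # defensive: cannot happen while remaining is non-empty
            break
        chosen.append(best)
        remaining -= gain
    return chosen


def covered_paths(coverage: Dict[str, FrozenSet[int]], files: List[str]) -> Set[int]:
    """Union of the code paths reached by the given subset of files."""
    return set().union(*(coverage[f] for f in files)) if files else set()


def bitflip(data: bytes, n_flips: int, seed: int) -> bytes:
    """Flip n_flips randomly chosen bits of data.

    The RNG is seeded explicitly so a mutant that crashes the target can be
    regenerated from (source file, n_flips, seed) alone instead of being a
    one-off that nobody can triage.
    """
    if not data:
        return data
    rng = random.Random(seed)
    buf = bytearray(data)
    for _ in range(n_flips):
        bit = rng.randrange(len(buf) * 8)
        buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def differing_bits(a: bytes, b: bytes) -> int:
    """Count bit positions where two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    minimal = distill(SAMPLE_COVERAGE)
    print("minimal set:", minimal)
    print("paths covered:", sorted(covered_paths(SAMPLE_COVERAGE, minimal)))
    # Constructed seed input: "FWS" is the uncompressed SWF signature, the
    # rest is padding standing in for real file content.
    seed_file = b"FWS" + bytes(29)
    mutant = bitflip(seed_file, n_flips=3, seed=42)
    print("mutant differs from seed in", differing_bits(seed_file, mutant), "bit(s)")
```

On the sample table the greedy pass keeps only two of the six files, because between them they reach every path the whole corpus does; at the scale in the article the same idea is what turns 20 terabytes of downloads into roughly 20,000 files worth mutating. Bit-flipping is only one mutation strategy, but its value in this workflow is that each crashing case is a (file, seed) pair the vendor can replay under a debugger with symbols.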
Once Google had compiled a set of issues and the set of documents that caused them, Adobe (with access to the Flash symbols and source code) was able to triage the 400 unique crashes into around 100 individual bugs, which resulted in 80 code fixes that were deployed with the Flash player in Chrome earlier this week.
“Fixing so many issues in such a short time frame shows a real commitment to security from Adobe, for which we are grateful”, concludes the Google team.