ISP Crusher: a dynamic analysis toolset
ISP Crusher is a toolset that combines various dynamic analysis approaches. It includes ISP Fuzzer, a fuzzing tool, and Sydr, an automatic test generation tool for complex programs. Two other ISP RAS analyzers, BinSide and Casr, will be included in Crusher within the next two years. Crusher allows organizing a development process that is fully compliant with GOST R 56939-2016 and other regulatory requirements of FSTEC of Russia.
ISP Fuzzer, a testing tool
ISP Fuzzer is a fuzzing tool that is essential for any software development phase, be it coding, testing, or deployment. The fuzzer finds errors and backdoors in programs either with or without source code. It solves the same problems as its global competitors (Synopsys Codenomicon, beSTORM, Peach Fuzzer), but it is more convenient for Russian companies in the import substitution context.
ISP Fuzzer provides:
- Fuzzing various input data sources (files, command line arguments, standard input stream, environment variable arguments, network sockets);
- Adding custom mutational transformations (for new input data generation and increasing fuzzing efficiency);
- Input data pre- and post-processing plugins for performing data transformations before feeding the data to the software being analyzed;
- Multicore and distributed parallel analysis support;
- Custom network plugins support allowing to interact with a client or a server and to send mutated data;
- Integration with other ISP RAS security development lifecycle tools, such as:
- using Anxiety or Sydr dynamic symbolic execution analyzers for improving fuzzing efficiency;
- generating input data that triggers errors found by the BinSide static analysis tool;
- using Svace analyzer GUI to show a function call trace that resulted in a crash;
- using the ANTLR parser generator to create an input data corpora.
- Integration with the IDA PRO disassembler (exporting coverage data to the Lighthouse plugin for displaying covered basic blocks and showing the percentage of the coverage achieved);
- Client/server software analysis operating via stateless or stateful protocols;
- Running dynamic analyzers on generated input (Valgrind, DrMemory, QASan);
- Easy extension via adding new analysis algorithms to the existing infrastructure as well as fast adaptation to new fuzzing problems;
- Distributing input data between the fuzzer processes for more effective work;
- Estimating severity for the crashes found;
- Using the Radamsa fuzzer for new input data generation;
- Supporting various instrumentation tools such as DynamoRIO, QemuUserMode, GCC or LLVM static instrumentation, QemuSystemArm.
Sydr, a dynamic symbolic execution tool
Sydr is an automatic test generation tool for complex programs that finds errors and increases code coverage during testing. Sydr constructs the program’s mathematical model that allows a fuzzer to explore new execution paths that are hard to follow via genetic mutation approaches. The tool advances further the dynamic symbolic execution approach used earlier in Avalanche and Anxiety analyzers developed in ISP RAS. In contrast with similar open source tools, Sydr ensures the correctness of generated input data by checking whether the newly found execution path has the target conditional branches inverted.
- Given an execution path, Sydr inverts all conditional branches that depend on input data. It also supports parallel branches inversion;
- ISP Fuzzer integration to reach the code behind the branches depending on comparisons with constants;
- Reverse engineering automation such as assisting an expert in reaching a given program point or collecting a trace of instructions that depend on input data;
- Support for various input data sources (files, network sockets, environment variables, standard input stream, command line arguments);
- Security predicates that are used to find errors and to generate input data to reproduce them (for division by zero, null pointer dereference, out of bounds access, integer overflow);
- Symbolic execution of multithreaded programs;
- Indirect jumps inversion (in switch statements);
- Formula slicing. Sydr eliminates redundant formulas (not influencing the conditional branch being inverted) from the path predicate. This feature solves the problem of undertainting and speeds up SMT solver work for generated queries.
Who is ISP Crusher target audience?
- Companies developing highly reliable and secure software.
- Companies auditing or certifying software.
Linux and Windows OS family support. Crusher can also fuzz embedded devices (controllers, IoT devices) as well as Windows services and COM objects.
ISP Crusher deployment stories
ISP Crusher is used in more than 20 companies and certification labs, including RusBITech, Postgres Professional, Security Code, Swemel and others.