May the Fuzz be with you
This is a modal window.
Das Video konnte nicht geladen werden, da entweder ein Server- oder Netzwerkfehler auftrat oder das Format nicht unterstützt wird.
Formale Metadaten
| Titel |
| |
| Serientitel | ||
| Anzahl der Teile | 132 | |
| Autor | ||
| Lizenz | CC-Namensnennung - keine kommerzielle Nutzung - Weitergabe unter gleichen Bedingungen 3.0 Unported: Sie dürfen das Werk bzw. den Inhalt zu jedem legalen und nicht-kommerziellen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen und das Werk bzw. diesen Inhalt auch in veränderter Form nur unter den Bedingungen dieser Lizenz weitergeben | |
| Identifikatoren | 10.5446/44947 (DOI) | |
| Herausgeber | ||
| Erscheinungsjahr | ||
| Sprache |
Inhaltliche Metadaten
| Fachgebiet | ||
| Genre | ||
| Abstract |
|
EuroPython 201858 / 132
2
3
7
8
10
14
15
19
22
27
29
30
31
34
35
41
44
54
55
56
58
59
61
66
74
77
78
80
81
85
87
91
93
96
98
103
104
105
109
110
111
113
115
116
118
120
121
122
123
125
127
128
129
130
131
132
00:00
AnalogieschlussFuzzy-MengeDatenstrukturEin-AusgabeVerknüpfungsgliedInstantiierungGenerator <Informatik>Physikalisches SystemBildgebendes VerfahrenZeiger <Informatik>MultiplikationsoperatorNeuronales NetzRandomisierungSoftwareschwachstelleSoftwarePufferüberlaufsinc-FunktionAusnahmebehandlungIntelligentes NetzElektronische PublikationPatch <Software>ComputersicherheitProgrammfehlerWort <Informatik>CASE <Informatik>SignifikanztestPunktReelle ZahlVirtuelle MaschinePortal <Internet>Statistischer TestFuzzy-LogikKategorie <Mathematik>BetafunktionObjekt <Kategorie>ResamplingFuzzy-MengeClientDatenverarbeitungssystemResultanteProgrammComputerspielSchnittmengeDreiecksfreier GraphSystemzusammenbruchExpertensystemGradientBitCybersexGüte der AnpassungPuffer <Netzplantechnik>Computeranimation
06:08
Fuzzy-MengeZellularer AutomatTypentheorieSoftwareFuzzy-LogikEin-AusgabeSignifikanztestPlastikkarteDateiformatCASE <Informatik>Statistischer TestRechnernetzVerknüpfungsgliedDatennetzRekursives neuronales NetzInformationDifferenzengleichungShape <Informatik>ComputersicherheitKette <Mathematik>Neuronales NetzSoftwarePatch <Software>Mailing-ListeEin-AusgabeTypentheorieAnalogieschlussProgrammfehlerSchlussregelInstantiierungCASE <Informatik>ZahlenbereichKartesische KoordinatenMereologieFuzzy-LogikStatistischer TestDatensatzSignifikanztestDateiformatFolge <Mathematik>MultiplikationsoperatorLoopProzess <Informatik>InformationQuaderResultanteDämpfungDatennetzMessage-PassingRastertunnelmikroskopRandomisierungDifferenzengleichungHalbleiterspeicherLeistung <Physik>ProgrammschleifeKontextbezogenes SystemProgrammEinfach zusammenhängender RaumSichtenkonzeptAggregatzustandGenerator <Informatik>TermProgrammbibliothekPhysikalische TheorieFunktionalSprachsynthesePunktFuzzy-MengeWort <Informatik>Formale SpracheSoftwareschwachstelleRuhmasseSystemzusammenbruchRechnernetzPlastikkarteTeilbarkeitComputeranimation
12:15
DatennetzTermDefaultBildschirmmaskeInformationHalbleiterspeicherBimodulZellularer AutomatSchlüsselverwaltungComputeranimation
12:51
Neuronales NetzUniformer RaumZufallszahlenModul <Datentyp>Ein-AusgabeFunktion <Mathematik>LastMenütechnikVerschlingungViereckKonfigurationsraumLineares zeitinvariantes SystemTabelleBitZellularer AutomatInformationVerknüpfungsgliedGeradeMultiplikationMultiplikationsoperatorWort <Informatik>AggregatzustandEin-AusgabeRechnernetzZahlenbereichCodeDatensatzImplementierungEntscheidungstheorieEndliche ModelltheorieNichtlinearer OperatorFormale SpracheInformationsspeicherungKette <Mathematik>Folge <Mathematik>SchlüsselverwaltungGamecontrollerCASE <Informatik>RandomisierungInteraktives FernsehenSchnittmengeDatenstrukturSupport-Vektor-MaschineMereologieMAPNetzwerktopologieSignifikanztestNeuronales NetzRechenwerkGenerator <Informatik>ParametersystemÄhnlichkeitsgeometriePrimzahltestInstantiierungComputeranimation
Transkript: Englisch(automatisch erzeugt)
00:04
Good afternoon. My name is Heidi Thorpe, and I've worked for a government agency in Australia as a data scientist. And today I'm going to be talking to you about fuzzing and how you can use this in your testing.
00:22
How you can use fuzzing to harden your systems, mainly against cyber attacks. So, first of all, I'm going to introduce the subject. What are we going to do?
00:43
What is fuzzing? It is the automated generation of data for testing. For fuzzing to work best, it has to be more than just randomly generated invalid data. So, for instance, you have an image classifier that you're going to train to look for horses.
01:02
If you were going to use random test data, then you might have pictures of an orange or a chair. Random pictures. Random data that you might use. You test the classifier with the orange, and you say, no, no, that orange is not a horse.
01:20
You test the classifier with the chair, and you say, well, it's a bit closer, it's brown, has four legs, you can sit on it, but it definitely isn't a horse. So, then you say, okay, with fuzz testing, instead of using images of an orange and a chair,
01:41
you would instead possibly use images of a donkey and a unicorn. Is a donkey a horse? Well, not really, but closer than an orange. Is a unicorn a horse? Well, still not quite, but it's still closer.
02:01
It's closer to what we're expecting, but it's still unexpected data and could cause unexpected results. So, what we're going to be doing is creating XML or JSON that looks almost right, but gives you substantially more edge cases than you would get using manual testing.
02:26
The objective is to come up with data that superficially looks correct, but is not, because it is machine learning, you can automate the generation of the data and the execution of the tests.
02:42
The greatest vulnerabilities, crashes, null pointer exceptions, buffer overflows, you can run thousands of tests, and in this way, look for more exceptions. I can't show you real client data, so what we'll be doing is we'll be using MS Word data,
03:03
because internally, it's XML. If you take an MS Word document, you'll notice that it's a zip file, and you can unzip the zip file, and this is the set of data files that you get when you unzip the zip file.
03:20
It's not a practical example, but it's a demonstration of fuzzing and how to generate XML, with the added advantage that we can import the data back and see the results at the end. This is an example of one of the XML files from a Word document,
03:46
and since many REST interfaces, portals, etc, expect XML or JSON, it's still a valid test. So what is neural fuzzing? Neural fuzzing is a technique using neural networks for fuzz testing,
04:04
in this case, using neural networks to generate test data. Why is fuzzing a good idea? Well, fuzzing can save money, but it's not just about saving money. We'll start at the programming step. The programmer makes a mistake.
04:22
The software then moves through the QA and test cycle. The bug is not found. The testers are not using fuzzing, but maybe they're not using enough testing, maybe they're not using the right data. The software is released, and at some point in the future, an attacker finds the bug, probably they're using fuzzing.
04:47
Maybe, however they do not, however they do find the vulnerability, they find it and attack the system. They send data to the software,
05:00
they cause it to crash, they can then steal money, data, property, whatever they like. It could quite literally be death and destruction if an attacker crashed the software in your car, and this has actually happened, not necessarily XML, but it has happened to people in their car.
05:22
At some point, the owner of the software realises there's something wrong. They realise that the computer vulnerability has been found. Computer security experts are consulted, and they trace the attack back to the original bug. Now it is listed as a known vulnerability, and the vendor can fix the bug.
05:43
A patch can be released, and this is the worst case scenario, and it happens all the time. A better bug lifecycle would be this. Instead of an attacker finding the bug, it is found by a security expert using fuzzing. They can responsibly, discreetly disclose the vulnerability before it is found by an attacker,
06:07
and the vendor can apply a patch and the bug is not exploited. The best case scenario would be this one. Somebody writes a bug, the QA test team finds it, the bug is fixed, and it's not part of the software release.
06:24
This lowers the cost of the software and increases the satisfaction for the software users. Functional testing alongside fuzzing increases the possibility that a bug is caught before the software is released. So, how does it work?
06:41
Fuzz testing involves inputting massive amounts of random data in an attempt to make the software crash. During fuzzing, a program is executed many times, and after each execution the result is recorded. The input is modified, sometimes the whole data input is changed, sometimes only some of it.
07:05
The modified data is then sent to the program and the result recorded, along with the input data. If the software crashes, the result can be analysed, otherwise the process just continues until a failure happens.
07:22
There are two types of software fuzzing techniques. Dumb fuzz testing, where the input data is randomly changed and the reaction to the random data is observed. This may not provide useful results, as most applications expect the data to be in a particular format.
07:44
The technique should still be employed, as it's reasonable to expect that sometimes the software will receive this random input. The other type of software fuzz testing technique is smart fuzz testing.
08:05
Changing specific values, leveraging knowledge of the underlying format, or expected behaviour. In this case, the application expects input that is all numbers, for instance a phone number.
08:21
These users all abide by the rules and input numbers. Fuzz testing systematically simulates a user who does not abide by the rules. So here we have an analogy. For instance, a security guard at a party. You send a message with your name.
08:40
He looks on the list and sends a reply. Yes or no? Will you get into the party? To fuzz test this guard, you need to do something unexpected. You say, look over there, unexpected behaviour. Look over there, is it valid input? It's not expected, but it's not random either.
09:02
The unexpected behaviour may trigger a failure. Fuzz testing systematically simulates a user who does not follow the rules and could cause a failure. A good fuzzer decides what the malformed input should look like and generates test cases. It then automatically executes the test and records any failure it needs to keep any failure.
09:28
It needs to keep records of any failures so that it can be a repeatable process. The whole point of fuzzing is to find vulnerabilities in the software before anyone else does. This is important from both a security and a robustness point of view.
09:44
The sheer power of having fuzzing generate test cases is that you're going to have useful test cases showing up. Now we're going to implement a long short-term memory network, a neural network.
10:00
This is how we're going to generate the invalid data. Specifically, I'm using recurrent neural networks and Python libraries with TensorFlow to generate new inputs. Traditional neural networks start from scratch and cannot use prior knowledge.
10:22
People don't start from scratch and every time they read or hear something they use knowledge that they have from prior experience. Recurrent neural networks are networks with loops allowing information to flow between layers and to persist.
10:41
The most important factor with an RNN is the recurrence, the loop to the internal state, also known as the hidden layer. You just keep looking for as long as there are inputs. Consider what happens when the loop is unrolled. There is a box for each time step or input in the sequence.
11:04
LSTMs are a special type of RNN and this is what we're using in this instance. The chain reveals that recurrent neural networks are related to lists and sequences. Consider when trying to predict the last word in some text.
11:22
I grew up in France but I do not speak something. Recent information implies the next word would be that of a language. But which language? We need the context of France from further back. As the gap grows between the relevant data, RNNs are unable to learn the connected information.
11:45
In theory, RNNs are capable of connecting these long-term dependencies but in practice this is not the case. This is an example of an LSTM network. X of t is given where t is time.
12:03
Y of t is what we're trying to find and h of t is the hidden layer. Long short-term memory networks, usually just LSTMs, are a special form of RNN.
12:24
They're designed to avoid the long-term dependency problem that RNNs have. Remembering long-term information is their default behaviour. The repeating module of an RNN contains a single layer. This is the four interacting layers of an LSTM.
12:52
The key to the LSTM is the cell state, the horizontal line running through the unit. The cell state runs straight down the entire chain with only some minor linear interactions.
13:04
It's easy for information to just flow along it unchanged. The LSTM has the ability to forget or remember information. This is carefully regulated by the structures called gates. Gates are a way of optionally remembering or forgetting information.
13:23
They're composed of a sigmoid neural net layer and a pointwise multiplication operation. The first step in our LSTM is to decide what information we're going to throw away from the cell state. This decision is made by the sigmoid layer, the forget gate layer.
13:44
It looks at T minus one, one step in the past, and inputs a number between zero and one to decide how much it's going to forget and how much it's going to remember. A one represents completely keep and a zero means completely forget.
14:03
The cell state may, for instance, remember the name of the present subject. When it finds a new subject, it may throw away the old subject and just remember the new one. The next step is to decide which information we're going to store in the cell state.
14:24
This has two parts. First, the sigmoid layer called the input gate decides what value we're going to update. Next, the tan layer creates a vector of the new candidate values. This could be added to the state. In the next step, we're going to combine these two to create an update to the state.
14:47
In the example of our language model, we'd want to add the name of the new subject to the cell state to replace the old one that we're forgetting. It's now time to update the old cell state, C of T minus one, into the new cell state, C of T.
15:06
The previous steps already decided what we're going to do. We just need to actually do it. We multiply the old cell state by F of T, forgetting the things that we decided to forget earlier, and then we add C of T.
15:23
This is the new candidate values, scaled by how much we decided to update them. In the case of the language model, this is where we actually decide what information we're forgetting or remembering. This is the actual implementation of the previous step,
15:43
where we actually implement what we're forgetting and what we're remembering. Now we're going to look at some code. Because most people are not really very good at looking at XML and deciding whether it's correct,
16:01
we're going to look at some Shakespeare sonnet, and we're going to generate some Shakespeare sonnets using LSTMs.
19:12
What we've got here is we've got the Keras model, the sequential model.
19:57
We're loading some sonnet text.
20:05
What we've got to do first is turn the sonnets into sequences. In this case, we're turning them into sequences of 10 characters. This is what the neural network is going to use to learn.
20:21
We build the model, we're using a hyperparameter called temperature, which, depending on the value of it, is used to predict the controller randomness. What we've got is all of the different characters that we're using.
20:48
That is our character set. Usually, if you're using words, then you'd use Word2Vec or something that's already been trained. In this case, we're just using characters, and we're going to generate the sonnet one character at a time.
21:04
We have the neural network, and you can see it's pretty gibberish. There's just random letters, and then as it's learning, it discovers the word the.
21:22
We've found a word, and we're learning a bit more and a bit more. This is just one character at a time. We're learning. Then when we get to about here, we say something,
21:43
death not to me, so furlerness, dibnent. It's finding words, and it's almost kind of like a sonnet. Then as we go further down here, we say,
22:02
okay, the stars of summer state, and then betreeth of all two, sir, one gives and sing. This is one character at a time generating sonnets as it goes. Then as we get towards the end, so we say here,
22:29
we've got something that actually looks kind of like Shakespeare. The brave day sunk in hideous night, when I behold the violet past prime,
22:41
and sable curls all silvered o'erwith white, when lofty trays I see barren. You say, well, that's one character at a time. This, of course, is the code that I used for XML, is exactly this code.
23:09
As you can see, with sonnets, you can actually see it doing something. But with XML, it's just that much harder.
23:42
This is exactly the same code, but instead of having the sonnet, it has some XML as input. You can see it has gibberish, gibberish, and then as it gets towards the end, it's actually looking like real XML.
24:10
So that is what I've used, not exactly this code, not exactly this data, but something similar, and that's how I've been generating data for testing,
24:24
because generating it manually is just too hard, whereas generating it automatically generates thousands of records. And that's all. Thank you.