How has the recent turmoil within the OpenAI offices changed your plans to use GPT in a business process or product in 2024?
Increased uncertainty means we are more likely to evaluate alternative AI chatbots and LLMs.
No change in plans, though we will keep an eye on the situation.
With Sam Altman back in charge, we are more likely to go all-in with GPT and LLMs.
What recent turmoil?
Open Source / Security / Software Testing

Amazon Web Services Open Sources a KVM-Based Fuzzing Framework

The open source Snapchange can replay an application execution in a KVM virtual machine, making for easier debugging and security checks.
May 11th, 2023 1:03pm by
Featued image for: Amazon Web Services Open Sources a KVM-Based Fuzzing Framework

Amazon Web Services has released an open source framework for running fuzzing tests against software applications, in which the state of the application is caught within a virtual machine for easier inspection and remediation.

Fuzzing is a security mechanism and programming technique that pummels a program with a wide range of random input in order to see if the program misbehaves or otherwise crashes, which is good for security and regression testing.

Released as open source this week, Snapchange is a fuzzing framework written in Rust. It provides a library of utilities for running the fuzzing process and can be controlled by the command line.

This fuzzer is unique in that it can replay physical memory snapshots in a KVM virtual machine, thus reducing labor and supporting introspection. This approach has been of growing interest to security researchers, according to the company.

A snapshot is the pairing of a physical memory dump and a register state. Fuzzing with a snapshot allows for granular execution in order to reach code blocks that are traditionally difficult to fuzz without the complexities of managing state within the target, said AWS Security Engineer Cory Duplantis, in an interview with The New Stack.

In a demonstration for TNS, Duplantis ran a fuzz test against LibTIFF, an open source library for creating TIFF files.

The idea is to feed the program random and purposefully mutated data in order to understand where problems may occur, with special attention to those edge cases. Each application instance is given a mutated TIFF file to run multiple times in isolated KVMs, which the memory of each instance, along with the register state for that machine, is captured. Snapchange provides metrics such as the number of executions, the time-per-execution, and the number of software crashes it has caused.

Such gives the developer or security professional useful information, such as where a bug may be, Duplantis said. Developers can rewrite memory chunks to test software. They can access the register state, and add hooks to functions.

Snapchange is run from the command line and offers many configuration settings, such as the number of cores that can be used to run the program. The program can be run across multiple cores, with each core running a separate copy of the application separately. The software then can aggregate the results. The software captures which portions of the code are executed during the runtime.

“If we find anything new, we keep that input for future cases,” Duplantis said. Those will be reused for future tests, with the idea to find as many paths through the target application as possible.

The KVM Advantage

The KVM is advantageous in that it brings a “pseudo-determinism,” in which the developer knows what the memory range is for a given execution, and so can test changes, Duplantis explained. “This could be really useful for something like a race condition bug, where you might not be able to reproduce it in the real world as easily, but if you can reproduce it in the snapshot, it makes it easier to triage.”

Snapchange is already used in-house at AWS. The company’s find-and-fix debugging team, of which Duplantis is part, uses the software for internal application, and they are introducing the software to develop other teams within AWS.

Open Source

AWS created the tool because there were no KVM-based equivalents. The closest was What the Fuzz, though that library focuses on Windows, whereas SnapChange works in Linux environments.

AWS debuted the tool at the Linux Foundation’s Open Source Summit, being held this week in Vancouver. At the show, the cloud services giant also released Cedar, an open source language and software development kit (SDK) for writing and enforcing authorization policies for AWS applications.

Group Created with Sketch.
TNS owner Insight Partners is an investor in: Pragma, The New Stack.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.