X-AFL: a kernel fuzzer combining passive and active fuzzing

Vulnerabilities in OS kernel are more severe than those in user space because they allow attackers to access a system with full privileges. Fuzzing is an efficient technique to detect vulnerabilities though little fuzzing efforts aim to kernels. On one hand, by hooking the kernel, passive fuzzing can satisfy the dependencies among system calls but get no feedback, and thus fails to generate test cases for a resulted crash. On the other hand, guided with run-time feedback, active fuzzing can easily reproduce the crash with generated test cases, but cannot find bugs in deeper code path due to lacking of data dependency or control dependency. In this paper, we propose a novel approach for fuzzing kernel which combines passive fuzzing and active fuzzing and therefore gain their advantages. We implement the approach in a prototype called X-AFL which currently aims to test the Android kernel. Preliminary evaluation results show that X-AFL is an effective kernel fuzzer and can indeed find kernel vulnerabilities.

[1]  Insik Shin,et al.  Razzer: Finding Kernel Race Bugs through Fuzzing , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[2]  David A. Wagner,et al.  Finding User/Kernel Pointer Bugs with Type Inference , 2004, USENIX Security Symposium.

[3]  Yue Yu,et al.  Sequence Coverage Directed Greybox Fuzzing , 2019, 2019 IEEE/ACM 27th International Conference on Program Comprehension (ICPC).

[4]  Sang Kil Cha,et al.  IMF: Inferred Model-based Fuzzer , 2017, CCS.

[5]  Peiyuan Zong,et al.  SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits , 2017, CCS.

[6]  Somesh Jha,et al.  Mining specifications of malicious behavior , 2008, ISEC '08.

[7]  Suman Jana,et al.  MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation , 2018, USENIX Security Symposium.

[8]  HyungGeun Oh,et al.  Call-Flow Aware API Fuzz Testing for Security of Windows Systems , 2008, 2008 International Conference on Computational Sciences and Its Applications.

[9]  Xi Wang,et al.  Improving Integer Security for Systems with KINT , 2012, OSDI.

[10]  Christopher Krügel,et al.  DIFUZE: Interface Aware Fuzzing for Kernel Drivers , 2017, CCS.