Fuzzing Error Handling Code in Device Drivers Based on Software Fault Injection

Device drivers remain a main source of runtime failures in operating systems. To detect bugs in device drivers, fuzzing has been commonly used in practice. However, a main limitation of existing fuzzing approaches is that they cannot effectively test error handling code. Indeed, these fuzzing approaches require effective inputs to cover target code, but much error handling code in drivers is triggered by occasional errors (such as insufficient memory and hardware malfunctions) that are not related to inputs. In this paper, based on software fault injection, we propose a new fuzzing approach named FIZZER, to test error handling code in device drivers. At compile time, FIZZER uses static analysis to recommend possible error sites that can trigger error handling code. During driver execution, by analyzing runtime information, it automatically fuzzes error-site sequences for fault injection to improve code coverage. We evaluate FIZZER on 18 device drivers in Linux 4.19, and in total find 22 real bugs. The code coverage is increased by over 15% compared to normal execution without fuzzing.

[1]  Rishabh Singh,et al.  Learn&Fuzz: Machine learning for input fuzzing , 2017, 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[2]  B B Meshram,et al.  Device Driver Fault Simulation Using KEDR , 2012 .

[3]  Domenico Cotroneo,et al.  On Fault Representativeness of Software Fault Injection , 2013, IEEE Transactions on Software Engineering.

[4]  Kang G. Shin,et al.  Software fault injection and its application in distributed systems , 1993, FTCS-23 The Twenty-Third International Symposium on Fault-Tolerant Computing.

[5]  Li Lei,et al.  Automatic fault injection for driver robustness testing , 2015, ISSTA.

[6]  Suman Saha,et al.  Hector: Detecting Resource-Release Omission Faults in error-handling code for systems software , 2013, 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[7]  Nuno Ferreira Neves,et al.  Robustness Testing of the Windows DDK , 2007, 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'07).

[8]  Nuno Ferreira Neves,et al.  Fuzzing Wi-Fi Drivers to Locate Security Vulnerabilities , 2007, 2008 Seventh European Dependable Computing Conference.

[9]  Sebastian Burckhardt,et al.  Effective Data-Race Detection for the Kernel , 2010, OSDI.

[10]  George Candea,et al.  Fast black-box testing of system recovery code , 2012, EuroSys '12.

[11]  Suman Jana,et al.  MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation , 2018, USENIX Security Symposium.

[12]  Sebastian G. Elbaum,et al.  Amplifying Tests to Validate Exception Handling Code: An Extended Study in the Mobile Application Domain , 2014, TSEM.

[13]  Jean-Pierre Seifert,et al.  PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary , 2019, NDSS.

[14]  Suman Jana,et al.  Automatically Detecting Error Handling Bugs Using Error Specifications , 2016, USENIX Security Symposium.

[15]  Shi-Min Hu,et al.  Testing Error Handling Code in Device Drivers Using Characteristic Fault Injection , 2016, USENIX Annual Technical Conference.

[16]  Suman Saha,et al.  An approach to improving the structure of error-handling code in the linux kernel , 2011, LCTES '11.

[17]  Herbert Bos,et al.  VUzzer: Application-aware Evolutionary Fuzzing , 2017, NDSS.

[18]  Andrea C. Arpaci-Dusseau,et al.  EIO: Error Handling is Occasionally Correct , 2008, FAST.

[19]  Domenico Cotroneo,et al.  Representativeness analysis of injected software faults in complex software , 2010, 2010 IEEE/IFIP International Conference on Dependable Systems & Networks (DSN).

[20]  Tao Xie,et al.  Mining exception-handling rules as sequence association rules , 2009, 2009 IEEE 31st International Conference on Software Engineering.

[21]  Abhik Roychoudhury,et al.  Directed Greybox Fuzzing , 2017, CCS.

[22]  Chao Zhang,et al.  CollAFL: Path Sensitive Fuzzing , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[23]  Asim Kadav,et al.  Understanding modern device drivers , 2012, ASPLOS XVII.

[24]  Sebastian Schinzel,et al.  kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels , 2017, USENIX Security Symposium.

[25]  Insik Shin,et al.  Razzer: Finding Kernel Race Bugs through Fuzzing , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[26]  Cristiano Giuffrida,et al.  EDFI: A Dependable Fault Injection Tool for Dependability Benchmarking Experiments , 2013, 2013 IEEE 19th Pacific Rim International Symposium on Dependable Computing.

[27]  Yang Liu,et al.  Skyfire: Data-Driven Seed Generation for Fuzzing , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[28]  Yuanyuan Zhou,et al.  Bug characteristics in open source software , 2013, Empirical Software Engineering.

[29]  Hang Zhang,et al.  Charm: Facilitating Dynamic Analysis of Device Drivers of Mobile Systems , 2018, USENIX Security Symposium.

[30]  Patrice Godefroid Fuzzing , 2020, Communications of the ACM.

[31]  Neeraj Suri,et al.  An empirical study of injected versus actual interface errors , 2014, ISSTA 2014.

[32]  Koushik Sen,et al.  PREFAIL: a programmable tool for multiple-failure injection , 2011, OOPSLA '11.

[33]  George Candea,et al.  LFI: A practical and general library-level fault injector , 2009, 2009 IEEE/IFIP International Conference on Dependable Systems & Networks.

[34]  Shi-Min Hu,et al.  PF-Miner: A practical paired functions mining method for Android kernel in error paths , 2016, J. Syst. Softw..

[35]  Sudipto Ghosh,et al.  Bytecode fault injection for Java software , 2008, J. Syst. Softw..

[36]  Christopher Krügel,et al.  DIFUZE: Interface Aware Fuzzing for Kernel Drivers , 2017, CCS.

[37]  Dawn Xiaodong Song,et al.  PerfFuzz: automatically generating pathological inputs , 2018, ISSTA.

[38]  Neeraj Suri,et al.  On the Selection of Error Model(s) for OS Robustness Evaluation , 2007, 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'07).

[39]  Neeraj Suri,et al.  On the Impact of Injection Triggers for OS Robustness Evaluation , 2007, The 18th IEEE International Symposium on Software Reliability (ISSRE '07).

[40]  Chen Fu,et al.  Testing of java web services for robustness , 2004, ISSTA '04.

[41]  Takeshi Yoshimura,et al.  Do Injected Faults Cause Real Failures? A Case Study of Linux , 2014, 2014 IEEE International Symposium on Software Reliability Engineering Workshops.

[42]  Abhik Roychoudhury,et al.  Coverage-Based Greybox Fuzzing as Markov Chain , 2016, IEEE Transactions on Software Engineering.