IMF: Inferred Model-based Fuzzer

Kernel vulnerabilities are critical in security because they naturally allow attackers to gain unprivileged root access. Although there has been much research on finding kernel vulnerabilities from source code, there are relatively few research on kernel fuzzing, which is a practical bug finding technique that does not require any source code. Existing kernel fuzzing techniques involve feeding in random input values to kernel API functions. However, such a simple approach does not reveal latent bugs deep in the kernel code, because many API functions are dependent on each other, and they can quickly reject arbitrary parameter values based on their calling context. In this paper, we propose a novel fuzzing technique for commodity OS kernels that leverages inferred dependence model between API function calls to discover deep kernel bugs. We implement our technique on a fuzzing system, called IMF. IMF has already found 32 previously unknown kernel vulnerabilities on the latest macOS version 10.12.3 (16D32) at the time of this writing.

[1]  Daniel P. Siewiorek,et al.  Comparing operating systems using robustness benchmarks , 1997, Proceedings of SRDS'97: 16th IEEE Symposium on Reliable Distributed Systems.

[2]  Rauli Kaksonen,et al.  System Security Assessment through Specification Mutations and Fault Injection , 2001, Communications and Multimedia Security.

[3]  Robert Love,et al.  Linux Kernel Development , 2003 .

[4]  David A. Wagner,et al.  Finding User/Kernel Pointer Bugs with Type Inference , 2004, USENIX Security Symposium.

[5]  Peter Oehlert,et al.  Violating Assumptions with Fuzzing , 2005, IEEE Secur. Priv..

[6]  Kevin C. Almeroth,et al.  SNOOZE: Toward a Stateful NetwOrk prOtocol fuzZEr , 2006, ISC.

[7]  Eddie Kohler,et al.  Making information flow explicit in HiStar , 2006, OSDI '06.

[8]  Michael D. Ernst,et al.  Feedback-Directed Random Test Generation , 2007, 29th International Conference on Software Engineering (ICSE'07).

[9]  Zhenkai Liang,et al.  Polyglot: automatic extraction of protocol message format using dynamic binary analysis , 2007, CCS '07.

[10]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[11]  Helen J. Wang,et al.  Tupni: automatic reverse engineering of input formats , 2008, CCS.

[12]  HyungGeun Oh,et al.  Call-Flow Aware API Fuzz Testing for Security of Windows Systems , 2008, 2008 International Conference on Computational Sciences and Its Applications.

[13]  Somesh Jha,et al.  Mining specifications of malicious behavior , 2008, ISEC '08.

[14]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[15]  Rob Miller,et al.  Sikuli: using GUI screenshots for search and automation , 2009, UIST '09.

[16]  Jean-Louis Lanet,et al.  Enhancing Fuzzing Technique for OKL4 Syscalls Testing , 2011, 2011 Sixth International Conference on Availability, Reliability and Security.

[17]  Andreas Zeller,et al.  Fuzzing with Code Fragments , 2012, USENIX Security Symposium.

[18]  Jonathan Levin Mac OS X and iOS Internals: To the Apple's Core , 2012 .

[19]  Xi Wang,et al.  Improving Integer Security for Systems with KINT , 2012, OSDI.

[20]  Wolfgang Schröder-Preikschat,et al.  Attack Surface Metrics and Automated Compile-Time OS Kernel Tailoring , 2013, NDSS.

[21]  David Brumley,et al.  Scheduling black-box mutational fuzzing , 2013, CCS.

[22]  Mira Mezini,et al.  Ieee Transactions on Software Engineering 1 Automated Api Property Inference Techniques , 2022 .

[23]  Bernhard Garn,et al.  Eris: A Tool for Combinatorial Testing of the Linux System Call Interface , 2014, 2014 IEEE Seventh International Conference on Software Testing, Verification and Validation Workshops.

[24]  Gernot Heiser,et al.  Comprehensive formal verification of an OS microkernel , 2014, TOCS.

[25]  Angelos D. Keromytis,et al.  ret2dir: Rethinking Kernel Isolation , 2014, USENIX Security Symposium.

[26]  David Brumley,et al.  Optimizing Seed Selection for Fuzzing , 2014, USENIX Security Symposium.

[27]  Juanru Li,et al.  From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel , 2015, CCS.

[28]  David Brumley,et al.  Program-Adaptive Mutational Fuzzing , 2015, 2015 IEEE Symposium on Security and Privacy.

[29]  Vincent M. Weaver,et al.  perf fuzzer: Targeted Fuzzing of the perf event open() System Call , 2015 .

[30]  Konrad Rieck,et al.  Pulsar: Stateful Black-Box Fuzzing of Proprietary Network Protocols , 2015, SecureComm.

[31]  Florence March,et al.  2016 , 2016, Affair of the Heart.

[32]  Taesoo Kim,et al.  Breaking Kernel Address Space Layout Randomization with Intel TSX , 2016, CCS.

[33]  Somesh Jha,et al.  Security and Privacy in Communication Networks , 2017, Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering.

[34]  Herbert Bos,et al.  VUzzer: Application-aware Evolutionary Fuzzing , 2017, NDSS.

[35]  Abhik Roychoudhury,et al.  Coverage-Based Greybox Fuzzing as Markov Chain , 2016, IEEE Transactions on Software Engineering.