Reverse engineering of binary device drivers with RevNIC

This paper presents a technique that helps automate the reverse engineering of device drivers. It takes a closed-source binary driver, automatically reverse engineers the driver's logic, and synthesizes new device driver code that implements the exact same hardware protocol as the original driver. This code can be targeted at the same or a different OS. No vendor documentation or source code is required. Drivers are often proprietary and available for only one or two operating systems, thus restricting the range of device support on all other OSes. Restricted device support leads to low market viability of new OSes and hampers OS researchers in their efforts to make their ideas available to the 'real world.' Reverse engineering can help automate the porting of drivers, as well as produce replacement drivers with fewer bugs and fewer security vulnerabilities. Our technique is embodied in RevNIC, a tool for reverse engineering network drivers. We use RevNIC to reverse engineer four proprietary Windows drivers and port them to four different OSes, both for PCs and embedded systems. The synthesized network drivers deliver performance nearly identical to that of the original drivers.

[1]  Helen J. Wang,et al.  Tupni: automatic reverse engineering of input formats , 2008, CCS.

[2]  Dawson R. Engler,et al.  RWset: Attacking Path Explosion in Constraint-Based Test Generation , 2008, TACAS.

[3]  Asim Kadav,et al.  Tolerating hardware device failures in software , 2009, SOSP '09.

[4]  Cristina Cifuentes,et al.  Reverse compilation techniques , 1994 .

[5]  Emin Gün Sirer,et al.  Device Driver Safety Through a Reference Validation Mechanism , 2008, OSDI.

[6]  Brian N. Bershad,et al.  Improving the reliability of commodity operating systems , 2005, TOCS.

[7]  Gregory R. Andrews,et al.  Disassembly of executable code revisited , 2002, Ninth Working Conference on Reverse Engineering, 2002. Proceedings..

[8]  Manuel Costa,et al.  Bouncer: securing software by blocking bad input , 2008, WRAITS '08.

[9]  Sriram K. Rajamani,et al.  Thorough static analysis of device drivers , 2006, EuroSys.

[10]  Michael R. Lowry,et al.  Combining unit-level symbolic execution and system-level concrete execution for testing nasa software , 2008, ISSTA '08.

[11]  Laurent Réveillère,et al.  Devil: an IDL for hardware programming , 2000, OSDI.

[12]  Информатика,et al.  Uniform Driver Interface , 2010 .

[13]  Adam Kiezun,et al.  Grammar-based whitebox fuzzing , 2008, PLDI '08.

[14]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[15]  Julia L. Lawall,et al.  Documenting and automating collateral evolutions in linux device drivers , 2008, Eurosys '08.

[16]  Vitaly Chipounov,et al.  Selective Symbolic Execution , 2009 .

[17]  Somesh Jha,et al.  The design and implementation of microdrivers , 2008, ASPLOS.

[18]  Brian N. Bershad,et al.  Recovering device drivers , 2004, TOCS.

[19]  Helen J. Wang,et al.  Discoverer: Automatic Protocol Reverse Engineering from Network Traces , 2007, USENIX Security Symposium.

[20]  Christopher Krügel,et al.  Exploring Multiple Execution Paths for Malware Analysis , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[21]  Heng Yin,et al.  Panorama: capturing system-wide information flow for malware detection and analysis , 2007, CCS '07.

[22]  Koushik Sen,et al.  DART: directed automated random testing , 2005, PLDI '05.

[23]  George Candea,et al.  Cloud9: a software testing service , 2010, OPSR.

[24]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[25]  Fabrice Bellard,et al.  QEMU, a Fast and Portable Dynamic Translator , 2005, USENIX Annual Technical Conference, FREENIX Track.

[26]  Vikram S. Adve,et al.  LLVM: a compilation framework for lifelong program analysis & transformation , 2004, International Symposium on Code Generation and Optimization, 2004. CGO 2004..

[27]  Patrice Godefroid,et al.  Automated Whitebox Fuzz Testing , 2008, NDSS.

[28]  Koushik Sen,et al.  CUTE: a concolic unit testing engine for C , 2005, ESEC/FSE-13.

[29]  Tal Garfinkel,et al.  VMwareDecoupling Dynamic Program Analysis from Execution in Virtual Environments , 2008, USENIX Annual Technical Conference.

[30]  Stefan Götz,et al.  Unmodified Device Driver Reuse and Improved System Dependability via Virtual Machines , 2004, OSDI.

[31]  Dawson R. Engler,et al.  EXE: automatically generating inputs of death , 2006, CCS '06.

[32]  James C. King,et al.  Symbolic execution and program testing , 1976, CACM.

[33]  David Brumley,et al.  Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[34]  Leonid Ryzhyk,et al.  Automatic device driver synthesis with termite , 2009, SOSP '09.

[35]  Andrea C. Arpaci-Dusseau,et al.  Antfarm: Tracking Processes in a Virtual Machine Environment , 2006, USENIX Annual Technical Conference, General Track.

[36]  Samuel T. King,et al.  Debugging Operating Systems with Time-Traveling Virtual Machines (Awarded General Track Best Paper Award!) , 2005, USENIX Annual Technical Conference, General Track.

[37]  Jun Sun,et al.  HAIL: a language for easy and correct device access , 2005, EMSOFT.

[38]  Gernot Heiser,et al.  Towards a Practical, Verified Kernel , 2007, HotOS.