Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints

Kernel-mode drivers are challenging to analyze for vulnerabilities, yet play a critical role in maintaining the security of OS kernels. Their wide attack surface, exposed via both the system call interface and the peripheral interface, is often found to be the most direct attack vector to compromise an OS kernel. Researchers therefore have proposed many fuzzing techniques to find vulnerabilities in kernel drivers. However, the performance of kernel fuzzers is still lacking, for reasons such as prolonged execution of kernel code, interference between test inputs, and kernel crashes. This paper proposes lightweight virtual machine checkpointing as a new primitive that enables high-throughput kernel driver fuzzing. Our key insight is that kernel driver fuzzers frequently execute similar test cases in a row, and that their performance can be improved by dynamically creating multiple checkpoints while executing test cases and skipping parts of test cases using the created checkpoints. We built a system, dubbed Agamotto, around the virtual machine checkpointing primitive and evaluated it by fuzzing the peripheral attack surface of USB and PCI drivers in Linux. The results are convincing. Agamotto improved the performance of the state-of-the-art kernel fuzzer, Syzkaller, by 66.6% on average in fuzzing 8 USB drivers, and an AFL-based PCI fuzzer by 21.6% in fuzzing 4 PCI drivers, without modifying their underlying input generation algorithm.
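The abstract's key insight, that consecutive test cases share long prefixes and a checkpoint taken mid-test lets the fuzzer skip the shared part, can be illustrated with a small model. The following Python is an added example, not code from the paper or from the Agamotto project: it keeps checkpoints in a prefix tree keyed by runs of peripheral interactions, restores the deepest checkpoint whose prefix matches the next test case, and executes only the remaining suffix. The action labels, the class names and the "checkpoint every N actions" policy are assumptions of this model, chosen to show the reuse-versus-checkpoint-cost trade-off rather than to mirror Agamotto's actual policy.

```python
"""Toy model of checkpoint reuse across prefix-sharing fuzzer test cases.
Constructed for illustration; not the paper's or the project's code."""

from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple

# A test case is a sequence of peripheral interactions driven by the fuzzer.
# The labels used below are constructed for the example, not real driver events.
Action = str
Chunk = Tuple[Action, ...]


@dataclass
class Checkpoint:
    """VM state captured after `depth` actions of some earlier test case."""
    depth: int
    children: Dict[Chunk, "Checkpoint"] = field(default_factory=dict)


@dataclass
class Stats:
    executed: int = 0     # actions actually executed inside the VM
    skipped: int = 0      # actions whose effect came from restoring a checkpoint
    restores: int = 0     # checkpoint restores (one per test case)
    checkpoints: int = 0  # checkpoints created


class CheckpointTree:
    """Prefix tree of checkpoints; each edge is a run of `interval` actions.

    interval=1 checkpoints after every action (maximum reuse, maximum
    checkpoint cost); larger values trade reuse for fewer checkpoints.
    """

    def __init__(self, interval: int = 1) -> None:
        if interval < 1:
            raise ValueError("interval must be >= 1")
        self.interval = interval
        self.root = Checkpoint(depth=0)  # pristine VM that every test starts from
        self.stats = Stats()

    def _deepest_checkpoint(self, test: Sequence[Action]) -> Checkpoint:
        """Follow the tree as far as the test's prefix matches stored runs."""
        node = self.root
        while True:
            chunk = tuple(test[node.depth:node.depth + self.interval])
            nxt = node.children.get(chunk) if len(chunk) == self.interval else None
            if nxt is None:
                return node
            node = nxt

    def run(self, test: Sequence[Action]) -> int:
        """'Execute' one test case; return how many actions ran in the VM."""
        node = self._deepest_checkpoint(test)
        self.stats.restores += 1
        self.stats.skipped += node.depth      # restoring replaces this prefix
        executed = 0
        pos = node.depth
        while pos < len(test):
            chunk = tuple(test[pos:pos + self.interval])
            executed += len(chunk)            # each action runs in the VM
            pos += len(chunk)
            if len(chunk) == self.interval:   # full run: snapshot for later reuse
                child = Checkpoint(depth=pos)
                node.children[chunk] = child
                node = child
                self.stats.checkpoints += 1
        self.stats.executed += executed
        return executed


def simulate(tests: Sequence[Sequence[Action]], interval: int = 1) -> Stats:
    """Run a whole fuzzing session through one checkpoint tree."""
    tree = CheckpointTree(interval)
    for test in tests:
        tree.run(test)
    return tree.stats


def skipped_fraction(stats: Stats) -> float:
    """Share of actions the VM did not have to execute thanks to checkpoints."""
    total = stats.executed + stats.skipped
    return stats.skipped / total if total else 0.0


# Constructed session: mutations of one USB-style interaction sequence that
# keep a long common prefix, the pattern the abstract says fuzzers produce.
SAMPLE_TESTS: List[List[Action]] = [
    ["probe", "get_descriptor", "set_config", "bulk_in"],
    ["probe", "get_descriptor", "set_config", "bulk_out"],
    ["probe", "get_descriptor", "set_config", "bulk_in", "bulk_in"],
    ["probe", "get_descriptor", "reset"],
]

if __name__ == "__main__":
    for interval in (1, 2):
        s = simulate(SAMPLE_TESTS, interval)
        print(f"interval={interval}: executed={s.executed} skipped={s.skipped} "
              f"checkpoints={s.checkpoints} saved={skipped_fraction(s):.0%}")
```

On the constructed session, checkpointing after every action lets the model skip 9 of 16 actions at the price of 7 checkpoints, while checkpointing every two actions skips 8 of 16 with only 3 checkpoints; the real system has to balance this against the memory and time each checkpoint costs, which the model does not account for.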
