DIFUZE: Interface Aware Fuzzing for Kernel Drivers

Device drivers are an essential part of modern Unix-like systems: they handle operations on physical devices, from hard disks and printers to digital cameras and Bluetooth speakers. The surge of new hardware, particularly on mobile devices, has caused explosive growth in the number of device drivers in system kernels. Many such drivers are provided by third-party developers and lack proper vetting, which makes them susceptible to security vulnerabilities. Unfortunately, the complex input data structures that device drivers expect render traditional analysis tools, such as fuzz testing, less effective, and so far research on kernel driver security is comparatively sparse. In this paper, we present DIFUZE, an interface-aware fuzzing tool that automatically generates valid inputs and triggers the execution of kernel drivers. We leverage static analysis to compose correctly-structured input in userspace to explore kernel drivers. DIFUZE is fully automatic, from identifying driver handlers, to mapping them to device file names, to constructing complex argument instances. We evaluate our approach on seven modern Android smartphones. The results show that DIFUZE can effectively identify kernel driver bugs, and it reports 32 previously unknown vulnerabilities, including flaws that lead to arbitrary code execution.
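The abstract's central claim is that a fuzzer which knows a driver's interface (the ioctl command words and the layout of the argument structures they expect) gets past the dispatch and size checks that stop blindly generated inputs, and so exercises the handler code where bugs live. The following C program is an added illustration of that point and is not code from the DIFUZE paper or its authors. It reproduces the Linux ioctl command-word layout so it builds without kernel headers, defines a constructed toy driver interface (`struct demo_cfg`, `DEMO_SET_CFG`) and a mock userspace handler `demo_ioctl` standing in for a driver's `unlocked_ioctl`, and compares how often blind inputs and interface-aware inputs reach the handler body. Everything named here is hypothetical except the ioctl bit layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Linux ioctl command-word layout, reproduced so this builds anywhere:
 * bits 0-7 nr, 8-15 type (magic), 16-29 argument size, 30-31 direction.
 * Everything below this block is a constructed toy, not a real driver. */
#define IOC_NRBITS    8
#define IOC_TYPEBITS  8
#define IOC_SIZEBITS  14
#define IOC_NRSHIFT   0
#define IOC_TYPESHIFT (IOC_NRSHIFT + IOC_NRBITS)
#define IOC_SIZESHIFT (IOC_TYPESHIFT + IOC_TYPEBITS)
#define IOC_DIRSHIFT  (IOC_SIZESHIFT + IOC_SIZEBITS)
#define IOC_WRITE     1U
#define IOC(dir, type, nr, size)                                    \
    ((uint32_t)(((uint32_t)(dir) << IOC_DIRSHIFT) |                 \
                ((uint32_t)(type) << IOC_TYPESHIFT) |               \
                ((uint32_t)(nr) << IOC_NRSHIFT) |                   \
                ((uint32_t)(size) << IOC_SIZESHIFT)))
#define IOC_NR(cmd)   (((cmd) >> IOC_NRSHIFT) & ((1U << IOC_NRBITS) - 1))
#define IOC_TYPE(cmd) (((cmd) >> IOC_TYPESHIFT) & ((1U << IOC_TYPEBITS) - 1))
#define IOC_SIZE(cmd) (((cmd) >> IOC_SIZESHIFT) & ((1U << IOC_SIZEBITS) - 1))

/* Constructed driver interface: this is the kind of information an
 * interface-aware fuzzer recovers from the driver source by static analysis
 * (magic, command number, and the argument struct layout). */
struct demo_cfg {
    uint32_t mode;        /* handler accepts 0..3 */
    uint32_t len;         /* bytes of payload in use, at most 16 */
    uint8_t  payload[16];
};
#define DEMO_MAGIC   'd'
#define DEMO_SET_CFG IOC(IOC_WRITE, DEMO_MAGIC, 1, sizeof(struct demo_cfg))

/* Mock handler. Returns the stage an input reached:
 *   0 = rejected at dispatch (unknown magic or nr, like -ENOTTY)
 *   1 = dispatched, but the argument size check failed (like -EINVAL)
 *   2 = argument copied in, then rejected by a field check
 *   3 = fully processed: the code a fuzzer actually wants to exercise */
int demo_ioctl(uint32_t cmd, const void *arg, size_t arg_len)
{
    if (IOC_TYPE(cmd) != (uint32_t)DEMO_MAGIC || IOC_NR(cmd) != 1)
        return 0;
    if (IOC_SIZE(cmd) != sizeof(struct demo_cfg) || arg_len != sizeof(struct demo_cfg))
        return 1;
    struct demo_cfg cfg;
    memcpy(&cfg, arg, sizeof cfg);   /* stands in for copy_from_user */
    if (cfg.mode > 3 || cfg.len > sizeof cfg.payload)
        return 2;
    return 3;
}

/* Small deterministic PRNG so campaigns are reproducible. */
static uint32_t prng_state = 1;
static uint32_t prng_next(void)
{
    prng_state = prng_state * 1664525u + 1013904223u;
    return prng_state;
}
static void fill_random(void *buf, size_t n)
{
    uint8_t *p = buf;
    for (size_t i = 0; i < n; i++)
        p[i] = (uint8_t)(prng_next() >> 24);
}

/* Blind fuzzing: random command word, random-sized random buffer. */
static int blind_case(void)
{
    uint8_t buf[64];
    size_t len = prng_next() % sizeof buf;
    fill_random(buf, len);
    return demo_ioctl(prng_next(), buf, len);
}

/* Interface-aware fuzzing: command word and argument size come from the
 * recovered interface; only the field contents are random. */
static int aware_case(void)
{
    struct demo_cfg cfg;
    fill_random(&cfg, sizeof cfg);
    return demo_ioctl(DEMO_SET_CFG, &cfg, sizeof cfg);
}

/* Interface-aware case with chosen field values, to probe individual stages. */
int aware_case_with(uint32_t mode, uint32_t len)
{
    struct demo_cfg cfg = { .mode = mode, .len = len, .payload = {0} };
    return demo_ioctl(DEMO_SET_CFG, &cfg, sizeof cfg);
}

/* Run `iters` cases from `seed` and count those reaching at least `min_stage`. */
unsigned run_campaign(int aware, unsigned iters, uint32_t seed, int min_stage)
{
    prng_state = seed;
    unsigned reached = 0;
    for (unsigned i = 0; i < iters; i++)
        if ((aware ? aware_case() : blind_case()) >= min_stage)
            reached++;
    return reached;
}

int main(void)
{
    printf("blind : %u / 1000 inputs reached the handler body\n", run_campaign(0, 1000, 12345, 2));
    printf("aware : %u / 1000 inputs reached the handler body\n", run_campaign(1, 1000, 12345, 2));
    return 0;
}
```

Every interface-aware input passes dispatch and the size check, while a random 32-bit command word almost never matches the driver's magic, number and encoded size, so blind inputs die at stage 0. The remaining field checks (`mode`, `len`) are the semantic layer that structural knowledge alone does not solve; that is the part of the handler a fuzzing campaign then spends its budget on.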
