DOI: 10.1145/3133956.3134069
Research article (Public Access)

DIFUZE: Interface Aware Fuzzing for Kernel Drivers

Published: 30 October 2017 Publication History

Abstract

Device drivers are an essential part of modern Unix-like systems, handling operations on physical devices from hard disks and printers to digital cameras and Bluetooth speakers. The surge of new hardware, particularly on mobile devices, has introduced explosive growth in the number of device drivers in system kernels. Many such drivers are provided by third-party developers; they lack proper vetting and are susceptible to security vulnerabilities. Unfortunately, the complex input data structures of device drivers render traditional analysis tools, such as fuzz testing, less effective, and so far research on kernel driver security is comparatively sparse. In this paper, we present DIFUZE, an interface-aware fuzzing tool that automatically generates valid inputs and triggers the execution of kernel drivers. We leverage static analysis to compose correctly-structured inputs in userspace to explore kernel drivers. DIFUZE is fully automatic, from identifying driver handlers, to mapping them to device file names, to constructing complex argument instances. We evaluate our approach on seven modern Android smartphones. The results show that DIFUZE can effectively identify kernel driver bugs, reporting 32 previously unknown vulnerabilities, including flaws that lead to arbitrary code execution.

Published In

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
October 2017
2682 pages
ISBN:9781450349468
DOI:10.1145/3133956
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 October 2017

Author Tags

  1. fuzzing
  2. interface aware
  3. kernel drivers

Qualifiers

  • Research-article

Funding Sources

  • DARPA
  • ONR

Conference

CCS '17

Acceptance Rates

CCS '17 Paper Acceptance Rate 151 of 836 submissions, 18%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Bibliometrics & Citations

Article Metrics

  • Downloads (Last 12 months)598
  • Downloads (Last 6 weeks)82
Reflects downloads up to 14 Dec 2024

Cited By

  • (2024) Adaptive scheduling-based fine-grained greybox fuzzing for cloud-native applications. Journal of Cloud Computing 13:1. DOI: 10.1186/s13677-024-00681-1. Online publication date: 26-Jun-2024
  • (2024) Veld: Verified Linux Drivers. Proceedings of the 2nd Workshop on Kernel Isolation, Safety and Verification, 23-30. DOI: 10.1145/3698576.3698766. Online publication date: 4-Nov-2024
  • (2024) SPATA: Effective OS Bug Detection with Summary-Based, Alias-Aware, and Path-Sensitive Typestate Analysis. ACM Transactions on Computer Systems 42:3-4, 1-40. DOI: 10.1145/3695250. Online publication date: 6-Sep-2024
  • (2024) CountDown: Refcount-guided Fuzzing for Exposing Temporal Memory Errors in Linux Kernel. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, 1315-1329. DOI: 10.1145/3658644.3690320. Online publication date: 2-Dec-2024
  • (2024) Atlas: Automating Cross-Language Fuzzing on Android Closed-Source Libraries. Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, 350-362. DOI: 10.1145/3650212.3652133. Online publication date: 11-Sep-2024
  • (2024) Fuzzing API Error Handling Behaviors using Coverage Guided Fault Injection. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, 1495-1509. DOI: 10.1145/3634737.3637650. Online publication date: 1-Jul-2024
  • (2024) G-Fuzz: A Directed Fuzzing Framework for gVisor. IEEE Transactions on Dependable and Secure Computing 21:1, 168-185. DOI: 10.1109/TDSC.2023.3244825. Online publication date: Jan-2024
  • (2024) SyzGen++: Dependency Inference for Augmenting Kernel Driver Fuzzing. 2024 IEEE Symposium on Security and Privacy (SP), 4661-4677. DOI: 10.1109/SP54263.2024.00269. Online publication date: 19-May-2024
  • (2024) Saturn: Host-Gadget Synergistic USB Driver Fuzzing. 2024 IEEE Symposium on Security and Privacy (SP), 4646-4660. DOI: 10.1109/SP54263.2024.00051. Online publication date: 19-May-2024
  • (2024) To Boldly Go Where No Fuzzer Has Gone Before: Finding Bugs in Linux' Wireless Stacks through VirtIO Devices. 2024 IEEE Symposium on Security and Privacy (SP), 4629-4645. DOI: 10.1109/SP54263.2024.00024. Online publication date: 19-May-2024