Abstract
File systems (FSes) store crucial data. However, FS bugs can lead to data loss and security vulnerabilities. FS fuzzing is an effective technique for identifying FS bugs that may be difficult to detect through traditional regression suites and human testing. FS fuzzing involves two parts: (1) File image fuzzing often involves altering bits of an FS at random storage locations; (2) File operation fuzzing typically issues random sequences of file operations to an FS image.
Since leading FS fuzzers tend to access a small set of files to encourage the exploration of deep code branches, the accessed FS image locations tend to be clustered and localized. Thus, altering bits at random FS locations is ineffective in triggering bugs, because those locations are often never referenced by the issued file operations. Furthermore, even a minimal FS image is too large to save and restore frequently without significant performance and storage overhead.
In this paper, we introduce LFuzz, which exploits the locality shown in typical FS fuzzing workloads. LFuzz tracks recently accessed image locations and their neighboring locations to predict which locations will soon be referenced, and the scheme adapts to migrating file access patterns. Moreover, since modified image locations are localized, LFuzz can compactly and incrementally accumulate FS image changes, so that FS states can be fuzzed from intermediate images instead of top-level seed images. LFuzz further explores the use of partially updated images to simulate corrupted FSes with mixed versions of metadata.
We applied LFuzz to ext4, BTRFS, and F2FS and found 21 new bugs. Compared to JANUS, LFuzz reduced the fuzzing area by up to 8x, while the number of unique edges covered deviated by at most 15%.
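The following is an added illustration of the two locality mechanisms the abstract describes; it is not LFuzz's code and makes no claim about its implementation details. It assumes a 4 KiB block size, that the fuzzer can observe which blocks the file operations touch (here a constructed access trace stands in for that), and that image changes are small enough to keep as an ordered list of (offset, bytes) deltas. The LRU window plus a neighbor radius yields the candidate blocks to mutate, the sparse delta overlay makes snapshot/restore proportional to the size of the changes rather than the image, and applying only a subset of the deltas produces a partially updated image with mixed metadata versions.

```python
"""Locality-guided image mutation and delta accumulation (illustrative)."""
from collections import OrderedDict
import random

BLOCK = 4096  # assumed FS block size


class LocalityTracker:
    """LRU window of recently referenced block numbers.

    Candidate mutation targets are the windowed blocks plus every block
    within `radius` of them, so the set follows a migrating access pattern.
    """

    def __init__(self, window=8, radius=1):
        self.window, self.radius = window, radius
        self._recent = OrderedDict()

    def record(self, block):
        self._recent.pop(block, None)         # move to most-recent position
        self._recent[block] = True
        while len(self._recent) > self.window:
            self._recent.popitem(last=False)  # evict least recently used

    def candidates(self, nblocks):
        out = set()
        for b in self._recent:
            for d in range(-self.radius, self.radius + 1):
                if 0 <= b + d < nblocks:
                    out.add(b + d)
        return sorted(out)


class DeltaImage:
    """Read-only seed image plus an ordered list of (offset, bytes) deltas."""

    def __init__(self, seed):
        self.seed = bytes(seed)
        self.deltas = []

    def write(self, off, data):
        if not (0 <= off and off + len(data) <= len(self.seed)):
            raise ValueError("write outside image")
        self.deltas.append((off, bytes(data)))

    def read_byte(self, off):
        for d_off, d in reversed(self.deltas):  # newest delta wins
            if d_off <= off < d_off + len(d):
                return d[off - d_off]
        return self.seed[off]

    def materialize(self, apply=None):
        """Full image with all deltas, or only the delta indices in `apply`
        (a partially updated image mixing old and new metadata versions)."""
        img = bytearray(self.seed)
        idx = range(len(self.deltas)) if apply is None else apply
        for i in idx:
            off, d = self.deltas[i]
            img[off:off + len(d)] = d
        return bytes(img)

    def snapshot(self):
        return list(self.deltas)  # cost is the changes, not the whole image

    def restore(self, snap):
        self.deltas = list(snap)

    def delta_bytes(self):
        return sum(len(d) for _, d in self.deltas)


def flip_bits(img, tracker, rng, nflips=1):
    """Flip `nflips` random bits, each inside a block the tracker predicts
    will be referenced soon; returns the byte offsets touched."""
    nblocks = len(img.seed) // BLOCK
    cands = tracker.candidates(nblocks)
    if not cands:
        raise RuntimeError("no access history; record() some blocks first")
    touched = []
    for _ in range(nflips):
        off = rng.choice(cands) * BLOCK + rng.randrange(BLOCK)
        img.write(off, bytes([img.read_byte(off) ^ (1 << rng.randrange(8))]))
        touched.append(off)
    return touched


def demo(nblocks=1024, window=8, radius=1, seed=1):
    """Constructed workload: operations touch a small, drifting set of
    blocks; report how much of the image the tracker keeps in play."""
    rng = random.Random(seed)
    tracker = LocalityTracker(window, radius)
    img = DeltaImage(bytes(nblocks * BLOCK))
    for blk in [2, 3, 3, 40, 41, 2, 41, 500, 501, 502]:  # constructed trace
        tracker.record(blk)
    touched = flip_bits(img, tracker, rng, nflips=4)
    cands = tracker.candidates(nblocks)
    return {
        "candidates": cands,
        "fuzz_area": len(cands) / nblocks,
        "touched_in_candidates": all(o // BLOCK in cands for o in touched),
        "delta_bytes": img.delta_bytes(),
        "image_bytes": len(img.seed),
    }


if __name__ == "__main__":
    print(demo())
```

With the constructed trace, seven distinct blocks are in the window and their neighbors bring the candidate set to 13 of 1024 blocks, so every flip lands on a location the workload actually references; the four flips cost four bytes of delta state against a 4 MiB image. A real harness would feed `record()` from block-layer tracing of the mounted image rather than a hard-coded list.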
References
Aota, N., Kono, K.: File systems are hard to test—learning from XFStests. IEICE Trans. Inf. Syst. 102(2), 269–279 (2019)
Corina, J., et al.: DIFUZE: interface aware fuzzing for kernel drivers. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS) (2017)
Federal Communications Commission: What is ‘Juice Jacking’ and Tips to Avoid It, Federal Communications Commission (2023)
Jeong, D.R., Kim, K., Shivakumar, B., Lee, B., Shin, I.: Razzer: finding kernel race bugs through fuzzing. In: Proceedings of the 2019 IEEE Symposium on Security and Privacy (2019)
Jeon, Y., Han, W., Burow, N., Payer, M.: FuZZan: efficient sanitizer metadata design for fuzzing. In: Proceedings of the 2020 USENIX Annual Technical Conference (ATC) (2020)
Kim, K., Jeong, D.R., Kim, C.H., Jang, Y., Shin, I., Lee, B.: HFL: hybrid fuzzing on the Linux kernel. In: Proceedings of the 2020 Network and Distributed System Security Symposium (NDSS) (2020)
Langner, R.: Stuxnet: dissecting a cyberwarfare weapon. In: Proceedings of the 32nd IEEE Symposium on Security and Privacy (2011)
Lattner, C., Adve, V.: LLVM: A compilation framework for lifelong program analysis & transformation. In: Proceedings of 2004 International Symposium on Code Generation and Optimization (CGO) (2004)
Lee, C., Sim, D., Hwang, J.Y., Cho, S.: F2FS: a new file system for flash storage. In: Proceedings of the 13th USENIX Conference on File and Storage Technologies (FAST) (2015)
https://lore.kernel.org/all/20220704142721.157985-1-lczerner@redhat.com/
Luk, C.K., et al.: Pin: building customized program analysis tools with dynamic instrumentation. ACM SIGPLAN Notices 40(6), 190–200 (2005)
Mathur, A., Cao, M., Bhattacharya, S., Dilger, A., Tomas, A., Vivier, L.: The new ext4 filesystem: current status and future plans. In: Proceedings of the Linux Symposium (2007)
MITRE Corporation: CVE-2009-1235 (2009)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44879
Mohan, J., Martinez, A., Ponnapalli, S., Raju, P., Chidambaram, V.: CrashMonkey and ACE: systematically testing file-system crash consistency. ACM Trans. Storage 15(2), 1–34 (2019). https://doi.org/10.1145/3320275
Nethercote, N., Seward, J.: Valgrind: a framework for heavyweight dynamic binary instrumentation. ACM SIGPLAN Notices 42(6), 89–100 (2007)
Nossum, V., Casasnovas, Q.: Filesystem fuzzing with american fuzzy lop. In: Proceedings of Vault Linux Storage and Filesystems Conference (2016)
Pailoor, S., Aday, A., Jana, S.: MoonShine: optimizing OS fuzzer seed selection with trace distillation. In: Proceedings of the 27th USENIX Security Symposium (2018)
Peng, H., Payer, M.: USBFuzz: a framework for fuzzing USB drivers by device emulation. In: Proceedings of the 29th USENIX Security Symposium (2020)
Purdila, O., Grijincu, L.A., Tapus, N.: LKL: the Linux kernel library. In: Proceedings of the 9th RoEduNet IEEE International Conference (2010)
Rodeh, O., Bacik, J., Mason, C.: BTRFS: the Linux B-tree filesystem. ACM Trans. Storage 9(3), 1–32 (2013)
Schumilo, S., Aschermann, C., Gawlik, R., Schinzel, S., Holz, T.: kAFL: hardware-assisted feedback fuzzing for OS kernels. In: Proceedings of the 26th USENIX Security Symposium (2017)
SGI, OSDL and Bull: Linux Test Project (2023). https://github.com/linux-test-project/ltp
Song, D., et al.: PeriScope: an effective probing and fuzzing framework for the hardware-OS boundary. In: Proceedings of the 26th Annual Network and Distributed System Security Symposium (NDSS) (2019)
syzbot: Google (2023). https://Syzkaller.appspot.com/upstream
Syzkaller: Google (2023). https://github.com/google/Syzkaller
Syzkaller: Syscall descriptions (2022). https://github.com/google/Syzkaller/blob/master/docs/syscall_descriptions.md
Wang, D., Zhang, Z., Zhang, H., Qian, Z., Krishnamurthy, S.V., Abu-Ghazaleh, N.: Beating kernel fuzzing odds with reinforcement learning. In: Proceedings of the 30th USENIX Security Symposium (2021)
Wen, C., et al.: MemLock: memory usage guided fuzzing. In: Proceedings of the 42nd International Conference on Software Engineering (2020)
Xu, W., Moon, H., Kashyap, S., Tseng, P.N., Kim, T.: Fuzzing file systems via two-dimensional input space exploration. In: Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP) (2019)
Xu, M., Kashyap, S., Zhao, H., Kim, T.: Krace: Data race fuzzing for kernel file systems. In: Proceedings of the 2020 IEEE Symposium on Security and Privacy (SP) (2020)
Zalewski, M.: American Fuzzy Lop (2.52b) (2018). http://lcamtuf.coredump.cx/afl
Zhao, B., et al.: StateFuzz: system call-based state-aware linux driver fuzzing. In: Proceedings of the 31st USENIX Security Symposium (2022)
Acknowledgements
We thank anonymous reviewers for their invaluable feedback. This work is sponsored by the National Science Foundation (DGE-2146354). Opinions, findings, and conclusions or recommendations expressed in this document do not necessarily reflect the views of the NSF, Florida State University, or the U.S. government.
Appendix I: Bugs Detected by LFuzz and JANUS
FS | Bug number | Bug type | Kernel version | Bug location | Status | JANUS | LRU + delta (+ partial updates) | delta (+ partial updates) | no partial updates | LRU
---|---|---|---|---|---|---|---|---|---|---
ext4 | 1 | stack-out-of-bounds | 5.18 | __blk_flush_plug() | Ack'd | X | O | X | O | X
 | 2 | page fault | 5.18 | fs/ext4/namei.c: do_split() | Ack'd | X | O | X | O | X
 | 3 | out-of-bounds read | 4.19 | ext4_search_dir() | patched | X | O | X | O | O
 | 4 | use-after-free | 5.18 | CVE-2022-1184 | patched | X | O | X | O | X
 | 5 | slab-out-of-bounds | 5.18 | fs/ext4/xattr.c: ext4_xattr_set_entry() | reported | X | O | X | O | X
 | 6 | use-after-free | 5.18 | fs/ext4/namei.c: ext4_insert_dentry() | reported | X | O | X | O | X
 | 7 | BUG() | 5.18 | fs/ext4/extents_status.c:202 | reported | O | O | X | O | O
 | 8 | BUG() | 5.18 | fs/ext4/ext4_jbd2.h: ext4_inode_journal_mode() | reported | X | O | X | O | X
 | 9 | BUG() | 5.18 | fs/ext4/extents.c: ext4_ext_determine_hole() | patched | X | O | O | O | X
 | 10 | BUG() | 6.0-rc7 | fs/ext4/ext4.h: ext4_rec_len_to_disk() | reported | X | O | X | O | X
 | 11 | BUG() | 5.19 | fs/ext4/extents.c: ext4_ext_insert_extent() | confirmed | X | O | X | O | X
 | 12 | NULL pointer deref | 6.0-rc7 | fs/ext4/ialloc.c: ext4_read_inode_bitmap() | reported | X | O | X | X | X
 | 13 | NULL pointer deref | 6.0-rc7 | ext4_free_blocks() | reported | X | O | X | X | X
BTRFS | 14 | array out-of-bounds access | 5.16 | fs/btrfs/struct-funcs.c: btrfs_get_16() | reported | O | O | X | O | O
 | 15 | NULL pointer deref | 5.17 | fs/btrfs/ctree.c: btrfs_search_slot() | reported | O | O | X | O | O
 | 16 | general protection fault | 5.16 | fs/btrfs/struct-funcs.c: btrfs_get_32() | patched | O | O | X | O | O
 | 17 | general protection fault | 5.17 | fs/btrfs/tree-checker.c: check_dir_item() | reported | O | O | X | O | O
 | 18 | general protection fault | 5.17 | fs/btrfs/print-tree.c: btrfs_print_leaf() | reported | O | O | X | O | O
 | 19 | general protection fault | 5.17 | fs/btrfs/tree-log.c: btrfs_check_ref_name_override() | reported | O | O | X | O | O
 | 20 | general protection fault | 5.18 | fs/btrfs/file-item.c: btrfs_csum_file_blocks() | reported | O | O | X | O | O
 | 21 | general protection fault | 5.15.57 | fs/btrfs/volumes.c: btrfs_get_io_geometry() | reported | X | O | X | X | X
 | 22 | general protection fault | 5.15.57 | fs/btrfs/lzo.c: lzo_decompress_bio() | reported | X | O | X | X | X
 | 23 | BUG() | 5.19 | fs/btrfs/inode.c: btrfs_finish_ordered_io() | reported | O | O | X | O | O
 | 24 | BUG() | 5.18 | fs/btrfs/extent_io.c: extent_io_tree_panic() | reported | X | O | X | X | X
 | 25 | BUG() | 5.15.57 | fs/btrfs/extent-tree.c: update_inline_extent_backref() | reported | X | O | X | X | X
 | 26 | BUG() | 5.15.57 | fs/btrfs/root-tree.c: btrfs_del_root() | reported | X | O | X | X | X
 | 27 | BUG() | 5.18 | fs/btrfs/delayed-ref.c: update_existing_head_ref() | reported | X | O | X | X | X
fs (VFS) | 28 | BUG() | | fs/inode.c:611 | reported | O | O | X | O | O
F2FS | 29 | NULL pointer deref | 5.15 | CVE-2021-44879 | patched | X | O | X | O | O
 | 30 | use-after-free | 5.15 | CVE-2021-45469 | patched | O | O | X | O | O
 | 31 | array-index-out-of-bounds | 5.17-rc6 | fs/f2fs/segment.c:3460 | patched | O | O | X | O | O
 | 32 | NULL pointer deref | 5.17 | fs/f2fs/dir.c: f2fs_add_regular_entry() | patched | O | O | X | O | O
 | 33 | use-after-free | 5.19 | fs/f2fs/segment.c: f2fs_update_meta_page() | patched | O | O | X | O | O
 | 34 | use-after-free | 5.19 | fs/f2fs/recovery.c: check_index_in_prev_nodes() | patched | X | O | X | X | X
 | 35 | slab-out-of-bounds | 5.15 to 6.0 | fs/f2fs/segment.c: reset_curseg() | reported | X | O | X | X | X

O marks a configuration that detected the bug and X one that did not. The last four columns are LFuzz variants with the named technique(s) enabled; "LRU + delta (+ partial updates)" is the full LFuzz configuration. Bug 28 is in generic VFS code rather than a specific file system, and the kernel version for it is not given.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Liu, W., Wang, A.I.A. (2024). LFuzz: Exploiting Locality-Enabled Techniques for File-System Fuzzing. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14345. Springer, Cham. https://doi.org/10.1007/978-3-031-51476-0_25
DOI: https://doi.org/10.1007/978-3-031-51476-0_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-51475-3
Online ISBN: 978-3-031-51476-0