DOI: 10.1145/3133956.3134103 (ACM CCS conference proceedings, research article)

IMF: Inferred Model-based Fuzzer

Published: 30 October 2017

ABSTRACT

Kernel vulnerabilities are critical in security because they naturally allow unprivileged attackers to gain root access. Although there has been much research on finding kernel vulnerabilities from source code, there has been relatively little research on kernel fuzzing, a practical bug-finding technique that does not require any source code. Existing kernel fuzzing techniques feed random input values to kernel API functions. However, such a simple approach does not reveal latent bugs deep in the kernel code, because many API functions depend on each other and quickly reject arbitrary parameter values based on their calling context. In this paper, we propose a novel fuzzing technique for commodity OS kernels that leverages an inferred dependence model between API function calls to discover deep kernel bugs. We implement our technique in a fuzzing system called IMF. At the time of this writing, IMF has already found 32 previously unknown kernel vulnerabilities on the latest macOS version, 10.12.3 (16D32).
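As an added illustration, not code from the paper or the IMF system, the following Python sketches the core idea in the abstract: infer from a logged trace which arguments of later API calls depend on the return values of earlier ones, then replay that model while mutating only the free arguments so the calling context stays valid. The trace, the API names and the TRIVIAL heuristic are constructed assumptions.

```python
import itertools

# Constructed call trace: (api_name, args, return_value). Names and values are
# hypothetical stand-ins for logged kernel API calls, not taken from the paper.
TRACE = [
    ("open_service", ["GfxDriver"], 0x1001),
    ("open_connection", [0x1001, 0], 0x2002),
    ("call_method", [0x2002, 4, 64], 0),
    ("close_connection", [0x2002], 0),
]
# Assumption: status-like values never count as flowing handles, otherwise every
# 0 argument would look dependent on every earlier call that returned 0.
TRIVIAL = {0, 1, -1}

def infer_model(trace):
    """Each argument slot becomes ("dep", j) if it equals the return value of
    the nearest earlier call j (so it must be fed from that call's live output),
    or ("const", v), a free value the fuzzer may mutate."""
    model = []
    for i, (name, args, _ret) in enumerate(trace):
        slots = []
        for a in args:
            producers = [j for j in range(i - 1, -1, -1)
                         if a not in TRIVIAL and trace[j][2] == a]
            slots.append(("dep", producers[0]) if producers else ("const", a))
        model.append((name, slots))
    return model

def instantiate(model, execute, mutate=lambda v: v):
    """Replay the model through execute(name, args): dependent slots get the
    return value produced in this run, so the calling context stays valid;
    constant slots pass through mutate(). Returns (calls_made, returns)."""
    calls, results = [], []
    for name, slots in model:
        args = [results[v] if kind == "dep" else mutate(v) for kind, v in slots]
        calls.append((name, args))
        results.append(execute(name, args))
    return calls, results

_handles = itertools.count(0x3000)

def fake_execute(name, args):
    """Stand-in for the real API: open-style calls hand out a fresh handle."""
    return next(_handles) if name.startswith("open") else 0

if __name__ == "__main__":
    bump = lambda v: v + 1 if isinstance(v, int) else v  # toy mutator
    for call in instantiate(infer_model(TRACE), fake_execute, bump)[0]:
        print(call)
```

Dependent arguments are always filled from the handle the earlier call actually returned in that run, while only the constant slots (here 4 and 64) are exposed to mutation.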

Supplemental Material

hyungseokhan-imfinferred.mp4


Published in: CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, October 2017, 2682 pages. ISBN 9781450349468, DOI 10.1145/3133956.


Publisher: Association for Computing Machinery, New York, NY, United States.
