ABSTRACT
Kernel vulnerabilities are critical in security because they naturally allow an unprivileged attacker to gain root access. Although there has been much research on finding kernel vulnerabilities from source code, there is relatively little research on kernel fuzzing, a practical bug-finding technique that does not require any source code. Existing kernel fuzzing techniques involve feeding random input values to kernel API functions. However, such a simple approach does not reveal latent bugs deep in the kernel code, because many API functions depend on each other and can quickly reject arbitrary parameter values based on their calling context. In this paper, we propose a novel fuzzing technique for commodity OS kernels that leverages an inferred dependence model between API function calls to discover deep kernel bugs. We implement our technique in a fuzzing system called IMF. IMF has already found 32 previously unknown kernel vulnerabilities on the latest macOS version 10.12.3 (16D32) at the time of this writing.
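As an added illustration of the dependence-inference idea sketched in the abstract (this is example code written for this page, not the paper's IMF implementation): an API call log is scanned for arguments that equal the return value of an earlier call, those slots are linked to their producer, and fuzzed sequences are then generated that mutate only the unlinked arguments so the chained handles remain valid. The API names, argument values and the simulated handles are constructed and hypothetical.

```python
import random
from dataclasses import dataclass
from typing import Optional

# Constructed call log: (function name, argument tuple, return value).
# Names and values are hypothetical, loosely modelled on an IOKit-style
# open -> connect -> call -> close sequence; not taken from the paper.
CALL_LOG = [
    ("open_service", ("ExampleDriver",), 0x1003),
    ("open_connection", (0x1003, 0), 0x2007),
    ("call_method", (0x2007, 4, 64), 0),
    ("call_method", (0x2007, 5, 128), 0),
    ("close_connection", (0x2007,), 0),
]

@dataclass
class Slot:
    value: object
    dep: Optional[int] = None  # index of the earlier call whose return feeds this slot

@dataclass
class Call:
    name: str
    slots: list

def infer_model(log):
    """Link each argument equal to an earlier call's return value to that producer."""
    model = []
    for i, (name, args, _ret) in enumerate(log):
        slots = []
        for a in args:
            dep = None
            # Prefer the most recent producer; ignore 0/None, which usually mean "success".
            for j in range(i - 1, -1, -1):
                if a not in (0, None) and log[j][2] == a:
                    dep = j
                    break
            slots.append(Slot(a, dep))
        model.append(Call(name, slots))
    return model

def generate(model, seed):
    """Produce one fuzzed call sequence that preserves the inferred dependencies."""
    rng = random.Random(seed)
    returns, seq = {}, []
    for i, call in enumerate(model):
        args = []
        for s in call.slots:
            if s.dep is not None:
                args.append(returns[s.dep])  # reuse the handle the earlier call produced
            elif isinstance(s.value, int):
                args.append(rng.choice([s.value, 0, 0xFFFFFFFF, rng.randrange(1 << 32)]))
            else:
                args.append(s.value)  # non-integer constants are kept as-is here
        returns[i] = 0x3000 + i  # a real fuzzer would execute the call; simulate a fresh handle
        seq.append((call.name, tuple(args)))
    return seq
```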
IMF: Inferred Model-based Fuzzer