kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels

Sergej Schumilo, Cornelius Aschermann, Robert Gawlik, Sebastian Schinzel, Thorsten Holz

26th USENIX Security Symposium, Vancouver, Canada, August 2017

Many kinds of memory safety vulnerabilities have been endangering software systems for decades. Amongst other approaches, fuzzing is a promising technique to unveil various software faults. Recently, feedback-guided fuzzing demonstrated its power, producing a steady stream of security-critical software bugs. Most fuzzing efforts—especially feedback fuzzing—are limited to user space components of an operating system (OS), although bugs in kernel components are more severe, because they allow an attacker to gain access to a system with full privileges. Unfortunately, kernel components are difficult to fuzz as feedback mechanisms (i.e., guided code coverage) cannot be easily applied. Additionally, non-determinism due to interrupts, kernel threads, statefulness, and similar mechanisms poses problems. Furthermore, if a process fuzzes its own kernel, a kernel crash highly impacts the performance of the fuzzer as the OS needs to reboot. In this paper, we approach the problem of coverage-guided kernel fuzzing in an OS-independent and hardware-assisted way: We utilize a hypervisor and Intel’s Processor Trace (PT) technology. This allows us to remain independent of the target OS as we just require a small user space component that interacts with the targeted OS. As a result, our approach introduces almost no performance overhead, even in cases where the OS crashes, and performs up to 17,000 executions per second on an off-the-shelf laptop. We developed a framework called kernel-AFL (kAFL) to assess the security of Linux, macOS, and Windows kernel components. Among many crashes, we uncovered several flaws in the ext4 driver for Linux, the HFS and APFS file system of macOS, and the NTFS driver of Windows.
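As an added illustration (not code from the kAFL project or the paper), the following Python models the coverage-feedback decision the abstract describes: the sequence of basic blocks a PT decoder would reconstruct from the hardware trace is folded into an AFL-style edge bitmap, and an input is kept only when it lights up edges never seen before. The block addresses, the toy `block_id` hash and the bitmap size are assumptions chosen for the demo.

```python
# Added example: a simplified model of the coverage feedback that kAFL derives
# from Intel PT. Not kAFL's code. The "trace" is a constructed list of
# basic-block start addresses standing in for what a PT decoder would
# reconstruct; the edge scheme mirrors AFL's (hash previous and current
# block into a fixed-size bitmap, shifting the previous id so that A->B and
# B->A land on different indices).
BITMAP_SIZE = 1 << 16  # AFL-style 64 KiB edge bitmap (assumption)


def block_id(addr):
    """Toy stand-in for a block hash: drop the low nibble, mask to bitmap."""
    return (addr >> 4) & (BITMAP_SIZE - 1)


def edges_from_trace(trace):
    """Set of bitmap indices an AFL-style edge bitmap would mark for one run."""
    hit = set()
    prev = 0
    for addr in trace:
        cur = block_id(addr)
        hit.add((cur ^ prev) & (BITMAP_SIZE - 1))
        prev = cur >> 1  # asymmetric so direction of the edge matters
    return hit


class CoverageFeedback:
    """Global coverage state used to decide whether an input is interesting."""

    def __init__(self):
        self.seen = set()

    def process(self, trace):
        """Return how many never-before-seen edges this trace produced;
        a positive result means the fuzzer should keep the input."""
        new = edges_from_trace(trace) - self.seen
        self.seen |= new
        return len(new)


# Constructed traces: made-up addresses, not real kernel code locations.
TRACE_A = [0x1000, 0x1010, 0x1040, 0x1080]          # common path
TRACE_B = [0x1000, 0x1010, 0x1040, 0x1080]          # same path again
TRACE_C = [0x1000, 0x1010, 0x1020, 0x1040, 0x1080]  # takes one extra branch


def run_demo():
    fb = CoverageFeedback()
    return [fb.process(t) for t in (TRACE_A, TRACE_B, TRACE_C)]  # [4, 0, 2]


if __name__ == "__main__":
    print(run_demo())
```

The second, identical trace contributes nothing, while the third is kept because the detour through 0x1020 creates two edges the bitmap has not seen.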


