Related Works
Tools
iofuzz
ioattack
ioctlbf
ioctlfuzzer
Papers
Abstract
[์ฐ๊ตฌ ๋ฐฐ๊ฒฝ] External vendors develop a significant percentage of Windows kernel drivers, and Microsoft relies on these vendors to handle all aspects of driver security. Unfortunately, device vendors are not immune to software bugs, which in some cases can be exploited to gain elevated privileges. Testing the security of kernel drivers remains challenging: the lack of source code, the requirement of the presence of a physical device, and the need for a functional kernel execution environment are all factors that can prevent thorough security analysis. As a result, there are no binary analysis tools that can scale and accurately find bugs at the Windows kernel level.
[์ฐ๊ตฌ ๋ด์ฉ] To address these challenges, we introduce POPKORN, a lightweight framework that harnesses the power of taint analysis and targeted symbolic execution to automatically find security bugs in Windows kernel drivers at scale. Our system focuses on a class of bugs that affect security-critical Windows API functions used in privilege-escalation exploits. POPKORN analyzes drivers independently of both the kernel and the device, avoiding the complexity of performing a full-system analysis.
[์ธก์ ] We evaluate our system on a diverse dataset of 212 unique signed Windows kernel drivers. When run against these drivers, POPKORN reported 38 high impact bugs in 27 unique drivers, with manual verification revealing no false positives. Among the bugs we found, 31 were previously unknown vulnerabilities that potentially allow for Elevation of Privilege (EoP). During this research, we have received two CVEs and six acknowledgments from different driver vendors, and we continue to work with vendors to fix the issues that we identified.
DIFUZE: Interface Aware Fuzzing for Kernel Drivers
ACM - CCS2017AndroidCorina, Jake and Machiry, Aravind and Salls, Christopher and Shoshitaishvili, Yan and Hao, Shuang and Kruegel, Christopher and Vigna, Giovanni (UC Santa Barbara)
Abstract
[๋๋ฐ์ด์ค ๋๋ผ์ด๋ฒ๋?] Device drivers are an essential part in modern Unix-like systems to handle operations on physical devices, from hard disks and printers to digital cameras and Bluetooth speakers.
[๋ชจ๋ฐ์ผ ๊ธฐ๊ธฐ์ ๋๋ผ์ด๋ฒ] The surge of new hardware, particularly on mobile devices, introduces an explosive growth of device drivers in system kernels. Many such drivers are provided by third-party developers, which are susceptible to security vulnerabilities and lack proper vetting.
[์ฐ๊ตฌํ์์ฑ] Unfortunately, the complex input data structures for device drivers render traditional analysis tools, such as fuzz testing, less effective, and so far, research on kernel driver security is comparatively sparse.
[๋ณธ ์ฐ๊ตฌ๋โฆ1 ๊ตฌ์กฐ์ธ์ ํผ์ง] In this paper, we present DIFUZE, an interface-aware fuzzing tool to automatically generate valid inputs and trigger the execution of the kernel drivers. We leverage static analysis to compose correctly-structured input in the userspace to explore kernel drivers.
[๋ณธ ์ฐ๊ตฌ๋โฆ2 ์๋ํ] DIFUZE is fully automatic, ranging from identifying driver handlers, to mapping to device file names, to constructing complex argument instances.
[ํ๊ฐ] We evaluate our approach on seven modern Android smartphones. The results show that DIFUZE can effectively identify kernel driver bugs, and reports 32 previously unknown vulnerabilities, including flaws that lead to arbitrary code execution.
Abstract
[๋๋ผ์ด๋ฒ ๋ณด์์ด ์ค์ํ ์ด์ ] Operating system code interacting with the devices attached to our computers, device drivers, are often provided by their respective vendors. As they may run with kernel privileges, this effectively means that kernel code is written by third parties. Some of these may not live up to the high security standards the core kernel code abides by. A single bug in a driver can harm the complete operating systemโs integrity, just as if the bug was in the kernel itself. Attackers can exploit these bugs to escape sandboxes and to gain system privileges.
[์๋ ๋ณด์ ํ ์คํ ์ด ์ด๋ ค์ด ์ด์ ] Automated security testing of device drivers is hard. It depends on the attached device, and the driver code is not freely available. Dependency on a physical device increases the complexity even further.
[์ฐ๋ฆฌ๊ฐ ์ ์ํ๋ ๊ฒ] To alleviate these issues, we present BSOD, a fuzzing framework for high-complexity device drivers, based on KVM-VMI. BSOD retargets the well-known and battle-proven fuzzers, Syzkaller and AFL-2++, for binary-only drivers.
[Evaluation] We do not depend on vendor-specific CPU features and exceed 10k execs/sec on COTS hardware for coverage-guided kernel fuzzing. For evaluation, we focus on the highly complex closed-source drivers of a major graphics-card vendor for multiple operating systems.
[๋ฐฉ๋ฒ๋ก ] To overcome the strict hardware dependency of device driver fuzzing, making scaling impractical, we implement BSOD-fakedev, a virtual record & replay device, able to load a full graphics card driver without a physical device attached. It allows to scale fuzz campaigns to a large number of machines without the need for additional hardware.
[๊ฒฐ๋ก ] BSOD was able to uncover numerous bugs in graphics card drivers on Windows, Linux, and FreeBSD.
USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation
USENIX2020LinuxFreeBSDMacOSWindows
Abstract
[USB์ Device Driver ๋ณด์] The Universal Serial Bus (USB) connects external devices to a host. This interface exposes the OS kernels and device drivers to attacks by malicious devices. Unfortunately, kernels and drivers were developed under a security model that implicitly trusts connected devices. Drivers expect faulty hardware but not malicious attacks.
[Fuzzing์ด ์ด๋ ค์ด ์ด์ ] Similarly, security testing drivers is challenging as input must cross the hardware/software barrier. Fuzzing, the most widely used bug finding technique, relies on providing random data to programs. However, fuzzing device drivers is challenging due to the difficulty in crossing the hardware/software barrier and providing random device data to the driver under test.
[์ฐ๋ฆฌ๊ฐ ์ ์ํ๋ ๊ฒ] We present USBFuzz, a portable, flexible, and modular framework for fuzz testing USB drivers. At its core, USBFuzz uses a software-emulated USB device to provide random device data to drivers (when they perform IO operations). As the emulated USB device works at the device level, porting it to other platforms is straight-forward.
[์ ์ 3๊ฐ์ง] Using the USBFuzz framework, we apply (i) coverage-guided fuzzing to a broad range of USB drivers in the Linux kernel; (ii) dumb fuzzing in FreeBSD, MacOS, and Windows through cross pollination seeded by the Linux inputs; and (iii) focused fuzzing of a USB webcam driver.
[์ฑ๊ณผ] USBFuzz discovered a total of 26 new bugs, including 16 memory bugs of high security impact in various Linux subsystems (USB core, USB sound, and network), one bug in FreeBSD, three in MacOS (two resulting in an unplanned reboot and one freezing the system), and four in Windows 8 and Windows 10 (resulting in Blue Screens of Death), and one bug in the Linux USB host controller driver and another one in a USB camera driver. From the Linux bugs, we have fixed and upstreamed 11 bugs and received 10 CVEs.
SymDrive: Testing Drivers without Devices
USENIX2012LinuxFreeBSD
Abstract
[๋๋ฐ์ด์ค ๋๋ผ์ด๋ฒ ๋ณด์์ด ์ด๋ ค์ด ์ด์ _์ฐ๊ตฌํ์์ฑ] Device-driver development and testing is a complex and error-prone undertaking. For example, testing errorhandling code requires simulating faulty inputs from the device. A single driver may support dozens of devices, and a developer may not have access to any of them. Consequently, many Linux driver patches include the comment โcompile tested only.โ
[์ ์ํ๋ ๊ฒ] SymDrive is a system for testing Linux and FreeBSD drivers without their devices present. The system uses symbolic execution to remove the need for hardware, and extends past tools with three new features.
First, SymDrive uses static-analysis and source-to-source transformation to greatly reduce the effort of testing a new driver
Second, SymDrive checkers are ordinary C code and execute in the kernel, where they have full access to kernel and driver state.
Finally, SymDrive provides an executiontracing tool to identify how a patch changes I/O to the device and to compare device-driver implementations.
[์ฑ๊ณผ] In applying SymDrive to 21 Linux drivers and 5 FreeBSD drivers, we found 39 bugs.
Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints
USENIX2020Linux
Abstract
[์ฐ๊ตฌ๋์ ์ค์์ฑ] Kernel-mode drivers are challenging to analyze for vulnerabilities, yet play a critical role in maintaining the security of OS kernels. Their wide attack surface, exposed via both the system call interface and the peripheral interface, is often found to be the most direct attack vector to compromise an OS kernel.
[์ฐ๊ตฌ๋ฐฐ๊ฒฝ] Researchers therefore have proposed many fuzzing techniques to find vulnerabilities in kernel drivers. However, the performance of kernel fuzzers is still lacking, for reasons such as prolonged execution of kernel code, interference between test inputs, and kernel crashes.
[์ฐ๊ตฌ์ฃผ์ ] This paper proposes lightweight virtual machine checkpointing as a new primitive that enables high-throughput kernel driver fuzzing. Our key insight is that kernel driver fuzzers frequently execute similar test cases in a row, and that their performance can be improved by dynamically creating multiple checkpoints while executing test cases and skipping parts of test cases using the created checkpoints. We built a system, dubbed Agamotto, around the virtual machine checkpointing primitive and evaluated it by fuzzing the peripheral attack surface of USB and PCI drivers in Linux.
[์ฐ๊ตฌ์ฑ๊ณผ] The results are convincing. Agamotto improved the performance of the state-of-the-art kernel fuzzer, Syzkaller, by 66.6% on average in fuzzing 8 USB drivers, and an AFL-based PCI fuzzer by 21.6% in fuzzing 4 PCI drivers, without modifying their underlying input generation algorithm.
DEVFUZZ: Automatic Device Model-Guided Device Driver Fuzzing
IEEE S&P2023WindowsLinux
Abstract
[์ฐ๊ตฌ ํ์์ฑ] The security of device drivers is critical for the entire operating system's reliability. Yet, it remains very challenging to validate if a device driver can properly handle potentially malicious input from a hardware device.
[์ ํ์ฐ๊ตฌ ํ๊ณ] Unfortunately, symbolic execution based solutions often do not scale, while fuzzing solutions require real devices or manual device models, leaving many device drivers under-tested and insecure.
[๋ณธ ์ฐ๊ตฌ] This paper presents DEVFUZZ, a new model-guided device driver fuzzing framework obviating the need for a physical device. DEVFUZZ uses symbolic execution to automatically generate the probe model that can guide a fuzzer to properly initialize a device driver under test. DEVFUZZ also leverages both static and dynamic program analyses to construct MMIO, PIO, and DMA device models to further improve the effectiveness of fuzzing.
[ํ๊ฐ] DEVFUZZ successfully tested 191 device drivers of various bus types (PCI, USB, RadpiIO, I2C) from different operating systems (Linux, FreeBSD, and Windows) and detected 72 bugs, 41 of which have been patched and merged into the mainstream.
SyzGen: Automated Generation of Syscall Specification of Closed-Source macOS Drivers
CCS 2021macOS
DR Fuzz: Semantic-Informed Driver Fuzzing Without Both the Hardware Devices and the Emulators
ICSE 2022Linux
Last updated