Kernel Vulnerability Discovery Techniques
Zhang Chao, Tsinghua University
10th Open Source Operating System Annual Technical Conference (OS2ATC)
Institute for Network Sciences and Cyberspace (INSC)

Kernel vulnerability statistics (source: CVE Details)

Bugs found by Syzbot (Syzkaller) as of Mar 24, 2023 (first commit on Aug 17, 2017)

Fuzzing
- Generate or mutate test cases, run them, check the result, repeat.
- Problem/challenge: the input space is infinite and the set of bug-triggering inputs is finite. How do we search it efficiently?
- Fuzzing loop (figure): a monitor watches the target while it runs the generated inputs.
Fuzzing loop (figure): a generator/mutator produces inputs, the target program runs them, and the monitor reports whether a security violation occurred; violations are the bugs. How? Two levers recur throughout this talk: test case generation/selection and test case filtering.

Representative kernel fuzzing approach: kAFL
- Fuzzer vs. kernel: fuzzer in host user space; kernel in the guest
- Test case mutation: AFL-based
- Coverage collection: Intel PT (hardware assisted)
- Bug detection: N/A
- Other features: supports closed-source kernels

Representative kernel fuzzing approach: Syzkaller
- Fuzzer vs. kernel: fuzzer in guest VM user space; kernel in the guest VM
- Test case mutation: syscall formats described in Syzlang
- Coverage collection: kcov (source-level, compile-time instrumentation)
- Bug detection: KASAN (source-level, compile-time instrumentation), KTSan, KMSan, KUBSan
- Other features: remote management, web UI, parallelization

(1) How to improve? "... Android Native System Services via Automated Interface Analysis", USENIX Security 2020
Problem: Android system services
- C1. Multi-level interface recognition: collect all top-level interfaces, then identify multi-level interfaces
- C2. Interface model extraction: collect all possible transactions of each interface; extract the input and output variables of each transaction
- C3. Semantically correct input generation: variable name and variable type, variable dependency, interface dependency

Design
- Features of an interface: services (interfaces) use the onTransact method to dispatch transactions, usually implemented as a switch statement in which each case corresponds to one transaction
- Services use special methods (e.g., readInt32, writeInt32) to handle I/O variables; extract the I/O variables (patterns, name, type) by analyzing such methods
- Interface dependency: generation dependency via writeStrongBinder(); use dependency via readStrongBinder()
- Variable dependency: intra-transaction dependency (e.g., conditional dependency); inter-transaction dependency (matching types and similar names)

Evaluation
- 43 top-level interfaces, 25 multi-level interfaces; most interfaces are written manually
- (figure: interfaces vs. transactions; figure: dependencies)
- Vulnerabilities: 20 confirmed by Google (with bounties), plus 138 Java exceptions

(2) How to improve? "... Linux Drivers via Automated Virtual Device Simulation", ISSTA 2022
Problem: drivers are unreliable and underexplored
- Distribution of bugs in the Android kernel [1]
- Distribution of code in drivers [2]
- Driver code is large and bug-dense, but fuzzing struggles to test it: drivers depend on peripherals, and the test environment lacks most of the hardware.

[1] https://events.static.linuxfound.org/sites/events/files/slides/Android-%20protecting%20the%20kernel.pdf
[2] Asim Kadav and Michael M. Swift. 2012. Understanding modern device drivers. ACM SIGPLAN Notices 47, 4 (2012), 87-98.

Threat model (figure: user space / kernel space / peripheral)
- User space: fd = open("/dev/xx"); ioctl(fd, cmd, arg);
- Kernel space: the device driver receives user data as system call arguments and through copy_from_user()
- Peripheral: reaches the driver through MMIO, DMA (via the DMA controller) and interrupts (via the APIC)
- Data flow: the arguments of the system call; MMIO and DMA from the peripheral
- Control flow: the system call; interrupts from the peripheral
- Can peripherals be simulated automatically? The fuzzer plays the attacker and injects test data along every one of these dimensions.

Workflow (figure)
- Preparation: information collection, config enabling, kernel compiling, coverage and fault instrumentation (Linux source code → bzImage)
- Virtual device modeling: IR generation, automated device generation (from device info)
- Coordinated multi-dimension fuzzing: device functionality simulation, fuzzing with system call templates → bug report
- In short: extract peripheral knowledge from driver code; simulate peripherals automatically (E); inject multi-dimensional test data through MMIO, DMA and PIO; inject hardware interrupts (I) and hardware errors.

Evaluation: code coverage (ablation; D: default device, E: extra devices, I: interrupts)
- (bar chart: covered basic blocks for D, D+I, D+E, D+E+I)
- Code coverage improves by 120%.

Evaluation: number of bugs (ablation; same groups, plus VIA for comparison)
- (bar chart: number of bugs found for D, D+I, D+E, D+E+I, VIA)
- 112 bugs found in PCI drivers (all drivers: 180 bugs, 88 patches).

(3) How to improve? "... Call-Based State-Aware Linux Driver Fuzzing", USENIX Security 2022
Code coverage: limitation
- Example: maze game. Most of the code can be explored easily; what matters is the state (the x, y values in the maze).
- Another example: DNN testing. Most of the (Python) code can be explored easily; what matters is the state (the output of each neuron, activated or not).

StateFuzz: implementation
- States span multiple user actions (e.g., syscalls) and are usually stored in state variables.
- Step 1: Analyze drivers with static analysis and symbolic execution to recognize user actions, identify state variables (variables accessed by two actions), and infer the value ranges of the state variables.
- Step 2: Instrument the driver to track the values of all state variables, especially the combined values of two related state variables.
- Step 3: Test the driver with 3-dimension feedback-guided fuzzing: save a seed when it explores new code, reaches a new value range of a state variable, or hits an extreme value of a state variable.
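The two driver-fuzzing ideas above, (2) injecting device-supplied data along the MMIO dimension and (3) treating the value ranges of a state variable as feedback, are easiest to see on one toy driver. The following is an added C model written for this page; it is not code from PrIntFuzz or StateFuzz, and the driver, its ioctls, the register layout and the value ranges are constructed for the illustration. The driver has one state variable, `mode`, written by SET_MODE and read by READ_FIFO, and trusts a length it reads from an MMIO register. The virtual device is just a fuzzer-controlled register file; the feedback function classifies `mode` into the ranges its comparisons induce and flags a sequence as worth keeping when it reaches a new range or a new extreme value.

```c
#include <limits.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy driver and virtual device (assumptions, not real kernel code). */
#define REG_LEN   0                        /* MMIO register the driver trusts for a length */
#define FIFO_SIZE 64

struct vdev { uint32_t regs[2]; };         /* virtual device: registers the fuzzer controls */
static uint32_t mmio_read32(const struct vdev *d, int off) { return d->regs[off]; }

struct drv { struct vdev *dev; int mode; uint8_t fifo[FIFO_SIZE]; };

enum { IOCTL_SET_MODE = 1, IOCTL_READ_FIFO = 2 };
enum { E_OK = 0, E_INVAL = -22, E_IO = -5, BUG_OOB = -1000 };

/* `mode` is a state variable in the StateFuzz sense: written by one user
 * action (SET_MODE) and read by another (READ_FIFO). */
static int drv_ioctl(struct drv *d, int cmd, int arg, int hardened)
{
    switch (cmd) {
    case IOCTL_SET_MODE:
        if (arg < 0 || arg > 2) return E_INVAL;
        d->mode = arg;
        return E_OK;
    case IOCTL_READ_FIFO: {
        if (d->mode != 2) return E_INVAL;                /* only reachable after SET_MODE(2) */
        uint32_t len = mmio_read32(d->dev, REG_LEN);     /* device-supplied, hence untrusted */
        if (len > FIFO_SIZE)
            return hardened ? E_IO : BUG_OOB;           /* unhardened: the copy into fifo would overflow */
        memset(d->fifo, 0, len);
        return (int)len;
    }
    }
    return E_INVAL;
}

/* Value ranges of `mode`, derived from the comparisons in drv_ioctl
 * (arg < 0, arg > 2, mode != 2): (-inf,0) [0,2) {2} (2,inf). */
static int mode_range(int v) { return v < 0 ? 0 : v < 2 ? 1 : v == 2 ? 2 : 3; }

static uint8_t seen_range[4];
static int seen_min = INT_MAX, seen_max = INT_MIN;

static void reset_feedback(void)
{
    memset(seen_range, 0, sizeof seen_range);
    seen_min = INT_MAX;
    seen_max = INT_MIN;
}

struct op { int cmd; int arg; };

/* Run an ioctl sequence against a fresh driver instance backed by `dev`.
 * Returns the last ioctl's result. *interesting is set when the sequence
 * drove `mode` into a range or an extreme value no earlier run reached,
 * i.e. when StateFuzz's state dimension would keep the seed. */
static int run_seq(const struct op *ops, int n, struct vdev *dev, int hardened, int *interesting)
{
    struct drv d = { .dev = dev, .mode = 0 };
    int rc = E_OK;
    *interesting = 0;
    for (int i = 0; i < n; i++) {
        rc = drv_ioctl(&d, ops[i].cmd, ops[i].arg, hardened);
        int r = mode_range(d.mode);
        if (!seen_range[r]) { seen_range[r] = 1; *interesting = 1; }
        if (d.mode < seen_min) { seen_min = d.mode; *interesting = 1; }
        if (d.mode > seen_max) { seen_max = d.mode; *interesting = 1; }
    }
    return rc;
}
```

Two things fall out of running it. A sequence that first sets `mode` to 2 is flagged interesting even though READ_FIFO has executed before, because the state dimension, not code coverage, changed; that is the Step 3 criterion. And once the driver is in that state, the overflow only appears when the virtual device reports a length larger than the FIFO, which no amount of syscall-argument mutation can produce: the MMIO dimension has to be fuzzed on its own, which is what (2) adds. The hardened branch shows the fix a reviewer would ask for: never trust a device-reported length against a fixed kernel buffer.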
Evaluation: state variable identification
- Statistics of the identified state variables; each state variable has on average 3 value ranges.
Evaluation: vulnerabilities discovered
- 20 vulnerabilities, tens of thousands of dollars in bounties.

(4) How to improve? "... Concurrency UAF Vulnerabilities in Linux Drivers with Directed Fuzzing", USENIX Security 2023
Problem: concurrency UAF
- Linux device drivers have plenty of race issues, which in some cases cause use-after-free (UAF).
- Limitations of fuzzing: the exploration space is the input space × the thread-interleaving space; directed fuzzing is not tailored to concurrency UAF; concurrency bugs are hard to reproduce.
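To see why the interleaving space is a separate dimension, here is an added C model, written for this page and not DDRace's code: two driver paths are reduced to straight-line lists of operations on one heap object (one path dereferences it, the other frees it), and every interleaving of the two lists is enumerated. Each schedule executes exactly the same operations, so code coverage cannot tell them apart; only some of them put a use after the free. The "uses before free" counter is an assumed stand-in for the race-variable interleaving signal the slides describe, chosen because it is the smallest signal that distinguishes the schedules.

```c
#include <string.h>

/* Constructed model: two threads as straight-line op lists (not DDRace code). */
#define MAX_OPS 8
enum op { OP_OTHER, OP_USE, OP_FREE };
struct thread { enum op ops[MAX_OPS]; int n; };

struct race_stats {
    long interleavings;      /* size of the thread-interleaving space for this one input */
    long uaf_interleavings;  /* schedules in which a use of the object follows its free */
    int  signals_seen;       /* distinct "uses before free" values (interleaving signal) */
    unsigned char seen[2 * MAX_OPS + 1];
};

/* Depth-first enumeration of every schedule: at each step advance A or B.
 * `uses` counts OP_USE executed so far, `freed`/`uaf` track the object. */
static void explore(const struct thread *a, const struct thread *b, int ia, int ib,
                    int uses, int freed, int uaf, struct race_stats *st)
{
    if (ia == a->n && ib == b->n) {           /* one complete schedule */
        st->interleavings++;
        if (uaf) st->uaf_interleavings++;
        return;
    }
    for (int pick = 0; pick < 2; pick++) {    /* pick 0: advance A, pick 1: advance B */
        const struct thread *t = pick ? b : a;
        int idx = pick ? ib : ia;
        if (idx >= t->n) continue;
        enum op o = t->ops[idx];
        int nuses = uses + (o == OP_USE), nfreed = freed, nuaf = uaf;
        if (o == OP_FREE) {
            nfreed = 1;
            /* record the interleaving signal at the free: how many uses preceded it */
            if (!st->seen[uses]) { st->seen[uses] = 1; st->signals_seen++; }
        } else if (o == OP_USE && freed) {
            nuaf = 1;                         /* use-after-free in this schedule */
        }
        explore(a, b, ia + !pick, ib + pick, nuses, nfreed, nuaf, st);
    }
}

static struct race_stats race_space(const struct thread *a, const struct thread *b)
{
    struct race_stats st;
    memset(&st, 0, sizeof st);
    explore(a, b, 0, 0, 0, 0, 0, &st);
    return st;
}
```

For A = {USE, USE} and B = {FREE} there are three schedules and two of them are UAFs; for A = {OTHER, USE, OTHER} style lists the count grows as the binomial coefficient of the two lengths, and it is multiplied by the number of inputs. A fuzzer that only records edges sees one coverage set for all of them, which is the gap the thread-interleaving and race-variable signals on the next slide are meant to close.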
Approach: DDRace, directed fuzzing for concurrency UAF
- Identify potential UAF points and potential racing threads with lightweight dynamic analysis; derive the race variables associated with each UAF point.
- Directed-scheduling fuzzing. Distance to target: the traditional edge distance, plus a distance computed on the dominator tree and a vulnerability-constraint distance. Feedback signals: the traditional coverage signal, plus a thread-interleaving signal and a race-variable interleaving signal. Seeds are selected by distance, signals and scheduling frequency.
- Adaptive VM state migration mitigates test cases that fail to reproduce.
Observations: UAF pairs have fewer than 20 related race pairs; most UAF pairs require no more than 9 driver interfaces.
Evaluation: 12 race-induced UAF vulnerabilities found in the Linux kernel; comparison with other tools.

(5) How to improve? "... macOS Kernel EXTensions on Apple Silicon via Exploiting Mitigations", USENIX Security 2023
Existing driver fuzzing (figure): a fuzzer needs execution & introspection, an interface specification, and test cases
- Interface specification: source code analysis (e.g., DIFUZE, Moonshine, PrIntFuzz); interaction traces (e.g., SyzGen, IMF); header file & binary analysis (e.g., NTFuzz)
- Execution & introspection: source-level instrumentation (e.g., kcov, KASAN); hypervisor (e.g., Digtool); kernel debugger (e.g., LLDB-Fuzzer, SyzGen); hardware tracer (e.g., kAFL); others (e.g., HFL, PeriScope)

Closed-source driver fuzzing on Apple Silicon (figure: the same taxonomy with the closed-source constraints marked)
- The kexts are closed-source, toolchain support is poor, and the available information is limited.

How to Make Fuzzing Great Again?
- Challenge 1: how to collect coverage feedback?
- Challenge 2: how to bypass runtime restrictions (the entitlement check)?
- Challenge 3: how to generate test cases with complex input formats?
- Idea: turn the mitigations into fuzzing resources: PA (pointer authentication), entitlements, and wrappers. This is KextFuzz.

Design of KextFuzz (1): pointer authentication as a mitigation
- Binary-level instrumentation easily results in reference ambiguity, i.e. a system crash: a regular binary rewrite (1) adds the coverage instruction and (2) moves the other instructions.
- KextFuzz coverage collector: replace the PA instructions instead. Nothing moves, so there is no reference ambiguity and fuzzing is stable.

Design of KextFuzz (2): remove the entitlement mitigation
- Testing privileged code: function hook.

Design of KextFuzz (3): the kernel function isolation layer as interface knowledge
- macOS uses user-space wrappers (e.g., frameworks, dylibs, daemons) to reduce direct kext invocations: App → wrapper → kext.
- How does a system binary interact with kexts? Taint analysis on the isolation layer (the wrapper).
- Taint sink: the kext invocation inside a wrapper function. Taint sources: (s1) caller arguments, (s2) creation functions, (s3) outputs of other kext invocations, (s4) global variables. The analysis recovers the type and the value of each input.
  wrapper_func(this, String XX, ...) {
      input_0 = CFArrayCreate(XX, ...);             // s2: creation function, fed by s1: caller argument XX
      input_1 = kext_invocation1();                 // s3: output of another kext invocation
      input_2 = global_var;                         // s4: global variable
      kext_invocation2(input_0, input_1, input_2);  // taint sink
  }

Evaluation: analysis & instrumentation
- Connection status before and after the entitlement filter
- Coverage collector: instruments 34.71% of basic blocks with 2.03x overhead
- Special arguments recognized by KextFuzz
- Ablation study (coverage)
- 40 unique kernel crashes, with bounties

Takeaway
- The two recurring levers: test case generation/selection and test case filtering.
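The "replace the PA instructions instead of moving code" point in Design (1) is easy to state and easy to get wrong, so here is an added C model of the in-place rewrite, written for this page and not KextFuzz's implementation. It assumes: the hint-space encodings of PACIASP/PACIBSP/AUTIASP/AUTIBSP from the AArch64 reference, a hypothetical coverage stub at a fixed offset inside the same text section, and a constructed five-instruction prologue/epilogue as the sample. Each PA instruction is overwritten by a `bl` to the stub, so every other instruction keeps its address and PC-relative references (ADRP/ADR/B, literal loads, jump tables) stay valid; inserting a coverage instruction in front of each block, by contrast, shifts everything after it by 4 bytes per insertion, which is the reference ambiguity the slide warns about.

```c
#include <stddef.h>
#include <stdint.h>

/* AArch64 hint-space PA instruction encodings (assumed from the ISA reference). */
#define PACIASP 0xD503233Fu
#define AUTIASP 0xD50323BFu
#define PACIBSP 0xD503237Fu
#define AUTIBSP 0xD50323FFu
#define BL_OPC  0x94000000u            /* BL <imm26>: opcode in the top 6 bits */

static int is_pa_insn(uint32_t insn)
{
    return insn == PACIASP || insn == AUTIASP || insn == PACIBSP || insn == AUTIBSP;
}

/* Encode `bl target` for an instruction at byte offset `pc` in the same
 * section. Returns 0 (never a valid BL) if the displacement does not fit. */
static uint32_t encode_bl(uint32_t pc, uint32_t target)
{
    int64_t disp = (int64_t)target - (int64_t)pc;
    if ((disp & 3) || disp < -(1 << 27) || disp >= (1 << 27)) return 0;
    return BL_OPC | (((uint32_t)(disp >> 2)) & 0x03FFFFFFu);
}

/* Inverse of encode_bl: sign-extend imm26 and scale it by 4. */
static uint32_t decode_bl_target(uint32_t pc, uint32_t insn)
{
    int32_t imm = (int32_t)(insn << 6) >> 4;
    return pc + (uint32_t)imm;
}

/* In-place rewrite: overwrite every PA instruction with a BL to the coverage
 * stub. Section size and all other instruction addresses are unchanged.
 * Returns the number of replaced instructions, or -1 if a BL cannot reach.
 * The stub itself (not modelled here) would record the hit; a real tool also
 * has to preserve the authentication the replaced instruction performed. */
static int rewrite_in_place(uint32_t *text, size_t n, uint32_t base, uint32_t stub)
{
    int replaced = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_pa_insn(text[i])) continue;
        uint32_t bl = encode_bl(base + 4 * (uint32_t)i, stub);
        if (!bl) return -1;
        text[i] = bl;
        replaced++;
    }
    return replaced;
}
```

On the constructed sample below (pacibsp; stp x29,x30,[sp,#-16]!; mov x29,sp; ldp x29,x30,[sp],#16; autibsp; ret) two words are replaced, the four others are untouched, and decoding the new BLs gives the stub address from both sites. The model only covers the SP-based hint-space variants; the register-form PAC*/AUT* instructions and the question of who re-signs the return address are left to the real tool.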