WinkFuzz: Model-based Script Synthesis for Fuzzing
Authors: 
Zian Liu, Chao Chen, Ejaz Ahmed, Jun Zhang, Dongxi LiuAuthors Info & Claims
Zian Liu, Chao Chen, Ejaz Ahmed, Jun Zhang, Dongxi LiuAuthors Info & ClaimsArticle No.: 2, Pages 1 - 12
Abstract
Kernel fuzzing is important for finding critical kernel vulnerabilities. Close-source (e.g., Windows) operating system kernel fuzzing is even more challenging due to the lack of source code. Existing approaches fuzz the kernel by modeling syscall sequences from traces or static analysis of system codes. However, a common limitation is that they do not learn and mutate the syscall sequences to reach different kernel states, which can potentially result in more bugs or crashes.
In this paper, we propose WinkFuzz, an approach to learn and mutate traced syscall sequences in order to reach different kernel states. WinkFuzz learns syscall dependencies from the trace, identifies potential syscalls in the trace that can have dependent subsequent syscalls, and applies the dependencies to insert more syscalls while preserving the dependencies into the trace. Then WinkFuzz fuzzes the synthesized new syscall sequence to find system crashes.
We applied WinkFuzz to four seed applications and found a total increase in syscall number of 70.8%, with a success rate of 61%, within three insert levels. The average time for tracing, dependency analysis, recovering model script, and synthesizing script was 600, 39, 34, and 129 seconds respectively. The instant fuzzing rate is 3742 syscall executions per second. However, the average fuzz efficiency dropped to 155 syscall executions per second when the initializing time, waiting time, and other factors were taken into account. We fuzzed each seed application for 24 seconds and, on average, obtained 12.25 crashes within that time frame.
References
[1]
[n. d.]. Announcing oss-fuzz: Continuous fuzzing for open source software. https://testing.googleblog.com/2016/12/announcing-ossfuzz-continuous-fuzzing.html
[2]
[n. d.]. iknowthis. https://github.com/rgbkrk/iknowthis
[3]
[n. d.]. sysfuzz: A Prototype Systemcall Fuzzer. https://events.ccc.de/congress/2005/fahrplan/attachments/ 683-slides_fuzzing.pdf
[4]
[n. d.]. System Service Descriptor Table - SSDT. https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/glimpse-into-ssdt-in-windows-x64-kernel
[5]
Osbert Bastani, Rahul Sharma, Alex Aiken, and Percy Liang. 2017. Synthesizing program input grammars. ACM SIGPLAN Notices 52, 6 (2017), 95–110.
[6]
Marcel Böhme, Van-Thuan Pham, and Abhik Roychoudhury. 2016. Coverage-based greybox fuzzing as markov chain. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 1032–1043.
[7]
Cristian Cadar, Daniel Dunbar, Dawson R Engler, 2008. Klee: unassisted and automatic generation of high-coverage tests for complex systems programs. In OSDI, Vol. 8. 209–224.
[8]
Sang K Cha. 2020. Model-Based Fuzzing for Finding Kernel Vulnerabilities.
[9]
Sang Kil Cha, Thanassis Avgerinos, Alexandre Rebert, and David Brumley. 2012. Unleashing mayhem on binary code. In 2012 IEEE Symposium on Security and Privacy. IEEE, 380–394.
[10]
Sang Kil Cha, Maverick Woo, and David Brumley. 2015. Program-adaptive mutational fuzzing. In 2015 IEEE Symposium on Security and Privacy. IEEE, 725–741.
[11]
Weiteng Chen, Yu Wang, Zheng Zhang, and Zhiyun Qian. 2021. SyzGen: Automated Generation of Syscall Specification of Closed-Source macOS Drivers. In ACM CCS.
[12]
Jaeseung Choi, Kangsu Kim, Daejin Lee, and Sang Kil Cha. 2021. NTFuzz: Enabling type-aware kernel fuzzing on windows with static binary analysis. In 2021 IEEE Symposium on Security and Privacy (SP). IEEE, 677–693.
[13]
Jake Corina, Aravind Machiry, Christopher Salls, Yan Shoshitaishvili, Shuang Hao, Christopher Kruegel, and Giovanni Vigna. 2017. Difuze: Interface aware fuzzing for kernel drivers. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2123–2138.
[14]
Vijay Ganesh, Tim Leek, and Martin Rinard. 2009. Taint-based directed whitebox fuzzing. In 2009 IEEE 31st International Conference on Software Engineering. IEEE, 474–484.
[15]
Bernhard Garn and Dimitris E Simos. 2014. Eris: A tool for combinatorial testing of the linux system call interface. In 2014 IEEE Seventh International Conference on Software Testing, Verification and Validation Workshops. IEEE, 58–67.
[16]
Amaury Gauthier, Clément Mazin, Julien Iguchi-Cartigny, and Jean-Louis Lanet. 2011. Enhancing fuzzing technique for OKL4 syscalls testing. In 2011 Sixth International Conference on Availability, Reliability and Security. IEEE, 728–733.
[17]
Patrice Godefroid, Nils Klarlund, and Koushik Sen. 2005. DART: Directed automated random testing. In Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation. 213–223.
[18]
Patrice Godefroid, Michael Y Levin, and David Molnar. 2012. SAGE: whitebox fuzzing for security testing. Commun. ACM 55, 3 (2012), 40–44.
[19]
Patrice Godefroid, Hila Peleg, and Rishabh Singh. 2017. Learn&fuzz: Machine learning for input fuzzing. In 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE, 50–59.
[20]
HyungSeok Han and Sang Kil Cha. 2017. Imf: Inferred model-based fuzzer. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2345–2358.
[21]
Christian Holler, Kim Herzig, Andreas Zeller, 2012. Fuzzing with Code Fragments. In USENIX Security Symposium. 445–458.
[22]
Dae R Jeong, Kyungtae Kim, Basavesh Shivakumar, Byoungyoung Lee, and Insik Shin. 2019. Razzer: Finding kernel race bugs through fuzzing. In 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 754–768.
[23]
Rob Johnson and David Wagner. 2004. Finding user/kernel pointer bugs with type inference. In USENIX Security Symposium, Vol. 2. 0.
[24]
[24] Dave Jones. [n. d.]. https://github.com/kernelslacker/trinity
[25]
Jinho Jung, Stephen Tong, Hong Hu, Jungwon Lim, Yonghwi Jin, and Taesoo Kim. 2021. Winnie: Fuzzing windows applications with harness synthesis and fast cloning. In Proceedings of the 2021 Network and Distributed System Security Symposium (NDSS 2021).
[26]
Mateusz Jurczyk. [n. d.]. BrokenType. https://github.com/googleprojectzero/BrokenType.
[27]
Kyungtae Kim, Dae R Jeong, Chung Hwan Kim, Yeongjin Jang, Insik Shin, and Byoungyoung Lee. 2020. HFL: Hybrid Fuzzing on the Linux Kernel. In NDSS.
[28]
Su Yong Kim, Sangho Lee, Insu Yun, Wen Xu, Byoungyoung Lee, Youngtae Yun, and Taesoo Kim. 2017. { CAB-Fuzz} : Practical Concolic Testing Techniques for { COTS} Operating Systems. In 2017 USENIX Annual Technical Conference (USENIX ATC 17). 689–701.
[29]
Gerwin Klein, June Andronick, Kevin Elphinstone, Toby Murray, Thomas Sewell, Rafal Kolanski, and Gernot Heiser. 2014. Comprehensive formal verification of an OS microkernel. ACM Transactions on Computer Systems (TOCS) 32, 1 (2014), 1–70.
[30]
Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, 2009. seL4: Formal verification of an OS kernel. In Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles. 207–220.
[31]
F-Secure LABS. [n. d.]. Kernel Fuzzer. https://github.com/FSecureLABS/KernelFuzzer
[32]
Lucas Leong. 2019. Make static instrumentation great again: High performance fuzzing for Windows system. In Blackhat.
[33]
Moony Li. 2016. Active fuzzing as complementary for passive fuzzing. PacSec (2016).
[34]
Dejan Lukan. [n. d.]. The Sysenter Instruction Internals. https://resources.infosecinstitute.com/topic/the-sysenter-instruction-internals/
[35]
David Molnar, Xue Cong Li, and David A Wagner. 2009. Dynamic Test Generation to Find Integer Bugs in x86 Binary Linux Programs. In USENIX Security Symposium, Vol. 9. 67–82.
[36]
Dmytro Oleksiuk. 2009. Ioctl fuzzer. https://github.com/Cr4sh/ioctlfuzzer
[37]
Carlos Pacheco, Shuvendu K Lahiri, Michael D Ernst, and Thomas Ball. 2007. Feedback-directed random test generation. In 29th International Conference on Software Engineering (ICSE’07). IEEE, 75–84.
[38]
Shankara Pailoor, Andrew Aday, and Suman Jana. 2018. { MoonShine} : Optimizing { OS} Fuzzer Seed Selection with Trace Distillation. In 27th USENIX Security Symposium (USENIX Security 18). 729–743.
[39]
Jianfeng Pan, Guanglu Yan, and Xiaocao Fan. 2017. Digtool: A { Virtualization-Based} Framework for Detecting Kernel Vulnerabilities. In 26th USENIX Security Symposium (USENIX Security 17). 149–165.
[40]
Alex Plaskett. [n. d.]. OSXFuzz. https://github.com/FSecureLABS/OSXFuzz.
[41]
Sanjay Rawat, Vivek Jain, Ashish Kumar, Lucian Cojocar, Cristiano Giuffrida, and Herbert Bos. 2017. Vuzzer: Application-aware evolutionary fuzzing. In NDSS, Vol. 17. 1–14.
[42]
Alexandre Rebert, Sang Kil Cha, Thanassis Avgerinos, Jonathan Foote, David Warren, Gustavo Grieco, and David Brumley. 2014. Optimizing seed selection for fuzzing. In 23rd { USENIX} Security Symposium ({ USENIX} Security 14). 861–875.
[43]
Sergej Schumilo, Cornelius Aschermann, Robert Gawlik, Sebastian Schinzel, and Thorsten Holz. 2017. kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels. In USENIX Security Symposium. 167–182.
[44]
Solomon Sklash. 2020. Using Syscalls to Inject Shellcode on Windows. https://www.solomonsklash.io/syscalls-for-shellcode-injection.html
[45]
Nick Stephens, John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2016. Driller: Augmenting fuzzing through selective symbolic execution. In NDSS, Vol. 16. 1–16.
[46]
ReactOS Team. [n. d.]. ReactOS. https://reactos.org/
[47]
Joachim Viide, Aki Helin, Marko Laakso, Pekka Pietikäinen, Mika Seppänen, Kimmo Halunen, Rauli Puuperä, and Juha Röning. 2008. Experiences with Model Inference Assisted Fuzzing.WOOT 2 (2008), 1–2.
[48]
Dmitry Vyukov. [n. d.]. syzkaller. https://github.com/google/syzkaller.
[49]
Tielei Wang, Tao Wei, Guofei Gu, and Wei Zou. 2010. TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection. In 2010 IEEE Symposium on Security and Privacy. IEEE, 497–512.
[50]
Xi Wang, Haogang Chen, Zhihao Jia, Nickolai Zeldovich, and M Frans Kaashoek. 2012. Improving integer security for systems with { KINT}. In Presented as part of the 10th { USENIX} Symposium on Operating Systems Design and Implementation ({ OSDI} 12). 163–177.
[51]
Vincent M Weaver and Dave Jones. 2015. perf fuzzer: Targeted fuzzing of the perf event open () system call. UMaine VMW Group, Tech. Rep (2015).
[52]
Maverick Woo, Sang Kil Cha, Samantha Gottlieb, and David Brumley. 2013. Scheduling black-box mutational fuzzing. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. 511–522.
Index Terms
- WinkFuzz: Model-based Script Synthesis for Fuzzing
Recommendations
Online Model-Based Behavioral Fuzzing
ICSTW '13: Proceedings of the 2013 IEEE Sixth International Conference on Software Testing, Verification and Validation WorkshopsFuzz testing or fuzzing is interface robustness testing by stressing the interface of a system under test (SUT) with invalid input data. It aims at finding security-relevant weaknesses in the implementation that may result in a crash of the system-under-...
Accelerating Fuzzing through Prefix-Guided Execution
Coverage-guided fuzzing is one of the most effective approaches for discovering software defects and vulnerabilities. It executes all mutated tests from seed inputs to expose coverage-increasing tests. However, executing all mutated tests incurs ...
LLVM-based Hybrid Fuzzing with LibKluzzer (Competition Contribution)
Fundamental Approaches to Software EngineeringAbstractLibKluzzer is a novel implementation of hybrid fuzzing, which combines the strengths of coverage-guided fuzzing and dynamic symbolic execution (a.k.a. whitebox fuzzing). While coverage-guided fuzzing can discover new execution paths at nearly ...
Comments
Information & Contributors
Information
Published In
July 2023
53 pages
ISBN:9798400701825
DOI:10.1145/3591365
Copyright © 2023 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 10 July 2023
Check for updates
Qualifiers
- Research-article
- Research
- Refereed limited
Conference
ASIA CCS '23
ASIA CCS '23: ACM ASIA Conference on Computer and Communications Security
July 10 - 14, 2023
VIC, Melbourne, Australia
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 71Total Downloads
- Downloads (Last 12 months)47
- Downloads (Last 6 weeks)2
Reflects downloads up to 01 Sep 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign inFull Access
View options
View or Download as a PDF file.
PDFeReader
View online with eReader.
eReaderHTML Format
View this article in HTML Format.
HTML Format