DOI: 10.1145/3133956.3134103

IMF: Inferred Model-based Fuzzer

Published: 30 October 2017

    Abstract

    Kernel vulnerabilities are critical in security because they naturally allow unprivileged attackers to gain root access. Although there has been much research on finding kernel vulnerabilities from source code, there is relatively little research on kernel fuzzing, a practical bug-finding technique that does not require any source code. Existing kernel fuzzing techniques feed random input values to kernel API functions. Such a simple approach does not reveal latent bugs deep in the kernel code, because many API functions depend on each other and quickly reject arbitrary parameter values based on their calling context. In this paper, we propose a novel fuzzing technique for commodity OS kernels that leverages an inferred dependence model between API function calls to discover deep kernel bugs. We implement our technique in a fuzzing system called IMF. At the time of this writing, IMF has already found 32 previously unknown kernel vulnerabilities on the latest macOS version 10.12.3 (16D32).
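    As an added illustration of the idea in the abstract (this is not IMF's code; the API names, the two call logs and the mutation set are constructed), the Python below infers an order dependence (the call prefix shared by several runs of one task) and value dependences (a return value flowing into a later argument) from logged API calls, then emits a replay program in which dependent arguments stay wired to their producers while independent ones are mutated:

```python
import random
from collections import namedtuple

# Constructed logs (invented names and values) of two runs of the same
# user-space task calling into a kernel API: (name, args, return value).
Call = namedtuple("Call", "name args ret")
TRACES = [
    [Call("open_service", (0x1001,), 7), Call("open_conn", (7, 0), 12),
     Call("call_method", (12, 3, 16), 0)],
    [Call("open_service", (0x1001,), 9), Call("open_conn", (9, 0), 15),
     Call("call_method", (15, 3, 32), 0)],
]

def order_model(traces):
    """Order dependence: the longest prefix of call names shared by every run."""
    first, n = traces[0], 0
    while n < min(len(t) for t in traces) and all(t[n].name == first[n].name for t in traces):
        n += 1
    return [c.name for c in first[:n]]

def value_deps(trace):
    """(call idx, arg idx) -> idx of the nearest earlier call whose return value equals that argument."""
    deps = {}
    for j, call in enumerate(trace):
        for k, arg in enumerate(call.args):
            for i in range(j - 1, -1, -1):
                if trace[i].ret == arg:
                    deps[(j, k)] = i
                    break
    return deps

def value_model(traces, n):
    """Keep only dependences that hold in every run; this filters out a constant
    argument that merely coincides with a handle value in one run."""
    common = set.intersection(*(set(value_deps(t[:n]).items()) for t in traces))
    return dict(common)

def gen_program(trace, n, deps, seed=1):
    """Replay the modelled prefix as source lines: dependent arguments are wired
    to the producing call's result, independent ones are mutated."""
    rng, lines = random.Random(seed), []
    for j, call in enumerate(trace[:n]):
        argv = []
        for k, arg in enumerate(call.args):
            if (j, k) in deps:
                argv.append(f"r{deps[(j, k)]}")
            else:
                argv.append(str(rng.choice([arg, 0, -1, arg ^ 0xFF, 0xFFFFFFFF])))
        lines.append(f"r{j} = {call.name}({', '.join(argv)})")
    return lines
```

    Running `gen_program(TRACES[0], 3, value_model(TRACES, 3))` yields three lines in which `open_conn` and `call_method` always receive `r0` and `r1` as their first argument, so each generated program gets past the handle checks that reject random values.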

    Supplemental Material

    MP4 File


    Published In

    CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
    October 2017
    2682 pages
    ISBN:9781450349468
    DOI:10.1145/3133956

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. api fuzzing
    2. fuzzing
    3. kernel vulnerabilities
    4. model-based fuzzing

    Qualifiers

    • Research-article

    Funding Sources

    • Institute for Information & Communications Technology Promotion, Korea

    Conference

    CCS '17
    Acceptance Rates

    CCS '17 Paper Acceptance Rate 151 of 836 submissions, 18%;
    Overall Acceptance Rate 1,210 of 6,719 submissions, 18%


    Article Metrics

    • Downloads (Last 12 months)89
    • Downloads (Last 6 weeks)6
    Reflects downloads up to 27 Jul 2024

    Cited By

    • (2024) Adaptive scheduling-based fine-grained greybox fuzzing for cloud-native applications. Journal of Cloud Computing 13:1. doi:10.1186/s13677-024-00681-1. Online publication date: 26-Jun-2024
    • (2024) A Survey of Software Dynamic Analysis Methods. Programming and Computing Software 50:1, 90-114. doi:10.1134/S0361768824010079. Online publication date: 22-May-2024
    • (2024) Coverage-guided fuzzing for deep reinforcement learning systems. Journal of Systems and Software 210:C. doi:10.1016/j.jss.2024.111963. Online publication date: 25-Jun-2024
    • (2023) KextFuzz. Proceedings of the 32nd USENIX Conference on Security Symposium, 5039-5054. doi:10.5555/3620237.3620519. Online publication date: 9-Aug-2023
    • (2023) ACTOR. Proceedings of the 32nd USENIX Conference on Security Symposium, 5003-5020. doi:10.5555/3620237.3620517. Online publication date: 9-Aug-2023
    • (2023) ReUSB. Proceedings of the 32nd USENIX Conference on Security Symposium, 2921-2938. doi:10.5555/3620237.3620401. Online publication date: 9-Aug-2023
    • (2023) DDRace. Proceedings of the 32nd USENIX Conference on Security Symposium, 2849-2866. doi:10.5555/3620237.3620397. Online publication date: 9-Aug-2023
    • (2023) GLeeFuzz. Proceedings of the 32nd USENIX Conference on Security Symposium, 1883-1899. doi:10.5555/3620237.3620343. Online publication date: 9-Aug-2023
    • (2023) WinkFuzz: Model-based Script Synthesis for Fuzzing. Proceedings of the Third International Symposium on Advanced Security on Software and Systems, 1-12. doi:10.1145/3591365.3592946. Online publication date: 10-Jul-2023
    • (2023) Towards Unveiling Exploitation Potential With Multiple Error Behaviors for Kernel Bugs. IEEE Transactions on Dependable and Secure Computing 21:1, 93-109. doi:10.1109/TDSC.2023.3246170. Online publication date: 17-Feb-2023
