Kernel-mode drivers are challenging to analyze for vulnerabilities, yet play a critical role in maintaining the security of OS kernels. Their wide attack surface, exposed via both the system call interface and the peripheral interface, is often found to be the most direct attack vector to compromise an OS kernel. Researchers therefore have proposed many fuzzing techniques to find vulnerabilities in kernel drivers. However, the performance of kernel fuzzers is still lacking, for reasons such as prolonged execution of kernel code, interference between test inputs, and kernel crashes. This paper proposes lightweight virtual machine checkpointing as a new primitive that enables high-throughput kernel driver fuzzing. Our key insight is that kernel driver fuzzers frequently execute similar test cases in a row, and that their performance can be improved by dynamically creating multiple checkpoints while executing test cases and skipping parts of test cases using the created checkpoints. We built a system, dubbed Agamotto, around the virtual machine checkpointing primitive and evaluated it by fuzzing the peripheral attack surface of USB and PCI drivers in Linux. The results are convincing. Agamotto improved the performance of the state-of-the-art kernel fuzzer, Syzkaller, by 66.6% on average in fuzzing 8 USB drivers, and an AFL-based PCI fuzzer by 21.6% in fuzzing 4 PCI drivers, without modifying their underlying input generation algorithm.
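The abstract's key insight, that consecutive test cases share a prefix and that checkpoints taken during execution let the fuzzer skip re-executing it, is easy to quantify with a small model. The following is an added illustration, not Agamotto's code: test cases are sequences of constructed USB-style operations, every executed operation costs one unit, a bounded LRU store holds one checkpoint per executed prefix, and each new test case resumes from the deepest stored prefix it shares. The operation names, the "checkpoint after every step" policy and the LRU eviction are assumptions for the model, not the paper's actual heuristics. In a real VM the checkpoint must capture guest memory, CPU and device-model state, and execution must be deterministic, or resuming from a prefix is unsound.

```python
"""Model of prefix-checkpoint reuse for kernel driver fuzzing.

Added example, not code from the Agamotto paper. It simulates the idea
that consecutive test cases share a prefix, so checkpoints created while
executing one case let later cases skip that prefix, and it counts how
many operations are executed with and without checkpoints.
"""
from collections import OrderedDict


class CheckpointStore:
    """Bounded store keyed by an executed prefix (tuple of ops).

    In a real system each entry is a VM snapshot (guest RAM, CPU, device
    models). In this deterministic model the prefix alone determines the
    state, so the key is the checkpoint. LRU eviction stands in for host
    memory pressure (assumption, not Agamotto's policy).
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self.store = OrderedDict()

    def longest_prefix(self, ops):
        """Return the length of the longest prefix of ops with a checkpoint."""
        for n in range(len(ops), 0, -1):
            key = tuple(ops[:n])
            if key in self.store:
                self.store.move_to_end(key)  # mark as recently used
                return n
        return 0

    def save(self, prefix):
        key = tuple(prefix)
        if key in self.store:
            self.store.move_to_end(key)
            return
        if len(self.store) >= self.capacity:
            self.store.popitem(last=False)  # evict least recently used
        self.store[key] = True


def run_without_checkpoints(corpus):
    """Baseline: every test case restarts from the initial VM snapshot."""
    return sum(len(tc) for tc in corpus)


def run_with_checkpoints(corpus, capacity=64):
    """Resume each case from the deepest shared prefix; checkpoint after each op."""
    store = CheckpointStore(capacity)
    executed = 0
    for tc in corpus:
        start = store.longest_prefix(tc)  # restore that checkpoint
        for i in range(start, len(tc)):
            executed += 1                 # execute op i from the restored state
            store.save(tc[:i + 1])        # checkpoint the new prefix
    return executed


def savings_percent(corpus, capacity=64):
    base = run_without_checkpoints(corpus)
    fast = run_with_checkpoints(corpus, capacity)
    return round(100.0 * (base - fast) / base, 1)


# Constructed corpus: a seed sequence of device operations and the kind of
# tail mutations a fuzzer produces. Names are illustrative, not real APIs.
SEED = ("set_config", "get_descriptor", "bulk_in", "ctrl_out", "bulk_out")
CORPUS = [
    SEED,
    SEED[:4] + ("bulk_in",),              # last op mutated
    SEED[:4] + ("ctrl_in",),
    SEED[:3] + ("bulk_out", "bulk_in"),   # last two ops mutated
    SEED[:1] + ("reset",),                # mostly new sequence
    SEED,                                 # seed re-executed
]

if __name__ == "__main__":
    print("ops without checkpoints:", run_without_checkpoints(CORPUS))
    print("ops with checkpoints:   ", run_with_checkpoints(CORPUS))
    print("savings: %.1f%%" % savings_percent(CORPUS))
    print("ops with capacity 1:    ", run_with_checkpoints(CORPUS, capacity=1))
```

Run with a generous checkpoint budget the model executes 10 operations instead of 27 for this corpus; with a budget of a single checkpoint the LRU store keeps only the most recent full-length prefix, no later case matches it, and the cost falls back to the baseline. That second case is the caveat to keep in mind: the gain depends on how many checkpoints the host can hold and on how the fuzzer orders its test cases, not only on the checkpoint mechanism itself.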
Title of host publication: Proceedings of the 29th USENIX Security Symposium
Number of pages: 17
Publication status: Published - 2020
Event: 29th USENIX Security Symposium - Virtual, Online
Duration: 2020 Aug 12 → 2020 Aug 14
Name: Proceedings of the 29th USENIX Security Symposium
Conference: 29th USENIX Security Symposium
Period: 2020-08-12 → 2020-08-14
Bibliographical note (Funding Information):
The authors would like to thank our shepherd, Manuel Egele, and the anonymous reviewers for their valuable feedback. The authors also thank Paul Kirth for his help with proofreading this paper. This material is based upon work partially supported by the Defense Advanced Research Projects Agency under contracts FA8750-15-C-0124 and FA8750-15-C-0085, by the United States Office of Naval Research under contract N00014-17-1-2782, by the National Science Foundation under awards CNS-1619211 and CNS-1513837, by the European Commission under the Horizon 2020 Programme (H2020) as part of the LOCARD project (G.A. no. 832735), by the IITP under contract 20190015700021001, and by the NRF under contract 2017R1A2B3006360. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of our funding agencies.
© 2020 by The USENIX Association. All Rights Reserved.
All Science Journal Classification (ASJC) codes
- Computer Networks and Communications
- Information Systems
- Safety, Risk, Reliability and Quality