Semantic-Informed Driver Fuzzing Without Both the Hardware Devices and the Emulators

Wenjia Zhao, Kangjie Lu, Qiushi Wu, Yong Qi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Scopus citations

Abstract

Device drivers are security-critical. In monolithic kernels like Linux, there are hundreds of thousands of drivers which run with the same privilege as the core kernel. Consequently, a bug in a driver can compromise the whole system. More critically, drivers are particularly buggy. First, drivers receive complex and untrusted inputs not only from the user space but also from the hardware. Second, driver code can be developed by less-experienced third parties, and it is less tested because running a driver requires the corresponding hardware device or an emulator. Therefore, existing studies show that drivers tend to have a higher bug density and have become a major security threat. Existing testing techniques have to focus fuzzing on the limited number of drivers that have the corresponding devices or emulators, and thus cannot scale. In this paper, we propose a device-free driver fuzzing system, DR. FUZZ, that does not require hardware devices to fuzz-test drivers. The core of DR. FUZZ is a semantic-informed mechanism that efficiently generates inputs to properly construct the relevant data structures and pass the "validation chain" in driver initialization, which enables subsequent device-free driver fuzzing. Eliminating the need for hardware devices and emulators removes the bottleneck in driver testing. The semantic-informed mechanism incorporates multiple new techniques to make device-free driver fuzzing practical: inferring valid input values for passing the validation chain in initialization, inferring the temporal usage order of input bytes to minimize the mutation space, and employing error states as feedback to direct the fuzzing through the validation chain. Moreover, the semantic-informed mechanism is generic; we can also instruct it to generate semi-malformed inputs for higher code coverage. We evaluate DR. FUZZ on 214 Linux drivers. With only a 24-hour time budget, DR. FUZZ can successfully initialize and enable most of the drivers without the corresponding devices, whereas existing fuzzers like syzkaller cannot succeed in any case. DR. FUZZ also significantly outperforms existing driver fuzzers that are even equipped with the device or emulator in other aspects: it increases code coverage by 70% and throughput by 18%. With DR. FUZZ, we also find 46 new bugs in these Linux drivers.

Original language: English (US)
Title of host publication: 29th Annual Network and Distributed System Security Symposium, NDSS 2022
Publisher: The Internet Society
ISBN (Electronic): 1891562746, 9781891562747
DOIs
State: Published - 2022
Event: 29th Annual Network and Distributed System Security Symposium, NDSS 2022 - Hybrid, San Diego, United States
Duration: Apr 24 2022 - Apr 28 2022

Publication series

Name: 29th Annual Network and Distributed System Security Symposium, NDSS 2022

Conference

Conference: 29th Annual Network and Distributed System Security Symposium, NDSS 2022
Country/Territory: United States
City: Hybrid, San Diego
Period: 4/24/22 - 4/28/22

Bibliographical note

Publisher Copyright:
© 2022 29th Annual Network and Distributed System Security Symposium, NDSS 2022. All Rights Reserved.
