Razzer: Finding Kernel Race Bugs through Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee Insik Shin Korea Advanced Institute of Science and Technology Seoul National University Purdue


SLIDE 1

Razzer: Finding Kernel Race Bugs through Fuzzing

Dae R. Jeong† Kyungtae Kim∗ Basavesh Shivakumar∗ Byoungyoung Lee‡∗ Insik Shin†

†Korea Advanced Institute of Science and Technology ‡Seoul National University ∗Purdue University

SLIDE 2-4

Kernel Vulnerability

Attacker can control the entire system

SLIDE 5

Fuzzing: Focused on Extending Coverage

  • Fuzzing
    • One of the most practical approaches to finding vulnerabilities
  • Coverage-guided fuzzing
    • It gathers interesting inputs that extend code coverage.
    • The more coverage, the more vulnerabilities

SLIDE 6

Race Bugs

  • Assumption: race condition between two threads
  • A race condition occurs if the following three conditions are met:
    • Two instructions access the same memory location
    • At least one of the two is a write instruction
    • These two are executed concurrently
  • If a race occurs, the computational results may vary depending on the execution order
  • A race vulnerability is caused by an execution order unintended by the developers.

SLIDE 7

Inefficient Fuzzing for Race Bugs

  • Traditional fuzzers are inefficient at finding race bugs
    • The instructions should be executed within a specific time window
      • Called the race window
    • Execution orders are not determined by the fuzzer
      • Execution orders are determined by the kernel scheduler

SLIDE 8-13

Inefficient Fuzzing for Race Bugs: Example

Thread 1 (Syscall: open()):
    len = strlen(file_name);
    buf = kmalloc(len);
    strcpy(buf, file_name);

Thread 2 (Syscall: rename()):
    strcpy(file_name, longer_name);

Race window: if Thread 2's strcpy() runs between strlen() and strcpy() in Thread 1, file_name is longer than the allocated buffer. Buffer overflow!

SLIDE 14

Inefficient Fuzzing for Race Bugs: Syzkaller

  • Syzkaller
    • A kernel syscall fuzzer developed by Google
  • Ran Syzkaller to find three race bugs with a limited set of syscalls
    • CVE-2016-8655
    • CVE-2017-17712
    • CVE-2017-2636
  • None of the CVEs was found within 10 hours
    • Traditional fuzzing is inefficient at finding race bugs
    • Razzer can find all of them within 7~30 minutes

SLIDE 15

Our approach: Razzer

Two dimensions shown in the figure: Code coverage, Thread interleaving

    strcpy(file_name, longer_name);
    len = strlen(file_name);
    buf = kmalloc(len);
    strcpy(buf, file_name);

SLIDE 16-21

Our approach: Razzer

Thread 1 (Syscall: open()):
    len = strlen(file_name);
    buf = kmalloc(len);
    strcpy(buf, file_name);            <- BP

Thread 2 (Syscall: rename()):
    strcpy(file_name, longer_name);    <- BP

Race window: Razzer installs a breakpoint (BP) on the racing instruction of each thread, holds both threads at their breakpoints, and then releases them so the two instructions execute in the required order. Buffer overflow!
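To make the race window and the forced interleaving concrete, here is an added C model (not code from the Razzer slides or repository): thread 1's open() steps and thread 2's rename() are executed in every possible order by a tiny deterministic scheduler that plays the role of the per-core breakpoints, and each order is checked for the overflow; a fixed variant that works from one snapshot of the name is included for contrast. The names, the buffer sizes, the bounds check in place of the real write, and the snapshot-based fix are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Added example (not Razzer's code): the slides' open()/rename() race run on one thread by a
 * deterministic scheduler that stands in for Razzer's per-core breakpoints. Names are made up. */
enum { T1_STRLEN, T1_KMALLOC, T1_STRCPY, T2_RENAME };
typedef struct {
    char   file_name[64];   /* shared: read by thread 1 (open), overwritten by thread 2 (rename) */
    char   snapshot[64];    /* used only by the fixed variant */
    size_t len, buf_size;   /* len = strlen(file_name); buf_size = what kmalloc(len) returns */
} kstate;
/* Run one step; returns 1 if thread 1's final strcpy would write past its buffer.
 * With fixed != 0, thread 1 measures and copies a single snapshot of the name, so the
 * length it allocated for and the bytes it copies cannot diverge. */
static int run_step(kstate *s, int step, int fixed, const char *longer_name) {
    const char *src = fixed ? s->snapshot : s->file_name;
    switch (step) {
    case T1_STRLEN:
        if (fixed) strcpy(s->snapshot, s->file_name);   /* copy taken once, up front */
        s->len = strlen(src);
        return 0;
    case T1_KMALLOC:
        s->buf_size = s->len;                            /* kmalloc(len), exactly as on the slide */
        return 0;
    case T1_STRCPY:
        return strlen(src) > s->buf_size;                /* bounds check stands in for the real write */
    case T2_RENAME:
        strcpy(s->file_name, longer_name);               /* rename() replaces the shared name */
        return 0;
    default:
        return 0;
    }
}
/* Insert thread 2's rename before step p of thread 1 (p = 0..3) and run every schedule.
 * Returns a bitmask: bit p set means that interleaving overflows, i.e. p is in the race window. */
int race_window_mask(int fixed) {
    static const int t1[] = { T1_STRLEN, T1_KMALLOC, T1_STRCPY };
    int mask = 0;
    for (int p = 0; p <= 3; p++) {
        kstate s = { .file_name = "short" };
        int overflow = 0;
        for (int i = 0; i <= 3; i++)
            overflow |= run_step(&s, i == p ? T2_RENAME : t1[i - (i > p)], fixed, "a_much_longer_name");
        if (overflow) mask |= 1 << p;
    }
    return mask;
}
int main(void) {
    printf("vulnerable: overflow mask 0x%x (bits 1,2 = rename between strlen and strcpy)\n", race_window_mask(0));
    printf("fixed:      overflow mask 0x%x\n", race_window_mask(1));
    return 0;
}
```

Only the two schedules that place rename() inside the window between strlen() and strcpy() overflow; with the snapshot fix no schedule does.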

SLIDE 22-23

Design Overview

Offline analysis:  Source code -> Static analysis -> Over-approximated data races
Online testing:    Single-thread fuzzing -> Multi-thread input -> Multi-thread fuzzing

SLIDE 24

Static Analysis

  • Identifying instructions that may race
    • Teaching Razzer where to install breakpoints to trigger the race
  • Inclusion-based points-to analysis
    • Also known as Andersen-style points-to analysis
  • This static analysis certainly has false positives
    • The next phases (fuzzing) take care of this issue, because it is "fuzzing"

SLIDE 25-26

Static Analysis: Example

Source code:
    len = strlen(file_name);            // Read
    buf = kmalloc(len);
    strcpy(buf, file_name);             // Read
    strcpy(file_name, longer_name);     // Write

Razzer identified 3.4M race candidates over the entire Linux kernel

SLIDE 28-29

Single-thread Fuzzing

Single-thread input:
    open()
    rename()

Thread 1 (Syscall: open(), Syscall: rename()):
    len = strlen(file_name);
    buf = kmalloc(len);
    strcpy(buf, file_name);
    strcpy(file_name, longer_name);

SLIDE 30-32

Transformation to Multi-thread Input

Single-thread input:   open(); rename()
Multi-thread input:    Thread 1: open() … Thread 2: rename()

Thread 1:
    len = strlen(file_name);
    buf = kmalloc(len);
    strcpy(buf, file_name);            <- BP

Thread 2:
    strcpy(file_name, longer_name);    <- BP

SLIDE 34-39

Multi-thread Fuzzing

Multi-thread input:
    len = strlen(file_name);
    buf = kmalloc(len);
    strcpy(buf, file_name);
    strcpy(file_name, longer_name);

Guest VM:    Thread 1 runs Syscall n on CPU 1; Thread 2 runs Syscall m on CPU 2
Hypervisor:  each thread issues a Hypercall, and the hypervisor installs a per-core breakpoint (BP BP)

At the breakpoints:
    Thread 1: strcpy(buf, file_name);
    Thread 2: strcpy(file_name, other_name);

Two threads access the same memory: a race condition occurs

SLIDE 40

Implementation

  • Static analysis
    • Implemented using SVF, which is based on the LLVM compiler suite
  • Single-thread/Multi-thread fuzzing
    • Implemented based on Syzkaller
  • Deterministic scheduler
    • Implemented using QEMU/KVM
    • Exposing hypercall interfaces to support per-core breakpoints

SLIDE 41-44

Evaluation

  • 30 new races in the Linux kernel
  • 15 were fixed
  • Bug types: Use-after-free, Heap overflow, Double free

SLIDE 45

Evaluation: Comparison with Syzkaller

Race bugs        Syzkaller                    Razzer
                 # of exec   Time     Found   # of exec   Time     Found
CVE-2016-8655    29 M        10 hrs   X       1,170 K     26 min   ✓
CVE-2017-17712   37 M        10 hrs   X       807 K       18 min   ✓
CVE-2017-2636    5 M         10 hrs   X       246 K       7 min    ✓

  • Ran Razzer and Syzkaller with a limited set of syscalls
  • Razzer found the race bugs 23x to 85x faster than Syzkaller
    • Razzer found the 3 race bugs within a short time
    • Syzkaller didn't find any of the 3 race bugs within 10 hours

SLIDE 46

Conclusion

  • Razzer, a new fuzzer focusing on race bugs
    • Taming the non-deterministic behavior of races
    • Combining static analysis and fuzzing
  • Source code (by May 25, 2019)
    • https://github.com/compsec-snu/razzer

SLIDE 47

Thank you

Dae R. Jeong threeearcat@gmail.com