kAFL: Hardware-Assisted Feedback Fuzzing for OS · PDF filehtml5 VLC FreeBSD syscons John the...

kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels

Sergej Schumilo1, Cornelius Aschermann1, Robert Gawlik1, Sebastian Schinzel2, Thorsten Holz1 1Ruhr-Universität Bochum, 2Münster University of Applied Sciences

MotivationIJG jpeg libjpeg-turbo libpng libtiff mozjpeg PHP Mozilla Firefox Internet Explorer PCRE sqlite OpenSSL LibreOffice poppler freetype GnuTLS GnuPG PuTTY ntpd nginx bash tcpdump JavaScriptCore pdfium ffmpeg libmatroska libarchive ImageMagick BIND QEMU lcms Adobe Flash Oracle BerkeleyDB Android libstagefright iOS ImageIO FLAC audio library libsndfile less lesspipe strings file dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn1OpenBSD pfctl NetBSD bpf man mandocIDA Pro clamav

libxml2glibc clang llvmnasm ctags mutt procmail fontconfig pdksh Qt wavpack OpenSSH redis lua-cmsgpack taglib privoxy perl libxmp radare2 SleuthKit fwknop X.Org exifprobe jhead capnproto Xerces-C metacam djvulibre exiv Linux btrfs Knot DNS curl

wpa_supplicant Apple Safari libde265 dnsmasq libbpg lame libwmf uudecode MuPDF imlib2 libraw libbson libsass yara W3C tidy-html5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd Mozilla NSS Nettle mbed TLS Linux netlink Linux ext4 Linux xfs botan expat Adobe Reader libav libical OpenBSD kernel collectd libidn

MatrixSSL jasperMaraDNS w3m Xen OpenH232 irssi cmark OpenCV Malheur gstreamer Tor gdk-pixbuf audiofilezstd lz4 stb cJSON libpcre MySQL gnulib openexr libmad ettercap lrzip freetds Asterisk ytnefraptor mpg123 exempi libgmime pev v8 sed awk make

m4 yacc PHP ImageMagick freedesktop.org patch libtasn1 libvorbis zsh lua ninja ruby busybox gcrypt vim Tor poppler libopus BSD sh gcc qemu w3m zsh dropbear wireshark libtorrent git rust gravity e2fsprogs parrot lodepng json-glib cabextract libmspack qprint gpsbabel dmg2img antiword arj unrar unace zoo rzip lrzip libiso libtta duktape splint zpaq assimp cppcheck fasm catdoc pngcrush cmark p7zip libjbig2 aaphoto t1utils apngopt sqlparser mdp libtinyxml freexl bgpparser testdisk photorec btcd gumbo chaiscript teseq colcrt pttbbs capstone dex2oat pillow elftoolchain aribas universal-ctags uriparser jq lha xdelta gnuplot libwpd

teseq cimg libiberty policycoreutils libsemanage renoise metapixel openclone mp3splt podofo Apache httpd glslang UEFITool libcbor lldpd pngquant muparserx mochilo pyhocon sysdig Overpass-API fish-shell gumbo-parser mapbox-gl-native rapidjson

libjson FLIF MultiMarkdown astyle pax-utils zziplib PyPDF spiffing apk pgpdump icoutils msitools dosfstools

Internet Explorer

Internet ExplorerAdobe Flash

OpenSSH

Internet ExplorerAdobe Flash

OpenSSH

Internet Explorer

Apple Safari

Adobe Flash

OpenSSH

Internet Explorer

Apple SafariAdobe Reader

Adobe Flash

OpenSSH

Internet Explorer

Wireshark

Adobe Flash

OpenSSH

Internet Explorer

Wireshark

Apache httpd

Adobe Flash

Stephens, Nick, et al. "Driller: Augmenting Fuzzing Through Selective Symbolic Execution." Proceedings of the Network and Distributed System Security Symposium (NDSS). 2016.

Rawat, Sanjay, et al. "Vuzzer: Application-aware evolutionary fuzzing.“ Proceedings of the Network and Distributed System Security Symposium (NDSS). 2017.

Böhme, Marcel, et al. "Coverage-based greybox fuzzing as markov chain." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM. 2016.

Motivation

kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels4

Motivation

What about Kernel Security?

Related Work

Fast Crash Tolerant OS Independent Binary Only

Related Work

TriforceAFL (Jesse Hertz & Tim Newsham, NCC Group)

✗ ✓ ~ ✓

Related Work

✗ ✓ ~ ✓

Syzkaller (Dmitry Vyukov) ✓ ✓ ✗ ✗

Related Work

✗ ✓ ~ ✓

Syzkaller (Dmitry Vyukov) ✓ ✓ ✗ ✗AFL Filesystem Fuzzer (Vegard Nossum & Quentin Casanovas, Oracle)

✓ ~ ✗ ✗

Related Work

✗ ✓ ~ ✓

Syzkaller (Dmitry Vyukov) ✓ ✓ ✗ ✗AFL Filesystem Fuzzer (Vegard Nossum & Quentin Casanovas, Oracle)

✓ ~ ✗ ✗

PT Kernel Fuzzer (Richard Johnson, Talos) ✓ ✗ ✗ ✓

Build a kernel fuzzer that is all of this:

▪Fast ▪Reliable ▪(mostly) OS independent ▪No source level access required

Fuzzing in a nutshell

Fuzzer Target

Inputs

Grammar

Fuzzer Target

Inputs

Grammar

Randomized Inputs

Fuzzer Target

Inputs

Grammar

Randomized Inputs

Feedback

Blackbox Fuzzing

Target

Blackbox Fuzzing

Target

Blackbox Fuzzing

Target

CrashkAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels

Coverage-Guided Fuzzing

input[0] == 'A'

input[2] == 'C'

exit()

input[1] == 'B'

crash()

input[0] == 'A'

input[2] == 'C'

exit()

input[1] == 'B'

crash() exit()

input[0] == 'A'ZZZZ

input[0] == 'A'

input[2] == 'C'

exit()

input[1] == 'B'

crash() exit()

input[1] == 'B'

input[0] == 'A'AAAA

input[0] == 'A'

input[2] == 'C'

exit()

input[1] == 'B'

crash() exit()

input[2] == 'C'

input[1] == 'B'

input[0] == 'A'ABBG

input[0] == 'A'

input[2] == 'C'

exit()

input[1] == 'B'

crash()crash()

input[2] == 'C'

input[1] == 'B'

input[0] == 'A'ABCJ

input[0] == 'A'

input[2] == 'C'

exit()

input[1] == 'B'

crash()

AFL stores transitions in a bitmap

crash()

input[2] == 'C'

input[1] == 'B'

input[0] == 'A'ABCJ

Feedback MechanismClosed-Source Kernel Stable Fast

Compile-Time Instrumentation ✗ ✓ ✓ ++

Compile-Time Instrumentation ✗ ✓ ✓ ++Static Rewriting ✓ - ✗ ++

Compile-Time Instrumentation ✗ ✓ ✓ ++Static Rewriting ✓ - ✗ ++Dynamic Binary Instrumentation ✓ -* ✓ -

* Peter Feiner, et al., DRK: DynamoRIO as a Linux Kernel Module

Compile-Time Instrumentation ✗ ✓ ✓ ++Static Rewriting ✓ - ✗ ++Dynamic Binary Instrumentation ✓ -* ✓ -Emulation ✓ ✓ ✓ - -

Compile-Time Instrumentation ✗ ✓ ✓ ++Static Rewriting ✓ - ✗ ++Dynamic Binary Instrumentation ✓ -* ✓ -Emulation ✓ ✓ ✓ - -Intel Branch Trace Store ✓ ✓ ✓ +

Compile-Time Instrumentation ✗ ✓ ✓ ++Static Rewriting ✓ - ✗ ++Dynamic Binary Instrumentation ✓ -* ✓ -Emulation ✓ ✓ ✓ - -Intel Branch Trace Store ✓ ✓ ✓ +Intel Processor Trace ✓ ✓ ✓ +++

Intel Processor Trace

Instruction Intel PT Packet

jmp/call loc_b Inferable from disassembly

jnz loc_a Taken / Not Taken

jmp/call [eax] Target IP

ret Target IP (if required)

Intel PT Data

Not TakenTarget IP (0x1009)Target IP (0x1055)

Intel PT Data

Target Binary

Intel PT Data

Target Binary

Traces

0x10000x10040x1009

Intel PT Data

Target Binary

Traces

0x10000x10040x1009

Transitions

0x0000 / 0x10000x1000 / 0x10040x1004 / 0x1009

Intel PT Data

Target Binary

Traces

0x10000x10040x1009

Transitions

0x0000 / 0x10000x1000 / 0x10040x1004 / 0x1009

AFL Bitmap

011001010010

Architecture

Kernel

AgentFuzzer

Architecture

Kernel

AgentFuzzer

Intel PT Driver

coverage

Benefits:✓Coverage

Architecture

Kernel

AgentFuzzer

Intel PT Driver

coverage

Architecture

Kernel

AgentFuzzer

Intel PT Driver

coverage

Architecture

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage

Benefits:✓Coverage✓Crash Tolerance

Architecture

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage

Benefits:✓Coverage✓Crash Tolerance✓OS Independence

Architecture

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage

Benefits:✓Coverage✓Crash Tolerance✓OS Independence✓Scalable

Trace Filtering

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage

Trace Filtering

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage

Full System Tracing

Trace Filtering

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage

Intel PT aware Hypervisor

✓vCPUFilter-Mechanisms:

vCPU Tracing

Trace Filtering

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage

✓vCPU✓Supervisor

Filter-Mechanisms:

Guest Ring-0 Tracing

Trace Filtering

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage

✓vCPU✓Supervisor

Filter-Mechanisms:

Guest Ring-0 Tracing

Kernel Space

User Space

0xFFFFFFFFFFFFFFFF

0x0000000000000000

syscall

Trace Filtering

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage

✓vCPU✓Supervisor✓CR3

Filter-Mechanisms:

Guest Ring-0 Tracing (Fuzzing-Process)

Trace Filtering

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage

✓vCPU✓Supervisor✓CR3✓IP-Range

Filter-Mechanisms:

Guest Ring-0 Tracing (Fuzzing-Process & Target Range)

Inter-VM Communication

Virtual Machine

Intel PT Driver

coverage

Kernel

AgentFuzzer

Virtual Machine

Intel PT Driver

coverage

Kernel

AgentFuzzer

Virtual Machine

Intel PT Driver

coverage

Guest to Host:

Kernel

AgentFuzzer

Virtual Machine

Intel PT Driver

coverage

Guest to Host:▪Synchronization

Kernel

AgentFuzzer

Virtual Machine

Intel PT Driver

coverage

Guest to Host:▪Synchronization▪Next payload

Kernel

AgentFuzzer

Virtual Machine

Intel PT Driver

coverage

Guest to Host:▪Synchronization▪Next payload▪Disclose CR3 value

Kernel

AgentFuzzer

Virtual Machine

Intel PT Driver

coverage

Guest to Host:▪Synchronization▪Next payload▪Disclose CR3 value▪Panic handler address Kernel

AgentFuzzer

Virtual Machine

Intel PT Driver

coverage

Guest to Host:▪Synchronization▪Next payload▪Disclose CR3 value▪Panic handler address▪Signal kernel panic

Kernel

AgentFuzzer

Virtual Machine

Intel PT Driver

coverage

Host to Guest:

Kernel

AgentFuzzer

Virtual Machine

Intel PT Driver

coverage

Host to Guest:▪Agent

Kernel

AgentFuzzer

Virtual Machine

Intel PT Driver

coverage

Host to Guest:▪Agent▪Payloads

Kernel

AgentFuzzer

Virtual Machine

Intel PT Driver

coverage

Host to Guest:▪Agent▪Payloads▪Overwrite panic handler

Kernel

AgentFuzzer

Implementation

CPU: ▪generates raw Intel-PT data ▪writes data to main memory

Implementation

KVM-PT: ▪configures Intel PT via MSRs ▪enables tracing during VM-Entry transition ▪disables tracing during VM-Exit transition

Implementation

QEMU-PT: ▪usermode counterpart ▪decodes Intel PT data on-the-fly

Implementation

kAFL Fuzzer: ▪generates new fuzz payloads ▪detects new behavior

Evaluation

New VulnerabilitiesWindows: ▪NTFS (DoS)

macOS: ▪HFS (DoS, Memory Corruption) ▪APFS (Memory Corruption)

Linux: ▪EXT4 (DoS, Memory Corruption) ▪Keyctl (Nullpointer Dereference)

Evaluation Driver

5.4 Rediscovery of Known BugsWe evaluated kAFL on the keyctl interface, which al-lows a user space program to store and manage vari-ous kinds of key material in the kernel. More specif-ically, it features a DER (see RFC5280) parser to loadcertificates. This functionality had a known bug (CVE-2016-07583). We tested kAFL against the same interfaceon a vulnerable kernel (version 4.3.2). kAFL was ableto uncover the same problem and one additional previ-ously unknown bug that was assigned CVE-2016-86504.kAFL managed to trigger 17 unique KASan reports and15 unique panics in just one hour of execution time. Dur-ing this experiment, kAFL generated over 34 million in-puts, found 295 interesting inputs, and performed nearly9,000 executions per second. This experiment was per-formed while running 8 processes in parallel.

5.5 Detected VulnerabilitiesDuring the evaluation, kAFL found more than a thou-sand unique crashes. We evaluated some manually andfound multiple security vulnerabilities in all tested op-erating systems such as Linux, Windows, and macOS.So far, eight bugs were reported and three of them wereconfirmed by the maintainers:

• Linux: keyctl Null Pointer Dereference5 (CVE-2016-86506)

• Linux: ext4 Memory Corruption7

• Linux: ext4 Error Handling8

• Windows: NTFS Div-by-Zero9

• macOS: HFS Div-by-Zero10

• macOS: HFS Assertion Fail10

• macOS: HFS Use-After-Free10

• macOS: APFS Memory Corruption10

Red Hat has assigned a CVE number for the first re-ported security flaw, which triggers a null pointer def-erence and a partial memory corruption in the kernelASN.1 parser if an RSA certificate with a zero expo-nent is presented. For the second reported vulnerabil-ity, which triggers a memory corruption in the ext4 file

3https://access.redhat.com/security/cve/cve-2016-07584https://access.redhat.com/security/cve/cve-2016-86505http://seclists.org/fulldisclosure/2016/Nov/766https://access.redhat.com/security/cve/cve-2016-86507http://seclists.org/fulldisclosure/2016/Nov/758http://seclists.org/bugtraq/2016/Nov/19Reported to Microsoft Security.

10Reported to Apple Product Security.

system, a mainline patch was proposed. The last re-ported Linux vulnerability, which calls in the ext4 errorhandling routine panic() and hence results in a kernelpanic, was at the time of writing not investigated any fur-ther. The NTFS bug in Windows 10 is a non-recoverableerror condition which leads to a blue screen. This bugwas reported to Microsoft, but has not been confirmedyet. Similarly, Apple has not yet verified or confirmedour reported macOS bugs.

5.6 Fuzzing PerformanceWe compare the overall performance of kAFL across dif-ferent operating systems. To ensure comparable results,we created a simple driver that contains a JSON parserbased on jsmn11 for each aforementioned operating sys-tem and used it to decode user input (see Listing 2). Ifthe user input is a JSON string starting with "KAFL", acrash is triggered. We traced both the JSON parser aswell as the final check. This way kAFL was able to learncorrect JSON syntax. We measured the time used to findthe crash, the number of executions per second, and thespeed for new paths to be discovered on all three targetoperating systems.

1 jsmn_parser parser;2 jsmntok_t tokens [5];3 jsmn_init (& parser);4

5 int res=jsmn_parse (&parser , input , size , tokens , 5);6 if(res >= 2){7 if(tokens [0]. type == JSMN_STRING){8 int json_len = tokens [0]. end - tokens [0].

start;9 int s = tokens [0]. start;

10 if(json_len > 0 && input[s+0] == �K�){11 if(json_len > 1 && input[s+1] == �A�){12 if(json_len > 2 && input[s+2] == �F�){13 if(json_len > 3 && input[s+3] == �L�){14 panic(KERN_INFO "KAFL ...\n");15 }}}}}16 }

Listing 2: The JSON parser kernel module used for thecoverage benchmarks.

We performed five repeated experiments for each op-erating system. Additionally we tested TriforceAFL withthe Linux target driver. TriforceAFL is unable to fuzzWindows and macOS. To compare TriforceAFL withkAFL, the associated TriforceLinuxSyscallFuzzer wasslightly modified to work with our vulnerable Linux ker-nel module. Unfortunately, it was not possible to com-pare kAFL against Oracle’s file system fuzzer [34] dueto technical issues with its setup.

During each run, we fuzzed the JSON parser for 30minutes. The averaged and rounded results are displayedin Table 1. As we can see, the performance of kAFLis very similar across different systems. It should be re-marked that the variance in this experiment is rather high

11http://zserge.com/jsmn.html

Evaluation Driver

Performance

Intel i7-6700 / 32GB DDR4

Coverage

kAFL: ▪5-7 minutes

TriforceAFL: ▪~2 hours

Conclusion

▪Intel PT and virtualization for feedback fuzzing ▪Fast ▪OS independence (x86-64) ▪Reliable and long-term ▪Fully extensible

▪High bug yield for kernel fuzzing ▪Opportunities for further fuzzing

https://github.com/RUB-SysSec/kAFL

kAFL: Hardware-Assisted Feedback Fuzzing for OS · PDF filehtml5 VLC FreeBSD syscons John the...

Documents

ASSISTED RECOVERY’S

Animal-assisted therapy and equine-assisted therapy ... · Animal-assisted therapy (AAT) and equine-assisted therapy/learning (EAT/L) are innovative techniques in counselling, psychotherapy,

Assisted Connections

Comparison of steam-assisted versus microwave-assisted

kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernelsei.rub.de/media/emma/veroeffentlichungen/2017/08/16/usenix17-kAFL.pdf · kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels

Benefit Solutions Outsourcing - KAFL Inc · Benefit Solutions Outsourcing Flexible partnership options for today’s financial professionals. Our Job is to Make Yours Easier Insurance

Eiland Assisted Living CenterEiland Assisted Living Center · 2019-10-31 · Eiland Assisted Living CenterEiland Assisted Living Center November 2019 Activity Highlights Check back

A Computer-Assisted Test for Accessible Computer-Assisted Assessment

Assisted Information

Microscopically-assisted Open Structure Rhinoplasty€¦ · Microscopically-Assisted Open Structure Rhinoplasty ... used throughout the whole procedure. ... Microscopically-assisted

Express Issue Impairment Guide - KAFL Inc › ... › uploads › 2016 › 10 › Securian-Express-Impairmen… · Express Issue Impairment Guide Life Insurance Insurance products

Effect of ultrasonic-assisted and microwave-assisted

HTML5 CSS3 - · PDF fileHTML5 & CSS3 by Steve Smith - Ordered List, Sidebar Creative FoWD:NYC 2009 Demo files available for download at:

Assisted reproduction

Running head: ANIMAL-ASSISTED THERAPY i ANIMAL-ASSISTED

Assisted Living

HTML5 Game Engine - web.wpi.edu · PDF fileHTML5 GAME ENGINE A Major Qualifying ... build top-down adventure games without knowing how to program. ... those with the appropriate technical

RESIDENT'S GUIDE ASSISTED LIVING - Assisted Living 411

Assisted Suicide

HTML5 Games with CreateJS - David K - · PDF fileHTML5 Games with CreateJS TWITTER: @DAVID_KELLEHER DAVIDK.NET/GAME