Upload
trinhdat
View
224
Download
5
Embed Size (px)
Citation preview
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Sergej Schumilo1, Cornelius Aschermann1, Robert Gawlik1, Sebastian Schinzel2, Thorsten Holz1 1Ruhr-Universität Bochum, 2Münster University of Applied Sciences
2
MotivationIJG jpeg libjpeg-turbo libpng libtiff mozjpeg PHP Mozilla Firefox Internet Explorer PCRE sqlite OpenSSL LibreOffice poppler freetype GnuTLS GnuPG PuTTY ntpd nginx bash tcpdump JavaScriptCore pdfium ffmpeg libmatroska libarchive ImageMagick BIND QEMU lcms Adobe Flash Oracle BerkeleyDB Android libstagefright iOS ImageIO FLAC audio library libsndfile less lesspipe strings file dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn1OpenBSD pfctl NetBSD bpf man mandocIDA Pro clamav
libxml2glibc clang llvmnasm ctags mutt procmail fontconfig pdksh Qt wavpack OpenSSH redis lua-cmsgpack taglib privoxy perl libxmp radare2 SleuthKit fwknop X.Org exifprobe jhead capnproto Xerces-C metacam djvulibre exiv Linux btrfs Knot DNS curl
wpa_supplicant Apple Safari libde265 dnsmasq libbpg lame libwmf uudecode MuPDF imlib2 libraw libbson libsass yara W3C tidy-html5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd Mozilla NSS Nettle mbed TLS Linux netlink Linux ext4 Linux xfs botan expat Adobe Reader libav libical OpenBSD kernel collectd libidn
MatrixSSL jasperMaraDNS w3m Xen OpenH232 irssi cmark OpenCV Malheur gstreamer Tor gdk-pixbuf audiofilezstd lz4 stb cJSON libpcre MySQL gnulib openexr libmad ettercap lrzip freetds Asterisk ytnefraptor mpg123 exempi libgmime pev v8 sed awk make
m4 yacc PHP ImageMagick freedesktop.org patch libtasn1 libvorbis zsh lua ninja ruby busybox gcrypt vim Tor poppler libopus BSD sh gcc qemu w3m zsh dropbear wireshark libtorrent git rust gravity e2fsprogs parrot lodepng json-glib cabextract libmspack qprint gpsbabel dmg2img antiword arj unrar unace zoo rzip lrzip libiso libtta duktape splint zpaq assimp cppcheck fasm catdoc pngcrush cmark p7zip libjbig2 aaphoto t1utils apngopt sqlparser mdp libtinyxml freexl bgpparser testdisk photorec btcd gumbo chaiscript teseq colcrt pttbbs capstone dex2oat pillow elftoolchain aribas universal-ctags uriparser jq lha xdelta gnuplot libwpd
teseq cimg libiberty policycoreutils libsemanage renoise metapixel openclone mp3splt podofo Apache httpd glslang UEFITool libcbor lldpd pngquant muparserx mochilo pyhocon sysdig Overpass-API fish-shell gumbo-parser mapbox-gl-native rapidjson
libjson FLIF MultiMarkdown astyle pax-utils zziplib PyPDF spiffing apk pgpdump icoutils msitools dosfstools
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
2
MotivationIJG jpeg libjpeg-turbo libpng libtiff mozjpeg PHP Mozilla Firefox Internet Explorer PCRE sqlite OpenSSL LibreOffice poppler freetype GnuTLS GnuPG PuTTY ntpd nginx bash tcpdump JavaScriptCore pdfium ffmpeg libmatroska libarchive ImageMagick BIND QEMU lcms Adobe Flash Oracle BerkeleyDB Android libstagefright iOS ImageIO FLAC audio library libsndfile less lesspipe strings file dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn1OpenBSD pfctl NetBSD bpf man mandocIDA Pro clamav
libxml2glibc clang llvmnasm ctags mutt procmail fontconfig pdksh Qt wavpack OpenSSH redis lua-cmsgpack taglib privoxy perl libxmp radare2 SleuthKit fwknop X.Org exifprobe jhead capnproto Xerces-C metacam djvulibre exiv Linux btrfs Knot DNS curl
wpa_supplicant Apple Safari libde265 dnsmasq libbpg lame libwmf uudecode MuPDF imlib2 libraw libbson libsass yara W3C tidy-html5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd Mozilla NSS Nettle mbed TLS Linux netlink Linux ext4 Linux xfs botan expat Adobe Reader libav libical OpenBSD kernel collectd libidn
MatrixSSL jasperMaraDNS w3m Xen OpenH232 irssi cmark OpenCV Malheur gstreamer Tor gdk-pixbuf audiofilezstd lz4 stb cJSON libpcre MySQL gnulib openexr libmad ettercap lrzip freetds Asterisk ytnefraptor mpg123 exempi libgmime pev v8 sed awk make
m4 yacc PHP ImageMagick freedesktop.org patch libtasn1 libvorbis zsh lua ninja ruby busybox gcrypt vim Tor poppler libopus BSD sh gcc qemu w3m zsh dropbear wireshark libtorrent git rust gravity e2fsprogs parrot lodepng json-glib cabextract libmspack qprint gpsbabel dmg2img antiword arj unrar unace zoo rzip lrzip libiso libtta duktape splint zpaq assimp cppcheck fasm catdoc pngcrush cmark p7zip libjbig2 aaphoto t1utils apngopt sqlparser mdp libtinyxml freexl bgpparser testdisk photorec btcd gumbo chaiscript teseq colcrt pttbbs capstone dex2oat pillow elftoolchain aribas universal-ctags uriparser jq lha xdelta gnuplot libwpd
teseq cimg libiberty policycoreutils libsemanage renoise metapixel openclone mp3splt podofo Apache httpd glslang UEFITool libcbor lldpd pngquant muparserx mochilo pyhocon sysdig Overpass-API fish-shell gumbo-parser mapbox-gl-native rapidjson
libjson FLIF MultiMarkdown astyle pax-utils zziplib PyPDF spiffing apk pgpdump icoutils msitools dosfstools
Internet Explorer
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
2
MotivationIJG jpeg libjpeg-turbo libpng libtiff mozjpeg PHP Mozilla Firefox Internet Explorer PCRE sqlite OpenSSL LibreOffice poppler freetype GnuTLS GnuPG PuTTY ntpd nginx bash tcpdump JavaScriptCore pdfium ffmpeg libmatroska libarchive ImageMagick BIND QEMU lcms Adobe Flash Oracle BerkeleyDB Android libstagefright iOS ImageIO FLAC audio library libsndfile less lesspipe strings file dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn1OpenBSD pfctl NetBSD bpf man mandocIDA Pro clamav
libxml2glibc clang llvmnasm ctags mutt procmail fontconfig pdksh Qt wavpack OpenSSH redis lua-cmsgpack taglib privoxy perl libxmp radare2 SleuthKit fwknop X.Org exifprobe jhead capnproto Xerces-C metacam djvulibre exiv Linux btrfs Knot DNS curl
wpa_supplicant Apple Safari libde265 dnsmasq libbpg lame libwmf uudecode MuPDF imlib2 libraw libbson libsass yara W3C tidy-html5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd Mozilla NSS Nettle mbed TLS Linux netlink Linux ext4 Linux xfs botan expat Adobe Reader libav libical OpenBSD kernel collectd libidn
MatrixSSL jasperMaraDNS w3m Xen OpenH232 irssi cmark OpenCV Malheur gstreamer Tor gdk-pixbuf audiofilezstd lz4 stb cJSON libpcre MySQL gnulib openexr libmad ettercap lrzip freetds Asterisk ytnefraptor mpg123 exempi libgmime pev v8 sed awk make
m4 yacc PHP ImageMagick freedesktop.org patch libtasn1 libvorbis zsh lua ninja ruby busybox gcrypt vim Tor poppler libopus BSD sh gcc qemu w3m zsh dropbear wireshark libtorrent git rust gravity e2fsprogs parrot lodepng json-glib cabextract libmspack qprint gpsbabel dmg2img antiword arj unrar unace zoo rzip lrzip libiso libtta duktape splint zpaq assimp cppcheck fasm catdoc pngcrush cmark p7zip libjbig2 aaphoto t1utils apngopt sqlparser mdp libtinyxml freexl bgpparser testdisk photorec btcd gumbo chaiscript teseq colcrt pttbbs capstone dex2oat pillow elftoolchain aribas universal-ctags uriparser jq lha xdelta gnuplot libwpd
teseq cimg libiberty policycoreutils libsemanage renoise metapixel openclone mp3splt podofo Apache httpd glslang UEFITool libcbor lldpd pngquant muparserx mochilo pyhocon sysdig Overpass-API fish-shell gumbo-parser mapbox-gl-native rapidjson
libjson FLIF MultiMarkdown astyle pax-utils zziplib PyPDF spiffing apk pgpdump icoutils msitools dosfstools
Internet ExplorerAdobe Flash
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
2
MotivationIJG jpeg libjpeg-turbo libpng libtiff mozjpeg PHP Mozilla Firefox Internet Explorer PCRE sqlite OpenSSL LibreOffice poppler freetype GnuTLS GnuPG PuTTY ntpd nginx bash tcpdump JavaScriptCore pdfium ffmpeg libmatroska libarchive ImageMagick BIND QEMU lcms Adobe Flash Oracle BerkeleyDB Android libstagefright iOS ImageIO FLAC audio library libsndfile less lesspipe strings file dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn1OpenBSD pfctl NetBSD bpf man mandocIDA Pro clamav
libxml2glibc clang llvmnasm ctags mutt procmail fontconfig pdksh Qt wavpack OpenSSH redis lua-cmsgpack taglib privoxy perl libxmp radare2 SleuthKit fwknop X.Org exifprobe jhead capnproto Xerces-C metacam djvulibre exiv Linux btrfs Knot DNS curl
wpa_supplicant Apple Safari libde265 dnsmasq libbpg lame libwmf uudecode MuPDF imlib2 libraw libbson libsass yara W3C tidy-html5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd Mozilla NSS Nettle mbed TLS Linux netlink Linux ext4 Linux xfs botan expat Adobe Reader libav libical OpenBSD kernel collectd libidn
MatrixSSL jasperMaraDNS w3m Xen OpenH232 irssi cmark OpenCV Malheur gstreamer Tor gdk-pixbuf audiofilezstd lz4 stb cJSON libpcre MySQL gnulib openexr libmad ettercap lrzip freetds Asterisk ytnefraptor mpg123 exempi libgmime pev v8 sed awk make
m4 yacc PHP ImageMagick freedesktop.org patch libtasn1 libvorbis zsh lua ninja ruby busybox gcrypt vim Tor poppler libopus BSD sh gcc qemu w3m zsh dropbear wireshark libtorrent git rust gravity e2fsprogs parrot lodepng json-glib cabextract libmspack qprint gpsbabel dmg2img antiword arj unrar unace zoo rzip lrzip libiso libtta duktape splint zpaq assimp cppcheck fasm catdoc pngcrush cmark p7zip libjbig2 aaphoto t1utils apngopt sqlparser mdp libtinyxml freexl bgpparser testdisk photorec btcd gumbo chaiscript teseq colcrt pttbbs capstone dex2oat pillow elftoolchain aribas universal-ctags uriparser jq lha xdelta gnuplot libwpd
teseq cimg libiberty policycoreutils libsemanage renoise metapixel openclone mp3splt podofo Apache httpd glslang UEFITool libcbor lldpd pngquant muparserx mochilo pyhocon sysdig Overpass-API fish-shell gumbo-parser mapbox-gl-native rapidjson
libjson FLIF MultiMarkdown astyle pax-utils zziplib PyPDF spiffing apk pgpdump icoutils msitools dosfstools
OpenSSH
Internet ExplorerAdobe Flash
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
2
MotivationIJG jpeg libjpeg-turbo libpng libtiff mozjpeg PHP Mozilla Firefox Internet Explorer PCRE sqlite OpenSSL LibreOffice poppler freetype GnuTLS GnuPG PuTTY ntpd nginx bash tcpdump JavaScriptCore pdfium ffmpeg libmatroska libarchive ImageMagick BIND QEMU lcms Adobe Flash Oracle BerkeleyDB Android libstagefright iOS ImageIO FLAC audio library libsndfile less lesspipe strings file dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn1OpenBSD pfctl NetBSD bpf man mandocIDA Pro clamav
libxml2glibc clang llvmnasm ctags mutt procmail fontconfig pdksh Qt wavpack OpenSSH redis lua-cmsgpack taglib privoxy perl libxmp radare2 SleuthKit fwknop X.Org exifprobe jhead capnproto Xerces-C metacam djvulibre exiv Linux btrfs Knot DNS curl
wpa_supplicant Apple Safari libde265 dnsmasq libbpg lame libwmf uudecode MuPDF imlib2 libraw libbson libsass yara W3C tidy-html5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd Mozilla NSS Nettle mbed TLS Linux netlink Linux ext4 Linux xfs botan expat Adobe Reader libav libical OpenBSD kernel collectd libidn
MatrixSSL jasperMaraDNS w3m Xen OpenH232 irssi cmark OpenCV Malheur gstreamer Tor gdk-pixbuf audiofilezstd lz4 stb cJSON libpcre MySQL gnulib openexr libmad ettercap lrzip freetds Asterisk ytnefraptor mpg123 exempi libgmime pev v8 sed awk make
m4 yacc PHP ImageMagick freedesktop.org patch libtasn1 libvorbis zsh lua ninja ruby busybox gcrypt vim Tor poppler libopus BSD sh gcc qemu w3m zsh dropbear wireshark libtorrent git rust gravity e2fsprogs parrot lodepng json-glib cabextract libmspack qprint gpsbabel dmg2img antiword arj unrar unace zoo rzip lrzip libiso libtta duktape splint zpaq assimp cppcheck fasm catdoc pngcrush cmark p7zip libjbig2 aaphoto t1utils apngopt sqlparser mdp libtinyxml freexl bgpparser testdisk photorec btcd gumbo chaiscript teseq colcrt pttbbs capstone dex2oat pillow elftoolchain aribas universal-ctags uriparser jq lha xdelta gnuplot libwpd
teseq cimg libiberty policycoreutils libsemanage renoise metapixel openclone mp3splt podofo Apache httpd glslang UEFITool libcbor lldpd pngquant muparserx mochilo pyhocon sysdig Overpass-API fish-shell gumbo-parser mapbox-gl-native rapidjson
libjson FLIF MultiMarkdown astyle pax-utils zziplib PyPDF spiffing apk pgpdump icoutils msitools dosfstools
OpenSSH
Internet Explorer
Apple Safari
Adobe Flash
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
2
MotivationIJG jpeg libjpeg-turbo libpng libtiff mozjpeg PHP Mozilla Firefox Internet Explorer PCRE sqlite OpenSSL LibreOffice poppler freetype GnuTLS GnuPG PuTTY ntpd nginx bash tcpdump JavaScriptCore pdfium ffmpeg libmatroska libarchive ImageMagick BIND QEMU lcms Adobe Flash Oracle BerkeleyDB Android libstagefright iOS ImageIO FLAC audio library libsndfile less lesspipe strings file dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn1OpenBSD pfctl NetBSD bpf man mandocIDA Pro clamav
libxml2glibc clang llvmnasm ctags mutt procmail fontconfig pdksh Qt wavpack OpenSSH redis lua-cmsgpack taglib privoxy perl libxmp radare2 SleuthKit fwknop X.Org exifprobe jhead capnproto Xerces-C metacam djvulibre exiv Linux btrfs Knot DNS curl
wpa_supplicant Apple Safari libde265 dnsmasq libbpg lame libwmf uudecode MuPDF imlib2 libraw libbson libsass yara W3C tidy-html5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd Mozilla NSS Nettle mbed TLS Linux netlink Linux ext4 Linux xfs botan expat Adobe Reader libav libical OpenBSD kernel collectd libidn
MatrixSSL jasperMaraDNS w3m Xen OpenH232 irssi cmark OpenCV Malheur gstreamer Tor gdk-pixbuf audiofilezstd lz4 stb cJSON libpcre MySQL gnulib openexr libmad ettercap lrzip freetds Asterisk ytnefraptor mpg123 exempi libgmime pev v8 sed awk make
m4 yacc PHP ImageMagick freedesktop.org patch libtasn1 libvorbis zsh lua ninja ruby busybox gcrypt vim Tor poppler libopus BSD sh gcc qemu w3m zsh dropbear wireshark libtorrent git rust gravity e2fsprogs parrot lodepng json-glib cabextract libmspack qprint gpsbabel dmg2img antiword arj unrar unace zoo rzip lrzip libiso libtta duktape splint zpaq assimp cppcheck fasm catdoc pngcrush cmark p7zip libjbig2 aaphoto t1utils apngopt sqlparser mdp libtinyxml freexl bgpparser testdisk photorec btcd gumbo chaiscript teseq colcrt pttbbs capstone dex2oat pillow elftoolchain aribas universal-ctags uriparser jq lha xdelta gnuplot libwpd
teseq cimg libiberty policycoreutils libsemanage renoise metapixel openclone mp3splt podofo Apache httpd glslang UEFITool libcbor lldpd pngquant muparserx mochilo pyhocon sysdig Overpass-API fish-shell gumbo-parser mapbox-gl-native rapidjson
libjson FLIF MultiMarkdown astyle pax-utils zziplib PyPDF spiffing apk pgpdump icoutils msitools dosfstools
OpenSSH
Internet Explorer
Apple SafariAdobe Reader
Adobe Flash
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
2
MotivationIJG jpeg libjpeg-turbo libpng libtiff mozjpeg PHP Mozilla Firefox Internet Explorer PCRE sqlite OpenSSL LibreOffice poppler freetype GnuTLS GnuPG PuTTY ntpd nginx bash tcpdump JavaScriptCore pdfium ffmpeg libmatroska libarchive ImageMagick BIND QEMU lcms Adobe Flash Oracle BerkeleyDB Android libstagefright iOS ImageIO FLAC audio library libsndfile less lesspipe strings file dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn1OpenBSD pfctl NetBSD bpf man mandocIDA Pro clamav
libxml2glibc clang llvmnasm ctags mutt procmail fontconfig pdksh Qt wavpack OpenSSH redis lua-cmsgpack taglib privoxy perl libxmp radare2 SleuthKit fwknop X.Org exifprobe jhead capnproto Xerces-C metacam djvulibre exiv Linux btrfs Knot DNS curl
wpa_supplicant Apple Safari libde265 dnsmasq libbpg lame libwmf uudecode MuPDF imlib2 libraw libbson libsass yara W3C tidy-html5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd Mozilla NSS Nettle mbed TLS Linux netlink Linux ext4 Linux xfs botan expat Adobe Reader libav libical OpenBSD kernel collectd libidn
MatrixSSL jasperMaraDNS w3m Xen OpenH232 irssi cmark OpenCV Malheur gstreamer Tor gdk-pixbuf audiofilezstd lz4 stb cJSON libpcre MySQL gnulib openexr libmad ettercap lrzip freetds Asterisk ytnefraptor mpg123 exempi libgmime pev v8 sed awk make
m4 yacc PHP ImageMagick freedesktop.org patch libtasn1 libvorbis zsh lua ninja ruby busybox gcrypt vim Tor poppler libopus BSD sh gcc qemu w3m zsh dropbear wireshark libtorrent git rust gravity e2fsprogs parrot lodepng json-glib cabextract libmspack qprint gpsbabel dmg2img antiword arj unrar unace zoo rzip lrzip libiso libtta duktape splint zpaq assimp cppcheck fasm catdoc pngcrush cmark p7zip libjbig2 aaphoto t1utils apngopt sqlparser mdp libtinyxml freexl bgpparser testdisk photorec btcd gumbo chaiscript teseq colcrt pttbbs capstone dex2oat pillow elftoolchain aribas universal-ctags uriparser jq lha xdelta gnuplot libwpd
teseq cimg libiberty policycoreutils libsemanage renoise metapixel openclone mp3splt podofo Apache httpd glslang UEFITool libcbor lldpd pngquant muparserx mochilo pyhocon sysdig Overpass-API fish-shell gumbo-parser mapbox-gl-native rapidjson
libjson FLIF MultiMarkdown astyle pax-utils zziplib PyPDF spiffing apk pgpdump icoutils msitools dosfstools
OpenSSH
Internet Explorer
Apple SafariAdobe Reader
Wireshark
Adobe Flash
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
2
MotivationIJG jpeg libjpeg-turbo libpng libtiff mozjpeg PHP Mozilla Firefox Internet Explorer PCRE sqlite OpenSSL LibreOffice poppler freetype GnuTLS GnuPG PuTTY ntpd nginx bash tcpdump JavaScriptCore pdfium ffmpeg libmatroska libarchive ImageMagick BIND QEMU lcms Adobe Flash Oracle BerkeleyDB Android libstagefright iOS ImageIO FLAC audio library libsndfile less lesspipe strings file dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn1OpenBSD pfctl NetBSD bpf man mandocIDA Pro clamav
libxml2glibc clang llvmnasm ctags mutt procmail fontconfig pdksh Qt wavpack OpenSSH redis lua-cmsgpack taglib privoxy perl libxmp radare2 SleuthKit fwknop X.Org exifprobe jhead capnproto Xerces-C metacam djvulibre exiv Linux btrfs Knot DNS curl
wpa_supplicant Apple Safari libde265 dnsmasq libbpg lame libwmf uudecode MuPDF imlib2 libraw libbson libsass yara W3C tidy-html5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd Mozilla NSS Nettle mbed TLS Linux netlink Linux ext4 Linux xfs botan expat Adobe Reader libav libical OpenBSD kernel collectd libidn
MatrixSSL jasperMaraDNS w3m Xen OpenH232 irssi cmark OpenCV Malheur gstreamer Tor gdk-pixbuf audiofilezstd lz4 stb cJSON libpcre MySQL gnulib openexr libmad ettercap lrzip freetds Asterisk ytnefraptor mpg123 exempi libgmime pev v8 sed awk make
m4 yacc PHP ImageMagick freedesktop.org patch libtasn1 libvorbis zsh lua ninja ruby busybox gcrypt vim Tor poppler libopus BSD sh gcc qemu w3m zsh dropbear wireshark libtorrent git rust gravity e2fsprogs parrot lodepng json-glib cabextract libmspack qprint gpsbabel dmg2img antiword arj unrar unace zoo rzip lrzip libiso libtta duktape splint zpaq assimp cppcheck fasm catdoc pngcrush cmark p7zip libjbig2 aaphoto t1utils apngopt sqlparser mdp libtinyxml freexl bgpparser testdisk photorec btcd gumbo chaiscript teseq colcrt pttbbs capstone dex2oat pillow elftoolchain aribas universal-ctags uriparser jq lha xdelta gnuplot libwpd
teseq cimg libiberty policycoreutils libsemanage renoise metapixel openclone mp3splt podofo Apache httpd glslang UEFITool libcbor lldpd pngquant muparserx mochilo pyhocon sysdig Overpass-API fish-shell gumbo-parser mapbox-gl-native rapidjson
libjson FLIF MultiMarkdown astyle pax-utils zziplib PyPDF spiffing apk pgpdump icoutils msitools dosfstools
OpenSSH
Internet Explorer
Apple SafariAdobe Reader
Wireshark
Apache httpd
Adobe Flash
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
3
Stephens, Nick, et al. "Driller: Augmenting Fuzzing Through Selective Symbolic Execution." Proceedings of the Network and Distributed System Security Symposium (NDSS). 2016.
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Rawat, Sanjay, et al. "Vuzzer: Application-aware evolutionary fuzzing.“ Proceedings of the Network and Distributed System Security Symposium (NDSS). 2017.
Böhme, Marcel, et al. "Coverage-based greybox fuzzing as markov chain." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM. 2016.
Motivation
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels4
Motivation
What about Kernel Security?
5
Related Work
Fast Crash Tolerant OS Independent Binary Only
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
5
Related Work
Fast Crash Tolerant OS Independent Binary Only
TriforceAFL (Jesse Hertz & Tim Newsham, NCC Group)
✗ ✓ ~ ✓
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
5
Related Work
Fast Crash Tolerant OS Independent Binary Only
TriforceAFL (Jesse Hertz & Tim Newsham, NCC Group)
✗ ✓ ~ ✓
Syzkaller (Dmitry Vyukov) ✓ ✓ ✗ ✗
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
5
Related Work
Fast Crash Tolerant OS Independent Binary Only
TriforceAFL (Jesse Hertz & Tim Newsham, NCC Group)
✗ ✓ ~ ✓
Syzkaller (Dmitry Vyukov) ✓ ✓ ✗ ✗AFL Filesystem Fuzzer (Vegard Nossum & Quentin Casanovas, Oracle)
✓ ~ ✗ ✗
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
5
Related Work
Fast Crash Tolerant OS Independent Binary Only
TriforceAFL (Jesse Hertz & Tim Newsham, NCC Group)
✗ ✓ ~ ✓
Syzkaller (Dmitry Vyukov) ✓ ✓ ✗ ✗AFL Filesystem Fuzzer (Vegard Nossum & Quentin Casanovas, Oracle)
✓ ~ ✗ ✗
PT Kernel Fuzzer (Richard Johnson, Talos) ✓ ✗ ✗ ✓
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
6
Goal
Build a kernel fuzzer that is all of this:
▪Fast ▪Reliable ▪(mostly) OS independent ▪No source level access required
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Fuzzing in a nutshell
8
Fuzzing in a nutshell
Fuzzer Target
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
8
Fuzzing in a nutshell
Fuzzer Target
Inputs
Grammar
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
8
Fuzzing in a nutshell
Fuzzer Target
Inputs
Grammar
Randomized Inputs
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
8
Fuzzing in a nutshell
Fuzzer Target
Inputs
Grammar
Randomized Inputs
Feedback
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
9
Blackbox Fuzzing
Target
exit
"EFG"
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
9
Blackbox Fuzzing
Target
exit
"TZG"
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
9
Blackbox Fuzzing
Target
"ABC"
CrashkAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Coverage-Guided Fuzzing
11
Coverage-Guided Fuzzing
input[0] == 'A'
input[2] == 'C'
exit()
input[1] == 'B'
crash()
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
11
Coverage-Guided Fuzzing
input[0] == 'A'
input[2] == 'C'
exit()
input[1] == 'B'
crash() exit()
input[0] == 'A'ZZZZ
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
11
Coverage-Guided Fuzzing
input[0] == 'A'
input[2] == 'C'
exit()
input[1] == 'B'
crash() exit()
input[1] == 'B'
input[0] == 'A'AAAA
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
11
Coverage-Guided Fuzzing
input[0] == 'A'
input[2] == 'C'
exit()
input[1] == 'B'
crash() exit()
input[2] == 'C'
input[1] == 'B'
input[0] == 'A'ABBG
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
11
Coverage-Guided Fuzzing
input[0] == 'A'
input[2] == 'C'
exit()
input[1] == 'B'
crash()crash()
input[2] == 'C'
input[1] == 'B'
input[0] == 'A'ABCJ
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
11
Coverage-Guided Fuzzing
input[0] == 'A'
input[2] == 'C'
exit()
input[1] == 'B'
crash()
AFL stores transitions in a bitmap
crash()
input[2] == 'C'
input[1] == 'B'
input[0] == 'A'ABCJ
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
12
Feedback MechanismClosed-Source Kernel Stable Fast
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
12
Feedback MechanismClosed-Source Kernel Stable Fast
Compile-Time Instrumentation ✗ ✓ ✓ ++
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
12
Feedback MechanismClosed-Source Kernel Stable Fast
Compile-Time Instrumentation ✗ ✓ ✓ ++Static Rewriting ✓ - ✗ ++
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
12
Feedback MechanismClosed-Source Kernel Stable Fast
Compile-Time Instrumentation ✗ ✓ ✓ ++Static Rewriting ✓ - ✗ ++Dynamic Binary Instrumentation ✓ -* ✓ -
* Peter Feiner, et al., DRK: DynamoRIO as a Linux Kernel Module
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
12
Feedback MechanismClosed-Source Kernel Stable Fast
Compile-Time Instrumentation ✗ ✓ ✓ ++Static Rewriting ✓ - ✗ ++Dynamic Binary Instrumentation ✓ -* ✓ -Emulation ✓ ✓ ✓ - -
* Peter Feiner, et al., DRK: DynamoRIO as a Linux Kernel Module
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
12
Feedback MechanismClosed-Source Kernel Stable Fast
Compile-Time Instrumentation ✗ ✓ ✓ ++Static Rewriting ✓ - ✗ ++Dynamic Binary Instrumentation ✓ -* ✓ -Emulation ✓ ✓ ✓ - -Intel Branch Trace Store ✓ ✓ ✓ +
* Peter Feiner, et al., DRK: DynamoRIO as a Linux Kernel Module
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
12
Feedback MechanismClosed-Source Kernel Stable Fast
Compile-Time Instrumentation ✗ ✓ ✓ ++Static Rewriting ✓ - ✗ ++Dynamic Binary Instrumentation ✓ -* ✓ -Emulation ✓ ✓ ✓ - -Intel Branch Trace Store ✓ ✓ ✓ +Intel Processor Trace ✓ ✓ ✓ +++
* Peter Feiner, et al., DRK: DynamoRIO as a Linux Kernel Module
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Intel Processor Trace
14
Intel Processor Trace
Instruction Intel PT Packet
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
14
Intel Processor Trace
Instruction Intel PT Packet
jmp/call loc_b Inferable from disassembly
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
14
Intel Processor Trace
Instruction Intel PT Packet
jmp/call loc_b Inferable from disassembly
jnz loc_a Taken / Not Taken
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
14
Intel Processor Trace
Instruction Intel PT Packet
jmp/call loc_b Inferable from disassembly
jnz loc_a Taken / Not Taken
jmp/call [eax] Target IP
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
14
Intel Processor Trace
Instruction Intel PT Packet
jmp/call loc_b Inferable from disassembly
jnz loc_a Taken / Not Taken
jmp/call [eax] Target IP
ret Target IP (if required)
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
15
Intel Processor Trace
Intel PT Data
Not TakenTarget IP (0x1009)Target IP (0x1055)
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
15
Intel Processor Trace
Intel PT Data
Not TakenTarget IP (0x1009)Target IP (0x1055)
Target Binary
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
15
Intel Processor Trace
Intel PT Data
Not TakenTarget IP (0x1009)Target IP (0x1055)
Target Binary
Traces
0x10000x10040x1009
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
15
Intel Processor Trace
Intel PT Data
Not TakenTarget IP (0x1009)Target IP (0x1055)
Target Binary
Traces
0x10000x10040x1009
Transitions
0x0000 / 0x10000x1000 / 0x10040x1004 / 0x1009
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
15
Intel Processor Trace
Intel PT Data
Not TakenTarget IP (0x1009)Target IP (0x1055)
Target Binary
Traces
0x10000x10040x1009
Transitions
0x0000 / 0x10000x1000 / 0x10040x1004 / 0x1009
AFL Bitmap
011001010010
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Architecture
17
Architecture
Kernel
AgentFuzzer
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
17
Architecture
Kernel
AgentFuzzer
Intel PT Driver
coverage
Benefits:✓Coverage
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
17
Architecture
Kernel
AgentFuzzer
Intel PT Driver
coverage
Benefits:✓Coverage
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
17
Architecture
Kernel
AgentFuzzer
Intel PT Driver
coverage
Benefits:✓Coverage
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
17
Architecture
Virtual Machine
Kernel
AgentFuzzer
Intel PT Driver
coverage
Benefits:✓Coverage✓Crash Tolerance
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
17
Architecture
Virtual Machine
Kernel
AgentFuzzer
Intel PT Driver
coverage
Benefits:✓Coverage✓Crash Tolerance✓OS Independence
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
17
Architecture
Virtual Machine
Kernel
AgentFuzzer
Intel PT Driver
coverage
Benefits:✓Coverage✓Crash Tolerance✓OS Independence✓Scalable
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
18
Trace Filtering
Virtual Machine
Kernel
AgentFuzzer
Intel PT Driver
coverage
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
18
Trace Filtering
Virtual Machine
Kernel
AgentFuzzer
Intel PT Driver
coverage
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Full System Tracing
18
Trace Filtering
Virtual Machine
Kernel
AgentFuzzer
Intel PT Driver
coverage
Intel PT aware Hypervisor
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
✓vCPUFilter-Mechanisms:
vCPU Tracing
18
Trace Filtering
Virtual Machine
Kernel
AgentFuzzer
Intel PT Driver
coverage
Intel PT aware Hypervisor
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
✓vCPU✓Supervisor
Filter-Mechanisms:
Guest Ring-0 Tracing
18
Trace Filtering
Virtual Machine
Kernel
AgentFuzzer
Intel PT Driver
coverage
Intel PT aware Hypervisor
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
✓vCPU✓Supervisor
Filter-Mechanisms:
Guest Ring-0 Tracing
Kernel Space
User Space
0xFFFFFFFFFFFFFFFF
0x0000000000000000
syscall
18
Trace Filtering
Virtual Machine
Kernel
AgentFuzzer
Intel PT Driver
coverage
Intel PT aware Hypervisor
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
✓vCPU✓Supervisor✓CR3
Filter-Mechanisms:
Guest Ring-0 Tracing (Fuzzing-Process)
18
Trace Filtering
Virtual Machine
Kernel
AgentFuzzer
Intel PT Driver
coverage
Intel PT aware Hypervisor
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
✓vCPU✓Supervisor✓CR3✓IP-Range
Filter-Mechanisms:
Guest Ring-0 Tracing (Fuzzing-Process & Target Range)
19
Inter-VM Communication
Virtual Machine
Intel PT Driver
coverage
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Kernel
AgentFuzzer
Intel PT aware Hypervisor
19
Inter-VM Communication
Virtual Machine
Intel PT Driver
coverage
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Kernel
AgentFuzzer
Intel PT aware Hypervisor
19
Inter-VM Communication
Virtual Machine
Intel PT Driver
coverage
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Guest to Host:
Kernel
AgentFuzzer
Intel PT aware Hypervisor
19
Inter-VM Communication
Virtual Machine
Intel PT Driver
coverage
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Guest to Host:▪Synchronization
Kernel
AgentFuzzer
Intel PT aware Hypervisor
19
Inter-VM Communication
Virtual Machine
Intel PT Driver
coverage
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Guest to Host:▪Synchronization▪Next payload
Kernel
AgentFuzzer
Intel PT aware Hypervisor
19
Inter-VM Communication
Virtual Machine
Intel PT Driver
coverage
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Guest to Host:▪Synchronization▪Next payload▪Disclose CR3 value
Kernel
AgentFuzzer
Intel PT aware Hypervisor
19
Inter-VM Communication
Virtual Machine
Intel PT Driver
coverage
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Guest to Host:▪Synchronization▪Next payload▪Disclose CR3 value▪Panic handler address Kernel
AgentFuzzer
Intel PT aware Hypervisor
19
Inter-VM Communication
Virtual Machine
Intel PT Driver
coverage
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Guest to Host:▪Synchronization▪Next payload▪Disclose CR3 value▪Panic handler address▪Signal kernel panic
Kernel
AgentFuzzer
Intel PT aware Hypervisor
19
Inter-VM Communication
Virtual Machine
Intel PT Driver
coverage
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Guest to Host:▪Synchronization▪Next payload▪Disclose CR3 value▪Panic handler address▪Signal kernel panic
Host to Guest:
Kernel
AgentFuzzer
Intel PT aware Hypervisor
19
Inter-VM Communication
Virtual Machine
Intel PT Driver
coverage
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Guest to Host:▪Synchronization▪Next payload▪Disclose CR3 value▪Panic handler address▪Signal kernel panic
Host to Guest:▪Agent
Kernel
AgentFuzzer
Intel PT aware Hypervisor
19
Inter-VM Communication
Virtual Machine
Intel PT Driver
coverage
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Guest to Host:▪Synchronization▪Next payload▪Disclose CR3 value▪Panic handler address▪Signal kernel panic
Host to Guest:▪Agent▪Payloads
Kernel
AgentFuzzer
Intel PT aware Hypervisor
19
Inter-VM Communication
Virtual Machine
Intel PT Driver
coverage
Host
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Guest to Host:▪Synchronization▪Next payload▪Disclose CR3 value▪Panic handler address▪Signal kernel panic
Host to Guest:▪Agent▪Payloads▪Overwrite panic handler
Kernel
AgentFuzzer
Intel PT aware Hypervisor
20
Implementation
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
20
Implementation
CPU: ▪generates raw Intel-PT data ▪writes data to main memory
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
20
Implementation
KVM-PT: ▪configures Intel PT via MSRs ▪enables tracing during VM-Entry transition ▪disables tracing during VM-Exit transition
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
20
Implementation
QEMU-PT: ▪usermode counterpart ▪decodes Intel PT data on-the-fly
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
20
Implementation
kAFL Fuzzer: ▪generates new fuzz payloads ▪detects new behavior
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Evaluation
22
New VulnerabilitiesWindows: ▪NTFS (DoS)
macOS: ▪HFS (DoS, Memory Corruption) ▪APFS (Memory Corruption)
Linux: ▪EXT4 (DoS, Memory Corruption) ▪Keyctl (Nullpointer Dereference)
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
23
Evaluation Driver
5.4 Rediscovery of Known BugsWe evaluated kAFL on the keyctl interface, which al-lows a user space program to store and manage vari-ous kinds of key material in the kernel. More specif-ically, it features a DER (see RFC5280) parser to loadcertificates. This functionality had a known bug (CVE-2016-07583). We tested kAFL against the same interfaceon a vulnerable kernel (version 4.3.2). kAFL was ableto uncover the same problem and one additional previ-ously unknown bug that was assigned CVE-2016-86504.kAFL managed to trigger 17 unique KASan reports and15 unique panics in just one hour of execution time. Dur-ing this experiment, kAFL generated over 34 million in-puts, found 295 interesting inputs, and performed nearly9,000 executions per second. This experiment was per-formed while running 8 processes in parallel.
5.5 Detected VulnerabilitiesDuring the evaluation, kAFL found more than a thou-sand unique crashes. We evaluated some manually andfound multiple security vulnerabilities in all tested op-erating systems such as Linux, Windows, and macOS.So far, eight bugs were reported and three of them wereconfirmed by the maintainers:
• Linux: keyctl Null Pointer Dereference5 (CVE-2016-86506)
• Linux: ext4 Memory Corruption7
• Linux: ext4 Error Handling8
• Windows: NTFS Div-by-Zero9
• macOS: HFS Div-by-Zero10
• macOS: HFS Assertion Fail10
• macOS: HFS Use-After-Free10
• macOS: APFS Memory Corruption10
Red Hat has assigned a CVE number for the first re-ported security flaw, which triggers a null pointer def-erence and a partial memory corruption in the kernelASN.1 parser if an RSA certificate with a zero expo-nent is presented. For the second reported vulnerabil-ity, which triggers a memory corruption in the ext4 file
3https://access.redhat.com/security/cve/cve-2016-07584https://access.redhat.com/security/cve/cve-2016-86505http://seclists.org/fulldisclosure/2016/Nov/766https://access.redhat.com/security/cve/cve-2016-86507http://seclists.org/fulldisclosure/2016/Nov/758http://seclists.org/bugtraq/2016/Nov/19Reported to Microsoft Security.
10Reported to Apple Product Security.
system, a mainline patch was proposed. The last re-ported Linux vulnerability, which calls in the ext4 errorhandling routine panic() and hence results in a kernelpanic, was at the time of writing not investigated any fur-ther. The NTFS bug in Windows 10 is a non-recoverableerror condition which leads to a blue screen. This bugwas reported to Microsoft, but has not been confirmedyet. Similarly, Apple has not yet verified or confirmedour reported macOS bugs.
5.6 Fuzzing PerformanceWe compare the overall performance of kAFL across dif-ferent operating systems. To ensure comparable results,we created a simple driver that contains a JSON parserbased on jsmn11 for each aforementioned operating sys-tem and used it to decode user input (see Listing 2). Ifthe user input is a JSON string starting with "KAFL", acrash is triggered. We traced both the JSON parser aswell as the final check. This way kAFL was able to learncorrect JSON syntax. We measured the time used to findthe crash, the number of executions per second, and thespeed for new paths to be discovered on all three targetoperating systems.
1 jsmn_parser parser;2 jsmntok_t tokens [5];3 jsmn_init (& parser);4
5 int res=jsmn_parse (&parser , input , size , tokens , 5);6 if(res >= 2){7 if(tokens [0]. type == JSMN_STRING){8 int json_len = tokens [0]. end - tokens [0].
start;9 int s = tokens [0]. start;
10 if(json_len > 0 && input[s+0] == �K�){11 if(json_len > 1 && input[s+1] == �A�){12 if(json_len > 2 && input[s+2] == �F�){13 if(json_len > 3 && input[s+3] == �L�){14 panic(KERN_INFO "KAFL ...\n");15 }}}}}16 }
Listing 2: The JSON parser kernel module used for thecoverage benchmarks.
We performed five repeated experiments for each op-erating system. Additionally we tested TriforceAFL withthe Linux target driver. TriforceAFL is unable to fuzzWindows and macOS. To compare TriforceAFL withkAFL, the associated TriforceLinuxSyscallFuzzer wasslightly modified to work with our vulnerable Linux ker-nel module. Unfortunately, it was not possible to com-pare kAFL against Oracle’s file system fuzzer [34] dueto technical issues with its setup.
During each run, we fuzzed the JSON parser for 30minutes. The averaged and rounded results are displayedin Table 1. As we can see, the performance of kAFLis very similar across different systems. It should be re-marked that the variance in this experiment is rather high
11http://zserge.com/jsmn.html
10
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
23
Evaluation Driver
5.4 Rediscovery of Known BugsWe evaluated kAFL on the keyctl interface, which al-lows a user space program to store and manage vari-ous kinds of key material in the kernel. More specif-ically, it features a DER (see RFC5280) parser to loadcertificates. This functionality had a known bug (CVE-2016-07583). We tested kAFL against the same interfaceon a vulnerable kernel (version 4.3.2). kAFL was ableto uncover the same problem and one additional previ-ously unknown bug that was assigned CVE-2016-86504.kAFL managed to trigger 17 unique KASan reports and15 unique panics in just one hour of execution time. Dur-ing this experiment, kAFL generated over 34 million in-puts, found 295 interesting inputs, and performed nearly9,000 executions per second. This experiment was per-formed while running 8 processes in parallel.
5.5 Detected VulnerabilitiesDuring the evaluation, kAFL found more than a thou-sand unique crashes. We evaluated some manually andfound multiple security vulnerabilities in all tested op-erating systems such as Linux, Windows, and macOS.So far, eight bugs were reported and three of them wereconfirmed by the maintainers:
• Linux: keyctl Null Pointer Dereference5 (CVE-2016-86506)
• Linux: ext4 Memory Corruption7
• Linux: ext4 Error Handling8
• Windows: NTFS Div-by-Zero9
• macOS: HFS Div-by-Zero10
• macOS: HFS Assertion Fail10
• macOS: HFS Use-After-Free10
• macOS: APFS Memory Corruption10
Red Hat has assigned a CVE number for the first re-ported security flaw, which triggers a null pointer def-erence and a partial memory corruption in the kernelASN.1 parser if an RSA certificate with a zero expo-nent is presented. For the second reported vulnerabil-ity, which triggers a memory corruption in the ext4 file
3https://access.redhat.com/security/cve/cve-2016-07584https://access.redhat.com/security/cve/cve-2016-86505http://seclists.org/fulldisclosure/2016/Nov/766https://access.redhat.com/security/cve/cve-2016-86507http://seclists.org/fulldisclosure/2016/Nov/758http://seclists.org/bugtraq/2016/Nov/19Reported to Microsoft Security.
10Reported to Apple Product Security.
system, a mainline patch was proposed. The last re-ported Linux vulnerability, which calls in the ext4 errorhandling routine panic() and hence results in a kernelpanic, was at the time of writing not investigated any fur-ther. The NTFS bug in Windows 10 is a non-recoverableerror condition which leads to a blue screen. This bugwas reported to Microsoft, but has not been confirmedyet. Similarly, Apple has not yet verified or confirmedour reported macOS bugs.
5.6 Fuzzing PerformanceWe compare the overall performance of kAFL across dif-ferent operating systems. To ensure comparable results,we created a simple driver that contains a JSON parserbased on jsmn11 for each aforementioned operating sys-tem and used it to decode user input (see Listing 2). Ifthe user input is a JSON string starting with "KAFL", acrash is triggered. We traced both the JSON parser aswell as the final check. This way kAFL was able to learncorrect JSON syntax. We measured the time used to findthe crash, the number of executions per second, and thespeed for new paths to be discovered on all three targetoperating systems.
1 jsmn_parser parser;2 jsmntok_t tokens [5];3 jsmn_init (& parser);4
5 int res=jsmn_parse (&parser , input , size , tokens , 5);6 if(res >= 2){7 if(tokens [0]. type == JSMN_STRING){8 int json_len = tokens [0]. end - tokens [0].
start;9 int s = tokens [0]. start;
10 if(json_len > 0 && input[s+0] == �K�){11 if(json_len > 1 && input[s+1] == �A�){12 if(json_len > 2 && input[s+2] == �F�){13 if(json_len > 3 && input[s+3] == �L�){14 panic(KERN_INFO "KAFL ...\n");15 }}}}}16 }
Listing 2: The JSON parser kernel module used for thecoverage benchmarks.
We performed five repeated experiments for each op-erating system. Additionally we tested TriforceAFL withthe Linux target driver. TriforceAFL is unable to fuzzWindows and macOS. To compare TriforceAFL withkAFL, the associated TriforceLinuxSyscallFuzzer wasslightly modified to work with our vulnerable Linux ker-nel module. Unfortunately, it was not possible to com-pare kAFL against Oracle’s file system fuzzer [34] dueto technical issues with its setup.
During each run, we fuzzed the JSON parser for 30minutes. The averaged and rounded results are displayedin Table 1. As we can see, the performance of kAFLis very similar across different systems. It should be re-marked that the variance in this experiment is rather high
11http://zserge.com/jsmn.html
10
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
23
Evaluation Driver
5.4 Rediscovery of Known BugsWe evaluated kAFL on the keyctl interface, which al-lows a user space program to store and manage vari-ous kinds of key material in the kernel. More specif-ically, it features a DER (see RFC5280) parser to loadcertificates. This functionality had a known bug (CVE-2016-07583). We tested kAFL against the same interfaceon a vulnerable kernel (version 4.3.2). kAFL was ableto uncover the same problem and one additional previ-ously unknown bug that was assigned CVE-2016-86504.kAFL managed to trigger 17 unique KASan reports and15 unique panics in just one hour of execution time. Dur-ing this experiment, kAFL generated over 34 million in-puts, found 295 interesting inputs, and performed nearly9,000 executions per second. This experiment was per-formed while running 8 processes in parallel.
5.5 Detected VulnerabilitiesDuring the evaluation, kAFL found more than a thou-sand unique crashes. We evaluated some manually andfound multiple security vulnerabilities in all tested op-erating systems such as Linux, Windows, and macOS.So far, eight bugs were reported and three of them wereconfirmed by the maintainers:
• Linux: keyctl Null Pointer Dereference5 (CVE-2016-86506)
• Linux: ext4 Memory Corruption7
• Linux: ext4 Error Handling8
• Windows: NTFS Div-by-Zero9
• macOS: HFS Div-by-Zero10
• macOS: HFS Assertion Fail10
• macOS: HFS Use-After-Free10
• macOS: APFS Memory Corruption10
Red Hat has assigned a CVE number for the first re-ported security flaw, which triggers a null pointer def-erence and a partial memory corruption in the kernelASN.1 parser if an RSA certificate with a zero expo-nent is presented. For the second reported vulnerabil-ity, which triggers a memory corruption in the ext4 file
3https://access.redhat.com/security/cve/cve-2016-07584https://access.redhat.com/security/cve/cve-2016-86505http://seclists.org/fulldisclosure/2016/Nov/766https://access.redhat.com/security/cve/cve-2016-86507http://seclists.org/fulldisclosure/2016/Nov/758http://seclists.org/bugtraq/2016/Nov/19Reported to Microsoft Security.
10Reported to Apple Product Security.
system, a mainline patch was proposed. The last re-ported Linux vulnerability, which calls in the ext4 errorhandling routine panic() and hence results in a kernelpanic, was at the time of writing not investigated any fur-ther. The NTFS bug in Windows 10 is a non-recoverableerror condition which leads to a blue screen. This bugwas reported to Microsoft, but has not been confirmedyet. Similarly, Apple has not yet verified or confirmedour reported macOS bugs.
5.6 Fuzzing PerformanceWe compare the overall performance of kAFL across dif-ferent operating systems. To ensure comparable results,we created a simple driver that contains a JSON parserbased on jsmn11 for each aforementioned operating sys-tem and used it to decode user input (see Listing 2). Ifthe user input is a JSON string starting with "KAFL", acrash is triggered. We traced both the JSON parser aswell as the final check. This way kAFL was able to learncorrect JSON syntax. We measured the time used to findthe crash, the number of executions per second, and thespeed for new paths to be discovered on all three targetoperating systems.
1 jsmn_parser parser;2 jsmntok_t tokens [5];3 jsmn_init (& parser);4
5 int res=jsmn_parse (&parser , input , size , tokens , 5);6 if(res >= 2){7 if(tokens [0]. type == JSMN_STRING){8 int json_len = tokens [0]. end - tokens [0].
start;9 int s = tokens [0]. start;
10 if(json_len > 0 && input[s+0] == �K�){11 if(json_len > 1 && input[s+1] == �A�){12 if(json_len > 2 && input[s+2] == �F�){13 if(json_len > 3 && input[s+3] == �L�){14 panic(KERN_INFO "KAFL ...\n");15 }}}}}16 }
Listing 2: The JSON parser kernel module used for thecoverage benchmarks.
We performed five repeated experiments for each op-erating system. Additionally we tested TriforceAFL withthe Linux target driver. TriforceAFL is unable to fuzzWindows and macOS. To compare TriforceAFL withkAFL, the associated TriforceLinuxSyscallFuzzer wasslightly modified to work with our vulnerable Linux ker-nel module. Unfortunately, it was not possible to com-pare kAFL against Oracle’s file system fuzzer [34] dueto technical issues with its setup.
During each run, we fuzzed the JSON parser for 30minutes. The averaged and rounded results are displayedin Table 1. As we can see, the performance of kAFLis very similar across different systems. It should be re-marked that the variance in this experiment is rather high
11http://zserge.com/jsmn.html
10
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
23
Evaluation Driver
5.4 Rediscovery of Known BugsWe evaluated kAFL on the keyctl interface, which al-lows a user space program to store and manage vari-ous kinds of key material in the kernel. More specif-ically, it features a DER (see RFC5280) parser to loadcertificates. This functionality had a known bug (CVE-2016-07583). We tested kAFL against the same interfaceon a vulnerable kernel (version 4.3.2). kAFL was ableto uncover the same problem and one additional previ-ously unknown bug that was assigned CVE-2016-86504.kAFL managed to trigger 17 unique KASan reports and15 unique panics in just one hour of execution time. Dur-ing this experiment, kAFL generated over 34 million in-puts, found 295 interesting inputs, and performed nearly9,000 executions per second. This experiment was per-formed while running 8 processes in parallel.
5.5 Detected VulnerabilitiesDuring the evaluation, kAFL found more than a thou-sand unique crashes. We evaluated some manually andfound multiple security vulnerabilities in all tested op-erating systems such as Linux, Windows, and macOS.So far, eight bugs were reported and three of them wereconfirmed by the maintainers:
• Linux: keyctl Null Pointer Dereference5 (CVE-2016-86506)
• Linux: ext4 Memory Corruption7
• Linux: ext4 Error Handling8
• Windows: NTFS Div-by-Zero9
• macOS: HFS Div-by-Zero10
• macOS: HFS Assertion Fail10
• macOS: HFS Use-After-Free10
• macOS: APFS Memory Corruption10
Red Hat has assigned a CVE number for the first re-ported security flaw, which triggers a null pointer def-erence and a partial memory corruption in the kernelASN.1 parser if an RSA certificate with a zero expo-nent is presented. For the second reported vulnerabil-ity, which triggers a memory corruption in the ext4 file
3https://access.redhat.com/security/cve/cve-2016-07584https://access.redhat.com/security/cve/cve-2016-86505http://seclists.org/fulldisclosure/2016/Nov/766https://access.redhat.com/security/cve/cve-2016-86507http://seclists.org/fulldisclosure/2016/Nov/758http://seclists.org/bugtraq/2016/Nov/19Reported to Microsoft Security.
10Reported to Apple Product Security.
system, a mainline patch was proposed. The last re-ported Linux vulnerability, which calls in the ext4 errorhandling routine panic() and hence results in a kernelpanic, was at the time of writing not investigated any fur-ther. The NTFS bug in Windows 10 is a non-recoverableerror condition which leads to a blue screen. This bugwas reported to Microsoft, but has not been confirmedyet. Similarly, Apple has not yet verified or confirmedour reported macOS bugs.
5.6 Fuzzing PerformanceWe compare the overall performance of kAFL across dif-ferent operating systems. To ensure comparable results,we created a simple driver that contains a JSON parserbased on jsmn11 for each aforementioned operating sys-tem and used it to decode user input (see Listing 2). Ifthe user input is a JSON string starting with "KAFL", acrash is triggered. We traced both the JSON parser aswell as the final check. This way kAFL was able to learncorrect JSON syntax. We measured the time used to findthe crash, the number of executions per second, and thespeed for new paths to be discovered on all three targetoperating systems.
1 jsmn_parser parser;2 jsmntok_t tokens [5];3 jsmn_init (& parser);4
5 int res=jsmn_parse (&parser , input , size , tokens , 5);6 if(res >= 2){7 if(tokens [0]. type == JSMN_STRING){8 int json_len = tokens [0]. end - tokens [0].
start;9 int s = tokens [0]. start;
10 if(json_len > 0 && input[s+0] == �K�){11 if(json_len > 1 && input[s+1] == �A�){12 if(json_len > 2 && input[s+2] == �F�){13 if(json_len > 3 && input[s+3] == �L�){14 panic(KERN_INFO "KAFL ...\n");15 }}}}}16 }
Listing 2: The JSON parser kernel module used for thecoverage benchmarks.
We performed five repeated experiments for each op-erating system. Additionally we tested TriforceAFL withthe Linux target driver. TriforceAFL is unable to fuzzWindows and macOS. To compare TriforceAFL withkAFL, the associated TriforceLinuxSyscallFuzzer wasslightly modified to work with our vulnerable Linux ker-nel module. Unfortunately, it was not possible to com-pare kAFL against Oracle’s file system fuzzer [34] dueto technical issues with its setup.
During each run, we fuzzed the JSON parser for 30minutes. The averaged and rounded results are displayedin Table 1. As we can see, the performance of kAFLis very similar across different systems. It should be re-marked that the variance in this experiment is rather high
11http://zserge.com/jsmn.html
10
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
23
Evaluation Driver
5.4 Rediscovery of Known BugsWe evaluated kAFL on the keyctl interface, which al-lows a user space program to store and manage vari-ous kinds of key material in the kernel. More specif-ically, it features a DER (see RFC5280) parser to loadcertificates. This functionality had a known bug (CVE-2016-07583). We tested kAFL against the same interfaceon a vulnerable kernel (version 4.3.2). kAFL was ableto uncover the same problem and one additional previ-ously unknown bug that was assigned CVE-2016-86504.kAFL managed to trigger 17 unique KASan reports and15 unique panics in just one hour of execution time. Dur-ing this experiment, kAFL generated over 34 million in-puts, found 295 interesting inputs, and performed nearly9,000 executions per second. This experiment was per-formed while running 8 processes in parallel.
5.5 Detected VulnerabilitiesDuring the evaluation, kAFL found more than a thou-sand unique crashes. We evaluated some manually andfound multiple security vulnerabilities in all tested op-erating systems such as Linux, Windows, and macOS.So far, eight bugs were reported and three of them wereconfirmed by the maintainers:
• Linux: keyctl Null Pointer Dereference5 (CVE-2016-86506)
• Linux: ext4 Memory Corruption7
• Linux: ext4 Error Handling8
• Windows: NTFS Div-by-Zero9
• macOS: HFS Div-by-Zero10
• macOS: HFS Assertion Fail10
• macOS: HFS Use-After-Free10
• macOS: APFS Memory Corruption10
Red Hat has assigned a CVE number for the first re-ported security flaw, which triggers a null pointer def-erence and a partial memory corruption in the kernelASN.1 parser if an RSA certificate with a zero expo-nent is presented. For the second reported vulnerabil-ity, which triggers a memory corruption in the ext4 file
3https://access.redhat.com/security/cve/cve-2016-07584https://access.redhat.com/security/cve/cve-2016-86505http://seclists.org/fulldisclosure/2016/Nov/766https://access.redhat.com/security/cve/cve-2016-86507http://seclists.org/fulldisclosure/2016/Nov/758http://seclists.org/bugtraq/2016/Nov/19Reported to Microsoft Security.
10Reported to Apple Product Security.
system, a mainline patch was proposed. The last re-ported Linux vulnerability, which calls in the ext4 errorhandling routine panic() and hence results in a kernelpanic, was at the time of writing not investigated any fur-ther. The NTFS bug in Windows 10 is a non-recoverableerror condition which leads to a blue screen. This bugwas reported to Microsoft, but has not been confirmedyet. Similarly, Apple has not yet verified or confirmedour reported macOS bugs.
5.6 Fuzzing PerformanceWe compare the overall performance of kAFL across dif-ferent operating systems. To ensure comparable results,we created a simple driver that contains a JSON parserbased on jsmn11 for each aforementioned operating sys-tem and used it to decode user input (see Listing 2). Ifthe user input is a JSON string starting with "KAFL", acrash is triggered. We traced both the JSON parser aswell as the final check. This way kAFL was able to learncorrect JSON syntax. We measured the time used to findthe crash, the number of executions per second, and thespeed for new paths to be discovered on all three targetoperating systems.
1 jsmn_parser parser;2 jsmntok_t tokens [5];3 jsmn_init (& parser);4
5 int res=jsmn_parse (&parser , input , size , tokens , 5);6 if(res >= 2){7 if(tokens [0]. type == JSMN_STRING){8 int json_len = tokens [0]. end - tokens [0].
start;9 int s = tokens [0]. start;
10 if(json_len > 0 && input[s+0] == �K�){11 if(json_len > 1 && input[s+1] == �A�){12 if(json_len > 2 && input[s+2] == �F�){13 if(json_len > 3 && input[s+3] == �L�){14 panic(KERN_INFO "KAFL ...\n");15 }}}}}16 }
Listing 2: The JSON parser kernel module used for thecoverage benchmarks.
We performed five repeated experiments for each op-erating system. Additionally we tested TriforceAFL withthe Linux target driver. TriforceAFL is unable to fuzzWindows and macOS. To compare TriforceAFL withkAFL, the associated TriforceLinuxSyscallFuzzer wasslightly modified to work with our vulnerable Linux ker-nel module. Unfortunately, it was not possible to com-pare kAFL against Oracle’s file system fuzzer [34] dueto technical issues with its setup.
During each run, we fuzzed the JSON parser for 30minutes. The averaged and rounded results are displayedin Table 1. As we can see, the performance of kAFLis very similar across different systems. It should be re-marked that the variance in this experiment is rather high
11http://zserge.com/jsmn.html
10
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
23
Evaluation Driver
5.4 Rediscovery of Known BugsWe evaluated kAFL on the keyctl interface, which al-lows a user space program to store and manage vari-ous kinds of key material in the kernel. More specif-ically, it features a DER (see RFC5280) parser to loadcertificates. This functionality had a known bug (CVE-2016-07583). We tested kAFL against the same interfaceon a vulnerable kernel (version 4.3.2). kAFL was ableto uncover the same problem and one additional previ-ously unknown bug that was assigned CVE-2016-86504.kAFL managed to trigger 17 unique KASan reports and15 unique panics in just one hour of execution time. Dur-ing this experiment, kAFL generated over 34 million in-puts, found 295 interesting inputs, and performed nearly9,000 executions per second. This experiment was per-formed while running 8 processes in parallel.
5.5 Detected VulnerabilitiesDuring the evaluation, kAFL found more than a thou-sand unique crashes. We evaluated some manually andfound multiple security vulnerabilities in all tested op-erating systems such as Linux, Windows, and macOS.So far, eight bugs were reported and three of them wereconfirmed by the maintainers:
• Linux: keyctl Null Pointer Dereference5 (CVE-2016-86506)
• Linux: ext4 Memory Corruption7
• Linux: ext4 Error Handling8
• Windows: NTFS Div-by-Zero9
• macOS: HFS Div-by-Zero10
• macOS: HFS Assertion Fail10
• macOS: HFS Use-After-Free10
• macOS: APFS Memory Corruption10
Red Hat has assigned a CVE number for the first re-ported security flaw, which triggers a null pointer def-erence and a partial memory corruption in the kernelASN.1 parser if an RSA certificate with a zero expo-nent is presented. For the second reported vulnerabil-ity, which triggers a memory corruption in the ext4 file
3https://access.redhat.com/security/cve/cve-2016-07584https://access.redhat.com/security/cve/cve-2016-86505http://seclists.org/fulldisclosure/2016/Nov/766https://access.redhat.com/security/cve/cve-2016-86507http://seclists.org/fulldisclosure/2016/Nov/758http://seclists.org/bugtraq/2016/Nov/19Reported to Microsoft Security.
10Reported to Apple Product Security.
system, a mainline patch was proposed. The last re-ported Linux vulnerability, which calls in the ext4 errorhandling routine panic() and hence results in a kernelpanic, was at the time of writing not investigated any fur-ther. The NTFS bug in Windows 10 is a non-recoverableerror condition which leads to a blue screen. This bugwas reported to Microsoft, but has not been confirmedyet. Similarly, Apple has not yet verified or confirmedour reported macOS bugs.
5.6 Fuzzing PerformanceWe compare the overall performance of kAFL across dif-ferent operating systems. To ensure comparable results,we created a simple driver that contains a JSON parserbased on jsmn11 for each aforementioned operating sys-tem and used it to decode user input (see Listing 2). Ifthe user input is a JSON string starting with "KAFL", acrash is triggered. We traced both the JSON parser aswell as the final check. This way kAFL was able to learncorrect JSON syntax. We measured the time used to findthe crash, the number of executions per second, and thespeed for new paths to be discovered on all three targetoperating systems.
1 jsmn_parser parser;2 jsmntok_t tokens [5];3 jsmn_init (& parser);4
5 int res=jsmn_parse (&parser , input , size , tokens , 5);6 if(res >= 2){7 if(tokens [0]. type == JSMN_STRING){8 int json_len = tokens [0]. end - tokens [0].
start;9 int s = tokens [0]. start;
10 if(json_len > 0 && input[s+0] == �K�){11 if(json_len > 1 && input[s+1] == �A�){12 if(json_len > 2 && input[s+2] == �F�){13 if(json_len > 3 && input[s+3] == �L�){14 panic(KERN_INFO "KAFL ...\n");15 }}}}}16 }
Listing 2: The JSON parser kernel module used for thecoverage benchmarks.
We performed five repeated experiments for each op-erating system. Additionally we tested TriforceAFL withthe Linux target driver. TriforceAFL is unable to fuzzWindows and macOS. To compare TriforceAFL withkAFL, the associated TriforceLinuxSyscallFuzzer wasslightly modified to work with our vulnerable Linux ker-nel module. Unfortunately, it was not possible to com-pare kAFL against Oracle’s file system fuzzer [34] dueto technical issues with its setup.
During each run, we fuzzed the JSON parser for 30minutes. The averaged and rounded results are displayedin Table 1. As we can see, the performance of kAFLis very similar across different systems. It should be re-marked that the variance in this experiment is rather high
11http://zserge.com/jsmn.html
10
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
23
Evaluation Driver
5.4 Rediscovery of Known BugsWe evaluated kAFL on the keyctl interface, which al-lows a user space program to store and manage vari-ous kinds of key material in the kernel. More specif-ically, it features a DER (see RFC5280) parser to loadcertificates. This functionality had a known bug (CVE-2016-07583). We tested kAFL against the same interfaceon a vulnerable kernel (version 4.3.2). kAFL was ableto uncover the same problem and one additional previ-ously unknown bug that was assigned CVE-2016-86504.kAFL managed to trigger 17 unique KASan reports and15 unique panics in just one hour of execution time. Dur-ing this experiment, kAFL generated over 34 million in-puts, found 295 interesting inputs, and performed nearly9,000 executions per second. This experiment was per-formed while running 8 processes in parallel.
5.5 Detected VulnerabilitiesDuring the evaluation, kAFL found more than a thou-sand unique crashes. We evaluated some manually andfound multiple security vulnerabilities in all tested op-erating systems such as Linux, Windows, and macOS.So far, eight bugs were reported and three of them wereconfirmed by the maintainers:
• Linux: keyctl Null Pointer Dereference5 (CVE-2016-86506)
• Linux: ext4 Memory Corruption7
• Linux: ext4 Error Handling8
• Windows: NTFS Div-by-Zero9
• macOS: HFS Div-by-Zero10
• macOS: HFS Assertion Fail10
• macOS: HFS Use-After-Free10
• macOS: APFS Memory Corruption10
Red Hat has assigned a CVE number for the first re-ported security flaw, which triggers a null pointer def-erence and a partial memory corruption in the kernelASN.1 parser if an RSA certificate with a zero expo-nent is presented. For the second reported vulnerabil-ity, which triggers a memory corruption in the ext4 file
3https://access.redhat.com/security/cve/cve-2016-07584https://access.redhat.com/security/cve/cve-2016-86505http://seclists.org/fulldisclosure/2016/Nov/766https://access.redhat.com/security/cve/cve-2016-86507http://seclists.org/fulldisclosure/2016/Nov/758http://seclists.org/bugtraq/2016/Nov/19Reported to Microsoft Security.
10Reported to Apple Product Security.
system, a mainline patch was proposed. The last re-ported Linux vulnerability, which calls in the ext4 errorhandling routine panic() and hence results in a kernelpanic, was at the time of writing not investigated any fur-ther. The NTFS bug in Windows 10 is a non-recoverableerror condition which leads to a blue screen. This bugwas reported to Microsoft, but has not been confirmedyet. Similarly, Apple has not yet verified or confirmedour reported macOS bugs.
5.6 Fuzzing PerformanceWe compare the overall performance of kAFL across dif-ferent operating systems. To ensure comparable results,we created a simple driver that contains a JSON parserbased on jsmn11 for each aforementioned operating sys-tem and used it to decode user input (see Listing 2). Ifthe user input is a JSON string starting with "KAFL", acrash is triggered. We traced both the JSON parser aswell as the final check. This way kAFL was able to learncorrect JSON syntax. We measured the time used to findthe crash, the number of executions per second, and thespeed for new paths to be discovered on all three targetoperating systems.
1 jsmn_parser parser;2 jsmntok_t tokens [5];3 jsmn_init (& parser);4
5 int res=jsmn_parse (&parser , input , size , tokens , 5);6 if(res >= 2){7 if(tokens [0]. type == JSMN_STRING){8 int json_len = tokens [0]. end - tokens [0].
start;9 int s = tokens [0]. start;
10 if(json_len > 0 && input[s+0] == �K�){11 if(json_len > 1 && input[s+1] == �A�){12 if(json_len > 2 && input[s+2] == �F�){13 if(json_len > 3 && input[s+3] == �L�){14 panic(KERN_INFO "KAFL ...\n");15 }}}}}16 }
Listing 2: The JSON parser kernel module used for thecoverage benchmarks.
We performed five repeated experiments for each op-erating system. Additionally we tested TriforceAFL withthe Linux target driver. TriforceAFL is unable to fuzzWindows and macOS. To compare TriforceAFL withkAFL, the associated TriforceLinuxSyscallFuzzer wasslightly modified to work with our vulnerable Linux ker-nel module. Unfortunately, it was not possible to com-pare kAFL against Oracle’s file system fuzzer [34] dueto technical issues with its setup.
During each run, we fuzzed the JSON parser for 30minutes. The averaged and rounded results are displayedin Table 1. As we can see, the performance of kAFLis very similar across different systems. It should be re-marked that the variance in this experiment is rather high
11http://zserge.com/jsmn.html
10
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
24
Performance
Intel i7-6700 / 32GB DDR4
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
25
Coverage
Intel i7-6700 / 32GB DDR4
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
25
Coverage
Intel i7-6700 / 32GB DDR4
kAFL: ▪5-7 minutes
TriforceAFL: ▪~2 hours
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
26
Conclusion
▪Intel PT and virtualization for feedback fuzzing ▪Fast ▪OS independence (x86-64) ▪Reliable and long-term ▪Fully extensible
▪High bug yield for kernel fuzzing ▪Opportunities for further fuzzing
https://github.com/RUB-SysSec/kAFL
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels