kAFL: Hardware-Assisted Feedback Fuzzing for OS · PDF filehtml5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd ... kAFL: Hardware-Assisted

kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels

Sergej Schumilo1, Cornelius Aschermann1, Robert Gawlik1, Sebastian Schinzel2, Thorsten Holz1 1Ruhr-Universität Bochum, 2Münster University of Applied Sciences

2

MotivationIJG jpeg libjpeg-turbo libpng libtiff mozjpeg PHP Mozilla Firefox Internet Explorer PCRE sqlite OpenSSL LibreOffice poppler freetype GnuTLS GnuPG PuTTY ntpd nginx bash tcpdump JavaScriptCore pdfium ffmpeg libmatroska libarchive ImageMagick BIND QEMU lcms Adobe Flash Oracle BerkeleyDB Android libstagefright iOS ImageIO FLAC audio library libsndfile less lesspipe strings file dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn1OpenBSD pfctl NetBSD bpf man mandocIDA Pro clamav

libxml2glibc clang llvmnasm ctags mutt procmail fontconfig pdksh Qt wavpack OpenSSH redis lua-cmsgpack taglib privoxy perl libxmp radare2 SleuthKit fwknop X.Org exifprobe jhead capnproto Xerces-C metacam djvulibre exiv Linux btrfs Knot DNS curl

wpa_supplicant Apple Safari libde265 dnsmasq libbpg lame libwmf uudecode MuPDF imlib2 libraw libbson libsass yara W3C tidy-html5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd Mozilla NSS Nettle mbed TLS Linux netlink Linux ext4 Linux xfs botan expat Adobe Reader libav libical OpenBSD kernel collectd libidn

MatrixSSL jasperMaraDNS w3m Xen OpenH232 irssi cmark OpenCV Malheur gstreamer Tor gdk-pixbuf audiofilezstd lz4 stb cJSON libpcre MySQL gnulib openexr libmad ettercap lrzip freetds Asterisk ytnefraptor mpg123 exempi libgmime pev v8 sed awk make

m4 yacc PHP ImageMagick freedesktop.org patch libtasn1 libvorbis zsh lua ninja ruby busybox gcrypt vim Tor poppler libopus BSD sh gcc qemu w3m zsh dropbear wireshark libtorrent git rust gravity e2fsprogs parrot lodepng json-glib cabextract libmspack qprint gpsbabel dmg2img antiword arj unrar unace zoo rzip lrzip libiso libtta duktape splint zpaq assimp cppcheck fasm catdoc pngcrush cmark p7zip libjbig2 aaphoto t1utils apngopt sqlparser mdp libtinyxml freexl bgpparser testdisk photorec btcd gumbo chaiscript teseq colcrt pttbbs capstone dex2oat pillow elftoolchain aribas universal-ctags uriparser jq lha xdelta gnuplot libwpd

teseq cimg libiberty policycoreutils libsemanage renoise metapixel openclone mp3splt podofo Apache httpd glslang UEFITool libcbor lldpd pngquant muparserx mochilo pyhocon sysdig Overpass-API fish-shell gumbo-parser mapbox-gl-native rapidjson

libjson FLIF MultiMarkdown astyle pax-utils zziplib PyPDF spiffing apk pgpdump icoutils msitools dosfstools


2








Internet Explorer


2








Internet ExplorerAdobe Flash


2








OpenSSH

Internet ExplorerAdobe Flash


2








OpenSSH

Internet Explorer

Apple Safari

Adobe Flash


2








OpenSSH

Internet Explorer

Apple SafariAdobe Reader

Adobe Flash


2








OpenSSH

Internet Explorer


Wireshark

Adobe Flash


2








OpenSSH

Internet Explorer


Wireshark

Apache httpd

Adobe Flash


3

Stephens, Nick, et al. "Driller: Augmenting Fuzzing Through Selective Symbolic Execution." Proceedings of the Network and Distributed System Security Symposium (NDSS). 2016.


Rawat, Sanjay, et al. "Vuzzer: Application-aware evolutionary fuzzing.“ Proceedings of the Network and Distributed System Security Symposium (NDSS). 2017.

Böhme, Marcel, et al. "Coverage-based greybox fuzzing as markov chain." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM. 2016.

Motivation

kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels4

Motivation

What about Kernel Security?

5

Related Work

Fast Crash Tolerant OS Independent Binary Only


5

Related Work


TriforceAFL (Jesse Hertz & Tim Newsham, NCC Group)

✗ ✓ ~ ✓


5

Related Work



✗ ✓ ~ ✓

Syzkaller (Dmitry Vyukov) ✓ ✓ ✗ ✗


5

Related Work



✗ ✓ ~ ✓

Syzkaller (Dmitry Vyukov) ✓ ✓ ✗ ✗AFL Filesystem Fuzzer (Vegard Nossum & Quentin Casanovas, Oracle)

✓ ~ ✗ ✗


5

Related Work



✗ ✓ ~ ✓

Syzkaller (Dmitry Vyukov) ✓ ✓ ✗ ✗AFL Filesystem Fuzzer (Vegard Nossum & Quentin Casanovas, Oracle)

✓ ~ ✗ ✗

PT Kernel Fuzzer (Richard Johnson, Talos) ✓ ✗ ✗ ✓


6

Goal

Build a kernel fuzzer that is all of this:

▪Fast ▪Reliable ▪(mostly) OS independent ▪No source level access required


Fuzzing in a nutshell

8


Fuzzer Target


8


Fuzzer Target

Inputs

Grammar


8


Fuzzer Target

Inputs

Grammar

Randomized Inputs


8


Fuzzer Target

Inputs

Grammar

Randomized Inputs

Feedback


9

Blackbox Fuzzing

Target

exit

"EFG"


9

Blackbox Fuzzing

Target

exit

"TZG"


9

Blackbox Fuzzing

Target

"ABC"

CrashkAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels

Coverage-Guided Fuzzing

11


input[0] == 'A'

input[2] == 'C'

exit()

input[1] == 'B'

crash()


11


input[0] == 'A'

input[2] == 'C'

exit()

input[1] == 'B'

crash() exit()

input[0] == 'A'ZZZZ


11


input[0] == 'A'

input[2] == 'C'

exit()

input[1] == 'B'

crash() exit()

input[1] == 'B'

input[0] == 'A'AAAA


11


input[0] == 'A'

input[2] == 'C'

exit()

input[1] == 'B'

crash() exit()

input[2] == 'C'

input[1] == 'B'

input[0] == 'A'ABBG


11


input[0] == 'A'

input[2] == 'C'

exit()

input[1] == 'B'

crash()crash()

input[2] == 'C'

input[1] == 'B'

input[0] == 'A'ABCJ


11


input[0] == 'A'

input[2] == 'C'

exit()

input[1] == 'B'

crash()

AFL stores transitions in a bitmap

crash()

input[2] == 'C'

input[1] == 'B'

input[0] == 'A'ABCJ


12

Feedback MechanismClosed-Source Kernel Stable Fast


12


Compile-Time Instrumentation ✗ ✓ ✓ ++


12


Compile-Time Instrumentation ✗ ✓ ✓ ++Static Rewriting ✓ - ✗ ++


12


Compile-Time Instrumentation ✗ ✓ ✓ ++Static Rewriting ✓ - ✗ ++Dynamic Binary Instrumentation ✓ -* ✓ -

* Peter Feiner, et al., DRK: DynamoRIO as a Linux Kernel Module


12


Compile-Time Instrumentation ✗ ✓ ✓ ++Static Rewriting ✓ - ✗ ++Dynamic Binary Instrumentation ✓ -* ✓ -Emulation ✓ ✓ ✓ - -



12


Compile-Time Instrumentation ✗ ✓ ✓ ++Static Rewriting ✓ - ✗ ++Dynamic Binary Instrumentation ✓ -* ✓ -Emulation ✓ ✓ ✓ - -Intel Branch Trace Store ✓ ✓ ✓ +



12


Compile-Time Instrumentation ✗ ✓ ✓ ++Static Rewriting ✓ - ✗ ++Dynamic Binary Instrumentation ✓ -* ✓ -Emulation ✓ ✓ ✓ - -Intel Branch Trace Store ✓ ✓ ✓ +Intel Processor Trace ✓ ✓ ✓ +++



Intel Processor Trace

14


Instruction Intel PT Packet


14



jmp/call loc_b Inferable from disassembly


14




jnz loc_a Taken / Not Taken


14





jmp/call [eax] Target IP


14





jmp/call [eax] Target IP

ret Target IP (if required)


15


Intel PT Data

Not TakenTarget IP (0x1009)Target IP (0x1055)


15


Intel PT Data


Target Binary


15


Intel PT Data


Target Binary

Traces

0x10000x10040x1009


15


Intel PT Data


Target Binary

Traces

0x10000x10040x1009

Transitions

0x0000 / 0x10000x1000 / 0x10040x1004 / 0x1009


15


Intel PT Data


Target Binary

Traces

0x10000x10040x1009

Transitions

0x0000 / 0x10000x1000 / 0x10040x1004 / 0x1009

AFL Bitmap

011001010010


Architecture

17

Architecture

Kernel

AgentFuzzer

Host


17

Architecture

Kernel

AgentFuzzer

Intel PT Driver

coverage

Benefits:✓Coverage

Host


17

Architecture

Kernel

AgentFuzzer

Intel PT Driver

coverage


Host


17

Architecture

Kernel

AgentFuzzer

Intel PT Driver

coverage


Host


17

Architecture

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage

Benefits:✓Coverage✓Crash Tolerance

Host


17

Architecture

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage

Benefits:✓Coverage✓Crash Tolerance✓OS Independence

Host


17

Architecture

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage

Benefits:✓Coverage✓Crash Tolerance✓OS Independence✓Scalable

Host


18

Trace Filtering

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage

Host


18

Trace Filtering

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage

Host


Full System Tracing

18

Trace Filtering

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage

Intel PT aware Hypervisor

Host


✓vCPUFilter-Mechanisms:

vCPU Tracing

18

Trace Filtering

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage


Host


✓vCPU✓Supervisor

Filter-Mechanisms:

Guest Ring-0 Tracing

18

Trace Filtering

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage


Host


✓vCPU✓Supervisor

Filter-Mechanisms:

Guest Ring-0 Tracing

Kernel Space

User Space

0xFFFFFFFFFFFFFFFF

0x0000000000000000

syscall

18

Trace Filtering

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage


Host


✓vCPU✓Supervisor✓CR3

Filter-Mechanisms:

Guest Ring-0 Tracing (Fuzzing-Process)

18

Trace Filtering

Virtual Machine

Kernel

AgentFuzzer

Intel PT Driver

coverage


Host


✓vCPU✓Supervisor✓CR3✓IP-Range

Filter-Mechanisms:

Guest Ring-0 Tracing (Fuzzing-Process & Target Range)

19

Inter-VM Communication

Virtual Machine

Intel PT Driver

coverage

Host


Kernel

AgentFuzzer


19


Virtual Machine

Intel PT Driver

coverage

Host


Kernel

AgentFuzzer


19


Virtual Machine

Intel PT Driver

coverage

Host


Guest to Host:

Kernel

AgentFuzzer


19


Virtual Machine

Intel PT Driver

coverage

Host


Guest to Host:▪Synchronization

Kernel

AgentFuzzer


19


Virtual Machine

Intel PT Driver

coverage

Host


Guest to Host:▪Synchronization▪Next payload

Kernel

AgentFuzzer


19


Virtual Machine

Intel PT Driver

coverage

Host


Guest to Host:▪Synchronization▪Next payload▪Disclose CR3 value

Kernel

AgentFuzzer


19


Virtual Machine

Intel PT Driver

coverage

Host


Guest to Host:▪Synchronization▪Next payload▪Disclose CR3 value▪Panic handler address Kernel

AgentFuzzer


19


Virtual Machine

Intel PT Driver

coverage

Host


Guest to Host:▪Synchronization▪Next payload▪Disclose CR3 value▪Panic handler address▪Signal kernel panic

Kernel

AgentFuzzer


19


Virtual Machine

Intel PT Driver

coverage

Host



Host to Guest:

Kernel

AgentFuzzer


19


Virtual Machine

Intel PT Driver

coverage

Host



Host to Guest:▪Agent

Kernel

AgentFuzzer


19


Virtual Machine

Intel PT Driver

coverage

Host



Host to Guest:▪Agent▪Payloads

Kernel

AgentFuzzer


19


Virtual Machine

Intel PT Driver

coverage

Host



Host to Guest:▪Agent▪Payloads▪Overwrite panic handler

Kernel

AgentFuzzer


20

Implementation


20

Implementation

CPU: ▪generates raw Intel-PT data ▪writes data to main memory


20

Implementation

KVM-PT: ▪configures Intel PT via MSRs ▪enables tracing during VM-Entry transition ▪disables tracing during VM-Exit transition


20

Implementation

QEMU-PT: ▪usermode counterpart ▪decodes Intel PT data on-the-fly


20

Implementation

kAFL Fuzzer: ▪generates new fuzz payloads ▪detects new behavior


Evaluation

22

New VulnerabilitiesWindows: ▪NTFS (DoS)

macOS: ▪HFS (DoS, Memory Corruption) ▪APFS (Memory Corruption)

Linux: ▪EXT4 (DoS, Memory Corruption) ▪Keyctl (Nullpointer Dereference)


23

Evaluation Driver

5.4 Rediscovery of Known BugsWe evaluated kAFL on the keyctl interface, which al-lows a user space program to store and manage vari-ous kinds of key material in the kernel. More specif-ically, it features a DER (see RFC5280) parser to loadcertificates. This functionality had a known bug (CVE-2016-07583). We tested kAFL against the same interfaceon a vulnerable kernel (version 4.3.2). kAFL was ableto uncover the same problem and one additional previ-ously unknown bug that was assigned CVE-2016-86504.kAFL managed to trigger 17 unique KASan reports and15 unique panics in just one hour of execution time. Dur-ing this experiment, kAFL generated over 34 million in-puts, found 295 interesting inputs, and performed nearly9,000 executions per second. This experiment was per-formed while running 8 processes in parallel.

5.5 Detected VulnerabilitiesDuring the evaluation, kAFL found more than a thou-sand unique crashes. We evaluated some manually andfound multiple security vulnerabilities in all tested op-erating systems such as Linux, Windows, and macOS.So far, eight bugs were reported and three of them wereconfirmed by the maintainers:

• Linux: keyctl Null Pointer Dereference5 (CVE-2016-86506)

• Linux: ext4 Memory Corruption7

• Linux: ext4 Error Handling8

• Windows: NTFS Div-by-Zero9

• macOS: HFS Div-by-Zero10

• macOS: HFS Assertion Fail10

• macOS: HFS Use-After-Free10

• macOS: APFS Memory Corruption10

Red Hat has assigned a CVE number for the first re-ported security flaw, which triggers a null pointer def-erence and a partial memory corruption in the kernelASN.1 parser if an RSA certificate with a zero expo-nent is presented. For the second reported vulnerabil-ity, which triggers a memory corruption in the ext4 file

3https://access.redhat.com/security/cve/cve-2016-07584https://access.redhat.com/security/cve/cve-2016-86505http://seclists.org/fulldisclosure/2016/Nov/766https://access.redhat.com/security/cve/cve-2016-86507http://seclists.org/fulldisclosure/2016/Nov/758http://seclists.org/bugtraq/2016/Nov/19Reported to Microsoft Security.

10Reported to Apple Product Security.

system, a mainline patch was proposed. The last re-ported Linux vulnerability, which calls in the ext4 errorhandling routine panic() and hence results in a kernelpanic, was at the time of writing not investigated any fur-ther. The NTFS bug in Windows 10 is a non-recoverableerror condition which leads to a blue screen. This bugwas reported to Microsoft, but has not been confirmedyet. Similarly, Apple has not yet verified or confirmedour reported macOS bugs.

5.6 Fuzzing PerformanceWe compare the overall performance of kAFL across dif-ferent operating systems. To ensure comparable results,we created a simple driver that contains a JSON parserbased on jsmn11 for each aforementioned operating sys-tem and used it to decode user input (see Listing 2). Ifthe user input is a JSON string starting with "KAFL", acrash is triggered. We traced both the JSON parser aswell as the final check. This way kAFL was able to learncorrect JSON syntax. We measured the time used to findthe crash, the number of executions per second, and thespeed for new paths to be discovered on all three targetoperating systems.

1 jsmn_parser parser;2 jsmntok_t tokens [5];3 jsmn_init (& parser);4

5 int res=jsmn_parse (&parser , input , size , tokens , 5);6 if(res >= 2){7 if(tokens [0]. type == JSMN_STRING){8 int json_len = tokens [0]. end - tokens [0].

start;9 int s = tokens [0]. start;

10 if(json_len > 0 && input[s+0] == �K�){11 if(json_len > 1 && input[s+1] == �A�){12 if(json_len > 2 && input[s+2] == �F�){13 if(json_len > 3 && input[s+3] == �L�){14 panic(KERN_INFO "KAFL ...\n");15 }}}}}16 }

Listing 2: The JSON parser kernel module used for thecoverage benchmarks.

We performed five repeated experiments for each op-erating system. Additionally we tested TriforceAFL withthe Linux target driver. TriforceAFL is unable to fuzzWindows and macOS. To compare TriforceAFL withkAFL, the associated TriforceLinuxSyscallFuzzer wasslightly modified to work with our vulnerable Linux ker-nel module. Unfortunately, it was not possible to com-pare kAFL against Oracle’s file system fuzzer [34] dueto technical issues with its setup.

During each run, we fuzzed the JSON parser for 30minutes. The averaged and rounded results are displayedin Table 1. As we can see, the performance of kAFLis very similar across different systems. It should be re-marked that the variance in this experiment is rather high

11http://zserge.com/jsmn.html

10


23

Evaluation Driver
























10


23

Evaluation Driver
























10


23

Evaluation Driver
























10


23

Evaluation Driver
























10


23

Evaluation Driver
























10


23

Evaluation Driver
























10


24

Performance

Intel i7-6700 / 32GB DDR4


25

Coverage



25

Coverage


kAFL: ▪5-7 minutes

TriforceAFL: ▪~2 hours


26

Conclusion

▪Intel PT and virtualization for feedback fuzzing ▪Fast ▪OS independence (x86-64) ▪Reliable and long-term ▪Fully extensible

▪High bug yield for kernel fuzzing ▪Opportunities for further fuzzing

https://github.com/RUB-SysSec/kAFL


https://github.com/RUB-SysSec/kAFL

Documents

kAFL: Hardware-Assisted Feedback Fuzzing for OS · PDF filehtml5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd ... kAFL: Hardware-Assisted