Leveraging Binary Coverage for Effective Generation Guidance in Kernel Fuzzing
Published in 2024 ACM Conference on Computer and Communications Security (CCS), 2024
Recommended citation: Jianzhong Liu, Yuheng Shen, Yiru Xu, and Yu Jiang. 2024. Leveraging Binary Coverage for Effective Generation Guidance in Kernel Fuzzing. In Proceedings of the 2024 ACM Conference on Computer and Communications Security (CCS).
State-of-the-art kernel fuzzers use edge-based code coverage metrics to detect novel behavior. However, code coverage alone is not sufficient for operating system kernels: their data segments contain many untracked but interesting features, such as comparison operands, kernel state identifiers, flags, and executable code, and accessing these differently reflects different execution patterns. Code coverage cannot convey such patterns, yet tracking them can profoundly increase the granularity and scope of the coverage metrics conveyed to fuzzers. This paper proposes Kernel Binary Coverage Feedback, a comprehensive and effective execution feedback method that provides kernel fuzzers with metrics reflecting the execution coverage status of the entire kernel binary. Our approach, based on assumptions valid for contemporary computer systems, abstracts program behavior as its memory access pattern during execution and considers all such relevant behavior, including standard memory reads and writes, predicate comparisons, etc., to obtain a coverage metric over the whole kernel binary for input generation guidance. We implemented a prototype tool, KBinCov, that provides the proposed method and integrated it into the popular kernel fuzzer Syzkaller. We evaluated its effectiveness against vanilla Syzkaller as well as other approaches, including StateFuzz and IJON, the latter adapted for use in the kernel domain. Our results show that KBinCov achieves code coverage increases of 7%, 13%, and 9% compared to Syzkaller (using kcov), StateFuzz, and IJON, respectively, on recent versions of the Linux kernel, while only incurring a 1.74× overhead increase, less than StateFuzz's and IJON's 2.4× and 2.2× figures. In addition, we found 21 previously unknown bugs during the experiment phase using KBinCov with Syzkaller, more than Syzkaller (with kcov), StateFuzz, and IJON, which found 4, 2, and 2 bugs, respectively.
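As an added illustration (not KBinCov's or Syzkaller's code), the toy model below contrasts edge coverage with a memory-access-based binary coverage on a constructed handler whose control flow is identical across commands but whose data-segment reads, comparison operands and state-flag writes differ; every name, value and input here is constructed.

```python
from dataclasses import dataclass, field

# Constructed "kernel" data segment: a device flag word and a table of
# comparison constants. None of this is KBinCov or Linux code.
DATA = {"dev_flags": 0, "limits": [16, 64, 256]}

@dataclass
class Trace:
    edges: set = field(default_factory=set)     # (src_block, dst_block)
    accesses: set = field(default_factory=set)  # (site, kind, what)

def handler(cmd: int, size: int, tr: Trace) -> int:
    """Constructed ioctl-like handler. Its control-flow edges are the same
    for every cmd; only the data read, the comparison operand and the
    state bit written differ, which is exactly what edge coverage misses."""
    tr.edges.add(("entry", "lookup"))
    idx = cmd % 3
    limit = DATA["limits"][idx]                       # data-segment read
    tr.accesses.add(("lookup", "read", f"limits[{idx}]"))
    tr.accesses.add(("lookup", "cmp", limit))         # comparison operand
    tr.edges.add(("lookup", "check"))
    if size > limit:
        tr.edges.add(("check", "err"))
        return -1
    bit = cmd % 8
    DATA["dev_flags"] |= 1 << bit                     # kernel-state write
    tr.accesses.add(("check", "write", f"dev_flags.bit{bit}"))
    tr.edges.add(("check", "ok"))
    return 0

def novel_inputs(inputs, metric: str) -> list:
    """Replay inputs in order and return those that add coverage under
    `metric`: "edge" counts control-flow edges only, "binary" counts edges
    plus the recorded data accesses (a simplification of the paper's idea)."""
    seen, novel = set(), []
    for cmd, size in inputs:
        tr = Trace()
        handler(cmd, size, tr)
        cov = tr.edges if metric == "edge" else tr.edges | tr.accesses
        if cov - seen:          # any previously unseen feedback element
            novel.append((cmd, size))
        seen |= cov
    return novel

# Constructed corpus: three commands with the same size, then an oversize one.
INPUTS = [(0, 8), (1, 8), (2, 8), (0, 1000)]

if __name__ == "__main__":
    print("edge-novel:  ", novel_inputs(INPUTS, "edge"))    # [(0, 8), (0, 1000)]
    print("binary-novel:", novel_inputs(INPUTS, "binary"))  # all four inputs
```

Under edge coverage the second and third inputs look identical to the first and would be discarded, whereas the binary metric keeps them because they touch a different limit, compare against a different operand and set a different flag bit.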