Publications

Leveraging Binary Coverage for Effective Generation Guidance in Kernel Fuzzing

Published in 2024 ACM Conference on Computer and Communications Security (CCS), 2024

State-of-the-art kernel fuzzers use edge-based code coverage metrics for novel behavior detection. However, code coverage is not sufficient for operating system kernels, for they contain many untracked but interesting features, such as comparison operands, kernel state identifiers, flags, and executable code, within its data segments, that, when accessed differently, reflects different execution patterns, which cannot be conveyed by code coverage, but can profoundly increase the granularity and scope of the coverage metrics conveyed to the fuzzers. This paper proposes the use of Kernel Binary Coverage Feedback, a comprehensive and effective execution feedback method that provides metrics reflecting the execution coverage status of the entire binary coverage to kernel fuzzers. Our approach, based on assumptions valid for contemporary computer systems, abstracts program behavior as its memory access pattern during execution, and considers all such relevant behavior, including standard memory reads and writes, predicate comparisons, etc., to obtain a coverage metric on the whole kernel binary for input generation guidance. We implemented a prototype tool KBinCov that provides the proposed method and integrated it into a popular kernel fuzzer Syzkaller. We evaluated its effectiveness against vanilla Syzkaller, as well as certain other approaches, including StateFuzz and IJON, where the latter is adapted for use in the kernel domain. Our results show that KBinCov achieves code coverage increases of 7%, 13%, 9%, compared to Syzkaller (using kcov), StateFuzz, and IJON, on recent versions of the Linux kernels, respectively, while only incurring a 1.74× overhead increase, less than StateFuzz and IJON’s 2.4× and 2.2× figures. In addition, we found 21 previously unknown bugs during the experiment phase using KBinCov with Syzkaller, more than Syzkaller (with kcov), StateFuzz, and IJON, which found 4, 2, and 2 bugs, respectively.

Recommended citation: Jianzhong Liu, Yuheng Shen, Yiru Xu, and Yu Jiang. 2024. Leveraging Binary Coverage for Effective Generation Guidance in Kernel Fuzzing. In Proceedings of the 2024 ACM Conference on Computer and Communications Security (CCS).

Effectively Sanitizing Embedded Operating Systems

Published in 2024 61st ACM/IEEE Design Automation Conference (DAC), 2024

Embedded operating systems, considering their widespread use in security-critical applications, are not effectively tested with sanitizers to effectively root out bugs. Sanitizers provide a means to detect bugs that are not visible directly through exceptional or erroneous behaviors, thus uncovering more potent bugs during testing. In this paper, we propose EmbSan, an embedded systems sanitizer for a diverse range of embedded operating system firmware through the use of dynamic instrumentation of sanitizer facilities and de-coupled on-host runtime libraries. This allows us to perform sanitation for multiple embedded OSs during fuzzing, such as many Embedded Linux-based firmware, various FreeRTOS firmware, and detect actual bugs within them. We evaluated EmbSan’s effectiveness on firmware images based on Embedded Linux, FreeRTOS, LiteOS, and VxWorks. Our results show that EmbSan can detect the same criteria of actual bugs found in the Embedded Linux kernel as reference implementations of KASAN, and exhibits a slowdown of 2.2× to 3.2× and 5.2× to 5.7× for KASAN and KCSAN, respectively, which is on par with established kernel sanitizers. EmbSan and embedded OS fuzzers also found a total of 41 new bugs in Embedded Linux, FreeRTOS, LiteOS and VxWorks.

Recommended citation: Jianzhong Liu, Yuheng Shen, Yiru Xu, and Yu Jiang. 2024. Effectively Sanitizing Embedded Operating Systems. In Proceedings of the 2024 61st ACM/IEEE Design Automation Conference (DAC) http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/paper_from_24/embsan_DAC24.pdf

Horus: Accelerating Kernel Fuzzing through Efficient Host-VM Memory Access Procedures

Published in ACM Transactions on Software Engineering and Methodology, 2023

Kernel fuzzing is an effective technique in operating system vulnerability detection. Fuzzers such as Syzkaller and Moonshine frequently pass highly structured data between fuzzer processes in guest virtual machines and manager processes in the host operating system to synchronize fuzzing-relevant data and information. Since the guest virtual machines’ and the host operating system’s memory spaces are mutually isolated, fuzzers conduct synchronization operations using mechanisms such as Remote Procedure Calls over TCP/IP networks, incurring significant overheads that negatively impact the fuzzer’s efficiency and effectiveness in increasing code coverage and finding vulnerabilities. In this paper, we propose Horus, a kernel fuzzing data transfer mechanism that mitigates the aforementioned data transfer overheads. Horus removes host-VM memory isolation and performs data transfers through copying to and from target memory locations in the guest virtual machine. Horus facilitates such efficient transfers through using fixed stub structures in the guest’s memory space, whose addresses, along with the guest’s RAM contents, are exposed to the host during the fuzzer’s initialization process. When conducting transfers, Horus passes highly-structured non-trivial data between the host and guest instances through copying the data directly to and from the stub structures, reducing the overall overhead significantly compared to that of using a network-based approach. We implemented Horus upon state-of-the-art kernel fuzzers Syzkaller, Moonshine and kAFL and evaluated its effectiveness. For Syzkaller and Moonshine, Horus increased their transfer speeds by 84.5% and 85.8% for non-trivial workloads on average and improved their fuzzing throughputs by 31.07% and 30.62%, respectively. Syzkaller and Moonshine both achieved a coverage speedup of 1.6× through using Horus. For kAFL, Horus improved specifically its Redqueen component’s execution speeds by 19.4%.

Recommended citation: Jianzhong Liu, Yuheng Shen, Yiru Xu, Hao Sun, and Yu Jiang. 2023. Horus: Accelerating Kernel Fuzzing through Efficient Host-VM Memory Access Procedures. ACM Trans. Softw. Eng. Methodol. 33, 1, Article 11 (January 2024), 25 pages. https://doi.org/10.1145/3611665 https://doi.org/10.1145/3611665