PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary

Abstract: The OS kernel is an attractive target for remote attackers. If compromised, the kernel gives adversaries full system access, including the ability to install rootkits, extract sensitive information, and perform other malicious actions, all while evading detection. Most of the kernel's attack surface is situated along the system call boundary. Ongoing kernel protection efforts have focused primarily on securing this boundary; several capable analysis and fuzzing frameworks have been developed for this purpose.

“…To support a huge number of different devices or features, i.e., supporting polymorphism with a single interface, most components in Linux are decoupled with its abstract interface and implementation layer, where the interface layer is generically used for accessing a specific implementation. This in fact is similar to employing polymorphism commonly exercised perf_fuzzer [49] Linux (perf_event set) ✓ × × × × × Digtool [35] Windows ✓ × × × × × kAFL [40] Win/Linux/macOS ✓ ✓ × × × × Razzer [26] Linux ✓ × × × × × PeriScope [43] Linux (drivers) ✓ ✓ × × × × FIRM-AFL [54] Firmware ✓ ✓ × × × × CAB-Fuzz [28] Windows (drivers) × × ✓ × × × IMF [24] macOS ✓ × × × ✓ × MoonShine [33] Linux ✓ ✓ × × ✓ × DIFUZE [16] Android Figure 2, autofs_ioctl acts as a dispatcher, which invokes various underlying control functions, using a function pointer table _ioctls. In a similar way, cmd derived from the userspace implicitly affects the following control-flow transfer via an indirect function call.…”

“…Table I lists the characteristics of recent kernel testing methods. Techniques used in the first six fuzzers, such as perf_fuzzer [49], Digtool [35], kAFL [40], Razzer [26], PeriScope [43], and FIRM-AFL [54], do not handle the aforementioned kernel-specific challenges. CAB-Fuzz [28], which is an S2E-based symbolic execution fuzzer, handles strict kernel branch conditions, but it does not handle indirect branches nor the rest of the challenges.…”

“…HFL, on the other hand, neither relies on imprecise static analysis results nor requires the hardware support. Periscope [43] devises a device driver fuzzer that is not related to system calls, but mutating input space over I/O bus. Razzer [26] designs a combination scheme of static and dynamic testing to effectively reach the points where race bugs potentially occurs, then verifying true bugs.…”

“…These challenges make hybrid fuzzing difficult, and to the best of our knowledge, existing kernel testing approaches [26,35,40,43,49] either naively use each technique separately by not handling such challenges or imprecisely handle a part of challenges only by static analysis [16,24,33].…”

HFL: Hybrid Fuzzing on the Linux Kernel

“…To support a huge number of different devices or features, i.e., supporting polymorphism with a single interface, most components in Linux are decoupled with its abstract interface and implementation layer, where the interface layer is generically used for accessing a specific implementation. This in fact is similar to employing polymorphism commonly exercised perf_fuzzer [49] Linux (perf_event set) ✓ × × × × × Digtool [35] Windows ✓ × × × × × kAFL [40] Win/Linux/macOS ✓ ✓ × × × × Razzer [26] Linux ✓ × × × × × PeriScope [43] Linux (drivers) ✓ ✓ × × × × FIRM-AFL [54] Firmware ✓ ✓ × × × × CAB-Fuzz [28] Windows (drivers) × × ✓ × × × IMF [24] macOS ✓ × × × ✓ × MoonShine [33] Linux ✓ ✓ × × ✓ × DIFUZE [16] Android Figure 2, autofs_ioctl acts as a dispatcher, which invokes various underlying control functions, using a function pointer table _ioctls. In a similar way, cmd derived from the userspace implicitly affects the following control-flow transfer via an indirect function call.…”

“…Table I lists the characteristics of recent kernel testing methods. Techniques used in the first six fuzzers, such as perf_fuzzer [49], Digtool [35], kAFL [40], Razzer [26], PeriScope [43], and FIRM-AFL [54], do not handle the aforementioned kernel-specific challenges. CAB-Fuzz [28], which is an S2E-based symbolic execution fuzzer, handles strict kernel branch conditions, but it does not handle indirect branches nor the rest of the challenges.…”

“…HFL, on the other hand, neither relies on imprecise static analysis results nor requires the hardware support. Periscope [43] devises a device driver fuzzer that is not related to system calls, but mutating input space over I/O bus. Razzer [26] designs a combination scheme of static and dynamic testing to effectively reach the points where race bugs potentially occurs, then verifying true bugs.…”

“…These challenges make hybrid fuzzing difficult, and to the best of our knowledge, existing kernel testing approaches [26,35,40,43,49] either naively use each technique separately by not handling such challenges or imprecisely handle a part of challenges only by static analysis [16,24,33].…”

HFL: Hybrid Fuzzing on the Linux Kernel

“…Malicious hardware can invoke such handler functions by triggering the interrupt and prepare their parameter; therefore, they are also controllable to attackers. PeriScope [45] also fuzzes kernel drivers and regards these IRQ handlers as entry points.…”

Precisely Characterizing Security Impact in a Flood of Patches via Symbolic Rule Comparison

The progress, challenges, and perspectives of directed greybox fuzzing