2019 IEEE Symposium on Security and Privacy (SP) 2019
DOI: 10.1109/sp.2019.00017
Razzer: Finding Kernel Race Bugs through Fuzzing

Abstract: A data race in a kernel is an important class of bugs, critically impacting the reliability and security of the associated system. As a result of a race, the kernel may become unresponsive. Even worse, an attacker may launch a privilege escalation attack to acquire root privileges. In this paper, we propose RAZZER, a tool to find race bugs in kernels. The core of RAZZER is in guiding fuzz testing towards potential data race spots in the kernel. RAZZER employs two techniques to find races efficiently: a static a…

Cited by 106 publications (28 citation statements)
References 31 publications
“…To support a huge number of different devices or features, i.e., supporting polymorphism with a single interface, most components in Linux are decoupled with its abstract interface and implementation layer, where the interface layer is generically used for accessing a specific implementation. This in fact is similar to employing polymorphism commonly exercised …
[Table I residue from the citing paper, spilled into the excerpt: one row per kernel fuzzer, giving the fuzzer, its target platform, and six ✓/× criteria whose column headers are not recoverable here]
perf_fuzzer [49] — Linux (perf_event set) — ✓ × × × × ×
Digtool [35] — Windows — ✓ × × × × ×
kAFL [40] — Win/Linux/macOS — ✓ ✓ × × × ×
Razzer [26] — Linux — ✓ × × × × ×
PeriScope [43] — Linux (drivers) — ✓ ✓ × × × ×
FIRM-AFL [54] — Firmware — ✓ ✓ × × × ×
CAB-Fuzz [28] — Windows (drivers) — × × ✓ × × ×
IMF [24] — macOS — ✓ × × × ✓ ×
MoonShine [33] — Linux — ✓ ✓ × × ✓ ×
DIFUZE [16] — Android — (row truncated in the excerpt)
… Figure 2, autofs_ioctl acts as a dispatcher, which invokes various underlying control functions, using a function pointer table _ioctls. In a similar way, cmd derived from the userspace implicitly affects the following control-flow transfer via an indirect function call.…”
Section: B. Indirect Control Transfer Determined By Input
confidence: 94%
“…Table I lists the characteristics of recent kernel testing methods. Techniques used in the first six fuzzers, such as perf_fuzzer [49], Digtool [35], kAFL [40], Razzer [26], PeriScope [43], and FIRM-AFL [54], do not handle the aforementioned kernel-specific challenges. CAB-Fuzz [28], which is an S2E-based symbolic execution fuzzer, handles strict kernel branch conditions, but it does not handle indirect branches nor the rest of the challenges.…”
Section: A. Challenges In Applying Hybrid Fuzzing To Kernel
confidence: 99%
“…Most kernel fuzzing tools focus on the system call boundary [9], [14], [19], [35], [41], [43], [58], [59], [65], [75]. DIFUZE uses static analysis and performs type-aware fuzzing of the IOCTL interface, which can expose a substantial amount of driver functionality to user space [35].…”
Section: B. Kernel Fuzzing
confidence: 99%