SyzGen: Automated Generation of Syscall Specification of Closed-Source macOS Drivers

Chen, Weiteng; Wang, Yu; Zhang, Zheng; Qian, Zhiyun

doi:10.1145/3460120.3484564

Cited by 13 publications

(3 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Recent exploit generation papers [14], [46] have not yet open-sourced or just a subset of their verified dynamic traces. K-LEAK will benefit from recent work that automates the recovery of syscall interfaces [12], [18], [25] and performs better kernel fuzzing [45], [52], which can facilitate the generation of more dynamic traces. Also, our dynamic symbolic execution requires a dynamic trace to begin with.…”

Section: Discussion and Future Workmentioning

confidence: 99%

K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel

Liang,

Zou,

Song

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

The severity of information leak (infoleak for short) in OS kernels cannot be underestimated, and various exploitation techniques have been proposed to achieve infoleak in OS kernels. Among them, memory-error-based infoleak is powerful and widely used in real-world exploits. However, existing approaches to finding memory-error-based infoleak lack the systematic reasoning about its search space, and do not fully explore the search space. Consequently, they fail to exploit a large number of memory errors in the kernel. According to a theoretical modeling of memory errors, the actual search space of such approach is huge, as multiple steps could be involved in the exploitation process, and virtually any memory error can be exploited to achieve infoleak. To bridge the gap between the theory and reality, we propose a framework K-LEAK to facilitate generating memory-error-based infoleak exploits in the Linux kernel. K-LEAK considers infoleak exploit generation as a data-flow search problem. By modeling unintended data flows introduced by memory errors, and how existing memory errors can create new memory errors, K-LEAK can systematically search for infoleak data-flow paths in a multistep manner. We implement a prototype of K-LEAK and evaluate it with memory errors from syzbot and CVEs. The evaluation results demonstrate the effectiveness of K-LEAK in generating diverse infoleak exploits using various multi-step strategies.

show abstract

Section: Discussion and Future Workmentioning

confidence: 99%

K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel

Liang,

Zou,

Song

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…The synthesis of information detected by multiple sensors, when combined and complemented, addresses the limitations of individual sensors under external influences. This collaborative approach mitigates the risk of decision errors and enhances overall recognition capabilities (16)(17)(18)(19).…”

Section: Multi-sensor Information Fusion 3 1 Multi-sensor Information...mentioning

confidence: 99%

Framework of Electric Vehicle Fault Diagnosis System Based on Diagnostic Communication

Yang

2024

IJE

View full text Add to dashboard Cite

With the escalating integration of Electronic Control Units (ECUs) in contemporary vehicles, the intricacy of vehicle networks is incessantly advancing. Diagnostic communication, as a pivotal facet within these networks, grapples with protracted development cycles and heightened intricacies. In a bid to augment software reusability and portability, this study meticulously scrutinized pertinent research and proffered an electric vehicle fault diagnosis system predicated on the Controller Area Network (CAN) bus, leveraging the diagnostic communication architecture advocated by the AUTOSAR standard. The integration of AUTOSAR seeks to pioneer an innovative software development paradigm for automotive fault diagnosis systems, thereby remedying extant limitations. The communication and diagnostic module of this study were instantiated using AUTOSAR, thereby obviating the necessity for developers to immerse themselves in hardware intricacies and communication implementations. This allows developers to focalize their efforts on crafting software features for fault diagnosis. Empirical results illustrate that the single-core CPU utilization rate of the proposed method in this article stands at 40.68%, with a fault detection time of 0.0217. The success rate of fault detection is 98.70%, indicating an increase of 12.97% and 8.98% when compared to the CAN bus and structural analysis methods, respectively. Testing indicators are significantly mitigated, yielding more precise fault detection outcomes. The exploration of this avant-garde software development methodology in automotive electronic products markedly amplifies the efficiency of automotive troubleshooting system software, underscoring its potential for academic contribution and application in real-world scenarios.

show abstract

“…In recent years, the use of continuous fuzzing, e.g., syzbot [40], has exposed thousands of Linux kernel bugs to the public. With the improvements of kernel fuzzing techniques [64], [31], [41], [69], [35], [63], even more bugs may be exposed in the future. Considering the enormous volume of kernel bugs, conducting manual inspections to assess the exploitability of every single one is unrealistic.…”

Section: Introductionmentioning

confidence: 99%

SyzBridge: Bridging the Gap in Exploitability Assessment of Linux Kernel Bugs in the Linux Ecosystem

Zou,

Hao,

Zhang

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Continuous fuzzing has become an integral part of the Linux kernel ecosystem, discovering thousands of bugs over the past few years. Interestingly, only a tiny fraction of them were turned into real-world exploits that target downstream distributions, e.g., Ubuntu and Fedora. This contradicts the conclusions of existing exploitability assessment tools, which classify hundreds of those bugs as high-risk, implying a high likelihood of exploitability. Our study aims to understand the gap and bridge it. Through our investigation, we realize that the current exploitability assessment tools exclusively test bug exploitability on the upstream Linux, which is for development only; in fact, we find many of them fail to reproduce directly in downstreams. Through a large-scale measurement study of 230 bugs on 43 distros (8,032 bug/distro pairs), we find that each distro only reproduces 19.1% of bugs on average by running the upstream PoCs as root user, and 0.9% without root. Remarkably, both numbers can be significantly improved by 61% and 1300% times respectively through appropriate PoC adaptations, necessitated by environment differences. To this end, we developed SyzBridge, a fully automated system that adapts upstream PoCs to downstream kernels. We further integrate SyzBridge with SyzScope, a state-of-the-art exploitability assessment tool that can identify high-risk exploit primitives, e.g., control flow hijack. Our integrated pipeline successfully identified 53 bugs originated from syzbot that are likely exploitable on downstream distributions, surpassing the mere 5 bugs that were turned into real-world exploits among 5,000 upstream bugs from syzbot. Notably, to validate the results, we successfully exploited 5 additional bugs that were previously not known to be exploitable publicly.

show abstract

SyzGen: Automated Generation of Syscall Specification of Closed-Source macOS Drivers

Cited by 13 publications

References 15 publications

K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel

K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel

Framework of Electric Vehicle Fault Diagnosis System Based on Diagnostic Communication

SyzBridge: Bridging the Gap in Exploitability Assessment of Linux Kernel Bugs in the Linux Ecosystem

Contact Info

Product

Resources

About