DIFUZE: Interface Aware Fuzzing for Kernel Drivers JakeCorina AravindMachiry ChristopherSalls UCSantaBarbara UCSantaBarbara UCSantaBarbara [email protected] [email protected] [email protected] YanShoshitaishvili ShuangHao ChristopherKruegel ArizonaStateUniversity UniversityofTexasatDallas UCSantaBarbara [email protected] [email protected] [email protected] GiovanniVigna UCSantaBarbara [email protected] ABSTRACT nightandthefirstthingwereachforinthemorning.Weusethem DevicedriversareanessentialpartinmodernUnix-likesystemsto tocarryoutfinancialtransactionsandtocommunicatewithfamily, handleoperationsonphysicaldevices,fromharddisksandprint- friends,andcoworkers,andallowthemtorecordlocation,audio, erstodigitalcamerasandBluetoothspeakers.Thesurgeofnew andvideo.Increasingly,theyareusednotjustforpersonaland hardware,particularlyonmobiledevices,introducesanexplosive commercialpurposes,butalsotofacilitategovernmentactivity. growthofdevicedriversinsystemkernels.Manysuchdriversare Theimportanceofthesecurityofthesedevicesisobvious.If providedbythird-partydevelopers,whicharesusceptibletose- anadversarycompromisesthedevicethathasbecomeourgate- curityvulnerabilitiesandlackpropervetting.Unfortunately,the way to the connected world, he gains an enormous amount of complexinputdatastructuresfordevicedriversrendertraditional power.Therefore,muchefforthasgoneintoensuringthesecu- analysistools,suchasfuzztesting,lesseffective,andsofar,research rityofsmartphones.Thissecurityisachievedusingsophisticated onkerneldriversecurityiscomparativelysparse. applicationsandboxing,byleveragingmanyattackmitigationtech- Inthispaper,wepresentDIFUZE,aninterface-awarefuzzing niques targeting userspace applications (such asAddress Space tooltoautomaticallygeneratevalidinputsandtriggertheexecu- LayoutRandomization,DataExecutionProtection,andSELinux), tionofthekerneldrivers.Weleveragestaticanalysistocompose andbymakingsecurityafirst-tierdevelopmentgoal.However, correctly-structuredinputintheuserspacetoexplorekerneldri- thereisaweaknessinthesecurityofmobiledevices:theirkernels. vers.DIFUZEisfullyautomatic,rangingfromidentifyingdriver Unlikeuserspaceapplications,forwhichseveralvulnerability handlers,tomappingtodevicefilenames,toconstructingcomplex mitigationtechniquesareavailableandused,thekernelsofmodern argumentinstances.Weevaluateourapproachonsevenmodern operatingsystemsarerelativelyvulnerabletoattackdespiteavail- Androidsmartphones.TheresultsshowthatDIFUZEcaneffectively ableprotections[43].Asaresult,asvulnerabilitiesinuserspace identifykerneldriverbugs,andreports32previouslyunknownvul- applicationsbecomerarer,attackersturntheirfocusonthekernel. nerabilities,includingflawsthatleadtoarbitrarycodeexecution. Forexample,overthelastthreeyears,theshareofAndroidvulner- abilitiesthatareinkernelcodeincreasedfrom4%(in2014)to39% CCSCONCEPTS (in2016)[62],highlightingtheneedfortechniquestodetectand eliminatekernelbugs. •Securityandprivacy→Mobileplatformsecurity;Vulnera- Thekernelcanitselfbesplitintotwotypesofcode:corekernel bilityscanners; codeanddevicedrivers.Theformerisaccessedthroughthesystem KEYWORDS call(syscall)interface,allowingausertoopenfiles(theopen() systemcall),executeprograms(theexecve()systemcall),andso Fuzzing,Kerneldrivers,Interfaceaware on.Thelatter,onPOSIX-compliantsystems(suchasLinux/An- droidandFreeBSD/iOSwhichcoverover98%ofthemobilephone 1 INTRODUCTION market),aretypicallyaccessedviatheioctlinterface.Thisinter- Smartphonesandothermobiledevicesoccupyacentralpartofour face,implementedasaspecificsystemcall,allowsforthedispatch modernlives.Theyarethelastthingmanyofusinteractwithat ofinputtobeprocessedbyadevicedriver.AccordingtoGoogle, 85%ofthebugsreportedagainsttheAndroidkernel(whichisa Permissiontomakedigitalorhardcopiesofallorpartofthisworkforpersonalor closeforkofLinux)areindrivercodewrittenbythird-partyde- classroomuseisgrantedwithoutfeeprovidedthatcopiesarenotmadeordistributed forprofitorcommercialadvantageandthatcopiesbearthisnoticeandthefullcitation vicevendors[62].Withthecontinuallygrowingnumberofmobile onthefirstpage.CopyrightsforcomponentsofthisworkownedbyothersthanACM devicesinuse,andwiththecriticalityoftheirsecurity,automated mustbehonored.Abstractingwithcreditispermitted.Tocopyotherwise,orrepublish, approachestoidentifyvulnerabilitiesindevicedriversbeforethey topostonserversortoredistributetolists,requirespriorspecificpermissionand/ora [email protected]. canbeexploitedbyattackersarecritical. CCS’17,October30-November3,2017,Dallas,TX,USA Whileautomaticanalysisofthesystemcallinterfacehasbeen ©2017AssociationforComputingMachinery. thoroughlyexploredbyrelatedwork[28,34],ioctlshavebeen ACMISBN978-1-4503-4946-8/17/10...$15.00 https://doi.org/10.1145/3133956.3134069 neglected.Thisisbecause,whileinteractionwithsyscallsfollowsa unified,well-definedspecification,interactionwithioctlsvaries 2.1 POSIXDeviceDrivers dependingonthedevicedriverinquestion.Specifically,theioctl ThePOSIXstandardspecifiesaninterfacefortheinteractionof interfacecomprisesstructuredargumentsforeachofasetofvalid userspaceapplicationswithdevicedrivers.Thisinterfacesupports commands,withboththecommandsandthedatastructuresbe- interactionwiththedevicethroughdevicefiles,whicharespecial ing driver-dependent. While this has security implications (i.e., filesthatrepresenttheuserspacepresenceofthekernel-resident pointers,dynamically-sizedfields,unions,andsub-structuresin devicedrivers.Afterauserspaceapplicationobtainsahandleto thesestructuresincreasethechanceofavulnerabilityresulting thedevicefilewiththeopen()systemcall,therearemultipleways fromthemis-parsingofthestructure),italsomakesthesedevices inwhichtheapplicationcaninteractwiththesefiles. hardtoanalyze.Anyautomatedanalysisofsuchdevicesmustbe Differentdevicesrequiredifferentsystemcallstofulfilltheir interface-aware,inthesensethat,tobeeffective,itmustinteract functionalities.Forexample,read(),write(),andseek()arepre- withioctlsusingthecommandidentifiersanddatastructures sumablyapplicableforaharddrivedevicefile(showingthecon- expectedbythem. tentsoftheharddriveas,essentially,asinglefile).Foranaudio Inthispaper,wepresentDIFUZE,anovelcombinationoftech- device,read()mightreadrawaudiodatafromthemicrophone,and niquestoenableinterface-awarefuzzing,andfacilitatethedynamic write()mightwriterawaudiodatatothespeakers,andseek() explorationoftheioctlinterfaceprovidedbydevicedrivers.DI- mightbeunused. FUZEperformsanautomatedstaticanalysisofkerneldrivercodeto However,somefunctionalitycannotbeimplementedthrough recovertheirspecificioctlinterface,includingthevalidcommands traditionalsystemcalls.Forexample,fortheaudiodevice,how andassociateddatastructures.Itusesthisrecoveredinterfaceto wouldauserspaceapplicationconfigurethesamplingrateatwhich generateinputstoioctlcalls,whichcanbedispatchedtotheker- torecordorplayaudio?Suchout-of-bandactionsaresupportedby nelfromuserspaceprograms.Theseinputsmatchthecommands thePOSIXstandardthroughtheioctl()interface1.Thissystem andstructuresusedbythedriver,enablingefficientanddeeperex- callallowsdriverstoexposefunctionalitythatishardtomodelas plorationoftheioctls.Therecoveredinterfaceallowsthefuzzer atraditionalfile. tomakemeaningfulchoiceswhenmutatingthedata:i.e.,typed Tosupportgenerality,theioctl()interfacecanreceivearbi- fieldslikepointers,enums,andintegersshouldnotbehandledas trarydriver-specifiedstructuresasinput.It’sCprototypelookslike simplyasequenceofbytes.DIFUZEstressesassumptionsmadeby int ioctl(int file_descriptor, int request, ...),where thedriversinquestionandexposesserioussecurityvulnerabilities. thefirstargumentistheopenfiledescriptor,thesecondargument Inourexperiments,weanalyzedsevenmodernmobiledevicesand isanintegercommonlyknownasthecommandidentifier,andthe found36vulnerabilities,ofwhich32werepreviouslyunknown(4 typeandquantityoftheremainingargumentsaredependenton vulnerabilitiesfoundbyDIFUZEwerepatchedduringthecourse thedriverandthecommandidentifier. ofourexperiments),ranginginseverityfromflawsthatcrashthe Challenges.Theaforementionedpropertymakesioctlsystem deviceinquestioncausingDenialofService(DoS)tobugsthatcan calls especially susceptible to vulnerabilities: First, unlike with givetheattackercompletecontroloverthephone. read()andwrite(),thedataprovidedtoanioctl()callareof- Insummary,ourpapermakesthefollowingcontributions: teninstancesofextremelycomplex,nonstandard,datastructures. Parsingof suchstructures isnottrivial, andanymistake could Interface-awarefuzzing. Wedesignanovelapproachtofacili- introducecriticalvulnerabilitiesdirectlyintothekernelcontext. tatethefuzzingofinterface-sensitivetargets,suchasthe Second,thegeneralityofthedatastructurealsomakestheanalysis ioctlkerneldriverinterfaceonPOSIXsystems. ofioctl()interfacesdifficult,asananalystmusthaveknowledge Automateddriveranalysis. Wedevelopedafuzzingframework, ofhowthedriverinquestionprocessesdifferentcommandidenti- thatcanautomaticallyanalyzethekernelsourcesofadevice. fiers,andwhattypeofdataitexpectsfortheoptionalarguments. Foreverydriverthetoolidentifiesalltheioctlentrypoints, Thesearethecoreproblemsthatweaimtosolve.Wedesigned aswellasthecorrespondingstructures,anddevicefilenames. DIFUZEtoautomaticallyrecovercommandidentifiersandstructure Weapplyourtechniquetoanalyzesevendevices,identifying information,buildtherequiredcomplexdatastructures,andfuzz 36vulnerabilities.Thesevulnerabilities,rangingfromDoSto devices with ioctl() interfaces to find security vulnerabilities, codeexecutionflaws,demonstratetheefficacyandimpactof withminimalhumanintervention. ourapproach.Weareintheprocessofresponsiblydisclosing thesevulnerabilitiestotherespectivedrivervendors. DIFUZEprototype. WearereleasingDIFUZEasanopen-source 2.2 AndroidOperatingSystem toolatwww.github.com/ucsb-seclab/difuzeinthehopethat Androidisdesignedasanoperatingsystemforsmartphones.A itwillbeusefulforfuturesecurityresearchers. recentreportshowsthatAndroidhasdominatedthesmartphone OSmarket,withan86.8%sharein2016Q3[15].AlthoughAndroid designerstakecautiousstepstosafeguardthedevices,thereare 2 BACKGROUNDANDRELATEDWORK severalvulnerabilitiesinsmartphonesystems[20].Giventhepop- Inthissection,wewillexplaintheuniquechallengesthatwemust ularityandincreasingsecurityproblemsofAndroid,wechoose overcome(andwhythesechallengesmakeexistingstate-of-the- artsystemsinapplicabletoioctlfuzzing),introducetheplatform (Android)inwhichourfuzzingtooloperates,andcompareprevious 1Intheoriginalstandard,thisinterfacewasonlydesignedforcertaintypesofdevices, workonfindingprogramvulnerabilities. butthishaschangedinmodernimplementations. Androidsystemsasourmaintargetplatformtoevaluateouranal- Kernelanddriverfuzzing.Fuzzingoperatingsysteminterfaces ysisapproach.NotethatDIFUZEalsoworksonotherUnix-like orsystemcallsisapracticalapproachtotestingtheoperatingsys- systems. temkernel[28,34].Mostdriversuseioctlfunctions,aPOSIX AndroidisbasedontheLinuxkernel,whichhasamonolithic standard,tointeractwithuserspace.AsdiscussedinSection3.1, architecture. Although kernel modules (such as device drivers) ioctlsarecomplex,andtheyrequirespecificcommandvalues provideacertainlevelofmodularity,thedesignprincipleisstill anddataformatsgeneratedbyusers.Identifyingvalidcommand monolithic,inthesensethattheentirekernelrunsinasinglemem- valuesandtheirassociateddatastructuresarethetwokeyproblems oryspace,withallitspartsbeingequallyprivileged[65].Therefore, inioctlfuzzing.Sometoolshavebeendevelopedtotestioctl anyvulnerabilityinadevicedrivercouldcompromisetheentire interfacesforWindowskernels,suchasiofuzz[17],ioattack[44], kernel.Indeed,in2016morethan80%ofthebugsreportedinthe ioctlbf[67]andioctlfuzzer[16].However,thesetoolsdependon Androidkernelwerefromdrivercodewrittenbyvendors[62].The theextensiveloggingandtracingofinformationprovidedbythe AndroidOpenSourceProjectallowsvendors(e.g.,Sony,HTC)to Windowskernel,aswellastheformatof ioctlcommandsspe- customizeAndroidkerneldriverstosupportnewhardware,such cifictoWindows.Moreover,manyofthesetoolsaresimplisticin asdigitalcameras,accelerometers,orGPSdevices.Becausesecurity nature.Theyinvolvesimplyattachingtoprocessesandhooking oftentakesabackseattotime-to-marketforsuchcompanies,their theWindowsioctlcall.Oncehooked,thetoolmutatesthevalues developmentprocessissusceptibletotheintroductionofsecurity whenacallismade.Thisislackinginseveralaspectse.g.thepro- vulnerabilities.Thankfully,theopennessoftheAndroidsystem cessesmaynotexercisethefullcapabilityofthedrivers,andyou makesthesourcecodepubliclyavailableundertheGNUGeneral cannotknowthetypeinformationoftheincomingdata.Tosolve PublicLicense[22].Thisfacilitatesourapproach,asitprovides thisproblem,DIFUZEanalyzesthesourcecodeofdevicedrivers accesstoahigh-level,semanticallyrichinformationaboutadriver. toidentifyvalidcommandsandthecorrespondingdatastructure. Theanalysistechniquesthatweuserequirenomodificationtothe actualdevice. 2.3 FuzzTesting The extraction of valid ioctl commands was previously at- temptedbyStanislas,etal.,butthestate-of-the-artsystemwas Fuzzingisawell-knowntechniqueforprogramtestingbygen- unabletoscaletoreal-worldkernelmodules[38].Conversely,as eratingrandomdataasinputtotheprograms[45].Ithasdrawn weshowinSection8,DIFUZEscalesto(andfindsvulnerabilities much research attention, such as SPIKE [3], Valgrind [47], and in)largekernelmodulesonrealdevices. PROTOS[55]. Trinity [34] and syzkaller [28] are specifically developed for Fuzzing.Thekeyprospectoffuzzingistogenerate“mostly-valid” Linuxsyscallfuzzing.AsweshowinSection8,theyperformbadly inputstoexecuteatargetprogram,exerciseawiderangeoffunc- tionality,andtriggersomecornercaseleadingtoavulnerability. whenfuzzingioctlhandlersofdevicedrivers.Althoughsyzkaller usesadditionalinstrumentationtechniques,likeKernelAddress Dynamictainttrackingisawidely-usedstrategytogeneratepo- Sanitizer [26], to detect more bugs, these techniques cannot be tentialinputs.Dowser[30]andBuzzFuzz[21]usetainttracking directlyusedonvendordevices,sincetheyrequiretheanalystto togenerateinputsthataremorelikelytotriggercertainclasses reflashthedevicesusingcustomfirmware.Severalapproaches[8, of vulnerabilities. However, for ioctl functions, which require 42,58,59,64]concentrateonfuzzingspecifically-chosensyscalls highlyconstrainedinputs,thesetechniquesarelesseffective.Ap- anddrivers.However,theyonlyfocusonspecificfunctionsand proachesbasedontaintanalysisexisttorecovertheinputformat cannotbegeneralizedtoothersyscallsanddrivers.DIFUZEisthe usedbytheunderlyingprogram[13,40],buttheycannotrecover firstcompletelyautomatedsystemthatcanbegeneralizedtofuzz thecross-dependencybetweenvalues,e.g.,givenaparticularcom- allLinuxkerneldriversonadevicerunninganunmodifiedkernel. mandidentifieranioctlhandlerwillexpectafurtherargumentof aparticulartype. Evolutionarytechniquesrepresentanothercommoninputgen- erationstrategyinfuzzingsystems[19,41,69].VUzzer[53],and 2.4 OtherAnalyses SymFuzz[12]combinestaticanalysiswithmutation-basedevolu- Asidefromfuzzing,therearetwootheranalysistechniques,sym- tionarytechniquestoefficientlygenerateinputs.However,these bolicexecution,andstaticanalysis,thatarerelatedtoourwork. techniquesareineffectiveingeneratinghighlyconstrainedinput. Wewillintroducethesemechanismsandexplainhowtheyaffect DIFUZEsolvesthisproblembyfirstcollectingpossibleioctlcom- ourdesign. mandvaluesandthenfuzzingonlytheunconstrainedvalueswith Symbolicexecution.Symbolicexecutionisatechniquethatuses theexpectedinputformat. symbolicvariablestogenerateconstrainedinputandsatisfycom- Iftheinputformatofaprogramisknown,fuzzingcanbeen- plexchecks[10]. hancedwithaspecificationofthevalidinputs.Peach[49]isone DART[24],SAGE[25],Fuzzgrind[11]andDriller[61]combine oftheindustrystandardtools.However,itcannotgeneratelive symbolicexecutionwithrandomtestingtoincreasethecodecov- data(i.e.,datacontainingactivepointerstootherdata),and,aswe erage.BORG[48]usessymbolicexecutiontogenerateinputsmore showinSection8,manydevicedriversrequireinputstructuresthat likelytotriggerbufferoverreads.Engineeringissuesofperforming containpointers.Grammar-basedtechniqueshavebeenusedto symbolicexecutionontherawdevicesandthefundamentalpath fuzzfileformats[29],interpreters[23,31],andcompilers[18,37], explosionproblem(madealltheworsebycomplexsystemkernels) butthesetechniquesrequireinputstohaveafixedformat. renderthesetechniquesimpracticalforkerneldrivers. Interface Recovery On-device Execution Build System Instrument Structure Generation Pointer Fixup ioctl Handler Identification XML Fuzz Spec. Type-Specific Unit Device File Detection Value Creation Structure Recursion Command Value Determination Sub-structure Generation Kernel Source Code Argument Type Identification AuEtxoemcauttiico nR e(abnodo t) VulneBraacbkiltirtaiecse sB etoin Rg eTcroigrgde red Finding the Structure Definition Analysis Host Target Host Analysis Host Figure1:TheDIFUZEapproachdiagram.DIFUZEanalyzestheprovidedkernelsourcesusingacompositionofanalysesto extractdriverinterfaceinformation,suchasvalidioctlcommandsandargumentstructuretypes.Itsynthesizesinstancesof thesestructuresanddispatchesthemtothetargetdevice,whichtriggersioctlexecutionwiththegiveninputsand,eventually, findscrashesinthedevicedrivers. Staticanalysis.Staticanalysisisapopulartechniquetofindpro- correctstructurestoexercisethisinterface,andtriggertheprocess- gramvulnerabilitieswithoutexecutingtheprograminquestion[2]. ingofthesestructuresbythekernelofthetargethost.Becausethe Tomaximizeprecision,thesetechniquestypicallyrequiresource triggeringofkernelbugsoftenrendersasystemunstable(leading codetoperformtheanalysis.Sincemanysystemkernels(includ- toahangorreboot),onlyDIFUZE’sfinalstageisdoneinvivoonthe ingtheLinuxkernel)anddevicedriversareopen-source,kernel targethost.Theotherstagesareexecutedonanexternalanalysis securitycangreatlybenefitfromstaticanalysis[7].Forexample, host,theirresultsareloggedlocally(forinputreplay,incaseabug Ashcraft,etal.developedcompilerextensionstocatchintegers istriggered),andthentransferredoveranetworkconnectionor readfromuntrustedsourcesinLinuxandOpenBSDkernels[5]. debuginterfacetothetargethost. Post,etal.usedaboundedmodelcheckertofinddeadlocksand Inmoredetail,thesestagesare: memoryleaksinLinuxkernels[50].Ball,etal.builtastaticanal- ysistoolwithasetofrulestoprovethecorrectnessofWindows Interfacerecovery. Initsfirststage,DIFUZEanalyzesthepro- drivers[6]. videdsourcestodetectwhatdriversareenabledonthetarget Onelimitationofmoststaticanalysistoolsistheproduction host,whatdevicefilesareusedtointeractwiththem,what ofmanyfalsepositives.Sinceourworkleveragesfuzzingforthe ioctlcommandstheycanreceive,andwhatstructuresthey vulnerabilitydetectionstep,allidentifiedvulnerabilitiesareactual expecttobepassedtothesecommands.Thisseriesofanaly- bugs,andfalsepositivesareentirelyavoided.Anotherdrawbackof sesareimplementedusingLLVM,andarefurtherdescribed staticanalysistechniquesisthattheanalysisoftenneedsamanual inSection4.Theendresultofthisstageisasetoftuplesof specificationofsecuritypoliciesandrules. thedevicefilenameforthetargetdriver,thetargetioctl command,andstructuretypedefinitions. 3 OVERVIEW Structuregeneration. Foreachstructure,DIFUZEcontinuously Inthissection,wewillprovideanoverviewofourinterface-aware generatesstructureinstances:memorycontentsrepresenting instantiationsofthetypeinformationrecoveredfromthe fuzzingapproachanditsapplicationtovulnerabilitydetectionin previousstep.Theseinstancesareloggedandtransferred devicedriversthroughioctlfuzzing.Wewillalsopresentanex- tothetargethost,alongwiththeassociatedtargetdevice amplethatwillbereferencedthroughoutthepapertoassistthe curiousreaderinunderstandingourend-to-endsystem. filenamesandtargetioctlcommandidentifiers.Thisstage isdetailedinSection5. Figure1demonstratesthehigh-levelworkflowofthesystem. DIFUZErequires,asinput,thesourcecodeofthekernel(which On-deviceexecution. The actual ioctl triggering component residesonthetargethostitself.Uponreceiptofthetarget willincludethesourcecodeofthedevicedrivers)ofthetargethost. SinceLinuxislicensedundertheGNUGeneralPublicLicense,any devicefilename,thetargetioctlcommand,andthegener- atedstructureinstances,theexecutorproceedstotriggerthe softwarethatislinkedagainstit,suchasthekernel-driverinterface code,mustalsobereleased.Thus,thekernelsourcesofAndroid executionof ioctls.WediscussthisstageinSection6. devicesarereadilyavailable[27,32,33,39,46,57,60,66]andcan DIFUZElogsthesequenceofinputsthatissenttothetarget. beusedforouranalysis. Thus,whenabugistriggered,andthetargetdevicecrashes,the Giventhisinput,DIFUZEworksthroughanumberofphasesto inputscanbeusedforreproducibilityandmanualtriage/analysis. recovertheinteractioninterfacefordevicedrivers,generatethe 3.1 Example 1 DriverStructTwo dev_data1[16]; 2 DriverStructTwo dev_data2[16]; TohelpthereaderunderstandDIFUZE,weprovideanexampleofa 3 static bool enable_short; static bool subhandler_enabled; simpledriver.ThisexampleispresentedinListing1(thestructure 4 5 long ioctl_handler(struct file *file, int cmd, long arg) { definitions),2(awrapperaroundthecopy_from_userfunction, 6 uint32_t curr_idx; whichpresentsminorcomplicationstotheanalysis),Listing4(the 7 uint8_t short_idx; void *argp = (void*) arg; maindriverinitializationcode),andListing3(theioctlhandlers 8 DriverStructTwo *target_dev = NULL; 9 switch (cmd) { themselves). 10 case 0x1003: Thefunctiondriver_initinListing4isthedriverinitialization 11 target_dev = dev_data2; function,whichwillbecalledaspartofkernelinitialization.This 12 case 0x1002: 13 if(!target_dev) functionregistersthedevicewithaname"example_device"(line 14 target_dev = dev_data1; // program continues to execute 8)andspecifiesthatthefunctionioctl_handlershouldbeinvoked 15 if(!enable_short) { 16 if (copy_from_user_wrapper((void*)&curr_idx, argp, whenauserspaceapplicationperformstheioctlsystemcall(lines 17 sizeof(curr_idx))) { 10and11)onthedevicefile(inthiscase,/dev/example_device). 18 return -ENOMEM; // failed to copy from user Althoughthefilenameisexample_device,theabsolutepathof 19 } 20 } else { thefiledependsonthetypeofdevice.Thedeviceintherunning 21 if (copy_from_user_wrapper((void*)&short_idx, argp, example is a character device [35] and it will be created under 22 sizeof(short_idx))) { the/devdirectory,However,thereareothertypesofdevicefiles, 23 return -ENOMEM; // failed to copy from user 24 } whichwillbecreatedindifferentdirectories.Forinstance,proc 25 curr_idx = short_idx; devices[54]willbecreatedunderthe/procdirectory. 26 } 27 if(curr_idx < 16) Wewillrefertothisexamplethroughouttherestofthepaperas 28 return process_data(&(target_dev[curr_idx])); the“runningexample”. 29 return -EINVAL; 30 default: 31 if(subhandler_enabled) 32 return ioctl_subhandler(file, cmd, argp); 33 } 34 return -EINVAL; 35 } 1 typedef struct { 36 2 long sub_id; 37 long ioctl_subhandler(struct file *file, int cmd, void *argp) { 3 char sub_name[32]; 38 DriverStructOne drv_data = {0}; 4 } DriverSubstructTwo; 39 DriverStructTwo *target_dev; 5 40 if(cmd == 0x1001) { 6 typedef union { 41 if(copy_from_user_wrapper((void*)&drv_data, argp, 7 long meta_id; 42 sizeof(drv_data))) { 8 DriverSubstructTwo n_data; 43 return -ENOMEM; // failed to copy from user 9 } DriverStructTwo; 44 } 10 45 target_dev = dev_data1; 11 typedef struct { 46 if(drv_data.subtype & 1) 12 int idx; 47 target_dev = dev_data2; 13 uint8_t subtype; 48 // Arbitrary heap write if drv_data.idx > 16 14 DriverStructTwo *subdata; 49 if(copy_from_user_wrapper((void*)&(target_dev[drv_data.idx]), 15 } DriverStructOne; 50 drv_data.subdata, 51 sizeof(DriverStructTwo))) { 52 return -ENOMEM; // failed to copy from user Listing 1: The structure definitions of our running exam- 53 } ple. DIFUZE automatically recovers these and performs 54 return 0; structure-awarefuzzingofthetargetdriver. 55 } 56 return -EINVAL; 57 } Listing3:Theioctlhandlerswhichexpectveryspecificval- uesforthecommandidentifiersandexpectdatatobepre- sentedintheproperstructureforeachcommand.Theioctl processingissplitacrossmultiplefunctions. 1 int copy_from_user_wrapper(void *buff, void *userp, size_t size) { 2 // copy size bytes from address provided by the user (userp) 3 return copy_from_user(buff, userp, size); 4 } Listing2:Likemanyreal-worlddrivers,ourexampledriver shipswithawrappedcopy_from_userfunction.Becauseof wrapperslikethis(andmorecomplexones),DIFUZEmust supporttheanalysisofnestedfunctions. 1 static struct cdev driver_devc; bitcodefilestocreateasinglebitcodefileperdriver.Thisallows 2 static dev_t client_devt; ustocarryoutinterfacerecoveryanalysesonasinglebitcodefile, 3 static struct file_operations driver_ops; 4 __init int driver_init(void) simplifyingtheanalyses.Thisconsolidatedbitcodefileisusedin 5 { thefollowingphasestoperformtheanalyses. 6 // request minor number 7 alloc_chrdev_region(&driver_devt, 0, 1, "example_device"); 8 // set the ioctl handler for this device 4.2 ioctlHandlerIdentification 9 driver_ops.unlocked_ioctl = ioctl_handler; AsdiscussedinSection2.1,muchoftheinteractionwithdevice 10 cdev_init(&driver_devc, &driver_ops); 11 // register the corresponding device. drivershappensthroughtheioctlinterface.Fromuserspace,the 12 cdev_add(&driver_devc, MKDEV(MAJOR(driver_devt), 0), 1); applicationcallstheioctl()systemcall,passinginafiledescriptor 13 } tothedriver’sdevicefile,acommandidentifier,andtherequired structureddataargument.Whenthissystemcallisreceivedinker- Listing 4: The main driver initialization function of our nelspace,thecorrespondingdriver’sioctlhandlerisinvoked.This runningexample.Itdynamicallycreatesthedriverfile,the handlerthendispatchestherequesttodifferentfunctionalityinside nameofwhichmustthenberecoveredbyDIFUZE,andreg- thedriver,dependingonthecommandidentifier.Inthecaseofour istersthetop-levelioctlhandler,whichmustalsoberecov- runningexample,theioctlhandlerfunctionisioctl_handler. ered. Inordertorecovervalidcommandidentifiersandthestructure definitionsofadditionalioctlarguments,DIFUZEmustfirstiden- 4 INTERFACERECOVERY tifythetop-levelioctlhandler.Eachdrivercanregisteratop-level Toefficientlyfuzztheioctlsofadevicedriver,DIFUZEneedsto ioctl handler for each of its device files, and there are several recovertheinterfaceofthatdriver.Theinterfaceofadevicedriveris waystodothisintheLinuxkernel.Allofthesemethods,however, comprisedofthename/pathofthedevicefileusedtocommunicate involvethecreationofoneofasetofstructures2createdforthis with the device, the valid values for ioctl commands for that purpose,withoneofthefieldsofthesestructuresbeingafunc- device,andthestructuredefinitionoftheioctldataargumentfor tionpointertotheioctlhandler.Afulllistofthesestructures, thedifferentioctlcommands. andcorrespondingfieldnamesforoneofthekernelsarelistedin Torecoverthisdata,DIFUZEusesacombinationofanalyses, AppendixA. implementedinLLVM.AstheLinuxkerneldoesnotlenditself Ouranalysistoidentifytheioctlhandlerisstraightforward: toanalysis(orevencompilation)withLLVM,wefirstdeveloped usingLLVM’sanalysiscapabilities,wefindallusesofanyofthese analternatebuildprocedure.Afterthisisdone,weidentifythe structuresinthedriverandrecoverthevalueoftheassignment filenameofthedevicefilescreatedbythedevicedriver,findthe oftheioctlhandlerfunctionpointer.Inthecaseofourrunning ioctlhandler,recoverthevalidsetof ioctlcommandidentifiers, example,weidentifythewritetotheunlocked_ioctlfieldofa andretrievethestructuredefinitionsforthedataargumentsto file_operationsstructure(Listing4,line9).Wecanthenconsider thoseioctlcommands. thefunctionioctl_handlerasanioctlhandler. 4.1 BuildSystemInstrumentation 4.3 DeviceFileDetection WetakeseveralstepstoenableDIFUZEtoperformLLVManalyses Todeterminethedevicefilecorrespondingtoanioctlhandler,we onLinuxdevicedrivers. needtoidentifythenameprovidedintheregistrationoftheioctl handler(forexample,inourrunningexample,thedevicefilewould GCCcompilation. First,weperformthemanualstepofsetting be/dev/example_device,fromline7ofListing4). upthekernelanddriversourcesofthetargethostforcompilation, Depending on the type of device, there are several ways to using GCC. While this is generally a well-documented process, registerthefilenameintheLinuxkernel[14,56].Forexample, thevendorsofmobiledevicesdonotgooutoftheirwaytomake the registration of a character device [35] will use the method theirGPL-mandatedsourcecodereleaseseasytocompile,sosome alloc_chrdev_regiontoassociateanamewiththedevice.For manualconfigurationeffortisrequired.Oncethesourcetreecanbe procdevices,themethodproc_createisusedtoprovidethefile- compiledwithGCC,werunafullcompilationandlogallexecuted name.Furthermore,asmentionedinSection3.1,dependingonthe commands. devicetype,thedirectoryinwhichthedevicefileisfoundmay GCC-to-LLVMconversion. Weprocessthelogofexecutedcom- vary. mandsduringthecompilationstepwithaGCC-to-LLVMcommand Given an ioctl handler, we use the following procedure to conversionutilitythatwecreatedforDIFUZE.Thisutilitytrans- identifythecorrespondingdevicename. latescommand-lineflagsfromtheformatexpectedbyGCCtothe (1) First, we search for any LLVM store instruction that is formatexpectedbyLLVMutilitiesandenablesthecompilationof storingtheaddressintooneofthefieldsofanyoperations thekernelsourceviaLLVM.Initscompilation,LLVMgeneratesa structureslistedinAppendixA. bitcodefile[51]foreachsourcefile.Weenabledebuginformation (2) Wethencheckforanyreferencetotheoperationsstructure tobeembeddedinthebitcodefile,whichhelpsusinextractingthe inanyoftheregistrationfunctions[56]. structuredefinitionsasexplainedinSection4.6 (3) Weanalyzetheargumentvalueforthedevicefilenameand returnitifitisaconstant. Bitcodeconsolidation. TheanalysesthatDIFUZEundertakesop- erateoneachdriverseparately.Assuch,weconsolidatethevarious 2Thereareatleast72variationsofthesestructures. In case of the running example, Listing 4, we previously de- sourceoperand(i.e.,thesecondargumentofcopy_from_user)is terminethattheioctlhandlerfunctionisioctl_handler.We notthepassedargumenttotheioctlfunction,sincesuchcase identify that ioctl_handler is stored in the file_operations cannothelpustodeterminetheioctlargumenttype.Ateachof structure(i.e.,driver_ops)atline9(Step1),thencheckforthe theremainingcall-sites,wefindthetypeofthesourceoperand. usageof driver_ops,asparameterforthefunctioncdev_init Thisisthetypedefinitiontowhichtheuserdataargumenttothe atline10(Step2).Thefunctioncdev_addimpliesthatthedevice ioctlhandlermustconform. isacharacterdevice.Webacktracktotheallocationfunctionfor Notethatpointercastingcouldhidetheactualstructuretype. thedevicemetadata(alloc_chrdrv_region)atline7,whosethird Considertherunningexample,wherethecopy_from_userinline argumentisthedevicename,detectitasaconstantstring,and 3ofListing2isreachablefromtheioctlhandler,ioctl_handler return/dev/example_deviceasthedevicename. inListing3frommultiplepaths(likeline16,line21,andline32 →line41).However,theactualtypeofthesourceoperandatthe 1 VOS_INT __init RNIC_InitNetCard(VOS_VOID) { call-siteisvoid *.Inaddition,thecopy_from_userfunctionmight 2 ... resideinawrapperfunctionandbecalledindirectlybytheioctl 3 snprintf(pstDev->name, sizeof(pstDev->name), function(suchasline16inListing3→line3inListing2),which 4 "%s%s", 5 RNIC_DEV_NAME_PREFIX, isdistributedacrossdifferentfunctionsorfiles. 6 g_astRnicManageTbl[ucIndex].pucRnicNetCardName); Tohandlethis,weperforminter-procedural,path-sensitivetype 7 ... propagationtodetermineallthepossibletypesthatmaybeassigned 8 } tothesourceoperandofacopy_to_userfunctionineachpath. Thisgivesusthesetofpossibletypes,foreachgivenpath,ofthe Listing5:DynamicallygenerateddevicenameinRNICdri- veronHuaweiHonorphone.DIFUZEfailstofindthedevice userdataargumenttotheioctlhandler. Toassociatethecommandidentifiertoeachofthesestructure nameforthisdriver. types, we also collect the equality constraints (as explained in Section4.4)alongthepathwhileperformingthetypepropaga- Adrivercouldusedynamicallycreatedfilenames,asshownin tion.Theconstraintsonthecommandvalueonapathreachinga Listing5.Unfortunately,withthelimitationsinherenttostaticanal- copy_from_userfunctionrepresentthepossiblecommandidenti- ysis,wemisssuchfilenamesandmustfallbacktomanualanalysis fiersassociatedwiththestructuretype. (ofcourse,ifwewishtoremainfullyautomatedwecansimply FortherunningexampleinListing3,wefirstidentifyallpaths ignorethesedevices). reachingacopy_from_usercall-site(Notethattheactualcallhap- Next,weproceedontoidentifyingvalidcommandidentifiers pens through the wrapper function copy_from_user_wrapper). acceptedbyagivenioctlhandler. Table 1, column 2 shows all the relevant paths. For brevity, we ignoredthepathsthathavethesameconstraintsoncmdandreach 4.4 CommandValueDetermination thesamecall-site. Giventheioctlhandler,weperformastaticinter-procedural,path- WealsoignorePath6sincethesourceoperandisnottheuser sensitiveanalysistocollectalltheequalityconstraintsonthecmd argument (i.e., at line 49 in Listing 3, the second argument of value(i.e.,thesecondargumentoftheioctl()).WethenuseRange copy_from_user_wrapper is not argp). Finally, for the remain- Analysis[52]torecoverthepossiblevaluesforthecomparison ingpaths,weidentifythetypeofthedestinationoperandofthe operand.InthecaseoftheioctlexampleshowninListing3,we targetcopy_from_usercall-sitetodeterminethecommandvalue collectthefollowingconstraints:cmd == 0x1003(line10),cmd == type.Forexample,forPath1inTable1,thetypeof argpisthe 0x1002(line12)andcmd == 0x1001(line32→Line41).Asthe sameasthedestinationoperandcurr_idxatline16in3,whichis comparisonoperandsareconstants,runningRangeAnalysison definedasuint32_tatline6.Foreachcommandvalue,wemayget themresultsinconstants:0x1003,0x1002and0x1001respectively. multipletypes.Forinstance,asshowninTable1,Path1andPath2 Weconsideronlyequalityconstraintsonthecmdvalue.Based havethesamecmdconstraintvaluesbutdifferentargumenttypes. onourobservationthatalmostallthedriversuseequalitycom- Foreachcommandvalue,weassociateallthepossibleargument parisontocheckforthevalidcommandIDs.Thereexistsspecial types.Forexample,fromTable1,thecommandvalue0x1003can ioctlfunctions,suchasV4L2drivers,inwhichthedriverspecific beassociatedwithargumenttypesuint32_tanduint8_t.Next, functionsarecalledinanestedmannerbyotherdrivers.Weexpand weneedtoextractthearguments’structuredefinitions. oursolutionforthesecasesinAppendixB. 4.5 ArgumentTypeIdentification 4.6 FindingtheStructureDefinition Theioctlcommandidentifiersandthecorrespondingdatastruc- Findingthedefinitionofatyperequiresfindingthedefinitionof turedefinitionshaveamany-to-manyrelationship:eachioctlcom- allthetypesitiscomposedof.Inthecaseofourrunningexample, mandmaytakeseveraldifferentstructures(forexample,basedon inListing1,extractingthedefinitionoftypeDriverStructOne globalconfiguration),andeachcommandstructuremaybepassed requiresextractingthedefinitionsofbothDriverStructTwoand tomultipleioctlcommands.Tofindthesestructures,wefirstiden- DriverSubstructTwo. tifyallthepathstothecopy_from_userfunction,whichtheLinux ForeachofthetypesidentifiedinSection4.5,wefindthesource kernelusestocopydatafromuserspacetokernelspace,suchas filenameofthecorrespondingcopy_from_userfunctionusingthe line16inListing3→line3inListing2.Weignorecall-siteswhose debuginformationcomputedinSection4.1.Knowingthesourcefile, Table1:Relevantpathsfromioctlhandler(ofListing3)toacopy_from_usercall-site Id Path cmdconstraints Resolvedcommandid Userargumenttype 1 Line10→Line11→Line16→Line3(ofListing2) cmd == 0x1003 0x1003 uint32_t 2 Line10→Line11→Line21→Line3(ofListing2) cmd == 0x1003 0x1003 uint8_t 3 Line12→Line16→Line3(ofListing2) cmd == 0x1002 0x1002 uint32_t 4 Line12→Line21→Line3(ofListing2) cmd == 0x1002 0x1002 uint8_t 5 Line30→Line32→Line41→Line3(ofListing2) cmd == 0x1001 0x1001 DriverStructOne 6 Line30→Line32→Line49→Line3(ofListing2) cmd == 0x1001 0x1001 N/A weuseourGCC-to-LLVMpipelinetogeneratethecorresponding 6.1 PointerFixup preprocessedfile.Aspreprocessedfilesshouldcontainadefinition Somestructurescomprisemultiplememoryregionsconnectedby ofalltherequiredtypes,wefindthedefinitionoftheidentified pointers.Tosavespace,thestructuregenerationcomponenttrans- type.Thenwerunc2xml[63]tooltoparsetheCstructdefinition mitsthedifferentmemoryregioninstancesindependently,along intoXMLformatfromwhichtherequireddefinitionofthetypesis withmetadataabouthowtheycanbecombined,andtheon-device extracted. executioncomponentbuildsthecompletestructureusingthisdata. Thispreservesbandwidthbetweentheanalysishostandtarget host,sincethesamedatacanbeusedfordifferentlybuiltstructures. Forexample,sincetheindividualnodesofatreestructurewillbe 5 STRUCTUREGENERATION sentindividually,thesenodescanbeusedtocreatemanydifferent AfterDIFUZErecoverstheioctlinterface,itcanbegingenerating finalconfigurationsofthetreestructure. instancesofstructurestopasstotheon-deviceexecutionengine. Somestructuresarerecursive.Forexample,alinkedlistnodemay The procedure for this is straightforward: DIFUZE instantiates containapointertothenextlinkedlistnode.Tosetaboundonthe structures,fillstheirfieldswithrandomdata,andproperlysets numberofcombinationsofstructuresthattheon-deviceexecution pointerstobuildcomplexinputstoioctls. componentattemptstocreate,DIFUZElimitstherecursionofsuch Type-SpecificValueCreation:Certainvaluesaremorelikely structurestoasetthreshold. totriggerincreasedcodecoveragethanothers.Forexample,buffer lengths in system code are often aligned to bit boundaries (i.e., buffersofsize128,256,andsoon),sovaluesonorjustunderabit 6.2 Execution boundaryaremorelikelytotriggercornercases(suchassingle-byte Withthestructurecreated,DIFUZE’son-deviceexecutioncom- overwritesduetocarelessstringtermination).Thisobservation ponentopenstheappropriatedevicefileandtriggerstheioctl iscommonwisdominthefuzzingcommunity,andpreviouswork systemcallwiththeioctlcommandidentifierandtheproperdata haswidelyusedit[68].DIFUZEleveragesthisconceptaswell,and structure.Atthispoint,DIFUZEwatchesforanybugintheker- favors(butdoesnotconfineitselfto)integersthatareapowerof nel,whichcrashesthetargetdevice.Thisisdonebymaintaining two,onelessthanapoweroftwo,oronegreaterthanapowerof aheartbeatsignalbetweentheanalysishostandthetargethost. twoinitsgeneratedintegers. WhenDIFUZEfindsabug,itlogstheseriesofinputsthathadbeen Therearesomepointersthatreferencedatathatiseitherunstruc- senttothehostdeviceforlaterreproductionandtriage. tured(char *pointers,forexample),orforwhichthestructure definitioncan’tberecovered(void *data).Forthisdata,DIFUZE System restart. When a bug is triggered, the target host will allocatesapageofrandomcontent. eitherbeinaninconsistentstateorwillhavecrashed.Intheformer Sub-structure Generation: Inputs to ioctls often take the case,theon-deviceexecutioncomponenttriggersarebootofthe form of nested structures, where a top-level structure contains device before resuming fuzzing on other ioctl commands and pointers to other structures. DIFUZE generates these structure otherdrivers.Inthelattercase,dependingonthewaythecrash instancesindividuallyandsendsthemtotheon-deviceexecution occurred,thedevicesometimesrestartsitself.Whenthathappens, component.Thiscomponent,inthenextstage,mergesthemintoa DIFUZEcanresumewithoutanalystinteraction.Otherwise,an nestedstructurebeforepassingthemtotheioctlitself. analystwillneedtorebootthedevicebeforefuzzingcanresume. 7 IMPLEMENTATION 6 ON-DEVICEEXECUTION AsshowninFigure1,weengineeredoursystemtobecompletely automated.Theusersimplyprovidesthecompilablekernelsource WhilepriorstagesofDIFUZErunontheanalysishost,theactual archive, connects the target host (i.e., the mobile phone) to the executionof ioctlsmusthappenonthetargethost.Assuch,the analysishost,andstartstheon-deviceexecutioncomponentonthe structuregenerationcomponentsendsthegeneratedstructures, targethost.Afterthat,withasinglecommand,ourentirepipeline alongwiththetargetdevicedriverfilenameandioctlcommand willberun. identifier,totheon-deviceexecutioncomponent.Thiscomponent thenfinalizesthesestructuresandtriggerstheioctl. Interface Extraction: We used LLVM 3.8 to implement the interfaceextractiontechniques.Allcomponentsoftheinterface extractionareimplementedasindividualLLVMpasses.Asmen- Table2:AndroidPhonesUsedinEvaluation(Notethatthe tionedinSection4.4,WeusedanexistingimplementationofRange kernel versions were the latest Android kernels for each Analysis[52]torecovervalidcommandidentifiers. phoneatthetimeofourexperiment) AndroidKernel 7.1 Interface-AwareFuzzing Device Vendor ChipsetVendor Version OurimplementationofSections5and6iscalledMangoFuzz.Man- Pixel Google Qualcomm 3.18 goFuzzisthecombinationofstructuregenerationontheanalysis E9Plus HTC Mediatek 3.10 hostandon-deviceexecutionof ioctls,whichtogetherachieve M9 HTC Qualcomm 3.10 interface-awarefuzzing.Itisanintentionallysimpleprototypede- P9Lite Huawei Huawei 3.10 signedtotesttheeffectivenessofinterface-awarefuzzing,without Honor8 Huawei Huawei 4.1 otheroptimizationsthatcouldinfluencetheresults. GalaxyS6 Samsung Samsung 3.10 MangoFuzzspecificallytargetsioctlsystemcallsonrealAn- XperiaXA Sony Mediatek 3.18 droiddevices.UsingthemethodsdescribedinSection5,itgenerates randomsequencesof ioctlcalls,alongwithassociatedstructures, 100 andsendsthemtotheon-deviceexecutioncomponentrunningon thetargethost. ers90 dl Fora“production-ready”variantofourapproach,wealsoin- an80 h tegratedDIFUZEintosyzkaller,astate-of-the-artLinuxsystem ctl 70 o csiablllefutozozel,r.wThhicishinwteegwrialtlicoonnhtraisbuthteebgaocaklotofcthreeactionmgmthuenbiteystaspoasn- %) of i60 e (50 open-sourceenhancementofsyzkaller. g a SyzkallerisaLinuxsystemcallfuzzer,whichallowsanalyststo ent40 er (manually)providesystemcalldescriptions,afterwhichitwillfuzz e p30 tchaellaasrsgoucmiaetendtssyifscteomrrecsapllo.nSdyiznkgalfloerrmcaantshaarnedmleasntruuaclltyursepseacsifiseydst.eTmo mulativ20 integratewithDIFUZE,weautomaticallyconverttheresultsofour Cu10 InterfaceRecoverysteptotheformatexpectedbysyzkaller,making 0 0 5 10 15 20 25 30 35 40 45 50 55 60 itinterface-aware.Syzkalleristypicallyusedonkernelscompiled Number of valid command identifiers withcoverageinformationandKASAN(oranothermemoryaccess Figure2:CDFofpercentageofioctlhandlerstothenumber sanitizer).However,thereisaconfigurationforrunningonreal, ofvalidcommandidentifiers unmodifiedAndroiddevices,whichcanbeusedforourpurposes. 8 EVALUATION devices.Thenumberofhandlersalsocloselycorrespondtothe To determine the effectiveness of DIFUZE we evaluate both its numberofdriversonthecorrespondingphone. interfacerecoveryandbug-findingcapabilities.Theevaluationis DeviceNameIdentification:Ourapproachfordevicename performedonsevendifferentAndroidphonesfromfiveofthemost identification (Section 4.3) is able to work on different vendor- popularvendors,coveringawiderangeofdevicedrivers.Table2 specific devices. DIFUZE can automatically identify 469 device showsthespecificphonesalongwiththevendorofthechipsets. names,accountingfor59.44%oftheioctlhandlers.Mostofthe First,weevaluatetheeffectivenessandefficiencyoftheinterface identificationfailurescomefromkernelmainlinedrivers.Forex- recovery,asitisthecorecomponentofthesystem.Tovalidate ample,ournamerecoveryononlyvendordriversoftheXperiaXA theresults,wemanuallyanalyzearandomsamplingof ioctls wasabletorecovermorethan90%ofthenames.Thereasonfor and structures and check them against our system’s recovered thisdiscrepancyisthatmainlinedriverstendtousedynamically interfaces.Wethenperformacomparativeevaluationofthebug generatednames(Listing5andSection4.3)whereasvendordrivers finding capabilities of DIFUZE, using both MangoFuzz and our tendtousestaticnames.Wemanuallyextractedthosedynamically improvementstosyzkallerasthefuzzingcomponent. createddevicenames. Valid Command Identifiers: The fourth column of Table 3 showsthenumberofvalidcommandidentifiersextractedacross 8.1 InterfaceExtractionEvaluation alltheentrypointsofthecorrespondingkernels.Intotal,DIFUZE Allthestepsofinterfaceextractionarerunonthesameexperiment found3,565validcommandidentifiersacrossallthedriversofall platform,amachinewithanIntelXeonCPUE5-2690(3.00GHz) kernels.Thenumbersofvalidcommandidentifiersvaryconsider- runningUbuntu16.04.2LTS.Onaverage,ittook55.74minutesto ablyacrossdifferentkernels.AswewillshowinTables3and5,the completetheentireinterfaceextractionphaseforakernel. numberofcrashesthefuzzerfoundispositivelycorrelatedwith Weevaluatetheeffectivenessofdifferentstepsofourinterface thenumberofvalidcommandidentifiers. extractiononthekernelsofthedeviceslistedinTable2.Table3 Figure2showsthedistributionofthenumberofvalidcommand showstheinterfaceextractionresultsondifferentkernels.DIFUZE identifiersperioctlhandler.11%oftheioctlhandlersdonot identified a total of 789 ioctl handlers in the kernels of seven expectanycommand.Thecodeoftheseioctlsisconditionally Table3:InterfacesrecoveredbyDIFUZEondifferentkernelsofthePhones. ioctl DeviceNames ValidCommand UserArgumentTypes handlers AutomaticallyIdentified Identifiers nocopy_from_user Scalar Struct Structwithpointers Pixel 193 136 611 270 87 151 103 E9Plus 77 36 610 272 101 195 42 M9 171 122 563 216 83 149 115 P9Lite 71 30 384 187 56 118 23 Honor8 86 33 376 208 70 87 11 GalaxyS6 106 70 364 243 23 67 31 XperiaXA 85 42 657 292 106 194 65 Total 789 469 3,565 1,688 526 961 390 compiledandguardedbykernelconfigurations.Duringourcom- toeffectivelyfuzzwithouttheargumenttypeinformation,because pilation,theioctlhandlercodeisdisabled,sothecorresponding theuserargumentisexpectedtopointtoastructure,whichitself ioctlhandlerappearsemptyinthegeneratedbitcodefile,which containspointers(whichshouldalsobevalidpointers). leadstozerocommandvalueinourcommandidentificationprocess. RandomSamplingVerification:Wepickedarandomsample Thereare50%oftheioctlhandlersthatexpectasinglecommand offiveioctlsforeachofthesevenAndroidphonesinourtestset identifier.Mostofthemareattributedtothev4l2_ioctl_ops.As andmanuallyverifiedthattheextractedtypeswerecorrect.These explainedinAppendixB,thesearenestedhandlersthatmanage 35ioctlshadatotalof327commands,ofwhichwecorrectly a (single) specific command. The majority (98.3%) of the ioctl identifiedtheargumentandcommandsfor294ofthem,yieldinga handlershavelessthan20validcommandidentifiers.Wemanually 90%accuracy. investigatetherest(1.7%)oftheioctlswithmorethan20com- mandidentifiers,andfindthatourapproachoverapproximatesthe 8.2 EvaluationSetup functionpointersforsomeoftheioctlfunctions.Althoughsuch TodeterminehowwellDIFUZEcanfindactualbugsindevicedri- overestimationcausesextrainvalidfuzzunitsinoursubsequent vers,andtheeffectsofusingtheextractedinterfaceinformation fuzzingsteps,ithasmarginalimpactontheoverallperformance onthisability,wetestitbothusingourprototypefuzzer,Man- (especiallygiventhatwehaveasmallpercentageofsuchcases). goFuzz,andusingsyzkaller.WewillusetheidentifiersDIFUZEm Userargumenttypes:ThelastfourcolumnsinTable3show andDIFUZEs torepresentDIFUZEwhenitisusingMangoFuzz howanargumentpassedbytheuser(thirdargumenttotheioctl andsyzkaller,respectively,asthefuzzingandon-deviceexecution handler)istreated. component.Additionally,weevaluatethesystembyvaryingthe For 1,688 (47%) of command identifiers, we do not find any amountoftheinterfacethatweprovidetosyzkaller;thisway,we copy_from_user.Thisplacesusinoneoftwocategories.(1)the canexaminehowdifferentlevelsofinterfaceextractioninfluence userargumentistreatedasCtypelong,andthusargumenttype the results. Specifically, we run the following configurations of identificationisnotneededsincetheuserargumentistreatedasa DIFUZE: rawvalue(andhencenocopy_from_userispresent).(2)Or,there isinsteadacopy_to_user,wheretheuserismeanttosupplya Syzkallerbase. Wespecifythatsyzkallershouldonlyfuzzusing pointertosometypeforwhichthekernelwillcopyinformation thesystemcallsopen()(toopenthedevicefiles)andioctl totheuser.Wedonotcareabouttypeidentificationhereeither,as (totriggerioctlhandlers).Itsdefaultconfigurationcon- thekernelwillnotbeprocessingtheuserdata. tainsseveralstandarddevicefilenamesandthestructuresof Fortherest1,877(53%)ofthecommandidentifiers,theuser somestandardtypesalongwithioctlsforcommonLinux argumentisexpectedtobeapointertoaspecificdatatype.i.e.,a devices. copy_from_usercallshouldbeusedtocopythedata.Suchpointer Syzkaller+path. Inthisconfiguration,weaddthespecifications argumentscanbefurthercategorizedasthefollowingthreecases. ofextracteddriverpathswhichsyzkallershouldtrytofuzz. (i)526(15%)ofthecommandidentifiersexpectascalarpointer However,therestoftheinterfaceinformationisnotpro- argument,Forexample,inourrunningcase,asshowninTable1, vided. commandIDs0x1003and0x1002belongstothiscategorysince DIFUZEi. Here,theextractedinterfaceinformationofthedevice theyexpecttheuserargumentpointingtoscalartypesuint32_t pathsandioctlsisusedwithsyzkallerasthefuzzer.We oruint8_t.(ii)961(30%)ofthecommandidentifiersexpectthe expectthatthisconfigurationwouldbeabletotriggerioctl userargumenttopointtoaCstructurewithnoembeddedpoint- commandhandling,butwillbeunabletoexplorecodethat ers.e.g.,DriverStructTwoinListing1.(iii)For390(11%)ofthe handlescomplexstructures. commandidentifiers,thedatetypeisaCstructurewhichcontains DIFUZEs. Thisconfigurationintegratesalloftheinterfacerecov- embeddedpointers.Inthecaseofourrunningexample,asshown ery,includingautomaticidentificationofioctlargument inTable1,commandID0x1001belongtothiscategoryandexpects structureformats,withsyzkaller.Weexpectthistobethe theuserargumenttopointtoDriverStructOne,whichcontains best-performingconfiguration,asitisabletoleveragemany embeddedpointers(Listing1).Thesecommandsareextremelyhard oftheoptimizationsfoundinsyzkaller.