Fuzzing Linux Drivers
Also, was designed to infect air-gapped machines by first infecting USB drives that were previously plugged into an infected machine. Konovalov reported the first of the 79 bugs to relevant parties in December last year via a Google Groups mailing list, and has continued to update the group with new findings throughout this year. Notified parties included Google, Linux kernel developers, Intel and The Linux Foundation.
This reporting may explain why Linus Torvalds doing 'targeted fuzzing of driver subsystems' for helping find security issues. Fuzzing involves throwing large volumes of random code at a target piece of software in an attempt to cause crashes. Many of the bugs Konovalov circulated to the mailing list were reported in September and October, of the kernel version 4.14 and fixed by Linux kernel developers during the development process.
Konovalov's syzkaller reports are keeping kernel developers busy. Several of the latest USB bugs that Konovalov reported affected Linux 4.14 release candidate (RC) 8. Torvalds, and by Monday Konovalov had found a USB bugs, some of which have been fixed and. Torvalds said Linux 4.14.0 should be released next Sunday.
Konovalov earlier this year in the Linux kernel using the same fuzzing tool. Linux kernel founder Linus Torvalds recently credited people doing 'targeted fuzzing of driver subsystems' for helping find security issues. Image: Aalto University/YouTube Previous and related coverage Linux 4.14 release candidate five is out. 'Go out and test,' says Linus Torvalds.
Google's Project Zero releases the open-source tool it used to find new bugs in major browsers. Google fuzzer helps find 11-year-old memory-corruption flaw in the Linux kernel. Read more about Linux security.
Related Topics. By registering you become a member of the CBS Interactive family of sites and you have read and agree to the, and.
You agree to receive updates, alerts and promotions from CBS and that CBS may share information about you with our marketing partners so that they may contact you by email or otherwise about their products or services. You will also receive a complimentary subscription to the ZDNet's Tech Update Today and ZDNet Announcement newsletters. You may unsubscribe from these newsletters at any time.
ACCEPT & CLOSE.
I’ve been thinking about what would be the best way to fuzz-test a Linux kernel module, for example a filesystem. Of course this can be done in the context of a live kernel, but for a variety of reasons I’d prefer to run the LKM in user space. At the source level, the interface to an LKM seems a little hairy, but at the object level they are really simple. So, a reasonable approach would seem to be to write a user-space loader for compiled LKMs and then just call the object code directly. At that point it would become necessary to write a set of shims to support each class of device driver and then fuzzing could start. Anyway, I’m curious to see what people think about this idea before I go off and hack.
I did some random web searching and didn’t turn up an existing implementation of this idea, though of course there are plenty of resources on testing various parts of Linux. I’ve never thought of the kernel’s object ABI (symbols exported to modules) as really simple. The interface is big and changes often, though the changes wouldn’t affect you if you only need to target one version of a driver. I think I’d start with User-Mode Linux.
It should take care of the ABI while giving you the flexibility of user space. In particular, the ability to fork, try some fuzz, then just exit and go back to the fork when something fails is pretty appealing. There’s definitely some prior work in checking file systems using model checking: Junfeng Yang (with Dawson Engler) got a best paper award for it at OSDI04. There’s at least a bit of overlap between fuzz testing and model checking. Have you fuzz tested any drivers before? I have, for BlueStripe. One lesson you learn pretty quickly is that drivers have a long initialization phase, and if you fuzz test the whole driver source uniformly, you’ll usually never make it through initialization.
So we ended up setting separate fault rates for initialization and steady state. I’ll be interested to hear how this turns out. For filesystems, I would suggest writing a fuzz module for device-mapper, wrap it around a filesystem, and mount it with a normal kernel. You’d probably want to run the kernel in some kind of virtual machine (or UML) in order to capture as much useful information as possible when things go wrong (I have no doubts they will). The networking stack should be fairly simple to fuzz test using raw sockets (or regular sockets to test only the higher levels). Device drivers could perhaps be tested by running in an emulator (e.g.
Fuzzing Tutorial
Qemu) modified to corrupt accesses. Although it would not accurately emulate genuinely broken hardware, it should still prove interesting. At this level the question arises of just how robust a driver should be expected to be. If the hardware is actually broken, you probably have bigger problems. Hi Patrick, thanks for the comments and good to hear from you. The UML idea has appeal, but doesn’t help with unit-testing of drivers, which is what I’m after here.
I’ve fuzzed drivers but it was a while ago, and using some source-level scaffolding that I found cumbersome. Little fighter 2 1.9c.exe. Also, much more recently I’ve done some fuzzing at the system call level and found it pretty frustrating — very hard to drive execution into interesting dark corners.
Hmm, some of the fs modules have a lot of entry/exit points. What would XFS be doing with almost 2000 external symbols?
Regehr@home:/linux/fs$ for file in $( find. First, I second the suggestion to build such a system on top of UML, which will give you all of the convenience of developing the fuzzer and running it in user space, with the utility of running unmodified kernel modules. Second, have you looked at DDT1 as a possible basis for this work? If memory serves, DDT uses selective symbolic execution to exercise many driver paths and looks for abnormal behavior.
Fuzzing Linux Drivers Windows 10
It works on binary-only drivers, so no source is required. It would be interesting to see if fuzzing could find additional bugs beyond those found by their selective symbolic execution. Kuznetsov, V. Chipounov, and G. Testing Closed-Source Binary Device Drivers with DDT. In USENIX Annual Technical Conference, 2010.
Actually, we did something similar together with Cadence a couple of years ago, where we used virtual platforms to control the hardware side of things and a test runner to control the user-code calling into the driver. With some directed random testing from Incisive ISX.
If you use a virtual platform, you gain two things:. Control over hardware that lets you inject faults, control latencies (making a device really fast or really slow reveals bad driver code real easy, see for example ).
Fuzzing Linux Drivers Windows 7
Use checkpoints to restart tests from a known state with a loaded driver in no time at all, and save progress points as you keep on testing The big question is just what to fuzz, and at which end of the driver.