Agamotto: Accelerating kernel driver fuzzing with lightweight virtual machine checkpoints

Dokyung Song; Felicitas Hetzelt; Jonghwan Kim; Brent Byunghoon Kang; Jean Pierre Seifert; Michael Franz

Agamotto: Accelerating kernel driver fuzzing with lightweight virtual machine checkpoints

Dokyung Song, Felicitas Hetzelt, Jonghwan Kim, Brent Byunghoon Kang, Jean Pierre Seifert, Michael Franz

College of Computing

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

26 Citations (Scopus)

Abstract

Kernel-mode drivers are challenging to analyze for vulnerabilities, yet play a critical role in maintaining the security of OS kernels. Their wide attack surface, exposed via both the system call interface and the peripheral interface, is often found to be the most direct attack vector to compromise an OS kernel. Researchers therefore have proposed many fuzzing techniques to find vulnerabilities in kernel drivers. However, the performance of kernel fuzzers is still lacking, for reasons such as prolonged execution of kernel code, interference between test inputs, and kernel crashes. This paper proposes lightweight virtual machine checkpointing as a new primitive that enables high-throughput kernel driver fuzzing. Our key insight is that kernel driver fuzzers frequently execute similar test cases in a row, and that their performance can be improved by dynamically creating multiple checkpoints while executing test cases and skipping parts of test cases using the created checkpoints. We built a system, dubbed Agamotto, around the virtual machine checkpointing primitive and evaluated it by fuzzing the peripheral attack surface of USB and PCI drivers in Linux. The results are convincing. Agamotto improved the performance of the state-of-the-art kernel fuzzer, Syzkaller, by 66.6% on average in fuzzing 8 USB drivers, and an AFL-based PCI fuzzer by 21.6% in fuzzing 4 PCI drivers, without modifying their underlying input generation algorithm.

Original language	English
Title of host publication	Proceedings of the 29th USENIX Security Symposium
Publisher	USENIX Association
Pages	2541-2557
Number of pages	17
ISBN (Electronic)	9781939133175
Publication status	Published - 2020
Event	29th USENIX Security Symposium - Virtual, Online Duration: 2020 Aug 12 → 2020 Aug 14

Publication series

Name	Proceedings of the 29th USENIX Security Symposium

Conference

Conference	29th USENIX Security Symposium
City	Virtual, Online
Period	20/8/12 → 20/8/14

Bibliographical note

Funding Information:
The authors would like to thank our shepherd, Manuel Egele, and the anonymous reviewers for their valuable feedback. The authors also thank Paul Kirth for his help with proofreading this paper. This material is based upon work partially supported by the Defense Advanced Research Projects Agency under contracts FA8750-15-C-0124 and FA8750-15-C-0085, by the United States Office of Naval Research under contract N00014-17-1-2782, by the National Science Foundation under awards CNS-1619211 and CNS-1513837, by the European Commission under the Horizon 2020 Programme (H2020) as part of the LOCARD project (G.A. no. 832735), by the IITP under contract 20190015700021001, and by the NRF under contract 2017R1A2B3006360. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of our funding agencies.

Publisher Copyright:
© 2020 by The USENIX Association. All Rights Reserved.

All Science Journal Classification (ASJC) codes

Computer Networks and Communications
Information Systems
Safety, Risk, Reliability and Quality

Cite this

@inproceedings{ba6b928147f341bb866884b9239bbaf7,

title = "Agamotto: Accelerating kernel driver fuzzing with lightweight virtual machine checkpoints",

abstract = "Kernel-mode drivers are challenging to analyze for vulnerabilities, yet play a critical role in maintaining the security of OS kernels. Their wide attack surface, exposed via both the system call interface and the peripheral interface, is often found to be the most direct attack vector to compromise an OS kernel. Researchers therefore have proposed many fuzzing techniques to find vulnerabilities in kernel drivers. However, the performance of kernel fuzzers is still lacking, for reasons such as prolonged execution of kernel code, interference between test inputs, and kernel crashes. This paper proposes lightweight virtual machine checkpointing as a new primitive that enables high-throughput kernel driver fuzzing. Our key insight is that kernel driver fuzzers frequently execute similar test cases in a row, and that their performance can be improved by dynamically creating multiple checkpoints while executing test cases and skipping parts of test cases using the created checkpoints. We built a system, dubbed Agamotto, around the virtual machine checkpointing primitive and evaluated it by fuzzing the peripheral attack surface of USB and PCI drivers in Linux. The results are convincing. Agamotto improved the performance of the state-of-the-art kernel fuzzer, Syzkaller, by 66.6% on average in fuzzing 8 USB drivers, and an AFL-based PCI fuzzer by 21.6% in fuzzing 4 PCI drivers, without modifying their underlying input generation algorithm.",

author = "Dokyung Song and Felicitas Hetzelt and Jonghwan Kim and Kang, {Brent Byunghoon} and Seifert, {Jean Pierre} and Michael Franz",

note = "Funding Information: The authors would like to thank our shepherd, Manuel Egele, and the anonymous reviewers for their valuable feedback. The authors also thank Paul Kirth for his help with proofreading this paper. This material is based upon work partially supported by the Defense Advanced Research Projects Agency under contracts FA8750-15-C-0124 and FA8750-15-C-0085, by the United States Office of Naval Research under contract N00014-17-1-2782, by the National Science Foundation under awards CNS-1619211 and CNS-1513837, by the European Commission under the Horizon 2020 Programme (H2020) as part of the LOCARD project (G.A. no. 832735), by the IITP under contract 20190015700021001, and by the NRF under contract 2017R1A2B3006360. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of our funding agencies. Publisher Copyright: {\textcopyright} 2020 by The USENIX Association. All Rights Reserved.; 29th USENIX Security Symposium ; Conference date: 12-08-2020 Through 14-08-2020",

year = "2020",

language = "English",

series = "Proceedings of the 29th USENIX Security Symposium",

publisher = "USENIX Association",

pages = "2541--2557",

booktitle = "Proceedings of the 29th USENIX Security Symposium",

}

Agamotto: Accelerating kernel driver fuzzing with lightweight virtual machine checkpoints. / Song, Dokyung; Hetzelt, Felicitas; Kim, Jonghwan et al.
Proceedings of the 29th USENIX Security Symposium. USENIX Association, 2020. p. 2541-2557 (Proceedings of the 29th USENIX Security Symposium).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Agamotto

T2 - 29th USENIX Security Symposium

AU - Song, Dokyung

AU - Hetzelt, Felicitas

AU - Kim, Jonghwan

AU - Kang, Brent Byunghoon

AU - Seifert, Jean Pierre

AU - Franz, Michael

N1 - Funding Information: The authors would like to thank our shepherd, Manuel Egele, and the anonymous reviewers for their valuable feedback. The authors also thank Paul Kirth for his help with proofreading this paper. This material is based upon work partially supported by the Defense Advanced Research Projects Agency under contracts FA8750-15-C-0124 and FA8750-15-C-0085, by the United States Office of Naval Research under contract N00014-17-1-2782, by the National Science Foundation under awards CNS-1619211 and CNS-1513837, by the European Commission under the Horizon 2020 Programme (H2020) as part of the LOCARD project (G.A. no. 832735), by the IITP under contract 20190015700021001, and by the NRF under contract 2017R1A2B3006360. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of our funding agencies. Publisher Copyright: © 2020 by The USENIX Association. All Rights Reserved.

PY - 2020

Y1 - 2020

N2 - Kernel-mode drivers are challenging to analyze for vulnerabilities, yet play a critical role in maintaining the security of OS kernels. Their wide attack surface, exposed via both the system call interface and the peripheral interface, is often found to be the most direct attack vector to compromise an OS kernel. Researchers therefore have proposed many fuzzing techniques to find vulnerabilities in kernel drivers. However, the performance of kernel fuzzers is still lacking, for reasons such as prolonged execution of kernel code, interference between test inputs, and kernel crashes. This paper proposes lightweight virtual machine checkpointing as a new primitive that enables high-throughput kernel driver fuzzing. Our key insight is that kernel driver fuzzers frequently execute similar test cases in a row, and that their performance can be improved by dynamically creating multiple checkpoints while executing test cases and skipping parts of test cases using the created checkpoints. We built a system, dubbed Agamotto, around the virtual machine checkpointing primitive and evaluated it by fuzzing the peripheral attack surface of USB and PCI drivers in Linux. The results are convincing. Agamotto improved the performance of the state-of-the-art kernel fuzzer, Syzkaller, by 66.6% on average in fuzzing 8 USB drivers, and an AFL-based PCI fuzzer by 21.6% in fuzzing 4 PCI drivers, without modifying their underlying input generation algorithm.

AB - Kernel-mode drivers are challenging to analyze for vulnerabilities, yet play a critical role in maintaining the security of OS kernels. Their wide attack surface, exposed via both the system call interface and the peripheral interface, is often found to be the most direct attack vector to compromise an OS kernel. Researchers therefore have proposed many fuzzing techniques to find vulnerabilities in kernel drivers. However, the performance of kernel fuzzers is still lacking, for reasons such as prolonged execution of kernel code, interference between test inputs, and kernel crashes. This paper proposes lightweight virtual machine checkpointing as a new primitive that enables high-throughput kernel driver fuzzing. Our key insight is that kernel driver fuzzers frequently execute similar test cases in a row, and that their performance can be improved by dynamically creating multiple checkpoints while executing test cases and skipping parts of test cases using the created checkpoints. We built a system, dubbed Agamotto, around the virtual machine checkpointing primitive and evaluated it by fuzzing the peripheral attack surface of USB and PCI drivers in Linux. The results are convincing. Agamotto improved the performance of the state-of-the-art kernel fuzzer, Syzkaller, by 66.6% on average in fuzzing 8 USB drivers, and an AFL-based PCI fuzzer by 21.6% in fuzzing 4 PCI drivers, without modifying their underlying input generation algorithm.

UR - http://www.scopus.com/inward/record.url?scp=85091940627&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85091940627&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85091940627

T3 - Proceedings of the 29th USENIX Security Symposium

SP - 2541

EP - 2557

BT - Proceedings of the 29th USENIX Security Symposium

PB - USENIX Association

Y2 - 12 August 2020 through 14 August 2020

ER -

Agamotto: Accelerating kernel driver fuzzing with lightweight virtual machine checkpoints

Abstract

Publication series

Conference

Bibliographical note

All Science Journal Classification (ASJC) codes

Other files and links

Fingerprint

Cite this