MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation. Shankara Pailoor, Andrew Aday, Suman Jana Columbia University

Similar documents
MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation

API 퍼징을통한취약점탐지 카이스트 차상길

Memory management. Johan Montelius KTH

Secure Software Development: Theory and Practice

Module: Future of Secure Programming

CSE 333 SECTION 3. POSIX I/O Functions

Files and File Systems

CS 471 Operating Systems. Yue Cheng. George Mason University Fall 2017

File Descriptors and Piping

Software Security: Buffer Overflow Attacks

Processes often need to communicate. CSCB09: Software Tools and Systems Programming. Solution: Pipes. Recall: I/O mechanisms in C

CSE509 Spring 2007 Midterm Exam. Electronic devices, including calculators, cell phones, mp3 players, and laptops are all prohibited.

CSE 565 Computer Security Fall 2018

CSE 333 SECTION 3. POSIX I/O Functions

Unleashing D* on Android Kernel Drivers. Aravind Machiry

Section 3: File I/O, JSON, Generics. Meghan Cowan

Operating System Labs. Yuanbin Wu

Fuzzing AOSP. AOSP for the Masses. Attack Android Right Out of the Box Dan Austin, Google. Dan Austin Google Android SDL Research Team

Static Vulnerability Analysis

CYSE 411/AIT681 Secure Software Engineering Topic #10. Secure Coding: Integer Security

2/9/18. Readings. CYSE 411/AIT681 Secure Software Engineering. Introductory Example. Secure Coding. Vulnerability. Introductory Example.

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge

Fault Injection in System Calls

Fall 2017 :: CSE 306. File Systems Basics. Nima Honarmand

pthreads CS449 Fall 2017

File Systems. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Applications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)

Fundamentals of Computer Security

ECE454 Tutorial. June 16, (Material prepared by Evan Jones)

Lab 09 - Virtual Memory

ECE 650 Systems Programming & Engineering. Spring 2018

Introduction to File Systems. CSE 120 Winter 2001

Man-In-The-Disk. Slava Makkaveev DEF CON 2018

Module: Future of Secure Programming

Software Security: Buffer Overflow Defenses and Miscellaneous

CS 550 Operating Systems Spring System Call

KLEE Workshop Feeding the Fuzzers. with KLEE. Marek Zmysłowski MOBILE SECURITY TEAM R&D INSTITUTE POLAND

Runtime Defenses against Memory Corruption

CSE 410: Systems Programming

Basic OS Progamming Abstrac7ons

How Double-Fetch Situations turn into Double-Fetch Vulnerabilities:

OS COMPONENTS OVERVIEW OF UNIX FILE I/O. CS124 Operating Systems Fall , Lecture 2

About unchecked management SMM & UEFI. Vulnerability. Patch. Conclusion. Bruno Pujos. July 16, Bruno Pujos

Basic OS Progamming Abstrac2ons

Ricardo Rocha. Department of Computer Science Faculty of Sciences University of Porto

Memory Mapping. Sarah Diesburg COP5641

CSC369 Lecture 2. Larry Zhang

COSC Operating Systems Design, Fall Lecture Note: Unnamed Pipe and Shared Memory. Unnamed Pipes

Final Exam. Fall Semester 2016 KAIST EE209 Programming Structures for Electrical Engineering. Name: Student ID:

Basic OS Programming Abstractions (and Lab 1 Overview)

Inter-Process Communication. Disclaimer: some slides are adopted from the book authors slides with permission 1

Process Creation in UNIX

Operating System Labs. Yuanbin Wu

Software Security: Miscellaneous

Files. Eric McCreath

Program Security and Vulnerabilities Class 2

Chapter 2: System Structures

Software Security: Buffer Overflow Defenses

Exception-Less System Calls for Event-Driven Servers

NPTEL Course Jan K. Gopinath Indian Institute of Science

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Large Systems: Design + Implementation: Communication Coordination Replication. Image (c) Facebook

Networked Applications: Sockets. End System: Computer on the Net

EECS 3221 Operating System Fundamentals

EECS 3221 Operating System Fundamentals

CSC369 Lecture 2. Larry Zhang, September 21, 2015

IntFlow: Integer Error Handling With Information Flow Tracking

EXPLODE: a Lightweight, General System for Finding Serious Storage System Errors. Junfeng Yang, Can Sar, Dawson Engler Stanford University

Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing

CSE 509: Computer Security

we are here I/O & Storage Layers Recall: C Low level I/O Recall: C Low Level Operations CS162 Operating Systems and Systems Programming Lecture 18

Software Security: Misc and Principles

Prepared by Prof. Hui Jiang Process. Prof. Hui Jiang Dept of Electrical Engineering and Computer Science, York University

EFFECTIVE PROGRAMMING TECHNIQUES less watts

(Early) Memory Corruption Attacks

CMPSC 497 Buffer Overflow Vulnerabilities

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

RCU. ò Walk through two system calls in some detail. ò Open and read. ò Too much code to cover all FS system calls. ò 3 Cases for a dentry:

Process. Prepared by Prof. Hui Jiang Dept. of EECS, York Univ. 1. Process in Memory (I) PROCESS. Process. How OS manages CPU usage? No.

VFS, Continued. Don Porter CSE 506

Computer Networks Prof. Ashok K. Agrawala

ECE 471 Embedded Systems Lecture 22

Implementation of Pipe under C in Linux. Tushar B. Kute,

we are here Page 1 Recall: How do we Hide I/O Latency? I/O & Storage Layers Recall: C Low level I/O

Real-World Buffer Overflow Protection in User & Kernel Space

W4118: OS Overview. Junfeng Yang

Contents. IPC (Inter-Process Communication) Representation of open files in kernel I/O redirection Anonymous Pipe Named Pipe (FIFO)

Lecture 21 Systems Programming in C

CSE 565 Computer Security Fall 2018

Linux Kernel Futex Fun: Exploiting CVE Dougall Johnson

Introduction to pthreads

Trinity A Linux kernel fuzz tester.

CSMC 412. Computer Networks Prof. Ashok K Agrawala Ashok Agrawala Set 2. September 15 CMSC417 Set 2 1

Applications of. Virtual Memory in. OS Design

Finding User/Kernel Pointer Bugs with Type Inference p.1

lpengfei Ding & Chenfu Bao lsecurity Researcher & Baidu X-Lab lfocused on Mobile, IoT and Linux kernel security

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Interprocess Communication

Thwarting unknown bugs: hardening features in the mainline Linux kernel

Files and File Systems

Transcription:

MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation Shankara Pailoor, Andrew Aday, Suman Jana Columbia University 1

OS Fuzzing Popular technique to find OS vulnerabilities Primarily tests system-call interface Can be invoked by untrusted user programs Large surface area for attack 2

OS Fuzzing - Overview Seeds fd = open( ) write(fd, ) close(fd) Synthetic Programs Fuzzer OS Feedback 3

OS Fuzzing - Overview Seeds fd = open( ) write(fd, ) close(fd) Synthetic Programs Fuzzer OS Feedback 4

Synthetic Program Generation Goal Maximize code coverage Random generation alone is unlikely to succeed #include <unistd.h> Linux Programmer s Manual size_t write(int fd, const void *buf, size_t count); Opened with write permissions Valid userspace pointer 5

Synthetic Program Generation Goal Maximize code coverage Random generation alone is unlikely to succeed o Fuzzer must track and maintain system-call dependencies 6

Synthetic Program Generation Goal Maximize code coverage Random generation alone is unlikely to succeed o Fuzzer must track and maintain system-call dependencies State-of-the-art Thousands of hardcoded rules!! resource fd[int32] open(file ptr[in], ) fd write(f fd, buf buffer[in], count len[buf]) 7

Synthetic Program Generation Goal Maximize code coverage Random generation alone is unlikely to succeed o Fuzzer must track and maintain system-call dependencies State-of-the-art Templates with thousands of manual rules Hard to scale 8

MoonShine Real Program Traces Distilled Seeds 9

Trace Distillation vs. User-Level Seed Selection MinSet (Sec 14) o o o Afl-tmin o o o Find smallest subset with most coverage Subset of traces is not good enough! L Subset of calls is better but we need dependencies! Dynamically removes blocks of data while preserving coverage Prohibitively slow with traces! Doesn t scale Needs to understand system call dependencies! 10

Distillation Challenges Minimize trace sizes Track dependencies 11

Why does trace size matter? Fuzzer performance tied to program size (# calls) Measured against Syzkaller 10 second trace of Chromium contains 462,225 calls!! Traces can t be directly used as seeds 12

Trace Distillation Goal Minimize the traces while preserving coverage strace /bin/ls Total Calls 359 New Coverage 35 10x reduction Strategy Select calls that contribute most coverage 13

Explicit Dependencies o Dependencies Shared state passed through arguments Implicit Dependencies o Modify shared kernel data structure 14

Explicit Dependencies Call A is explicitly dependent on call B if B produces a result used by A 3 = open( /tmp/file0.txt, O_WRONLY) 16 = write(3, somerandomtext\n, 16) 15

Implicit Dependencies Call A is implicitly dependent on Call B if B affects the execution of A by modifying a shared kernel data structure mlockall(intlock_flags) int mlockall( ) { void mlock_fixup_lock { if (lock) vma->vm_flags = lock_flags } msync(void *addr, size_t length, intflags) int msync( ) { if (vma->vm_flags & VM_LOCKED) error = -EBUSY } 16

Tracking Explicit Dependencies Statically analyze trace Return Cache: Map<(Type, Ret-Val), List<Call>> o data type or semantic type (e.g., file descriptor) If (type, value) key in Return Cache, then every call that returned this key is marked as explicit dependency. 17

Tracking Implicit Dependencies Control and Data Flow Analysis Call c uses shared variable v in conditional c is read dependent on v Call c writes to shared variable v c is write dependent on v Call B Write Read Call A If (Overlap!= NULL) => Implicit Dependency 18

Working Example Trace Excerpt Distilled Trace mlockall(mcl_future) 3 = open( ) 0x7b2000 = mmap(null,, 3, 0) 0x7b3000 = mmap(null,, 3, 0) 0x7b4000 = mmap(null,, 3, 0) -EBUSY = msync(0x7b2000,, MS_INVALIDATE) 5 = write(1, Hello, 5) 3 = write(1, abc, 3) 19

Working Example Trace Excerpt Distilled Trace mlockall(mcl_future) 3 = open( ) 0x7b2000 = mmap(null,, 3, 0) 0x7b3000 = mmap(null,, 3, 0) 0x7b4000 = mmap(null,, 3, 0) -EBUSY = msync(0x7b2000,, MS_INVALIDATE) 5 = write(1, Hello, 5) 3 = write(1, abc, 3) 20

Working Example Trace Excerpt Distilled Trace mlockall(mcl_future) 3 = open( ) 0x7b2000 = mmap(null,, 3, 0) 0x7b3000 = mmap(null,, 3, 0) 0x7b4000 = mmap(null,, 3, 0) -EBUSY = msync(0x7b2000,, MS_INVALIDATE) 5 = write(1, Hello, 5) 3 = write(1, abc, 3) 21

Working Example Explicit Dependencies Trace Excerpt Distilled Trace mlockall(mcl_future) 3 = open( ) 0x7b3000 = mmap(null,, 3, 0) 0x7b4000 = mmap(null,, 3, 0) 3 = write(1, abc, 3) 0x7b2000 = mmap(null,, 3, 0) -EBUSY = msync(0x7b2000,, MS_INVALIDATE) 5 = write(1, Hello, 5) Explicit Dependencies 22

Working Example Implicit Dependencies Trace Excerpt Distilled Trace mlockall(mcl_future) 0x7b3000 = mmap(null,, 3, 0) 0x7b4000 = mmap(null,, 3, 0) 3 = write(1, abc, 3) 3 = open( ) 0x7b2000 = mmap(null,, 3, 0) -EBUSY = msync(0x7b2000,, MS_INVALIDATE) 5 = write(1, Hello, 5) Implicit Dependencies 23

Implementation Linux Kernel Syzkaller OS Fuzzer (Google) Strace System-call traces Kcov Coverage Smatch Static analysis framework o o Read deps. with Condition Hook Write deps. with Unary Op and Assign. Hooks 2580 lines of Golang and 640 lines of C 24

Evaluation - Setup Seed Source Number of Traces Glibc Testsuite 1120 Linux Kernel Selftests 55 Linux Testing Project (LTP) 390 Open Posix Testsuite 1630 25

New Vulnerabilities 26

13.1% coverage increase over default Syzkaller with implicit + explicit 9.7% coverage increase over default Syzkaller with only explicit Coverage Improvement 27

Effectiveness of Distillation Total Calls After Distillation Comparison Coverage Preserved 2,900,000 16,400 176x reduction 86% 28

Vulnerability Discovered By MoonShine 29

Exhibit: Buffer Overflow in inotify (CVE-2017-7533) CPU 1 CPU 2 inotify_handle_event(..., file_name) { //file_name is currently HelloWorld len = strlen(file_name); alloc_len += len + 1; event = kmalloc(alloc_len, GFP_KERNEL); Privilege Escalation sys_rename(..., new_name) { //new_name is LongFileName copy_name(file_name, new_name) //file_name changed to LongFileName } } strcpy(event->name, file_name); //strcpy will now overflow event 30

Exhibit: Buffer Overflow in inotify (CVE-2017-7533) Seed Distilled by MoonShine 1: mmap(...) 2: r0 = inotify_init () 3: r1 = inotify_add_watch(r0,., 0xfff) 4: chmod(., 0x1ed) 5: r2 = creat( short1, 0x1ed) 6: close(r2) 7: rename( short1, short2 ) 8: close(r0) 31

Exhibit: Buffer Overflow in inotify (CVE-2017-7533) Seed Distilled by MoonShine 1: mmap(...) 2: r0 = inotify_init () 3: r1 = inotify_add_watch(r0,., 0xfff) 4: chmod(., 0x1ed) 5: r2 = creat( short1, 0x1ed) 6: close(r2) 7: rename( short1, short2 ) 8: close(r0) 32

Exhibit: Buffer Overflow in inotify (CVE-2017-7533) Crash-inducing mutation 1: mmap(...) 2: r0 = inotify_init () 3: r1 = inotify_add_watch(r0,., 0xfff) 4: chmod(., 0x1ed) 5: r2 = creat( short1, 0x1ed) 6: close(r2) 7: rename( short1, long_name short2 ) ) 8: close(r0) 33

Conclusion State-of-the-art OS fuzzers rely on manual rules o Hard to scale MoonShine scalably generates seeds from traces of real-world programs o Lightweight static analysis to track explicit and implicit dependencies Discovered 17 new vulnerabilities in Linux kernel https://github.com/shankarapailoor/moonshine Getting integrated into syzkaller 34

Backup Slides 35

Limitations/Future Work Support more OS/Fuzzers No multithreaded dependency tracking Inter-procedural dependencies o Infer that a file must be created from trace Multiple distillation strategies o distillation without code coverage? 36

Static Analysis False Positives/Negatives False Positives o Imprecise pointer analysis False Negatives o Incomplete AST traversal - function pointers o o Shared state is not global variable or struct/union field Aliased struct fields get modified char *p = a->v; p[0] = 1 37

Coverage Breakdown 38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback