Fault Injection in System Calls

Similar documents
Trinity A Linux kernel fuzz tester.

POSIX Shared Memory. Linux/UNIX IPC Programming. Outline. Michael Kerrisk, man7.org c 2017 November 2017

API 퍼징을통한취약점탐지 카이스트 차상길

Processes COMPSCI 386

CSCE 548 Building Secure Software Dirty COW Race Condition Attack

Perf: From Profiling to Kernel Mobile Threat Response Team

System Calls and Signals: Communication with the OS. System Call. strace./hello. Kernel. Context Switch

Identifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교

Lab 09 - Virtual Memory

MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation. Shankara Pailoor, Andrew Aday, Suman Jana Columbia University

File Descriptors and Piping

CSE 333 SECTION 3. POSIX I/O Functions

Virtual USB Fuzzer Updates

CSC209H Lecture 6. Dan Zingaro. February 11, 2015

System Calls & Signals. CS449 Spring 2016

Secure Architecture Principles

CS61 Scribe Notes Lecture 18 11/6/14 Fork, Advanced Virtual Memory

CSE 333 SECTION 3. POSIX I/O Functions

Secure Software Programming and Vulnerability Analysis

CAN STRACE MAKE YOU FAIL?

Project 1 System Calls

CS2028 -UNIX INTERNALS

Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

codius-sandbox Documentation

Fall 2017 :: CSE 306. File Systems Basics. Nima Honarmand

Memory Mapped I/O. Michael Jantz. Prasad Kulkarni. EECS 678 Memory Mapped I/O Lab 1

Memory management. Single process. Multiple processes. How to: All memory assigned to the process Addresses defined at compile time

EECS 482 Introduction to Operating Systems

Juwei Lin. - Joined TrendMicro Since Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting

PROJECT 2 - MEMORY ALLOCATOR Computer Systems Principles. October 1, 2010

Section 2: Processes

Software Vulnerabilities. Jeff Foster University of Maryland, College Park

Juwei Lin. - Joined TrendMicro Since Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting

ECE 471 Embedded Systems Lecture 22

Dissecting a 17-year-old kernel bug

Processes often need to communicate. CSCB09: Software Tools and Systems Programming. Solution: Pipes. Recall: I/O mechanisms in C

Processes and Threads

Design Overview of the FreeBSD Kernel CIS 657

Design Overview of the FreeBSD Kernel. Organization of the Kernel. What Code is Machine Independent?

Scaling CQUAL to millions of lines of code and millions of users p.1

CSE 565 Computer Security Fall 2018

File Systems: Consistency Issues

CSE 410: Systems Programming

Unleashing D* on Android Kernel Drivers. Aravind Machiry

Logical disks. Bach 2.2.1

Outline. Relationship between file descriptors and open files

Fault Isolation for Device Drivers

Outline. Basic features of BPF virtual machine

Operating systems. Lecture 7

Ricardo Rocha. Department of Computer Science Faculty of Sciences University of Porto

The Embedded I/O Company TIP700-SW-82 Linux Device Driver User Manual TEWS TECHNOLOGIES GmbH TEWS TECHNOLOGIES LLC

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

Section 3: File I/O, JSON, Generics. Meghan Cowan

Windows architecture. user. mode. Env. subsystems. Executive. Device drivers Kernel. kernel. mode HAL. Hardware. Process B. Process C.

UNIX System Calls. Sys Calls versus Library Func

Improving Linux development with better tools

CSC209 Review. Yeah! We made it!

The Serial Device Bus

Overview. This Lecture. Interrupts and exceptions Source: ULK ch 4, ELDD ch1, ch2 & ch4. COSC440 Lecture 3: Interrupts 1

MASSIVE SCALE USB DEVICE DRIVER FUZZ WITHOUT DEVICE. HC Tencent s XuanwuLab

Lecture 19: File System Implementation. Mythili Vutukuru IIT Bombay

Like select() and poll(), epoll can monitor multiple FDs epoll returns readiness information in similar manner to poll() Two main advantages:

RCU. ò Walk through two system calls in some detail. ò Open and read. ò Too much code to cover all FS system calls. ò 3 Cases for a dentry:

MediaTek Log Filtering Driver Information Disclosure

Escalating Privileges in Linux using Fault Injection. September 25, 2017

Taintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

VFS, Continued. Don Porter CSE 506

IBM PSSC Montpellier Customer Center. Blue Gene/P ASIC IBM Corporation

FUT92715 Solve the Paradox SUSE Linux Enterprise Live Patching Roadmap

Improving Linux Development with better tools. Andi Kleen. Oct 2013 Intel Corporation

Inter-Process Communication. Disclaimer: some slides are adopted from the book authors slides with permission 1

read(2) There can be several cases where read returns less than the number of bytes requested:

Shared Memory Memory mapped files

Marek Szyprowski Samsung R&D Institute Poland

OS COMPONENTS OVERVIEW OF UNIX FILE I/O. CS124 Operating Systems Fall , Lecture 2

Project 2--User Programs

This report is based on sampled data. Jun 1 Jul 6 Aug 10 Sep 14 Oct 19 Nov 23 Dec 28 Feb 1 Mar 8 Apr 12 May 17 Ju

I run a Linux server, so we re secure

SysSec. Aurélien Francillon

It was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to

Process Management! Goals of this Lecture!

OS Containers. Michal Sekletár November 06, 2016

RAS Enhancement Activities for Mission-Critical Linux Systems

UNIX Kernel. UNIX History

How to design a Linux kernel interface

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

VEOS high level design. Revision 2.1 NEC

CSC209: Software tools. Unix files and directories permissions utilities/commands Shell programming quoting wild cards files

CSC209: Software tools. Unix files and directories permissions utilities/commands Shell programming quoting wild cards files. Compiler vs.

The Shellcoder's Handbook Discovering and Exploiting Security Holes Second Edition

perf fuzzer: Exposing Kernel Bugs by Detailed Fuzzing of a Specific System Call

Copyright 2015 MathEmbedded Ltd.r. Finding security vulnerabilities by fuzzing and dynamic code analysis

Fuzz testing the BSD kernel. Using competitive analysis to increase the effectiveness of operating system fuzz testing

Virtual Memory: Systems

LINUX VULNERABILITIES, WINDOWS EXPLOITS Escalating Privileges with WSL. Saar Amar Recon brx 2018

strace Practical Application Troubleshooting Tuesday, February 19, 13

CS3210: Isolation Mechanisms

STING: Finding Name Resolution Vulnerabilities in Programs

Operating systems offer processes running in User Mode a set of interfaces to interact with hardware devices such as

Process Creation in UNIX

Transcription:

Fault Injection in System Calls Angelo Haller 2015-05-28 Fault Injection in System Calls 1 Angelo Haller

1 Why System Calls? 2 Trinity Bugs Found Inner Workings Fuzzing Process 3 Demo Annotated System Call: open Log Format 4 Fault Injection Model [Cristian] Implementation 5 Final Remarks Shortcomings Similar Tools Discussion 6 References Fault Injection in System Calls 2 Angelo Haller

Why System Calls? Interface between applications and the kernel Dependability of the kernel: denial of service, privilege escalation,... Large surface area, reaching deep into underlying kernel structures > 300 system calls in Linux 3.10 New features added on a regular basis open, read, write, close, mmap, ioctl, mlock,... Fault Injection in System Calls 3 Angelo Haller

Trinity Semi-intelligent Linux system call fuzzer Developed primarily by Dave Jones since 2006; gained momentum in 2010 Free and open source (GPLv2) Actively used to fuzz current kernel releases Found more than 150 bugs in 2012 alone Fault Injection in System Calls 4 Angelo Haller

Trinity - Bugs Found Oldest dates back to 1996: kernel oops when calling setsockopt CVE-2010-4256: pipe fcntl local DoS CVE-2010-4169: use-after-free vulnerability in mm/mprotect.c CVE-2011-1748: raw release in net/can/raw.c NULL pointer dereference world writable acpi file in sysfs... Fault Injection in System Calls 5 Angelo Haller

Trinity - Inner Workings Knowledge about system call arguments encoded in annotation files: buffers & buffer sizes file descriptors addresses process IDs custom methods to sanitise arguments Valid values (e.g. file descriptors) are created on startup and then shared among fuzzing processes. Fault Injection in System Calls 6 Angelo Haller

Trinity - Inner Workings Annotations regarded most of the time to pass early checks within system calls Random bit flips disregarding annotations to probe system call sanity checks Fuzzing of interesting values: off by one, misaligned addresses, kernel/user space addresses,... Limited support for seeds Fault Injection in System Calls 7 Angelo Haller

Trinity - Fuzzing Process trinity trinity-main trinity-watchdog child 1 child 2 child 3 child 4 Fault Injection in System Calls 8 Angelo Haller

Annotated System Call: open static void sanitise_open(struct syscallrecord *rec); struct syscallentry syscall_open = {.name = "open",.num_args = 3,.arg1name = "filename",.arg1type = ARG_PATHNAME,.arg2name = "flags",.arg2type = ARG_OP,.arg2list = {.num = 4,.values = { O_RDONLY, O_WRONLY, O_RDWR, O_CREAT, }, },.arg3name = "mode",.arg3type = ARG_MODE_T,.sanitise = sanitise_open, }; Fault Injection in System Calls 9 Angelo Haller

Demo Fault Injection in System Calls 10 Angelo Haller

Fault Injection in System Calls 11 Angelo Haller

./trinity -q [init] shm is at 0x7f7efa034000 [init] Using user passed random seed: 256421206 [init] 32-bit syscalls: 359 enabled, 0 disabled. 64-bit syscalls: 323 [init] mapping [0]: (zeropage PROT_READ PROT_WRITE) 0x7f7efa006000 (8 [...] [main] fd[121] = domain:4 (PF_IPX) type:0x2 protocol:48 [main] setsockopt(1 a 1f8dc10 c7) on fd 121 [4:2:48] [main] fd[122] = domain:5 ( PF_APPLETALK) type:0x2 protocol:0 [...] [main] Generating file descriptors [main] Added 159 filenames from /dev [main] Added 12154 filenames from /proc [main] Added 8981 filenames from /sys [main] fd[416] = open /sys/devices/pci0000 :00/0000:00:03.0/ device (rea [main] fd[417] = fopen /proc/41/ net/irda/ discovery (read -only) flags:0 [...] [main] Enabled 9 fd providers. [watchdog] Watchdog is alive. (pid:982) [watchdog] kernel became tainted! (512/0) Last seed was 256421206 [main] Bailing main loop because kernel became tainted.. [watchdog] [982] Watchdog exiting because kernel became tainted.. [init] Ran 1224 syscalls. Successes: 239 Failures: 985 Fault Injection in System Calls 12 Angelo Haller

less tmp/trinity-post-mortem.log [child0 :998] [127] getresuid(ruid=0x7f7ef9307000, euid=0x7f7ef9307001, suid=0xfffffffffffbffff) = -1 (Bad address) [child0 :998] [128] clock_nanosleep( which_clock=0x2, flags=0x0, rqtp=0x7f7ef9307000, rmtp=0xffffffffff004000) Fault Injection in System Calls 13 Angelo Haller

Fault Injection - Model [Cristian] Mainly aimed at crash faults Trigger and debug of other faults possible too: Omission faults Computation faults Timing faults Fault Injection in System Calls 14 Angelo Haller

Fault Injection - Implementation Trigger mechanism Location based Injection time During runtime Injection level Assembler Faults are injected into the CPU registers before performing the system call Fault Injection in System Calls 15 Angelo Haller

Shortcomings Manual annotation of system calls Leaks memory Can not fuzz all system calls without interfering with the tool itself (e.g. munmap, shutdown) System calls not ordered (interdependencies) Reproducibility: race conditions, dependencies Difficult to find actual fault location in source Fault Injection in System Calls 16 Angelo Haller

Similar Tools iknowthis (Google) Very similar to Trinity: annotated files Supports Linux and FreeBSD Seems to be abandoned since 2012 sysfuzz Very similar to Trinity: annotated files FreeBSD only Fault Injection in System Calls 17 Angelo Haller

Discussion Fault Injection in System Calls 18 Angelo Haller

References I S. Winter, C. Sârbu, N. Suri, and B. Murphy, The impact of fault models on software robustness evaluations, in Proceedings of the 33rd International Conference on Software Engineering, ser. ICSE 11, Waikiki, Honolulu, HI, USA: ACM, 2011, pp. 51 60, isbn: 978-1-4503-0445-0. doi: 10.1145/1985793.1985801. [Online]. Available: http://doi.acm.org/10.1145/1985793.1985801. M. Kerrisk. (Feb. 6, 2013), Lca: The trinity fuzz tester, [Online]. Available: https://lwn.net/articles/536173/ (visited on May 22, 2015). D. Jones, Trinity: A linux kernel fuzz tester. Linux Conf Australia, 2013. [Online]. Available: http://codemonkey.org.uk/projects/talks/lca2013-trinity.pdf. Syscalls (2), Apr. 17, 2013. [Online]. Available: https://www.freebsd.org/cgi/man.cgi?query=syscalls&sektion=2&manpath=centos+7.1 (visited on May 22, 2015)., (Nov. 9, 2010), System call abuse, [Online]. Available: http://codemonkey.org.uk/2010/11/09/system-call-abuse/ (visited on May 22, 2015)., (Dec. 15, 2010), System call fuzzing continued, [Online]. Available: http://codemonkey.org.uk/2010/12/15/system-call-fuzzing-continued/ (visited on May 22, 2015). Fault Injection in System Calls 19 Angelo Haller

References II,Trinity 1.5, Mar. 2, 2015. [Online]. Available: http://codemonkey.org.uk/projects/trinity/trinity-1.5.tar.xz (visited on May 2, 2015). T. Ormandy. (Sep. 14, 2011), Iknowthis, [Online]. Available: https://code.google.com/p/iknowthis/ (visited on May 27, 2015). M. Johnston. (Nov. 16, 2014), Sysfuzz, [Online]. Available: https://github.com/markjdb/sysfuzz (visited on May 27, 2015). C. Evans and T. Ormandy. (Aug. 25, 2014), The poisoned nul byte, 2014 edition, [Online]. Available: http://googleprojectzero.blogspot.de/2014/08/the-poisoned-nul-byte-2014-edition.html (visited on May 27, 2015). Fault Injection in System Calls 20 Angelo Haller

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback