DOI: 10.1145/3338906.3340460

Industry practice of coverage-guided enterprise Linux kernel fuzzing

Published: 12 August 2019

Abstract

Coverage-guided kernel fuzzing is a widely used technique that has helped kernel developers and testers discover numerous vulnerabilities. However, because of the high complexity of the application and hardware environment, there is little study on deploying fuzzing to enterprise-level Linux kernels. In this paper, collaborating with the enterprise developers, we present the industry practice of deploying kernel fuzzing on four different enterprise Linux distributions that are responsible for the company's internal business and external services. We addressed the following outstanding challenges when deploying a popular kernel fuzzer, syzkaller, to these enterprise Linux distributions: absence of coverage support, kernel configuration inconsistency, bugs in shallow paths, and the complexity of continuous fuzzing. This led to the detection of 41 reproducible, previously unknown bugs in these enterprise Linux kernels, 6 of which received CVE IDs in the U.S. National Vulnerability Database, including flaws that cause general protection faults, deadlocks, and use-after-free.
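As an added illustration of the "absence of coverage support" and "kernel configuration inconsistency" challenges named in the abstract (this is example code written for this page, not the paper's tooling), the POSIX shell helper below checks a kernel .config for the options a coverage-guided fuzzer such as syzkaller relies on and prints the kernel-tree scripts/config commands that would enable the missing ones. CONFIG_KCOV, CONFIG_KCOV_INSTRUMENT_ALL, CONFIG_KASAN and CONFIG_DEBUG_INFO are real kernel options and scripts/config is the real helper shipped in the kernel source tree; which options count as "required", and the sample config file, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the paper: audit a kernel .config for the options a
# coverage-guided fuzzer needs before a fuzzing campaign is started.
#   CONFIG_KCOV / CONFIG_KCOV_INSTRUMENT_ALL  -> kernel code-coverage collection
#   CONFIG_KASAN                              -> memory-error detection (e.g. use-after-free)
#   CONFIG_DEBUG_INFO                         -> symbolised crash reports
# The set of "required" options below is an assumption of this example.
REQUIRED_OPTS="CONFIG_KCOV CONFIG_KCOV_INSTRUMENT_ALL CONFIG_KASAN CONFIG_DEBUG_INFO"

# missing_opts FILE
# Prints, one per line, each required option that is not set to 'y' in FILE.
# A line like "# CONFIG_KCOV is not set" or an absent option both count as missing.
missing_opts() {
    cfg="$1"
    for opt in $REQUIRED_OPTS; do
        if ! grep -qx "${opt}=y" "$cfg"; then
            echo "$opt"
        fi
    done
}

# fix_commands FILE
# Prints the scripts/config invocations (from the kernel source tree) that would
# enable every missing option in FILE; scripts/config accepts names without the
# CONFIG_ prefix, so it is stripped here.
fix_commands() {
    cfg="$1"
    for opt in $(missing_opts "$cfg"); do
        echo "scripts/config --file $cfg --enable ${opt#CONFIG_}"
    done
}

# make_sample_config
# Writes a constructed sample .config to a temporary file and prints its path.
# It has debug info on, coverage explicitly off and no KASAN line at all, which
# is the kind of inconsistency an enterprise kernel config might show.
make_sample_config() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
CONFIG_DEBUG_INFO=y
# CONFIG_KCOV is not set
CONFIG_KVM_GUEST=y
EOF
    echo "$tmp"
}

# Usage on a real system, e.g.:
#   missing_opts /boot/config-$(uname -r)
#   fix_commands /path/to/kernel/.config
```

Running `fix_commands` on the constructed sample prints three `scripts/config --enable` lines (KCOV, KCOV_INSTRUMENT_ALL, KASAN); CONFIG_DEBUG_INFO is already on and is not listed. The check is deliberately strict about `=y` so that options compiled as modules or left unset are both reported.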



Published In

ESEC/FSE 2019: Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering
August 2019
1264 pages
ISBN:9781450355728
DOI:10.1145/3338906
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]


Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Kernel fuzzing
  2. bug detection
  3. enterprise Linux

Qualifiers

  • Research-article

Conference

ESEC/FSE '19

Acceptance Rates

Overall Acceptance Rate 112 of 543 submissions, 21%

Article Metrics

  • Downloads (Last 12 months)87
  • Downloads (Last 6 weeks)11
Reflects downloads up to 21 Sep 2024

Cited By
  • (2023) Horus: Accelerating Kernel Fuzzing through Efficient Host-VM Memory Access Procedures. ACM Transactions on Software Engineering and Methodology 33:1, 1-25. DOI: 10.1145/3611665. Online publication date: 8 Aug 2023.
  • (2023) Brief Industry Paper: Directed Kernel Fuzz Testing on Real-time Linux. 2023 IEEE Real-Time Systems Symposium (RTSS), 495-499. DOI: 10.1109/RTSS59052.2023.00059. Online publication date: 5 Dec 2023.
  • (2023) Daisy: Effective Fuzz Driver Synthesis with Object Usage Sequence Analysis. 2023 IEEE/ACM 45th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP), 87-98. DOI: 10.1109/ICSE-SEIP58684.2023.00013. Online publication date: May 2023.
  • (2023) PreciseBugCollector: Extensible, Executable and Precise Bug-Fix Collection. Proceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering, 1899-1910. DOI: 10.1109/ASE56229.2023.00163. Online publication date: 11 Nov 2023.
  • (2023) TEEFuzzer. Future Generation Computer Systems 144:C, 192-204. DOI: 10.1016/j.future.2023.03.008. Online publication date: 26 Apr 2023.
  • (2022) Demystifying the dependency challenge in kernel fuzzing. Proceedings of the 44th International Conference on Software Engineering, 659-671. DOI: 10.1145/3510003.3510126. Online publication date: 21 May 2022.
  • (2022) Abaci-finder: Linux kernel crash classification through stack trace similarity learning. Journal of Parallel and Distributed Computing 168, 70-79. DOI: 10.1016/j.jpdc.2022.06.003. Online publication date: Oct 2022.
  • (2021) HEALER. Proceedings of the ACM SIGOPS 28th Symposium on Operating Systems Principles, 344-358. DOI: 10.1145/3477132.3483547. Online publication date: 26 Oct 2021.
  • (2021) An Empirical Study of OSS-Fuzz Bugs. 2021 IEEE/ACM 18th International Conference on Mining Software Repositories (MSR), 131-142. DOI: 10.1109/MSR52588.2021.00026. Online publication date: May 2021.
  • (2021) Fuzzing: Challenges and Reflections. IEEE Software 38:3, 79-86. DOI: 10.1109/MS.2020.3016773. Online publication date: May 2021.
