Jul 27, 2020

ALEXKIDD-FUZZER: Kernel Fuzzing Guided by Symbolic Information (Work in Progress)

Kyungtae Kim and Byoungyoung Lee, Department of Computer Science and CERIAS, Purdue University

PROJECT OVERVIEW

[Figure: architecture diagram with three components and the data exchanged between them]

• Fuzzing Logic: Input Generator, Execution Engine, CovClassifier; fed with system call information
• Agent Logic: Instrumentation, Verifier
• Concolic Logic: Concolic Engine, Constraint Generator
• Data flowing between the components, numbered as in the figure: ❶ <Prog>, ❷ <Prog, Path>, ❸ <Prog, Sys, Br>, ❹ <Prog_inst, Sys, Br>, ❺ <Prog_sym1, Sys, Br>, ❻ <Prog_sym1, Sys, Br>, ❼ <Prog_sym2, Sys, Br>

• Fuzzing logic generates and mutates input programs based on various sources and transfers particular inputs that need further analysis to the agent logic
• Concolic logic records path constraints and solves them during concrete execution of input programs
• Agent logic glues the fuzzing and concolic logics together by symbolizing input programs and verifying constraints

MOTIVATION

• Black-box fuzzing and white-box fuzzing (i.e., symbolic execution) are both becoming popular for software testing
• Black-box fuzzing is fast and efficient as a form of random testing, but it has difficulty getting past checks against constant values
• Symbolic execution can generate high-quality inputs that reach all feasible paths, but it suffers from state explosion and the performance overhead of the constraint solver

PROBLEMS

• Unexplored paths and low code coverage due to low-quality inputs

[Figure: a branch guarded by a constant comparison, if (a == 0x9e74bae1), with the BUG located in the code behind it]

OBJECTIVE

• Find more BUGS/CRASHES in various system software (i.e., the OS kernel)
• Maximize kernel code coverage

PROPOSED SOLUTION

• We design ALEXKIDD-FUZZER, which overcomes the limitations of fuzzing and symbolic execution.
• We first employ a general fuzzing mechanism so that feasible execution paths are explored at a rapid pace.
• Furthermore, during fuzzing execution, we let the concolic engine guide the fuzzer to make unreachable code reachable.

[Figure: EXPECTED CODE COVERAGE of ALEXKIDD-FUZZER compared with static analysis, symbolic execution and fuzzing]

CHALLENGES

• How to handle nondeterministic behaviors caused by global state
• How to generate valid sequences of system calls in user programs

IMPLEMENTATION

• All implementation is on Ubuntu 14.04 LTS
• Main fuzzing logic is built upon Google syzkaller
• Concolic logic leverages the S2E symbolic execution framework
• Agent logic is written in Python 2.7

FUTURE WORK

• Measure code coverage and performance overhead
• Find real-world bugs/crashes and analyze them.
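A toy version of the loop the poster describes (fuzz, record path constraints during concrete execution, solve them, feed the solved input back), added here as an illustration and not code from ALEXKIDD-FUZZER, syzkaller or S2E. The `Sym` wrapper stands in for S2E's symbolic tracing, the solver only handles the equality constraint of the poster's `a == 0x9e74bae1` example, and `target()` is a constructed stand-in for a kernel handler.

```python
import random

MAGIC = 0x9e74bae1  # the constant guarding the BUG in the poster's example


class Sym:
    """Concrete value that also records every comparison it takes part in."""

    def __init__(self, name, value, trace):
        self.name, self.value, self.trace = name, value, trace

    def __eq__(self, other):
        taken = self.value == other
        self.trace.append((self.name, other, taken))  # path constraint + outcome
        return taken

    __hash__ = None


def target(a):
    """Constructed stand-in for a handler whose buggy path needs one 32-bit value."""
    if a == MAGIC:
        return "BUG"
    return "ok"


def random_fuzz(iterations, seed=0):
    """Plain black-box fuzzing: random 32-bit inputs, report which outcomes were seen."""
    rng = random.Random(seed)
    return {target(rng.getrandbits(32)) for _ in range(iterations)}


def concolic_run(a_val):
    """Run target() concretely on a_val while recording the constraints it hit."""
    trace = []
    result = target(Sym("a", a_val, trace))
    return result, trace


def solve_negated_branch(trace):
    """Turn the first not-taken equality into an input that takes it.
    A real engine hands the constraint to an SMT solver; equality needs none."""
    for name, const, taken in trace:
        if not taken:
            return {name: const}
    return None


def guided_fuzz(seed_input):
    """One round of the loop: fuzzer input -> concolic trace -> solved input -> re-run."""
    result, trace = concolic_run(seed_input)
    if result == "BUG":
        return seed_input, result
    new_input = solve_negated_branch(trace)["a"]
    return new_input, target(new_input)
```

`random_fuzz` shows the coverage plateau the poster's PROBLEMS section describes, while `guided_fuzz` reaches the guarded branch from any seed in a single solve.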

2018 - ESS - 829-D1B - ALEXKIDD-FUZZER: Kernel Fuzzing Guided by Symbolic Information - Kyungtae Kim