kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Sergej Schumilo1, Cornelius Aschermann1, Robert Gawlik1, Sebastian Schinzel2, Thorsten Holz1 1Ruhr-Universität Bochum, 2Münster University of Applied Sciences Motivation IJG jpeg libjpeg-turbo libpng libtiff mozjpeg PHP Mozilla Firefox Internet Explorer PCRE sqlite OpenSSL LibreOffice poppler freetype GnuTLS GnuPG PuTTY ntpd nginx bash tcpdump JavaScriptCore pdfium ffmpeg libmatroska libarchive ImageMagick BIND QEMU lcms Adobe Flash Oracle BerkeleyDB Android libstagefright iOS ImageIO FLAC audio library libsndfile less lesspipe strings file dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn1OpenBSD pfctl NetBSD bpf man mandocIDA Pro clamav libxml2glibc clang llvmnasm ctags mutt procmail fontconfig pdksh Qt wavpack OpenSSH redis lua-cmsgpack taglib privoxy perl libxmp radare2 SleuthKit fwknop X.Org exifprobe jhead capnproto Xerces-C metacam djvulibre exiv Linux btrfs Knot DNS curl wpa_supplicant Apple Safari libde265 dnsmasq libbpg lame libwmf uudecode MuPDF imlib2 libraw libbson libsass yara W3C tidy- html5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd Mozilla NSS Nettle mbed TLS Linux netlink Linux ext4 Linux xfs botan expat Adobe Reader libav libical OpenBSD kernel collectd libidn MatrixSSL jasperMaraDNS w3m Xen OpenH232 irssi cmark OpenCV Malheur gstreamer Tor gdk-pixbuf audiofilezstd lz4 stb cJSON libpcre MySQL gnulib openexr libmad ettercap lrzip freetds Asterisk ytnefraptor mpg123 exempi libgmime pev v8 sed awk make tag">m4 yacc PHP ImageMagick freedesktop.org patch libtasn1 libvorbis zsh lua ninja ruby busybox gcrypt vim Tor poppler libopus BSD sh gcc qemu w3m zsh dropbear wireshark libtorrent git rust gravity e2fsprogs parrot lodepng json-glib cabextract libmspack qprint gpsbabel dmg2img antiword arj unrar unace zoo rzip lrzip libiso libtta duktape splint zpaq assimp cppcheck fasm catdoc pngcrush cmark p7zip libjbig2 aaphoto t1utils apngopt sqlparser mdp libtinyxml freexl bgpparser testdisk photorec btcd gumbo chaiscript teseq colcrt pttbbs capstone dex2oat pillow elftoolchain aribas universal-ctags uriparser jq lha xdelta gnuplot libwpd teseq cimg libiberty policycoreutils libsemanage renoise metapixel openclone mp3splt podofo Apache httpd glslang UEFITool libcbor lldpd pngquant muparserx mochilo pyhocon sysdig Overpass-API fish-shell gumbo-parser mapbox-gl-native rapidjson libjson FLIF MultiMarkdown astyle pax-utils zziplib PyPDF spiffing apk pgpdump icoutils msitools dosfstools
2 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Motivation IJG jpeg libjpeg-turbo libpng libtiff mozjpeg PHP MozillaInternet Firefox Internet ExplorerExplorer PCRE sqlite OpenSSL LibreOffice poppler freetype GnuTLS GnuPG PuTTY ntpd nginx bash tcpdump JavaScriptCore pdfium ffmpeg libmatroska libarchive ImageMagick BIND QEMU lcms Adobe Flash Oracle BerkeleyDB Android libstagefright iOS ImageIO FLAC audio library libsndfile less lesspipe strings file dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn1OpenBSD pfctl NetBSD bpf man mandocIDA Pro clamav libxml2glibc clang llvmnasm ctags mutt procmail fontconfig pdksh Qt wavpack OpenSSH redis lua-cmsgpack taglib privoxy perl libxmp radare2 SleuthKit fwknop X.Org exifprobe jhead capnproto Xerces-C metacam djvulibre exiv Linux btrfs Knot DNS curl wpa_supplicant Apple Safari libde265 dnsmasq libbpg lame libwmf uudecode MuPDF imlib2 libraw libbson libsass yara W3C tidy- html5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd Mozilla NSS Nettle mbed TLS Linux netlink Linux ext4 Linux xfs botan expat Adobe Reader libav libical OpenBSD kernel collectd libidn MatrixSSL jasperMaraDNS w3m Xen OpenH232 irssi cmark OpenCV Malheur gstreamer Tor gdk-pixbuf audiofilezstd lz4 stb cJSON libpcre MySQL gnulib openexr libmad ettercap lrzip freetds Asterisk ytnefraptor mpg123 exempi libgmime pev v8 sed awk make m4 yacc PHP ImageMagick freedesktop.org patch libtasn1 libvorbis zsh lua ninja ruby busybox gcrypt vim Tor poppler libopus BSD sh gcc qemu w3m zsh dropbear wireshark libtorrent git rust gravity e2fsprogs parrot lodepng json-glib cabextract libmspack qprint gpsbabel dmg2img antiword arj unrar unace zoo rzip lrzip libiso libtta duktape splint zpaq assimp cppcheck fasm catdoc pngcrush cmark p7zip libjbig2 aaphoto t1utils apngopt sqlparser mdp libtinyxml freexl bgpparser testdisk photorec btcd gumbo chaiscript teseq colcrt pttbbs capstone dex2oat pillow elftoolchain aribas universal-ctags uriparser jq lha xdelta gnuplot libwpd teseq cimg libiberty policycoreutils libsemanage renoise metapixel openclone mp3splt podofo Apache httpd glslang UEFITool libcbor lldpd pngquant muparserx mochilo pyhocon sysdig Overpass-API fish-shell gumbo-parser mapbox-gl-native rapidjson libjson FLIF MultiMarkdown astyle pax-utils zziplib PyPDF spiffing apk pgpdump icoutils msitools dosfstools
2 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Motivation IJG jpeg libjpeg-turbo libpng libtiff mozjpeg PHP MozillaInternet Firefox Internet ExplorerExplorer PCRE sqlite OpenSSL LibreOffice poppler freetype GnuTLS GnuPG PuTTY ntpd nginx bash tcpdump JavaScriptCore pdfium ffmpeg libmatroska libarchive ImageMagick BIND QEMU lcmsAdobe Adobe Flash FlashOracle BerkeleyDB Android libstagefright iOS ImageIO FLAC audio library libsndfile less lesspipe strings file dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn1OpenBSD pfctl NetBSD bpf man mandocIDA Pro clamav libxml2glibc clang llvmnasm ctags mutt procmail fontconfig pdksh Qt wavpack OpenSSH redis lua-cmsgpack taglib privoxy perl libxmp radare2 SleuthKit fwknop X.Org exifprobe jhead capnproto Xerces-C metacam djvulibre exiv Linux btrfs Knot DNS curl wpa_supplicant Apple Safari libde265 dnsmasq libbpg lame libwmf uudecode MuPDF imlib2 libraw libbson libsass yara W3C tidy- html5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd Mozilla NSS Nettle mbed TLS Linux netlink Linux ext4 Linux xfs botan expat Adobe Reader libav libical OpenBSD kernel collectd libidn MatrixSSL jasperMaraDNS w3m Xen OpenH232 irssi cmark OpenCV Malheur gstreamer Tor gdk-pixbuf audiofilezstd lz4 stb cJSON libpcre MySQL gnulib openexr libmad ettercap lrzip freetds Asterisk ytnefraptor mpg123 exempi libgmime pev v8 sed awk make m4 yacc PHP ImageMagick freedesktop.org patch libtasn1 libvorbis zsh lua ninja ruby busybox gcrypt vim Tor poppler libopus BSD sh gcc qemu w3m zsh dropbear wireshark libtorrent git rust gravity e2fsprogs parrot lodepng json-glib cabextract libmspack qprint gpsbabel dmg2img antiword arj unrar unace zoo rzip lrzip libiso libtta duktape splint zpaq assimp cppcheck fasm catdoc pngcrush cmark p7zip libjbig2 aaphoto t1utils apngopt sqlparser mdp libtinyxml freexl bgpparser testdisk photorec btcd gumbo chaiscript teseq colcrt pttbbs capstone dex2oat pillow elftoolchain aribas universal-ctags uriparser jq lha xdelta gnuplot libwpd teseq cimg libiberty policycoreutils libsemanage renoise metapixel openclone mp3splt podofo Apache httpd glslang UEFITool libcbor lldpd pngquant muparserx mochilo pyhocon sysdig Overpass-API fish-shell gumbo-parser mapbox-gl-native rapidjson libjson FLIF MultiMarkdown astyle pax-utils zziplib PyPDF spiffing apk pgpdump icoutils msitools dosfstools
2 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Motivation IJG jpeg libjpeg-turbo libpng libtiff mozjpeg PHP MozillaInternet Firefox Internet ExplorerExplorer PCRE sqlite OpenSSL LibreOffice poppler freetype GnuTLS GnuPG PuTTY ntpd nginx bash tcpdump JavaScriptCore pdfium ffmpeg libmatroska libarchive ImageMagick BIND QEMU lcmsAdobe Adobe Flash FlashOracle BerkeleyDB Android libstagefright iOS ImageIO FLAC audio library libsndfile less lesspipe strings file dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn1OpenBSD pfctl NetBSD bpf man mandocIDA Pro clamav libxml2glibc clang llvmnasm ctags mutt procmail fontconfig pdksh Qt wavpackOpenSSH OpenSSH redis lua-cmsgpack taglib privoxy perl libxmp radare2 SleuthKit fwknop X.Org exifprobe jhead capnproto Xerces-C metacam djvulibre exiv Linux btrfs Knot DNS curl wpa_supplicant Apple Safari libde265 dnsmasq libbpg lame libwmf uudecode MuPDF imlib2 libraw libbson libsass yara W3C tidy- html5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd Mozilla NSS Nettle mbed TLS Linux netlink Linux ext4 Linux xfs botan expat Adobe Reader libav libical OpenBSD kernel collectd libidn MatrixSSL jasperMaraDNS w3m Xen OpenH232 irssi cmark OpenCV Malheur gstreamer Tor gdk-pixbuf audiofilezstd lz4 stb cJSON libpcre MySQL gnulib openexr libmad ettercap lrzip freetds Asterisk ytnefraptor mpg123 exempi libgmime pev v8 sed awk make m4 yacc PHP ImageMagick freedesktop.org patch libtasn1 libvorbis zsh lua ninja ruby busybox gcrypt vim Tor poppler libopus BSD sh gcc qemu w3m zsh dropbear wireshark libtorrent git rust gravity e2fsprogs parrot lodepng json-glib cabextract libmspack qprint gpsbabel dmg2img antiword arj unrar unace zoo rzip lrzip libiso libtta duktape splint zpaq assimp cppcheck fasm catdoc pngcrush cmark p7zip libjbig2 aaphoto t1utils apngopt sqlparser mdp libtinyxml freexl bgpparser testdisk photorec btcd gumbo chaiscript teseq colcrt pttbbs capstone dex2oat pillow elftoolchain aribas universal-ctags uriparser jq lha xdelta gnuplot libwpd teseq cimg libiberty policycoreutils libsemanage renoise metapixel openclone mp3splt podofo Apache httpd glslang UEFITool libcbor lldpd pngquant muparserx mochilo pyhocon sysdig Overpass-API fish-shell gumbo-parser mapbox-gl-native rapidjson libjson FLIF MultiMarkdown astyle pax-utils zziplib PyPDF spiffing apk pgpdump icoutils msitools dosfstools
2 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Motivation IJG jpeg libjpeg-turbo libpng libtiff mozjpeg PHP MozillaInternet Firefox Internet ExplorerExplorer PCRE sqlite OpenSSL LibreOffice poppler freetype GnuTLS GnuPG PuTTY ntpd nginx bash tcpdump JavaScriptCore pdfium ffmpeg libmatroska libarchive ImageMagick BIND QEMU lcmsAdobe Adobe Flash FlashOracle BerkeleyDB Android libstagefright iOS ImageIO FLAC audio library libsndfile less lesspipe strings file dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn1OpenBSD pfctl NetBSD bpf man mandocIDA Pro clamav libxml2glibc clang llvmnasm ctags mutt procmail fontconfig pdksh Qt wavpackOpenSSH OpenSSH redis lua-cmsgpack taglib privoxy perl libxmp radare2 SleuthKit fwknop X.Org exifprobe jhead capnproto Xerces-C metacam djvulibre exiv Linux btrfs Knot DNS curl wpa_supplicantApple Apple Safari Safari libde265 dnsmasq libbpg lame libwmf uudecode MuPDF imlib2 libraw libbson libsass yara W3C tidy- html5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd Mozilla NSS Nettle mbed TLS Linux netlink Linux ext4 Linux xfs botan expat Adobe Reader libav libical OpenBSD kernel collectd libidn MatrixSSL jasperMaraDNS w3m Xen OpenH232 irssi cmark OpenCV Malheur gstreamer Tor gdk-pixbuf audiofilezstd lz4 stb cJSON libpcre MySQL gnulib openexr libmad ettercap lrzip freetds Asterisk ytnefraptor mpg123 exempi libgmime pev v8 sed awk make m4 yacc PHP ImageMagick freedesktop.org patch libtasn1 libvorbis zsh lua ninja ruby busybox gcrypt vim Tor poppler libopus BSD sh gcc qemu w3m zsh dropbear wireshark libtorrent git rust gravity e2fsprogs parrot lodepng json-glib cabextract libmspack qprint gpsbabel dmg2img antiword arj unrar unace zoo rzip lrzip libiso libtta duktape splint zpaq assimp cppcheck fasm catdoc pngcrush cmark p7zip libjbig2 aaphoto t1utils apngopt sqlparser mdp libtinyxml freexl bgpparser testdisk photorec btcd gumbo chaiscript teseq colcrt pttbbs capstone dex2oat pillow elftoolchain aribas universal-ctags uriparser jq lha xdelta gnuplot libwpd teseq cimg libiberty policycoreutils libsemanage renoise metapixel openclone mp3splt podofo Apache httpd glslang UEFITool libcbor lldpd pngquant muparserx mochilo pyhocon sysdig Overpass-API fish-shell gumbo-parser mapbox-gl-native rapidjson libjson FLIF MultiMarkdown astyle pax-utils zziplib PyPDF spiffing apk pgpdump icoutils msitools dosfstools
2 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Motivation IJG jpeg libjpeg-turbo libpng libtiff mozjpeg PHP MozillaInternet Firefox Internet ExplorerExplorer PCRE sqlite OpenSSL LibreOffice poppler freetype GnuTLS GnuPG PuTTY ntpd nginx bash tcpdump JavaScriptCore pdfium ffmpeg libmatroska libarchive ImageMagick BIND QEMU lcmsAdobe Adobe Flash FlashOracle BerkeleyDB Android libstagefright iOS ImageIO FLAC audio library libsndfile less lesspipe strings file dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn1OpenBSD pfctl NetBSD bpf man mandocIDA Pro clamav libxml2glibc clang llvmnasm ctags mutt procmail fontconfig pdksh Qt wavpackOpenSSH OpenSSH redis lua-cmsgpack taglib privoxy perl libxmp radare2 SleuthKit fwknop X.Org exifprobe jhead capnproto Xerces-C metacam djvulibre exiv Linux btrfs Knot DNS curl wpa_supplicantApple Apple Safari Safari libde265 dnsmasq libbpg lame libwmf uudecode MuPDF imlib2 libraw libbson libsass yara W3C tidy- html5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd Mozilla NSS Nettle mbed TLS Linux netlink Linux ext4 Linux xfs botanAdobe expat Adobe Reader Reader libav libical OpenBSD kernel collectd libidn MatrixSSL jasperMaraDNS w3m Xen OpenH232 irssi cmark OpenCV Malheur gstreamer Tor gdk-pixbuf audiofilezstd lz4 stb cJSON libpcre MySQL gnulib openexr libmad ettercap lrzip freetds Asterisk ytnefraptor mpg123 exempi libgmime pev v8 sed awk make m4 yacc PHP ImageMagick freedesktop.org patch libtasn1 libvorbis zsh lua ninja ruby busybox gcrypt vim Tor poppler libopus BSD sh gcc qemu w3m zsh dropbear wireshark libtorrent git rust gravity e2fsprogs parrot lodepng json-glib cabextract libmspack qprint gpsbabel dmg2img antiword arj unrar unace zoo rzip lrzip libiso libtta duktape splint zpaq assimp cppcheck fasm catdoc pngcrush cmark p7zip libjbig2 aaphoto t1utils apngopt sqlparser mdp libtinyxml freexl bgpparser testdisk photorec btcd gumbo chaiscript teseq colcrt pttbbs capstone dex2oat pillow elftoolchain aribas universal-ctags uriparser jq lha xdelta gnuplot libwpd teseq cimg libiberty policycoreutils libsemanage renoise metapixel openclone mp3splt podofo Apache httpd glslang UEFITool libcbor lldpd pngquant muparserx mochilo pyhocon sysdig Overpass-API fish-shell gumbo-parser mapbox-gl-native rapidjson libjson FLIF MultiMarkdown astyle pax-utils zziplib PyPDF spiffing apk pgpdump icoutils msitools dosfstools
2 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Motivation IJG jpeg libjpeg-turbo libpng libtiff mozjpeg PHP MozillaInternet Firefox Internet ExplorerExplorer PCRE sqlite OpenSSL LibreOffice poppler freetype GnuTLS GnuPG PuTTY ntpd nginx bash tcpdump JavaScriptCore pdfium ffmpeg libmatroska libarchive ImageMagick BIND QEMU lcmsAdobe Adobe Flash FlashOracle BerkeleyDB Android libstagefright iOS ImageIO FLAC audio library libsndfile less lesspipe strings file dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn1OpenBSD pfctl NetBSD bpf man mandocIDA Pro clamav libxml2glibc clang llvmnasm ctags mutt procmail fontconfig pdksh Qt wavpackOpenSSH OpenSSH redis lua-cmsgpack taglib privoxy perl libxmp radare2 SleuthKit fwknop X.Org exifprobe jhead capnproto Xerces-C metacam djvulibre exiv Linux btrfs Knot DNS curl wpa_supplicantApple Apple Safari Safari libde265 dnsmasq libbpg lame libwmf uudecode MuPDF imlib2 libraw libbson libsass yara W3C tidy- html5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd Mozilla NSS Nettle mbed TLS Linux netlink Linux ext4 Linux xfs botanAdobe expat Adobe Reader Reader libav libical OpenBSD kernel collectd libidn MatrixSSL jasperMaraDNS w3m Xen OpenH232 irssi cmark OpenCV Malheur gstreamer Tor gdk-pixbuf audiofilezstd lz4 stb cJSON libpcre MySQL gnulib openexr libmad ettercap lrzip freetds Asterisk ytnefraptor mpg123 exempi libgmime pev v8 sed awk make m4 yacc PHP ImageMagick freedesktop.org patch libtasn1 libvorbis zsh lua ninja ruby busybox gcrypt vim Tor poppler libopus BSD sh gcc qemu w3m zsh dropbearWireshark wireshark libtorrent git rust gravity e2fsprogs parrot lodepng json-glib cabextract libmspack qprint gpsbabel dmg2img antiword arj unrar unace zoo rzip lrzip libiso libtta duktape splint zpaq assimp cppcheck fasm catdoc pngcrush cmark p7zip libjbig2 aaphoto t1utils apngopt sqlparser mdp libtinyxml freexl bgpparser testdisk photorec btcd gumbo chaiscript teseq colcrt pttbbs capstone dex2oat pillow elftoolchain aribas universal-ctags uriparser jq lha xdelta gnuplot libwpd teseq cimg libiberty policycoreutils libsemanage renoise metapixel openclone mp3splt podofo Apache httpd glslang UEFITool libcbor lldpd pngquant muparserx mochilo pyhocon sysdig Overpass-API fish-shell gumbo-parser mapbox-gl-native rapidjson libjson FLIF MultiMarkdown astyle pax-utils zziplib PyPDF spiffing apk pgpdump icoutils msitools dosfstools
2 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Motivation IJG jpeg libjpeg-turbo libpng libtiff mozjpeg PHP MozillaInternet Firefox Internet ExplorerExplorer PCRE sqlite OpenSSL LibreOffice poppler freetype GnuTLS GnuPG PuTTY ntpd nginx bash tcpdump JavaScriptCore pdfium ffmpeg libmatroska libarchive ImageMagick BIND QEMU lcmsAdobe Adobe Flash FlashOracle BerkeleyDB Android libstagefright iOS ImageIO FLAC audio library libsndfile less lesspipe strings file dpkg rcs systemd-resolved libyaml Info-Zip unzip libtasn1OpenBSD pfctl NetBSD bpf man mandocIDA Pro clamav libxml2glibc clang llvmnasm ctags mutt procmail fontconfig pdksh Qt wavpackOpenSSH OpenSSH redis lua-cmsgpack taglib privoxy perl libxmp radare2 SleuthKit fwknop X.Org exifprobe jhead capnproto Xerces-C metacam djvulibre exiv Linux btrfs Knot DNS curl wpa_supplicantApple Apple Safari Safari libde265 dnsmasq libbpg lame libwmf uudecode MuPDF imlib2 libraw libbson libsass yara W3C tidy- html5 VLC FreeBSD syscons John the Ripper screen tmux mosh UPX indent openjpeg MMIX OpenMPT rxvt dhcpcd Mozilla NSS Nettle mbed TLS Linux netlink Linux ext4 Linux xfs botanAdobe expat Adobe Reader Reader libav libical OpenBSD kernel collectd libidn MatrixSSL jasperMaraDNS w3m Xen OpenH232 irssi cmark OpenCV Malheur gstreamer Tor gdk-pixbuf audiofilezstd lz4 stb cJSON libpcre MySQL gnulib openexr libmad ettercap lrzip freetds Asterisk ytnefraptor mpg123 exempi libgmime pev v8 sed awk make m4 yacc PHP ImageMagick freedesktop.org patch libtasn1 libvorbis zsh lua ninja ruby busybox gcrypt vim Tor poppler libopus BSD sh gcc qemu w3m zsh dropbearWireshark wireshark libtorrent git rust gravity e2fsprogs parrot lodepng json-glib cabextract libmspack qprint gpsbabel dmg2img antiword arj unrar unace zoo rzip lrzip libiso libtta duktape splint zpaq assimp cppcheck fasm catdoc pngcrush cmark p7zip libjbig2 aaphoto t1utils apngopt sqlparser mdp libtinyxml freexl bgpparser testdisk photorec btcd gumbo chaiscript teseq colcrt pttbbs capstone dex2oat pillow elftoolchain aribas universal-ctags uriparser jq lha xdelta gnuplot libwpd teseq cimg libiberty policycoreutils libsemanage renoise metapixel openclone mp3splt podofo Apache httpd glslang UEFITool libcbor lldpd pngquant muparserx mochilo pyhocon sysdig Overpass-API fish-shell gumbo-parserApache mapbox-gl-native httpd rapidjson libjson FLIF MultiMarkdown astyle pax-utils zziplib PyPDF spiffing apk pgpdump icoutils msitools dosfstools
2 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Motivation
Stephens, Nick, et al. "Driller: Augmenting Fuzzing Through Selective Symbolic Execution." Proceedings of the Network and Distributed System Security Symposium (NDSS). 2016.
Böhme, Marcel, et al. "Coverage-based greybox fuzzing as markov chain." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM. 2016.
Rawat, Sanjay, et al. "Vuzzer: Application-aware evolutionary fuzzing.“ Proceedings of the Network and Distributed System Security Symposium (NDSS). 2017.
3 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Motivation
What about Kernel Security?
4 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Related Work
Fast Crash Tolerant OS Independent Binary Only
5 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Related Work
Fast Crash Tolerant OS Independent Binary Only
TriforceAFL (Jesse Hertz & Tim Newsham, ✗ ✓ ~ ✓ NCC Group)
5 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Related Work
Fast Crash Tolerant OS Independent Binary Only
TriforceAFL (Jesse Hertz & Tim Newsham, ✗ ✓ ~ ✓ NCC Group) Syzkaller (Dmitry Vyukov) ✓ ✓ ✗ ✗
5 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Related Work
Fast Crash Tolerant OS Independent Binary Only
TriforceAFL (Jesse Hertz & Tim Newsham, ✗ ✓ ~ ✓ NCC Group) Syzkaller (Dmitry Vyukov) ✓ ✓ ✗ ✗ AFL Filesystem Fuzzer (Vegard Nossum & Quentin ✓ ~ ✗ ✗ Casanovas, Oracle)
5 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Related Work
Fast Crash Tolerant OS Independent Binary Only
TriforceAFL (Jesse Hertz & Tim Newsham, ✗ ✓ ~ ✓ NCC Group) Syzkaller (Dmitry Vyukov) ✓ ✓ ✗ ✗ AFL Filesystem Fuzzer (Vegard Nossum & Quentin ✓ ~ ✗ ✗ Casanovas, Oracle) PT Kernel Fuzzer (Richard Johnson, Talos) ✓ ✗ ✗ ✓
5 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Goal
Build a kernel fuzzer that is all of this:
▪Fast ▪Reliable ▪(mostly) OS independent ▪No source level access required
6 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Fuzzing in a nutshell Fuzzing in a nutshell
Fuzzer Target
8 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Fuzzing in a nutshell
Inputs
Fuzzer Target
Grammar
8 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Fuzzing in a nutshell
Randomized Inputs Inputs
Fuzzer Target
Grammar
8 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Fuzzing in a nutshell
Randomized Inputs Inputs
Fuzzer Target
Grammar Feedback
8 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Blackbox Fuzzing
"EFG"
Target
9 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Blackbox Fuzzing
"TZG"
Target
exit
9 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Blackbox Fuzzing
"ABC"
Target
Crash
9 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Coverage-Guided Fuzzing Coverage-Guided Fuzzing
input[0] == 'A'
input[1] == 'B'
input[2] == 'C'
crash() exit()
11 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Coverage-Guided Fuzzing
input[0] == 'A' ZZZZ
input[1] == 'B'
input[2] == 'C'
crash() exit()
11 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Coverage-Guided Fuzzing
input[0] == 'A' AAAA
input[1] == 'B'
input[2] == 'C'
crash() exit()
11 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Coverage-Guided Fuzzing
input[0] == 'A' ABBG
input[1] == 'B'
input[2] == 'C'
crash() exit()
11 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Coverage-Guided Fuzzing
input[0] == 'A' ABCJ
input[1] == 'B'
input[2] == 'C'
crash()crash() exit()
11 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Coverage-Guided Fuzzing
input[0] == 'A' ABCJ
input[1] == 'B'
AFL stores transitions in a bitmap input[2] == 'C'
crash()crash() exit()
11 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Feedback Mechanism
Closed-Source Kernel Stable Fast
12 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Feedback Mechanism
Closed-Source Kernel Stable Fast
Compile-Time Instrumentation ✗ ✓ ✓ ++
12 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Feedback Mechanism
Closed-Source Kernel Stable Fast
Compile-Time Instrumentation ✗ ✓ ✓ ++ Static Rewriting ✓ - ✗ ++
12 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Feedback Mechanism
Closed-Source Kernel Stable Fast
Compile-Time Instrumentation ✗ ✓ ✓ ++ Static Rewriting ✓ - ✗ ++ Dynamic Binary Instrumentation ✓ -* ✓ -
* Peter Feiner, et al., DRK: DynamoRIO as a Linux Kernel Module
12 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Feedback Mechanism
Closed-Source Kernel Stable Fast
Compile-Time Instrumentation ✗ ✓ ✓ ++ Static Rewriting ✓ - ✗ ++ Dynamic Binary Instrumentation ✓ -* ✓ - Emulation ✓ ✓ ✓ - -
* Peter Feiner, et al., DRK: DynamoRIO as a Linux Kernel Module
12 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Feedback Mechanism
Closed-Source Kernel Stable Fast
Compile-Time Instrumentation ✗ ✓ ✓ ++ Static Rewriting ✓ - ✗ ++ Dynamic Binary Instrumentation ✓ -* ✓ - Emulation ✓ ✓ ✓ - - Intel Branch Trace Store ✓ ✓ ✓ +
* Peter Feiner, et al., DRK: DynamoRIO as a Linux Kernel Module
12 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Feedback Mechanism
Closed-Source Kernel Stable Fast
Compile-Time Instrumentation ✗ ✓ ✓ ++ Static Rewriting ✓ - ✗ ++ Dynamic Binary Instrumentation ✓ -* ✓ - Emulation ✓ ✓ ✓ - - Intel Branch Trace Store ✓ ✓ ✓ + Intel Processor Trace ✓ ✓ ✓ +++
* Peter Feiner, et al., DRK: DynamoRIO as a Linux Kernel Module
12 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Intel Processor Trace Intel Processor Trace
Instruction Intel PT Packet
14 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Intel Processor Trace
Instruction Intel PT Packet
jmp/call loc_b Inferable from disassembly
14 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Intel Processor Trace
Instruction Intel PT Packet
jmp/call loc_b Inferable from disassembly
jnz loc_a Taken / Not Taken
14 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Intel Processor Trace
Instruction Intel PT Packet
jmp/call loc_b Inferable from disassembly
jnz loc_a Taken / Not Taken
jmp/call [eax] Target IP
14 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Intel Processor Trace
Instruction Intel PT Packet
jmp/call loc_b Inferable from disassembly
jnz loc_a Taken / Not Taken
jmp/call [eax] Target IP
ret Target IP (if required)
14 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Intel Processor Trace
Intel PT Data
Not Taken Target IP (0x1009) Target IP (0x1055)
15 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Intel Processor Trace
Intel PT Data
Not Taken Target IP (0x1009) Target IP (0x1055)
Target Binary
15 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Intel Processor Trace
Intel PT Data Traces
Not Taken 0x1000 Target IP (0x1009) 0x1004 Target IP (0x1055) 0x1009
Target Binary
15 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Intel Processor Trace
Intel PT Data Traces Transitions
Not Taken 0x1000 0x0000 / 0x1000 Target IP (0x1009) 0x1004 0x1000 / 0x1004 Target IP (0x1055) 0x1009 0x1004 / 0x1009
Target Binary
15 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Intel Processor Trace
Intel PT Data Traces Transitions AFL Bitmap
Not Taken 0x1000 0x0000 / 0x1000 Target IP (0x1009) 0x1004 0x1000 / 0x1004 011001010010 Target IP (0x1055) 0x1009 0x1004 / 0x1009
Target Binary
15 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Architecture Architecture
Host
Kernel
Fuzzer Agent
17 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Architecture
Host
Benefits: ✓Coverage
Intel PT Driver Kernel
coverage
Fuzzer Agent
17 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Architecture
Host
Benefits: ✓Coverage
Intel PT Driver Kernel
coverage
Fuzzer Agent
17 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Architecture
Host
Benefits: ✓Coverage
Intel PT Driver Kernel
coverage
Fuzzer Agent
17 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Architecture
Host
Benefits: Virtual Machine ✓Coverage ✓Crash Tolerance Intel PT Driver Kernel
coverage
Fuzzer Agent
17 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Architecture
Host
Benefits: Virtual Machine ✓Coverage ✓Crash Tolerance ✓OS Independence Intel PT Driver Kernel coverage
Fuzzer Agent
17 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Architecture
Host
Benefits: Virtual Machine ✓Coverage ✓Crash Tolerance ✓OS Independence Intel PT Driver Kernel ✓Scalable coverage
Fuzzer Agent
17 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Trace Filtering
Host
Virtual Machine
Intel PT Driver Kernel
coverage
Fuzzer Agent
18 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Trace Filtering Full System Tracing
Host
Virtual Machine
Intel PT Driver Kernel
coverage
Fuzzer Agent
18 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Trace Filtering vCPU Tracing
Host
Filter-Mechanisms: Virtual Machine ✓vCPU
Intel PT aware Intel PT Driver Kernel Hypervisor coverage
Fuzzer Agent
18 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Trace Filtering Guest Ring-0 Tracing
Host
Filter-Mechanisms: Virtual Machine ✓vCPU ✓Supervisor Intel PT aware Intel PT Driver Kernel Hypervisor coverage
Fuzzer Agent
18 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Trace Filtering Guest Ring-0 Tracing
0xFFFFFFFFFFFFFFFF Host
Kernel Space Filter-Mechanisms: Virtual Machine ✓vCPU ✓Supervisor Intel PT aware Intel PT Driver Kernel syscall Hypervisor coverage
User Space Fuzzer Agent
0x0000000000000000
18 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Guest Ring-0 Tracing Trace Filtering (Fuzzing-Process) Host
Filter-Mechanisms: Virtual Machine ✓vCPU ✓Supervisor Intel PT aware Intel PT Driver Kernel ✓CR3 Hypervisor coverage
Fuzzer Agent
18 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Guest Ring-0 Tracing Trace Filtering (Fuzzing-Process & Target Range) Host
Filter-Mechanisms: Virtual Machine ✓vCPU ✓Supervisor Intel PT aware Intel PT Driver Kernel ✓CR3 Hypervisor ✓IP-Range coverage
Fuzzer Agent
18 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Inter-VM Communication
Host
Virtual Machine
Intel PT aware Intel PT Driver Kernel Hypervisor coverage
Fuzzer Agent
19 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Inter-VM Communication
Host
Virtual Machine
Intel PT aware Intel PT Driver Kernel Hypervisor coverage
Fuzzer Agent
19 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Inter-VM Communication
Host Guest to Host:
Virtual Machine
Intel PT aware Intel PT Driver Kernel Hypervisor coverage
Fuzzer Agent
19 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Inter-VM Communication
Host Guest to Host: ▪Synchronization Virtual Machine
Intel PT aware Intel PT Driver Kernel Hypervisor coverage
Fuzzer Agent
19 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Inter-VM Communication
Host Guest to Host: ▪Synchronization ▪Next payload Virtual Machine
Intel PT aware Intel PT Driver Kernel Hypervisor coverage
Fuzzer Agent
19 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Inter-VM Communication
Host Guest to Host: ▪Synchronization ▪Next payload Virtual Machine ▪Disclose CR3 value Intel PT aware Intel PT Driver Kernel Hypervisor coverage
Fuzzer Agent
19 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Inter-VM Communication
Host Guest to Host: ▪Synchronization ▪Next payload Virtual Machine ▪Disclose CR3 value ▪Panic handler address Intel PT aware Intel PT Driver Kernel Hypervisor coverage
Fuzzer Agent
19 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Inter-VM Communication
Host Guest to Host: ▪Synchronization ▪Next payload Virtual Machine ▪Disclose CR3 value ▪Panic handler address Intel PT aware Intel PT Driver Kernel ▪Signal kernel panic Hypervisor coverage
Fuzzer Agent
19 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Inter-VM Communication
Host Guest to Host: ▪Synchronization ▪Next payload Virtual Machine ▪Disclose CR3 value ▪Panic handler address Intel PT aware Intel PT Driver Kernel ▪Signal kernel panic Hypervisor coverage Host to Guest:
Fuzzer Agent
19 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Inter-VM Communication
Host Guest to Host: ▪Synchronization ▪Next payload Virtual Machine ▪Disclose CR3 value ▪Panic handler address Intel PT aware Intel PT Driver Kernel ▪Signal kernel panic Hypervisor coverage Host to Guest: Agent ▪ Fuzzer Agent
19 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Inter-VM Communication
Host Guest to Host: ▪Synchronization ▪Next payload Virtual Machine ▪Disclose CR3 value ▪Panic handler address Intel PT aware Intel PT Driver Kernel ▪Signal kernel panic Hypervisor coverage Host to Guest: Agent ▪ Fuzzer Agent ▪Payloads
19 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Inter-VM Communication
Host Guest to Host: ▪Synchronization ▪Next payload Virtual Machine ▪Disclose CR3 value ▪Panic handler address Intel PT aware Intel PT Driver Kernel ▪Signal kernel panic Hypervisor coverage Host to Guest: Agent ▪ Fuzzer Agent ▪Payloads ▪Overwrite panic handler
19 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Implementation
20 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Implementation
CPU: ▪generates raw Intel-PT data ▪writes data to main memory
20 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Implementation
KVM-PT: ▪configures Intel PT via MSRs ▪enables tracing during VM-Entry transition ▪disables tracing during VM-Exit transition
20 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Implementation
QEMU-PT: ▪usermode counterpart ▪decodes Intel PT data on-the-fly
20 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Implementation
kAFL Fuzzer: ▪generates new fuzz payloads ▪detects new behavior
20 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Evaluation New Vulnerabilities Windows: ▪NTFS (DoS)
macOS: ▪HFS (DoS, Memory Corruption) ▪APFS (Memory Corruption)
Linux: ▪EXT4 (DoS, Memory Corruption) ▪Keyctl (Nullpointer Dereference)
22 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels 5.4 Rediscovery of Known Bugs system, a mainline patch was proposed. The last re- ported Linux vulnerability, which calls in the ext4 error We evaluated kAFL on the keyctl interface, which al- handling routine panic() and hence results in a kernel lows a user space program to store and manage vari- panic, was at the time of writing not investigated any fur- ous kinds of key material in the kernel. More specif- ther. The NTFS bug in Windows 10 is a non-recoverable ically, it features a DER (see RFC5280) parser to load error condition which leads to a blue screen. This bug certificates. This functionality had a known bug (CVE- was reported to Microsoft, but has not been confirmed 2016-07583). We tested kAFL against the same interface yet. Similarly, Apple has not yet verified or confirmed on a vulnerable kernel (version 4.3.2). kAFL was able our reported macOS bugs. to uncover the same problem and one additional previ- ously unknown bug that was assigned CVE-2016-86504. kAFL managed to trigger 17 unique KASan reports and 5.6 Fuzzing Performance 15 unique panics in just one hour of execution time. Dur- We compare the overall performance of kAFL across dif- ing this experiment, kAFL generated over 34 million in- ferent operating systems. To ensure comparable results, puts, found 295 interesting inputs, and performed nearly we created a simple driver that contains a JSON parser 9,000 executions per second. This experiment was per- based on jsmn11 for each aforementioned operating sys- formed while running 8 processes in parallel. tem and used it to decode user input (see Listing 2). If the user input is a JSON string starting with "KAFL",a 5.5 Detected Vulnerabilities crash is triggered. We traced both the JSON parser as well as the final check. This way kAFL was able to learn During the evaluation, kAFL found more than a thou- correct JSON syntax. We measured the time used to find sand unique crashes. We evaluated some manually and the crash, the number of executions per second, and the found multiple security vulnerabilitiesEvaluation in all tested op- Driverspeed for new paths to be discovered on all three target erating systems such as Linux, Windows, and macOS. operating systems. So far, eight bugs were reported and three of them were 1 jsmn_parser parser; confirmed by the maintainers: 2 jsmntok_t tokens[5]; 3 jsmn_init(&parser); 5 4 • Linux: keyctl Null Pointer Dereference (CVE- int res=jsmn_parse(&parser, input, size, tokens, 5); 6 5 2016-8650 ) 6 if(res >= 2){ 7 if(tokens[0].type == JSMN_STRING){ 7 8 int json_len = tokens[0].end - tokens[0]. • Linux: ext4 Memory Corruption start; int s=tokens[0].start; 8 9 • Linux: ext4 Error Handling 10 if(json_len > 0 && input[s+0] == K ){ 11 if(json_len > 1 && input[s+1] == A ){ • Windows: NTFS Div-by-Zero9 12 if(json_len > 2 && input[s+2] == F ){ 13 if(json_len > 3 && input[s+3] == L ){ 14 panic(KERN_INFO "KAFL...\n"); 10 • macOS: HFS Div-by-Zero 15 }}}}} 16 } • macOS: HFS Assertion Fail10 Listing 2: The JSON parser kernel module used for the • macOS: HFS Use-After-Free10 coverage benchmarks.
• macOS: APFS Memory Corruption10 We performed five repeated experiments for each op- 23 kAFL: Hardware-Assisted Feedbackerating Fuzzing system. for OS Kernels Additionally we tested TriforceAFL with Red Hat has assigned a CVE number for the first re- the Linux target driver. TriforceAFL is unable to fuzz ported security flaw, which triggers a null pointer def- Windows and macOS. To compare TriforceAFL with erence and a partial memory corruption in the kernel kAFL, the associated TriforceLinuxSyscallFuzzer was ASN.1 parser if an RSA certificate with a zero expo- slightly modified to work with our vulnerable Linux ker- nent is presented. For the second reported vulnerabil- nel module. Unfortunately, it was not possible to com- ity, which triggers a memory corruption in the ext4 file pare kAFL against Oracle’s file system fuzzer [34] due to technical issues with its setup. 3 https://access.redhat.com/security/cve/cve-2016-0758 During each run, we fuzzed the JSON parser for 30 4https://access.redhat.com/security/cve/cve-2016-8650 5http://seclists.org/fulldisclosure/2016/Nov/76 minutes. The averaged and rounded results are displayed 6https://access.redhat.com/security/cve/cve-2016-8650 in Table 1. As we can see, the performance of kAFL 7http://seclists.org/fulldisclosure/2016/Nov/75 is very similar across different systems. It should be re- 8http://seclists.org/bugtraq/2016/Nov/1 marked that the variance in this experiment is rather high 9Reported to Microsoft Security. 10Reported to Apple Product Security. 11http://zserge.com/jsmn.html
10 5.4 Rediscovery of Known Bugs system, a mainline patch was proposed. The last re- ported Linux vulnerability, which calls in the ext4 error We evaluated kAFL on the keyctl interface, which al- handling routine panic() and hence results in a kernel lows a user space program to store and manage vari- panic, was at the time of writing not investigated any fur- ous kinds of key material in the kernel. More specif- ther. The NTFS bug in Windows 10 is a non-recoverable ically, it features a DER (see RFC5280) parser to load error condition which leads to a blue screen. This bug certificates. This functionality had a known bug (CVE- was reported to Microsoft, but has not been confirmed 2016-07583). We tested kAFL against the same interface yet. Similarly, Apple has not yet verified or confirmed on a vulnerable kernel (version 4.3.2). kAFL was able our reported macOS bugs. to uncover the same problem and one additional previ- ously unknown bug that was assigned CVE-2016-86504. kAFL managed to trigger 17 unique KASan reports and 5.6 Fuzzing Performance 15 unique panics in just one hour of execution time. Dur- We compare the overall performance of kAFL across dif- ing this experiment, kAFL generated over 34 million in- ferent operating systems. To ensure comparable results, puts, found 295 interesting inputs, and performed nearly we created a simple driver that contains a JSON parser 9,000 executions per second. This experiment was per- based on jsmn11 for each aforementioned operating sys- formed while running 8 processes in parallel. tem and used it to decode user input (see Listing 2). If the user input is a JSON string starting with "KAFL",a 5.5 Detected Vulnerabilities crash is triggered. We traced both the JSON parser as well as the final check. This way kAFL was able to learn During the evaluation, kAFL found more than a thou- correct JSON syntax. We measured the time used to find sand unique crashes. We evaluated some manually and the crash, the number of executions per second, and the found multiple security vulnerabilitiesEvaluation in all tested op- Driverspeed for new paths to be discovered on all three target erating systems such as Linux, Windows, and macOS. operating systems. So far, eight bugs were reported and three of them were 1 jsmn_parser parser; confirmed by the maintainers: 2 jsmntok_t tokens[5]; 3 jsmn_init(&parser); 5 4 • Linux: keyctl Null Pointer Dereference (CVE- int res=jsmn_parse(&parser, input, size, tokens, 5); 6 5 2016-8650 ) 6 if(res >= 2){ 7 if(tokens[0].type == JSMN_STRING){ 7 8 int json_len = tokens[0].end - tokens[0]. • Linux: ext4 Memory Corruption start; int s=tokens[0].start; 8 9 • Linux: ext4 Error Handling 10 if(json_len > 0 && input[s+0] == K ){ 11 if(json_len > 1 && input[s+1] == A ){ • Windows: NTFS Div-by-Zero9 12 if(json_len > 2 && input[s+2] == F ){ 13 if(json_len > 3 && input[s+3] == L ){ 14 panic(KERN_INFO "KAFL...\n"); 10 • macOS: HFS Div-by-Zero 15 }}}}} 16 } • macOS: HFS Assertion Fail10 Listing 2: The JSON parser kernel module used for the • macOS: HFS Use-After-Free10 coverage benchmarks.
• macOS: APFS Memory Corruption10 We performed five repeated experiments for each op- 23 kAFL: Hardware-Assisted Feedbackerating Fuzzing system. for OS Kernels Additionally we tested TriforceAFL with Red Hat has assigned a CVE number for the first re- the Linux target driver. TriforceAFL is unable to fuzz ported security flaw, which triggers a null pointer def- Windows and macOS. To compare TriforceAFL with erence and a partial memory corruption in the kernel kAFL, the associated TriforceLinuxSyscallFuzzer was ASN.1 parser if an RSA certificate with a zero expo- slightly modified to work with our vulnerable Linux ker- nent is presented. For the second reported vulnerabil- nel module. Unfortunately, it was not possible to com- ity, which triggers a memory corruption in the ext4 file pare kAFL against Oracle’s file system fuzzer [34] due to technical issues with its setup. 3 https://access.redhat.com/security/cve/cve-2016-0758 During each run, we fuzzed the JSON parser for 30 4https://access.redhat.com/security/cve/cve-2016-8650 5http://seclists.org/fulldisclosure/2016/Nov/76 minutes. The averaged and rounded results are displayed 6https://access.redhat.com/security/cve/cve-2016-8650 in Table 1. As we can see, the performance of kAFL 7http://seclists.org/fulldisclosure/2016/Nov/75 is very similar across different systems. It should be re- 8http://seclists.org/bugtraq/2016/Nov/1 marked that the variance in this experiment is rather high 9Reported to Microsoft Security. 10Reported to Apple Product Security. 11http://zserge.com/jsmn.html
10 5.4 Rediscovery of Known Bugs system, a mainline patch was proposed. The last re- ported Linux vulnerability, which calls in the ext4 error We evaluated kAFL on the keyctl interface, which al- handling routine panic() and hence results in a kernel lows a user space program to store and manage vari- panic, was at the time of writing not investigated any fur- ous kinds of key material in the kernel. More specif- ther. The NTFS bug in Windows 10 is a non-recoverable ically, it features a DER (see RFC5280) parser to load error condition which leads to a blue screen. This bug certificates. This functionality had a known bug (CVE- was reported to Microsoft, but has not been confirmed 2016-07583). We tested kAFL against the same interface yet. Similarly, Apple has not yet verified or confirmed on a vulnerable kernel (version 4.3.2). kAFL was able our reported macOS bugs. to uncover the same problem and one additional previ- ously unknown bug that was assigned CVE-2016-86504. kAFL managed to trigger 17 unique KASan reports and 5.6 Fuzzing Performance 15 unique panics in just one hour of execution time. Dur- We compare the overall performance of kAFL across dif- ing this experiment, kAFL generated over 34 million in- ferent operating systems. To ensure comparable results, puts, found 295 interesting inputs, and performed nearly we created a simple driver that contains a JSON parser 9,000 executions per second. This experiment was per- based on jsmn11 for each aforementioned operating sys- formed while running 8 processes in parallel. tem and used it to decode user input (see Listing 2). If the user input is a JSON string starting with "KAFL",a 5.5 Detected Vulnerabilities crash is triggered. We traced both the JSON parser as well as the final check. This way kAFL was able to learn During the evaluation, kAFL found more than a thou- correct JSON syntax. We measured the time used to find sand unique crashes. We evaluated some manually and the crash, the number of executions per second, and the found multiple security vulnerabilitiesEvaluation in all tested op- Driverspeed for new paths to be discovered on all three target erating systems such as Linux, Windows, and macOS. operating systems. So far, eight bugs were reported and three of them were 1 jsmn_parser parser; confirmed by the maintainers: 2 jsmntok_t tokens[5]; 3 jsmn_init(&parser); 5 4 • Linux: keyctl Null Pointer Dereference (CVE- int res=jsmn_parse(&parser, input, size, tokens, 5); 6 5 2016-8650 ) 6 if(res >= 2){ 7 if(tokens[0].type == JSMN_STRING){ 7 8 int json_len = tokens[0].end - tokens[0]. • Linux: ext4 Memory Corruption start; int s=tokens[0].start; 8 9 • Linux: ext4 Error Handling 10 if(json_len > 0 && input[s+0] == K ){ 11 if(json_len > 1 && input[s+1] == A ){ • Windows: NTFS Div-by-Zero9 12 if(json_len > 2 && input[s+2] == F ){ 13 if(json_len > 3 && input[s+3] == L ){ 14 panic(KERN_INFO "KAFL...\n"); 10 • macOS: HFS Div-by-Zero 15 }}}}} 16 } • macOS: HFS Assertion Fail10 Listing 2: The JSON parser kernel module used for the • macOS: HFS Use-After-Free10 coverage benchmarks.
• macOS: APFS Memory Corruption10 We performed five repeated experiments for each op- 23 kAFL: Hardware-Assisted Feedbackerating Fuzzing system. for OS Kernels Additionally we tested TriforceAFL with Red Hat has assigned a CVE number for the first re- the Linux target driver. TriforceAFL is unable to fuzz ported security flaw, which triggers a null pointer def- Windows and macOS. To compare TriforceAFL with erence and a partial memory corruption in the kernel kAFL, the associated TriforceLinuxSyscallFuzzer was ASN.1 parser if an RSA certificate with a zero expo- slightly modified to work with our vulnerable Linux ker- nent is presented. For the second reported vulnerabil- nel module. Unfortunately, it was not possible to com- ity, which triggers a memory corruption in the ext4 file pare kAFL against Oracle’s file system fuzzer [34] due to technical issues with its setup. 3 https://access.redhat.com/security/cve/cve-2016-0758 During each run, we fuzzed the JSON parser for 30 4https://access.redhat.com/security/cve/cve-2016-8650 5http://seclists.org/fulldisclosure/2016/Nov/76 minutes. The averaged and rounded results are displayed 6https://access.redhat.com/security/cve/cve-2016-8650 in Table 1. As we can see, the performance of kAFL 7http://seclists.org/fulldisclosure/2016/Nov/75 is very similar across different systems. It should be re- 8http://seclists.org/bugtraq/2016/Nov/1 marked that the variance in this experiment is rather high 9Reported to Microsoft Security. 10Reported to Apple Product Security. 11http://zserge.com/jsmn.html
10 5.4 Rediscovery of Known Bugs system, a mainline patch was proposed. The last re- ported Linux vulnerability, which calls in the ext4 error We evaluated kAFL on the keyctl interface, which al- handling routine panic() and hence results in a kernel lows a user space program to store and manage vari- panic, was at the time of writing not investigated any fur- ous kinds of key material in the kernel. More specif- ther. The NTFS bug in Windows 10 is a non-recoverable ically, it features a DER (see RFC5280) parser to load error condition which leads to a blue screen. This bug certificates. This functionality had a known bug (CVE- was reported to Microsoft, but has not been confirmed 2016-07583). We tested kAFL against the same interface yet. Similarly, Apple has not yet verified or confirmed on a vulnerable kernel (version 4.3.2). kAFL was able our reported macOS bugs. to uncover the same problem and one additional previ- ously unknown bug that was assigned CVE-2016-86504. kAFL managed to trigger 17 unique KASan reports and 5.6 Fuzzing Performance 15 unique panics in just one hour of execution time. Dur- We compare the overall performance of kAFL across dif- ing this experiment, kAFL generated over 34 million in- ferent operating systems. To ensure comparable results, puts, found 295 interesting inputs, and performed nearly we created a simple driver that contains a JSON parser 9,000 executions per second. This experiment was per- based on jsmn11 for each aforementioned operating sys- formed while running 8 processes in parallel. tem and used it to decode user input (see Listing 2). If the user input is a JSON string starting with "KAFL",a 5.5 Detected Vulnerabilities crash is triggered. We traced both the JSON parser as well as the final check. This way kAFL was able to learn During the evaluation, kAFL found more than a thou- correct JSON syntax. We measured the time used to find sand unique crashes. We evaluated some manually and the crash, the number of executions per second, and the found multiple security vulnerabilitiesEvaluation in all tested op- Driverspeed for new paths to be discovered on all three target erating systems such as Linux, Windows, and macOS. operating systems. So far, eight bugs were reported and three of them were 1 jsmn_parser parser; confirmed by the maintainers: 2 jsmntok_t tokens[5]; 3 jsmn_init(&parser); 5 4 • Linux: keyctl Null Pointer Dereference (CVE- int res=jsmn_parse(&parser, input, size, tokens, 5); 6 5 2016-8650 ) 6 if(res >= 2){ 7 if(tokens[0].type == JSMN_STRING){ 7 8 int json_len = tokens[0].end - tokens[0]. • Linux: ext4 Memory Corruption start; int s=tokens[0].start; 8 9 • Linux: ext4 Error Handling 10 if(json_len > 0 && input[s+0] == K ){ 11 if(json_len > 1 && input[s+1] == A ){ • Windows: NTFS Div-by-Zero9 12 if(json_len > 2 && input[s+2] == F ){ 13 if(json_len > 3 && input[s+3] == L ){ 14 panic(KERN_INFO "KAFL...\n"); 10 • macOS: HFS Div-by-Zero 15 }}}}} 16 } • macOS: HFS Assertion Fail10 Listing 2: The JSON parser kernel module used for the • macOS: HFS Use-After-Free10 coverage benchmarks.
• macOS: APFS Memory Corruption10 We performed five repeated experiments for each op- 23 kAFL: Hardware-Assisted Feedbackerating Fuzzing system. for OS Kernels Additionally we tested TriforceAFL with Red Hat has assigned a CVE number for the first re- the Linux target driver. TriforceAFL is unable to fuzz ported security flaw, which triggers a null pointer def- Windows and macOS. To compare TriforceAFL with erence and a partial memory corruption in the kernel kAFL, the associated TriforceLinuxSyscallFuzzer was ASN.1 parser if an RSA certificate with a zero expo- slightly modified to work with our vulnerable Linux ker- nent is presented. For the second reported vulnerabil- nel module. Unfortunately, it was not possible to com- ity, which triggers a memory corruption in the ext4 file pare kAFL against Oracle’s file system fuzzer [34] due to technical issues with its setup. 3 https://access.redhat.com/security/cve/cve-2016-0758 During each run, we fuzzed the JSON parser for 30 4https://access.redhat.com/security/cve/cve-2016-8650 5http://seclists.org/fulldisclosure/2016/Nov/76 minutes. The averaged and rounded results are displayed 6https://access.redhat.com/security/cve/cve-2016-8650 in Table 1. As we can see, the performance of kAFL 7http://seclists.org/fulldisclosure/2016/Nov/75 is very similar across different systems. It should be re- 8http://seclists.org/bugtraq/2016/Nov/1 marked that the variance in this experiment is rather high 9Reported to Microsoft Security. 10Reported to Apple Product Security. 11http://zserge.com/jsmn.html
10 5.4 Rediscovery of Known Bugs system, a mainline patch was proposed. The last re- ported Linux vulnerability, which calls in the ext4 error We evaluated kAFL on the keyctl interface, which al- handling routine panic() and hence results in a kernel lows a user space program to store and manage vari- panic, was at the time of writing not investigated any fur- ous kinds of key material in the kernel. More specif- ther. The NTFS bug in Windows 10 is a non-recoverable ically, it features a DER (see RFC5280) parser to load error condition which leads to a blue screen. This bug certificates. This functionality had a known bug (CVE- was reported to Microsoft, but has not been confirmed 2016-07583). We tested kAFL against the same interface yet. Similarly, Apple has not yet verified or confirmed on a vulnerable kernel (version 4.3.2). kAFL was able our reported macOS bugs. to uncover the same problem and one additional previ- ously unknown bug that was assigned CVE-2016-86504. kAFL managed to trigger 17 unique KASan reports and 5.6 Fuzzing Performance 15 unique panics in just one hour of execution time. Dur- We compare the overall performance of kAFL across dif- ing this experiment, kAFL generated over 34 million in- ferent operating systems. To ensure comparable results, puts, found 295 interesting inputs, and performed nearly we created a simple driver that contains a JSON parser 9,000 executions per second. This experiment was per- based on jsmn11 for each aforementioned operating sys- formed while running 8 processes in parallel. tem and used it to decode user input (see Listing 2). If the user input is a JSON string starting with "KAFL",a 5.5 Detected Vulnerabilities crash is triggered. We traced both the JSON parser as well as the final check. This way kAFL was able to learn During the evaluation, kAFL found more than a thou- correct JSON syntax. We measured the time used to find sand unique crashes. We evaluated some manually and the crash, the number of executions per second, and the found multiple security vulnerabilitiesEvaluation in all tested op- Driverspeed for new paths to be discovered on all three target erating systems such as Linux, Windows, and macOS. operating systems. So far, eight bugs were reported and three of them were 1 jsmn_parser parser; confirmed by the maintainers: 2 jsmntok_t tokens[5]; 3 jsmn_init(&parser); 5 4 • Linux: keyctl Null Pointer Dereference (CVE- int res=jsmn_parse(&parser, input, size, tokens, 5); 6 5 2016-8650 ) 6 if(res >= 2){ 7 if(tokens[0].type == JSMN_STRING){ 7 8 int json_len = tokens[0].end - tokens[0]. • Linux: ext4 Memory Corruption start; int s=tokens[0].start; 8 9 • Linux: ext4 Error Handling 10 if(json_len > 0 && input[s+0] == K ){ 11 if(json_len > 1 && input[s+1] == A ){ • Windows: NTFS Div-by-Zero9 12 if(json_len > 2 && input[s+2] == F ){ 13 if(json_len > 3 && input[s+3] == L ){ 14 panic(KERN_INFO "KAFL...\n"); 10 • macOS: HFS Div-by-Zero 15 }}}}} 16 } • macOS: HFS Assertion Fail10 Listing 2: The JSON parser kernel module used for the • macOS: HFS Use-After-Free10 coverage benchmarks.
• macOS: APFS Memory Corruption10 We performed five repeated experiments for each op- 23 kAFL: Hardware-Assisted Feedbackerating Fuzzing system. for OS Kernels Additionally we tested TriforceAFL with Red Hat has assigned a CVE number for the first re- the Linux target driver. TriforceAFL is unable to fuzz ported security flaw, which triggers a null pointer def- Windows and macOS. To compare TriforceAFL with erence and a partial memory corruption in the kernel kAFL, the associated TriforceLinuxSyscallFuzzer was ASN.1 parser if an RSA certificate with a zero expo- slightly modified to work with our vulnerable Linux ker- nent is presented. For the second reported vulnerabil- nel module. Unfortunately, it was not possible to com- ity, which triggers a memory corruption in the ext4 file pare kAFL against Oracle’s file system fuzzer [34] due to technical issues with its setup. 3 https://access.redhat.com/security/cve/cve-2016-0758 During each run, we fuzzed the JSON parser for 30 4https://access.redhat.com/security/cve/cve-2016-8650 5http://seclists.org/fulldisclosure/2016/Nov/76 minutes. The averaged and rounded results are displayed 6https://access.redhat.com/security/cve/cve-2016-8650 in Table 1. As we can see, the performance of kAFL 7http://seclists.org/fulldisclosure/2016/Nov/75 is very similar across different systems. It should be re- 8http://seclists.org/bugtraq/2016/Nov/1 marked that the variance in this experiment is rather high 9Reported to Microsoft Security. 10Reported to Apple Product Security. 11http://zserge.com/jsmn.html
10 5.4 Rediscovery of Known Bugs system, a mainline patch was proposed. The last re- ported Linux vulnerability, which calls in the ext4 error We evaluated kAFL on the keyctl interface, which al- handling routine panic() and hence results in a kernel lows a user space program to store and manage vari- panic, was at the time of writing not investigated any fur- ous kinds of key material in the kernel. More specif- ther. The NTFS bug in Windows 10 is a non-recoverable ically, it features a DER (see RFC5280) parser to load error condition which leads to a blue screen. This bug certificates. This functionality had a known bug (CVE- was reported to Microsoft, but has not been confirmed 2016-07583). We tested kAFL against the same interface yet. Similarly, Apple has not yet verified or confirmed on a vulnerable kernel (version 4.3.2). kAFL was able our reported macOS bugs. to uncover the same problem and one additional previ- ously unknown bug that was assigned CVE-2016-86504. kAFL managed to trigger 17 unique KASan reports and 5.6 Fuzzing Performance 15 unique panics in just one hour of execution time. Dur- We compare the overall performance of kAFL across dif- ing this experiment, kAFL generated over 34 million in- ferent operating systems. To ensure comparable results, puts, found 295 interesting inputs, and performed nearly we created a simple driver that contains a JSON parser 9,000 executions per second. This experiment was per- based on jsmn11 for each aforementioned operating sys- formed while running 8 processes in parallel. tem and used it to decode user input (see Listing 2). If the user input is a JSON string starting with "KAFL",a 5.5 Detected Vulnerabilities crash is triggered. We traced both the JSON parser as well as the final check. This way kAFL was able to learn During the evaluation, kAFL found more than a thou- correct JSON syntax. We measured the time used to find sand unique crashes. We evaluated some manually and the crash, the number of executions per second, and the found multiple security vulnerabilitiesEvaluation in all tested op- Driverspeed for new paths to be discovered on all three target erating systems such as Linux, Windows, and macOS. operating systems. So far, eight bugs were reported and three of them were 1 jsmn_parser parser; confirmed by the maintainers: 2 jsmntok_t tokens[5]; 3 jsmn_init(&parser); 5 4 • Linux: keyctl Null Pointer Dereference (CVE- int res=jsmn_parse(&parser, input, size, tokens, 5); 6 5 2016-8650 ) 6 if(res >= 2){ 7 if(tokens[0].type == JSMN_STRING){ 7 8 int json_len = tokens[0].end - tokens[0]. • Linux: ext4 Memory Corruption start; int s=tokens[0].start; 8 9 • Linux: ext4 Error Handling 10 if(json_len > 0 && input[s+0] == K ){ 11 if(json_len > 1 && input[s+1] == A ){ • Windows: NTFS Div-by-Zero9 12 if(json_len > 2 && input[s+2] == F ){ 13 if(json_len > 3 && input[s+3] == L ){ 14 panic(KERN_INFO "KAFL...\n"); 10 • macOS: HFS Div-by-Zero 15 }}}}} 16 } • macOS: HFS Assertion Fail10 Listing 2: The JSON parser kernel module used for the • macOS: HFS Use-After-Free10 coverage benchmarks.
• macOS: APFS Memory Corruption10 We performed five repeated experiments for each op- 23 kAFL: Hardware-Assisted Feedbackerating Fuzzing system. for OS Kernels Additionally we tested TriforceAFL with Red Hat has assigned a CVE number for the first re- the Linux target driver. TriforceAFL is unable to fuzz ported security flaw, which triggers a null pointer def- Windows and macOS. To compare TriforceAFL with erence and a partial memory corruption in the kernel kAFL, the associated TriforceLinuxSyscallFuzzer was ASN.1 parser if an RSA certificate with a zero expo- slightly modified to work with our vulnerable Linux ker- nent is presented. For the second reported vulnerabil- nel module. Unfortunately, it was not possible to com- ity, which triggers a memory corruption in the ext4 file pare kAFL against Oracle’s file system fuzzer [34] due to technical issues with its setup. 3 https://access.redhat.com/security/cve/cve-2016-0758 During each run, we fuzzed the JSON parser for 30 4https://access.redhat.com/security/cve/cve-2016-8650 5http://seclists.org/fulldisclosure/2016/Nov/76 minutes. The averaged and rounded results are displayed 6https://access.redhat.com/security/cve/cve-2016-8650 in Table 1. As we can see, the performance of kAFL 7http://seclists.org/fulldisclosure/2016/Nov/75 is very similar across different systems. It should be re- 8http://seclists.org/bugtraq/2016/Nov/1 marked that the variance in this experiment is rather high 9Reported to Microsoft Security. 10Reported to Apple Product Security. 11http://zserge.com/jsmn.html
10 5.4 Rediscovery of Known Bugs system, a mainline patch was proposed. The last re- ported Linux vulnerability, which calls in the ext4 error We evaluated kAFL on the keyctl interface, which al- handling routine panic() and hence results in a kernel lows a user space program to store and manage vari- panic, was at the time of writing not investigated any fur- ous kinds of key material in the kernel. More specif- ther. The NTFS bug in Windows 10 is a non-recoverable ically, it features a DER (see RFC5280) parser to load error condition which leads to a blue screen. This bug certificates. This functionality had a known bug (CVE- was reported to Microsoft, but has not been confirmed 2016-07583). We tested kAFL against the same interface yet. Similarly, Apple has not yet verified or confirmed on a vulnerable kernel (version 4.3.2). kAFL was able our reported macOS bugs. to uncover the same problem and one additional previ- ously unknown bug that was assigned CVE-2016-86504. kAFL managed to trigger 17 unique KASan reports and 5.6 Fuzzing Performance 15 unique panics in just one hour of execution time. Dur- We compare the overall performance of kAFL across dif- ing this experiment, kAFL generated over 34 million in- ferent operating systems. To ensure comparable results, puts, found 295 interesting inputs, and performed nearly we created a simple driver that contains a JSON parser 9,000 executions per second. This experiment was per- based on jsmn11 for each aforementioned operating sys- formed while running 8 processes in parallel. tem and used it to decode user input (see Listing 2). If the user input is a JSON string starting with "KAFL",a 5.5 Detected Vulnerabilities crash is triggered. We traced both the JSON parser as well as the final check. This way kAFL was able to learn During the evaluation, kAFL found more than a thou- correct JSON syntax. We measured the time used to find sand unique crashes. We evaluated some manually and the crash, the number of executions per second, and the found multiple security vulnerabilitiesEvaluation in all tested op- Driverspeed for new paths to be discovered on all three target erating systems such as Linux, Windows, and macOS. operating systems. So far, eight bugs were reported and three of them were 1 jsmn_parser parser; confirmed by the maintainers: 2 jsmntok_t tokens[5]; 3 jsmn_init(&parser); 5 4 • Linux: keyctl Null Pointer Dereference (CVE- int res=jsmn_parse(&parser, input, size, tokens, 5); 6 5 2016-8650 ) 6 if(res >= 2){ 7 if(tokens[0].type == JSMN_STRING){ 7 8 int json_len = tokens[0].end - tokens[0]. • Linux: ext4 Memory Corruption start; int s=tokens[0].start; 8 9 • Linux: ext4 Error Handling 10 if(json_len > 0 && input[s+0] == K ){ 11 if(json_len > 1 && input[s+1] == A ){ • Windows: NTFS Div-by-Zero9 12 if(json_len > 2 && input[s+2] == F ){ 13 if(json_len > 3 && input[s+3] == L ){ 14 panic(KERN_INFO "KAFL...\n"); 10 • macOS: HFS Div-by-Zero 15 }}}}} 16 } • macOS: HFS Assertion Fail10 Listing 2: The JSON parser kernel module used for the • macOS: HFS Use-After-Free10 coverage benchmarks.
• macOS: APFS Memory Corruption10 We performed five repeated experiments for each op- 23 kAFL: Hardware-Assisted Feedbackerating Fuzzing system. for OS Kernels Additionally we tested TriforceAFL with Red Hat has assigned a CVE number for the first re- the Linux target driver. TriforceAFL is unable to fuzz ported security flaw, which triggers a null pointer def- Windows and macOS. To compare TriforceAFL with erence and a partial memory corruption in the kernel kAFL, the associated TriforceLinuxSyscallFuzzer was ASN.1 parser if an RSA certificate with a zero expo- slightly modified to work with our vulnerable Linux ker- nent is presented. For the second reported vulnerabil- nel module. Unfortunately, it was not possible to com- ity, which triggers a memory corruption in the ext4 file pare kAFL against Oracle’s file system fuzzer [34] due to technical issues with its setup. 3 https://access.redhat.com/security/cve/cve-2016-0758 During each run, we fuzzed the JSON parser for 30 4https://access.redhat.com/security/cve/cve-2016-8650 5http://seclists.org/fulldisclosure/2016/Nov/76 minutes. The averaged and rounded results are displayed 6https://access.redhat.com/security/cve/cve-2016-8650 in Table 1. As we can see, the performance of kAFL 7http://seclists.org/fulldisclosure/2016/Nov/75 is very similar across different systems. It should be re- 8http://seclists.org/bugtraq/2016/Nov/1 marked that the variance in this experiment is rather high 9Reported to Microsoft Security. 10Reported to Apple Product Security. 11http://zserge.com/jsmn.html
10 Performance
Intel i7-6700 / 32GB DDR4
24 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Coverage
Intel i7-6700 / 32GB DDR4
25 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Coverage
kAFL: ▪5-7 minutes
TriforceAFL: ▪~2 hours
Intel i7-6700 / 32GB DDR4
25 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Conclusion
▪Intel PT and virtualization for feedback fuzzing ▪Fast ▪OS independence (x86-64) ▪Reliable and long-term ▪Fully extensible
▪High bug yield for kernel fuzzing ▪Opportunities for further fuzzing
https://github.com/RUB-SysSec/kAFL
26 kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels