IMF: Inferred Model-based Fuzzer HyungSeok Han Sang Kil Cha KAIST KAIST
[email protected] [email protected] ABSTRACT aim of which is to find kernel vulnerabilities. There are also kernel- Kernel vulnerabilities are critical in security because they naturally level formal verification approaches [29, 30], but all such techniques allow attackers to gain unprivileged root access. Although there has require the source code. been much research on finding kernel vulnerabilities from source The current best practice for finding kernel vulnerabilities on code, there are relatively few research on kernel fuzzing, which is commodity OSes is fuzzing, which involves repeatedly calling an a practical bug finding technique that does not require any source arbitrary sequence of kernel API functions, e.g., system calls, with code. Existing kernel fuzzing techniques involve feeding in random randomly generated parameter values. There are various kernel input values to kernel API functions. However, such a simple ap- fuzzers developed by security experts and practitioners [4, 25, 37, proach does not reveal latent bugs deep in the kernel code, because 40, 53, 57] as well as academic researchers [17, 19, 55], but all of many API functions are dependent on each other, and they can them share the same idea: they call random kernel API functions quickly reject arbitrary parameter values based on their calling with randomly generated parameter values. context. In this paper, we propose a novel fuzzing technique for Unfortunately, all of the existing kernel fuzzers are associated commodity OS kernels that leverages inferred dependence model with a high failure rate in terms of how many API functions can be between API function calls to discover deep kernel bugs.