A Hybrid Interface Recovery Method for Android Kernels Fuzzing335

A Hybrid Interface Recovery Method for Android Kernels Fuzzing335

2020 IEEE 20th International Conference on Software Quality, Reliability and Security (QRS) A Hybrid Interface Recovery Method for Android Kernels Fuzzing Shuaibing Lu, Xiaohui Kuang, Yuanping Nie, Zhechao Lin National Key Laboratory of Science and Technology on Information System Security, Beijing, 100101, China [email protected], xiaohui [email protected], [email protected], [email protected] Abstract—Android kernel fuzzing is a research area of interest considered on two levels: userspace application and kernel. specifically for detecting kernel vulnerabilities which may allow Kernel vulnerabilities threaten operation systems and user attackers to obtain the root privilege. The number of Android applications. The kernel of the Android operating system is mobile phones is increasing rapidly with the explosive growth of Android kernel drivers. Interface aware fuzzing is an effective relatively vulnerable to attack, despite available protections technique to test the security of kernel driver. Existing researches [2]. rely on static analysis with kernel source code. However, in Fuzzing is a well-known technique that is used for security fact, there exist millions of Android mobile phones without testing by generating massive, specially designed inputs to public accessible source code. In this paper, we propose a hybrid the target programs. However, with the Android operating interface recovery method for fuzzing kernels which can recover kernel driver interface no matter the source code is available system becoming more and more complex, kernel interface or not. In white box condition, we employ a dynamic interface arguments are diverse. Without prior knowledge of argument recover method that can automatically and completely identify structures, it is difficult for fuzzing tools to find kernel the interface knowledge. In black box condition, we use reverse vulnerabilities. Some researches [3], [4] have been done in engineering to extract the key interface information and use order to reduce the random space and allow fuzzing tools similarity computation to infer argument types. We evaluate our hybrid algorithm on on 12 Android smartphones from 9 to make meaningful choices when mutating the data. Corina vendors. Empirical experimental results show that our method et al. [5] proposed Difuze, a kernel interface-aware fuzzing can effectively recover interface argument lists and find Android tool used for automatically generating valid inputs and trigger kernel bugs. In total, 31 vulnerabilities are reported in white the execution of the kernel drivers. Difuze implements an and black box conditions. The vulnerabilities were responsibly automatic kernel interface recovery tool and identifies kernel disclosed to affected vendors and 9 of the reported vulnerabilities have been already assigned CVEs. bugs in real phones. However, these approaches rely on the static analysis of the Android kernel source code. Android Index Terms —IoT security, kernel fuzzing, interface recovery, products must be open-sourced according to the GNU General Android security Public License [6]. However, in fact, researchers cannot always find the custom kernel code for some Android mobile phones. I. INTRODUCTION For example, when a) some manufacturers do not provide all Recently, “smart” products such as smart phones, watches the device source codes for some reason, like OPPO, one of and TVs, perform a significant role in people’s lives. Android the top five Android smartphone manufacturers in sales [1]; powered products have been in a dominant position among b) the Android kernel has many versions, it is not easy to all smart phones. According to an IDC investigation, in 2019, find the corresponding version, especially for small-volume smartphone companies shipped a total of 1.382 billion phones manufacturers; c) there may be a time delay between the and Android phones capture roughly 86.6% of the worldwide release date of the product and the date of the publication smartphone volume [1]. Android equipment provides rich of the source codes; and d) the language barrier makes source functionality to satisfy the needs of consumers. Users can code retrieval difficult. It is necessary to develop an Android communicate with their friends using text, audio and video. kernel interface reconstruction algorithm in the black box They can also query their friends’ locations, navigate to condition. Fuzzing an Android kernel without source code destination, record their individual health data and even pay (black box) can be beneficial, as follows: bills using Android mobile phones. Android mobile phones 1. Improvement of fuzzing generalization: Without the influence all aspects of people’s lives. Therefore, the security kernel source code, the fuzzing relies on fewer input which features of Android mobile phones are of great importance. enables fuzzing to work in very restricted conditions. If attackers invade an Android mobile phone, they are not 2. A broadening of the scope of safety testing: Millions of only able to steal user’s private information but they also users are using Android products that are not open source or endanger the user’s identity and property safety. On a social for which it is difficult to find the source code. Proposing a level, Android operating system vulnerabilities can threaten black box fuzzing tool can help to improve the scope of the the safety of public facilities and commercial trade. fuzzing test. Android security analysis has become a key area of interest 3. Ease of operation for safety testers: Analyzing the kernel in both industry and academia. Android security can be requires testers with professional background knowledge. A 978-1-7281-8913-0/20/$31.00 ©2020 IEEE 335 DOI 10.1109/QRS51102.2020.00052 black box condition fuzzing tool makes it easy for beginners state settings. For example, the operation of the microphone to test the Android mobile phones. modification sampling frequency cannot be done by using In this paper, we introduce a hybrid kernel interface-aware regular read and write operations. In the user space program, fuzzing framework for Android drivers that can effectively the ioctl system call is invoked by using the file descriptor, fuzz Android mobile phones with source codes (white box the command identifier, and the required data structure as conditions) and without source code (black box conditions). the parameters. In the kernel, the corresponding driver ioctl We open sourced our work on Github1. handler function is invoked according to the file descriptor. We have designed several experiments to evaluate the pro- The ioctl handler function executes corresponding operations posed fuzzing method. We first analyze the kernel interface according to the command identifier and processes data from recovery results in both white and black box conditions. In the incoming user space. In the Linux system, the directory the white box conditions, compared with other state-of-the-art path /dev stores the device files, and each device file algorithms, our method can recover the interface information corresponds to the ioctl processing function. The complexity more automatically and faster. and diversity make the ioctl system call more vulnerable and In summary, our work makes the following contributions to challenge valid sample generating as well. In this paper, we the field: attempt to recover the values and types of ioctl arguments in Fast and automatic interface recovery in white box order to guide the deep fuzzing test. conditions. Interface recovery is the key component of kernel interface-aware fuzzing. We propose a dwarf-based interface B. Kernel Fuzzing recovery method that can quickly and automatically rebuild the interface parameters in white box conditions. The proposed The kernels of modern operating systems are relatively interface recovery technique is more automated and obtain vulnerable to attacks, despite the available protection. The faster results [5]. Android kernel fuzzing test in particular has attracted a great The interface structure inference in black box condi- deal of research attention due to the urgent need for kernel tions. Without the Android kernel source code, we propose security. It is practical for fuzzing interface or system calls a binary reverse engineering method to extract the interface to test the operating system kernel. Most drivers use ioctl structure information and employ a similarity calculation functions, forming a POSIX standard, to communicate with method to obtain interface inference. The proposed method the user space. Ioctl fuzzing requires specific command values can effectively generate accurate testing samples for a deep and data formats generated by users. It is necessary to identify fuzzing test. valid command values and their associated data structures Fuzzing Android kernel drivers in both white and black in ioctl fuzzing. Previous researches have been proposed for box conditions. We introduce a hybrid method to facilitate the Windows kernels: Iofuzz [7], ioattack [8], ioctlbf [9] and interface-aware fuzzing test of Android mobile phones in both ioctlfuzzer [10]. Some works [11], [12] introduce fuzzing white and black box conditions. We found 13 vulnerabilities method for Mac OS kernels. For Linux kernels, the well- in the mobile phones with source codes and 15 in the mobile known linux syscall fuzzing tools are Trinity [13] and syzkaller phones without source codes in a real Android mobile phone [14]. These are reported to perform badly when fuzzing the security test. With the

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    12 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us