Hackers of India

DIFUZZING ANDROID KERNEL DRIVERS

By Aravind Machiry, Chris Salls, Yan Shoshitaishvili, Jake Corina, Shuang Hao on 06 Dec 2017 @ Blackhat

This talk covers the following tools that the speakers have contributed to or authored:
DIFUZE


Abstract

As the rest of the Android security infrastructure improves, the Android/Linux kernel is well on its way to becoming the “weakest link,” being responsible for a higher and higher fraction of vulnerabilities [1]. Most of these vulnerabilities are in kernel driver code, as this driver code is often maintained by third parties and gets less scrutiny than the kernel itself.

Specifically, most of these bugs are in driver ioctl functions [2]. Despite significant advances in automatic analysis of kernel code, current state-of-the-art tools like Syzkaller [3] and trinity [4] fail to find these bugs. This is because ioctls do not have a standard interface: each ioctl for each driver expects different commands and data structures. The amount of manual effort required to bridge this “interface gap” for Syzkaller and trinity has hampered efforts to find, pwn, and fix these issues.

The problem needed to be fixed, and so we created DIFUZE, a lightweight (yet powerful), Python-based, interface-aware fuzzing framework for driver ioctls. DIFUZE uses a novel combination of static analysis techniques (using LLVM) to extract the structure of the ioctls' argument data from the GPL-mandated headers of kernel drivers, and uses this information to effectively fuzz drivers on the target device.

We will publish the scientific details behind DIFUZE at the ACM Conference on Computer and Communication Security (CCS), one of the premier venues in the scientific security community.

DIFUZE works. We found 32 zero-days in seven modern Android phones, including the Google Pixel XL. We are certain that more bugs are lurking in more phones, so we are open-sourcing the end-to-end automated tool for the public good. DIFUZE is completely automated – just give it kernel.tar.gz, wait, and collect the 0days.

Happy hunting.

[1] https://source.android.com/security/bulletin/
[2] Jeffrey Vander Stoep. 2016. Android: protecting the kernel. In Linux Security Summit. Linux Foundation.
[3] Google. 2017. syzkaller: Linux syscall fuzzer.
[4] Dave Jones. 2011. Trinity: A system call fuzzer. In Proceedings of the 13th Ottawa Linux Symposium.

AI Generated Summary (may contain errors)

Here is a summary of the discussion:

The conversation revolves around a project that analyzes the Linux kernel source code in order to fuzz device drivers. The speakers explain that they use the entire source code tree. A specific question arises about how they handle recursive structures with pointers to other structures in their analysis: they limit recursion to one level deep and set the next recursive field to null if it exceeds that.

Another question is asked about whether they use the actual code or just the preprocessor output. The speakers explain that parsing C code can be challenging, and that using the preprocessor and LLVM makes it easier.

Someone mentions a Python package called “ctypesgen” that generates Python structures from C structures, similar to what the project does. However, the speakers are not familiar with it.

A suggestion is made about using static code analysis to feed their fuzzer with code paths triggered by specific inputs. The speaker acknowledges this as a possibility but notes they haven’t explored it yet.

Finally, someone recommends using the Eclipse CDT project, which provides abstract syntax trees for C code and allows searching by structures. This could potentially make their lives easier compared to using Clang.
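An added illustration of the interface-aware idea from the abstract and of the recursion limit described in the Q&A summary above; this is example code written for this page, not DIFUZE's own code or anything from the talk. It pulls struct layouts out of a constructed driver header with a regex (DIFUZE does this with LLVM over the real kernel tree), builds a well-formed ioctl argument whose self-referential pointer is followed one level and then nulled, and mirrors the kernel's _IOC() encoding so the command number matches the driver's definition. The "kdev" driver, its header and the base address are all constructed for the example.

```python
import random, re, struct
# Linux ioctl number layout (asm-generic/ioctl.h): nr:8 | type:8 | size:14 | dir:2
_IOC_TYPESHIFT, _IOC_SIZESHIFT, _IOC_DIRSHIFT = 8, 16, 30
IOC_NONE, IOC_WRITE, IOC_READ = 0, 1, 2

def ioc(direction, typ, nr, size):
    """Mirror the kernel's _IOC() macro; the fuzzer must issue the exact command value."""
    return (direction << _IOC_DIRSHIFT) | (ord(typ) << _IOC_TYPESHIFT) | (size << _IOC_SIZESHIFT) | nr
# Constructed toy header for a hypothetical driver "kdev"; not from any real kernel tree.
SAMPLE_HEADER = """
struct kdev_node { int kind; unsigned int flags; struct kdev_node *next; };
#define KDEV_SET_NODE _IOW('k', 1, struct kdev_node)
"""
SCALARS = {"int": "i", "unsigned int": "I", "char": "b", "long": "q", "unsigned long": "Q"}
STRUCT_RE = re.compile(r"struct\s+(\w+)\s*\{([^}]*)\}")
FIELD_RE = re.compile(r"\s*(struct\s+\w+\s*\*|[\w ]+?)\s*(\w+)\s*;")  # struct pointers or scalars

def parse_structs(header):
    """{struct name: [(C type, field name), ...]} for every struct defined in the header."""
    return {name: [(t.strip(), f) for t, f in FIELD_RE.findall(body)]
            for name, body in STRUCT_RE.findall(header)}
def struct_fmt(structs, name):
    """struct-module format with native alignment and padding; 'P' is a native pointer."""
    return "@" + "".join("P" if t.endswith("*") else SCALARS[t] for t, _ in structs[name])
def fuzz_instance(structs, name, rng, depth=0, max_depth=1):
    """Random nested-dict instance; struct pointers are followed only to max_depth, then set to None (NULL)."""
    node = {}
    for ftype, fname in structs[name]:
        if ftype.endswith("*"):
            node[fname] = None if depth >= max_depth else fuzz_instance(structs, ftype.split()[1], rng, depth + 1, max_depth)
        else:
            bits = 8 * struct.calcsize(SCALARS[ftype])
            raw = rng.choice([0, (1 << bits) - 1, rng.getrandbits(bits)])  # boundary values plus random
            node[fname] = raw if SCALARS[ftype].isupper() else raw - (1 << (bits - 1))
    return node

def pack(structs, name, inst, base=0x7f0000000000):
    """One buffer for the whole tree; each pointer field becomes base + offset of its child (copy to `base` before the ioctl)."""
    blobs = []
    def emit(sname, node):
        fmt, off = struct_fmt(structs, sname), sum(len(b) for b in blobs)
        blobs.append(b"\0" * struct.calcsize(fmt))  # reserve the parent before its children
        slot, vals = len(blobs) - 1, []
        for ftype, fname in structs[sname]:
            v = node[fname]
            vals.append((0 if v is None else base + emit(ftype.split()[1], v)) if ftype.endswith("*") else v)
        blobs[slot] = struct.pack(fmt, *vals)
        return off
    emit(name, inst)
    return b"".join(blobs)
```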