As the rest of the Android security infrastructure improves, the Android/Linux kernel is well on its way to becoming the “weakest link,” being responsible for a higher and higher fraction of vulnerabilities [1]. Most of these vulnerabilities are in kernel driver code, as this driver code is often maintained by third parties and gets less scrutiny than the kernel itself.
Specifically, most of these bugs are in driver ioctl functions [2]. Despite significant advances in automatic analysis of kernel code, current state-of-the-art tools like Syzkaller [3] and trinity [4] fail to find these bugs. This is because ioctls do not have a standard interface, and each ioctl for each driver expects different commands and data structures. The amount of manual effort required to bridge this “interface gap” for Syzkaller and trinity has hampered efforts to find, pwn, and fix these issues.
The problem needed to be fixed, and so we created DIFUZE, a lightweight (yet powerful), Python-based interface-aware fuzzing framework for driver ioctls. DIFUZE uses a novel combination of static analysis techniques (using LLVM) to extract the structure of the ioctls' argument data from the GPL-mandated headers of kernel drivers, and uses this information to effectively fuzz drivers on the target device.
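To make the "interface gap" concrete, here is an added example that is not DIFUZE's own code: DIFUZE recovers this information with LLVM over the driver sources, whereas the script below is a much simpler regex reader over a constructed UAPI header for a hypothetical "foo" driver. It resolves the `_IO`/`_IOR`/`_IOW`/`_IOWR` macros to the exact request number the driver switches on, computes `sizeof` of the argument type with natural C alignment (LP64 sizes assumed), and can decode a raw request number back into direction, type, nr and size, which is what a triager needs when a crash log only shows the number. The header, struct and ioctl names are all constructed for the example.

```python
"""Recover a driver's ioctl interface from its UAPI header (added example).

Stands in for DIFUZE's LLVM-based extraction with a regex reader; the
header below is constructed for a hypothetical driver, not a real one.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Linux ioctl request encoding (include/uapi/asm-generic/ioctl.h):
# bits 0-7 nr, 8-15 type ("magic"), 16-29 argument size, 30-31 direction.
IOC_NRSHIFT, IOC_TYPESHIFT, IOC_SIZESHIFT, IOC_DIRSHIFT = 0, 8, 16, 30
IOC_NONE, IOC_WRITE, IOC_READ = 0, 1, 2
MACRO_DIR = {"_IO": IOC_NONE, "_IOW": IOC_WRITE,
             "_IOR": IOC_READ, "_IOWR": IOC_WRITE | IOC_READ}

# Size (== alignment) of primitive C types on an LP64 target (assumption).
PRIMITIVES = {"char": 1, "__u8": 1, "uint8_t": 1, "__u16": 2, "uint16_t": 2,
              "int": 4, "unsigned int": 4, "__u32": 4, "uint32_t": 4,
              "long": 8, "unsigned long": 8, "__u64": 8, "uint64_t": 8}
POINTER_SIZE = 8

STRUCT_RE = re.compile(r"struct\s+(\w+)\s*\{([^}]*)\}\s*;", re.S)
FIELD_RE = re.compile(r"^\s*([\w ]+?)\s*(\*?)\s*(\w+)(?:\[(\d+)\])?\s*;", re.M)
DEFINE_RE = re.compile(r"^\s*#define\s+(\w+)\s+(.+?)\s*$", re.M)
IOCTL_RE = re.compile(
    r"(_IOWR|_IOR|_IOW|_IO)\s*\(\s*([^,]+?)\s*,\s*([^,)]+?)\s*(?:,\s*(.+?))?\s*\)")

# Constructed header for a hypothetical "foo" driver (not a real driver).
SAMPLE_HEADER = """
#define FOO_MAGIC 'f'

struct foo_cfg {
    uint32_t flags;
    uint64_t addr;       /* aligned to 8: four bytes of padding before it */
    uint8_t  key[6];     /* followed by tail padding to a multiple of 8 */
};

#define FOO_RESET   _IO(FOO_MAGIC, 0)
#define FOO_SET_CFG _IOW(FOO_MAGIC, 1, struct foo_cfg)
#define FOO_GET_CFG _IOR(FOO_MAGIC, 2, struct foo_cfg)
#define FOO_XFER    _IOWR(FOO_MAGIC, 3, int)
"""


@dataclass(frozen=True)
class IoctlCmd:
    name: str
    cmd: int        # encoded request number as passed to ioctl(2)
    direction: int  # IOC_NONE / IOC_WRITE / IOC_READ / both
    arg_type: str   # C type of the argument, "" for _IO
    arg_size: int   # sizeof(arg_type): what the driver copies from/to user


class HeaderInterface:
    def __init__(self, header: str):
        # struct name -> [(field type, is_pointer, element count), ...]
        self.structs: Dict[str, List[Tuple[str, bool, int]]] = {
            name: [(t.strip(), star == "*", int(n or 1))
                   for t, star, _, n in FIELD_RE.findall(body)]
            for name, body in STRUCT_RE.findall(header)}
        self.macros: Dict[str, str] = dict(DEFINE_RE.findall(header))

    def type_size(self, ctype: str, is_ptr: bool = False) -> Tuple[int, int]:
        """Return (size, alignment) of a C type using natural alignment."""
        if is_ptr:
            return POINTER_SIZE, POINTER_SIZE
        if ctype in PRIMITIVES:
            return PRIMITIVES[ctype], PRIMITIVES[ctype]
        if ctype.startswith("struct "):
            offset, align = 0, 1
            for ftype, fptr, count in self.structs[ctype.split()[1]]:
                fsize, falign = self.type_size(ftype, fptr)
                offset = -(-offset // falign) * falign + fsize * count  # pad, place
                align = max(align, falign)
            return -(-offset // align) * align, align  # tail padding
        raise KeyError(f"unknown C type {ctype!r}")

    def value(self, token: str) -> int:
        """Resolve a macro name, character literal or integer literal."""
        token = token.strip()
        if token.startswith("'"):
            return ord(token[1])
        if token in self.macros:
            return self.value(self.macros[token])
        return int(token, 0)

    def ioctls(self) -> Dict[str, IoctlCmd]:
        """Every #define whose right-hand side is an _IO* macro, fully encoded."""
        found: Dict[str, IoctlCmd] = {}
        for name, rhs in self.macros.items():
            m = IOCTL_RE.fullmatch(rhs)
            if not m:
                continue
            macro, typ, nr, arg = m.groups()
            arg = (arg or "").strip()
            size = self.type_size(arg)[0] if arg else 0
            cmd = ((MACRO_DIR[macro] << IOC_DIRSHIFT) | (size << IOC_SIZESHIFT)
                   | (self.value(typ) << IOC_TYPESHIFT) | (self.value(nr) << IOC_NRSHIFT))
            found[name] = IoctlCmd(name, cmd, MACRO_DIR[macro], arg, size)
        return found


def decode_cmd(cmd: int) -> Tuple[int, int, int, int]:
    """Split an encoded request number into (dir, type, nr, size)."""
    return ((cmd >> IOC_DIRSHIFT) & 0x3, (cmd >> IOC_TYPESHIFT) & 0xFF,
            (cmd >> IOC_NRSHIFT) & 0xFF, (cmd >> IOC_SIZESHIFT) & 0x3FFF)


if __name__ == "__main__":
    for c in HeaderInterface(SAMPLE_HEADER).ioctls().values():
        print(f"{c.name:<12} 0x{c.cmd:08x} dir={c.direction} "
              f"arg={c.arg_type or '-'} size={c.arg_size}")
```

Note that the size field is part of the request number: a driver's `switch (cmd)` only matches if the fuzzer supplies exactly `sizeof(struct foo_cfg)` with the right padding, which is why a tool that does not know the argument layout never reaches the handler code at all.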
We will publish the scientific details behind DIFUZE at the ACM Conference on Computer and Communication Security (CCS), one of the premier venues in the scientific security community.
DIFUZE works. We found 32 zero-days in seven modern Android phones including the Google Pixel XL. We are certain that more bugs are lurking in more phones, so we are open-sourcing the end-to-end automated tool for the public good. DIFUZE is completely automated – just give it kernel.tar.gz, wait, and collect the 0days.
1. Android Security Bulletins. https://source.android.com/security/bulletin/
2. Jeffrey Vander Stoep. 2016. Android: protecting the kernel. In Linux Security Summit. Linux Foundation.
3. Google. 2017. syzkaller: Linux syscall fuzzer.
4. Dave Jones. 2011. Trinity: A system call fuzzer. In Proceedings of the 13th Ottawa Linux Symposium.