Unleashing D* on Android Kernel Drivers

By Aravind Machiry on 01 Mar 2018 @ Nullcon
#android #fuzzing #red-teaming #security-assessment #blueteam #purpleteam
Focus Areas: 🛡️ Security Operations & Defense , 📱 Mobile Security , 🎯 Penetration Testing , 🔍 Vulnerability Management
This talk covers the following tools, which the speaker has authored or contributed to:
DR_CHECKER, DIFUZE


Abstract

First, we present DR.CHECKER, which is able to overcome many of the inherent limitations of static analysis by scoping our analysis to only the most bug-prone parts of the kernel (i.e., the drivers), and by only sacrificing soundness in very few cases to ensure that the technique is both scalable and precise. DR.CHECKER is a fully automated static analysis tool capable of performing general bug finding using both pointer and taint analyses that are flow-sensitive, context-sensitive, and field-sensitive on kernel drivers. To demonstrate the scalability and efficacy of DR.CHECKER, we analyzed the drivers of nine production Linux kernels (3.1 million LOC), where it correctly identified 158 critical zero-day bugs with an overall precision of 78%.

Next, we present DIFUZE, an interface-aware fuzzing tool to automatically generate valid inputs and trigger the execution of the kernel drivers. We leverage similar static analysis to compose correctly structured input in userspace to explore kernel drivers. DIFUZE is fully automatic, ranging from identifying driver handlers, to mapping them to device file names, to constructing complex argument instances. We evaluate our approach on seven modern Android smartphones. The results show that DIFUZE can effectively identify kernel driver bugs, and reports 32 previously unknown vulnerabilities, including flaws that lead to arbitrary code execution.

AI Generated Summary

This talk addresses the high prevalence of security vulnerabilities in Android kernel drivers, which account for 85% of kernel bugs and are valuable targets for exploitation. The speaker presents two specialized tools: DR.CHECKER, a static analysis framework, and DIFUZE, an interface-aware fuzzing engine, both designed to overcome the limitations of general-purpose vulnerability detectors when applied to driver code.

DR.CHECKER employs context-sensitive taint tracking and pointer analysis tailored to the small, separable codebase of kernel drivers. It uses a simplified traversal that bounds loop analysis and treats kernel-internal functions as safe, which reduces false positives, a common problem with general-purpose tools such as Cppcheck or Flawfinder. Its web-based UI presents each warning with a traceable path, aiding analyst triage. DIFUZE tackles the challenge of fuzzing drivers, whose ioctl interfaces require highly structured, interdependent inputs. It automatically extracts interface specifications (command numbers, parameter structures, and their constraints) from the driver source code. This specification guides the generation of valid binary inputs, enabling effective on-device fuzzing via an ADB-connected client that captures kernel panics.

Evaluation of both tools across multiple vendor kernels and devices (including Qualcomm, MediaTek, and Google Pixel) yielded numerous CVEs. DR.CHECKER found approximately 150 issues (158 per the abstract), including format string and off-by-one errors. DIFUZE discovered 36 bugs in the talk's count (the abstract reports 32 previously unknown vulnerabilities), including arbitrary read/write primitives and null dereferences, many located deep within conditional logic that an unconstrained fuzzer such as AFL would likely miss. Both tools are open-source and automated, requiring only the kernel source (and, for DIFUZE, a connected device). The work demonstrates that domain-specific static and dynamic analysis, leveraging driver characteristics such as small size and open-source availability, can systematically uncover high-severity vulnerabilities in a critical attack surface.
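The contrast the summary draws between interface-aware and unconstrained input generation, shown as an added example that is not DIFUZE's code or the speaker's: a toy ioctl handler for a hypothetical "demo" device hides a missing length check behind a command-number check, a magic-constant check and a sub-command switch, and two generators are run against it. The names demo_ioctl, iface_spec, run_campaign and DEMO_MAGIC, the ioctl-number encoding and the request layout are all assumptions made for this example; the real DIFUZE recovers the specification from driver source by static analysis and drives the real ioctl(2) on the device over ADB, neither of which this stand-alone user-space program does. The overflow is reported (as KASAN would) rather than performed.

```c
/* Added example: interface-aware vs. unconstrained input generation against a
 * toy ioctl handler.  Models the idea behind DIFUZE; it is not DIFUZE's code.
 * The "driver" is a user-space stand-in for a hypothetical "demo" device, and
 * the out-of-bounds write is reported instead of performed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ioctl-style request number: type byte, command number and argument size
 * packed together (assumed layout, sufficient for the toy). */
#define DEMO_IOC(type, nr, size) (((unsigned)(type) << 8) | (nr) | ((unsigned)(size) << 16))
#define DEMO_MAGIC 0xC0DEC0DEu

struct demo_req {            /* argument structure a real driver would copy_from_user() */
    uint32_t magic;          /* must equal DEMO_MAGIC or the handler bails out */
    uint32_t op;             /* sub-command, valid range 0..3 */
    uint32_t len;            /* number of payload bytes the handler will copy */
    uint8_t  payload[64];
};
#define DEMO_IOC_SUBMIT DEMO_IOC('D', 3, sizeof(struct demo_req))

enum { RET_OK = 0, RET_EINVAL = -22, RET_BUG = -1000 };  /* RET_BUG: sanitizer-style oracle */

/* Toy handler.  The bug is reachable only after the command number and the
 * magic constant match, and then only for op == 3, where len is unchecked. */
static int demo_ioctl(unsigned int cmd, const void *arg, size_t arg_len)
{
    struct demo_req req;
    uint8_t kbuf[32];
    if (cmd != DEMO_IOC_SUBMIT || arg_len != sizeof req)
        return RET_EINVAL;
    memcpy(&req, arg, sizeof req);          /* stands in for copy_from_user() */
    if (req.magic != DEMO_MAGIC)
        return RET_EINVAL;
    switch (req.op) {
    case 0: case 1: case 2:
        return RET_OK;
    case 3:
        /* The driver forgot "if (req.len > sizeof kbuf) return -EINVAL;".
         * A real driver would overflow kbuf here; we report instead. */
        if (req.len > sizeof kbuf)
            return RET_BUG;
        memcpy(kbuf, req.payload, req.len);
        return RET_OK;
    default:
        return RET_EINVAL;
    }
}

/* What an interface-aware fuzzer recovers from source: the accepted ioctl
 * number, the argument type and constant constraints on its fields.
 * Hand-written here for the toy driver. */
struct iface_spec {
    unsigned int cmd;
    size_t arg_size;
    uint32_t magic;      /* constant compared against req.magic */
    uint32_t op_count;   /* number of switch arms on req.op */
};
static const struct iface_spec demo_spec = { DEMO_IOC_SUBMIT, sizeof(struct demo_req), DEMO_MAGIC, 4 };

/* Deterministic PRNG so campaigns are reproducible. */
static uint32_t xorshift32(uint32_t *s) { *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5; return *s; }

/* Structured generation: honour the spec, randomise everything else. */
static void gen_structured(const struct iface_spec *sp, uint32_t *rng, unsigned *cmd, struct demo_req *r)
{
    *cmd = sp->cmd;
    r->magic = sp->magic;
    r->op = xorshift32(rng) % sp->op_count;
    r->len = xorshift32(rng);
    for (size_t i = 0; i < sizeof r->payload; i++) r->payload[i] = (uint8_t)xorshift32(rng);
}

/* Unconstrained generation: random command number and random bytes. */
static void gen_random(uint32_t *rng, unsigned *cmd, struct demo_req *r)
{
    uint8_t *p = (uint8_t *)r;
    *cmd = xorshift32(rng);
    for (size_t i = 0; i < sizeof *r; i++) p[i] = (uint8_t)xorshift32(rng);
}

/* Run `iters` requests with one strategy; return how many reached the bug. */
int run_campaign(int structured, int iters, uint32_t seed)
{
    uint32_t rng = seed ? seed : 1;
    int hits = 0;
    for (int i = 0; i < iters; i++) {
        unsigned cmd; struct demo_req r;
        if (structured) gen_structured(&demo_spec, &rng, &cmd, &r);
        else            gen_random(&rng, &cmd, &r);
        if (demo_ioctl(cmd, &r, sizeof r) == RET_BUG) hits++;
    }
    return hits;
}

/* Build one well-formed request by hand and return the handler's verdict. */
int handler_result(uint32_t op, uint32_t len)
{
    struct demo_req r;
    memset(&r, 0, sizeof r);
    r.magic = DEMO_MAGIC; r.op = op; r.len = len;
    return demo_ioctl(DEMO_IOC_SUBMIT, &r, sizeof r);
}

int main(void)
{
    printf("structured: %d hits / 1000\n", run_campaign(1, 1000, 0x1234));
    printf("random:     %d hits / 1000\n", run_campaign(0, 1000, 0x1234));
    return 0;
}
```

With the spec in hand, roughly one request in four lands on the unchecked memcpy (op == 3 with a large len); without it, a random 32-bit command number and a random 32-bit magic each have to match by chance, so the unconstrained campaign never gets past the first two checks. That is the whole argument for recovering the interface before fuzzing: the checks a driver performs on its argument are cheap for the driver and astronomically expensive for a blind generator.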

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.