Hackers of India

Unleashing D* on Android Kernel Drivers

 Aravind Machiry 

2018/03/01


Abstract

First, we present DR.CHECKER, which is able to overcome many of the inherent limitations of static analysis by scoping our analysis to only the most bug-prone parts of the kernel (i.e., the drivers), and by only sacrificing soundness in very few cases to ensure that our technique is both scalable and precise. DR.CHECKER is a fully automated static analysis tool capable of performing general bug finding using both pointer and taint analyses that are flow-sensitive, context-sensitive, and field-sensitive on kernel drivers. To demonstrate the scalability and efficacy of DR.CHECKER, we analyzed the drivers of nine production Linux kernels (3.1 million LOC), where it correctly identified 158 critical zero-day bugs with an overall precision of 78%. Next, we present DIFUZE, an interface-aware fuzzing tool to automatically generate valid inputs and trigger the execution of the kernel drivers. We leverage similar static analysis to compose correctly structured input in userspace to explore kernel drivers. DIFUZE is fully automatic, ranging from identifying driver handlers, to mapping to device file names, to constructing complex argument instances. We evaluate our approach on seven modern Android smartphones. The results show that DIFUZE can effectively identify kernel driver bugs, and reports 32 previously unknown vulnerabilities, including flaws that lead to arbitrary code execution.