Razzer: Finding Kernel Race Bugs through Fuzzing

2019 IEEE Symposium on Security and Privacy (SP) Pub Date : 2019-05-01 DOI:10.1109/SP.2019.00017

Dae R. Jeong, Kyungtae Kim, B. Shivakumar, Byoungyoung Lee, I. Shin

{"title":"Razzer: Finding Kernel Race Bugs through Fuzzing","authors":"Dae R. Jeong, Kyungtae Kim, B. Shivakumar, Byoungyoung Lee, I. Shin","doi":"10.1109/SP.2019.00017","DOIUrl":null,"url":null,"abstract":"A data race in a kernel is an important class of bugs, critically impacting the reliability and security of the associated system. As a result of a race, the kernel may become unresponsive. Even worse, an attacker may launch a privilege escalation attack to acquire root privileges. In this paper, we propose Razzer, a tool to find race bugs in kernels. The core of Razzer is in guiding fuzz testing towards potential data race spots in the kernel. Razzer employs two techniques to find races efficiently: a static analysis and a deterministic thread interleaving technique. Using a static analysis, Razzer identifies over-approximated potential data race spots, guiding the fuzzer to search for data races in the kernel more efficiently. Using the deterministic thread interleaving technique implemented at the hypervisor, Razzer tames the non-deterministic behavior of the kernel such that it can deterministically trigger a race. We implemented a prototype of Razzer and ran the latest Linux kernel (from v4.16-rc3 to v4.18-rc3) using Razzer. As a result, Razzer discovered 30 new races in the kernel, with 16 subsequently confirmed and accordingly patched by kernel developers after they were reported.","PeriodicalId":272713,"journal":{"name":"2019 IEEE Symposium on Security and Privacy (SP)","volume":"35 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"126","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.2019.00017","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 126

Abstract

A data race in a kernel is an important class of bugs, critically impacting the reliability and security of the associated system. As a result of a race, the kernel may become unresponsive. Even worse, an attacker may launch a privilege escalation attack to acquire root privileges. In this paper, we propose Razzer, a tool to find race bugs in kernels. The core of Razzer is in guiding fuzz testing towards potential data race spots in the kernel. Razzer employs two techniques to find races efficiently: a static analysis and a deterministic thread interleaving technique. Using a static analysis, Razzer identifies over-approximated potential data race spots, guiding the fuzzer to search for data races in the kernel more efficiently. Using the deterministic thread interleaving technique implemented at the hypervisor, Razzer tames the non-deterministic behavior of the kernel such that it can deterministically trigger a race. We implemented a prototype of Razzer and ran the latest Linux kernel (from v4.16-rc3 to v4.18-rc3) using Razzer. As a result, Razzer discovered 30 new races in the kernel, with 16 subsequently confirmed and accordingly patched by kernel developers after they were reported.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

Razzer:通过模糊测试发现内核竞赛bug

内核中的数据争用是一类重要的bug，严重影响相关系统的可靠性和安全性。由于竞争，内核可能变得无响应。更糟糕的是，攻击者可能发起特权升级攻击以获取根特权。在本文中，我们提出Razzer，一个在内核中查找种族错误的工具。Razzer的核心是引导模糊测试指向内核中潜在的数据竞争点。Razzer采用两种技术来有效地查找竞赛:静态分析和确定性线程交错技术。使用静态分析，Razzer识别过度近似的潜在数据竞争点，指导fuzzer更有效地在内核中搜索数据竞争。使用在管理程序中实现的确定性线程交错技术，Razzer控制内核的非确定性行为，从而可以确定地触发竞争。我们实现了Razzer的原型，并使用Razzer运行了最新的Linux内核(从v4.16-rc3到v4.18-rc3)。结果，Razzer在内核中发现了30个新的赛跑，其中16个在报告后被内核开发人员确认并相应地修补。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

2019 IEEE Symposium on Security and Privacy (SP)

自引率

0.00%

发文量