Hao Sun
Ph.D. student, supervised by Prof. Zhendong Su
Advanced Software Technologies (AST) Lab
Department of Computer Science
ETH Zurich

Email: hao.sun#inf.ethz.ch
CNB H 103.2, Universitätstrasse 6, 8092 Zürich, Switzerland

I’m a system security researcher at ETH Zurich, focusing on operating system kernels, with an emphasis on Linux. The fundamental goal of my research is to improve the correctness of OS kernels, one of the most complicated software, via finding and eliminating the bugs with the approaches called fuzz testing and symbolic execution.

I designed and implemented a kernel fuzzer called Healer, which is open-sourced and has found more than 100 bugs in Linux. This work was accepted by SOSP ‘21. My recent work KSG, a kernel specification generator, has led to the discovery of 23 bugs in Linux and was accepted by ATC ‘22. Besides, I’m also interested in system works and the idea of redesigning the software stack with current security and privacy concerns in mind is fascinating to me.

news

Jul 6, 2022	Tardis, a coverage-guided Embedded OS fuzzer, is accepted by EMSOFT ‘22.
May 20, 2022	Will be working as a RA at City University of Hong Kong for 6 months.
Apr 30, 2022	KSG, a kernel specification generator, is accepted to ATC ‘22.
Aug 7, 2021	Healer, a kernel fuzzer written in rust, is accepted to SOSP ‘21.

Selected pubs

ATC ’22
KSG: Augmenting Kernel Fuzzing with System Call Specification Generation

Hao, Sun, Yuheng, Shen, Jianzhong, Liu, Yiru, Xu, and Yu, Jiang

In 2022 USENIX Annual Technical Conference (USENIX ATC 22) Jul 2022

Abs Bib PDF Slides

Kernel fuzzing is a dynamic testing technique that has successfully found numerous kernel vulnerabilities. However, existing kernel fuzzers, such as Syzkaller, depend on system call specifications to generate test cases. Writing such specifications requires an immense amount of domain knowledge while being extremely laborious. Meanwhile, automated generation of the specification is still an open problem due to the complexity of the kernel, including entry function extraction and input type identification. As a result, the current amount of system call information is insufficient to test the entire kernel code base thoroughly. Syzkaller covers an average of 38% of Linux kernel code with current Syzlang specifications for a prolonged time of fuzzing. In this paper, we propose KSG to generate system call specifications for kernel fuzzers automatically. First, it utilizes probe-based tracing to extract entry functions accurately. Then, it uses path-sensitive analysis to collect precise input types and range constraints in each execution path of entry functions. Based on the aforementioned information, KSG generates specifications in the domain language Syzlang, which is used by most kernel fuzzers. We evaluated KSG on several versions of the Linux kernel. It automatically generated 2433 unique specifications. Leveraging the newly generated specifications, Syzkaller and Moonshine achieved coverage improvements of 22% and 23% respectively. Furthermore, our approach assisted fuzzers to discover 26 previously unknown bugs, where 13 and 6 bugs were fixed and assigned with CVEs, respectively.
@inproceedings{KSG, author = {Hao, Sun and Yuheng, Shen and Jianzhong, Liu and Yiru, Xu and Yu, Jiang}, title = {{KSG}: Augmenting Kernel Fuzzing with System Call Specification Generation}, booktitle = {2022 USENIX Annual Technical Conference (USENIX ATC 22)}, year = {2022}, isbn = {978-1-939133-29-20}, address = {Carlsbad, CA}, pages = {351--366}, url = {https://www.usenix.org/conference/atc22/presentation/sun}, publisher = {USENIX Association}, month = jul, }
SOSP ’21
HEALER: Relation Learning Guided Kernel Fuzzing

Hao, Sun, Yuheng, Shen, Cong, Wang, Jianzhong, Liu, Yu, Jiang, Ting, Chen, and Aiguo, Cui

In Proceedings of the ACM SIGOPS 28th Symposium on Operating Systems Principles Jul 2021

Abs Bib PDF Code Poster Slides

Modern operating system kernels are too complex to be free of bugs. Fuzzing is a promising approach for vulnerability detection and has been applied to kernel testing. However, existing work does not consider the influence relations between system calls when generating and mutating inputs, resulting in difficulties when trying to reach into the kernel’s deeper logic effectively.In this paper, we propose HEALER, a kernel fuzzer that improves fuzzing’s effectiveness by utilizing system call relation learning. HEALER learns the influence relations between system calls by dynamically analyzing minimized test cases. Then, HEALER utilizes the learned relations to guide input generation and mutation, which improves the quality of test cases and the effectiveness of fuzzing. We implemented HEALER and evaluated its performance on recent versions of the Linux kernel. Compared to state-of-the-art kernel fuzzers such as Syzkaller and Moonshine, HEALER improves branch coverage by 28% and 21%, while achieving a speedup of 2.2x and 1.8x, respectively. In addition, HEALER detected 218 vulnerabilities, 33 of which are previously unknown and have been confirmed by the corresponding kernel maintainers.
@inproceedings{Healer, author = {Hao, Sun and Yuheng, Shen and Cong, Wang and Jianzhong, Liu and Yu, Jiang and Ting, Chen and Aiguo, Cui}, title = {HEALER: Relation Learning Guided Kernel Fuzzing}, year = {2021}, isbn = {9781450387095}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/3477132.3483547}, doi = {10.1145/3477132.3483547}, booktitle = {Proceedings of the ACM SIGOPS 28th Symposium on Operating Systems Principles}, pages = {344--358}, numpages = {15}, keywords = {System Call Relation Learning, Kernel Fuzzing}, location = {Virtual Event, Germany}, series = {SOSP '21}, }
EMSOFT ’21
Rtkaller: State-Aware Task Generation for RTOS Fuzzing

Yuheng, Shen, Hao, Sun, Yu, Jiang, Heyuan, Shi, Yixiao, Yang, and Wanli, Chang

ACM Trans. Embed. Comput. Syst. Sep 2021

Abs Bib PDF

A real-time operating system (RTOS) is an operating system designed to meet certain real-time requirements. It is widely used in embedded applications, and its correctness is safety-critical. However, the validation of RTOS is challenging due to its complex real-time features and large code base. In this paper, we propose Rtkaller, a state-aware kernel fuzzer for the vulnerability detection in RTOS. First, Rtkaller implements an automatic task initialization to transform the syscall sequences into initial tasks with more real-time information. Then, a coverage-guided task mutation is designed to generate those tasks that explore more in-depth real-time related code for parallel execution. Moreover, Rtkaller realizes a task modification to correct those tasks that may hang during fuzzing. We evaluated it on recent versions of rt-Linux, which is one of the most widely used RTOS. Compared to the state-of-the-art kernel fuzzers Syzkaller and Moonshine, Rtkaller achieves the same code coverage at the speed of 1.7X and 1.6X , gains an increase of 26.1% and 22.0% branch coverage within 24 hours respectively. More importantly, Rtkaller has confirmed 28 previously unknown vulnerabilities that are missed by other fuzzers.
@article{Rtkaller, author = {Yuheng, Shen and Hao, Sun and Yu, Jiang and Heyuan, Shi and Yixiao, Yang and Wanli, Chang}, title = {{Rtkaller: State-Aware Task Generation for RTOS Fuzzing}}, year = {2021}, issue_date = {October 2021}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, volume = {20}, number = {5s}, issn = {1539-9087}, url = {https://doi.org/10.1145/3477014}, doi = {10.1145/3477014}, journal = {ACM Trans. Embed. Comput. Syst.}, month = sep, articleno = {83}, numpages = {22}, keywords = {RTOS, task generation, Fuzz testing, vulnerability detection}, }
ISSRE ’19
Go-Sanitizer: Bug-Oriented Assertion Generation for Golang

Cong, Wang, Hao, Sun, Yiwen, Xu, Yu, Jiang, Huafeng, Zhang, and Ming, Gu

In 2019 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW) Sep 2019

Abs Bib PDF

Go programming language (Golang) is widely used, and the security issue becomes increasingly important because of its extensive applications. Most existing validation techniques, such as fuzz testing and unit testing, mainly focus on crashes detection and coverage improvements. However, it is challenging for test engines to perceive common program bugs such as loss of precision and integer overflow. In this paper, we propose Go-Sanitizer, an effective bug-oriented assertion generator for Golang, which is able to achieve a better performance in finding program bugs. Firstly, we manually analyze the Common Weakness Enumeration (CWE) and summarize the applicabilities on Golang. Secondly, we design a generator to automatically insert several bug-oriented assertions to the proper locations of the target program. Finally, we can utilize the traditional validation techniques such as fuzz and unit testing to test the programs with inserted assertions, and Go-Sanitizer reports bugs via the failures of assertions. For evaluation, we apply Go-Sanitizer to Badger, a widely-used database software, and successfully discovers 12 previously unreported program bugs, which can not be detected by pure fuzzer such as Go-Fuzz or unit testing methods.
@inproceedings{GoSanitizer, author = {Cong, Wang and Hao, Sun and Yiwen, Xu and Yu, Jiang and Huafeng, Zhang and Ming, Gu}, booktitle = {2019 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)}, title = {Go-Sanitizer: Bug-Oriented Assertion Generation for Golang}, year = {2019}, volume = {}, number = {}, pages = {36--41}, doi = {10.1109/ISSREW.2019.00039}, }

software

Healer, kernel fuzzer inspired by Syzkaller

Healer is an automated kernel bug finding tool, written in 17,000+ lines of Rust. It utilizes specifications that encode input information to generate system call sequences, and detects kernel bugs via triggering kernel crashes with generated sequences. While the idea behind Healer is relatively straightforward, it incorporates many tricks and techniques for efficient runtime behavior… more
KEY RESULTS: 100+ reported and fixed Linux bugs, 10+ CVEs assigned, 199 stars on github.

KSG, kernel syscall specification generator

Writting system call specifications for kernel fuzzers requires significant amount of domain knowledge while being laborious. To address this, I designed and implemented a kernel specification generator (KSG) with 7000+ lines of C++ code based on Clang Static Analyzer. KSG utilizes a probe-based tracing and a symbolic execution-based type propagation algorithm…more
KEY RESULTS: 2433 automatically generated specifications and 23 bugs.

UFUZZ, OSEK/VDX RTOS kernel fuzzer

UFUZZ is an automated bug discovery tool, designed for embedded RTOS kernels that conform to the OSEK/VDX specification. It generates test cases with the awareness of the application model, e.g., prioritized tasks, and transfers inputs via directly accessing the memory of guest VM. UFUZZ has been adopted and deployed in a private organization.