PUBLICATIONS |

2024

OSDI ’24

Validating the eBPF Verifier via State Embedding

Hao, Sun, and Zhendong, Su

In Proceedings of the 18h USENIX Conference on Operating Systems Design and Implementation 2024
EuroSys ’24

Finding Correctness Bugs in eBPF Verifier with Structured and Sanitized Program

Hao, Sun, Yiru, Xu, Jianzhong, Liu, Yuheng, Shen, Nan, Guan, and Yu, Jiang

In Proceedings of the European Conference on Computer Systems 2024
S&P ’24
SATURN: Host-Gadget Synergistic USB Driver Fuzzing

Yiru, Xu, Hao, Sun, Jianzhong, Liu, Yuheng, Shen, and Yu, Jiang

In 2024 IEEE Symposium on Security and Privacy (SP) May 2024

Abs Bib

The Universal Serial Bus (USB) is an essential component in modern operating systems, allowing for a wide assortment of peripherals to connect conveniently to a computer. The USB stack in an operating system usually consists of the following two components: the host-side driver and the device-side gadget driver, both of which are security-critical. If any vulnerabilities in these privileged-mode drivers are exploited, a malicious or malformed device could crash the whole system. Fuzzing, a popular automated vulnerability detection technology, has been applied to testing kernel components such as drivers with varying degrees of success. However, existing works mainly focus on a single side and test drivers through emulating malicious input from userspace or peripherals while neglecting intricate internal states triggered only through interaction between the two boundaries, leaving a multitude of bugs exposed. In this paper, we propose SATURN, a host-gadget synergistic USB driver fuzzing approach, aiming to cover the entire handling chain throughout the USB communication. To achieve this, SATURN first leverages extracted driver information to attach gadgets systematically and trigger more driver types, facilitating the transition to interactive logic. Then, SATURN performs a persistent synergistic fuzzing process through canonical operation injection on both sides to play their own important roles, significantly expanding the states explored and exposing bugs in such logic. Compared to the state-of-the-art USB fuzzers, such as Syzkaller, USBFuzz and FUZZUSB, SATURN improves the branch coverage statistics on the corresponding stack by 1.53x, 3.69x and 2.3x, respectively. In addition, SATURN found 26 previously unknown bugs, among which are 4 CVEs, including drivers on each side.
@inproceedings{SATURN, author = {Yiru, Xu and Hao, Sun and Jianzhong, Liu and Yuheng, Shen and Yu, Jiang}, booktitle = {2024 IEEE Symposium on Security and Privacy (SP)}, title = {SATURN: Host-Gadget Synergistic USB Driver Fuzzing}, year = {2024}, volume = {}, issn = {2375-1207}, pages = {51-51}, keywords = {}, doi = {10.1109/SP54263.2024.00051}, url = {https://doi.ieeecomputersociety.org/10.1109/SP54263.2024.00051}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, month = may, }

2023

TOSEM
Horus: Accelerating Kernel Fuzzing Through Efficient Host-VM Memory Access Procedures

Jianzhong, Liu, Yuheng, Shen, Yiru, Xu, Hao, Sun, and Yu, Jiang

ACM Trans. Softw. Eng. Methodol. Aug 2023

Abs Bib PDF

Kernel fuzzing is an effective technique in operating system vulnerability detection. Fuzzers such as Syzkaller and Moonshine frequently pass highly structured data between fuzzer processes in guest virtual machines and manager processes in the host operating system to synchronize fuzzing-relevant data and information. Since the guest virtual machines’ and the host operating system’s memory spaces are mutually isolated, fuzzers conduct synchronization operations using mechanisms such as Remote Procedure Calls over TCP/IP networks, incurring significant overheads that negatively impact the fuzzer’s efficiency and effectiveness in increasing code coverage and finding vulnerabilities. In this paper, we propose Horus, a kernel fuzzing data transfer mechanism that mitigates the aforementioned data transfer overheads. Horus removes host-VM memory isolation and performs data transfers through copying to and from target memory locations in the guest virtual machine. Horus facilitates such efficient transfers through using fixed stub structures in the guest’s memory space, whose addresses, along with the guest’s RAM contents, are exposed to the host during the fuzzer’s initialization process. When conducting transfers, Horus passes highly-structured non-trivial data between the host and guest instances through copying the data directly to and from the stub structures, reducing the overall overhead signficantly compared to that of using a network-based approach. We implemented Horus upon state-of-the-art kernel fuzzers Syzkaller, Moonshine and kAFL and evaluated its effectiveness. For Syzkaller and Moonshine, Horus increased their transfer speeds by 84.5% and 85.8% for non-trivial workloads on average and improved their fuzzing throughputs by 31.07% and 30.62%, respectively. Syzkaller and Moonshine both achieved a coverage speedup of 1.6 \texttimes through using Horus. For kAFL, Horus improved specifically its Redqueen component’s execution speeds by (19.4% ) .
@article{Horus, author = {Jianzhong, Liu and Yuheng, Shen and Yiru, Xu and Hao, Sun and Yu, Jiang}, title = {Horus: Accelerating Kernel Fuzzing Through Efficient Host-VM Memory Access Procedures}, year = {2023}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, issn = {1049-331X}, url = {https://doi.org/10.1145/3611665}, doi = {10.1145/3611665}, note = {Just Accepted}, journal = {ACM Trans. Softw. Eng. Methodol.}, month = aug, keywords = {kernel fuzzing, security, performance enhancement, testing}, }

2022

EMSOFT ’22
Tardis: Coverage-Guided Embedded Operating System Fuzzing

Yuheng, Shen, Yiru, Xu, Hao, Sun, Jianzhong, Liu, Zichen, Xu, Aiguo, Cui, Heyuan, Shi, and Jiang, Yu

ACM Trans. Embed. Comput. Syst. Aug 2022

Abs Bib PDF

Embedded Operating Systems are extensively deployed in many mission-critical industrial scenarios. Any defects within these systems may result in unacceptable losses. Therefore, it is imperative to develop tools to detect bugs within Embedded Operating Systems, thus minimizing potential impacts on industrial infrastructures. Coverage guided fuzzing is a vulnerability detection technique that has found numerous realworld vulnerabilities within both application programs as well as kernels. However, state-of-the-art kernel fuzzers, e.g., Syzkaller, mainly target general purpose operating systems, such as Linux, macOS, and Windows, whereas Embedded Operating System support is mostly lacking. In this paper, we propose Tardis, the first Embedded Operating System fuzzer capable of testing a wide selection of Embedded Operating Systems while leveraging coverage feedback. Tardis conducts OS-agnostic code coverage collection and analysis, allowing developers and testers to test a wide range of Embedded Operating Systems without significant manual efforts. We implemented and evaluated Tardis on several well-known Embedded Operating Systems, such as UC/OS and FreeRTOS. Tardis can successfully perform fuzz testing on these kernels without significant manual effort for adaptation. By leveraging coverage feedback, Tardis can cover 51.32% more branches than black-box fuzzing on average on the respective Embedded Operating Systems over 24 hours. Tardis also found 17 previously unknown bugs among the target Embedded Operating System
@article{Tardis, author = {Yuheng, Shen and Yiru, Xu and Hao, Sun and Jianzhong, Liu and Zichen, Xu and Aiguo, Cui and Heyuan, Shi and Jiang, Yu}, title = {{Tardis: Coverage-Guided Embedded Operating System Fuzzing}}, year = {2022}, publisher = {Association for Computing Machinery}, journal = {ACM Trans. Embed. Comput. Syst.}, keywords = {RTOS, Fuzz testing, vulnerability detection}, }
ATC ’22
KSG: Augmenting Kernel Fuzzing with System Call Specification Generation

Hao, Sun, Yuheng, Shen, Jianzhong, Liu, Yiru, Xu, and Yu, Jiang

In 2022 USENIX Annual Technical Conference (USENIX ATC 22) Jul 2022

Abs Bib PDF Slides

Kernel fuzzing is a dynamic testing technique that has successfully found numerous kernel vulnerabilities. However, existing kernel fuzzers, such as Syzkaller, depend on system call specifications to generate test cases. Writing such specifications requires an immense amount of domain knowledge while being extremely laborious. Meanwhile, automated generation of the specification is still an open problem due to the complexity of the kernel, including entry function extraction and input type identification. As a result, the current amount of system call information is insufficient to test the entire kernel code base thoroughly. Syzkaller covers an average of 38% of Linux kernel code with current Syzlang specifications for a prolonged time of fuzzing. In this paper, we propose KSG to generate system call specifications for kernel fuzzers automatically. First, it utilizes probe-based tracing to extract entry functions accurately. Then, it uses path-sensitive analysis to collect precise input types and range constraints in each execution path of entry functions. Based on the aforementioned information, KSG generates specifications in the domain language Syzlang, which is used by most kernel fuzzers. We evaluated KSG on several versions of the Linux kernel. It automatically generated 2433 unique specifications. Leveraging the newly generated specifications, Syzkaller and Moonshine achieved coverage improvements of 22% and 23% respectively. Furthermore, our approach assisted fuzzers to discover 26 previously unknown bugs, where 13 and 6 bugs were fixed and assigned with CVEs, respectively.
@inproceedings{KSG, author = {Hao, Sun and Yuheng, Shen and Jianzhong, Liu and Yiru, Xu and Yu, Jiang}, title = {{KSG}: Augmenting Kernel Fuzzing with System Call Specification Generation}, booktitle = {2022 USENIX Annual Technical Conference (USENIX ATC 22)}, year = {2022}, isbn = {978-1-939133-29-20}, address = {Carlsbad, CA}, pages = {351--366}, url = {https://www.usenix.org/conference/atc22/presentation/sun}, publisher = {USENIX Association}, month = jul, }

2021

SOSP ’21
HEALER: Relation Learning Guided Kernel Fuzzing

Hao, Sun, Yuheng, Shen, Cong, Wang, Jianzhong, Liu, Yu, Jiang, Ting, Chen, and Aiguo, Cui

In Proceedings of the ACM SIGOPS 28th Symposium on Operating Systems Principles Jul 2021

Abs Bib PDF Code Poster Slides

Modern operating system kernels are too complex to be free of bugs. Fuzzing is a promising approach for vulnerability detection and has been applied to kernel testing. However, existing work does not consider the influence relations between system calls when generating and mutating inputs, resulting in difficulties when trying to reach into the kernel’s deeper logic effectively.In this paper, we propose HEALER, a kernel fuzzer that improves fuzzing’s effectiveness by utilizing system call relation learning. HEALER learns the influence relations between system calls by dynamically analyzing minimized test cases. Then, HEALER utilizes the learned relations to guide input generation and mutation, which improves the quality of test cases and the effectiveness of fuzzing. We implemented HEALER and evaluated its performance on recent versions of the Linux kernel. Compared to state-of-the-art kernel fuzzers such as Syzkaller and Moonshine, HEALER improves branch coverage by 28% and 21%, while achieving a speedup of 2.2x and 1.8x, respectively. In addition, HEALER detected 218 vulnerabilities, 33 of which are previously unknown and have been confirmed by the corresponding kernel maintainers.
@inproceedings{Healer, author = {Hao, Sun and Yuheng, Shen and Cong, Wang and Jianzhong, Liu and Yu, Jiang and Ting, Chen and Aiguo, Cui}, title = {HEALER: Relation Learning Guided Kernel Fuzzing}, year = {2021}, isbn = {9781450387095}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/3477132.3483547}, doi = {10.1145/3477132.3483547}, booktitle = {Proceedings of the ACM SIGOPS 28th Symposium on Operating Systems Principles}, pages = {344--358}, numpages = {15}, keywords = {System Call Relation Learning, Kernel Fuzzing}, location = {Virtual Event, Germany}, series = {SOSP '21}, }
EMSOFT ’21
Rtkaller: State-Aware Task Generation for RTOS Fuzzing

Yuheng, Shen, Hao, Sun, Yu, Jiang, Heyuan, Shi, Yixiao, Yang, and Wanli, Chang

ACM Trans. Embed. Comput. Syst. Sep 2021

Abs Bib PDF

A real-time operating system (RTOS) is an operating system designed to meet certain real-time requirements. It is widely used in embedded applications, and its correctness is safety-critical. However, the validation of RTOS is challenging due to its complex real-time features and large code base. In this paper, we propose Rtkaller, a state-aware kernel fuzzer for the vulnerability detection in RTOS. First, Rtkaller implements an automatic task initialization to transform the syscall sequences into initial tasks with more real-time information. Then, a coverage-guided task mutation is designed to generate those tasks that explore more in-depth real-time related code for parallel execution. Moreover, Rtkaller realizes a task modification to correct those tasks that may hang during fuzzing. We evaluated it on recent versions of rt-Linux, which is one of the most widely used RTOS. Compared to the state-of-the-art kernel fuzzers Syzkaller and Moonshine, Rtkaller achieves the same code coverage at the speed of 1.7X and 1.6X , gains an increase of 26.1% and 22.0% branch coverage within 24 hours respectively. More importantly, Rtkaller has confirmed 28 previously unknown vulnerabilities that are missed by other fuzzers.
@article{Rtkaller, author = {Yuheng, Shen and Hao, Sun and Yu, Jiang and Heyuan, Shi and Yixiao, Yang and Wanli, Chang}, title = {{Rtkaller: State-Aware Task Generation for RTOS Fuzzing}}, year = {2021}, issue_date = {October 2021}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, volume = {20}, number = {5s}, issn = {1539-9087}, url = {https://doi.org/10.1145/3477014}, doi = {10.1145/3477014}, journal = {ACM Trans. Embed. Comput. Syst.}, month = sep, articleno = {83}, numpages = {22}, keywords = {RTOS, task generation, Fuzz testing, vulnerability detection}, }

2019

ISSRE ’19
Go-Sanitizer: Bug-Oriented Assertion Generation for Golang

Cong, Wang, Hao, Sun, Yiwen, Xu, Yu, Jiang, Huafeng, Zhang, and Ming, Gu

In 2019 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW) Sep 2019

Abs Bib PDF

Go programming language (Golang) is widely used, and the security issue becomes increasingly important because of its extensive applications. Most existing validation techniques, such as fuzz testing and unit testing, mainly focus on crashes detection and coverage improvements. However, it is challenging for test engines to perceive common program bugs such as loss of precision and integer overflow. In this paper, we propose Go-Sanitizer, an effective bug-oriented assertion generator for Golang, which is able to achieve a better performance in finding program bugs. Firstly, we manually analyze the Common Weakness Enumeration (CWE) and summarize the applicabilities on Golang. Secondly, we design a generator to automatically insert several bug-oriented assertions to the proper locations of the target program. Finally, we can utilize the traditional validation techniques such as fuzz and unit testing to test the programs with inserted assertions, and Go-Sanitizer reports bugs via the failures of assertions. For evaluation, we apply Go-Sanitizer to Badger, a widely-used database software, and successfully discovers 12 previously unreported program bugs, which can not be detected by pure fuzzer such as Go-Fuzz or unit testing methods.
@inproceedings{GoSanitizer, author = {Cong, Wang and Hao, Sun and Yiwen, Xu and Yu, Jiang and Huafeng, Zhang and Ming, Gu}, booktitle = {2019 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)}, title = {Go-Sanitizer: Bug-Oriented Assertion Generation for Golang}, year = {2019}, volume = {}, number = {}, pages = {36--41}, doi = {10.1109/ISSREW.2019.00039}, }