DIFUZZing Android Kernel Drivers

Presented at Black Hat Europe 2017, Dec. 6, 2017, 3:30 p.m. (60 minutes)

As the rest of the Android security infrastructure improves, the Android/Linux kernel is well on its way to becoming the "weakest link," being responsible for a higher and higher fraction of vulnerabilities [1]. Most of these vulnerabilities are in kernel driver code, as this driver code is often maintained by third parties and gets less scrutiny than the kernel itself.

Specifically, most of these bugs are in driver ioctl functions [2]. Despite significant advances in automatic analysis of kernel code, current state-of-the-art tools like Syzkaller [3] and trinity [4] fail to find these bugs. This is because ioctls do not have a standard interface, and each ioctl for each driver expects different commands and data structures. The amount of manual effort required to bridge this "interface gap" for Syzkaller and trinity has hampered effort to find, pwn, and fix these issues.

The problem needed to be fixed, and so we created DIFUZE, a lightweight (yet powerful), python based interface-aware fuzzing framework for driver ioctls. DIFUZE uses a novel combination of static analysis techniques (using LLVM) to extract the structure of argument data of the ioctls from the GPL-mandated headers of kernel drivers, and uses this information to effectively fuzz drivers on the target device.

We will publish the scientific details behind DIFUZE at the ACM Conference on Computer and Communication Security (CCS), one of the premier venues in the scientific security community.

DIFUZE works. We found 32 zero-days in seven modern android phones including the Google Pixel XL. We are certain that more bugs are lurking in more phones, so we are open-sourcing the end-to-end automated tool for the public good. DIFUZE is completely automated -- just give it kernel.tar.gz, wait, and collect the 0days.

Happy hunting.

[1] https://source.android.com/security/bulletin/; [2] Jeffrey Vander Stoep. 2016. Android: protecting the kernel. In Linux Security Summit. Linux Foundation; [3] Google. 2017. syzkaller - linux syscall fuzzer. (2017). https://github . com/google/syzkaller; [4] Dave Jones. 2011. Trinity: A system call fuzzer. In Proceedings of the 13th Ottawa Linux Symposium, pages.

Presenters:

• Yan Shoshitaishvili / Zardus - Assistant Professor, Arizona State University   as Yan Shoshitaishvili
  Yan Shoshitaishvili is an Assistant Professor at Arizona State University, where he drives research into the automatic analysis, exploitation, and defense of real-world software. He is an avid CTF player and a member of Shellphish, the team that he led to become one of the winners of the DARPA Cyber Grand Challenge.
• Shuang Hao - Assistant Professor, University of Texas, Dalls
  Shuang Hao is an Assistant Professor in the Department of Computer Science at the University of Texas at Dallas. His research focuses on computer and network security, spam filtering, botnet detection, DNS reputation analysis, and underground economy study. His work has been recognized in press coverage, including MIT Technology Review, WIRED, KrebsOnSecurity, and Slashdot.
• Jake Corina - Independent Researcher, N/A
  Jake Corina is an Independent Researcher, he holds a master's degree from the University of California, Santa Barbara. He works on fuzzing low-level systems like kernel, modem and other smartphone subsystems. Along with Salls, He demonstrated an Android root at exploit at Geekpwn. He is also a member of Shellphish, He says he likes big heaps and he cannot lie.
• Chris Salls - Graduate Research Assistant, University of California, Santa Barbara
  Chris Salls is a PhD student at the University of California, Santa Barbara, where he works on automated techniques to find memory corruption bugs. Recently, one bug that was found in his research was used to demonstrate an Android root at exploit at Geekpwn. As the captain of Shellphish, he works to lead team members in learning advanced exploitation techniques.
• Aravind Machiry - Graduate Research Assistant, University of California, Santa Barbara
  Aravind Machiry is a third year PhD student at University of California, Santa Barbara and a member of Shellphish Grill Team. He works on using static and dynamic analysis to find flaws in system software including linux kernel. He found several bugs in Android kernel. He also found a design flaw in Trusted Execution Environments, called Boomerang which was published in NDSS 2017.

Links:

• https://www.blackhat.com/eu-17/briefings/schedule/#difuzzing-android-kernel-drivers-8903

Similar Presentations:

• DEF CON 27 (2019) / Get off the Kernel if you can't Drive
• Black Hat Asia 2018 / New Compat Vulnerabilities in Linux Device Drivers
• VB2019 / Play fuzzing machine - hunting iOS and macOS kernel vulnerabilities automatically and smartly