TY - GEN
T1 - GREBE
T2 - 43rd IEEE Symposium on Security and Privacy, SP 2022
AU - Lin, Zhenpeng
AU - Chen, Yueqi
AU - Wu, Yuhang
AU - Mu, Dongliang
AU - Yu, Chensheng
AU - Xing, Xinyu
AU - Li, Kang
N1 - Publisher Copyright:
© 2022 IEEE.
PY - 2022
Y1 - 2022
N2 - Nowadays, dynamic testing tools have significantly expedited the discovery of bugs in the Linux kernel. When unveiling kernel bugs, they automatically generate reports, specifying the errors the Linux encounters. The error in the report implies the possible exploitability of the corresponding kernel bug. As a result, many security analysts use the manifested error to infer a bug's exploitability and thus prioritize their exploit development effort. However, using the error in the report, security researchers might underestimate a bug's exploitability. The error exhibited in the report may depend upon how the bug is triggered. Through different paths or under different contexts, a bug may manifest various error behaviors implying very different exploitation potentials. This work proposes a new kernel fuzzing technique to explore all the possible error behaviors that a kernel bug might bring about. Unlike conventional kernel fuzzing techniques concentrating on kernel code coverage, our fuzzing technique is more directed towards the buggy code fragment. It introduces an object-driven kernel fuzzing technique to explore various contexts and paths to trigger the reported bug, making the bug manifest various error behaviors. With the newly demonstrated errors, security researchers could better infer a bug's possible exploitability. To evaluate our proposed technique's effectiveness, efficiency, and impact, we implement our fuzzing technique as a tool GREBE and apply it to 60 real-world Linux kernel bugs. On average, GREBE could manifest 2+ additional error behaviors for each of the kernel bugs. For 26 kernel bugs, GREBE discovers higher exploitation potential. We report to kernel vendors some of the bugs - the exploitability of which was wrongly assessed and the corresponding patch has not yet been carefully applied - resulting in their rapid patch adoption.
AB - Nowadays, dynamic testing tools have significantly expedited the discovery of bugs in the Linux kernel. When unveiling kernel bugs, they automatically generate reports, specifying the errors the Linux encounters. The error in the report implies the possible exploitability of the corresponding kernel bug. As a result, many security analysts use the manifested error to infer a bug's exploitability and thus prioritize their exploit development effort. However, using the error in the report, security researchers might underestimate a bug's exploitability. The error exhibited in the report may depend upon how the bug is triggered. Through different paths or under different contexts, a bug may manifest various error behaviors implying very different exploitation potentials. This work proposes a new kernel fuzzing technique to explore all the possible error behaviors that a kernel bug might bring about. Unlike conventional kernel fuzzing techniques concentrating on kernel code coverage, our fuzzing technique is more directed towards the buggy code fragment. It introduces an object-driven kernel fuzzing technique to explore various contexts and paths to trigger the reported bug, making the bug manifest various error behaviors. With the newly demonstrated errors, security researchers could better infer a bug's possible exploitability. To evaluate our proposed technique's effectiveness, efficiency, and impact, we implement our fuzzing technique as a tool GREBE and apply it to 60 real-world Linux kernel bugs. On average, GREBE could manifest 2+ additional error behaviors for each of the kernel bugs. For 26 kernel bugs, GREBE discovers higher exploitation potential. We report to kernel vendors some of the bugs - the exploitability of which was wrongly assessed and the corresponding patch has not yet been carefully applied - resulting in their rapid patch adoption.
UR - http://www.scopus.com/inward/record.url?scp=85135953951&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85135953951&partnerID=8YFLogxK
U2 - 10.1109/SP46214.2022.9833683
DO - 10.1109/SP46214.2022.9833683
M3 - Conference contribution
AN - SCOPUS:85135953951
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 2078
EP - 2095
BT - Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 23 May 2022 through 26 May 2022
ER -