Dominik Maier, Benedikt Radtke, and Bastian Harren, TU Berlin
Fuzzing uncovers an ever-growing number of critical vulnerabilities. Despite the simple concept—execute the target until it crashes—setting up fuzz tests can pose complex challenges. This is especially true for code that cannot run as part of a userland process on desktop operating systems—for example device drivers and kernel components. In this paper, we explore the use of CPU emulation to fuzz arbitrary parsers in kernelspace with coverage-based feedback. We propose and open-source Unicorefuzz and explain merits and pitfalls of emulation-based fuzzing approaches. The viability of the approach is evaluated against artificial Linux kernel modules, the Open vSwitch network virtualization component as well as bugs originally uncovered by syzcaller. Emulator-based fuzzing of kernel code is not very complex to set up and can even be used to fuzz operating systems and devices for which no source code is available.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Dominik Maier and Benedikt Radtke and Bastian Harren},
title = {Unicorefuzz: On the Viability of Emulation for Kernelspace Fuzzing},
booktitle = {13th USENIX Workshop on Offensive Technologies (WOOT 19)},
year = {2019},
address = {Santa Clara, CA},
url = {https://www.usenix.org/conference/woot19/presentation/maier},
publisher = {USENIX Association},
month = aug
}