
Research On Detection And Analysis Of Vulnerability Of Windows Device Drivers

Posted on: 2016-09-26
Degree: Master
Type: Thesis
Country: China
Candidate: B S Qin
Full Text: PDF
GTID: 2298330467993759
Subject: Computer technology
Abstract/Summary:
Windows has been widely used in many fields, and its security draws more and more attention. Because the security of kernel drivers directly affects the security of the entire system, vulnerability detection and analysis of Windows kernel drivers has long been both a research focus and a difficult problem. A DeviceIoControl call from user mode triggers a response from a kernel module, so research on DeviceIoControl vulnerabilities has practical significance for vulnerability discovery in kernel mode. Currently, the main approach to finding kernel-mode vulnerabilities is fuzzing. Because the internal program state cannot be observed, test sets cannot be generated in a targeted way, and there are no tools to quantify the code coverage of kernel code. The methods and tool implementations of current program analysis techniques such as taint analysis and symbolic execution are relatively mature for analyzing user-mode programs, but they are difficult to apply directly in kernel mode.
In patch analysis, suitable samples frequently need to be constructed to ensure that the program executes specific code blocks, but because of the complexity of the kernel environment, constructing such samples consumes much time.

This thesis studies the preceding problems. The main work completed and the main research achievements are:

(1) Summarize the state of the art of vulnerability discovery in the field of Windows device drivers, discuss the application of fuzzing to kernel vulnerabilities, and analyze and summarize in depth the application of the popular constraint solver Z3 and the intermediate language REIL in program analysis;

(2) Propose a heuristic algorithm for obtaining static information about a device driver, such as its device name, its I/O control codes, and their handling routines, and apply the algorithm in a kernel fuzzing tool to guide the generation of test sets; summarize the key design points of a kernel fuzzing tool, and design and implement a prototype tool for assessing kernel code coverage;

(3) Design and implement a kernel binary analysis prototype tool based on symbolic execution, which translates instructions into an intermediate language, uses symbolic execution to track the execution of the device driver, gathers the constraints along the execution path, and thereby implements a symbolic execution engine. This system can be used to construct data inputs that reach the targeted code blocks.

Experiments and tests show that the heuristic algorithm for obtaining static information proposed in this thesis precisely collects information about the target device driver, and that the expected goal of constructing data inputs that lead execution to an assigned code block was achieved. The preceding work improves the efficiency of discovering and exploiting kernel device driver vulnerabilities, and has good application value.
Keywords/Search Tags: device driver, fuzzing test, symbolic execution, vulnerability detection and analysis