
Research On Grey Box Testing Technology For Operating System Kernel

Posted on: 2020-04-18
Degree: Master
Type: Thesis
Country: China
Candidate: X W Tu
GTID: 2428330578964132
Subject: Computer Science and Technology

Abstract/Summary:
The kernel is the central part of an operating system. It generally executes at the highest privilege level, providing security protection for hardware access and resource abstraction for upper-layer applications. It also maintains security isolation between users and the system, which is the guarantee for the safe execution of the entire operating system. However, the kernel has a huge code base, widespread attack patterns and complex data structures, and more and more kernel security vulnerabilities have been exploited. Once an attacker breaks through the protection of the operating system through a kernel vulnerability, they can obtain the highest privilege of the system and carry out any malicious operation they want, including the execution of arbitrary code. For kernel security testing, the existing methods face the problems of small test scale, slow test rate, inaccurate test cases and low coverage, and cannot keep up with the rapid increase in the code size of the system kernel.

Aiming at the problems of small scale and slow execution rate of the existing methods, this paper proposes a coverage-guided parallel kernel grey box fuzzing model, and further proposes a sequence-driven seed generation model aiming to solve the problems of inaccurate test cases and low coverage. Finally, these two models are combined with QEMU-KVM to improve performance. The main contents of this paper are as follows:

1) A coverage-guided parallel grey box kernel fuzzing model, DisModel, is proposed, which includes a parallel module, a coverage-guided module and a vulnerability monitor module. The parallel module and the coverage-guided module are guided by code coverage, and a star structure composed of computing nodes and control nodes is used as the parallel model. The computing nodes continuously fuzz the kernel using code coverage, the control node collects and exchanges code coverage between the computing nodes, and the vulnerability monitor module matches the execution output against regular expressions to determine whether an execution can trigger a vulnerability. Compared with Syzkaller and TriforceAFL, this model breaks through the limitation of computing resources and shows a certain increase in execution speed, code coverage and number of vulnerabilities. This proves that the model can be applied to large-scale scenarios and improves testing efficiency to a certain extent.

2) A novel seed generation model for kernel fuzzing, SeqModel, is proposed. It uses syntax rules to automatically generate highly structured inputs, which can pass the kernel's syntax checks on function parameters and provide high-quality seeds for mutation. Firstly, the model generates a function description document according to the function structure in the system header files and the defined function syntax rules. Then it uses the function description document to generate functions that conform to the grammar rules. Next, short function sequences are generated from the parameter dependencies between the functions to test the kernel, and the short function sequences that generate new coverage are stored in the corpus. Finally, a system call graph is constructed using a Markov chain and the function transfer relationship between the short function sequences, and the kernel is tested by extracting long function sequences from the system call graph, which improves the accuracy and completeness of the test case chain. Compared with Syzkaller, this model achieves a higher improvement in test case generation efficiency, coverage and number of crashes, which proves the effectiveness of the model.

3) Based on the achievements of 1) and 2), a fusion accelerated kernel fuzzing model, Diskaller, is designed and implemented. The model uses QEMU-KVM virtualization to accelerate the test process, uses 1) to test the virtual system containing the kernel in parallel, and uses the seed generation model constructed in 2) to generate inputs. Finally, the effectiveness of the model is proved by experiments.
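As an added illustration (not code from the thesis) of the SeqModel step that builds a Markov-chain system call graph from the short function sequences in the corpus and walks it to extract a long function sequence: the corpus below, the function names and the tie handling are constructed assumptions, and the parameter-dependency and coverage checks of the real model are left out.

```python
import random
from collections import defaultdict

# Constructed corpus of short syscall sequences (made up for this example);
# in the thesis these are the short sequences that produced new coverage.
CORPUS = [
    ["open", "read", "close"],
    ["open", "read", "lseek", "read", "close"],
    ["open", "write", "fsync", "close"],
    ["open", "ioctl", "ioctl", "close"],
    ["socket", "bind", "listen", "accept", "read", "close"],
    ["socket", "connect", "write", "read", "close"],
]


def build_call_graph(corpus):
    """Markov-chain system call graph: for every syscall, the probability of
    each successor, estimated from the transfer relationship observed in the
    short sequences (a syscall that never has a successor gets no entry)."""
    counts = defaultdict(lambda: defaultdict(int))
    for seq in corpus:
        for cur, nxt in zip(seq, seq[1:]):
            counts[cur][nxt] += 1
    graph = {}
    for cur, succ in counts.items():
        total = sum(succ.values())
        graph[cur] = {name: c / total for name, c in succ.items()}
    return graph


def extract_long_sequence(graph, start, length, choose=None):
    """Walk the chain from `start` to build a long function sequence of up to
    `length` calls. `choose(names, weights)` picks the next syscall; the
    default is a weighted random choice. The walk stops early when it reaches
    a syscall with no observed successor (e.g. a trailing close)."""
    if choose is None:
        choose = lambda names, weights: random.choices(names, weights=weights, k=1)[0]
    seq = [start]
    while len(seq) < length and seq[-1] in graph:
        names, weights = zip(*graph[seq[-1]].items())
        seq.append(choose(list(names), list(weights)))
    return seq


if __name__ == "__main__":
    g = build_call_graph(CORPUS)
    print(extract_long_sequence(g, "socket", 12, None))
```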
Keywords/Search Tags: kernel, greybox fuzzing, vulnerabilities, code coverage, markov chain