
Design And Implementation Of Fuzzing Tool For Android Kernel

Posted on: 2021-01-04
Degree: Master
Type: Thesis
Country: China
Candidate: Y X Chen
GTID: 2428330632462822
Subject: Computer technology

Abstract/Summary:
Today, Android has become the mainstream operating system on mobile phones, occupying most of the market share, but it carries great security risks. Vulnerabilities in the OS kernel are more severe than those in user space because they allow attackers to access a system with full privileges. With the growing emphasis on security, existing kernel vulnerability detection tools are becoming more capable. Many vulnerabilities in the shallower layers of the code have been discovered, so researchers have begun to explore kernel vulnerabilities hidden deeper in the code, while traditional fuzzing tools based on random system calls have been unable to meet this need.

Passive fuzzing of the kernel has a natural calling sequence and is more likely to trigger deep, hard-to-find vulnerabilities. It is an efficient technique for finding new attack surfaces and discovering new vulnerabilities, but it does not generate specific test cases. Kernel-oriented active fuzzing, by contrast, uses previously mutated parameters and actively executes the corresponding system call for testing. Once a vulnerability is found, the corresponding test case can be obtained, but since all calls are configured by expert knowledge, it is not easy to reach deep code.

To achieve more efficient kernel fuzzing, this thesis proposes a combination of active and passive fuzzing techniques. On the one hand, the system call log of the application running during passive fuzzing is used to infer a system call model, and active fuzzing executes that model, retaining the passive fuzzing call sequence so that active fuzzing can also reach deeper code. On the other hand, the passive fuzzing system call sequence is used to guide the active fuzzing process, so that active fuzzing covers as many calls in the sequence as possible until the vulnerability corresponding to the calling sequence is triggered, thereby generating the corresponding test cases for passive fuzzing.

Based on AFL and the proposed fuzzing method, this thesis implements X-AFL, a fuzzing tool for the Android kernel. It contains three modules: passive fuzzing, model inference and active fuzzing. All three modules are evaluated experimentally. The results show that the passive fuzzing module can effectively trigger many kernel bugs; that X-AFL, using the inferred model, achieves higher system call execution efficiency than random system calls; and that X-AFL, which combines the inferred model with sequence guidance, is an effective kernel fuzzing tool.
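The passive-log, model-inference, sequence-guided active loop the abstract describes, as an added illustration that is not the thesis's X-AFL code: it parses a constructed syscall log, infers a call model that keeps the logged order and the fd data flow, then replays that model with mutated arguments and reports how far along the logged sequence it got. The log contents, the device path and the replay executor are constructed stand-ins, and the return-value dependency rule is an assumed heuristic.

```python
import re
# Constructed sample syscall log (not real Android tracer output), "name(args) = ret" per call.
SAMPLE_LOG = """\
open("/dev/fakedev", 2) = 5
ioctl(5, 30728, 1024) = 0
mmap(0, 1024, 3, 1, 5, 0) = 4096
ioctl(5, 30727, 0) = 0
close(5) = 0
"""
LINE_RE = re.compile(r'^(\w+)\((.*)\) = (-?\d+)$')
def parse_log(text):
    """Parse log lines into (name, args, ret) tuples; numeric args become ints."""
    calls = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m: continue  # skip lines the tracer truncated or garbled
        raw = [a.strip() for a in m.group(2).split(',')] if m.group(2) else []
        args = [int(a) if re.fullmatch(r'-?\d+', a) else a.strip('"') for a in raw]
        calls.append((m.group(1), args, int(m.group(3))))
    return calls
def infer_model(calls):
    """Model inference: keep the logged order; an int argument equal to a nonzero return
    of an earlier call becomes a ('ret', index) dependency (assumed fd/handle heuristic)."""
    model = []
    for i, (name, args, _) in enumerate(calls):
        tmpl = []
        for a in args:
            dep = next((j for j in range(i)
                        if isinstance(a, int) and a != 0 and calls[j][2] == a), None)
            tmpl.append(('ret', dep) if dep is not None else ('lit', a))
        model.append((name, tmpl))
    return model
def run_model(model, execute, mutate=lambda v: v):
    """Sequence-guided active run: issue calls in model order, resolve dependencies from this
    run's returns, mutate only literal ints; execute() returns None if the target died."""
    returns, done = [], []
    for name, tmpl in model:
        args = [returns[v] if kind == 'ret' else (mutate(v) if isinstance(v, int) else v)
                for kind, v in tmpl]
        ret = execute(name, args)
        if ret is None:
            break  # crash: stop here; the calls made so far are the reproducing test case
        returns.append(ret)
        done.append((name, args, ret))
    return done, len(done) / len(model)  # (calls made, fraction of the sequence reached)
def replay_executor(calls):
    """Stand-in for a real syscall executor: hands back the logged return values."""
    rets = iter(c[2] for c in calls)
    return lambda name, args: next(rets)
```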
Keywords/Search Tags: fuzzing, Android kernel, coverage guided, model inference