
A Research On Operating System Kernel Fuzzing Method

Posted on: 2022-09-10
Degree: Master
Type: Thesis
Country: China
Candidate: Y Z Fu
Full Text: PDF
GTID: 2518306731987819
Subject: Computer Science and Technology
Abstract/Summary:
Kernel fuzzing is a vulnerability detection technique that has received extensive attention from both academia and industry in recent years. A series of kernel fuzzing tools has been released, and thousands of bugs that seriously endanger the security and reliability of operating systems have been detected. Researchers have proposed various methods to improve fuzzing tools, from the applicability of the tools to their bug detection capabilities. However, quantitative evaluations of the existing fuzzing technology are lacking. Such evaluations not only benefit tool developers but also guide operating system maintainers in improving the security and reliability of the kernel.

This paper takes Google's kernel fuzzer Syzkaller as its research foundation and conducts an empirical analysis of the 3093 kernel bugs it discovered. These bugs are distributed across five kernels: Linux (2700), Android (55), FreeBSD (80), NetBSD (110), and OpenBSD (148), over a time span of four years (2017-2020). The empirical analysis has two parts: bug feature analysis and bug-triggering sequence analysis. For the bugs detected by Syzkaller, this paper analyzes bug characteristics in detail along five dimensions: bug classification, bug reproducibility, the number of kernel crashes caused by each bug, the distribution of bugs across kernel modules, and the complexity of bug-fixing patches. For the bug-triggering system call sequences collected from Syzkaller, this paper first measures the similarity between the sequences, then performs frequent subsequence mining on them to explore common sequence patterns, then analyzes the length of the sequences and their execution parameters, and finally studies the degree of influence on fuzzing from the perspective of individual system calls.

The main contributions of this paper are as follows:

(1) This paper collects the kernel bugs detected by the fuzzing tool and analyzes them in detail to reveal their characteristics. Meanwhile, we conduct experiments that expose problems in the existing fuzzing reproduction mechanism. This bug information can, on the one hand, help kernel developers design more robust mechanisms to enhance the reliability and security of the kernel; on the other hand, it reveals the existing defects and biases of fuzzing tools and guides the future research direction of fuzzing tools.

(2) This paper collects the bug-triggering system call sequences in the fuzzing scenario and analyzes their length and execution options respectively. Meanwhile, we compare kernel test programs with bug-triggering sequences. The sequence length analysis can guide the generation of kernel fuzzing seed sequences. The study of sequence execution options, on the one hand, suggests that developers combine different options to increase the probability of the tool triggering bugs; on the other hand, it can improve the reproducibility of bugs.

(3) This paper carries out sequence similarity exploration and a sequence mining experiment. The sequence similarity results show that the fuzzing mutation algorithm can generate a wide variety of system call sequences, covering as many code blocks as possible and increasing the probability of finding bugs. The sequence mining experiment explores the common sequence patterns of bug-triggering system call sequences. From the perspective of generating effective fuzzing input, a strategy to improve the tool's bug detection ability through these sequence patterns is proposed.
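The sequence analyses described in the abstract (similarity between bug-triggering sequences, frequent subsequence mining, sequence length statistics, and per-syscall influence), as an added example in Python. This is not code from the thesis or from Syzkaller, and the abstract does not state which metrics or mining algorithm the thesis used, so the choices below are assumptions: the input is a simplified form of Syzkaller's program syntax (one call per line, an optional `rN = ` result binding, `call$variant(args)`), the sample programs are constructed for illustration, similarity is normalised edit distance over syscall names, and a "frequent subsequence" is a contiguous run of calls that appears in at least `min_support` distinct programs.

```python
"""Analyses over bug-triggering syscall sequences (added example; not thesis or
Syzkaller code). Input format: one call per line, optional `rN = ` binding,
then `call$variant(args)`, a simplification of Syzkaller's program syntax."""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample reproducers for illustration; not real Syzkaller bug reports.
SAMPLE_PROGRAMS = [
    """r0 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$inet_tcp_int(r0, 0x6, 0x13, &(0x7f0000000000)=0x1, 0x4)
bind$inet(r0, &(0x7f0000000040)={0x2, 0x4e22}, 0x10)
listen(r0, 0x5)
close(r0)""",
    """r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, &(0x7f0000000040)={0x2, 0x4e22}, 0x10)
listen(r0, 0x5)
close(r0)""",
    """r0 = openat$null(0xffffffffffffff9c, &(0x7f0000000000)='/dev/null\\x00', 0x2, 0x0)
ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040))
close(r0)""",
    """r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, &(0x7f0000000040)={0x2, 0x4e22}, 0x10)
listen(r0, 0x5)""",
]

_CALL_RE = re.compile(
    r"^\s*(?:r\d+\s*=\s*)?"          # optional result binding "r0 = "
    r"([A-Za-z_][A-Za-z0-9_]*)"      # syscall name
    r"(?:\$([A-Za-z0-9_]+))?\("      # optional $variant, then the argument list
)


def parse_program(text: str, keep_variant: bool = False) -> list[str]:
    """Ordered syscall names of one program; arguments and result bindings are
    dropped, and the `$variant` suffix is kept only on request."""
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue  # blank or unparseable line
        name, variant = m.group(1), m.group(2)
        calls.append(f"{name}${variant}" if keep_variant and variant else name)
    return calls


def edit_distance(a: list[str], b: list[str]) -> int:
    """Levenshtein distance between two syscall sequences (one DP row at a time)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]


def similarity(a: list[str], b: list[str]) -> float:
    """1.0 for identical sequences, 0.0 when no call aligns; edge case: two empty
    sequences count as identical rather than dividing by zero."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - edit_distance(a, b) / longest


def frequent_subsequences(programs: list[list[str]], min_support: int,
                          max_len: int = 4) -> dict[tuple[str, ...], int]:
    """Contiguous call runs of length 2..max_len found in >= min_support programs.
    Support is counted once per program, so a run repeated inside one
    reproducer does not inflate it."""
    support: Counter = Counter()
    for seq in programs:
        runs = set()
        for n in range(2, max_len + 1):
            runs.update(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))
        support.update(runs)
    return {run: c for run, c in support.items() if c >= min_support}


def syscall_frequency(programs: list[list[str]]) -> Counter:
    """Number of programs each syscall occurs in (single-syscall influence)."""
    freq: Counter = Counter()
    for seq in programs:
        freq.update(set(seq))
    return freq


def length_stats(programs: list[list[str]]) -> dict:
    """Min/max/mean/median sequence length, the figures that guide seed length."""
    lengths = sorted(len(seq) for seq in programs)
    return {"min": lengths[0], "max": lengths[-1],
            "mean": sum(lengths) / len(lengths), "median": lengths[len(lengths) // 2]}


if __name__ == "__main__":
    seqs = [parse_program(p) for p in SAMPLE_PROGRAMS]
    print("lengths:", length_stats(seqs))
    print("frequent runs (support >= 2):", frequent_subsequences(seqs, min_support=2))
    print("per-syscall support:", syscall_frequency(seqs).most_common(4))
    print("similarity(P0, P1) = %.2f" % similarity(seqs[0], seqs[1]))
```

On the constructed samples the only run shared by three of the four programs is `bind -> listen`; lowering the support threshold to two also surfaces `socket -> bind -> listen`, which is the kind of pattern the abstract proposes feeding back into seed generation. Counting support per program rather than per occurrence matters for real Syzkaller corpora, where a single reproducer can repeat the same calls many times.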
Keywords/Search Tags:Kernel Fuzzing, Syzkaller, Kernel Bugs, Syscall Sequences