
Fuzzing Research Base On Linux Kernel

Posted on: 2024-05-22
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Huang
Full Text: PDF
GTID: 2568306944460134
Subject: Computer Science and Technology
Abstract/Summary:
With the widespread use of the Linux operating system, more and more security experts have begun to focus on the security of the Linux kernel. Fuzzing has become one of the most important tools for Linux kernel vulnerability detection in recent years. Linux kernel fuzzing is generally based on system call sequences: a large number of system call sequences are injected into the kernel to observe the kernel's responses and crashes. However, because the kernel provides a large number of system calls and their relevance to one another is not adequately analysed, kernel fuzzing faces a combinatorial explosion of system call sequences. In addition, strict branching problems and hard-coded kernel fuzzing strategies limit the efficiency of kernel fuzzing.

To address these challenges, this paper proposes two key designs:

(1) Fuzzing the Linux kernel with system call correlation, combining static and dynamic correlation. A more accurate kernel function call graph is extracted using an improved pointer analysis algorithm, which yields more complete and accurate global variable read/write dependencies. Static dependencies, parameter dependencies, return value dependencies and global variable read/write dependencies among system calls are fused, and dynamic system call correlation is used to correct the false positives produced by static system call correlation.

(2) Kernel fuzzing based on basic block weight and multi-armed bandit. Reward values drive task selection: the generate, mutate and triage jobs are treated as a multi-armed bandit problem, and seed selection as a second multi-armed bandit problem. Weights are assigned by evaluating how easily the test samples cover each basic block of the kernel source code, so that more valuable seeds receive higher weights.

The two key ideas above are implemented as dependFuzzer and syzballer. To verify the effectiveness of each, three different versions of the Linux kernel were selected for testing. According to the experimental findings, dependFuzzer resolves 47 additional sets (21% of all global variable dependencies), increases fuzzing coverage by 11.7% and detects 6 additional KASAN vulnerabilities. Syzballer improves fuzzing coverage by 17.8% and finds 6 more KASAN vulnerabilities by increasing the percentage of mutation tasks executed. The experimental results show that dependFuzzer alleviates the problem of combinatorial explosion and syzballer solves the problem of strict branching and hard-coded fuzzing strategies.
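The first key design, fusing several static system call dependency relations and then pruning them with dynamic observations, as an added example in Python. This is not the thesis's own code nor dependFuzzer's: the syscall descriptions, the global variable names, the dynamic observations and the walk that builds sequences are all constructed, and the relations are reduced to simple type and name matching on a handful of calls so the idea is visible in a few lines.

```python
"""Added example (not code from the thesis or from dependFuzzer): a toy model of
fusing static system call dependencies (parameter, return value, global
variable read/write) into one relation, then pruning it with dynamic
observations. All syscall descriptions and observations are constructed."""
from dataclasses import dataclass
from itertools import permutations
from typing import Optional, Tuple, FrozenSet


@dataclass(frozen=True)
class Syscall:
    name: str
    params: Tuple[str, ...]        # resource types consumed, e.g. ("fd",)
    returns: Optional[str]         # resource type produced, or None
    reads: FrozenSet[str]          # kernel globals read (constructed names)
    writes: FrozenSet[str]         # kernel globals written (constructed names)


# Constructed toy syscall model; the global variable names are illustrative only.
SYSCALLS = [
    Syscall("open",   (),        "fd",   frozenset(),               frozenset({"file_table"})),
    Syscall("read",   ("fd",),   None,   frozenset({"file_table"}), frozenset()),
    Syscall("write",  ("fd",),   None,   frozenset({"file_table"}), frozenset({"dirty_pages"})),
    Syscall("fsync",  ("fd",),   None,   frozenset({"dirty_pages"}), frozenset()),
    Syscall("socket", (),        "sock", frozenset(),               frozenset({"sock_table"})),
    Syscall("bind",   ("sock",), None,   frozenset({"sock_table"}), frozenset()),
    Syscall("getpid", (),        None,   frozenset(),               frozenset()),
]


def static_dependencies(syscalls):
    """Return {(a, b): reasons} for ordered pairs where b depends on a.
    Three static relations are fused: return value (a produces a resource b
    consumes), parameter (both consume the same resource type) and global
    read/write (a writes a variable that b reads)."""
    deps = {}
    for a, b in permutations(syscalls, 2):
        reasons = set()
        if a.returns is not None and a.returns in b.params:
            reasons.add("return")
        if set(a.params) & set(b.params):
            reasons.add("param")
        if a.writes & b.reads:
            reasons.add("global_rw")
        if reasons:
            deps[(a.name, b.name)] = reasons
    return deps


def dynamic_correction(static_deps, observed_pairs):
    """Drop static edges that never showed an effect at run time.
    observed_pairs holds the (a, b) pairs for which running b after a changed
    coverage or kernel state; here it is constructed rather than measured."""
    return {edge: r for edge, r in static_deps.items() if edge in observed_pairs}


def sequence_candidates(deps, start, length):
    """Walk the dependency relation from `start` to build syscall sequences in
    which every call depends on the previous one (no call is repeated)."""
    sequences = []

    def walk(seq):
        if len(seq) == length:
            sequences.append(tuple(seq))
            return
        for (a, b) in deps:
            if a == seq[-1] and b not in seq:
                walk(seq + [b])

    walk([start])
    return sequences


if __name__ == "__main__":
    static = static_dependencies(SYSCALLS)
    # Constructed dynamic observations: only these pairs showed an effect.
    observed = {("open", "read"), ("open", "write"), ("write", "fsync"), ("socket", "bind")}
    corrected = dynamic_correction(static, observed)
    print(f"static edges: {len(static)}, after dynamic correction: {len(corrected)}")
    print("sequences from open:", sequence_candidates(corrected, "open", 3))
```

The parameter relation alone links every pair of calls that share a resource type (read/write, write/read, read/fsync, ...), which is exactly the over-approximation that inflates the sequence space; the dynamic pass keeps only the edges that actually changed something, and the walk then yields far fewer candidate sequences.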
Keywords/Search Tags: kernel fuzzing, global variable dependencies, multi-armed bandit, basic block weight
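The second key design from the abstract, task selection as a multi-armed bandit and seed selection weighted by basic block coverage, as an added example in Python. This is not the thesis's own code nor syzballer's: UCB1 is used as the bandit policy (the abstract does not say which policy the thesis uses), the block weight is taken as the inverse of how many corpus seeds reach the block, and the "kernel" is a constructed coverage oracle with made-up per-task discovery probabilities.

```python
"""Added example (not the thesis's own code nor syzballer's): a toy fuzzing
scheduler that treats task selection (generate / mutate / triage) as a
multi-armed bandit solved with UCB1, and seed selection as a second bandit
whose arms are weighted by how hard the seed's basic blocks are to reach.
All coverage data and task effectiveness values are constructed."""
import math
import random
from collections import Counter

TASKS = ("generate", "mutate", "triage")


class Bandit:
    """UCB1 over a fixed set of arms; the reward of a pull is the number of
    new basic blocks the corresponding run discovered."""

    def __init__(self, arms, c=math.sqrt(2)):
        self.arms = list(arms)
        self.c = c
        self.pulls = {a: 0 for a in self.arms}
        self.total_reward = {a: 0.0 for a in self.arms}

    def select(self):
        # Every arm is pulled once before exploration/exploitation starts.
        for a in self.arms:
            if self.pulls[a] == 0:
                return a
        n = sum(self.pulls.values())

        def ucb(a):
            mean = self.total_reward[a] / self.pulls[a]
            return mean + self.c * math.sqrt(math.log(n) / self.pulls[a])

        return max(self.arms, key=ucb)

    def update(self, arm, reward):
        self.pulls[arm] += 1
        self.total_reward[arm] += reward


def block_weights(corpus):
    """Weight each basic block by how rarely the corpus reaches it: a block hit
    by few seeds is hard to cover and gets a higher weight.
    corpus: {seed_id: set of basic block ids}"""
    hits = Counter(b for blocks in corpus.values() for b in blocks)
    return {b: len(corpus) / n for b, n in hits.items()}


def seed_weights(corpus):
    """A seed's weight is the sum of the weights of the blocks it covers, so
    seeds that reach rare blocks are preferred as mutation inputs."""
    bw = block_weights(corpus)
    return {s: sum(bw[b] for b in blocks) for s, blocks in corpus.items()}


def pick_seed(corpus, rng):
    """Seed-selection bandit: weighted random choice over the seeds."""
    w = seed_weights(corpus)
    seeds = list(w)
    return rng.choices(seeds, weights=[w[s] for s in seeds], k=1)[0]


def run_campaign(rounds, corpus, rng):
    """Simulate `rounds` scheduling decisions against a constructed coverage
    oracle: each task type has a fixed probability of discovering up to three
    new blocks out of a space of 1000. Returns the task bandit and the set of
    covered blocks. The corpus dict is extended in place with new seeds."""
    task_bandit = Bandit(TASKS)
    covered = set().union(*corpus.values())
    # Constructed per-task effectiveness; in a real fuzzer this is unknown and
    # is exactly what the bandit has to learn from observed rewards.
    p_new = {"generate": 0.2, "mutate": 0.6, "triage": 0.1}
    for _ in range(rounds):
        task = task_bandit.select()
        seed = pick_seed(corpus, rng) if task == "mutate" else None
        new_blocks = set()
        if rng.random() < p_new[task]:
            new_blocks = {rng.randrange(1000) for _ in range(3)} - covered
        if new_blocks and seed is not None:
            # A mutant that found new coverage joins the corpus as a new seed.
            corpus[f"seed{len(corpus)}"] = corpus[seed] | new_blocks
        covered |= new_blocks
        task_bandit.update(task, float(len(new_blocks)))
    return task_bandit, covered


if __name__ == "__main__":
    rng = random.Random(0)
    initial = {"s1": {1, 2}, "s2": {2, 3}, "s3": {2}}  # constructed corpus
    bandit, covered = run_campaign(200, initial, rng)
    print("pulls per task:", bandit.pulls)
    print("blocks covered:", len(covered))
```

Because the reward is measured new coverage rather than a fixed schedule, the task that actually pays off is pulled most often over the campaign, which is the mechanism the abstract credits for the increased share of mutation tasks; the seed weights shift as new seeds enter the corpus, so a block that was rare stops being favoured once many seeds reach it.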