Device drivers are an essential part of modern Unix-like systems, handling operations on physical devices from hard disks and printers to digital cameras and Bluetooth speakers. The surge of new hardware, particularly on mobile devices, has brought an explosive growth of device drivers in system kernels. Many such drivers are provided by third-party developers, and these drivers are susceptible to security vulnerabilities and lack proper vetting. Unfortunately, the complex input data structures expected by device drivers make traditional analysis tools, such as fuzz testing, less effective, and so far research on kernel driver security has been comparatively sparse.
DIFUZE is an interface-aware fuzzing tool that automatically generates valid inputs and triggers the execution of kernel drivers. We leverage static analysis to compose correctly-structured input in userspace to explore kernel drivers.
DIFUZE is fully automatic, from identifying driver handlers, to mapping them to device file names, to constructing complex argument instances. We evaluate our approach on seven modern Android smartphones. The results show that DIFUZE can effectively identify kernel driver bugs, and it reports 32 previously unknown vulnerabilities, including flaws that lead to arbitrary code execution.
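The abstract's point that a fuzzer must compose correctly-structured input before a driver handler will even accept it can be seen in the ioctl request number itself, where the driver packs the argument size next to the command identifier. The following C program is an added example and is not code from the DIFUZE paper or repository: it decodes the fields of an ioctl request number using the asm-generic layout (8-bit nr, 8-bit type, 14-bit size, 2-bit direction) that arm64 kernels use, and checks whether a userspace argument buffer matches the size the driver encoded. The driver name, magic byte, command number and argument struct below are constructed for illustration, not taken from any real driver.

```c
/* Added example, not part of the DIFUZE project. Mirrors the asm-generic
 * ioctl number layout used by arm64 Linux: nr | type | size | dir. */
#include <stdint.h>
#include <stdio.h>

#define IOC_NRBITS    8
#define IOC_TYPEBITS  8
#define IOC_SIZEBITS  14
#define IOC_NRSHIFT   0
#define IOC_TYPESHIFT (IOC_NRSHIFT + IOC_NRBITS)
#define IOC_SIZESHIFT (IOC_TYPESHIFT + IOC_TYPEBITS)
#define IOC_DIRSHIFT  (IOC_SIZESHIFT + IOC_SIZEBITS)

#define IOC_NONE  0U
#define IOC_WRITE 1U
#define IOC_READ  2U

struct ioctl_fields {
    unsigned dir;   /* IOC_NONE / IOC_READ / IOC_WRITE or both */
    unsigned type;  /* "magic" byte chosen by the driver author */
    unsigned nr;    /* command index within that driver */
    unsigned size;  /* size of the argument struct the handler expects */
};

/* Build a request number the way the kernel's _IOC() macro does. */
uint32_t encode_ioctl(unsigned dir, unsigned type, unsigned nr, unsigned size) {
    return (dir  << IOC_DIRSHIFT)  |
           (size << IOC_SIZESHIFT) |
           (type << IOC_TYPESHIFT) |
           (nr   << IOC_NRSHIFT);
}

/* Recover the four fields from a request number (the _IOC_DIR/_IOC_TYPE/
 * _IOC_NR/_IOC_SIZE macros in the kernel do the same). */
struct ioctl_fields decode_ioctl(uint32_t cmd) {
    struct ioctl_fields f;
    f.dir  = (cmd >> IOC_DIRSHIFT)  & ((1U << 2) - 1);
    f.size = (cmd >> IOC_SIZESHIFT) & ((1U << IOC_SIZEBITS) - 1);
    f.type = (cmd >> IOC_TYPESHIFT) & ((1U << IOC_TYPEBITS) - 1);
    f.nr   = (cmd >> IOC_NRSHIFT)   & ((1U << IOC_NRBITS) - 1);
    return f;
}

/* Constructed demo driver interface: a hypothetical command that reads and
 * writes a 16-byte argument struct. Nothing here refers to a real driver. */
struct demo_arg {
    uint32_t flags;
    uint32_t len;
    uint64_t buf_ptr;   /* userspace pointer the handler would copy from */
};
#define DEMO_MAGIC 'k'
#define DEMO_NR    3

uint32_t demo_cmd(void) {
    return encode_ioctl(IOC_READ | IOC_WRITE, DEMO_MAGIC, DEMO_NR,
                        (unsigned)sizeof(struct demo_arg));
}

/* 1 if a buffer of actual_size bytes matches what the request number says
 * the handler expects, 0 otherwise. A fuzzer that guesses the wrong struct
 * layout fails this check before the handler's own logic is ever reached. */
int arg_matches_cmd(uint32_t cmd, unsigned actual_size) {
    return decode_ioctl(cmd).size == actual_size;
}

int main(void) {
    uint32_t cmd = demo_cmd();
    struct ioctl_fields f = decode_ioctl(cmd);
    printf("cmd=0x%08x dir=%u type='%c' nr=%u size=%u\n",
           cmd, f.dir, (char)f.type, f.nr, f.size);
    printf("16-byte arg matches: %d, 8-byte arg matches: %d\n",
           arg_matches_cmd(cmd, 16), arg_matches_cmd(cmd, 8));
    return 0;
}
```

The size field is the practical reason interface recovery matters: handlers typically switch on the full request number, so an input whose argument structure does not match the driver's definition is rejected or never reaches the interesting code paths, which is why DIFUZE recovers the handler's expected argument types statically before generating inputs.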
CCS Concepts: • Security and privacy → Mobile platform security; Vulnerability scanners.
Setting up DIFUZE:
sudo apt-get install libxml2-dev
git clone https://github.com/ucsb-seclab/difuze && cd difuze
python setup_difuze.py -o difuze_deps

Building the target kernel (V=1 makes make print every compiler invocation; the redirect saves that output to makeout.txt, which the analysis reads through its -m option):
make V=1 O=out ARCH=arm64 > makeout.txt 2>&1

Running Interface Recovery analysis (the paths below are the example values for a MediaTek 3.18 kernel):
python run_all.py -l ~/mediatek_kernel/llvm_bitcode_out -a 1 -m ~/mediatek_kernel/kernel-3.18/makeout.txt -g aarch64-linux-android-gcc -n 2 -o ~/mediatek_kernel/kernel-3.18/out -k ~/mediatek_kernel/kernel-3.18 -f ~/mediatek_kernel/ioctl_finder_out