PeriFuzz: fuzzing the peripheral device/kernel frontier
The OS kernel is responsible for managing the computer's underlying hardware,
mediating access to shared resources, and servicing requests from peripheral
devices. The kernel is exposed to input from user programs via the syscall
interface, from data packets arriving over the network, and from hardware through
the device drivers for attached peripherals. The reliability and security of the
kernel are paramount, because a kernel compromise affects the whole system. All
three input interfaces expose the kernel to attacks. To date, testing efforts have
focused mostly on syscalls and network peripherals. The possibility of malicious
hardware, e.g., a USB-connected device, has been neglected. The state-of-the-art
testing technique, fuzzing, relies on providing random data to programs. Fuzzing
device drivers has proven difficult because no good technique exists for providing
random data from the hardware side. Consequently, fuzzing achieves poor coverage in
device drivers.
We present PeriFuzz, a framework that applies coverage-guided fuzzing to the
input an OS kernel receives from a malicious peripheral device. PeriFuzz emulates
a peripheral device that supplies data to the kernel whenever the kernel performs
IO operations on it. This allows us to fuzz the peripheral input space of the
kernel from the device's perspective, an angle that is difficult to achieve with
real hardware.
We implemented a prototype that focuses on USB device drivers of the Linux
kernel. Our preliminary evaluation on 9 recent versions of the Linux kernel
demonstrates its effectiveness: PeriFuzz discovered 53 bugs, of which 37 are
new, and 36 are memory bugs of high security impact, potentially allowing
arbitrary read or write in the kernel address space.
CVE | Title | Patch |
--- | --- | --- |
CVE-2018-20169 | OOB read in __usb_get_extra_descriptor | 4.20-RC5 |
CVE-2018-19824 | UAF write in usb_audio_probe | 4.20-RC5 |
CVE-2019-15098 | NULL dereference in ath6kl_usb_alloc_urb_from_pipe | git |
CVE-2019-15099 | NULL dereference in ath10k_usb_alloc_urb_from_pipe | git |
CVE-2018-19985 | OOB read in hso_get_config_data | git |
CVE-2019-15117 | OOB access in parse_audio_mixer_unit | git |
CVE-2019-15118 | Stack buffer overflow bug in check_input_term | git |
CVE-2019-15504 | Double free bug in rsi_91x_deinit | 5.2.9 |
CVE-2019-15505 | OOB read in technisat_usb2_get_ir | git and lkml |
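Several of the bugs in the table are out-of-bounds reads in code that walks descriptors supplied by the device, which is exactly the input channel PeriFuzz emulates. The following added example (written for this page, not PeriFuzz's own code or the kernel's) shows the bounds checks a descriptor walker must make before trusting a device-supplied bLength. It assumes only the generic USB descriptor header layout (a one-byte bLength followed by a one-byte bDescriptorType); the two sample blobs are constructed for illustration, and the second one carries a bLength that overruns the buffer, the shape of input that an unchecked walker would read past.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Every USB descriptor begins with bLength and bDescriptorType (USB 2.0
 * spec, section 9.5). Both bytes come from the device, so neither can be
 * trusted by the host driver. */
#define USB_DT_HEADER_SIZE 2

/* Walk a descriptor blob received from a device and record the type of
 * each descriptor it contains. Returns the number of descriptors found,
 * or -1 if the blob is malformed: a header that does not fit, a bLength
 * shorter than the header, or a bLength that runs past the end of the
 * buffer. These are the checks that keep field accesses in bounds. */
int walk_descriptors(const uint8_t *buf, size_t len,
                     uint8_t *types, size_t max_types)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        size_t remaining = len - off;

        /* Need both header bytes before reading them. */
        if (remaining < USB_DT_HEADER_SIZE)
            return -1;

        uint8_t blen = buf[off];
        uint8_t btype = buf[off + 1];

        /* A sub-header bLength would stall the loop or re-read the header;
         * a bLength larger than what remains would make any access to the
         * descriptor body read beyond the buffer (an OOB read). */
        if (blen < USB_DT_HEADER_SIZE || blen > remaining)
            return -1;

        if ((size_t)count < max_types)
            types[count] = btype;
        count++;
        off += blen;
    }
    return count;
}

/* Constructed sample: a configuration descriptor (type 2, 9 bytes,
 * wTotalLength = 18) followed by an interface descriptor (type 4, 9 bytes). */
static const uint8_t good_blob[] = {
    9, 2, 18, 0, 1, 1, 0, 0x80, 50,
    9, 4, 0, 0, 1, 0xff, 0, 0, 0,
};

/* Constructed sample: same layout, but the interface descriptor claims
 * 32 bytes while only 9 remain in the buffer. */
static const uint8_t bad_blob[] = {
    9, 2, 18, 0, 1, 1, 0, 0x80, 50,
    32, 4, 0, 0, 1, 0xff, 0, 0, 0,
};

/* Helpers that run the walker over each constructed blob. */
int check_good_blob(void)
{
    uint8_t types[4];
    return walk_descriptors(good_blob, sizeof good_blob, types, 4);
}

int check_bad_blob(void)
{
    uint8_t types[4];
    return walk_descriptors(bad_blob, sizeof bad_blob, types, 4);
}

int main(void)
{
    printf("well-formed blob: %d descriptors\n", check_good_blob());
    printf("overlong bLength: %d (rejected)\n", check_bad_blob());
    return 0;
}
```

The point a fuzzer like PeriFuzz exercises is the second blob: a real device never sends it, so a driver that omits the `blen > remaining` check passes ordinary testing, while an emulated device that controls every byte of the descriptor reaches the unchecked read immediately.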