PeriFuzz: fuzzing the peripheral device/kernel frontier

The OS kernel is responsible for managing the computer's underlying hardware, mediating access to shared resources, and managing requests from peripheral devices. The kernel is exposed to input from user programs via the syscall interface, data packets from the network, as well as hardware through device drivers for attached peripherals. The reliability and security of the kernel are paramount as it affects the whole system. All three input interfaces expose the kernel to attacks. To date, testing efforts have focused mostly on syscalls and network peripherals. The possibility of malicious hardware, e.g., a USB connected device, has been neglected. The state of the art testing technique, fuzzing, relies on providing random data to programs. Fuzzing device drivers has proven difficult because no good technique exists for providing random data from the hardware. Consequently, fuzzing achieves poor coverage in device drivers.

We present PeriFuzz, a framework to apply coverage-guided fuzzing to OS kernels, coming from a malicious peripheral device. PeriFuzz emulates a peripheral device that provides data to the kernel (when it performs IO operations). This allows us to fuzz the peripheral input space of the kernel from the device's perspective, an angle that is difficult to achieve with real hardware.

We implemented a prototype that focuses on USB device drivers of the Linux kernel. Our preliminary evaluation on 9 recent versions of Linux kernel demonstrates its effectiveness: PeriFuzz discovered 53 bugs, out of which 37 are new, and 36 are memory bugs of high security impact, potentially allowing arbitrary read or write in the kernel address space.

CVE-2018-20169OOB read in __usb_get_extra_descriptor4.20-RC5
CVE-2018-19824 UAF write in usb_audio_probe4.20-RC5
CVE-2019-15098NULL derefernce in ath6kl_usb_alloc_urb_from_pipe git
CVE-2019-15099NULL derefernce in ath10k_usb_alloc_urb_from_pipe git
CVE-2018-19985OOB read in hso_get_config_datagit
CVE-2019-15117OOB access in parse_audio_mixer_unitgit
CVE-2019-15118Stack buffer overflow bug in check_input_termgit
CVE-2019-15504Double free bug in rsi_91x_deinit5.2.9
CVE-2019-15505OOB read in technisat_usb2_get_irgit and lkml
CVE-2019-15505OOB read in technisat_usb2_get_irgit and lkml