Horus : Accelerating Kernel Fuzzing through Efficient Host-VM Memory Access Procedures

Author:

Liu Jianzhong [1], Shen Yuheng [1], Xu Yiru [1], Sun Hao [1], Jiang Yu [1]

Affiliation:

1. Tsinghua University, China

Abstract

Kernel fuzzing is an effective technique for operating system vulnerability detection. Fuzzers such as Syzkaller and Moonshine frequently pass highly structured data between fuzzer processes in guest virtual machines and manager processes in the host operating system to synchronize fuzzing-relevant data and information. Since the guest virtual machines' and the host operating system's memory spaces are mutually isolated, fuzzers conduct synchronization operations using mechanisms such as Remote Procedure Calls over TCP/IP networks, incurring significant overheads that negatively impact the fuzzer's efficiency and effectiveness in increasing code coverage and finding vulnerabilities. In this paper, we propose Horus, a kernel fuzzing data transfer mechanism that mitigates the aforementioned data transfer overheads. Horus removes host-VM memory isolation and performs data transfers by copying to and from target memory locations in the guest virtual machine. Horus facilitates such efficient transfers by using fixed stub structures in the guest's memory space, whose addresses, along with the guest's RAM contents, are exposed to the host during the fuzzer's initialization process. When conducting transfers, Horus passes highly structured, non-trivial data between the host and guest instances by copying the data directly to and from the stub structures, reducing the overall overhead significantly compared to that of a network-based approach. We implemented Horus upon the state-of-the-art kernel fuzzers Syzkaller, Moonshine, and kAFL and evaluated its effectiveness. For Syzkaller and Moonshine, Horus increased their transfer speeds by 84.5% and 85.8% for non-trivial workloads on average and improved their fuzzing throughputs by 31.07% and 30.62%, respectively. Syzkaller and Moonshine both achieved a coverage speedup of 1.6× by using Horus. For kAFL, Horus improved specifically its Redqueen component's execution speeds by 19.4%.

Funder

National Key Research and Development Project

NSFC

MIIT

Publisher

Association for Computing Machinery (ACM)

Subject

Software

