Youlin Li,Weina Niu,Yukun Zhu,Jiacheng Gong,Beibei Li,Xiaosong Zhang

DOI: https://doi.org/10.1109/icc45041.2023.10278676

2023-01-01

Abstract:eBPF is widely used in Microsoft, Google, and Facebook because it is able to extend kernel without modifying the kernel source code. Nevertheless, vulnerabilities in kernel with eBPF will affect the stability and security of information system. Fuzzing has proven to be an effective approach for finding kernel bugs since it requires minimal knowledge about the target. However, two main challenges exist in discovering eBPF logical bugs: generating input that satisfies all eBPF instruction semantic requirements, and detecting the eBPF logical bug states. We remove highly semantically demanding and unnecessary instructions by analyzing the impact of the instructions to obtain a higher verification pass rate to address the first challenge. We also develop a bound-violation indicator to address the second challenge based on our analysis of eBPF logical bug patterns. We manually introduce 10 recently fixed logical bugs in eBPF for evaluation, and the experimental results show that we can effectively find 9 of them, while Syzkaller fails on all of them. In addition, 4 new bugs have been fixed for upstream Linux based on our work, and 3 functional issues have been reported.

Shaohua Li,Zhendong Su

2024-01-09

Abstract:In this paper, we propose a testing framework for validating sanitizer implementations in compilers. Our core components are (1) a program generator specifically designed for producing programs containing undefined behavior (UB), and (2) a novel test oracle for sanitizer testing. The program generator employs Shadow Statement Insertion, a general and effective approach for introducing UB into a valid seed program. The generated UB programs are subsequently utilized for differential testing of multiple sanitizer implementations. Nevertheless, discrepant sanitizer reports may stem from either compiler optimization or sanitizer bugs. To accurately determine if a discrepancy is caused by sanitizer bugs, we introduce a new test oracle called crash-site mapping. We have incorporated our techniques into UBfuzz, a practical tool for testing sanitizers. Over a five-month testing period, UBfuzz successfully found 31 bugs in both GCC and LLVM sanitizers. These bugs reveal the serious false negative problems in sanitizers, where certain UBs in programs went unreported. This research paves the way for further investigation in this crucial area of study.

Cryptography and Security,Programming Languages,Software Engineering

Elazar Gershuni,Nadav Amit,Arie Gurfinkel,Nina Narodytska,Jorge A. Navas,Noam Rinetzky,Leonid Ryzhyk,Mooly Sagiv

DOI: https://doi.org/10.1145/3314221.3314590

2019-06-08

Abstract:Extended Berkeley Packet Filter (eBPF) is a Linux subsystem that allows safely executing untrusted user-defined extensions inside the kernel. It relies on static analysis to protect the kernel against buggy and malicious extensions. As the eBPF ecosystem evolves to support more complex and diverse extensions, the limitations of its current verifier, including high rate of false positives, poor scalability, and lack of support for loops, have become a major barrier for developers. We design a static analyzer for eBPF within the framework of abstract interpretation. Our choice of abstraction is based on common patterns found in many eBPF programs. We observed that eBPF programs manipulate memory in a rather disciplined way which permits analyzing them successfully with a scalable mixture of very-precise abstraction of certain bounded regions with coarser abstractions of other parts of the memory. We use the Zone domain, a simple domain that tracks differences between pairs of registers and offsets, to achieve precise and scalable analysis. We demonstrate that this abstraction is as precise in practice as more costly abstract domains like Octagon and Polyhedra. Furthermore, our evaluation, based on hundreds of real-world eBPF programs, shows that the new tool generates no more false alarms than the existing Linux verifier, while it supports a wider class of programs (including programs with loops) and has better asymptotic complexity.

Hsin-Wei Hung,Ardalan Amiri Sani

DOI: https://doi.org/10.48550/arXiv.2305.08782

2023-05-16

Abstract:The eBPF technology in the Linux kernel has been widely adopted for different applications, such as networking, tracing, and security, thanks to the programmability it provides. By allowing user-supplied eBPF programs to be executed directly in the kernel, it greatly increases the flexibility and efficiency of deploying customized logic. However, eBPF also introduces a new and wide attack surface: malicious eBPF programs may try to exploit the vulnerabilities in the eBPF subsystem in the kernel. Fuzzing is a promising technique to find such vulnerabilities. Unfortunately, our experiments with the state-of-the-art kernel fuzzer, Syzkaller, shows that it cannot effectively fuzz the eBPF runtime, those components that are in charge of executing an eBPF program, for two reasons. First, the eBPF verifier (which is tasked with verifying the safety of eBPF programs) rejects many fuzzing inputs because (1) they do not comply with its required semantics or (2) they miss some dependencies, i.e., other syscalls that need to be issued before the program is loaded. Second, Syzkaller fails to attach and trigger the execution of eBPF programs most of the times. This paper introduces the BPF Runtime Fuzzer (BRF), a fuzzer that can satisfy the semantics and dependencies required by the verifier and the eBPF subsystem. Our experiments show, in 48-hour fuzzing sessions, BRF can successfully execute 8x more eBPF programs compared to Syzkaller. Moreover, eBPF programs generated by BRF are much more expressive than Syzkaller's. As a result, BRF achieves 101% higher code coverage. Finally, BRF has so far managed to find 4 vulnerabilities (some of them have been assigned CVE numbers) in the eBPF runtime, proving its effectiveness.

Cryptography and Security,Software Engineering

Kaled Alshmrany,Lucas Cordeiro

DOI: https://doi.org/10.48550/arXiv.2001.09592

2020-01-27

Cryptography and Security

Abstract:Implementations of network protocols are often prone to vulnerabilities caused by developers' mistakes when accessing memory regions and dealing with arithmetic operations. Finding practical approaches for checking the security of network protocol implementations has proven to be a challenging problem. The main reason is that the protocol software state-space is too large to be explored. Here we propose a novel verification approach that combines fuzzing with symbolic execution to verify intricate properties in network protocol implementations. We use fuzzing for an initial exploration of the network protocol, while symbolic execution explores both the program paths and protocol states, which were uncovered by fuzzing. From this combination, we automatically generate high-coverage test input packets for a network protocol implementation. We surveyed various approaches based on fuzzing and symbolic execution to understand how these techniques can be effectively combined and then choose a suitable tool to develop further our model on top of it. In our preliminary evaluation, we used ESBMC, Map2Check, and KLEE as software verifiers and SPIKE as fuzzer to check their suitability to verify our network protocol implementations. Our experimental results show that ESBMC can be further developed within our verification framework called \textit{FuSeBMC}, to efficiently and effectively detect intricate security vulnerabilities in network protocol implementations.

Yutian Wang,Dan Li,Li Chen

DOI: https://doi.org/10.1145/3609021.3609305

2023-01-01

Abstract:The flexibility of eBPF makes it widely used in performance, security, and monitoring. However, this flexibility is a double-edged sword, allowing attackers to use eBPF for malicious purposes. Security researchers have discovered multiple backdoors built by eBPF. Detecting malicious eBPF programs is challenging since eBPF exploits are almost invisible to inspection in both the user and kernel space. To defend against malicious eBPF programs, auditing an operating system's eBPF programs externally at load time is a more efficient approach. We propose HyperBee, a system integrated into the hypervisor that enables auditing of eBPF programs loaded in guests without performance impact during the execution. Guests relinquish their ability to load eBPF programs and must complete verification and JIT compilation of their eBPF programs through HyperBee. We implement a prototype of HyperBee on KVM and the HyperBee-aware guest based on Linux and evaluate its performance when loading eBPF programs. Our results show that HyperBee only brings overhead at load time: 9% extra load time when there is no security policy and 17% extra load time when using security policies against known eBPF malicious programs.

Ruijie Meng,Gregory J. Duck,Abhik Roychoudhury

2024-09-02

Abstract:Computer programs are not executed in isolation, but rather interact with the execution environment which drives the program behaviors. Software validation methods thus need to capture the effect of possibly complex environmental interactions. Program environments may come from files, databases, configurations, network sockets, human-user interactions, and more. Conventional approaches for environment capture in symbolic execution and model checking employ environment modeling, which involves manual effort. In this paper, we take a different approach based on an extension of greybox fuzzing. Given a program, we first record all observed environmental interactions at the kernel/user-mode boundary in the form of system calls. Next, we replay the program under the original recorded interactions, but this time with selective mutations applied, in order to get the effect of different program environments -- all without environment modeling. Via repeated (feedback-driven) mutations over a fuzzing campaign, we can search for program environments that induce crashing behaviors. Our EnvFuzz tool found 33 previously unknown bugs in well-known real-world protocol implementations and GUI applications. Many of these are security vulnerabilities and 16 CVEs were assigned.

Software Engineering

Soo Yee Lim,Tanya Prasad,Xueyuan Han,Thomas Pasquier

2024-09-11

Abstract:The eBPF framework enables execution of user-provided code in the Linux kernel. In the last few years, a large ecosystem of cloud services has leveraged eBPF to enhance container security, system observability, and network management. Meanwhile, incessant discoveries of memory safety vulnerabilities have left the systems community with no choice but to disallow unprivileged eBPF programs, which unfortunately limits eBPF use to only privileged users. To improve run-time safety of the framework, we introduce SafeBPF, a general design that isolates eBPF programs from the rest of the kernel to prevent memory safety vulnerabilities from being exploited. We present a pure software implementation using a Software-based Fault Isolation (SFI) approach and a hardware-assisted implementation that leverages ARM's Memory Tagging Extension (MTE). We show that SafeBPF incurs up to 4% overhead on macrobenchmarks while achieving desired security properties.

Cryptography and Security,Operating Systems

Xiaochen Zou,Guoren Li,Weiteng Chen,Hang Zhang,Zhiyun Qian

DOI: https://doi.org/10.48550/arXiv.2111.06002

2021-11-11

Cryptography and Security

Abstract:Fuzzing has become one of the most effective bug finding approach for software. In recent years, 24*7 continuous fuzzing platforms have emerged to test critical pieces of software, e.g., Linux kernel. Though capable of discovering many bugs and providing reproducers (e.g., proof-of-concepts), a major problem is that they neglect a critical function that should have been built-in, i.e., evaluation of a bug's security impact. It is well-known that the lack of understanding of security impact can lead to delayed bug fixes as well as patch propagation. In this paper, we develop SyzScope, a system that can automatically uncover new "high-risk" impacts given a bug with seemingly "low-risk" impacts. From analyzing over a thousand low-risk bugs on syzbot, SyzScope successfully determined that 183 low-risk bugs (more than 15%) in fact contain high-risk impacts, e.g., control flow hijack and arbitrary memory write, some of which still do not have patches available yet.

Fatimah Aljaafari,Rafael Menezes,Mustafa A. Mustafa,Lucas C. Cordeiro

DOI: https://doi.org/10.48550/arXiv.2103.11363

2021-04-28

Abstract:Internet of Things (IoT) consists of a large number of devices connected through a network, which exchange a high volume of data, thereby posing new security, privacy, and trust issues. One way to address these issues is ensuring data confidentiality using lightweight encryption algorithms for IoT protocols. However, the design and implementation of such protocols is an error-prone task; flaws in the implementation can lead to devastating security vulnerabilities. Here we propose a new verification approach named Encryption-BMC and Fuzzing (EBF), which combines Bounded Model Checking (BMC) and Fuzzing techniques to check for security vulnerabilities that arise from concurrent implementations of cyrptographic protocols, which include data race, thread leak, arithmetic overflow, and memory safety. EBF models IoT protocols as a client and server using POSIX threads, thereby simulating both entities' communication. It also employs static and dynamic verification to cover the system's state-space exhaustively. We evaluate EBF against three benchmarks. First, we use the concurrency benchmark from SV-COMP and show that it outperforms other state-of-the-art tools such as ESBMC, AFL, Lazy-CSeq, and TSAN with respect to bug finding. Second, we evaluate an open-source implementation called WolfMQTT. It is an MQTT client implementation that uses the WolfSSL library. We show that \tool detects a data race bug, which other approaches are unable to find. Third, to show the effectiveness of EBF, we replicate some known vulnerabilities in OpenSSL and CyaSSL (lately WolfSSL) libraries. EBF can detect the bugs in minimum time.

Cryptography and Security

Soo Yee Lim,Xueyuan Han,Thomas Pasquier

2023-08-15

Abstract:For safety reasons, unprivileged users today have only limited ways to customize the kernel through the extended Berkeley Packet Filter (eBPF). This is unfortunate, especially since the eBPF framework itself has seen an increase in scope over the years. We propose SandBPF, a software-based kernel isolation technique that dynamically sandboxes eBPF programs to allow unprivileged users to safely extend the kernel, unleashing eBPF's full potential. Our early proof-of-concept shows that SandBPF can effectively prevent exploits missed by eBPF's native safety mechanism (i.e., static verification) while incurring 0%-10% overhead on web server benchmarks.

Operating Systems,Cryptography and Security

Zhang Feng,Zhao Yongwang,Ma Dianfu,Niu Wensheng

DOI: https://doi.org/10.1109/isorc.2019.00013

2019-01-01

Abstract:Bugs in memory management of Operating Systems may lead to crashing. This paper presents a case study of formal verification on the buddy memory allocation component of the Zephyr RTOS kernel. The algorithm of the component allows memory blocks of 4-power sizes to be dynamically allocated by efficiently partitioning larger blocks into smaller ones, and then be released supporting immediate and automatic combining of smaller blocks. The execution of memory allocation is preemptive, which means that the allocation may invoke rescheduling when there is no block available for memory requests. In this paper, we provide a fine-grained formal specification of buddy memory allocation and formally verify its safety via invariants and functional correctness. The specification covers all the elements of the data structure as well as all statements of memory initialization, allocation, and release presented in the C source code. During the formal verification, we found a functional flaw in the C code. To the best of our knowledge, this paper is the first effort of formal verification at a fine-grained level on buddy memory allocation in Operating Systems.

Chen Chen,Rahul Kande,Nathan Nguyen,Flemming Andersen,Aakash Tyagi,Ahmad-Reza Sadeghi,Jeyavijayan Rajendran

2023-06-25

Abstract:Recent research has shown that hardware fuzzers can effectively detect security vulnerabilities in modern processors. However, existing hardware fuzzers do not fuzz well the hard-to-reach design spaces. Consequently, these fuzzers cannot effectively fuzz security-critical control- and data-flow logic in the processors, hence missing security vulnerabilities. To tackle this challenge, we present HyPFuzz, a hybrid fuzzer that leverages formal verification tools to help fuzz the hard-to-reach part of the processors. To increase the effectiveness of HyPFuzz, we perform optimizations in time and space. First, we develop a scheduling strategy to prevent under- or over-utilization of the capabilities of formal tools and fuzzers. Second, we develop heuristic strategies to select points in the design space for the formal tool to target. We evaluate HyPFuzz on five widely-used open-source processors. HyPFuzz detected all the vulnerabilities detected by the most recent processor fuzzer and found three new vulnerabilities that were missed by previous extensive fuzzing and formal verification. This led to two new common vulnerabilities and exposures (CVE) entries. HyPFuzz also achieves 11.68$\times$ faster coverage than the most recent processor fuzzer.

Cryptography and Security

Fatimah K. Aljaafari,Rafael Menezes,Edoardo Manino,Fedor Shmarov,Mustafa A. Mustafa,Lucas C. Cordeiro

DOI: https://doi.org/10.48550/arXiv.2206.06043

2022-10-20

Abstract:Finding software vulnerabilities in concurrent programs is a challenging task due to the size of the state-space exploration, as the number of interleavings grows exponentially with the number of program threads and statements. We propose and evaluate EBF (Ensembles of Bounded Model Checking with Fuzzing) -- a technique that combines Bounded Model Checking (BMC) and Gray-Box Fuzzing (GBF) to find software vulnerabilities in concurrent programs. Since there are no publicly-available GBF tools for concurrent code, we first propose OpenGBF -- a new open-source concurrency-aware gray-box fuzzer that explores different thread schedules by instrumenting the code under test with random delays. Then, we build an ensemble of a BMC tool and OpenGBF in the following way. On the one hand, when the BMC tool in the ensemble returns a counterexample, we use it as a seed for OpenGBF, thus increasing the likelihood of executing paths guarded by complex mathematical expressions. On the other hand, we aggregate the outcomes of the BMC and GBF tools in the ensemble using a decision matrix, thus improving the accuracy of EBF. We evaluate EBF against state-of-the-art pure BMC tools and show that it can generate up to 14.9% more correct verification witnesses than the corresponding BMC tools alone. Furthermore, we demonstrate the efficacy of OpenGBF, by showing that it can find 24.2% of the vulnerabilities in our evaluation suite, while non-concurrency-aware GBF tools can only find 0.55%. Finally, thanks to our concurrency-aware OpenGBF, EBF detects a data race in the open-source wolfMqtt library and reproduces known bugs in several other real-world programs, which demonstrates its effectiveness in finding vulnerabilities in real-world software.

Software Engineering,Systems and Control

Yuntong Zhang,Ridwan Shariffdeen,Gregory J. Duck,Jiaqi Tan,Abhik Roychoudhury

2023-08-02

Abstract:Fuzz testing (fuzzing) is a well-known method for exposing bugs/vulnerabilities in software systems. Popular fuzzers, such as AFL, use a biased random search over the domain of program inputs, where 100s or 1000s of inputs (test cases) are executed per second in order to expose bugs. If a bug is discovered, it can either be fixed manually by the developer or fixed automatically using an Automated Program Repair (APR) tool. Like fuzzing, many existing APR tools are search-based, but over the domain of patches rather than inputs. In this paper, we propose search-based program repair as patch-level fuzzing. The basic idea is to adapt a fuzzer (AFL) to fuzz over the patch space rather than the input space. Thus we use a patch-space fuzzer to explore a patch space, while using a traditional input level fuzzer to rule out patch candidates and help in patch selection. To improve the throughput, we propose a compilation-free patch validation methodology, where we execute the original (unpatched) program natively, then selectively interpret only the specific patched statements and expressions. Since this avoids (re)compilation, we show that compilation-free patch validation can achieve a similar throughput as input-level fuzzing (100s or 1000s of execs/sec). We show that patch-level fuzzing and input-level fuzzing can be combined, for a co-exploration of both spaces in order to find better quality patches. Such a collaboration between input-level fuzzing and patch-level fuzzing is then employed to search over candidate fix locations, as well as patch candidates in each fix location.

Software Engineering

Yizhuo Zhai,Yu Hao,Hang Zhang,Daimeng Wang,Chengyu Song,Zhiyun Qian,Mohsen Lesani,Srikanth V. Krishnamurthy,Paul Yu

DOI: https://doi.org/10.1145/3368089.3409686

2020-11-07

Abstract:Use-before-Initialization (UBI) bugs in the Linux kernel have serious security impacts, such as information leakage and privilege escalation. Developers are adopting forced initialization to cope with UBI bugs, but this approach can still lead to undefined behaviors (e.g., NULL pointer dereference). As it is hard to infer correct initialization values, we believe that the best way to mitigate UBI bugs is detection and manual patching. Precise detection of UBI bugs requires path-sensitive analysis. The detector needs to track an associated variable’s initialization status along all the possible program execution paths to its uses. However, such exhaustive analysis prevents the detection from scaling to the whole Linux kernel. This paper presents UBITect, a UBI bug finding tool which combines flow-sensitive type qualifier analysis and symbolic execution to perform precise and scalable UBI bug detection. The scalable qualifier analysis guides symbolic execution to analyze variables that are likely to cause UBI bugs. UBITect also does not require manual effort for annotations and hence, it can be directly applied to the kernel without any source code or intermediate representation (IR) change. On the Linux kernel version 4.14, UBITect reported 190 bugs, among which 78 bugs were deemed by us as true positives and 52 were confirmed by Linux maintainers.

Cong Wang,Hao Sun,Yiwen Xu,Yu Jiang,Huafeng Zhang,Ming Gu

DOI: https://doi.org/10.1109/ISSREW.2019.00039

2019-01-01

Abstract:Go programming language (Golang) is widely used, and the security issue becomes increasingly important because of its extensive applications. Most existing validation techniques, such as fuzz testing and unit testing, mainly focus on crashes detection and coverage improvements. However, it is challenging for test engines to perceive common program bugs such as loss of precision and integer overflow. In this paper, we propose Go-Sanitizer, an effective bug-oriented assertion generator for Golang, which is able to achieve a better performance in finding program bugs. Firstly, we manually analyze the Common Weakness Enumeration (CWE) and summarize the applicabilities on Golang. Secondly, we design a generator to automatically insert several bug-oriented assertions to the proper locations of the target program. Finally, we can utilize the traditional validation techniques such as fuzz and unit testing to test the programs with inserted assertions, and Go-Sanitizer reports bugs via the failures of assertions. For evaluation, we apply Go-Sanitizer to Badger, a widely-used database software, and successfully discovers 12 previously unreported program bugs, which can not be detected by pure fuzzer such as Go-Fuzz or unit testing methods.

Ying Zhao,Jinhao Tan,Guoqiang Li

2021-01-01

Abstract: Program verification on concurrent programs is a big challenge due to general undecidable results. Petri nets and its extensions are used in most works. However, existing verifiers based on Petri nets are difficult to be complete and efficient. Basic Parallel Process (BPP), as a subclass of Petri nets, can be used as a model for describing and verifying concurrent programs with lower complexity. We propose and implement BPPChecker, the first model checker for verifying CTL on BPP. We propose constraint-based algorithms for the problem of model checking CTL on BPPs and handle formulas by SMT solver Z3. For EF operator, we reduce the model checking of EF-formulas to the satisfiability problem of existential Presburger formula. For EG operator, we provide a $k$-step bounded semantics and reduce the model checking of EG-formulas to the satisfiability problem of linear integer arithmetic. Besides, we give Actor Communicating System (ACS) the over-approximation BPP-based semantics and evaluate BPPChecker on ACSs generated from real Erlang programs. Experimental results show that BPPChecker performs more efficiently than the existing tools for a series of branching-time property verification problems of Erlang programs.

Ying Zhao,Jinhao Tan,Guoqiang Li

DOI: https://doi.org/10.48550/arxiv.2110.09414

2021-01-01

Abstract:Program verification on concurrent programs is a big challenge due to general undecidable results. Petri nets and its extensions are used in most works. However, existing verifiers based on Petri nets are difficult to be complete and efficient. Basic Parallel Process (BPP), as a subclass of Petri nets, can be used as a model for describing and verifying concurrent programs with lower complexity. We propose and implement BPPChecker, the first model checker for verifying a subclass of CTL on BPP. We propose constraint-based algorithms for the problem of model checking on BPPs and handle formulas by SMT solver Z3. For EF operator, we reduce the model checking of EF-formulas to the satisfiability problem of existential Presburger formula. For EG operator, we provide a k-step bounded semantics and reduce the model checking of EG-formulas to the satisfiability problem of linear integer arithmetic. Besides, we give Actor Communicating System (ACS) the over-approximation BPP-based semantics and evaluate BPPChecker on ACSs generated from real Erlang programs. Experimental results show that BPPChecker performs more efficiently than the existing tools for a series of branching-time property verification problems of Erlang programs.

Liheng Chen,Zheming Li,Zheyu Ma,Yuan Li,Baojian Chen,Chao Zhang

DOI: https://doi.org/10.14722/ndss.2024.24819

2024-01-01

Abstract:Intel's Software Guard Extensions (SGX) offers an isolated execution environment, known as an enclave, where everything outside the enclave is considered potentially malicious, including non-enclave memory region, peripherals, and the operating system.Despite its robust attack model, the code running within enclaves is still prone to common memory corruption vulnerabilities.Moreover, such an attack model may introduce new threats or amplify existing ones.For instance, any direct memory access to untrusted memory from within an enclave can lead to Time-of-Check-Time-of-Use (TOCTOU) bugs since attackers are capable of controlling the whole untrusted memory.Moreover, null-pointer dereference may have a more severe security impact since the zero page controlled by the operating system is also considered malicious.Current fuzzing solutions, such as SGXFuzz and FuzzSGX, have limitations detecting such SGX-specific vulnerabilities.In this paper, we propose EnclaveFuzz, a multi-dimension structure-aware fuzzing framework that analyzes enclave sources to extract input structures and correlations, then generates fuzz harnesses that can produce valid inputs to pass sanity checks.To conduct multi-dimensional fuzzing, EnclaveFuzz creates data for all three input dimensions of an enclave, including both parameters and return values that enter an enclave, as well as direct untrusted memory access from within an enclave.To detect more types of vulnerabilities, we design a new sanitizer to detect both SGX-specific vulnerabilities and typical memory corruption vulnerabilities.Lastly, we provide a custom SDK to accelerate the fuzzing process and execute the enclave without the need for special hardware.To verify the effectiveness of our solution, we applied our work to test 20 real-world open-source enclaves and found 162 bugs in 14 of them.