Inferred Model Fuzzer


IMF: Inferred Model-based Fuzzer
HyungSeok Han
Sang Kil Cha
CCS ’17, October 30-November 3, 2017, Dallas, TX, USA

PA168, Reading Talk


Arvind Rao, 476357
Outline
• Background and Motivation
• Design, Architecture and Implementation
• Evaluation and Results
• Discussion

Sunday, April 8, 2018 2


Background and Motivation
Common OS architecture
• Ring 0 (kernel) vs. Ring 3 (userspace)



Kernel API Fuzzing
• Feeds sequences of API calls to the kernel from userspace
• Naïve way: blind random calls with random argument values (e.g. tsys)
• Easy to implement, but poor performance



Type-Aware Kernel Fuzzers
• Semi-intelligent: use function prototypes to generate random data of the right type for each parameter
Hooking-Based Kernel Fuzzers
• Fuzz API calls by intercepting them while a real program runs



Feedback-Driven Kernel Fuzzers
• Code-coverage-guided mutational fuzzing (state of the art)
• Generate test cases that increase code coverage
• Syzkaller, kernel-fuzzing, TriforceLinuxSyscallFuzzer, TriforceAFL
Contribution of the authors
• None of the kernel fuzzers discussed so far takes calling context (the preceding calls and the values they produced) into account
• A novel method, model-based API fuzzing, which exploits the similarity between API logs to produce random yet well-structured API call sequences
• Developed for Mac OS X (IOKit)
• The principle also holds for system calls on Linux and the Win32 API on Windows



Design and Architecture
XNU Kernel Architecture



CVE-2015-7077 (OS X <= 10.11.2)



IMF Architecture
(Figure: IMF architecture. Inputs are the annotated API prototypes and the program inputs: files, commands, mouse events etc.)



Running Example
• Program: the 2048 game
• A header file defining the prototypes of all 93 IOKitLib API functions, with annotated parameters (used during hooking)
• A series of mouse clicks as program input, generated by a small script
• The maximum number of logs to take (N)
• The fuzzing configuration, which describes how API calls are fuzzed



Inferring the API Model



Logger
• Records the input and output values of each hooked API function call
• Uses the annotations to decide the direction of each parameter (_in_, _out_, _inout_)
• Only one level of pointer indirection is stored
• Input for GUI applications is scripted manually with PyUserInput



Inferrer
• Selects the N logs with the longest common prefix from the entire set of logs
• Infers order dependence (which call follows which)
• Infers value dependence (which input is an earlier call's output), using the annotations
• The output of the Inferrer is an abstract syntax tree (AST) from which a C program is generated
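The inference step on a toy set of logs, as an added example written for this summary (it is not IMF's code). Everything in it is constructed: the three logs, the IOKit function names, the handle and pointer values. The rule that a value which differs between runs but has no producing output is kept as a literal from the first log is an assumption of this example, not something the slides state.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_IO    4
#define MAX_CALLS 8

/* One hooked API call as the logger records it: input values, plus output
 * values (return value and _out_ parameters, one pointer level deep). */
typedef struct {
    const char *func;
    int nin, nout;
    uint64_t in[MAX_IO], out[MAX_IO];
} call_t;

typedef struct {
    int ncalls;
    call_t calls[MAX_CALLS];
} log_t;

/* Constructed logs (not real captures) of three runs of one program with the
 * same input.  Handles and the heap pointer in the first call differ between
 * runs; the task port and selector do not.  Run 2 diverges at the third call,
 * so logs 0 and 1 are the pair with the longest common prefix. */
static const log_t LOGS[3] = {
    { 3, { { "IOServiceGetMatchingService", 2, 1, {0x0, 0x6000a0},       {0x1103} },
           { "IOServiceOpen",               3, 2, {0x1103, 0x2003, 0x0}, {0x0, 0x1f07} },
           { "IOConnectCallMethod",         3, 1, {0x1f07, 0x2, 0x40},   {0x0} } } },
    { 3, { { "IOServiceGetMatchingService", 2, 1, {0x0, 0x7000a0},       {0x1207} },
           { "IOServiceOpen",               3, 2, {0x1207, 0x2003, 0x0}, {0x0, 0x2303} },
           { "IOConnectCallMethod",         3, 1, {0x2303, 0x2, 0x40},   {0x0} } } },
    { 3, { { "IOServiceGetMatchingService", 2, 1, {0x0, 0x6800a0},       {0x1307} },
           { "IOServiceOpen",               3, 2, {0x1307, 0x2003, 0x0}, {0x0, 0x2a03} },
           { "IOServiceClose",              1, 1, {0x2a03},              {0x0} } } },
};

enum { DEP, CONST, VARY };

/* Longest prefix on which every selected log (indices in sel) calls the same
 * function at every position: the order part of the model. */
int common_prefix_len(const log_t *logs, const int *sel, int n) {
    for (int len = 0; n > 0; len++)
        for (int s = 0; s < n; s++)
            if (len >= logs[sel[s]].ncalls ||
                strcmp(logs[sel[s]].calls[len].func, logs[sel[0]].calls[len].func) != 0)
                return len;
    return 0;
}

/* Input k of call j depends on output m of an earlier call i if the two values
 * are equal within every selected log.  Comparing inside each log rather than
 * across logs is what makes run-to-run handle values harmless.  The nearest
 * producer wins.  Returns 1 and fills *src_call / *src_out on success. */
int infer_dependence(const log_t *logs, const int *sel, int n, int j, int k,
                     int *src_call, int *src_out) {
    for (int i = j - 1; i >= 0; i--)
        for (int m = 0; m < logs[sel[0]].calls[i].nout; m++) {
            int ok = 1;
            for (int s = 0; s < n && ok; s++) {
                const call_t *c = logs[sel[s]].calls;
                ok = (c[j].in[k] == c[i].out[m]);
            }
            if (ok) { *src_call = i; *src_out = m; return 1; }
        }
    return 0;
}

/* DEP: carries an earlier output.  CONST: identical in all logs, a fuzzable
 * literal.  VARY: differs between runs with no producer (an ASLR'd pointer);
 * keeping the first log's value for it is this example's assumption. */
int classify(const log_t *logs, const int *sel, int n, int j, int k,
             int *src_call, int *src_out) {
    if (infer_dependence(logs, sel, n, j, k, src_call, src_out)) return DEP;
    for (int s = 1; s < n; s++)
        if (logs[sel[s]].calls[j].in[k] != logs[sel[0]].calls[j].in[k]) return VARY;
    return CONST;
}

/* Print the model as C-like statements: dependent inputs name the variable
 * holding the producing output (outI_M); everything else is a literal. */
void emit_program(const log_t *logs, const int *sel, int n) {
    int len = common_prefix_len(logs, sel, n);
    for (int j = 0; j < len; j++) {
        const call_t *c = &logs[sel[0]].calls[j];
        printf("%s(", c->func);
        for (int k = 0; k < c->nin; k++) {
            int i, m, kind = classify(logs, sel, n, j, k, &i, &m);
            if (kind == DEP) printf("out%d_%d", i, m);
            else printf("0x%llx%s", (unsigned long long)c->in[k],
                        kind == VARY ? " /*varies*/" : "");
            fputs(k + 1 < c->nin ? ", " : ");", stdout);
        }
        for (int m = 0; m < c->nout; m++) printf("  /* -> out%d_%d */", j, m);
        printf("\n");
    }
}

int main(void) {
    int sel[2] = {0, 1};   /* N = 2: the two logs with the longest common prefix */
    emit_program(LOGS, sel, 2);
    return 0;
}
```

One caveat the toy shows: a small constant such as 0 will match an earlier KERN_SUCCESS return value in every log and be misread as a dependence, which is one reason the real Inferrer also consults the annotations (which outputs are handles, which are status codes) rather than values alone.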



Inferred Model (example)



Fuzzing
• From the AST and the fuzzing configuration a C program is generated
• Fuzzing config = {timeout, # iterations, mutation probability, # fixed bits, PRNG seed}
• Mutation is done without disturbing the order and value dependences; what gets mutated is usually the constants taken from the logs
(Figure: a logged call and the fuzzed form it becomes; not reproduced in the text)


Fuzzing (contd.)
• Mutates each parameter value based on the mutation probability P and the number of fixed bits F
• For example, with P = 0.01 and F = 20, 1% of the time the lowest 12 bits of an int32_t parameter are mutated (the 20 most significant bits stay fixed)
• Type-based parameter mutation
• Mutations for primitives such as char, int, short etc. are defined
• If F is greater than the parameter's width in bits, only the LSB is mutated
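The P/F mutation rule from the slide, as an added example (not IMF's own implementation). The xorshift PRNG, the configuration struct and the IOConnectCallMethod-style argument layout in main are this example's assumptions; the rule that dependent arguments are never mutated is taken from the previous slide.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fuzzing configuration as listed on the slide: timeout, iteration count I,
 * mutation probability P, number of fixed bits F and PRNG seed. */
typedef struct {
    unsigned timeout_sec;
    unsigned iterations;    /* I */
    double   mutation_prob; /* P */
    unsigned fixed_bits;    /* F */
    uint64_t seed;
} fuzz_cfg_t;

/* xorshift64: a small seedable PRNG, so a panic can be replayed from the seed. */
static uint64_t rng_state = 1;
void prng_seed(uint64_t seed) { rng_state = seed ? seed : 1; }
uint64_t prng_next(void) {
    uint64_t x = rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return rng_state = x;
}
static double prng_unit(void) {            /* uniform in [0, 1) */
    return (double)(prng_next() >> 11) * (1.0 / 9007199254740992.0);
}

/* Deterministic core of the type-based mutation: keep the F most significant
 * bits of a parameter `bits` wide and replace the low (bits - F) bits with
 * rnd.  With bits = 32 and F = 20 the low 12 bits change.  If F is not
 * smaller than the width, only the least significant bit is mutated. */
uint64_t mutate_low_bits(uint64_t value, unsigned bits, unsigned fixed_bits, uint64_t rnd) {
    unsigned mutable_bits = (fixed_bits >= bits) ? 1u : bits - fixed_bits;
    uint64_t width_mask = (bits >= 64) ? ~0ULL : ((1ULL << bits) - 1);
    uint64_t low_mask   = (mutable_bits >= 64) ? ~0ULL : ((1ULL << mutable_bits) - 1);
    return ((value & ~low_mask) | (rnd & low_mask)) & width_mask;
}

/* Mutate one parameter with probability P.  Returns 1 if it was mutated. */
int mutate_param(uint64_t *value, unsigned bits, const fuzz_cfg_t *cfg) {
    if (prng_unit() >= cfg->mutation_prob) return 0;
    *value = mutate_low_bits(*value, bits, cfg->fixed_bits, prng_next());
    return 1;
}

/* Mutate the arguments of one call.  Arguments marked dependent carry an
 * earlier call's output (a port, a handle) and are left alone, so the order
 * and value dependences inferred from the logs survive mutation. */
int mutate_call_args(uint64_t *args, const unsigned *bits, const int *is_dep,
                     int nargs, const fuzz_cfg_t *cfg) {
    int changed = 0;
    for (int k = 0; k < nargs; k++)
        if (!is_dep[k]) changed += mutate_param(&args[k], bits[k], cfg);
    return changed;
}

/* Replay one call I times from the same base arguments (at most 8) and count
 * mutations: a cheap check of what a P/F choice does before a long campaign. */
unsigned count_mutations(const fuzz_cfg_t *cfg, const uint64_t *base,
                         const unsigned *bits, const int *is_dep, int nargs) {
    uint64_t args[8];
    unsigned total = 0;
    prng_seed(cfg->seed);
    for (unsigned it = 0; it < cfg->iterations; it++) {
        memcpy(args, base, (size_t)nargs * sizeof(uint64_t));
        total += (unsigned)mutate_call_args(args, bits, is_dep, nargs, cfg);
    }
    return total;
}

int main(void) {
    /* Constructed IOConnectCallMethod-style call: arg 0 is the connect port
     * (dependent), arg 1 the selector and arg 2 a size (both fuzzable). */
    fuzz_cfg_t cfg = { 10, 1000, 0.01, 20, 0x1234 };
    uint64_t args[3]   = { 0x1f07, 0x2, 0x40 };
    unsigned bits[3]   = { 32, 32, 32 };
    int      is_dep[3] = { 1, 0, 0 };
    printf("mutations over %u iterations: %u\n", cfg.iterations,
           count_mutations(&cfg, args, bits, is_dep, 3));
    printf("0xdeadbeef with F=20 and rnd=all ones -> 0x%llx\n",
           (unsigned long long)mutate_low_bits(0xdeadbeefULL, 32, 20, ~0ULL));
    return 0;
}
```

Keeping the high F bits is what makes the mutation "type-aware" in practice: a selector or size argument stays in the neighbourhood of the value the program actually used, so the call still reaches the same user client method instead of failing an early bounds check.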



Implementation
• Written in Python, 1.2K LOC
• PyUserInput for mouse and keyboard automation
• Manually defined and annotated API definitions for the 93 IOKitLib functions
• The generated C program is compiled with the LLVM compiler (8.1.0) shipped in Xcode 8.3
• Code published at https://github.com/Softsec-KAIST/IMF
Evaluation and Results
Experimental Setup
• Hardware:
• 10 Mac minis (late 2014)
• Intel Core i5 2.6 GHz CPU with 8 GB of memory
• OS:
• macOS version 10.12.3 (build 16D32)
• Programs logged:
• 105 apps from the US App Store: the top 5 free apps from each of 21 categories
• Each program was run 1,000 times
• Successfully logged 95 of the 105 apps
• Average number of API calls per log: 687



Choice of N (Inferrer parameter)



Choice of I, P, F
• I = 1,000, P = 1/1000 and F = 20


Comparison
• Compared with the IOKit fuzzer released by Google Project Zero in 2014
• Ran IMF and the IOKit fuzzer on a subset of 5 apps for 24 hours each
• The IOKit fuzzer found 3 unique kernel panics
• IMF found 10
• The bugs IMF found are located deeper in the kernel
Summary of bugs found



Discussion & Conclusion
Conclusion
• The first model-based kernel fuzzer that automatically infers API models from call traces
• Produces multiple API logs from the same program with the same input in order to compute an API model
• Uses this model to generate a program that automatically fuzzes the OS under test
• Methodology evaluated on macOS
Review
• Counters the non-determinism of API logs (ASLR, threads, interrupts, compiler optimizations etc.)
• Mutation strategy uses type information
• Fuzzing is inefficient: every kernel panic requires an OS restart; running the target in QEMU or another VM could reduce the overhead
• Mutation is semi-blind; code-coverage feedback could be leveraged to converge faster
Thanks!
