![Page 1: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/1.jpg)
Unleashing D* on Android Kernel Drivers
Aravind Machiry (@machiry_msidc)
![Page 2: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/2.jpg)
$ whoami
● Fourth year P.h.D Student at University of California, Santa Barbara.
● Vulnerability Detection in System software.
● machiry.github.io
![Page 3: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/3.jpg)
$ Android is everywhere!!
![Page 4: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/4.jpg)
$ Bugs in Android (First Half of 2017)[1]
[1]https://www.slideshare.net/JunLI174/android-bug-hunting-from-finding-bugs-to-getting-bounty-20170603
![Page 5: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/5.jpg)
$ Where are Android kernel bugs?
android: Protecting the kernel, Jeff Vander Stoep, Linux Foundation 2016
![Page 6: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/6.jpg)
$ Lot of $$$
![Page 7: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/7.jpg)
![Page 8: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/8.jpg)
$ Lot of $$$
![Page 9: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/9.jpg)
$ Okay! Why is it hard to find these bugs?
Good ‘ol knowledge on Bug Detection:
▪ Static Analysis▪ Dynamic Analysis
![Page 10: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/10.jpg)
$ Okay! Why is it hard to find these bugs?
Good ‘ol knowledge on Bug Detection:
▪ Static Analysis▪ Dynamic Analysis
![Page 11: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/11.jpg)
$ Static Analysis
▪ Kernel drivers are open source (GPL).
▪ Use well known source code analysis tools.
▪ $$$
![Page 12: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/12.jpg)
$ Static Analysis: Existing tools
CppCheck flawfinder RATS Sparse
Qualcomm 18 4,365 693 5,202
Samsung 22 8,173 2,244 1,726
Huawei 34 18,132 2,301 11,230
MediaTek 168 14,230 3,730 13,771
Total 242 44,990 8,968 31,929
![Page 13: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/13.jpg)
$ Static Analysis: Existing tools
CppCheck flawfinder RATS Sparse
Qualcomm 18 4,365 693 5,202
Samsung 22 8,173 2,244 1,726
Huawei 34 18,132 2,301 11,230
MediaTek 168 14,230 3,730 13,771
Total 242 44,990 8,968 31,929
![Page 14: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/14.jpg)
$ Ideal Static analysis tool
▪ Track user data.
▪ Check if user data is used in sensitive places.
– Example: memcpy(src, dst, <user_data>);
![Page 15: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/15.jpg)
$ Tracking user data: Pointer analysis
struct foo obj;
scanf(“%d”, &idx);
if(*) {
obj.input_var = &idx;
} else {
obj.input_var = *;
}
....
bar(&obj);
![Page 16: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/16.jpg)
$ Tracking user data: Pointer analysis
struct foo obj;
scanf(“%d”, &idx);
if(*) {
obj.input_var = &idx;
} else {
obj.input_var = *;
}
....
bar(&obj);
![Page 17: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/17.jpg)
$ Tracking user data: Pointer analysis
struct foo obj;
scanf(“%d”, &idx);
if(*) {
obj.input_var = &idx;
} else {
obj.input_var = *;
}
....
bar(&obj);
![Page 18: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/18.jpg)
$ Tracking user data: Pointer analysis
struct foo obj;
scanf(“%d”, &idx);
if(*) {
obj.input_var = &idx;
} else {
obj.input_var = *;
}
....
bar(&obj);
![Page 19: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/19.jpg)
$ Tracking user data: Pointer analysis
struct foo obj;
scanf(“%d”, &idx);
if(*) {
obj.input_var = &idx;
} else {
obj.input_var = *;
}
....
bar(&obj);
void bar(struct foo *obj_ptr) {
…
arr[*(obj_ptr->safe_input)] = 1;
…
arr[*(obj_ptr->input_var)] = 0;
…
}
![Page 20: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/20.jpg)
$ Tracking user data: Pointer analysis
struct foo obj;
scanf(“%d”, &idx);
if(*) {
obj.input_var = &idx;
} else {
obj.input_var = *;
}
....
bar(&obj);
void bar(struct foo *obj_ptr) {
…
arr[*(obj_ptr->safe_input)] = 1;
…
arr[*(obj_ptr->input_var)] = 0;
…
}
![Page 21: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/21.jpg)
$ Tracking user data: Pointer analysis
We should know which pointer points to what object.
void bar(struct foo *obj_ptr) {
…
}
![Page 22: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/22.jpg)
$ Tracking user data: Pointer analysis
We should know which field of a structure object points to what object.
void bar(struct foo *obj_ptr) {
…
arr[*(obj_ptr->safe_input)] = 1;
…
arr[*(obj_ptr->input_var)] = 0;
…
}
![Page 23: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/23.jpg)
$ Tracking user data: Pointer analysis
Real world code is complex: Loops, Type casting
![Page 24: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/24.jpg)
$ Tracking user data: Taint Propagation
We should follow the flow of user data.
scanf(“%d”, &in);… su = in + 5;… arr[su] = 0;
![Page 25: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/25.jpg)
$ Tracking user data: Taint Propagation
What about library functions?
scanf(“%10s”, inputstr);… usrint = atoi(inputstr);…arr[usrint] = 0;
![Page 26: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/26.jpg)
$ Tracking user data: Taint Propagation
What about library functions: Simple policy doesn’t work
scanf(“%10s”, inputstr);… usrint = atoi(inputstr);…ptr = malloc(usrint);… ptr[0] = 0;
![Page 27: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/27.jpg)
$ Kernel drivers are small!!
▪ ~ 31 to 240K SLOC
▪ 80% of drivers <= 7K SLOC
Let’s separate driver code from kernel code!!!
![Page 28: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/28.jpg)
$ Optimizations: Soundy Traversal
❖ Let's analyze code inside loops fixed number of times.
❖ Assume that all kernel functions are safe.
![Page 29: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/29.jpg)
$ DR.CHECKER: Story of the name
![Page 30: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/30.jpg)
$ DR.CHECKER: Story of the name
$ mkdir dr_checker
![Page 31: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/31.jpg)
$ DR.CHECKER: Story of the name
$ mkdir dr_checker
![Page 32: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/32.jpg)
$ DR.CHECKER: Story of the name
$ mkdir dr_checker
![Page 33: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/33.jpg)
$ DR.CHECKER Overview
![Page 34: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/34.jpg)
$ DR.CHECKER: SDTraversal
Starting from entry point of the driver:
● Analyze each instruction of the driver according to the control flow.
At each instruction:
● Maintain and track the user data. ● Consult Vulnerability or bug detectors for any potential bugs.
![Page 35: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/35.jpg)
$ DR.CHECKER: Vulnerability Detectors
▪ Tainted Pointer Dereference.▪ Tainted Integer Arithmetic.▪ Tainted Size.▪ Uninit Leak Detector.▪ Global Variable Race Detector.▪ Improper Tainted Data Use Detector.▪ ….
![Page 36: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/36.jpg)
$ DR.CHECKER: Bug in Mediatek Accdet driver
static char call_status;
...
static ssize_t accdet_store_call_state (struct device_driver *ddri, const char *buf, size_t count)
{
int ret = sscanf(buf, "%s", &call_status);
if (ret != 1) {
ACCDET_DEBUG("accdet: Invalid values\n");
return -EINVAL;
}
![Page 37: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/37.jpg)
static char call_status;
...
static ssize_t accdet_store_call_state (struct device_driver *ddri, const char *buf, size_t count)
{
int ret = sscanf(buf, "%s", &call_status);
if (ret != 1) {
ACCDET_DEBUG("accdet: Invalid values\n");
return -EINVAL;
}
$ DR.CHECKER: Bug in Mediatek Accdet driver
![Page 38: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/38.jpg)
static char call_status;
...
static ssize_t accdet_store_call_state (struct device_driver *ddri, const char *buf, size_t count)
{
int ret = sscanf(buf, "%s", &call_status);
if (ret != 1) { // TOO LATE..Buffer overflow already happened.
ACCDET_DEBUG("accdet: Invalid values\n");
return -EINVAL;
}
$ DR.CHECKER: Bug in Mediatek Accdet driver
![Page 39: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/39.jpg)
$ DR.CHECKER: Bug in Samsung SensorHub driver
if (unlikely(count < 2)) { ...
return -EINVAL;}...buffer = kzalloc(count * sizeof(char), GFP_KERNEL);...ret = copy_from_user(buffer, buf, count);…if (buffer[0] == MSG2SSP_INST_LIB_NOTI) {
ret = ssp_sensorhub_send_cmd(hub_data, buffer, count);}
ssp_sensorhub_send_cmd(..., const char *buf, int count) {
If (buf[2] < MSG2SSP_AP_STATUS_WAKEUP ||
buf[2] >= MSG2SSP_AP_TEMPHUMIDITY_CAL_DONE) {
...}
}
![Page 40: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/40.jpg)
$ DR.CHECKER: Bug in Samsung SensorHub driver
if (unlikely(count < 2)) { //consider when count==2 ...
return -EINVAL;}...buffer = kzalloc(count * sizeof(char), GFP_KERNEL);...ret = copy_from_user(buffer, buf, count);…if (buffer[0] == MSG2SSP_INST_LIB_NOTI) {
ret = ssp_sensorhub_send_cmd(hub_data, buffer, count);}
ssp_sensorhub_send_cmd(..., const char *buf, int count) {
If (buf[2] < MSG2SSP_AP_STATUS_WAKEUP ||
buf[2] >= MSG2SSP_AP_TEMPHUMIDITY_CAL_DONE) {
...}
}
![Page 41: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/41.jpg)
$ DR.CHECKER: Bug in Samsung SensorHub driver
if (unlikely(count < 2)) { //consider when count==2 ...
return -EINVAL;}
...//buffer is of size 2: buffer[0], buffer[1]buffer = kzalloc(count * sizeof(char), GFP_KERNEL);...ret = copy_from_user(buffer, buf, count);…if (buffer[0] == MSG2SSP_INST_LIB_NOTI) {
ret = ssp_sensorhub_send_cmd(hub_data, buffer, count);}
ssp_sensorhub_send_cmd(..., const char *buf, int count) {
If (buf[2] < MSG2SSP_AP_STATUS_WAKEUP ||
buf[2] >= MSG2SSP_AP_TEMPHUMIDITY_CAL_DONE) {
...}
}
![Page 42: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/42.jpg)
$ DR.CHECKER: Bug in Samsung SensorHub driver
if (unlikely(count < 2)) { //consider when count==2 ...
return -EINVAL;}
...//buffer is of size 2: buffer[0], buffer[1]buffer = kzalloc(count * sizeof(char), GFP_KERNEL);...
ret = copy_from_user(buffer, buf, count);…if (buffer[0] == MSG2SSP_INST_LIB_NOTI) {
ret = ssp_sensorhub_send_cmd(hub_data, buffer, count);}
ssp_sensorhub_send_cmd(..., const char *buf, int count) {
If (buf[2] < MSG2SSP_AP_STATUS_WAKEUP ||
buf[2] >= MSG2SSP_AP_TEMPHUMIDITY_CAL_DONE) {
...}
}
![Page 43: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/43.jpg)
$ DR.CHECKER: Bug in Samsung SensorHub driver
if (unlikely(count < 2)) { //consider when count==2 ...
return -EINVAL;}
...//buffer is of size 2: buffer[0], buffer[1]buffer = kzalloc(count * sizeof(char), GFP_KERNEL);...
ret = copy_from_user(buffer, buf, count);…if (buffer[0] == MSG2SSP_INST_LIB_NOTI) {
ret = ssp_sensorhub_send_cmd(hub_data, buffer, count);}
ssp_sensorhub_send_cmd(..., const char *buf, int count) {
If (buf[2] < MSG2SSP_AP_STATUS_WAKEUP ||
buf[2] >= MSG2SSP_AP_TEMPHUMIDITY_CAL_DONE) {
...}
}
![Page 44: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/44.jpg)
$ DR.CHECKER: Bug in Samsung SensorHub driver
if (unlikely(count < 2)) { //consider when count==2 ...
return -EINVAL;}
...//buffer is of size 2: buffer[0], buffer[1]buffer = kzalloc(count * sizeof(char), GFP_KERNEL);...
ret = copy_from_user(buffer, buf, count);…if (buffer[0] == MSG2SSP_INST_LIB_NOTI) {
ret = ssp_sensorhub_send_cmd(hub_data, buffer, count);}
ssp_sensorhub_send_cmd(..., const char *buf, int count) {
If (buf[2] < MSG2SSP_AP_STATUS_WAKEUP ||
buf[2] >= MSG2SSP_AP_TEMPHUMIDITY_CAL_DONE) {
...}
}
![Page 45: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/45.jpg)
$ DR.CHECKER: Bug in Samsung SensorHub driver
if (unlikely(count < 2)) { //consider when count==2 ...
return -EINVAL;}
...//buffer is of size 2: buffer[0], buffer[1]buffer = kzalloc(count * sizeof(char), GFP_KERNEL);...
ret = copy_from_user(buffer, buf, count);…if (buffer[0] == MSG2SSP_INST_LIB_NOTI) {
ret = ssp_sensorhub_send_cmd(hub_data, buffer, count);}
ssp_sensorhub_send_cmd(..., const char *buf, int count) {
If (buf[2] < MSG2SSP_AP_STATUS_WAKEUP ||
buf[2] >= MSG2SSP_AP_TEMPHUMIDITY_CAL_DONE) {
...}
}
![Page 46: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/46.jpg)
![Page 47: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/47.jpg)
$ DR.CHECKER: Open Source and Dockerized
Tested on Qualcomm, MediaTek, Huawei and Samsung kernels
CVE-2016-8433, CVE-2016-8472, CVE-2016-8470, CVE-2016-8471, CVE-2016-8448, CVE-2017-0797 and more..
https://github.com/ucsb-seclab/dr_checker
Use it and get rich from bug bounties :)
![Page 48: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/48.jpg)
$ DR.CHECKER is not enough!!
▪ Use-after-free.
▪ Bugs because of improper usage of kernel API functions.
buf = kmalloc(count, GFP_KERNEL); // if count is Zero.
if(!buf) { // buf will be ZERO_PTR
buf[0] = 1; // Kernel panic..
...
}
![Page 49: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/49.jpg)
$ Okay! Why is it hard to find these bugs?
Good ‘ol knowledge on Bug Detection:
▪ Static Analysis▪ Dynamic Analysis
![Page 50: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/50.jpg)
$ Dynamic Analysis: Fuzzing!!
▪ Hundreds of tools: AFL, Peach etc
▪ Just use AFL..
![Page 51: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/51.jpg)
$ Fuzzing: Good Luck!!
Drivers expect highly structured and constrained input.
![Page 52: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/52.jpg)
$ Fuzzing: Highly constrained input
![Page 53: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/53.jpg)
$ Fuzzing: Highly constrained input
![Page 54: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/54.jpg)
$ Fuzzing: Highly constrained input
![Page 55: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/55.jpg)
$ Fuzzing: Highly constrained input
![Page 56: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/56.jpg)
$ Fuzzing: Highly constrained input
![Page 57: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/57.jpg)
$ Fuzzing: Highly constrained input
![Page 58: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/58.jpg)
$ Drivers Expect Highly structured input
● If command == ISP_READ_REGISTER then param should be a valid user pointer to ISP_REG_IO_STRUCT.
● If command == ISP_WRITE_REGISTER then param should be a valid user pointer to ISP_REG_IO_STRUCT.
● If command == ISP_HOLD_REG_TIME then param should be a valid user pointer to ISP_HOLD_TIME_ENUM.
![Page 59: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/59.jpg)
$ Bugs are hard to trigger
Arbitrary kernel heap write.
![Page 60: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/60.jpg)
$ Bugs are hard to trigger
● You can trigger the bug, only if command == 1337 and param is a valid pointer to the structure:
typedef struct {type_enum type; ( == 77)int idx; ( >= 128)int val;
} foo_t
![Page 61: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/61.jpg)
$ DIFUZE: Idea
● Recover all the command values, corresponding param types automatically.
● This will reduce the state space and help in effective fuzzing.
![Page 62: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/62.jpg)
$ DIFUZE: Overview
![Page 63: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/63.jpg)
$ DIFUZE: Interface Recovery
Source Bitcode Ioctl Handler
Device Names
Argument Types
Type Definitions
XML SpecCommands
![Page 64: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/64.jpg)
$ DIFUZE: Structure Generation
![Page 65: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/65.jpg)
$ DIFUZE: Structure Generation
![Page 66: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/66.jpg)
$ DIFUZE: On Device Execution
● Run on the phone connected to host device via ADB (Android Debug Bridge).
● Map the binary data, do pointer fix ups.
● Open device and perform the ioctl.
![Page 67: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/67.jpg)
$ DIFUZE: Evaluation
Manufacturer Device Chipset
Google Pixel Qualcomm
HTC E9 Plus Mediatek
HTC One M9 Qualcomm
Huawei P9 Lite Huawei
Huawei Honor 8 Huawei
Samsung Galaxy S6 Samsung
Sony Xperia XA Mediatek
![Page 68: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/68.jpg)
$ DIFUZE: Evaluation
Total Unique
E9 Plus 6
Galaxy S6 0
Honor 8 2
One M9 3
P9 Lite 6
Pixel 5
Xperia XA 14
Total 36
![Page 69: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/69.jpg)
$ DIFUZE: Bug Types
Crash Type Count
Arbitrary Read 4
Arbitrary Write 4
Assert Failure 6
Buffer Overflow 2
Null Dereference 9
Out of Bound Index 5
Uncategorized 5
Writing to non-volatile memory 1
![Page 70: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/70.jpg)
$ DIFUZE: Open Source
CVE-2017-15307, CVE-2017-0636, CVE-2017-0804, and many more.
https://github.com/ucsb-seclab/difuze
Use it and become rich :)
![Page 71: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/71.jpg)
$ In Progress: drchecker.io
drchecker.io
Dr.Checker warnings
DIFUZE Interface
Spec
![Page 72: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/72.jpg)
$ Souvenir :)
![Page 73: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/73.jpg)
![Page 74: Unleashing D* on Android Kernel Drivers - GitHub Pages](https://reader034.vdocuments.net/reader034/viewer/2022050403/62701825d862507f1c344836/html5/thumbnails/74.jpg)
$ Thank You
github.com/ucsb-seclab/difuzegithub.com/ucsb-seclab/dr_checker