The usage of the PCIe standard has become crucial in computer systems. It allows fast and straightforward communication between different computer components. Nowadays, it is possible to connect external devices that use this technology by using external physical interfaces. These interfaces expose the OS kernel and the device driver to potential attacks by a malicious device. On the other side, drivers are designed by considering devices as trusted, so they only expect data from faulty hardware, not malicious attacks. In this scenario, it is essential to find bugs on device drivers since if they are exploited, they will ultimately compromise the integrity of the host machine. The fuzzing technique is very useful and widely used in bug findings. It provides random inputs to the target program, making it crash. However, testing device drivers is challenging due to the difficulty of giving random data to the tested driver that comes from the device. We propose a new approach to test device drivers by fuzzing them from the device side. In our work, we use a coverage-guided fuzzing technique in combination with a virtual custom device which emulates a real device while sending fuzzed input to the target driver. It is a new approach to fuzzing PCIe drivers since, up to now, most of the attempts to test these drivers were using syscalls, so they were testing drivers only from the system side. Our flexible approach allowed us to successfully test 7 different PCIe device drivers compiled on a recent Linux kernel version. For most of them, we found new execution paths during the testing process, resulting in crashes and a bug.
L'uso dello standard PCIe è diventato fondamentale nei sistemi informatici. Consente una comunicazione rapida e diretta tra i diversi componenti del computer. Oggi è possibile collegare dispositivi esterni che utilizzano questa tecnologia tramite interfacce fisiche esterne. Queste interfacce espongono il kernel del sistema operativo e il driver del dispositivo a potenziali attacchi da parte di un dispositivo malevolo. D'altra parte, i driver sono progettati considerando i dispositivi come affidabili, quindi si aspettano solo i dati provenienti da hardware difettoso, non da attacchi malevoli. In questo scenario, è essenziale trovare i bug nei driver dei dispositivi poiché, se sfruttati, comprometteranno l'integrità della macchina host. La tecnica del fuzzing è molto utile e ampiamente utilizzata nella ricerca di bug. Fornisce input casuali al programma di destinazione, facendolo crashare. Tuttavia, testare i driver dei dispositivi è problematico a causa della difficoltà di fornire al driver testato, dati casuali provenienti dal dispositivo. Proponiamo un nuovo approccio per testare i driver dei dispositivi effettuando il fuzzing dal lato del dispositivo. Nel nostro lavoro, utilizziamo il coverage-guided fuzzing in combinazione con un dispositivo virtuale che, emulando un dispositivo reale, invia input casuali al driver che si sta testando. Si tratta di un nuovo approccio al fuzzing dei driver PCIe, poiché finora la maggior parte dei tentativi di testare questi driver utilizzavano le syscall e quindi testavano i driver solo "dal lato del sistema operativo". Il nostro approccio versatile ci ha permesso di testare con successo 7 diversi driver di dispositivi PCIe compilati su una versione recente del kernel Linux. Per la maggior parte di essi, abbiamo trovato nuovi percorsi di esecuzione durante il processo di test, con conseguenti crash e bug.
PCIe Fuzz : a novel approach to test PCle drivers using the fuzzing technique
Caldarola, Giovanni
2021/2022
Abstract
The usage of the PCIe standard has become crucial in computer systems. It allows fast and straightforward communication between different computer components. Nowadays, it is possible to connect external devices that use this technology by using external physical interfaces. These interfaces expose the OS kernel and the device driver to potential attacks by a malicious device. On the other side, drivers are designed by considering devices as trusted, so they only expect data from faulty hardware, not malicious attacks. In this scenario, it is essential to find bugs on device drivers since if they are exploited, they will ultimately compromise the integrity of the host machine. The fuzzing technique is very useful and widely used in bug findings. It provides random inputs to the target program, making it crash. However, testing device drivers is challenging due to the difficulty of giving random data to the tested driver that comes from the device. We propose a new approach to test device drivers by fuzzing them from the device side. In our work, we use a coverage-guided fuzzing technique in combination with a virtual custom device which emulates a real device while sending fuzzed input to the target driver. It is a new approach to fuzzing PCIe drivers since, up to now, most of the attempts to test these drivers were using syscalls, so they were testing drivers only from the system side. Our flexible approach allowed us to successfully test 7 different PCIe device drivers compiled on a recent Linux kernel version. For most of them, we found new execution paths during the testing process, resulting in crashes and a bug.| File | Dimensione | Formato | |
|---|---|---|---|
|
Thesis (3).pdf
non accessibile
Dimensione
1.2 MB
Formato
Adobe PDF
|
1.2 MB | Adobe PDF | Visualizza/Apri |
|
Executive_Summary___Scuola_di_Ingegneria_Industriale_e_dell_Informazione___Politecnico_di_Milano.pdf
non accessibile
Dimensione
486.5 kB
Formato
Adobe PDF
|
486.5 kB | Adobe PDF | Visualizza/Apri |
I documenti in POLITesi sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/10589/194958