SyzParam: Introducing Runtime Parameters into Kernel Driver Fuzzing

TL;DR

SyzParam enhances kernel driver fuzzing by integrating runtime parameters, static analysis, and relation-based mutation strategies, leading to improved bug detection and higher code coverage.

Contribution

It introduces a novel fuzzing framework that incorporates runtime parameters and inter-device relations, improving kernel driver testing effectiveness.

Findings

Outperformed existing fuzzers in coverage and bug detection

Identified 30 new kernel bugs, 20 confirmed, 14 patched

Discovered 9 CVEs in kernel upstreams

Abstract

This paper introduces a novel fuzzing framework, SyzParam which incorporates runtime parameters into the fuzzing process. Achieving this objective requires addressing several key challenges, including valid value extraction, inter-device relation construction, and fuzz engine integration. By inspecting the data structures and functions associated with the LKDM, our tool can extract runtime parameters across various drivers through static analysis. Additionally, SyzParam collects inter-device relations and identifies associations between runtime parameters and drivers. Furthermore, SyzParam proposes a novel mutation strategy, which leverages these relations and prioritizes parameter modification during related driver execution. Our evaluation demonstrates that SyzParam outperforms existing fuzzing works in driver code coverage and bug-detection capabilities. To date, we have identified 30 unique bugs in the latest kernel upstreams, with 20 confirmed and 14 patched into the mainline kernel, including 9 CVEs.