
DOI: 10.1145/3460120.3484564 (ACM CCS conference proceedings)
Research article, open access

SyzGen: Automated Generation of Syscall Specification of Closed-Source macOS Drivers

Published: 13 November 2021

Abstract

Kernel drivers are a critical part of the attack surface: they constitute a large fraction of the kernel codebase and often lack proper vetting, especially closed-source drivers. Unfortunately, their complex input structures and the unknown relationships and dependencies among their interfaces make them very challenging to understand. As a result, security analysts primarily rely on manual audit to recover interfaces and generate meaningful fuzzing test cases. In this paper, we present SyzGen, a first attempt to automate the generation of syscall specifications for closed-source macOS drivers and thereby facilitate interface-aware fuzzing. We leverage two insights to overcome the challenges of binary analysis: (1) iterative refinement of syscall knowledge and (2) extraction and extrapolation of dependencies from a small number of execution traces. We evaluated our approach on 25 targets. The results show that SyzGen can effectively produce high-quality specifications, leading to 34 bugs, including one that attackers can exploit to escalate privilege, and 2 CVEs to date.



Published In

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
November 2021, 3558 pages
ISBN: 9781450384544
DOI: 10.1145/3460120
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. fuzzing
2. operating systems security
3. vulnerability discovery

Qualifiers

• Research-article

Funding Sources

• National Science Foundation

Conference

CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security
November 15 - 19, 2021
Virtual Event, Republic of Korea

Acceptance Rates

Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%


Article Metrics

• Downloads (last 12 months): 324
• Downloads (last 6 weeks): 32
Reflects downloads up to 19 Feb 2025

Cited By

• (2024) CrossFire: Fuzzing macOS Cross-XPU Memory on Apple Silicon. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pp. 3749-3762. DOI: 10.1145/3658644.3690376. Online publication date: 2 Dec 2024.
• (2024) SyzGen++: Dependency Inference for Augmenting Kernel Driver Fuzzing. 2024 IEEE Symposium on Security and Privacy (SP), pp. 4661-4677. DOI: 10.1109/SP54263.2024.00269. Online publication date: 19 May 2024.
• (2024) SoK: Prudent Evaluation Practices for Fuzzing. 2024 IEEE Symposium on Security and Privacy (SP), pp. 1974-1993. DOI: 10.1109/SP54263.2024.00137. Online publication date: 19 May 2024.
• (2024) AFGen: Whole-Function Fuzzing for Applications and Libraries. 2024 IEEE Symposium on Security and Privacy (SP), pp. 1901-1919. DOI: 10.1109/SP54263.2024.00011. Online publication date: 19 May 2024.
• (2023) KextFuzz. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 5039-5054. DOI: 10.5555/3620237.3620519. Online publication date: 9 Aug 2023.
• (2023) ReUSB. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 2921-2938. DOI: 10.5555/3620237.3620401. Online publication date: 9 Aug 2023.
• (2023) DDRace. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 2849-2866. DOI: 10.5555/3620237.3620397. Online publication date: 9 Aug 2023.
• (2023) WinkFuzz: Model-based Script Synthesis for Fuzzing. Proceedings of the Third International Symposium on Advanced Security on Software and Systems, pp. 1-12. DOI: 10.1145/3591365.3592946. Online publication date: 10 Jul 2023.
• (2023) RSFuzzer: Discovering Deep SMI Handler Vulnerabilities in UEFI Firmware with Hybrid Fuzzing. 2023 IEEE Symposium on Security and Privacy (SP), pp. 2155-2169. DOI: 10.1109/SP46215.2023.10179421. Online publication date: May 2023.
• (2023) SyzDescribe: Principled, Automated, Static Generation of Syscall Descriptions for Kernel Drivers. 2023 IEEE Symposium on Security and Privacy (SP), pp. 3262-3278. DOI: 10.1109/SP46215.2023.10179298. Online publication date: May 2023.
