Drifuzz: Harvesting Bugs in Device Drivers from Golden Seeds
Peripheral hardware in modern computers is typically assumed to be secure and not malicious, and device drivers are implemented in a way that trusts inputs from hardware. However, recent vulnerabilities such as Broadpwn have demonstrated that attackers can exploit hosts through vulnerable peripherals, highlighting the importance of securing the OS-peripheral boundary. In this talk, we present a hardware-free concolic-augmented fuzzer targeting WiFi and Ethernet drivers, and a technique for generating high-quality initial seeds, which we call golden seeds, that allow fuzzing to bypass difficult code constructs during driver initialization. Compared to prior work using symbolic execution or greybox fuzzing, Drifuzz is more successful at automatically finding inputs that allow network interfaces to be fully initialized, and improves fuzzing coverage by 214% (3.1x) in WiFi drivers and 60% (1.6x) for Ethernet drivers. During our experiments with fourteen PCI and USB network drivers, we found eleven previously unknown bugs, two of which were assigned CVEs.
Brendan Dolan-Gavitt is an Assistant Professor in the Computer Science and Engineering Department at the NYU Tandon School of Engineering, and is a member of the NYU Center for Cybersecurity (CCS). He leads the the MESS Lab, which focuses on software security, reverse engineering, embedded systems, and machine learning security. He is the recipient of a 2022 NSF CAREER award, and can be found making bad jokes as @moyix on Twitter.