Evolution of kernel fuzzers in NetBSD
Dumb mutational fuzzing techniques fail to perform in an age where kernel vulnerability mitigation mainly involves techniques such as sandboxing and user-mode privilege separation. We therefore look at advanced fuzzing techniques such as evolutionary fuzzing guided by code coverage, and at fuzzing aids like sanitizers. This talk looks at the fuzzing setup in the NetBSD kernel and the unique techniques that we are implementing for a variety of kernel subsystems.
Talk Outline
- Quick study of common kernel vulnerability mitigation techniques.
- Common issues faced during kernel fuzzing.
- What is coverage guided fuzzing?
- What is kernel code coverage - KCov(4)?
- Introduction to syzkaller and its capabilities (demo of syzkaller)
- Sanitizers and how they work
- Looking into different approaches to fuzzing different parts of the kernel with syzkaller:
  - System calls
  - Network stack
  - Filesystem stack
The talk begins with a brief discussion of some of the containment-based kernel vulnerability mitigation techniques that have been implemented across a variety of operating systems. There will also be a discussion of some of the common issues faced during kernel fuzzing and why advanced techniques are required for effective fuzzing. For example, one of the major issues is fuzzing functions which can't be reached directly from user space because the kernel doesn't export them as part of its API. One way to tackle such issues is to follow the concept of coverage guided fuzzing. We will look into the compiler-instrumented KCov (kernel code coverage) feature and try to understand how it is used in tandem with syzkaller, an open source kernel fuzzer by Google. This will be followed by a quick look into the state of sanitizers in the NetBSD kernel, with a focus on the address sanitizer. After discussing how the whole ecosystem works together, we will move on and take a look at the specific approaches that we are currently implementing for different kernel subsystems such as the filesystem.
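To make the coverage-guided loop concrete, here is an added example (not code from the talk, NetBSD or syzkaller) of the core idea: decode a KCOV_MODE_TRACE_PC buffer (assumed layout: entry 0 is the count of recorded PCs, entries 1..n are the PCs, 64-bit each, as in NetBSD's kcov(4)) and keep only those inputs that reach a program counter never seen before. The kernel is replaced by a constructed `fake_syscall` stub that emits made-up PC values, so the script runs offline.

```python
import random
import struct

# Assumption: 64-bit native-endian kcov_int_t entries, count first, then PCs.
ENTRY = struct.Struct("=Q")


def decode_trace_pc(buf: bytes) -> list[int]:
    """Return the PCs recorded in a KCOV_MODE_TRACE_PC buffer."""
    count = ENTRY.unpack_from(buf, 0)[0]
    return [ENTRY.unpack_from(buf, (i + 1) * ENTRY.size)[0] for i in range(count)]


def encode_trace_pc(pcs) -> bytes:
    """Build a buffer in the same layout (used here by the constructed stub)."""
    return ENTRY.pack(len(pcs)) + b"".join(ENTRY.pack(pc) for pc in pcs)


def fake_syscall(arg: bytes) -> bytes:
    """Constructed stand-in for an instrumented kernel path: PC values are invented."""
    pcs = [0xFFFFFFFF80001000]                     # entry of the handler
    if arg[:4] == b"NBSD":                         # magic check passes
        pcs.append(0xFFFFFFFF80001040)
        if arg[4:5] == b"\x00":                    # deeper branch
            pcs.append(0xFFFFFFFF80001080)
    return encode_trace_pc(pcs)


class CoverageGuidedFuzzer:
    """Evolutionary loop: an input survives only if it uncovers new PCs."""

    def __init__(self, execute):
        self.execute, self.seen, self.corpus = execute, set(), []

    def run_one(self, inp: bytes) -> int:
        new = set(decode_trace_pc(self.execute(inp))) - self.seen
        if new:
            self.seen |= new
            self.corpus.append(inp)
        return len(new)

    @staticmethod
    def mutate(inp: bytes, rng: random.Random) -> bytes:
        out = bytearray(inp) or bytearray(b"\x00")
        out[rng.randrange(len(out))] = rng.randrange(256)   # one-byte flip
        return bytes(out)

    def fuzz(self, seed: bytes, iterations: int, rng_seed: int = 0) -> int:
        rng = random.Random(rng_seed)
        self.run_one(seed)
        for _ in range(iterations):
            self.run_one(self.mutate(rng.choice(self.corpus or [seed]), rng))
        return len(self.seen)                      # distinct PCs reached so far
```

With a real kcov(4) buffer, `execute` would enable tracing, issue the syscall, disable tracing and hand back the mmap'd buffer; the selection logic stays the same.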