Description
Fuzzing is a popular approach to finding vulnerabilities in the firmware of embedded Linux systems. Previous work on firmware emulation and analysis has mostly focused on finding vulnerabilities in userspace programs, but many firmware images also contain proprietary kernel modules. Since module code runs with full kernel privileges, vulnerabilities in kernel modules can have a large impact on system security. In this thesis we present our system for emulating and fuzzing kernel modules that are only available as binaries, using the Unicorefuzz fuzzing framework. We improve Unicorefuzz by fixing issues that could lead to false positives, and by adding detection of invalid operations on heap memory that does not require compile-time instrumentation of the fuzzing target. To reduce the manual effort required for a working fuzzing setup, we provide tools that automate the creation of Linux kernel and Unicorefuzz configuration files compatible with a given module binary. All of our tools and improvements are designed to be reusable in future fuzzing projects. We evaluate our system by fuzzing ten kernel modules from recent firmware releases, finding vulnerabilities in five of them.