Recently, security researchers have uncovered a significant number of high-severity vulnerabilities in Netlink families, posing serious threats to overall kernel security. Despite these risks, there are no automated methods available to effectively detect bugs in Netlink families. For example, Syzkaller—a state-of-the-art, general-purpose kernel fuzzer—fails to achieve effective fuzzing for Netlink families because it depends on manually written descriptions that are often incomplete or inaccurate. To address this gap, we present NLSaber, the first specialized tool designed for enhancing Netlink family fuzzing. NLSaber uses static taint analysis to construct parse graphs that model the message parsing process, and then automatically generates complete and accurate fuzzing descriptions based on these graphs. In our evaluation on Linux 6.1.70, NLSaber identified 76 target families, encompassing 865 operations. The generated fuzzing descriptions were significantly more complete (supporting 43% more families) and more accurate (93% vs. 33% accuracy) compared to existing descriptions. Using these generated descriptions, our enhanced fuzzer improved code coverage by 9.1% over Syzkaller in families supported by both tools (and by 40.8% when including Syzkaller-unsupported families). Additionally, NLSaber uncovered 19 previously unknown vulnerabilities, all reported and confirmed, with 12 CVEs assigned.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

NLSaber: Enhancing Netlink Family Fuzzing via Automated Syscall Description Generation

  • Lin Ma,
  • Xingwei Lin,
  • Ziming Zhang,
  • Yajin Zhou

摘要

Recently, security researchers have uncovered a significant number of high-severity vulnerabilities in Netlink families, posing serious threats to overall kernel security. Despite these risks, there are no automated methods available to effectively detect bugs in Netlink families. For example, Syzkaller—a state-of-the-art, general-purpose kernel fuzzer—fails to achieve effective fuzzing for Netlink families because it depends on manually written descriptions that are often incomplete or inaccurate. To address this gap, we present NLSaber, the first specialized tool designed for enhancing Netlink family fuzzing. NLSaber uses static taint analysis to construct parse graphs that model the message parsing process, and then automatically generates complete and accurate fuzzing descriptions based on these graphs. In our evaluation on Linux 6.1.70, NLSaber identified 76 target families, encompassing 865 operations. The generated fuzzing descriptions were significantly more complete (supporting 43% more families) and more accurate (93% vs. 33% accuracy) compared to existing descriptions. Using these generated descriptions, our enhanced fuzzer improved code coverage by 9.1% over Syzkaller in families supported by both tools (and by 40.8% when including Syzkaller-unsupported families). Additionally, NLSaber uncovered 19 previously unknown vulnerabilities, all reported and confirmed, with 12 CVEs assigned.