PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary

Conference: BlackHat USA 2019

2019-08-07

Summary

PeriScope is a practical dynamic analysis tool that can analyze large, complex device drivers along the hardware-OS boundary and is effective at finding vulnerabilities. The tool was used to analyze Wi-Fi drivers in popular Android smartphones and found 15 vulnerabilities, including memory safety violations, reachable assertions, and null pointer dereferences.
  • PeriScope is a dynamic analysis tool used to analyze large, complex device drivers along the hardware-OS boundary
  • The tool was used to analyze Wi-Fi drivers in popular Android smartphones and found 15 vulnerabilities
  • The vulnerabilities included memory safety violations, reachable assertions, and null pointer dereferences
  • The Wi-Fi drivers were highly concurrent and consisted of hundreds of thousands of lines of code
  • Existing driver fuzzers could not directly fuzz certain code paths because those paths run in interrupt or kernel thread context
  • The fuzzing throughput ranged from 7 to 24 inputs per second and could be improved with optimization
  • Future work includes minimizing the impact of shallow bugs and improving the throughput
  • PeriScope is a practical dynamic analysis tool that can effectively find vulnerabilities along the hardware-OS boundary
The tool found a double-fetch bug in which the driver fetched the same value twice from a message, causing the system to crash. It also found a kernel address leak in which a kernel pointer was disclosed to the device as a "cookie", causing the system to crash when the driver read the value back and dereferenced it.

Abstract

The OS kernel is an attractive target for remote attackers. If compromised, the kernel gives adversaries full system access, including the ability to install rootkits, extract sensitive information, and perform other malicious actions, all while evading detection. Most of the kernel protection efforts have focused primarily on securing the system call interface, through which adversaries in user space can compromise the kernel. However, there are additional paths to kernel compromise that do not involve system calls, as has been demonstrated by recent remote kernel exploits. For example, by compromising the firmware of a peripheral device such as a Wi-Fi chipset and subsequently sending malicious inputs from the Wi-Fi chipset to the Wi-Fi driver, adversaries have been able to gain control over the kernel without invoking a single system call. Unfortunately, there are currently no versatile probing and fuzzing frameworks that can help developers find and fix vulnerabilities occurring along the hardware-OS boundary.

In this talk, I will present PeriScope, a Linux-kernel-based in-kernel probing framework that enables fine-grained analysis of device-driver interactions. PeriScope hooks into the kernel's page fault handling mechanism to either passively monitor and log traffic between device drivers and their corresponding hardware, or mutate the data stream on-the-fly using a fuzzing component, PeriFuzz, thus mimicking an active adversarial attack. PeriFuzz accurately models the capabilities of an attacker on peripheral devices, to expose different classes of bugs including, but not limited to, memory corruption bugs and double-fetch bugs. To demonstrate the risk that peripheral devices pose, as well as the value of our framework, we have evaluated PeriFuzz on the Wi-Fi drivers of two popular chipset vendors, where we discovered 15 unique vulnerabilities, 9 of which were previously unknown.
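The two bug classes the summary singles out, the double fetch from device-shared memory and the kernel pointer handed to the device as a cookie, both come down to a driver trusting data that a peripheral can rewrite at will, which is exactly what PeriFuzz emulates by mutating the data stream. The following C is an added illustration, not code from the talk, the PeriScope project or any vendor driver: the `struct dev_msg` layout, the `dev_mutator` hook that stands in for a hostile or fuzzed device, the sanitizer-like `copy_payload`, and the slot-plus-generation cookie scheme are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a message buffer shared with a peripheral (e.g. a
 * DMA-mapped ring entry). The device can rewrite it at any moment, which is
 * the behaviour PeriFuzz emulates by mutating data as the driver reads it.
 * 'volatile' stops the compiler from merging the two reads below. */
#define MSG_MAX 16
struct dev_msg {
    volatile uint32_t len;               /* payload length claimed by device */
    volatile uint8_t payload[MSG_MAX];
};

/* Hypothetical hook standing in for a hostile or fuzzed device: it runs
 * between the driver's two reads of the same field. */
typedef void (*dev_mutator)(struct dev_msg *m);

/* Bounded copy that behaves like a sanitizer: instead of overflowing 'out' it
 * reports the violation, so the defect is observable without a crash. */
static int copy_payload(struct dev_msg *m, size_t n, uint8_t *out, size_t out_sz)
{
    if (n > out_sz)
        return -2;                       /* out-of-bounds write detected */
    for (size_t i = 0; i < n && i < MSG_MAX; i++)
        out[i] = m->payload[i];
    return (int)n;
}

/* Vulnerable pattern: 'len' is validated on one fetch from shared memory and
 * used on a second, so a device that changes it in between defeats the check
 * (the double-fetch class discussed in the talk). */
int parse_double_fetch(struct dev_msg *m, dev_mutator between,
                       uint8_t *out, size_t out_sz)
{
    if (m->len > out_sz)                 /* fetch #1: check */
        return -1;
    if (between)
        between(m);                      /* device rewrites the buffer here */
    return copy_payload(m, m->len, out, out_sz);   /* fetch #2: use */
}

/* Hardened pattern: fetch once into a local the device cannot touch, then
 * check and use that local value. */
int parse_single_fetch(struct dev_msg *m, dev_mutator between,
                       uint8_t *out, size_t out_sz)
{
    uint32_t len = m->len;               /* the only fetch */
    if (len > out_sz)
        return -1;
    if (between)
        between(m);                      /* mutation no longer matters */
    return copy_payload(m, len, out, out_sz);
}

/* Constructed adversarial device behaviour: inflate the length after the
 * driver has checked it. */
void device_inflate_len(struct dev_msg *m)
{
    m->len = MSG_MAX * 4;
}

/* ---- Kernel-address leak: opaque handles instead of raw pointers ---- */

/* Instead of handing the device a kernel pointer as a 'cookie' and
 * dereferencing whatever comes back, the driver issues a slot index plus a
 * generation tag and validates the returned cookie against its own table. */
#define SLOTS 8
struct request { int id; int in_use; };
static struct request req_table[SLOTS];
static uint16_t req_gen[SLOTS];

/* Returns a cookie to give the device; never 0, so 0 can mean "invalid". */
uint32_t cookie_issue(int slot, int id)
{
    if (slot < 0 || slot >= SLOTS)
        return 0;
    req_table[slot].id = id;
    req_table[slot].in_use = 1;
    req_gen[slot] = (uint16_t)(req_gen[slot] + 1);
    if (req_gen[slot] == 0)
        req_gen[slot] = 1;               /* keep the generation non-zero */
    return ((uint32_t)req_gen[slot] << 16) | (uint32_t)slot;
}

/* Resolves a cookie the device sent back; NULL for out-of-range, unused or
 * stale values, so a forged cookie is never dereferenced. */
struct request *cookie_resolve(uint32_t cookie)
{
    uint32_t slot = cookie & 0xffffu;
    uint16_t gen = (uint16_t)(cookie >> 16);
    if (slot >= SLOTS || !req_table[slot].in_use || req_gen[slot] != gen)
        return NULL;
    return &req_table[slot];
}
```

Running `parse_double_fetch` with `device_inflate_len` as the mutator reproduces the failure mode: the first read passes the bounds check, the device changes the length, and the copy would overrun the destination. `parse_single_fetch` is immune because the checked value and the used value are the same local. The cookie half shows the shape of the fix for the pointer leak: nothing the device returns is ever treated as an address, only as an index that is range- and generation-checked against driver-private state.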
