Charm: Facilitating Dynamic Analysis of Device Drivers of Mobile Systems
Seyed Mohammadjavad Seyed Talebi, Hamid Tavakoli, Hang Zhang, Zheng Zhang, Ardalan Amiri Sani, Zhiyun Qian
UC Irvine UC Riverside
● What is the problem?
● Key ideas to solve the problem
● Design
● Evaluation
● Summary
Security of mobile systems is vital
Mobile systems are diverse
● More than 1,000 Android device manufacturers
● More than 24,000 distinct Android devices
Diverse hardware → many device drivers
Vendor competition → more features → more hardware → more device drivers
Device drivers are a major risk to the security of mobile systems
Source: Jeffrey Vander Stoep. 2016. Android: protecting the kernel. In Linux Security Summit. Linux Foundation.
How to investigate bugs in device drivers of mobile systems?
Dynamic analysis is useful to find vulnerabilities
● Fuzzing
● Interactive debugging
● Record-and-replay
● Selective Symbolic Execution
● Dynamic taint analysis
Many existing dynamic analysis tools use virtual machines
● Fuzzing: kAFL, Digtool
● Interactive debugging and record-and-replay: GDB, QEMU
● Selective Symbolic Execution: S2E
● Dynamic taint analysis: DECAF
Applying these tools to device drivers in mobile systems is hard
● Hardware-assisted virtual machine: not available
● Software-only virtual machine: poor performance
Key ideas to solve the problem
Key idea 1: running device drivers of a mobile system in a virtual machine on a workstation
[Figure: device driver(s) of the mobile system running inside a virtual machine]
● Fails without I/O access
Key idea 2: use the mobile device to serve low-level I/O operations
[Figure: device driver(s) of the mobile system in the virtual machine; low-level I/O operations served by the mobile device]
Design
Device driver of a mobile system: a closer look
[Figure: mobile system with user space and kernel; the OS kernel holds the device driver and the shared modules, which sit above the I/O device and the shared HW]
● Device driver to I/O device: memory-mapped register reads/writes and interrupts
● Shared HW: clock, power management, GPIO, and pin control
● Device driver to shared modules: function calls to the Linux API for the shared modules
Move the device driver to a workstation
[Figure: the device driver moves from the mobile system's kernel into a virtual machine on a workstation (running on a hypervisor); the OS, shared modules, shared HW and I/O device stay on the mobile system]
Challenge: cannot move shared modules
● Mobile system cannot boot without clock, power management, GPIO, and pin control modules
Do not move shared modules
[Figure: the device driver in the virtual machine on the workstation; shared modules and shared HW remain on the mobile system]
Remote I/O operations
● The device driver fails without I/O access, so its I/O operations are performed remotely on the mobile system
Design decision 2: low latency USB channel
[Figure: a stub in the virtual machine and a stub in the mobile system's kernel communicate over a USB channel]
● Normal USB channel: ~2 ms latency
● Charm USB channel: ~100 us latency
Remote I/O interface 1: remote register read/write
Remote I/O interface 2: remote interrupt handling
Remote I/O interface 3: Remote Procedure Call (RPC)
[Figure: for each interface, the device driver in the virtual machine talks to the VM-side stub, which forwards the operation over the USB channel to the stub in the mobile system's kernel]
Evaluation
Charm supports various drivers and devices

| | Nexus 5X | Nexus 6P | Galaxy S7 |
|---|---|---|---|
| Manufacturer | LG | Huawei | Samsung |
| Supported drivers | Camera, Audio | GPU | IMU sensors |
| Lines of code ported | 65,000 + 30,000 | 31,000 | 3,000 |
| Porting time | - | 7 days | 2 days |
Charm supports various dynamic analysis techniques
● Fuzzing
● Record-and-replay
● Manual interactive debugging
How Charm facilitates fuzzing
● More hardware support: VT-x, PT
● More software support: KASAN, KMSAN, KTSAN
● Reliable console access
● No special hardware
Fuzzing scenarios
● Scenario 1 (without Charm): execute the fuzzer on the phone
● Scenario 2 (with Charm): execute the fuzzer on the server
Fuzzing performance on Charm
[Figure: fuzzing performance]
Low overhead for fuzzing on Charm
● Higher performance
● Low-level I/O operations: not frequent
Bugs found by Charm
● Total number of bugs: 25
● New bugs: 14
● Bugs found using KASAN: 2
● False positive bugs: 0
Charm facilitates record-and-replay
● Not feasible without Charm for mobile device drivers
Record all remote I/O interactions
[Figure: while recording, every remote I/O interaction between the VM-side stub and the mobile system's stub over the USB channel is logged]
Replay the recorded interactions
[Figure: while replaying, the VM-side stub serves the device driver from the recording]
● Mobile system is not needed while replaying
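Remote I/O interface 1 (remote register read/write) and the record-and-replay slides above rely on the same stub pair: the VM-side stub forwards each register access over the USB channel and can log it, and a later replay serves the driver from that log with no phone attached. The C block below is an added example written for this transcript, not Charm's code; the message layout, the eight-register mobile-side stub, the 0xC0DE status value and the probe sequence are all constructed, and it also shows the check a replay needs when the replayed driver's accesses stop matching the recording.

```c
#include <stdbool.h>
#include <stdint.h>

/* One message crossing the (here simulated) USB channel between the two stubs. */
enum charm_op { CHARM_READ = 1, CHARM_WRITE = 2 };
struct charm_msg {
    uint8_t  op;
    uint32_t addr;   /* MMIO register offset */
    uint32_t val;    /* value read (filled in by the phone) or written (from the driver) */
};

#define CHARM_LOG_MAX 64
struct charm_ctx {
    bool             replay;    /* false: forward to the phone and record; true: serve from log */
    struct charm_msg log[CHARM_LOG_MAX];
    unsigned         n_log;     /* entries recorded */
    unsigned         cursor;    /* next entry to serve while replaying */
    bool             diverged;  /* replayed driver asked for something the recording lacks */
};

/* Mobile-side stub: a constructed stand-in for the phone and its I/O device. Register 0x00
 * is a control register; setting its bit 0 makes the status register 0x04 read 0xC0DE. */
#define REG_COUNT 8
static uint32_t mobile_regs[REG_COUNT];

static bool mobile_stub(struct charm_msg *m)
{
    uint32_t idx = m->addr / 4;
    if ((m->addr & 3) || idx >= REG_COUNT)          /* unaligned or outside the register window */
        return false;
    if (m->op == CHARM_READ) { m->val = mobile_regs[idx]; return true; }
    mobile_regs[idx] = m->val;
    if (idx == 0 && (m->val & 1)) mobile_regs[1] = 0xC0DE;   /* enabled -> device reports ready */
    return true;
}

/* VM-side stub. Live: forward over the channel and record the exchange. Replay: the next
 * recorded entry must be the same operation on the same address (same value for a write);
 * anything else means the replayed run diverged from the recording and is not served. */
static bool remote_io(struct charm_ctx *c, struct charm_msg *m)
{
    if (!c->replay) {
        if (c->n_log >= CHARM_LOG_MAX || !mobile_stub(m))
            return false;
        c->log[c->n_log++] = *m;
        return true;
    }
    if (c->cursor >= c->n_log || c->log[c->cursor].op != m->op ||
        c->log[c->cursor].addr != m->addr ||
        (m->op == CHARM_WRITE && c->log[c->cursor].val != m->val)) {
        c->diverged = true;                          /* nothing recorded for this access */
        return false;
    }
    *m = c->log[c->cursor++];
    return true;
}

bool charm_readl(struct charm_ctx *c, uint32_t addr, uint32_t *out)
{
    struct charm_msg m = { CHARM_READ, addr, 0 };
    bool ok = remote_io(c, &m);
    if (ok) *out = m.val;
    return ok;
}

bool charm_writel(struct charm_ctx *c, uint32_t addr, uint32_t val)
{
    struct charm_msg m = { CHARM_WRITE, addr, val };
    return remote_io(c, &m);
}

/* A constructed driver probe: enable the device, then read back its status register. */
bool demo_probe(struct charm_ctx *c, uint32_t *status)
{
    return charm_writel(c, 0x00, 0x1) && charm_readl(c, 0x04, status);
}

/* Record a live probe, then replay it with the mobile stub out of the picture.
 * Returns 0xC0DE when the replayed probe reproduces the recorded status, 1 when a tampered
 * replay (first access is a read of 0x04, where the recording begins with a write to 0x00)
 * is caught as a divergence, and 0 on any other outcome. */
uint32_t demo_record_then_replay(bool tamper)
{
    struct charm_ctx live = { 0 }, rep;
    uint32_t s_live = 0, s_rep = 0;
    if (!demo_probe(&live, &s_live))
        return 0;
    rep = live; rep.replay = true; rep.cursor = 0;   /* the log is all the replay needs */
    if (tamper)
        return !charm_readl(&rep, 0x04, &s_rep) && rep.diverged ? 1 : 0;
    return demo_probe(&rep, &s_rep) && !rep.diverged && s_rep == s_live ? s_rep : 0;
}
```

The replay path never touches `mobile_regs`, which is the property the slides rely on when they say the mobile system is not needed while replaying.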
Record-and-replay performance
[Figure: record-and-replay performance]
Charm facilitates manual interactive debugging
● Charm enables using GDB for device drivers
○ Breakpoints
○ Watchpoints
○ Single-step execution
Manual interactive debugging results
● We analyzed three known vulnerabilities
○ CVE-2016-3903: use-after-free bug
○ CVE-2016-2501: out-of-bounds access bug
○ CVE-2016-2061: out-of-bounds access bug
● We built an arbitrary kernel code execution exploit using CVE-2016-2061
Related work

| | Charm | Avatar [NDSS’14] | Surrogate [WOOT’15] |
|---|---|---|---|
| Target | Mobile systems, open source device drivers | Embedded systems firmware | Embedded systems firmware |
| Forward I/O accesses | Yes | Yes | Yes |
| Communication channel | USB | UART and JTAG | PCIe FPGA board/JTAG |
| Performance | Near native | Poor | Near native |
Limitations and future work

| Current implementation | Future work |
|---|---|
| Manual port of drivers | Automatic port of drivers |
| No DMA support | DMA support |
| Open source drivers support | Binary drivers support |
Summary
● Charm facilitates dynamic analysis of mobile device drivers
● Charm’s performance is on par with actual mobile systems
● Charm supports a broad variety of device drivers with reasonable engineering effort
Charm is open source: http://trusslab.github.io/charm
Backup slides: vulnerable code snippet of CVE-2016-2061
Backup slides: building exploit
● Heap or stack? Heap -> Spray target objects
[Figure: vulnerable object and target object at an offset]
Dynamic analysis is very useful

| | Static analysis | Dynamic analysis |
|---|---|---|
| False positives rate | High | Low |
| Compiler/linker bugs | Cannot find | Can find |
| Code obfuscation | Vulnerable | Not vulnerable |
| Unknown types of bugs | Cannot find | Can find |
| Code coverage | High | Low |
CVE-2016-3903
● Is it an out-of-bounds access?
● Watchpoints: use after free