Computer Science (计算机科学) ›› 2025, Vol. 52 ›› Issue (6A): 240400161-8. doi: 10.11896/jsjkx.240400161

• Computer Software & Architecture •

Configuration-guided Directed Kernel Fuzzing for Real-time Linux

SHI Heyuan1,3, CHEN Shijun2,3, ZHANG Qiang4, SHEN Yuheng5, JIANG Yu5, SHI Ronghua1

  1 School of Electronic Information, Central South University, Changsha 410004
    2 School of Computer Science, Central South University, Changsha 410012
    3 Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, Hefei 230037
    4 College of Information Science and Engineering, Hunan University, Changsha 410082
    5 School of Software, Tsinghua University, Beijing 100084
  • Publication date: 2025-06-16; online date: 2025-06-12
  • Corresponding author: SHEN Yuheng (shenyh20@mails.tsinghua.edu.cn)
  • About the author: (hey.shi@foxmail.com)
  • Supported by:
    National Natural Science Foundation of China (62202500); National Key Research and Development Program of China (2022YFB3104003); Hunan Provincial Natural Science Foundation (2023JJ40772); Open Project of Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation (CSSAE-2023-010); High Performance Computing Center of Central South University

Configuration-guided Directed Kernel Fuzzing for Real-time Linux

SHI Heyuan1,3, CHEN Shijun2,3, ZHANG Qiang4, SHEN Yuheng5, JIANG Yu5, SHI Ronghua1   

  1 School of Electronic Information, Central South University, Changsha 410004, China
    2 School of Computer Science and Engineering, Central South University, Changsha 410012, China
    3 Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, Hefei 230037, China
    4 College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China
    5 School of Software, Tsinghua University, Beijing 100084, China
  • Online: 2025-06-16 Published: 2025-06-12
  • About author: SHI Heyuan, born in 1993, associate professor, is a member of CCF (No. T2400M). His main research interests include software safety and testing, and so on.
    SHEN Yuheng, born in 1998, doctoral student. His main research interests include verification of software and operating system kernel fuzzing.
  • Supported by:
    National Natural Science Foundation of China (62202500), National Key Research and Development Program of China (2022YFB3104003), Hunan Provincial Natural Science Foundation (2023JJ40772), Fund of Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation (CSSAE-2023-010) and High Performance Computing Center of Central South University.

Abstract (Chinese version): Real-time Linux is widely used in business scenarios with real-time requirements, so ensuring the security and stability of the real-time Linux kernel is essential. Current mainstream coverage-guided kernel fuzzing techniques are limited in locating specific code under test, so kernel fuzzing lacks the ability to target code related to real-time features. To address this problem, this paper proposes a configuration-guided directed fuzzing method for the real-time Linux kernel. The method first builds a kernel file tree from kernel configuration options to identify kernel code related to real-time features; it then constructs real-time-related test targets from the call relationships between real-time Linux kernel functions and from basic block addresses; finally, it uses a weight-based seed scheduling strategy to improve the directedness of kernel fuzzing. In testing tasks on four versions of the real-time Linux kernel, the method found 58 kernel defects related to real-time features. Compared with the general coverage-guided kernel fuzzer Syzkaller, it increases the number of covered basic blocks in real-time-related code by 17.06% and the number of discovered real-time-related vulnerabilities by 65.39%. The experimental results show that the method significantly improves the real-time-code coverage and directed testing capability of kernel fuzzing.

Key words (Chinese version): Real-time Linux, Fuzz testing, Anomaly detection, Kernel configuration

Abstract: Real-time Linux, owing to its real-time characteristics, has been widely applied in various high-precision scenarios, which underscores the importance of its security and reliability. However, current methods for locating code sections related to real-time features are limited, so coverage-guided kernel fuzzing tools such as Syzkaller lack the ability to test this code comprehensively and thoroughly. To address this issue, this paper proposes a configuration-guided directed fuzzing approach for the real-time Linux kernel. The approach first constructs a kernel file tree from kernel configuration options, identifying real-time feature code and building test targets. Next, it leverages the inter-function call relationships and basic block addresses within the real-time Linux kernel to define specific testing targets for real-time features. Finally, it uses a weight-based seed scheduling strategy to improve the efficiency of directed kernel fuzzing. In testing tasks across four versions of the real-time Linux kernel, the proposed method identifies 58 kernel defects related to real-time features. Compared with the general coverage-guided kernel fuzzer Syzkaller, the approach achieves a 17.06% increase in basic block coverage of real-time feature code and a 65.39% improvement in the detection of vulnerabilities related to real-time features. Experimental results demonstrate that the method significantly enhances the coverage of real-time feature code and the directed testing ability of kernel fuzzing tools.

Key words: Real-time Linux, Fuzz testing, Anomaly detection, Kernel configuration
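The three stages the abstract describes (identifying real-time-related code from configuration options, deriving test targets and their distance from the call graph, and weight-based seed scheduling) can be sketched end to end at function granularity. The Python below is an added illustration, not the paper's implementation or Syzkaller code: the kbuild fragments, the function-to-file map, the call graph, the seed corpus and the weight formula (2.0 per target function hit, 1/(1+d) for a covered function d calls away from a target, a floor of MIN_WEIGHT so coverage-only seeds are still scheduled) are all constructed assumptions, and the paper's basic-block-level targets are simplified to whole functions.

```python
"""Configuration-guided target selection and weighted seed scheduling, sketched
at function granularity.  Added illustration; every data item below is constructed."""
import random
import re
from collections import deque

# Constructed kbuild fragments (directory -> Makefile lines) in the kernel's
# "obj-$(CONFIG_X) += file.o" convention.  These are NOT the real Makefiles.
KBUILD = {
    "kernel/locking": ["obj-y += mutex.o", "obj-$(CONFIG_PREEMPT_RT) += rtmutex.o"],
    "kernel/sched": ["obj-y += core.o", "obj-$(CONFIG_PREEMPT_RT) += rt.o"],
    "kernel/time": ["obj-y += posix-timers.o", "obj-$(CONFIG_HIGH_RES_TIMERS) += hrtimer.o"],
    "kernel/futex": ["obj-y += core.o pi.o"],
    "fs": ["obj-y += read_write.o"],
    "fs/ext4": ["obj-$(CONFIG_EXT4_FS) += inode.o"],
}
# Config options treated as real-time related (assumption for this sketch).
REALTIME_CONFIGS = {"CONFIG_PREEMPT_RT", "CONFIG_HIGH_RES_TIMERS"}

# Constructed function -> defining file map and caller -> callees graph.
# A real tool would extract both from the built kernel (symbols, call sites).
FUNC_FILE = {
    "sys_futex": "kernel/futex/core.c",
    "futex_lock_pi": "kernel/futex/pi.c",
    "rt_mutex_lock": "kernel/locking/rtmutex.c",
    "rt_mutex_unlock": "kernel/locking/rtmutex.c",
    "sys_sched_setscheduler": "kernel/sched/core.c",
    "__sched_setscheduler": "kernel/sched/core.c",
    "enqueue_task_rt": "kernel/sched/rt.c",
    "sys_nanosleep": "kernel/time/posix-timers.c",
    "hrtimer_start": "kernel/time/hrtimer.c",
    "sys_write": "fs/read_write.c",
    "vfs_write": "fs/read_write.c",
    "ext4_file_write": "fs/ext4/inode.c",
}
CALL_GRAPH = {
    "sys_futex": ["futex_lock_pi"],
    "futex_lock_pi": ["rt_mutex_lock", "rt_mutex_unlock"],
    "sys_sched_setscheduler": ["__sched_setscheduler"],
    "__sched_setscheduler": ["enqueue_task_rt"],
    "sys_nanosleep": ["hrtimer_start"],
    "sys_write": ["vfs_write"],
    "vfs_write": ["ext4_file_write"],
}
# Constructed seed corpus: seed name -> functions covered when it was executed.
SEEDS = {
    "futex_pi": {"sys_futex", "futex_lock_pi", "rt_mutex_lock", "rt_mutex_unlock"},
    "nanosleep": {"sys_nanosleep", "hrtimer_start"},
    "ext4_write": {"sys_write", "vfs_write", "ext4_file_write"},
    "setsched": {"sys_sched_setscheduler"},
}

KBUILD_RE = re.compile(r"^obj-(?:\$\((CONFIG_\w+)\)|[ym])\s*\+=\s*(.+)$")
MIN_WEIGHT = 0.05  # floor: seeds that never approach a target are still scheduled


def build_file_tree(kbuild):
    """Map each source file to the config option guarding it (None if always built)."""
    tree = {}
    for directory, lines in kbuild.items():
        for line in lines:
            m = KBUILD_RE.match(line.strip())
            if not m:
                continue
            for obj in m.group(2).split():
                tree[f"{directory}/{obj[:-2]}.c"] = m.group(1)
    return tree


def realtime_targets(func_file, file_tree, rt_configs):
    """Target functions: those defined in files guarded by a real-time option."""
    return {f for f, path in func_file.items() if file_tree.get(path) in rt_configs}


def distance_to_targets(call_graph, targets):
    """BFS over the reversed call graph: number of calls from each function to the nearest target."""
    callers = {}
    for caller, callees in call_graph.items():
        for callee in callees:
            callers.setdefault(callee, []).append(caller)
    dist = {t: 0 for t in targets}
    queue = deque(targets)
    while queue:
        f = queue.popleft()
        for c in callers.get(f, []):
            if c not in dist:
                dist[c] = dist[f] + 1
                queue.append(c)
    return dist  # functions that cannot reach any target are absent


def seed_weight(covered, dist, targets):
    """Assumed weighting: reward target hits and proximity to targets."""
    w = 0.0
    for f in covered:
        if f in targets:
            w += 2.0
        elif f in dist:
            w += 1.0 / (1.0 + dist[f])
    return max(w, MIN_WEIGHT)


def schedule(seeds, dist, targets, rounds, seed=7):
    """Weighted random seed selection; returns how often each seed was chosen."""
    rng = random.Random(seed)
    names = list(seeds)
    weights = [seed_weight(seeds[n], dist, targets) for n in names]
    picks = dict.fromkeys(names, 0)
    for _ in range(rounds):
        picks[rng.choices(names, weights=weights, k=1)[0]] += 1
    return picks


if __name__ == "__main__":
    tree = build_file_tree(KBUILD)
    targets = realtime_targets(FUNC_FILE, tree, REALTIME_CONFIGS)
    dist = distance_to_targets(CALL_GRAPH, targets)
    print("targets:", sorted(targets))
    for name, covered in SEEDS.items():
        print(f"{name:11s} weight={seed_weight(covered, dist, targets):.3f}")
    print("picks over 1000 rounds:", schedule(SEEDS, dist, targets, 1000))
```

With these inputs the futex seed, which exercises two rtmutex targets, receives roughly twice the weight of the nanosleep seed and is scheduled far more often than the ext4 seed, whose covered functions never reach a real-time target; the distance map also makes explicit which syscall entry points can reach real-time code at all, which is the information a directed kernel fuzzer needs before it can prefer one seed over another.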

CLC number: TP311