HITB LAB: Fuzzing File System Implementations to Uncover Security Bugs

Vulnerability research, and especially “fuzz-testing”, has become an ever-growing field recently. Finding (exploitable) vulnerabilities and developing effective countermeasures are essential results of analyzing the inner workings and internals of complex systems. File systems are no exception and are an often overlooked component on both the attacker and defender side. A typical interaction with a file system happens, for example, when a USB flash drive is used. Kernel code with elevated rights is typically executed when such a drive is plugged in and mounted. This includes the code of various file systems from the UNIX world, such as EXT2/3/4, UFS, or ZFS, among others. As a consequence, exploitable bugs in these file systems can have dangerous effects because the affected code executes in kernel mode.
Even though file system implementations are deeply rooted in a system, and they are supposed to be battle-tested, they are still an open field.

This hands-on lab session presents our research on evaluating the robustness of multiple well-established and newer file systems on BSD-based systems. We will develop general guidelines for approaching this area of research efficiently by narrowing down possible attack surfaces. Afterwards, we will dig deeper into how to automate our ideas in order to fuzz kernel file system implementations efficiently.
Simultaneously, we will design a virtualization-based framework and a systematic static/randomized user emulation to further stress-test an operating system.

As part of the lab, we will also triage the crashes found, covering both security and non-security bugs, discuss their impact, and showcase interesting cases in an interactive hands-on session.
These bugs range from simple denial of service through out-of-bounds reads/writes to fatal double/triple faults.

The main goal of this lab is to obtain a deeper understanding of possible attack surfaces within a complex environment like a UNIX operating system, while also acquiring the skill set to rapidly prototype a domain-specific fuzzer.

Outline

Each section will convey basic knowledge of its topic and present the (scientific) thought process from an engineering/design point of view, including an evaluation of the choices made. All sections will be accompanied by either demos or exercises for the attendees to solve, to provide hands-on experience.

0. Primer on fuzzing,
1. Overview of BSD operating systems with a focus on target selection,
2. Introduction of file system implementation details,
3. Compiling your own lightweight kernel to speed up fuzzing,
4. Evaluation of fuzzing infrastructure requirements, highlighting QEMU/libvirt/…,
5. File system mutation methods,
6. Setting up a proper user emulation for fuzzing,
7. Crash root cause analysis.

Key Takeaways

1. How to create a domain-specific fuzzer
2. How to tune fuzzer parameters the right way
3. How to debug/evaluate vulnerabilities.

Attendee requirements

There are no specific knowledge requirements to understand the content of the talk. However, to get the most out of the lab and the practical exercises, it is recommended to have a basic understanding of:

— operating systems, especially UNIX ones.
— x64 ASM, C and Python.
— the “hows” and “whys” of fuzzing.

Hardware requirements for hands-on exercises

Attendees should bring a sufficiently powerful laptop with KVM support (Intel VT-x/AMD-V) and VirtualBox 6.1+ that can run a guest OS with 4 GB of RAM and at least 2 cores smoothly.

MAIN CONFERENCE

Location: Track 3 / HITB Labs
Date: April 24, 2020
Time: 10:30 am - 12:30 pm
Christopher Krah