Fuzzing Wi-Fi Drivers to Locate Security Vulnerabilities

Mendonça, M.H.; Neves, Nuno

doi:10.1109/edcc-7.2008.22

Cited by 10 publications

(1 citation statement)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Carrette [9] developed the tool CrashMe that tests the robustness of operating systems by trying to execute random data streams as instructions. Mendoncca et al [49] and Jodeit et al [37] demonstrate that fuzzing drivers via the hardware level is another possibility to attack an operating system.…”

Section: Background 21 Fuzzingmentioning

confidence: 99%

Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features

Schwarz

Gruss

Lipp

et al. 2018

Proceedings of the 2018 on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Double-fetch bugs are a special type of race condition, where an unprivileged execution thread is able to change a memory location between the time-of-check and time-of-use of a privileged execution thread. If an unprivileged attacker changes the value at the right time, the privileged operation becomes inconsistent, leading to a change in control flow, and thus an escalation of privileges for the attacker. More severely, such double-fetch bugs can be introduced by the compiler, entirely invisible on the source-code level.We propose novel techniques to efficiently detect, exploit, and eliminate double-fetch bugs. We demonstrate the first combination of state-of-the-art cache attacks with kernel-fuzzing techniques to allow fully automated identification of double fetches. We demonstrate the first fully automated reliable detection and exploitation of double-fetch bugs, making manual analysis as in previous work superfluous. We show that cache-based triggers outperform stateof-the-art exploitation techniques significantly, leading to an exploitation success rate of up to 97 %. Our modified fuzzer automatically detects double fetches and automatically narrows down this candidate set for double-fetch bugs to the exploitable ones. We present the first generic technique based on hardware transactional memory, to eliminate double-fetch bugs in a fully automated and transparent manner. We extend defensive programming techniques by retrofitting arbitrary code with automated double-fetch prevention, both in trusted execution environments as well as in syscalls, with a performance overhead below 1 %. CCS CONCEPTS• Security and privacy → Operating systems security;

show abstract

Section: Background 21 Fuzzingmentioning

confidence: 99%