-
SyzRetrospector: A Large-Scale Retrospective Study of Syzbot
Authors:
Joseph Bursey,
Ardalan Amiri Sani,
Zhiyun Qian
Abstract:
Over the past 6 years, Syzbot has fuzzed the Linux kernel day and night to report over 5570 bugs, of which 4604 have been patched [11]. While this is impressive, we have found the average time to find a bug is over 405 days. Moreover, we have found that current metrics commonly used, such as time-to-find and number of bugs found, are inaccurate in evaluating Syzbot since bugs often spend the majority of their lives hidden from the fuzzer. In this paper, we set out to better understand and quantify Syzbot's performance and improvement in finding bugs. Our tool, SyzRetrospector, takes a different approach to evaluating Syzbot by finding the earliest that Syzbot was capable of finding a bug, and why that bug was revealed. We use SyzRetrospector on a large scale to analyze 559 bugs and find that bugs are hidden for an average of 331.17 days before Syzbot is even able to find them. We further present findings on the behaviors of revealing factors, how some bugs are harder to reveal than others, the trends in delays over the past 6 years, and how bug location relates to delays. We also provide key takeaways for improving Syzbot's delays.
Submitted 21 January, 2024;
originally announced January 2024.
-
BRF: eBPF Runtime Fuzzer
Authors:
Hsin-Wei Hung,
Ardalan Amiri Sani
Abstract:
The eBPF technology in the Linux kernel has been widely adopted for different applications, such as networking, tracing, and security, thanks to the programmability it provides. By allowing user-supplied eBPF programs to be executed directly in the kernel, it greatly increases the flexibility and efficiency of deploying customized logic. However, eBPF also introduces a new and wide attack surface: malicious eBPF programs may try to exploit the vulnerabilities in the eBPF subsystem in the kernel.
Fuzzing is a promising technique to find such vulnerabilities. Unfortunately, our experiments with the state-of-the-art kernel fuzzer, Syzkaller, show that it cannot effectively fuzz the eBPF runtime, i.e., the components in charge of executing an eBPF program, for two reasons. First, the eBPF verifier (which is tasked with verifying the safety of eBPF programs) rejects many fuzzing inputs because (1) they do not comply with its required semantics or (2) they miss some dependencies, i.e., other syscalls that need to be issued before the program is loaded. Second, Syzkaller fails to attach and trigger the execution of eBPF programs most of the time.
This paper introduces the BPF Runtime Fuzzer (BRF), a fuzzer that can satisfy the semantics and dependencies required by the verifier and the eBPF subsystem. Our experiments show that, in 48-hour fuzzing sessions, BRF can successfully execute 8x more eBPF programs than Syzkaller. Moreover, eBPF programs generated by BRF are much more expressive than Syzkaller's. As a result, BRF achieves 101% higher code coverage. Finally, BRF has so far managed to find 4 vulnerabilities (some of them have been assigned CVE numbers) in the eBPF runtime, proving its effectiveness.
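The "dependencies" and "attach and trigger" problems in the abstract are concrete syscall-ordering constraints. The following is an added example, not code from BRF or Syzkaller, that walks the minimal chain a valid eBPF input needs: create a map, assemble a program whose ld_imm64 references that map's fd, pass it through the verifier with BPF_PROG_LOAD, attach it to a socket, and send one packet so the program actually runs. It assumes Linux on x86_64 (syscall number) and CAP_BPF or root at run time; the opcode values and the bpf_attr field offsets are transcribed from the kernel UAPI so that <linux/bpf.h> is not needed, and the packet-counting program itself is constructed for this example.

```c
/* Added example (not BRF's or Syzkaller's code): the syscall dependency chain
 * a fuzzing input must satisfy before an eBPF program ever executes.
 * Assumes Linux x86_64 and CAP_BPF/CAP_SYS_ADMIN; struct layouts below mirror
 * the kernel UAPI (linux/bpf.h) so the file compiles without that header. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/syscall.h>

#ifndef __NR_bpf
#define __NR_bpf 321            /* x86_64 value; assumption on other arches */
#endif
#ifndef SO_ATTACH_BPF
#define SO_ATTACH_BPF 50
#endif

enum { CMD_MAP_CREATE = 0, CMD_MAP_LOOKUP_ELEM = 1, CMD_PROG_LOAD = 5 };
enum { MAP_TYPE_ARRAY = 2, PROG_TYPE_SOCKET_FILTER = 1, PSEUDO_MAP_FD = 1 };
enum { FUNC_map_lookup_elem = 1 };

/* One eBPF instruction, same 8-byte layout as struct bpf_insn. */
struct insn { uint8_t code; uint8_t dst_reg:4, src_reg:4; int16_t off; int32_t imm; };
#define INSN(c, d, s, o, i) ((struct insn){ (c), (d), (s), (o), (i) })

/* Subsets of union bpf_attr, fields at the kernel's (8-byte aligned) offsets. */
struct map_attr  { uint32_t map_type, key_size, value_size, max_entries, map_flags; };
struct prog_attr { uint32_t prog_type, insn_cnt; uint64_t insns, license;
                   uint32_t log_level, log_size; uint64_t log_buf; };
struct elem_attr { uint32_t map_fd, pad; uint64_t key, value; };

static long bpf(int cmd, void *attr, unsigned size) { return syscall(__NR_bpf, cmd, attr, size); }

/* Socket filter: map[0] += 1 for every packet, then keep the packet.
 * The map fd is baked into the ld_imm64 pair, which is exactly the dependency
 * the verifier enforces: load fails with EBADF if the map was never created. */
size_t build_counter_prog(struct insn *p, int map_fd) {
    size_t n = 0;
    p[n++] = INSN(0x18, 1, PSEUDO_MAP_FD, 0, map_fd);  /* r1 = map (ld_imm64 lo) */
    p[n++] = INSN(0x00, 0, 0, 0, 0);                    /*               (hi = 0) */
    p[n++] = INSN(0xb7, 2, 0, 0, 0);                    /* r2 = 0                 */
    p[n++] = INSN(0x63, 10, 2, -4, 0);                  /* *(u32 *)(fp - 4) = r2  */
    p[n++] = INSN(0xbf, 2, 10, 0, 0);                   /* r2 = fp                */
    p[n++] = INSN(0x07, 2, 0, 0, -4);                   /* r2 += -4  (key ptr)    */
    p[n++] = INSN(0x85, 0, 0, 0, FUNC_map_lookup_elem); /* r0 = lookup(r1, r2)    */
    p[n++] = INSN(0x15, 0, 0, 2, 0);                    /* if r0 == NULL goto +2  */
    p[n++] = INSN(0xb7, 1, 0, 0, 1);                    /* r1 = 1                 */
    p[n++] = INSN(0xdb, 0, 1, 0, 0);                    /* lock *(u64 *)r0 += r1  */
    p[n++] = INSN(0xb7, 0, 0, 0, -1);                   /* r0 = -1 (keep packet)  */
    p[n++] = INSN(0x95, 0, 0, 0, 0);                    /* exit                   */
    return n;
}

/* Steps 1-3: map first, then the program that depends on its fd.
 * Returns the program fd, or -errno (e.g. -EPERM without CAP_BPF). */
int load_counter_prog(int *map_fd_out, char *log, unsigned log_size) {
    struct map_attr m = { MAP_TYPE_ARRAY, sizeof(uint32_t), sizeof(uint64_t), 1, 0 };
    int map_fd = bpf(CMD_MAP_CREATE, &m, sizeof m);
    if (map_fd < 0) return -errno;
    struct insn prog[16];
    struct prog_attr a = { PROG_TYPE_SOCKET_FILTER, (uint32_t)build_counter_prog(prog, map_fd),
                           (uint64_t)(uintptr_t)prog, (uint64_t)(uintptr_t)"GPL",
                           1, log_size, (uint64_t)(uintptr_t)log };
    int prog_fd = bpf(CMD_PROG_LOAD, &a, sizeof a);
    if (prog_fd < 0) return -errno;
    *map_fd_out = map_fd;
    return prog_fd;
}

int main(void) {
    static char log[4096];          /* verifier log; printed when load is rejected */
    int map_fd, prog_fd = load_counter_prog(&map_fd, log, sizeof log);
    if (prog_fd < 0) { fprintf(stderr, "load failed: %s\n%s", strerror(-prog_fd), log); return 1; }

    /* Step 4: attach to a UDP socket.  Step 5: trigger with one loopback datagram. */
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof addr;
    if (s < 0 || bind(s, (struct sockaddr *)&addr, len) || getsockname(s, (struct sockaddr *)&addr, &len) ||
        setsockopt(s, SOL_SOCKET, SO_ATTACH_BPF, &prog_fd, sizeof prog_fd)) { perror("attach"); return 1; }
    char byte = 0;
    sendto(s, &byte, 1, 0, (struct sockaddr *)&addr, len);
    recv(s, &byte, 1, 0);

    uint32_t key = 0; uint64_t count = 0;
    struct elem_attr e = { map_fd, 0, (uint64_t)(uintptr_t)&key, (uint64_t)(uintptr_t)&count };
    if (bpf(CMD_MAP_LOOKUP_ELEM, &e, sizeof e)) { perror("lookup"); return 1; }
    printf("filter ran %llu time(s)\n", (unsigned long long)count);
    return 0;
}
```

Build with `gcc -O2 -o bpfdeps bpfdeps.c` and run as root. Reordering any step breaks the chain in the way the abstract describes: assembling the program before the map exists gives the verifier a bogus fd in the ld_imm64 and the load is rejected; loading without attaching leaves a program that never runs, so a bug in the runtime is never reached; attaching without sending a packet has the same effect. A fuzzer that wants runtime coverage has to generate all five steps in order, not just random bpf() calls.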
Submitted 15 May, 2023;
originally announced May 2023.
-
Minimizing Trust with Exclusively-Used Physically-Isolated Hardware
Authors:
Zhihao Yao,
Seyed Mohammadjavad Seyed Talebi,
Mingyi Chen,
Ardalan Amiri Sani,
Thomas Anderson
Abstract:
Smartphone owners often need to run security-critical programs on the same device as other untrusted and potentially malicious programs. This requires users to trust hardware and system software to correctly sandbox malicious programs, trust that is often misplaced.
Our goal is to minimize the number and complexity of hardware and software components that a smartphone owner needs to trust to withstand adversarial inputs. We present a multi-domain hardware design composed of statically-partitioned, physically-isolated trust domains. We introduce a few simple, formally-verified hardware components to enable a program to gain provably exclusive and simultaneous access to both computation and I/O on a temporary basis. To manage this hardware, we present OctopOS, an OS composed of mutually distrustful subsystems.
We present a prototype of this machine (hardware and OS) on a CPU-FPGA board and show that it incurs a small hardware cost compared to modern SoCs. For security-critical programs, we show that this machine significantly reduces the required trust compared to mainstream TEEs while achieving decent performance. For normal programs, performance is similar to a legacy machine.
Submitted 20 October, 2022; v1 submitted 15 March, 2022;
originally announced March 2022.
-
Vronicle: A System for Producing Videos with Verifiable Provenance
Authors:
Yuxin Liu,
Yoshimichi Nakatsuka,
Ardalan Amiri Sani,
Sharad Agarwal,
Gene Tsudik
Abstract:
Demonstrating the veracity of videos is a longstanding problem that has recently become more urgent and acute. It is extremely hard to accurately detect manipulated videos using content analysis, especially in the face of subtle, yet effective, manipulations, such as frame rate changes or skin tone adjustments. One prominent alternative to content analysis is to securely embed provenance information into videos. However, prior approaches have poor performance and/or granularity that is too coarse. To this end, we construct Vronicle -- a video provenance system that offers fine-grained provenance information and substantially better performance. It allows a video consumer to authenticate the camera that originated the video and the exact sequence of video filters that were subsequently applied to it. Vronicle exploits the increasing popularity and availability of Trusted Execution Environments (TEEs) on many types of computing platforms.
One contribution of Vronicle is the design of provenance information that allows the consumer to verify various aspects of the video, thereby defeating numerous fake-video creation methods. Vronicle's adversarial model allows for a powerful adversary that can manipulate the video (e.g., in transit) and the software state outside the TEE. Another contribution is the use of fixed-function Intel SGX enclaves to post-process videos. This design facilitates verification of provenance information.
We present a prototype implementation of Vronicle (to be open sourced), which relies on current technologies, making it readily deployable. Our evaluation demonstrates that Vronicle's performance is well-suited for offline use-cases.
Submitted 26 September, 2021;
originally announced September 2021.
-
IoT Notary: Attestable Sensor Data Capture in IoT Environments
Authors:
Nisha Panwar,
Shantanu Sharma,
Guoxi Wang,
Sharad Mehrotra,
Nalini Venkatasubramanian,
Mamadou H. Diallo,
Ardalan Amiri Sani
Abstract:
Contemporary IoT environments, such as smart buildings, require end-users to trust data-capturing rules published by the systems. There are several reasons why such trust is misplaced -- IoT systems may violate the rules deliberately, or IoT devices may transfer user data to a malicious third party due to cyberattacks, leading to the loss of individuals' privacy or service integrity. To address such concerns, we propose IoT Notary, a framework to ensure trust in IoT systems and applications. IoT Notary provides secure log sealing on live sensor data to produce a verifiable `proof-of-integrity,' based on which a verifier can attest that captured sensor data adheres to the published data-capturing rules. IoT Notary is an integral part of TIPPERS, a smart space system that has been deployed at the University of California Irvine to provide various real-time location-based services on the campus. We present extensive experiments over real-time WiFi connectivity data to evaluate IoT Notary, and the results show that IoT Notary imposes nominal overheads. The secure logs take only 21% more storage, while users can verify one day of their data in less than two seconds, even on a resource-limited device.
Submitted 4 August, 2021;
originally announced August 2021.
-
IoT Notary: Sensor Data Attestation in Smart Environment
Authors:
Nisha Panwar,
Shantanu Sharma,
Guoxi Wang,
Sharad Mehrotra,
Nalini Venkatasubramanian,
Mamadou H. Diallo,
Ardalan Amiri Sani
Abstract:
Contemporary IoT environments, such as smart buildings, require end-users to trust data-capturing rules published by the systems. There are several reasons why such trust is misplaced --- IoT systems may violate the rules deliberately, or IoT devices may transfer user data to a malicious third party due to cyberattacks, leading to the loss of individuals' privacy or service integrity. To address such concerns, we propose IoT Notary, a framework to ensure trust in IoT systems and applications. IoT Notary provides secure log sealing on live sensor data to produce a verifiable `proof-of-integrity,' based on which a verifier can attest that captured sensor data adheres to the published data-capturing rules. IoT Notary is an integral part of TIPPERS, a smart space system that has been deployed at UCI to provide various real-time location-based services on the campus. IoT Notary imposes nominal overheads for verification, so that users can verify one day of their data in less than two seconds.
Submitted 27 August, 2019;
originally announced August 2019.
-
Glider: A GPU Library Driver for Improved System Security
Authors:
Ardalan Amiri Sani,
Lin Zhong,
Dan S. Wallach
Abstract:
Legacy device drivers implement both device resource management and isolation. This results in a large code base with a wide high-level interface making the driver vulnerable to security attacks. This is particularly problematic for increasingly popular accelerators like GPUs that have large, complex drivers. We solve this problem with library drivers, a new driver architecture. A library driver implements resource management as an untrusted library in the application process address space, and implements isolation as a kernel module that is smaller and has a narrower lower-level interface (i.e., closer to hardware) than a legacy driver. We articulate a set of device and platform hardware properties that are required to retrofit a legacy driver into a library driver. To demonstrate the feasibility and superiority of library drivers, we present Glider, a library driver implementation for two GPUs of popular brands, Radeon and Intel. Glider reduces the TCB size and attack surface by about 35% and 84% respectively for a Radeon HD 6450 GPU and by about 38% and 90% respectively for an Intel Ivy Bridge GPU. Moreover, it incurs no performance cost. Indeed, Glider outperforms a legacy driver for applications requiring intensive interactions with the device driver, such as applications using the OpenGL immediate mode API.
Submitted 13 November, 2014;
originally announced November 2014.
-
Rio: A System Solution for Sharing I/O between Mobile Systems
Authors:
Ardalan Amiri Sani,
Kevin Boos,
Min Hong Yun,
Lin Zhong
Abstract:
Mobile systems are equipped with a diverse collection of I/O devices, including cameras, microphones, sensors, and modems. There exist many novel use cases for allowing an application on one mobile system to utilize I/O devices from another. This paper presents Rio, an I/O sharing solution that supports unmodified applications and exposes all the functionality of an I/O device for sharing. Rio's design is common to many classes of I/O devices, thus significantly reducing the engineering effort to support new I/O devices. Our implementation of Rio on Android consists of 6700 total lines of code and supports four I/O classes with fewer than 450 class-specific lines of code. Rio also supports I/O sharing between mobile systems of different form factors, including smartphones and tablets. We show that Rio achieves performance close to that of local I/O for audio, sensors, and modems, but suffers noticeable performance degradation for camera due to network throughput limitations between the two systems, which is likely to be alleviated by emerging wireless standards.
Submitted 17 December, 2013;
originally announced December 2013.
-
Making I/O Virtualization Easy with Device Files
Authors:
Ardalan Amiri Sani,
Sreekumar Nair,
Lin Zhong,
Quinn Jacobson
Abstract:
Personal computers have diverse and fast-evolving I/O devices, making their I/O virtualization different from that of servers and data centers. In this paper, we present our recent endeavors in simplifying I/O virtualization for personal computers. Our key insight is that many operating systems, including Unix-like ones, abstract I/O devices as device files. There is a small and stable set of operations on device files, therefore, I/O virtualization at the device file boundary requires a one-time effort to support various I/O devices.
We present devirtualization, our design of I/O virtualization at the device file boundary and its implementation for Linux/x86 systems. We are able to virtualize various GPUs, input devices, cameras, and audio devices with fewer than 4900 LoC, of which only about 300 are specific to I/O device classes. Our measurements show that devirtualized devices achieve interactive performance indistinguishable from native ones by human users, even when running 3D HD games.
Submitted 13 April, 2013;
originally announced April 2013.
-
Opportunistic Content Search of Smartphone Photos
Authors:
Ardalan Amiri Sani,
Wolfgang Richter,
Xuan Bao,
Trevor Narayan,
Mahadev Satyanarayanan,
Lin Zhong,
Romit Roy Choudhury
Abstract:
Photos taken by smartphone users can accidentally contain content that is timely and valuable to others, often in real-time. We report the system design and evaluation of a distributed search system, Theia, for crowd-sourced real-time content search of smartphone photos. Because smartphones are resource-constrained, Theia incorporates two key innovations to control search cost and improve search efficiency. Incremental Search expands search scope incrementally and exploits user feedback. Partitioned Search leverages the cloud to reduce the energy consumption of search in smartphones. Through user studies, measurement studies, and field studies, we show that Theia reduces the cost per relevant photo by an average of 59%. It reduces the energy consumption of search by up to 55% and 81% compared to alternative strategies of executing entirely locally or entirely in the cloud. Search results from smartphones are obtained in seconds. Our experiments also suggest approaches to further improve these results.
Submitted 28 June, 2011;
originally announced June 2011.