[Review] HEALER: Relation Learning Guided Kernel Fuzzing
The paper proposes relation learning, a technique for inferring influence relations between system calls (whether executing one call changes the kernel's behaviour on a later call) to guide kernel fuzzing.
Relation learning builds a relation graph: a two-dimensional table over all described system calls in which each cell records whether one call influences another.
The relation graph is built through static and dynamic learning. Static learning infers relations from the system call descriptions: if a resource returned by one call, or written to one of its output parameters, is accepted as an input parameter of another call, the first influences the second. Dynamic learning infers relations at run time from minimized system call sequences: when removing a call from a sequence changes the coverage of a later call, a relation between the two is recorded.
Introduction
Kernel fuzzing is critical, but existing fuzzers such as Syzkaller and Moonshine do not effectively infer the relations between system calls, so the call sequences they generate rarely reach the deeper kernel states where hidden bugs lie.
HEALER addresses this with relation learning.
HEALER achieves 28% and 21% higher branch coverage than Syzkaller and Moonshine on average, respectively, and reaches the coverage those two fuzzers reach with a speed-up of 2.2× and 1.8×, respectively.
Implementation
Syzkaller's system call descriptions (Syzlang) are reused rather than written anew.
Static learning: relations inferred from the parameter and return-value types in the descriptions.
Dynamic learning: relations inferred from minimized system call sequences observed during fuzzing.
The relation graph guides the fuzzing loop: generation and mutation of call sequences, and synthesis of their parameters.
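The following is an added example, not HEALER's code (HEALER itself is a separate project), sketching in Python the two learning stages and the relation-guided generation described in the summary above and in these implementation notes. The Syzlang-like descriptions, the resource hierarchy (sock as a subtype of fd), the stand-in for kernel execution and the hidden setsockopt -> sendmsg dependency are all constructed assumptions for illustration.

```python
"""Toy model of relation learning for kernel fuzzing (added example, not
HEALER's code). Descriptions, resource types and the "kernel" are constructed."""
import random

# Constructed Syzlang-like descriptions: input argument types, output argument
# types and the return type. Real Syzlang is far richer; this is a sketch.
SYSCALLS = {
    "open":       {"in": ["filename", "flags"], "out": [], "ret": "fd"},
    "pipe":       {"in": [], "out": ["fd", "fd"], "ret": "int"},
    "socket":     {"in": ["domain", "type", "proto"], "out": [], "ret": "sock"},
    "setsockopt": {"in": ["sock", "level", "opt", "buf"], "out": [], "ret": "int"},
    "sendmsg":    {"in": ["sock", "msghdr", "flags"], "out": [], "ret": "int"},
    "read":       {"in": ["fd", "buf", "len"], "out": [], "ret": "int"},
    "close":      {"in": ["fd"], "out": [], "ret": "int"},
}
# Resource types with Syzlang-style inheritance (assumption: a sock is an fd).
RESOURCE_PARENT = {"fd": None, "sock": "fd"}
# Constructed behaviour invisible to static learning: sendmsg takes an extra
# path only when setsockopt has already run on the socket.
HIDDEN_DEPS = {"sendmsg": {"setsockopt"}}

def accepts(arg_type, produced):
    """True if a value of resource type `produced` (or an ancestor of it) can be
    passed where `arg_type` is expected."""
    t = produced
    while t is not None:
        if t == arg_type:
            return True
        t = RESOURCE_PARENT.get(t)
    return False

def static_relations(descs):
    """Static learning: A -> B if a resource A returns or writes to an output
    argument is accepted as an input argument of B."""
    rel = {a: set() for a in descs}
    for a, da in descs.items():
        produced = [t for t in [da["ret"], *da["out"]] if t in RESOURCE_PARENT]
        for b, db in descs.items():
            if any(accepts(arg, p) for p in produced for arg in db["in"]):
                rel[a].add(b)
    return rel

def execute(seq):
    """Constructed stand-in for running a program and collecting per-call
    coverage. A call whose resource arguments have no producer earlier in the
    sequence takes only an error path; hidden dependencies add extra blocks."""
    covered, produced, seen = [], [], set()
    for call in seq:
        d = SYSCALLS[call]
        needs = [t for t in d["in"] if t in RESOURCE_PARENT]
        if all(any(accepts(t, p) for p in produced) for t in needs):
            blocks = {call + ":entry"}
            blocks |= {f"{call}:after_{dep}" for dep in HIDDEN_DEPS.get(call, ())
                       if dep in seen}
            produced += [t for t in [d["ret"], *d["out"]] if t in RESOURCE_PARENT]
            seen.add(call)
        else:
            blocks = {call + ":ebadf"}
        covered.append(frozenset(blocks))
    return covered

def minimize_and_learn(seq, rel):
    """Dynamic learning during minimization. The last call is the one that found
    new coverage and is kept. Each earlier call is removed in turn: if that
    changes the coverage of any later call, the removed call influences those
    calls (and is kept); otherwise it is dropped from the minimized sequence."""
    seq = list(seq)
    i = 0
    while i < len(seq) - 1:
        base = execute(seq)
        reduced = seq[:i] + seq[i + 1:]
        cov = execute(reduced)
        influenced = [seq[j] for j in range(i + 1, len(seq)) if cov[j - 1] != base[j]]
        if influenced:
            rel.setdefault(seq[i], set()).update(influenced)
            i += 1
        else:
            seq = reduced
    return seq, rel

def generate(rel, length, seed=0):
    """Relation-guided generation: after a random first call, prefer calls that
    some call already in the sequence influences; fall back to a random call
    when nothing related is known (assumption: uniform choice among candidates)."""
    rng = random.Random(seed)
    seq = [rng.choice(sorted(rel))]
    while len(seq) < length:
        candidates = sorted(set().union(*(rel.get(c, set()) for c in seq)))
        seq.append(rng.choice(candidates) if candidates else rng.choice(sorted(rel)))
    return seq

if __name__ == "__main__":
    rel = static_relations(SYSCALLS)
    print("static:", {k: sorted(v) for k, v in rel.items() if v})
    mini, rel = minimize_and_learn(["socket", "open", "setsockopt", "read", "sendmsg"], rel)
    print("minimized:", mini, "| setsockopt ->", sorted(rel["setsockopt"]))
    print("guided sequence:", generate(rel, 5))
```

Static learning links socket to setsockopt and sendmsg (both consume a sock) but cannot link setsockopt to sendmsg, since setsockopt produces no resource. Minimizing the constructed sequence drops open and read, whose removal changes nothing downstream, and records the setsockopt -> sendmsg relation because sendmsg loses its extra block once setsockopt is gone.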
Evaluation
RQ1: How well does HEALER perform compared to Syzkaller and Moonshine?
RQ2: How effective is relation learning in assisting test case generation and mutation?
RQ3: How does HEALER perform in vulnerability detection?
An ablation is included: HEALER- is HEALER with relation learning disabled.
Compared fuzzers: HEALER, HEALER-, Syzkaller, Moonshine.
Measured: branch coverage, efficiency (time to reach a given coverage), vulnerabilities detected, system call sequence length, plus a case study.
Future work
- Automatic generation of Syzlang descriptions.
- Better relation-inference techniques, so that longer effective system call sequences can be generated.