Title: Fuzzing IPC with Knowledge Inference
Abstract: Sandboxing provides a strong security guarantee for applications by isolating untrusted code into separate compartments. Untrusted code can then only use IPC (inter-process communication) to launch sensitive actions, which are implemented in trusted (and possibly privileged) code. IPC-related security bugs in trusted code can facilitate sandbox escapes and are thus becoming high-value targets. However, finding vulnerabilities that can be triggered through IPC is challenging, because IPC communication is stateful and format-sensitive. In this paper, we propose a new fuzzing solution that discovers bugs in IPC services without source code by combining static analysis and dynamic analysis. We use static analysis to recognize format checks and help construct IPC messages of valid formats. We then use dynamic analysis to infer the constraints between IPC messages, and model the stateful logic with a probability matrix. We are therefore able to generate high-quality IPC messages to test IPC services and discover deep and complex IPC bugs. Without loss of generality, we implemented a prototype, MachFuzzer, for a specific complicated and crucial IPC service, i.e., WindowServer in macOS. This prototype helped us find 12 previously unknown vulnerabilities in WindowServer in 48 hours. Among them, three vulnerabilities are confirmed exploitable and could be exploited to escape the sandbox and gain root privilege.
Year: 2019
DOI: 10.1109/SRDS47363.2019.00012
Venue: 2019 38th Symposium on Reliable Distributed Systems (SRDS)
Keywords: IPC, Fuzzing, macOS
DocType: Conference
ISSN: 1060-9857
ISBN: 978-1-7281-4223-4
Citations: 0
PageRank: 0.34
References: 8
Authors: 5
Name            Order   Citations   PageRank
Kun Yang        1       47          12.60
Hanqing Zhao    2       4           5.83
Chao Zhang      3       423         38.17
Jianwei Zhuge   4       155         13.86
Haixin Duan     5       237         36.86