What is SyzScope?

SyzScope is a system that automatically uncovers high-risk impacts of a bug whose initial report shows only low-risk impacts.


Github: https://github.com/plummm/SyzScope

Paper: https://www.usenix.org/conference/usenixsecurity22/presentation/zou

Why did we develop SyzScope?

A major problem of current fuzzing platforms is that they neglect a critical function that should have been built-in: evaluation of a bug's security impact. It is well-known that the lack of understanding of security impact can lead to delayed bug fixes as well as patch propagation. Therefore, we developed SyzScope to reveal the potential high-risk bugs among seemingly low-risk bugs on syzbot.

How to define high-risk and low-risk?

We consider an abnormal memory write to be high-risk (UAF/OOB write, arbitrary/constrained value write, arbitrary/constrained address write), and an abnormal function pointer dereference to be high-risk.

We consider an abnormal memory read to be low-risk (e.g., UAF/OOB read), and all other types of bugs to be low-risk (WARNING, INFO, BUG, etc.).
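To make the two definitions above concrete, here is an added example (not code from the SyzScope project) that applies them to the first lines of syzbot-style crash reports. The sample report headers are constructed for this illustration; the KASAN header and "Read/Write of size" line formats are the ones the upstream KASAN reporter prints. A KASAN report whose access line is missing is marked "unknown" rather than guessed, so a triager looks at it again.

```python
import re

# Constructed sample report headers (first lines of a crash log),
# not real syzbot entries.
SAMPLE_REPORTS = [
    "BUG: KASAN: use-after-free in example_fn+0x1a/0x40\n"
    "Read of size 8 at addr ffff888012345678 by task syz-executor/1234",
    "BUG: KASAN: slab-out-of-bounds in example_fn2+0x2b/0x60\n"
    "Write of size 4 at addr ffff888012345680 by task syz-executor/1235",
    "WARNING: CPU: 0 PID: 1236 at kernel/example.c:42 example_fn3+0x10/0x20",
    "kernel BUG at mm/example.c:99!",
    "INFO: task syz-executor:1237 blocked for more than 143 seconds.",
]

# "BUG: KASAN: <kind> in <function+offset>"
KASAN_HDR = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)", re.M)
# "Read|Write of size N at addr <hex> by task ..."
KASAN_ACCESS = re.compile(
    r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)", re.M)

# Non-KASAN report prefixes; all of them are low-risk under the page's definition.
OTHER_PREFIXES = (("WARNING:", "WARNING"), ("kernel BUG at", "BUG"), ("INFO:", "INFO"))


def classify(report: str) -> dict:
    """Map one report header to a bug type and a risk level.

    High-risk: KASAN write (UAF/OOB write). Low-risk: KASAN read and every
    WARNING/INFO/BUG report. "unknown" when a KASAN report has no access line.
    """
    m = KASAN_HDR.search(report)
    if m:
        acc = KASAN_ACCESS.search(report)
        if acc is None:
            return {"type": f"KASAN {m.group('kind')}", "func": m.group("func"),
                    "risk": "unknown"}
        op = acc.group("op").lower()
        risk = "high" if op == "write" else "low"
        return {"type": f"KASAN {m.group('kind')} {op}", "func": m.group("func"),
                "risk": risk}
    for prefix, name in OTHER_PREFIXES:
        if report.startswith(prefix):
            return {"type": name, "func": None, "risk": "low"}
    return {"type": "other", "func": None, "risk": "low"}


def triage(reports):
    """Classify a batch and return the ones that already show a high-risk impact."""
    return [r for r in (classify(x) for x in reports) if r["risk"] == "high"]


if __name__ == "__main__":
    for rep in SAMPLE_REPORTS:
        print(classify(rep))
    print("high-risk:", triage(SAMPLE_REPORTS))
```

Everything that is not flagged "high" here is exactly the population SyzScope targets: reports that look low-risk on their first appearance.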

How does SyzScope work?

The first bug report DOES NOT exhibit the worst impact of the underlying bug. SyzScope combines fuzzing, static analysis, and symbolic execution to discover the high-risk impacts hidden behind the first bug report.

Long story short:

  1. We disable "CONFIG_BUG_ON_DATA_CORRUPTION" in the kernel config and "panic_on_warn" in the boot parameters so that the fuzzer is not interrupted by trivial bugs. We also enable "kasan_multi_shot" so that KASAN keeps reporting after the first bug.

  2. Then we fuzz to find more contexts that contain KASAN read or write reports.

  3. Finally, we symbolize the whole vulnerable object and perform symbolic execution on the KASAN contexts obtained in step 2. From the resulting symbolic states we can reveal the high-risk impacts.
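Step 1 is easy to get subtly wrong (a leftover panic_on_warn=1 on the command line ends the fuzzing run at the first WARNING). The following added example, which is not part of SyzScope, checks a kernel .config and boot command line against the three settings named in step 1, plus CONFIG_KASAN itself, which must be on for any KASAN report to appear. The .config excerpt and command line are constructed for the illustration; the check looks only at boot parameters and does not know about a kernel.panic_on_warn sysctl set later at runtime.

```python
import re

# Constructed .config excerpt in the kernel's own "is not set" notation.
SAMPLE_CONFIG = """\
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
# CONFIG_BUG_ON_DATA_CORRUPTION is not set
CONFIG_DEBUG_LIST=y
"""

# Constructed boot command line for the fuzzing VM.
SAMPLE_CMDLINE = "root=/dev/sda console=ttyS0 kasan_multi_shot"


def parse_config(text: str) -> dict:
    """Parse .config lines into {CONFIG_X: value}; "is not set" becomes "n"."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def check_fuzz_setup(config_text: str, cmdline: str) -> list:
    """Return a list of problems; an empty list means step 1 is satisfied."""
    opts = parse_config(config_text)
    params = cmdline.split()
    problems = []

    if opts.get("CONFIG_KASAN") != "y":
        problems.append("CONFIG_KASAN is not enabled; no KASAN reports will be produced")

    # Must be off, otherwise list corruption panics the kernel instead of warning.
    if opts.get("CONFIG_BUG_ON_DATA_CORRUPTION", "n") != "n":
        problems.append("CONFIG_BUG_ON_DATA_CORRUPTION is enabled; disable it")

    # panic_on_warn may appear bare or as panic_on_warn=<n>; only =0 is harmless.
    for p in params:
        name, _, value = p.partition("=")
        if name == "panic_on_warn" and value not in ("0",):
            problems.append("panic_on_warn is set on the command line; remove it")

    # Needed so KASAN reports every bug, not just the first one.
    if "kasan_multi_shot" not in params:
        problems.append("kasan_multi_shot is missing from the command line")

    return problems


if __name__ == "__main__":
    print(check_fuzz_setup(SAMPLE_CONFIG, SAMPLE_CMDLINE) or "setup OK")
```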