DevFuzz: Automatic Device Model-Guided Device Driver Fuzzing.

SP (2023)

Abstract
The security of device drivers is critical for the reliability of the entire operating system. Yet it remains very challenging to validate whether a device driver can properly handle potentially malicious input from a hardware device. Existing symbolic execution-based solutions often do not scale, while fuzzing solutions require real devices or manually written device models, leaving many device drivers under-tested and insecure. This paper presents DEVFUZZ, a new model-guided device driver fuzzing framework that does not require a physical device. DEVFUZZ uses symbolic execution to automatically generate a probe model that guides a fuzzer to properly initialize the device driver under test. DEVFUZZ also leverages both static and dynamic program analyses to construct MMIO, PIO, and DMA device models that further improve the effectiveness of fuzzing. DEVFUZZ successfully tested 191 device drivers of various bus types (PCI, USB, RapidIO, I2C) from different operating systems (Linux, FreeBSD, and Windows) and detected 72 bugs, 41 of which have been patched and merged into the mainstream.
Keywords
automatic device model-guided device driver fuzzing, DevFuzz, device drivers, DMA device models, FreeBSD, hardware device, I2C, Linux, manual device models, MMIO, PCI, physical device, PIO, RapidIO, USB, Windows