Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

11-2023

Abstract

We present KRover, a novel kernel symbolic execution engine catered for dynamic kernel analysis such as vulnerability analysis and exploit generation. Different from existing symbolic execution engines, KRover operates directly upon a live kernel thread's virtual memory and weaves symbolic execution into the target's native executions. KRover is compact as it neither lifts the target binary to an intermediary representation nor uses QEMU or dynamic binary translation. Benchmarked against S2E, our performance experiments show that KRover is up to 50 times faster but with one tenth to one quarter of S2E memory cost. As shown in our four case studies, KRover is noise free, has the best-possible binary intimacy and does not require prior kernel instrumentation. Moreover, a user can develop her kernel analyzer that not only uses KRover as a symbolic execution library but also preserves its independent capabilities of reading/writing/controlling the target runtime. Namely, the resulting analyzer on top of KRover integrates symbolic reasoning and conventional dynamic analysis and reaps the benefits of their reinforcement to each other.

Keywords

dynamic kernel analysis, symbolic execution

Discipline

Information Security

Research Areas

Cybersecurity

Publication

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

First Page

2009

Last Page

2023

ISBN

9798400700507

Identifier

10.1145/3576915.3623198

Publisher

ACM

City or Country

US

Copyright Owner and License

Authors

Additional URL

https://doi.org/10.1145/3576915.3623198

Share

COinS