DOI: 10.1145/1755913.1755932
Research article, EuroSys Conference Proceedings

Reverse engineering of binary device drivers with RevNIC

Published: 13 April 2010

ABSTRACT

This paper presents a technique that helps automate the reverse engineering of device drivers. It takes a closed-source binary driver, automatically reverse engineers the driver's logic, and synthesizes new device driver code that implements the exact same hardware protocol as the original driver. This code can be targeted at the same or a different OS. No vendor documentation or source code is required. Drivers are often proprietary and available for only one or two operating systems, thus restricting the range of device support on all other OSes. Restricted device support leads to low market viability of new OSes and hampers OS researchers in their efforts to make their ideas available to the 'real world.' Reverse engineering can help automate the porting of drivers, as well as produce replacement drivers with fewer bugs and fewer security vulnerabilities. Our technique is embodied in RevNIC, a tool for reverse engineering network drivers. We use RevNIC to reverse engineer four proprietary Windows drivers and port them to four different OSes, both for PCs and embedded systems. The synthesized network drivers deliver performance nearly identical to that of the original drivers.

Published in: EuroSys '10: Proceedings of the 5th European conference on Computer systems (ACM Conferences), April 2010, 388 pages. ISBN: 9781605585772. DOI: 10.1145/1755913

      Copyright © 2010 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rate: 241 of 1,308 submissions (18%)
