Introduction

For fuzzing, efficiency is very important. Without the driver's interface information, some IOCTL routines cannot be reached at all, because the constraints guarding each routine cannot be resolved, and so coverage does not grow smoothly during fuzzing. Because of this structural characteristic of drivers, driver interface information is essential for efficient driver fuzzing.

In addition, each IOCTL routine in a driver has its own constraints on access. Therefore, to bring a driver into the fuzzer, we have to find these constraints manually. Furthermore, since most drivers are distributed as closed source (.sys), reverse engineering is required to obtain the driver interface information. Doing this by hand every time before starting fuzzing is very inefficient. Even where it is possible, there is no guarantee that mistakes and false positives will not creep in. Humans are not machines.

We wanted to develop a tool that can easily recover the structure of numerous drivers to increase the efficiency of fuzzing. That is how IREC (Interface RECovery) was born. IREC automatically extracts the driver interface and its constraints, such as IOCTL codes, InputBufferLength and OutBufferLength, in the form of JSON.

What is IREC?

A cross-platform framework to recover a driver's communication interface. It aims to recover the communication interface needed for fuzzing a kernel driver.

IREC is implemented using angr and radare2, and generates JSON files to drive effective fuzzing. That is, it extracts the interface information and constraints of a WDM driver very easily and quickly, without any further inefficient manual work.
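To show what recovered interface information buys a fuzzer, here is an added example (not IREC's own code) that decodes a Windows IOCTL control code into its CTL_CODE fields and checks a candidate request against recovered InputBufferLength/OutputBufferLength constraints. The JSON layout, the field names inside it and the sample values are assumptions constructed for this example; the real IREC output format is not shown on this page.

```python
"""Decode IOCTL codes and filter requests by recovered buffer-length constraints."""
import json

# CTL_CODE layout: (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}


def ctl_code(device_type, function, method, access):
    """Build a control code the same way the WDK CTL_CODE macro does."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a control code into the fields a dispatch routine switches on."""
    return {"DeviceType": (code >> 16) & 0xFFFF,
            "Access": ACCESS[(code >> 14) & 0x3],
            "Function": (code >> 2) & 0xFFF,
            "Method": METHODS[code & 0x3]}


# Constructed sample in an ASSUMED JSON shape (not the real IREC format):
# FILE_DEVICE_UNKNOWN (0x22), functions 0x801 and 0x802, METHOD_BUFFERED.
SAMPLE_JSON = """{"IoControlCodes": [
  {"IoControlCode": 2236420,
   "InputBufferLength": {"min": 16, "max": 16}, "OutputBufferLength": {"min": 8}},
  {"IoControlCode": 2236424,
   "InputBufferLength": {"min": 4}, "OutputBufferLength": {"min": 0}}
]}"""


def load_constraints(text):
    """Index the recovered constraints by IoControlCode."""
    return {e["IoControlCode"]: e for e in json.loads(text)["IoControlCodes"]}


def _in_range(value, bounds):
    return bounds.get("min", 0) <= value <= bounds.get("max", float("inf"))


def request_reaches_routine(constraints, code, in_len, out_len):
    """True when the request satisfies every recovered check on its code, so
    it would pass the dispatch routine's guards instead of being rejected."""
    entry = constraints.get(code)
    if entry is None:
        return False  # unknown code: no handler is reached at all
    return (_in_range(in_len, entry["InputBufferLength"])
            and _in_range(out_len, entry["OutputBufferLength"]))


if __name__ == "__main__":
    cons = load_constraints(SAMPLE_JSON)
    for code in cons:
        print(hex(code), decode_ioctl(code))
    print(request_reaches_routine(cons, 0x222004, 16, 8))   # True
```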

Components of IREC

IREC
├── test-drivers                            # Test drivers to verify that madcore is working.
├── projects                                # Driver analysis projects
│   ├── symbolic                            # Techniques using symbolic execution.
│   ├── static                              # Techniques using static analysis techniques
│   └── wdm.py                              # WDM driver analysis framework
└── irec.py                                 # Main module