ASE2025
DNAFuzz: Descriptor-Aware Fuzzing for USB Drivers
Zhengshu Wang, Peng He, Fuchen Ma, Yuanliang Chen, Shuoshuo Duan, Yiyuan Bai, Yu Jiang
Abstract
USB is a widely used interface standard through which modern operating systems connect computers to external devices. A malicious or faulty device can attack the host by injecting arbitrary data over USB, causing memory errors or even system-level crashes. Fuzzing has proven to be an effective method for detecting USB driver vulnerabilities. However, existing fuzzers generate test inputs without considering the format and semantics of USB descriptors, the data structures through which a device declares its functionality. As a result, many test cases are rejected by the host's input validation, making the testing ineffective. In this paper, we propose DNAFuzz, a USB driver fuzzer that generates descriptor-aware payloads. First, it uses the USB specifications to parse the field definitions and item types of USB descriptors into a model. Then, guided by the resulting field description list and its semantic information, DNAFuzz applies mutation strategies that steer payload generation. This improves both the quality of the test cases and the effectiveness of fuzzing. We evaluated DNAFuzz on multiple versions of the Linux kernel USB drivers and compared it with the state-of-the-art fuzzers USBFuzz and Syzkaller. Results show that DNAFuzz significantly improves input quality, increasing the proportion of tests with execution times exceeding 2 seconds by 358% and 65% over USBFuzz and Syzkaller, respectively. In addition, DNAFuzz detected 15 bugs, 11 of which have been fixed or confirmed by the corresponding maintainers.
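The abstract's central point is that a mutation which ignores descriptor format mostly produces payloads the host rejects before any driver logic runs, while a mutation that knows each field's item type stays inside what the host will accept. The following C program, added here as an illustration and not code from DNAFuzz or the paper's authors, makes that concrete for the standard USB 2.0 device descriptor: it encodes the field definition list from the specification (names, offsets, sizes), assigns each field an item type, and compares a format-unaware byte mutator against a descriptor-aware one under a small model of the host's structural checks. The item-type taxonomy, the mutation rules, the xorshift32 generator, the baseline descriptor values, and the `host_accepts` check are this example's own simplifications; a real host such as the Linux USB core performs additional checks beyond length, type and EP0 packet size.

```c
/* Descriptor-aware vs. format-unaware mutation of a USB 2.0 device descriptor.
 * Added example, not DNAFuzz code. Field table follows the USB 2.0 spec;
 * item kinds, mutation rules, PRNG and host check are simplifications. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define DEV_DESC_LEN 18      /* bLength of a standard device descriptor */
#define DT_DEVICE    0x01    /* bDescriptorType of a device descriptor */

/* Item types: what a field means, hence how it may be mutated (example's own). */
enum item_kind {
    KIND_LENGTH,   /* bLength: fixed by descriptor type, never mutated */
    KIND_DTYPE,    /* bDescriptorType: fixed, never mutated */
    KIND_BCD,      /* bcdUSB, bcdDevice: BCD version, 16-bit little-endian */
    KIND_CLASS,    /* class / subclass / protocol codes */
    KIND_MPS0,     /* bMaxPacketSize0: 8, 16, 32 or 64 for FS/HS devices */
    KIND_ID,       /* idVendor, idProduct: any 16-bit value */
    KIND_STRIDX,   /* string descriptor indices */
    KIND_COUNT,    /* bNumConfigurations */
};

struct field_def { const char *name; uint8_t offset, size; enum item_kind kind; };

/* Field definition list for the device descriptor, in specification order. */
static const struct field_def dev_fields[] = {
    {"bLength",             0, 1, KIND_LENGTH}, {"bDescriptorType",  1, 1, KIND_DTYPE},
    {"bcdUSB",              2, 2, KIND_BCD},    {"bDeviceClass",     4, 1, KIND_CLASS},
    {"bDeviceSubClass",     5, 1, KIND_CLASS},  {"bDeviceProtocol",  6, 1, KIND_CLASS},
    {"bMaxPacketSize0",     7, 1, KIND_MPS0},   {"idVendor",         8, 2, KIND_ID},
    {"idProduct",          10, 2, KIND_ID},     {"bcdDevice",       12, 2, KIND_BCD},
    {"iManufacturer",      14, 1, KIND_STRIDX}, {"iProduct",        15, 1, KIND_STRIDX},
    {"iSerialNumber",      16, 1, KIND_STRIDX}, {"bNumConfigurations", 17, 1, KIND_COUNT},
};
#define NFIELDS (sizeof dev_fields / sizeof dev_fields[0])

/* Deterministic xorshift32 so runs are reproducible (constructed seed). */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t rnd(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }

/* Well-formed baseline: USB 2.00, vendor-specific class, 64-byte EP0, constructed IDs. */
void baseline_device_descriptor(uint8_t d[DEV_DESC_LEN]) {
    memset(d, 0, DEV_DESC_LEN);
    d[0] = DEV_DESC_LEN; d[1] = DT_DEVICE;
    put16(d + 2, 0x0200); d[4] = 0xFF; d[7] = 64;
    put16(d + 8, 0x1234); put16(d + 10, 0x5678); put16(d + 12, 0x0100);
    d[14] = 1; d[15] = 2; d[16] = 3; d[17] = 1;
}

/* Model of the host's structural sanity checks (length, type, EP0 size only). */
int host_accepts(const uint8_t d[DEV_DESC_LEN]) {
    if (d[0] != DEV_DESC_LEN || d[1] != DT_DEVICE) return 0;
    return d[7] == 8 || d[7] == 16 || d[7] == 32 || d[7] == 64;
}

/* Format-unaware baseline: overwrite one random byte with a random value. */
void mutate_random(uint8_t d[DEV_DESC_LEN]) { d[rnd() % DEV_DESC_LEN] = (uint8_t)rnd(); }

/* Descriptor-aware: pick a mutable field and mutate within its item type. */
void mutate_aware(uint8_t d[DEV_DESC_LEN]) {
    static const uint8_t  mps_ok[] = {8, 16, 32, 64};
    static const uint16_t bcd_ok[] = {0x0100, 0x0110, 0x0200, 0x0210, 0x0300, 0x0000, 0xFFFF};
    static const uint8_t  cls_ok[] = {0x00, 0x02, 0x03, 0x08, 0x09, 0xE0, 0xEF, 0xFE, 0xFF};
    static const uint8_t  bnd[]    = {0x00, 0x01, 0x7F, 0x80, 0xFE, 0xFF};
    const struct field_def *f;
    do { f = &dev_fields[rnd() % NFIELDS]; }
    while (f->kind == KIND_LENGTH || f->kind == KIND_DTYPE);   /* keep framing intact */
    uint8_t *p = d + f->offset;
    switch (f->kind) {
    case KIND_MPS0:  *p = mps_ok[rnd() % 4];          break;
    case KIND_BCD:   put16(p, bcd_ok[rnd() % 7]);     break;
    case KIND_CLASS: *p = cls_ok[rnd() % 9];          break;
    case KIND_ID:    put16(p, (uint16_t)rnd());       break;
    case KIND_STRIDX:
    case KIND_COUNT: *p = bnd[rnd() % 6];             break;   /* boundary values */
    default: break;
    }
}

/* How many of n single-step mutations of the baseline pass the host check. */
int accepted_after_mutation(void (*mutate)(uint8_t *), int n) {
    uint8_t d[DEV_DESC_LEN];
    int ok = 0;
    for (int i = 0; i < n; i++) {
        baseline_device_descriptor(d);
        mutate(d);
        ok += host_accepts(d);
    }
    return ok;
}

int main(void) {
    int n = 1000;
    printf("random-byte mutation : %d/%d accepted by host\n", accepted_after_mutation(mutate_random, n), n);
    printf("descriptor-aware     : %d/%d accepted by host\n", accepted_after_mutation(mutate_aware, n), n);
    return 0;
}
```

Every descriptor-aware payload passes the structural check because the mutator never touches `bLength` or `bDescriptorType` and only writes permitted `bMaxPacketSize0` values, so every generated case exercises code past the host's front door; roughly one in six random-byte mutations lands on one of those three bytes and is rejected outright. Extending the same field-table approach to configuration, interface, endpoint and class-specific descriptors is what lets a fuzzer keep the framing valid while still reaching boundary values in the fields drivers actually interpret.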