S&P2024
To Boldly Go Where No Fuzzer Has Gone Before: Finding Bugs in Linux' Wireless Stacks through VirtIO Devices
Sönke Huster, Matthias Hollick, Jiska Classen
Cited by 8
Abstract
The security of Linux kernel interfaces is paramount in preventing over-the-air, proximity, or other network attacks. The Linux kernel is fuzzed continuously to detect newly introduced bugs. Despite their long runtimes, existing fuzzers fail to detect critical bugs, as they are unaware of physical device semantics and difficult to adapt to new devices. This paper proposes a novel fuzzer called VirtFuzz, which is based on Virtual I/O (VirtIO) device drivers. A proxy mechanism enables data collection from physical device interaction. These collected inputs are then used to fuzz through a virtual device. Using our universal VirtIO device, VirtFuzz is generic and can be easily adapted to various Linux VirtIO kernel drivers and their related subsystems. We use this approach to fuzz the Linux Bluetooth and Wireless LAN (WLAN) stacks. To demonstrate the adaptability of our approach, we additionally provide implementations to fuzz the networking and input stack. We find 31 new, manually confirmed bugs, with 6 Common Vulnerabilities and Exposures (CVEs) assigned.
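The record-then-replay architecture the abstract sketches (a proxy records real device-to-driver buffers, and a fuzzer later mutates those recordings and feeds them to the driver through a virtual device) can be shown in miniature in user space. The following is an added illustration, not code from the paper or from VirtFuzz: `proxy_record`, `mutate`, `toy_consume` and `fuzz` are hypothetical names, the corpus and frame sizes are arbitrary caps, and the sample input is a constructed HCI Command Complete event for HCI_Reset standing in for a buffer captured from a real Bluetooth controller. The toy consumer plays the role of the kernel driver and flags the one class of malformed input a length-trusting driver would over-read on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAME   64   /* hypothetical cap on one recorded buffer */
#define CORPUS_CAP  16   /* hypothetical cap on recorded buffers */

/* One device-to-driver buffer as seen by the proxy. */
struct frame {
    size_t  len;
    uint8_t data[MAX_FRAME];
};

struct corpus {
    size_t       n;
    struct frame f[CORPUS_CAP];
};

/* Proxy side: record a buffer on its way from the physical device to the
 * driver before forwarding it unchanged. Returns 0 on success, -1 if the
 * buffer is empty, oversized, or the corpus is full. */
int proxy_record(struct corpus *c, const uint8_t *buf, size_t len)
{
    if (len == 0 || len > MAX_FRAME || c->n >= CORPUS_CAP)
        return -1;
    c->f[c->n].len = len;
    memcpy(c->f[c->n].data, buf, len);
    c->n++;
    return 0;
}

/* xorshift32: deterministic PRNG so a crash can be reproduced from its seed. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *s = x;
}

/* Mutate one recorded frame into `out` (which must hold MAX_FRAME bytes):
 * flip one byte, then keep, truncate, or extend the length.
 * Returns the new length, always in 1..MAX_FRAME. */
size_t mutate(const struct frame *in, uint8_t *out, uint32_t *seed)
{
    size_t len = in->len;
    memset(out, 0, MAX_FRAME);          /* extension bytes are defined (zero) */
    memcpy(out, in->data, len);
    out[xorshift32(seed) % len] ^= (uint8_t)(xorshift32(seed) | 1); /* never a no-op */
    switch (xorshift32(seed) % 3) {
    case 1:  len = 1 + xorshift32(seed) % len; break;                 /* truncate */
    case 2:  len = len + xorshift32(seed) % (MAX_FRAME - len + 1); break; /* extend */
    default: break;                                                  /* keep length */
    }
    return len;
}

/* Stand-in for the driver behind the virtual device: a toy parser of a
 * type/length-prefixed event. Returns 0 if the frame is well formed and -1 if
 * the claimed payload length exceeds the bytes actually delivered, which is
 * the case a driver that trusts the length byte would over-read on. */
int toy_consume(const uint8_t *buf, size_t len)
{
    if (len < 2)
        return -1;
    size_t plen = buf[1];
    if (plen + 2 > len)
        return -1;
    return 0;
}

/* Fuzz loop: replay mutated corpus entries into the consumer and count how
 * many were rejected. Same corpus and seed give the same result. */
size_t fuzz(const struct corpus *c, uint32_t seed, size_t iters)
{
    uint8_t buf[MAX_FRAME];
    size_t rejected = 0;
    if (seed == 0)
        seed = 1;                        /* xorshift must not start at 0 */
    for (size_t i = 0; i < iters && c->n > 0; i++) {
        const struct frame *f = &c->f[xorshift32(&seed) % c->n];
        size_t len = mutate(f, buf, &seed);
        if (toy_consume(buf, len) != 0)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    /* Constructed sample: HCI Command Complete for HCI_Reset, as the proxy
     * might record it coming from a real controller. */
    static const uint8_t reset_done[] = { 0x0e, 0x04, 0x01, 0x03, 0x0c, 0x00 };
    struct corpus c = { 0 };
    proxy_record(&c, reset_done, sizeof reset_done);
    printf("rejected %zu of 1000 mutated frames\n", fuzz(&c, 0x1234, 1000));
    return 0;
}
```

The point of the split is the one the abstract makes: the proxy runs once against real hardware and needs no knowledge of the protocol, while the fuzz loop runs offline against a virtual device and only ever sees recorded-then-mutated bytes, so adapting it to another driver means swapping the consumer, not the recorder.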