Digtool: A Virtualization-Based Framework for Detecting Kernel Vulnerabilities

Discovering vulnerabilities in operating system (OS) kernels and patching them is crucial for OS security. However, there is a lack of effective kernel vulnerability detection tools, especially for closed-source OSes such as Microsoft Windows. In this paper, we present Digtool, an effective, binary-code-only, kernel vulnerability detection framework. Built atop a virtualization monitor we designed, Digtool successfully captures various dynamic behaviors of kernel execution, such as kernel object allocation, kernel memory access, thread scheduling, and function invoking. With these behaviors, Digtool has identified 45 zero-day vulnerabilities such as outof-bounds access, use-after-free, and time-of-check-totime-of-use among both kernel code and device drivers of recent versions of Microsoft Windows, including Windows 7 and Windows 10.