RUB-SysSec / Kafl
Licence: gpl-2.0
Code for the USENIX 2017 paper: kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Stars: ✭ 486
Programming Languages
python
139335 projects - #7 most used programming language
Projects that are alternatives of or similar to Kafl
Cfb
Canadian Furious Beaver is a tool for hijacking IRPs handler in Windows drivers, and facilitating the process of analyzing Windows drivers for vulnerabilities
Stars: ✭ 146 (-69.96%)
Mutual labels: kernel, fuzzing
Paper collection
Academic papers related to fuzzing, binary analysis, and exploit dev, which I want to read or have already read
Stars: ✭ 710 (+46.09%)
Mutual labels: kernel, fuzzing
Fisy Fuzz
This is the full file system fuzzing framework that I presented at the Hack in the Box 2020 Lockdown Edition conference in April.
Stars: ✭ 110 (-77.37%)
Mutual labels: kernel, fuzzing
MsFontsFuzz
OpenType font file format fuzzer for Windows
Stars: ✭ 49 (-89.92%)
Mutual labels: kernel, fuzzing
Syzkaller
syzkaller is an unsupervised coverage-guided kernel fuzzer
Stars: ✭ 3,841 (+690.33%)
Mutual labels: kernel, fuzzing
Graphicsfuzz
A testing framework for automatically finding and simplifying bugs in graphics shader compilers.
Stars: ✭ 448 (-7.82%)
Mutual labels: fuzzing
Enterprise gateway
A lightweight, multi-tenant, scalable and secure gateway that enables Jupyter Notebooks to share resources across distributed clusters such as Apache Spark, Kubernetes and others.
Stars: ✭ 412 (-15.23%)
Mutual labels: kernel
Procfs
procfs provides functions to retrieve system, kernel and process metrics from the pseudo-filesystem proc.
Stars: ✭ 414 (-14.81%)
Mutual labels: kernel
Awesome Fuzzing
A curated list of awesome Fuzzing(or Fuzz Testing) for software security
Stars: ✭ 399 (-17.9%)
Mutual labels: fuzzing
Anticheat Testing Framework
Framework to test any Anti-Cheat
Stars: ✭ 481 (-1.03%)
Mutual labels: kernel
Schedviz
A tool for gathering and visualizing kernel scheduling traces on Linux machines
Stars: ✭ 426 (-12.35%)
Mutual labels: kernel
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Blazing fast x86-64 VM kernel fuzzing framework with performant VM reloads for Linux, MacOS and Windows.
Published at USENIX Security 2017.
Currently missing:
- full documentation
- agents for macOS and Windows (except for our test driver)
BibTex:
@inproceedings{schumilo2017kafl,
author = {Schumilo, Sergej and Aschermann, Cornelius and Gawlik, Robert and Schinzel, Sebastian and Holz, Thorsten},
title = {{kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels}},
year = {2017},
booktitle = {USENIX Security Symposium}
}
Trophies
- Linux keyctl null pointer dereference (CVE-2016-8650)
- Linux EXT4 memory corruption
- Linux EXT4 denial of service
- macOS APFS memory corruption (CVE-2017-13800)
- macOS HFS memory corruption (CVE-2017-13830)
Setup
This is a short introduction on how to setup kAFL to fuzz Linux kernel components.
Download kAFL and install necessary components
$ git clone https://github.com/RUB-SysSec/kAFL.git
$ cd kAFL
$ chmod u+x install.sh
$ sudo ./install.sh
$ sudo reboot
Setup VM
- Create QEMU hard drive image:
$ qemu-img create -f qcow2 linux.qcow2 20G
- Retrieve an ISO file of the desired OS and install it inside a VM (in this case Ubuntu 16.04 server):
$ wget -O /path/to/where/to/store/ubuntu.iso http://de.releases.ubuntu.com/16.04/ubuntu-16.04.3-server-amd64.iso
$ qemu-system-x86_64 -cpu host -enable-kvm -m 512 -hda linux.qcow2 -cdrom ubuntu.iso -usbdevice tablet
- Download kAFL and compile the loader agent:
git clone https://github.com/RUB-SysSec/kAFL.git
cd path/to/kAFL/kAFL-Fuzzer/agents
chmod u+x compile.sh
./compile.sh
- Shutdown the VM
Prepare VM for kAFL fuzzing
- On the host: Create Overlay and Snapshot Files:
mkdir snapshot && cd snapshot
qemu-img create -b /absolute/path/to/hdd/linux.qcow2 -f qcow2 overlay_0.qcow2
qemu-img create -f qcow2 ram.qcow2 512
- Start the VM using QEMU-PT:
cd /path/to/kAFL
./qemu-2.9.0/x86_64-softmmu/qemu-system-x86_64 -hdb /path/to/snapshot/ram.qcow2 -hda /path/to/snapshot/overlay_0.qcow2 -machine pc-i440fx-2.6 -serial mon:stdio -enable-kvm -k de -m 512
- (Optional) Install and load the vulnerable Test Driver:
cd path/to/kAFl/kAFL-Fuzzer/vuln_drivers/simple/linux_x86-64/
chmod u+x load.sh
sudo ./load.sh
- Execute loader binary which is in
path/to/kAFL/kAFL-Fuzzer/agents/linux_x86_64/loader/
asroot
. VM should freeze. Switch to the QEMU management console and create a snapshot:
# press CTRL-a + c
savevm kafl
q
Compile and configure kAFL components
-
Edit
/path/to/kAFL/kAFL-Fuzzer/kafl.ini
(qemu-kafl_location
to point topath/to/kAFL/qemu-2.9.0/x86_64-softmmu/qemu-system-x86_64
) -
Compile agents:
cd <KERNEL_AFL_ROOT>/kAFL-Fuzzer/agents
chmod u+x compile.sh
./compile.sh
- Retrieve address ranges of loaded drivers:
cd /path/to/kAFL/kAFL-Fuzzer
python kafl_info.py /path/to/snapshot/ram.qcow2 /path/to/snapshot/ agents/linux_x86_64/info/info 512 -v
Start Fuzzing!
python kafl_fuzz.py /path/to/snapshot/ram.qcow2 /path/to/snapshot agents/linux_x86_64/fuzzer/kafl_vuln_test 512 /path/to/input/directory /path/to/working/directory -ip0 0xffffffffc0287000-0xffffffffc028b000 -v --Purge
The value ip0
is the address range of the fuzzing target.
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].