GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → atrosinenko → kbdysch

atrosinenko / kbdysch

Licence: MIT license
A collection of user-space Linux kernel specific guided fuzzers based on LKL

Programming Languages

c
50402 projects - #5 most used programming language
scala
5932 projects
CMake
9771 projects
shell
77523 projects
NASL
115 projects

Labels

filesystemlinux-kernelfuzzingafllkl

Projects that are alternatives of or similar to kbdysch

Grammar-Mutator
A grammar-based custom mutator for AFL++
Stars: ✭ 133 (+114.52%)
Mutual labels:  fuzzing, afl
Paper collection
Academic papers related to fuzzing, binary analysis, and exploit dev, which I want to read or have already read
Stars: ✭ 710 (+1045.16%)
Mutual labels:  linux-kernel, fuzzing
fuzzuf
Fuzzing Unification Framework
Stars: ✭ 263 (+324.19%)
Mutual labels:  fuzzing, afl
e9afl
AFL binary instrumentation
Stars: ✭ 234 (+277.42%)
Mutual labels:  fuzzing, afl
Janus
Janus: a state-of-the-art file system fuzzer on Linux
Stars: ✭ 139 (+124.19%)
Mutual labels:  filesystem, fuzzing
FuzzImageMagick
Sample files for fuzzing ImageMagick
Stars: ✭ 15 (-75.81%)
Mutual labels:  fuzzing, afl
Winafl
A fork of AFL for fuzzing Windows binaries
Stars: ✭ 1,826 (+2845.16%)
Mutual labels:  fuzzing, afl
Aflplusplus
The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!
Stars: ✭ 2,319 (+3640.32%)
Mutual labels:  fuzzing, afl
Fisy Fuzz
This is the full file system fuzzing framework that I presented at the Hack in the Box 2020 Lockdown Edition conference in April.
Stars: ✭ 110 (+77.42%)
Mutual labels:  filesystem, fuzzing
Simplefs
A simple file system for Linux kernel
Stars: ✭ 65 (+4.84%)
Mutual labels:  filesystem, linux-kernel
afl-cygwin
AFL "mostly" ported to cygwin
Stars: ✭ 24 (-61.29%)
Mutual labels:  fuzzing, afl
afl-dyninst
American Fuzzy Lop + Dyninst == AFL Fuzzing blackbox binaries
Stars: ✭ 65 (+4.84%)
Mutual labels:  fuzzing, afl
afl-pin
run AFL with pintool
Stars: ✭ 64 (+3.23%)
Mutual labels:  fuzzing, afl
afl-dynamorio
run AFL with dynamorio
Stars: ✭ 32 (-48.39%)
Mutual labels:  fuzzing, afl
ksmbd
ksmbd kernel server(SMB/CIFS server)
Stars: ✭ 98 (+58.06%)
Mutual labels:  filesystem, linux-kernel
LibAFL
Advanced Fuzzing Library - Slot your Fuzzer together in Rust! Scales across cores and machines. For Windows, Android, MacOS, Linux, no_std, ...
Stars: ✭ 1,348 (+2074.19%)
Mutual labels:  fuzzing, afl
StochFuzz
Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting
Stars: ✭ 165 (+166.13%)
Mutual labels:  fuzzing, afl
rorshach
A watchman for your directories. Rorshach allows you to listen to file system changes and run commands when these events occur.
Stars: ✭ 26 (-58.06%)
Mutual labels:  filesystem
x41-smartcard-fuzzing
X41 Smartcard Fuzzer
Stars: ✭ 113 (+82.26%)
Mutual labels:  fuzzing
linux-insides Turkish
Turkish version of linux-insides book @0xAX
Stars: ✭ 65 (+4.84%)
Mutual labels:  linux-kernel
View All Similar Projects ➔

kBdysch

kBdysch is a collection of fast Linux kernel specific fuzzing harnesses supposed to be run in userspace in a guided fuzzing manner. It was designed with AFL compatibility in mind but AFL is not required to use this project.

Fuzzing targets

Currently, kBdysch is capable of testing the following aspects of the kernel:

  • file system implementations (for those residing on a single block device)
    • use one file system implementation as a model for testing some other one. Just like proposed in AFL documentation but for the entire FS driver...
  • eBPF verifier
  • HID subsystem via uhid emulated device
  • partition table parsers

Design

The main design ideas are:

  • reuse Linux Kernel Library project to run almost any part of the Linux kernel in user space just like a regular library
  • reuse Syzkaller syscall descriptions for invoker generation
  • use GNU pth library instead of classic Pthread so all the code is executed in a single OS thread
    • no need to worry about restoring existing threads after fork() being executed by a AFL's forkserver. This is especially useful since the kernel library may start in a matter of seconds, not microseconds, and spawn some essential threads early in the boot sequence
    • bonus: you have much higher stability of behavior because now only discrete thread switch points are possible and no really concurrent memory accesses possible at all
  • implement many different ways to detect abnormal behavior
    • crash, the classical one: if crashed then failed
    • but now we have almost full control over the host-ops (block device operations, printk, etc.)! so, ...
    • suspicious output: if printed some word (error, corruption, etc.) then failed
    • poisoned memory: if some output buffer returned by the kernel contains many poisoned memory marker bytes in a row then failed (existed in the original implementation but not yet moved to the refactored one)
    • panic(), BUG(), etc. triggered
    • misc minor sanity checking, such as "if negative syscall return value signifies error condition, then it should always return either non-negative value or a valid errno code"
    • ... and last, but in fact the original idea of this fuzzer...
    • behavioral difference: this is strictly file system fuzzing related checker, but it can detect some subtle data corruptions by carefully separating operations on different file systems and comparing the results of performing the same syscall sequence on them, considering every not-whitelisted discrepancy as a bug. This can find logical errors even when they do not manifest themselves as a bug on its own.
  • since we proxy the block layer accesses to RAM-backed disk images anyway, we can record the accessed ranges to mutate it on image remount
    • doing this when the volume is mounted makes some sense but probably not too much, since it then simulates way too malicious (or just too buggy) block device and is not implemented for now
    • not compatible with many of the checkers listed above, especially the behavior difference

Pre-existing works

kBdysch is not a unique approach. At least, there exist a Janus fuzzer that uses both syscall invokers and image mutators being applied to LKL. As far as I understand, their approach is slightly different:

  • Janus tests one filesystem image at a time, while kBdysch can compare one implementation against another similar one
  • test case shape:
    • Janus test case has a shape of (Blob, Seq[Mutation], Seq[Syscall]) (apply some existing mutations to the FS image blob, invoke syscall sequence, then record new mutations naturally produced by the kernel)
    • kBdysch uses the shape of (Blob, Seq[Either[Mutation, Syscall]]) (load some reference image, then in each forked child apply a sequence of operations to it from clean state, with one of operation being mutating touched parts)
  • metadata handling:
    • Janus uses hand-written metadata parsers. This can handle checksum-protected metadata in an effective manner
    • kBdysch just records areas of image being accessed before remount (this can be handled trivially since we are already proxying block ops) to mutate them in the hope that they can be accessed again (at least with similar system calls) after remount . On one hand, this may be simply rejected by checksum-protected kernel metadata parsers. On the other hand, this allows much more trivial exploration of new file systems (for those not requiring specific mount helpers, this may be achieved in a matter of minutes)

kBdysch is more tending to an approach of requiring as less manual work as possible while more relying on similar to Pulling JPEGs out of thin air.

Building from sources

To use the bundled invoker, just run the build.sh script.

In case you would want to modify the syscall descriptions, use update_invokers.sh script. You need Java installed in this case (and it will download all other Scala-related stuff on itself).

See troubleshooting.md if something goes wrong.

Optional dependencies:

  • libpcap

Bugs

Technically, this fuzzer has not found anything yet at the time of writing this README, since it is a partial rewrite of the original fuzzer that has found a couple tens of bugs but had quite awful code. I tried to closely replicate its behavior, so it is expected to find roughly the same bugs as its predecessor.

On the bugs found by its predecessor, almost anything matched in git log with something like Reported-by:.*anatoly.trosinenko is found via this approach (but some report can lead to 2-3 commits).

Why such name?

This is not a random sequence of characters. And I don't try to fuzz this project users' ability to read English words, as well. It is merely "K for Kernel" followed by a transliterated Russian word БДЫЩ! (an onomatopoeia denoting the sound of some crash, similar to BOOM!). Just like "borsch" but "bdysch".

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].