A collection of user-space Linux kernel specific guided fuzzers based on LKL

Overview

kBdysch

kBdysch is a collection of fast, Linux-kernel-specific fuzzing harnesses meant to be run in user space under a guided (coverage-driven) fuzzer. It was designed with AFL compatibility in mind, but AFL is not required to use this project.

Fuzzing targets

Currently, kBdysch is capable of testing the following aspects of the kernel:

  • file system implementations (for those residing on a single block device)
    • use one file system implementation as a model for testing some other one, as proposed in the AFL documentation, but applied to the entire FS driver...
  • eBPF verifier
  • HID subsystem via uhid emulated device
  • partition table parsers

Design

The main design ideas are:

  • reuse the Linux Kernel Library (LKL) project to run almost any part of the Linux kernel in user space, just like a regular library
  • reuse Syzkaller syscall descriptions for invoker generation
  • use the GNU Pth library instead of classic Pthreads, so all the code is executed in a single OS thread
    • no need to worry about restoring existing threads after the fork() performed by AFL's forkserver. This is especially useful since the kernel library may take seconds, not microseconds, to start, and spawns some essential threads early in the boot sequence
    • bonus: behavior is much more stable, because now only discrete thread switch points are possible and no truly concurrent memory accesses are possible at all
  • implement many different ways to detect abnormal behavior:
    • crash, the classical one: if it crashed, then it failed
    • but now we have almost full control over the host ops (block device operations, printk, etc.)! so, ...
    • suspicious output: if some word (error, corruption, etc.) is printed, then it failed
    • poisoned memory: if some output buffer returned by the kernel contains many poisoned-memory marker bytes in a row, then it failed (existed in the original implementation but not yet moved to the refactored one)
    • panic(), BUG(), etc. triggered
    • misc minor sanity checking, such as "if a negative syscall return value signifies an error condition, then the syscall should always return either a non-negative value or a valid errno code"
    • ... and last, but in fact the original idea of this fuzzer...
    • behavioral difference: this checker is strictly related to file system fuzzing, but it can detect some subtle data corruptions by carefully separating operations on different file systems and comparing the results of performing the same syscall sequence on them, considering every non-whitelisted discrepancy a bug. This can find logical errors even when they do not manifest as a bug on their own.
  • since we proxy the block layer accesses to RAM-backed disk images anyway, we can record the accessed ranges and mutate them on image remount
    • doing this while the volume is mounted makes some sense but probably not much, since it then simulates a far too malicious (or just too buggy) block device; it is not implemented for now
    • not compatible with many of the checkers listed above, especially the behavioral difference one
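As an added illustration of the checker ideas above (this is example code written for this page, not kBdysch's own harness code), here are three of the cheap checkers, suspicious printk output, poisoned output buffers and syscall return-value sanity, implemented as plain C functions over constructed inputs. The word list, the poison marker byte 0xAA, the run-length threshold, the sample printk lines and read buffer, and the assumed upper bound of 133 for user-visible errno codes (EHWPOISON on x86-64) are all assumptions, not values taken from the project.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed word list (assumption: the real harness keeps its own list). */
static const char *const SUSPICIOUS_WORDS[] = {
    "corrupt", "BUG:", "WARNING:", "Oops", "general protection", "use-after-free",
};

/* Checker 1, "suspicious output": scan one printk line for a flagged word.
 * Returns the matched word so the harness can report why it aborted, or
 * NULL when the line is clean. */
const char *suspicious_word_in(const char *printk_line) {
    size_t n = sizeof SUSPICIOUS_WORDS / sizeof SUSPICIOUS_WORDS[0];
    for (size_t i = 0; i < n; i++)
        if (strstr(printk_line, SUSPICIOUS_WORDS[i]) != NULL)
            return SUSPICIOUS_WORDS[i];
    return NULL;
}

/* Checker 2, "poisoned memory": the harness pre-fills every output buffer
 * with a marker byte; a long run of it surviving in bytes the kernel claims
 * to have written means the kernel returned memory it never initialised. */
size_t longest_poison_run(const uint8_t *buf, size_t len, uint8_t marker) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (buf[i] == marker) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Checker 3, return-value sanity: a negative result must be -errno with a
 * real errno code. A kernel-internal code such as -ERESTARTSYS (512) or
 * garbage like -5000 leaking to the caller is a bug in the error path. */
#define ASSUMED_MAX_USER_ERRNO 133   /* EHWPOISON on x86-64; assumption */
bool syscall_result_is_sane(long ret) {
    if (ret >= 0) return true;
    long code = -ret;
    return code >= 1 && code <= ASSUMED_MAX_USER_ERRNO;
}

typedef enum { VERDICT_OK, VERDICT_BAD_ERRNO, VERDICT_POISONED } verdict_t;

/* Verdict for a read-like syscall: `ret` is the byte count the kernel says it
 * wrote into `buf`; only those bytes are inspected for the poison marker. */
verdict_t check_read_result(long ret, const uint8_t *buf, size_t buflen,
                            uint8_t marker, size_t threshold) {
    if (!syscall_result_is_sane(ret)) return VERDICT_BAD_ERRNO;
    if (ret < 0) return VERDICT_OK;               /* legitimate error */
    size_t n = (size_t)ret < buflen ? (size_t)ret : buflen;
    return longest_poison_run(buf, n, marker) >= threshold ? VERDICT_POISONED : VERDICT_OK;
}

/* Constructed sample inputs (not captured from a real run). */
static const uint8_t POISON = 0xAA;
static const char SAMPLE_PRINTK_BAD[] =
    "[    0.012345] EXT4-fs error (device vda): corrupted inode table";
static const char SAMPLE_PRINTK_OK[] = "[    0.000000] lkl: irqs initialized";
/* A 16-byte read buffer where the kernel only really filled the first 2 bytes. */
static const uint8_t SAMPLE_READ_BUF[16] = {
    0x01, 0x02, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
};

int main(void) {
    const char *w = suspicious_word_in(SAMPLE_PRINTK_BAD);
    printf("printk check: %s\n", w ? w : "clean");
    printf("read(16) verdict: %d (1=bad errno, 2=poisoned)\n",
           (int)check_read_result(16, SAMPLE_READ_BUF, sizeof SAMPLE_READ_BUF, POISON, 8));
    printf("ret=-512 sane: %d\n", (int)syscall_result_is_sane(-512));
    return 0;
}
```

The point of check_read_result() is that a read claiming 16 bytes but leaving 14 marker bytes in a row is flagged, while the same buffer after a read that honestly returns 2 is not: the checker only trusts the region the kernel says it filled.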

Pre-existing works

kBdysch is not a unique approach. At least the Janus fuzzer exists, which applies both syscall invokers and image mutators to LKL. As far as I understand, their approach is slightly different:

  • Janus tests one filesystem image at a time, while kBdysch can compare one implementation against another similar one
  • test case shape:
    • a Janus test case has the shape (Blob, Seq[Mutation], Seq[Syscall]): apply some existing mutations to the FS image blob, invoke the syscall sequence, then record the new mutations naturally produced by the kernel
    • kBdysch uses the shape (Blob, Seq[Either[Mutation, Syscall]]): load some reference image, then in each forked child apply a sequence of operations to it from a clean state, with one of the operations being "mutate the touched parts"
  • metadata handling:
    • Janus uses hand-written metadata parsers. This can handle checksum-protected metadata effectively
    • kBdysch just records the areas of the image accessed before remount (trivial, since we are already proxying block ops) and mutates them in the hope that they will be accessed again (at least by similar system calls) after remount. On one hand, such mutations may simply be rejected by checksum-protected kernel metadata parsers. On the other hand, this makes exploring new file systems much easier (for those not requiring specific mount helpers, this may be achieved in a matter of minutes)
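As an added example, not code from kBdysch or Janus, the following C program models the block-access recording described here and in the Design section: a RAM-backed image behind a tiny block-op proxy that flags every sector it reads or writes, a mutation step that flips bits only inside flagged sectors, and an interpreter for a test case of shape (Blob, Seq[Either[Mutation, Syscall]]) that starts each run from a clean copy of the blob. The stand-in "syscalls" read and write the image directly instead of going through LKL; the 8 KiB image, 512-byte sector size, sample op sequence and xorshift PRNG are constructed for the example, and all names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR     512
#define NSECTORS   16                    /* tiny 8 KiB image (assumption) */
#define IMAGE_SIZE (SECTOR * NSECTORS)

typedef struct {
    uint8_t data[IMAGE_SIZE];
    bool    touched[NSECTORS];           /* sectors seen by the block-op proxy */
} image_t;

/* Block-op proxy: every read or write marks the sectors it covers. */
static void mark_touched(image_t *img, size_t off, size_t len) {
    for (size_t s = off / SECTOR; s < NSECTORS && s * SECTOR < off + len; s++)
        img->touched[s] = true;
}

int blk_read(image_t *img, size_t off, void *dst, size_t len) {
    if (off + len > IMAGE_SIZE) return -1;
    memcpy(dst, img->data + off, len);
    mark_touched(img, off, len);
    return 0;
}

int blk_write(image_t *img, size_t off, const void *src, size_t len) {
    if (off + len > IMAGE_SIZE) return -1;
    memcpy(img->data + off, src, len);
    mark_touched(img, off, len);
    return 0;
}

/* xorshift32: deterministic, so a test case replays identically. */
static uint32_t rng_next(uint32_t *s) {
    uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x;
}

/* Mutation step: flip one bit in each of `nflips` randomly chosen bytes,
 * picking only bytes inside touched sectors. Returns the flips applied. */
size_t mutate_touched(image_t *img, uint32_t *seed, size_t nflips) {
    size_t cand[NSECTORS], n = 0;
    for (size_t s = 0; s < NSECTORS; s++)
        if (img->touched[s]) cand[n++] = s;
    if (n == 0) return 0;                /* nothing accessed yet: nothing to mutate */
    for (size_t i = 0; i < nflips; i++) {
        size_t off = cand[rng_next(seed) % n] * SECTOR + rng_next(seed) % SECTOR;
        img->data[off] ^= (uint8_t)(1u << (rng_next(seed) % 8));
    }
    return nflips;
}

/* Bytes differing from the reference inside sectors the proxy never saw.
 * The design's invariant is that this stays 0: mutation only reaches what
 * the kernel actually read or wrote. */
size_t diff_in_untouched(const image_t *ref, const image_t *img) {
    size_t d = 0;
    for (size_t s = 0; s < NSECTORS; s++) {
        if (img->touched[s]) continue;
        for (size_t i = s * SECTOR; i < (s + 1) * SECTOR; i++)
            d += ref->data[i] != img->data[i];
    }
    return d;
}

/* Test case shape (Blob, Seq[Either[Mutation, Syscall]]): each op is either a
 * stand-in "syscall" routed through the block proxy or a mutation step. */
typedef enum { OP_READ, OP_WRITE, OP_MUTATE } op_kind_t;
typedef struct { op_kind_t kind; size_t off; size_t len; uint8_t fill; } op_t;

/* What each forked child does: start from a clean copy of the blob, apply ops. */
size_t run_test_case(const image_t *blob, const op_t *ops, size_t nops,
                     uint32_t seed, image_t *out) {
    uint8_t scratch[SECTOR];
    size_t flips = 0;
    *out = *blob;
    memset(out->touched, 0, sizeof out->touched);
    for (size_t i = 0; i < nops; i++) {
        size_t len = ops[i].len < SECTOR ? ops[i].len : SECTOR;
        switch (ops[i].kind) {
        case OP_READ:   blk_read(out, ops[i].off, scratch, len); break;
        case OP_WRITE:  memset(scratch, ops[i].fill, len);
                        blk_write(out, ops[i].off, scratch, len); break;
        case OP_MUTATE: flips += mutate_touched(out, &seed, ops[i].len); break;
        }
    }
    return flips;
}

/* Constructed sample: a reference blob whose every byte equals its sector
 * number, and a short op sequence (read sector 2, write sector 5, mutate,
 * read part of sector 2 again). For OP_MUTATE, `len` is the flip count. */
static image_t g_ref, g_out;
static const op_t SAMPLE_OPS[] = {
    { OP_READ,   2 * SECTOR, SECTOR, 0    },
    { OP_WRITE,  5 * SECTOR, SECTOR, 0x5A },
    { OP_MUTATE, 0,          8,      0    },
    { OP_READ,   2 * SECTOR, 64,     0    },
};

size_t run_sample(void) {
    for (size_t i = 0; i < IMAGE_SIZE; i++) g_ref.data[i] = (uint8_t)(i / SECTOR);
    memset(g_ref.touched, 0, sizeof g_ref.touched);
    return run_test_case(&g_ref, SAMPLE_OPS, sizeof SAMPLE_OPS / sizeof SAMPLE_OPS[0],
                         0x1234567u, &g_out);
}

int main(void) {
    size_t flips = run_sample();
    printf("flips=%zu untouched-diff=%zu\n", flips, diff_in_untouched(&g_ref, &g_out));
    return 0;
}
```

The property worth checking after a run is that diff_in_untouched() is zero: mutation is confined to sectors the kernel already accessed, so data the filesystem never looked at is never corrupted. That confinement is also why, as noted above, a checksum-protected metadata parser tends to reject such mutations outright, while a filesystem without checksums gets exercised in minutes with no format-specific code.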

kBdysch tends toward an approach that requires as little manual work as possible, relying instead on something similar to "Pulling JPEGs out of thin air".

Building from sources

To use the bundled invoker, just run the build.sh script.

In case you want to modify the syscall descriptions, use the update_invokers.sh script. You need Java installed in this case (the script will download all other Scala-related dependencies by itself).

See troubleshooting.md if something goes wrong.

Bugs

Technically, this fuzzer has not found anything yet at the time of writing this README, since it is a partial rewrite of the original fuzzer, which found a couple of dozen bugs but had quite awful code. I tried to closely replicate its behavior, so it is expected to find roughly the same bugs as its predecessor.

As for the bugs found by its predecessor: almost everything matching Reported-by:.*anatoly.trosinenko in the kernel git log was found via this approach (though a single report can lead to 2-3 commits).

Why such name?

This is not a random sequence of characters, nor an attempt to fuzz this project's users' ability to read English words. It is merely "K for Kernel" followed by a transliterated Russian word БДЫЩ! (an onomatopoeia for the sound of a crash, similar to BOOM!). Just like "borsch" but "bdysch".

Issues
  • Cannot load eBPF program

    On Ubuntu 18.04 I've built lkl.so and linked the kbdysch runtime successfully with the USE_INVOKERS option OFF.

    But when I test bpffuzz with the following command

    ./bpffuzz init=/bin/sh < ../../ebpf_data/data
    

    It shows:

    [    0.000000] Linux version 5.3.0+ ([email protected]) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #1 Sun May 31 22:20:21 PDT 2020
    [    0.000000] memblock address range: 0x7fdf7c000000 - 0x7fdf7ffff000
    [    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 16159
    [    0.000000] Kernel command line: init=/bin/sh
    [    0.000000] Dentry cache hash table entries: 8192 (order: 4, 65536 bytes, linear)
    [    0.000000] Inode-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
    [    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
    [    0.000000] Memory available: 64500k/65532k RAM
    [    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
    [    0.000000] NR_IRQS: 4096
    [    0.000000] lkl: irqs initialized
    [    0.000000] clocksource: lkl: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns
    ...
    Mounting all...
    Cannot load eBPF program: Invalid system call number
    

    It seems to be an invalid system call number, but I checked the syscall invocation again:

    INVOKE_SYSCALL(state, bpf, BPF_PROG_LOAD , (long)&attr, sizeof(attr));
    

    Replacing BPF_PROG_LOAD with LKL_BPF_PROG_LOAD also fails.

    opened by pcy190 2
  • undefined reference to `pth_self'

    After installing GNU Pth 2.0.7 and running make, I got errors like these:

    [email protected]:~/kernel-fuzz/kbdysch/lkl-linux$ make -C tools/lkl -j8
    make: Entering directory '/home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl'
    afl-clang-fast++2.59d by <[email protected]>
      LINK        /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/tests/boot
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/liblkl.a(liblkl-in.o): in function `_gettid':
    /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:161: undefined reference to `pth_self'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/liblkl.a(liblkl-in.o): in function `thread_self':
    /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:122: undefined reference to `pth_self'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/liblkl.a(liblkl-in.o): in function `tls_get':
    /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:156: undefined reference to `pth_key_getdata'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/liblkl.a(liblkl-in.o): in function `thread_exit':
    /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:109: undefined reference to `pth_exit'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/liblkl.a(liblkl-in.o): in function `thread_create':
    /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:98: undefined reference to `pth_spawn'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/liblkl.a(liblkl-in.o): in function `tls_set':
    /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:149: undefined reference to `pth_key_setdata'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/liblkl.a(liblkl-in.o): in function `tls_free':
    /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:143: undefined reference to `pth_key_delete'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/liblkl.a(liblkl-in.o): in function `tls_alloc':
    /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:134: undefined reference to `pth_key_create'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/liblkl.a(liblkl-in.o): in function `thread_join':
    /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:114: undefined reference to `pth_join'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/liblkl.a(liblkl-in.o): in function `mutex_unlock':
    /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:87: undefined reference to `pth_mutex_release'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/liblkl.a(liblkl-in.o): in function `mutex_lock':
    /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:82: undefined reference to `pth_mutex_acquire'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/liblkl.a(liblkl-in.o): in function `mutex_alloc':
    /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:75: undefined reference to `pth_mutex_init'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/liblkl.a(liblkl-in.o): in function `sem_down':
    /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:61: undefined reference to `pth_mutex_acquire'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:63: undefined reference to `pth_cond_await'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:65: undefined reference to `pth_mutex_release'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/liblkl.a(liblkl-in.o): in function `sem_up':
    /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:52: undefined reference to `pth_mutex_acquire'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:56: undefined reference to `pth_mutex_release'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:55: undefined reference to `pth_cond_notify'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:56: undefined reference to `pth_mutex_release'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/liblkl.a(liblkl-in.o): in function `sem_alloc':
    /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:37: undefined reference to `pth_mutex_init'
    /usr/bin/ld: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/lib/posix-host-pth.inc.c:39: undefined reference to `pth_cond_init'
    collect2: error: ld returned 1 exit status
    make: *** [Makefile:82: /home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl/tests/boot] Error 1
    make: Leaving directory '/home/osboxes/kernel-fuzz/kbdysch/lkl-linux/tools/lkl'

    opened by De4dCr0w 10
  • make lkl failed

    On Ubuntu Server 18.04 I just ran ./build.sh; when it runs make -C tools/lkl:

    /home/uuu/kernel/kbdysch/lkl-linux/tools/lkl//include/lkl/asm/syscall_defs.h: In function ‘lkl_sys_inotify_init’:
    /home/uuu/kernel/kbdysch/lkl-linux/tools/lkl//include/lkl/asm/syscalls.h:288:22: error: ‘__lkl__NR_inotify_init’ undeclared (first use in this function); did you mean ‘__lkl__NR_inotify_init1’?
       return lkl_syscall(__lkl__NR##name, params);        \
                          ^
    /home/uuu/kernel/kbdysch/lkl-linux/tools/lkl//include/lkl/asm/syscalls.h:325:40: note: in expansion of macro ‘LKL_SYSCALL0’
     #define LKL_SYSCALL_DEFINE0(name, ...) LKL_SYSCALL0(name)
    
    opened by areuu 1
Owner
Anatoly Trosinenko