fuzzing the openbsd kernel
play

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist - PowerPoint PPT Presentation

Jan 20, 2024 •498 likes •668 views

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction Fuzzing the OpenBSD kernel using the syzkaller kernel fuzzer. Heard about first on the BSD Now podcast back in April 2018. Ongoing effort, hence 1/N in

  1. Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org>

  2. Introduction Fuzzing the OpenBSD kernel using the syzkaller kernel fuzzer. Heard about first on the BSD Now podcast back in April 2018. Ongoing effort, hence 1/N in the title. My ambition is to turn this into a recurring topic for future meetups. Today, I'll focus on some background and the current state.

  3. syzkaller Unsupervised, coverage-guided kernel fuzzer. Published under Google's account on GitHub but not an official Google product (Apache-2.0 licensed). Total of 3200 crashes found in Linux, Android, Chrome OS and other internal kernels.

  4. syzkaller overview

  5. Syscall Descriptions Declarative description of syscalls: open(file ptr[in, filename], flags flags[open_flags], mode flags[open_mode]) fd 225 syscalls supported so far. Far from exhaustive since every ioctl(2) command needs a separate description: ioctl$TIOCSETA(fd fd_tty, cmd const[TIOCSETA], arg ptr[in, termios])

  6. Syscall Programs Descriptions are used to generate and mutate programs: r0 = open(&(0x7f0000000000)="./file0", 0x3, 0x9) read(r0 , &(0x7f0000000000), 42) close(r0) Novelty arises from the possiblility to test the interaction between different syscalls. All generated programs are not equally interesting. Programs are categorized based on the heuristic: A program is considered interesting if it causes a new code path in the kernel to be executed. More on this later... An interesting program is further mutated in the hope of continued code path discovery.

  7. syz-prog2c(1) Generated programs can be turned into C programs: uint64_t r[1] = {0xffffffffffffffff}; int main(void) { syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0); long res = 0; memcpy((void*)0x20000000, "./file0", 8); res = syscall(SYS_open, 0x20000000, 0, 0x10); if (res != -1) r[0] = res; syscall(SYS_read, r[0], 0x20000000, 0); syscall(SYS_close, r[0]); return 0; }

  8. syzbot Continous fuzzing of unreleased kernels. Can even bisect to find the commit that introduces a regression. OpenBSD is not quite there yet...

  9. kcov(4) A driver for tracking kernel code coverage. Enabled on a per thread basis. The kernel program counter is tracked during syscalls made by the same thread. Not a strict requirement for syzkaller but improves its ability to generate interesting programs.

  10. kcov(4) - implementation Not enabled by default, requires one to compile a custom kernel. Limited to architectures using Clang due to usage of the -fsanitize-coverage=trace-pc option. Newer versions of GCC does support the same option. The option will insert calls to a user-supplied function along every line in the original source code (sort of): -fno-sanitize-coverage=trace-pc -fsanitize-coverage=trace-pc int max(int x, int y) { int max(int x, int y) { if (x > y) { __sanitizer_cov_trace_pc(); return x; if (x > y) { } __sanitizer_cov_trace_pc(); return y; return x; } } __sanitizer_cov_trace_pc(); return y; }

  11. Found bugs on OpenBSD poll: execution of address 0x0 caused by console redirection kqueue: use-after-free in kqueue_close() unveil: invalid call to VOP_UNLOCK() open: NULL pointer dereference while operating on cloned device mprotect: incorrect bounds check in uvm_map_protect() fchown: NULL pointer dereference while operating on cloned device recvmsg: double free of mbuf ftruncate: NULL pointer dereference while operating on cloned device kqueue: NULL pointer dereference

  12. What about the other BSDs? FreeBSD supported by syzkaller, kcov(4) under development. NetBSD supported by syzkaller, kcov(4) under development.

  13. Want to help out? Write syscall descriptions (most bang for the buck). Know Go? Plenty left todo in syzkaller related supporting continous fuzzing. Enable kcov(4) support for remaining Clang architectures. Not as important but could be a fun exercise.

  14. Thanks! Martin Pieuchot (OpenBSD) for the help during development of kcov(4). Visa Hankala (OpenBSD) for reviewing diffs and fixing found panics. Mark Kettenis (OpenBSD) for reviewing diffs and fixing found panics. Bob Beck (OpenBSD) for fixing found panics. Alexander Bluhm (OpenBSD) for reviewing diffs. Philip Guenther (OpenBSD) for reviewing diffs. Theo de Raadt (OpenBSD) for reviewing diffs. Theo Buehler (OpenBSD) for testing panic fixes. Klemens Nanni (OpenBSD) for testing my syzkaller diffs. Ingo Schwarze (OpenBSD) for inviting me back in May 2017. Dmitry Vyukov (syzkaller) for reviewing diffs.

  15. Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Porting OpenBSD Niall OHiggins &lt;niallo@openbsd.org&gt; Uwe Sthler &lt;uwe@openbsd.org&gt;

Porting OpenBSD Niall OHiggins &lt;niallo@openbsd.org&gt; Uwe Sthler &lt;uwe@openbsd.org&gt;

Porting OpenBSD Niall OHiggins &lt;niallo@openbsd.org&gt; Uwe Sthler &lt;uwe@openbsd.org&gt; OpenCON, 2005 Outline 1 Porting OpenBSD What It Takes Preparation Cross-Development The Boot Loader Building The Kernel Adapting Startup

1.59k views • 88 slides
GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan &amp; Chan Lee Yee

GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan &amp; Chan Lee Yee

GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan &amp; Chan Lee Yee Ministry of Science, Technology and Innovation Agenda Agenda Introduction TrueType Font (.TTF) TTF Fuzzer Exploit Demonstration MS11

788 views • 65 slides
HFL: Hybrid Fuzzing on the Linux Kernel Kyungtae Kim*, Dae R. Jeong, Chung Hwan Kim ,

HFL: Hybrid Fuzzing on the Linux Kernel Kyungtae Kim*, Dae R. Jeong, Chung Hwan Kim ,

HFL: Hybrid Fuzzing on the Linux Kernel Kyungtae Kim*, Dae R. Jeong, Chung Hwan Kim , Yeongjin Jang , Insik Shin, Byoungyoung Lee * * Purdue University, KAIST, NEC Labs America, Oregon State University, Seoul National

771 views • 18 slides
HFL: Hybrid Fuzzing on the Linux Kernel Kyungtae Kim*, Dae R. Jeong, Chung Hwan Kim ,

HFL: Hybrid Fuzzing on the Linux Kernel Kyungtae Kim*, Dae R. Jeong, Chung Hwan Kim ,

HFL: Hybrid Fuzzing on the Linux Kernel Kyungtae Kim*, Dae R. Jeong, Chung Hwan Kim , Yeongjin Jang , Insik Shin, Byoungyoung Lee * * Purdue University, KAIST, NEC Labs America, Oregon State University, Seoul National

214 views • 19 slides
No source? No problem! High speed binary fuzzing Nspace &amp; @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace &amp; @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace &amp; @gannimo About this talk Fuzzing binaries is hard! Few tools, complex setup Fuzzing binaries in the kernel is even harder! New approach based on static rewriting High

488 views • 46 slides
Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee Insik Shin Korea Advanced Institute of Science and Technology Seoul National University Purdue

3.64k views • 23 slides
Supporting Radio Clocks in OpenBSD Marc Balmer &lt; mbalmer@openbsd.org &gt; micro systems/OpenBSD

Supporting Radio Clocks in OpenBSD Marc Balmer &lt; mbalmer@openbsd.org &gt; micro systems/OpenBSD

Supporting Radio Clocks in OpenBSD Marc Balmer &lt; mbalmer@openbsd.org &gt; micro systems/OpenBSD BSDConTr, Istanbul, Turkey Agenda 1 Introduction 2 Radio Clocks 3 Architectural Overview 4 Support for GPS-Receivers 5 Support for Time Signal

745 views • 35 slides
Krace: Data Race Fuzzing for Kernel File Systems Meng Xu , Sanidhya Kashyap, Hanqing Zhao,

Krace: Data Race Fuzzing for Kernel File Systems Meng Xu , Sanidhya Kashyap, Hanqing Zhao,

Introduction Title Krace: Data Race Fuzzing for Kernel File Systems Meng Xu , Sanidhya Kashyap, Hanqing Zhao, Taesoo Kim May 1, 2020 Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems 1 May 1, 2020 Introduction Data

847 views • 64 slides
Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org

Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org

Reflections|Projections 2007 Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org Overview of OpenBSD History Berkeley Software Distribution (BSD) First freely distributable BSD was released in June

810 views • 24 slides
vmd Reyk Flter reyk@openbsd.org About vmd vmd is a daemon responsible for the execution

vmd Reyk Flter reyk@openbsd.org About vmd vmd is a daemon responsible for the execution

vmd Reyk Flter reyk@openbsd.org About vmd vmd is a daemon responsible for the execution of virtual machines (VMs) on a host. vmd(8) interfaces with vmm(4) in the kernel It handles the VM setup, vCPUs, exists, and device layer

372 views • 8 slides
Lock, Stock And Two Smoking Apples - XNU Kernel Security Alex Plaskett (@alexjplaskett) / James

Lock, Stock And Two Smoking Apples - XNU Kernel Security Alex Plaskett (@alexjplaskett) / James

PUBLIC Lock, Stock And Two Smoking Apples - XNU Kernel Security Alex Plaskett (@alexjplaskett) / James Loureiro (@NerdKernel) PUBLIC Agenda System call fuzzing (OSXFuzz) Scaling up Code coverage IOKit and Mach fuzzing

1.04k views • 54 slides
through Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee

through Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee

Razzer: Finding Kernel Race Bugs through Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee Insik Shin Korea Advanced Institute of Science and Technology Seoul National University Purdue

1.17k views • 47 slides
Zero-Copy Socket Splicing Alexander Bluhm bluhm@openbsd.org Sunday, 29. September 2013

Zero-Copy Socket Splicing Alexander Bluhm bluhm@openbsd.org Sunday, 29. September 2013

Motivation Kernel MBuf Packet Processing Socket Splicing Interface Implementation Applications Zero-Copy Socket Splicing Alexander Bluhm bluhm@openbsd.org Sunday, 29. September 2013 Motivation Kernel MBuf Packet Processing Socket

736 views • 38 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler

Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler

Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler phessler@openbsd.org OpenBSD 17 March, 2013 1 / 27 what is this spamd uses IP host entries, to whitelist, blacklist or greylist hosts spamd can import and

412 views • 27 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Help! My system is slow! Profiling tools, tips and tricks Kris Kennaway kris@FreeBSD.org

Help! My system is slow! Profiling tools, tips and tricks Kris Kennaway kris@FreeBSD.org

Help! My system is slow! Profiling tools, tips and tricks Kris Kennaway kris@FreeBSD.org Overview Goal: Present some tools for evaluating the workload of your FreeBSD system, and identifying the bottleneck(s) that are limiting performance

756 views • 29 slides
News from CAIAs NewTCP Project Delay-based TCP and improved instrumentation of FreeBSDs TCP

News from CAIAs NewTCP Project Delay-based TCP and improved instrumentation of FreeBSDs TCP

News from CAIAs NewTCP Project Delay-based TCP and improved instrumentation of FreeBSDs TCP stack Presented by Michael Welzl on behalf of: David Hayes, Lawrence Stewart {dahayes,lastewart}@swin.edu.au Centre for Advanced Internet

570 views • 10 slides
My BSD Sucks Less Than Yours EuroBSDcon 2017 Paris ajacoutot@OpenBSD.org

My BSD Sucks Less Than Yours EuroBSDcon 2017 Paris ajacoutot@OpenBSD.org

Antoine Jacoutot Baptiste Daroussin My BSD Sucks Less Than Yours EuroBSDcon 2017 Paris ajacoutot@OpenBSD.org bapt@FreeBSD.org ROUND 1 Ports &amp; packages Release model &amp; engineering Binary upgrades SMP &amp; scheduling The

630 views • 24 slides
Bloomfield BSD Traditional School School Students enrolled in the BSD District Traditional

Bloomfield BSD Traditional School School Students enrolled in the BSD District Traditional

Bloomfield BSD Traditional School School Students enrolled in the BSD District Traditional School Model will 2020-2021 return to campus and Return to School Plan classrooms with the traditional school schedule and in-person instruction.

722 views • 5 slides
Porting FreeBSD on Xen on ARM How to support your OS as Xen ARM guest Julien Grall

Porting FreeBSD on Xen on ARM How to support your OS as Xen ARM guest Julien Grall

Porting FreeBSD on Xen on ARM How to support your OS as Xen ARM guest Julien Grall julien.grall@linaro.org FOSDEM February 1, 2014 Intro Requirements FreeBSD Conclusion Xen Type-I hypervisor Support for ARM v7 and ARM v8 with

496 views • 20 slides
NetBSD Live CDs Jan Schaumann jschauma@netbsd.org PGP: 136D 027F DC29 8402 7B42 47D6 7C5B 64AF

NetBSD Live CDs Jan Schaumann jschauma@netbsd.org PGP: 136D 027F DC29 8402 7B42 47D6 7C5B 64AF

NetBSD Live CDs NetBSD Live CDs Jan Schaumann jschauma@netbsd.org PGP: 136D 027F DC29 8402 7B42 47D6 7C5B 64AF AF22 6A4C Jan Schaumann BSDCan 2006 NetBSD Live CDs Focus on NetBSD The first NetBSD Live CD: developed by J org Braun based

961 views • 48 slides
Operating Systems CSE451 Simon Peter With thanks to Timothy Roscoe (ETH Zurich) Autumn 2015

Operating Systems CSE451 Simon Peter With thanks to Timothy Roscoe (ETH Zurich) Autumn 2015

Datacenter Operating Systems CSE451 Simon Peter With thanks to Timothy Roscoe (ETH Zurich) Autumn 2015 This Lecture Whats a datacenter Why datacenters Types of datacenters Hyperscale datacenters Major problem: Server I/O

792 views • 29 slides
No, I was not on Crack Je ne regrette rien Brought to you by Alistair G. Crooks agc@pkgsrc.org

No, I was not on Crack Je ne regrette rien Brought to you by Alistair G. Crooks agc@pkgsrc.org

No, I was not on Crack Je ne regrette rien Brought to you by Alistair G. Crooks agc@pkgsrc.org Wed May 11 23:11:48 CEST 2005 No, I was not on Crack Je ne regrette rien Really brought to you by Alistair G. Crooks agc@pkgsrc.org Wed May 11

798 views • 43 slides

More recommend