syzkaller
play

syzkaller Mark Johnston markj@FreeBSD.org FreeBSD Bay Area Vendor - PowerPoint PPT Presentation

Oct 29, 2022 •602 likes •744 views

syzkaller Mark Johnston markj@FreeBSD.org FreeBSD Bay Area Vendor Summit October 12, 2019 System Call Fuzzing: What? Common syscall usage patterns cover a small space Why would you ever call send(2) after listen(2) ? Increase

  1. syzkaller Mark Johnston markj@FreeBSD.org FreeBSD Bay Area Vendor Summit October 12, 2019

  2. System Call Fuzzing: What? ◮ Common syscall usage patterns cover a small space ◮ Why would you ever call send(2) after listen(2) ? ◮ Increase coverage by generating and executing programs ◮ Look for crashes, hangs, sanitizer reports, etc. ◮ Cannot easily validate positive results for (;;) { p = generate_prog(); execute(p); }

  3. System Call Fuzzing: Why? ◮ Kernel is part of the TCB ◮ System calls present a huge attack surface ◮ Jails and Capsicum help but are not sufficient ◮ FreeBSD has 500 system calls ◮ Plus COMPAT FREEBSD32 , COMPAT LINUX ... ◮ Plus de-muxing via ioctl(2) , fcntl(2) , setsockopt(2) ... ◮ Fine-grained parallelism makes things much worse

  4. System Call Fuzzing: How? ◮ Naive fuzzing mostly catches input validation bugs ◮ Can do better with semantic knowledge of syscall params ◮ Idea: use code coverage as input to test case generation for (cov = NULL;;) { p = generate_prog(corpus); cov1 = execute(p); if (!cov.contains(cov1)) { cov.add(cov1); corpus.add(p); } }

  5. Introduction to syzkaller ◮ “Unsupervised, coverage-guided kernel fuzzer” ◮ By Dmitry Vyukov at Google, initially for Linux ◮ https://github.com/google/syzkaller/docs ◮ Kitchen sink approach: ◮ Manages VMs running target kernels ◮ Generates minimal reproducibles ◮ Can inject network, USB, etc. packets ◮ Collects, summarizes and deduplicates crash reports ◮ Collects kernel code coverage info ◮ Presents crash reports and test cases in a web dashboard ◮ syz-ci periodically rebuilds kernel and syzkaller itself ◮ Checks for regressions ◮ Bisects new crashes ◮ ...

  6. syzkaller on FreeBSD syz-ci buildkernel gmake bhyve, syz-manager ZFS corpus, crash reports syz-prog2c SSH, SCP .c files VMs syz-fuzzer :80 syz-exec utor /dev/kcov syscalls netdumpd vmcores

  7. KCOV ◮ Thin user interface around LLVM SanitizerCoverage for kernel ◮ Initial implementation by mhorne@, finished by andrew@ ◮ Open /dev/kcov and mmap to create shared buffer ◮ KIOENABLE ioctl enables tracing for the calling thread ◮ Buffer entries generated for every edge and comparison include "./GENERIC" ident SYZKALLER options COVERAGE options KCOV

  8. System Call Descriptions ◮ syzkaller defines a syscall description grammar ◮ Supports “enhanced” types: flags, file descriptors, ... ◮ Implements compound types ◮ Each system call needs to be described - lots of work ◮ Some system calls have multiple flavours, e.g. connect(2) #include <fcntl.h> open(file ptr[in, filename], flags flags[open_flags], mode flags[open_mode]) fd open_flags = O_RDONLY, O_WRONLY, O_RDWR, O_APPEND, ... open_mode = S_IRUSR, S_IWUSR, ... stat { dev int64 ino int64 nlink int64 mode int16 __pad0 const[0, int16] uid uid gid gid ... }

  9. Sample Reproducer #{"threaded":true,"collide":true,"repeat":true,"procs":4,"sandbox":"none","fault_call":-1, "tmpdir":true,"segv":true} r0 = socket(0x2, 0x10000001, 0x84) connect$unix(r0, &(0x7f0000000000)=@file={0xbd5699bc1ec0282, ’./file0\x00’}, 0x10) getsockopt$inet6_sctp_SCTP_ENABLE_STREAM_RESET(r0, 0x84, 0x900, &(0x7f0000000080)={<r1=>0x0, 0x4}, &(0x7f00000000c0)=0x8) getsockopt$inet6_sctp_SCTP_DELAYED_SACK(r0, 0x84, 0xf, &(0x7f0000000180)={r1, 0x9, 0x6}, &(0x7f00000001c0)=0xc) listen(r0, 0x9) setsockopt$inet6_sctp_SCTP_EVENTS(r0, 0x84, 0xc, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x6}, 0xb) setsockopt$inet6_sctp_SCTP_RTOINFO(r0, 0x84, 0x1, &(0x7f0000000100)={0x0, 0x0, 0x80000001}, 0x10) shutdown(r0, 0x1) Run with sudo syz-execprog ./repro.syz

  10. syzbot ◮ Hosted CI for syzkaller, on GCE ◮ https://syzkaller.appspot.com ◮ Fuzzes many different operating systems ◮ Thousands of bugs found ◮ Mails syzkaller-freebsd-bugs@googlegroups.com when a new crash is found ◮ Resolve reports automatically using a Reported-by tag: commit fb4ce630e036f6b73bef06c3c4b9c7bf363a9b23 Author: markj <markj@FreeBSD.org> Date: Mon Mar 25 21:38:58 2019 +0000 Reject F_SETLK_REMOTE commands when sysid == 0. A sysid of 0 denotes the local system, and some handlers for remote locking commands do not attempt to deal with local locks. Note that F_SETLK_REMOTE is only available to privileged users as it is intended to be used as a testing interface. Reviewed by: kib Reported by: syzbot+9c457a6ae014a3281eb8@syzkaller.appspotmail.com MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D19702

  11. Netdump ◮ syzkaller does not do a perfect job generating reproducers: ◮ Some panics happen asynchronously (e.g., in a callout) ◮ Some reproducers do not work (race conditions) ◮ Reproducer minimization is not perfect or reliable ◮ VM disk image is discarded during reboot ◮ netdump(4) to the rescue

  12. FreeBSD and syzkaller Why is it worth investing time into syzkaller? What do we need? ◮ Bug triage and analysis ◮ More system call descriptions ◮ Fuzzing ZFS, NFS-based images ◮ Fuzzing non-amd64 kernels ◮ syzkaller jail image ◮ Sanitizer support

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist &lt;anton@openbsd.org&gt; Introduction

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist &lt;anton@openbsd.org&gt; Introduction

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist &lt;anton@openbsd.org&gt; Introduction Fuzzing the OpenBSD kernel using the syzkaller kernel fuzzer. Heard about first on the BSD Now podcast back in April 2018. Ongoing effort, hence 1/N in

668 views • 15 slides
Security in a cloud context David Crooks, for the EGI CSIRT Lessons learned from recent incidents

Security in a cloud context David Crooks, for the EGI CSIRT Lessons learned from recent incidents

Security in a cloud context David Crooks, for the EGI CSIRT Lessons learned from recent incidents www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 Cloud Security EGI

571 views • 16 slides
Accessing Samba from Linux. Whats new? Whats faster? Whats better? Steve French

Accessing Samba from Linux. Whats new? Whats faster? Whats better? Steve French

Accessing Samba from Linux. Whats new? Whats faster? Whats better? Steve French Principal Systems Engineer Primary Data Legal Statement T h i s w o r k r e p r e s e n t s t h e v i e w s o f t h e a u t h o r ( s ) a n d d o e

480 views • 28 slides
Recreating the NSA's MITM Attack 1 Why Should This Topic be Chosen? Goal 1: Understanding how

Recreating the NSA's MITM Attack 1 Why Should This Topic be Chosen? Goal 1: Understanding how

create your own exercise Christoph Schmidt, Team 1 Recreating the NSA's MITM Attack 1 Why Should This Topic be Chosen? Goal 1: Understanding how the NSA uses its access to the Backbone Goal 2: Understanding how MITM attacks can be done

1.02k views • 82 slides
Modern Cryptology: from public key cryptography to homomorphic encryption 2015/12 Yaound,

Modern Cryptology: from public key cryptography to homomorphic encryption 2015/12 Yaound,

Modern Cryptology: from public key cryptography to homomorphic encryption 2015/12 Yaound, Cameroun Damien Robert quipe LFANT, Inria Bordeaux Sud-Ouest Institut de Mathmatiques de Bordeaux quipe MACISA, Laboratoire International de

960 views • 46 slides
Security and Protection Xavier Martorell-Bofill 1 Ren Serral-Graci 1 Universitat Politcnica

Security and Protection Xavier Martorell-Bofill 1 Ren Serral-Graci 1 Universitat Politcnica

Security and Protection Xavier Martorell-Bofill 1 Ren Serral-Graci 1 Universitat Politcnica de Catalunya (UPC) May 26, 2014 Introduction About security Security components Lectures System administration introduction 1 Operating System

517 views • 35 slides
Katacryptology trust or not your favorite cryptotool ? RSA PreSE 1 Robert Erra PreSE 2 LSE

Katacryptology trust or not your favorite cryptotool ? RSA PreSE 1 Robert Erra PreSE 2 LSE

Katacryptology Robert Erra LSE WEEK 2014 Catacrypt ? Why should you Katacryptology trust or not your favorite cryptotool ? RSA PreSE 1 Robert Erra PreSE 2 LSE WEEK 2014 PreSE 3 PreSE 5 PostSE 1 July 17, 2014 PostSE 3 Back to RSA

922 views • 44 slides
Lattice-based cryptography, day 1: simplicity D. J. Bernstein University of Illinois at Chicago;

Lattice-based cryptography, day 1: simplicity D. J. Bernstein University of Illinois at Chicago;

1 Lattice-based cryptography, day 1: simplicity D. J. Bernstein University of Illinois at Chicago; Ruhr University Bochum 2 2000 Cohen cryptosystem Public key: vector of integers K = ( K 1 ; : : : ; K N ) { X; : : : ; X } N .

1.84k views • 164 slides
Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly

Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly

Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly joint work with Taechan Kim and Yongsu Song) Department of Mathematical Sciences and ISaC-RIM Seoul National University December 13, 2013 1 / 41

557 views • 41 slides
Exploring the Effect of an Advance Letter on Response and Eligibility Rates: A M Met eta-Ana

Exploring the Effect of an Advance Letter on Response and Eligibility Rates: A M Met eta-Ana

Exploring the Effect of an Advance Letter on Response and Eligibility Rates: A M Met eta-Ana nalysis S Stud udy for the he Nationa nal I Immuni unization S n Sur urvey (NIS) Abera Wouhib 1 , Jie Zhao 2 , Meena Khare 1 and Vicki Pineau 2

812 views • 17 slides
ENISA EUROPEAN NIS AGENDA AND THE PERSPECTIVE Prof. Dr. Reinhard Posch Chairperson ENISA

ENISA EUROPEAN NIS AGENDA AND THE PERSPECTIVE Prof. Dr. Reinhard Posch Chairperson ENISA

ENISA EUROPEAN NIS AGENDA AND THE PERSPECTIVE Prof. Dr. Reinhard Posch Chairperson ENISA Management Board THE GENERAL GOAL The general goal of ENISA and of any subsequent situation is to strengthen Euorpe with NIS and to enable NIS

337 views • 10 slides
www.enisa.eu.int ENISA update 17 th TF-CSIRT, Amsterdam, 23.01.2006 Marco Thorbruegge

www.enisa.eu.int ENISA update 17 th TF-CSIRT, Amsterdam, 23.01.2006 Marco Thorbruegge

www.enisa.eu.int ENISA update 17 th TF-CSIRT, Amsterdam, 23.01.2006 Marco Thorbruegge marco.thorbruegge@enisa.eu.int 1 ENISAs tasks Risk assessment Becoming a centre and Track of expertise risk management standardisation Information

728 views • 16 slides
System Administration HW5 - Mini Private Lab tzute Computer Center, CS, NCTU Architecture

System Administration HW5 - Mini Private Lab tzute Computer Center, CS, NCTU Architecture

System Administration HW5 - Mini Private Lab tzute Computer Center, CS, NCTU Architecture Overview (1/3) behind account SSH playground storage 2 Computer Center, CS, NCTU Architecture Overview (2/3) Sharing these via YP: behind ypbind

397 views • 28 slides
Web-based Supporting Materials for Power/Sample Size Calculations for Assessing Correlates of Risk

Web-based Supporting Materials for Power/Sample Size Calculations for Assessing Correlates of Risk

Web-based Supporting Materials for Power/Sample Size Calculations for Assessing Correlates of Risk in Clinical Efficacy Trials Peter B. Gilbert, Holly E. Janes, Yunda Huang Appendix A: Unbiased Biomarker Characterization Accounting for the Sam-

396 views • 12 slides
ETC Teaching Session Instructor: Swara Ravindranath JWST Proposal Planning Workshop May 15

ETC Teaching Session Instructor: Swara Ravindranath JWST Proposal Planning Workshop May 15

The Canadian NIRISS Unbiased Cluster Survey (CANUCS) ETC Teaching Session Instructor: Swara Ravindranath JWST Proposal Planning Workshop May 15 18, 2017 STScI The Canadian NIRISS Unbiased Cluster Survey (CANUCS) Slitless spectroscopy

1.08k views • 14 slides
Indian National System of Innovation and Globalisation: Some Lessons for African National System

Indian National System of Innovation and Globalisation: Some Lessons for African National System

INNOVATION SYSTEMS AND DEVELOPMENT STRATEGIES FOR THE THIRD MILLENIUM Rio de Janeiro, Brazil 2-6 November 2003 Indian National System of Innovation and Globalisation: Some Lessons for African National System of Innovation Mammo Muchie

270 views • 23 slides
CS 171: Introduction to Computer Science II Algorithm Analysis Li Xiong Today Hw1

CS 171: Introduction to Computer Science II Algorithm Analysis Li Xiong Today Hw1

CS 171: Introduction to Computer Science II Algorithm Analysis Li Xiong Today Hw1 discussion Recap: linear search and binary search Algorithm Analysis Big-O Notation Big-O Notation Loop Analysis Hw1 Discussion Read

2.41k views • 45 slides
www.transparency.org.nz Policy Implications of Transparency International Integrity Plus 2013

www.transparency.org.nz Policy Implications of Transparency International Integrity Plus 2013

1 www.transparency.org.nz Policy Implications of Transparency International Integrity Plus 2013 NZ's National Integrity System Assessment The Treasury Friday 14 th March 2014 1:30pm- 3:00pm liz.brown@paradise.net.nz mpetrie@esg.co.nz

947 views • 45 slides
Changing the probability distribution Recall the binary tree with a probability distribution P

Changing the probability distribution Recall the binary tree with a probability distribution P

Changing the probability distribution Recall the binary tree with a probability distribution P defined by with probability p u S i +1 = S i with probability 1 p d The process { S i } 0 i N is not a P

499 views • 14 slides
Rule Models as Semantic Models for Command and Control Francisco Loaiza Steven Wartik Institute

Rule Models as Semantic Models for Command and Control Francisco Loaiza Steven Wartik Institute

I N F O R M A T I O N T E C H N O L O G Y &amp; S Y S T E M S D I V I S I O N Rule Models as Semantic Models for Command and Control Francisco Loaiza Steven Wartik Institute for Defense Analyses TOC I N F O R M A T I O N T E C H N O L

621 views • 13 slides
Deploying pNFS solution over Distributed Storage Jiffin Tony Thottan Associate Software Engineer

Deploying pNFS solution over Distributed Storage Jiffin Tony Thottan Associate Software Engineer

Deploying pNFS solution over Distributed Storage Jiffin Tony Thottan Associate Software Engineer Agenda pNFS protocol NFS-Ganesha GlusterFS Integration Challenges Configuring pNFS cluster 2 pNFS Protocol Overview

587 views • 31 slides
Nursing Nursing Informati tion Syste tem A relevant t substi titu tute te of th the paper

Nursing Nursing Informati tion Syste tem A relevant t substi titu tute te of th the paper

Nursing Nursing Informati tion Syste tem A relevant t substi titu tute te of th the paper record M.B. Michel-Verkerke Saxion University of Applied Sciences, Enschede, The Netherlands MIE 2011 Oslo, August 31 Nurse Donna Taylor uses a

404 views • 19 slides
a superconducting qubit and a single-electron transistor Jukka Pekola, Aalto University,

a superconducting qubit and a single-electron transistor Jukka Pekola, Aalto University,

Experiments on quantum heat transport through a superconducting qubit and a single-electron transistor Jukka Pekola, Aalto University, Helsinki, Finland 1. Heat in circuits: measurement and control 2. Thermometry 3. Single-electron transistor:

390 views • 36 slides
Peer-to-Peer Networks 01: Organization and Introduction Christian Schindelhauer Technical

Peer-to-Peer Networks 01: Organization and Introduction Christian Schindelhauer Technical

Peer-to-Peer Networks 01: Organization and Introduction Christian Schindelhauer Technical Faculty Computer-Networks and Telematics University of Freiburg Web &amp; Dates Web page -

494 views • 17 slides

More recommend