Code for the USENIX 2017 paper: kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels

Overview

kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels

Blazing fast x86-64 VM kernel fuzzing framework with performant VM reloads for Linux, macOS and Windows.

Published at USENIX Security 2017.

Currently missing:

  • full documentation
  • agents for macOS and Windows (except for our test driver)

BibTex:

@inproceedings{schumilo2017kafl,
    author = {Schumilo, Sergej and Aschermann, Cornelius and Gawlik, Robert and Schinzel, Sebastian and Holz, Thorsten},
    title = {{kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels}},
    year = {2017},
    booktitle = {USENIX Security Symposium} 
}

Trophies

Setup

This is a short introduction on how to setup kAFL to fuzz Linux kernel components.

Download kAFL and install necessary components

$ git clone https://github.com/RUB-SysSec/kAFL.git
$ cd kAFL
$ chmod u+x install.sh
$ sudo ./install.sh
$ sudo reboot

Setup VM

  • Create QEMU hard drive image:
$ qemu-img create -f qcow2 linux.qcow2 20G
  • Retrieve an ISO file of the desired OS and install it inside a VM (in this case Ubuntu 16.04 server):
$ wget -O /path/to/where/to/store/ubuntu.iso http://de.releases.ubuntu.com/16.04/ubuntu-16.04.3-server-amd64.iso
$ qemu-system-x86_64 -cpu host -enable-kvm -m 512 -hda linux.qcow2 -cdrom ubuntu.iso -usbdevice tablet
  • Download kAFL and compile the loader agent:
git clone https://github.com/RUB-SysSec/kAFL.git
cd path/to/kAFL/kAFL-Fuzzer/agents
chmod u+x compile.sh
./compile.sh
  • Shutdown the VM

Prepare VM for kAFL fuzzing

  • On the host: Create Overlay and Snapshot Files:
mkdir snapshot && cd snapshot
qemu-img create -b /absolute/path/to/hdd/linux.qcow2 -f qcow2 overlay_0.qcow2
qemu-img create -f qcow2 ram.qcow2 512
  • Start the VM using QEMU-PT:
cd /path/to/kAFL
./qemu-2.9.0/x86_64-softmmu/qemu-system-x86_64 -hdb /path/to/snapshot/ram.qcow2 -hda /path/to/snapshot/overlay_0.qcow2 -machine pc-i440fx-2.6 -serial mon:stdio -enable-kvm -k de -m 512
  • (Optional) Install and load the vulnerable Test Driver:
cd path/to/kAFL/kAFL-Fuzzer/vuln_drivers/simple/linux_x86-64/
chmod u+x load.sh
sudo ./load.sh
  • Execute loader binary which is in path/to/kAFL/kAFL-Fuzzer/agents/linux_x86_64/loader/ as root. VM should freeze. Switch to the QEMU management console and create a snapshot:
# press CTRL-a + c
savevm kafl
q 

Compile and configure kAFL components

  • Edit /path/to/kAFL/kAFL-Fuzzer/kafl.ini (qemu-kafl_location to point to path/to/kAFL/qemu-2.9.0/x86_64-softmmu/qemu-system-x86_64)

  • Compile agents:

cd <KERNEL_AFL_ROOT>/kAFL-Fuzzer/agents
chmod u+x compile.sh
./compile.sh
  • Retrieve address ranges of loaded drivers:
cd /path/to/kAFL/kAFL-Fuzzer
python kafl_info.py /path/to/snapshot/ram.qcow2 /path/to/snapshot/ agents/linux_x86_64/info/info 512 -v

Start Fuzzing!

python kafl_fuzz.py /path/to/snapshot/ram.qcow2 /path/to/snapshot agents/linux_x86_64/fuzzer/kafl_vuln_test 512 /path/to/input/directory /path/to/working/directory -ip0 0xffffffffc0287000-0xffffffffc028b000 -v --Purge

The -ip0 value is the address range of the fuzzing target (start-end, as printed by kafl_info.py for the loaded driver).
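As an added cross-check (example code, not part of kAFL): kafl_info.py is the authoritative source for the range, but inside the guest, /proc/modules also lists every loaded module's base address and size. The script below parses constructed /proc/modules lines, derives a start-end range for kafl_vuln_test and validates its form before it is handed to -ip0; it assumes the traced window is the module's base plus its size rounded up to a 4 KiB page, so compare the result against the kafl_info.py output rather than trusting it alone.

```python
"""Cross-check an Intel PT -ip0 range for a loaded guest kernel module.

Added example, not kAFL's own code. kafl_info.py remains the authoritative
source; this only derives a comparable range from /proc/modules.
Assumption: the traced region is the module's listed base address plus its
size rounded up to a 4 KiB page.
"""
import re

PAGE = 0x1000
IP_RANGE_RE = re.compile(r"^0x[0-9a-fA-F]+-0x[0-9a-fA-F]+$")

# Constructed /proc/modules output: name size refcount deps state address [taint]
SAMPLE_PROC_MODULES = """\
kafl_vuln_test 16384 0 - Live 0xffffffffc0287000 (OE)
e1000 143360 0 - Live 0xffffffffc00a5000
virtio_blk 20480 2 - Live 0xffffffffc0076000
"""


def parse_proc_modules(text):
    """Return {name: (base, size)} for every well-formed /proc/modules line."""
    mods = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip malformed lines instead of crashing
        name, size, base = fields[0], int(fields[1]), int(fields[5], 16)
        mods[name] = (base, size)
    return mods


def ip_range_for(text, module):
    """Derive a start-end string for `module`, or None if it is not loaded."""
    mods = parse_proc_modules(text)
    if module not in mods:
        return None
    base, size = mods[module]
    end = base + ((size + PAGE - 1) // PAGE) * PAGE  # page-align the end
    return f"0x{base:016x}-0x{end:016x}"


def validate_ip_range(rng):
    """Check the hex start-end form and that start lies below end."""
    if not IP_RANGE_RE.match(rng):
        return False
    start, end = (int(x, 16) for x in rng.split("-"))
    return start < end


if __name__ == "__main__":
    rng = ip_range_for(SAMPLE_PROC_MODULES, "kafl_vuln_test")
    print("-ip0", rng, "ok" if validate_ip_range(rng) else "INVALID")
```

With the constructed sample the derived range is 0xffffffffc0287000-0xffffffffc028b000, the same value the fuzzing command above uses.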

Comments
  • Bitmap is always zero for kafl_vuln_test

    Hi Sergey,

    Thank you for the great tool & research!

    I am trying to fuzz kafl_vuln_test using kAFL but I have a problem. I managed to install everything (qemu, KVM, etc.) according to the guide provided in README.md step by step, including installation of the vulnerable driver.

    When I start kAFL it looks like it works, but the bitmap is always 0.00b and the bitmap file in the work directory is empty. I see the qemu-system process in memory and I see multiple python processes working. My intuition is that something is wrong on the client side... I copied the address range of my driver from the output of kafl_info.py.

    Do you have any ideas how to fix or debug that?

    Thank you in advance!

    opened by mxmssh 11
  • Questions in Intel PT decoder

    Hello.

    Currently, I'm studying kAFL's KVM-PT and QEMU-PT to apply them to binary kernel fuzzing. So, I modified your kAFL to fit our fuzzer; only QEMU-PT. And I found some errors that occur when the hypervisor sets multiple IP ranges in QEMU-PT's decoder part.

    As I understand the Intel PT decoder, after pt_disable() is called, the hypervisor starts decoding the stored Intel PT packets in decode_buffer(). However, I got different results when I set a single IP range (e.g., IP range A) and multiple IP ranges (e.g., IP ranges A and B). For example, if I saw the control flow a->b->c with the single IP range A, I saw a different control flow (a->d->e) when I set multiple IP ranges that include the single IP range A.

    I kept searching for why this happens, and found that there are some errors in decoding the TNT packets. Each decoder set to a different IP range is influenced by the other IP range's TNT information. Therefore, it saves the wrong control flows after decoding the Intel PT packets.

    I think the decoder part needs to be fixed.

    Thank you.

    opened by ir0nc0w 2
  • Qemu exits before agent ends

    I have written a custom fuzzing agent that creates another process then calls WaitForSingleObject on that process. I disabled the -nographic option of qemu to see what was actually going on in the fuzzed VM and saw that the program wasn't fully executed and stopped in the middle.

    Is there some kind of timeout or mechanism that could be happening and cutting the execution?

    opened by alzkejalzkje 2
  • VMX_PT is not loaded!

    Hi, I encountered some problems when I try to install kAFL.

    • Problem 1:

    When I tried to run ./load.sh, it failed.

    lzs243@E356-U180315:~/Documents/Kernel_Fuzzing/Tools/kAFL/kAFL-Fuzzer/vuln_drivers/simple/linux_x86-64$ sudo ./load.sh 
    [sudo] password for lzs243: 
    make -C /lib/modules/4.13.0-37-generic/build M=/home/lzs243/Documents/Kernel_Fuzzing/Tools/kAFL/kAFL-Fuzzer/vuln_drivers/simple/linux_x86-64 modules
    make[1]: Entering directory '/usr/src/linux-headers-4.13.0-37-generic'
      CC [M]  /home/lzs243/Documents/Kernel_Fuzzing/Tools/kAFL/kAFL-Fuzzer/vuln_drivers/simple/linux_x86-64/kafl_vuln_test.o
    In file included from /home/lzs243/Documents/Kernel_Fuzzing/Tools/kAFL/kAFL-Fuzzer/vuln_drivers/simple/linux_x86-64/kafl_vuln_test.c:6:0:
    ./arch/x86/include/asm/uaccess.h: In function ‘set_fs’:
    ./arch/x86/include/asm/uaccess.h:31:9: error: dereferencing pointer to incomplete type ‘struct task_struct’
      current->thread.addr_limit = fs;
             ^
    /home/lzs243/Documents/Kernel_Fuzzing/Tools/kAFL/kAFL-Fuzzer/vuln_drivers/simple/linux_x86-64/kafl_vuln_test.c: In function ‘write_info’:
    /home/lzs243/Documents/Kernel_Fuzzing/Tools/kAFL/kAFL-Fuzzer/vuln_drivers/simple/linux_x86-64/kafl_vuln_test.c:52:6: error: implicit declaration of function ‘copy_from_user’ [-Werror=implicit-function-declaration]
      if (copy_from_user(input, buff, len)) {
          ^
    cc1: some warnings being treated as errors
    scripts/Makefile.build:315: recipe for target '/home/lzs243/Documents/Kernel_Fuzzing/Tools/kAFL/kAFL-Fuzzer/vuln_drivers/simple/linux_x86-64/kafl_vuln_test.o' failed
    make[2]: *** [/home/lzs243/Documents/Kernel_Fuzzing/Tools/kAFL/kAFL-Fuzzer/vuln_drivers/simple/linux_x86-64/kafl_vuln_test.o] Error 1
    Makefile:1550: recipe for target '_module_/home/lzs243/Documents/Kernel_Fuzzing/Tools/kAFL/kAFL-Fuzzer/vuln_drivers/simple/linux_x86-64' failed
    make[1]: *** [_module_/home/lzs243/Documents/Kernel_Fuzzing/Tools/kAFL/kAFL-Fuzzer/vuln_drivers/simple/linux_x86-64] Error 2
    make[1]: Leaving directory '/usr/src/linux-headers-4.13.0-37-generic'
    Makefile:4: recipe for target 'all' failed
    make: *** [all] Error 2
    insmod: ERROR: could not load module kafl_vuln_test.ko: No such file or directory
    done
    
    
    • Problem 2:

    When I try to run the loader in /agents/linux_x86_64/loader, it says "Illegal instruction (core dumped)".

    lzs243@E356-U180315:~/Documents/Kernel_Fuzzing/Tools/kAFL/kAFL-Fuzzer/agents/linux_x86_64/loader$ sudo ./loader 
    Kernel Panic Handler Address:	ffffffffb0a870f3
    Illegal instruction (core dumped)
    lzs243@E356-U180315:~/Documents/Kernel_Fuzzing/Tools/kAFL/kAFL-Fuzzer/agents/linux_x86_64/loader$
    
    • Problem 3:

    When I run the command:

    python kafl_info.py snapshot/ram.qcow2 snapshot/ agents/linux_x86_64/info/info 512 -v

    It shows [Error] VMX_PT is not loaded!

    kernel AFL: A feedback-driven general purpose ring-0 interface fuzzer for x86-64 operating systems.
    
    Sergej Schumilo		<sergej@schumilo.de>
    Cornelius Aschermann	<cornelius.aschermann@rub.de>
    Robert Gawlik		<robert.gawlik@rub.de>
    
    Version: 0.1
    
    (C) 2017
    << kafl_info.py: Kernel Address Dumper >>
    
    **[Error] VMX_PT is not loaded!**
    
    opened by stuartly 2
  • Problems with "Setup VM" & "Compile and configure kAFL components"

    Hello there, I meet some problems during installation. In "Setup VM": when I run qemu-2.9.0/x86_64-softmmu/qemu-system-x86_64 -cpu host -enable-kvm -m 512 -hda linux.qcow2 -cdrom ubuntu.iso -usbdevice tablet I get an error: qemu-system-x86_64: error: failed to set MSR 0x38d to 0x0 qemu-system-x86_64: /home/c2hpxq/sectools/kAFL/qemu-2.9.0/target/i386/kvm.c:1833: kvm_put_msrs: Assertion `ret == cpu->kvm_msr_buf->nmsrs' failed. I've tried using the qemu-system-x86_64 installed by apt instead; the error no longer occurs, but in "Compile and configure kAFL components", when I run python kafl_info.py /path/to/snapshot/ram.qcow2 /path/to/snapshot/ agents/linux_x86_64/info/info 512 -v I'm told VMX_PT is not loaded.

    Now I'm trying to comment out the assertions in qemu-2.9.0/target/i386/kvm.c (lines 1833 & 2204), and the VM installation seems to be working (I'm still on it while writing this). Did I get anything wrong? What's the right way to do it?

    And by the way, when the VM installation completed & rebooted, it got stuck at the "Ubuntu 16.04" screen, not continuing anymore... Kind of weird...

    Please help me with it.

    Update1: Still meet the problem [Error] VMX_PT is not loaded!

    Update2: Can I do the installation in an Ubuntu 16.04 virtual machine, i.e., a qemu VM running inside a virtual machine; does that matter? And where can I find information about whether a CPU supports PT or not? The CPU specification doesn't seem to list it on the product specification page, and I don't find anything useful on the Intel PT page. I don't know whether the i7-7820HQ & i7-4712MQ are supported or not. I assume the former is supported and doubt the latter.

    Hope for your help!

    opened by c2hpxq 2
  • This code can not work

    Is it lacking some components? I can't find any information about the qemu slave VM, especially this line: "-hda " + self.config.argument_values['overlay_dir'] + "/overlay_" + self.qemu_id + ".qcow2 " \. Could you give me some clue? Thanks a lot.

    opened by evenbily 2
  • kafl vuln test is not working.

    I installed kAFL and set up the kafl_vuln_test test case according to the README.md from the latest (1ece095a7a835887477393b2bba88247b1536d4f) version in git. I also patched the fuzzer to set "socket.setdefaulttimeout(None)" and patched mapserver to import lz4.block. When I run the fuzzer it quickly finds 7 paths in the first 20 seconds. The corpus shows some progress towards inputs that will crash the test driver. But then the fuzzer makes no further progress even if I leave it running for hours. It looks like it is still running but it finds no more paths and adds no more entries to the corpus.

    I've built on ubuntu 16.04.3 and installed 16.04.3 server in the guest. I was able to use the info program to get the ip0 range for kafl_vuln_test.

    opened by timnewsham 1
  • Can you provide the compiled windows vulnerable driver?

    For testing purposes it would be much easier to have the compiled windows vulnerable driver or an easy way to get it. I have been struggling with mingw to get it to compile; would you have any way to do it easily?

    opened by alzkejalzkje 1
  • Some troubles when I Prepared VM for kAFL fuzzing

    I met some troubles when following your instructions.

    1. As you say:

    Execute loader binary which is in path/to/kAFL/kAFL-Fuzzer/agents/linux_x86_64/loader/ as root. VM should freeze.

    I executed the loader binary as root but the VM didn't freeze. It echoed a sentence:

    Kernel Panic Handler Address: ffffffff8118d734

    Is this the right way?

    2. How do I switch to the QEMU management console? I press CTRL-a + c but nothing happened.

    Looking forward to your answer.

    opened by ChijinZ 1
  • Can I modify the QEMU-PT code to get the mtc and tsc information?

    After using this project, I can get the TNT and the TIP information, but I also need the time information, so can I ask how to modify the code to get that information?

    opened by yyl321 1
  • Problems booting on macOS

    Has anyone got this working with the latest macOS?

    I have found to run macOS on QEMU I need to add several CPU feature flags including the invtsc flag, however this flag makes the VM non-migratable so the savevm command no longer works.

    opened by brainrecursion 2
  • kafl fuzzer measures the wrong test case's coverage

    qemu.py sends an extra 'R' message during initial handshake and soft reload. This releases the virtual machine that is waiting on hypercall_next_payload before qemu.py writes to the payload buffer. As a result, when the bitmap is returned, it is always measuring the previous test case, not the current test case (unless the vm is running slow enough, then qemu.py can occasionally win the race and get the buffer filled before the vm processes it). The fix is easy -- remove the extra send of the 'R' message in qemu.py's soft_reload and set_init_state methods.

    opened by timnewsham 0
  • close failed in file object destructor:

    I installed on ubuntu 16.04.3 server and followed the startup instructions in the readme to load the vulnerable test driver in the guest and start fuzzing it. After about three minutes the UI displays a python error

    close failed in file object destructor: IOError: [Errno 9] Bad file descriptor

    It does not provide much context and the fuzzer process seems to continue running.

    opened by timnewsham 0
  • Write_virtual_memory function at memory_access.c failed

    Hi Sergey and mxmssh, thank you for the great tool & research!

    I am trying to fuzz kafl_vuln_test using kAFL but I have a problem. I managed to install everything (qemu, KVM, etc.) according to the guide provided in README.md step by step, including installation of the vulnerable driver. (Forgive me, mxmssh)

    But I got this error: FAIL 1 0xxxxxxx. After debugging, I found that the problem appears here, in the write_virtual_memory function at memory_access.c:

        phys_addr = cpu_get_phys_page_attrs_debug(cpu, (address & x86_64_PAGE_MASK), &attrs);
    
        if (phys_addr == -1){
            printf("FAIL 1 (%lx)!\n", address);
            return false;
        }
    

    Do you have any ideas how to fix that ?

    Thank you in advance!

    opened by u609 2
Owner
Chair for Systems Security