A Kernel fuzzer focusing on race bugs

Overview

Razzer: Finding kernel race bugs through fuzzing

Environment setup

$ source scripts/envsetup.sh

scripts/envsetup.sh sets up the necessary environment variables. Select the kernel version (for example, v4.17) during environment setup.

Install

Initialize kernels_repo submodule

The kernel sources used in this project live in a separate repository that is included as a submodule. To initialize the submodule, run the following git submodule update command.

$ git submodule update --init --depth=1 kernels_repo

Dependencies

$ sudo apt install zlib libglib-dev python-setuptools quilt libssl-dev dwarfdump

Install toolchains / tools

$ scripts/install.sh

scripts/install.sh then installs the remaining toolchains and tools.

Static analysis

Razzer's static analysis is based on the LLVM toolchain and the SVF static analysis tool. See docs/static-analysis.md.

Fuzzing

Razzer's two-phase fuzzing is based on Syzkaller. The deterministic scheduler is implemented using QEMU/KVM. See docs/fuzzing.md.

Paper

Razzer: Finding Kernel Race Bugs through Fuzzing (IEEE S&P 2019)

Trophies

Contributors

Comments
  • Fuzzer not responding

    Hello,

    After going through the process to get everything built and running, when I start syzkaller none of the fuzzers appear to be working.

    ~/razzer/tools/race-syzkaller/exp$ sudo -E ./run.sh --config configs/kernel/config
    ~/razzer/tools/qemu-2.5.0 ~/fast/razzer/tools/race-syzkaller/exp
    [*] Rebuilding QEMU
    VMLINUX:  ~/razzer/tools/race-syzkaller/kernel-build/build-v4.17/vmlinux
    HYPEADDR: 0xffffffff8031be1e
      CC    disas/i386.o
      CC    x86_64-softmmu/cpus.o
      CC    x86_64-softmmu/hypercall.o
      CC    x86_64-softmmu/kvm-all.o
      LINK  x86_64-softmmu/qemu-system-x86_64
    
    ~/fast/razzer/tools/race-syzkaller/exp
    [*] KERNEL_VERSION: v4.17
    [*] git: e289c23db10a60854a602a2c6ae7df8c449dce75 (master)
     kernels_repo                                                         | 2 +-
     scripts/install.sh                                                   | 2 +-
     scripts/kernel_version.lst                                           | 1 +
     scripts/qemu/install.sh                                              | 2 ++
     tools/llvmlinux/targets/x86_64/build-kernel.sh                       | 4 ++--
     tools/llvmlinux/targets/x86_64/configs/static_analysis_v4.8.mk       | 2 +-
     tools/race-syzkaller/exp/configs/kernel/config                       | 5 ++---
     tools/race-syzkaller/exp/partition-scripts/partitioned_analysis.sh   | 5 ++++-
     tools/race-syzkaller/exp/partition-scripts/run-partition-analysis.py | 1 +
     9 files changed, 15 insertions(+), 9 deletions(-)
    [*] Running: syz-manager -config configs/kernel/config -v 0
    2019/07/09 09:36:08 Suppress  option: 1
    2019/07/09 09:36:08 RootCause  option: false
    2019/07/09 09:36:08 Loading race candidate pairs...
    2019/07/09 09:36:13 Loading suppressed mempair: 1148234
    2019/07/09 09:36:14 Removed supp-ed mempair: 1158064
    2019/07/09 09:36:14 Remaining mempair: 0
    2019/07/09 09:36:14 Total # of mempair: 0
    2019/07/09 09:36:14 Total # of mapping: 0
    2019/07/09 09:36:14 Initializing cover per mapping...
    2019/07/09 09:36:14 Building Sparse race candidates...
    2019/07/09 09:36:14 Total # of sparseRaceCandPairs: 0 (0)
    2019/07/09 09:36:14 [*] loading corpus
    2019/07/09 09:36:15 [+] loaded 1192 corpus programs (1192 total, 0 deleted)
    2019/07/09 09:36:15 [*] loading racecorpus
    2019/07/09 09:36:15 [-] No raceprog cand loaded from racecorpus
    2019/07/09 09:36:15 [*] loading likelycorpus
    2019/07/09 09:36:15 [-] No raceprog cand loaded from likelycorpus
    2019/07/09 09:36:15 serving http on http://0.0.0.0:56741
    2019/07/09 09:36:15 serving rpc on tcp://[::]:33495
    2019/07/09 09:36:15 booting test machines...
    2019/07/09 09:36:15 wait for the connection from test machine...
    2019/07/09 09:36:36 received first connection from test machine fuzzer-9
    2019/07/09 09:36:43 machine check: 1517 calls enabled, kcov=true, kleakcheck=false, faultinjection=false, comps=false
    2019/07/09 09:36:45 #1 Fuzzer: exe 1 (1), sig 0 (0), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
    2019/07/09 09:36:45      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
    2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-2 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-7 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-12 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-6 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-10 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-8 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-1 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-5 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-13 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-14 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-11 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-15 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-4 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-0 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (sched) sched-1 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (sched) sched-15 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (sched) sched-4 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (sched) sched-5 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (sched) sched-12 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (sched) sched-9 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (sched) sched-8 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (sched) sched-6 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (sched) sched-10 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:45      [WARN] (sched) sched-13 is not responding (last poll was 9223372036.9 secs before)
    2019/07/09 09:36:55 #2 Fuzzer: exe 759 (379), sig 14016 (7008), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
    2019/07/09 09:36:55      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
    2019/07/09 09:37:05 #3 Fuzzer: exe 2356 (785), sig 16653 (5551), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
    2019/07/09 09:37:05      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
    2019/07/09 09:37:15 #4 Fuzzer: exe 3504 (876), sig 17635 (4408), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
    2019/07/09 09:37:15      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
    2019/07/09 09:37:25 #5 Fuzzer: exe 4438 (887), sig 17963 (3592), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
    2019/07/09 09:37:25      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
    2019/07/09 09:37:28 [*] Sent all cands from corpusDB
    
    
    
    #####
    
    
    cat configs/kernel/config
    {
      "target": "linux/amd64",
      "http": "0.0.0.0:56741",
      "workdir": "$PWD/workdir",
      "vmlinux": "$KERNEL_BUILD/vmlinux",
      "image": "$PWD/wheezy.img",
      "sshkey": "$PWD/ssh/id_rsa",
      "syzkaller": "$SYZKALLER_HOME/src/github.com/google/syzkaller",
      "procs": 1,
      "type": "qemu",
      "mempair":   "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/mempair",
      "mapping":   "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/mapping",
      "callgraph": "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/callgraph",
      "distance":  "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/distance",
      "sandbox": "none",
      "vm": {
        "schedcount": 16,
        "count": 16,
        "kernel": "$KERNEL_BUILD/arch/x86/boot/bzImage",
        "cpu": 2,
        "mem": 8192,
        "qemu": "$QEMU_HOME/build/x86_64-softmmu/qemu-system-x86_64"
      }
    }
    
    opened by albigay 10
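The log in the issue above reports zero remaining race-candidate pairs and a set of fuzzer and sched workers that have never polled the manager. The following is an added example, not Razzer's or syzkaller's own code: it parses a manager log of that shape and summarises those facts. The line formats are copied from the issue's log, the sample excerpt is constructed, and reading 9223372036.9 as Go's maximum int64-nanosecond duration printed in seconds (a last-poll time that was never set) is this example's own interpretation.

```python
"""Triage a Razzer syz-manager log (added example; not Razzer's own code)."""
import re

# Go's time.Duration is an int64 of nanoseconds; its maximum, printed in
# seconds, is 9223372036.85..., which is what the log shows for a worker whose
# last-poll time was never set. (Interpretation assumed by this example.)
NEVER_POLLED_SECS = (2**63 - 1) / 1e9

COUNT_RE = re.compile(
    r"(Remaining mempair|Total # of mempair|Total # of mapping|"
    r"Total # of sparseRaceCandPairs): (\d+)")
NOT_RESPONDING_RE = re.compile(
    r"\[WARN\] \((?P<kind>fuzzer|sched)\) (?P<name>\S+) is not responding "
    r"\(last poll was (?P<secs>[\d.]+) secs before\)")
STATS_RE = re.compile(
    r"#(?P<round>\d+) Fuzzer: exe (?P<fuzzer_exe>\d+) .*?\| "
    r"Sched: exe (?P<sched_exe>\d+) .*?\| Race: (?P<race>\d+)\| Crash: (?P<crash>\d+)")

# Constructed excerpt in the shape of the issue's log (the 75.2 s line is made up
# to show a worker that polled once and then went silent).
SAMPLE_LOG = """\
2019/07/09 09:36:14 Removed supp-ed mempair: 1158064
2019/07/09 09:36:14 Remaining mempair: 0
2019/07/09 09:36:14 Total # of mempair: 0
2019/07/09 09:36:14 Total # of mapping: 0
2019/07/09 09:36:14 Total # of sparseRaceCandPairs: 0 (0)
2019/07/09 09:36:36 received first connection from test machine fuzzer-9
2019/07/09 09:36:45 #1 Fuzzer: exe 1 (1), sig 0 (0), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-2 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-7 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-1 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-15 is not responding (last poll was 75.2 secs before)
2019/07/09 09:37:25 #5 Fuzzer: exe 4438 (887), sig 17963 (3592), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
"""


def triage(lines):
    """Summarise candidate counts, silent workers and the last stats line."""
    counts = {}
    never_polled = {"fuzzer": [], "sched": []}
    stale = {"fuzzer": [], "sched": []}
    last_stats = None
    for line in lines:
        m = COUNT_RE.search(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = NOT_RESPONDING_RE.search(line)
        if m:
            secs = float(m.group("secs"))
            bucket = never_polled if abs(secs - NEVER_POLLED_SECS) < 1.0 else stale
            bucket[m.group("kind")].append(m.group("name"))
            continue
        m = STATS_RE.search(line)
        if m:
            last_stats = {k: int(v) for k, v in m.groupdict().items()}

    findings = []
    if counts.get("Remaining mempair") == 0:
        findings.append("zero race-candidate pairs remain after suppression; "
                        "the scheduler phase has nothing to test")
    for kind in ("fuzzer", "sched"):
        if never_polled[kind]:
            findings.append(f"{len(never_polled[kind])} {kind} worker(s) never polled "
                            f"the manager: {', '.join(sorted(never_polled[kind]))}")
        if stale[kind]:
            findings.append(f"{len(stale[kind])} {kind} worker(s) polled before but went "
                            f"silent: {', '.join(sorted(stale[kind]))}")
    if last_stats and last_stats["sched_exe"] == 0 and last_stats["fuzzer_exe"] > 0:
        findings.append("first-phase fuzzers execute programs but the scheduler "
                        "phase has executed none")
    return {"counts": counts, "never_polled": never_polled, "stale": stale,
            "last_stats": last_stats, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines())["findings"]:
        print("-", finding)
```

Feed it the real manager output (`syz-manager ... | tee manager.log`, then `triage(open("manager.log"))`); the distinction between a worker that never polled and one that went silent later is what tells you whether to look at VM boot and networking or at the workload.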
  • Time of release?

    Your paper Razzer: Finding Kernel Race Bugs through Fuzzing is definitely well written and we all appreciate this amazing work. But may I ask when will this code be released? Since your paper mentioned that

    We will open source of RAZZER such that kernel developers and researchers can benefit from using RAZZER.

    We will truly appreciate that.

    opened by zhanggenex 6
  • Failed to build built-in.bc files

    Hi, I am following the instructions to build bitcode files. However, after running ./build-kernel.sh --config configs/static_analysis_v4.16.mk, for built-in.*, only built-in.o files were built but no built-in.bc. For other files, e.g., kernel/pid.c, the corresponding .o files and .bc files were built.

    The ./build-kernel.sh script also failed because of a bunch of undefined reference to xxx errors when executing the command tools/llvmlinux/arch/all/bin/llvm-link-bc.sh -m elf_x86_64 -z max-page-size=0x200000 --build-id -o .tmp_vmlinux1 -T ./arch/x86/kernel/vmlinux.lds --whole-archive built-in.o --no-whole-archive --start-group lib/lib.a arch/x86/lib/lib.a --end-group, according to tmp/log. As pointed out here, I can ignore the link error because it was expected, but I cannot find any built-in.bc files built for subsequent analysis.

    Any ideas? Thanks!

    opened by Luluno01 4
  • a little confusion

    "As a consequence, LLVM Linux will fail to build the entire kernel binary. It is okay if .bc files for files under interests and built-in.bc for each subdirectory (e.g., drivers/built-in.bc, net/built-in.bc) is built."

    LLVM Linux will fail to build the entire kernel binary, but merge-mempairs.py runs get_address.py, and get_address.py requires the vmlinux file. After I fail to build the entire kernel binary I can run run-partition-analysis.py successfully, but merge-mempairs.py reminds me that no vmlinux was found.

    opened by houjingyi233 4
  • Links to C repro in Trophies are unavailable

    Hi,

    I'm interested in razzer and I want to inspect race cases reported by razzer. It seems that links to C repro & kernel config in lkml are unavailable now.

    Are they still available somewhere? Since I don't have enough memory (less than 16GB, not enough even under N_PROC = 1), it's hard for me to perform the complete static analysis of razzer. So it's problematic for me to get razzer working at full speed, and it would help a lot if those C repros & configs are still available.

    Thanks in advance.

    opened by c2hpxq 2
  • Makefile:129: recipe for target 'all' failed

    When I run "scripts/install.sh" to install the environment, I get the following error.

    [ 65%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddBddAbs.c.o
    [ 65%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddCompose.c.o
    [ 65%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddHarwell.c.o
    [ 66%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddPriority.c.o
    [ 66%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddSubsetHB.c.o
    [ 66%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddZddGroup.c.o
    [ 67%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddZddUtil.c.o
    [ 67%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/dddmpNodeAdd.c.o
    [ 67%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/epd.c.o
    [ 68%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/restart.c.o
    [ 68%] Linking C shared module Cudd.so
    [ 68%] Built target Cudd
    Makefile:129: recipe for target 'all' failed
    make: *** [all] Error 2

    I cannot understand it.

    opened by bsauce 2
  • Problem with static analysis

    During static analysis, running ./run-partition-analysis.py gives:

    File "/usr/lib/python3.5/os.py", line 725, in __getitem__
        raise KeyError(key) from None
    KeyError: 'KERNEL_VERSION'

    What is the cause?

    opened by lxjlxk 0
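Both the KeyError: 'KERNEL_VERSION' above and the config posted in the "Fuzzer not responding" issue depend on variables that scripts/envsetup.sh exports. The following is an added example, not Razzer's or syzkaller's code: a pre-flight script that expands the $VAR placeholders of such a config from an explicit environment mapping, names any unset variable instead of failing with a bare KeyError, and checks that the referenced paths exist and that the partition files (mempair, mapping, callgraph, distance) are non-empty. The config is a constructed copy of the issue's, the on-disk layout built by run_demo is constructed, and the assumption that KERNEL_VERSION, KERNEL_BUILD, SYZKALLER_HOME and QEMU_HOME are the variables envsetup.sh provides is taken from the config itself; whether syz-manager expands $VAR on its own is not verified here.

```python
"""Pre-flight check for a Razzer syz-manager config (added example; not Razzer's code)."""
import json
import os
import re
import tempfile

VAR_RE = re.compile(r"\$(\w+)")
# Top-level keys whose values are paths that must already exist.
PATH_KEYS = ("vmlinux", "image", "sshkey", "syzkaller",
             "mempair", "mapping", "callgraph", "distance")
VM_PATH_KEYS = ("kernel", "qemu")
# Static-analysis products: an existing but empty file yields zero candidates.
PARTITION_KEYS = ("mempair", "mapping", "callgraph", "distance")

# Constructed config with the same keys and placeholders as the issue's config.
SAMPLE_CONFIG = json.loads("""{
  "target": "linux/amd64",
  "workdir": "$PWD/workdir",
  "vmlinux": "$KERNEL_BUILD/vmlinux",
  "image": "$PWD/wheezy.img",
  "sshkey": "$PWD/ssh/id_rsa",
  "syzkaller": "$SYZKALLER_HOME/src/github.com/google/syzkaller",
  "mempair":   "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/mempair",
  "mapping":   "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/mapping",
  "callgraph": "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/callgraph",
  "distance":  "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/distance",
  "vm": {
    "kernel": "$KERNEL_BUILD/arch/x86/boot/bzImage",
    "qemu": "$QEMU_HOME/build/x86_64-softmmu/qemu-system-x86_64"
  }
}""")


def expand(value, env):
    """Substitute $VAR with env[VAR]; return (text, names that were unset)."""
    unset = []

    def sub(m):
        name = m.group(1)
        if name in env:
            return env[name]
        unset.append(name)
        return m.group(0)

    return VAR_RE.sub(sub, value), unset


def preflight(config, env):
    """Report unset variables, missing paths and empty partition files."""
    report = {"unset_vars": [], "missing_paths": [], "empty_files": []}
    vm = config.get("vm", {})
    targets = [(config, k) for k in PATH_KEYS if k in config]
    targets += [(vm, k) for k in VM_PATH_KEYS if k in vm]
    for holder, key in targets:
        path, unset = expand(holder[key], env)
        for name in unset:
            if name not in report["unset_vars"]:
                report["unset_vars"].append(name)
        if unset:
            continue  # a path we could not expand cannot be checked
        if not os.path.exists(path):
            report["missing_paths"].append(key)
        elif key in PARTITION_KEYS and os.path.getsize(path) == 0:
            report["empty_files"].append(key)
    report["ok"] = not any(report[k] for k in ("unset_vars", "missing_paths", "empty_files"))
    return report


def run_demo():
    """Build a constructed layout and run preflight twice: without
    KERNEL_VERSION (the KeyError case) and with it set."""
    root = tempfile.mkdtemp(prefix="razzer-preflight-")

    def touch(rel, data=b""):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)

    env = {"PWD": root, "KERNEL_BUILD": os.path.join(root, "build"),
           "SYZKALLER_HOME": os.path.join(root, "syz"),
           "QEMU_HOME": os.path.join(root, "qemu")}
    touch("build/vmlinux", b"x")
    touch("build/arch/x86/boot/bzImage", b"x")
    touch("wheezy.img", b"x")
    touch("ssh/id_rsa", b"x")
    os.makedirs(os.path.join(root, "syz/src/github.com/google/syzkaller"))
    touch("qemu/build/x86_64-softmmu/qemu-system-x86_64", b"x")
    part = "syz/exp/configs/kernel/partition/v4.17/"
    touch(part + "mempair")           # present but empty
    touch(part + "mapping", b"m")
    touch(part + "callgraph", b"c")
    # "distance" deliberately not created
    without = preflight(SAMPLE_CONFIG, env)
    env["KERNEL_VERSION"] = "v4.17"
    with_version = preflight(SAMPLE_CONFIG, env)
    return without, with_version


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In real use, call preflight with the parsed configs/kernel/config and dict(os.environ) after sourcing scripts/envsetup.sh; a report whose ok field is false lists exactly what to fix before starting syz-manager.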
  • QEMU build error

    While using ./scripts/qemu/install.sh, I found that the QEMU build fails with an error:

    config-temp/qemu-conf.c:1:10: fatal error: sys/endian.h: No such file or directory
     #include <sys/endian.h>
    compilation terminated.

    how to deal with it? Thanks!

    And there are other errors before this error, such as:

    config-temp/qemu-conf.c: In function ‘main’:
    config-temp/qemu-conf.c:6:3: error: too many arguments to function ‘xc_domain_create’
       xc_domain_create(xc, 0, handle, 0, NULL, NULL);
    In file included from config-temp/qemu-conf.c:1:0:
    /usr/include/xenctrl.h:511:5: note: declared here
     int xc_domain_create(xc_interface *xch,

    and

    /tmp/ccBwhhaj.o: In function `main':
    root/razzer/tools/qemu-2.5.0/build/config-temp/qemu-conf.c:5: undefined reference to `uuid_generate'
    collect2: error: ld returned 1 exit status

    but these errors did not cause the compilation to terminate.

    opened by liuwanke152 1
  • Question about hypercall implementation in kernel_repo

    I find nop instead of vmcall instruction in each kernel/hypercall.c

    I'm not that familiar with virtualization but it seems that the hypercall implementation will never call into VMM?

    Please help me with it. Do I misunderstand something about the implementation, or how should I modify it to make razzer work?

    Thanks.

    opened by c2hpxq 2
  • What should I do if I want to razzer another kernel version?

    I am confused about what the config file (in tools/llvmlinux/targets/x86_64) should look like, or how to generate the right config file, if I want to try to razzer another kernel version. Now I have tried the following steps:

    1. modify kernel base on static-analysis.md, and diff between origin and your kernels_repo.
    2. modify script/envsetup.sh (add to script/kernel_version.lst)
    3. try some existing config files in tools/llvmlinux/targets/x86_64/configs/ to build linux(static analysis, so is llvmlinux). But all failed.

    So, I want to know how to generate the right config file? Thanks.

    opened by LittleSec 7
  • static-analysis is killed while do_analyze

    While doing static analysis according to docs/static-analysis.md, I found that ./run-partition-analysis.py is killed. The log is shown below:

    begin do_analyze( sound/built-in.bc init/built-in.bc fs/built-in.bc ipc/built-in.bc )
    [*] NAME: [sound]
    [*] Kernel version: v4.17
    [*] Making static analysis directory
    [*] DIR: /root/lava_workspace/razzer_test/razzer/tools/race-syzkaller/exp/configs/kernel/partition/v4.17
    [*] Generating combined-sound.bc
    [*] Generating mssa.sound
    Killed
    [*] Generating mempair_all.net-vmw_vsock
    [*] Prune and check_testing_bugs
    [WARN] Testing bug ('drivers/tty/n_hdlc.c:440', 'drivers/tty/n_hdlc.c:216') not found
    [WARN] Testing bug ('net/packet/af_packet.c:3660', 'net/packet/af_packet.c:4229') not found
    [WARN] Testing bug ('net/packet/af_packet.c:1653', 'net/packet/af_packet.c:1710') not found
    [WARN] Testing bug ('net/ipv4/raw.c:640', 'net/ipv4/ip_sockglue.c:748') not found
    [WARN] Testing bug ('net/sctp/associola.c:1088', 'net/sctp/socket.c:7423') not found
    [WARN] Testing bug ('net/packet/af_packet.c:1645', 'net/packet/af_packet.c:367') not found

    I found that scripts/misc/analysis.py does the following:

    cmd = "wpa -indCallLimit=100000 -dump-callgraph -ander -vgep -svfg -dump-mssa -dump-race " + args.bitcode

    What is it doing?

    How to deal with it ? Thanks!

    opened by zizhiyoumu-fuzz 2
Owner
Systems and Software Security Lab at Seoul National University (SNU)