Hydra: an Extensible Fuzzing Framework for Finding Semantic Bugs in File Systems

Paper

Overview

Hydra is a state-of-the-art fuzzing framework for file systems. It provides the building blocks for file system fuzzing, including multi-dimensional input mutators, feedback engines, a libOS-based executor, and a bug reproducer with a test case minimizer. Developers only need to focus on writing (or bringing in) a checker, which defines the core logic for finding the type of bugs they are interested in. Along with the framework, this repository includes our in-house crash consistency checker (SymC3), which revealed 11 new crash consistency bugs in ext4, Btrfs, F2FS, and two verified file systems, FSCQ and Yxv6.

Contents

  • General code base

    • src/combined: Hydra input mutator
    • src/lkl/tools/lkl/{FS}-combined-consistency: Hydra LibOS-based Executor (will be downloaded and compiled during setup)
  • Checkers

    • src/emulator: Hydra's in-house crash consistency checker, SymC3

Setup

1. All setup should be done under src

$ cd src

2. Install dependencies

$ ./dep.sh

3. Compile for each file system

$ make build-btrfs-imgwrp
  • We can do the same for other file systems:
$ make build-ext4-imgwrp
$ make build-f2fs-imgwrp
$ make build-xfs-imgwrp
  • (Skip this if you want to test the latest kernel.) To reproduce the bugs presented in the SOSP'19 paper, back-port LKL to kernel 4.16 as follows:
$ cd lkl        # assuming you are in the src directory; pwd is now proj_root/src/lkl
$ make mrproper
$ git pull
$ git checkout v4.16-backport
$ ./compile -t btrfs
$ cd ..         # back to proj_root/src

4. Set up environments

$ sudo ./prepare_fuzzing.sh
$ ./prepare_env.sh

5. Run fuzzing (single / multiple instance)

  • Single instance
$ ./run.py -t [fstype] -c [cpu_id] -l [tmpfs_id] -g [fuzz_group]

-t: choose from btrfs, f2fs, ext4, xfs
-c: cpu id to run this fuzzer instance
-l: tmpfs id to store logs (choose one from /tmp/mosbench/tmpfs-separate/)
-g: specify group id for parallel fuzzing, default: 0

e.g., ./run.py -t btrfs -c 4 -l 10 -g 1
Runs btrfs fuzzer, and pins the instance to Core #4.
Logs will be accumulated under /tmp/mosbench/tmpfs-separate/10/log/ .
  • You can also run multiple fuzzers in parallel by doing:
[Terminal 1] ./run.py -t btrfs -c 1 -l 10 -g 1
[Terminal 2] ./run.py -t btrfs -c 2 -l 10 -g 1
[Terminal 3] ./run.py -t btrfs -c 3 -l 10 -g 1
[Terminal 4] ./run.py -t btrfs -c 4 -l 10 -g 1
// all btrfs bug logs will be under /tmp/mosbench/tmpfs-separate/10/log/

[Terminal 5] ./run.py -t f2fs -c 5 -l 11 -g 2
[Terminal 6] ./run.py -t f2fs -c 6 -l 11 -g 2
[Terminal 7] ./run.py -t f2fs -c 7 -l 11 -g 2
[Terminal 8] ./run.py -t f2fs -c 8 -l 11 -g 2
// all f2fs bug logs will be under /tmp/mosbench/tmpfs-separate/11/log/

6. Important note

It is highly encouraged that you use separate input, output, and log directories for each file system, unless you are running fuzzers in parallel. If you reuse the same directories from previous tests of other file systems, Hydra won't work properly.
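As an added helper (not part of the Hydra repository), the POSIX shell functions below check the run.py flags listed in step 5 and print the per-terminal commands for a parallel group that shares one tmpfs id, keeping one file system per tmpfs id as this note advises. Only the tmpfs base path and the run.py flag set come from this README; the function names and the check logic are assumptions.

```shell
#!/bin/sh
# Added helper, not part of the Hydra repository. Assumes it is sourced from
# proj_root/src, where run.py lives, and that run.py accepts exactly the
# -t/-c/-l/-g flags documented in the README.

TMPFS_BASE=${TMPFS_BASE:-/tmp/mosbench/tmpfs-separate}

# hydra_cmd FSTYPE CPU TMPFS_ID [GROUP]
# Prints one run.py command line; returns 1 if an argument is not one
# run.py would accept (GROUP defaults to 0, as run.py does).
hydra_cmd() {
    fs=$1; cpu=$2; tmpfs=$3; grp=${4:-0}
    case "$fs" in
        btrfs|f2fs|ext4|xfs) ;;
        *) echo "unsupported fstype '$fs' (use btrfs, f2fs, ext4 or xfs)" >&2
           return 1 ;;
    esac
    for n in "$cpu" "$tmpfs" "$grp"; do
        case "$n" in
            ''|*[!0-9]*) echo "expected a non-negative integer, got '$n'" >&2
                         return 1 ;;
        esac
    done
    printf './run.py -t %s -c %s -l %s -g %s\n' "$fs" "$cpu" "$tmpfs" "$grp"
}

# hydra_log_dir TMPFS_ID
# Prints the directory under which run.py accumulates bug logs for that id.
hydra_log_dir() {
    printf '%s/%s/log/\n' "$TMPFS_BASE" "$1"
}

# hydra_plan_group FSTYPE FIRST_CPU COUNT TMPFS_ID GROUP
# Prints COUNT commands for one file system, pinned to consecutive cores
# and sharing one tmpfs id, laid out like the [Terminal N] list in step 5.
# Each tmpfs id serves a single file system, so logs of different file
# systems never land in the same directory (the step 6 note).
hydra_plan_group() {
    fs=$1; first=$2; count=$3; tmpfs=$4; grp=$5
    # Only check the tmpfs id when the base directory already exists here.
    if [ -d "$TMPFS_BASE" ] && [ ! -d "$TMPFS_BASE/$tmpfs" ]; then
        echo "tmpfs id $tmpfs not found under $TMPFS_BASE" >&2
        return 1
    fi
    i=0
    while [ "$i" -lt "$count" ]; do
        cmd=$(hydra_cmd "$fs" "$((first + i))" "$tmpfs" "$grp") || return 1
        printf '[Terminal %s] %s\n' "$((i + 1))" "$cmd"
        i=$((i + 1))
    done
    echo "// all $fs bug logs will be under $(hydra_log_dir "$tmpfs")" >&2
}
```

Paste each printed line into its own terminal, since run.py shows the interactive AFL status screen.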

7. Experiments

Please refer to EXPERIMENTS.md for detailed experiment information.

Contacts

Comments
  • Step 3: Errors

    Dear Author, I am having some errors while running the makefile; here's what the error looks like. Any suggestions on how to fix it? I fixed a couple of errors I found previously, but this one is taking a lot of my time to make it work.

    make build-xfs-imgwrp
    Makefile:594: arch/x86/auto.conf: No such file or directory
    make: *** No rule to make target 'arch/x86/auto.conf'. Stop.

    Additionally, $ git checkout v4.16-backport also does not work. Is the branch name correct, or has it changed?

    @tsgates @setuid0x0 @meng-xu

    Thank you.

    opened by jahidhasanlinix 18
  • Question about new image

    @squizz617 I have a few specific questions to ask:

    1. Is hydra able to run an external file system image, or is that not feasible?
    2. What parameters or code need to be modified to run it on the hydra fuzzer?
    opened by junchoi999 7
  • No instrumentation detected

    I followed the instructions in the README. I also tried compiling again with CC=afl-gcc, but whenever I run the run.py command the result is "No instrumentation detected".

    Also, unrelated: how do I add other filesystems or update btrfs?

    opened by docfate111 5
  • error: 'FALLOC_FL_COLLAPSE_RANGE' was not declared in this scope

    I tried to install hydra and make install by executing the command make build-btrfs-imgwrp, but it failed and threw the error message "error: 'FALLOC_FL_COLLAPSE_RANGE' was not declared in this scope". What's the problem here? Besides, I have installed clang already, with a soft link to the path ..../hydra-master/src/llvm-build/bin/

    opened by Chr1s-T 5
  • Tested ext4 36h+ and reported 398 uniq crashes?

    Tested ext4 36h+ and reported 398 uniq crashes. I doubt this. Is there anything wrong?

     american fuzzy lop 2.52b (fuzzer_ext4-cpu4log4grp4)
    
    ┌─ process timing ─────────────────────────────────────┬─ overall results ─────┐
    │        run time : 1 days, 12 hrs, 40 min, 3 sec      │  cycles done : 97     │
    │   last new path : 0 days, 0 hrs, 24 min, 6 sec       │  total paths : 3658   │
    │ last uniq crash : 0 days, 22 hrs, 12 min, 26 sec     │ uniq crashes : 398    │
    │  last uniq hang : 1 days, 12 hrs, 10 min, 13 sec     │   uniq hangs : 5      │
    
    opened by uestcmahone 3
  • can't find setup logic bug

    In EXPERIMENTS.md it says to run setup_logicbug.sh. I checked out the logicbug branch, and

    $ find . -name setup_logicbug.sh
    

    returns nothing. Is the file under a different name? How do I instrument this fuzzer for other filesystems?

    opened by docfate111 2
  • Who did you report the bug to?

    LOVE YOUR WORK. I read the paper and noticed that most of the bugs detected by Hydra were acknowledged or fixed. Did you report the bugs to an official Linux email account, or report them in some communities?

    opened by ikaroso 2
  • How to test FUSE filesystems?

    The instructions seem geared towards traditional filesystems like ext4 and btrfs. Can you provide instructions for FUSE filesystems, e.g., s3fs? The paper suggests that this is possible.

    opened by gaul 2
  • how to enable kasan?

    I started fuzzing according to the README; the version of lkl is 5.0.0, but I suspected that KASAN was not turned on, so I debugged it with gdb and found that the program did not execute kasan_malloc. Looking forward to your reply, thanks~

    opened by PKFXXXX 2
  • How do the raw images generate?

    1. How are the hydra/src/samples/oracle/*.image files generated? What is the difference between *-00.image and *-10.image? Can images of other filesystems be made in the same way?
    opened by uestcmahone 2
  • c5d1b0c make build-xfs-imgwrp failed

    make -C afl-syscall
    g++ -std=c++11 -g -fPIC -c -o FSCQ-consistency-exec.o FSCQ-consistency-exec.cpp
    g++ -std=c++11 -g -fPIC -c -o yxv6-consistency-exec.o yxv6-consistency-exec.cpp
    make[2]: Entering directory '/home/m00292095/git/hydra/src/combined'
    make[2]: warning: jobserver unavailable: using -j1.  Add '+' to parent make rule.
    make[2]: *** afl-syscall: No such file or directory.  Stop.
    make[2]: Leaving directory '/home/m00292095/git/hydra/src/combined'
    Makefile:33: recipe for target 'afl' failed
    make[1]: *** [afl] Error 2
    make[1]: *** Waiting for unfinished jobs....
    

    Maybe caused by ed561e5 (update Makefile)?

    git diff combined/Makefile
    diff --git a/src/combined/Makefile b/src/combined/Makefile
    index 0f4b411..08371f3 100644
    --- a/src/combined/Makefile
    +++ b/src/combined/Makefile
    @@ -30,7 +30,7 @@ yxv6-cc: yxv6-consistency-exec.o Image.o Program.o Utils.o Constants.o
            $(CXX) $(CXXFLAGS) -o $@ $^
    
     afl:
    -       make -C afl-syscall
    +       make -C afl-image-syscall
    
     %.o: %.cpp
            $(CXX) $(CXXFLAGS) -fPIC -c -o $@ $<
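    Review bot: the afl: recipe in this hunk still invokes the sub-make as a bare make -C afl-image-syscall; use $(MAKE) -C afl-image-syscall so the recursive make inherits the parent's jobserver and flags, which is exactly what the "warning: jobserver unavailable: using -j1. Add '+' to parent make rule." line in the build log above complains about. The "afl-syscall: No such file or directory" error in that same log matches the removed line, so a tree that still fails this way is simply not at the commit that renamed the target directory to afl-image-syscall.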
    
    opened by uestcmahone 1
  • make build-xfs-imgwrp error

    When I try to build XFS, I get the following error. No other FS build throws any error.

    NAME="Ubuntu"
    VERSION="18.04.6 LTS (Bionic Beaver)"
    ID=ubuntu
    ID_LIKE=debian
    PRETTY_NAME="Ubuntu 18.04.6 LTS"
    VERSION_ID="18.04"
    HOME_URL="https://www.ubuntu.com/"
    SUPPORT_URL="https://help.ubuntu.com/"
    BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
    PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
    VERSION_CODENAME=bionic
    UBUNTU_CODENAME=bionic
    
    which pkg-config
    /usr/bin/pkg-config
    
    find /usr -name "pkg.m4"
    /usr/share/aclocal/pkg.m4
    
    ./configure: line 15293: PKG_PROG_PKG_CONFIG: command not found
    ./configure: line 15308: syntax error near unexpected token `systemd,'
    ./configure: line 15308: `			PKG_CHECK_MODULES(systemd, systemd,'
    Makefile:115: recipe for target 'include/builddefs' failed
    make[2]: *** [include/builddefs] Error 2
    make[2]: Leaving directory '/home/ubuntu/hydra/src/fs/xfs/xfsprogs-dev'
    Makefile:9: recipe for target 'lib' failed
    make[1]: *** [lib] Error 2
    make[1]: Leaving directory '/home/ubuntu/hydra/src/fs/xfs'
    Makefile:87: recipe for target 'build-xfs-imgwrp' failed
    make: *** [build-xfs-imgwrp] Error 2
    
    opened by ayushman4 0
  • Image Failed

    Hello Author, any suggestions why the image compression failure occurs in hydra? I created the ext4 image using the -O casefold feature. Error message: [-] image samples/oracle/ext4.image compression failed Location: compress() ext4_fuzzer.cc:222. @squizz617

    opened by jahidhasanlinix 0
  • Can not reproduce bugs with ubuntu 18.04 and back-port LKL kernel 4.16

    Hi,

    I tested f2fs and btrfs exactly as mentioned in https://github.com/sslab-gatech/hydra/blob/master/README.md . All works well except:

    $ sudo ./prepare_fuzzing.sh
    returns:
    tee: 'cpu*/cpufreq/scaling_governor': No such file or directory
    performance
    

    I have found no bugs for btrfs and f2fs.

    The command I used for testing btrfs: $ ./run.py -t btrfs -c 4 -l 10 -g 1 no-bug-btrfs

    The command I used for testing f2fs: $ ./run.py -t f2fs -c 4 -l 10 -g 1 no_bug_f2fs

    Could you please help me with this issue? Thank you.

    Kind Regards, Jiyang

    opened by JiyangLiuG 2
  • test image fail on my os

    Hi, I encountered a problem: I created an ext4 image file, then called the test command, but it failed.

    How I create the ext4 image, using my script:

    #! /bin/bash
    
    # i keep the same file list with sample/oracle/ext4-10.image
    
    set -x
    
    umount /tmp/ext4
    rm -rf /tmp/ext4
    mkdir /tmp/ext4
    rm -f ext4.img
    
    dd if=/dev/zero of=ext4.img bs=4k count=4096
    mke2fs -t ext4 -c ext4.img
    tune2fs -c0 -i0 ext4.img
    
    mount -t ext4 ./ext4.img /tmp/ext4
    
    cd /tmp/ext4
    mkdir foo
    mkdir foo/bar
    touch foo/bar/baz
    ln foo/bar/baz foo/bar/hln
    echo "hello world\n" > foo/bar/baz
    touch foo/bar/xattr
    touch foo/bar/acl
    touch foo/bar/æøå
    echo "xyz\n" > foo/bar/æøå
    #mkfifo foo/bar/fifo
    touch foo/bar/fifo
    ln -s mnt/foo/bar/baz foo/bar/sln
    
    tree /tmp/ext4
    
    

    How I test: run the command below.

    # the command below is copied from the terminal output when I call "run.py ......"
    # and I replaced the image name with my image
    
    sudo AFL_SKIP_BIN_CHECK=1 ./combined/afl-image-syscall/afl-fuzz -S fuzzer_ext4-cpu1log1grp1 -b shm_ext4-1 -s fs/ext4/ext4_wrapper.so -e ./ext4.img -y seed -i in-ext4-1 -o out-ext4-1 -u 1 -- lkl/tools/lkl/ext4-combined-consistency -t ext4 -i ./ext4.img -e emulator/emulator.py -l /tmp/mosbench/tmpfs-separate/1/log -d "/tmp/mosbench/tmpfs-separate/1/" -r -p @@
    

    The failure message:

    terminate called after throwing an instance of 'std::bad_alloc'
      what():  std::bad_alloc
    Aborted
    sudo AFL_SKIP_BIN_CHECK=1 ./combined/afl-image-syscall/afl-fuzz -S fuzzer_ext4-cpu1log1grp1 -b shm_ext4-1 -s fs/ext4/ext4_wrapper.so -e ./ext4.img -y seed -i in-ext4-1 -o out-ext4-1 -u 1 -- lkl/tools/lkl/ext4-combined-consistency -t ext4 -i ./ext4.img -e emulator/emulator.py -l /tmp/mosbench/tmpfs-separate/1/log -d "/tmp/mosbench/tmpfs-separate/1/" -r -p @@

    My system info:

    $ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 18.04.6 LTS
    Release:	18.04
    Codename:	bionic
    
    $ uname -a
    Linux ub1804 5.0.0-050000-generic #201903032031 SMP Mon Mar 4 01:33:18 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
    
    $ gcc -v
    clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
    Target: x86_64-pc-linux-gnu
    Thread model: posix
    

    My other tries:

    My Ubuntu system had kernel version 4.15 at first; I then upgraded it to 5.0, but got the same error. My gcc was version 4.7 at first; I then replaced it with clang, but got the same error.

    I also did a test: I ran the test command with the default ext4-10.image, and it worked perfectly. Then I mounted ext4-10.image and edited the file foo/bar/baz as follows: delete a character, then save the file; then add the character back, and save the file. Then I reran the command with ext4-10.image, and it raised a Segmentation fault.
    It seems that once the image file is edited by my OS, even though the file content does not change, it raises an error.

    What I want:

    1. I hope you will help me fix the issue.
    2. I guess the problem is that my OS (kernel, lib version, gcc version...) is different from yours, so could you paste your local machine info, including OS release version, gcc version, and OS kernel version?

    Thanks!

    opened by yizhiren 0
  • got crashes reported in AFL UI, but there is no .c in 'log directory'

    Hi Seulbae Kim, I'm using hydra (based on commit id: e7f0c5f) for Linux-4.19 FS fuzzing. I encountered the following problems during the test; I hope you can give some pointers:

    1. In EXPERIMENTS.md, you mention "Test cases that trigger crash consistency bugs are stored under the specified log directory." Does the 'log directory' refer to /tmp/mosbench/tmpfs-separate/4/log as below? If so, I got crashes reported in the AFL UI, but no .c file exists there. Currently, my approach is to use Janus's utils/afl-parse tool on out-ext4-1/fuzzer_ext4-cpu1log1grp1/crashes/id:000000,sig:12,src:000000,op:fs-havoc-generate,rep:32; after parsing, I get three files: .c, .c.raw and .img. Am I doing this correctly?
    ~/hydra/src$ cat out-ext4-4/fuzzer_ext4-cpu4log4grp4/crashes/README.txt
    Command line used to find this crash:
    
    ./combined/afl-image-syscall/afl-fuzz -S fuzzer_ext4-cpu4log4grp4 -b shm_ext4-4 -s fs/ext4/ext4_wrapper.so -e samples/oracle/ext4-10.image -y seed_ext4-10 -i in-ext4-4 -o out-ext4-4 -u 4 -- lkl/tools/lkl/ext4-combined-consistency -t ext4 -i samples/oracle/ext4-10.image -e emulator/emulator.py -l /tmp/mosbench/tmpfs-separate/4/log -d /tmp/mosbench/tmpfs-separate/4/ -r -p @@
    
    ~/hydra/src$ ./utils/afl-parse_janus -i samples/oracle/ext4-10.image -t ext4 -f out-ext4-4/fuzzer_ext4-cpu4log4grp4/crashes/id\:000000\,sig\:12\,src\:000002\,op\:fs-havoc-generate\,rep\:64 -o poc_id\:000000
    

    It outputs 3 files as below: poc_id:000000.c poc_id:000000.c.raw poc_id:000000.img

    opened by uestcmahone 10
Owner
gts3.org (SSLab@Gatech)
https://gts3.org