目录
- .githubUpdate ci-linux.yml3年前
- healer_corefix strategy of get free port3年前
- healer_fuzzerfix3年前
- healer_utilsfix strategy of get free port3年前
- syz_wrapperdo not reset on handshake failure3年前
- toolsadd support for unix socket based comm3年前
- .gitignoreignore .idea3年前
- Cargo.lockfix strategy of get free port3年前
- Cargo.tomladd seq minimization3年前
- LICENSEupdate3年前
- README.mdUpdate README.md3年前
- rustfmt.tomlupdate3年前
邀请码
Healer
Healer is a kernel fuzzer inspired by Syzkaller.
Similar to Syzkaller, Healer uses the syscall information provided by the Syzlang description to generate sequences of system calls that confirm to the parameter structure constraints and partial semantic constraints, and finds kernel bugs by continuously executing the generated call sequences to cause kernel crashes.
Unlike Syzkaller, Healer does not use an empirical choice-table, but detects the influence relationships between syscalls by dynamically removing calls in the minimized call sequences and observing coverage changes, and uses the influence relationships to guide the generation and mutation of call sequences. In addition, Healer also uses a different architectural design than Syzkaller.
NOTE: This is just a prototype and many important features haven’t been published.
Build Healer
Healer is written in pure rust, except for some patching code. Therefore, rust toolchain should be installed first.
In order to use the Syzlang descriptions, Healer’s build script will automatically download Syzkaller and add patches to the source code and build Syzkaller, which may increase the build time. Therefore, the build tool required by Syzkaller needs to be installed, e.g., golang compiler with GO111MODULE on, GCC 6.1.0 or later. You can also skip the automated building process via setting related env variables. However, you need provide syscall description in json format manually in this case.
Once all the required tools have been installed, Healer can be easily built using following command:
Finally, Healer itself and the patched Syzkaller binary (
syz-bin) can be found in thetarget/releasedirectory.Fuzz Linux Kernel
Overall, fuzzing Linux kernel with Healer requires three steps: (1) prepare the disk image, (2) compile the kernel, and (3) start Healer.
Healer uses qumu to boot the kernel, so the disk image and kernel image need to be prepared. The booted qemu needs to be able to login via the ssh key, and the kernel needs to have at least the
kcovfeature. This document from Syzkaller describes in detail about how to buildstretch.imgand compile the Linux kernel with specific configuration, so follow the instructions there to complete the first two steps.Once the
stretch.img,ssh-stretch.id_rsa,bzImageare ready, my recommendation is to create a working directory. Then, create abindirectory inside the workdir and copy the patched Syzkaller binary and healer binary to that directory, taking care not to change thesyz-bindirectory structure. The final working directory needs to have the following files.Finally, executing following command to start the fuzzing, where
-dspecifies the path to disk image,-kspecifies the path to kernel image and--ssh-keyspecifies the path to ssh key.One can also specify the parallel fuzzing instance (thread) via
-j, the path to kernel object file (vmlinux) and srouce code via-band-rso that Healer can symbolize the kernel crash log. See more options viahealer --help. If everything works ok, you’ll see following log:Contributing
All contributions are welcome, if you have a feature request don’t hesitate to open an issue!