FuzzNG is a system-call fuzzer for the Linux Kernel, designed to minimize the need for system-call descriptions. For details, see our NDSS 2023 paper.
FuzzNG is composed of 4 main components.
- agent-ng is the user-space process that executes fuzzing system-calls. Located in
agent/ - mod-ng is the set of kernel modifications that "reshape" the pointer and
file-descriptor input spaces. Located in
kernel-patches/ - qemu-ng is the full-vm snapshot fuzzer which places new inputs into ng-agent
and resets the entire VM after each input. Located in
qemu-patches/ - libfuzzer-ng is a modified version of libfuzzer used for input generation. Located in
libfuzzer-ng
These instructions were tested on Debian 12. A CPU with VT-x support is preferable. The user needs rw permissions for /dev/kvm
Install Requirements:
# QEMU:
sudo apt-get install git libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev ninja-build
# Kernel:
sudo apt-get install build-essential linux-source bc kmod cpio flex libncurses5-dev libelf-dev libssl-dev dwarves bison
# Misc:
sudo apt install llvm deboostrap qemu-imgBuild Kernel + FuzzNG (mod-ng/qemu-ng/libfuzzer-ng/agent-ng)
Note that clang is required.
NPROC=4 CC=clang-15 CXX=clang++15 make
# This may ask for your password to set up the disk-image for the fuzzing VM.Now pick a fuzzing-config from configs/ and start the fuzzer:
# Fuzz KVM with 4 workers
./scripts/fuzz.sh 4 configs/kvm.hOr, to run a single worker with serial-output from the VM enabled:
# Manually copy the KVM config:
cp configs/kvm.h agent/fuzz_config.h
# Run a fuzzer
EXTRA_ARGS="-serial stdio" PROJECT_ROOT="./" ./scripts/run.shIf you use FuzzNG for your publication, please consider citing the paper:
@inproceedings{fuzzng,
title={{No Grammar, No Problem: Towards Fuzzing the Linux Kernel without System-Call Descriptions}},
author={Bulekov, Alexander and Das, Bandan and Hajnoczi, Stefan, and Egele, Manuel},
booktitle={Symposium on Network and Distributed System Security (NDSS)},
year={2023}
}