PrIntFuzz is an efficient and universal fuzzing framework for testing Linux driver code, including the PRobing code and INTerrupt handlers.
The following instructions guide you through setting up the fuzzing environment and performing multi-dimensional fuzzing on various device drivers.
Tested on Ubuntu 20.04.1.
Please install the following Python packages:
pip3 install kconfiglib==14.1.0
pip3 install GitPython
python3 /path/to/PrIntFuzz/scripts/python/setup.py
- Build the LLVM:
    python3 /path/to/PrIntFuzz/scripts/python/setup.py --build_llvm
- Build the Linux kernel with allmodconfig:
    python3 /path/to/PrIntFuzz/scripts/python/setup.py --build_linux_all
- Build the static analyzer:
    python3 /path/to/PrIntFuzz/scripts/python/setup.py --build_analyzer
- Perform static analysis:
    python3 /path/to/PrIntFuzz/scripts/python/setup.py --analyze
- Build the syzkaller:
    python3 /path/to/PrIntFuzz/scripts/python/setup.py --build_syz
- Build the Linux kernel for fuzzing:
    python3 /path/to/PrIntFuzz/scripts/python/setup.py --build_linux_fuzz
- Build the disk image for fuzzing:
    python3 /path/to/PrIntFuzz/scripts/python/setup.py --build_image
- Build the Linux kernel for fault injection:
    python3 /path/to/PrIntFuzz/scripts/python/setup.py --build_linux_fault
- Build the qemu with fake devices:
    python3 /path/to/PrIntFuzz/scripts/python/setup.py --build_qemu
- Build the docker image for fuzzing:
    python3 /path/to/PrIntFuzz/scripts/python/setup.py --create_docker
- Get the source code of the current kernel:
    sudo apt-get source linux-image-unsigned-$(uname -r)
- Patch the kernel's KVM module (the patch targets Linux 5.13; run it from the root of the extracted kernel source tree, and use `patch --dry-run` first if you want to confirm it applies cleanly to your kernel version):
    sudo patch -p1 < /path/to/PrIntFuzz/patch/linux_host.patch
- Build and install the kernel:
    make olddefconfig
    make
    make INSTALL_MOD_STRIP=1 modules_install
    make install
- Change the default kernel to boot, then reboot and confirm (for example with `uname -r`) that the new kernel is running.
  [WARNING]: This operation changes your default kernel; back up your data first!
- Boot the virtual machine with a virtual device (selected with -e):
    python3 /path/to/PrIntFuzz/scripts/python/qemu.py -m fuzz -e drivers_atm_he
- Check whether the driver is loaded:
    lspci -k
  The output shows
    00:05.0 Unassigned class [ffff]: FORE Systems Inc ForeRunnerHE ATM Adapter
            Kernel driver in use: he
  which indicates that the virtual device was matched with the he driver successfully.
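To automate that check across many boots, the following added example (not code from the PrIntFuzz repository) parses the text `lspci -k` prints and reports whether a device whose name contains a given substring is bound to the expected driver, distinguishing "device present but no driver claimed it" from "device absent". The embedded sample output is constructed: the ForeRunnerHE lines mirror the README, the other devices are illustrative.

```python
"""Check that a virtual PCI device was bound to the expected kernel driver.

Added example, not part of the PrIntFuzz repository. It parses the
`lspci -k` text format (a device line, followed by attribute lines indented
with a tab) and looks up the driver bound to a device by name.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `lspci -k` output from inside the fuzzing VM.
# The ForeRunnerHE entry mirrors the README; the other devices are illustrative.
SAMPLE_LSPCI_K = """\
00:00.0 Host bridge: Intel Corporation 440FX - 82441FX PMC [Natoma] (rev 02)
00:03.0 Ethernet controller: Intel Corporation 82540EM Gigabit Ethernet Controller (rev 03)
\tSubsystem: Red Hat, Inc. QEMU Virtual Machine
\tKernel driver in use: e1000
\tKernel modules: e1000
00:05.0 Unassigned class [ffff]: FORE Systems Inc ForeRunnerHE ATM Adapter
\tKernel driver in use: he
\tKernel modules: he
"""

# Slot (optionally domain-prefixed, as with `lspci -D`), class description, device name.
DEVICE_LINE = re.compile(
    r"^(?P<slot>(?:[0-9a-f]{4}:)?[0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f])\s+"
    r"(?P<cls>[^:]+):\s+(?P<name>.+)$"
)


def parse_lspci_k(text: str) -> List[Dict[str, object]]:
    """Parse `lspci -k` output into one dict per device."""
    devices: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            # Attribute line: belongs to the most recent device line.
            if not devices:
                continue
            key, _, value = line.strip().partition(":")
            if key == "Kernel driver in use":
                devices[-1]["driver"] = value.strip()
            elif key == "Kernel modules":
                devices[-1]["modules"] = [m.strip() for m in value.split(",")]
            continue
        match = DEVICE_LINE.match(line)
        if match is None:
            continue  # not a device line (e.g. a stray message); skip it
        devices.append({
            "slot": match["slot"],
            "class": match["cls"],
            "name": match["name"],
            "driver": None,   # stays None when no driver claimed the device
            "modules": [],
        })
    return devices


def find_device(devices, name_substring: str) -> Optional[Dict[str, object]]:
    """Return the first device whose name contains name_substring, else None."""
    for dev in devices:
        if name_substring in str(dev["name"]):
            return dev
    return None


def check_driver(text: str, name_substring: str, expected_driver: str) -> str:
    """Classify the match: 'bound', 'unbound' (device present, no driver),
    'wrong-driver', or 'absent' (no such device in the output)."""
    dev = find_device(parse_lspci_k(text), name_substring)
    if dev is None:
        return "absent"
    if dev["driver"] is None:
        return "unbound"
    return "bound" if dev["driver"] == expected_driver else "wrong-driver"


if __name__ == "__main__":
    # Inside the VM: run lspci live and check the he driver from the README.
    live = subprocess.run(["lspci", "-k"], capture_output=True, text=True, check=True).stdout
    print(check_driver(live, "ForeRunnerHE", "he"))
```

Run it inside the guest; a result of "unbound" means the fake device was emulated but the driver's probe did not claim it (or failed), which is the case worth inspecting in dmesg before moving on to fuzzing.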
Evaluate probing for the PCI drivers:
    python3 /path/to/PrIntFuzz/scripts/python/evaluation/probe.py -t PCI
Drivers that match successfully are placed in /path/to/PrIntFuzz/out/probe/success/pci, drivers that fail to match in /path/to/PrIntFuzz/out/probe/fail/pci, and drivers that crash the system in /path/to/PrIntFuzz/out/probe/crash.
Each driver has its own folder holding the relevant logs; inspect those logs to determine whether the driver crashed the kernel.
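Going through those per-driver folders by hand does not scale, so here is an added triage script (not part of PrIntFuzz) that walks the out/probe tree, counts drivers per outcome directory, and scans each driver's logs for the standard kernel oops markers (BUG:, Call Trace:, Kernel panic, ...) so that a crash that was filed under success/ or fail/ still gets flagged. It assumes the layout described above and that every file in a driver's folder is a text log; the driver names and log lines in build_sample_tree() are constructed for illustration.

```python
"""Triage the out/probe tree produced by probe.py.

Added example, not part of the PrIntFuzz repository. It assumes the layout the
README describes (success/<bus> and fail/<bus> per bus, crash/ for drivers that
brought the system down, one sub-folder per driver containing its logs) and
treats every file in a driver folder as a text log. The sample tree built by
build_sample_tree() uses hypothetical driver names and constructed log lines.
"""
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Lines the kernel prints when it oopses or panics; any one of these in a log
# means the probe path crashed the kernel, whatever directory the driver landed in.
CRASH_MARKERS = (
    "BUG:",                       # BUG_ON, KASAN, UBSAN and NULL-deref reports
    "Kernel panic",
    "general protection fault",
    "Unable to handle kernel",
    "Call Trace:",
)
# WARN_ON splats are not crashes but are still worth a look.
WARN_MARKERS = ("WARNING:", "------------[ cut here ]------------")


def classify_log(text: str) -> Tuple[str, Optional[str]]:
    """Return ('crash' | 'warning' | 'clean', first matching line or None)."""
    lines = text.splitlines()
    for line in lines:
        if any(m in line for m in CRASH_MARKERS):
            return "crash", line.strip()
    for line in lines:
        if any(m in line for m in WARN_MARKERS):
            return "warning", line.strip()
    return "clean", None


def triage(probe_root: Path, bus: str = "pci") -> Dict[str, Dict[str, Optional[str]]]:
    """Map driver name -> {outcome: directory it landed in, verdict: from its logs, evidence}."""
    buckets = (
        ("success", probe_root / "success" / bus),
        ("fail", probe_root / "fail" / bus),
        ("crash", probe_root / "crash"),
    )
    results: Dict[str, Dict[str, Optional[str]]] = {}
    for outcome, base in buckets:
        if not base.is_dir():
            continue
        for drv_dir in sorted(p for p in base.iterdir() if p.is_dir()):
            verdict, evidence = "clean", None
            for log in sorted(p for p in drv_dir.rglob("*") if p.is_file()):
                found, line = classify_log(log.read_text(errors="replace"))
                # A crash outranks a warning, which outranks clean.
                if found == "crash" or (found == "warning" and verdict == "clean"):
                    verdict, evidence = found, f"{log.name}: {line}"
                if verdict == "crash":
                    break
            results[drv_dir.name] = {"outcome": outcome, "verdict": verdict, "evidence": evidence}
    return results


def summary(results) -> Dict[str, int]:
    """Count drivers per outcome directory and per log verdict."""
    counts: Dict[str, int] = {}
    for r in results.values():
        counts[r["outcome"]] = counts.get(r["outcome"], 0) + 1
        counts["verdict:" + r["verdict"]] = counts.get("verdict:" + r["verdict"], 0) + 1
    return counts


def build_sample_tree(root: Path) -> Path:
    """Create a constructed out/probe tree (hypothetical drivers, made-up log text)."""
    probe = root / "out" / "probe"
    samples = {
        probe / "success" / "pci" / "drivers_atm_he" / "dmesg.log":
            "[    1.204113] he 0000:00:05.0: enabling device (0000 -> 0002)\n",
        probe / "success" / "pci" / "drivers_example_warn" / "dmesg.log":
            "[    1.500000] ------------[ cut here ]------------\n"
            "[    1.500100] WARNING: CPU: 0 PID: 1 at drivers/example/warn.c:77 "
            "example_warn_probe+0x10/0x50\n",
        probe / "fail" / "pci" / "drivers_example_nomatch" / "dmesg.log":
            "[    1.301000] pci 0000:00:06.0: no driver bound\n",
        probe / "crash" / "drivers_example_crashy" / "dmesg.log":
            "[    1.400000] example_crashy 0000:00:07.0: probing\n"
            "[    1.400512] BUG: kernel NULL pointer dereference, address: 0000000000000000\n"
            "[    1.400900] Call Trace:\n"
            "[    1.401000]  example_crashy_probe+0x42/0x1a0\n",
    }
    for path, text in samples.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return probe


def demo() -> Tuple[Dict[str, Dict[str, Optional[str]]], Dict[str, int]]:
    """Build the sample tree in a temp dir, triage it, and return (results, counts)."""
    with tempfile.TemporaryDirectory() as tmp:
        results = triage(build_sample_tree(Path(tmp)))
    return results, summary(results)


if __name__ == "__main__":
    # Real use: triage(Path("/path/to/PrIntFuzz/out/probe"), bus="pci")
    for name, r in demo()[0].items():
        print(f"{name:28} {r['outcome']:8} {r['verdict']:8} {r['evidence'] or ''}")
```

The two columns are deliberately kept apart: "outcome" is where probe.py filed the driver, "verdict" is what its logs say. A driver under success/ whose log carries a WARNING, or one under fail/ whose log contains a BUG: line, is exactly the case the README tells you to look for in the logs.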
Run the fuzzing evaluation:
    python3 /path/to/PrIntFuzz/scripts/python/evaluation/fuzz.py
optional arguments:
  -h, --help       show this help message and exit
  -i, --interrupt  Use this option to enable the interrupt syscall
  -s, --syscall    Use this option to enable other syscalls
  -t, --test       Use this option to add "test" to the output dir
  -d, --debug      Use this option to debug the setting of experiment
  -f, --fake       Use this option to enable fake devices
@inproceedings{ma2022printfuzz,
title={PrIntFuzz: fuzzing Linux drivers via automated virtual device simulation},
author={Ma, Zheyu and Zhao, Bodong and Ren, Letu and Li, Zheming and Ma, Siqi and Luo, Xiapu and Zhang, Chao},
booktitle={Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis},
pages={404--416},
year={2022}
}