| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <cf3eef898266e5a8064c6cc5d2c12a9b0971f75c.camel@sipsolutions.net> Date: Thu, 11 Sep 2025 15:59:50 +0200 From: Johannes Berg <johannes@...solutions.net> To: Alexander Potapenko <glider@...gle.com> Cc: Ethan Graham <ethan.w.s.graham@...il.com>, ethangraham@...gle.com, andreyknvl@...il.com, brendan.higgins@...ux.dev, davidgow@...gle.com, dvyukov@...gle.com, jannh@...gle.com, elver@...gle.com, rmoar@...gle.com, shuah@...nel.org, tarasmadan@...gle.com, kasan-dev@...glegroups.com, kunit-dev@...glegroups.com, linux-kernel@...r.kernel.org, linux-mm@...ck.org, dhowells@...hat.com, lukas@...ner.de, ignat@...udflare.com, herbert@...dor.apana.org.au, davem@...emloft.net, linux-crypto@...r.kernel.org Subject: Re: [PATCH v2 RFC 0/7] KFuzzTest: a new kernel fuzzing framework Hi again :-) So I've been spending another day on this, looking at kafl/nyx as promised, and thinking about afl++ integration. > I've been looking also at broader fuzzing tools such as nyx-fuzz and > related kafl [1] which are cool in theory (and are intended to address > your "cannot fork VMs quickly enough" issue), but ... while running a > modified host kernel etc. is sufficient for research, it's practically > impossible for deploying things since you have to stay on top of > security etc. > > [1] https://intellabs.github.io/kAFL/tutorials/linux/fuzzing_linux_kernel.html > > That said, it seems to me that upstream kvm code actually has Intel-PT > support and also dirty page logging (presumably for VM migration), so > I'm not entirely sure what the nyx/kafl host kernel actually really > adds. But I have yet to research this in detail, I've now asked some > folks at Intel who work(ed) on it. It's actually a bit more nuanced - it can work without Intel-PT using instrumentation for feedback and using the upstream kvm PML APIs, but then it requires the "vmware backdoor" enabled. Also, the qemu they have is based on version 4.2, according to the bug tracker there were two failed attempts at forward-porting it. > Which I'm not arguing is bad, quite the opposite, but I'm also close to > just giving up on the whole UML thing precisely _because_ of it, since > there's no way anyone can compete with Google's deployment, and adding > somewhat competing infrastructure to the kernel will just complicate > matters. Which is maybe unfortunate, because a fork/fuzz model often > seems more usable in practice, and in particular can also be used more > easily for regression tests. Or maybe not given the state of the kafl/nyx world... :) I also just spent a bunch of time looking at integrating afl++ with kcov and it seems ... tricky? There seem to be assumptions on the data format in afl++, but the kcov data format is entirely different, both for block and compare tracking. I think it could be made to work most easily by first supporting -fsanitize-coverage=trace-pc-guard in kcov (which is clang only at this point), and adding a new KCOV_TRACE_ mode for it, one that indexes by guard pointer and assigns incrementing numbers to those like afl does, or so? I'd think it'd be useful to also be able to run afl++ on the kfuzztests proposed here by forwarding the kcov data. For this though, it seems it might also be useful to actually wait for remote kcov to finish? Yeah there's still the whole state issue, but at least (remote) kcov will only trace code that's actually relevant to the injected data. This would be with afl running as a normal userspace process against the kfuzztest of the kernel it's running in, but with some additional setup it'd also be possible to apply it to UML with forking to avoid state issues. (And yes, kcov seems to work fine on UML.) I guess I'll go play with this some unless someone sees total show- stoppers. johannes
Powered by blists - more mailing lists