Below are the generic instructions for how to set up syzkaller to fuzz the Linux kernel. Instructions for a particular VM type or kernel arch can be found on these pages:
- Setup: Ubuntu host, QEMU vm, x86-64 kernel
- Setup: Ubuntu host, Odroid C2 board, arm64 kernel
- Setup: Linux host, QEMU vm, arm64 kernel
- Setup: Linux host, QEMU vm, arm kernel
- Setup: Linux host, Android device, arm64 kernel
- Setup: Ubuntu host, Android device, arm32 kernel
- Setup: Linux isolated host
The following components are needed to use syzkaller:
- C compiler with coverage support
- Linux kernel with coverage additions
- Virtual machine or a physical device
- syzkaller itself
Generic steps to set up syzkaller are described below.
If you encounter any troubles, check the troubleshooting page.
Syzkaller is a coverage-guided fuzzer and therefore it needs the kernel to be built with coverage support, which requires a recent GCC version. Coverage support was merged into GCC and is available in GCC 6.1.0 and later.
Besides coverage support in GCC, you also need support for it on the kernel side.
KCOV was committed upstream in Linux kernel version 4.6 and can be enabled by configuring the kernel with `CONFIG_KCOV=y`.
For older kernels you need to backport the commit `kernel: add kcov code coverage`.
To enable more syzkaller features and improve bug detection abilities, it's recommended to use additional config options. See this page for details.
Syzkaller performs kernel fuzzing on slave virtual machines or physical devices. These slave environments are referred to as VMs. Out-of-the-box syzkaller supports QEMU, kvmtool and GCE virtual machines, Android devices and Odroid C2 boards.
These are the generic requirements for a syzkaller VM:
- The fuzzing processes communicate with the outside world, so the VM image needs to include networking support.
- The program files for the fuzzer processes are transmitted into the VM using SSH, so the VM image needs a running SSH server.
- The VM's SSH configuration should be set up to allow root access for the identity that is included in the `syz-manager`'s configuration. In other words, you should be able to do `ssh -i $SSHID -p $PORT root@localhost` without being prompted for a password (where `SSHID` is the SSH identification file and `PORT` is the port that are specified in the `syz-manager` configuration file).
- The kernel exports coverage information via a debugfs entry, so the VM image needs to mount the debugfs filesystem at `/sys/kernel/debug`.
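The checks below turn the kernel and VM requirements above into a small pre-flight script. It is an added example, not part of syzkaller; it assumes `CONFIG` points at the kernel `.config`, `MOUNTS` at a `/proc/mounts`-style file inside the VM, and `SSHID`/`PORT` carry the values from the `syz-manager` configuration.

```shell
#!/bin/sh
# Added pre-flight checks for a syzkaller VM (example code, not syzkaller's own).
# Each check is a function that exits 0 on success so it can be scripted.

# Kernel side: KCOV must be compiled in, i.e. the .config carries CONFIG_KCOV=y.
check_kconfig() {
    # $1: path to the kernel .config
    grep -q '^CONFIG_KCOV=y$' "$1"
}

# VM image side: debugfs must be mounted at /sys/kernel/debug, otherwise the
# kcov entry (/sys/kernel/debug/kcov) the fuzzer opens is not reachable.
check_debugfs_mount() {
    # $1: path to a /proc/mounts-style file (defaults to /proc/mounts)
    awk '$2 == "/sys/kernel/debug" && $3 == "debugfs" { found = 1 }
         END { exit !found }' "${1:-/proc/mounts}"
}

# Login side: root SSH access with the identity from the syz-manager config must
# work without a password. BatchMode=yes makes ssh fail instead of prompting.
check_ssh_root() {
    # $1: SSH identity file (SSHID), $2: SSH port (PORT), both from syz-manager config
    ssh -i "$1" -p "$2" -o BatchMode=yes -o ConnectTimeout=5 \
        root@localhost 'test -d /sys/kernel/debug' >/dev/null 2>&1
}

main() {
    status=0
    check_kconfig "${CONFIG:-$HOME/linux/.config}" \
        && echo "kcov: ok" || { echo "kcov: CONFIG_KCOV=y missing"; status=1; }
    check_debugfs_mount "${MOUNTS:-/proc/mounts}" \
        && echo "debugfs: ok" || { echo "debugfs: not mounted at /sys/kernel/debug"; status=1; }
    check_ssh_root "${SSHID:?set SSHID}" "${PORT:?set PORT}" \
        && echo "ssh: ok" || { echo "ssh: passwordless root login failed"; status=1; }
    return "$status"
}

# Only run the full sequence when explicitly requested, so the functions can be sourced.
if [ -n "$SYZ_PREFLIGHT" ]; then main; fi
```

Run it inside the VM with `SYZ_PREFLIGHT=1 SSHID=... PORT=... sh preflight.sh`; the first two checks also work on the host against a copied `.config` and mounts file.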
To use QEMU syzkaller VMs you have to install QEMU on your host system, see QEMU docs for details. The create-image.sh script can be used to create a suitable Linux image. Detailed steps for setting up syzkaller with QEMU on a Linux host are available for x86-64 and arm64 kernels.
For some details on fuzzing the kernel on an Android device check out this page and the explicit instructions for an Odroid C2 board are available here.
`syzkaller` is written in Go, so a Go 1.11+ toolchain is required to build it.
See this for instructions on how to install Go and build syzkaller.