Syzkaller-Setup

Setup

Paths

We need to set up three paths: GOPATH, IMAGE and KERNEL.

GOPATH is the Go workspace that syzkaller is fetched into and built in.

IMAGE holds the Linux disk image for the guest VM, and KERNEL holds the kernel source tree together with its build output.

vim ~/.zshrc
add the following lines (GOROOT and the matching PATH entry are added in the Go section below)
export GOPATH=~/fuzz/syzkaller
export IMAGE=~/source/image
export KERNEL=~/source/linux

export GCC=~/bin/gcc-8.1.0
export PATH=$GCC/bin:$PATH
export PATH=$GOPATH/src/github.com/google/syzkaller/bin:$PATH

The last entry is the bin/ directory of the syzkaller checkout, which is where make puts the syzkaller binaries; nothing is installed into $GOPATH/bin.

Go

wget https://mirrors.ustc.edu.cn/golang//go1.13.3.linux-amd64.tar.gz
sha256sum go1.13.3.linux-amd64.tar.gz   # compare with the checksum published on golang.org/dl: the download comes from a third-party mirror
mkdir -p ~/bin
tar -xzf go1.13.3.linux-amd64.tar.gz -C ~/bin   # the tarball contains a top-level go/ directory, so this yields ~/bin/go

add the following lines to .zshrc
export GOROOT=~/bin/go
export PATH=$GOROOT/bin:$PATH

GCC

wget https://ftp.gnu.org/gnu/gcc/gcc-8.1.0/gcc-8.1.0.tar.gz
tar -zxvf gcc-8.1.0.tar.gz
cd gcc-8.1.0
./contrib/download_prerequisites   # fetches GMP, MPFR, MPC and ISL into the tree
mkdir build && cd build            # GCC is meant to be built outside its source directory
../configure --prefix=$HOME/bin/gcc-8.1.0 --disable-multilib   # $HOME rather than ~ so the prefix expands regardless of shell settings; --disable-multilib unless 32-bit development libraries are installed
make -j$(nproc)
make install
$GCC/bin/gcc --version   # check the new install, not the distribution gcc
which gcc                # shows which gcc is first in PATH after ~/.zshrc is reloaded

syzkaller

source ~/.zshrc   # picks up the GOPATH and GOROOT exported above
go get -u -d github.com/google/syzkaller/...
cd $GOPATH/src/github.com/google/syzkaller
make

make puts the compiled binaries in the bin/ directory of this checkout, i.e. $GOPATH/src/github.com/google/syzkaller/bin: syz-manager for the host, and syz-fuzzer and syz-executor for the guest in a target-specific subdirectory. They are not placed in $GOPATH/bin.

Linux Kernel

git clone https://mirrors.tuna.tsinghua.edu.cn/git/linux.git $KERNEL
cd $KERNEL

GCC

make CC="$GCC/bin/gcc" defconfig
make CC="$GCC/bin/gcc" kvmconfig   # newer trees renamed this target to kvm_guest.config

Clang

make CC="$CLANGBIN/bin/clang" defconfig
make CC="$CLANGBIN/bin/clang" kvmconfig

CLANGBIN is the directory of your LLVM install; it is not set in the .zshrc above. Whichever compiler you configure with, pass the same CC to oldconfig and to the build, which come after the .config edits below.

Edit .config and enable:

CONFIG_KCOV=y           # coverage collection, which is what makes the fuzzing coverage-guided
CONFIG_DEBUG_INFO=y     # symbolized crash reports
CONFIG_KASAN=y          # detects out-of-bounds and use-after-free accesses
CONFIG_KASAN_INLINE=y   # inline instrumentation, faster than outline checks

CONFIG_CONFIGFS_FS=y    # needed by the Debian image created below, whose init mounts these
CONFIG_SECURITYFS=y
Then regenerate the config and build (use CC="$CLANGBIN/bin/clang" instead if the tree was configured with Clang):

make CC="$GCC/bin/gcc" oldconfig
make CC="$GCC/bin/gcc" -j64

oldconfig silently turns off any option whose dependencies are not met, so check the resulting .config for the options above before waiting for the full build.
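The check just described, as an added example that is not part of the page or of syzkaller: a POSIX sh function that greps the final .config for the options listed above and tells "present but disabled" apart from "absent". The names check_kconfig and SYZ_REQUIRED_OPTS are this example's own; the option list is the one on this page.

```shell
#!/bin/sh
# Added example (not from the page or syzkaller): confirm that the options syzkaller
# needs survived "make oldconfig". Kconfig drops any option whose dependencies are
# unmet without complaint (KCOV, for instance, needs compiler support for
# -fsanitize-coverage, and KASAN_INLINE needs KASAN), so inspect the final .config
# instead of trusting the edit.

# The options listed on this page.
SYZ_REQUIRED_OPTS="CONFIG_KCOV CONFIG_DEBUG_INFO CONFIG_KASAN CONFIG_KASAN_INLINE CONFIG_CONFIGFS_FS CONFIG_SECURITYFS"

# check_kconfig FILE OPT... -> 0 if every OPT is =y in FILE; otherwise reports each
# problem on stderr and returns 1. "present but disabled" means a dependency or
# compiler check failed; "absent" means the tree or architecture does not know it.
check_kconfig() {
    cfg="$1"
    shift
    missing=0
    for opt in "$@"; do
        if grep -q "^${opt}=y\$" "$cfg"; then
            continue
        fi
        if grep -q "^# ${opt} is not set\$" "$cfg"; then
            echo "$opt: present but disabled, check its dependencies (make menuconfig, '/' to search)" >&2
        else
            echo "$opt: absent from $cfg" >&2
        fi
        missing=$((missing + 1))
    done
    [ "$missing" -eq 0 ]
}

# Run against the tree from this page when $KERNEL is exported (see ~/.zshrc above).
if [ -n "${KERNEL:-}" ] && [ -f "$KERNEL/.config" ]; then
    check_kconfig "$KERNEL/.config" $SYZ_REQUIRED_OPTS && echo "$KERNEL/.config: all syzkaller options enabled"
fi
```

Run it after oldconfig and before the long build; a "present but disabled" KCOV usually means the configured compiler is too old for the sanitizer-coverage check.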

Image

Prepare the Linux image file.

cd $IMAGE
wget https://raw.githubusercontent.com/google/syzkaller/master/tools/create-image.sh -O create-image.sh
chmod +x create-image.sh
./create-image.sh   # or: ./create-image.sh --distribution wheezy

The script uses debootstrap (install it first) and sudo for its mount steps. It writes <distribution>.img plus an ssh key pair <distribution>.id_rsa for root into the current directory; the rest of this page assumes the default produced stretch.img and stretch.id_rsa. A current copy of the script may default to a newer Debian release, in which case adjust the file names in the commands that follow.

QEMU

sudo apt-get install qemu-system-x86

Test qemu

qemu-system-x86_64 \
  -kernel $KERNEL/arch/x86/boot/bzImage \
  -append "console=ttyS0 root=/dev/sda debug earlyprintk=serial slub_debug=QUZ" \
  -hda $IMAGE/stretch.img \
  -net user,hostfwd=tcp::10021-:22 -net nic \
  -enable-kvm \
  -nographic \
  -m 2G \
  -smp 2 \
  -pidfile vm.pid \
  2>&1 | tee vm.log

The guest's sshd is forwarded to host port 10021; log in as root with the key create-image.sh generated next to the image ($IMAGE/stretch.id_rsa). If -enable-kvm is refused, your user cannot open /dev/kvm; add it to the kvm group rather than running QEMU as root.

Kill qemu instance

kill $(cat vm.pid)

Start Fuzzing

Write the syzkaller configuration (my.cfg):

{
	"target": "linux/amd64",
	"http": "127.0.0.1:56741",
	"workdir": "~/fuzz/syzkaller/workdir/",
	"kernel_obj": "~/source/linux/",
	"image": "~/source/image/stretch.img",
	"sshkey": "~/source/image/stretch.id_rsa",
	"syzkaller": "~/fuzz/syzkaller/src/github.com/google/syzkaller",
	"procs": 8,
	"type": "qemu",
	"vm": {
		"count": 4,
		"kernel": "~/source/linux/arch/x86/boot/bzImage",
		"cpu": 2,
		"mem": 2048
	}
}

Replace every ~ with your absolute home directory before use: syz-manager reads these strings as-is and is not started through a shell, so ~ is not expanded. "syzkaller" must be the checkout whose bin/ make populated, not $GOPATH itself. With these values syz-manager boots 4 VMs with 2 CPUs and 2 GB each and runs 8 fuzzer processes in every VM.

Then start syz-manager from the syzkaller checkout (the directory whose bin/ was produced by make):

./bin/syz-manager -config my.cfg

sudo is only needed if your user cannot open /dev/kvm; prefer adding the user to the kvm group, since running as root leaves the workdir and crash reports root-owned. The dashboard is then reachable at the "http" address above, http://127.0.0.1:56741.
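A pre-flight check for the configuration above, as an added example that is not part of the page or of syzkaller: it extracts the path fields from my.cfg with a flat grep (enough for this hand-written config, not a JSON parser), reports any ~ that the manager would take literally, and verifies that the image, key, kernel and syzkaller checkout exist. The function names json_str, expand_home and check_syz_config are this example's own.

```shell
#!/bin/sh
# Added example (not part of syzkaller): check a syz-manager config before launch.
# syz-manager reads the path strings as-is, so a "~" that a shell would expand
# becomes a literal directory name and the manager fails at start-up. Catch that,
# and any stale path, before starting the VMs.

# json_str FILE KEY -> value of the first "KEY": "value" line in FILE
# (flat grep, sufficient for the hand-written config above; not a JSON parser)
json_str() {
    sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# expand_home PATH -> PATH with a leading ~ replaced by $HOME
expand_home() {
    case "$1" in
        "~"|"~/"*) printf '%s\n' "${HOME}${1#?}" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# check_syz_config FILE -> 0 if every path the manager needs exists, 1 otherwise
# (workdir is not checked: syz-manager creates it)
check_syz_config() {
    cfg="$1"
    bad=0
    for key in image sshkey kernel kernel_obj syzkaller; do
        val=$(json_str "$cfg" "$key")
        if [ -z "$val" ]; then
            echo "$key: missing from $cfg" >&2
            bad=$((bad + 1))
            continue
        fi
        p=$(expand_home "$val")
        case "$val" in
            "~"*) echo "$key: '$val' uses ~, which syz-manager does not expand; write $p" >&2
                  bad=$((bad + 1)) ;;
        esac
        if [ ! -e "$p" ]; then
            echo "$key: $p does not exist" >&2
            bad=$((bad + 1))
        fi
    done
    # "syzkaller" must be the checkout that make populated, not $GOPATH itself.
    syzdir=$(expand_home "$(json_str "$cfg" syzkaller)")
    if [ -n "$syzdir" ] && [ ! -x "$syzdir/bin/syz-manager" ]; then
        echo "syzkaller: $syzdir/bin/syz-manager not found; point this at the checkout that make built" >&2
        bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ]
}

# Usage: check_syz_config my.cfg && ./bin/syz-manager -config my.cfg
```

The ~ check is reported separately from the existence check because expand_home makes the path exist on the host while syz-manager itself would still fail on it.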