Adapting TriforceAFL for NetBSD, Part 1


June 26, 2019 posted by Kamil Rytarowski

Prepared by Akul Pillai as part of GSoC 2019.

The first coding period of the Google Summer of Code has come to an end. It has been a great experience so far and I got the opportunity to learn a lot of new stuff. This is a report on the work I have done during this coding period.

About TriforceAFL

TriforceAFL is a modified version of AFL that supports fuzzing using QEMU's full system emulation. This offers several advantages: for example, the kernel does not need to be recompiled with AFL instrumentation, nor does it need to be built with coverage support, because coverage is collected from the emulator. More details on the other advantages, the design and the implementation of TriforceAFL can be found here.

The TriforceLinuxSyscallFuzzer and the TriforceOpenBSDSyscallFuzzer are syscall fuzzers built on top of TriforceAFL. The end goal of this project is to adapt TriforceAFL for NetBSD syscall fuzzing.

Adapted TriforceAFL for pkgsrc-wip

One of the end goals of the project is to make the fuzzer available as a pkgsrc package. To do so, TriforceAFL first had to be ported to pkgsrc. TriforceAFL uses qemu, so the appropriate NetBSD patches for qemu were applied and a few other minor issues were resolved. The working package is now available in pkgsrc-wip.

The NetBSD Syscall Fuzzer

TriforceNetBSDSyscallFuzzer can now be used to perform system call fuzzing of NetBSD kernels using AFL and QEMU. The setup scripts and the driver program are functioning. The syscall list has been updated for NetBSD and basic input generation works. Documentation detailing the process of setup (of the NetBSD installation and kernel image), building and fuzzing is available on GitHub along with the code.

The fuzzer functions properly and detects crashes, which can be reproduced using the driver. It would, however, benefit greatly from better input generation and optimisation; this will be the focus of the next coding period.

Summary

In the coming weeks the work of optimizing the fuzzer will be done, so that it is more efficient at catching bugs. I am looking forward to doing so and to making TriforceNetBSDSyscallFuzzer available on NetBSD through pkgsrc.

Lastly, I would like to thank my mentor, Kamil Rytarowski, for always helping me through the process and guiding me whenever I needed any help.


Comments:

Find any good bugs?

Posted by Skepta on June 26, 2019 at 09:56 PM UTC #

@Skepta Just started fuzzing, got a few crashes, need to look at them!

Posted by Akul Pillai on June 27, 2019 at 03:43 AM UTC #

awesome!

Posted by Tim Newsham on June 27, 2019 at 06:40 AM UTC #

This is awesome work. Work on stability in NetBSD is highly desired, and the fuzzing thing is a great step towards achieving this. I have some idea… maybe TNF should become a business, not the foundation. I think it is slowly becoming that getting donations is harder and harder these days. Maybe making the NetBSD business by the TNF itself, and not looking for outside entities, is an interesting idea?

Posted by Bialy on June 27, 2019 at 09:03 AM UTC #
