What does HackerNews think of syzkaller?

syzkaller is an unsupervised coverage-guided kernel fuzzer

Language: Go

The key to modern fuzzing is feedback, usually some kind of coverage measurement of the program under test. This allows the fuzzer to be much smarter about how it finds new code paths and discards inputs that don't extend coverage. This makes fuzzing find bugs a lot quicker.

Google have a project to do fuzzing on Linux system calls using coverage feedback: https://github.com/google/syzkaller

System call: https://en.wikipedia.org/wiki/System_call

Strace and similar tools can trace syscalls to see what kernel system calls are made by a process: https://en.wikipedia.org/wiki/Strace#Similar_tools

Google/syzkaller https://github.com/google/syzkaller :

> syzkaller ([siːzˈkɔːlə]) is an unsupervised coverage-guided kernel fuzzer. Supported OSes: Akaros, FreeBSD, Fuchsia, gVisor, Linux, NetBSD, OpenBSD, Windows

Fuchsia / Zircon syscalls: https://fuchsia.dev/fuchsia-src/reference/syscalls

"How does Go make system calls?" https://stackoverflow.com/questions/55735864/how-does-go-mak...
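The feedback loop described above, as an added example that is not syzkaller's own code: a miniature coverage-guided fuzzer in Go against a constructed toy target whose branches report block IDs the way kcov reports them for the kernel. Because each mutant that matches one more header byte is kept in the corpus, the buggy path is reached in thousands of executions instead of the roughly 2^32 that blind guessing would need.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Constructed toy "kernel entry point" (hypothetical, not syzkaller code): a tiny header
// check whose branches record basic-block IDs in cov, as kcov does. Returns true on the buggy path.
func target(in []byte, cov map[int]bool) bool {
	for i, b := range []byte("FUZZ") {
		if len(in) <= i || in[i] != b {
			cov[i] = true // block: header byte i mismatched
			return false
		}
		cov[100+i] = true // block: header byte i matched
	}
	cov[200] = true // block: header accepted, buggy handler reached
	return true
}

// Fuzz is the coverage-guided loop: mutate a corpus entry, run it, keep the mutant only if it
// covers a block never seen before. Returns crashing input, executions spent, and whether it crashed.
func Fuzz(seed int64, budget int) ([]byte, int, bool) {
	rng := rand.New(rand.NewSource(seed))
	corpus := [][]byte{make([]byte, 4)} // seed corpus: one all-zero input
	seen := map[int]bool{}
	target(corpus[0], seen)
	for n := 1; n <= budget; n++ {
		mut := append([]byte(nil), corpus[rng.Intn(len(corpus))]...)
		mut[rng.Intn(len(mut))] = byte(rng.Intn(256)) // mutation: overwrite one random byte
		cov := map[int]bool{}
		if target(mut, cov) {
			return mut, n, true
		}
		added := false
		for blk := range cov {
			if !seen[blk] { // feedback: this block was never covered before
				seen[blk], added = true, true
			}
		}
		if added { // keep only mutants that extend coverage; the rest are discarded
			corpus = append(corpus, mut)
		}
	}
	return nil, budget, false
}
func main() {
	in, n, ok := Fuzz(1, 500000)
	fmt.Printf("crash=%v input=%q executions=%d\n", ok, in, n)
}
```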

> Why does the Linux kernel project continue to release code with flaws like this that can be found with automated tools?

Because they have no other option: it's a fuzzer. Therefore, it may take a long time (up to universe heat death) for it to finally exercise the path that causes the issue. And the kernel has a pretty enormous footprint.

Fuzzers never really terminate, so it is not like you can plug it into a CI/CD system and wait for reports.

> The process of reproducing one crash may take from a few minutes up to an hour depending on whether the crash is easily reproducible or non-reproducible at all.

That's for one known crash. But otherwise it will be running 24/7 (across multiple VMs!) looking for issues.

More details here: https://github.com/google/syzkaller

These seem to be slides from a recent OpenBSD meetup where they were discussing the implementation of syzkaller[1], an open source tool from Google written in Go, to fuzz C kernels.

Then it lists 9 issues found in the OpenBSD kernel, including two[2][3] issues with kqueue.

Pretty cool stuff!

[1] https://github.com/google/syzkaller

[2] https://marc.info/?l=openbsd-cvs&m=153364550327224&w=2

[3] https://marc.info/?l=openbsd-cvs&m=152930020005260&w=2

A very common methodology is using a technique called fuzzing. There exist many fuzzers which have produced great success finding a plethora of both non-exploitable and exploitable bugs for Linux [1] [2].

[1] https://github.com/kernelslacker/trinity

[2] https://github.com/google/syzkaller/