Dependency

module
v0.0.0-...-f0d17a2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 6, 2023 License: Apache-2.0

README

1. what the artifact does

This artifact is for paper "Demystifying the Dependency Challenge in Kernel Fuzzing". Fuzz testing operating system kernels remains a daunting task to date. One known challenge is that much of the kernel code is locked under specific kernel states and current kernel fuzzers are not effective in exploring such an enormous state space. We refer to this problem as the dependency challenge. Though there are some efforts trying to address the dependency challenge, the prevalence and categorization of dependencies have never been studied. Most prior work simply attempted to recover dependencies opportunistically whenever they are relatively easy to recognize. We undertake a substantial measurement study to systematically understand the real challenge behind dependencies. In one word, the artifact is to help researchers to understand the dependency challenge in kernel fuzzing.

2. where it can be obtained

Virtual Machine and other files ready for Artifact Evaluation

  • username & password: icse22ae
  • zenodo archive: https://doi.org/10.5281/zenodo.6029158
  • also available in Google driver: https://drive.google.com/drive/folders/1Ts4P4iC2PHihtBviSXMUkn3My0PLkowN?usp=sharing

Source Code

  • zenodo archive: https://doi.org/10.5281/zenodo.6029520
  • github and update: https://github.com/ZHYfeng/Dependency

Evaluation Data

  • zenodo archive: https://doi.org/10.5281/zenodo.5441138
  • also available in Google driver: data.tar.gz in https://drive.google.com/drive/folders/1Ts4P4iC2PHihtBviSXMUkn3My0PLkowN?usp=sharing

3. how to repeat/replicate/reproduce the results presented in the paper

build our tools (skip this step if using virtual machine)

sudo apt install -y git
git clone https://github.com/ZHYfeng/Dependency.git
cd Dependency
bash build_script/build.bash

prepare kernel and image (skip this step if using virtual machine)

  1. configure the kernel and image based on the requirement of syzkaller, mv image to path-of-Dependency/workdir/image

    doc of syzkaller: https://github.com/google/syzkaller/blob/master/docs/linux/setup_ubuntu-host_qemu-vm_x86-64-kernel.md
    the image we build: image.tar.gz in https://drive.google.com/drive/folders/1Ts4P4iC2PHihtBviSXMUkn3My0PLkowN?usp=sharing

  2. add -fsanitize-coverage=no-prune to CFLAGS_KCOV in kernel config
  3. build kernel using clang and mv it to path-of-Dependency/workdir/13-linux-clang-np

    the kernel we build: linux-clang-np.tar.gz in https://drive.google.com/drive/folders/1Ts4P4iC2PHihtBviSXMUkn3My0PLkowN?usp=sharing

  4. copy the kernel and generate bitcode of kernel using -fembed-bitcode -save-temps=obj

    https://github.com/ZHYfeng/Generate_Linux_Kernel_Bitcode/tree/master/Achieve/01-change-makefile
    the bitcode we build: linux-clang-np-bc-f.tar.gz in https://drive.google.com/drive/folders/1Ts4P4iC2PHihtBviSXMUkn3My0PLkowN?usp=sharing

  5. preprocess kernel in order to save time 
    cd path-of-Dependency/workdir/13-linux-clang-np
objdump -d vmlinux > vmlinux.objdump
a2l -objdump=vmlinux.objdump

prepare workdir (skip this step if using virtual machine)

the workdir we prepare: workdir.tar.gz in https://drive.google.com/drive/folders/1Ts4P4iC2PHihtBviSXMUkn3My0PLkowN?usp=sharing

  1. make a directory called dev_xxx in path-of-Dependency/workdir
  2. copy the bitcode(.bc) and assembly code(.s) to the directory and rename it to built-in.bc and built-in.s
  3. copy the configuration files path-of-Dependency/04-experiment_script/json/dra.json and path-of-Dependency/04-experiment_script/json/syzkaller.json.

    change the value of file_bc in dra.json to the relative path for the bitcode of device driver you test
    change the value of path_s in dra.json to the relative path of device driver you test

  4. copy the run script path-of-Dependency/04-experiment_script/python/run.py
  5. generate static analysis results based on the static-taint-analysis-component https://zenodo.org/record/5348989/files/static-taint-analysis-component.zip

running the fuzzing

(the path based on virtual machine)

  1. active the environment

    source /home/icse22ae/Dependency/environment.sh

  2. pick one device driver in /home/icse22ae/Dependency/workdir/workdir, for examplecdrom:

    cd /home/icse22ae/Dependency/workdir/workdir/dev_cdrom

  3. configure the run script

    time_run: the second of fuzzing time.
    number_execute: the number of fuzzing runs.
    number_vm_count: the number of vm in each fuzzing.

    In our paper, time_run is at least 48 hours, number_execute is 3 and number_vm_count is 32.
    For artifact evaluation, number_execute and number_vm_count could be 1.
    time_run should be at least 5 mins(20 mins for device driver kvm)

  4. run our tool using script It will automatically stop after time_run.

    python3 run.py

  5. read the results
    still in the same environment in step 1 and the same path in step 2.

    go run /home/icse22ae/Dependency/03-syzkaller/tools/read_result/ -a2i

    Based on the different fuzzing configuration and device driver, the time would be differnet.
    For cdrom, it should be several mins. For kvm, it needs several hours.

understand the results

You can find the results used in our paper in /home/icse22ae/Dependency/workdir/data.

Results after step 4 run our tool using script
  1. The dataDependency.bin, dataResult.bin, dataRunTime.bin, statistics.bin in ./0 or ./1 or ./2 are the resutls in protobuf format.

    The protobuf files are in /home/icse22ae/Dependency/05-proto

Results after step 5 read the results
  1. 0_coverage.txt is the coverage of the fuzzing in ./0. coverage.txt is the average coverage of all runs.Each line is time@number-of-edge.
  2. conditionD.txt lists all unresolved condition related to dependency.
  3. conditionND.txt lists all unresolved condition not related to dependency.
  4. conditionDN.txt lists all unresolved condition related to dependency but our static analysis can not find their write statements.
  5. intersection.txt is the intersection coverage of all runs and union_coverage.txt is the union coverage of all runs. Each line is the address of the edge.
  6. OutsideFunctions.txt is the Unreachable Functions Elimination mentioned in our paper.
  7. statistic.txt is the statistic used in our paper.
  8. uncovered.txt lists all uncovered edge and its unresovled conditions, and uncovered_more.txt lists more details about them.
Example for one unresolved dependency

Still use dev_cdrom as example and the results can be found in data.tar.gz as mentioned in Section Evaluation Data

All unresolved condition related to dependency in conditionD.txt, for example:

0xffffffff8579b9b7@https://elixir.bootlin.com/linux/v4.16/source/drivers/cdrom/cdrom.c#L2279@0xffffffff8579b960@https://elixir.bootlin.com/linux/v4.16/source/drivers/cdrom/cdrom.c#L2279@mmc_ioctl_cdrom_read_audio@if.end11.i@
 @ @0xffffffff857a3eaa@https://elixir.bootlin.com/linux/v4.16/source/drivers/cdrom/cdrom.c#L2124@1@
 @ @0xffffffff8579b421@https://elixir.bootlin.com/linux/v4.16/source/drivers/cdrom/cdrom.c#L2228@0@
 @ @0xffffffff8579b05a@https://elixir.bootlin.com/linux/v4.16/source/drivers/cdrom/cdrom.c#L2187@1@

0xffffffff8579b9b7 is the assembly address of unresovled branch in binary and https://elixir.bootlin.com/linux/v4.16/source/drivers/cdrom/cdrom.c#L2279 is the source code of the unresolved dependency. 0xffffffff8579b960 is the assembly address of condition of the unresovled branch and also https://elixir.bootlin.com/linux/v4.16/source/drivers/cdrom/cdrom.c#L2279 is the source code. if.end11.i is the name of basic block in LLVM bitcode.
Next lines are the write addresses for the unresolved dependency.

Then we can find a file 0xffffffff8579b9b7.txt, which is named by the assembly address of unresovled branch. Inside this file, we can find the number of dominator instructions of this unresolved dpendnecy, the inputs (test cases) from syzkaller which can arrive unresolved dpendnecy, the inputs which can arrive the write address. We can also find the call chain of write address starting from entry function.

4. the structure and function of the source code

  • 02-dependency
    • 02-dependency/lib/DMM/: mapping between assembly address in the binary and basic block in LLVM bitcode
    • 02-dependency/lib/RPC/: work with fuzzing component (syzkaller) using Protobuf and gRPC
    • 02-dependency/lib/STA/: work with static analysis component using JSON
    • 02-dependency/lib/DCC/: output human-readable information and statistics for unresolved conditions
  • 03-syzkaller
    • 03-syzkaller/syz-fuzzer/: modification for collecting more complete coverage and other related useful information from fuzzing
    • 03-syzkaller/pkg/dra/: work with mapping component and output results using Protobuf and gRPC
  • 05-proto: all Protobuf files

Directories

Path Synopsis
03-syzkaller
dashboard/app
dashboard/dashapi
Package dashapi defines data structures used in dashboard communication and provides client interface.
 Package dashapi defines data structures used in dashboard communication and provides client interface.
executor
pkg/ast
Package ast parses and formats sys files.
 Package ast parses and formats sys files.
pkg/bisect
pkg/build
Package build contains helper functions for building kernels/images.
 Package build contains helper functions for building kernels/images.
pkg/compiler
Package compiler generates sys descriptions of syscalls, types and resources from textual descriptions.
 Package compiler generates sys descriptions of syscalls, types and resources from textual descriptions.
pkg/config
pkg/cover
Package cover provides types for working with coverage information (arrays of covered PCs).
 Package cover provides types for working with coverage information (arrays of covered PCs).
pkg/csource
Package csource generates [almost] equivalent C programs from syzkaller programs.
 Package csource generates [almost] equivalent C programs from syzkaller programs.
pkg/db
Package db implements a simple key-value database.
 Package db implements a simple key-value database.
pkg/dra
pkg/email
pkg/gce
Package gce provides wrappers around Google Compute Engine (GCE) APIs.
 Package gce provides wrappers around Google Compute Engine (GCE) APIs.
pkg/gcs
Package gcs provides wrappers around Google Cloud Storage (GCS) APIs.
 Package gcs provides wrappers around Google Cloud Storage (GCS) APIs.
pkg/hash
pkg/host
pkg/html
pkg/ifuzz
Package ifuzz allows to generate and mutate x86 machine code.
 Package ifuzz allows to generate and mutate x86 machine code.
pkg/ifuzz/gen
gen generates instruction tables (ifuzz/insns.go) from Intel XED tables.
 gen generates instruction tables (ifuzz/insns.go) from Intel XED tables.
pkg/ifuzz/generated
pkg/instance
Package instance provides helper functions for creation of temporal instances used for testing of images, patches and bisection.
 Package instance provides helper functions for creation of temporal instances used for testing of images, patches and bisection.
pkg/ipc
pkg/ipc/ipcconfig
pkg/kd
Minimal KD protocol decoder.
 Minimal KD protocol decoder.
pkg/log
Package log provides functionality similar to standard log package with some extensions:
 Package log provides functionality similar to standard log package with some extensions:
pkg/mgrconfig
pkg/osutil
pkg/report
Package report contains functions that process kernel output, detect/extract crash messages, symbolize them, etc.
 Package report contains functions that process kernel output, detect/extract crash messages, symbolize them, etc.
pkg/repro
pkg/rpctype
Package rpctype contains types of message passed via net/rpc connections between various parts of the system.
 Package rpctype contains types of message passed via net/rpc connections between various parts of the system.
pkg/runtest
Package runtest is a driver for end-to-end testing of syzkaller programs.
 Package runtest is a driver for end-to-end testing of syzkaller programs.
pkg/serializer
pkg/signal
Package signal provides types for working with feedback signal.
 Package signal provides types for working with feedback signal.
pkg/symbolizer
pkg/vcs
Package vcs provides helper functions for working with various repositories (e.g.
 Package vcs provides helper functions for working with various repositories (e.g.
prog
prog/test
sys
sys/akaros
sys/akaros/gen
AUTOGENERATED FILE This file is needed if OS is completely excluded by build tags.
 AUTOGENERATED FILE This file is needed if OS is completely excluded by build tags.
sys/freebsd
sys/freebsd/gen
AUTOGENERATED FILE This file is needed if OS is completely excluded by build tags.
 AUTOGENERATED FILE This file is needed if OS is completely excluded by build tags.
sys/fuchsia
sys/fuchsia/fidlgen
sys/fuchsia/gen
AUTOGENERATED FILE This file is needed if OS is completely excluded by build tags.
 AUTOGENERATED FILE This file is needed if OS is completely excluded by build tags.
sys/linux
sys/linux/gen
AUTOGENERATED FILE This file is needed if OS is completely excluded by build tags.
 AUTOGENERATED FILE This file is needed if OS is completely excluded by build tags.
sys/netbsd
sys/netbsd/gen
AUTOGENERATED FILE This file is needed if OS is completely excluded by build tags.
 AUTOGENERATED FILE This file is needed if OS is completely excluded by build tags.
sys/openbsd
sys/openbsd/gen
AUTOGENERATED FILE This file is needed if OS is completely excluded by build tags.
 AUTOGENERATED FILE This file is needed if OS is completely excluded by build tags.
sys/syz-extract
sys/syz-sysgen
sys/targets
sys/test
sys/test/gen
AUTOGENERATED FILE This file is needed if OS is completely excluded by build tags.
 AUTOGENERATED FILE This file is needed if OS is completely excluded by build tags.
sys/trusty
sys/trusty/gen
AUTOGENERATED FILE This file is needed if OS is completely excluded by build tags.
 AUTOGENERATED FILE This file is needed if OS is completely excluded by build tags.
sys/windows
sys/windows/gen
AUTOGENERATED FILE This file is needed if OS is completely excluded by build tags.
 AUTOGENERATED FILE This file is needed if OS is completely excluded by build tags.
syz-ci
syz-ci is a continuous fuzzing system for syzkaller.
 syz-ci is a continuous fuzzing system for syzkaller.
syz-fuzzer
syz-hub
syz-hub/state
syz-manager
tools/read_result
tools/syz-benchcmp
syz-benchcmp visualizes syz-manager benchmarking results.
 syz-benchcmp visualizes syz-manager benchmarking results.
tools/syz-bisect
tools/syz-cover
syz-cover generates coverage HTML report from raw coverage files.
 syz-cover generates coverage HTML report from raw coverage files.
tools/syz-crush
syz-crush replays crash log on multiple VMs.
 syz-crush replays crash log on multiple VMs.
tools/syz-db
tools/syz-env
tools/syz-execprog
execprog executes a single program or a set of programs and optionally prints information about execution.
 execprog executes a single program or a set of programs and optionally prints information about execution.
tools/syz-fmt
syz-fmt re-formats sys files into standard form.
 syz-fmt re-formats sys files into standard form.
tools/syz-imagegen
imagegen generates syz_mount_image/syz_read_part_table calls from disk images.
 imagegen generates syz_mount_image/syz_read_part_table calls from disk images.
tools/syz-mutate
mutates mutates a given program and prints result.
 mutates mutates a given program and prints result.
tools/syz-prog2c
tools/syz-repro
tools/syz-runtest
Runtest runs syzkaller test programs in sys/*/test/*.
 Runtest runs syzkaller test programs in sys/*/test/*.
tools/syz-stress
tools/syz-symbolize
tools/syz-testbuild
syz-testbuild tests kernel build/boot on releases as it will be done by pkg/bisect.
 syz-testbuild tests kernel build/boot on releases as it will be done by pkg/bisect.
tools/syz-trace2syz
syz-trace2syz converts strace traces to syzkaller programs.
 syz-trace2syz converts strace traces to syzkaller programs.
tools/syz-trace2syz/parser
nolint
 nolint
tools/syz-trace2syz/proggen
tools/syz-tty
syz-tty is utility for testing of usb console reading code.
 syz-tty is utility for testing of usb console reading code.
tools/syz-upgrade
upgrade upgrades corpus from an old format to a new format.
 upgrade upgrades corpus from an old format to a new format.
tools/syz-usbgen
vm
Package vm provides an abstract test machine (VM, physical machine, etc) interface for the rest of the system.
 Package vm provides an abstract test machine (VM, physical machine, etc) interface for the rest of the system.
vm/adb
vm/gce
Package gce allows to use Google Compute Engine (GCE) virtual machines as VMs.
 Package gce allows to use Google Compute Engine (GCE) virtual machines as VMs.
vm/gvisor
Package gvisor provides support for gVisor, user-space kernel, testing.
 Package gvisor provides support for gVisor, user-space kernel, testing.
vm/isolated
vm/kvm
Package kvm provides VMs based on lkvm (kvmtool) virtualization.
 Package kvm provides VMs based on lkvm (kvmtool) virtualization.
vm/odroid
vm/qemu
vm/vmimpl
Package vmimpl provides an abstract test machine (VM, physical machine, etc) interface for the rest of the system.
 Package vmimpl provides an abstract test machine (VM, physical machine, etc) interface for the rest of the system.
vm/vmm
Package vmm provides VMs based on OpenBSD vmm virtualization.
 Package vmm provides VMs based on OpenBSD vmm virtualization.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.