--------------------------------------- iknowthis Linux SystemCall Fuzzer ------------------------------------------------- iknowthis is a fuzz testing framework for Linux system calls. It is designed to make system calls in random order, with random parameters in order to spot subtle kernel bugs. In order to get good coverage, each system call is annotated with a prototype, and optionally a simple routine to manage any resources that may have been created (sockets, file descriptors, etc.). These resources are then handed to other system calls, in order to try and reach some pathological state of operation. Here is a trivial example of a fuzzer: // Check real user’s permissions for a file. SYSFUZZ(access, __NR_access, SYS_NONE, CLONE_DEFAULT, 0) { gchar *pathname; gint retcode; retcode = spawn_syscall_lwp(this, NULL, __NR_access, // int typelib_get_pathname(&pathname), // const char *pathname typelib_get_integer_mask(R_OK | W_OK | X_OK | F_OK)); // int mode g_free(pathname); return retcode; } Typelib is a set of routines to manage common kernel parameters. spawn_syscall_lwp() is a syscall invokation routine that tries to isolate our main process from any damage by executing it in a new lwp. If you're certain that a system call can never timeout or damage us, then you can use a faster alternative. I've used glib for common data structures, so copied their naming convention where appropriate. * Making a fuzzer * Using and improving typelib * Debugging I usually run iknowthis in a virtual machine, for easier debugging, you can try something like this: $ while true; do (sleep 1h ; sudo killall -9 iknowthis) & sudo ./iknowthis --dangerous; kill %1; done