plummm / SyzScope

SyzScope is a research project that aims to reveal high-risk security bugs on Syzbot. Learn more details in our paper.

SyzScope

  1. What is SyzScope?
  2. Why did we develop SyzScope?
  3. Access our paper
  4. Setup
    1. Docker - Recommended
      1. image - ready2go
      2. image - mini
      3. image - syzscope
    2. Manually setup
      1. Let's warm up
      2. Install requirements
      3. Tweak pwntools
      4. Using UTF-8 encoding
  5. Tutorial
  6. Common Issues

What is SyzScope?

SyzScope is a system that can automatically uncover high-risk impacts given a bug with only low-risk impacts.

Why did we develop SyzScope?

A major problem of current fuzzing platforms is that they neglect a critical function that should have been built-in: evaluation of a bug's security impact. It is well-known that the lack of understanding of security impact can lead to delayed bug fixes as well as patch propagation. Therefore, we developed SyzScope to reveal the potential high-risk bugs among seemingly low-risk bugs from syzbot.

More details?

Access our paper here

@inproceedings {277242,
title = {{SyzScope}: Revealing {High-Risk} Security Impacts of {Fuzzer-Exposed} Bugs in Linux kernel},
booktitle = {31st USENIX Security Symposium (USENIX Security 22)},
year = {2022},
address = {Boston, MA},
url = {https://www.usenix.org/conference/usenixsecurity22/presentation/zou},
publisher = {USENIX Association},
month = aug,
}

Setup

Docker - Recommended

Image - ready2go (18.39 GB)

docker pull etenal/syzscope:ready2go
docker run -it -d --name syzscope -p 2222:22 --privileged etenal/syzscope:ready2go
docker attach syzscope

Inside the docker container everything is ready to go:

cd /root/SyzScope
git pull

Note that --privileged hands the container every Linux capability and unrestricted access to the host's devices (this is what lets QEMU inside the container open /dev/kvm), and -p 2222:22 publishes the container's SSH port as port 2222 on every host interface. Run the image on a machine you are prepared to treat as part of the analysis environment, and firewall port 2222 if the host is reachable from elsewhere.
Image - mini (400 MB)

docker pull etenal/syzscope:mini
docker run -it -d --name syzscope --privileged etenal/syzscope:mini
docker attach syzscope

Inside the docker container:

cd /root/SyzScope
git pull
. venv/bin/activate
python3 syzscope --install-requirements

As with ready2go, --privileged gives the container full access to the host's devices and capabilities; it is required for QEMU to use /dev/kvm, so run it only on a host dedicated to the analysis.
Image - syzscope (16.5 GB)

The ready2go docker image contains pre-built syzkaller binaries and a pre-built Linux kernel for analyzing CVE-2018-25015.

As an alternative, the syzscope docker image can be built from the repository's Dockerfile with the following docker build command (run from the repository root, the trailing . is the build context):

docker build -t syzscope --build-arg UID=$(id -u) --build-arg GID=$(id -g) .

This container image has all Python and system dependencies for running SyzScope; however, syzkaller and the target Linux kernel will be built at run-time, so expect the first run to take considerably longer than with ready2go.

Manually setup

Note: SyzScope was only tested on Ubuntu 18.04.

Let's warm up

apt-get update
apt-get -y install git python3 python3-pip python3-venv sudo
git clone https://github.com/plummm/SyzScope.git
cd SyzScope/
python3 -m venv venv
. venv/bin/activate
pip3 install -r requirements.txt
Install required packages and compile essential tools:

python3 syzscope --install-requirements
Tweak pwntools

Pwntools prints unnecessary debug information when starting or stopping a new process (e.g., gdb) or opening a new connection (e.g., to the QEMU monitor). To disable this output, we insert one line of code into the installed copy of pwntools (the edit lives inside the virtualenv, so it has to be repeated if pwntools is reinstalled or upgraded):

vim venv/lib/<YOUR_PYTHON>/site-packages/pwnlib/log.py

Add logger.propagate = False to class Logger(object):

class Logger(object):
    ...
    def __init__(self, logger=None):
        ...
        logger = logging.getLogger(logger_name)
        logger.propagate = False  # <-- over here
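The one-line edit above works because Python's logging module hands each record up the logger hierarchy until it meets a logger whose propagate flag is False; pwntools attaches its console handler to a parent logger, so switching propagation off on the per-module child loggers is enough to silence it. The following is an added example, not code from SyzScope or pwntools, and it uses only the standard library: a collecting handler on a parent logger stands in for pwntools' console handler, and a child logger is run with propagation on and then off. The logger names (pwnlib_demo.tubes.process) and the messages are constructed for illustration.

```python
import logging
from typing import Dict, List


class CollectingHandler(logging.Handler):
    """Stands in for the console handler pwntools installs on its parent logger.

    Every record that propagates up to the logger this handler is attached to
    is stored as "logger name: message" so the effect of propagate can be seen.
    """

    def __init__(self) -> None:
        super().__init__()
        self.records: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(f"{record.name}: {record.getMessage()}")


def make_child(name: str, propagate: bool) -> logging.Logger:
    """Mirror what pwnlib.log.Logger.__init__ does after the edit.

    The per-module logger is fetched with logging.getLogger and, when
    propagate is False, its records stop at this logger instead of being
    handed to the parent's handlers (the edited line in pwnlib/log.py).
    """
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)
    logger.propagate = propagate
    return logger


def demo(parent_name: str = "pwnlib_demo") -> Dict[str, List[str]]:
    """Log the same two constructed messages with propagation on, then off.

    Returns what the parent's handler collected in each case. The parent
    logger name defaults to a constructed one so the demo never touches a
    real 'pwnlib' logger if pwntools happens to be installed.
    """
    parent = logging.getLogger(parent_name)
    handler = CollectingHandler()
    parent.addHandler(handler)
    parent.setLevel(logging.DEBUG)
    child_name = f"{parent_name}.tubes.process"  # constructed child logger name
    try:
        # Default behaviour: records climb to the parent and hit its handler.
        noisy = make_child(child_name, propagate=True)
        noisy.debug("Starting local process '/usr/bin/gdb'")
        noisy.debug("Stopped process '/usr/bin/gdb'")
        seen_default = list(handler.records)

        # After the edit: the same logger with propagate=False is silent upstream.
        handler.records.clear()
        quiet = make_child(child_name, propagate=False)
        quiet.debug("Starting local process '/usr/bin/gdb'")
        quiet.debug("Stopped process '/usr/bin/gdb'")
        seen_after_edit = list(handler.records)
        return {"default": seen_default, "after_edit": seen_after_edit}
    finally:
        # Leave the global logging tree as we found it.
        parent.removeHandler(handler)
        logging.getLogger(child_name).propagate = True


if __name__ == "__main__":
    result = demo()
    print("with propagation:", result["default"])
    print("propagate=False:", result["after_edit"])
```

Because the debug messages never reach a handler once propagation is off, and Python's last-resort handler only prints at WARNING and above, the output disappears without touching the log level, which is why the page's edit does not also silence pwntools' warnings and errors.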
Make sure UTF-8 encoding is used

pwndbg needs a UTF-8 locale to run properly.

SyzScope should install the UTF-8 locale when you install the requirements.

To make UTF-8 the default, add the following lines to .bashrc or whichever shell init script you use:

export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8

Tutorial

Getting started

Workzone Structure

Inspect results

PoC Reproduce

Fuzzing

Static Taint Analysis

Symbolic Execution

Example

WARNING: held lock freed! (CVE-2018-25015)


Common Issues

Check out common issues

License: MIT License
