Sys2Syz is a tool which automates the conversion of syscalls and other Ioctl calls to syzkaller's representation. This tool was created with a motive of increasing the syscall coverage for leveling up the support of syzkaller for NetBSD. Currently, the tool only supports grammar generation for NetBSD - we plan to add support for other operating systems soon.
Below are the reports on the tool - written as a part of Google Summer of Code - 2020
- Enhancing Syzkaller support for NetBSD - Part 1
- Enhancing Syzkaller support for NetBSD - Part 2
- Enhancing Syzkaller support for NetBSD - Part 3
Work flow of the tool -
The tool supports generation of syzkaller descriptions for NetBSD device driver's ioctl calls. Following steps are involved:
- Extraction of all ioctl commands of a given device driver along with their arguments from the header files. Ioctl commands in NetBSD can be identified with the help of some specific macros(
_IO,_IOR,_IOW,_IOWR) - (core/Extractor.py). - Preprocessing of the device driver's files using compile_commands.json generated during the setup of tool using Bear - (core/Bear.py)
- XML files are generated by running c2xml on preprocessed device files. This eases the process of fetching the information related to arguments of commands - (core/C2xml.py)
- Generates descriptions for the ioctl commands and their arguments (builtin-types, arrays, pointers, structures and unions) using the XML files - (core/Description.py)
Here are the installation instructions for Sys2syz
- Bear setup
- NetBSD src files
This tool is written in python3
- Clone the repo
git clone https://github.com/ais2397/sys2syz.git
cd sys2syz- Install the python dependencies using
pip3 install -r requirements.txt- Run the setup script
Note: This step requires
- NetBSD toolchain.
- Directory storing compiled modules should be cleaned before performing this step
./setup.sh -b <path_to_netbsd_src>To generate descriptions for a particular device driver(device_driver)/syscall run sys2syz.py:
python3 sys2syz.py -i <syscall/ioctl> -t <absolute_path_to_device_driver_source> -c compile_commands.json -v -o <target_operating_system>This would generate a dev_<device_driver>.txt file in the out directory
Example description file generated by sys2syz for i2c device-
# Copyright 2018 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
# Autogenerated by sys2syz
include <dev/i2c/i2c_io.h>
resource fd_i2c[fd]
openat$i2c(fd const[AT_FDCWD], file ptr[in, string["/dev/i2c"]], flags flags[open_flags], mode const[0]) fd_i2c
ioctl$I2C_IOCTL_EXEC(fd fd_i2c, cmd const[I2C_IOCTL_EXEC], arg ptr[in, i2c_ioctl_exec])
i2c_ioctl_exec {
iie_op flags[i2c_op_t_flags, int8]
iie_addr int16
iie_cmd buffer[in]
iie_cmdlen len[iie_cmd, intptr]
iie_buf buffer[in]
iie_buflen len[iie_buf, intptr]
}
i2c_op_t_flags- Fetches ioctl calls of a particular device driver.
- Generates a file having syzkaller specific descriptions for fetched ioctl calls.
- Generation of syzkaller descriptions for syscalls.
- Generation of descriptions for functions, passed as arguments to syscalls.
- Detection of flag values for enums
Features yet to be implemented:
- Calculating Attributes for structs and unions
This tool is developed by Ayushi Sharma
Added support to get descriptions for FreeBSD syscalls and ioctl calls for syzkaller in linux environment.
To build, run the setup.sh script in a freebsd host(could be a vm) with same path for src as your freebsd src will be in linux and scp the json file from FreeBSD to Linux. The usage is same as given.
The modifications will soon be integrated with the original repository and will support both NetBSD and FreeBSD.