Running scripts/envsetup.sh will set up necessary environment variables. One should select the kernel version during environment setup, for example, v4.17

Kernel source codes used in this project are in the other reprository which is included as a submodule. To initialize the submodule one should execute git submodule update command as a follow.

git submodule update --init --depth=1 kernels_repo

scripts/install.sh will try to install all toolchains and tools.

The Razzer's static analysis is based on the LLVM toolchain and the SVF static analysis tool. See documents in docs/static_analysis/.

Razzer's two-phases fuzzing is based on Syzkaller. The deterministic scheduler is implemented using QEMU/KVM. See documents in docs/fuzzing/.

Razzer: Finding Kernel Race Bugs through Fuzzing (IEEE S&P 2019)

• KASAN: slab-out-of-bounds write in tty_insert_flip_string_flag
• WARNING in __static_key_slow_dec
• Kernel BUG at net/packet/af_packet.c:LINE!
• WARNING in refcount_dec
• unable to handle kernel paging request in snd_seq_oss_readq_puts
• KASAN: use-after-free Read in loopback_active_get
• KASAN: null-ptr-deref Read in rds_ib_get_mr (assisted Syzkaller)
• KASAN: use-after-free Read in nd_jump_root (discussed more in the linux security mailing list)
• KASAN: use-after-free Read in link_path_walk (discussed in the linux security mailing list)
• WARNING in ip_recv_error
• KASAN: use-after-free Read in vhost_chr_write_iter
• BUG: soft lockup in snd_virmidi_output_trigger (assisted Syzkaller)
• KASAN: null-ptr-deref Read in smc_ioctl
• KASAN: null-ptr-deref Write in binder_update_page_range
• WARNING in port_delete
• KASAN: null-ptr-deref in inode_permission (discussed in the linux security mailing list)

• Dae R. Jeong (threeearcat@gmail.com)
• Kyungtae Kim (kim1798@purdue.edu)
• Basavesh Ammanaghatta Shivakumar (bammanag@purdue.edu)
• Byoungyoung Lee (byoungyoung@snu.ac.kr)
• Insik Shin (insik.shin@cs.kaist.ac.kr)