1. What is SyzScope?
2. Why did we develop SyzScope?
3. Access our paper
4. Setup
   1. Docker - Recommend
      1. image - ready2go
      2. image - mini
      3. image - syzscope
   2. Manually setup
      1. Let's warm up
      2. Install requirements
      3. Tweak pwntools
      4. Using UTF-8 encoding
5. Tutorial
6. Common Issues

SyzScope is a system that can automatically uncover high-risk impacts given a bug with only low-risk impacts.

A major problem of current fuzzing platforms is that they neglect a critical function that should have been built-in: evaluation of a bug's security impact. It is well-known that the lack of understanding of security impact can lead to delayed bug fixes as well as patch propagation. Therefore, we developed SyzScope to reveal the potential high-risk bugs among seemingly low-risk bugs from syzbot.

Access our paper here

@inproceedings {277242,
title = {{SyzScope}: Revealing {High-Risk} Security Impacts of {Fuzzer-Exposed} Bugs in Linux kernel},
booktitle = {31st USENIX Security Symposium (USENIX Security 22)},
year = {2022},
address = {Boston, MA},
url = {https://www.usenix.org/conference/usenixsecurity22/presentation/zou},
publisher = {USENIX Association},
month = aug,
}

docker pull etenal/syzscope:ready2go
docker run -it -d --name syzscope -p 2222:22 --privileged etenal/syzscope:ready2go
docker attach syzscope

Everything is ready to go

cd /root/SyzScope
git pull

docker pull etenal/syzscope:mini
docker run -it -d --name syzscope --privileged etenal/syzscope:mini
docker attach syzscope

cd /root/SyzScope
git pull
. venv/bin/activate
python3 syzscope --install-requirements

The ready2go docker image contains pre-built syzkaller binaries and a pre-built Linux kernel for analyzing CVE-2018-25015.

As an alternative, the syzscope docker image can be built using the following docker build command.

docker build -t syzscope --build-arg UID=$(id -u) --build-arg GID=$(id -g) .

This container image has all python and system dependencies for running syzscope; however, syzkaller and the target Linux kernel will be built at run-time.

Note: SyzScope was only tested on Ubuntu 18.04.

apt-get update
apt-get -y install git python3 python3-pip python3-venv sudo
git clone https://github.com/plummm/SyzScope.git
cd SyzScope/
python3 -m venv venv
. venv/bin/activate
pip3 install -r requirements.txt

python3 syzscope --install-requirements

Pwntools print unnecessary debug information when starting or stoping new process (e.g., gdb), or opening new connection (e.g., connect to QEMU monitor). To disable such info, we insert one line of new code.

vim venv/lib/<YOUR_PYTHON>/site-packages/pwnlib/log.py

Add logger.propagate = False to class Logger(object)

class Logger(object):
...
	def __init__(self, logger=None):
	...
		logger = logging.getLogger(logger_name)
		logger.propagate = False #<-- Overhere

Using UTF-8 encoding to run pwndbg properly

SyzScope should install UTF-8 when you install the requirements.

To make sure use UTF-8 by default, add the following commands to .bashrc or other shell init script you're using.

export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8

Getting started

Workzone Structure

Inpsect results

PoC Reproduce

Fuzzing

Static Taint Analysis

Symbolic Execution

WARNING: held lock freed! (CVE-2018-25015)

Check out common issues