syzkaller ([siːzˈkɔːlə]) is an unsupervised coverage-guided kernel fuzzer.
Supported OSes: Akaros, FreeBSD, Fuchsia, gVisor, Linux, NetBSD, OpenBSD, Windows.
Mailing list: syzkaller@googlegroups.com (join on web or by email).
Found bugs: Akaros, Darwin/XNU, FreeBSD, Linux, NetBSD, OpenBSD, Windows.
Initially, syzkaller was developed with Linux kernel fuzzing in mind, but now it's being extended to support other OS kernels as well. Most of the documentation at this moment is related to the Linux kernel. For other OS kernels check: Akaros, Darwin/XNU, FreeBSD, Fuchsia, NetBSD, OpenBSD, Starnix, Windows, gVisor.
- How to install syzkaller
- How to use syzkaller
- How syzkaller works
- How to install syzbot
- How to contribute to syzkaller
- How to report Linux kernel bugs
- Tech talks and articles
- Research work based on syzkaller
- Running syzkaller
- go>=1.16 must be pre-installed.
- linux kernel must be cloned and built under the path $LINUX.
- Path to the working directory $WORKDIR must be set (e.g., /syzkaller/workdir).
```sh
git clone -b gramine-fuzzing https://github.com/ohblee-systems/syzkaller
cd syzkaller
# Building gramine version $VERSION (e.g., v1.3.1)
VERSION=v1.3.1
mkdir images
ln -s $PWD/tools/create-image.sh $PWD/images/
ln -s $PWD/tools/create-gramine-image.sh $PWD/images/
ln -s $PWD/tools/gramine-scripts/build-scripts/$VERSION.sh $PWD/images/
cd images
./create-gramine-image.sh -v $VERSION -k $LINUX
cd ..
# Building syzkaller
GRAMINE=1 make
# Running syzkaller using example config (i.e., tools/gramine-scripts/example.cfg)
cp tools/gramine-scripts/example.cfg ./
sed -i "s|\$LINUX|$LINUX|" example.cfg
sed -i "s|\$WORKDIR|$WORKDIR|" example.cfg
GRAMINE=1 ./bin/syz-manager -config example.cfg
```
Once the fuzzer is running, it saves crashes to $WORKDIR/gramine-outputs/crashes.
For each crash, crash-<hash>.c is the C source that triggers the bug, crash-<hash> is the compiled binary, and crash-<hash>.log is the Gramine bug log.
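The steps above are easy to get half-right: a stale kernel tree, an unset $WORKDIR, or a config placeholder the sed lines missed only shows up after syz-manager has already started. The script below is an added example, not a script from the ohblee-systems/syzkaller repository: it checks the three prerequisites first, then runs the image build, the syzkaller build and the config rendering in order. It assumes (the README does not say this) that a kernel tree counts as built when $LINUX/vmlinux exists, that the go toolchain is probed with `go version`, and that the environment variables GRAMINE_SETUP_RUN and VERSION are the hypothetical knobs it introduces.

```sh
#!/bin/sh
# Added example for the setup steps above; this script is not part of the
# ohblee-systems/syzkaller repository. It checks the prerequisites before anything is
# built and renders example.cfg the way the two sed lines do, refusing to go on if a
# placeholder survives. Assumptions not stated in the README: a kernel tree counts as
# built when $LINUX/vmlinux exists, and the go toolchain is probed with `go version`.

# go_version_ok "<output of go version>": succeeds if the version is >= 1.16.
go_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*go\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 16 ]; }
}

# check_paths LINUX WORKDIR: succeeds if the kernel tree looks built and WORKDIR is set;
# every problem found is reported on stderr.
check_paths() {
    linux=$1; workdir=$2; rc=0
    [ -d "$linux" ] || { echo "\$LINUX ($linux) is not a directory" >&2; rc=1; }
    [ -f "$linux/vmlinux" ] || { echo "no vmlinux under $linux: build the kernel first" >&2; rc=1; }
    [ -n "$workdir" ] || { echo "\$WORKDIR is not set" >&2; rc=1; }
    return $rc
}

# render_config TEMPLATE OUT LINUX WORKDIR: like the README's sed lines, but replaces every
# occurrence on a line (not just the first), refuses empty paths, and fails if a placeholder
# in a form sed did not touch (e.g. ${WORKDIR}) is left in the output. Paths containing
# '|' or '&' would need escaping before being handed to sed.
render_config() {
    tmpl=$1; out=$2; linux=$3; workdir=$4
    [ -n "$linux" ] && [ -n "$workdir" ] || return 1
    sed -e "s|\$LINUX|$linux|g" -e "s|\$WORKDIR|$workdir|g" "$tmpl" >"$out" || return 1
    if grep -Eq '\$[{]?(LINUX|WORKDIR)' "$out"; then
        echo "unexpanded placeholder left in $out" >&2
        return 1
    fi
}

# build_image VERSION LINUX: the images/ symlinks and image build from the README.
build_image() {
    version=$1; linux=$2
    mkdir -p images
    for s in tools/create-image.sh tools/create-gramine-image.sh \
             tools/gramine-scripts/build-scripts/$version.sh; do
        ln -sf "$PWD/$s" images/
    done
    (cd images && ./create-gramine-image.sh -v "$version" -k "$linux")
}

# The full flow runs only with GRAMINE_SETUP_RUN=1 (a knob introduced here), so the
# functions above can also be sourced and exercised on their own.
main() {
    if ! command -v go >/dev/null 2>&1 || ! go_version_ok "$(go version)"; then
        echo "go >= 1.16 must be installed" >&2; exit 1
    fi
    check_paths "$LINUX" "$WORKDIR" || exit 1
    build_image "${VERSION:-v1.3.1}" "$LINUX" || exit 1
    GRAMINE=1 make || exit 1
    render_config tools/gramine-scripts/example.cfg example.cfg "$LINUX" "$WORKDIR" || exit 1
    GRAMINE=1 ./bin/syz-manager -config example.cfg
}
if [ "${GRAMINE_SETUP_RUN:-0}" = 1 ]; then main; fi
```

Run it from the root of the checkout as `LINUX=/path/to/linux WORKDIR=/syzkaller/workdir GRAMINE_SETUP_RUN=1 sh setup.sh`. The `g` flag on the substitutions matters when a config line mentions $LINUX twice (for example a kernel_obj path and a kernel_src path on one line); the README's sed lines would leave the second copy untouched.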
- Reproducing crashes
```sh
ln -s $PWD/tools/gramine-scripts/Makefile $WORKDIR/gramine-outputs/crashes/
ln -s $PWD/tools/gramine-scripts/crash.manifest.template $WORKDIR/gramine-outputs/crashes/
cd $WORKDIR/gramine-outputs/crashes/
make CRASH=<hash>
gramine-direct crash
```
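A fuzzing run leaves many crash-<hash> triples behind, and the two commands above reproduce one of them at a time. The script below is an added example, not part of the repository: it walks the crashes directory, rebuilds and re-runs each reproducer with the Makefile and manifest template already linked in, keeps every attempt's output as crash-<hash>.repro.log, and prints a count per outcome. It assumes (the README does not state this) that `make CRASH=<hash>` leaves the binary and manifest as `crash`, that a non-zero exit from `gramine-direct crash` is a usable signal that the bug fired (the .repro.log is the real evidence), and that `timeout` from coreutils is available; REPRO_RUN and REPRO_TIMEOUT are knobs introduced here.

```sh
#!/bin/sh
# Added example for the reproduction steps above; not a script from the repository.
# Rebuilds and re-runs every crash-<hash>.c in the crashes directory, keeps each attempt's
# output in crash-<hash>.repro.log, and prints a one-line summary. Assumptions: the Makefile
# and crash.manifest.template symlinks from above are in place, `make CRASH=<hash>` leaves
# the binary and manifest as `crash` (as `gramine-direct crash` implies), a non-zero exit
# from gramine-direct means the bug fired, and `timeout` (coreutils) exists.

# list_crash_hashes DIR: the <hash> part of every crash-<hash>.c in DIR, sorted, one per line.
# The compiled crash-<hash> binaries and crash-<hash>.log files are skipped on purpose.
list_crash_hashes() {
    for f in "$1"/crash-*.c; do
        [ -f "$f" ] || continue
        h=${f##*/crash-}
        printf '%s\n' "${h%.c}"
    done | sort
}

# reproduce_one DIR HASH: prints "<hash> crashed|no-crash|build-failed"; all tool output
# goes to DIR/crash-<hash>.repro.log so a flaky reproducer can be examined afterwards.
reproduce_one() {
    dir=$1; hash=$2; log=$dir/crash-$hash.repro.log
    if ! (cd "$dir" && make CRASH="$hash") >"$log" 2>&1; then
        echo "$hash build-failed"; return 0
    fi
    if (cd "$dir" && timeout "${REPRO_TIMEOUT:-60}" gramine-direct crash) >>"$log" 2>&1; then
        echo "$hash no-crash"
    else
        echo "$hash crashed"
    fi
}

# summarize: reads "<hash> <status>" lines on stdin and prints the count per status.
summarize() {
    awk '{ n[$2]++ }
         END { printf "crashed=%d no-crash=%d build-failed=%d\n",
                      n["crashed"], n["no-crash"], n["build-failed"] }'
}

# reproduce_all DIR: every crash in turn; per-crash results are kept in DIR/repro-results.txt.
reproduce_all() {
    dir=$1
    list_crash_hashes "$dir" | while read -r h; do
        reproduce_one "$dir" "$h"
    done | tee "$dir/repro-results.txt" | summarize
}

if [ "${REPRO_RUN:-0}" = 1 ]; then reproduce_all "${1:-.}"; fi
```

Invoke it as `REPRO_RUN=1 sh repro-all.sh $WORKDIR/gramine-outputs/crashes` after the two `ln -s` lines above. A hash listed as no-crash is not necessarily a false positive: the original crash may depend on timing, so compare crash-<hash>.log with crash-<hash>.repro.log before discarding it.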
This is not an official Google product.