Description

I want to set up a local kernel fuzzing environment using Syzkaller [0] to better understand its architecture. My focus will be on input mutation logic, subsystem modeling, and how coverage descriptions are currently structured. I'm particularly interested in rapidly evolving subsystems like io_uring and BPF to see where fuzzing descriptions might be incomplete or outdated. I'd like to write at least one custom syzlang definition to better understand the process and identify potential coverage improvements.

Goals

  1. Infrastructure: Build and tune a self-hosted fuzzing setup optimized for kernel testing on my home server.
  2. Research: Understand how Syzkaller generates and mutates inputs, how subsystem descriptions are structured in syzlang, and where improvements or new descriptions could help expand coverage in undertested areas.
  3. Coverage Work: Write at least one custom Syzkaller description to reach currently untested kernel paths, with documentation of what gap it fills.
  4. Crash Analysis (if any occur): Triage and analyze any unique crashes discovered during the project.

Stretch Goals (Time Permitting)

I have a backlog of previously triaged CVEs. While Syzkaller runs, I'd like to attempt exploiting at least one of them. My focus would primarily be privilege escalation exploits, though I have several CVEs with some possible unusual attack paths worth investigating.

Resources

[0] https://github.com/google/syzkaller

This project is part of:

Hack Week 25

Activity

  • about 1 hour ago: jpovoas started this project.
  • about 1 hour ago: jpovoas originated this project.
