SyzScope is a research project that aims to reveal high-risk security bugs from Syzbot. Learn more details in our paper.

LinuxSafety-Security/SyzScope

SyzScope

  1. What is SyzScope?
  2. Why did we develop SyzScope?
  3. Access the paper
  4. Setup
    1. Docker - Recommended
      1. image - ready2go
      2. image - mini
    2. Manually setup
      1. Let's warm up
      2. Install requirements
      3. Tweak pwntools
      4. Using UTF-8 encoding
  5. Tutorial
  6. Common Issues

THIS VERSION CONDUCTED ALL EXPERIMENTS FOR USENIX SECURITY 22. FOR UPDATES, FOLLOW THE MAIN REPO -> SyzScope

What is SyzScope?

SyzScope is a system that can automatically uncover high-risk impacts given a bug with only low-risk impacts.

Why did we develop SyzScope?

A major problem of current fuzzing platforms is that they neglect a critical function that should have been built-in: evaluation of a bug's security impact. It is well-known that the lack of understanding of security impact can lead to delayed bug fixes as well as patch propagation. Therefore, we developed SyzScope to reveal the potential high-risk bugs among seemingly low-risk bugs on syzbot.

More details?

Access our paper here

@inproceedings {277242,
title = {{SyzScope}: Revealing {High-Risk} Security Impacts of {Fuzzer-Exposed} Bugs in Linux kernel},
booktitle = {31st USENIX Security Symposium (USENIX Security 22)},
year = {2022},
address = {Boston, MA},
url = {https://www.usenix.org/conference/usenixsecurity22/presentation/zou},
publisher = {USENIX Association},
month = aug,
}

Setup

Docker - Recommended

Image - ready2go (18.39 GB)

docker pull etenal/syzscope:ready2go
docker run -it -d --name syzscope -p 2222:22 --privileged etenal/syzscope:ready2go
docker attach syzscope
Inside the docker container:

Everything is ready to go

cd /root/SyzScope
git pull
Image - mini (400 MB)

docker pull etenal/syzscope:mini
docker run -it -d --name syzscope --privileged etenal/syzscope:mini
docker attach syzscope
Inside the docker container:
cd /root/SyzScope
git pull
. venv/bin/activate
python3 syzscope --install-requirements

Manually setup

Note: SyzScope was only tested on Ubuntu 18.04.

Let's warm up

apt-get update
apt-get -y install git python3 python3-pip python3-venv sudo
git clone https://github.com/plummm/SyzScope.git
cd SyzScope/
python3 -m venv venv
. venv/bin/activate
pip3 install -r requirements.txt
Install the required packages and compile the essential tools:

python3 syzscope --install-requirements
Tweak pwntools

Pwntools prints unnecessary debug information when starting or stopping a new process (e.g., gdb) or opening a new connection (e.g., connecting to the QEMU monitor). To disable such output, we add one line to its source code.

vim venv/lib/<YOUR_PYTHON>/site-packages/pwnlib/log.py

Add logger.propagate = False to class Logger(object)

class Logger(object):
    ...
    def __init__(self, logger=None):
        ...
        logger = logging.getLogger(logger_name)
        logger.propagate = False  # <-- add this line here
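The same tweak can be applied without opening an editor. The script below is an added example, not part of the SyzScope project: it locates pwnlib/log.py under the venv (the lib/python*/site-packages layout is an assumption), inserts `logger.propagate = False` directly after the `logging.getLogger(logger_name)` line with matching indentation, and leaves the file untouched if the line is already there.

```python
"""Apply the pwntools log.py tweak from the SyzScope setup notes.

Added example, not SyzScope's own code. It inserts
`logger.propagate = False` directly after the line
`logger = logging.getLogger(logger_name)` inside pwnlib/log.py,
keeping the surrounding indentation, and does nothing if the
tweak is already present (safe to re-run).
"""
import re
import sys
from pathlib import Path

# Anchor line as it appears in pwnlib.log.Logger.__init__; group 1 = indentation.
ANCHOR = re.compile(r"^(\s*)logger\s*=\s*logging\.getLogger\(logger_name\)\s*$")
TWEAK = "logger.propagate = False"


def patch_log_source(text: str) -> str:
    """Return the patched source; unchanged if already patched or anchor missing."""
    lines = text.splitlines(keepends=True)
    out = []
    for i, line in enumerate(lines):
        out.append(line)
        m = ANCHOR.match(line.rstrip("\r\n"))
        if not m:
            continue
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if nxt == TWEAK:
            continue  # already applied, keep idempotent
        newline = "\r\n" if line.endswith("\r\n") else "\n"
        if not line.endswith("\n"):  # anchor was the last line without newline
            out[-1] = line + newline
        out.append(f"{m.group(1)}{TWEAK}{newline}")
    return "".join(out)


def find_log_py(venv: Path) -> Path:
    """Locate pwnlib/log.py under the venv (path layout is an assumption)."""
    hits = sorted(venv.glob("lib/python*/site-packages/pwnlib/log.py"))
    if not hits:
        raise FileNotFoundError(f"pwnlib/log.py not found under {venv}")
    return hits[0]


if __name__ == "__main__":
    target = find_log_py(Path(sys.argv[1] if len(sys.argv) > 1 else "venv"))
    original = target.read_text(encoding="utf-8")
    updated = patch_log_source(original)
    if updated == original:
        print(f"{target}: no change (already patched or anchor not found)")
    else:
        target.write_text(updated, encoding="utf-8")
        print(f"{target}: inserted '{TWEAK}'")
```

Run it from the SyzScope directory after `pip3 install -r requirements.txt`, optionally passing the venv path as the first argument.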
Make sure you are using UTF-8 encoding

Use UTF-8 encoding to run pwndbg properly.

SyzScope should install UTF-8 when you install the requirements.

To make sure UTF-8 is used by default, add the following commands to .bashrc or whichever shell init script you use.

export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8

Tutorial

Getting started

Workzone Structure

Inspect results

PoC Reproduce

Fuzzing

Static Taint Analysis

Symbolic Execution

Example

WARNING: held lock freed! (CVE-2018-25015)


Common Issues

Check out common issues
