Enhancing Linux Kernel Fuzzing via Exploit-Driven Seed Generation

zzqq0212/Sunflower

Sunflower

Sunflower is an initial corpus generator that leverages existing exploits and proof-of-concept examples. It is specifically designed to meet the critical requirements of industry deployments by facilitating the construction of a high-quality seed corpus based on bugs found in the wild. By collecting and analyzing numerous real-world exploits responsible for kernel vulnerabilities, the tool extracts the essential system call sequences while also rectifying execution dependency errors.

Here we provide installation steps for building Sunflower and using it for kernel fuzzing.

Build

The latest copy of the corpus file corpus.db is available in the releases for this repository. The explotis-datas folder contains the raw exploit data. The files folder contains some trace examples that we obtained by executing the compiled exploit programs under the strace tool.
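The trace-to-seed step the description above refers to (taking an exploit's strace output, extracting its system call sequence and repairing execution dependency errors) is not shown in this README. The following is an added illustration in Python, not Sunflower's own code, run over a constructed strace excerpt. It assumes plain strace output (one completed call per line, no -f pid or -t time prefixes), treats only the first argument of the listed calls as a file descriptor, and writes the result in a syzkaller-like notation where rN names the resource an earlier call returned.

```python
"""Added example (not Sunflower's own code): extract a syscall sequence from an
strace log and repair its execution dependencies.  Assumes plain strace output
(one completed call per line, no -f/-t prefixes) and that only the first
argument of the calls in FD_CONSUMERS is a file descriptor."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed trace excerpt in strace's output format.  The write() on fd 7
# uses a descriptor no earlier call returned, so a seed replaying the sequence
# verbatim would carry a dependency error.
SAMPLE_TRACE = """\
openat(AT_FDCWD, "/dev/net/tun", O_RDWR) = 3
ioctl(3, TUNSETIFF, 0x7ffd1c2e0a40) = 0
socket(AF_INET, SOCK_DGRAM, 0) = 4
write(7, "ping", 4) = -1 EBADF (Bad file descriptor)
write(3, "hello", 5) = 5
close(4) = 0
close(3) = 0
exit_group(0) = ?
"""

# Calls that return a new fd, and calls whose first argument is an fd.
FD_PRODUCERS = {"open", "openat", "socket", "accept", "accept4",
                "dup", "dup2", "dup3", "eventfd2", "memfd_create"}
FD_CONSUMERS = {"read", "write", "ioctl", "close", "bind", "connect", "listen",
                "setsockopt", "getsockopt", "sendto", "recvfrom", "fcntl",
                "dup", "dup2", "dup3"}

# name(args) = ret, where ret is an integer or '?' (process already gone)
LINE_RE = re.compile(r"^(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+|\?)")


@dataclass
class Call:
    name: str
    args: list[str]
    ret: int | None


def split_args(s: str) -> list[str]:
    """Split strace argument text on top-level commas (quotes/brackets respected)."""
    out, buf, depth, in_str = [], [], 0, False
    i = 0
    while i < len(s):
        c = s[i]
        if in_str:
            buf.append(c)
            if c == "\\" and i + 1 < len(s):  # keep the escaped character verbatim
                i += 1
                buf.append(s[i])
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            buf.append(c)
        elif c in "([{":
            depth += 1
            buf.append(c)
        elif c in ")]}":
            depth -= 1
            buf.append(c)
        elif c == "," and depth == 0:
            out.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        out.append(tail)
    return out


def parse_trace(text: str) -> list[Call]:
    """Parse completed calls; signal lines, '+++ exited' and unfinished calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ret = None if m["ret"] == "?" else int(m["ret"])
        calls.append(Call(m["name"], split_args(m["args"]), ret))
    return calls


def to_program(calls: list[Call]) -> tuple[list[str], list[tuple[str, str]]]:
    """Rewrite fd numbers as resources rN and drop calls whose fd was never produced."""
    live: dict[int, str] = {}  # fd number in the trace -> resource name
    program: list[str] = []
    dropped: list[tuple[str, str]] = []
    n_res = 0
    for call in calls:
        args = list(call.args)
        text = f"{call.name}({', '.join(args)})"
        if call.name in FD_CONSUMERS and args:
            if not args[0].lstrip("-").isdigit():
                dropped.append((text, f"non-numeric fd argument {args[0]!r}"))
                continue
            fd = int(args[0])
            if fd not in live:
                # dependency error: the fd was never produced, or was already closed
                dropped.append((text, f"fd {fd} not produced by an earlier call"))
                continue
            args[0] = live[fd]
            if call.name == "close":
                del live[fd]
        stmt = f"{call.name}({', '.join(args)})"
        if call.name in FD_PRODUCERS and call.ret is not None and call.ret >= 0:
            res = f"r{n_res}"
            n_res += 1
            live[call.ret] = res
            stmt = f"{res} = {stmt}"
        program.append(stmt)
    return program, dropped


if __name__ == "__main__":
    program, dropped = to_program(parse_trace(SAMPLE_TRACE))
    print("\n".join(program))
    for text, why in dropped:
        print(f"# dropped {text}: {why}")
```

Dropping a call with an unresolved dependency is one policy; an alternative used in practice is to synthesize the missing producer. Either way, the output keeps the ordering and argument values the exploit actually used, which is what makes such traces more valuable as seeds than generated programs.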

Install Prerequisites

Basic dependencies (Debian or Ubuntu as an example):

```bash
sudo apt update
sudo apt install make gcc flex bison libncurses-dev libelf-dev libssl-dev
```

GCC

If your distro's GCC is older, it's preferable to get the latest GCC from this list. Download and unpack it into $GCC; you should then have the GCC binaries in $GCC/bin/.

Ubuntu 20.04 LTS: You can ignore this section. GCC is up-to-date.

```bash
ls $GCC/bin/
# Sample output:
# cpp     gcc-ranlib  x86_64-pc-linux-gnu-gcc        x86_64-pc-linux-gnu-gcc-ranlib
# gcc     gcov        x86_64-pc-linux-gnu-gcc-9.0.0
# gcc-ar  gcov-dump   x86_64-pc-linux-gnu-gcc-ar
# gcc-nm  gcov-tool   x86_64-pc-linux-gnu-gcc-nm
```

Install golang

Sunflower is written in Go, so make sure Go is installed before building it.

```bash
# Fetch a Go toolchain and point GOROOT/GOPATH at the unpacked copy
wget https://dl.google.com/go/go1.22.4.linux-amd64.tar.gz
tar -xf go1.22.4.linux-amd64.tar.gz
mv go goroot
mkdir gopath
export GOPATH=`pwd`/gopath
export GOROOT=`pwd`/goroot
export PATH=$GOPATH/bin:$PATH
export PATH=$GOROOT/bin:$PATH
```

Prepare Kernel

Here we use Linux kernel v6.5 (Enable Real time Config) as an example. First we need a compilable Linux kernel tree:

```bash
# Download the Linux kernel source and check out the v6.5 commit used here
git clone https://github.com/torvalds/linux
cd linux
export KERNEL=$(pwd)   # later steps refer to the kernel tree as $KERNEL
git checkout -f 2dde18c
```

After we have the Linux kernel, we need to compile it with the fuzzing-related options enabled:

```bash
# Start from the default config plus the KVM guest options
make defconfig
make kvm_guest.config   # 'make kvmconfig' was removed in v5.11; this target replaces it
# Append the modified configuration to .config (the original steps did this by editing .config in vim)
cat >> .config <<'EOF'
CONFIG_KCOV=y
CONFIG_DEBUG_INFO=y
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
CONFIG_CONFIGFS_FS=y
CONFIG_SECURITYFS=y
EOF
# Make it! olddefconfig resolves the new options against their dependencies first
make olddefconfig
make -j32
```

Now we should have vmlinux (kernel binary) and bzImage (packed kernel image):

```bash
$ ls $KERNEL/vmlinux
$KERNEL/vmlinux
$ ls $KERNEL/arch/x86/boot/bzImage
$KERNEL/arch/x86/boot/bzImage
```

Prepare Image

```bash
sudo apt-get install debootstrap
export IMAGE=$(pwd)   # the directory the image is created in; later steps refer to it as $IMAGE
cd $IMAGE/
wget https://raw.githubusercontent.com/google/syzkaller/master/tools/create-image.sh -O create-image.sh
chmod +x create-image.sh
./create-image.sh
```

Now we have an image, stretch.img, and an SSH key pair (stretch.id_rsa and stretch.id_rsa.pub) for logging into it.

Compile sunflower

```bash
make
mkdir workdir
cd workdir
wget https://github.com/zzqq0212/Sunflower/releases/download/latest/corpus.db
cd ..   # syz-manager is run from the Sunflower root, where "workdir": "./workdir" resolves
```

As a result, the compiled binaries should appear in the bin/ directory.

Ready QEMU

Install QEMU:

```bash
sudo apt-get install qemu-system-x86
```

Make sure the kernel boots and sshd starts:

```bash
qemu-system-x86_64 \
	-m 2G \
	-smp 2 \
	-kernel $KERNEL/arch/x86/boot/bzImage \
	-append "console=ttyS0 root=/dev/sda earlyprintk=serial net.ifnames=0" \
	-drive file=$IMAGE/stretch.img,format=raw \
	-net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 \
	-net nic,model=e1000 \
	-enable-kvm \
	-nographic \
	-pidfile vm.pid \
	2>&1 | tee vm.log
```

See if ssh works (the forwarded port 10021 reaches the guest's sshd):

```bash
ssh -i $IMAGE/stretch.id_rsa -p 10021 -o "StrictHostKeyChecking no" root@localhost
```

To kill the running QEMU instance press Ctrl+A and then X, or run:

```bash
kill $(cat vm.pid)
```

If QEMU works, the kernel boots and ssh succeeds, shut down QEMU and try to run Sunflower.

Now we can prepare a config.json file. The JSON is read by syz-manager, not by a shell, so replace $KERNEL, $IMAGE and $SUNFLOWER (the directory of the Sunflower checkout, which contains bin/) with absolute paths. kernel_obj is the kernel build directory that contains vmlinux, and vm.kernel is the bzImage that QEMU boots.

```json
{
        "target": "linux/amd64",
        "http": "127.0.0.1:56295",
        "workdir": "./workdir",
        "cover": false,
        "kernel_obj": "$KERNEL",
        "image": "$IMAGE/stretch.img",
        "sshkey": "$IMAGE/stretch.id_rsa",
        "syzkaller": "$SUNFLOWER",
        "procs": 2,
        "type": "qemu",
        "vm": {
                "count": 2,
                "kernel": "$KERNEL/arch/x86/boot/bzImage",
                "cpu": 2,
                "mem": 4096
        }
}
```

Now we can run it:

```bash
./bin/syz-manager -config config.json
```

The syz-manager process will boot the VMs and start fuzzing in them. Found crashes, statistics and other information are exposed on the HTTP address specified in the manager config.
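Because the config is parsed by syz-manager rather than a shell, leftover $KERNEL-style placeholders and a vmlinux path given where bzImage is expected are the usual reasons a first run fails. The following added Python helper, not part of Sunflower, builds the config from the three directories prepared above and checks the referenced files before writing config.json. It assumes the upstream syzkaller meaning of kernel_obj (the kernel build directory containing vmlinux) and the stretch.img / stretch.id_rsa names that create-image.sh produced in the steps above.

```python
"""Added example (not Sunflower's own code): build the syz-manager config from
absolute paths and check it before launching.  Assumes upstream syzkaller config
semantics: kernel_obj is the kernel build directory that contains vmlinux,
vm.kernel is the bzImage QEMU boots, image/sshkey are the files create-image.sh wrote."""
from __future__ import annotations

import json
import os
import re

# $KERNEL, $(Kernel), ${IMAGE}: shell placeholders that JSON never expands
PLACEHOLDER = re.compile(r"\$[({]?\w+[)}]?")


def build_config(kernel_dir: str, image_dir: str, sunflower_dir: str,
                 http: str = "127.0.0.1:56295", vms: int = 2, procs: int = 2) -> dict:
    """Config for the qemu / linux-amd64 layout used in this README."""
    k, i, s = (os.path.abspath(p) for p in (kernel_dir, image_dir, sunflower_dir))
    return {
        "target": "linux/amd64",
        "http": http,
        "workdir": os.path.join(s, "workdir"),
        "cover": False,
        "kernel_obj": k,                                 # build dir, not the vmlinux file
        "image": os.path.join(i, "stretch.img"),
        "sshkey": os.path.join(i, "stretch.id_rsa"),     # private key, not the .pub
        "syzkaller": s,                                  # checkout containing bin/
        "procs": procs,
        "type": "qemu",
        "vm": {
            "count": vms,
            "kernel": os.path.join(k, "arch", "x86", "boot", "bzImage"),
            "cpu": 2,
            "mem": 4096,
        },
    }


def check_config(cfg: dict, exists=os.path.exists) -> list[str]:
    """Return a list of problems; an empty list means the config is ready.

    `exists` is injectable so the check can run against a fake file set."""
    problems: list[str] = []
    paths = {
        "kernel_obj/vmlinux": os.path.join(cfg["kernel_obj"], "vmlinux"),
        "vm.kernel": cfg["vm"]["kernel"],
        "image": cfg["image"],
        "sshkey": cfg["sshkey"],
        "syzkaller/bin/syz-manager": os.path.join(cfg["syzkaller"], "bin", "syz-manager"),
    }
    for key, path in paths.items():
        if PLACEHOLDER.search(path):
            problems.append(f"{key}: unexpanded placeholder in {path!r}")
        elif not exists(path):
            problems.append(f"{key}: {path} does not exist")
    if os.path.basename(cfg["vm"]["kernel"]) != "bzImage":
        problems.append("vm.kernel: QEMU boots the packed bzImage, not vmlinux")
    if cfg["vm"]["count"] < 1 or cfg["procs"] < 1:
        problems.append("vm.count and procs must be positive")
    return problems


def write_config(cfg: dict, path: str = "config.json") -> None:
    with open(path, "w") as f:
        json.dump(cfg, f, indent=8)


if __name__ == "__main__":
    import sys
    # usage: python gen_config.py <kernel dir> <image dir> <sunflower dir>
    dirs = sys.argv[1:4] if len(sys.argv) == 4 else ("linux", "image", ".")
    cfg = build_config(*dirs)
    for p in check_config(cfg):
        print("problem:", p)
    write_config(cfg)
```

Run it from the Sunflower root before the first `./bin/syz-manager -config config.json`; any line it prints names the file or setting to fix.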

Experiment Results

Host Machine System Configuration

  CPU: 128 cores
  Memory: 32GB
  Ubuntu 22.04.4 LTS (jammy)

Virtual Machine Resource Configuration

  2 vCPUs + 2GB memory

Test targeted Linux Version

We chose Linux kernel v5.15, v6.1, v6.3.4 and v6.5 as our test kernel targets; v6.5 was the latest release at the time we conducted the experiments. Each kernel version uses the same compilation configuration, with the KCOV and KASAN options enabled in order to collect code coverage and detect memory errors. When the KCSAN configuration was used, the same configuration was used in the control test.

Coverage over time

Average over 10 VMs (2 vCPUs and 2G RAM each) for 48 hours.

[Figure: coverage over time; image not reproduced here]

CVEs:

New Bugs Reported:

| Module | Version | Location | Bug Type | Bug Description |
| --- | --- | --- | --- | --- |
| fs/ext4 | v6.5 | `ext4_es_insert_extent` | use-after-free | incorrect read task access causes a use-after-free error |
| arch/x86/kvm | v6.3.4 | `kvm_vcpu_reset` | logic error | kvm virtual cpu reset process causes an error |
| net/8021q | v6.5 | `unregister_vlan_dev` | logic error | invalid opcode at net/8021q/vlan.c causes an error |
| fs/dcache | v6.3.4 | `__d_add` | data race | contention with a read operation at the `__d_add` function |
| net/ipv4 | v6.3.4 | `__netlink_create` | memory leak | unreleased memory objects cause leaks |
| net/ipv6 | v6.5 | `ip6_tnl_exit_batch_net` | logic error | unregistering process of network devices results in an error |
| mm/slab | v6.3.4 | `cache_grow_begin` | memory leak | unreferenced object causes a memory leak |
| net/can | v6.5 | `raw_setsockopt` | deadlock | circular lock acquisition results in a deadlock |
| fs/proc | v6.3.4 | `proc_pid_status` | data race | data race invoking tasks causes a system hang |
| mm/memory | v6.3.4 | `copy_page_range` | data race | unsynchronized access to shared data by threads results in an error |
| fs/dcache | v6.3.4 | `dentry_unlink_inode` | data race | file unlinking operations result in an error |
| fs/proc | v6.3.4 | `task_dump_owner` | data race | unsynchronized thread access to shared data leads to an error |
| fs/f2fs | v6.3.4 | `f2fs_truncate_data_blocks_range` | out-of-bounds | incorrect read operation results in an out-of-bounds error |
| fs/buffer | v6.3.4 | `submit_bh_wbc` | logic error | incorrect write operation causes an invalid opcode error |
| fs/xfs | v6.3.4 | `xfs_btree_lookup_get_block` | logic error | invalid memory access results in an error |
| drivers/block/aoe | v6.3.4 | `aoecmd_cfg` | logic error | jump labels operation causes a kernel hang error |
| mm/mmap | v6.3.4 | `do_vmi_munmap` | logic error | incorrect instruction execution causes a kernel panic |
| fs/udf | v6.3.4 | `udf_finalize_lvid` | use-after-free | invoking the deprecated mand mount option results in a use-after-free bug |
| drivers/block | v6.5 | `sock_xmit` | use-after-free | incorrect memory deallocation causes the use-after-free error |
| kernel/sched | v6.3.4 | `run_rebalance_domains` | logic error | incorrect scheduling operation causes an RCU (Read-Copy-Update) error |
| block/bdev | v6.3.4 | `blkdev_flush_mapping` | deadlock | incorrect filesystem operation causes an error |
| mm/swap | v6.3.4 | `folio_batch_move_lru` / `folio_mark_accessed` | data race | unsynchronized thread access to shared data leads to an error |
| lib/find_bit | v6.3.4 | `_find_first_bit` | data race | unsynchronized thread access to shared data causes an error |
| mm/filemap | v6.3.4 | `filemap_fault` / `page_add_file_rmap` | data race | inconsistent read and write operations result in a data race |
| fs/ext4 | v6.3.4 | `ext4_do_writepages` / `ext4_mark_iloc_dirty` | data race | unsynchronized thread access to shared data causes race contention |
