Hypervisor fuzzing with syzkaller
107 views
Skip to first unread message
funkii
Jun 13, 2022, 7:12:04 AM6/13/22
to syzkaller
Hi everyone,
I'm currently trying to fuzz the secure monitor of Keystone Enclave(https://github.com/keystone-enclave), a TEE framework. I already fuzzed the kernel module of Keystone with success. The interface between userspace and Hypervisor is a kernel module, which i configured to just call one Hypervisor function which 100% leads to a nullpointer dereference for testing purposes. After the crash log of the Hypervisor the system freezes. Syzkaller is configured to fuzz the ioctl's of the kernel module.
My problem is now, Syzkaller doesn't recognize the crashes of the Hypervisor. I think the problem is, the Hypervisor crash messages are not sent through the "normal" linux channels like stdout, but directly to the console or that the linux kernel itself doesnt crash.
Shouldn't syzkaller detect if the machine hangs completely? Or is there a config option which i missed, e.g. to recognize hangs as crashes?
I'd appreciate any help.
Cheers
Dmitry Vyukov
Jun 13, 2022, 7:16:18 AM6/13/22
to funkii, syzkaller
"no output from test machine"
and "lost connection to test machine"
that are created even if nothing particular appears on the console.
So it should not be possible that the machine crashes and stops
fuzzing, but the syz-manager does not notice it.
Don't you see one of these crash types being detected?
funkii
Jun 17, 2022, 5:35:42 AM6/17/22
to syzkaller
Thanks for your answer!
I think my problem was i
didn't leave syzkaller running long enough, that was by bad.
The no output / lost
connection crashes take nearly 10-15 minutes to appear in my setup. Is
there a way to change the timeout limit?
I already looked in the documentation for the config file but didn't manage to find anything.
Dmitry Vyukov
Jun 17, 2022, 6:06:43 AM6/17/22
to funkii, syzkaller
On Fri, 17 Jun 2022 at 11:35, funkii <juda...@gmail.com> wrote:
>
> Thanks for your answer!
> I think my problem was i didn't leave syzkaller running long enough, that was by bad.
> The no output / lost connection crashes take nearly 10-15 minutes to appear in my setup. Is there a way to change the timeout limit?
> I already looked in the documentation for the config file but didn't manage to find anything.
This is not configurable. The target/vm must provide correct numbers.
>
> Thanks for your answer!
> I think my problem was i didn't leave syzkaller running long enough, that was by bad.
> The no output / lost connection crashes take nearly 10-15 minutes to appear in my setup. Is there a way to change the timeout limit?
> I already looked in the documentation for the config file but didn't manage to find anything.
You probably added your own target/vm, so they are giving wrong
numbers then. Start from these locations:
https://github.com/google/syzkaller/blob/cb58b3b231a677b1a6c89cd2af59e4fab10f9144/sys/targets/targets.go#L717
https://github.com/google/syzkaller/blob/cb58b3b231a677b1a6c89cd2af59e4fab10f9144/pkg/mgrconfig/load.go#L184
> Dmitry Vyukov schrieb am Montag, 13. Juni 2022 um 13:16:18 UTC+2:
>>
>> On Mon, 13 Jun 2022 at 13:12, funkii <juda...@gmail.com> wrote:
>> >
>> > Hi everyone,
>> > I'm currently trying to fuzz the secure monitor of Keystone Enclave(https://github.com/keystone-enclave), a TEE framework. I already fuzzed the kernel module of Keystone with success. The interface between userspace and Hypervisor is a kernel module, which i configured to just call one Hypervisor function which 100% leads to a nullpointer dereference for testing purposes. After the crash log of the Hypervisor the system freezes. Syzkaller is configured to fuzz the ioctl's of the kernel module.
>> >
>> > My problem is now, Syzkaller doesn't recognize the crashes of the Hypervisor. I think the problem is, the Hypervisor crash messages are not sent through the "normal" linux channels like stdout, but directly to the console or that the linux kernel itself doesnt crash.
>> >
>> > Shouldn't syzkaller detect if the machine hangs completely? Or is there a config option which i missed, e.g. to recognize hangs as crashes?
>> >
>> > I'd appreciate any help.
>>
>> Yes, syzkaller has 2 special crash types:
>> "no output from test machine"
>> and "lost connection to test machine"
>>
>> that are created even if nothing particular appears on the console.
>> So it should not be possible that the machine crashes and stops
>> fuzzing, but the syz-manager does not notice it.
>> Don't you see one of these crash types being detected?
>
> You received this message because you are subscribed to the Google Groups "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller/b5d6cafa-2b40-4dff-8086-6128e5f0664an%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages