Hi Julia,
On Thu, Oct 16, 2025 at 4:53 PM 'Julia Keadey' via syzkaller <syzk...@googlegroups.com> wrote:
>
> I'm trying to setup network fuzzing with syzkaller. I've written descriptions for the kernel module implementing the protocol I'm fuzzing, but I've gotten stuck debugging my results with a test program, and have a few questions from the process:
>
> 1) The test setup I've been using that seems to work best with the protocol involves setting up two net namespaces with different ips and routes to each other over a veth device. Essentially, I need to trick the kernel into thinking that traffic is coming from a non-local address and net namespaces do the trick. I know I'll eventually need to modify my module to start and stop remote coverage (any advice here is welcome...), but for now I'm just trying to get a test program POC working. I've drawn a lot of inspiration from the TCP setup -
> First, I setup the net namespaces with a script using the IP command.
Do you do it inside the VM? At what point?
> Then syzkaller opens a socket, binds to a port, then calls a pseudo syscall which sends the socket a message (similar to `syz_emit_ethernet`), which is then received. The pseudo syscall changes its netns using `fd = open("/var/run/netns/$NETNS_NAME" ...);\n setns(fd ...);`. I have this working in a C program, but when I use the pseudo syscall, opening the netns fd fails with ENOENT. I was curious if there was some detail of syzkaller sandboxing I missed (I am using sandbox=none)?
Even if sandbox is set to none, syzkaller still creates a networking namespace:
https://github.com/google/syzkaller/blob/master/executor/common_linux.h#L4205-L4207
But we remember the fd of the init namespace and e.g. provide a helper
pseudo syscall to create sockets in that namespace.
https://github.com/google/syzkaller/blob/master/executor/common_linux.h#L2482-L2501
More can be added if necessary.
You can also consider adding the code that sets up the devices to
initialize_netdevices() or initialize_netdevices_init(). This may be
much more straightforward than trying to create and configure them
with syzlang or by invoking some external commands/scripts.
> I also wanted to see if anyone had ever tried fuzzing network protocols with network namespace and veth instead of using the tun/tap interfaces and had any additional advice.
Do you mean using veth and e.g. AF_PACKET to inject the frames? We do
have descriptions for that (sys/linux/socket_packet.txt) and we do set
up some veth devices (grep common_linux.h for veth), but I don't know
to what extent it's covered.
Or do you mean something else?
>
> 2) As far as tooling goes, I've had a lot of struggles with debugging and wondered if there were any better alternatives. I know there's a flag to attach gdb to `syz-execprog`, but I can't get that to actually break on pseudo syscall code. Similarly useful would be a repl of some kind, so I could run the program line by line inspect the state in between. Any advice?
If you're debugging the behaviors that can be observed from the
userspace (e.g. the unexpected errno values), it may be easier to use
the tools/syz-prog2c (can be compiled with `make prog2c`) to convert
your syz program to a C program and debug that C program directly.
It also helps to use syz-execprog's -coverfile flag to record the
sequence of PCs executed in the kernel. You could then run it through
addr2line to see the exact point where execution diverged from your
expectations.
>
> 3) Is there decent documentation of the ports used by syzkaller anywhere? The documentation broadly mentions picking high port numbers to avoid collisions with syzkaller internals, but I can't find anywhere that actually specifies what ports syzkaller *does* use.
Could you please point to the exact documentation file that mentions
high port numbers?
Syzkaller uses one port to serve the web dashboard (which you can
control) and another for receiving connections from the VMs (which can
also be controlled, or automatically assigned a random free port). If
the VM type is qemu, it will also pick port numbers for SSH
connections and serial port output monitoring; these ports will be
between 1024 and 65536.
But it's only relevant for the host machine - the one where you run
syz-manager. It shouldn't matter within the VMs / during fuzzing.
--
Aleksandr
>
> Thanks,
> Julia
>
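An added example (not code from this thread or from syzkaller itself) of the netns switch the question describes, written so the reported failure is diagnosable: it returns -errno from `open()`/`setns()` so ENOENT (no handle at that path) is distinguishable from EPERM, and compares the `/proc/self/ns/net` inode before and after to confirm the switch actually took effect. The namespace name `fuzz-peer` and the `/var/run/netns/` handle directory (the `ip netns` convention) are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define NETNS_DIR "/var/run/netns/" /* assumed: where `ip netns add` bind-mounts handles */

/* Inode of a namespace handle such as /proc/self/ns/net; 0 if it cannot be stat'ed. */
static ino_t ns_inode(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? st.st_ino : 0;
}

/* Switch the calling thread into the named network namespace.
 * Returns 0 when the thread now sits in a different net ns than before,
 * 1 when setns() succeeded but the ns inode did not change (already there),
 * or -errno: ENOENT (handle not present at NETNS_DIR/name), EPERM (no
 * CAP_SYS_ADMIN), EINVAL (fd is not a network namespace). */
static int switch_netns(const char *name) {
    char path[256];
    if (snprintf(path, sizeof path, NETNS_DIR "%s", name) >= (int)sizeof path)
        return -ENAMETOOLONG;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    ino_t before = ns_inode("/proc/self/ns/net");
    int rc = setns(fd, CLONE_NEWNET) == 0 ? 0 : -errno;
    close(fd);
    if (rc == 0 && before != 0 && ns_inode("/proc/self/ns/net") == before)
        return 1; /* setns "succeeded" but nothing changed: wrong or same ns */
    return rc;
}

int main(int argc, char **argv) {
    const char *name = argc > 1 ? argv[1] : "fuzz-peer"; /* constructed default */
    int rc = switch_netns(name);
    if (rc < 0) {
        fprintf(stderr, "switch_netns(%s): %s\n", name, strerror(-rc));
        return 1;
    }
    printf("%s netns %s (inode %lu)\n", rc == 0 ? "entered" : "already in", name,
           (unsigned long)ns_inode("/proc/self/ns/net"));
    return 0;
}
```

Run it as the same user and from the same place as the pseudo syscall would (inside the VM, after the setup script): a -ENOENT here means the handle is simply not visible at that path in that context, which is a different problem from a failed setns().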