Technical analysis of syzkaller-based fuzzing: a story from outside the VaultFuzzer team

HardenedVault wrote: "Later in 2017, an anonymous hacker suggested that HardenedLinux could attempt to form probabilistic associations between corpora and specific code paths, through HardenedLinux

Internal discussion among the maintainers concluded that syzkaller, as a general-purpose framework, still has a lot of room for improvement when used for large-scale QA in production; if the GCP engineers saw it the same way, it could indeed become a more comprehensive QA engineering tool. In 2018, the HardenedLinux maintainer tried using eBPF to collect certain structures and their values at function entry and exit, even where that data had not yet had any effect on the execution flow (because it was captured at the function entry), and called this "kernel state". After completing the PoC prototype and discussing it with the syzkaller community, and after some finer-grained tests, it turned out that this method itself was not suitable for the daily work of QA engineers. It was not until 2020 that a general-purpose fuzzing tool was finally designed and implemented; this project was officially named Harbian-QA, which is also the predecessor of VaultFuzzer.

Later, in a discussion on controlled concurrency testing, some of the content touched on state. In that discussion, Vegard Nossum proposed collecting data accesses by hashing structs and their members, and in less than 24 hours released a PoC prototype of the GCC plugin he had developed for this. The method is very similar to the Clang/LLVM instrumentation that Harbian-QA released in 2020, except that it only collects the hash of the accessed structure and member names. Vegard Nossum's plugin seems to have been developed to trigger concurrency bugs, which differs from Harbian-QA's design goal.

A recent paper, "GREBE: Unveiling Exploitation Potential for Linux Kernel Bugs", claims to have developed a "kernel object-driven" fuzzing method. On analysis, the HardenedVault team found it very similar to the Harbian-QA and Vegard solutions. Vault Labs contacted HardenedLinux's only full-time maintainer, who confirmed that Dongliang Mu, one of the authors of the GREBE paper, had not only followed the progress of Harbian-QA for a long time but had even asked HardenedLinux for help with the content of Harbian-QA; Dongliang Mu is also active in the syzkaller community and may well have read Vegard's PoC. Unfortunately, after swapping out these terms and explanations, GREBE claims that its design is a new kind of kernel fuzzer completed on its own. The GREBE paper spends a lot of space describing why other fuzzers cannot meet its application scenario, yet the whole paper cites neither Harbian-QA nor Vegard's PoC. Although we do not know how modern academia works, judging this kind of "copy + paste + replace" without a citation by common sense, it is obviously contrary to the academic tradition going back to Plato's time. Hopefully RR's HardenedVault will remain "We're neither academia bitch nor industry leech." Not a red pill choice, is it?
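The struct-access hashing described above (Vegard Nossum's name-only hash, and the earlier eBPF experiment that also captured member values) is easiest to see on a table-driven state machine, where plain edge coverage cannot tell inputs apart. The C program below is an added illustrative model written for this page; it is not Harbian-QA, VaultFuzzer, Vegard Nossum's GCC plugin or syzkaller code, and its struct name (conn), macros (COV, TRACE_FIELD), transition table and event sequences are all constructed for the demonstration. COV models what edge instrumentation emits per basic block; TRACE_FIELD models what a struct-access instrumentation pass would emit per member access, with a switch between hashing names only and hashing names plus the current value.

```c
/* Added illustrative model: edge coverage vs. struct-access ("kernel state")
 * feedback on a table-driven state machine. Not Harbian-QA, VaultFuzzer,
 * Vegard Nossum's GCC plugin or syzkaller code; all names are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAP_SIZE 65536
static uint8_t edge_map[MAP_SIZE];  /* models a KCOV/AFL-style edge hit map */
static uint8_t state_map[MAP_SIZE]; /* models the added struct-access map   */
static int hash_values = 1;         /* 1: hash (struct, member, value);
                                       0: hash (struct, member) names only */

static uint32_t fnv1a(const void *data, size_t len, uint32_t h)
{
    const uint8_t *p = data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* What edge instrumentation would emit at the start of each basic block. */
#define COV(id) (edge_map[(id) % MAP_SIZE]++)

/* What a struct-access instrumentation pass would emit at each member access. */
static void record_field(const char *st, const char *mb, const void *val, size_t len)
{
    uint32_t h = 0x811c9dc5u;
    h = fnv1a(st, strlen(st), h);
    h = fnv1a(mb, strlen(mb), h);
    if (hash_values)
        h = fnv1a(val, len, h);
    state_map[h % MAP_SIZE]++;
}
#define TRACE_FIELD(stype, obj, member) \
    record_field(#stype, #member, &(obj)->member, sizeof((obj)->member))

/* Toy connection object driven by a 4-state, 3-event transition table. */
enum { CLOSED, LISTEN, ESTABLISHED, CLOSING, NSTATES };
enum { EV_OPEN, EV_DATA, EV_CLOSE, NEVENTS };
struct conn { int state; unsigned rx; };

static const int next_state[NSTATES][NEVENTS] = {
    [CLOSED]      = { LISTEN,      CLOSED,      CLOSED  },
    [LISTEN]      = { ESTABLISHED, LISTEN,      CLOSED  },
    [ESTABLISHED] = { ESTABLISHED, ESTABLISHED, CLOSING },
    [CLOSING]     = { CLOSING,     CLOSING,     CLOSED  },
};

/* One basic block, no branches: every input produces the same edge coverage. */
static void conn_step(struct conn *c, int ev)
{
    COV(1);
    TRACE_FIELD(conn, c, state);
    c->state = next_state[c->state][ev % NEVENTS];
    TRACE_FIELD(conn, c, rx);
    c->rx += (ev == EV_DATA);
}

/* Hash of which map slots were hit (hit counts are ignored). */
static uint32_t hit_signature(const uint8_t *map)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < MAP_SIZE; i++) {
        uint8_t hit = map[i] != 0;
        h = fnv1a(&hit, 1, h);
    }
    return h;
}

struct sig { uint32_t edges; uint32_t state; int final_state; };

/* Replay one event sequence from a fresh conn and return its signatures. */
struct sig run_input(const uint8_t *events, size_t n)
{
    memset(edge_map, 0, sizeof edge_map);
    memset(state_map, 0, sizeof state_map);
    struct conn c = { CLOSED, 0 };
    for (size_t i = 0; i < n; i++)
        conn_step(&c, events[i]);
    struct sig s = { hit_signature(edge_map), hit_signature(state_map), c.state };
    return s;
}

/* Constructed inputs: A drives the FSM to ESTABLISHED, B never leaves CLOSED. */
static const uint8_t SEQ_A[3] = { EV_OPEN, EV_OPEN, EV_DATA };
static const uint8_t SEQ_B[3] = { EV_CLOSE, EV_CLOSE, EV_CLOSE };

int edge_feedback_distinguishes(void)
{
    struct sig a = run_input(SEQ_A, 3), b = run_input(SEQ_B, 3);
    return a.edges != b.edges;
}

int state_feedback_distinguishes(int with_values)
{
    hash_values = with_values;
    struct sig a = run_input(SEQ_A, 3), b = run_input(SEQ_B, 3);
    return a.state != b.state;
}

int main(void)
{
    printf("edge coverage distinguishes A/B:      %d\n", edge_feedback_distinguishes());
    printf("name-only struct hash distinguishes:  %d\n", state_feedback_distinguishes(0));
    printf("name+value struct hash distinguishes: %d\n", state_feedback_distinguishes(1));
    return 0;
}
```

Both inputs execute the same single basic block three times, so edge coverage and the name-only hash see one and the same input; only the value-sensitive hash notices that input A reached LISTEN and ESTABLISHED. The flip side is visible in the same model: hashing the raw value of a field that changes on every call, such as a counter like rx, creates a fresh slot per value, which is why value-level state feedback is noisy in practice and why a name-only hash is the cheaper, more stable signal for concurrency-oriented use.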

This article is reprinted from: https://www.solidot.org/story?sid=72384
This site only aggregates the article; the copyright belongs to the original author.
