• Stars
    star
    156
  • Rank 239,589 (Top 5 %)
  • Language
    C
  • License
    MIT License
  • Created over 5 years ago
  • Updated over 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Hydra: an Extensible Fuzzing Framework for Finding Semantic Bugs in File Systems

Hydra: An Extensible Fuzzing Framework for Finding Semantic Bugs in File Systems

Paper

Overview

Hydra is a state-of-the-art fuzzing framework for file systems. It provides building blocks for file system fuzzing, including multi-dimensional input mutators, feedback engines, a libOS-based executor, and a bug reproducer with test case minimizer. Developers only need to focus on writing (or bringing in) a checker which defines the core logic for finding the types of bugs of their own interests. Along with the framework, this repository includes our in-house developed crash consistency checker (SymC3), with which 11 new crash consistency bugs were revealed from ext4, Btrfs, F2FS, and from two verified file systems: FSCQ and Yxv6.

This repository is provided under the terms of MIT license.

Contents

  • General code base

    • src/combined: Hydra input mutator
    • src/lkl/tools/lkl/{FS}-combined-consistency: Hydra LibOS-based Executor (will be downloaded and compiled during setup)
  • Checkers

    • src/emulator: Hydra's in-house crash consistency checker, SymC3

System requirements

Hydra requires Ubuntu 18.04. A compatibility issue is found in Ubuntu 20.04, and we are working on a fix.

Setup

1. All setup should be done under src

$ cd src

2. Install dependencies

./dep.sh

3. Compile for each file system

$ make build-btrfs-imgwrp
  • We can do the same for other file systems:
$ make build-ext4-imgwrp
$ make build-f2fs-imgwrp
$ make build-xfs-imgwrp
  • (Skip if you want to test the latest kernel) To reproduce bugs presented in the SOSP'19 paper, do the following to back-port LKL to kernel 4.16.
$ mv lkl lkl-master # (pwd: proj_root/src)
$ git clone https://github.com/sslab-gatech/lkl-hydra.git lkl
$ cd lkl
$ git checkout v4.16-backport
$ ./compile -t btrfs
$ cd .. (pwd: proj_root/src)

4. Set up environments

$ sudo ./prepare_fuzzing.sh
$ ./prepare_env.sh

5. Run fuzzing (single / multiple instance)

  • Single instance
$ ./run.py -t [fstype] -c [cpu_id] -l [tmpfs_id] -g [fuzz_group]

-t: choose from btrfs, f2fs, ext4, xfs
-c: cpu id to run this fuzzer instance
-l: tmpfs id to store logs (choose one from /tmp/mosbench/tmpfs-separate/)
-g: specify group id for parallel fuzzing, default: 0

e.g., ./run.py -t btrfs -c 4 -l 10 -g 1
Runs btrfs fuzzer, and pins the instance to Core #4.
Logs will be accumulated under /tmp/mosbench/tmpfs-separate/10/log/ .
  • You can also run multiple fuzzers in parallel by doing:
[Terminal 1] ./run.py -t btrfs -c 1 -l 10 -g 1
[Terminal 2] ./run.py -t btrfs -c 2 -l 10 -g 1
[Terminal 3] ./run.py -t btrfs -c 3 -l 10 -g 1
[Terminal 4] ./run.py -t btrfs -c 4 -l 10 -g 1
// all btrfs bug logs will be under /tmp/mosbench/tmpfs-separate/10/log/

[Terminal 5] ./run.py -t f2fs -c 5 -l 11 -g 2
[Terminal 6] ./run.py -t f2fs -c 6 -l 11 -g 2
[Terminal 7] ./run.py -t f2fs -c 7 -l 11 -g 2
[Terminal 8] ./run.py -t f2fs -c 8 -l 11 -g 2
// all f2fs bug logs will be under /tmp/mosbench/tmpfs-separate/11/log/

6. Important note

It is highly encouraged that you use separate input, output, log directories for each file system, unless you are running fuzzers in parallel. If you reuse the same directories from previous testings of other file systems, it won't work properly.

7. Experiments

Please refer to EXPERIMENTS.md for detailed experiment information.

Contacts

More Repositories

1

Rudra

Rust Memory Safety & Undefined Behavior Detection
Rust
1,314
star
2

qsym

QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing
C++
627
star
3

winnie

Winnie is an end-to-end system that makes fuzzing Windows applications easy
C
528
star
4

pwn2own2020

Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities
C++
401
star
5

DrK

The DrK Attack - Proof of concept
Python
343
star
6

opensgx

OpenSGX
C
288
star
7

avpass

Tool for leaking and bypassing Android malware detection system
Smali
283
star
8

DIE

Fuzzing JavaScript Engines with Aspect-preserving Mutation
TypeScript
221
star
9

janus

Janus: a state-of-the-art file system fuzzer on Linux
C
206
star
10

ArcHeap

ArcHeap: Automatic Techniques to Systematically Discover New Heap Exploitation Primitives
C
141
star
11

freedom

A DOM fuzzer
Python
139
star
12

cs3210-rustos-public

Lab assignments for Georgia Tech CS 3210 "Design of Operating Systems"
Rust
111
star
13

perf-fuzz

C
94
star
14

sgx-tutorial-ccs17

SGX Tutorial at CCS17: SGX Security and Privacy
83
star
15

mosaic

C++
78
star
16

autofz

autofz: Automated Fuzzer Composition at Runtime
C
72
star
17

apollo

A toolchain for automatically detecting, reporting, and diagnosing performance bugs in DBMSs.
HCL
68
star
18

kernel-analyzer

C++
65
star
19

fuzzification

We hinder fuzzing
C
64
star
20

apisan

APISan: Sanitizing API Usages through Semantic Cross-Checking
C++
60
star
21

fxmark

FxMark: Filesystem Multicore Scalability Benchmark
Filebench WML
58
star
22

libmpk

C
48
star
23

deadline

C++
45
star
24

unisan

UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages
C++
43
star
25

shfllock

C
40
star
26

Rudra-PoC

Trophy case for Rudra bugs.
Rust
36
star
27

DIE-corpus

Corpus set used by DIE
Raku
36
star
28

aslr-guard

Preventing code-reuse attacks by stopping code pointer leakages
35
star
29

sgx101-gitbook

Synced with SGX101 gitbook.
30
star
30

kenali-kernel

Modified Nexus 9 kernel for Kenali Project
C
29
star
31

krace

Source code release for the KRace project
Python
27
star
32

hdfi

Hardware-assisted Data-flow Isolation
C
26
star
33

t-sgx

Compiler-based tool that protects Intel SGX applications against controlled-channel attacks
C++
26
star
34

caver

C++
25
star
35

juxta

C++
23
star
36

sgx-bomb

Makefile
15
star
37

RoboFuzz

Fuzzing framework for Robot Operating System (ROS) and ROS-based robotic systems
Python
15
star
38

cst-locks

C
13
star
39

SNAP

C
12
star
40

platpal

C++
12
star
41

blockchain-lab-pwneth

Solidity
11
star
42

ucognito

C
11
star
43

branch-shadowing

The branch shadowing attack: Proof of concept
C++
10
star
44

latr

Latr: Lazy Translation Coherence - ASPLOS'18
C
10
star
45

desensitization

Python
10
star
46

Rudra-Artifacts

Rudra's artifact evaluation submission
Rust
8
star
47

fakeroot-p

Makefile
8
star
48

vbench

VBench: Multicore Scalability Application Benchmark
Python
8
star
49

lkl-hydra

C
7
star
50

Pridwen

Universally Hardening SGX Programs via Load-Time Synthesis
C++
7
star
51

Sense

Code for Sense (NDSS'24)
C++
6
star
52

AndroidCoverageAgent

Coverage gathering JVMTI agent for Android
C++
6
star
53

kup

Prototype for seamlessly updating Linux kernel with application checkpoint-and-restart
5
star
54

eCS

Enlightened Critical Sections
C
4
star
55

bunshin

Python
4
star
56

playcrawl

Crawler for Googleplay
HTML
4
star
57

ordo

C
3
star
58

ACon2

Solidity
3
star
59

lkl

C
2
star
60

sgx101

A place to start designing application with Intel SGX in mind.
HTML
2
star
61

AndroidIntentFuzzer

Greybox fuzzing for Android Intent receivers
Kotlin
1
star