• Stars
    star
    206
  • Rank 190,504 (Top 4 %)
  • Language
    C
  • License
    MIT License
  • Created over 5 years ago
  • Updated almost 5 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Janus: a state-of-the-art file system fuzzer on Linux

Janus: Fuzzing File Systems via Two-Dimensional Input Space Exploration

Paper

Overview

Please check our latest project Hydra, which is published on SOSP19 and involves the latest version of Janus.

Janus is a general file system fuzzer. Janus finds memory corruptions in in-kernel file systems on Linux by exploring the input space of both images and syscalls simultaneously in an efficient and effective manner. Janus is implemented as an AFL variant. As an OS fuzzer, its target is not traditional VMs but Linux Kernel Library (https://github.com/lkl). Janus has found around 100 unique crashes in mainstream file systems with 32 CVEs assigned so far.

We currently release the image parsing support for ext4, btrfs and F2FS. Stay tuned for more extensions and the details of the found bugs!

Here we explain the usage of Janus by fuzzing btrfs as an example.

Tested Environment

  • OS: Ubuntu 16.04 LTS
  • clang 6.0.0 built from source
  • gcc 5.0.0 by default

Preparation

  • Compile ff-gcc (for instrumentation)

    • cd ff-gcc
    • make
  • Compile the core fuzzing engine

    • cd core
    • make
  • Compile (ported) lkl 4.17

    • cd lkl
    • For example, if you want to fuzz btrfs, ./compile -t btrfs -c
    • there are three target applications generated
      • ./tools/lkl/btrfs-fsfuzz for fuzzing images only
      • ./tools/lkl/btrfs-executor for fuzzing file operations only
      • ./tools/lkl/btrfs-combined for fuzzing both (Janus)
  • Compile image parser

    • cd fs/btrfs
    • make
    • two output generated
      • btrfs_wrapper.so: AFL linked with this .so to compress and decompress an image
      • btrfs_standalone: this is used to release image offline given a compressed image and the original seed image. If you use online mode, you can release a batch of compressed images in an efficient way for reproducing.
    • Check fs/[fs name]/README.md for how to build in detail!
  • Seed images

    • Check samples.zip for a few seed images to start
    • Let's assume we use samples/evaluation/btrfs-00.image here
      • Build the istat file for generating starting program
        • cd istat
        • ./istat -i ../samples/evaluation/btrfs-00.image -t btrfs -o btrfs.istat
          • Usage: -i: seed image -t: file system type -o: output
        • Then we get the initial image status file: istat/btrfs-00.istat
  • Run fuzzer

    • We need a directory to store seed programs based on the initial image status

      • mkdir prog
    • Create seed programs

      • ./core/create_corpus istat/btrfs.istat prog
        • Usage: create_corpus [istat file] [output dir]
      • To show readable C code of a serialized program
        • ./core/program_show prog/open_read0
    • Create the input directory and the output directory for Janus

      • mkdir input
      • mkdir output
      • ./core/afl-image-syscall/afl-fuzz -b btrfs -s fs/btrfs/btrfs_wrapper.so -e ./samples/evaluation/btrfs-00.image -S btrfs -y prog -i input -o output -m none -u 2 -- ./lkl/tools/lkl/btrfs-combined -t btrfs -p @@
        • -b: shared memory name for storing image (which should be distinct)
        • -s: fs (de)compressor
        • -e: seed image
        • -S: AFL argument (slave name) (which should be distinct)
          • No -M support
        • -y: the seed program directory
        • -i: AFL argument (input directory) (which should be distinct)
        • -o: AFL argument (output directory)
        • -u: #CPU
      • Janus supports fuzzing in parallel
        • Create a new tmux window
        • mkdir input2
        • ./core/afl-image-syscall/afl-fuzz -b btrfs2 -s fs/btrfs/btrfs_wrapper.so -e ./samples/evaluation/btrfs-00.image -S btrfs2 -y prog -i input2 -o output -m none -u 3 -- ./lkl/tools/lkl/btrfs-combined -t btrfs -p @@
          • Remember to use the same output folder for collaborative fuzzing
        • Off course, you can create more Janus instances like this.
      • How to check a generated testcase (compressed image + serialized program)
        • ./utils/afl-parse -i ./samples/evaluation/btrfs-00.image -t btrfs -f output/btrfs/crashes/id:000000,sig:11,src:000000,op:havoc,rep:32 -o tmp
          • Usage: -i: seed image -t: file system type -f: generated test case -o: output name
        • it will generate tmp.img: the mutated image to be mounted
        • tmp.c.raw: the serialized program
        • tmp.c: the compilable program performed on the mutated image (for reproducing on a real OS)
        • You can use tmp.img and tmp.c.raw to reproduce the bug by btrfs-combined in LKL
    • If you only want to fuzz images (and run the fixed operations in LKL's fsfuzz.c):

      • ./core/afl-image/afl-fuzz -b btrfs -s fs/btrfs/btrfs_wrapper.so -e ./samples/evaluation/btrfs-00.image -S btrfs -i input -o output -m none -u 2 -- ./lkl/tools/lkl/btrfs-fsfuzz -t btrfs
    • If you only want to fuzz file operations (which are performed always on the same seed image):

      • ./core/afl-syscall/afl-fuzz -k -S btrfs -i prog -o output -m none -u 2 -- ./lkl/tools/lkl/btrfs-executor -t btrfs -i ./samples/evaluation/btrfs-00.image -p @@
      • Here the starting program folder is just the input directory

Contacts

More Repositories

1

Rudra

Rust Memory Safety & Undefined Behavior Detection
Rust
1,314
star
2

qsym

QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing
C++
627
star
3

winnie

Winnie is an end-to-end system that makes fuzzing Windows applications easy
C
528
star
4

pwn2own2020

Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities
C++
401
star
5

DrK

The DrK Attack - Proof of concept
Python
343
star
6

opensgx

OpenSGX
C
288
star
7

avpass

Tool for leaking and bypassing Android malware detection system
Smali
283
star
8

DIE

Fuzzing JavaScript Engines with Aspect-preserving Mutation
TypeScript
221
star
9

hydra

Hydra: an Extensible Fuzzing Framework for Finding Semantic Bugs in File Systems
C
156
star
10

ArcHeap

ArcHeap: Automatic Techniques to Systematically Discover New Heap Exploitation Primitives
C
141
star
11

freedom

A DOM fuzzer
Python
139
star
12

cs3210-rustos-public

Lab assignments for Georgia Tech CS 3210 "Design of Operating Systems"
Rust
111
star
13

perf-fuzz

C
94
star
14

sgx-tutorial-ccs17

SGX Tutorial at CCS17: SGX Security and Privacy
83
star
15

mosaic

C++
78
star
16

autofz

autofz: Automated Fuzzer Composition at Runtime
C
72
star
17

apollo

A toolchain for automatically detecting, reporting, and diagnosing performance bugs in DBMSs.
HCL
68
star
18

kernel-analyzer

C++
65
star
19

fuzzification

We hinder fuzzing
C
64
star
20

apisan

APISan: Sanitizing API Usages through Semantic Cross-Checking
C++
60
star
21

fxmark

FxMark: Filesystem Multicore Scalability Benchmark
Filebench WML
58
star
22

libmpk

C
48
star
23

deadline

C++
45
star
24

unisan

UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages
C++
43
star
25

shfllock

C
40
star
26

Rudra-PoC

Trophy case for Rudra bugs.
Rust
36
star
27

DIE-corpus

Corpus set used by DIE
Raku
36
star
28

aslr-guard

Preventing code-reuse attacks by stopping code pointer leakages
35
star
29

sgx101-gitbook

Synced with SGX101 gitbook.
30
star
30

kenali-kernel

Modified Nexus 9 kernel for Kenali Project
C
29
star
31

krace

Source code release for the KRace project
Python
27
star
32

hdfi

Hardware-assisted Data-flow Isolation
C
26
star
33

t-sgx

Compiler-based tool that protects Intel SGX applications against controlled-channel attacks
C++
26
star
34

caver

C++
25
star
35

juxta

C++
23
star
36

sgx-bomb

Makefile
15
star
37

RoboFuzz

Fuzzing framework for Robot Operating System (ROS) and ROS-based robotic systems
Python
15
star
38

cst-locks

C
13
star
39

SNAP

C
12
star
40

platpal

C++
12
star
41

blockchain-lab-pwneth

Solidity
11
star
42

ucognito

C
11
star
43

branch-shadowing

The branch shadowing attack: Proof of concept
C++
10
star
44

latr

Latr: Lazy Translation Coherence - ASPLOS'18
C
10
star
45

desensitization

Python
10
star
46

Rudra-Artifacts

Rudra's artifact evaluation submission
Rust
8
star
47

fakeroot-p

Makefile
8
star
48

vbench

VBench: Multicore Scalability Application Benchmark
Python
8
star
49

lkl-hydra

C
7
star
50

Pridwen

Universally Hardening SGX Programs via Load-Time Synthesis
C++
7
star
51

Sense

Code for Sense (NDSS'24)
C++
6
star
52

AndroidCoverageAgent

Coverage gathering JVMTI agent for Android
C++
6
star
53

kup

Prototype for seamlessly updating Linux kernel with application checkpoint-and-restart
5
star
54

eCS

Enlightened Critical Sections
C
4
star
55

bunshin

Python
4
star
56

playcrawl

Crawler for Googleplay
HTML
4
star
57

ordo

C
3
star
58

ACon2

Solidity
3
star
59

lkl

C
2
star
60

sgx101

A place to start designing application with Intel SGX in mind.
HTML
2
star
61

AndroidIntentFuzzer

Greybox fuzzing for Android Intent receivers
Kotlin
1
star