- A more powerful and general SyzDescribe based on under-constrained symbolic execution.
- Support for net device drivers.
- SyzDescribe now supports Linux kernel v6.1/v6.2.
- Added a script to run SyzDescribe on all bitcode files.
```bibtex
@inproceedings{conf/sp/SyzDescribe23,
  author    = {Yu Hao and
               Guoren Li and
               Xiaochen Zou and
               Weiteng Chen and
               Shitong Zhu and
               Zhiyun Qian and
               Ardalan Amiri Sani},
  title     = {SyzDescribe: Principled, Automated, Static Generation of Syscall Descriptions for Kernel Drivers},
  booktitle = {44th {IEEE} Symposium on Security and Privacy, {SP} 2023, San Francisco,
               CA, USA, May 22-25, 2023},
  publisher = {{IEEE}},
  year      = {2023},
}
```
Requirements: Ubuntu 22.04

```bash
sudo apt install -y git llvm cmake
git clone https://github.com/seclab-ucr/SyzDescribe.git
cd SyzDescribe
bash ./script/build.bash
```

Note: the LLVM/Clang version used is 14.
```bash
build/tools/SyzDescribe/SyzDescribe --config=config.json
```

The `config.json` follows the layout of `config/config.json`, for example:

```
{
    "bitcode": "built-in.bc",
    // the path of the linked bitcode file of the kernel modules
    "knowledge": "~/SyzDescribe/config/knowledge.json",
    // the path of the knowledge file
    "version": "v6.2"
    // the version of the kernel, used to generate debug info
}
```

The generated syscall descriptions are written to `syz_describe_*.txt` and can be used directly in syzkaller, following its documentation.
There are two knowledge files for different versions of the kernel. Please choose the correct one.

There are two scripts to help run SyzDescribe on all bitcode files:

- `script/syzlang_run.py`
- `script/syzlang_run_all.py`

Usage:

- copy the two scripts to the bitcode directory
- change the values in `syzlang_run.py` according to its comments
- rename all other bitcode files to `built-in.bc` if needed: `python3 syzlang_run_all.py rename_bc`
- copy the script to all subdirectories containing a `built-in.bc`: `python3 syzlang_run_all.py copy_script`
- run the script in all subdirectories containing a `built-in.bc`: `python3 syzlang_run_all.py run_script`
- copy all generated syzlang files to `all_syscall_descriptions`: `python3 syzlang_run_all.py copy_syzlang`
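The four-step workflow above (locate every `built-in.bc`, write a per-directory `config.json` with the three keys documented earlier, run SyzDescribe in that directory, then gather the `syz_describe_*.txt` output into one place) can be expressed as a single batch driver. The following is an added example and is not the project's `syzlang_run_all.py`; the SyzDescribe binary path, the knowledge file path and the kernel version are assumed to be supplied by the caller, and the `runner` hook is an assumption of this example that lets the workflow be exercised without the real binary.

```python
"""Added example, not part of the SyzDescribe repository: run SyzDescribe once
per directory holding a built-in.bc and collect the syz_describe_*.txt results.

Assumed (not from the README): binary path, knowledge path and kernel version
come from the caller; `runner` exists only so the flow can run without the binary.
"""
import json
import shutil
import subprocess
import tempfile
from pathlib import Path

# Kernel versions the README mentions; the chosen knowledge file must match one.
SUPPORTED_VERSIONS = ("v5.12", "v6.1", "v6.2")


def find_bitcode_dirs(root):
    """Return every directory below `root` that holds a built-in.bc, sorted."""
    return sorted(p.parent for p in Path(root).rglob("built-in.bc"))


def write_config(bc_dir, knowledge, version):
    """Write the three-key config.json from the README into `bc_dir`.

    "bitcode" stays relative ("built-in.bc") because run_all() starts
    SyzDescribe with `bc_dir` as its working directory.
    """
    if version not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported kernel version {version!r}")
    knowledge = Path(knowledge).expanduser().resolve()
    if not knowledge.is_file():
        raise FileNotFoundError(f"knowledge file not found: {knowledge}")
    cfg = Path(bc_dir) / "config.json"
    cfg.write_text(json.dumps(
        {"bitcode": "built-in.bc", "knowledge": str(knowledge), "version": version},
        indent=2))
    return cfg


def run_all(root, syzdescribe_bin, knowledge, version, runner=subprocess.run):
    """Run SyzDescribe in each bitcode directory; return (dir, argv) per run."""
    commands = []
    for bc_dir in find_bitcode_dirs(root):
        cfg = write_config(bc_dir, knowledge, version)
        argv = [str(syzdescribe_bin), f"--config={cfg.name}"]
        runner(argv, cwd=str(bc_dir), check=True)
        commands.append((str(bc_dir), argv))
    return commands


def collect_syzlang(root, out_dir):
    """Copy every syz_describe_*.txt under `root` into `out_dir`.

    The relative directory is folded into the file name so descriptions from
    different drivers never overwrite each other.
    """
    root, out_dir = Path(root), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    copied = []
    for src in sorted(root.rglob("syz_describe_*.txt")):
        prefix = "_".join(src.parent.relative_to(root).parts)
        dst = out_dir / (f"{prefix}_{src.name}" if prefix else src.name)
        shutil.copy2(src, dst)
        copied.append(dst)
    return copied


def demo():
    """Exercise the workflow on a constructed tree with a fake runner.

    The fake runner stands in for the binary: it drops one constructed
    description file where SyzDescribe would write its output.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bitcode"
        for sub in ("net", "char/tpm"):
            (root / sub).mkdir(parents=True)
            (root / sub / "built-in.bc").write_bytes(b"BC\xc0\xde")  # constructed
        (root / "misc").mkdir()
        (root / "misc" / "other.bc").write_bytes(b"")  # not built-in.bc: skipped
        knowledge = Path(tmp) / "knowledge.json"
        knowledge.write_text("{}")  # constructed stand-in for the knowledge file

        def fake_runner(argv, cwd, check):
            (Path(cwd) / "syz_describe_demo.txt").write_text("# constructed\n")

        cmds = run_all(root, "SyzDescribe", knowledge, "v6.2", runner=fake_runner)
        copied = collect_syzlang(root, Path(tmp) / "all_syscall_descriptions")
        return {
            "dirs": [str(Path(d).relative_to(root)) for d, _ in cmds],
            "argv": cmds[0][1],
            "copied": sorted(p.name for p in copied),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping `"bitcode": "built-in.bc"` relative and running SyzDescribe with the bitcode directory as its working directory mirrors the README's per-directory layout; the `SUPPORTED_VERSIONS` check catches a config whose `version` does not match any knowledge file before a long analysis run starts.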
Refer to https://github.com/ZHYfeng/Generate_Linux_Kernel_Bitcode/tree/master/v5.12. Use `-save-temps` and `-g` to generate LLVM bitcode with debug info and less optimization.

Please do not use a huge bitcode file, e.g., `drivers/built-in.bc`. I would suggest generating syscall descriptions for each `drivers/*/built-in.bc` separately.
- SyzDescribe/SyzDescribe_Syscall_Description for v5.12.
- SyzDescribe_Syscall_Description for all.
- Ported DIFUZE used in the paper: https://github.com/ZHYfeng/PortedDIFUZE