syzkaller on FreeBSD
Contact: Mark Johnston <markj@FreeBSD.org> Contact: Simran Kathpalia <skathpalia3@gmail.com>
See the syzkaller entry in the 2019q1 quarterly report for an introduction to syzkaller.
Steady progress has been made on fixing bugs found by syzkaller, both by private instances and by the public syzbot instance. Bugs have been fixed in TCP, ktrace(2), kqueue(2), POSIX timers, fork(2), crypto(4), and in the VFS and UFS code. Work has also progressed on adding additional definition to syzkaller, so unfortunately the size of backlog remains more or less steady. Simran Kathpalia, a student participating in this year’s Google Summer Of Code (GSOC) program for FreeBSD, has made excellent progress in extending syzkaller to cover more of the FreeBSD kernel. She has added definitions for a number of system calls and has also been working on automating the generation of such definitions.
Some work has been done towards making it easier to easier to set up syzkaller instances with minimal effort. For example, much of the work can be automated using a BastilleBSD template, which uses a jail to simplify configuration. While this example still requires some manual configuration and is not very flexible, it is much simpler than setting up an instance manually, and helps motivate some planned UI improvements and bug fixes for FreeBSD jails.
Future work includes:
-
Further effort to try and reduce the size of the syzkaller backlog.
-
Completion of some proof-of-concept work to extend syzkaller to fuzz the Linuxulator subsystem.
-
Additional system call and ioctl definitions.
-
Automated fuzzing with kernel sanitizers enabled.
Sponsor: The FreeBSD Foundation
Last modified on: July 24, 2021 by Daniel Ebdrup Jensen