SyzScope is a system that can automatically uncover high-risk impacts given a bug with only low-risk impacts.
A major problem of current fuzzing platforms is that they neglect a critical function that should have been built in: evaluation of a bug's security impact. It is well known that a lack of understanding of a bug's security impact can delay both bug fixes and patch propagation. Therefore, we developed SyzScope to reveal the potential high-risk bugs among seemingly low-risk bugs from syzbot.
Access our paper here
@inproceedings {277242,
title = {{SyzScope}: Revealing {High-Risk} Security Impacts of {Fuzzer-Exposed} Bugs in Linux kernel},
booktitle = {31st USENIX Security Symposium (USENIX Security 22)},
year = {2022},
address = {Boston, MA},
url = {https://www.usenix.org/conference/usenixsecurity22/presentation/zou},
publisher = {USENIX Association},
month = aug,
}
docker pull etenal/syzscope:ready2go
docker run -it -d --name syzscope -p 2222:22 --privileged etenal/syzscope:ready2go
docker attach syzscope
Everything is ready to go
cd /root/SyzScope
git pull
docker pull etenal/syzscope:mini
docker run -it -d --name syzscope --privileged etenal/syzscope:mini
docker attach syzscope
cd /root/SyzScope
git pull
. venv/bin/activate
python3 syzscope --install-requirements
The ready2go docker image contains pre-built syzkaller binaries and a pre-built Linux kernel for analyzing CVE-2018-25015.
As an alternative, the syzscope docker image can be built using the following docker build command.
docker build -t syzscope --build-arg UID=$(id -u) --build-arg GID=$(id -g) .
This container image has all Python and system dependencies for running syzscope; however, syzkaller and the target Linux kernel will be built at run-time.
Note: SyzScope was only tested on Ubuntu 18.04.
apt-get update
apt-get -y install git python3 python3-pip python3-venv sudo
git clone https://github.com/plummm/SyzScope.git
cd SyzScope/
python3 -m venv venv
. venv/bin/activate
pip3 install -r requirements.txt
python3 syzscope --install-requirements
Pwntools prints unnecessary debug information when starting or stopping a new process (e.g., gdb) or opening a new connection (e.g., connecting to the QEMU monitor). To disable this output, we insert one line of new code.
vim venv/lib/<YOUR_PYTHON>/site-packages/pwnlib/log.py
Add logger.propagate = False to the __init__ method of class Logger(object), right after the logger is created:
    class Logger(object):
        ...
        def __init__(self, logger=None):
            ...
            logger = logging.getLogger(logger_name)
            logger.propagate = False  # <-- add this line
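What the one-line change does, shown with the standard `logging` module only (an added example, not SyzScope or pwntools code; the logger names `demo_lib` and `demo_lib.tube.process` are hypothetical stand-ins): with `propagate = False` a record stops at the logger that emitted it and never reaches handlers attached to its ancestors.

```python
import logging


class ListHandler(logging.Handler):
    """Collects messages so the effect of propagation is observable."""

    def __init__(self):
        super().__init__()
        self.messages = []

    def emit(self, record):
        self.messages.append(record.getMessage())


def run_demo(propagate):
    """Log one record from a child logger; return what each handler received."""
    # Hypothetical names standing in for a library's top-level logger and
    # the per-object logger created inside Logger.__init__.
    parent = logging.getLogger("demo_lib")
    child = logging.getLogger("demo_lib.tube.process")

    parent_handler, child_handler = ListHandler(), ListHandler()
    parent.addHandler(parent_handler)
    child.addHandler(child_handler)
    parent.setLevel(logging.INFO)
    child.propagate = propagate  # the one-line change from the patch

    try:
        child.info("Starting local process (constructed sample message)")
    finally:
        # Restore global logging state so repeated calls are independent.
        parent.removeHandler(parent_handler)
        child.removeHandler(child_handler)
        child.propagate = True

    return {"parent": parent_handler.messages, "child": child_handler.messages}


if __name__ == "__main__":
    print("propagate=True :", run_demo(True))
    print("propagate=False:", run_demo(False))
```

Because the edit lives in site-packages, it is lost whenever pwntools is reinstalled or upgraded in the venv, so check it again after re-running `pip3 install -r requirements.txt`.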
Using UTF-8 encoding to run pwndbg properly
SyzScope should install UTF-8 support when you install the requirements.
To make sure UTF-8 is used by default, add the following commands to .bashrc or whichever shell init script you use.
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
WARNING: held lock freed! (CVE-2018-25015)
Check out common issues