Awesome
GREBE
GREBE is an object-driven tool to identify Multiple Error Behavior of kernel bugs. GREBE consists of two components -- a static analysis tool to identify critical kernel objects of triggering the bug, and a fuzzing tool based Syzkaller to find its other error behavior. Refer to our paper for more details.
Usage scenario
You find a low-severity bug in kernel, and would like to know the true effect of the bug. Examples: CVE-2021-3715
You find a high-severity bug, and would like to know the bug's other memory corruption capability.
How to use fuzzer
Identify critical objects with the analyzer
see here
Patch kernel to support object coverage feedback
patch [target_kernel_dir]/kernel/kcov.c -p1 < ./kernel.patch
Build kernel with our gcc
export OBJ_FILE=[the_absolute_path_to_the_file_containing_critical_objects]
make CC=[path_to_our_gcc] -j`nproc`
Run the fuzzer
The fuzzer works like Syzkaller. It is noted that you should pass a POC to the syz-manager
with -auxiliary
flag.
Acknowledge
@INPROCEEDINGS{9833683,
author={Lin, Zhenpeng and Chen, Yueqi and Wu, Yuhang and Mu, Dongliang and Yu, Chensheng and Xing, Xinyu and Li, Kang},
booktitle={2022 IEEE Symposium on Security and Privacy (SP)},
title={GREBE: Unveiling Exploitation Potential for Linux Kernel Bugs},
year={2022},
pages={2078-2095},
doi={10.1109/SP46214.2022.9833683}
}