Awesome

Buzzer - An eBPF Fuzzer toolchain

Buzzer is a fuzzer toolchain that allows to write eBPF fuzzing strategies.

A Fuzzing strategy is a way to generate random eBPF Programs and then validate that they don't have unexpected behaviour.

To run the fuzzer follow the next steps

1. Install bazel.

2. Install clang

3. Setup the correct CC and CXX env variables

   export CC=clang
   export CXX=clang++
   

4. Run

   bazel build :buzzer
   

5. Run buzzer either as root:

   sudo ./bazel-bin/buzzer_/buzzer
   

   OR with CAP_BPF:

   sudo setcap CAP_BPF=eip bazel-bin/buzzer_/buzzer
   ./bazel-bin/buzzer_/buzzer
   

Documents:

• Overall Architecture of Buzzer
• How to run buzzer with coverage

Trophies

Did you find a cool bug using Buzzer? Let us know via a pull request! We'd like to collect all issues discovered with this framework under this section.

• CVE-2023-2163: An error in the branch pruning logic of the eBPF verifier can cause unsafe paths to not be explored. The unsafe pruned paths are the actual paths taken at runtime which causes a mismatch in what the verifier thinks the values of certain registers are versus what they actually are. This mismatch can be abused to read/write arbitrary memory in the kernel by using the confused registers as base registers for memory operations.

• CVE-2024-41003: A bug in the verifier's register limit tracking allows an attacker to trick the verifier into thinking a register holds a value of 0 when at run time this register could take a value of 1. This can be then leveraged to achieve arbitrary kernel memory read/write and lead to a local privilege escalation or container escape.