SyzScope

  1. What is SyzScope?
  2. Why did we develop SyzScope?
  3. Access the paper
  4. Setup
    1. Docker - Recommended
      1. image - ready2go
      2. image - mini
    2. Manual setup
      1. Let's warm up
      2. Install requirements
      3. Tweak pwntools
      4. Using UTF-8 encoding
  5. Tutorial
  6. Common Issues

THIS VERSION WAS USED FOR ALL EXPERIMENTS IN USENIX SECURITY 22. FOR ONGOING UPDATES, FOLLOW THE MAIN REPO -> SyzScope

What is SyzScope?

<a name="What_is_SyzScope"></a>

SyzScope is a system that, given a bug which currently shows only low-risk impacts, automatically uncovers the high-risk impacts it can also reach.

Why did we develop SyzScope?

<a name="Why_did_we_develop_SyzScope"></a>

A major problem with current fuzzing platforms is that they neglect a critical function that should have been built in: evaluation of a bug's security impact. It is well known that not understanding a bug's security impact leads to delayed fixes and slow patch propagation. We therefore developed SyzScope to reveal the potentially high-risk bugs hiding among the seemingly low-risk ones on syzbot.

More details?

<a name="access_the_paper"></a>

Access our paper here

@inproceedings {277242,
title = {{SyzScope}: Revealing {High-Risk} Security Impacts of {Fuzzer-Exposed} Bugs in Linux kernel},
booktitle = {31st USENIX Security Symposium (USENIX Security 22)},
year = {2022},
address = {Boston, MA},
url = {https://www.usenix.org/conference/usenixsecurity22/presentation/zou},
publisher = {USENIX Association},
month = aug,
}

Setup

<a name="Setup"></a>

Docker - Recommended

<a name="Dokcer"></a>

Image - ready2go (18.39 GB)

<a name="Dokcer_ready2go"></a>

docker pull etenal/syzscope:ready2go
docker run -it -d --name syzscope -p 2222:22 --privileged etenal/syzscope:ready2go
docker attach syzscope

Note that --privileged removes the container's device and capability restrictions (for example, it gives QEMU inside the container access to /dev/kvm), so treat the container as having host-level access and run it only on a machine you control. -p 2222:22 publishes the container's port 22 on host port 2222; if the host is reachable from untrusted networks, bind it to the loopback interface instead (-p 127.0.0.1:2222:22).

Inside the docker container everything is ready to go:

cd /root/SyzScope
git pull
Image - mini (400 MB)

<a name="Dokcer_mini"></a>

docker pull etenal/syzscope:mini
docker run -it -d --name syzscope --privileged etenal/syzscope:mini
docker attach syzscope

Inside the docker container:

cd /root/SyzScope
git pull
. venv/bin/activate
python3 syzscope --install-requirements

Manual setup

<a name="Manually_setup"></a>

Note: SyzScope was only tested on Ubuntu 18.04.

Let's warm up

<a name="warm_up"></a>

apt-get update
apt-get -y install git python3 python3-pip python3-venv sudo
git clone https://github.com/plummm/SyzScope.git
cd SyzScope/
python3 -m venv venv
. venv/bin/activate
pip3 install -r requirements.txt
Install required packages and compile essential tools

<a name="install_requirements"></a>

python3 syzscope --install-requirements
Tweak pwntools

<a name="Tweak_pwntools"></a>

Pwntools prints unnecessary debug information whenever it starts or stops a process (e.g., gdb) or opens a new connection (e.g., to the QEMU monitor). To disable this output, we add one line to its source code.

vim venv/lib/<YOUR_PYTHON>/site-packages/pwnlib/log.py

Add logger.propagate = False inside class Logger(object):

class Logger(object):
    ...
    def __init__(self, logger=None):
        ...
        logger = logging.getLogger(logger_name)
        logger.propagate = False  # <-- add this line
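To see why that one line works, here is an added example (not SyzScope's or pwntools' code) that uses only the Python standard library. It assumes pwntools names its loggers under the "pwnlib" hierarchy, which is why the records otherwise bubble up to the root handler that SyzScope configures. Under that assumption an application can get the same effect from its own code by stopping propagation at the parent "pwnlib" logger, without editing site-packages (where the patch is lost on every pip upgrade of pwntools). The child logger name and the message below are constructed for illustration.

```python
"""Added example: how logger.propagate controls whether pwnlib records
reach an application's root handler. Standard library only."""
import io
import logging
from typing import List


def records_reaching_root(stop_propagation: bool) -> List[str]:
    """Install a DEBUG root handler (as SyzScope's own logging setup does),
    emit one record from a child of the 'pwnlib' logger, and return the
    lines that the root handler captured."""
    root = logging.getLogger()
    saved_handlers, saved_level = list(root.handlers), root.level

    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(name)s:%(levelname)s:%(message)s"))
    for h in saved_handlers:
        root.removeHandler(h)
    root.addHandler(handler)
    root.setLevel(logging.DEBUG)

    # Equivalent of the one-line patch, applied once at the parent logger
    # instead of to every per-object logger pwntools creates.
    pwnlib_logger = logging.getLogger("pwnlib")
    pwnlib_logger.propagate = not stop_propagation

    # Hypothetical child logger, named the way pwnlib names per-object
    # loggers ('pwnlib.<module>.<class>.<id>'); message text is constructed.
    child = logging.getLogger("pwnlib.tubes.process.process.4711")
    child.debug("Starting local process '/usr/bin/gdb'")

    # Restore the root logger for other callers.
    root.removeHandler(handler)
    for h in saved_handlers:
        root.addHandler(h)
    root.setLevel(saved_level)
    pwnlib_logger.propagate = True
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    print("propagate=True :", records_reaching_root(stop_propagation=False))
    print("propagate=False:", records_reaching_root(stop_propagation=True))
```

Stopping propagation only affects what the application's own handlers receive; pwntools' own console output is governed separately by `pwnlib.context.context.log_level`.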
Make sure you are using UTF-8 encoding

<a name="Using_UTF_8_encoding"></a>

pwndbg needs a UTF-8 locale to run properly.

SyzScope should install the UTF-8 locale when you install the requirements.

To make sure UTF-8 is used by default, add the following commands to .bashrc or whichever shell init script you use:

export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8

Tutorial

<a name="tutorial"></a>

Getting started

Workzone Structure

Inspect results

PoC Reproduce

Fuzzing

Static Taint Analysis

Symbolic Execution

Example

WARNING: held lock freed! (CVE-2018-25015)


Common Issues

<a name="common_issues"></a>

Check out common issues