Sys2Syz is a tool that automates the conversion of syscalls and ioctl calls into syzkaller's description format. It was created to increase syscall coverage and improve syzkaller's support for NetBSD. Currently, the tool only supports grammar generation for NetBSD; we plan to add support for other operating systems soon.
Below are the reports on the tool, written as part of Google Summer of Code 2020:
- Enhancing Syzkaller support for NetBSD - Part 1
- Enhancing Syzkaller support for NetBSD - Part 2
- Enhancing Syzkaller support for NetBSD - Part 3
Workflow of the tool:
The tool supports generation of syzkaller descriptions for the ioctl calls of NetBSD device drivers. The following steps are involved:
- Extraction of all ioctl commands of a given device driver along with their arguments from the header files. Ioctl commands in NetBSD can be identified with the help of some specific macros (_IO, _IOR, _IOW, _IOWR) - (core/Extractor.py).
- Preprocessing of the device driver's files using compile_commands.json generated during the setup of tool using Bear - (core/Bear.py)
- XML files are generated by running c2xml on preprocessed device files. This eases the process of fetching the information related to arguments of commands - (core/C2xml.py)
- Generates descriptions for the ioctl commands and their arguments (builtin-types, arrays, pointers, structures and unions) using the XML files - (core/Description.py)
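The first and last steps above can be sketched in a few lines. This is an added example, not code from sys2syz: it finds `_IO`/`_IOR`/`_IOW`/`_IOWR` definitions in header text and emits ioctl lines in the syntax of the example description file on this page. The header text is constructed, the `DEMO_*` commands are hypothetical, and the direction and builtin-type mappings are assumptions.

```python
import re

# Added example, not sys2syz code. Matches NetBSD-style definitions such as
#   #define NAME _IOW('I', 0, struct foo)   and   #define NAME _IO('I', 1)
IOCTL_RE = re.compile(
    r"^\s*#\s*define\s+(\w+)\s+(_IOWR|_IOR|_IOW|_IO)\s*\(\s*"
    r"('.'|\w+)\s*,\s*(\w+)\s*(?:,\s*([^)]+?)\s*)?\)",
    re.MULTILINE,
)
# The macro encodes the copy direction, which becomes the syzkaller ptr direction.
DIRECTION = {"_IOR": "out", "_IOW": "in", "_IOWR": "inout"}
# Assumed mapping for a few C builtins; anything else is treated as a struct/union name.
BUILTIN = {"char": "int8", "short": "int16", "int": "int32", "long": "intptr"}

def extract_ioctls(header_text):
    """Return (name, macro, arg_type_or_None) for each ioctl command definition."""
    return [(m.group(1), m.group(2), m.group(5)) for m in IOCTL_RE.finditer(header_text)]

def syz_type(c_type):
    """Drop the struct/union keyword and translate builtins to syzkaller ints."""
    name = re.sub(r"^(struct|union)\s+", "", c_type.strip())
    return BUILTIN.get(name, name)

def describe(header_text, resource):
    """Emit one syzkaller ioctl description line per extracted command."""
    lines = []
    for name, macro, arg in extract_ioctls(header_text):
        head = f"ioctl${name}(fd {resource}, cmd const[{name}]"
        if macro == "_IO" or arg is None:  # _IO carries no argument
            lines.append(head + ")")
        else:
            lines.append(f"{head}, arg ptr[{DIRECTION[macro]}, {syz_type(arg)}])")
    return lines

# Constructed header text; the DEMO_* commands are hypothetical.
SAMPLE_HEADER = """
#define I2C_IOCTL_EXEC  _IOW('I', 0, struct i2c_ioctl_exec)
#define DEMO_IOC_RESET  _IO('D', 1)
#define DEMO_IOC_GETCFG _IOR('D', 2, struct demo_cfg)
#define DEMO_IOC_XFER   _IOWR('D', 3, int)
#define NOT_AN_IOCTL    42
// #define DEMO_IOC_OLD _IOW('D', 9, int)
"""

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_HEADER, "fd_i2c")))
```

The plain constant and the commented-out definition are skipped, so only four commands are described. The struct bodies themselves are not handled here; in the workflow above they come from the c2xml output.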
Here are the installation instructions for Sys2syz
- Bear setup
- NetBSD src files
This tool is written in python3
- Clone the repo
git clone https://github.com/ais2397/sys2syz.git
cd sys2syz
- Install the python dependencies using
pip3 install -r requirements.txt
- Run the setup script
Note: This step requires
- NetBSD toolchain.
- Directory storing compiled modules should be cleaned before performing this step
./setup.sh -b <path_to_netbsd_src>
To generate descriptions for a particular device driver (device_driver) or syscall, run sys2syz.py:
python3 sys2syz.py -i <syscall/ioctl> -t <absolute_path_to_device_driver_source> -c compile_commands.json -v -o <target_operating_system>
This would generate a dev_<device_driver>.txt file in the out directory.
Example description file generated by sys2syz for the i2c device:
# Copyright 2018 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
# Autogenerated by sys2syz
include <dev/i2c/i2c_io.h>
resource fd_i2c[fd]
openat$i2c(fd const[AT_FDCWD], file ptr[in, string["/dev/i2c"]], flags flags[open_flags], mode const[0]) fd_i2c
ioctl$I2C_IOCTL_EXEC(fd fd_i2c, cmd const[I2C_IOCTL_EXEC], arg ptr[in, i2c_ioctl_exec])
i2c_ioctl_exec {
iie_op flags[i2c_op_t_flags, int8]
iie_addr int16
iie_cmd buffer[in]
iie_cmdlen len[iie_cmd, intptr]
iie_buf buffer[in]
iie_buflen len[iie_buf, intptr]
}
i2c_op_t_flags
- Fetches ioctl calls of a particular device driver.
- Generates a file having syzkaller specific descriptions for fetched ioctl calls.
- Generation of syzkaller descriptions for syscalls.
- Generation of descriptions for functions, passed as arguments to syscalls.
- Detection of flag values for enums
Features yet to be implemented:
- Calculating Attributes for structs and unions
This tool is developed by Ayushi Sharma