Skip to content

Commit 1f5373e

Browse files
authored
Merge pull request #257 from IntelLabs/docs/fixes_dvkm
dvkm: fixes
2 parents 245db56 + 33e37c2 commit 1f5373e

3 files changed

Lines changed: 12 additions & 19 deletions

File tree

docs/source/tutorials/linux/dvkm/results.md

Lines changed: 8 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -222,7 +222,7 @@ The `kafl debug` subcommand provides various utilities for debugging your fuzzin
222222

223223
By using this subcommand, you can replay payloads to better understand the control flow leading to a crash, verify the stability and determinism of a payload, and even debug the guest state live while replaying the payload.
224224

225-
In this section, we'll explore two key [`actions`](../../../reference/fuzzer_configuration.md#action) provided by the kafl debug subcommand:
225+
In this section, we'll explore two key [`actions`](../../../reference/fuzzer_configuration.md#action) provided by `kafl debug`:
226226

227227
- `single`
228228
- `gdb`
@@ -234,9 +234,7 @@ The `single` action let's you replay a single payload and observe its results:
234234
The payload should be specified throught the [`--input`](../../../reference/fuzzer_configuration.md#input) parameter.
235235

236236
:::{Important}
237-
We should always specify [`--resume`](../../../reference/fuzzer_configuration.md#resume) when using either `kafl cov` or `kafl debug`, since it will replay from the original snapshot taken by the first call on [`NEXT_PAYLAOD`](../../../reference/hypercall_api.md#next_payload), and will make our execution deterministic.
238-
239-
That's one of the key benefits of snapshot fuzzers !
237+
When replaying a payload from an previous kAFL run at $KAFL_WORKDIR, it is recommended to use [`--resume`](../../../reference/fuzzer_configuration.md#resume) so that the tool will use the exact same snapshot and page cache as in the fuzzing run. This improves our odds at reproducing the crash. If the workdir does not exist anymore or the snapshot is not found, running kafl single without `--resume` will simply boot a new VM with the given configuration and execute the agent a single time with the given input.
240238
:::
241239

242240
:::{code-block} shell
@@ -396,7 +394,7 @@ For example when the target code will be fixed, we could replay that payload and
396394

397395
The `gdb` action is particularly valuable for deep-diving into the issues discovered during fuzzing.
398396

399-
When using this action, QEMU is started in `gdbserver` mode, which allows it to act as a server for the GDB debugger. This means you can interact with the target application in real-time as the payload is being executed.
397+
This action working similar to `single`, but QEMU is started in `gdbserver` mode, allowing it to act as a server for the GDB debugger. This means you can interact with the target application in real-time as the payload is being executed.
400398

401399
The use of GDB provides fine-grained control over the execution of the program and allows you to inspect the program's state, variables, and call stack, offering a clear view into what led to a particular crash or unexpected behavior.
402400

@@ -580,16 +578,15 @@ Breakpoint 2, oops_enter () at kernel/panic.c:623
580578

581579
:::{Important}
582580
We need to use GDB hardware breakpoints, as software breakpoints in QEMU's embedded GDB server seems unrealiable.
583-
584-
::::{Note}
581+
:::
582+
:::{Note}
585583
To reach the `dvkm_ioctl` hardware breakpoint, we had to send a `CTRL-C` to the GDB client.
586584
The execution was hanging somewhere, for reasons that are not clear at the time of this writing.
587-
::::
588-
::::{Note}
589-
Also remember that in order to load the symbols reliably, at the same location, we had to disable the Kernel `ASLR`.
585+
:::
586+
:::{Note}
587+
Additionaly, in order to load the symbols reliably, at the same location, Kernel `ASLR` (_Address Space Layout Randomization_) had to be disabled.
590588

591589
Have a look at the `kafl.yaml` `qemu_append` line, where [`nokaslr`](https://www.kernel.org/doc/html/v4.14/admin-guide/kernel-parameters.html) option is set.
592-
::::
593590
:::
594591

595592
Hopefully by now, you should have a better understanding of the kAFL workdir's corpus directory, the captured logs and how to interpret them, as well as having the capacity to replay payloads as you will !

docs/source/tutorials/linux/dvkm/target.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
## Objectives
44

5-
The aim is to fuzz the [DVKM (Damned Vulnerable Kernel Module)](https://github.com/hardik05/Damn_Vulnerable_Kernel_Module), an example kernel module developed by[Hardik Shah](https://github.com/hardik05).
5+
The aim is to fuzz the [DVKM (Damned Vulnerable Kernel Module)](https://github.com/hardik05/Damn_Vulnerable_Kernel_Module), an example kernel module developed by [Hardik Shah](https://github.com/hardik05).
66

77
Designed for fuzzing training, DVKM contains deliberately vulnerable code that exposes to a range of security vulnerabilities, including:
88
- integer overflow / underflow

docs/source/tutorials/linux/dvkm/workflow.md

Lines changed: 3 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -59,16 +59,14 @@ Additionally, you must set up a communication channel with the VM. Several optio
5959
- [Ansible playbook](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_intro.html)
6060

6161
:::{note}
62-
If you want to have a look at this kind of workflow, the [Windows driver](../../windows/driver/index.md) target is a good example.
63-
64-
It combines [Packer](https://www.packer.io/), [Vagrant](https://www.vagrantup.com/), and [Ansible](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_intro.html) with [WinRM](https://learn.microsoft.com/en-us/windows/win32/winrm/portal) channel to provide a convenient setup.
62+
The [Windows driver](../../windows/driver/index.md) example target demonstrates how to combine [Packer](https://www.packer.io/), [Vagrant](https://www.vagrantup.com/), and [Ansible](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_intro.html) with [WinRM](https://learn.microsoft.com/en-us/windows/win32/winrm/portal) channel to provide a convenient setup.
6563
:::
6664

6765
### Direct Kernel Boot and initrd
6866

69-
For targets that are kernel-based, such as ours, a more efficient approach is to use QEMU's [Direct Linux Boot](https://qemu-project.gitlab.io/qemu/system/linuxboot.html) feature in tandem with a custom initrd.
67+
Open source kernel and firmware targets can often be booted using QEMU's [Direct Linux Boot](https://qemu-project.gitlab.io/qemu/system/linuxboot.html) feature.
7068

71-
This configuration forms a lightweight execution environment that can bypass the need for a full OS image.
69+
This approach is often more efficient than bootng a full-VM image and easier to customize and script.
7270

7371
```{code-block} shell
7472
---
@@ -77,8 +75,6 @@ caption: Example using `qemu_kernel` (`--kernel`) and `qemu_initrd` (`--initrd`)
7775
(venv) $ kafl fuzz --kernel /path/to/linux/arch/x86/boot/bzImage --initrd /path/to/initrd.cpio.gz
7876
```
7977

80-
Below, we outline how to construct an efficient development workflow leveraging this approach.
81-
8278
## Initrd and `agent.sh` workflow
8379

8480
The approach outlined here relies on crafting a custom initrd that boots into a minimal BusyBox root filesystem.

0 commit comments

Comments
 (0)