You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/source/tutorials/linux/dvkm/results.md
+8-11Lines changed: 8 additions & 11 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -222,7 +222,7 @@ The `kafl debug` subcommand provides various utilities for debugging your fuzzin
222
222
223
223
By using this subcommand, you can replay payloads to better understand the control flow leading to a crash, verify the stability and determinism of a payload, and even debug the guest state live while replaying the payload.
224
224
225
-
In this section, we'll explore two key [`actions`](../../../reference/fuzzer_configuration.md#action) provided by the kafl debug subcommand:
225
+
In this section, we'll explore two key [`actions`](../../../reference/fuzzer_configuration.md#action) provided by `kafl debug`:
226
226
227
227
-`single`
228
228
-`gdb`
@@ -234,9 +234,7 @@ The `single` action let's you replay a single payload and observe its results:
234
234
The payload should be specified throught the [`--input`](../../../reference/fuzzer_configuration.md#input) parameter.
235
235
236
236
:::{Important}
237
-
We should always specify [`--resume`](../../../reference/fuzzer_configuration.md#resume) when using either `kafl cov` or `kafl debug`, since it will replay from the original snapshot taken by the first call on [`NEXT_PAYLAOD`](../../../reference/hypercall_api.md#next_payload), and will make our execution deterministic.
238
-
239
-
That's one of the key benefits of snapshot fuzzers !
237
+
When replaying a payload from an previous kAFL run at $KAFL_WORKDIR, it is recommended to use [`--resume`](../../../reference/fuzzer_configuration.md#resume) so that the tool will use the exact same snapshot and page cache as in the fuzzing run. This improves our odds at reproducing the crash. If the workdir does not exist anymore or the snapshot is not found, running kafl single without `--resume` will simply boot a new VM with the given configuration and execute the agent a single time with the given input.
240
238
:::
241
239
242
240
:::{code-block} shell
@@ -396,7 +394,7 @@ For example when the target code will be fixed, we could replay that payload and
396
394
397
395
The `gdb` action is particularly valuable for deep-diving into the issues discovered during fuzzing.
398
396
399
-
When using this action, QEMU is started in `gdbserver` mode, which allows it to act as a server for the GDB debugger. This means you can interact with the target application in real-time as the payload is being executed.
397
+
This action working similar to `single`, but QEMU is started in `gdbserver` mode, allowing it to act as a server for the GDB debugger. This means you can interact with the target application in real-time as the payload is being executed.
400
398
401
399
The use of GDB provides fine-grained control over the execution of the program and allows you to inspect the program's state, variables, and call stack, offering a clear view into what led to a particular crash or unexpected behavior.
402
400
@@ -580,16 +578,15 @@ Breakpoint 2, oops_enter () at kernel/panic.c:623
580
578
581
579
:::{Important}
582
580
We need to use GDB hardware breakpoints, as software breakpoints in QEMU's embedded GDB server seems unrealiable.
583
-
584
-
::::{Note}
581
+
:::
582
+
:::{Note}
585
583
To reach the `dvkm_ioctl` hardware breakpoint, we had to send a `CTRL-C` to the GDB client.
586
584
The execution was hanging somewhere, for reasons that are not clear at the time of this writing.
587
-
::::
588
-
::::{Note}
589
-
Also remember that in order to load the symbols reliably, at the same location, we had to disable the Kernel `ASLR`.
585
+
:::
586
+
:::{Note}
587
+
Additionaly, in order to load the symbols reliably, at the same location, Kernel `ASLR` (_Address Space Layout Randomization_) had to be disabled.
590
588
591
589
Have a look at the `kafl.yaml``qemu_append` line, where [`nokaslr`](https://www.kernel.org/doc/html/v4.14/admin-guide/kernel-parameters.html) option is set.
592
-
::::
593
590
:::
594
591
595
592
Hopefully by now, you should have a better understanding of the kAFL workdir's corpus directory, the captured logs and how to interpret them, as well as having the capacity to replay payloads as you will !
Copy file name to clipboardExpand all lines: docs/source/tutorials/linux/dvkm/target.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,7 +2,7 @@
2
2
3
3
## Objectives
4
4
5
-
The aim is to fuzz the [DVKM (Damned Vulnerable Kernel Module)](https://github.com/hardik05/Damn_Vulnerable_Kernel_Module), an example kernel module developed by[Hardik Shah](https://github.com/hardik05).
5
+
The aim is to fuzz the [DVKM (Damned Vulnerable Kernel Module)](https://github.com/hardik05/Damn_Vulnerable_Kernel_Module), an example kernel module developed by[Hardik Shah](https://github.com/hardik05).
6
6
7
7
Designed for fuzzing training, DVKM contains deliberately vulnerable code that exposes to a range of security vulnerabilities, including:
If you want to have a look at this kind of workflow, the [Windows driver](../../windows/driver/index.md) target is a good example.
63
-
64
-
It combines [Packer](https://www.packer.io/), [Vagrant](https://www.vagrantup.com/), and [Ansible](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_intro.html) with [WinRM](https://learn.microsoft.com/en-us/windows/win32/winrm/portal) channel to provide a convenient setup.
62
+
The [Windows driver](../../windows/driver/index.md) example target demonstrates how to combine [Packer](https://www.packer.io/), [Vagrant](https://www.vagrantup.com/), and [Ansible](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_intro.html) with [WinRM](https://learn.microsoft.com/en-us/windows/win32/winrm/portal) channel to provide a convenient setup.
65
63
:::
66
64
67
65
### Direct Kernel Boot and initrd
68
66
69
-
For targets that are kernel-based, such as ours, a more efficient approach is to use QEMU's [Direct Linux Boot](https://qemu-project.gitlab.io/qemu/system/linuxboot.html) feature in tandem with a custom initrd.
67
+
Open source kernel and firmware targets can often be booted using QEMU's [Direct Linux Boot](https://qemu-project.gitlab.io/qemu/system/linuxboot.html) feature.
70
68
71
-
This configuration forms a lightweight execution environment that can bypass the need for a full OS image.
69
+
This approach is often more efficient than bootng a full-VM image and easier to customize and script.
72
70
73
71
```{code-block} shell
74
72
---
@@ -77,8 +75,6 @@ caption: Example using `qemu_kernel` (`--kernel`) and `qemu_initrd` (`--initrd`)
0 commit comments