- 了解linux kernel fuzzing test - trinity
1.What is it?
Trinity, a system call fuzzing tester for the Linux kernel. Fuzzing is a security technique which feeds random arguments into functions to see what breaks.
Trinity is developed using the latest glibc/kernel, which means from time to time changes are introduced which may make it fail to compile on older distributions (especially enterprise ones). The preferred way to fix this is to add the missing declarations to compat.h.
The basic idea is fairly simple. As ‘fuzz testing‘ suggests, we call syscalls at random, with random arguments. Not an original idea, and one that has been done many times before on Linux, and on other operating systems. Where Trinity differs is that the arguments it passes are not purely random.
2.What does trinity support for ?
Trinity supports Alpha, Aarch64, ARM, i386, IA-64, MIPS, PowerPC-32, PowerPC-64, S390, S390x, SPARC-64, x86-64.
3.Download and Install Triniy
Download the source code :
git clone https://github.com/kernelslacker/trinity.git
Or you can download the release version to do trinity test
https://github.com/kernelslacker/trinity/releases (the latest version is v1.7)
unzip trinity-<version>.zip
cd trinity-<version>
./configure
make
sudo make install
4.The intelligence features include:
- If a system call expects a certain datatype as an argument (for example a file descriptor) it gets passed one. This is the reason for the slow initial startup, as it generates a list of fd’s of files it can read from /sys, /proc and /dev and then supplements this with fd’s for various network protocol sockets. (Information on which protocols succeed/fail is cached on the first run, greatly increasing the speed of subsequent runs).
- If a system call only accepts certain values as an argument, (for example a ‘flags’ field), Trinity has a list of all the valid flags that may be passed. Just to throw a spanner in the works, occasionally, it will bitflip one of the flags, just to make things more interesting.
- If a system call only takes a range of values, the random value passed is biased to usually fit within that range.
Trinity logs it’s output to files (1 for each child process), and fsync’s the files before it actually makes the system call. This way, should you trigger something which panics the kernel, you should be able to find out exactly what happened by examining the log.
There are several test harnesses provided (test-*.sh), which run trinity in various modes and takes care of things like CPU affinity and makes sure it runs from the tmp directory. (Handy for cleaning up any garbage named files; just rm -rf tmp afterward)
5.Options
--quiet/-q: reduce verbosity.
Specify once to not output register values, or twice to also suppress syscall count.
--verbose: increase verbosity.
-D: Debug mode.
This is useful for catching core dumps if trinity is segfaulting, as by default
the child processes ignore those signals.
-sN: use N as random seed. (Omitting this uses time of day as a seed).
Note: There are currently a few bugs that mean no two runs are necessary 100%
identical with the same seed. See the TODO for details.
--kernel_taint/-T: controls which kernel taint flags should be considered.
The following flag names are supported: PROPRIETARY_MODULE, FORCED_MODULE, UNSAFE_SMP,
FORCED_RMMOD, MACHINE_CHECK, BAD_PAGE, USER, DIE, OVERRIDDEN_ACPI_TABLE, WARN, CRAP,
FIRMWARE_WORKAROUND, and OOT_MODULE. For instance, to set trinity to monitor only BAD,
WARN and MACHINE_CHECK flags one should specify "-T BAD,WARN,MACHINE_CHECK" parameter.
--list/-L: list known syscalls and their offsets
--proto/-P: For network sockets, only use a specific packet family.
--victims/-V: Victim file/dirs. By default, on startup trinity tree-walks /dev, /sys and /proc.
Using this option you can specify a different path.
(Currently limited to just one path)
-p: Pause after making a syscall
--children/-C: Number of child processes.
-x: Exclude a syscall from being called. Useful when there's a known kernel bug
you keep hitting that you want to avoid.
Can be specified multiple times.
-cN: do syscall N with random inputs.
Good for concentrating on a certain syscall, if for eg, you just added one.
Can be specified multiple times.
--group/-g
Used to specify enabling a group of syscalls. Current groups defined are 'vm' and 'vfs'.
--logging/-l <arg>
off: This disables logging to files. Useful if you have a serial console, though you
will likely lose any information about what system call was being called,
what maps got set up etc. Does make things go considerably faster however,
as it no longer fsync()'s after every syscall
<hostname> : sends packets over udp to a trinity server running on another host.
Note: Still in development. Enabling this feature disables log-to-file.
<dir> : Specify a directory where trinity will dump its log files.
--ioctls/-I will dump all available ioctls.
--arch/-a Explicit selection of 32 or 64 bit variant of system calls.
#######################################################################
Examples:
./trinity -c splice
Stress test the splice syscall
./trinity -x splice
Call every syscall except for splice.
./trinity -qq -l off -C16
Turn off logging, and suppress most output to run as fast as possible. Use 16 child processes
refer to
- https://github.com/kernelslacker/trinity
- https://securityonline.info/trinity-a-linux-system-call-fuzz-tester/