diff --git a/_sources/tutorials/installation.md.txt b/_sources/tutorials/installation.md.txt
index 39b757ab..660e4e78 100644
--- a/_sources/tutorials/installation.md.txt
+++ b/_sources/tutorials/installation.md.txt
@@ -191,6 +191,43 @@ You should see the kAFL ACSII art logo:
 ===================================================
 << kAFL Fuzzer >>
+
+Warning: Launching without --seed-dir?
+No PT trace region defined.
+00:00:00: 0 exec/s, 0 edges, 0% favs pending, findings: <0, 0, 0>
+Worker-00 Launching virtual machine...
+/home/mtarral/kafl/kafl/qemu/x86_64-softmmu/qemu-system-x86_64
+ -enable-kvm
+ -machine kAFL64-v1
+ -cpu kAFL64-Hypervisor-v1,+vmx
+ -no-reboot
+ -net none
+ -display none
+ -chardev socket,server,id=nyx_socket,path=/dev/shm/kafl_mtarral/interface_0
+ -device nyx,chardev=nyx_socket,workdir=/dev/shm/kafl_mtarral,worker_id=0,bitmap_size=65536,input_buffer_size=131072
+ -device isa-serial,chardev=kafl_serial
+ -chardev file,id=kafl_serial,mux=on,path=/dev/shm/kafl_mtarral/serial_00.log
+ -m 256
+ -fast_vm_reload path=/dev/shm/kafl_mtarral/snapshot/,load=off
+[QEMU-NYX] Max Dirty Ring Size -> 1048576 (Entries: 65536)
+qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.01H:ECX.pcid [bit 17]
+qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.hle [bit 4]
+qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.rtm [bit 11]
+[QEMU-NYX] Dirty ring mmap region located at 0x767b25d00000
+[QEMU-NYX] Warning: Invalid sharedir...
+[QEMU-NYX] Booting VM to start fuzzing...
+...
+~~~
+
+If that's the case, kAFL is **correctly configured** !
+
+You can now send a `CTRL-C` to stop kAFL:
+
+~~~
+^CReceived Ctrl-C, killing workers...
+Waiting for Workers to shutdown...
+Worker-00 Shutting down Qemu after 0 execs..
+qemu-system-x86_64: terminating on signal 15 from pid 115166 (/home/mtarral/kafl/kafl/.venv/bin/python3)
 ~~~
 :::{note}
diff --git a/searchindex.js b/searchindex.js
index 469a7de3..1223f52c 100644
@@ -1 +1 @@ -Search.setIndex({"docnames": ["context/research_papers", "dev/documentation", "how_to/github_actions", "index", "reference/deployment", "reference/fuzzer_configuration", "reference/hypercall_api", "reference/user_interface", "reference/workdir_layout", "tutorials/concepts", "tutorials/gui", "tutorials/installation", "tutorials/introduction", "tutorials/linux/dvkm/agent", "tutorials/linux/dvkm/fuzzing", "tutorials/linux/dvkm/improvements", "tutorials/linux/dvkm/index", "tutorials/linux/dvkm/results", "tutorials/linux/dvkm/target", "tutorials/linux/dvkm/workflow", "tutorials/linux/fuzzing_linux_kernel", "tutorials/linux/index", "tutorials/windows/driver/campaign", "tutorials/windows/driver/crash", "tutorials/windows/driver/index", "tutorials/windows/driver/target", "tutorials/windows/driver/target_setup", "tutorials/windows/index", "tutorials/windows/userspace/campaign", "tutorials/windows/userspace/improvements", "tutorials/windows/userspace/index", "tutorials/windows/userspace/target", "tutorials/windows/userspace/target_setup", "tutorials/windows/windows_template"], "filenames": ["context/research_papers.md", "dev/documentation.md", "how_to/github_actions.md", "index.md", "reference/deployment.md", "reference/fuzzer_configuration.md", "reference/hypercall_api.md", "reference/user_interface.md", "reference/workdir_layout.md", "tutorials/concepts.md", "tutorials/gui.md", "tutorials/installation.md", "tutorials/introduction.md", "tutorials/linux/dvkm/agent.md", "tutorials/linux/dvkm/fuzzing.md", "tutorials/linux/dvkm/improvements.md", "tutorials/linux/dvkm/index.md", "tutorials/linux/dvkm/results.md", "tutorials/linux/dvkm/target.md", "tutorials/linux/dvkm/workflow.md", "tutorials/linux/fuzzing_linux_kernel.md", "tutorials/linux/index.md", "tutorials/windows/driver/campaign.md", "tutorials/windows/driver/crash.md", "tutorials/windows/driver/index.md", "tutorials/windows/driver/target.md", "tutorials/windows/driver/target_setup.md", 
"tutorials/windows/index.md", "tutorials/windows/userspace/campaign.md", "tutorials/windows/userspace/improvements.md", "tutorials/windows/userspace/index.md", "tutorials/windows/userspace/target.md", "tutorials/windows/userspace/target_setup.md", "tutorials/windows/windows_template.md"], "titles": ["Research Papers", "Building the documentation", "Github Actions CI/CD", "\ud83d\udcd7 kAFL\u2019s Documentation", "Deployment", "Fuzzer Configuration", "kAFL/Nyx Hypercall API", "kAFL User Interface", "kAFL Workdir", "Concepts", "<no title>", "Installation", "Introduction", "3 - Building the agent", "4 - Fuzzing campaign", "6 - Improvements: KASAN", "DVKM", "5 - Exploring campaign results", "1 - Target analysis", "2 - kAFL workflow", "Linux Kernel target", "Linux Target", "Fuzzing Campaign", "Crash Analysis", "Driver", "Target analysis", "Provision the guest VM", "Windows Target", "Fuzzing Campaign", "Improvments", "Userspace", "Target analysis", "Provision the guest VM", "Windows VM Template"], "terms": {"kafl": [0, 5, 10, 12, 13, 15, 16, 18, 20, 21, 23, 24, 26, 27, 29, 30, 32, 33], "project": [0, 1, 3, 4], "develop": [0, 4, 8, 18, 19, 33], "ruhr": 0, "univers": 0, "bochum": 0, "sergej": 0, "schumilo": 0, "corneliu": 0, "aschermann": 0, "fund": 0, "intellab": [0, 2, 3, 11, 20], "relat": [0, 4, 8, 15], "hardwar": [0, 4, 6, 17, 25], "assist": [0, 17], "feedback": [0, 3, 5, 6, 7, 8, 9, 13, 17, 19, 25], "fuzz": [0, 2, 3, 5, 7, 8, 9, 11, 12, 13, 15, 16, 17, 18, 19, 29, 31, 33], "o": [0, 3, 7, 8, 13, 15, 17, 19, 20, 25, 26, 32], "kernel": [0, 3, 4, 5, 11, 12, 15, 16, 17, 18, 21, 25], "2017": 0, "slide": 0, "talk": 0, "redqueen": [0, 3, 7, 8, 20, 25], "input": [0, 3, 6, 7, 8, 17, 19, 20, 31, 33], "state": [0, 6, 8, 15, 17, 20, 25], "correspond": [0, 5, 6, 8, 13, 20, 23], "2019": 0, "nautilu": 0, "fish": 0, "deep": [0, 17], "bug": [0, 6, 12, 15, 22], "grammar": 0, "grimoir": [0, 3, 7, 20], "synthes": 0, "structur": [0, 3, 19], "while": [0, 5, 6, 17, 19], "ijon": [0, 3, 8], 
"explor": [0, 16, 21, 24], "space": [0, 17], "via": [0, 4, 5, 7, 11, 25, 33], "2020": 0, "hyper": 0, "cube": 0, "high": [0, 6], "dimension": 0, "hypervisor": [0, 5, 6, 17, 20, 22], "nyx": [0, 2, 3, 5, 8, 17, 20, 22], "greybox": [0, 3], "us": [0, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 23, 25, 33], "fast": [0, 3, 6, 15, 20], "snapshot": [0, 3, 5, 8, 13, 17, 19, 20, 22, 25, 26, 32, 33], "affin": 0, "type": [0, 4, 5, 6, 7, 17, 18, 23, 33], "2021": 0, "net": [0, 5, 17, 20, 22], "network": 0, "increment": [0, 5, 6], "The": [1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 13, 14, 17, 18, 19, 20, 21, 22, 23, 25, 31, 33], "": [1, 2, 4, 5, 6, 7, 9, 11, 12, 13, 14, 15, 17, 18, 19, 20, 22, 23, 25, 29, 31, 33], "i": [1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 13, 14, 15, 17, 18, 19, 20, 21, 22, 23, 25, 26, 30, 31, 32, 33], "host": [1, 2, 4, 6, 8, 13, 14, 17, 19, 20, 22, 25, 33], "onlin": 1, "To": [1, 8, 11, 13, 14, 17, 19, 20, 22, 25, 26, 32, 33], "doc": [1, 33], "local": [1, 2, 4, 5, 11, 17, 20, 22, 33], "cd": [1, 3, 11, 14, 15, 17, 19, 20, 22, 26, 32, 33], "make": [1, 2, 3, 4, 6, 15, 17, 19, 20, 22, 25, 26, 32, 33], "html": 1, "xdg": [1, 5], "open": [1, 15, 17, 19], "index": [1, 6, 15], "can": [2, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 15, 17, 18, 19, 20, 21, 22, 23, 25, 27, 28, 31, 33], "integr": [2, 3, 8, 33], "your": [2, 4, 7, 10, 11, 12, 13, 14, 15, 17, 21, 22, 27, 33], "pipelin": 2, "thank": [2, 15], "It": [2, 3, 4, 5, 6, 8, 13, 15, 17, 18, 19, 20, 25, 29], "act": [2, 17], "basic": [2, 6, 7], "block": [2, 7, 14, 15, 22, 25], "compos": [2, 3, 25], "workflow": [2, 11, 15, 16, 18, 21, 33], "With": [2, 4, 6, 14, 18, 19], "thi": [2, 4, 5, 6, 7, 8, 11, 12, 13, 15, 16, 17, 18, 19, 20, 21, 23, 24, 25, 26, 27, 29, 30, 31, 33], "you": [2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 22, 23, 24, 26, 28, 30, 31, 32, 33], "autom": [2, 4, 5, 33], "process": [2, 6, 7, 8, 11, 13, 14, 16, 19, 20, 22, 25], "target": [2, 3, 5, 6, 8, 11, 12, 14, 15, 16, 17, 22, 24, 26, 30, 32, 33], 
"build": [2, 3, 4, 5, 6, 8, 11, 15, 16, 17, 19, 21, 24, 27, 30], "reusabl": [2, 4], "deleg": [2, 18], "from": [2, 3, 4, 6, 8, 11, 13, 17, 18, 19, 20, 22, 23, 25, 26, 28, 32, 33], "machin": [2, 4, 5, 9, 11, 12, 17, 20, 22, 25, 27, 33], "reproduc": [2, 5, 6, 17, 18, 20], "infrastuctur": 2, "regress": [2, 17], "test": [2, 5, 6, 8, 9, 11, 17, 18, 33], "suit": [2, 25], "continu": [2, 6, 9, 11, 17, 33], "updat": [2, 4, 11, 19, 20, 29, 33], "new": [2, 4, 5, 7, 11, 12, 14, 15, 17, 20, 25], "seed": [2, 5, 7, 8, 14, 15, 22], "execut": [2, 3, 4, 5, 6, 7, 8, 10, 11, 13, 14, 17, 19, 20, 22, 25, 26, 32, 33], "conveni": [2, 6, 19], "everi": [2, 4, 5, 15, 19], "pr": 2, "dai": 2, "week": 2, "requir": [2, 3, 4, 6, 14, 19, 20, 22, 25, 33], "A": [2, 4, 6, 7, 11, 14, 15, 18, 19, 22, 31, 33], "compat": [2, 4, 11, 23], "server": [2, 5, 6, 17, 19, 20, 22], "intel": [2, 3, 4, 5, 6, 11, 13, 17, 22, 33], "pt": [2, 3, 5, 6, 7, 8, 11, 13, 17, 20, 22], "self": [2, 18], "first": [2, 5, 6, 8, 11, 13, 15, 17, 20, 25, 33], "step": [2, 3, 5, 6, 8, 9, 12, 13, 14, 17, 19, 21, 22, 23, 24, 25, 30, 33], "instal": [2, 3, 4, 12, 19, 20, 26, 33], "choic": [2, 5], "we": [2, 4, 6, 9, 11, 12, 13, 15, 16, 17, 18, 19, 20, 21, 22, 23, 25, 26, 31, 32, 33], "leverag": [2, 4, 29], "ansibl": [2, 3, 11, 19, 26, 32, 33], "playbook": [2, 4, 11, 19, 26, 32, 33], "part": [2, 5, 6, 15, 17, 19], "rewrit": [2, 4, 6, 20, 25, 29], "inventori": [2, 4], "remot": [2, 4, 17], "specifi": [2, 4, 5, 7, 11, 13, 17, 25, 33], "echo": [2, 6, 11, 19], "exampl": [2, 3, 4, 5, 6, 9, 13, 14, 17, 18, 19, 20, 22, 25, 26, 30, 32, 33], "com": [2, 3, 4, 11, 20, 33], "onli": [2, 4, 5, 6, 8, 11, 13, 25, 30, 33], "tag": [2, 3, 8, 11, 19, 33], "command": [2, 4, 5, 7, 11, 14, 17, 18, 22, 33], "grub": [2, 4], "reboot": [2, 4, 5, 11, 17, 20, 22], "onc": [2, 6, 11, 14, 17, 22, 25], "done": [2, 6, 7, 11, 15, 17, 25, 33], "should": [2, 5, 6, 10, 11, 12, 13, 14, 15, 17, 22, 23, 33], "find": [2, 7, 10, 12, 14, 15, 17, 20, 22, 23, 25], "unam": 2, "grep": [2, 
11], "6": [2, 3, 7, 16, 17, 21, 22, 25, 26, 31, 33], "0": [2, 5, 6, 7, 9, 13, 14, 15, 17, 18, 20, 22, 25, 26, 29, 31, 32, 33], "pull": [2, 4, 11], "latest": [2, 11, 33], "imag": [2, 4, 5, 11, 17, 20, 22, 27, 33], "run": [2, 3, 4, 5, 6, 8, 11, 16, 17, 20, 23, 24, 25, 26, 27, 32, 33], "userspac": [2, 3, 11, 12, 19, 20, 22, 25, 26, 27, 31, 32], "let": [2, 5, 6, 11, 12, 15, 17, 18, 23, 25, 33], "well": [2, 3, 5, 17, 25], "engin": 2, "ubuntu": [2, 11, 19], "final": [2, 5, 33], "follow": [2, 3, 5, 6, 11, 13, 16, 19, 21, 24, 25, 28, 31, 33], "offici": [2, 15], "guid": [2, 12, 13, 17, 25], "add": [2, 5, 11, 13, 20, 23, 25, 33], "repositori": [2, 3, 4, 11, 13], "now": [2, 6, 9, 11, 12, 13, 15, 17, 19, 22, 23, 25, 33], "have": [2, 4, 6, 11, 12, 13, 14, 15, 17, 19, 22, 23, 25, 26, 30, 31, 33], "avail": [2, 4, 5, 6, 7, 11, 19, 20, 21, 25, 33], "under": [2, 9, 17, 18, 23, 27, 33], "go": [2, 11, 23, 33], "check": [2, 3, 4, 5, 6, 11, 15, 17, 18, 20, 22, 31], "readm": [2, 19], "yml": [2, 4], "linux": [2, 3, 4, 5, 6, 9, 11, 12, 13, 14, 15, 16, 17, 19], "boil": 2, "down": [2, 5, 7, 17, 23], "invok": [2, 13, 17], "specif": [2, 5, 6, 9, 13, 16, 18, 29], "subcommand": [2, 5, 11, 17, 20], "workdir": [2, 3, 5, 7, 17, 20, 22], "mount": [2, 11, 20], "contain": [2, 11, 17, 18, 23, 25], "few": [2, 12, 14, 22, 33], "extra_arg": 2, "line": [2, 4, 5, 11, 13, 14, 17, 18, 21, 22, 23, 33], "name": [2, 4, 6, 15, 17, 23, 33], "master": [2, 4], "own": [2, 4, 6, 13, 23, 31], "all": [2, 3, 4, 5, 7, 10, 11, 14, 17, 22], "thing": [2, 20], "default": [2, 4, 5, 6, 8, 14, 22, 26, 32, 33], "timeout": [2, 5, 6, 7, 8, 10, 14, 15, 17, 20, 22], "job": 2, "limit": [2, 5, 6, 13], "6h": 2, "possibl": [2, 4, 23, 29, 33], "bypass": 2, "higher": 2, "valu": [2, 5, 6, 8, 14, 22, 26, 32, 33], "job_id": 2, "minut": [2, 14, 22, 33], "For": [2, 3, 5, 6, 13, 14, 17, 18, 20, 22, 25], "max": [2, 5, 22], "time": [2, 5, 6, 7, 8, 15, 17, 23, 25, 33], "60": [2, 7, 15, 17], "24": [2, 15, 17, 20], "7": [2, 7, 14, 15, 17, 18, 21, 22, 
31, 33], "20160": 2, "And": [2, 4, 11, 15, 17, 26, 32], "ani": [2, 3, 5, 6, 8, 11, 14, 20, 25, 32, 33], "want": [2, 4, 6, 11, 25, 33], "threshold": 2, "259200": 2, "second": [2, 5, 7, 15], "ha": [2, 4, 5, 6, 7, 9, 11, 20, 22, 33], "been": [2, 5, 6, 7, 9, 11, 12, 14, 17, 22, 25, 26, 30, 31, 33], "introduc": [2, 4, 9, 11, 12, 19], "tianocor": 2, "commun": [2, 4, 5, 8, 9, 19, 25, 33], "meet": [2, 11], "mai": [2, 5, 8, 19, 20, 33], "4th": 2, "2023": 2, "fuzzer": [3, 4, 6, 8, 9, 11, 12, 13, 14, 17, 20, 22, 25], "x86": [3, 6, 14, 17, 19, 20], "vm": [3, 5, 6, 11, 13, 17, 19, 20, 22, 24, 27, 30], "great": 3, "anyth": [3, 11, 31], "qemu": [3, 4, 5, 6, 7, 8, 10, 13, 14, 15, 17, 20, 22, 25, 33], "kvm": [3, 4, 5, 11, 17, 19, 20, 22, 33], "guest": [3, 4, 5, 6, 8, 9, 13, 17, 19, 20, 23, 24, 25, 27, 30, 33], "particular": [3, 17, 20], "firmwar": [3, 19], "full": [3, 6, 14, 17, 19, 22], "blown": 3, "oper": [3, 5, 6, 13, 18], "system": [3, 5, 9, 11, 14, 17, 19, 20, 22, 23, 25], "vt": 3, "pml": 3, "achiev": [3, 4, 6], "effici": [3, 19], "reset": [3, 6, 17, 25], "coverag": [3, 5, 6, 7, 8, 13, 21, 25], "whitebox": 3, "scenario": [3, 17], "allow": [3, 11, 17, 33], "mani": [3, 8], "fw": 3, "desir": [3, 4, 6], "toolchain": [3, 11], "minim": [3, 5, 6, 19], "code": [3, 5, 6, 8, 13, 16, 17, 20, 21, 23, 24, 30], "modif": [3, 11, 19, 33], "written": 3, "python": [3, 5, 8, 11], "design": [3, 18], "parallel": [3, 5, 20], "multipl": [3, 5, 6, 20, 23], "instanc": [3, 5, 8, 14, 17, 20, 22], "an": [3, 4, 5, 6, 7, 8, 11, 12, 16, 17, 18, 19, 20, 21, 22, 26, 32, 33], "afl": [3, 5], "like": [3, 4, 5, 6, 18, 31], "easi": [3, 4], "extend": [3, 5, 33], "custom": [3, 5, 6, 19], "mutat": [3, 5, 7], "analysi": [3, 5, 8, 14, 16, 17, 21, 24, 27, 30], "schedul": [3, 7], "option": [3, 4, 5, 13, 17, 19, 20, 33], "radamsa": [3, 4, 7, 8, 20], "extens": 3, "introspect": [3, 25], "extract": [3, 5, 23], "runtim": [3, 7, 15], "condit": [3, 17, 25], "instruct": [3, 20, 25], "overcom": 3, "typic": [3, 5, 6, 8], "magic": 
3, "byte": [3, 5, 6, 7, 13, 15, 17], "other": [3, 4, 5, 6, 8, 20, 33], "attempt": [3, 20, 26, 32], "identifi": [3, 13, 17, 23, 25], "keyword": [3, 4], "syntax": 3, "order": [3, 5, 17, 25, 33], "gener": [3, 6, 13, 17, 33], "more": [3, 5, 6, 8, 11, 14, 17, 18, 19, 22, 25, 33], "clever": 3, "larg": [3, 6], "scale": 3, "detail": [3, 7, 15, 17, 19, 33], "pleas": [3, 13, 14, 22, 33], "visit": 3, "around": [3, 4, 6, 13, 15, 25, 31], "main": [3, 5, 8, 11, 13, 33], "which": [3, 6, 7, 8, 11, 13, 14, 15, 17, 18, 20, 22, 25], "organis": 3, "subcompon": 3, "frontend": [3, 4, 6], "modifi": [3, 5, 11, 15, 17, 33], "hypercal": [3, 5, 7, 9, 10, 13, 14, 17, 19, 21, 22, 23, 25, 29, 31], "support": [3, 5, 6, 8, 11, 17, 22], "libxdc": [3, 4, 5, 6, 20], "decod": [3, 5, 6, 8, 20], "librari": [3, 6], "action": 3, "github": [3, 4, 11, 20], "ci": [3, 4], "introduct": 3, "1": [3, 6, 7, 13, 14, 15, 16, 17, 21, 22, 23, 25, 26, 31, 32, 33], "2": [3, 6, 7, 14, 15, 16, 17, 21, 22, 23, 25, 26, 31, 32, 33], "clone": [3, 4, 20], "sourc": [3, 4, 13, 16, 19, 20, 21, 24, 26, 30, 32, 33], "3": [3, 6, 7, 14, 15, 16, 17, 19, 21, 22, 25, 31, 32, 33], "deploi": [3, 4, 19, 33], "4": [3, 5, 6, 7, 10, 13, 16, 17, 19, 21, 22, 25, 31, 33], "set": [3, 4, 6, 8, 9, 13, 14, 17, 18, 19, 20, 26, 32, 33], "environ": [3, 4, 7, 8, 9, 19, 33], "env": [3, 4, 8, 14], "5": [3, 4, 5, 7, 15, 16, 21, 22, 25, 26, 31, 32, 33], "verifi": [3, 5, 6, 17, 33], "On": 3, "next": [3, 5, 6, 9, 13, 14, 17, 18, 19, 21, 22, 23, 26], "concept": [3, 19, 21], "agent": [3, 5, 6, 16, 17, 20, 21, 24, 30], "pick": [3, 4, 20], "dvkm": [3, 4, 14, 15, 17, 18, 21], "window": [3, 4, 6, 7, 9, 11, 12, 19, 22, 25, 26, 30, 31, 32], "driver": [3, 12, 18, 19, 23, 25, 26, 27, 28, 30, 31, 32, 33], "up": [3, 5, 7, 8, 18, 19, 20, 33], "docker": [3, 4, 11, 20], "setup": [3, 4, 7, 11, 12, 15, 16, 20, 24, 26, 30, 32], "runner": 3, "configur": [3, 6, 9, 11, 12, 13, 14, 17, 19, 21, 22, 25, 33], "preced": 3, "overrid": [3, 6, 8, 33], "variabl": [3, 4, 8, 11, 17, 18, 
33], "kei": [3, 13, 17, 21], "deploy": [3, 8, 11], "makefil": [3, 15, 17, 19, 26, 32, 33], "galaxi": 3, "api": [3, 19, 29], "essenti": [3, 4, 11], "further": [3, 13, 17, 33], "util": [3, 17, 19], "function": [3, 5, 9, 13, 17, 18, 20, 25, 31], "untest": 3, "fulli": [3, 5], "deprec": [3, 5], "usag": [3, 7], "convent": 3, "user": [3, 4, 5, 6, 11, 12, 14, 15, 17, 18, 19, 20, 26, 32, 33], "interfac": [3, 6, 12, 14, 19, 20], "gui": [3, 10, 16, 21, 24, 33], "research": 3, "paper": 3, "built": [4, 6, 18, 20, 25, 31], "IT": 4, "framework": [4, 5], "cloud": 4, "servic": [4, 26, 32], "provis": [4, 24, 27, 30, 33], "virtual": [4, 6, 9, 16, 17, 20, 22, 25], "As": [4, 5, 33], "ar": [4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 17, 18, 19, 20, 22, 23, 25, 26, 31, 32, 33], "expect": [4, 6, 8, 20, 26, 32, 33], "perform": [4, 5, 6, 7, 8, 13, 18, 19, 20, 25], "see": [4, 5, 6, 7, 8, 10, 11, 14, 17, 20, 22, 33], "document": [4, 5, 6, 11, 12, 15, 20, 28], "list": [4, 5, 33], "level": [4, 5, 6, 7, 17, 20], "made": [4, 5, 6, 11, 12], "when": [4, 5, 6, 8, 13, 17, 20, 22, 23, 25, 33], "If": [4, 6, 11, 17, 25, 33], "necessari": [4, 6, 11, 12, 25, 33], "download": [4, 5, 11, 19, 21], "10": [4, 5, 6, 7, 15, 17, 18, 20, 22, 23, 33], "73": [4, 17], "ensur": [4, 6, 13, 14, 20, 31], "current": [4, 5, 6, 7, 8, 11, 15, 17], "group": [4, 11, 20], "dev": [4, 5, 8, 11, 14, 15, 17, 20, 22, 23], "devic": [4, 5, 11, 17, 20, 22, 25], "permiss": 4, "noth": [4, 6, 11], "els": [4, 11], "descript": [4, 5, 33], "compon": [4, 11, 13, 25, 33], "accord": 4, "file": [4, 5, 6, 7, 8, 11, 14, 17, 18, 19, 20, 22, 23, 33], "Will": [4, 5, 25], "localhost": [4, 17], "enter": [4, 11, 20, 22, 26, 32, 33], "sub": [4, 11], "shell": [4, 11, 12, 17, 33], "clean": [4, 15], "remov": [4, 14, 33], "virtualenv": [4, 14, 22], "venv": [4, 11, 14, 15, 17, 19, 22, 23, 33], "forc": 4, "git": [4, 11, 12, 20], "manag": [4, 5, 8, 33], "orient": 4, "rebuild": 4, "some": [4, 6, 8, 11, 33], "accept": [4, 5, 6], "addit": [4, 5, 6, 7, 8, 14, 17, 20], 
"argument": [4, 5, 6, 8, 18, 33], "them": [4, 8, 11, 15, 17, 23, 25, 33], "after": [4, 5, 6, 13, 14, 15, 17, 18, 22], "end": [4, 12, 13, 15, 17, 25], "symbol": [4, 17], "doubl": [4, 18], "dash": 4, "These": [4, 17], "pass": [4, 6], "underli": 4, "toggl": [4, 5], "3rd": 4, "verbos": [4, 14, 33], "vvv": 4, "skip": [4, 5, 6, 11, 20, 26, 32, 33], "hardware_check": 4, "hardare_check": 4, "sinc": [4, 6, 7, 11, 20, 30], "hack": [4, 6], "convert": 4, "quot": 4, "string": [4, 5, 6, 13, 15, 17, 19, 23], "doesn": [4, 11, 17, 22, 25, 31], "t": [4, 5, 11, 17, 20, 22, 25, 31], "work": [4, 5, 8, 17, 20], "extra": [4, 5, 6, 33], "var": [4, 33], "ansible_connect": 4, "fine": [4, 17], "grain": [4, 17], "control": [4, 6, 17], "thei": [4, 6, 8, 25], "paramet": [4, 14, 17, 19, 22, 25], "directli": [4, 5, 6, 17, 20, 33], "ad": [4, 5, 7, 17, 33], "featur": [4, 6, 11, 17, 19, 21, 22, 33], "describ": 4, "previous": [4, 6, 8, 20, 31, 32], "select": [4, 7], "task": [4, 6, 7, 15, 17, 26, 32], "capston": 4, "kvm_devic": 4, "fix": [4, 17], "node": [4, 7, 15, 22, 33], "reboot_kernel": 4, "respons": [4, 9, 13, 18], "update_grub": 4, "entri": [4, 8, 17, 18, 22, 25], "where": [4, 5, 6, 14, 17, 22, 23], "etc": [4, 5, 6, 9, 20, 25, 33], "templat": [4, 6, 24, 27, 30], "tool": [4, 8, 11, 17, 19, 20, 24, 30], "packer": [4, 19, 33], "vagrant": [4, 19, 24, 26, 30, 32], "agrant": 4, "plugin": [4, 33], "bridg": 4, "helper": [4, 8, 17], "packag": [4, 5], "submodul": 4, "damn": [4, 16, 18, 21], "vulner": [4, 12, 16, 17, 18, 21, 24, 30], "modul": [4, 13, 15, 16, 17, 18, 19, 21, 25], "One": 4, "reason": [4, 6, 17, 21, 25, 33], "scratch": 4, "v0": [4, 33], "releas": [4, 7, 10, 13, 14, 17, 22], "wa": [4, 6, 15, 17, 18, 33], "better": [4, 6, 8, 11, 12, 15, 17, 18, 19, 20, 25, 33], "In": [4, 5, 6, 11, 15, 17, 18, 19, 20, 33], "fact": [4, 11, 15, 26, 32], "base": [4, 5, 7, 11, 13, 18, 19, 20, 25, 33], "ccc": 4, "harden": 4, "repo": [4, 26, 27, 32], "case": [4, 5, 6, 20, 23], "cherri": 4, "goal": 4, "mind": 4, 
"power": [4, 5], "breakdown": 4, "modular": 4, "role": [4, 19], "distribut": 4, "directori": [4, 5, 11, 14, 17, 19, 26, 32, 33], "regroup": [4, 15], "depend": [4, 6, 14, 19, 20, 22], "each": [4, 5, 6, 7, 8, 17, 18, 19, 20, 25], "wai": [4, 11, 23], "includ": [4, 6, 13, 15, 17, 18, 19], "out": [4, 7, 15, 33], "share": [4, 6, 8, 13, 22, 33], "same": [4, 6, 17, 28], "top": [4, 6, 19], "path": [4, 5, 7, 8, 11, 14, 15, 17, 19, 20, 22, 25, 31, 33], "hand": 4, "need": [4, 6, 9, 11, 13, 17, 19, 20, 23, 25, 33], "subfold": 4, "yet": [4, 5, 6, 8, 14, 19, 22], "publicli": 4, "websit": 4, "referenc": 4, "http": [4, 11, 20, 33], "version": [4, 6, 33], "chang": [5, 6, 11, 12, 25, 26, 32, 33], "config": [5, 8, 13, 14, 15, 17, 20], "switch": [5, 19], "dynaconf": 5, "behind": 5, "scene": 5, "so": [5, 6, 17, 25, 33], "everyth": [5, 13, 22], "learn": [5, 7, 31], "also": [5, 6, 7, 8, 20], "applic": [5, 17, 25], "yaml": [5, 8, 14, 17, 19, 20, 22], "format": [5, 6, 13, 14, 33], "kafl_fuzz": [5, 8], "common": [5, 6, 25], "default_set": 5, "home": [5, 17, 20, 22, 26, 32, 33], "pwd": [5, 14, 20], "kafl_config_fil": [5, 20], "ex": [5, 17, 22, 25, 26, 32], "shm": [5, 8, 15, 17, 20, 22, 23], "kafl_test_featur": 5, "prefix": [5, 6], "kafl_": [5, 20], "kafl_process": 5, "8": [5, 7, 15, 17, 20, 22, 23, 31, 33], "note": [5, 8, 13, 20], "point": [5, 6, 8, 11, 13, 20], "non": [5, 6, 7, 8, 17, 18, 20], "exist": [5, 6, 8, 14, 17, 20], "valid": [5, 6, 13, 20], "error": [5, 6, 15, 17, 20, 33], "rais": [5, 6], "warn": [5, 17, 20, 22], "export": [5, 19], "kafl_qemu_memori": 5, "1024": [5, 6], "kafl_log_hrpintf": 5, "true": [5, 6, 33], "section": [5, 12, 13, 15, 17, 18, 19, 21, 33], "avaialbl": 5, "insensit": 5, "256": [5, 6, 17], "exit": [5, 6, 8, 13, 17, 20, 22], "n": [5, 6, 7, 8, 11, 13, 14, 15, 18, 22, 25, 31, 33], "total": [5, 7, 14, 15, 17, 22, 23], "abort": [5, 6, 11, 20], "exec": [5, 7, 8, 15, 17, 20, 22, 23], "builtin": [5, 25, 33], "stop": [5, 6, 13, 15, 22], "elaps": [5, 7], "benchmark": 5, 
"gdb": 5, "payload": [5, 6, 7, 8, 9, 13, 14, 15, 17, 23, 25, 31], "must": [5, 6, 11, 13, 17, 19], "compil": [5, 16, 17, 19, 20, 21, 23, 25, 26, 32, 33], "peform": 5, "print": [5, 6, 13], "stdout": [5, 17, 22, 26, 32], "nois": 5, "measur": 5, "determin": [5, 6, 17], "printk": [5, 6, 13, 14, 17], "redirect": [5, 14, 17], "call": [5, 6, 9, 13, 17, 20, 25, 31], "debugg": [5, 17], "verif": 5, "maximum": 5, "number": [5, 6, 7, 17], "decrement": 5, "style": 5, "arithmet": 5, "affect": 5, "determinist": [5, 7, 8, 20], "stage": [5, 7, 26], "havoc": [5, 7], "34": [5, 7], "arith": 5, "bitflip": 5, "interest": [5, 8, 20], "fals": [5, 33], "dumb": 5, "mode": [5, 6, 17, 33], "d": [5, 11, 13, 17, 18, 20, 33], "zero": [5, 18], "size": [5, 6, 7, 9, 13, 15, 17, 18, 22, 25, 29, 31], "bitmap": [5, 6, 7, 8, 14, 15, 22], "65536": [5, 17, 20, 22], "cpu": [5, 7, 11, 14, 15, 17, 20, 22, 33], "pin": 5, "start": [5, 6, 7, 9, 10, 11, 13, 14, 17, 21, 22, 23, 25, 26, 32, 33], "vcpu": [5, 7], "assign": [5, 7, 13], "worker": [5, 6, 7, 8, 15, 17, 20, 22], "p": [5, 7, 14, 15, 20, 22, 25, 26, 31, 32, 33], "offset": [5, 33], "enabl": [5, 6, 9, 13, 15, 17, 19, 20, 22, 25, 33], "expens": 5, "messag": [5, 11, 14, 17, 22], "dure": [5, 8, 13, 17, 19, 20, 23, 25, 26, 32, 33], "item": 5, "effect": [5, 6, 8, 19, 25], "store": [5, 6, 8, 17, 20], "data": [5, 6, 9, 13, 17, 18, 25, 29], "refer": [5, 9, 11, 12, 13, 14, 20, 22], "impli": 5, "dictionari": 5, "none": [5, 14, 17, 20, 22], "crash": [5, 6, 7, 8, 10, 14, 15, 16, 20, 21, 22, 24, 25, 27, 31], "corpu": [5, 8, 15, 16, 20, 24], "consist": [5, 13], "found": [5, 6, 7, 14, 17, 22, 23, 27, 33], "major": 5, "re": [5, 14, 20], "75": [5, 7, 15, 17], "probabl": [5, 7, 17], "combin": [5, 6, 17, 19, 25], "kafl_workdir": [5, 8, 14, 15, 17, 20, 23], "cov": [5, 8, 20], "output": [5, 8, 13, 17, 20, 26, 32, 33], "help": [5, 9, 20], "shorthand": 5, "tcp": 5, "1234": [5, 17], "freez": 5, "startup": [5, 6, 8], "c": [5, 6, 13, 14, 15, 17, 18, 19, 20, 23, 25, 26, 29, 31, 32], 
"inform": [5, 6, 13, 17, 23, 25], "automat": [5, 6, 7], "kasan": [5, 7, 8, 10, 13, 14, 16, 17, 21, 22], "regular": [5, 6, 7, 8, 10, 14, 15, 22], "session": [5, 8, 17, 33], "ip": [5, 6, 13, 20, 33], "filter": [5, 6, 9, 13, 20], "rang": [5, 6, 13, 18, 20, 31], "range_submit": [5, 13], "hypercall_api": 5, "md": [5, 6, 19, 20], "Not": [5, 33], "region": [5, 15, 17, 20, 22], "ip1": 5, "ip2": 5, "ip3": 5, "queue": [5, 7], "than": [5, 6, 8, 19], "random": [5, 17], "length": 5, "har": [5, 6, 8, 9, 17, 19, 20, 22, 29, 31, 33], "defin": [5, 6, 8, 13, 17, 18, 20, 22, 33], "disabl": [5, 6, 9, 15, 17, 20], "handler": [5, 6, 13, 17, 18, 22], "qemu_trace_nn": 5, "copi": [5, 8, 18, 33], "hprintf": [5, 8, 13, 14, 15, 17, 19, 20, 22, 23], "truncat": [5, 8], "recommend": [5, 8, 11, 17, 20, 21, 33], "collect": [5, 6, 9, 13, 20, 33], "live": [5, 10, 13, 14, 17, 22], "avoid": [5, 8, 20], "oom": 5, "due": [5, 6, 8, 15, 33], "huge": 5, "hprintf_nn": [5, 8], "printf": 5, "creat": [5, 6, 8, 11, 17, 18, 19, 20, 26, 32, 33], "linear": 5, "across": [5, 17], "restor": [5, 13, 19, 26, 32, 33], "page": [5, 6, 8, 13, 14, 15, 17, 22], "4096": [5, 6, 22], "131072": [5, 17, 20, 22], "launch": [5, 7, 14, 17, 20, 22, 33], "ptdump": [5, 20], "libxdc_root": 5, "ptdump_stat": 5, "append": [5, 6, 17, 20], "cmdline": 5, "nokaslr": [5, 14, 17, 20], "oop": [5, 13, 14, 17, 20], "panic": [5, 7, 10, 13, 14, 17, 20, 22, 31], "nopti": [5, 14, 17, 20], "mitig": [5, 14, 17, 20], "off": [5, 14, 17, 20, 22], "consol": [5, 14, 17], "ttys0": [5, 14, 17], "baselin": 5, "kafl64": [5, 17, 20, 22], "v1": [5, 17, 20, 22, 33], "vmx": [5, 17, 20, 22], "displai": [5, 11, 17, 20, 22, 23], "bio": [5, 15, 17], "flag": 5, "disk": [5, 8, 33], "drive": [5, 22], "initi": [5, 6, 8, 18, 19, 20, 22, 31, 33], "ram": [5, 7, 8, 15, 22, 27, 33], "initrd": [5, 16, 17], "bzimag": [5, 14, 15, 17, 19, 20], "amount": 5, "memori": [5, 6, 13, 15, 17, 18, 20, 25, 33], "mb": 5, "m": [5, 17, 20, 22], "patch": [5, 21], "qemu_root": 5, "x86_64": [5, 17, 
20, 22, 26, 32, 33], "softmmu": [5, 17, 20, 22], "chardev": [5, 17, 20, 22], "id": [5, 6, 7, 11, 17, 20, 22, 23, 33], "kafl_seri": [5, 17, 20, 22], "mux": [5, 17, 20, 22], "serial_": 5, "qemu_pid": 5, "isa": [5, 17, 20, 22], "serial": [5, 8, 14, 17, 20, 22], "pre": [5, 6, 9, 11], "manual": [5, 6, 33], "creation": 5, "lock": [5, 8, 13, 15, 31], "radamsa_root": 5, "bin": [5, 17, 20, 26, 32, 33], "simpl": [5, 19, 20], "would": [5, 19, 23], "subsequ": [5, 6], "jump": [5, 12, 20, 22], "tabl": [5, 8], "hammer": 5, "checksum": [5, 33], "fixer": 5, "broken": 5, "hash": [5, 7, 8, 17], "persist": [5, 6, 25], "partial": 5, "somewher": [5, 17], "100": [5, 6, 14, 15, 17], "tend": [5, 8], "yield": [5, 7], "good": [5, 11, 25], "stabil": [5, 7, 15, 17], "trade": 5, "r": [5, 6, 7, 15, 17, 20, 22, 23, 31], "tell": [5, 6], "caus": [5, 12, 20], "page_cach": [5, 8, 20], "complet": [5, 11, 13, 17, 19, 33], "campaign": [5, 7, 8, 10, 13, 16, 19, 21, 23, 24, 27, 30], "travers": [5, 7], "recurs": 5, "import": [5, 8, 24, 30], "seed_xxx": 5, "consum": [5, 20], "upon": [5, 17], "dir": [5, 7, 8, 22], "folder": [5, 6, 8, 23, 26, 32, 33], "req_stream_data": [5, 19], "both": [5, 9, 13, 17, 18, 26], "report": [5, 6, 7, 14, 16, 17, 22, 23], "produc": [5, 20], "hard": [5, 8], "soft": 5, "lower": [5, 7], "adapt": [5, 12, 18, 33], "seen": [5, 7], "001": 5, "callback": 5, "significantli": [5, 6, 21], "slow": 5, "result": [5, 6, 8, 12, 15, 16, 18, 20, 21, 26, 32, 33], "differ": [5, 6, 20, 30], "edge_cb_trac": 5, "cb": [5, 7], "dump": [5, 6, 8, 15, 17, 20], "binari": [5, 6, 11, 19, 20, 26, 32], "discov": [5, 7, 8, 17], "later": 5, "recommed": 5, "incurr": 5, "dump_pt_trac": 5, "load": [5, 17, 19, 20, 22, 25, 33], "tutori": [5, 9, 12, 13, 15, 18, 21, 24, 25, 27, 30, 31, 33], "were": 5, "mtarral": [5, 15, 17, 22, 23], "kafl_config": 5, "Then": [5, 33], "parser": 5, "argpars": 5, "env_glob": 5, "config_fil": 5, "root": [5, 11, 12, 14, 17, 19, 20, 26, 32], "kafl_mtarr": [5, 15, 17, 22, 23], "workspac": 5, 
"supersed": 5, "definit": [5, 6, 33], "accumul": [5, 8], "primari": [5, 8], "locat": [5, 6, 8, 13, 15, 17, 21, 22, 24, 25, 26, 31, 32], "inspect": [5, 8, 17], "statu": [5, 7, 8, 17], "previou": [5, 8, 17], "still": [5, 8, 17, 33], "post": [5, 8], "triag": [5, 8], "layout": [5, 17], "issu": [6, 17, 21, 31, 33], "special": [6, 8], "bootstrap": [6, 20], "coordin": 6, "approach": [6, 19], "offer": [6, 17, 20, 21], "low": [6, 20], "take": [6, 10, 13, 14, 22, 33], "inject": [6, 20], "nyx_api": [6, 13, 15], "h": [6, 7, 13, 15, 17], "header": [6, 13], "hypercall_kafl_": 6, "handshak": [6, 9, 13, 22], "kafl_hypercal": [6, 9, 13, 15, 25, 29], "hypercall_kafl_acquir": [6, 9, 13, 25], "hypercall_kafl_releas": [6, 8, 9, 13, 25, 29], "kafl_hypercall_acquir": [6, 9], "func": [6, 9], "kafl_hypercall_releas": [6, 9], "mark": [6, 15], "singl": [6, 18], "reach": [6, 17, 22], "mean": [6, 8, 14, 17, 22], "newer": [6, 11], "backend": [6, 33], "actual": [6, 11, 23, 33], "get": [6, 11, 20, 21, 23, 25, 33], "instead": [6, 20], "write": [6, 8, 13, 17, 23, 25], "provid": [6, 15, 17, 18, 19, 20, 26, 32, 33], "address": [6, 15, 17, 18, 25, 33], "mmap": [6, 22], "buffer": [6, 9, 13, 18, 25, 31], "care": 6, "alloc": [6, 9, 13, 14, 15, 18, 22, 25, 27, 31, 33], "suffici": [6, 20], "align": [6, 13], "sure": [6, 11, 17, 20, 22, 26, 32, 33], "resid": [6, 13], "pagefault": 6, "unistd": 6, "stdlib": 6, "sy": [6, 25, 26, 32], "mman": 6, "64kb": 6, "long": [6, 17], "page_s": 6, "sysconf": [6, 13], "_sc_pages": [6, 13], "size_t": [6, 13, 15, 25], "buffer_s": 6, "64": [6, 7, 15, 17, 22], "kafl_payload": [6, 9, 13], "payload_buff": [6, 9, 13, 25, 29], "aligned_alloc": [6, 13], "mlock": [6, 13], "between": [6, 8, 18, 19, 25, 33], "hypercall_kafl_get_payload": 6, "uintptr_t": 6, "virtualalloc": 6, "garante": 6, "null": [6, 17, 25], "mem_reserv": 6, "mem_commit": 6, "page_readwrit": 6, "virtuallock": 6, "struct": [6, 13, 17, 18], "typedef": 6, "int32_t": 6, "uint8_t": [6, 31], "trigger": [6, 11, 15, 17, 18, 
25, 26, 32, 33], "regist": [6, 13], "invoc": 6, "befor": [6, 9, 11, 13, 14, 17, 20], "how": [6, 11, 12, 15, 17, 18, 19, 20], "hi": 6, "implement": [6, 9, 13, 19, 20, 24, 30], "most": [6, 19, 20], "straightforward": [6, 21, 31], "No": [6, 17, 20, 22, 33], "loop": [6, 20, 22], "iter": [6, 7, 19, 25], "hypercall_kafl_next_payload": [6, 13, 25], "target_entri": [6, 13], "less": 6, "nontheless": 6, "advanc": [6, 12], "ie": 6, "surviv": 6, "gain": [6, 17], "agent_non_reload_mod": [6, 25], "field": [6, 10, 13, 14, 22], "agent_config_t": 6, "agent_config": 6, "agent_mag": 6, "nyx_agent_mag": 6, "agent_vers": 6, "nyx_agent_vers": 6, "hypercall_kafl_set_agent_config": 6, "here": [6, 8, 9, 11, 15, 17, 18, 19, 20, 23, 25, 30], "alwai": 6, "reload": [6, 8, 20], "tweak": [6, 17], "infinit": 6, "Be": [6, 20], "pollut": 6, "might": [6, 11, 18], "becom": [6, 11, 33], "imposs": 6, "queri": [6, 13], "host_config_t": 6, "host_config": [6, 13, 22], "hypercall_kafl_get_host_config": 6, "dkb": 6, "payload_buffer_s": [6, 13, 22], "safeti": [6, 8, 15], "against": 6, "nyx_host_mag": 6, "uint32_t": 6, "host_mag": 6, "host_vers": 6, "bitmap_s": [6, 17, 20, 22], "todo": 6, "ijon_bitmap_s": [6, 22], "equal": 6, "larger": 6, "worker_id": [6, 17, 20, 22], "protocol": [6, 16, 33], "otherwis": 6, "kvm_exit_kafl_get_host_config": 6, "about": [6, 13, 20, 25], "capabl": [6, 14, 22, 25], "trace": [6, 8, 11, 15, 17, 20, 22, 25], "agent_timeout_detect": 6, "agent_trac": 6, "agent_ijon_trac": 6, "fuzzer_configur": [6, 20], "softwar": [6, 17, 33], "instrument": [6, 9, 15], "our": [6, 9, 11, 12, 13, 15, 16, 17, 18, 22, 23, 25, 33], "uint64_t": 6, "trace_buffer_vaddr": 6, "ijon_trace_buffer_vaddr": 6, "coverage_bitmap_s": 6, "input_buffer_s": [6, 17, 20, 22], "dump_payload": 6, "kvm_exit_kafl_set_agent_config": 6, "event": [6, 15, 17], "hypercall_kafl_pan": [6, 8, 13], "hypercall_kafl_kasan": [6, 8, 15], "sanit": [6, 15, 21], "overwrit": 6, "detect": [6, 7, 13, 15, 20, 33], "log": [6, 8, 14, 15, 16, 20, 22], 
"side": [6, 8, 25], "panic_kebugcheck": 6, "resolve_kebugcheck": [6, 25], "kebugcheck": [6, 25], "panic_kebugcheck2": 6, "kebugcheckex": [6, 25], "hypercall_kafl_submit_pan": [6, 25], "unexpect": [6, 17, 20], "inlin": 6, "macro": [6, 18], "often": [6, 19], "prefer": [6, 21], "flexibl": [6, 19], "place": [6, 17, 22], "except": [6, 31], "20": [6, 7, 11, 15, 17, 20, 22], "26": [6, 7, 15, 23], "overwritten": 6, "whether": 6, "protect": [6, 17], "notifi": [6, 13], "fa": [6, 7, 17], "cli": 6, "48": [6, 15, 17], "c7": [6, 7, 15, 17], "c0": [6, 7, 15, 17, 23], "1f": [6, 7, 15, 17], "00": [6, 7, 15, 17, 20, 22, 23], "mov": [6, 17], "rax": [6, 17], "0x1f": [6, 17], "c3": 6, "08": [6, 15, 17], "rbx": [6, 15, 17], "0x8": [6, 18], "c1": [6, 17], "rcx": [6, 15, 17], "0x0": [6, 15, 18, 25], "0f": [6, 15, 17], "01": [6, 15, 17, 20], "vmcall": [6, 25], "f4": [6, 7, 17], "hlt": 6, "panic_payload_64": 6, "xfa": 6, "x48": 6, "xc7": 6, "xc0": 6, "x1f": 6, "x00": 6, "xc3": 6, "x08": 6, "xc1": 6, "x0f": 6, "x01": 6, "xf4": 6, "send": [6, 17, 19], "pointer": [6, 13, 17, 25], "veri": [6, 7, 11, 25, 30], "debug": [6, 8, 15, 16], "forward": [6, 32, 33], "stack": [6, 11, 17, 18], "hypercall_kafl_printf": 6, "impact": 6, "propos": 6, "wrapper": 6, "variad": 6, "known": [6, 21], "simpli": [6, 9, 17, 20, 25, 33], "easier": [6, 19], "obtain": [6, 7, 13, 19], "0xfffff8010e0b0000": 6, "0xfffff8010e0b7000": 6, "hypercall_kafl_range_submit": [6, 25], "ipn": 6, "cr3": [6, 13, 17], "context": [6, 17], "hypercall_kafl_submit_cr3": 6, "least": [6, 14, 22, 33], "keep": [6, 8, 17, 25], "userland": [6, 13, 25], "howev": [6, 13], "especi": [6, 10, 14, 20, 22], "fork": 6, "being": [6, 17], "signal": [6, 17], "fatal": 6, "mainli": [6, 8, 20, 33], "kind": 6, "assert": [6, 20], "perspect": 6, "auto": [6, 20], "resum": [6, 8, 17, 20], "hang": [6, 17], "hypercall_kafl_user_abort": 6, "too": [6, 21], "explicitli": 6, "32": [6, 7, 15, 18, 20, 22], "bit": [6, 7, 17, 20, 22], "influenc": 6, "possibli": 6, "submit": 
[6, 13, 22, 25], "hypercall_kafl_user_submit_mod": 6, "kafl_mode_64": 6, "advis": 6, "kafl_rang": 6, "inttyp": 6, "intel_pt_max_rang": 6, "hypercall_kafl_user_range_advis": 6, "int": [6, 13, 17, 18, 31], "prid64": 6, "prix64": 6, "prid8": 6, "suppos": 6, "prefetch": 6, "chanc": 6, "longer": 6, "even": [6, 17, 20], "present": [6, 17, 19], "breakpoint": [6, 17], "nevertheless": 6, "fetch": [6, 19], "correspondingli": 6, "sharedir": [6, 14, 17, 20, 22], "assum": [6, 9, 12, 27], "content": [6, 17, 23], "hello": [6, 19, 20], "txt": [6, 8, 19, 20], "sharedir_filenam": 6, "0x1000": [6, 22], "strncpy": 6, "strlen": 6, "hypercall_kafl_req_stream_data": 6, "work_dir": [6, 8], "suppli": [6, 8], "mkstemp": 6, "filenam": [6, 23], "uniqu": [6, 7, 17, 18], "kafl_dump_file_t": 6, "file_name_str_ptr": 6, "data_ptr": 6, "f": [6, 7, 17, 23, 31], "fopen": 6, "proc": [6, 11, 13, 18, 19], "kallsym": 6, "rb": 6, "char": [6, 13, 18], "fread": 6, "4095": 6, "hypercall_kafl_dump_fil": [6, 8], "save": [6, 33], "usermod": 6, "hypercall_kafl_user_fast_acquir": [6, 29], "solv": 6, "emploi": [6, 9], "row": 6, "termin": [6, 10, 14, 17, 22], "correctli": 6, "program": [6, 8, 9, 11, 17, 22, 31], "brought": 6, "complex": [6, 11, 25], "begin": [6, 17], "boot": [6, 12, 14, 17, 20, 21, 22, 26, 32, 33], "hypercall_kafl_lock": 6, "do": [6, 17, 20, 25], "serv": [6, 13, 19, 21], "purpos": [6, 25, 31], "much": 6, "transfer": 6, "speed": [6, 7, 13, 14, 22, 25, 29], "bulk": 6, "4kb": 6, "per": [6, 7, 23], "file_nam": 6, "request": [6, 17, 22, 25], "num_address": 6, "arrai": 6, "count": 6, "479": 6, "req_data_bulk_t": 6, "slightli": 6, "slower": 6, "smaller": 6, "1mb": 6, "exclud": [6, 25], "frame": 6, "mechan": 6, "pfn": [6, 15], "0x8048000": 6, "hypercall_kafl_persist_page_past_snapshot": 6, "static": [6, 13], "void": [6, 13, 15, 17, 25, 31], "msg": 6, "const": [6, 15], "equival": [6, 19], "kafl_hypercall_printf": 6, "lp": 6, "panic_extend": [6, 7, 10, 14, 22], "mix": [6, 8], "create_tmp_snapshot": 6, 
"posit": 6, "debug_tmp_snapshot": 6, "nested_": 6, "roughli": 6, "nest": 6, "l2": 6, "get_program": 6, "get_argv": 6, "replac": [6, 13], "info": [6, 7, 8, 13, 15, 17, 18, 33], "push": [6, 17, 19], "printk_addr": 6, "interpret": [6, 11, 17, 20], "arg": [6, 17], "render": 7, "variou": [7, 8, 17, 20], "metadata": [7, 8, 33], "curs": 7, "text": [7, 20], "ui": [7, 15], "old": 7, "archiv": 7, "quick": [7, 15, 19], "overview": [7, 16], "averag": 7, "through": [7, 9, 12, 13, 14, 16, 17, 19, 24, 25, 30, 33], "explicit": 7, "w": [7, 17, 20, 25, 31], "workdir_path": 7, "grand": [7, 15], "2h00m": 7, "0m": 7, "16": [7, 15, 17, 20, 22], "72": [7, 17], "curexec": [7, 15], "4018": 7, "funki": [7, 8, 15], "est": [7, 15], "74": [7, 17, 23], "avgexec": [7, 15], "3616": 7, "progress": [7, 10, 15, 16, 24, 25], "141": 7, "1h57m": 7, "45": [7, 17], "edg": [7, 14, 15, 20, 22], "11": [7, 15, 17, 20, 22, 23], "1k": 7, "addsan": [7, 10, 14, 15, 22], "fav": [7, 14, 15, 20, 22], "18": [7, 14, 15, 17, 20, 22], "21": [7, 17, 20, 22], "2k": 7, "9": [7, 11, 17, 19, 20, 22, 31, 33], "13m15": 7, "norm": [7, 14, 15, 22], "123": 7, "col": [7, 14, 15, 22], "3m27": 7, "yld": 7, "init": [7, 33], "38": [7, 14, 15, 17, 23], "grim": 7, "redq": 7, "det": 7, "hvc": 7, "66": [7, 17], "rq": 7, "gr": 7, "fin": 7, "12": [7, 15, 17, 18, 20, 22, 33], "nrm": 7, "120": [7, 17], "activ": [7, 17, 20, 22, 33], "afl_splic": [7, 22], "140": 7, "lvl": [7, 22], "399": 7, "afl_havoc": [7, 22], "97": [7, 17, 23], "395": [7, 20], "afl_flip_2": 7, "96": 7, "400": 7, "106": 7, "371": 7, "85": [7, 17], "243": 7, "103": 7, "244": 7, "58": [7, 23], "245": 7, "62": 7, "25": [7, 15, 17], "242": 7, "50": [7, 13, 23], "153": 7, "233": 7, "84": [7, 17], "99": 7, "30": [7, 15, 17, 22, 23], "239": 7, "13": [7, 17, 20, 22], "241": 7, "14": [7, 17, 20, 22, 23], "146": 7, "27": 7, "240": 7, "15": [7, 17, 20, 22, 23], "afl_arith_2": 7, "0kb": [7, 20], "perf": 7, "75m": 7, "score": 7, "0h02m": 7, "0x0000000": 7, "17": [7, 17, 20, 22], "9d": 7, 
"e4": [7, 23], "47": [7, 22], "90": [7, 17], "f5": 7, "52": 7, "61": [7, 17, 22], "59": [7, 15, 17], "7c": [7, 17], "dd": 7, "ac": 7, "8e": 7, "e": [7, 8, 17, 20], "g": [7, 8, 11, 15, 17, 20], "rai": 7, "0x0000010": 7, "8c": 7, "86": [7, 17], "b0": 7, "92": [7, 17], "77": [7, 15, 17, 23], "fb": [7, 15], "28": [7, 14, 15, 17], "f0": [7, 15, 17], "4c": [7, 17], "f7": 7, "23": [7, 15, 17, 22], "49": [7, 17], "94": 7, "l": [7, 15, 17, 19, 20, 23, 31], "iu": 7, "0x0000020": 7, "d5": 7, "76": [7, 17], "1b": 7, "5b": [7, 17], "9e": 7, "e7": 7, "c6": [7, 17], "91": [7, 17], "51": 7, "6d": 7, "35": [7, 17, 20], "40": [7, 15, 17], "v": [7, 17, 20], "qm5": 7, "0x0000030": 7, "80": [7, 17], "8d": [7, 15, 17], "1a": [7, 17], "fe": [7, 17], "b4": 7, "22": [7, 14, 17, 20, 22], "a0": 7, "a4": [7, 17], "89": [7, 15, 17], "4f": [7, 17], "0x0000040": 7, "ef": 7, "ea": [7, 17], "6a": 7, "b2": [7, 17], "7a": 7, "bc": [7, 23], "79": [7, 20], "f9": 7, "d1": 7, "da": 7, "j": [7, 20], "z": 7, "y": [7, 11, 15, 33], "0x0000050": 7, "3b": 7, "63": [7, 17], "93": 7, "1e": [7, 23], "41": [7, 15, 17], "xcy": 7, "0x0000060": 7, "df": 7, "3a": 7, "98": [7, 20], "31": [7, 15, 17], "37": [7, 17], "q": [7, 11, 17], "170141": 7, "0x0000070": 7, "33": [7, 17], "36": [7, 20], "39": [7, 18], "1834604692317316": 7, "0x0000080": 7, "83": [7, 17], "68": [7, 17], "87303": 7, "0x0000090": 7, "70": 7, "71": 7, "46": 7, "x": [7, 19], "fq": 7, "0x00000a0": 7, "f2": 7, "cf": 7, "1d": 7, "81": [7, 17], "2c": 7, "f6": [7, 17], "3e": 7, "5e": [7, 17], "67": [7, 17], "split": 7, "increasingli": 7, "indic": [7, 10, 14, 22], "estim": 7, "rough": 7, "sum": 7, "overal": [7, 12, 30], "fraction": 7, "watch": [7, 10, 14, 15, 22, 33], "frequent": [7, 8], "shallow": 7, "adjust": [7, 19], "kickstart": [7, 20, 22], "favorit": 7, "normal": [7, 17], "transit": 7, "tracer": 7, "collis": 7, "last": [7, 33], "return": [7, 10, 14, 17, 18, 22, 25], "intercept": [7, 10, 14, 22, 25], "individu": 7, "respect": 7, "prioriti": 7, "compar": 
7, "script": [8, 14, 15, 17, 19, 33], "sh": [8, 11, 16], "rather": 8, "unnecessari": 8, "prototyp": 8, "entir": 8, "perman": 8, "commandlin": [8, 19], "By": [8, 17, 23], "popul": 8, "sever": [8, 17, 19], "purg": [8, 14, 20], "opposit": 8, "delet": [8, 33], "itself": 8, "doe": [8, 17, 20, 25], "one": [8, 9, 11, 14, 15, 17, 18, 22, 33], "corpus": [8, 20], "intern": 8, "ipc": 8, "sort": 8, "relev": [8, 13, 20, 25], "mcat": 8, "view": [8, 16, 17, 23, 33], "msgpack": 8, "encod": 8, "tree": 8, "plot": 8, "gnuplot": 8, "stat": 8, "aggreg": 8, "csv": 8, "over": [8, 17, 33], "worker_stats_n": 8, "serial_nn": 8, "excerpt": 8, "irregular": 8, "crash_xxxxxx": 8, "kasan_xxxxxx": 8, "timeo_xxxxxx": 8, "evalu": 8, "upload": [8, 26, 32, 33], "payload_aaaaa": 8, "payload_bbbbb": 8, "payload_ccccc": 8, "payload_ddddd": 8, "catch": 8, "meta": 8, "node_aaaaa": 8, "node_bbbbb": 8, "node_ccccc": 8, "node_ddddd": 8, "kafl_socket": 8, "socket": [8, 17, 20, 22], "interface_n": 8, "payload_n": 8, "aux_buffer_n": 8, "aux_buff": 8, "bitmap_n": 8, "ijon_n": 8, "radamsa_n": 8, "redqueen_workdir_n": 8, "addr": [8, 15], "cach": [8, 15, 17, 33], "global": [8, 18, 33], "main_crash_bitmap": 8, "main_kasan_bitmap": 8, "main_normal_bitmap": 8, "main_timeout_bitmap": 8, "fast_snapshot": 8, "mem_dump": 8, "mem_meta": 8, "qemu_st": 8, "fs_cach": 8, "readi": [8, 9, 11, 13, 14, 26, 33], "dive": [9, 11, 17], "alreadi": [9, 14, 15, 20, 22, 33], "familiar": [9, 11], "vocabulari": 9, "googl": 9, "glossari": 9, "term": 9, "overse": 9, "portion": 9, "sut": 9, "consid": [9, 33], "constitu": 9, "channel": [9, 19, 33], "extern": 9, "akin": 9, "simplifi": [9, 33], "malloc": 9, "payload_s": 9, "bake": [9, 11], "among": [10, 13, 14, 22], "closer": [10, 14, 22], "look": [10, 14, 15, 17, 19, 20, 22, 25, 33], "panel": [10, 14, 22], "column": [10, 14, 22], "processor": 11, "gen": 11, "skylak": 11, "although": [11, 19], "broadwel": 11, "addion": 11, "properli": 11, "intel_pt": 11, "cpuinfo": 11, "fi": 11, "prebuilt": [11, 
15, 17], "dockerhub": 11, "method": 11, "give": [11, 17], "understand": [11, 12, 13, 15, 17, 18, 20, 25, 31], "what": [11, 17, 25], "furthermor": 11, "abl": [11, 12, 15, 23], "addition": [11, 19], "volum": [11, 20, 33], "isn": [11, 25], "unless": 11, "either": [11, 33], "gcc": [11, 26, 32], "sudo": [11, 20], "apt": [11, 20], "python3": [11, 17], "recent": 11, "04": [11, 15, 17], "debian": 11, "bullsey": 11, "insid": [11, 14, 22], "move": [11, 17, 18, 33], "glimps": 11, "without": [11, 17, 20, 22, 33], "touch": 11, "dry": 11, "prompt": 11, "press": 11, "confort": 11, "password": [11, 33], "passwordless": 11, "nopasswd": 11, "sudoer": 11, "just": [11, 15, 17], "newli": 11, "ti": [11, 20], "rm": [11, 20], "u": [11, 17, 20, 33], "getent": [11, 20], "cut": [11, 17, 20], "f3": [11, 20], "acsii": 11, "art": 11, "logo": 11, "__": [11, 17, 20], "___": [11, 17, 20], "________": [11, 17, 20], "_____": [11, 17, 20], "_________": [11, 17, 20], "____": [11, 17, 20], "_": [11, 17, 20], "regard": 11, "walk": [12, 16, 24, 30], "prepar": [12, 13], "insert": [12, 13, 15, 21, 25, 31], "analyz": [12, 17, 23], "At": [12, 23, 26], "comfort": 12, "grasp": 12, "onto": [12, 22], "tailor": 13, "broadli": 13, "categor": 13, "two": [13, 17, 21, 25, 31], "phase": [13, 20, 33], "optim": 13, "behavior": [13, 17], "map": [13, 15], "enhanc": [13, 16, 29, 31], "precis": [13, 23], "criteria": 13, "crucial": 13, "accur": [13, 20], "strictli": 13, "mandat": 13, "certain": [13, 25], "sequenc": [13, 19, 21, 22, 25, 26, 31, 32], "get_host_config": 13, "set_agent_config": 13, "acquir": 13, "get_payload": 13, "submit_pan": 13, "submit_kasan": 13, "submit_cr3": 13, "involv": 13, "But": [13, 17], "logic": [13, 25], "come": 13, "plai": [13, 17, 26, 32, 33], "next_payload": 13, "handl": [13, 33], "routin": 13, "checkout": 13, "agent_tutori": 13, "branch": [13, 20], "commit": 13, "oops_exit": 13, "kasan_report": [13, 15], "discuss": [13, 18], "appear": [13, 33], "improv": [13, 16, 17, 21, 25, 27, 30, 33], 
"alter": 13, "architectur": 13, "its": [13, 17, 18, 19, 22], "do_oops_enter_exit": 13, "print_oops_end_mark": 13, "kmsg_dump": 13, "kmsg_dump_oop": 13, "remain": [13, 25], "within": [13, 17, 19], "test_dvkm": [13, 18, 19], "pars": 13, "detectrang": 13, "mapfil": 13, "pattern": 13, "24576": 13, "0xffffffffc0201000": 13, "ret": [13, 17], "sscanf": 13, "lu": 13, "lx": [13, 17], "module_nam": 13, "module_s": 13, "instances_load": 13, "load_stat": 13, "kernel_offset": 13, "construct": 13, "ioctl": [13, 17, 18, 25], "io_buff": 13, "0xc": [13, 18], "ioctl_cod": 13, "0xd": 13, "ioctl_num": 13, "width": [13, 17, 18], "height": [13, 17, 18], "datas": [13, 15, 17, 18], "write_s": 13, "sizeof": [13, 18], "dvkm_obj": [13, 17, 18], "memcpi": [13, 18], "rest": 13, "fd": 13, "modulo": 13, "calcul": [13, 17, 18], "fill": 13, "ve": [13, 14, 31], "prevent": [13, 25], "congest": 13, "use_after_free_ioctl_handl": [13, 15], "io": [13, 18], "kernel_data_buff": [13, 18], "congratul": [13, 33], "comprehens": [13, 15, 18], "proce": [13, 14], "commenc": [13, 14], "review": [14, 22], "qemu_kernel": [14, 19], "qemu_initrd": [14, 19], "qemu_append": [14, 17, 19], "expos": [14, 18, 19], "examples_root": [14, 15, 17, 20], "linux_kafl_ag": [14, 17], "arch": [14, 17, 19, 20], "kafl_initrd": [14, 17], "cpio": [14, 17, 19], "gz": [14, 17, 19], "vda1": [14, 17, 20], "rw": [14, 15, 17, 20, 23], "earlyprintk": [14, 17], "ignore_loglevel": [14, 17], "increas": [14, 22], "dedic": [14, 22], "ressourc": [14, 22, 33], "resourc": 14, "2m00": 14, "149": 14, "1m27": 14, "observ": [14, 17], "ctrl": [14, 17], "room": 15, "dynam": [15, 20], "detector": 15, "solut": [15, 19], "free": [15, 18], "bound": 15, "access": [15, 17, 21], "again": [15, 33], "rule": [15, 17], "linux_agent_bzimag": [15, 17], "linux_agent_dir": [15, 17], "x86_64_defconfig": [15, 17], "module_sig": [15, 17], "debug_info_dwarf5": [15, 17], "gdb_script": [15, 17], "ifdef": 15, "dvkm_kasan": 15, "kasan_inlin": 15, "endif": 15, "recompil": [15, 
19], "corrupt": [15, 33], "mm": [15, 17], "asm": [15, 17], "slab": 15, "588": 15, "590": 15, "bool": 15, "is_writ": 15, "print_report": 15, "end_report": 15, "irq_flag": 15, "user_access_restor": 15, "ua_flag": 15, "0m33": 15, "249": 15, "7k": 15, "9824": 15, "7529": 15, "0m27": 15, "0m23": 15, "150": 15, "0m08": 15, "0m15": 15, "oct": [15, 17], "06": [15, 17], "payload_00026": 15, "payload_00036": 15, "payload_00038": 15, "payload_00039": 15, "payload_00040": 15, "payload_00044": 15, "payload_00048": 15, "payload_00059": 15, "associ": [15, 18, 23], "kasan_": 15, "3376": 15, "kasan_020e1d": 15, "3565": 15, "kasan_1bfee1": 15, "2773": 15, "kasan_2253d6": 15, "3101": 15, "kasan_79191f": 15, "3517": 15, "kasan_9251db": 15, "3365": 15, "kasan_a034f": 15, "3514": 15, "kasan_b91a90": 15, "3388": 15, "kasan_f0e92d": 15, "6dvkm": [15, 17], "3bug": 15, "0x2a0": 15, "0x320": 15, "3read": 15, "ffff888008511390": 15, "fuzz_dvkm": [15, 17, 19], "3cpu": 15, "pid": [15, 17], "comm": [15, 17], "taint": [15, 17], "00004": [15, 17], "g6521682f674d": [15, 17], "3hardwar": 15, "standard": [15, 17], "pc": [15, 17], "i440fx": [15, 17], "piix": [15, 17], "1996": [15, 17], "rel": [15, 17], "gc9ba5276e321": [15, 17], "org": [15, 17], "2014": [15, 17], "3call": 15, "dump_stack_lvl": 15, "0x37": [15, 17], "0x50": [15, 17], "0xcc": 15, "0x620": 15, "0xb0": 15, "0xf0": 15, "__x64_sys_ioctl": [15, 17], "0x12d": 15, "0x1a0": 15, "__pfx_string": 15, "0x10": 15, "__pte_offset_map_lock": 15, "0xdf": 15, "0x1e0": 15, "vsnprintf": [15, 17], "0x809": 15, "0x1600": 15, "__pfx_vsnprintf": 15, "ioctl_has_perm": 15, "constprop": 15, "isra": 15, "0x274": 15, "0x440": 15, "_printk": [15, 17], "0xce": 15, "0x120": 15, "__pfx__printk": 15, "kasan_set_track": 15, "0x25": 15, "0x30": [15, 17], "__kasan_kmalloc": 15, "0x7f": [15, 17], "0x90": [15, 17], "0x71": 15, "dvkm_ioctl": [15, 17], "0x1b2": [15, 17], "0x230": [15, 17], "proc_reg_unlocked_ioctl": [15, 17], "0x1a1": 15, "0x270": 15, "do_syscall_64": [15, 
17], "0x3c": [15, 17], "entry_syscall_64_after_hwfram": [15, 17], "0x6e": [15, 17], "0xd8": [15, 17], "3rip": 15, "0033": [15, 17], "0x7fec88b37b3f": 15, "3code": 15, "44": [15, 17], "b8": [15, 17], "05": [15, 17, 23], "3d": [15, 17, 33], "ff": [15, 17], "8b": [15, 17], "2b": [15, 17], "3rsp": 15, "002b": [15, 17], "00007ffe5d840a80": 15, "eflag": [15, 17], "00000246c": [15, 17], "orig_rax": [15, 17], "0000000000000010": [15, 17], "3rax": 15, "ffffffffffffffda": [15, 17], "0000000000000000": [15, 17], "00007fec88b37b3f": 15, "3rdx": 15, "000056144fe16000": 15, "rsi": [15, 17], "00000000c018440a": 15, "rdi": [15, 17], "0000000000000003": [15, 17], "3rbp": 15, "00007ffe5d840b10": 15, "r08": [15, 17], "r09": [15, 17], "00007ffe5d83f7f0": 15, "3r10": 15, "r11": [15, 17], "0000000000000246": [15, 17], "r12": [15, 17], "00007ffe5d840c28": 15, "3r13": 15, "000056144fe119e0": 15, "r14": [15, 17], "000056144fe13d48": 15, "r15": [15, 17], "00007fec88c81040": 15, "3alloc": 15, "kasan_save_stack": 15, "0x22": 15, "__kmalloc": [15, 17], "0x5a": 15, "0x140": [15, 17], "0x2f": 15, "3the": 15, "buggi": 15, "belong": 15, "object": [15, 16, 24, 30], "ffff888008511380": 15, "kmalloc": [15, 18], "right": [15, 33], "physic": 15, "4page": 15, "____ptrval____": 15, "refcount": 15, "mapcount": 15, "0x8511": 15, "4flag": 15, "0x100000000000200": 15, "zone": 15, "4page_typ": 15, "0xffffffff": [15, 18], "4raw": 15, "0100000000000200": 15, "ffff8880064413c0": 15, "dead000000000122": 15, "0000000080800080": 15, "00000001ffffffff": 15, "becaus": [15, 25, 33], "bad": 15, "3memori": 15, "ffff888008511280": 15, "fc": [15, 17], "ffff888008511300": 15, "03": [15, 20], "ffff888008511400": 15, "ffff888008511480": 15, "07": [15, 17], "4disabl": 15, "feel": 15, "investig": 15, "consult": 15, "solid": 15, "insight": [15, 17], "focu": [16, 17, 19], "integ": [16, 17], "overflow": [16, 17], "brief": 17, "navig": [17, 19], "payload_00030": 17, "pushd": [17, 23], "b49691bd4b34": 17, "payload_00031": 17, 
"payload_00033": 17, "payload_00060": 17, "examin": 17, "hexdump": [17, 23], "represent": [17, 23, 25], "00000000": [17, 23], "6f": [17, 23], "00000007": 17, "9f": 17, "a8": 17, "0a": 17, "0000000c": 17, "usual": [17, 23, 31], "repres": [17, 18], "therefor": [17, 23, 25], "vari": 17, "suggest": 17, "5143": 17, "crash_3f7f7a": 17, "1714": 17, "crash_881bd2": 17, "5139": 17, "crash_908bf": 17, "2609": 17, "crash_fcdaa4": 17, "timeo_05da3a": 17, "timeo_153a4": 17, "timeo_1cfa76": 17, "timeo_2059ab": 17, "5124": 17, "timeo_3f7f7a": 17, "timeo_5ad762": 17, "2650": 17, "timeo_5d47b8": 17, "124": 17, "timeo_72bc3d": 17, "2668": 17, "timeo_72cc5a": 17, "2690": 17, "timeo_7c2cf3": 17, "timeo_828a72": 17, "4294": 17, "timeo_908bf": 17, "timeo_9d4034": 17, "timeo_acefe": 17, "timeo_e87026": 17, "117": 17, "timeo_f94ae": 17, "4022": 17, "timeo_fcdaa4": 17, "underflow": [17, 18], "1444607": 17, "1626121354": 17, "1297563293": 17, "\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4": 17, "\u00ee": 17, "\u00e0": 17, "b\u00e16": 17, "776200999": 17, "4warn": 17, "page_alloc": 17, "4453": 17, "__alloc_pag": 17, "0x2f0": 17, "link": 17, "rip": 17, "0010": 17, "eb": 17, "a3": 17, "09": 17, "0b": 17, "65": 17, "rsp": 17, "0018": 17, "ffffc900001cbe08": 17, "00010246c": 17, "0000000000040cc0": 17, "rdx": 17, "rbp": 17, "0000000000000027": 17, "r10": 17, "0000000000000008": 17, "203a657a69732064": 17, "0000000000000012": 17, "r13": 17, "ffffffffc0000522": 17, "00007fe4272b4740": 17, "0000": 17, "ffff88800f600000": 17, "knlg": 17, "cr0": 17, "0000000080050033": 17, "cr2": 17, "00007fe4273f0000": 17, "0000000004cdc006": 17, "cr4": 17, "00000000001706f0": 17, "__warn": 17, "0x130": 17, "report_bug": 17, "0x199": 17, "0x1b0": 17, "handle_bug": 17, "0x70": 17, "exc_invalid_op": 17, "0x18": 17, "asm_exc_invalid_op": 17, "0x1a": 17, "0x20": 17, "integer_underflow_ioctl_handl": 17, "0x112": 17, "0x170": 17, "0x3aa": 17, "0x560": 17, 
"__kmalloc_large_nod": 17, "0x79": 17, "0x150": 17, "0xbb": 17, "0x52": 17, "0xa0": 17, "0x89": 17, "0xc0": 17, "0x7fe4273d1b3f": 17, "00007ffd5dee4e10": 17, "00007fe4273d1b3f": 17, "000055c56318b000": 17, "00000000c0184401": 17, "00007ffd5dee4ea0": 17, "00007ffd5dee3b80": 17, "00007ffd5dee4fb8": 17, "000055c5631869e0": 17, "000055c563188d48": 17, "00007fe42751b040": 17, "1bug": 17, "derefer": [17, 25], "pf": 17, "supervisor": 17, "error_cod": 17, "0x0002": 17, "6pgd": 17, "cp4d": 17, "0002": 17, "preempt": 17, "smp": 17, "memcpy_orig": 17, "0x31": 17, "82": 17, "4e": 17, "56": 17, "57": 17, "5f": 17, "7f": 17, "d4": 17, "ffffc900001cbec0": 17, "00010202c": 17, "0000000051bc1cd9": 17, "0000000000000011": 17, "0000000000160abf": 17, "ffff888004e00020": 17, "ffff888004e00000": 17, "0fe40fe40fe40fe4": 17, "10e40fe40fe40fe4": 17, "000000002e43e327": 17, "ffff888004cf2500": 17, "__die": 17, "page_fault_oop": 17, "0x156": 17, "0x420": 17, "search_exception_t": 17, "fixup_except": 17, "0x21": 17, "0x310": 17, "exc_page_fault": 17, "0x69": 17, "asm_exc_page_fault": 17, "0x26": 17, "0x124": 17, "sometim": 17, "hasn": 17, "translat": 17, "proper": 17, "facil": [17, 23], "kern_level": 17, "kern_emerg": 17, "kern_soh": 17, "unus": 17, "kern_alert": 17, "taken": 17, "immedi": 17, "kern_crit": 17, "critic": [17, 21], "kern_err": 17, "kern_warn": 17, "kern_notic": 17, "signific": 17, "kern_info": 17, "kern_debug": 17, "replai": 17, "flow": [17, 18], "lead": [17, 20, 25, 31], "ll": [17, 19], "throught": 17, "exact": 17, "odd": 17, "anymor": [17, 20], "given": [17, 18, 20], "1337": 17, "nyx_socket": [17, 20, 22], "interface_1337": 17, "serial_1337": 17, "fast_vm_reload": [17, 20, 22], "cpuid": [17, 22], "07h": [17, 22], "ebx": [17, 22], "hle": [17, 22], "rtm": [17, 22], "wait": [17, 20, 33], "1626121446": 17, "1371282556": 17, "0000000000000028": 17, "0000000000000009": 17, "0000000000000013": 17, "ffffffffc00003aa": 17, "integer_overflow_ioctl_handl": [17, 18], "0x10a": 17, 
"0x160": 17, "0x16a": 17, "00000000c0184400": 17, "0000000051bc1c7c": 17, "abababababababab": 17, "000000009f135b1a": 17, "0x11c": 17, "908bfe7fc5777d10": 17, "shut": 17, "1303499": 17, "got": [17, 20, 22], "confirm": [17, 33], "receiv": [17, 25, 33], "could": [17, 33], "benefici": 17, "futur": 17, "particularli": 17, "valuabl": 17, "similar": [17, 30, 31], "gdbserver": 17, "interact": [17, 19, 25, 31], "real": 17, "clear": [17, 32], "led": 17, "paus": 17, "client": 17, "connect": [17, 33], "thu": 17, "thorough": 17, "preconfigur": 17, "dwarf5": 17, "vmlinux": 17, "damn_vulnerable_kernel_modul": [17, 19], "read": [17, 20], "0x000055561177f34d": 17, "scan": [17, 20], "0xffffffffc0000000": 17, "ko": [17, 19], "try": [17, 33], "put": 17, "oops_ent": 17, "hbreak": 17, "0xffffffffc0000c30": 17, "410": 17, "0xffffffff8114c660": 17, "623": 17, "405": 17, "406": 17, "407": 17, "408": 17, "409": 17, "noinlin": 17, "unsign": 17, "cmd": 17, "411": 17, "einval": 17, "412": 17, "__user": 17, "arg_us": 17, "413": 17, "414": 17, "disa": 17, "assembl": 17, "endbr64": 17, "0xffffffffc0000c34": 17, "0xffffffffc0000c37": 17, "je": 17, "0xffffffffc0000d65": 17, "309": 17, "0xffffffffc0000c3d": 17, "0xffffffffc0000c3e": 17, "0xffffffffc0000c41": 17, "cmp": 17, "0xc0184406": 17, "esi": 17, "0xffffffffc0000c47": 17, "0xffffffffc0000dff": 17, "463": 17, "0xffffffffc0000c4d": 17, "29": [17, 18], "ja": 17, "0xffffffffc0000c91": 17, "0xffffffffc0000c4f": 17, "0xc0184402": 17, "0xffffffffc0000c55": 17, "0xffffffffc0000e18": 17, "488": 17, "0xffffffffc0000c5b": 17, "43": [17, 18], "jbe": 17, "0xffffffffc0000d1e": 17, "238": 17, "0xffffffffc0000c61": 17, "0xc0184403": 17, "0xffffffffc0000c67": 17, "55": 17, "0xffffffffc0000d9f": 17, "367": 17, "0xffffffffc0000c6d": 17, "0xc0184405": 17, "0xffffffffc0000c73": 17, "jne": 17, "0xffffffffc0000c89": 17, "0xffffffffc0000c75": 17, "69": [17, 23], "0xffffffffc00104a0": 17, "0xffffffffc0000c7c": 17, "0xffffffff8127e7a0": 17, "0xffffffffc0000c81": 17, 
"0xffffffffc0000c84": 17, "0xffffffffc0000a20": 17, "stack_oobr_ioctl_handl": 17, "xor": 17, "eax": 17, "0xffffffffc0000c8b": 17, "pop": 17, "0xffffffffc0000c8c": 17, "bt": 17, "0xffffffff810812dc": 17, "oops_begin": 17, "dumpstack": 17, "338": 17, "0xffffffff81081cfe": 17, "die_addr": 17, "str": 17, "0xffff888007f27b2c": 17, "fault": 17, "canon": 17, "0xe0000be0d732a202": 17, "reg": 17, "0xffff888007f27bb8": 17, "err": 17, "gp_addr": 17, "2305829948902694398": 17, "454": 17, "0xffffffff83c43378": 17, "__exc_general_protect": 17, "trap": 17, "784": 17, "exc_general_protect": 17, "729": 17, "0xffffffff83e01206": 17, "asm_exc_general_protect": 17, "idtentri": 17, "564": 17, "0xffff888007f27e80": 17, "0xffffffff86060000": 17, "hprintf_buff": 17, "0x1ffff11000fe4f90": 17, "0xffffffff8605f044": 17, "0xffffffff8605f012": 17, "0x00007f06b9951016": 17, "0x1ffffffff092a03d": 17, "0xffffffffc0010175": 17, "0x203a61746164205d": 17, "0xdffffc0000000000": 17, "0x00000fe0d732a202": 17, "0x00320a00ffffff04": 17, "0x0000000000000005": 17, "fixed_percpu_data": 17, "19": [17, 20, 22], "0x0000000000000000": 17, "embed": 17, "seem": 17, "unreali": 17, "had": 17, "additionali": 17, "reliabl": 17, "aslr": 17, "hopefulli": 17, "captur": 17, "capac": 17, "stai": 17, "tune": 17, "aim": 18, "hardik": 18, "shah": 18, "train": 18, "deliber": 18, "secur": [18, 25], "heap": 18, "origin": 18, "syzkal": 18, "show": [18, 20], "module_init": 18, "dvkm_init": 18, "turn": 18, "outlin": [18, 19], "below": 18, "geneat": 18, "num": 18, "_iowr": 18, "dvkm_ioctl_mag": 18, "dvkm_ioctl_integer_overflow": 18, "dvkm_ioctl_integer_underflow": 18, "0x1": 18, "dvkm_ioctl_stack_buffer_overflow": 18, "0x2": 18, "dvkm_ioctl_heap_buffer_overflow": 18, "0x3": 18, "dvkm_ioctl_divide_by_zero": 18, "0x4": 18, "dvkm_ioctl_stack_oobr": 18, "0x5": 18, "dvkm_ioctl_stack_oobw": 18, "0x6": 18, "dvkm_ioctl_heap_oobr": 18, "0x7": 18, "dvkm_ioctl_heap_oobw": 18, "dvkm_ioctl_memory_leak": 18, "0x9": 18, 
"dvkm_ioctl_use_after_fre": 18, "0xa": 18, "dvkm_ioctl_use_double_fre": 18, "0xb": 18, "dvkm_ioctl_null_pointer_derefr": 18, "k_dvkm_obj": 18, "supplementari": 18, "diagram": [18, 25], "flaw": [18, 25], "dissect": 18, "kernel_buff": 18, "copy_from_us": 18, "fail": [18, 20, 26, 32, 33], "gfp_kernel": 18, "kfree": 18, "summari": 18, "incorrect": 18, "nuanc": 18, "exploit": 18, "obj": 18, "2399610": 18, "305747497": 18, "focus": 19, "streamlin": 19, "rapid": 19, "qemu_imag": [19, 22], "tradit": 19, "necessit": 19, "bootabl": 19, "feasibl": 19, "practic": 19, "challeng": 19, "fresh": 19, "qcow2": [19, 33], "repeat": 19, "cumbersom": 19, "ssh": [19, 33], "plan": 19, "virtf": 19, "smb": 19, "nf": 19, "demonstr": 19, "winrm": [19, 33], "bootng": 19, "reli": [19, 23], "craft": 19, "busybox": 19, "filesystem": [19, 20], "expedi": 19, "req_stream_data_bulk": 19, "dump_fil": 19, "hcat": 19, "hget": 19, "hpush": 19, "elimin": 19, "loader": 19, "multifacet": 19, "ideal": 19, "gather": [19, 20, 26, 32], "organ": 19, "licens": [19, 33], "symver": 19, "successfulli": [19, 33], "benefit": 20, "cross": 20, "silli": 20, "world": 20, "tdx": 20, "pci": 20, "mmio": 20, "pio": 20, "virtio": [20, 33], "b": 20, "depth": 20, "gawk": 20, "bison": 20, "flex": 20, "openssl": 20, "libssl": 20, "libelf": 20, "lz4": 20, "dwarv": 20, "cp": 20, "vanilla": 20, "nproc": 20, "512": 20, "mkdir": [20, 26, 32], "un": 20, "mnt": 20, "seed_dir": 20, "pend": [20, 22], "netdev": 20, "mynet0": 20, "nowait": [20, 22], "interface_0": [20, 22], "serial_00": [20, 22], "invalid": [20, 22], "02": 20, "5637": 20, "56msec": 20, "2kb": [20, 22], "261": 20, "605": 20, "743": 20, "55msec": 20, "2298": 20, "2785": 20, "20msec": 20, "576": 20, "62msec": 20, "644": 20, "2072": 20, "99msec": 20, "52msec": 20, "49msec": 20, "25msec": 20, "42": 20, "3502": 20, "80msec": 20, "k": [20, 31], "8667": 20, "15msec": 20, "calibr": 20, "1516": 20, "796": 20, "27msec": 20, "19msec": 20, "61msec": 20, "636": 20, "1132": 20, "54msec": 
20, "trim": 20, "272": 20, "50msec": 20, "26msec": 20, "81msec": 20, "247": 20, "41msec": 20, "670": 20, "44msec": 20, "1kb": 20, "trim_cent": 20, "graphic": [20, 33], "pt_trace_dump_nn": 20, "best": [20, 23], "big": 20, "complain": 20, "miss": 20, "retain": 20, "finish": [20, 25], "never": 20, "happen": 20, "op": 20, "did": 20, "libxdc_decode_error": 20, "altern": 20, "unsupport": 20, "libcapston": 20, "minor": 20, "ftrace": 20, "label": 20, "xyz": 20, "emul": 20, "leak": 20, "explan": 21, "cover": [21, 31], "foundat": 21, "beginnn": 21, "excel": 21, "candid": 21, "aid": 21, "identif": 21, "faulti": [21, 23], "port": [21, 32, 33], "kalf": 22, "windows_x86_64": [22, 25, 26, 27, 31, 32, 33], "xeon": 22, "core": [22, 25], "250gb": 22, "almost": [22, 33], "90k": 22, "sec": 22, "2698": 22, "2838": 22, "2817": 22, "2762": 22, "2763": 22, "2861": 22, "2816": 22, "2806": 22, "2844": 22, "2799": 22, "2779": 22, "2802": 22, "2789": 22, "2833": 22, "2803": 22, "2818": 22, "2794": 22, "2739": 22, "2712": 22, "2881": 22, "2863": 22, "vuln_test": [22, 25, 26, 32], "afterward": 22, "know": 22, "successfuli": 22, "soon": 22, "libvirt": [22, 24, 30], "windows_x86_64_vagr": [22, 33], "img": [22, 33], "monitor": 22, "unix": 22, "tmp": 22, "sock": 22, "dirti": 22, "ring": 22, "1048576": 22, "0x7f3065101000": 22, "0x10000": 22, "0x20000": 22, "85msec": 22, "18m51": 22, "19m38": 22, "18m54": 22, "sep": 23, "54": 23, "payload_00015": 23, "payload_00018": 23, "00015": 23, "00018": 23, "highlight": [23, 30], "6e": 23, "c5": 23, "ab": 23, "pwntownto": 23, "00000010": 23, "b9": 23, "0000001a": 23, "w00twi": 23, "8x": 23, "0000000e": 23, "clearli": 23, "earlier": 23, "pwntown": [23, 25], "w00t": [23, 25], "occur": 23, "contextu": 23, "minidump": 23, "systemroot": 23, "windbg": 23, "reveal": 23, "anoth": 23, "statement": 23, "nail": 23, "msvc": [23, 25, 33], "coupl": 23, "dbgprint": [23, 25], "educ": [25, 31], "nor": 25, "src": [25, 26, 31, 32], "crashm": 25, "ntstatu": 25, "IN": 25, 
"pio_stack_loc": 25, "irpstack": 25, "pchar": 25, "userbuff": 25, "deviceiocontrol": 25, "type3inputbuff": 25, "inputbufferlength": 25, "0xe": 25, "status_success": 25, "vuln": [25, 26, 32], "drv": 25, "pw": 25, "pwn": 25, "pwnt": 25, "pwnto": 25, "pwntow": 25, "w0": 25, "w00": 25, "psize_t": 25, "recogn": [25, 31], "showcas": 25, "quickli": 25, "comparison": 25, "deeper": 25, "untouch": 25, "along": 25, "microsoft": [25, 33], "init_agent_handshak": 25, "kafl_vuln_handl": 25, "ioctl_kafl_input": 25, "lpvoid": 25, "dword": 25, "back": 25, "awar": 25, "hook": 25, "enumdevicedriv": 25, "retriev": [25, 33], "getdevicedriverfilenam": 25, "ntoskrnl": 25, "loadlibrari": 25, "getprocaddress": 25, "sent": 25, "kaflvulnerabledriv": [25, 26], "ntquerysysteminform": 25, "systemobjectinform": 25, "why": 25, "lot": 25, "lucki": 25, "situat": 25, "ditch": 25, "symlink": [26, 32], "sartup": [26, 32], "provision_driv": 26, "w64": [26, 32], "mingw32": [26, 32], "selffuzz_test": [26, 31, 32], "wall": [26, 32], "mwindow": [26, 32], "lntdll": [26, 32], "lpsapi": [26, 32], "ready_provis": [26, 32, 33], "target_har": [26, 32], "provision": [26, 32, 33], "host_shel": [26, 32], "ok": [26, 32], "192": [26, 32, 33], "168": [26, 32, 33], "122": [26, 32, 33], "login": [26, 32], "msbuild": [26, 32], "vuln_driv": [26, 32], "recap": [26, 32], "unreach": [26, 32], "rescu": [26, 32], "ignor": [26, 32], "halt": [26, 32], "grace": [26, 32], "shutdown": [26, 32], "leav": [26, 32, 33], "4g": [27, 33], "selffuzz": [29, 32], "fuzzm": [29, 31], "procedur": 30, "user_fast_acquir": 30, "deliberatli": 31, "kept": 31, "experi": 31, "0x11": 31, "provision_userspac": 32, "fortun": 33, "enterpris": 33, "x64": 33, "22h2": 33, "sdk": 33, "wdk": 33, "visual": 33, "studio": 33, "testsign": 33, "recip": 33, "mention": 33, "abov": 33, "third": 33, "parti": 33, "edit": 33, "conjonct": 33, "reus": 33, "those": 33, "win10": 33, "pkrvar": 33, "hcl": 33, "8192": 33, "pkr": 33, "wish": 33, "opt": 33, "yourself": 33, 
"legal": 33, "color": 33, "iso": 33, "fwlink": 33, "linkid": 33, "2208844": 33, "clcid": 33, "0x409": 33, "cultur": 33, "en": 33, "countri": 33, "sha256": 33, "3aef7312733a9f5d7d51cfa04ac497671995674ca5e1058d5164d6028f0938d668": 33, "d731b3f758e61d53033aa8a67d3d8a3050aa1122": 33, "floppi": 33, "flatli": 33, "floppy_fil": 33, "answer_fil": 33, "autounattend": 33, "xml": 33, "fixnetwork": 33, "ps1": 33, "setup_winrm_publ": 33, "bat": 33, "floppy_dir": 33, "floppy_cont": 33, "3573": 33, "5900": 33, "6000": 33, "rom": 33, "headless": 33, "screen": 33, "vnc": 33, "5973": 33, "qemuarg": 33, "netbridg": 33, "stepwaitguestaddress": 33, "127": 33, "artifact": 33, "1h": 33, "packer_log": 33, "packer_windows_libvirt": 33, "box": 33, "kafl_window": 33, "destroi": 33, "aa61f0e482954cec9b853f9b8837a088": 33, "storag": 33, "pool": 33, "virsh": 33, "virt": 33, "unpack": 33, "awai": 33, "bring": 33, "timestamp": 33, "www": 33, "vagrantup": 33, "domain": 33, "vagrantfil": 33, "acpi": 33, "apic": 33, "pae": 33, "clock": 33, "utc": 33, "4096m": 33, "vda": 33, "64g": 33, "spice": 33, "websocket": 33, "video": 33, "cirru": 33, "vram": 33, "16384": 33, "accel": 33, "keymap": 33, "tpm": 33, "passthrough": 33, "mous": 33, "bu": 33, "ps2": 33, "spicevmc": 33, "target_typ": 33, "target_nam": 33, "redhat": 33, "5985": 33, "usernam": 33, "execution_time_limit": 33, "pt2h": 33, "transport": 33, "negoti": 33, "55985": 33, "eth0": 33, "5986": 33, "55986": 33}, "objects": {}, "objtypes": {}, "objnames": {}, "titleterms": {"research": 0, "paper": 0, "build": [1, 13, 20, 33], "document": [1, 3], "github": 2, "action": [2, 5, 17], "ci": 2, "cd": 2, "1": [2, 5, 11, 18, 20], "deploi": [2, 11], "kernel": [2, 13, 19, 20], "2": [2, 5, 11, 19, 20], "set": [2, 5, 11, 25], "up": 2, "docker": 2, "3": [2, 5, 11, 13, 20], "setup": [2, 19, 33], "runner": 2, "4": [2, 11, 14, 20], "us": 2, "kafl": [2, 3, 4, 6, 7, 8, 9, 11, 14, 17, 19, 22, 25, 31], "refer": [2, 3], "": 3, "featur": 3, "compon": 3, "content": [3, 
8], "tutori": [3, 16], "how": 3, "guid": 3, "context": 3, "develop": 3, "deploy": 4, "system": 4, "modif": 4, "makefil": 4, "target": [4, 9, 13, 18, 19, 20, 21, 25, 27, 31], "extra_arg": 4, "ansibl": 4, "tag": 4, "galaxi": 4, "compos": 4, "intellab": 4, "collect": 4, "reus": 4, "fuzzer": 5, "configur": [5, 8, 20], "sourc": [5, 11, 18, 25, 31], "preced": 5, "overrid": 5, "from": 5, "environ": [5, 11], "variabl": 5, "kei": 5, "abort_exec": 5, "abort_tim": 5, "afl_arith_max": 5, "afl_dumb_mod": 5, "afl_skip_zero": 5, "bitmap_s": 5, "cpu_offset": 5, "debug": [5, 17, 23], "dict": 5, "funki": 5, "gdbserver": 5, "grimoir": 5, "input": 5, "ip0": 5, "iter": 5, "kickstart": 5, "log": [5, 17, 23], "log_crash": 5, "log_hprintf": 5, "payload_s": 5, "process": 5, "ptdump_path": 5, "purg": 5, "qemu_append": 5, "qemu_bas": 5, "qemu_bio": 5, "qemu_extra": 5, "qemu_imag": 5, "qemu_initrd": 5, "qemu_kernel": 5, "qemu_memori": 5, "qemu_path": 5, "qemu_seri": 5, "qemu_snapshot": 5, "quiet": 5, "radamsa_path": 5, "radamsa": 5, "redqueen_simpl": 5, "redqueen_hamm": 5, "redqueen_hash": 5, "redqueen": 5, "reload": [5, 25], "resum": 5, "seed_dir": 5, "sharedir": [5, 19], "timeout_check": 5, "timeout_hard": 5, "timeout_soft": 5, "trace_cb": 5, "trace": 5, "verbos": 5, "work_dir": 5, "nyx": 6, "hypercal": 6, "api": 6, "essenti": 6, "acquir": 6, "releas": 6, "get_payload": 6, "next_payload": 6, "fuzz": [6, 14, 20, 21, 22, 24, 25, 27, 28, 30], "snapshot": 6, "restor": 6, "without": 6, "get_host_config": 6, "set_agent_config": 6, "panic": [6, 25], "kasan": [6, 15], "submit_pan": 6, "submit_kasan": 6, "further": 6, "option": [6, 8], "printf": 6, "range_submit": 6, "submit_cr3": 6, "user_abort": 6, "user_submit_mod": 6, "user_range_advis": 6, "req_stream_data": 6, "dump_fil": 6, "user_fast_acquir": [6, 29], "lock": 6, "req_stream_data_bulk": 6, "persist_page_past_snapshot": 6, "util": 6, "function": 6, "habort": 6, "hprintf": 6, "untest": 6, "fulli": 6, "integr": 6, "deprec": 6, "user": 7, 
"interfac": 7, "gui": [7, 14, 20, 22], "workdir": 8, "usag": 8, "convent": 8, "detail": 8, "concept": 9, "agent": [9, 13, 19, 25, 31], "pick": 9, "instal": 11, "requir": 11, "hardwar": 11, "softwar": 11, "clone": 11, "make": 11, "env": 11, "5": [11, 17, 20], "verifi": 11, "6": [11, 15, 20], "On": 11, "next": [11, 20], "step": [11, 20], "introduct": 12, "protocol": 13, "initi": [13, 25], "har": [13, 25], "dvkm": [13, 16, 19], "crash": [13, 17, 23], "campaign": [14, 15, 17, 22, 28], "run": [14, 15, 22], "follow": [14, 22], "progress": [14, 22], "improv": [15, 29], "compil": 15, "an": 15, "enhanc": 15, "view": 15, "report": 15, "section": 16, "explor": [17, 23], "result": 17, "corpu": [17, 23], "singl": 17, "gdb": 17, "analysi": [18, 23, 25, 31], "object": [18, 25, 31], "code": [18, 25, 31], "overview": 18, "integ": 18, "overflow": 18, "workflow": 19, "virtual": 19, "our": 19, "qemu": 19, "imag": 19, "direct": 19, "boot": 19, "initrd": 19, "sh": 19, "gen_initrd": 19, "vmcall": 19, "summari": 19, "linux": [20, 21], "download": 20, "patch": 20, "port": 20, "your": 20, "prefer": 20, "start": 20, "coverag": 20, "7": 20, "known": 20, "issu": 20, "locat": 23, "vulner": [23, 25, 31], "window": [23, 24, 27, 33], "dump": 23, "ad": 23, "driver": 24, "implement": [25, 31], "specif": 25, "handler": 25, "ip": 25, "rang": 25, "non": 25, "mode": 25, "provis": [26, 32], "guest": [26, 32], "vm": [26, 32, 33], "userspac": 30, "program": 30, "templat": 33, "tool": 33, "import": 33, "vagrant": 33, "libvirt": 33}, "envversion": {"sphinx.domains.c": 3, "sphinx.domains.changeset": 1, "sphinx.domains.citation": 1, "sphinx.domains.cpp": 9, "sphinx.domains.index": 1, "sphinx.domains.javascript": 3, "sphinx.domains.math": 2, "sphinx.domains.python": 4, "sphinx.domains.rst": 2, "sphinx.domains.std": 2, "sphinx": 60}, "alltitles": {"Research Papers": [[0, "research-papers"]], "Building the documentation": [[1, "building-the-documentation"]], "Github Actions CI/CD": [[2, "github-actions-ci-cd"]], 
"1 - Deploying the kernel": [[2, "deploying-the-kernel"]], "2 - Setting up Docker": [[2, "setting-up-docker"]], "3 - Setup the Github Actions Runner": [[2, "setup-the-github-actions-runner"]], "4 - Using kafl.actions": [[2, "using-kafl-actions"]], "References": [[2, "references"]], "\ud83d\udcd7 kAFL\u2019s Documentation": [[3, "kafl-s-documentation"]], "Features": [[3, "features"]], "Components": [[3, "components"]], "Contents": [[3, "contents"]], "Tutorials": [[3, null]], "How-to guides": [[3, null]], "Reference": [[3, null]], "Context": [[3, null]], "Development": [[3, null]], "Deployment": [[4, "deployment"]], "System modifications": [[4, "system-modifications"]], "Makefile targets": [[4, "makefile-targets"]], "EXTRA_ARGS": [[4, null]], "Ansible tags": [[4, "ansible-tags"]], "Ansible Galaxy and composability": [[4, "ansible-galaxy-and-composability"]], "intellabs.kafl Ansible collection": [[4, "intellabs-kafl-ansible-collection"]], "Reusing the collection": [[4, "reusing-the-collection"]], "Fuzzer Configuration": [[5, "fuzzer-configuration"]], "Configuration sources and precedence": [[5, "configuration-sources-and-precedence"]], "Overriding settings from environment variables": [[5, "overriding-settings-from-environment-variables"]], "Configuration keys": [[5, "configuration-keys"]], "abort_exec": [[5, "abort-exec"]], "abort_time": [[5, "abort-time"]], "action": [[5, "action"]], "afl_arith_max": [[5, "afl-arith-max"]], "afl_dumb_mode": [[5, "afl-dumb-mode"]], "afl_skip_zero": [[5, "afl-skip-zero"]], "bitmap_size": [[5, "bitmap-size"]], "cpu_offset": [[5, "cpu-offset"]], "debug": [[5, "debug"]], "dict": [[5, "dict"]], "funky": [[5, "funky"]], "gdbserver": [[5, "gdbserver"]], "grimoire": [[5, "grimoire"]], "input": [[5, "input"]], "ip0-1-2-3": [[5, "ip0-1-2-3"]], "iterations": [[5, "iterations"]], "kickstart": [[5, "kickstart"]], "log": [[5, "log"]], "log_crashes": [[5, "log-crashes"]], "log_hprintf": [[5, "log-hprintf"]], "payload_size": [[5, "payload-size"]], 
"processes": [[5, "processes"]], "ptdump_path": [[5, "ptdump-path"]], "purge": [[5, "purge"]], "qemu_append": [[5, "qemu-append"]], "qemu_base": [[5, "qemu-base"]], "qemu_bios": [[5, "qemu-bios"]], "qemu_extra": [[5, "qemu-extra"]], "qemu_image": [[5, "qemu-image"]], "qemu_initrd": [[5, "qemu-initrd"]], "qemu_kernel": [[5, "qemu-kernel"]], "qemu_memory": [[5, "qemu-memory"]], "qemu_path": [[5, "qemu-path"]], "qemu_serial": [[5, "qemu-serial"]], "qemu_snapshot": [[5, "qemu-snapshot"]], "quiet": [[5, "quiet"]], "radamsa_path": [[5, "radamsa-path"]], "radamsa": [[5, "radamsa"]], "redqueen_simple": [[5, "redqueen-simple"]], "redqueen_hammer": [[5, "redqueen-hammer"]], "redqueen_hashes": [[5, "redqueen-hashes"]], "redqueen": [[5, "redqueen"]], "reload": [[5, "reload"]], "resume": [[5, "resume"]], "seed_dir": [[5, "seed-dir"]], "sharedir": [[5, "sharedir"], [19, "sharedir"]], "timeout_check": [[5, "timeout-check"]], "timeout_hard": [[5, "timeout-hard"]], "timeout_soft": [[5, "timeout-soft"]], "trace_cb": [[5, "trace-cb"]], "trace": [[5, "trace"]], "verbose": [[5, "verbose"]], "work_dir": [[5, "work-dir"]], "kAFL/Nyx Hypercall API": [[6, "kafl-nyx-hypercall-api"]], "Essential hypercalls": [[6, "essential-hypercalls"]], "ACQUIRE / RELEASE": [[6, "acquire-release"]], "GET_PAYLOAD": [[6, "get-payload"]], "NEXT_PAYLOAD": [[6, "next-payload"]], "Fuzzing with snapshot restore": [[6, "fuzzing-with-snapshot-restore"]], "Fuzzing without snapshot restore": [[6, "fuzzing-without-snapshot-restore"]], "GET_HOST_CONFIG": [[6, "get-host-config"]], "SET_AGENT_CONFIG": [[6, "set-agent-config"]], "PANIC / KASAN": [[6, "panic-kasan"]], "SUBMIT_PANIC / SUBMIT_KASAN": [[6, "submit-panic-submit-kasan"]], "Further optional hypercalls": [[6, "further-optional-hypercalls"]], "PRINTF": [[6, "printf"]], "RANGE_SUBMIT": [[6, "range-submit"]], "SUBMIT_CR3": [[6, "submit-cr3"]], "USER_ABORT": [[6, "user-abort"]], "USER_SUBMIT_MODE": [[6, "user-submit-mode"]], "USER_RANGE_ADVISE": [[6, 
"user-range-advise"]], "REQ_STREAM_DATA": [[6, "req-stream-data"]], "DUMP_FILE": [[6, "dump-file"]], "USER_FAST_ACQUIRE": [[6, "user-fast-acquire"], [29, "user-fast-acquire"]], "LOCK": [[6, "lock"]], "REQ_STREAM_DATA_BULK": [[6, "req-stream-data-bulk"]], "PERSIST_PAGE_PAST_SNAPSHOT": [[6, "persist-page-past-snapshot"]], "Utility functions": [[6, "utility-functions"]], "habort": [[6, "habort"]], "hprintf": [[6, "hprintf"]], "Untested and not fully integrated": [[6, "untested-and-not-fully-integrated"]], "Deprecated": [[6, "deprecated"]], "kAFL User Interface": [[7, "kafl-user-interface"]], "kAFL GUI": [[7, "kafl-gui"]], "kAFL Workdir": [[8, "kafl-workdir"]], "Usage Conventions": [[8, "usage-conventions"]], "Configuration Options": [[8, "configuration-options"]], "Detailed Content": [[8, "detailed-content"]], "Concepts": [[9, "concepts"]], "kAFL Agent": [[9, "kafl-agent"]], "Pick a Target !": [[9, "pick-a-target"]], "Installation": [[11, "installation"]], "1. Requirements": [[11, "requirements"]], "1.1 Hardware": [[11, "hardware"]], "1.2 Software": [[11, "software"]], "2. Cloning the sources": [[11, "cloning-the-sources"]], "3. Deploying kAFL : make deploy": [[11, "deploying-kafl-make-deploy"]], "4. Setting kAFL environment : make env": [[11, "setting-kafl-environment-make-env"]], "5. Verify the installation": [[11, "verify-the-installation"]], "6. 
On to the next steps !": [[11, "on-to-the-next-steps"]], "Introduction": [[12, "introduction"]], "3 - Building the agent": [[13, "building-the-agent"]], "Agent protocol": [[13, "agent-protocol"]], "Initialization": [[13, "initialization"], [13, "id1"]], "Harness": [[13, "harness"], [13, "id2"]], "DVKM target": [[13, "dvkm-target"]], "Kernel crash": [[13, "kernel-crash"]], "4 - Fuzzing campaign": [[14, "fuzzing-campaign"]], "Running kafl fuzz": [[14, "running-kafl-fuzz"], [22, "running-kafl-fuzz"]], "Follow the progress with kafl gui": [[14, "follow-the-progress-with-kafl-gui"], [22, "follow-the-progress-with-kafl-gui"]], "6 - Improvements: KASAN": [[15, "improvements-kasan"]], "Compiling with KASAN": [[15, "compiling-with-kasan"]], "Running an enhanced campaign": [[15, "running-an-enhanced-campaign"]], "Viewing a KASAN report": [[15, "viewing-a-kasan-report"]], "DVKM": [[16, "dvkm"]], "DVKM tutorial sections": [[16, null]], "5 - Exploring campaign results": [[17, "exploring-campaign-results"]], "Exploring the corpus": [[17, "exploring-the-corpus"], [23, "exploring-the-corpus"]], "Crash logs": [[17, "crash-logs"]], "kafl debug": [[17, "kafl-debug"]], "Action single": [[17, "action-single"]], "Action gdb": [[17, "action-gdb"]], "1 - Target analysis": [[18, "target-analysis"]], "Objectives": [[18, "objectives"], [25, "objectives"], [31, "objectives"]], "Source code overview": [[18, "source-code-overview"]], "Integer Overflow": [[18, "integer-overflow"]], "2 - kAFL workflow": [[19, "kafl-workflow"]], "Virtualizing our target": [[19, "virtualizing-our-target"]], "QEMU Image": [[19, "qemu-image"]], "Direct Kernel Boot and initrd": [[19, "direct-kernel-boot-and-initrd"]], "Initrd and agent.sh workflow": [[19, "initrd-and-agent-sh-workflow"]], "gen_initrd.sh": [[19, "gen-initrd-sh"]], "vmcall": [[19, "vmcall"]], "agent.sh": [[19, "agent-sh"]], "Summary": [[19, "summary"]], "DVKM workflow setup": [[19, "dvkm-workflow-setup"]], "Linux Kernel target": [[20, 
"linux-kernel-target"]], "1. Download patched Linux kernel (or port to your preferred kernel)": [[20, "download-patched-linux-kernel-or-port-to-your-preferred-kernel"]], "2. Configure and build target kernel": [[20, "configure-and-build-target-kernel"]], "3. Start fuzzing!": [[20, "start-fuzzing"]], "4. GUI": [[20, "gui"]], "5. Coverage": [[20, "coverage"]], "6. Next Steps": [[20, "next-steps"]], "7) Known Issues": [[20, "known-issues"]], "Linux Target": [[21, "linux-target"]], "Fuzzing on Linux": [[21, null]], "Fuzzing Campaign": [[22, "fuzzing-campaign"], [28, "fuzzing-campaign"]], "Crash Analysis": [[23, "crash-analysis"]], "Locating the vulnerability": [[23, "locating-the-vulnerability"]], "Windows crash dumps": [[23, "windows-crash-dumps"]], "Adding debug logs": [[23, "adding-debug-logs"]], "Driver": [[24, "driver"]], "Fuzzing a Windows driver": [[24, null]], "Target analysis": [[25, "target-analysis"], [31, "target-analysis"]], "Source code": [[25, "source-code"], [31, "source-code"]], "Vulnerability": [[25, "vulnerability"], [31, "vulnerability"]], "kAFL agent implementation": [[25, "kafl-agent-implementation"]], "Agent initialization": [[25, "agent-initialization"]], "Fuzzing harness": [[25, "fuzzing-harness"]], "Target specific": [[25, "target-specific"]], "Panic handlers": [[25, "panic-handlers"]], "Set IP ranges": [[25, "set-ip-ranges"]], "Non reload mode": [[25, "non-reload-mode"]], "Provision the guest VM": [[26, "provision-the-guest-vm"], [32, "provision-the-guest-vm"]], "Windows Target": [[27, "windows-target"]], "Fuzzing on Windows": [[27, null]], "Improvments": [[29, "improvments"]], "Userspace": [[30, "userspace"]], "Fuzzing a userspace program": [[30, null]], "kAFL Agent Implementation": [[31, "kafl-agent-implementation"]], "Windows VM Template": [[33, "windows-vm-template"]], "Setup the tooling": [[33, "setup-the-tooling"]], "Build the Windows VM Template": [[33, "build-the-windows-vm-template"]], "Import the template into Vagrant": [[33, 
"import-the-template-into-vagrant"]], "Import into libvirt": [[33, "import-into-libvirt"]]}, "indexentries": {}}) \ No newline at end of file +Search.setIndex({"docnames": ["context/research_papers", "dev/documentation", "how_to/github_actions", "index", "reference/deployment", "reference/fuzzer_configuration", "reference/hypercall_api", "reference/user_interface", "reference/workdir_layout", "tutorials/concepts", "tutorials/gui", "tutorials/installation", "tutorials/introduction", "tutorials/linux/dvkm/agent", "tutorials/linux/dvkm/fuzzing", "tutorials/linux/dvkm/improvements", "tutorials/linux/dvkm/index", "tutorials/linux/dvkm/results", "tutorials/linux/dvkm/target", "tutorials/linux/dvkm/workflow", "tutorials/linux/fuzzing_linux_kernel", "tutorials/linux/index", "tutorials/windows/driver/campaign", "tutorials/windows/driver/crash", "tutorials/windows/driver/index", "tutorials/windows/driver/target", "tutorials/windows/driver/target_setup", "tutorials/windows/index", "tutorials/windows/userspace/campaign", "tutorials/windows/userspace/improvements", "tutorials/windows/userspace/index", "tutorials/windows/userspace/target", "tutorials/windows/userspace/target_setup", "tutorials/windows/windows_template"], "filenames": ["context/research_papers.md", "dev/documentation.md", "how_to/github_actions.md", "index.md", "reference/deployment.md", "reference/fuzzer_configuration.md", "reference/hypercall_api.md", "reference/user_interface.md", "reference/workdir_layout.md", "tutorials/concepts.md", "tutorials/gui.md", "tutorials/installation.md", "tutorials/introduction.md", "tutorials/linux/dvkm/agent.md", "tutorials/linux/dvkm/fuzzing.md", "tutorials/linux/dvkm/improvements.md", "tutorials/linux/dvkm/index.md", "tutorials/linux/dvkm/results.md", "tutorials/linux/dvkm/target.md", "tutorials/linux/dvkm/workflow.md", "tutorials/linux/fuzzing_linux_kernel.md", "tutorials/linux/index.md", "tutorials/windows/driver/campaign.md", "tutorials/windows/driver/crash.md", 
"tutorials/windows/driver/index.md", "tutorials/windows/driver/target.md", "tutorials/windows/driver/target_setup.md", "tutorials/windows/index.md", "tutorials/windows/userspace/campaign.md", "tutorials/windows/userspace/improvements.md", "tutorials/windows/userspace/index.md", "tutorials/windows/userspace/target.md", "tutorials/windows/userspace/target_setup.md", "tutorials/windows/windows_template.md"], "titles": ["Research Papers", "Building the documentation", "Github Actions CI/CD", "\ud83d\udcd7 kAFL\u2019s Documentation", "Deployment", "Fuzzer Configuration", "kAFL/Nyx Hypercall API", "kAFL User Interface", "kAFL Workdir", "Concepts", "<no title>", "Installation", "Introduction", "3 - Building the agent", "4 - Fuzzing campaign", "6 - Improvements: KASAN", "DVKM", "5 - Exploring campaign results", "1 - Target analysis", "2 - kAFL workflow", "Linux Kernel target", "Linux Target", "Fuzzing Campaign", "Crash Analysis", "Driver", "Target analysis", "Provision the guest VM", "Windows Target", "Fuzzing Campaign", "Improvments", "Userspace", "Target analysis", "Provision the guest VM", "Windows VM Template"], "terms": {"kafl": [0, 5, 10, 12, 13, 15, 16, 18, 20, 21, 23, 24, 26, 27, 29, 30, 32, 33], "project": [0, 1, 3, 4], "develop": [0, 4, 8, 18, 19, 33], "ruhr": 0, "univers": 0, "bochum": 0, "sergej": 0, "schumilo": 0, "corneliu": 0, "aschermann": 0, "fund": 0, "intellab": [0, 2, 3, 11, 20], "relat": [0, 4, 8, 15], "hardwar": [0, 4, 6, 17, 25], "assist": [0, 17], "feedback": [0, 3, 5, 6, 7, 8, 9, 13, 17, 19, 25], "fuzz": [0, 2, 3, 5, 7, 8, 9, 11, 12, 13, 15, 16, 17, 18, 19, 29, 31, 33], "o": [0, 3, 7, 8, 13, 15, 17, 19, 20, 25, 26, 32], "kernel": [0, 3, 4, 5, 11, 12, 15, 16, 17, 18, 21, 25], "2017": 0, "slide": 0, "talk": 0, "redqueen": [0, 3, 7, 8, 20, 25], "input": [0, 3, 6, 7, 8, 17, 19, 20, 31, 33], "state": [0, 6, 8, 15, 17, 20, 25], "correspond": [0, 5, 6, 8, 13, 20, 23], "2019": 0, "nautilu": 0, "fish": 0, "deep": [0, 17], "bug": [0, 6, 12, 15, 22], 
"grammar": 0, "grimoir": [0, 3, 7, 20], "synthes": 0, "structur": [0, 3, 19], "while": [0, 5, 6, 17, 19], "ijon": [0, 3, 8], "explor": [0, 16, 21, 24], "space": [0, 17], "via": [0, 4, 5, 7, 11, 25, 33], "2020": 0, "hyper": 0, "cube": 0, "high": [0, 6], "dimension": 0, "hypervisor": [0, 5, 6, 11, 17, 20, 22], "nyx": [0, 2, 3, 5, 8, 11, 17, 20, 22], "greybox": [0, 3], "us": [0, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 23, 25, 33], "fast": [0, 3, 6, 15, 20], "snapshot": [0, 3, 5, 8, 11, 13, 17, 19, 20, 22, 25, 26, 32, 33], "affin": 0, "type": [0, 4, 5, 6, 7, 17, 18, 23, 33], "2021": 0, "net": [0, 5, 11, 17, 20, 22], "network": 0, "increment": [0, 5, 6], "The": [1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 13, 14, 17, 18, 19, 20, 21, 22, 23, 25, 31, 33], "": [1, 2, 4, 5, 6, 7, 9, 11, 12, 13, 14, 15, 17, 18, 19, 20, 22, 23, 25, 29, 31, 33], "i": [1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 13, 14, 15, 17, 18, 19, 20, 21, 22, 23, 25, 26, 30, 31, 32, 33], "host": [1, 2, 4, 6, 8, 11, 13, 14, 17, 19, 20, 22, 25, 33], "onlin": 1, "To": [1, 8, 11, 13, 14, 17, 19, 20, 22, 25, 26, 32, 33], "doc": [1, 33], "local": [1, 2, 4, 5, 11, 17, 20, 22, 33], "cd": [1, 3, 11, 14, 15, 17, 19, 20, 22, 26, 32, 33], "make": [1, 2, 3, 4, 6, 15, 17, 19, 20, 22, 25, 26, 32, 33], "html": 1, "xdg": [1, 5], "open": [1, 15, 17, 19], "index": [1, 6, 15], "can": [2, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 15, 17, 18, 19, 20, 21, 22, 23, 25, 27, 28, 31, 33], "integr": [2, 3, 8, 33], "your": [2, 4, 7, 10, 11, 12, 13, 14, 15, 17, 21, 22, 27, 33], "pipelin": 2, "thank": [2, 15], "It": [2, 3, 4, 5, 6, 8, 13, 15, 17, 18, 19, 20, 25, 29], "act": [2, 17], "basic": [2, 6, 7], "block": [2, 7, 14, 15, 22, 25], "compos": [2, 3, 25], "workflow": [2, 11, 15, 16, 18, 21, 33], "With": [2, 4, 6, 14, 18, 19], "thi": [2, 4, 5, 6, 7, 8, 11, 12, 13, 15, 16, 17, 18, 19, 20, 21, 23, 24, 25, 26, 27, 29, 30, 31, 33], "you": [2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 22, 23, 24, 26, 28, 30, 31, 32, 33], "autom": [2, 
4, 5, 33], "process": [2, 6, 7, 8, 11, 13, 14, 16, 19, 20, 22, 25], "target": [2, 3, 5, 6, 8, 11, 12, 14, 15, 16, 17, 22, 24, 26, 30, 32, 33], "build": [2, 3, 4, 5, 6, 8, 11, 15, 16, 17, 19, 21, 24, 27, 30], "reusabl": [2, 4], "deleg": [2, 18], "from": [2, 3, 4, 6, 8, 11, 13, 17, 18, 19, 20, 22, 23, 25, 26, 28, 32, 33], "machin": [2, 4, 5, 9, 11, 12, 17, 20, 22, 25, 27, 33], "reproduc": [2, 5, 6, 17, 18, 20], "infrastuctur": 2, "regress": [2, 17], "test": [2, 5, 6, 8, 9, 11, 17, 18, 33], "suit": [2, 25], "continu": [2, 6, 9, 11, 17, 33], "updat": [2, 4, 11, 19, 20, 29, 33], "new": [2, 4, 5, 7, 11, 12, 14, 15, 17, 20, 25], "seed": [2, 5, 7, 8, 11, 14, 15, 22], "execut": [2, 3, 4, 5, 6, 7, 8, 10, 11, 13, 14, 17, 19, 20, 22, 25, 26, 32, 33], "conveni": [2, 6, 19], "everi": [2, 4, 5, 15, 19], "pr": 2, "dai": 2, "week": 2, "requir": [2, 3, 4, 6, 14, 19, 20, 22, 25, 33], "A": [2, 4, 6, 7, 11, 14, 15, 18, 19, 22, 31, 33], "compat": [2, 4, 11, 23], "server": [2, 5, 6, 11, 17, 19, 20, 22], "intel": [2, 3, 4, 5, 6, 11, 13, 17, 22, 33], "pt": [2, 3, 5, 6, 7, 8, 11, 13, 17, 20, 22], "self": [2, 18], "first": [2, 5, 6, 8, 11, 13, 15, 17, 20, 25, 33], "step": [2, 3, 5, 6, 8, 9, 12, 13, 14, 17, 19, 21, 22, 23, 24, 25, 30, 33], "instal": [2, 3, 4, 12, 19, 20, 26, 33], "choic": [2, 5], "we": [2, 4, 6, 9, 11, 12, 13, 15, 16, 17, 18, 19, 20, 21, 22, 23, 25, 26, 31, 32, 33], "leverag": [2, 4, 29], "ansibl": [2, 3, 11, 19, 26, 32, 33], "playbook": [2, 4, 11, 19, 26, 32, 33], "part": [2, 5, 6, 15, 17, 19], "rewrit": [2, 4, 6, 20, 25, 29], "inventori": [2, 4], "remot": [2, 4, 17], "specifi": [2, 4, 5, 7, 11, 13, 17, 25, 33], "echo": [2, 6, 11, 19], "exampl": [2, 3, 4, 5, 6, 9, 13, 14, 17, 18, 19, 20, 22, 25, 26, 30, 32, 33], "com": [2, 3, 4, 11, 20, 33], "onli": [2, 4, 5, 6, 8, 11, 13, 25, 30, 33], "tag": [2, 3, 8, 11, 19, 33], "command": [2, 4, 5, 7, 11, 14, 17, 18, 22, 33], "grub": [2, 4], "reboot": [2, 4, 5, 11, 17, 20, 22], "onc": [2, 6, 11, 14, 17, 22, 25], "done": [2, 6, 7, 11, 15, 
17, 25, 33], "should": [2, 5, 6, 10, 11, 12, 13, 14, 15, 17, 22, 23, 33], "find": [2, 7, 10, 11, 12, 14, 15, 17, 20, 22, 23, 25], "unam": 2, "grep": [2, 11], "6": [2, 3, 7, 16, 17, 21, 22, 25, 26, 31, 33], "0": [2, 5, 6, 7, 9, 11, 13, 14, 15, 17, 18, 20, 22, 25, 26, 29, 31, 32, 33], "pull": [2, 4, 11], "latest": [2, 11, 33], "imag": [2, 4, 5, 11, 17, 20, 22, 27, 33], "run": [2, 3, 4, 5, 6, 8, 11, 16, 17, 20, 23, 24, 25, 26, 27, 32, 33], "userspac": [2, 3, 11, 12, 19, 20, 22, 25, 26, 27, 31, 32], "let": [2, 5, 6, 11, 12, 15, 17, 18, 23, 25, 33], "well": [2, 3, 5, 17, 25], "engin": 2, "ubuntu": [2, 11, 19], "final": [2, 5, 33], "follow": [2, 3, 5, 6, 11, 13, 16, 19, 21, 24, 25, 28, 31, 33], "offici": [2, 15], "guid": [2, 12, 13, 17, 25], "add": [2, 5, 11, 13, 20, 23, 25, 33], "repositori": [2, 3, 4, 11, 13], "now": [2, 6, 9, 11, 12, 13, 15, 17, 19, 22, 23, 25, 33], "have": [2, 4, 6, 11, 12, 13, 14, 15, 17, 19, 22, 23, 25, 26, 30, 31, 33], "avail": [2, 4, 5, 6, 7, 11, 19, 20, 21, 25, 33], "under": [2, 9, 17, 18, 23, 27, 33], "go": [2, 11, 23, 33], "check": [2, 3, 4, 5, 6, 11, 15, 17, 18, 20, 22, 31], "readm": [2, 19], "yml": [2, 4], "linux": [2, 3, 4, 5, 6, 9, 11, 12, 13, 14, 15, 16, 17, 19], "boil": 2, "down": [2, 5, 7, 11, 17, 23], "invok": [2, 13, 17], "specif": [2, 5, 6, 9, 13, 16, 18, 29], "subcommand": [2, 5, 11, 17, 20], "workdir": [2, 3, 5, 7, 11, 17, 20, 22], "mount": [2, 11, 20], "contain": [2, 11, 17, 18, 23, 25], "few": [2, 12, 14, 22, 33], "extra_arg": 2, "line": [2, 4, 5, 11, 13, 14, 17, 18, 21, 22, 23, 33], "name": [2, 4, 6, 15, 17, 23, 33], "master": [2, 4], "own": [2, 4, 6, 13, 23, 31], "all": [2, 3, 4, 5, 7, 10, 11, 14, 17, 22], "thing": [2, 20], "default": [2, 4, 5, 6, 8, 14, 22, 26, 32, 33], "timeout": [2, 5, 6, 7, 8, 10, 14, 15, 17, 20, 22], "job": 2, "limit": [2, 5, 6, 13], "6h": 2, "possibl": [2, 4, 23, 29, 33], "bypass": 2, "higher": 2, "valu": [2, 5, 6, 8, 14, 22, 26, 32, 33], "job_id": 2, "minut": [2, 14, 22, 33], "For": [2, 3, 5, 6, 13, 14, 
17, 18, 20, 22, 25], "max": [2, 5, 11, 22], "time": [2, 5, 6, 7, 8, 15, 17, 23, 25, 33], "60": [2, 7, 15, 17], "24": [2, 15, 17, 20], "7": [2, 7, 14, 15, 17, 18, 21, 22, 31, 33], "20160": 2, "And": [2, 4, 11, 15, 17, 26, 32], "ani": [2, 3, 5, 6, 8, 11, 14, 20, 25, 32, 33], "want": [2, 4, 6, 11, 25, 33], "threshold": 2, "259200": 2, "second": [2, 5, 7, 15], "ha": [2, 4, 5, 6, 7, 9, 11, 20, 22, 33], "been": [2, 5, 6, 7, 9, 11, 12, 14, 17, 22, 25, 26, 30, 31, 33], "introduc": [2, 4, 9, 11, 12, 19], "tianocor": 2, "commun": [2, 4, 5, 8, 9, 19, 25, 33], "meet": [2, 11], "mai": [2, 5, 8, 19, 20, 33], "4th": 2, "2023": 2, "fuzzer": [3, 4, 6, 8, 9, 11, 12, 13, 14, 17, 20, 22, 25], "x86": [3, 6, 14, 17, 19, 20], "vm": [3, 5, 6, 11, 13, 17, 19, 20, 22, 24, 27, 30], "great": 3, "anyth": [3, 11, 31], "qemu": [3, 4, 5, 6, 7, 8, 10, 11, 13, 14, 15, 17, 20, 22, 25, 33], "kvm": [3, 4, 5, 11, 17, 19, 20, 22, 33], "guest": [3, 4, 5, 6, 8, 9, 13, 17, 19, 20, 23, 24, 25, 27, 30, 33], "particular": [3, 17, 20], "firmwar": [3, 19], "full": [3, 6, 14, 17, 19, 22], "blown": 3, "oper": [3, 5, 6, 13, 18], "system": [3, 5, 9, 11, 14, 17, 19, 20, 22, 23, 25], "vt": 3, "pml": 3, "achiev": [3, 4, 6], "effici": [3, 19], "reset": [3, 6, 17, 25], "coverag": [3, 5, 6, 7, 8, 13, 21, 25], "whitebox": 3, "scenario": [3, 17], "allow": [3, 11, 17, 33], "mani": [3, 8], "fw": 3, "desir": [3, 4, 6], "toolchain": [3, 11], "minim": [3, 5, 6, 19], "code": [3, 5, 6, 8, 13, 16, 17, 20, 21, 23, 24, 30], "modif": [3, 11, 19, 33], "written": 3, "python": [3, 5, 8, 11], "design": [3, 18], "parallel": [3, 5, 20], "multipl": [3, 5, 6, 20, 23], "instanc": [3, 5, 8, 14, 17, 20, 22], "an": [3, 4, 5, 6, 7, 8, 11, 12, 16, 17, 18, 19, 20, 21, 22, 26, 32, 33], "afl": [3, 5], "like": [3, 4, 5, 6, 18, 31], "easi": [3, 4], "extend": [3, 5, 33], "custom": [3, 5, 6, 19], "mutat": [3, 5, 7], "analysi": [3, 5, 8, 14, 16, 17, 21, 24, 27, 30], "schedul": [3, 7], "option": [3, 4, 5, 13, 17, 19, 20, 33], "radamsa": [3, 4, 7, 8, 20], 
"extens": 3, "introspect": [3, 25], "extract": [3, 5, 23], "runtim": [3, 7, 15], "condit": [3, 17, 25], "instruct": [3, 20, 25], "overcom": 3, "typic": [3, 5, 6, 8], "magic": 3, "byte": [3, 5, 6, 7, 13, 15, 17], "other": [3, 4, 5, 6, 8, 20, 33], "attempt": [3, 20, 26, 32], "identifi": [3, 13, 17, 23, 25], "keyword": [3, 4], "syntax": 3, "order": [3, 5, 17, 25, 33], "gener": [3, 6, 13, 17, 33], "more": [3, 5, 6, 8, 11, 14, 17, 18, 19, 22, 25, 33], "clever": 3, "larg": [3, 6], "scale": 3, "detail": [3, 7, 15, 17, 19, 33], "pleas": [3, 13, 14, 22, 33], "visit": 3, "around": [3, 4, 6, 13, 15, 25, 31], "main": [3, 5, 8, 11, 13, 33], "which": [3, 6, 7, 8, 11, 13, 14, 15, 17, 18, 20, 22, 25], "organis": 3, "subcompon": 3, "frontend": [3, 4, 6], "modifi": [3, 5, 11, 15, 17, 33], "hypercal": [3, 5, 7, 9, 10, 13, 14, 17, 19, 21, 22, 23, 25, 29, 31], "support": [3, 5, 6, 8, 11, 17, 22], "libxdc": [3, 4, 5, 6, 20], "decod": [3, 5, 6, 8, 20], "librari": [3, 6], "action": 3, "github": [3, 4, 11, 20], "ci": [3, 4], "introduct": 3, "1": [3, 6, 7, 13, 14, 15, 16, 17, 21, 22, 23, 25, 26, 31, 32, 33], "2": [3, 6, 7, 14, 15, 16, 17, 21, 22, 23, 25, 26, 31, 32, 33], "clone": [3, 4, 20], "sourc": [3, 4, 13, 16, 19, 20, 21, 24, 26, 30, 32, 33], "3": [3, 6, 7, 14, 15, 16, 17, 19, 21, 22, 25, 31, 32, 33], "deploi": [3, 4, 19, 33], "4": [3, 5, 6, 7, 10, 13, 16, 17, 19, 21, 22, 25, 31, 33], "set": [3, 4, 6, 8, 9, 13, 14, 17, 18, 19, 20, 26, 32, 33], "environ": [3, 4, 7, 8, 9, 19, 33], "env": [3, 4, 8, 14], "5": [3, 4, 5, 7, 15, 16, 21, 22, 25, 26, 31, 32, 33], "verifi": [3, 5, 6, 17, 33], "On": 3, "next": [3, 5, 6, 9, 13, 14, 17, 18, 19, 21, 22, 23, 26], "concept": [3, 19, 21], "agent": [3, 5, 6, 16, 17, 20, 21, 24, 30], "pick": [3, 4, 20], "dvkm": [3, 4, 14, 15, 17, 18, 21], "window": [3, 4, 6, 7, 9, 11, 12, 19, 22, 25, 26, 30, 31, 32], "driver": [3, 12, 18, 19, 23, 25, 26, 27, 28, 30, 31, 32, 33], "up": [3, 5, 7, 8, 18, 19, 20, 33], "docker": [3, 4, 11, 20], "setup": [3, 4, 7, 11, 12, 15, 
16, 20, 24, 26, 30, 32], "runner": 3, "configur": [3, 6, 9, 11, 12, 13, 14, 17, 19, 21, 22, 25, 33], "preced": 3, "overrid": [3, 6, 8, 33], "variabl": [3, 4, 8, 11, 17, 18, 33], "kei": [3, 13, 17, 21], "deploy": [3, 8, 11], "makefil": [3, 15, 17, 19, 26, 32, 33], "galaxi": 3, "api": [3, 19, 29], "essenti": [3, 4, 11], "further": [3, 13, 17, 33], "util": [3, 17, 19], "function": [3, 5, 9, 13, 17, 18, 20, 25, 31], "untest": 3, "fulli": [3, 5], "deprec": [3, 5], "usag": [3, 7], "convent": 3, "user": [3, 4, 5, 6, 11, 12, 14, 15, 17, 18, 19, 20, 26, 32, 33], "interfac": [3, 6, 12, 14, 19, 20], "gui": [3, 10, 16, 21, 24, 33], "research": 3, "paper": 3, "built": [4, 6, 18, 20, 25, 31], "IT": 4, "framework": [4, 5], "cloud": 4, "servic": [4, 26, 32], "provis": [4, 24, 27, 30, 33], "virtual": [4, 6, 9, 11, 16, 17, 20, 22, 25], "As": [4, 5, 33], "ar": [4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 17, 18, 19, 20, 22, 23, 25, 26, 31, 32, 33], "expect": [4, 6, 8, 20, 26, 32, 33], "perform": [4, 5, 6, 7, 8, 13, 18, 19, 20, 25], "see": [4, 5, 6, 7, 8, 10, 11, 14, 17, 20, 22, 33], "document": [4, 5, 6, 11, 12, 15, 20, 28], "list": [4, 5, 33], "level": [4, 5, 6, 7, 17, 20], "made": [4, 5, 6, 11, 12], "when": [4, 5, 6, 8, 13, 17, 20, 22, 23, 25, 33], "If": [4, 6, 11, 17, 25, 33], "necessari": [4, 6, 11, 12, 25, 33], "download": [4, 5, 11, 19, 21], "10": [4, 5, 6, 7, 15, 17, 18, 20, 22, 23, 33], "73": [4, 17], "ensur": [4, 6, 13, 14, 20, 31], "current": [4, 5, 6, 7, 8, 11, 15, 17], "group": [4, 11, 20], "dev": [4, 5, 8, 11, 14, 15, 17, 20, 22, 23], "devic": [4, 5, 11, 17, 20, 22, 25], "permiss": 4, "noth": [4, 6, 11], "els": [4, 11], "descript": [4, 5, 33], "compon": [4, 11, 13, 25, 33], "accord": 4, "file": [4, 5, 6, 7, 8, 11, 14, 17, 18, 19, 20, 22, 23, 33], "Will": [4, 5, 25], "localhost": [4, 17], "enter": [4, 11, 20, 22, 26, 32, 33], "sub": [4, 11], "shell": [4, 11, 12, 17, 33], "clean": [4, 15], "remov": [4, 14, 33], "virtualenv": [4, 14, 22], "venv": [4, 11, 14, 15, 17, 19, 22, 23, 
33], "forc": 4, "git": [4, 11, 12, 20], "manag": [4, 5, 8, 33], "orient": 4, "rebuild": 4, "some": [4, 6, 8, 11, 33], "accept": [4, 5, 6], "addit": [4, 5, 6, 7, 8, 14, 17, 20], "argument": [4, 5, 6, 8, 18, 33], "them": [4, 8, 11, 15, 17, 23, 25, 33], "after": [4, 5, 6, 11, 13, 14, 15, 17, 18, 22], "end": [4, 12, 13, 15, 17, 25], "symbol": [4, 17], "doubl": [4, 18], "dash": 4, "These": [4, 17], "pass": [4, 6], "underli": 4, "toggl": [4, 5], "3rd": 4, "verbos": [4, 14, 33], "vvv": 4, "skip": [4, 5, 6, 11, 20, 26, 32, 33], "hardware_check": 4, "hardare_check": 4, "sinc": [4, 6, 7, 11, 20, 30], "hack": [4, 6], "convert": 4, "quot": 4, "string": [4, 5, 6, 13, 15, 17, 19, 23], "doesn": [4, 11, 17, 22, 25, 31], "t": [4, 5, 11, 17, 20, 22, 25, 31], "work": [4, 5, 8, 17, 20], "extra": [4, 5, 6, 33], "var": [4, 33], "ansible_connect": 4, "fine": [4, 17], "grain": [4, 17], "control": [4, 6, 17], "thei": [4, 6, 8, 25], "paramet": [4, 14, 17, 19, 22, 25], "directli": [4, 5, 6, 17, 20, 33], "ad": [4, 5, 7, 17, 33], "featur": [4, 6, 11, 17, 19, 21, 22, 33], "describ": 4, "previous": [4, 6, 8, 20, 31, 32], "select": [4, 7], "task": [4, 6, 7, 15, 17, 26, 32], "capston": 4, "kvm_devic": 4, "fix": [4, 17], "node": [4, 7, 15, 22, 33], "reboot_kernel": 4, "respons": [4, 9, 13, 18], "update_grub": 4, "entri": [4, 8, 11, 17, 18, 22, 25], "where": [4, 5, 6, 14, 17, 22, 23], "etc": [4, 5, 6, 9, 20, 25, 33], "templat": [4, 6, 24, 27, 30], "tool": [4, 8, 11, 17, 19, 20, 24, 30], "packer": [4, 19, 33], "vagrant": [4, 19, 24, 26, 30, 32], "agrant": 4, "plugin": [4, 33], "bridg": 4, "helper": [4, 8, 17], "packag": [4, 5], "submodul": 4, "damn": [4, 16, 18, 21], "vulner": [4, 12, 16, 17, 18, 21, 24, 30], "modul": [4, 13, 15, 16, 17, 18, 19, 21, 25], "One": 4, "reason": [4, 6, 17, 21, 25, 33], "scratch": 4, "v0": [4, 33], "releas": [4, 7, 10, 13, 14, 17, 22], "wa": [4, 6, 15, 17, 18, 33], "better": [4, 6, 8, 11, 12, 15, 17, 18, 19, 20, 25, 33], "In": [4, 5, 6, 11, 15, 17, 18, 19, 20, 33], "fact": 
[4, 11, 15, 26, 32], "base": [4, 5, 7, 11, 13, 18, 19, 20, 25, 33], "ccc": 4, "harden": 4, "repo": [4, 26, 27, 32], "case": [4, 5, 6, 11, 20, 23], "cherri": 4, "goal": 4, "mind": 4, "power": [4, 5], "breakdown": 4, "modular": 4, "role": [4, 19], "distribut": 4, "directori": [4, 5, 11, 14, 17, 19, 26, 32, 33], "regroup": [4, 15], "depend": [4, 6, 14, 19, 20, 22], "each": [4, 5, 6, 7, 8, 17, 18, 19, 20, 25], "wai": [4, 11, 23], "includ": [4, 6, 13, 15, 17, 18, 19], "out": [4, 7, 15, 33], "share": [4, 6, 8, 13, 22, 33], "same": [4, 6, 17, 28], "top": [4, 6, 19], "path": [4, 5, 7, 8, 11, 14, 15, 17, 19, 20, 22, 25, 31, 33], "hand": 4, "need": [4, 6, 9, 11, 13, 17, 19, 20, 23, 25, 33], "subfold": 4, "yet": [4, 5, 6, 8, 14, 19, 22], "publicli": 4, "websit": 4, "referenc": 4, "http": [4, 11, 20, 33], "version": [4, 6, 33], "chang": [5, 6, 11, 12, 25, 26, 32, 33], "config": [5, 8, 13, 14, 15, 17, 20], "switch": [5, 19], "dynaconf": 5, "behind": 5, "scene": 5, "so": [5, 6, 17, 25, 33], "everyth": [5, 13, 22], "learn": [5, 7, 31], "also": [5, 6, 7, 8, 20], "applic": [5, 17, 25], "yaml": [5, 8, 14, 17, 19, 20, 22], "format": [5, 6, 13, 14, 33], "kafl_fuzz": [5, 8], "common": [5, 6, 25], "default_set": 5, "home": [5, 11, 17, 20, 22, 26, 32, 33], "pwd": [5, 14, 20], "kafl_config_fil": [5, 20], "ex": [5, 17, 22, 25, 26, 32], "shm": [5, 8, 11, 15, 17, 20, 22, 23], "kafl_test_featur": 5, "prefix": [5, 6], "kafl_": [5, 20], "kafl_process": 5, "8": [5, 7, 15, 17, 20, 22, 23, 31, 33], "note": [5, 8, 13, 20], "point": [5, 6, 8, 11, 13, 20], "non": [5, 6, 7, 8, 17, 18, 20], "exist": [5, 6, 8, 14, 17, 20], "valid": [5, 6, 13, 20], "error": [5, 6, 15, 17, 20, 33], "rais": [5, 6], "warn": [5, 11, 17, 20, 22], "export": [5, 19], "kafl_qemu_memori": 5, "1024": [5, 6], "kafl_log_hrpintf": 5, "true": [5, 6, 33], "section": [5, 12, 13, 15, 17, 18, 19, 21, 33], "avaialbl": 5, "insensit": 5, "256": [5, 6, 11, 17], "exit": [5, 6, 8, 13, 17, 20, 22], "n": [5, 6, 7, 8, 11, 13, 14, 15, 18, 22, 25, 
31, 33], "total": [5, 7, 14, 15, 17, 22, 23], "abort": [5, 6, 11, 20], "exec": [5, 7, 8, 11, 15, 17, 20, 22, 23], "builtin": [5, 25, 33], "stop": [5, 6, 11, 13, 15, 22], "elaps": [5, 7], "benchmark": 5, "gdb": 5, "payload": [5, 6, 7, 8, 9, 13, 14, 15, 17, 23, 25, 31], "must": [5, 6, 11, 13, 17, 19], "compil": [5, 16, 17, 19, 20, 21, 23, 25, 26, 32, 33], "peform": 5, "print": [5, 6, 13], "stdout": [5, 17, 22, 26, 32], "nois": 5, "measur": 5, "determin": [5, 6, 17], "printk": [5, 6, 13, 14, 17], "redirect": [5, 14, 17], "call": [5, 6, 9, 13, 17, 20, 25, 31], "debugg": [5, 17], "verif": 5, "maximum": 5, "number": [5, 6, 7, 17], "decrement": 5, "style": 5, "arithmet": 5, "affect": 5, "determinist": [5, 7, 8, 20], "stage": [5, 7, 26], "havoc": [5, 7], "34": [5, 7], "arith": 5, "bitflip": 5, "interest": [5, 8, 20], "fals": [5, 33], "dumb": 5, "mode": [5, 6, 17, 33], "d": [5, 11, 13, 17, 18, 20, 33], "zero": [5, 18], "size": [5, 6, 7, 9, 11, 13, 15, 17, 18, 22, 25, 29, 31], "bitmap": [5, 6, 7, 8, 14, 15, 22], "65536": [5, 11, 17, 20, 22], "cpu": [5, 7, 11, 14, 15, 17, 20, 22, 33], "pin": 5, "start": [5, 6, 7, 9, 10, 11, 13, 14, 17, 21, 22, 23, 25, 26, 32, 33], "vcpu": [5, 7], "assign": [5, 7, 13], "worker": [5, 6, 7, 8, 11, 15, 17, 20, 22], "p": [5, 7, 14, 15, 20, 22, 25, 26, 31, 32, 33], "offset": [5, 33], "enabl": [5, 6, 9, 11, 13, 15, 17, 19, 20, 22, 25, 33], "expens": 5, "messag": [5, 11, 14, 17, 22], "dure": [5, 8, 13, 17, 19, 20, 23, 25, 26, 32, 33], "item": 5, "effect": [5, 6, 8, 19, 25], "store": [5, 6, 8, 17, 20], "data": [5, 6, 9, 13, 17, 18, 25, 29], "refer": [5, 9, 11, 12, 13, 14, 20, 22], "impli": 5, "dictionari": 5, "none": [5, 11, 14, 17, 20, 22], "crash": [5, 6, 7, 8, 10, 14, 15, 16, 20, 21, 22, 24, 25, 27, 31], "corpu": [5, 8, 15, 16, 20, 24], "consist": [5, 13], "found": [5, 6, 7, 14, 17, 22, 23, 27, 33], "major": 5, "re": [5, 14, 20], "75": [5, 7, 15, 17], "probabl": [5, 7, 17], "combin": [5, 6, 17, 19, 25], "kafl_workdir": [5, 8, 14, 15, 17, 20, 23], 
"cov": [5, 8, 20], "output": [5, 8, 13, 17, 20, 26, 32, 33], "help": [5, 9, 20], "shorthand": 5, "tcp": 5, "1234": [5, 17], "freez": 5, "startup": [5, 6, 8], "c": [5, 6, 11, 13, 14, 15, 17, 18, 19, 20, 23, 25, 26, 29, 31, 32], "inform": [5, 6, 13, 17, 23, 25], "automat": [5, 6, 7], "kasan": [5, 7, 8, 10, 13, 14, 16, 17, 21, 22], "regular": [5, 6, 7, 8, 10, 14, 15, 22], "session": [5, 8, 17, 33], "ip": [5, 6, 13, 20, 33], "filter": [5, 6, 9, 13, 20], "rang": [5, 6, 13, 18, 20, 31], "range_submit": [5, 13], "hypercall_api": 5, "md": [5, 6, 19, 20], "Not": [5, 33], "region": [5, 11, 15, 17, 20, 22], "ip1": 5, "ip2": 5, "ip3": 5, "queue": [5, 7], "than": [5, 6, 8, 19], "random": [5, 17], "length": 5, "har": [5, 6, 8, 9, 17, 19, 20, 22, 29, 31, 33], "defin": [5, 6, 8, 11, 13, 17, 18, 20, 22, 33], "disabl": [5, 6, 9, 15, 17, 20], "handler": [5, 6, 13, 17, 18, 22], "qemu_trace_nn": 5, "copi": [5, 8, 18, 33], "hprintf": [5, 8, 13, 14, 15, 17, 19, 20, 22, 23], "truncat": [5, 8], "recommend": [5, 8, 11, 17, 20, 21, 33], "collect": [5, 6, 9, 13, 20, 33], "live": [5, 10, 13, 14, 17, 22], "avoid": [5, 8, 20], "oom": 5, "due": [5, 6, 8, 15, 33], "huge": 5, "hprintf_nn": [5, 8], "printf": 5, "creat": [5, 6, 8, 11, 17, 18, 19, 20, 26, 32, 33], "linear": 5, "across": [5, 17], "restor": [5, 13, 19, 26, 32, 33], "page": [5, 6, 8, 13, 14, 15, 17, 22], "4096": [5, 6, 22], "131072": [5, 11, 17, 20, 22], "launch": [5, 7, 11, 14, 17, 20, 22, 33], "ptdump": [5, 20], "libxdc_root": 5, "ptdump_stat": 5, "append": [5, 6, 17, 20], "cmdline": 5, "nokaslr": [5, 14, 17, 20], "oop": [5, 13, 14, 17, 20], "panic": [5, 7, 10, 13, 14, 17, 20, 22, 31], "nopti": [5, 14, 17, 20], "mitig": [5, 14, 17, 20], "off": [5, 11, 14, 17, 20, 22], "consol": [5, 14, 17], "ttys0": [5, 14, 17], "baselin": 5, "kafl64": [5, 11, 17, 20, 22], "v1": [5, 11, 17, 20, 22, 33], "vmx": [5, 11, 17, 20, 22], "displai": [5, 11, 17, 20, 22, 23], "bio": [5, 15, 17], "flag": 5, "disk": [5, 8, 33], "drive": [5, 22], "initi": [5, 6, 8, 
18, 19, 20, 22, 31, 33], "ram": [5, 7, 8, 15, 22, 27, 33], "initrd": [5, 16, 17], "bzimag": [5, 14, 15, 17, 19, 20], "amount": 5, "memori": [5, 6, 13, 15, 17, 18, 20, 25, 33], "mb": 5, "m": [5, 11, 17, 20, 22], "patch": [5, 21], "qemu_root": 5, "x86_64": [5, 11, 17, 20, 22, 26, 32, 33], "softmmu": [5, 11, 17, 20, 22], "chardev": [5, 11, 17, 20, 22], "id": [5, 6, 7, 11, 17, 20, 22, 23, 33], "kafl_seri": [5, 11, 17, 20, 22], "mux": [5, 11, 17, 20, 22], "serial_": 5, "qemu_pid": 5, "isa": [5, 11, 17, 20, 22], "serial": [5, 8, 11, 14, 17, 20, 22], "pre": [5, 6, 9, 11], "manual": [5, 6, 33], "creation": 5, "lock": [5, 8, 13, 15, 31], "radamsa_root": 5, "bin": [5, 11, 17, 20, 26, 32, 33], "simpl": [5, 19, 20], "would": [5, 19, 23], "subsequ": [5, 6], "jump": [5, 12, 20, 22], "tabl": [5, 8], "hammer": 5, "checksum": [5, 33], "fixer": 5, "broken": 5, "hash": [5, 7, 8, 17], "persist": [5, 6, 25], "partial": 5, "somewher": [5, 17], "100": [5, 6, 14, 15, 17], "tend": [5, 8], "yield": [5, 7], "good": [5, 11, 25], "stabil": [5, 7, 15, 17], "trade": 5, "r": [5, 6, 7, 15, 17, 20, 22, 23, 31], "tell": [5, 6], "caus": [5, 12, 20], "page_cach": [5, 8, 20], "complet": [5, 11, 13, 17, 19, 33], "campaign": [5, 7, 8, 10, 13, 16, 19, 21, 23, 24, 27, 30], "travers": [5, 7], "recurs": 5, "import": [5, 8, 24, 30], "seed_xxx": 5, "consum": [5, 20], "upon": [5, 17], "dir": [5, 7, 8, 11, 22], "folder": [5, 6, 8, 23, 26, 32, 33], "req_stream_data": [5, 19], "both": [5, 9, 13, 17, 18, 26], "report": [5, 6, 7, 14, 16, 17, 22, 23], "produc": [5, 20], "hard": [5, 8], "soft": 5, "lower": [5, 7], "adapt": [5, 12, 18, 33], "seen": [5, 7], "001": 5, "callback": 5, "significantli": [5, 6, 21], "slow": 5, "result": [5, 6, 8, 12, 15, 16, 18, 20, 21, 26, 32, 33], "differ": [5, 6, 20, 30], "edge_cb_trac": 5, "cb": [5, 7], "dump": [5, 6, 8, 15, 17, 20], "binari": [5, 6, 11, 19, 20, 26, 32], "discov": [5, 7, 8, 17], "later": 5, "recommed": 5, "incurr": 5, "dump_pt_trac": 5, "load": [5, 11, 17, 19, 20, 22, 25, 
33], "tutori": [5, 9, 12, 13, 15, 18, 21, 24, 25, 27, 30, 31, 33], "were": 5, "mtarral": [5, 11, 15, 17, 22, 23], "kafl_config": 5, "Then": [5, 33], "parser": 5, "argpars": 5, "env_glob": 5, "config_fil": 5, "root": [5, 11, 12, 14, 17, 19, 20, 26, 32], "kafl_mtarr": [5, 11, 15, 17, 22, 23], "workspac": 5, "supersed": 5, "definit": [5, 6, 33], "accumul": [5, 8], "primari": [5, 8], "locat": [5, 6, 8, 11, 13, 15, 17, 21, 22, 24, 25, 26, 31, 32], "inspect": [5, 8, 17], "statu": [5, 7, 8, 17], "previou": [5, 8, 17], "still": [5, 8, 17, 33], "post": [5, 8], "triag": [5, 8], "layout": [5, 17], "issu": [6, 17, 21, 31, 33], "special": [6, 8], "bootstrap": [6, 20], "coordin": 6, "approach": [6, 19], "offer": [6, 17, 20, 21], "low": [6, 20], "take": [6, 10, 13, 14, 22, 33], "inject": [6, 20], "nyx_api": [6, 13, 15], "h": [6, 7, 13, 15, 17], "header": [6, 13], "hypercall_kafl_": 6, "handshak": [6, 9, 13, 22], "kafl_hypercal": [6, 9, 13, 15, 25, 29], "hypercall_kafl_acquir": [6, 9, 13, 25], "hypercall_kafl_releas": [6, 8, 9, 13, 25, 29], "kafl_hypercall_acquir": [6, 9], "func": [6, 9], "kafl_hypercall_releas": [6, 9], "mark": [6, 15], "singl": [6, 18], "reach": [6, 17, 22], "mean": [6, 8, 14, 17, 22], "newer": [6, 11], "backend": [6, 33], "actual": [6, 11, 23, 33], "get": [6, 11, 20, 21, 23, 25, 33], "instead": [6, 20], "write": [6, 8, 13, 17, 23, 25], "provid": [6, 15, 17, 18, 19, 20, 26, 32, 33], "address": [6, 15, 17, 18, 25, 33], "mmap": [6, 11, 22], "buffer": [6, 9, 13, 18, 25, 31], "care": 6, "alloc": [6, 9, 13, 14, 15, 18, 22, 25, 27, 31, 33], "suffici": [6, 20], "align": [6, 13], "sure": [6, 11, 17, 20, 22, 26, 32, 33], "resid": [6, 13], "pagefault": 6, "unistd": 6, "stdlib": 6, "sy": [6, 25, 26, 32], "mman": 6, "64kb": 6, "long": [6, 17], "page_s": 6, "sysconf": [6, 13], "_sc_pages": [6, 13], "size_t": [6, 13, 15, 25], "buffer_s": 6, "64": [6, 7, 15, 17, 22], "kafl_payload": [6, 9, 13], "payload_buff": [6, 9, 13, 25, 29], "aligned_alloc": [6, 13], "mlock": [6, 13], 
"between": [6, 8, 18, 19, 25, 33], "hypercall_kafl_get_payload": 6, "uintptr_t": 6, "virtualalloc": 6, "garante": 6, "null": [6, 17, 25], "mem_reserv": 6, "mem_commit": 6, "page_readwrit": 6, "virtuallock": 6, "struct": [6, 13, 17, 18], "typedef": 6, "int32_t": 6, "uint8_t": [6, 31], "trigger": [6, 11, 15, 17, 18, 25, 26, 32, 33], "regist": [6, 13], "invoc": 6, "befor": [6, 9, 11, 13, 14, 17, 20], "how": [6, 11, 12, 15, 17, 18, 19, 20], "hi": 6, "implement": [6, 9, 13, 19, 20, 24, 30], "most": [6, 19, 20], "straightforward": [6, 21, 31], "No": [6, 11, 17, 20, 22, 33], "loop": [6, 20, 22], "iter": [6, 7, 19, 25], "hypercall_kafl_next_payload": [6, 13, 25], "target_entri": [6, 13], "less": 6, "nontheless": 6, "advanc": [6, 12], "ie": 6, "surviv": 6, "gain": [6, 17], "agent_non_reload_mod": [6, 25], "field": [6, 10, 13, 14, 22], "agent_config_t": 6, "agent_config": 6, "agent_mag": 6, "nyx_agent_mag": 6, "agent_vers": 6, "nyx_agent_vers": 6, "hypercall_kafl_set_agent_config": 6, "here": [6, 8, 9, 11, 15, 17, 18, 19, 20, 23, 25, 30], "alwai": 6, "reload": [6, 8, 20], "tweak": [6, 17], "infinit": 6, "Be": [6, 20], "pollut": 6, "might": [6, 11, 18], "becom": [6, 11, 33], "imposs": 6, "queri": [6, 13], "host_config_t": 6, "host_config": [6, 13, 22], "hypercall_kafl_get_host_config": 6, "dkb": 6, "payload_buffer_s": [6, 13, 22], "safeti": [6, 8, 15], "against": 6, "nyx_host_mag": 6, "uint32_t": 6, "host_mag": 6, "host_vers": 6, "bitmap_s": [6, 11, 17, 20, 22], "todo": 6, "ijon_bitmap_s": [6, 22], "equal": 6, "larger": 6, "worker_id": [6, 11, 17, 20, 22], "protocol": [6, 16, 33], "otherwis": 6, "kvm_exit_kafl_get_host_config": 6, "about": [6, 13, 20, 25], "capabl": [6, 14, 22, 25], "trace": [6, 8, 11, 15, 17, 20, 22, 25], "agent_timeout_detect": 6, "agent_trac": 6, "agent_ijon_trac": 6, "fuzzer_configur": [6, 20], "softwar": [6, 17, 33], "instrument": [6, 9, 15], "our": [6, 9, 11, 12, 13, 15, 16, 17, 18, 22, 23, 25, 33], "uint64_t": 6, "trace_buffer_vaddr": 6, 
"ijon_trace_buffer_vaddr": 6, "coverage_bitmap_s": 6, "input_buffer_s": [6, 11, 17, 20, 22], "dump_payload": 6, "kvm_exit_kafl_set_agent_config": 6, "event": [6, 15, 17], "hypercall_kafl_pan": [6, 8, 13], "hypercall_kafl_kasan": [6, 8, 15], "sanit": [6, 15, 21], "overwrit": 6, "detect": [6, 7, 13, 15, 20, 33], "log": [6, 8, 11, 14, 15, 16, 20, 22], "side": [6, 8, 25], "panic_kebugcheck": 6, "resolve_kebugcheck": [6, 25], "kebugcheck": [6, 25], "panic_kebugcheck2": 6, "kebugcheckex": [6, 25], "hypercall_kafl_submit_pan": [6, 25], "unexpect": [6, 17, 20], "inlin": 6, "macro": [6, 18], "often": [6, 19], "prefer": [6, 21], "flexibl": [6, 19], "place": [6, 17, 22], "except": [6, 31], "20": [6, 7, 11, 15, 17, 20, 22], "26": [6, 7, 15, 23], "overwritten": 6, "whether": 6, "protect": [6, 17], "notifi": [6, 13], "fa": [6, 7, 17], "cli": 6, "48": [6, 15, 17], "c7": [6, 7, 15, 17], "c0": [6, 7, 15, 17, 23], "1f": [6, 7, 15, 17], "00": [6, 7, 11, 15, 17, 20, 22, 23], "mov": [6, 17], "rax": [6, 17], "0x1f": [6, 17], "c3": 6, "08": [6, 15, 17], "rbx": [6, 15, 17], "0x8": [6, 18], "c1": [6, 17], "rcx": [6, 15, 17], "0x0": [6, 15, 18, 25], "0f": [6, 15, 17], "01": [6, 15, 17, 20], "vmcall": [6, 25], "f4": [6, 7, 17], "hlt": 6, "panic_payload_64": 6, "xfa": 6, "x48": 6, "xc7": 6, "xc0": 6, "x1f": 6, "x00": 6, "xc3": 6, "x08": 6, "xc1": 6, "x0f": 6, "x01": 6, "xf4": 6, "send": [6, 11, 17, 19], "pointer": [6, 13, 17, 25], "veri": [6, 7, 11, 25, 30], "debug": [6, 8, 15, 16], "forward": [6, 32, 33], "stack": [6, 11, 17, 18], "hypercall_kafl_printf": 6, "impact": 6, "propos": 6, "wrapper": 6, "variad": 6, "known": [6, 21], "simpli": [6, 9, 17, 20, 25, 33], "easier": [6, 19], "obtain": [6, 7, 13, 19], "0xfffff8010e0b0000": 6, "0xfffff8010e0b7000": 6, "hypercall_kafl_range_submit": [6, 25], "ipn": 6, "cr3": [6, 13, 17], "context": [6, 17], "hypercall_kafl_submit_cr3": 6, "least": [6, 14, 22, 33], "keep": [6, 8, 17, 25], "userland": [6, 13, 25], "howev": [6, 13], "especi": [6, 10, 14, 20, 
22], "fork": 6, "being": [6, 17], "signal": [6, 11, 17], "fatal": 6, "mainli": [6, 8, 20, 33], "kind": 6, "assert": [6, 20], "perspect": 6, "auto": [6, 20], "resum": [6, 8, 17, 20], "hang": [6, 17], "hypercall_kafl_user_abort": 6, "too": [6, 21], "explicitli": 6, "32": [6, 7, 15, 18, 20, 22], "bit": [6, 7, 11, 17, 20, 22], "influenc": 6, "possibli": 6, "submit": [6, 13, 22, 25], "hypercall_kafl_user_submit_mod": 6, "kafl_mode_64": 6, "advis": 6, "kafl_rang": 6, "inttyp": 6, "intel_pt_max_rang": 6, "hypercall_kafl_user_range_advis": 6, "int": [6, 13, 17, 18, 31], "prid64": 6, "prix64": 6, "prid8": 6, "suppos": 6, "prefetch": 6, "chanc": 6, "longer": 6, "even": [6, 17, 20], "present": [6, 17, 19], "breakpoint": [6, 17], "nevertheless": 6, "fetch": [6, 19], "correspondingli": 6, "sharedir": [6, 11, 14, 17, 20, 22], "assum": [6, 9, 12, 27], "content": [6, 17, 23], "hello": [6, 19, 20], "txt": [6, 8, 19, 20], "sharedir_filenam": 6, "0x1000": [6, 22], "strncpy": 6, "strlen": 6, "hypercall_kafl_req_stream_data": 6, "work_dir": [6, 8], "suppli": [6, 8], "mkstemp": 6, "filenam": [6, 23], "uniqu": [6, 7, 17, 18], "kafl_dump_file_t": 6, "file_name_str_ptr": 6, "data_ptr": 6, "f": [6, 7, 17, 23, 31], "fopen": 6, "proc": [6, 11, 13, 18, 19], "kallsym": 6, "rb": 6, "char": [6, 13, 18], "fread": 6, "4095": 6, "hypercall_kafl_dump_fil": [6, 8], "save": [6, 33], "usermod": 6, "hypercall_kafl_user_fast_acquir": [6, 29], "solv": 6, "emploi": [6, 9], "row": 6, "termin": [6, 10, 11, 14, 17, 22], "correctli": [6, 11], "program": [6, 8, 9, 11, 17, 22, 31], "brought": 6, "complex": [6, 11, 25], "begin": [6, 17], "boot": [6, 11, 12, 14, 17, 20, 21, 22, 26, 32, 33], "hypercall_kafl_lock": 6, "do": [6, 17, 20, 25], "serv": [6, 13, 19, 21], "purpos": [6, 25, 31], "much": 6, "transfer": 6, "speed": [6, 7, 13, 14, 22, 25, 29], "bulk": 6, "4kb": 6, "per": [6, 7, 23], "file_nam": 6, "request": [6, 11, 17, 22, 25], "num_address": 6, "arrai": 6, "count": 6, "479": 6, "req_data_bulk_t": 6, 
"slightli": 6, "slower": 6, "smaller": 6, "1mb": 6, "exclud": [6, 25], "frame": 6, "mechan": 6, "pfn": [6, 15], "0x8048000": 6, "hypercall_kafl_persist_page_past_snapshot": 6, "static": [6, 13], "void": [6, 13, 15, 17, 25, 31], "msg": 6, "const": [6, 15], "equival": [6, 19], "kafl_hypercall_printf": 6, "lp": 6, "panic_extend": [6, 7, 10, 14, 22], "mix": [6, 8], "create_tmp_snapshot": 6, "posit": 6, "debug_tmp_snapshot": 6, "nested_": 6, "roughli": 6, "nest": 6, "l2": 6, "get_program": 6, "get_argv": 6, "replac": [6, 13], "info": [6, 7, 8, 13, 15, 17, 18, 33], "push": [6, 17, 19], "printk_addr": 6, "interpret": [6, 11, 17, 20], "arg": [6, 17], "render": 7, "variou": [7, 8, 17, 20], "metadata": [7, 8, 33], "curs": 7, "text": [7, 20], "ui": [7, 15], "old": 7, "archiv": 7, "quick": [7, 15, 19], "overview": [7, 16], "averag": 7, "through": [7, 9, 12, 13, 14, 16, 17, 19, 24, 25, 30, 33], "explicit": 7, "w": [7, 17, 20, 25, 31], "workdir_path": 7, "grand": [7, 15], "2h00m": 7, "0m": 7, "16": [7, 15, 17, 20, 22], "72": [7, 17], "curexec": [7, 15], "4018": 7, "funki": [7, 8, 15], "est": [7, 15], "74": [7, 17, 23], "avgexec": [7, 15], "3616": 7, "progress": [7, 10, 15, 16, 24, 25], "141": 7, "1h57m": 7, "45": [7, 17], "edg": [7, 11, 14, 15, 20, 22], "11": [7, 11, 15, 17, 20, 22, 23], "1k": 7, "addsan": [7, 10, 14, 15, 22], "fav": [7, 11, 14, 15, 20, 22], "18": [7, 14, 15, 17, 20, 22], "21": [7, 17, 20, 22], "2k": 7, "9": [7, 11, 17, 19, 20, 22, 31, 33], "13m15": 7, "norm": [7, 14, 15, 22], "123": 7, "col": [7, 14, 15, 22], "3m27": 7, "yld": 7, "init": [7, 33], "38": [7, 14, 15, 17, 23], "grim": 7, "redq": 7, "det": 7, "hvc": 7, "66": [7, 17], "rq": 7, "gr": 7, "fin": 7, "12": [7, 15, 17, 18, 20, 22, 33], "nrm": 7, "120": [7, 17], "activ": [7, 17, 20, 22, 33], "afl_splic": [7, 22], "140": 7, "lvl": [7, 22], "399": 7, "afl_havoc": [7, 22], "97": [7, 17, 23], "395": [7, 20], "afl_flip_2": 7, "96": 7, "400": 7, "106": 7, "371": 7, "85": [7, 17], "243": 7, "103": 7, "244": 7, 
"58": [7, 23], "245": 7, "62": 7, "25": [7, 15, 17], "242": 7, "50": [7, 13, 23], "153": 7, "233": 7, "84": [7, 17], "99": 7, "30": [7, 15, 17, 22, 23], "239": 7, "13": [7, 17, 20, 22], "241": 7, "14": [7, 17, 20, 22, 23], "146": 7, "27": 7, "240": 7, "15": [7, 11, 17, 20, 22, 23], "afl_arith_2": 7, "0kb": [7, 20], "perf": 7, "75m": 7, "score": 7, "0h02m": 7, "0x0000000": 7, "17": [7, 11, 17, 20, 22], "9d": 7, "e4": [7, 23], "47": [7, 22], "90": [7, 17], "f5": 7, "52": 7, "61": [7, 17, 22], "59": [7, 15, 17], "7c": [7, 17], "dd": 7, "ac": 7, "8e": 7, "e": [7, 8, 17, 20], "g": [7, 8, 11, 15, 17, 20], "rai": 7, "0x0000010": 7, "8c": 7, "86": [7, 17], "b0": 7, "92": [7, 17], "77": [7, 15, 17, 23], "fb": [7, 15], "28": [7, 14, 15, 17], "f0": [7, 15, 17], "4c": [7, 17], "f7": 7, "23": [7, 15, 17, 22], "49": [7, 17], "94": 7, "l": [7, 15, 17, 19, 20, 23, 31], "iu": 7, "0x0000020": 7, "d5": 7, "76": [7, 17], "1b": 7, "5b": [7, 17], "9e": 7, "e7": 7, "c6": [7, 17], "91": [7, 17], "51": 7, "6d": 7, "35": [7, 17, 20], "40": [7, 15, 17], "v": [7, 17, 20], "qm5": 7, "0x0000030": 7, "80": [7, 17], "8d": [7, 15, 17], "1a": [7, 17], "fe": [7, 17], "b4": 7, "22": [7, 14, 17, 20, 22], "a0": 7, "a4": [7, 17], "89": [7, 15, 17], "4f": [7, 17], "0x0000040": 7, "ef": 7, "ea": [7, 17], "6a": 7, "b2": [7, 17], "7a": 7, "bc": [7, 23], "79": [7, 20], "f9": 7, "d1": 7, "da": 7, "j": [7, 20], "z": 7, "y": [7, 11, 15, 33], "0x0000050": 7, "3b": 7, "63": [7, 17], "93": 7, "1e": [7, 23], "41": [7, 15, 17], "xcy": 7, "0x0000060": 7, "df": 7, "3a": 7, "98": [7, 20], "31": [7, 15, 17], "37": [7, 17], "q": [7, 11, 17], "170141": 7, "0x0000070": 7, "33": [7, 17], "36": [7, 20], "39": [7, 18], "1834604692317316": 7, "0x0000080": 7, "83": [7, 17], "68": [7, 17], "87303": 7, "0x0000090": 7, "70": 7, "71": 7, "46": 7, "x": [7, 19], "fq": 7, "0x00000a0": 7, "f2": 7, "cf": 7, "1d": 7, "81": [7, 17], "2c": 7, "f6": [7, 17], "3e": 7, "5e": [7, 17], "67": [7, 17], "split": 7, "increasingli": 7, "indic": [7, 
10, 14, 22], "estim": 7, "rough": 7, "sum": 7, "overal": [7, 12, 30], "fraction": 7, "watch": [7, 10, 14, 15, 22, 33], "frequent": [7, 8], "shallow": 7, "adjust": [7, 19], "kickstart": [7, 20, 22], "favorit": 7, "normal": [7, 17], "transit": 7, "tracer": 7, "collis": 7, "last": [7, 33], "return": [7, 10, 14, 17, 18, 22, 25], "intercept": [7, 10, 14, 22, 25], "individu": 7, "respect": 7, "prioriti": 7, "compar": 7, "script": [8, 14, 15, 17, 19, 33], "sh": [8, 11, 16], "rather": 8, "unnecessari": 8, "prototyp": 8, "entir": 8, "perman": 8, "commandlin": [8, 19], "By": [8, 17, 23], "popul": 8, "sever": [8, 17, 19], "purg": [8, 14, 20], "opposit": 8, "delet": [8, 33], "itself": 8, "doe": [8, 17, 20, 25], "one": [8, 9, 11, 14, 15, 17, 18, 22, 33], "corpus": [8, 20], "intern": 8, "ipc": 8, "sort": 8, "relev": [8, 13, 20, 25], "mcat": 8, "view": [8, 16, 17, 23, 33], "msgpack": 8, "encod": 8, "tree": 8, "plot": 8, "gnuplot": 8, "stat": 8, "aggreg": 8, "csv": 8, "over": [8, 17, 33], "worker_stats_n": 8, "serial_nn": 8, "excerpt": 8, "irregular": 8, "crash_xxxxxx": 8, "kasan_xxxxxx": 8, "timeo_xxxxxx": 8, "evalu": 8, "upload": [8, 26, 32, 33], "payload_aaaaa": 8, "payload_bbbbb": 8, "payload_ccccc": 8, "payload_ddddd": 8, "catch": 8, "meta": 8, "node_aaaaa": 8, "node_bbbbb": 8, "node_ccccc": 8, "node_ddddd": 8, "kafl_socket": 8, "socket": [8, 11, 17, 20, 22], "interface_n": 8, "payload_n": 8, "aux_buffer_n": 8, "aux_buff": 8, "bitmap_n": 8, "ijon_n": 8, "radamsa_n": 8, "redqueen_workdir_n": 8, "addr": [8, 15], "cach": [8, 15, 17, 33], "global": [8, 18, 33], "main_crash_bitmap": 8, "main_kasan_bitmap": 8, "main_normal_bitmap": 8, "main_timeout_bitmap": 8, "fast_snapshot": 8, "mem_dump": 8, "mem_meta": 8, "qemu_st": 8, "fs_cach": 8, "readi": [8, 9, 11, 13, 14, 26, 33], "dive": [9, 11, 17], "alreadi": [9, 14, 15, 20, 22, 33], "familiar": [9, 11], "vocabulari": 9, "googl": 9, "glossari": 9, "term": 9, "overse": 9, "portion": 9, "sut": 9, "consid": [9, 33], "constitu": 9, 
"channel": [9, 19, 33], "extern": 9, "akin": 9, "simplifi": [9, 33], "malloc": 9, "payload_s": 9, "bake": [9, 11], "among": [10, 13, 14, 22], "closer": [10, 14, 22], "look": [10, 14, 15, 17, 19, 20, 22, 25, 33], "panel": [10, 14, 22], "column": [10, 14, 22], "processor": 11, "gen": 11, "skylak": 11, "although": [11, 19], "broadwel": 11, "addion": 11, "properli": 11, "intel_pt": 11, "cpuinfo": 11, "fi": 11, "prebuilt": [11, 15, 17], "dockerhub": 11, "method": 11, "give": [11, 17], "understand": [11, 12, 13, 15, 17, 18, 20, 25, 31], "what": [11, 17, 25], "furthermor": 11, "abl": [11, 12, 15, 23], "addition": [11, 19], "volum": [11, 20, 33], "isn": [11, 25], "unless": 11, "either": [11, 33], "gcc": [11, 26, 32], "sudo": [11, 20], "apt": [11, 20], "python3": [11, 17], "recent": 11, "04": [11, 15, 17], "debian": 11, "bullsey": 11, "insid": [11, 14, 22], "move": [11, 17, 18, 33], "glimps": 11, "without": [11, 17, 20, 22, 33], "touch": 11, "dry": 11, "prompt": 11, "press": 11, "confort": 11, "password": [11, 33], "passwordless": 11, "nopasswd": 11, "sudoer": 11, "just": [11, 15, 17], "newli": 11, "ti": [11, 20], "rm": [11, 20], "u": [11, 17, 20, 33], "getent": [11, 20], "cut": [11, 17, 20], "f3": [11, 20], "acsii": 11, "art": 11, "logo": 11, "__": [11, 17, 20], "___": [11, 17, 20], "________": [11, 17, 20], "_____": [11, 17, 20], "_________": [11, 17, 20], "____": [11, 17, 20], "_": [11, 17, 20], "pend": [11, 20, 22], "nyx_socket": [11, 17, 20, 22], "interface_0": [11, 20, 22], "serial_00": [11, 20, 22], "fast_vm_reload": [11, 17, 20, 22], "dirti": [11, 22], "ring": [11, 22], "1048576": [11, 22], "cpuid": [11, 17, 22], "01h": 11, "ecx": 11, "pcid": 11, "07h": [11, 17, 22], "ebx": [11, 17, 22], "hle": [11, 17, 22], "rtm": [11, 17, 22], "0x767b25d00000": 11, "invalid": [11, 20, 22], "ctrl": [11, 14, 17], "creceiv": 11, "kill": 11, "wait": [11, 17, 20, 33], "shutdown": [11, 26, 32], "shut": [11, 17], "pid": [11, 15, 17], "115166": 11, "regard": 11, "walk": [12, 16, 24, 30], 
"prepar": [12, 13], "insert": [12, 13, 15, 21, 25, 31], "analyz": [12, 17, 23], "At": [12, 23, 26], "comfort": 12, "grasp": 12, "onto": [12, 22], "tailor": 13, "broadli": 13, "categor": 13, "two": [13, 17, 21, 25, 31], "phase": [13, 20, 33], "optim": 13, "behavior": [13, 17], "map": [13, 15], "enhanc": [13, 16, 29, 31], "precis": [13, 23], "criteria": 13, "crucial": 13, "accur": [13, 20], "strictli": 13, "mandat": 13, "certain": [13, 25], "sequenc": [13, 19, 21, 22, 25, 26, 31, 32], "get_host_config": 13, "set_agent_config": 13, "acquir": 13, "get_payload": 13, "submit_pan": 13, "submit_kasan": 13, "submit_cr3": 13, "involv": 13, "But": [13, 17], "logic": [13, 25], "come": 13, "plai": [13, 17, 26, 32, 33], "next_payload": 13, "handl": [13, 33], "routin": 13, "checkout": 13, "agent_tutori": 13, "branch": [13, 20], "commit": 13, "oops_exit": 13, "kasan_report": [13, 15], "discuss": [13, 18], "appear": [13, 33], "improv": [13, 16, 17, 21, 25, 27, 30, 33], "alter": 13, "architectur": 13, "its": [13, 17, 18, 19, 22], "do_oops_enter_exit": 13, "print_oops_end_mark": 13, "kmsg_dump": 13, "kmsg_dump_oop": 13, "remain": [13, 25], "within": [13, 17, 19], "test_dvkm": [13, 18, 19], "pars": 13, "detectrang": 13, "mapfil": 13, "pattern": 13, "24576": 13, "0xffffffffc0201000": 13, "ret": [13, 17], "sscanf": 13, "lu": 13, "lx": [13, 17], "module_nam": 13, "module_s": 13, "instances_load": 13, "load_stat": 13, "kernel_offset": 13, "construct": 13, "ioctl": [13, 17, 18, 25], "io_buff": 13, "0xc": [13, 18], "ioctl_cod": 13, "0xd": 13, "ioctl_num": 13, "width": [13, 17, 18], "height": [13, 17, 18], "datas": [13, 15, 17, 18], "write_s": 13, "sizeof": [13, 18], "dvkm_obj": [13, 17, 18], "memcpi": [13, 18], "rest": 13, "fd": 13, "modulo": 13, "calcul": [13, 17, 18], "fill": 13, "ve": [13, 14, 31], "prevent": [13, 25], "congest": 13, "use_after_free_ioctl_handl": [13, 15], "io": [13, 18], "kernel_data_buff": [13, 18], "congratul": [13, 33], "comprehens": [13, 15, 18], "proce": [13, 14], 
"commenc": [13, 14], "review": [14, 22], "qemu_kernel": [14, 19], "qemu_initrd": [14, 19], "qemu_append": [14, 17, 19], "expos": [14, 18, 19], "examples_root": [14, 15, 17, 20], "linux_kafl_ag": [14, 17], "arch": [14, 17, 19, 20], "kafl_initrd": [14, 17], "cpio": [14, 17, 19], "gz": [14, 17, 19], "vda1": [14, 17, 20], "rw": [14, 15, 17, 20, 23], "earlyprintk": [14, 17], "ignore_loglevel": [14, 17], "increas": [14, 22], "dedic": [14, 22], "ressourc": [14, 22, 33], "resourc": 14, "2m00": 14, "149": 14, "1m27": 14, "observ": [14, 17], "room": 15, "dynam": [15, 20], "detector": 15, "solut": [15, 19], "free": [15, 18], "bound": 15, "access": [15, 17, 21], "again": [15, 33], "rule": [15, 17], "linux_agent_bzimag": [15, 17], "linux_agent_dir": [15, 17], "x86_64_defconfig": [15, 17], "module_sig": [15, 17], "debug_info_dwarf5": [15, 17], "gdb_script": [15, 17], "ifdef": 15, "dvkm_kasan": 15, "kasan_inlin": 15, "endif": 15, "recompil": [15, 19], "corrupt": [15, 33], "mm": [15, 17], "asm": [15, 17], "slab": 15, "588": 15, "590": 15, "bool": 15, "is_writ": 15, "print_report": 15, "end_report": 15, "irq_flag": 15, "user_access_restor": 15, "ua_flag": 15, "0m33": 15, "249": 15, "7k": 15, "9824": 15, "7529": 15, "0m27": 15, "0m23": 15, "150": 15, "0m08": 15, "0m15": 15, "oct": [15, 17], "06": [15, 17], "payload_00026": 15, "payload_00036": 15, "payload_00038": 15, "payload_00039": 15, "payload_00040": 15, "payload_00044": 15, "payload_00048": 15, "payload_00059": 15, "associ": [15, 18, 23], "kasan_": 15, "3376": 15, "kasan_020e1d": 15, "3565": 15, "kasan_1bfee1": 15, "2773": 15, "kasan_2253d6": 15, "3101": 15, "kasan_79191f": 15, "3517": 15, "kasan_9251db": 15, "3365": 15, "kasan_a034f": 15, "3514": 15, "kasan_b91a90": 15, "3388": 15, "kasan_f0e92d": 15, "6dvkm": [15, 17], "3bug": 15, "0x2a0": 15, "0x320": 15, "3read": 15, "ffff888008511390": 15, "fuzz_dvkm": [15, 17, 19], "3cpu": 15, "comm": [15, 17], "taint": [15, 17], "00004": [15, 17], "g6521682f674d": [15, 17], "3hardwar": 
15, "standard": [15, 17], "pc": [15, 17], "i440fx": [15, 17], "piix": [15, 17], "1996": [15, 17], "rel": [15, 17], "gc9ba5276e321": [15, 17], "org": [15, 17], "2014": [15, 17], "3call": 15, "dump_stack_lvl": 15, "0x37": [15, 17], "0x50": [15, 17], "0xcc": 15, "0x620": 15, "0xb0": 15, "0xf0": 15, "__x64_sys_ioctl": [15, 17], "0x12d": 15, "0x1a0": 15, "__pfx_string": 15, "0x10": 15, "__pte_offset_map_lock": 15, "0xdf": 15, "0x1e0": 15, "vsnprintf": [15, 17], "0x809": 15, "0x1600": 15, "__pfx_vsnprintf": 15, "ioctl_has_perm": 15, "constprop": 15, "isra": 15, "0x274": 15, "0x440": 15, "_printk": [15, 17], "0xce": 15, "0x120": 15, "__pfx__printk": 15, "kasan_set_track": 15, "0x25": 15, "0x30": [15, 17], "__kasan_kmalloc": 15, "0x7f": [15, 17], "0x90": [15, 17], "0x71": 15, "dvkm_ioctl": [15, 17], "0x1b2": [15, 17], "0x230": [15, 17], "proc_reg_unlocked_ioctl": [15, 17], "0x1a1": 15, "0x270": 15, "do_syscall_64": [15, 17], "0x3c": [15, 17], "entry_syscall_64_after_hwfram": [15, 17], "0x6e": [15, 17], "0xd8": [15, 17], "3rip": 15, "0033": [15, 17], "0x7fec88b37b3f": 15, "3code": 15, "44": [15, 17], "b8": [15, 17], "05": [15, 17, 23], "3d": [15, 17, 33], "ff": [15, 17], "8b": [15, 17], "2b": [15, 17], "3rsp": 15, "002b": [15, 17], "00007ffe5d840a80": 15, "eflag": [15, 17], "00000246c": [15, 17], "orig_rax": [15, 17], "0000000000000010": [15, 17], "3rax": 15, "ffffffffffffffda": [15, 17], "0000000000000000": [15, 17], "00007fec88b37b3f": 15, "3rdx": 15, "000056144fe16000": 15, "rsi": [15, 17], "00000000c018440a": 15, "rdi": [15, 17], "0000000000000003": [15, 17], "3rbp": 15, "00007ffe5d840b10": 15, "r08": [15, 17], "r09": [15, 17], "00007ffe5d83f7f0": 15, "3r10": 15, "r11": [15, 17], "0000000000000246": [15, 17], "r12": [15, 17], "00007ffe5d840c28": 15, "3r13": 15, "000056144fe119e0": 15, "r14": [15, 17], "000056144fe13d48": 15, "r15": [15, 17], "00007fec88c81040": 15, "3alloc": 15, "kasan_save_stack": 15, "0x22": 15, "__kmalloc": [15, 17], "0x5a": 15, "0x140": [15, 17], 
"0x2f": 15, "3the": 15, "buggi": 15, "belong": 15, "object": [15, 16, 24, 30], "ffff888008511380": 15, "kmalloc": [15, 18], "right": [15, 33], "physic": 15, "4page": 15, "____ptrval____": 15, "refcount": 15, "mapcount": 15, "0x8511": 15, "4flag": 15, "0x100000000000200": 15, "zone": 15, "4page_typ": 15, "0xffffffff": [15, 18], "4raw": 15, "0100000000000200": 15, "ffff8880064413c0": 15, "dead000000000122": 15, "0000000080800080": 15, "00000001ffffffff": 15, "becaus": [15, 25, 33], "bad": 15, "3memori": 15, "ffff888008511280": 15, "fc": [15, 17], "ffff888008511300": 15, "03": [15, 20], "ffff888008511400": 15, "ffff888008511480": 15, "07": [15, 17], "4disabl": 15, "feel": 15, "investig": 15, "consult": 15, "solid": 15, "insight": [15, 17], "focu": [16, 17, 19], "integ": [16, 17], "overflow": [16, 17], "brief": 17, "navig": [17, 19], "payload_00030": 17, "pushd": [17, 23], "b49691bd4b34": 17, "payload_00031": 17, "payload_00033": 17, "payload_00060": 17, "examin": 17, "hexdump": [17, 23], "represent": [17, 23, 25], "00000000": [17, 23], "6f": [17, 23], "00000007": 17, "9f": 17, "a8": 17, "0a": 17, "0000000c": 17, "usual": [17, 23, 31], "repres": [17, 18], "therefor": [17, 23, 25], "vari": 17, "suggest": 17, "5143": 17, "crash_3f7f7a": 17, "1714": 17, "crash_881bd2": 17, "5139": 17, "crash_908bf": 17, "2609": 17, "crash_fcdaa4": 17, "timeo_05da3a": 17, "timeo_153a4": 17, "timeo_1cfa76": 17, "timeo_2059ab": 17, "5124": 17, "timeo_3f7f7a": 17, "timeo_5ad762": 17, "2650": 17, "timeo_5d47b8": 17, "124": 17, "timeo_72bc3d": 17, "2668": 17, "timeo_72cc5a": 17, "2690": 17, "timeo_7c2cf3": 17, "timeo_828a72": 17, "4294": 17, "timeo_908bf": 17, "timeo_9d4034": 17, "timeo_acefe": 17, "timeo_e87026": 17, "117": 17, "timeo_f94ae": 17, "4022": 17, "timeo_fcdaa4": 17, "underflow": [17, 18], "1444607": 17, "1626121354": 17, "1297563293": 17, "\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4\u00e4": 17, "\u00ee": 17, "\u00e0": 17, "b\u00e16": 
17, "776200999": 17, "4warn": 17, "page_alloc": 17, "4453": 17, "__alloc_pag": 17, "0x2f0": 17, "link": 17, "rip": 17, "0010": 17, "eb": 17, "a3": 17, "09": 17, "0b": 17, "65": 17, "rsp": 17, "0018": 17, "ffffc900001cbe08": 17, "00010246c": 17, "0000000000040cc0": 17, "rdx": 17, "rbp": 17, "0000000000000027": 17, "r10": 17, "0000000000000008": 17, "203a657a69732064": 17, "0000000000000012": 17, "r13": 17, "ffffffffc0000522": 17, "00007fe4272b4740": 17, "0000": 17, "ffff88800f600000": 17, "knlg": 17, "cr0": 17, "0000000080050033": 17, "cr2": 17, "00007fe4273f0000": 17, "0000000004cdc006": 17, "cr4": 17, "00000000001706f0": 17, "__warn": 17, "0x130": 17, "report_bug": 17, "0x199": 17, "0x1b0": 17, "handle_bug": 17, "0x70": 17, "exc_invalid_op": 17, "0x18": 17, "asm_exc_invalid_op": 17, "0x1a": 17, "0x20": 17, "integer_underflow_ioctl_handl": 17, "0x112": 17, "0x170": 17, "0x3aa": 17, "0x560": 17, "__kmalloc_large_nod": 17, "0x79": 17, "0x150": 17, "0xbb": 17, "0x52": 17, "0xa0": 17, "0x89": 17, "0xc0": 17, "0x7fe4273d1b3f": 17, "00007ffd5dee4e10": 17, "00007fe4273d1b3f": 17, "000055c56318b000": 17, "00000000c0184401": 17, "00007ffd5dee4ea0": 17, "00007ffd5dee3b80": 17, "00007ffd5dee4fb8": 17, "000055c5631869e0": 17, "000055c563188d48": 17, "00007fe42751b040": 17, "1bug": 17, "derefer": [17, 25], "pf": 17, "supervisor": 17, "error_cod": 17, "0x0002": 17, "6pgd": 17, "cp4d": 17, "0002": 17, "preempt": 17, "smp": 17, "memcpy_orig": 17, "0x31": 17, "82": 17, "4e": 17, "56": 17, "57": 17, "5f": 17, "7f": 17, "d4": 17, "ffffc900001cbec0": 17, "00010202c": 17, "0000000051bc1cd9": 17, "0000000000000011": 17, "0000000000160abf": 17, "ffff888004e00020": 17, "ffff888004e00000": 17, "0fe40fe40fe40fe4": 17, "10e40fe40fe40fe4": 17, "000000002e43e327": 17, "ffff888004cf2500": 17, "__die": 17, "page_fault_oop": 17, "0x156": 17, "0x420": 17, "search_exception_t": 17, "fixup_except": 17, "0x21": 17, "0x310": 17, "exc_page_fault": 17, "0x69": 17, "asm_exc_page_fault": 17, "0x26": 17, 
"0x124": 17, "sometim": 17, "hasn": 17, "translat": 17, "proper": 17, "facil": [17, 23], "kern_level": 17, "kern_emerg": 17, "kern_soh": 17, "unus": 17, "kern_alert": 17, "taken": 17, "immedi": 17, "kern_crit": 17, "critic": [17, 21], "kern_err": 17, "kern_warn": 17, "kern_notic": 17, "signific": 17, "kern_info": 17, "kern_debug": 17, "replai": 17, "flow": [17, 18], "lead": [17, 20, 25, 31], "ll": [17, 19], "throught": 17, "exact": 17, "odd": 17, "anymor": [17, 20], "given": [17, 18, 20], "1337": 17, "interface_1337": 17, "serial_1337": 17, "1626121446": 17, "1371282556": 17, "0000000000000028": 17, "0000000000000009": 17, "0000000000000013": 17, "ffffffffc00003aa": 17, "integer_overflow_ioctl_handl": [17, 18], "0x10a": 17, "0x160": 17, "0x16a": 17, "00000000c0184400": 17, "0000000051bc1c7c": 17, "abababababababab": 17, "000000009f135b1a": 17, "0x11c": 17, "908bfe7fc5777d10": 17, "1303499": 17, "got": [17, 20, 22], "confirm": [17, 33], "receiv": [17, 25, 33], "could": [17, 33], "benefici": 17, "futur": 17, "particularli": 17, "valuabl": 17, "similar": [17, 30, 31], "gdbserver": 17, "interact": [17, 19, 25, 31], "real": 17, "clear": [17, 32], "led": 17, "paus": 17, "client": 17, "connect": [17, 33], "thu": 17, "thorough": 17, "preconfigur": 17, "dwarf5": 17, "vmlinux": 17, "damn_vulnerable_kernel_modul": [17, 19], "read": [17, 20], "0x000055561177f34d": 17, "scan": [17, 20], "0xffffffffc0000000": 17, "ko": [17, 19], "try": [17, 33], "put": 17, "oops_ent": 17, "hbreak": 17, "0xffffffffc0000c30": 17, "410": 17, "0xffffffff8114c660": 17, "623": 17, "405": 17, "406": 17, "407": 17, "408": 17, "409": 17, "noinlin": 17, "unsign": 17, "cmd": 17, "411": 17, "einval": 17, "412": 17, "__user": 17, "arg_us": 17, "413": 17, "414": 17, "disa": 17, "assembl": 17, "endbr64": 17, "0xffffffffc0000c34": 17, "0xffffffffc0000c37": 17, "je": 17, "0xffffffffc0000d65": 17, "309": 17, "0xffffffffc0000c3d": 17, "0xffffffffc0000c3e": 17, "0xffffffffc0000c41": 17, "cmp": 17, "0xc0184406": 17, 
"esi": 17, "0xffffffffc0000c47": 17, "0xffffffffc0000dff": 17, "463": 17, "0xffffffffc0000c4d": 17, "29": [17, 18], "ja": 17, "0xffffffffc0000c91": 17, "0xffffffffc0000c4f": 17, "0xc0184402": 17, "0xffffffffc0000c55": 17, "0xffffffffc0000e18": 17, "488": 17, "0xffffffffc0000c5b": 17, "43": [17, 18], "jbe": 17, "0xffffffffc0000d1e": 17, "238": 17, "0xffffffffc0000c61": 17, "0xc0184403": 17, "0xffffffffc0000c67": 17, "55": 17, "0xffffffffc0000d9f": 17, "367": 17, "0xffffffffc0000c6d": 17, "0xc0184405": 17, "0xffffffffc0000c73": 17, "jne": 17, "0xffffffffc0000c89": 17, "0xffffffffc0000c75": 17, "69": [17, 23], "0xffffffffc00104a0": 17, "0xffffffffc0000c7c": 17, "0xffffffff8127e7a0": 17, "0xffffffffc0000c81": 17, "0xffffffffc0000c84": 17, "0xffffffffc0000a20": 17, "stack_oobr_ioctl_handl": 17, "xor": 17, "eax": 17, "0xffffffffc0000c8b": 17, "pop": 17, "0xffffffffc0000c8c": 17, "bt": 17, "0xffffffff810812dc": 17, "oops_begin": 17, "dumpstack": 17, "338": 17, "0xffffffff81081cfe": 17, "die_addr": 17, "str": 17, "0xffff888007f27b2c": 17, "fault": 17, "canon": 17, "0xe0000be0d732a202": 17, "reg": 17, "0xffff888007f27bb8": 17, "err": 17, "gp_addr": 17, "2305829948902694398": 17, "454": 17, "0xffffffff83c43378": 17, "__exc_general_protect": 17, "trap": 17, "784": 17, "exc_general_protect": 17, "729": 17, "0xffffffff83e01206": 17, "asm_exc_general_protect": 17, "idtentri": 17, "564": 17, "0xffff888007f27e80": 17, "0xffffffff86060000": 17, "hprintf_buff": 17, "0x1ffff11000fe4f90": 17, "0xffffffff8605f044": 17, "0xffffffff8605f012": 17, "0x00007f06b9951016": 17, "0x1ffffffff092a03d": 17, "0xffffffffc0010175": 17, "0x203a61746164205d": 17, "0xdffffc0000000000": 17, "0x00000fe0d732a202": 17, "0x00320a00ffffff04": 17, "0x0000000000000005": 17, "fixed_percpu_data": 17, "19": [17, 20, 22], "0x0000000000000000": 17, "embed": 17, "seem": 17, "unreali": 17, "had": 17, "additionali": 17, "reliabl": 17, "aslr": 17, "hopefulli": 17, "captur": 17, "capac": 17, "stai": 17, "tune": 17, 
"aim": 18, "hardik": 18, "shah": 18, "train": 18, "deliber": 18, "secur": [18, 25], "heap": 18, "origin": 18, "syzkal": 18, "show": [18, 20], "module_init": 18, "dvkm_init": 18, "turn": 18, "outlin": [18, 19], "below": 18, "geneat": 18, "num": 18, "_iowr": 18, "dvkm_ioctl_mag": 18, "dvkm_ioctl_integer_overflow": 18, "dvkm_ioctl_integer_underflow": 18, "0x1": 18, "dvkm_ioctl_stack_buffer_overflow": 18, "0x2": 18, "dvkm_ioctl_heap_buffer_overflow": 18, "0x3": 18, "dvkm_ioctl_divide_by_zero": 18, "0x4": 18, "dvkm_ioctl_stack_oobr": 18, "0x5": 18, "dvkm_ioctl_stack_oobw": 18, "0x6": 18, "dvkm_ioctl_heap_oobr": 18, "0x7": 18, "dvkm_ioctl_heap_oobw": 18, "dvkm_ioctl_memory_leak": 18, "0x9": 18, "dvkm_ioctl_use_after_fre": 18, "0xa": 18, "dvkm_ioctl_use_double_fre": 18, "0xb": 18, "dvkm_ioctl_null_pointer_derefr": 18, "k_dvkm_obj": 18, "supplementari": 18, "diagram": [18, 25], "flaw": [18, 25], "dissect": 18, "kernel_buff": 18, "copy_from_us": 18, "fail": [18, 20, 26, 32, 33], "gfp_kernel": 18, "kfree": 18, "summari": 18, "incorrect": 18, "nuanc": 18, "exploit": 18, "obj": 18, "2399610": 18, "305747497": 18, "focus": 19, "streamlin": 19, "rapid": 19, "qemu_imag": [19, 22], "tradit": 19, "necessit": 19, "bootabl": 19, "feasibl": 19, "practic": 19, "challeng": 19, "fresh": 19, "qcow2": [19, 33], "repeat": 19, "cumbersom": 19, "ssh": [19, 33], "plan": 19, "virtf": 19, "smb": 19, "nf": 19, "demonstr": 19, "winrm": [19, 33], "bootng": 19, "reli": [19, 23], "craft": 19, "busybox": 19, "filesystem": [19, 20], "expedi": 19, "req_stream_data_bulk": 19, "dump_fil": 19, "hcat": 19, "hget": 19, "hpush": 19, "elimin": 19, "loader": 19, "multifacet": 19, "ideal": 19, "gather": [19, 20, 26, 32], "organ": 19, "licens": [19, 33], "symver": 19, "successfulli": [19, 33], "benefit": 20, "cross": 20, "silli": 20, "world": 20, "tdx": 20, "pci": 20, "mmio": 20, "pio": 20, "virtio": [20, 33], "b": 20, "depth": 20, "gawk": 20, "bison": 20, "flex": 20, "openssl": 20, "libssl": 20, "libelf": 20, 
"lz4": 20, "dwarv": 20, "cp": 20, "vanilla": 20, "nproc": 20, "512": 20, "mkdir": [20, 26, 32], "un": 20, "mnt": 20, "seed_dir": 20, "netdev": 20, "mynet0": 20, "nowait": [20, 22], "02": 20, "5637": 20, "56msec": 20, "2kb": [20, 22], "261": 20, "605": 20, "743": 20, "55msec": 20, "2298": 20, "2785": 20, "20msec": 20, "576": 20, "62msec": 20, "644": 20, "2072": 20, "99msec": 20, "52msec": 20, "49msec": 20, "25msec": 20, "42": 20, "3502": 20, "80msec": 20, "k": [20, 31], "8667": 20, "15msec": 20, "calibr": 20, "1516": 20, "796": 20, "27msec": 20, "19msec": 20, "61msec": 20, "636": 20, "1132": 20, "54msec": 20, "trim": 20, "272": 20, "50msec": 20, "26msec": 20, "81msec": 20, "247": 20, "41msec": 20, "670": 20, "44msec": 20, "1kb": 20, "trim_cent": 20, "graphic": [20, 33], "pt_trace_dump_nn": 20, "best": [20, 23], "big": 20, "complain": 20, "miss": 20, "retain": 20, "finish": [20, 25], "never": 20, "happen": 20, "op": 20, "did": 20, "libxdc_decode_error": 20, "altern": 20, "unsupport": 20, "libcapston": 20, "minor": 20, "ftrace": 20, "label": 20, "xyz": 20, "emul": 20, "leak": 20, "explan": 21, "cover": [21, 31], "foundat": 21, "beginnn": 21, "excel": 21, "candid": 21, "aid": 21, "identif": 21, "faulti": [21, 23], "port": [21, 32, 33], "kalf": 22, "windows_x86_64": [22, 25, 26, 27, 31, 32, 33], "xeon": 22, "core": [22, 25], "250gb": 22, "almost": [22, 33], "90k": 22, "sec": 22, "2698": 22, "2838": 22, "2817": 22, "2762": 22, "2763": 22, "2861": 22, "2816": 22, "2806": 22, "2844": 22, "2799": 22, "2779": 22, "2802": 22, "2789": 22, "2833": 22, "2803": 22, "2818": 22, "2794": 22, "2739": 22, "2712": 22, "2881": 22, "2863": 22, "vuln_test": [22, 25, 26, 32], "afterward": 22, "know": 22, "successfuli": 22, "soon": 22, "libvirt": [22, 24, 30], "windows_x86_64_vagr": [22, 33], "img": [22, 33], "monitor": 22, "unix": 22, "tmp": 22, "sock": 22, "0x7f3065101000": 22, "0x10000": 22, "0x20000": 22, "85msec": 22, "18m51": 22, "19m38": 22, "18m54": 22, "sep": 23, "54": 23, 
"payload_00015": 23, "payload_00018": 23, "00015": 23, "00018": 23, "highlight": [23, 30], "6e": 23, "c5": 23, "ab": 23, "pwntownto": 23, "00000010": 23, "b9": 23, "0000001a": 23, "w00twi": 23, "8x": 23, "0000000e": 23, "clearli": 23, "earlier": 23, "pwntown": [23, 25], "w00t": [23, 25], "occur": 23, "contextu": 23, "minidump": 23, "systemroot": 23, "windbg": 23, "reveal": 23, "anoth": 23, "statement": 23, "nail": 23, "msvc": [23, 25, 33], "coupl": 23, "dbgprint": [23, 25], "educ": [25, 31], "nor": 25, "src": [25, 26, 31, 32], "crashm": 25, "ntstatu": 25, "IN": 25, "pio_stack_loc": 25, "irpstack": 25, "pchar": 25, "userbuff": 25, "deviceiocontrol": 25, "type3inputbuff": 25, "inputbufferlength": 25, "0xe": 25, "status_success": 25, "vuln": [25, 26, 32], "drv": 25, "pw": 25, "pwn": 25, "pwnt": 25, "pwnto": 25, "pwntow": 25, "w0": 25, "w00": 25, "psize_t": 25, "recogn": [25, 31], "showcas": 25, "quickli": 25, "comparison": 25, "deeper": 25, "untouch": 25, "along": 25, "microsoft": [25, 33], "init_agent_handshak": 25, "kafl_vuln_handl": 25, "ioctl_kafl_input": 25, "lpvoid": 25, "dword": 25, "back": 25, "awar": 25, "hook": 25, "enumdevicedriv": 25, "retriev": [25, 33], "getdevicedriverfilenam": 25, "ntoskrnl": 25, "loadlibrari": 25, "getprocaddress": 25, "sent": 25, "kaflvulnerabledriv": [25, 26], "ntquerysysteminform": 25, "systemobjectinform": 25, "why": 25, "lot": 25, "lucki": 25, "situat": 25, "ditch": 25, "symlink": [26, 32], "sartup": [26, 32], "provision_driv": 26, "w64": [26, 32], "mingw32": [26, 32], "selffuzz_test": [26, 31, 32], "wall": [26, 32], "mwindow": [26, 32], "lntdll": [26, 32], "lpsapi": [26, 32], "ready_provis": [26, 32, 33], "target_har": [26, 32], "provision": [26, 32, 33], "host_shel": [26, 32], "ok": [26, 32], "192": [26, 32, 33], "168": [26, 32, 33], "122": [26, 32, 33], "login": [26, 32], "msbuild": [26, 32], "vuln_driv": [26, 32], "recap": [26, 32], "unreach": [26, 32], "rescu": [26, 32], "ignor": [26, 32], "halt": [26, 32], "grace": [26, 
32], "leav": [26, 32, 33], "4g": [27, 33], "selffuzz": [29, 32], "fuzzm": [29, 31], "procedur": 30, "user_fast_acquir": 30, "deliberatli": 31, "kept": 31, "experi": 31, "0x11": 31, "provision_userspac": 32, "fortun": 33, "enterpris": 33, "x64": 33, "22h2": 33, "sdk": 33, "wdk": 33, "visual": 33, "studio": 33, "testsign": 33, "recip": 33, "mention": 33, "abov": 33, "third": 33, "parti": 33, "edit": 33, "conjonct": 33, "reus": 33, "those": 33, "win10": 33, "pkrvar": 33, "hcl": 33, "8192": 33, "pkr": 33, "wish": 33, "opt": 33, "yourself": 33, "legal": 33, "color": 33, "iso": 33, "fwlink": 33, "linkid": 33, "2208844": 33, "clcid": 33, "0x409": 33, "cultur": 33, "en": 33, "countri": 33, "sha256": 33, "3aef7312733a9f5d7d51cfa04ac497671995674ca5e1058d5164d6028f0938d668": 33, "d731b3f758e61d53033aa8a67d3d8a3050aa1122": 33, "floppi": 33, "flatli": 33, "floppy_fil": 33, "answer_fil": 33, "autounattend": 33, "xml": 33, "fixnetwork": 33, "ps1": 33, "setup_winrm_publ": 33, "bat": 33, "floppy_dir": 33, "floppy_cont": 33, "3573": 33, "5900": 33, "6000": 33, "rom": 33, "headless": 33, "screen": 33, "vnc": 33, "5973": 33, "qemuarg": 33, "netbridg": 33, "stepwaitguestaddress": 33, "127": 33, "artifact": 33, "1h": 33, "packer_log": 33, "packer_windows_libvirt": 33, "box": 33, "kafl_window": 33, "destroi": 33, "aa61f0e482954cec9b853f9b8837a088": 33, "storag": 33, "pool": 33, "virsh": 33, "virt": 33, "unpack": 33, "awai": 33, "bring": 33, "timestamp": 33, "www": 33, "vagrantup": 33, "domain": 33, "vagrantfil": 33, "acpi": 33, "apic": 33, "pae": 33, "clock": 33, "utc": 33, "4096m": 33, "vda": 33, "64g": 33, "spice": 33, "websocket": 33, "video": 33, "cirru": 33, "vram": 33, "16384": 33, "accel": 33, "keymap": 33, "tpm": 33, "passthrough": 33, "mous": 33, "bu": 33, "ps2": 33, "spicevmc": 33, "target_typ": 33, "target_nam": 33, "redhat": 33, "5985": 33, "usernam": 33, "execution_time_limit": 33, "pt2h": 33, "transport": 33, "negoti": 33, "55985": 33, "eth0": 33, "5986": 33, "55986": 33}, 
"objects": {}, "objtypes": {}, "objnames": {}, "titleterms": {"research": 0, "paper": 0, "build": [1, 13, 20, 33], "document": [1, 3], "github": 2, "action": [2, 5, 17], "ci": 2, "cd": 2, "1": [2, 5, 11, 18, 20], "deploi": [2, 11], "kernel": [2, 13, 19, 20], "2": [2, 5, 11, 19, 20], "set": [2, 5, 11, 25], "up": 2, "docker": 2, "3": [2, 5, 11, 13, 20], "setup": [2, 19, 33], "runner": 2, "4": [2, 11, 14, 20], "us": 2, "kafl": [2, 3, 4, 6, 7, 8, 9, 11, 14, 17, 19, 22, 25, 31], "refer": [2, 3], "": 3, "featur": 3, "compon": 3, "content": [3, 8], "tutori": [3, 16], "how": 3, "guid": 3, "context": 3, "develop": 3, "deploy": 4, "system": 4, "modif": 4, "makefil": 4, "target": [4, 9, 13, 18, 19, 20, 21, 25, 27, 31], "extra_arg": 4, "ansibl": 4, "tag": 4, "galaxi": 4, "compos": 4, "intellab": 4, "collect": 4, "reus": 4, "fuzzer": 5, "configur": [5, 8, 20], "sourc": [5, 11, 18, 25, 31], "preced": 5, "overrid": 5, "from": 5, "environ": [5, 11], "variabl": 5, "kei": 5, "abort_exec": 5, "abort_tim": 5, "afl_arith_max": 5, "afl_dumb_mod": 5, "afl_skip_zero": 5, "bitmap_s": 5, "cpu_offset": 5, "debug": [5, 17, 23], "dict": 5, "funki": 5, "gdbserver": 5, "grimoir": 5, "input": 5, "ip0": 5, "iter": 5, "kickstart": 5, "log": [5, 17, 23], "log_crash": 5, "log_hprintf": 5, "payload_s": 5, "process": 5, "ptdump_path": 5, "purg": 5, "qemu_append": 5, "qemu_bas": 5, "qemu_bio": 5, "qemu_extra": 5, "qemu_imag": 5, "qemu_initrd": 5, "qemu_kernel": 5, "qemu_memori": 5, "qemu_path": 5, "qemu_seri": 5, "qemu_snapshot": 5, "quiet": 5, "radamsa_path": 5, "radamsa": 5, "redqueen_simpl": 5, "redqueen_hamm": 5, "redqueen_hash": 5, "redqueen": 5, "reload": [5, 25], "resum": 5, "seed_dir": 5, "sharedir": [5, 19], "timeout_check": 5, "timeout_hard": 5, "timeout_soft": 5, "trace_cb": 5, "trace": 5, "verbos": 5, "work_dir": 5, "nyx": 6, "hypercal": 6, "api": 6, "essenti": 6, "acquir": 6, "releas": 6, "get_payload": 6, "next_payload": 6, "fuzz": [6, 14, 20, 21, 22, 24, 25, 27, 28, 30], "snapshot": 6, 
"restor": 6, "without": 6, "get_host_config": 6, "set_agent_config": 6, "panic": [6, 25], "kasan": [6, 15], "submit_pan": 6, "submit_kasan": 6, "further": 6, "option": [6, 8], "printf": 6, "range_submit": 6, "submit_cr3": 6, "user_abort": 6, "user_submit_mod": 6, "user_range_advis": 6, "req_stream_data": 6, "dump_fil": 6, "user_fast_acquir": [6, 29], "lock": 6, "req_stream_data_bulk": 6, "persist_page_past_snapshot": 6, "util": 6, "function": 6, "habort": 6, "hprintf": 6, "untest": 6, "fulli": 6, "integr": 6, "deprec": 6, "user": 7, "interfac": 7, "gui": [7, 14, 20, 22], "workdir": 8, "usag": 8, "convent": 8, "detail": 8, "concept": 9, "agent": [9, 13, 19, 25, 31], "pick": 9, "instal": 11, "requir": 11, "hardwar": 11, "softwar": 11, "clone": 11, "make": 11, "env": 11, "5": [11, 17, 20], "verifi": 11, "6": [11, 15, 20], "On": 11, "next": [11, 20], "step": [11, 20], "introduct": 12, "protocol": 13, "initi": [13, 25], "har": [13, 25], "dvkm": [13, 16, 19], "crash": [13, 17, 23], "campaign": [14, 15, 17, 22, 28], "run": [14, 15, 22], "follow": [14, 22], "progress": [14, 22], "improv": [15, 29], "compil": 15, "an": 15, "enhanc": 15, "view": 15, "report": 15, "section": 16, "explor": [17, 23], "result": 17, "corpu": [17, 23], "singl": 17, "gdb": 17, "analysi": [18, 23, 25, 31], "object": [18, 25, 31], "code": [18, 25, 31], "overview": 18, "integ": 18, "overflow": 18, "workflow": 19, "virtual": 19, "our": 19, "qemu": 19, "imag": 19, "direct": 19, "boot": 19, "initrd": 19, "sh": 19, "gen_initrd": 19, "vmcall": 19, "summari": 19, "linux": [20, 21], "download": 20, "patch": 20, "port": 20, "your": 20, "prefer": 20, "start": 20, "coverag": 20, "7": 20, "known": 20, "issu": 20, "locat": 23, "vulner": [23, 25, 31], "window": [23, 24, 27, 33], "dump": 23, "ad": 23, "driver": 24, "implement": [25, 31], "specif": 25, "handler": 25, "ip": 25, "rang": 25, "non": 25, "mode": 25, "provis": [26, 32], "guest": [26, 32], "vm": [26, 32, 33], "userspac": 30, "program": 30, "templat": 33, 
"tool": 33, "import": 33, "vagrant": 33, "libvirt": 33}, "envversion": {"sphinx.domains.c": 3, "sphinx.domains.changeset": 1, "sphinx.domains.citation": 1, "sphinx.domains.cpp": 9, "sphinx.domains.index": 1, "sphinx.domains.javascript": 3, "sphinx.domains.math": 2, "sphinx.domains.python": 4, "sphinx.domains.rst": 2, "sphinx.domains.std": 2, "sphinx": 60}, "alltitles": {"Research Papers": [[0, "research-papers"]], "Building the documentation": [[1, "building-the-documentation"]], "Github Actions CI/CD": [[2, "github-actions-ci-cd"]], "1 - Deploying the kernel": [[2, "deploying-the-kernel"]], "2 - Setting up Docker": [[2, "setting-up-docker"]], "3 - Setup the Github Actions Runner": [[2, "setup-the-github-actions-runner"]], "4 - Using kafl.actions": [[2, "using-kafl-actions"]], "References": [[2, "references"]], "\ud83d\udcd7 kAFL\u2019s Documentation": [[3, "kafl-s-documentation"]], "Features": [[3, "features"]], "Components": [[3, "components"]], "Contents": [[3, "contents"]], "Tutorials": [[3, null]], "How-to guides": [[3, null]], "Reference": [[3, null]], "Context": [[3, null]], "Development": [[3, null]], "Deployment": [[4, "deployment"]], "System modifications": [[4, "system-modifications"]], "Makefile targets": [[4, "makefile-targets"]], "EXTRA_ARGS": [[4, null]], "Ansible tags": [[4, "ansible-tags"]], "Ansible Galaxy and composability": [[4, "ansible-galaxy-and-composability"]], "intellabs.kafl Ansible collection": [[4, "intellabs-kafl-ansible-collection"]], "Reusing the collection": [[4, "reusing-the-collection"]], "Fuzzer Configuration": [[5, "fuzzer-configuration"]], "Configuration sources and precedence": [[5, "configuration-sources-and-precedence"]], "Overriding settings from environment variables": [[5, "overriding-settings-from-environment-variables"]], "Configuration keys": [[5, "configuration-keys"]], "abort_exec": [[5, "abort-exec"]], "abort_time": [[5, "abort-time"]], "action": [[5, "action"]], "afl_arith_max": [[5, "afl-arith-max"]], 
"afl_dumb_mode": [[5, "afl-dumb-mode"]], "afl_skip_zero": [[5, "afl-skip-zero"]], "bitmap_size": [[5, "bitmap-size"]], "cpu_offset": [[5, "cpu-offset"]], "debug": [[5, "debug"]], "dict": [[5, "dict"]], "funky": [[5, "funky"]], "gdbserver": [[5, "gdbserver"]], "grimoire": [[5, "grimoire"]], "input": [[5, "input"]], "ip0-1-2-3": [[5, "ip0-1-2-3"]], "iterations": [[5, "iterations"]], "kickstart": [[5, "kickstart"]], "log": [[5, "log"]], "log_crashes": [[5, "log-crashes"]], "log_hprintf": [[5, "log-hprintf"]], "payload_size": [[5, "payload-size"]], "processes": [[5, "processes"]], "ptdump_path": [[5, "ptdump-path"]], "purge": [[5, "purge"]], "qemu_append": [[5, "qemu-append"]], "qemu_base": [[5, "qemu-base"]], "qemu_bios": [[5, "qemu-bios"]], "qemu_extra": [[5, "qemu-extra"]], "qemu_image": [[5, "qemu-image"]], "qemu_initrd": [[5, "qemu-initrd"]], "qemu_kernel": [[5, "qemu-kernel"]], "qemu_memory": [[5, "qemu-memory"]], "qemu_path": [[5, "qemu-path"]], "qemu_serial": [[5, "qemu-serial"]], "qemu_snapshot": [[5, "qemu-snapshot"]], "quiet": [[5, "quiet"]], "radamsa_path": [[5, "radamsa-path"]], "radamsa": [[5, "radamsa"]], "redqueen_simple": [[5, "redqueen-simple"]], "redqueen_hammer": [[5, "redqueen-hammer"]], "redqueen_hashes": [[5, "redqueen-hashes"]], "redqueen": [[5, "redqueen"]], "reload": [[5, "reload"]], "resume": [[5, "resume"]], "seed_dir": [[5, "seed-dir"]], "sharedir": [[5, "sharedir"], [19, "sharedir"]], "timeout_check": [[5, "timeout-check"]], "timeout_hard": [[5, "timeout-hard"]], "timeout_soft": [[5, "timeout-soft"]], "trace_cb": [[5, "trace-cb"]], "trace": [[5, "trace"]], "verbose": [[5, "verbose"]], "work_dir": [[5, "work-dir"]], "kAFL/Nyx Hypercall API": [[6, "kafl-nyx-hypercall-api"]], "Essential hypercalls": [[6, "essential-hypercalls"]], "ACQUIRE / RELEASE": [[6, "acquire-release"]], "GET_PAYLOAD": [[6, "get-payload"]], "NEXT_PAYLOAD": [[6, "next-payload"]], "Fuzzing with snapshot restore": [[6, "fuzzing-with-snapshot-restore"]], "Fuzzing without 
snapshot restore": [[6, "fuzzing-without-snapshot-restore"]], "GET_HOST_CONFIG": [[6, "get-host-config"]], "SET_AGENT_CONFIG": [[6, "set-agent-config"]], "PANIC / KASAN": [[6, "panic-kasan"]], "SUBMIT_PANIC / SUBMIT_KASAN": [[6, "submit-panic-submit-kasan"]], "Further optional hypercalls": [[6, "further-optional-hypercalls"]], "PRINTF": [[6, "printf"]], "RANGE_SUBMIT": [[6, "range-submit"]], "SUBMIT_CR3": [[6, "submit-cr3"]], "USER_ABORT": [[6, "user-abort"]], "USER_SUBMIT_MODE": [[6, "user-submit-mode"]], "USER_RANGE_ADVISE": [[6, "user-range-advise"]], "REQ_STREAM_DATA": [[6, "req-stream-data"]], "DUMP_FILE": [[6, "dump-file"]], "USER_FAST_ACQUIRE": [[6, "user-fast-acquire"], [29, "user-fast-acquire"]], "LOCK": [[6, "lock"]], "REQ_STREAM_DATA_BULK": [[6, "req-stream-data-bulk"]], "PERSIST_PAGE_PAST_SNAPSHOT": [[6, "persist-page-past-snapshot"]], "Utility functions": [[6, "utility-functions"]], "habort": [[6, "habort"]], "hprintf": [[6, "hprintf"]], "Untested and not fully integrated": [[6, "untested-and-not-fully-integrated"]], "Deprecated": [[6, "deprecated"]], "kAFL User Interface": [[7, "kafl-user-interface"]], "kAFL GUI": [[7, "kafl-gui"]], "kAFL Workdir": [[8, "kafl-workdir"]], "Usage Conventions": [[8, "usage-conventions"]], "Configuration Options": [[8, "configuration-options"]], "Detailed Content": [[8, "detailed-content"]], "Concepts": [[9, "concepts"]], "kAFL Agent": [[9, "kafl-agent"]], "Pick a Target !": [[9, "pick-a-target"]], "Installation": [[11, "installation"]], "1. Requirements": [[11, "requirements"]], "1.1 Hardware": [[11, "hardware"]], "1.2 Software": [[11, "software"]], "2. Cloning the sources": [[11, "cloning-the-sources"]], "3. Deploying kAFL : make deploy": [[11, "deploying-kafl-make-deploy"]], "4. Setting kAFL environment : make env": [[11, "setting-kafl-environment-make-env"]], "5. Verify the installation": [[11, "verify-the-installation"]], "6. 
On to the next steps !": [[11, "on-to-the-next-steps"]], "Introduction": [[12, "introduction"]], "3 - Building the agent": [[13, "building-the-agent"]], "Agent protocol": [[13, "agent-protocol"]], "Initialization": [[13, "initialization"], [13, "id1"]], "Harness": [[13, "harness"], [13, "id2"]], "DVKM target": [[13, "dvkm-target"]], "Kernel crash": [[13, "kernel-crash"]], "4 - Fuzzing campaign": [[14, "fuzzing-campaign"]], "Running kafl fuzz": [[14, "running-kafl-fuzz"], [22, "running-kafl-fuzz"]], "Follow the progress with kafl gui": [[14, "follow-the-progress-with-kafl-gui"], [22, "follow-the-progress-with-kafl-gui"]], "6 - Improvements: KASAN": [[15, "improvements-kasan"]], "Compiling with KASAN": [[15, "compiling-with-kasan"]], "Running an enhanced campaign": [[15, "running-an-enhanced-campaign"]], "Viewing a KASAN report": [[15, "viewing-a-kasan-report"]], "DVKM": [[16, "dvkm"]], "DVKM tutorial sections": [[16, null]], "5 - Exploring campaign results": [[17, "exploring-campaign-results"]], "Exploring the corpus": [[17, "exploring-the-corpus"], [23, "exploring-the-corpus"]], "Crash logs": [[17, "crash-logs"]], "kafl debug": [[17, "kafl-debug"]], "Action single": [[17, "action-single"]], "Action gdb": [[17, "action-gdb"]], "1 - Target analysis": [[18, "target-analysis"]], "Objectives": [[18, "objectives"], [25, "objectives"], [31, "objectives"]], "Source code overview": [[18, "source-code-overview"]], "Integer Overflow": [[18, "integer-overflow"]], "2 - kAFL workflow": [[19, "kafl-workflow"]], "Virtualizing our target": [[19, "virtualizing-our-target"]], "QEMU Image": [[19, "qemu-image"]], "Direct Kernel Boot and initrd": [[19, "direct-kernel-boot-and-initrd"]], "Initrd and agent.sh workflow": [[19, "initrd-and-agent-sh-workflow"]], "gen_initrd.sh": [[19, "gen-initrd-sh"]], "vmcall": [[19, "vmcall"]], "agent.sh": [[19, "agent-sh"]], "Summary": [[19, "summary"]], "DVKM workflow setup": [[19, "dvkm-workflow-setup"]], "Linux Kernel target": [[20, 
"linux-kernel-target"]], "1. Download patched Linux kernel (or port to your preferred kernel)": [[20, "download-patched-linux-kernel-or-port-to-your-preferred-kernel"]], "2. Configure and build target kernel": [[20, "configure-and-build-target-kernel"]], "3. Start fuzzing!": [[20, "start-fuzzing"]], "4. GUI": [[20, "gui"]], "5. Coverage": [[20, "coverage"]], "6. Next Steps": [[20, "next-steps"]], "7) Known Issues": [[20, "known-issues"]], "Linux Target": [[21, "linux-target"]], "Fuzzing on Linux": [[21, null]], "Fuzzing Campaign": [[22, "fuzzing-campaign"], [28, "fuzzing-campaign"]], "Crash Analysis": [[23, "crash-analysis"]], "Locating the vulnerability": [[23, "locating-the-vulnerability"]], "Windows crash dumps": [[23, "windows-crash-dumps"]], "Adding debug logs": [[23, "adding-debug-logs"]], "Driver": [[24, "driver"]], "Fuzzing a Windows driver": [[24, null]], "Target analysis": [[25, "target-analysis"], [31, "target-analysis"]], "Source code": [[25, "source-code"], [31, "source-code"]], "Vulnerability": [[25, "vulnerability"], [31, "vulnerability"]], "kAFL agent implementation": [[25, "kafl-agent-implementation"]], "Agent initialization": [[25, "agent-initialization"]], "Fuzzing harness": [[25, "fuzzing-harness"]], "Target specific": [[25, "target-specific"]], "Panic handlers": [[25, "panic-handlers"]], "Set IP ranges": [[25, "set-ip-ranges"]], "Non reload mode": [[25, "non-reload-mode"]], "Provision the guest VM": [[26, "provision-the-guest-vm"], [32, "provision-the-guest-vm"]], "Windows Target": [[27, "windows-target"]], "Fuzzing on Windows": [[27, null]], "Improvments": [[29, "improvments"]], "Userspace": [[30, "userspace"]], "Fuzzing a userspace program": [[30, null]], "kAFL Agent Implementation": [[31, "kafl-agent-implementation"]], "Windows VM Template": [[33, "windows-vm-template"]], "Setup the tooling": [[33, "setup-the-tooling"]], "Build the Windows VM Template": [[33, "build-the-windows-vm-template"]], "Import the template into Vagrant": [[33, 
"import-the-template-into-vagrant"]], "Import into libvirt": [[33, "import-into-libvirt"]]}, "indexentries": {}})
\ No newline at end of file
diff --git a/tutorials/installation.html b/tutorials/installation.html
index 0b2db044..ecc2d0a2 100644
--- a/tutorials/installation.html
+++ b/tutorials/installation.html
@@ -442,14 +442,48 @@

5. Verify the installation

-    __                        __  ___    ________
-   / /_____  _________  ___  / / /   |  / ____/ /
-  / //_/ _ \/ ___/ __ \/ _ \/ / / /| | / /_  / /
- / ,< /  __/ /  / / / /  __/ / / ___ |/ __/ / /___
-/_/|_|\___/_/  /_/ /_/\___/_/ /_/  |_/_/   /_____/
-===================================================
+    __                        __  ___    ________
+   / /_____  _________  ___  / / /   |  / ____/ /
+  / //_/ _ \/ ___/ __ \/ _ \/ / / /| | / /_  / /
+ / ,< /  __/ /  / / / /  __/ / / ___ |/ __/ / /___
+/_/|_|\___/_/  /_/ /_/\___/_/ /_/  |_/_/   /_____/
+===================================================
 
-<< kAFL Fuzzer >>
+<< kAFL Fuzzer >>
+
+Warning: Launching without --seed-dir?
+No PT trace region defined.
+00:00:00:     0 exec/s,    0 edges,  0% favs pending, findings: <0, 0, 0>
+Worker-00 Launching virtual machine...
+/home/mtarral/kafl/kafl/qemu/x86_64-softmmu/qemu-system-x86_64
+        -enable-kvm
+        -machine kAFL64-v1
+        -cpu kAFL64-Hypervisor-v1,+vmx
+        -no-reboot
+        -net none
+        -display none
+        -chardev socket,server,id=nyx_socket,path=/dev/shm/kafl_mtarral/interface_0
+        -device nyx,chardev=nyx_socket,workdir=/dev/shm/kafl_mtarral,worker_id=0,bitmap_size=65536,input_buffer_size=131072
+        -device isa-serial,chardev=kafl_serial
+        -chardev file,id=kafl_serial,mux=on,path=/dev/shm/kafl_mtarral/serial_00.log
+        -m 256
+        -fast_vm_reload path=/dev/shm/kafl_mtarral/snapshot/,load=off
+[QEMU-NYX] Max Dirty Ring Size -> 1048576 (Entries: 65536)
+qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.01H:ECX.pcid [bit 17]
+qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.hle [bit 4]
+qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.rtm [bit 11]
+[QEMU-NYX] Dirty ring mmap region located at 0x767b25d00000
+[QEMU-NYX] Warning: Invalid sharedir...
+[QEMU-NYX] Booting VM to start fuzzing...
+...
+
+ +

If that’s the case, kAFL is correctly configured !

+

You can now send a CTRL-C to stop kAFL:

+
^CReceived Ctrl-C, killing workers...
+Waiting for Workers to shutdown...
+Worker-00 Shutting down Qemu after 0 execs..
+qemu-system-x86_64: terminating on signal 15 from pid 115166 (/home/mtarral/kafl/kafl/.venv/bin/python3)