author: Thomas Garnier <thgarnie@google.com> 2017-06-12 14:31:03 -0700
committer: Dmitry Vyukov <dvyukov@google.com> 2017-07-18 09:57:38 +0200
commit: 3fd92b96944c61c6ba0962cc9fe7620080172d9f (patch)
tree: 8ea104b6877a1344d01d0f02460cbc93d2187f3b /docs
parent: 7c1ee0634b4335bd7b31b2ef063fffbcfa3b6484 (diff)
Add Isolated VM

Add a new isolated VM for machines that you cannot easily manage. It assumes the machine is only available through SSH and creates a reverse proxy to ensure the machine can connect back to syz-manager.

Signed-off-by: Thomas Garnier <thgarnie@google.com>
Diffstat (limited to 'docs')
-rw-r--r-- docs/setup.md | 1
-rw-r--r-- docs/setup_linux-host_isolated.md | 108
2 files changed, 109 insertions, 0 deletions
diff --git a/docs/setup.md b/docs/setup.md
index cadc4ca26..933db69cb 100644
--- a/docs/setup.md
+++ b/docs/setup.md
@@ -7,6 +7,7 @@ Instructions for a particular VM or kernel arch can be found on these pages:
- [Setup: Ubuntu host, Odroid C2 board, arm64 kernel](setup_ubuntu-host_odroid-c2-board_arm64-kernel.md)
- [Setup: Linux host, QEMU vm, arm64 kernel](setup_linux-host_qemu-vm_arm64-kernel.md)
- [Setup: Linux host, Android device, arm64 kernel](setup_linux-host_android-device_arm64-kernel.md)
+- [Setup: Linux isolated host](setup_linux-host_isolated.md)
After following these instructions you should be able to run `syz-manager`, see it executing programs and be able to access statistics exposed at `http://127.0.0.1:56741`:
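Review bot: the new entry `[Setup: Linux isolated host]` breaks the naming pattern of the neighbouring entries, which all read "Setup: <host>, <VM or device>, <arch> kernel"; consider a title in the same shape (host, then the target kind, then the kernel arch if the page is arch-specific) so a reader scanning the list can tell what the page covers.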
diff --git a/docs/setup_linux-host_isolated.md b/docs/setup_linux-host_isolated.md
new file mode 100644
index 000000000..7f26efd75
--- /dev/null
+++ b/docs/setup_linux-host_isolated.md
@@ -0,0 +1,108 @@
+# Setup: Linux isolated host
+
+These are the instructions on how to fuzz the kernel on isolated machines.
+Isolated machines are separated in a way that limits remote management. They can
+be interesting to fuzz due to specific hardware setups.
+
+This syzkaller configuration uses only ssh to launch and monitor an isolated
+machine.
+
+## Setup reverse proxy support
+
+Given only ssh may work, a reverse ssh proxy will be used to allow the fuzzing
+instance and the manager to communicate.
+
+Ensure the sshd configuration on the target machine has AllowTcpForwarding to yes.
+```
+machine:~# grep Forwarding /etc/ssh/sshd_config
+AllowTcpForwarding yes
+```
+
+## Kernel
+
+The isolated VM does not deploy kernel images so ensure the kernel on the target
+machine is build with these options:
+```
+CONFIG_KCOV=y
+CONFIG_DEBUG_INFO=y
+CONFIG_KASAN=y
+CONFIG_KASAN_INLINE=y
+```
+
+Code coverage works better when KASLR Is disabled too:
+```
+# CONFIG_RANDOMIZE_BASE is not set
+```
+
+## Optional: Reuse existing ssh connection
+
+In most scenarios, you should use an ssh key to connect to the target machine.
+The isolated configuration supports ssh keys as described in the generic
+[setup](setup_generic.md).
+
+If you cannot use an ssh key, you should configure your manager machine to reuse
+existing ssh connections.
+
+Add these lines to your ~/.ssh/config file:
+```
+Host *
+ ControlMaster auto
+ ControlPath ~/.ssh/control:%h:%p:%r
+```
+
+Before fuzzing, connect to the machine and keep the connection open so all scp
+and ssh usage will reuse it.
+
+## Go
+
+Install Go 1.8.1:
+``` bash
+wget https://storage.googleapis.com/golang/go1.8.1.linux-amd64.tar.gz
+tar -xf go1.8.1.linux-amd64.tar.gz
+mv go goroot
+export GOROOT=`pwd`/goroot
+export PATH=$PATH:$GOROOT/bin
+mkdir gopath
+export GOPATH=`pwd`/gopath
+```
+
+## Syzkaller
+
+Get and build syzkaller:
+``` bash
+go get -u -d github.com/google/syzkaller/...
+cd gopath/src/github.com/google/syzkaller/
+make
+```
+
+Use the following config:
+```
+{
+ "http": "127.0.0.1:56741",
+ "rpc": "127.0.0.1:0",
+ "sshkey" : "/path/to/optional/sshkey",
+ "workdir": "/syzkaller/workdir",
+ "vmlinux": "/linux-next/vmlinux",
+ "syzkaller": "/go/src/github.com/google/syzkaller",
+ "sandbox": "setuid",
+ "type": "isolated",
+ "vm": {
+ "targets" : [ "10.0.0.1" ],
+ "target_dir" : "/home/user/tmp/syzkaller",
+ "target_reboot" : false,
+ }
+}
+```
+
+Don't forget to update:
+ - `workdir` (path to the workdir)
+ - `vmlinux` (path to the `vmlinux` binary)
+ - `sshkey` You can setup an sshkey (optional)
+ - `vm.targets` List of hosts to use for fufzzing
+ - `vm.target_dir` Working directory on the target host
+ - `vm.target_reboot` Reboot the machine if remote process hang (useful for wide fuzzing, false by default)
+
+Run syzkaller manager:
+``` bash
+./bin/syz-manager -config=my.cfg
+```
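Review bot: the sample config in this hunk has a trailing comma after `"target_reboot" : false,` immediately before the `}` that closes `"vm"`, which is not valid JSON and will be rejected by a strict parser; drop the comma. Please also fix the typos: `fufzzing` -> `fuzzing`, `is build with` -> `is built with`, `KASLR Is disabled` -> `KASLR is disabled`, and `remote process hang` -> `remote process hangs`. The `~/.ssh/config` snippet applies `ControlMaster auto` and the shared `ControlPath` to `Host *`, i.e. every host the manager machine connects to; scoping it to the fuzzing targets (for the example config, `Host 10.0.0.1`) keeps connection multiplexing limited to where it is needed. Finally, the "Setup reverse proxy support" section would be clearer if it tied the requirement to the config: `rpc` is bound to `127.0.0.1:0` on the manager, so the target can only reach it through the reverse ssh tunnel, which is why `AllowTcpForwarding yes` has to be enabled in the target's sshd.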