1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
# Setup: Ubuntu host, VMware vm, x86-64 kernel
These are the instructions on how to fuzz the x86-64 kernel in VMware Workstation with Ubuntu on the host machine and Debian Bullseye in the virtual machines.
In the instructions below, the `$VAR` notation (e.g. `$GCC`, `$KERNEL`, etc.) is used to denote paths to directories that are either created when executing the instructions (e.g. when unpacking GCC archive, a directory will be created), or that you have to create yourself before running the instructions. Substitute the values for those variables manually.
## GCC and Kernel
You can follow the same [instructions](/docs/linux/setup_ubuntu-host_qemu-vm_x86-64-kernel.md) for obtaining GCC and building the Linux kernel as when using QEMU.
## Image
Install debootstrap:
``` bash
sudo apt-get install debootstrap
```
To create a Debian Bullseye Linux user space in the $USERSPACE dir do:
```
sudo mkdir -p $USERSPACE
sudo debootstrap --include=openssh-server,curl,tar,gcc,libc6-dev,time,strace,sudo,less,psmisc,selinux-utils,policycoreutils,checkpolicy,selinux-policy-default,firmware-atheros,open-vm-tools --components=main,contrib,non-free bullseye $USERSPACE
```
Note: it is important to include the `open-vm-tools` package in the user space as it provides better VM management.
To create a Debian Bullseye Linux VMDK do:
```
wget https://raw.githubusercontent.com/google/syzkaller/master/tools/create-gce-image.sh -O create-gce-image.sh
chmod +x create-gce-image.sh
./create-gce-image.sh $USERSPACE $KERNEL/arch/x86/boot/bzImage
qemu-img convert disk.raw -O vmdk disk.vmdk
```
The result should be `disk.vmdk` for the disk image and `key` for the root SSH key. You can delete `disk.raw` if you want.
## VMware Workstation
Open VMware Workstation and start the New Virtual Machine Wizard.
Assuming you want to create the new VM in `$VMPATH`, complete the wizard as follows:
* Virtual Machine Configuration: Custom (advanced)
* Hardware compatibility: select the latest version
* Guest OS: select "I will install the operating system later"
* Guest OS type: Linux
* Virtual Machine Name and Location: select `$VMPATH` as location and "debian" as name
* Processors and Memory: select as appropriate
* Network connection: Use host-only networking
* I/O Controller Type: LSI Logic
* Virtual Disk Type: IDE
* Disk: select "Use an existing virtual disk"
* Existing Disk File: enter the path of `disk.vmdk` created above
* Select "Customize Hardware..." and remove the "Printer" device if you have one. Add a new "Serial Port" device. For the serial port connection choose "Use socket (named pipe)" and enter "serial" for the socket path. At the end it should look like this:
When you complete the wizard, you should have `$VMPATH/debian.vmx`. From this point onward, you no longer need the Workstation UI.
Starting the Debian VM (headless):
``` bash
vmrun start $VMPATH/debian.vmx nogui
```
Getting the IP address of the Debian VM:
``` bash
vmrun getGuestIPAddress $VMPATH/debian.vmx -wait
```
SSH into the VM:
``` bash
ssh -i key root@<vm-ip-address>
```
Connecting to the serial port of the VM (after it is started):
``` bash
nc -U $VMPATH/serial
```
Stopping the VM:
``` bash
vmrun stop $VMPATH/debian.vmx
```
If all of the above `vmrun` commands work, then you can proceed to running syzkaller.
## syzkaller
Create a manager config like the following, replacing the environment variables $GOPATH, $KERNEL and $VMPATH with their actual values.
```
{
"target": "linux/amd64",
"http": "127.0.0.1:56741",
"workdir": "$GOPATH/src/github.com/google/syzkaller/workdir",
"kernel_obj": "$KERNEL",
"sshkey": "$IMAGE/key",
"syzkaller": "$GOPATH/src/github.com/google/syzkaller",
"procs": 8,
"type": "vmware",
"vm": {
"count": 4,
"base_vmx": "$VMPATH/debian.vmx",
}
}
```
Run syzkaller manager:
``` bash
mkdir workdir
./bin/syz-manager -config=my.cfg
```
Syzkaller will create full clone VMs from the `base_vmx` VM and then use ssh to copy and execute programs in them.
The `base_vmx` VM will not be started and its disk will remain unmodified.
If you get issues after `syz-manager` starts, consider running it with the `-debug` flag.
Also see [this page](/docs/troubleshooting.md) for troubleshooting tips.
|
