| 1 | +# Setup: Ubuntu host, VirtualBox vm, x86-64 kernel |
| 2 | + |
| 3 | +These are the instructions on how to fuzz the x86-64 kernel in VirtualBox with Ubuntu on the host machine and Debian Bullseye in the virtual machines. |
| 4 | + |
| 5 | +In the instructions below, the `$VAR` notation (e.g. `$GCC`, `$KERNEL`, etc.) is used to denote paths to directories that are either created when executing the instructions (e.g. when unpacking GCC archive, a directory will be created), or that you have to create yourself before running the instructions. Substitute the values for those variables manually. |
| 6 | + |
| 7 | +## GCC and Kernel |
| 8 | + |
| 9 | +You can follow the same [instructions](/docs/linux/setup_ubuntu-host_qemu-vm_x86-64-kernel.md) for obtaining GCC and building the Linux kernel as when using QEMU. |
| 10 | + |
| 11 | +## Image |
| 12 | + |
| 13 | +Install debootstrap: |
| 14 | + |
| 15 | +``` bash |
| 16 | +sudo apt-get install debootstrap |
| 17 | +``` |
| 18 | + |
| 19 | +To create a Debian Bullseye Linux user space in the $USERSPACE dir do: |
| 20 | +``` |
| 21 | +sudo mkdir -p $USERSPACE |
| 22 | +sudo debootstrap --include=openssh-server,curl,tar,gcc,libc6-dev,time,strace,sudo,less,psmisc,selinux-utils,policycoreutils,checkpolicy,selinux-policy-default,firmware-atheros,open-vm-tools --components=main,contrib,non-free bullseye $USERSPACE |
| 23 | +``` |
| 24 | + |
| 25 | +Note: it is important to include the `open-vm-tools` package in the user space as it provides better VM management. |
| 26 | + |
| 27 | +To create a Debian Bullseye Linux VMDK do: |
| 28 | + |
| 29 | +``` |
| 30 | +wget https://raw.githubusercontent.com/google/syzkaller/master/tools/create-gce-image.sh -O create-gce-image.sh |
| 31 | +chmod +x create-gce-image.sh |
| 32 | +./create-gce-image.sh $USERSPACE $KERNEL/arch/x86/boot/bzImage |
| 33 | +qemu-img convert -f raw -O vdi disk.raw disk.vdi |
| 34 | +``` |
| 35 | + |
| 36 | +The result should be `disk.vdi` for the disk image. You can delete `disk.raw` if you want. |
| 37 | + |
| 38 | +## VirtualBox |
| 39 | + |
| 40 | +Open VirtualBox and start the New Virtual Machine Wizard. |
| 41 | +Assuming you want to create the new VM in `$VMPATH`, complete the wizard as follows: |
| 42 | + |
| 43 | +* Create New Virtual Machine |
| 44 | +* Virtual Machine Name and Location: select `$VMPATH` as location and "debian" as name |
| 45 | +* Guest OS type: Debian 64-bit |
| 46 | +* Disk: select "Use an existing virtual disk" |
| 47 | +* Import the `disk.vdi` file, and select the imported `.vdi` file as an Hard Disk File. |
| 48 | + |
| 49 | +When you complete the wizard, you should have `$VMPATH/debian.vbox`. From this point onward, you no longer need the VirtualBox UI. |
| 50 | + |
| 51 | +To test the fuzzing environment before getting started, follow the instructions below: |
| 52 | +Forwarding port 2222 on your host machine to port 22: |
| 53 | +``` bash |
| 54 | +VBoxManage modifyvm debian --natpf1 "test,tcp,,2222,,22" |
| 55 | +``` |
| 56 | + |
| 57 | +Starting the Debian VM (headless): |
| 58 | +``` bash |
| 59 | +VBoxManage startvm debian --type headless |
| 60 | +``` |
| 61 | + |
| 62 | +SSH into the VM: |
| 63 | +``` bash |
| 64 | +ssh -p 2222 root@127.0.0.1 |
| 65 | +``` |
| 66 | + |
| 67 | +Stopping the VM: |
| 68 | +``` bash |
| 69 | +VBoxManage controlvm debian poweroff |
| 70 | +``` |
| 71 | + |
| 72 | +If all of the above `VBoxManage` commands work, then you can proceed to running syzkaller. |
| 73 | + |
| 74 | +## syzkaller |
| 75 | + |
| 76 | +Create a manager config like the following, replacing the environment variables $GOPATH, $KERNEL and $VMPATH with their actual values. |
| 77 | + |
| 78 | +``` |
| 79 | +{ |
| 80 | + "target": "linux/amd64", |
| 81 | + "http": "127.0.0.1:56741", |
| 82 | + "workdir": "$GOPATH/src/github.com/google/syzkaller/workdir", |
| 83 | + "kernel_obj": "$KERNEL", |
| 84 | + "sshkey": "$IMAGE/key", |
| 85 | + "syzkaller": "$GOPATH/src/github.com/google/syzkaller", |
| 86 | + "procs": 8, |
| 87 | + "type": "virtualbox", |
| 88 | + "vm": { |
| 89 | + "count": 4, |
| 90 | + "base_vm_name": "debian" |
| 91 | + } |
| 92 | +} |
| 93 | +``` |
| 94 | + |
| 95 | +Run syzkaller manager: |
| 96 | + |
| 97 | +``` bash |
| 98 | +mkdir workdir |
| 99 | +./bin/syz-manager -config=my.cfg |
| 100 | +``` |
| 101 | + |
| 102 | +Syzkaller will create full clone VMs from the `debian` VM and then use ssh to copy and execute programs in them. |
| 103 | +The `debian` VM will not be started and its disk will remain unmodified. |
| 104 | + |
| 105 | +If you get issues after `syz-manager` starts, consider running it with the `-debug` flag. |
| 106 | +Also see [this page](/docs/troubleshooting.md) for troubleshooting tips. |
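Review bot: in the "syzkaller" section the manager config does not match the substitution sentence above it: the sentence tells the reader to replace `$GOPATH`, `$KERNEL` and `$VMPATH`, but `$VMPATH` never appears in the config, while `"sshkey": "$IMAGE/key"` uses `$IMAGE`, which is not defined anywhere on this page (the "Image" section only names `disk.raw` and `disk.vdi`, and never says where the ssh key ends up). Suggest either adding a sentence to the "Image" section that defines `$IMAGE` as the directory in which `create-gce-image.sh` was run, which is also where `disk.raw` was written, and stating that the ssh key for the image is expected there, or changing the sentence to "replacing the environment variables $GOPATH, $KERNEL and $IMAGE with their actual values" so the variable list matches the config. As written, a reader following the "$VAR" convention set out at the top of the page has no way to resolve `$IMAGE`.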