buzzer

command module
v0.0.0-...-581658c (Latest)
Published: Oct 27, 2025 License: Apache-2.0 Imports: 6 Imported by: 0

README

Buzzer - An eBPF Fuzzer toolchain


Buzzer is a fuzzer toolchain that lets you write eBPF fuzzing strategies.

A fuzzing strategy is a way to generate random eBPF programs and then validate that they do not have unexpected behaviour.

To run the fuzzer, follow these steps:

  1. Install bazel.

  2. Install clang.

  3. Set the CC and CXX environment variables so bazel builds with clang:

    export CC=clang
    export CXX=clang++

  4. Build buzzer:

    bazel build :buzzer

  5. Run buzzer, either as root:

    sudo ./bazel-bin/buzzer_/buzzer

    or, without running the fuzzer process as root, with the CAP_BPF capability granted to the binary:

    sudo setcap CAP_BPF=eip bazel-bin/buzzer_/buzzer
    ./bazel-bin/buzzer_/buzzer


Documents:

Trophies

Did you find a cool bug using Buzzer? Let us know via a pull request! We'd like to collect all issues discovered with this framework under this section.

  • CVE-2023-2163: An error in the branch pruning logic of the eBPF verifier can cause unsafe paths to not be explored. The unsafe pruned paths are the actual paths taken at runtime which causes a mismatch in what the verifier thinks the values of certain registers are versus what they actually are. This mismatch can be abused to read/write arbitrary memory in the kernel by using the confused registers as base registers for memory operations.

  • CVE-2024-41003: A bug in the verifier's register limit tracking allows an attacker to trick the verifier into thinking a register holds a value of 0 when at run time this register could take a value of 1. This can then be leveraged to achieve arbitrary kernel memory read/write and lead to a local privilege escalation or container escape.

Documentation

Overview

package main creates the executable for the fuzzer.

Directories

Path Synopsis

pkg

  strategies
    Package strategies contains the base that all strategies need to implement; it is defined in order to prevent repetition of code among strategies.

  strategies/deprecated/parse_verifier
    Package parseverifier implements a strategy of generating random ALU operations and then attempting to hunt verifier logic errors by parsing the output of the verifier log and comparing the values the verifier thinks the registers will have against the actual values observed at run time.

  strategies/deprecated/parse_verifier/oracle
    Package oracle is a set of abstractions for tracking the state of register sets at different offsets in an eBPF program.

  strategies/deprecated/playground
    Package playground is meant to be a strategy where different functionalities of eBPF can be tested more easily; its purpose is to experiment more so than to fuzz.

  strategies/deprecated/pointer_arithmetic
    Package pointerarithmetic implements a strategy of generating random ALU operations and then performing pointer arithmetic with a map pointer and attempting to write to that pointer.

  strategies/deprecated/stack_corruption
    Package playground is meant to be a strategy where different functionalities of eBPF can be tested more easily; its purpose is to experiment more so than to fuzz.

  units
    Package units implements the business logic to make the fuzzer work.
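The parse_verifier strategy and its oracle package listed above work by comparing the register values the verifier predicts (read from its log) with the values a program actually produces when it runs. The following Go program is an added illustration of that comparison and is not Buzzer's own code: it parses a constructed, simplified verifier log (the `<offset>: (<opcode>) <insn> ; R1_w=7` shape is an assumption made for the example, not a guarantee about any kernel version), pairs each concrete prediction with a constructed table of observed run-time values, and reports every register whose observed value contradicts the verifier. The type and function names are my own.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Mismatch records one instruction offset at which the verifier's predicted
// register value disagrees with the value observed at run time.
type Mismatch struct {
	Offset   int
	Register string
	Expected int64 // what the verifier log claims
	Observed int64 // what the program actually produced
}

// predRe matches a simplified annotation such as "R1_w=7" or "R2=-3".
// Constructed, simplified format for this example only.
var predRe = regexp.MustCompile(`R(\d+)(?:_w)?=(-?\d+)\b`)

// ParseVerifierLog extracts, per instruction offset, the concrete scalar values
// the verifier believes registers hold after that instruction. Annotations
// without a concrete value (ranges, pointers) and lines without an annotation
// are skipped, so the oracle only checks claims the verifier committed to.
func ParseVerifierLog(log string) map[int]map[string]int64 {
	out := map[int]map[string]int64{}
	for _, line := range strings.Split(log, "\n") {
		line = strings.TrimSpace(line)
		colon := strings.Index(line, ":")
		semi := strings.Index(line, ";")
		if colon < 0 || semi < 0 {
			continue
		}
		off, err := strconv.Atoi(line[:colon])
		if err != nil {
			continue
		}
		// Only the annotation after ';' is inspected, never the instruction text.
		for _, m := range predRe.FindAllStringSubmatch(line[semi:], -1) {
			v, err := strconv.ParseInt(m[2], 10, 64)
			if err != nil {
				continue
			}
			if out[off] == nil {
				out[off] = map[string]int64{}
			}
			out[off]["r"+m[1]] = v
		}
	}
	return out
}

// FindMismatches compares every concrete prediction in the log with the
// run-time observation for the same offset and register. Registers the
// verifier made no concrete claim about, or that were not sampled, are not
// checked. The result is sorted by offset, then register, for stable reports.
func FindMismatches(log string, observed map[int]map[string]int64) []Mismatch {
	var out []Mismatch
	for off, regs := range ParseVerifierLog(log) {
		for reg, want := range regs {
			got, ok := observed[off][reg]
			if ok && got != want {
				out = append(out, Mismatch{off, reg, want, got})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Offset != out[j].Offset {
			return out[i].Offset < out[j].Offset
		}
		return out[i].Register < out[j].Register
	})
	return out
}

// SampleVerifierLog is a constructed log for a four-instruction program.
const SampleVerifierLog = `
0: (b7) r1 = 5                       ; R1_w=5
1: (07) r1 += 2                      ; R1_w=7
2: (bf) r2 = r1                      ; R1_w=7 R2_w=7
3: (95) exit
`

// SampleObserved stands in for register values dumped by an instrumented run
// of the same program (constructed data); r2 at offset 2 is deliberately
// wrong so the oracle has something to report.
func SampleObserved() map[int]map[string]int64 {
	return map[int]map[string]int64{
		0: {"r1": 5},
		1: {"r1": 7},
		2: {"r1": 7, "r2": 8},
	}
}

func main() {
	for _, m := range FindMismatches(SampleVerifierLog, SampleObserved()) {
		fmt.Printf("offset %d: verifier says %s=%d, run time shows %d\n",
			m.Offset, m.Register, m.Expected, m.Observed)
	}
}
```

Run as `go run .`; on the constructed sample it reports the single divergence at offset 2. In a real strategy the observed table would come from the fuzzed program itself (for example by writing register values to a map at each offset), and any mismatch is the signal that the verifier's model of the program has drifted from its real behaviour, which is exactly the class of bug the trophies above describe.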
