Google engineers today introduced KFuzzTest, a new lightweight framework for writing in-kernel fuzz targets for internal kernel functions. KFuzzTest aims to make it easier to exercise Linux kernel code paths that are difficult to reach from the system call boundary.
Google engineer Ethan Graham describes KFuzzTest as:
“This patch series introduces KFuzzTest, a lightweight framework for creating in-kernel fuzz targets for internal kernel functions.
The primary motivation for KFuzzTest is to simplify the fuzzing of low-level, relatively stateless functions (e.g., data parsers, format converters) that are difficult to exercise effectively from the syscall boundary. It is intended for in-situ fuzzing of kernel code without requiring that it be built as a separate userspace library or that its dependencies be stubbed out. Using a simple macro-based API, developers can add a new fuzz target with minimal boilerplate code.
The core design consists of three main parts:
1. A `FUZZ_TEST(name, struct_type)` macro that allows developers to easily define a fuzz test.
2. A binary input format that allows a userspace fuzzer to serialize complex, pointer-rich C structures into a single buffer.
3. Metadata for test targets, constraints, and annotations, which is emitted into dedicated ELF sections to allow for discovery and inspection by userspace tools. These are found in “.kfuzztest_{targets, constraints, annotations}”.”
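To make the three parts concrete, here is an added userspace C mock-up of that design; it is not the kernel's own code and not from the patch series. It keeps the `FUZZ_TEST(name, struct_type)` shape and the three-part split (registration macro, single-buffer input format, metadata in a dedicated ELF section) from the description above, but the descriptor layout, the section name `kfuzztest_targets`, the `kft_*` encoding with header and relocation records, the body signature, and the `kv_parse` sample target are all assumptions made here so the program builds and runs outside the kernel.

```c
/* Userspace mock-up of the KFuzzTest design (added example, not kernel code).
 * Assumed here: descriptor layout, section name, input encoding, target body. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Part 3: one metadata descriptor per target, placed in a dedicated ELF
 * section. GNU ld and lld only synthesise __start_/__stop_ symbols for section
 * names that are valid C identifiers, so the mock-up uses "kfuzztest_targets"
 * where the kernel uses ".kfuzztest_targets". */
struct kft_target {
    const char *name;       /* name as written in FUZZ_TEST() */
    size_t arg_size;        /* sizeof(struct struct_type) */
    void (*fn)(void *arg);  /* entry taking the decoded argument struct */
};

/* Part 1: FUZZ_TEST(name, struct_type) { body } defines the body and registers
 * the descriptor. The body receives `struct struct_type *arg` (assumed). */
#define FUZZ_TEST(name, struct_type)                                      \
    static void name##_body(struct struct_type *arg);                     \
    static void name##_entry(void *arg) { name##_body(arg); }             \
    static const struct kft_target name##_desc                            \
        __attribute__((section("kfuzztest_targets"), used)) = {           \
            #name, sizeof(struct struct_type), name##_entry };            \
    static void name##_body(struct struct_type *arg)

extern const struct kft_target __start_kfuzztest_targets[];
extern const struct kft_target __stop_kfuzztest_targets[];

/* Part 2: single-buffer input (assumed encoding):
 *   kft_header | kft_reloc[n_relocs] | struct bytes | payload bytes
 * Each reloc names a pointer field in the struct and the payload range it
 * must point into. Decoding copies struct and payload out and rewrites every
 * pointer, so the body never dereferences a raw fuzzer-chosen address. */
struct kft_header { uint32_t struct_size, n_relocs; };
struct kft_reloc  { uint32_t field_off, payload_off, len; };

/* Returns 0 on success, -1 if the buffer is truncated or a reloc is out of
 * range or misaligned. */
static int kft_decode(const uint8_t *buf, size_t buflen, void *out,
                      size_t out_size, uint8_t *payload, size_t payload_cap)
{
    struct kft_header h;
    if (buflen < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    if (h.struct_size != out_size || h.n_relocs > 64) return -1;
    size_t struct_off = sizeof h + (size_t)h.n_relocs * sizeof(struct kft_reloc);
    if (struct_off + h.struct_size > buflen) return -1;
    size_t payload_len = buflen - struct_off - h.struct_size;
    if (payload_len > payload_cap) return -1;
    memcpy(out, buf + struct_off, h.struct_size);
    memcpy(payload, buf + struct_off + h.struct_size, payload_len);
    for (uint32_t i = 0; i < h.n_relocs; i++) {
        struct kft_reloc r;
        memcpy(&r, buf + sizeof h + i * sizeof r, sizeof r);
        if (r.field_off % sizeof(void *) || r.field_off + sizeof(void *) > h.struct_size ||
            r.payload_off > payload_len || r.len > payload_len - r.payload_off)
            return -1;
        void *p = payload + r.payload_off;
        memcpy((uint8_t *)out + r.field_off, &p, sizeof p);
    }
    return 0;
}

/* Sample target: a tiny stateless "key=value;" parser. pairs_found is written
 * back so the result can be inspected after the run. */
struct kv_input { const uint8_t *data; uint32_t len; uint32_t pairs_found; };

FUZZ_TEST(kv_parse, kv_input)
{
    uint32_t pairs = 0;
    for (size_t i = 0; i < arg->len; i++) {            /* i++ skips the ';' */
        size_t start = i, eq = SIZE_MAX;
        for (; i < arg->len && arg->data[i] != ';'; i++)
            if (arg->data[i] == '=' && eq == SIZE_MAX) eq = i;
        if (eq != SIZE_MAX && eq > start) pairs++;     /* key must be non-empty */
    }
    arg->pairs_found = pairs;
}

/* Userspace-tool side: discover targets by walking the section. */
static size_t kft_target_count(void)
{ return (size_t)(__stop_kfuzztest_targets - __start_kfuzztest_targets); }

static const struct kft_target *kft_find(const char *name)
{
    for (const struct kft_target *t = __start_kfuzztest_targets; t < __stop_kfuzztest_targets; t++)
        if (strcmp(t->name, name) == 0) return t;
    return NULL;
}

/* Serialise a kv_input whose data pointer refers to `text` (constructed input). */
static size_t kft_encode_kv(const uint8_t *text, size_t text_len, uint8_t *buf, size_t cap)
{
    struct kft_header h = { (uint32_t)sizeof(struct kv_input), 1 };
    struct kft_reloc r = { offsetof(struct kv_input, data), 0, (uint32_t)text_len };
    struct kv_input s = { NULL, (uint32_t)text_len, 0 };
    size_t need = sizeof h + sizeof r + sizeof s + text_len;
    if (need > cap) return 0;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, &r, sizeof r);
    memcpy(buf + sizeof h + sizeof r, &s, sizeof s);
    memcpy(buf + sizeof h + sizeof r + sizeof s, text, text_len);
    return need;
}

/* Decode a buffer and run kv_parse; returns pairs_found, or -1 if the buffer
 * was rejected by the decoder or the target is not registered. */
static int run_kv_parse(const uint8_t *buf, size_t buflen)
{
    const struct kft_target *t = kft_find("kv_parse");
    struct kv_input in; uint8_t payload[256];
    if (!t || t->arg_size != sizeof in) return -1;
    if (kft_decode(buf, buflen, &in, sizeof in, payload, sizeof payload)) return -1;
    t->fn(&in);
    return (int)in.pairs_found;
}

static int run_kv_text(const char *text)
{
    uint8_t buf[512];
    size_t n = kft_encode_kv((const uint8_t *)text, strlen(text), buf, sizeof buf);
    return n ? run_kv_parse(buf, n) : -1;
}

int main(void)
{
    printf("%zu target(s) discovered\n", kft_target_count());
    printf("pairs=%d\n", run_kv_text("user=root;shell=/bin/sh;noequals;=bad"));
    return 0;
}
```

The decoder is the piece worth studying: the reloc records are the only way a pointer field gets a value, and each one is bounds-checked against both the struct and the payload before the target runs, so a corrupt or adversarial input is rejected by the framework rather than handed to the function under test as a wild pointer.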
The KFuzzTest code in its current form includes the framework itself, documentation, the user-facing API and data structures, and some sample fuzz targets for the Linux kernel.
Those wishing to learn more about this new KFuzzTest initiative for the Linux kernel can see this LKML thread for all the details.