Trinity - Linux system call fuzzer.

Latest change v1.6-179-g6050c1c:
+ add some extra sanity checks inside the child process”) made trinity near unusable for me: the rec->tv sanity check fails rather quickly after first syscall capable of changing wall time.
+ The patch reworks trinity to use clock_gettime(CLOCK_MONOTONIC) instead of gettimeofday(). It makes trinity usable again.

#######################################################################

WARNINGS:
* This program may seriously corrupt your files, including any of those that may be writable on mounted network file shares. It may create network packets that may cause disruption on your local network.

* Trinity may generate the right selection of syscalls to start sending random network packets to other hosts. While every effort is made to restrict this to IP addresses on local LANs, multicast and broadcast, care should be taken to not allow the packets it generates to go out onto the internet.

Run at your own risk.
#######################################################################

Trinity-v-1-6-179-g6050c1c Trinity: Linux system call fuzzer.

System call fuzzers aren’t a particularly new idea. As far back as 1991, people have written apps that bomb syscall inputs with garbage data, with varying success in crashing assorted operating systems. After the obvious dumb bugs are fixed, however, most of the time these calls are simply rejected by the kernel very near the beginning of their function entry point, as basic parameter validation is performed. Trinity is a system call fuzzer which employs some techniques to pass semi-intelligent arguments to the syscalls being called.

The intelligence features include:
– If a system call expects a certain datatype as an argument (for example a file descriptor), it gets passed one. This is the reason for the slow initial startup, as trinity generates a list of fds for files it can read from /sys, /proc and /dev, and then supplements this with fds for various network protocol sockets. (Information on which protocols succeed/fail is cached on the first run, greatly increasing the speed of subsequent runs.)
– If a system call only accepts certain values as an argument (for example a ‘flags’ field), trinity has a list of all the valid flags that may be passed. Just to throw a spanner in the works, it will occasionally bitflip one of the flags, to make things more interesting.
– If a system call only takes a range of values, the random value passed is biased to usually fit within that range.

Trinity logs its output to files (one for each child process), and fsyncs the file before it actually makes the system call. This way, should you trigger something which panics the kernel, you should be able to find out exactly what happened by examining the log.
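As an added example, not Trinity's own code, the three argument-shaping rules above and the fsync-before-call logging in C. It assumes a small constructed table of open(2) flags in place of trinity's per-syscall lists, an xorshift32 PRNG, and 1-in-8 ratios for the bitflip and out-of-range cases; the demo target is /dev/null, where every flag combination is harmless.

```c
/* Added example, not Trinity's own code: typed-argument generation from a valid-flag
 * table with occasional bitflips, range biasing, and a per-child log fsync'd before
 * each call. The flag table, PRNG and the 1-in-8 ratios are assumptions. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed table of valid open(2) flags, standing in for a per-syscall flag list. */
static const unsigned long valid_open_flags[] =
    { O_RDONLY, O_WRONLY, O_RDWR, O_CREAT, O_APPEND, O_NONBLOCK, O_CLOEXEC, O_TRUNC };
#define NFLAGS (sizeof(valid_open_flags) / sizeof(valid_open_flags[0]))

/* Deterministic xorshift32 PRNG (nonzero seed) so a crashing run can be replayed. */
static uint32_t rng_next(uint32_t *s)
{
    uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x;
}

/* OR of every listed flag; a set bit outside this mask is not a valid flag. */
unsigned long valid_flag_mask(void)
{
    unsigned long mask = 0;
    for (size_t i = 0; i < NFLAGS; i++) mask |= valid_open_flags[i];
    return mask;
}

/* Random subset of the valid flags; with allow_bitflip, one pick in eight gets a
 * single random bit flipped, which may produce a value the kernel rejects. */
unsigned long pick_flags(uint32_t *rng, int allow_bitflip)
{
    unsigned long flags = 0;
    for (size_t i = 0; i < NFLAGS; i++)
        if (rng_next(rng) & 1) flags |= valid_open_flags[i];
    if (allow_bitflip && rng_next(rng) % 8 == 0)
        flags ^= 1UL << (rng_next(rng) % (8 * sizeof(unsigned long)));
    return flags;
}

/* Range-biased value (assumes lo <= hi < ULONG_MAX): seven picks in eight land in
 * [lo, hi]; the eighth is arbitrary so the kernel's boundary checks get exercised. */
unsigned long pick_in_range(uint32_t *rng, unsigned long lo, unsigned long hi)
{
    uint32_t r = rng_next(rng);
    if (r % 8 != 0) return lo + (r / 8) % (hi - lo + 1);
    return (unsigned long)(((uint64_t)rng_next(rng) << 32) | rng_next(rng));
}

/* Self-check of the generators: number of 'iters' range picks that fell inside
 * [10, 20], or -1 if a bitflip-free flags pick ever left the valid mask. */
int generator_check(uint32_t seed, int iters)
{
    unsigned long mask = valid_flag_mask(), v; int inside = 0;
    for (int i = 0; i < iters; i++) {
        if (pick_flags(&seed, 0) & ~mask) return -1;
        v = pick_in_range(&seed, 10, 20);
        if (v >= 10 && v <= 20) inside++;
    }
    return inside;
}

/* Write one "about to call" record and fsync it before the syscall is issued, so
 * the record is on disk even if the call panics the kernel. Returns 0 on success. */
int log_before_call(int logfd, const char *name, const unsigned long *args, int nargs)
{
    char line[256];
    int n = snprintf(line, sizeof line, "[child %ld] %s(", (long)getpid(), name);
    for (int i = 0; i < nargs && n < (int)sizeof line; i++)
        n += snprintf(line + n, sizeof line - n, "%s0x%lx", i ? ", " : "", args[i]);
    if (n < (int)sizeof line) n += snprintf(line + n, sizeof line - n, ")\n");
    if (n > (int)sizeof line - 1) n = (int)sizeof line - 1;  /* record was truncated */
    if (write(logfd, line, (size_t)n) != n) return -1;
    return fsync(logfd);
}

/* Demo and self-check: open a per-child log, run 'iters' logged open(2) calls against
 * /dev/null (harmless for any flags), print the log, return its record count or -1. */
int run_demo(int iters)
{
    char path[] = "/tmp/fuzz-log-example-XXXXXX", buf[4096] = { 0 };
    uint32_t rng = 0x1234abcdu;
    int logfd = mkstemp(path), records = 0;
    if (logfd < 0) return -1;
    for (int i = 0; i < iters; i++) {
        unsigned long args[3] = { (unsigned long)(uintptr_t)"/dev/null",
                                  pick_flags(&rng, 1), pick_in_range(&rng, 0, 0777) };
        if (log_before_call(logfd, "open", args, 3) != 0) break;
        int fd = open("/dev/null", (int)args[1], (mode_t)args[2]);
        if (fd >= 0) close(fd);
    }
    if (lseek(logfd, 0, SEEK_SET) == 0 && read(logfd, buf, sizeof buf - 1) > 0)
        for (char *p = buf; (p = strchr(p, '\n')) != NULL; p++) records++;
    fputs(buf, stdout);
    close(logfd); unlink(path);
    return records;
}

int main(void) { return run_demo(5) == 5 ? 0 : 1; }
```

Compile with gcc and run; the lines printed are the fsync'd log records, each written to disk before its open(2) call was issued, which is what lets a later kernel panic be traced back to the exact call. A real fuzzer carries far larger per-syscall tables and tunes the ratios; the structure, not the constants, is the point.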

There are several test harnesses provided (test-*.sh), which run trinity in various modes and take care of things like CPU affinity, and make sure it runs from the tmp directory. (Handy for cleaning up any garbage-named files; just rm -rf tmp afterwards.)

Usage:

Source: https://github.com/kernelslacker