perf_fuzzer perf_event syscall fuzzer
As of the upcoming Linux 5.0 release, it is *finally* (after 6 years) possible
to fuzz indefinitely on recent Intel x86 machines without crashing.
This is a great development, both for security reasons, but also means
now it is finally going to be in theory a lot easier to bisect new bugs.
The perf_fuzzer tool automatically tests the
perf_event_open() system call and attempts to find mostly-valid
inputs that potentially crash (or worse) the Linux kernel.
The fuzzer has found 28 serious bugs in the Linux kernel
which have all been fixed.
See the publications section below for more documentation.
Please send me an e-mail if you use perf_fuzzer and find bugs!
It's a struggle trying to get publications/funding for this work, which
is one of the reasons why development has slowed. If you've used
perf_fuzzer to get a CVE or bug bounty, please let me know so I can use
the info in my reports to show how important fuzzing can be.
CVE-2015-0805, CVE-2015-0819 (major Qualcomm Android root exploits
found by Wish Wu, possibly with the perf_fuzzer, but I couldn't verify
this for sure.
here and here)
The code has already found numerous denial of service bugs and various
local root exploits. At least five CVE entries were directly a result
of this work, and many more probably are (but are harder to verify).
See here for a list of current/fixed mainline
Linux kernel bugs found.
I have not had much success getting this work published in any "real"
academic venue. USENIX security says it is incremental and thus
uninteresting. The NSF was uninterested in funding this as well.
(Though reviewers often stress this is important work and I should keep
working on it in my free time).
The perf_fuzzer is available as part of the
perf_event_test test suite.
Currently development is done via git at
; you can check out a version
of the development tree via:
git clone git://github.com/deater/perf_event_tests
Read the README
Back to unofficial perf_events page