# Setup: Linux isolated host

These are the instructions on how to fuzz the kernel on isolated machines.
Isolated machines are separated in a way that limits remote management. They can
be interesting to fuzz due to specific hardware setups.

This syzkaller configuration uses only ssh to launch and monitor an isolated
machine.

## Setup reverse proxy support

Given that only ssh may work, a reverse ssh proxy will be used to allow the fuzzing
instance and the manager to communicate.

Ensure the sshd configuration on the target machine has AllowTcpForwarding set to yes:
```
machine:~# grep Forwarding /etc/ssh/sshd_config
AllowTcpForwarding yes
```

## Kernel

The isolated VM does not deploy kernel images, so ensure the kernel on the target
machine is built with these options:
```
CONFIG_KCOV=y
CONFIG_DEBUG_INFO=y
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
```

Code coverage works better when KASLR is disabled too:
```
# CONFIG_RANDOMIZE_BASE is not set
```

## Optional: Reuse existing ssh connection

In most scenarios, you should use an ssh key to connect to the target machine.
The isolated configuration supports ssh keys as described in the generic
[setup](setup.md).

If you cannot use an ssh key, you should configure your manager machine to reuse
existing ssh connections.

Add these lines to your ~/.ssh/config file:
```
Host *
	ControlMaster auto
	ControlPath ~/.ssh/control:%h:%p:%r
```

Before fuzzing, connect to the machine and keep the connection open so all scp
and ssh usage will reuse it.

## Go

Install Go 1.8.1:
``` bash
wget https://storage.googleapis.com/golang/go1.8.1.linux-amd64.tar.gz
tar -xf go1.8.1.linux-amd64.tar.gz
mv go goroot
export GOROOT=`pwd`/goroot
export PATH=$PATH:$GOROOT/bin
mkdir gopath
export GOPATH=`pwd`/gopath
```

## Syzkaller

Get and build syzkaller:
``` bash
go get -u -d github.com/google/syzkaller/...
cd gopath/src/github.com/google/syzkaller/
make
```

Use the following config:
```
{
	"target": "linux/amd64",
	"http": "127.0.0.1:56741",
	"rpc": "127.0.0.1:0",
	"sshkey" : "/path/to/optional/sshkey",
	"workdir": "/syzkaller/workdir",
	"kernel_obj": "/linux-next",
	"syzkaller": "/go/src/github.com/google/syzkaller",
	"sandbox": "setuid",
	"type": "isolated",
	"vm": {
		"targets" : [ "10.0.0.1" ],
		"target_dir" : "/home/user/tmp/syzkaller",
		"target_reboot" : false
	}
}
```

Don't forget to update:
 - `target` (target OS/arch)
 - `workdir` (path to the workdir)
 - `kernel_obj` (path to kernel build directory)
 - `sshkey` (optional; path to the ssh key you set up for the target)
 - `vm.targets` (list of hosts to use for fuzzing)
 - `vm.target_dir` (working directory on the target host)
 - `vm.target_reboot` (reboot the machine if a remote process hangs; useful for wide fuzzing, false by default)

Run syzkaller manager:
``` bash
./bin/syz-manager -config=my.cfg
```

If you get issues after `syz-manager` starts, consider running it with the `-debug` flag.
Also see [this page](/docs/troubleshooting.md) for troubleshooting tips.
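The reverse-proxy and kernel sections above list prerequisites that are easy to get wrong on a machine you can only reach over ssh. The following pre-flight script is an added example, not part of the syzkaller docs or tool; it checks a copy of the target's kernel `.config` and `sshd_config` (paths passed as arguments are assumed to be local copies fetched with scp) before `syz-manager` is started.

```sh
#!/bin/sh
# Added example: verify the prerequisites from the "Setup reverse proxy
# support" and "Kernel" sections against local copies of the target's files.

# Kernel options this page requires to be =y on the target.
KCONFIG_REQUIRED="CONFIG_KCOV CONFIG_DEBUG_INFO CONFIG_KASAN CONFIG_KASAN_INLINE"

# Return 0 when every option in KCONFIG_REQUIRED is "=y" in the .config at $1;
# otherwise list the missing ones on stderr and return 1.
check_kconfig() {
    cfg="$1"
    missing=""
    for opt in $KCONFIG_REQUIRED; do
        grep -q "^${opt}=y\$" "$cfg" || missing="$missing $opt"
    done
    if [ -n "$missing" ]; then
        echo "kernel config: not set to y:$missing" >&2
        return 1
    fi
    return 0
}

# Print "disabled" when KASLR is off (better coverage per this page),
# "enabled" when CONFIG_RANDOMIZE_BASE=y is present in the .config at $1.
kaslr_state() {
    if grep -q '^CONFIG_RANDOMIZE_BASE=y$' "$1"; then
        echo enabled
    else
        echo disabled
    fi
}

# Return 0 when the sshd_config at $1 permits TCP forwarding, which the
# reverse ssh proxy needs. OpenSSH defaults AllowTcpForwarding to yes when
# the directive is absent, so only an explicit, uncommented "no" fails.
check_sshd_forwarding() {
    if grep -Eiq '^[[:space:]]*AllowTcpForwarding[[:space:]]+no' "$1"; then
        echo "sshd_config: AllowTcpForwarding is set to no" >&2
        return 1
    fi
    return 0
}

# Run all checks; usage: sh preflight.sh /path/to/.config /path/to/sshd_config
run_checks() {
    rc=0
    check_kconfig "$1" || rc=1
    echo "KASLR: $(kaslr_state "$1")"
    check_sshd_forwarding "$2" || rc=1
    return $rc
}

if [ "$#" -eq 2 ]; then
    run_checks "$1" "$2"
fi
```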