• Understanding Linux kernel fuzz testing with Trinity

1. What is it?

  Trinity is a system call fuzz tester for the Linux kernel. Fuzzing is a security testing technique that feeds random or malformed arguments into an interface (here, the kernel's system calls) to see what breaks.

  Trinity is developed against the latest glibc and kernel headers, so from time to time changes are introduced that make it fail to compile on older distributions (especially enterprise ones). The preferred way to fix this is to add the missing declarations to compat.h.

  The basic idea is fairly simple. As 'fuzz testing' suggests, we call syscalls at random, with random arguments. This is not an original idea, and it has been done many times before on Linux and on other operating systems. Where Trinity differs is that the arguments it passes are not purely random.

2. Which architectures does Trinity support?

  Trinity supports Alpha, Aarch64, ARM, i386, IA-64, MIPS, PowerPC-32, PowerPC-64, S390, S390x, SPARC-64, x86-64.

3. Download and install Trinity

  Download the source code:

git clone https://github.com/kernelslacker/trinity.git

  Or download a release archive and build that instead:

https://github.com/kernelslacker/trinity/releases (v1.7 was the latest release when this was written)

unzip trinity-<version>.zip
cd trinity-<version>
./configure
make
sudo make install

4. The "intelligence" features include:

  • If a system call expects a certain datatype as an argument (for example a file descriptor), it gets passed one. This is the reason for the slow initial startup: Trinity generates a list of fds for files it can read from /sys, /proc and /dev, and then supplements this with fds for various network protocol sockets. (Information on which protocols succeed or fail is cached on the first run, greatly speeding up subsequent runs.)
  • If a system call only accepts certain values for an argument (for example a 'flags' field), Trinity has a list of all the valid flags that may be passed. Just to throw a spanner in the works, it will occasionally bit-flip one of the flags to make things more interesting.
  • If a system call only takes a range of values, the random value passed is biased to usually fall within that range.

  Trinity logs its output to files (one per child process) and fsyncs them before it actually makes each system call. This way, should you trigger something that panics the kernel, you can find out exactly what happened by examining the log.
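The three argument rules above and the fsync-before-call logging, as an added illustration in C. This is not Trinity's own source: the list of pseudo-files, the 1-in-16 bit-flip and 1-in-10 out-of-range ratios, and the choice of lseek as the target syscall are the example's own assumptions, chosen so it can be run harmlessly as an unprivileged user.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>

/* xorshift64: a fixed seed reproduces a run, like trinity -s<N> */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;
void rng_seed(uint64_t s) { rng_state = s ? s : 1; }
uint64_t rng_next(void) {
    uint64_t x = rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return rng_state = x;
}

/* Rule 1: an argument typed "fd" gets a real descriptor from a pool.
 * The path list is a constructed stand-in for Trinity's tree-walk of
 * /proc, /sys and /dev; entries that fail to open are simply skipped. */
#define FD_POOL_MAX 8
static int fd_pool[FD_POOL_MAX];
static int fd_pool_len;

int fd_pool_fill(void) {
    static const char *const paths[] = { "/proc/self/stat", "/proc/cpuinfo",
                                         "/sys/kernel/mm", "/dev/null" };
    fd_pool_len = 0;
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        int fd = open(paths[i], O_RDONLY | O_CLOEXEC);
        if (fd >= 0 && fd_pool_len < FD_POOL_MAX)
            fd_pool[fd_pool_len++] = fd;
    }
    return fd_pool_len;
}
int pick_fd(void) {
    return fd_pool_len ? fd_pool[rng_next() % fd_pool_len] : -1;
}

/* Rule 2: a "flags"-style argument is drawn from the list of valid values,
 * and one time in 16 a single random bit is flipped on top of it. */
static const unsigned long whence_values[] = { SEEK_SET, SEEK_CUR, SEEK_END };

unsigned long pick_valid(const unsigned long *valid, size_t n) {
    return valid[rng_next() % n];
}
unsigned long bitflip(unsigned long v) {
    return v ^ (1UL << (rng_next() % (8 * sizeof v)));
}
unsigned long pick_flags(const unsigned long *valid, size_t n) {
    unsigned long v = pick_valid(valid, n);
    return (rng_next() % 16 == 0) ? bitflip(v) : v;
}

/* Rule 3: a ranged argument lands inside [lo, hi] nine times out of ten;
 * the tenth draw is an arbitrary 64-bit value to exercise the bounds check. */
long biased_range(long lo, long hi) {
    if (rng_next() % 10 != 0)
        return lo + (long)(rng_next() % (uint64_t)(hi - lo + 1));
    return (long)rng_next();
}
/* Self-check: how many of `trials` draws fall inside the range. */
int biased_range_hits(int trials, long lo, long hi) {
    int hits = 0;
    for (int i = 0; i < trials; i++) {
        long v = biased_range(lo, hi);
        if (v >= lo && v <= hi) hits++;
    }
    return hits;
}

/* Write the call to the log and fsync it BEFORE issuing the syscall, so the
 * last log line is the call that was in flight if the kernel panics. lseek on
 * a read-only pseudo-file is harmless and uses all three rules: typed fd,
 * flag-style whence, ranged offset. */
long fuzz_lseek_once(FILE *log) {
    int fd = pick_fd();
    long off = biased_range(0, 4096);
    unsigned long whence = pick_flags(whence_values,
                                      sizeof whence_values / sizeof whence_values[0]);
    fprintf(log, "[%d] lseek(fd=%d, off=%ld, whence=%#lx)\n",
            (int)getpid(), fd, off, whence);
    fflush(log);
    fsync(fileno(log));
    long ret = syscall(SYS_lseek, fd, off, (int)whence);
    fprintf(log, "    = %ld\n", ret);
    return ret;
}

int main(int argc, char **argv) {
    uint64_t seed = argc > 1 ? strtoull(argv[1], NULL, 0) : (uint64_t)time(NULL);
    rng_seed(seed);
    FILE *log = fopen("fuzz-example.log", "a");   /* Trinity keeps one per child */
    if (!log) { perror("fopen"); return 1; }
    fprintf(log, "seed=%llu fds=%d\n", (unsigned long long)seed, fd_pool_fill());
    for (int i = 0; i < 20; i++)
        fuzz_lseek_once(log);
    fclose(log);
    return 0;
}
```

Run it as `./a.out 42` to get a reproducible sequence; the seed is the first line of the log, so a crash can be replayed. A real fuzzer replaces the single lseek call with a table of syscalls and per-argument type annotations, which is exactly what Trinity's syscall descriptors provide.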

  Several test harnesses are provided (test-*.sh) which run trinity in various modes and take care of things like CPU affinity and running from the tmp directory (handy for cleaning up any garbage-named files: just rm -rf tmp afterwards).

5. Options

  --quiet/-q: reduce verbosity. Specify once to not output register values, or twice to also suppress the syscall count.
  --verbose: increase verbosity.
  -D: debug mode. Useful for catching core dumps if trinity itself is segfaulting, as by default the child processes ignore those signals.
  -sN: use N as the random seed (omitting this uses the time of day as the seed). Note: there are currently a few bugs that mean no two runs are necessarily 100% identical with the same seed; see the TODO for details.
  --kernel_taint/-T: controls which kernel taint flags should be considered. The following flag names are supported: PROPRIETARY_MODULE, FORCED_MODULE, UNSAFE_SMP, FORCED_RMMOD, MACHINE_CHECK, BAD_PAGE, USER, DIE, OVERRIDDEN_ACPI_TABLE, WARN, CRAP, FIRMWARE_WORKAROUND and OOT_MODULE. For instance, to have trinity monitor only the BAD_PAGE, WARN and MACHINE_CHECK flags, pass "-T BAD_PAGE,WARN,MACHINE_CHECK".
  --list/-L: list known syscalls and their offsets.
  --proto/-P: for network sockets, only use a specific protocol family.
  --victims/-V: victim files/dirs. By default, on startup trinity tree-walks /dev, /sys and /proc. Using this option you can specify a different path (currently limited to just one path).
  -p: pause after making a syscall.
  --children/-C: number of child processes.
  -x: exclude a syscall from being called. Useful when there's a known kernel bug you keep hitting that you want to avoid. Can be specified multiple times.
  -cN: do syscall N with random inputs. Good for concentrating on a certain syscall, e.g. one you just added. Can be specified multiple times.
  --group/-g: enable a group of syscalls. Current groups defined are 'vm' and 'vfs'.
  --logging/-l <arg>:
    off: disables logging to files. Useful if you have a serial console, though you will likely lose any information about which system call was being called, what maps got set up, etc. It does make things go considerably faster, however, as trinity no longer fsync()'s after every syscall.
    <hostname>: sends packets over UDP to a trinity server running on another host. Note: still in development. Enabling this feature disables log-to-file.
    <dir>: a directory where trinity will dump its log files.
  --ioctls/-I: dump all available ioctls.
  --arch/-a: explicit selection of the 32-bit or 64-bit variant of system calls.

Examples:

./trinity -c splice
  Stress test the splice syscall.

./trinity -x splice
  Call every syscall except for splice.

./trinity -qq -l off -C16
  Turn off logging and suppress most output to run as fast as possible, using 16 child processes.
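A wrapper that applies the options above the way the test-*.sh harnesses do, as an added example (it is not one of Trinity's own scripts): it records the seed, runs from a scratch directory so the logs and any garbage-named files can be deleted together, pins the run to one CPU, accepts an exclusion list, and compares the kernel taint value before and after the run. It assumes `trinity`, `taskset` and `timeout` are on PATH; the four children and the 120-second budget are arbitrary choices.

```sh
#!/bin/sh
# Compose the trinity command line from seed, child count, log directory and
# an optional comma-separated list of syscalls to exclude.
trinity_args() {
    seed=$1; children=$2; logdir=$3; exclude=${4:-}
    set -- -s "$seed" -C "$children" -l "$logdir"
    for sc in $(printf '%s' "$exclude" | tr ',' ' '); do
        set -- "$@" -x "$sc"
    done
    printf '%s\n' "$*"
}

# Bits set in the "after" taint value that were clear in "before"
# (bit 9, value 512, is WARN: a kernel WARN_ON fired during the run).
taint_new_bits() {
    echo $(( $2 & ~$1 ))
}

main() {
    seed=${SEED:-$(date +%s)}
    workdir=$(mktemp -d /tmp/trinity-run.XXXXXX)
    before=$(cat /proc/sys/kernel/tainted)
    echo "seed=$seed workdir=$workdir taint_before=$before" | tee "$workdir/run.info"

    # Run from the scratch dir so everything trinity creates goes with it.
    # Trinity refuses to run as root: use an unprivileged account in a
    # throwaway VM, because a successful run may well take the kernel down.
    # shellcheck disable=SC2046  (word splitting of the argument string is intended)
    ( cd "$workdir" && timeout 120 taskset -c 0 \
        trinity $(trinity_args "$seed" 4 "$workdir" "${EXCLUDE:-}") ) || true

    after=$(cat /proc/sys/kernel/tainted)
    new=$(taint_new_bits "$before" "$after")
    if [ "$new" -ne 0 ]; then
        echo "taint changed (new bits: $new): check dmesg and the logs in $workdir"
    fi
}

# Only run when asked, e.g.: TRINITY_RUN=1 SEED=42 EXCLUDE=splice,vmsplice ./run-trinity.sh
if [ -n "${TRINITY_RUN:-}" ]; then main; fi
```

Keeping the seed in run.info matters more than it looks: with `-s` the same seed replays (mostly) the same call sequence, which is what you need when turning a one-off panic into a report.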

References

  • https://github.com/kernelslacker/trinity
  • https://securityonline.info/trinity-a-linux-system-call-fuzz-tester/
