README

---------------------------------------
iknowthis Linux SystemCall Fuzzer
-------------------------------------------------

iknowthis is a fuzz testing framework for Linux system calls. It is designed to
make system calls in random order, with random parameters in order to spot
subtle kernel bugs.

In order to get good coverage, each system call is annotated with a prototype,
and optionally a simple routine to manage any resources that may have been
created (sockets, file descriptors, etc.). These resources are then handed to
other system calls, in order to try and reach some pathological state of
operation.

Here is a trivial example of a fuzzer:

// Check real user’s permissions for a file.
SYSFUZZ(access, __NR_access, SYS_NONE, CLONE_DEFAULT, 0)
{
    gchar   *pathname;
    gint     retcode;

    retcode = spawn_syscall_lwp(this, NULL, __NR_access,                                            // int
                                typelib_get_pathname(&pathname),                                    // const char *pathname
                                typelib_get_integer_mask(R_OK | W_OK | X_OK | F_OK));               // int mode

    g_free(pathname);
    return retcode;
}

Typelib is a set of routines to manage common kernel parameters.
spawn_syscall_lwp() is a syscall invokation routine that tries to isolate our
main process from any damage by executing it in a new lwp. If you're certain
that a system call can never timeout or damage us, then you can use a faster
alternative.

I've used glib for common data structures, so copied their naming convention
where appropriate.

* Making a fuzzer
* Using and improving typelib
* Debugging

I usually run iknowthis in a virtual machine, for easier debugging, you can try something like this:

$ while true; do (sleep 1h ; sudo killall -9 iknowthis) & sudo ./iknowthis --dangerous; kill %1; done