kAFL

HW-assisted Feedback Fuzzer for x86 VMs

kAFL/Nyx is a fast guided fuzzer for the x86 VM. It is great for anything that executes as QEMU/KVM guest, in particular x86 firmware, kernels and full-blown operating systems.

Note: All components are provided for research and validation purposes only. Use at your own Risk

Targets

kAFL is the main fuzzer driving the Linux Security Hardening for Confidential Compute effort, identifing vulnerabilities in a complex setup and improving the security of the Linux kernel for all CC solutions.

Among other successful targets for kAFL/Nyx :

• Intel SGX enclaves
• Intel TDX TDVF firmware
• Mozilla Firefox IPCs
• Linux network applications
• Windows drivers
• Hypervisors
• Play Super Mario at 10-30x speedups !

Additionally, kAFL has been used internally at Intel for x86 firmware and drivers validation as well as SMM handlers fuzzing.

Features

• kAFL/Nyx uses Intel VT, Intel PML and Intel PT to achieve efficient execution, snapshot reset and coverage feedback for greybox or whitebox fuzzing scenarios. It allows to run many x86 FW and OS kernels with any desired toolchain and minimal code modifications.

• kAFL uses a custom kAFL-Fuzzer written in Python. The kAFL-Fuzzer follows an AFL-like design and is optimized for working with many Qemu instances in parallel, supporting flexible VM configuration, logging and debug options.

• kAFL integrates the Radamsa fuzzer as well as Redqueen and Grimoire extensions. Redqueen uses VM introspection to extract runtime inputs to conditional instructions, overcoming typical magic byte and other input checks. Grimoire attempts to identify keywords and syntax from fuzz inputs in order to generate more clever large-scale mutations.

For details on Redqueen, Grimoire, IJON, Nyx, please visit nyx-fuzz.com.

Requirements

• Intel Skylake or later: The setup requires a Gen-6 or newer Intel CPU (for Intel PT) and adequate system memory (~2GB RAM per CPU)

• Patched Host Kernel: A modified Linux host kernel will be installed as part of the setup. Running kAFL inside a VM may work starting IceLake or later CPU.

• Recent Debian/Ubuntu: The installation and tutorials are tested for recent Ubuntu LTS (>=20.04) and Debian (>=bullseye).

Getting Started

Once you have python3-venv and make installed, you can install kAFL using make deploy:

sudo apt install python3-venv make git
git clone https://github.com/IntelLabs/kAFL.git
cd kAFl
make deploy

Installation make take some time and require a reboot to update your kernel.

Check the detailed installation guide in case of trouble, or the deployment guide for detailed information and customizing the kAFL setup for your project.

Fuzzing your first target

As a first fuzzing example, we recommend Fuzzing the Linux Kernel.

Other targets are available such as:

• Windows driver/userspace
• Linux userspace
• UEFI OVMF

A improved documentation is under work for these targets.

Maintainers

• @Wenzel - Mathieu Tarral (Intel)
• @il-steffen - Steffen Schulz (IntelLabs)

License