!50 Translation completed: sources/syzkaller/linux/external_fuzzing_network.md
Merge pull request !50 from 索晨昊/master
gitveg authored and gitee-org committed Mar 17, 2024
2 parents e6d3c8a + eaae8d2 commit 8343bf3
Showing 1 changed file with 33 additions and 26 deletions.
59 changes: 33 additions & 26 deletions sources/syzkaller/linux/external_fuzzing_network.md
@@ -1,42 +1,49 @@
---
status: translating
status: translated
title: "External network fuzzing for Linux kernel"
author: Syzkaller Community
collector: chengziqiu
translator:squirrel_sch
collected_date: 20240314
translator:squirrel_sch
translated_date: 20240317
link: https://github.com/google/syzkaller/blob/master/docs/linux/external_fuzzing_network.md
---

External network fuzzing for Linux kernel

Linux 内核的外部网络模糊测试
=========================================

syzkaller has support for external fuzzing of the network stack.
This is achieved by using the [TUN/TAP](https://www.kernel.org/doc/Documentation/networking/tuntap.txt) interface.
It allows to set up a virtual network interface and send packets to the kernel as they are being received from an external network.
This triggers the same paths as a real packet delivered through a real network interface (except for the driver layer).

You need to enable the `CONFIG_TUN` kernel config to enable external network fuzzing.
See `initialize_tun()` in [executor/common_linux.h](/executor/common_linux.h) for the exact way the virtual interface is set up.
syzkaller 支持对网络栈的外部模糊测试。
这是通过使用[TUN/TAP](https://www.kernel.org/doc/Documentation/networking/tuntap.txt)接口来实现的.
它允许设置一个虚拟网络接口,并将从外部网络接收到的数据包发送到内核。
这触发了与通过真实网络接口传递的真实数据包拥有相同的路径(除了驱动层)。


您需要启用 CONFIG_TUN 内核配置来启用外部网络模糊测试。
关于如何具体设置虚拟接口,请参考 [executor/common_linux.h](/executor/common_linux.h) 中的`initialize_tun()`函数

The template descriptions can be found in [sys/linux/vnet.txt](/sys/linux/vnet.txt).
At this moment there are 2 fake syscalls: `syz_emit_ethernet` and `syz_extract_tcp_res`.
The first one externally sends a packet through the virtual interface.
The second one tries to externally receive a packet back and parse TCP sequence numbers from it for use in subsequent packets.
There are many protocols or protocol extensions that are not described yet, so the additions are welcome!

Since fuzzing may be done in multiple executor processes within the same VM instance, we need a way to isolate the virtual networks for different executors.
Right now this is done by creating one virtual interface per executor and assigning different MAC, IPv4 and IPv6 addresses to each of these interfaces.
Then the template descriptions make use of the `proc` type to generate proper addresses for each executor.
对于模板的描述可以在 [sys/linux/vnet.txt](/sys/linux/vnet.txt) 中找到。
目前有两个系统调用: `syz_emit_ethernet``syz_extract_tcp_res`
第一个伪系统调用通过虚拟接口向外发送数据包。
第二个伪系统调用尝试从外部接收数据包,并从中解析 TCP 序列号,以便在后续的数据包中使用。
目前还有很多协议或协议扩展尚未描述,因此非常欢迎补充!

Since many network protocols require checksum fields to be embedded into packets, there's a support for describing such fields.
There's a `csum` type, which right now supports two different kinds of checksumming:
[the Internet checksum](https://tools.ietf.org/html/rfc1071): `csum[parent, inet, int16be]`,
and TCP-like pseudo header checksum: `csum[tcp_packet, pseudo, IPPROTO_TCP, int16be]`.
The checksums are computed and embedded right before emitting a packet through the virtual interface.
There's also a nice feature: when syzkaller generates a C reproducer, it generates code to compute checksums in runtime as well.

By using `syz_emit_ethernet` and `syz_extract_tcp_res` the following syzkaller program is able to establish a TCP connection over IPv4:
由于模糊测试可能在同一个虚拟机实例内的多个执行器进程中进行,我们需要一种方式来隔离不同执行器的虚拟网络。
目前,这是通过为每个执行器创建一个虚拟接口,并为这些接口分配不同的 MAC 地址、IPv4 地址和 IPv6 地址来实现的。
然后,模板描述利用 `proc` 类型来为每个执行器生成适当的地址。


由于许多网络协议需要将校验和字段嵌入到数据包中,因此支持描述此类字段。
这里存在一个 `csum` 类型,目前支持两种不同类型的校验和计算:
Internet 校验和 [the Internet checksum](https://tools.ietf.org/html/rfc1071) : `csum[parent, inet, int16be]`,
以及类似于 TCP 的伪头部校验和: `csum[tcp_packet, pseudo, IPPROTO_TCP, int16be]`
在通过虚拟接口发送数据包之前,会计算并嵌入这些校验和。
这里还有一个很好的特性:当 syzkaller 生成 C 语言重现器时,它也会生成在运行时计算校验和的代码。

通过使用 `syz_emit_ethernet` and `syz_extract_tcp_res` 以下 syzkaller 程序能够建立基于 IPv4 的 TCP 连接:

```
mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
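Review bot: the front matter line `translator:squirrel_sch` has no space after the colon, so a YAML parser will not read it as a key/value pair the way it reads `collected_date: 20240314` beside it; write `translator: squirrel_sch`. In the translated body, the line "目前有两个系统调用: `syz_emit_ethernet``syz_extract_tcp_res`" drops "fake" from "2 fake syscalls" (the next two lines do say 伪系统调用) and runs the two names together with no separator. The CONFIG_TUN sentence loses the backticks the English had, the sentence introducing the IPv4 program still contains an English "and", and the TUN/TAP sentence ends in an ASCII "." where the others use "。". Finally, "将从外部网络接收到的数据包发送到内核" reads as relaying packets that really arrived from an external network, whereas the English line says packets are sent to the kernel "as they are being received from an external network"; please reword so it is clear the packets are injected through the virtual interface.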
Expand All @@ -55,7 +62,7 @@ tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN
tcp 2 0 172.20.0.170:20000 172.20.0.187:20001 ESTABLISHED 5477/a.out
```

Similar program for IPv6:
对于 IPV6 来说也有类似的程序:

```
mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
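Review bot: "IPV6" in the added line "对于 IPV6 来说也有类似的程序:" is capitalised differently from the "IPv6" in the English line it replaces and from "IPv6 地址" earlier in the same translation; use "IPv6" here as well.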
Expand All @@ -72,4 +79,4 @@ r3 = accept$inet6(r0, &(0x7f0000004000)={0x0, 0x0, 0x0, @empty={[0x0, 0x0, 0x0,
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 :::20001 :::* LISTEN 5527/a.out
tcp6 0 0 fe80::aa:20001 fe80::bb:20000 ESTABLISHED 5527/a.out
```
```
