Trinity Linux system call fuzzer updated
Trinity, a system call fuzzing tester for the Linux kernel, has been updated to version 1.1, adding support in its tables for all syscalls up to Linux kernel 3.8rc4. Fuzzing is a security technique which feeds random arguments into functions to see what breaks.
Trinity is slightly different from traditional fuzzing though, as the data it feeds into Linux system calls isn't purely random. Creator Dave Jones had found that, after the "*really* dumb bugs" had been fixed, just passing random values would leave a fuzzer running and running. An example he gives is how system calls would reject a random file descriptor easily.
Instead, Trinity creates a pool of file descriptors from pipes, sysfs, procfs, /dev and sockets and, when a system call needs a file descriptor, selects a random one from the pool. The software also shares the descriptor pool between threads, which "causes havoc sometimes". Trinity also uses information about each system call to provide "something at least semi-sensible" as arguments, including good candidates for off-by-one errors.
The update improves ARM support and adds MIPS and SuperH architectures to its repertoire of i386, IA-64, PowerPC-64, SPARC-64 and x86-64. Trinity also has improved reproducibility so that, when a kernel oops occurs, Trinity records the last random seed used so a developer can use its value to recreate the problem. Runs with the same seed are not guaranteed to be identical, but Jones says that this issue will be worked on in the next release. When running Trinity, he suggests doing it on a system with "no data that you care about" and reminds users to check the Found Bugs page for any problems that have already been detected.
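To make the two ideas above concrete, the descriptor pool with table-driven, semi-sensible arguments, and a seed that makes a run replayable, here is an added illustration in Python. It is not Trinity's code and does not use Trinity's table format; the syscall table, the argument kinds, the pointer candidates and the 90/10 split between pooled and bogus descriptors are all constructed for the example. It only plans arguments and never issues the calls, so it is safe to run anywhere.

```python
import mmap
import os
import random
import socket

# Hypothetical syscall table: the argument kinds each call takes. Trinity's
# real tables are far richer; this shape exists only for illustration.
SYSCALL_TABLE = {
    "read":  ("fd", "ptr", "len"),
    "write": ("fd", "ptr", "len"),
    "lseek": ("fd", "off", "whence"),
    "ioctl": ("fd", "ulong", "ulong"),
}


def boundary_values(bits=32):
    """Off-by-one candidates: every power of two in range plus its +/-1
    neighbours, and the signed/unsigned maxima for the given width."""
    vals = {0, 1}
    for shift in range(1, bits):
        p = 1 << shift
        vals.update({p - 1, p, p + 1})
    vals.update({(1 << bits) - 1, (1 << (bits - 1)) - 1})
    return sorted(vals)


class FdPool:
    """A pool of live descriptors of several kinds, as the article describes:
    a pipe, a /dev node, procfs and sysfs files, and a socket."""

    def __init__(self):
        self._sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._sock_fd = self._sock.fileno()
        r, w = os.pipe()
        self.fds = [r, w, os.open("/dev/null", os.O_RDWR), self._sock_fd]
        for path in ("/proc/self/status", "/sys/kernel/hostname"):
            try:
                self.fds.append(os.open(path, os.O_RDONLY))
            except OSError:
                pass  # not every host has procfs/sysfs mounted

    def close(self):
        self._sock.close()  # the socket object owns its descriptor
        for fd in self.fds:
            if fd != self._sock_fd:
                os.close(fd)


class ArgGenerator:
    """Seeded, table-driven argument generator. Same seed + same pool gives
    the same sequence of (syscall, args), which is what makes a crash replayable."""

    def __init__(self, seed, pool_fds):
        self.rng = random.Random(seed)
        self.pool = list(pool_fds)
        self.boundaries = boundary_values()

    def arg(self, kind):
        r = self.rng
        if kind == "fd":
            # Usually a real descriptor from the pool; occasionally a bogus one
            # so the EBADF path is still exercised (constructed 90/10 split).
            return r.choice(self.pool) if r.random() < 0.9 else r.randint(-1, 4096)
        if kind in ("len", "off"):
            return r.choice(self.boundaries) if r.random() < 0.5 else r.getrandbits(32)
        if kind == "whence":
            return r.choice([0, 1, 2, 3])  # SEEK_SET/CUR/END and one past the end
        if kind == "ptr":
            # Constructed address candidates: NULL, around a page boundary, and -1.
            page = mmap.PAGESIZE
            return r.choice([0, page - 1, page, page + 1, (1 << 64) - 1])
        if kind == "ulong":
            return r.getrandbits(64)
        raise ValueError(f"unknown argument kind: {kind}")

    def next_call(self):
        name = self.rng.choice(sorted(SYSCALL_TABLE))
        return name, tuple(self.arg(k) for k in SYSCALL_TABLE[name])


def generate_run(seed, pool_fds, count=8):
    """Produce the argument plan for one run; nothing is executed."""
    gen = ArgGenerator(seed, pool_fds)
    return [gen.next_call() for _ in range(count)]


def same_seed_reproduces(seed, pool_fds, count=8):
    """The reproducibility property: two runs from one seed plan identical calls."""
    return generate_run(seed, pool_fds, count) == generate_run(seed, pool_fds, count)


if __name__ == "__main__":
    pool = FdPool()
    try:
        seed = 0xC0FFEE  # a real fuzzer logs this so an oops can be replayed
        for name, args in generate_run(seed, pool.fds):
            print(f"seed={seed:#x} {name}{args}")
    finally:
        pool.close()
```

Note that the determinism only holds while a single generator draws from one `random.Random` instance; once several threads share the pool and the generator, as Trinity does, the interleaving alone can change the sequence, which is exactly why the article says same-seed runs are not yet guaranteed to be identical.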
A fuller list of changes in Trinity 1.1 is available in the release announcement. The Trinity home page has links to download the code or access the Git repository. Jones will be talking about Trinity at next week's Linux.conf.au in Canberra, Australia.