{
  "id":13538910,
  "url":"https://github.com/kernelslacker/trinity",
  "last_synced_at":"2025-04-02T05:32:11.490Z",
  "repository":{"id":5409554,"uuid":"6600033","full_name":"kernelslacker/trinity","owner":"kernelslacker","description":"Linux system call fuzzer","archived":false,"fork":false,"pushed_at":"2024-09-19T18:38:26.000Z","size":5315,"stargazers_count":867,"open_issues_count":3,"forks_count":241,"subscribers_count":74,"default_branch":"master","last_synced_at":"2024-11-03T03:32:19.539Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kernelslacker.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2012-11-08T17:18:45.000Z","updated_at":"2024-10-26T00:14:56.000Z","dependencies_parsed_at":"2023-01-11T16:48:25.982Z","dependency_job_id":"5a0b05ee-a17a-4e22-8af4-e83d79d9d429","html_url":"https://github.com/kernelslacker/trinity","commit_stats":{"total_commits":5186,"total_committers":86,"mean_commits":60.30232558139535,"dds":0.3578866178172001,"last_synced_commit":"87f15303f1487de58fcb012560cb2eac59229a64"},"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kernelslacker%2Ftrinity","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kernelslacker%2Ftrinity/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kernelslacker%2Ftrinity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kernelslacker%2Ftrinity/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kernelslacker","download_url":"https://codeload.github.com/kernelslacker/trinity/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246763809,"owners_count":20829795,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},
  "keywords":[],
  "created_at":"2024-08-01T09:01:17.591Z",
  "updated_at":"2025-04-02T05:32:09.124Z",
  "avatar_url":"https://github.com/kernelslacker.png",
  "language":"C",
  "funding_links":[],
  "categories":["\u003ca id=\"683b645c2162a1fce5f24ac2abfa1973\"\u003e\u003c/a\u003e漏洞\u0026\u0026漏洞管理\u0026\u0026漏洞发现/挖掘\u0026\u0026漏洞开发\u0026\u0026漏洞利用\u0026\u0026Fuzzing","Tools"],
  "sub_categories":["功能","Kernel","二进制"],
  "readme":"Trinity: Linux system call fuzzer.\n\n\t\"After the initial euphoria of witnessing the explosion had passed, test\n\t director Kenneth Bainbridge commented to Los Alamos director J. Robert\n\t Oppenheimer, \"Now we are all sons of bitches.\"   Oppenheimer later stated\n\t that while watching the test he was reminded of a line from the Hindu\n\t scripture the Bhagavad Gita:\n\n\t\tNow I am become Death, the destroyer of worlds.\"\n\n\n#######################################################################\n\nWARNINGS:\n* This program may seriously corrupt your files, including any of those\n  that may be writable on mounted network file shares.  It may create network\n  packets that may cause disruption on your local network.\n\n* Trinity may generate the right selection of syscalls to start sending random network\n  packets to other hosts. While every effort is made to restrict this to IP addresses\n  on local LANs, multicast \u0026 broadcast, care should be taken to not allow the\n  packets it generates to go out onto the internet.\n\n  Run at your own risk.\n\n\n#######################################################################\n\nSystem call fuzzers aren't a particularly new idea.   As far back as 1991,\npeople have written apps that bomb syscall inputs with garbage data,\nthat have had a variety of success in crashing assorted operating systems.\n\nAfter fixing the obvious dumb bugs however, a majority of the time\nthese calls will just be rejected by the kernel very near the beginning\nof their function entry point as basic parameter validation is performed.\n\nTrinity is a system call fuzzer which employs some techniques to\npass semi-intelligent arguments to the syscalls being called.\n\nThe intelligence features include:\n\n- If a system call expects a certain datatype as an argument\n  (for example a file descriptor) it gets passed one.\n  This is the reason for the slow initial startup, as it generates a\n  list of fd's of files it can read from /sys, /proc and /dev\n  and then supplements this with fd's for various network protocol sockets.\n  (Information on which protocols succeed/fail is cached on the first run,\n   greatly increasing the speed of subsequent runs).\n\n- If a system call only accepts certain values as an argument,\n  (for example a 'flags' field), trinity has a list of all the valid\n  flags that may be passed.\n  Just to throw a spanner in the works, occasionally, it will bitflip\n  one of the flags, just to make things more interesting.\n\n- If a system call only takes a range of values, the random value\n  passed is biased to usually fit within that range.\n\n\nTrinity logs its output to files (1 for each child process), and fsync's\nthe files before it actually makes the system call. This way, should you trigger\nsomething which panics the kernel, you should be able to find out exactly what\nhappened by examining the log.\n\nThere are several test harnesses provided (test-*.sh), which run trinity in\nvarious modes and take care of things like cpu affinity, and make sure it runs from the\ntmp directory. (Handy for cleaning up any garbage named files; just rm -rf tmp afterwards)\n\n######### options ###############################################\n\n --quiet/-q: reduce verbosity.\n   Specify once to not output register values, or twice to also suppress syscall count.\n\n --verbose: increase verbosity.\n\n -D: Debug mode.\n     This is useful for catching core dumps if trinity is segfaulting, as by default\n     the child processes ignore those signals.\n\n -sN: use N as random seed.  (Omitting this uses time of day as a seed).\n  Note: There are currently a few bugs that mean no two runs are necessarily 100%\n  identical with the same seed. See the TODO for details.\n\n --kernel_taint/-T: controls which kernel taint flags should be considered.\n\tThe following flag names are supported: PROPRIETARY_MODULE, FORCED_MODULE, UNSAFE_SMP,\n\tFORCED_RMMOD, MACHINE_CHECK, BAD_PAGE, USER, DIE, OVERRIDDEN_ACPI_TABLE, WARN, CRAP,\n\tFIRMWARE_WORKAROUND, and OOT_MODULE. For instance, to set trinity to monitor only BAD,\n\tWARN and MACHINE_CHECK flags one should specify \"-T BAD,WARN,MACHINE_CHECK\" parameter.\n\n --list/-L: list known syscalls and their offsets\n\n --proto/-P: For network sockets, only use a specific packet family.\n\n --victims/-V: Victim file/dirs.  By default, on startup trinity tree-walks /dev, /sys and /proc.\n     Using this option you can specify a different path.\n     (Currently limited to just one path)\n\n -p: Pause after making a syscall\n\n --children/-C: Number of child processes.\n\n -x: Exclude a syscall from being called.  Useful when there's a known kernel bug\n     you keep hitting that you want to avoid.\n     Can be specified multiple times.\n\n -cN: do syscall N with random inputs.\n     Good for concentrating on a certain syscall, if, e.g., you just added one.\n     Can be specified multiple times.\n\n --group/-g\n   Used to specify enabling a group of syscalls. Current groups defined are 'vm' and 'vfs'.\n\n --logging/-l \u003carg\u003e\n  off: This disables logging to files. Useful if you have a serial console, though you\n         will likely lose any information about what system call was being called,\n         what maps got set up etc. Does make things go considerably faster however,\n         as it no longer fsync()'s after every syscall\n  \u003chostname\u003e : sends packets over udp to a trinity server running on another host.\n         Note: Still in development. Enabling this feature disables log-to-file.\n  \u003cdir\u003e : Specify a directory where trinity will dump its log files.\n\n --ioctls/-I will dump all available ioctls.\n\n --arch/-a Explicit selection of 32 or 64 bit variant of system calls.\n\n#######################################################################\n\nExamples:\n./trinity -c splice\nStress test the splice syscall\n\n./trinity -x splice\nCall every syscall except for splice.\n\n./trinity -qq -l off -C16\nTurn off logging, and suppress most output to run as fast as possible. Use 16 child processes\n\n\n#######################################################################\n\nDevelopment discussion of trinity occurs at trinity@vger.kernel.org\nAs with all vger mailing lists, subscribe by sending 'subscribe trinity'\nin the body of a mail to majordomo@vger.kernel.org\n\n######### Links to similar projects ####################################\n\n= tsys - 1991.\n  http://groups.google.com/groups?q=syscall+crashme\u0026hl=en\u0026lr=\u0026ie=UTF-8\u0026selm=1991Sep20.232550.5013%40smsc.sony.com\u0026rnum=1\n\n= iknowthis\n  http://iknowthis.googlecode.com\n  Fuzzer by Tavis Ormandy with very similar goals to this project.\n\n= sysfuzz\n  basic fuzzer by Ilja van Sprundel\n  mentioned in http://events.ccc.de/congress/2005/fahrplan/attachments/683-slides_fuzzing.pdf\n  http://leetupload.com/dbindex2/index.php?dir=Linux/\u0026file=sysfuzz.tar.gz\n\n= xnufuzz\n  https://github.com/fintler/xnufuzz/tree/\n  basic fuzzer for XNU.  Looks to be based on Ilja's sysfuzz.\n\n= kg_crashme / ak_crashme / dj_crashme\n  Kurt Garloff wrote a fuzzer similar to Ilja's sysfuzz in 2003.\n  The ak / dj variants were improvements added by Andi Kleen, and Dave Jones.\n",
  "project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkernelslacker%2Ftrinity",
  "html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkernelslacker%2Ftrinity",
  "lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkernelslacker%2Ftrinity/lists"
}