{"id":48996246,"url":"https://github.com/rub-syssec/kafl","last_synced_at":"2026-05-21T10:01:11.154Z","repository":{"id":43961400,"uuid":"100175701","full_name":"RUB-SysSec/kAFL","owner":"RUB-SysSec","description":"Code for the USENIX 2017 paper: kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels","archived":false,"fork":false,"pushed_at":"2019-01-10T21:23:25.000Z","size":416,"stargazers_count":573,"open_issues_count":15,"forks_count":129,"subscribers_count":41,"default_branch":"master","last_synced_at":"2024-12-24T09:02:16.734Z","etag":null,"topics":["fuzzing","intel-pt","intelpt","kernel","kernel-fuzzing","processor-trace"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/RUB-SysSec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-08-13T12:38:59.000Z","updated_at":"2024-12-18T10:02:49.000Z","dependencies_parsed_at":"2022-09-05T09:50:37.603Z","dependency_job_id":null,"html_url":"https://github.com/RUB-SysSec/kAFL","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/RUB-SysSec/kAFL","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RUB-SysSec%2FkAFL","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RUB-SysSec%2FkAFL/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RUB-SysSec%2FkAFL/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RUB-SysSec%2FkAFL/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/RUB-SysSec","download_url":"https://codeload.github.com/RUB-SysSec/kAFL/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RUB-SysSec%2FkAFL/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33297101,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-21T02:57:32.698Z","status":"ssl_error","status_checked_at":"2026-05-21T02:57:31.990Z","response_time":62,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fuzzing","intel-pt","intelpt","kernel","kernel-fuzzing","processor-trace"],"created_at":"2026-04-18T17:00:46.517Z","updated_at":"2026-05-21T10:01:11.139Z","avatar_url":"https://github.com/RUB-SysSec.png","language":"Python","funding_links":[],"categories":["Tools"],"sub_categories":["Kernel"],"readme":"# kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels\n\nBlazing fast x86-64 VM kernel fuzzing framework with performant VM reloads for Linux, macOS and Windows.\n\nPublished at USENIX Security 2017.\n\n### Currently missing: \n\n- full documentation\n- agents for macOS and Windows (except for our test driver)\n\n## BibTeX:\n```\n@inproceedings{schumilo2017kafl,\n    author = {Schumilo, Sergej and Aschermann, Cornelius and Gawlik, Robert and Schinzel, Sebastian and Holz, Thorsten},\n    title = {{kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels}},\n    year = {2017},\n    booktitle = {USENIX Security Symposium} \n}\n```\n\n## Trophies\n\n- [Linux keyctl null pointer dereference](http://seclists.org/fulldisclosure/2016/Nov/76) (**CVE-2016-8650**)\n- [Linux EXT4 memory corruption](http://seclists.org/fulldisclosure/2016/Nov/75)\n- [Linux EXT4 denial of service](http://seclists.org/bugtraq/2016/Nov/1) \n- [macOS APFS memory corruption](https://support.apple.com/en-us/HT208221) (**CVE-2017-13800**)\n- [macOS HFS memory corruption](https://support.apple.com/en-us/HT208221) (**CVE-2017-13830**)\n\n\n## Setup\n\nThis is a short introduction on how to set up kAFL to fuzz Linux kernel components.\n\n### Download kAFL and install necessary components\n```\n$ git clone https://github.com/RUB-SysSec/kAFL.git\n$ cd kAFL\n$ chmod u+x install.sh\n$ sudo ./install.sh\n$ sudo reboot\n```\n\n### Setup VM\n* Create QEMU hard drive image:\n\n```\n$ qemu-img create -f qcow2 linux.qcow2 20G\n```\n\n* Retrieve an ISO file of the desired OS and install it inside a VM (in this case Ubuntu 16.04 server):\n\n```\n$ wget -O /path/to/where/to/store/ubuntu.iso http://de.releases.ubuntu.com/16.04/ubuntu-16.04.3-server-amd64.iso\n$ qemu-system-x86_64 -cpu host -enable-kvm -m 512 -hda linux.qcow2 -cdrom ubuntu.iso -usbdevice tablet\n```\n\n* Download kAFL and compile the loader agent:\n\n```\ngit clone https://github.com/RUB-SysSec/kAFL.git\ncd path/to/kAFL/kAFL-Fuzzer/agents\nchmod u+x compile.sh\n./compile.sh\n```\n\n* Shut down the VM\n\n### Prepare VM for kAFL fuzzing\n\n* On the host: Create Overlay and Snapshot Files:\n\n```\nmkdir snapshot \u0026\u0026 cd snapshot\nqemu-img create -b /absolute/path/to/hdd/linux.qcow2 -f qcow2 overlay_0.qcow2\nqemu-img create -f qcow2 ram.qcow2 512\n```\n\n* Start the VM using QEMU-PT:\n\n```\ncd /path/to/kAFL\n./qemu-2.9.0/x86_64-softmmu/qemu-system-x86_64 -hdb /path/to/snapshot/ram.qcow2 -hda /path/to/snapshot/overlay_0.qcow2 -machine pc-i440fx-2.6 -serial mon:stdio -enable-kvm -k de -m 512\n```\n\n* (Optional) Install and load the vulnerable Test Driver:\n\n```\ncd path/to/kAFL/kAFL-Fuzzer/vuln_drivers/simple/linux_x86-64/\nchmod u+x load.sh\nsudo ./load.sh\n```\n\n* Execute the loader binary in `path/to/kAFL/kAFL-Fuzzer/agents/linux_x86_64/loader/` as `root`. The VM should freeze. Switch to the QEMU management console and create a snapshot:\n\n```\n# press CTRL-a + c\nsavevm kafl\nq \n```\n\n### Compile and configure kAFL components\n* Edit `/path/to/kAFL/kAFL-Fuzzer/kafl.ini` (set `qemu-kafl_location` to point to `path/to/kAFL/qemu-2.9.0/x86_64-softmmu/qemu-system-x86_64`)\n\n* Compile agents:\n\n```\ncd \u003cKERNEL_AFL_ROOT\u003e/kAFL-Fuzzer/agents\nchmod u+x compile.sh\n./compile.sh\n```\n\n* Retrieve address ranges of loaded drivers:\n\n```\ncd /path/to/kAFL/kAFL-Fuzzer\npython kafl_info.py /path/to/snapshot/ram.qcow2 /path/to/snapshot/ agents/linux_x86_64/info/info 512 -v\n```\n\n### Start Fuzzing!\n\n```\npython kafl_fuzz.py /path/to/snapshot/ram.qcow2 /path/to/snapshot agents/linux_x86_64/fuzzer/kafl_vuln_test 512 /path/to/input/directory /path/to/working/directory -ip0 0xffffffffc0287000-0xffffffffc028b000 -v --Purge\n```\n\nThe value `ip0` is the address range of the fuzzing target.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frub-syssec%2Fkafl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frub-syssec%2Fkafl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frub-syssec%2Fkafl/lists"}