{"id":15144839,"url":"https://github.com/zhyfeng/dependency","last_synced_at":"2025-10-05T17:53:56.774Z","repository":{"id":57653315,"uuid":"167417084","full_name":"ZHYfeng/Dependency","owner":"ZHYfeng","description":null,"archived":false,"fork":false,"pushed_at":"2024-04-21T23:18:45.000Z","size":130529,"stargazers_count":21,"open_issues_count":0,"forks_count":6,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-01-30T21:12:18.532Z","etag":null,"topics":["kernel-fuzzing","llvm","syzkaller"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ZHYfeng.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-01-24T18:35:29.000Z","updated_at":"2024-09-27T20:51:57.000Z","dependencies_parsed_at":"2022-09-01T01:20:18.165Z","dependency_job_id":"ef157041-8980-4781-826d-f2b569e5e9e9","html_url":"https://github.com/ZHYfeng/Dependency","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ZHYfeng%2FDependency","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ZHYfeng%2FDependency/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ZHYfeng%2FDependency/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ZHYfeng%2FDependency/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ZHYfeng","download_url":"https://codeload.github.com/ZHYfeng/Dependency/
tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237890775,"owners_count":19382562,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kernel-fuzzing","llvm","syzkaller"],"created_at":"2024-09-26T11:01:04.201Z","updated_at":"2025-10-05T17:53:51.737Z","avatar_url":"https://github.com/ZHYfeng.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 1. what the artifact does\n\nThis artifact is for the paper \"Demystifying the Dependency Challenge in Kernel Fuzzing\". \nFuzz testing operating system kernels remains a daunting task to date. \nOne known challenge is that much of the kernel code is locked under specific kernel states and current kernel fuzzers are not effective in exploring such an enormous state space. \nWe refer to this problem as the dependency challenge. \nThough there are some efforts trying to address the dependency challenge, the prevalence and categorization of dependencies have never been studied. \nMost prior work simply attempted to recover dependencies opportunistically whenever they are relatively easy to recognize. \nWe undertake a substantial measurement study to systematically understand the real challenge behind dependencies.\nIn short, the artifact helps researchers understand the dependency challenge in kernel fuzzing.\n\n# 2. 
where it can be obtained\n\n## Virtual Machine and other files ready for Artifact Evaluation\n- username \u0026 password: icse22ae\n- zenodo archive: `https://doi.org/10.5281/zenodo.6029158`\n- also available on Google Drive: `https://drive.google.com/drive/folders/1Ts4P4iC2PHihtBviSXMUkn3My0PLkowN?usp=sharing`\n\n## Source Code\n- zenodo archive: `https://doi.org/10.5281/zenodo.6029520`\n- github and updates: `https://github.com/ZHYfeng/Dependency`\n\n## Evaluation Data\n- zenodo archive: `https://doi.org/10.5281/zenodo.5441138`\n- also available on Google Drive: `data.tar.gz` in `https://drive.google.com/drive/folders/1Ts4P4iC2PHihtBviSXMUkn3My0PLkowN?usp=sharing`\n\n# 3. how to repeat/replicate/reproduce the results presented in the paper\n\n## build our tools (skip this step if using virtual machine)\n```\nsudo apt install -y git\ngit clone https://github.com/ZHYfeng/Dependency.git\ncd Dependency\nbash build_script/build.bash\n```\n\n## prepare kernel and image (skip this step if using virtual machine)\n1. configure the kernel and image based on the requirements of syzkaller, and move the image to `path-of-Dependency/workdir/image`\n    \u003e doc of syzkaller: https://github.com/google/syzkaller/blob/master/docs/linux/setup_ubuntu-host_qemu-vm_x86-64-kernel.md  \n    \u003e the image we build: image.tar.gz in `https://drive.google.com/drive/folders/1Ts4P4iC2PHihtBviSXMUkn3My0PLkowN?usp=sharing`\n2. add `-fsanitize-coverage=no-prune` to `CFLAGS_KCOV` in the kernel config\n3. build the kernel using clang and move it to `path-of-Dependency/workdir/13-linux-clang-np`\n   \u003e the kernel we build: linux-clang-np.tar.gz in `https://drive.google.com/drive/folders/1Ts4P4iC2PHihtBviSXMUkn3My0PLkowN?usp=sharing`\n4. 
copy the kernel and generate bitcode of the kernel using `-fembed-bitcode -save-temps=obj`\n    \u003e https://github.com/ZHYfeng/Generate_Linux_Kernel_Bitcode/tree/master/Achieve/01-change-makefile  \n    \u003e the bitcode we build: linux-clang-np-bc-f.tar.gz in `https://drive.google.com/drive/folders/1Ts4P4iC2PHihtBviSXMUkn3My0PLkowN?usp=sharing`\n5. preprocess the kernel in order to save time\n   ```\n   cd path-of-Dependency/workdir/13-linux-clang-np\n   objdump -d vmlinux \u003e vmlinux.objdump\n   a2l -objdump=vmlinux.objdump\n   ```\n\n## prepare workdir (skip this step if using virtual machine)\n\u003e the workdir we prepare: workdir.tar.gz in `https://drive.google.com/drive/folders/1Ts4P4iC2PHihtBviSXMUkn3My0PLkowN?usp=sharing`\n1. make a directory called `dev_xxx` in `path-of-Dependency/workdir`\n2. copy the bitcode (.bc) and assembly code (.s) to the directory and rename them to `built-in.bc` and `built-in.s`\n3. copy the configuration files `path-of-Dependency/04-experiment_script/json/dra.json` and `path-of-Dependency/04-experiment_script/json/syzkaller.json`.\n   \u003e change the value of `file_bc` in `dra.json` to the relative path of the bitcode of the device driver you test  \n   \u003e change the value of `path_s` in `dra.json` to the relative path of the device driver you test  \n4. copy the run script `path-of-Dependency/04-experiment_script/python/run.py`\n5. generate static analysis results based on the static-taint-analysis-component `https://zenodo.org/record/5348989/files/static-taint-analysis-component.zip`\n\n## running the fuzzing\n(the paths below are for the virtual machine)\n1. activate the environment\n    ```\n    source /home/icse22ae/Dependency/environment.sh\n    ```\n2. pick one device driver in `/home/icse22ae/Dependency/workdir/workdir`, for example `cdrom`:\n    ```\n    cd /home/icse22ae/Dependency/workdir/workdir/dev_cdrom\n    ```\n3. configure the run script\n    \u003e time_run: the fuzzing time in seconds.  
\n    \u003e number_execute: the number of fuzzing runs.  \n    \u003e number_vm_count: the number of VMs in each fuzzing run.  \n\n    In our paper, `time_run` is at least 48 hours, `number_execute` is 3 and `number_vm_count` is 32.  \n    For artifact evaluation, `number_execute` and `number_vm_count` could be 1.  \n    `time_run` should be at least 5 minutes (20 minutes for the device driver kvm)\n4. run our tool using the script\n    It will automatically stop after `time_run`.\n    ```\n    python3 run.py\n    ```\n5. read the results  \n    Stay in the same environment as step 1 and the same path as step 2.\n    ```\n    go run /home/icse22ae/Dependency/03-syzkaller/tools/read_result/ -a2i\n    ```\n    The time this takes depends on the fuzzing configuration and the device driver.  \n    For cdrom, it should be several minutes. For kvm, it needs several hours.\n\n## understand the results\nYou can find the results used in our paper in `/home/icse22ae/Dependency/workdir/data`.  \n### Results after step 4 (run our tool using the script)\n1. The `dataDependency.bin`, `dataResult.bin`, `dataRunTime.bin`, `statistics.bin` in `./0` or `./1` or `./2` are the results in protobuf format.\n    \u003e The protobuf files are in `/home/icse22ae/Dependency/05-proto`\n### Results after step 5 (read the results)\n2. `0_coverage.txt` is the coverage of the fuzzing in `./0`. `coverage.txt` is the average coverage of all runs. Each line is `time@number-of-edge`.\n3. `conditionD.txt` lists all unresolved conditions related to dependency.\n4. `conditionND.txt` lists all unresolved conditions not related to dependency.\n5. `conditionDN.txt` lists all unresolved conditions related to dependency for which our static analysis cannot find their write statements.\n6. `intersection.txt` is the intersection coverage of all runs and `union_coverage.txt` is the union coverage of all runs. Each line is the address of the edge.\n7. 
`OutsideFunctions.txt` is the `Unreachable Functions Elimination` mentioned in our paper.\n8. `statistic.txt` is the statistic used in our paper.\n9. `uncovered.txt` lists all uncovered edges and their unresolved conditions, and `uncovered_more.txt` lists more details about them.\n\n### Example for one unresolved dependency\nWe still use `dev_cdrom` as the example; the results can be found in `data.tar.gz` as mentioned in the Evaluation Data section.  \n\n`conditionD.txt` lists all unresolved conditions related to dependency, for example:\n```\n0xffffffff8579b9b7@https://elixir.bootlin.com/linux/v4.16/source/drivers/cdrom/cdrom.c#L2279@0xffffffff8579b960@https://elixir.bootlin.com/linux/v4.16/source/drivers/cdrom/cdrom.c#L2279@mmc_ioctl_cdrom_read_audio@if.end11.i@\n @ @0xffffffff857a3eaa@https://elixir.bootlin.com/linux/v4.16/source/drivers/cdrom/cdrom.c#L2124@1@\n @ @0xffffffff8579b421@https://elixir.bootlin.com/linux/v4.16/source/drivers/cdrom/cdrom.c#L2228@0@\n @ @0xffffffff8579b05a@https://elixir.bootlin.com/linux/v4.16/source/drivers/cdrom/cdrom.c#L2187@1@\n\n```\n`0xffffffff8579b9b7` is the assembly address of the unresolved branch in the binary and `https://elixir.bootlin.com/linux/v4.16/source/drivers/cdrom/cdrom.c#L2279` is the source code of the unresolved dependency. `0xffffffff8579b960` is the assembly address of the condition of the unresolved branch and `https://elixir.bootlin.com/linux/v4.16/source/drivers/cdrom/cdrom.c#L2279` is again its source code. `if.end11.i` is the name of the basic block in LLVM bitcode.  
\nThe following lines are the write addresses for the unresolved dependency.\n\nThen we can find a file `0xffffffff8579b9b7.txt`, which is named after the assembly address of the unresolved branch.\nInside this file, we can find the number of dominator instructions of this unresolved dependency, \nthe inputs (test cases) from syzkaller which can reach the unresolved dependency, and the inputs which can reach the write address.\nWe can also find the call chain of the write address starting from the entry function.\n\n\n\n# 4. the structure and function of the source code\n\n- `02-dependency`\n  - `02-dependency/lib/DMM/`: mapping between assembly addresses in the binary and basic blocks in LLVM bitcode\n  - `02-dependency/lib/RPC/`: work with the fuzzing component (syzkaller) using Protobuf and gRPC\n  - `02-dependency/lib/STA/`: work with the static analysis component using JSON\n  - `02-dependency/lib/DCC/`: output human-readable information and statistics for unresolved conditions\n- `03-syzkaller`\n  - `03-syzkaller/syz-fuzzer/`: modifications for collecting more complete coverage and other related useful information from fuzzing\n  - `03-syzkaller/pkg/dra/`: work with the mapping component and output results using Protobuf and gRPC\n- `05-proto`: all Protobuf files\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzhyfeng%2Fdependency","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzhyfeng%2Fdependency","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzhyfeng%2Fdependency/lists"}