Syzkaller's edge coverage (trace-pc) treats every call to copy_from_user() as identical, even when a size argument of 1 versus 1000 triggers entirely different security consequences. That context-blind feedback is the single biggest blind spot in coverage-guided kernel fuzzing today.
The Blindness of Edge Coverage
KCOV's trace-pc mode records only which basic blocks were visited, not what values flowed through them. Two invocations of the same function that hit the same edges but carry different argument values are indistinguishable. For a kernel function like copy_from_user(), the difference between a size of 1 and 1000 can mean a harmless copy or a buffer overflow, but trace-pc feedback cannot tell the two runs apart.
How the LLVM Pass Works
The paper's author built an LLVM instrumentation pass that emits lightweight callbacks at function entry and return, capturing structured tuples of program counter, argument metadata, and field values. Composite types are decomposed automatically via DWARF DICompositeType metadata — zero source annotation required. A lock-free per-task ring buffer delivers these records to user space without interfering with existing KCOV or syzkaller infrastructure.
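To make both points concrete, the following user-space C sketch is an added example, not the paper's code or the output of its LLVM pass. It hand-instruments a stand-in for a kernel path that calls copy_from_user() the way a compiler pass would: trace_block() at each basic block stands in for KCOV trace-pc, and record_entry()/record_return() push (pc, argument index, value) tuples into a single-producer single-consumer lock-free ring, like the per-task ring the paper describes (here one global ring, a simplification). The site id, the log2 value bucketing used when hashing records, and the ring size are constructed assumptions. The result shows that size 1 and size 1000 produce identical edge signatures but different argument signatures.

```c
#include <assert.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SLOTS 64          /* power of two; constructed choice */
#define EDGE_MAP   256         /* toy edge bitmap size */
#define DEV_BUF    64          /* kernel-side destination buffer */
#define SITE_DEMO_IOCTL 0x1000 /* constructed stand-in for a call-site PC */

enum rec_kind { REC_ENTRY = 1, REC_RETURN = 2 };

/* One boundary record: what the pass emits at function entry/return. */
struct arg_rec {
    uint32_t kind;      /* REC_ENTRY or REC_RETURN */
    uint32_t pc;        /* call-site identifier */
    uint32_t arg_index; /* 1-based argument number; 0 for the return value */
    uint64_t value;     /* raw scalar value */
};

/* Lock-free SPSC ring: the instrumented task writes, user space reads. */
struct ring {
    struct arg_rec slot[RING_SLOTS];
    _Atomic uint32_t head; /* next write index */
    _Atomic uint32_t tail; /* next read index */
};
static struct ring g_ring;

static void ring_reset(void) {
    atomic_store(&g_ring.head, 0);
    atomic_store(&g_ring.tail, 0);
}

static int ring_push(const struct arg_rec *rec) {
    uint32_t head = atomic_load_explicit(&g_ring.head, memory_order_relaxed);
    uint32_t tail = atomic_load_explicit(&g_ring.tail, memory_order_acquire);
    if (head - tail == RING_SLOTS)
        return 0; /* full: drop rather than block the kernel path */
    g_ring.slot[head & (RING_SLOTS - 1)] = *rec;
    atomic_store_explicit(&g_ring.head, head + 1, memory_order_release);
    return 1;
}

static int ring_pop(struct arg_rec *out) {
    uint32_t tail = atomic_load_explicit(&g_ring.tail, memory_order_relaxed);
    uint32_t head = atomic_load_explicit(&g_ring.head, memory_order_acquire);
    if (head == tail)
        return 0; /* empty */
    *out = g_ring.slot[tail & (RING_SLOTS - 1)];
    atomic_store_explicit(&g_ring.tail, tail + 1, memory_order_release);
    return 1;
}

static void record_entry(uint32_t pc, uint32_t idx, uint64_t v) {
    struct arg_rec r = { REC_ENTRY, pc, idx, v };
    ring_push(&r);
}
static void record_return(uint32_t pc, uint64_t v) {
    struct arg_rec r = { REC_RETURN, pc, 0, v };
    ring_push(&r);
}

/* Edge-coverage stand-in for trace-pc: marks (prev_block ^ block) as seen. */
static uint8_t edge_map[EDGE_MAP];
static uint32_t prev_block;
static void trace_block(uint32_t block) {
    edge_map[(prev_block ^ block) % EDGE_MAP] = 1;
    prev_block = block;
}

static unsigned char dev_buf[DEV_BUF];
static unsigned char user_src[1024]; /* constructed "user" buffer */

/* Stand-in for a handler calling copy_from_user(dev_buf, user, size).
 * Instrumented by hand the way the pass would instrument it. */
static int demo_ioctl(const unsigned char *user, size_t size) {
    record_entry(SITE_DEMO_IOCTL, 2, (uint64_t)size);
    trace_block(0x10);                         /* entry block */
    if (size == 0) {
        trace_block(0x11);                     /* -EINVAL path */
        record_return(SITE_DEMO_IOCTL, (uint64_t)-22);
        return -22;
    }
    trace_block(0x12);                         /* copy path: same edge for 1 and 1000 */
    /* A real copy of `size` bytes into a 64-byte buffer overflows at 1000;
     * the demo clamps to stay memory-safe, but the edge trace is identical. */
    size_t n = size < DEV_BUF ? size : DEV_BUF;
    memcpy(dev_buf, user, n);
    record_return(SITE_DEMO_IOCTL, 0);
    return 0;
}

static uint64_t fnv1a(const void *p, size_t n, uint64_t h) {
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 1099511628211ULL; }
    return h;
}

/* log2-style bucket (bit length) so nearby values share feedback; assumption. */
static uint32_t value_bucket(uint64_t v) {
    uint32_t bits = 0;
    while (v) { bits++; v >>= 1; }
    return bits;
}

/* Signature a trace-pc fuzzer would see for one run. */
static uint64_t run_and_hash_edges(size_t size) {
    memset(edge_map, 0, sizeof edge_map);
    prev_block = 0;
    ring_reset();
    demo_ioctl(user_src, size);
    return fnv1a(edge_map, sizeof edge_map, 14695981039346656037ULL);
}

/* Signature a value-aware fuzzer would see: hash of drained boundary records. */
static uint64_t run_and_hash_args(size_t size) {
    memset(edge_map, 0, sizeof edge_map);
    prev_block = 0;
    ring_reset();
    demo_ioctl(user_src, size);
    uint64_t h = 14695981039346656037ULL;
    struct arg_rec r;
    while (ring_pop(&r)) {
        uint32_t fields[4] = { r.kind, r.pc, r.arg_index, value_bucket(r.value) };
        h = fnv1a(fields, sizeof fields, h);
    }
    return h;
}

int main(void) {
    printf("edges size=1    %016llx\n", (unsigned long long)run_and_hash_edges(1));
    printf("edges size=1000 %016llx\n", (unsigned long long)run_and_hash_edges(1000));
    printf("args  size=1    %016llx\n", (unsigned long long)run_and_hash_args(1));
    printf("args  size=1000 %016llx\n", (unsigned long long)run_and_hash_args(1000));
    return 0;
}
```

The two edge signatures print identical while the two argument signatures differ, which is exactly the gap the paper's boundary records close. The drop-on-full policy in ring_push() mirrors the design constraint that instrumentation must never stall the instrumented kernel path; a consumer that falls behind loses records rather than the kernel losing progress.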
Dual Utility: Better Fuzzing and Cleaner Root-Cause Analysis
Fuzzers gain state-aware feedback for mutation guidance into value-dependent state transitions — think state machines hidden inside kernel code that edge coverage can't touch. Security analysts get deterministic argument records for root-cause analysis, replacing the usual spaghetti of printk or kprobe scripts.
Rust Support Without Compiler Modification
Two Rust instrumentation paths are provided: a post-compilation pipeline requiring no rustc modification, and native instrumentation via rustc built against the custom LLVM. The author presents these as the only runtime methods for capturing Rust function arguments, since post-mortem inspection with drgn on a vmcore fails once -O2 elides the DWARF location information for those arguments.
With this framework, kernel fuzzers can finally navigate value-dependent state machines, and security audits shift from cluttered printk logs to structured argument records pulled from a lock-free ring buffer.
Source: Beyond Edge Coverage: Per-Task Data-Flow Extraction at Kernel Function Boundaries via LLVM
Domain: arxiv.org