kAFL is a blazing fast x86-64 VM kernel fuzzing framework with performant VM reloads for Linux, macOS and Windows. It works by running the target operating system inside a hardware-accelerated VM, giving the fuzzer full control over the environment. This is very helpful for recovering cleanly from crashes: the VM is simply reloaded from a snapshot rather than rebooted. Intel's Processor Trace (Intel PT) feature is used to obtain coverage information from the code running inside the VM. This way, the fuzzing logic running outside of the VM can use the coverage information to guide the fuzzing.
kAFL helped find and report multiple bugs, including:
- Linux keyctl null pointer dereference (CVE-2016-8650)
- Linux EXT4 memory corruption
- Linux EXT4 denial of service
- macOS APFS memory corruption (CVE-2017-13800)
- macOS HFS memory corruption (CVE-2017-13830)
The paper describing kAFL was published at USENIX Security 2017. A recording of the presentation and the slides can be found here: