Getting_started.md

File metadata and controls

167 lines (92 loc) · 6 KB

# Getting started

## Run one case

```
python3 syzscope -i f99edaeec58ad40380ed5813d89e205861be2896 ...
```

## Run multiple cases

```
python3 syzscope -i dataset ...
```

The `dataset` file contains multiple case hashes, one per line.

## Filter cases by string match

If no value is given to `--url` or `-u`, SyzScope by default only picks up cases from the Fixed section on syzbot.

The following command picks up all WARNING bugs and INFO bugs from syzbot's Fixed section:

```
python3 syzscope -k="WARNING" -k="INFO:" ...
```

Now pick up all WARNING bugs and INFO bugs from syzbot's Open section:

```
python3 syzscope -k="WARNING" -k="INFO:" -u https://syzkaller.appspot.com/upstream ...
```

## Filter cases that share the same patches

Sometimes we want to deduplicate bugs. For example, the following command rules out all WARNING and INFO bugs that share the same patch as a UAF/OOB bug. Note that `ignore_UAF_OOB` is a file containing the hashes of all UAF/OOB bugs.

```
python3 syzscope -k="WARNING" -k="INFO:" --ignore-batch ignore_UAF_OOB ...
```

## Run cases from cache

Every time SyzScope runs new cases, it stores the case info in `cases.json`. With `--use-cache`, we can import the case info directly from this cache instead of crawling syzbot again.

```
python3 syzscope --use-cache ...
```

## Reproduce a bug

Fuzzing normally captures only the very first bug impact, but SyzScope can capture multiple impacts without panicking the kernel. To find out whether any high-risk impacts lie right behind a low-risk impact, we can simply reproduce a bug with `--reproduce` or `-RP`.

```
python3 syzscope -i f99edaeec58ad40380ed5813d89e205861be2896 -RP
```

If reproducing a bug finds at least one high-risk impact behind the low-risk impact, SyzScope writes the bug hash into a confirmed impact file (`ConfirmedAbnormallyMemWrite`, `ConfirmedDoubleFree`).

## Run fuzzing

To apply fuzzing to one or more cases, use `--kernel-fuzzing` or `-KF`. The fuzzing timeout can be set with `--timeout-kernel-fuzzing`.

The following command applies fuzzing to all WARNING and INFO bugs from syzbot's Fixed section, with a fuzzing time of 3 hours. See the fuzzing tutorial for more details.

```
python3 syzscope -k="WARNING" -k="INFO:" -RP -KF --timeout-kernel-fuzzing 3
```

## Run static taint analysis

To apply static taint analysis to one or more cases, use `--static-analysis` or `-SA`. The static taint analysis timeout can be set with `--timeout-static-analysis`.

The following command applies static taint analysis to all WARNING and INFO bugs from syzbot's Fixed section, with a static taint analysis time of 3600 seconds (1 hour). See the static taint analysis tutorial for more details. Note that static taint analysis relies on UAF/OOB contexts: if we don't run fuzzing to explore UAF/OOB contexts for non-KASAN bugs, static analysis will fail.

```
python3 syzscope -k="WARNING" -k="INFO:" -RP -KF --timeout-kernel-fuzzing 3 -SA --timeout-static-analysis 3600
```

## Run symbolic execution

To apply symbolic execution to one or more cases, use `--symbolic-execution` or `-SE` to enable it. The symbolic execution timeout can be set with `--timeout-symbolic-execution`.

The following command applies symbolic execution to all WARNING and INFO bugs from syzbot's Fixed section, with a symbolic execution time of 14400 seconds (4 hours). See the symbolic execution tutorial for more details. Note that symbolic execution relies on UAF/OOB contexts: if we don't run fuzzing to explore UAF/OOB contexts for non-KASAN bugs, symbolic execution will fail.

```
python3 syzscope -k="WARNING" -k="INFO:" -RP -KF --timeout-kernel-fuzzing 3 -SE --timeout-symbolic-execution 14400
```

Due to some internal bugs in the Z3 solver, symbolic execution may be interrupted and leave QEMU frozen. This blocks further cases, since the frozen QEMU occupies the ports for both ssh and gdb.

SyzScope can terminate an old frozen QEMU as soon as it finds it is unused if `--be-bully` is provided.

```
python3 syzscope -k="WARNING" -k="INFO:" -RP -KF --timeout-kernel-fuzzing 3 -SE --timeout-symbolic-execution 14400 --be-bully
```

## Guide symbolic execution with static taint analysis

Using static taint analysis to guide symbolic execution is useful in a large-scale experiment. To have symbolic execution guided, enable static taint analysis and use `--guided`.

```
python3 syzscope -k="WARNING" -k="INFO:" -RP -KF --timeout-kernel-fuzzing 3 -SA --timeout-static-analysis 3600 -SE --timeout-symbolic-execution 14400 --guided --be-bully
```

## Run multiple cases at the same time

SyzScope supports concurrent execution. To run several cases at the same time, provide `--parallel-max` or `-pm`. For example, to run up to 8 cases at the same time:

```
python3 syzscope -i dataset -KF -SA -SE -pm 8
```
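A wrapper for the batch workflow on this page, added here as an example and not part of SyzScope itself: it validates the hash-list files given to `-i` and `--ignore-batch` (one 40-hex-character case hash per line, like the hash used above), launches the reproduce, fuzzing, guided static/symbolic pipeline with `--be-bully` and `-pm 8`, and counts the entries in the confirmed impact files. `SYZSCOPE_DIR`, the cleaned-file names and the assumption that the `Confirmed*` files are written under the checkout are mine, not the project's.

```sh
#!/bin/sh
# Added example, not SyzScope's own code: clean the hash-list files that -i and
# --ignore-batch consume, launch the combined pipeline from this page, then
# count the confirmed-impact files. SYZSCOPE_DIR and the assumption that the
# Confirmed* files appear under it are mine, not the project's.

# Copy the 40-hex-char case hashes in $1 to $2, one per line: drop blank lines,
# `#` comments, whitespace and duplicates, lowercase hex. Non-zero exit status
# when any line had to be rejected.
clean_hash_list() {
  in=$1; out=$2; bad=0
  : > "$out"
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    line=$(printf '%s' "$line" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    [ -z "$line" ] && continue
    case "$line" in *[!0-9a-f]*) bad=$((bad + 1)); continue ;; esac
    if [ "${#line}" -ne 40 ]; then bad=$((bad + 1)); continue; fi
    grep -qx "$line" "$out" || printf '%s\n' "$line" >> "$out"
  done < "$in"
  [ "$bad" -eq 0 ]
}

# Number of case hashes in confirmed-impact file $2 inside directory $1
# (ConfirmedAbnormallyMemWrite or ConfirmedDoubleFree); 0 if absent.
count_confirmed() {
  [ -f "$1/$2" ] || { echo 0; return 0; }
  grep -c '^[0-9a-f]\{40\}$' "$1/$2" || true
}

# Reproduce, fuzz, let static taint analysis guide symbolic execution, kill
# frozen QEMUs, 8 cases at a time; $1 = dataset file, $2 = ignore list.
run_batch() {
  cd "${SYZSCOPE_DIR:?set SYZSCOPE_DIR to your SyzScope checkout}" || return 1
  python3 syzscope -i "$1" --ignore-batch "$2" -RP \
    -KF --timeout-kernel-fuzzing 3 \
    -SA --timeout-static-analysis 3600 \
    -SE --timeout-symbolic-execution 14400 --guided --be-bully -pm 8
}

# Usage: sh run_batch.sh raw_dataset raw_ignore_UAF_OOB
if [ "$#" -eq 2 ]; then
  clean_hash_list "$1" "$PWD/dataset.clean" || echo "dataset: bad lines skipped" >&2
  clean_hash_list "$2" "$PWD/ignore.clean" || echo "ignore list: bad lines skipped" >&2
  run_batch "$PWD/dataset.clean" "$PWD/ignore.clean"
  for f in ConfirmedAbnormallyMemWrite ConfirmedDoubleFree; do
    echo "$f: $(count_confirmed "$SYZSCOPE_DIR" "$f") case(s)"
  done
fi
```

Rejected lines are reported but do not abort the run, so a single typo in a long dataset does not cost a multi-hour batch.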

See more usage of SyzScope with `python3 syzscope -h`.