Requires a KVM-VMI setup for VM introspection.
- Build syzkaller
$ cd syzkaller
$ make generate
$ make
- Build syz-bp-cov
$ cd syz-bp-cov
$ make
- Extract the addresses of control flow instructions from your target with extract-breakpoints.py.
- Create syscall descriptions for your target.
- Create a syzkaller configuration file similar to sample.cfg. Make sure to add the following line for syz-bp-cov, which specifies the target modules and their breakpoint files:
"command": ["./syz-bp-cov.py", "/tmp/introspector{{INDEX}}", "<kernel profile>", "<first module name>", "<first module breakpoints file>", "<second module name>", "<second module breakpoints file>", ...]
- Start syzkaller
$ syz-manager -config <config file>
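The extraction step above ("addresses of control flow instructions") is the part most people have to adapt to their own target, so here is an added, stand-alone illustration of what such a script does. It is not the project's extract-breakpoints.py: it parses `objdump -d` output (the real binutils format, fed here from a constructed sample of a hypothetical `my_module.ko`), keeps every instruction that transfers control (jmp, all jcc, call, ret, loop*, syscall and friends, including ones behind a `notrack`/`bnd` prefix), and prints one hex address per line. That output format, the script name and the optional rebasing argument are assumptions; syz-bp-cov's actual breakpoint file format is whatever extract-breakpoints.py produces.

```python
"""Extract offsets of control-flow instructions from `objdump -d` output.

Added example for the breakpoint-extraction step.  This is NOT the project's
extract-breakpoints.py; the one-hex-address-per-line output is an assumed
format.  Usage: python3 extract_cf.py <vmlinux-or-module.ko> [section] [base]
"""
import re
import subprocess
import sys

# One objdump instruction line: "  addr:<tab>bytes...<tab>mnemonic operands".
# The raw-byte column is optional so `--no-show-raw-insn` output parses too.
INSN_RE = re.compile(
    r"^\s*([0-9a-f]+):\s+(?:(?:[0-9a-f]{2}\s+)+)?([a-z][a-z0-9]*)\b(.*)$"
)
SECTION_RE = re.compile(r"^Disassembly of section (\S+):$")

# objdump prints these as a separate first token before the real mnemonic.
PREFIXES = {"notrack", "bnd", "lock", "rep", "repz", "repnz", "data16"}

# Control transfers that do not start with "j".
OTHER_CONTROL_FLOW = {"call", "ret", "loop", "loope", "loopne",
                      "syscall", "sysret", "iret", "int", "int3"}


def is_control_flow(mnemonic):
    """True for jmp, every jcc, jrcxz, call, ret, loop*, syscall and friends."""
    # Older binutils emit an operand-size suffix: callq, retq, jmpq, iretq.
    m = mnemonic[:-1] if mnemonic.endswith("q") and len(mnemonic) > 2 else mnemonic
    return m.startswith("j") or m in OTHER_CONTROL_FLOW


def control_flow_offsets(disasm, section=".text"):
    """Sorted, de-duplicated offsets of control-flow instructions.

    Offsets in a .ko are section-relative, and every section restarts at 0,
    so we track the current "Disassembly of section" header and only keep
    lines from `section` (None keeps all sections).
    """
    offsets = set()
    current = None
    for line in disasm.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            continue
        if section is not None and current != section:
            continue
        m = INSN_RE.match(line)
        if not m:
            continue  # file banner, symbol lines, wrapped byte-only rows
        addr, mnemonic, rest = int(m.group(1), 16), m.group(2), m.group(3)
        if mnemonic in PREFIXES:
            tokens = rest.split()  # e.g. "notrack jmp *%rax"
            if not tokens:
                continue
            mnemonic = tokens[0]
        if is_control_flow(mnemonic):
            offsets.add(addr)
    return sorted(offsets)


def format_breakpoints(offsets, base=0):
    """One hex address per line (assumed format), rebased onto `base`.

    For a module, `base` is the address at which the guest loaded the
    section; for vmlinux the offsets are already absolute and base stays 0.
    """
    return "\n".join(f"0x{base + off:x}" for off in offsets) + "\n"


# Constructed sample of `objdump -d my_module.ko` output (real objdump uses
# tabs between the columns; the bytes and symbols here are made up).
SAMPLE_OBJDUMP = """
my_module.ko:     file format elf64-x86-64


Disassembly of section .text:

0000000000000000 <my_ioctl>:
   0:   e8 00 00 00 00          call   5 <my_ioctl+0x5>
   5:   55                      push   %rbp
   6:   48 89 e5                mov    %rsp,%rbp
   9:   83 fe 01                cmp    $0x1,%esi
   c:   74 0a                   je     18 <my_ioctl+0x18>
   e:   83 fe 02                cmp    $0x2,%esi
  11:   75 09                   jne    1c <my_ioctl+0x1c>
  13:   e8 00 00 00 00          call   18 <my_ioctl+0x18>
  18:   31 c0                   xor    %eax,%eax
  1a:   5d                      pop    %rbp
  1b:   c3                      ret
  1c:   3e ff e0                notrack jmp *%rax

Disassembly of section .init.text:

0000000000000000 <my_init>:
   0:   c3                      ret
"""


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} <vmlinux-or-module.ko> [section] [base]")
    disasm = subprocess.run(["objdump", "-d", sys.argv[1]], check=True,
                            capture_output=True, text=True).stdout
    section = sys.argv[2] if len(sys.argv) > 2 else ".text"
    base = int(sys.argv[3], 0) if len(sys.argv) > 3 else 0
    sys.stdout.write(format_breakpoints(control_flow_offsets(disasm, section), base))
```

Two things worth checking against your own target before feeding a file like this to a breakpoint-based tracer: a .ko has several executable sections (.text, .init.text, .exit.text, ...) that all start at offset 0, so a per-section list is needed rather than one flat set of offsets, and the offsets only become usable breakpoint addresses once they are rebased to wherever the guest actually loaded that section.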