
📅 Lecture Schedule TBD
ABSTRACT
This training guides security researchers and software engineers through the field of Linux kernel fuzzing. In a series of lectures and practical labs, the training explores using fuzzing for finding kernel memory corruption bugs and analyzing their security impact.
The training starts with an introduction to Linux kernel fuzzing. This part covers making kernel-specific fuzzing harnesses for finding bugs, evaluating the harness effectiveness, and using KASAN to analyze the root cause and security impact of discovered vulnerabilities.
The second part of the training focuses on syzkaller — the most widely-used Linux kernel fuzzer. This part covers setting up and running syzkaller in its default configuration and also customizing syzkaller for targeted fuzzing of specific kernel subsystems.
INTENDED AUDIENCE
Security researchers, security engineers, software developers, or anyone interested in the Linux kernel security field.
KEY LEARNING OBJECTIVES
- Security-relevant Linux kernel internals and attack surface.
- Usage and internals of Kernel Address Sanitizer (KASAN).
- Writing and evaluating kernel-specific fuzzing harnesses.
- Collecting and analyzing kernel code coverage with KCOV.
- Practical usage and internals of syzkaller.
- Writing custom syscall descriptions for syzkaller.
- Reproducing found bugs with syzkaller.
- Implementing pseudo-syscalls for syzkaller.
COURSE DETAILS
Module 1 — Setup and KASAN:
- Internals and setup: security-relevant Linux kernel internals; kernel attack surface; types of kernel vulnerabilities; running kernel in QEMU; setting up fuzzing environment.
- Detecting bugs: using KASAN to detect and analyze memory corruptions; KASAN internals; reading kernel bug reports; assessing impact of kernel bugs.
Module 2 — Basics of kernel fuzzing:
- Basics of kernel fuzzing: writing and evaluating kernel-specific fuzzing harnesses; Human-in-the-Loop fuzzing; collecting kernel code coverage with KCOV.
- Introduction to syzkaller: API-aware fuzzing; coverage-guided fuzzing; building, configuring, and running syzkaller.
- Using syzkaller: focused fuzzing of specific kernel subsystems; writing custom syscall descriptions in syzlang; evaluating written descriptions.
Module 3 — Advanced fuzzing with syzkaller:
- Advanced syzlang features; adding pseudo-syscalls; working with corpus; adding seeds and runtests; reproducing crashes; working with syz and C reproducers.
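The Module 2 topics above (kernel-specific harnesses, collecting coverage with KCOV, evaluating harness effectiveness) in one runnable form. This is an added example written for this page, not lab code from the training or from syzkaller. The ioctl numbers, the /dev/kcov device and the buffer layout (slot 0 holds the PC count, PCs follow) are as documented in the kernel's Documentation/dev-tools/kcov.rst; the target syscall sequence (open/read/close on /dev/null), the fixed-size seen set and the sample coverage buffers are assumptions made for illustration.

```c
/* Added example for this page, not training or syzkaller code: a minimal
 * KCOV harness around one syscall sequence plus the "how many PCs are new?"
 * bookkeeping a coverage-guided loop keys on. KCOV ioctls, /dev/kcov and the
 * buffer layout (cover[0] = count, PCs follow) are per the kernel's
 * Documentation/dev-tools/kcov.rst; target syscalls, seen set and sample
 * buffers are this example's own assumptions. Needs a kernel built with
 * CONFIG_KCOV=y; without /dev/kcov, run_once() returns -1. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>

#define KCOV_INIT_TRACE _IOR('c', 1, unsigned long)
#define KCOV_ENABLE     _IO('c', 100)
#define KCOV_DISABLE    _IO('c', 101)
#define COVER_SIZE      (64 << 10)  /* slots of unsigned long in the buffer */
#define KCOV_TRACE_PC   0           /* collect PCs (not comparison operands) */

/* PCs seen across runs; the fixed size and linear search are illustrative. */
#define SEEN_MAX 4096
struct seen_set { unsigned long pcs[SEEN_MAX]; size_t n; };

static int seen_contains(const struct seen_set *s, unsigned long pc)
{
    for (size_t i = 0; i < s->n; i++)
        if (s->pcs[i] == pc)
            return 1;
    return 0;
}

/* Merge one KCOV buffer (cover[0] = count, cover[1..count] = PCs) into the
 * set; return how many PCs were not seen before. A PC repeated inside the
 * same buffer counts once. Stops early if the set is full. */
size_t merge_coverage(struct seen_set *s, const unsigned long *cover)
{
    size_t fresh = 0;
    for (unsigned long i = 0; i < cover[0] && s->n < SEEN_MAX; i++) {
        unsigned long pc = cover[i + 1];
        if (!seen_contains(s, pc)) {
            s->pcs[s->n++] = pc;
            fresh++;
        }
    }
    return fresh;
}

/* One traced iteration: enable KCOV for this thread, run the target
 * (open/read/close on /dev/null, standing in for a real harness's syscall
 * sequence), disable, merge. Returns the new-PC count, or -1 without KCOV. */
long run_once(struct seen_set *s)
{
    long ret = -1;
    unsigned long *cover = MAP_FAILED;
    int fd = open("/dev/kcov", O_RDWR);
    if (fd == -1)
        return -1;
    if (ioctl(fd, KCOV_INIT_TRACE, COVER_SIZE))
        goto out;
    cover = mmap(NULL, COVER_SIZE * sizeof(unsigned long),
                 PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (cover == MAP_FAILED)
        goto out;
    /* KCOV traces only the thread that enabled it: enable and run the
     * target in the same thread. */
    if (ioctl(fd, KCOV_ENABLE, KCOV_TRACE_PC))
        goto out;
    __atomic_store_n(&cover[0], 0, __ATOMIC_RELAXED);  /* reset PC count */

    char buf[64];
    int target = open("/dev/null", O_RDONLY);
    if (target != -1) {
        ssize_t r = read(target, buf, sizeof buf);
        (void)r;                   /* the traced path matters, not the data */
        close(target);
    }

    ioctl(fd, KCOV_DISABLE, 0);    /* kernel stops writing; buffer stays mapped */
    ret = (long)merge_coverage(s, cover);
out:
    if (cover != MAP_FAILED)
        munmap(cover, COVER_SIZE * sizeof(unsigned long));
    close(fd);
    return ret;
}

/* Constructed sample buffers (not real kernel output) in the KCOV layout:
 * run 1 hits three PCs; run 2 repeats two of them and adds one new PC,
 * recorded twice. */
static const unsigned long SAMPLE_RUN1[] = { 3, 0xc1a00010UL, 0xc1a00024UL, 0xc1a00038UL };
static const unsigned long SAMPLE_RUN2[] = { 4, 0xc1a00024UL, 0xc1a00038UL, 0xc1b00000UL, 0xc1b00000UL };

/* Replay the first `runs` sample buffers (1 or 2) through an empty set and
 * return the new-PC count of the last one. */
size_t sample_fresh_after(int runs)
{
    static struct seen_set s;
    memset(&s, 0, sizeof s);
    size_t fresh = merge_coverage(&s, SAMPLE_RUN1);
    if (runs >= 2)
        fresh = merge_coverage(&s, SAMPLE_RUN2);
    return fresh;
}

/* Set size after both sample runs (distinct PCs). */
size_t sample_seen_total(void)
{
    static struct seen_set s;
    memset(&s, 0, sizeof s);
    merge_coverage(&s, SAMPLE_RUN1);
    merge_coverage(&s, SAMPLE_RUN2);
    return s.n;
}

int main(void)
{
    static struct seen_set seen;
    printf("sample: run1 new=%zu run2 new=%zu total=%zu\n",
           sample_fresh_after(1), sample_fresh_after(2), sample_seen_total());
    for (int i = 0; i < 3; i++) {
        long fresh = run_once(&seen);
        if (fresh < 0) {
            puts("no usable /dev/kcov (kernel without CONFIG_KCOV, or no permission)");
            return 1;
        }
        printf("run %d: %ld new PCs, %zu total\n", i, fresh, seen.n);
    }
    return 0;
}
```

Build with `gcc -O2 -Wall harness.c` and run it inside a QEMU guest whose kernel was built with CONFIG_KCOV=y (and, for the lab setup, KASAN). The seen set stands in for what syzkaller keeps as its corpus and coverage signal: a harness whose successive runs keep reporting zero new PCs is one whose inputs are no longer reaching new kernel code, which is the effectiveness question Module 2 asks.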
Knowledge Prerequisites
- Working C knowledge.
- Familiarity with common types of vulnerabilities in userspace applications.
- Basic knowledge of Go would be a plus, but it is not strictly required.
No prior knowledge about Linux kernel internals is required.
Hardware Requirements
- Relatively modern x86-64 laptop (or access to a remote server).
- At least 100 GB of free disk space.
- At least 16 GB of RAM.
- Ability to plug in an untrusted USB drive (relevant for corporate laptops).
Software Requirements
- Host OS: Linux ONLY
- Docker
Students will be provided with
- Presentation slides.
- Detailed lab guides with step-by-step instructions.
- Docker image with required tools and source code.
YOUR INSTRUCTOR: Andrey Konovalov
Andrey Konovalov is a security researcher focusing on the Linux kernel.
Andrey found multiple zero-day bugs in the Linux kernel and published proof-of-concept exploits for these bugs to demonstrate the impact. Andrey contributed to several security-related Linux kernel subsystems and tools: KASAN — a fast dynamic bug detector; syzkaller — a production-grade kernel fuzzer; and Arm Memory Tagging Extension (MTE) — an exploit mitigation.
Andrey spoke at security conferences such as OffensiveCon, Android Security Symposium, Linux Security Summit, LinuxCon, and PHDays. Andrey also maintains a collection of Linux kernel security–related materials https://github.com/xairy/linux-kernel-exploitation and a channel on Linux kernel security https://x.com/linkersec.
See https://xairy.io for all of Andrey's articles, talks, and projects.
More than 60 days before the event: 75% of fees refunded; 45 to 60 days before the event: 50% refunded; less than 45 days: 0% refunded. Course changes are allowed up to 14 days before the event start (some restrictions apply). Attendee changes can be accommodated up to 14 days prior to the event.
Note: In the event of a class cancellation, Ringzer0 will endeavor to offer transfer to another training at no additional charge.