EDK2 fuzzing and possible roadmap

Pedro Falcato

Hi all,

Reposting (https://bugzilla.tianocore.org/show_bug.cgi?id=3927) as this is more likely to gain attention and meaningful discussion here.

Fuzzing EDK2 could provide a greater insight into the firmware and its safety/stability, by using automated guided testing.

I took the time to look at Google's syzkaller (https://github.com/google/syzkaller), which is a tool commonly used to fuzz operating system kernels such as Linux, Windows, FreeBSD, and others; it does this by having its own system call description format which it then parses and uses to fuzz interfaces (it spins up QEMU instances when actually fuzzing the interface).
According to one of the main authors (https://github.com/google/syzkaller/issues/3132), it should be possible to fuzz UEFI interfaces with this. Other alternatives include Clang's libFuzzer and AFL++, but I believe this approach is better as syzkaller is a tool that is already successfully used to fuzz operating system kernel interfaces with similarities to EDK2, with an established track record (see https://groups.google.com/g/syzkaller-bugs for Linux kernel bugs).

To make fuzzing actually effective, we would first need to get sanitizer support for compilers (see UBSAN for undefined behavior, ASAN for catching memory safety issues and alloc/free misuse, MSAN for uninitialized memory reads). Finally, we'd need a way to grab code coverage information (see https://clang.llvm.org/docs/SanitizerCoverage.html for Clang/GCC based toolchains); code coverage could also be useful for our unit testing.

My proposed roadmap is:

1) Add sanitizer support (UBSAN, ASAN at the very least)
2) Add code coverage support, as it's useful for both unit testing and fuzzing
3) Make syzkaller (or any other fuzzer) support EDK2 by teaching it how to fuzz UEFI interfaces and how to run in a UEFI environment
4) Attempt to upstream patches and set up hardware to continuously fuzz EDK2 (EDK2 stewards should be consulted on this)

Any feedback is greatly appreciated. I think that adding this could meaningfully improve EDK2, as I don't believe anyone has ever done this before.

Best regards,

Pedro
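The post's step 2 (code coverage via SanitizerCoverage) hides a practical detail: Clang and GCC only emit the instrumentation; the callbacks it calls at runtime normally come from libFuzzer or the sanitizer runtime, which do not exist in a freestanding UEFI build. Whoever adds coverage to EDK2 therefore has to supply those callbacks. The following is an added example (not code from the post, from EDK2 or from syzkaller) of a minimal guard-based coverage runtime of the kind a firmware build would need when compiled with `-fsanitize-coverage=trace-pc-guard`. The two `__sanitizer_cov_*` names and signatures are the documented SanitizerCoverage interface; `MAX_EDGES`, the accessor functions and the simulated run are constructed for illustration.

```c
// Added example: freestanding SanitizerCoverage runtime for trace-pc-guard
// mode. With -fsanitize-coverage=trace-pc-guard the compiler emits one 32-bit
// guard slot per control-flow edge, calls __sanitizer_cov_trace_pc_guard_init
// once per module with the slot range, and calls
// __sanitizer_cov_trace_pc_guard(&slot) every time that edge executes.
// Nothing here allocates or touches libc, so it can live in a DXE/PEI build.
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>   // only used by main() below for a demo printout

#define MAX_EDGES 4096U   // constructed static limit for this example

static uint8_t  g_edge_hits[MAX_EDGES / 8];  // one bit per edge id
static uint32_t g_num_edges;                 // guards assigned by _init
static uint32_t g_unique_hits;               // distinct edges seen so far

// Assign each guard a unique nonzero id; a zero guard is skipped by the
// instrumented code, which is how we disable edges we have no room for.
void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop)
{
    if (start == stop || *start != 0)
        return;  // empty range, or this module was already initialised
    for (uint32_t *g = start; g < stop; g++) {
        if (g_num_edges >= MAX_EDGES) {
            *g = 0;              // out of bitmap space: leave edge disabled
            continue;
        }
        *g = ++g_num_edges;      // ids start at 1
    }
}

// Hot path: runs on every instrumented edge, so it must be branch-light and
// must never allocate, lock, or call back into instrumented code.
void __sanitizer_cov_trace_pc_guard(uint32_t *guard)
{
    uint32_t id = *guard;
    if (id == 0)
        return;
    uint32_t idx  = id - 1;
    uint8_t  mask = (uint8_t)(1U << (idx & 7));
    if ((g_edge_hits[idx >> 3] & mask) == 0) {
        g_edge_hits[idx >> 3] |= mask;
        g_unique_hits++;
    }
}

// Accessors a fuzzer harness reads after each input to decide whether the
// input found new coverage (the signal guided fuzzers like syzkaller use).
uint32_t cov_registered_edges(void) { return g_num_edges; }
uint32_t cov_unique_hits(void)      { return g_unique_hits; }

// Clear hit state between inputs while keeping the guard ids intact.
void cov_reset(void)
{
    for (size_t i = 0; i < sizeof g_edge_hits; i++)
        g_edge_hits[i] = 0;
    g_unique_hits = 0;
}

// Constructed stand-in for compiler-emitted instrumentation: registers eight
// guards and "executes" three edge events, one of them twice. Returns the
// number of distinct edges recorded, which a guided fuzzer would compare
// against its running total.
uint32_t cov_simulated_run(void)
{
    static uint32_t guards[8];           // what the compiler would emit
    __sanitizer_cov_trace_pc_guard_init(guards, guards + 8);
    __sanitizer_cov_trace_pc_guard(&guards[2]);
    __sanitizer_cov_trace_pc_guard(&guards[2]);   // same edge again
    __sanitizer_cov_trace_pc_guard(&guards[5]);
    return cov_unique_hits();            // 2 distinct edges
}

int main(void)
{
    uint32_t hits = cov_simulated_run();
    printf("registered edges: %u, unique edges hit: %u\n",
           cov_registered_edges(), hits);
    return 0;
}
```

Because an instrumented module may call `_init` more than once, the `*start != 0` check is what keeps ids stable; and because the hot callback runs on every edge, the bitmap is deliberately fixed-size static storage rather than anything the firmware's allocator (itself a fuzz target) would have to serve.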
