Trinity – A Linux System call fuzz tester
Trinity is a fuzz-testing engine. System call fuzzers have been written many times before, on Linux and on other operating systems; where Trinity differs is that the arguments it passes are not purely random, so it departs slightly from traditional fuzzing.
Trinity knows how to make “really evil calls to syscalls”.
Trinity is really good at locating bugs in filesystems (FS).
Trinity creates a pool of file descriptors from pipes, sysfs, procfs, /dev and sockets, and draws from that pool when a system call needs a file descriptor. Trinity also uses information about each system call to provide “something at least semi-sensible” as arguments.
Trinity supports Alpha, AArch64, ARM, i386, IA-64, MIPS, PowerPC-32 and other architectures.
Adding support for an additional architecture is a small amount of work, mostly just defining the order of the syscall table. Trinity also improves reproducibility: when a kernel oops occurs, it records the last random seed used, so a developer can reuse that value to recreate the problem.
Trinity is a system call fuzzer that employs several techniques to pass semi-intelligent arguments to syscalls.
Trinity has a syscall group dedicated to VFS syscalls.
The intelligence features in Trinity include:
- If a system call expects a certain data type as an argument (for example a file descriptor), Trinity passes one.
- If a system call accepts only certain values for an argument (for example a ‘flags’ field), Trinity has a list of all the valid flags that may be passed.
Trinity logs its output to files (one per child process) and fsyncs each file before actually making the system call, so the record of what was about to be called survives if the kernel crashes.
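The three mechanisms just described (a pool of real file descriptors, typed argument generation from a per-syscall list of valid flags, a seeded RNG whose seed is logged and fsynced before each call) fit together as in the following toy fuzzer. This is an added example written for this page, not Trinity's own code: the syscall table, the flag list and the `plan_calls`/`run`/`demo` functions are constructed for illustration, and the "syscalls" dispatch to benign fstat and fcntl(F_SETFL) calls so it can be run anywhere.

```python
import fcntl
import os
import random
import tempfile

# Argument classes this toy fuzzer understands (constructed; Trinity annotates
# each syscall argument with its type in a similar spirit).
ARG_FD = "fd"
ARG_FLAGS = "flags"

# Valid values for a flags argument. Constructed list of real fcntl(F_SETFL)
# flags; a flags word is built by OR-ing a subset, never drawn as a random int.
SETFL_FLAGS = [os.O_NONBLOCK, os.O_APPEND]
SETFL_MASK = os.O_NONBLOCK | os.O_APPEND

# Hypothetical syscall table: name -> argument types (constructed).
SYSCALL_TABLE = {
    "fstat": [ARG_FD],
    "fcntl_setfl": [ARG_FD, ARG_FLAGS],
}


def build_fd_pool():
    """Collect descriptors from several sources (a pipe, /dev nodes) before
    fuzzing, so that fd arguments refer to real kernel objects."""
    read_end, write_end = os.pipe()
    pool = [read_end, write_end]
    for path in ("/dev/null", "/dev/zero"):
        try:
            pool.append(os.open(path, os.O_RDONLY))
        except OSError:
            pass  # not every sandbox exposes these device nodes
    return pool


def plan_calls(seed, count, pool_size):
    """Deterministically plan `count` calls from `seed`. An fd argument is an
    index into the pool; a flags argument is an OR of known-valid flags.
    Re-running with the same seed reproduces the same plan."""
    rng = random.Random(seed)
    plan = []
    for _ in range(count):
        name = rng.choice(sorted(SYSCALL_TABLE))
        args = []
        for arg_type in SYSCALL_TABLE[name]:
            if arg_type == ARG_FD:
                args.append(rng.randrange(pool_size))
            elif arg_type == ARG_FLAGS:
                subset = rng.sample(SETFL_FLAGS, rng.randint(0, len(SETFL_FLAGS)))
                value = 0
                for flag in subset:
                    value |= flag
                args.append(value)
        plan.append((name, tuple(args)))
    return plan


def invoke(name, args):
    """Benign stand-ins for real syscalls; return 0 or -errno like the kernel."""
    try:
        if name == "fstat":
            os.fstat(args[0])
        elif name == "fcntl_setfl":
            fcntl.fcntl(args[0], fcntl.F_SETFL, args[1])
        return 0
    except OSError as exc:
        return -exc.errno


def run(seed, count, log_path):
    """Execute a planned session, writing and fsyncing the log line *before*
    each call so the seed and arguments survive a crash during the call."""
    fd_pool = build_fd_pool()
    results = []
    with open(log_path, "a") as log:
        for name, spec in plan_calls(seed, count, len(fd_pool)):
            args = [fd_pool[a] if t == ARG_FD else a
                    for t, a in zip(SYSCALL_TABLE[name], spec)]
            log.write(f"seed={seed} call={name} args={args}\n")
            log.flush()
            os.fsync(log.fileno())  # durable before the potentially fatal call
            ret = invoke(name, args)
            log.write(f"  ret={ret}\n")
            results.append((name, tuple(args), ret))
    for fd in fd_pool:
        os.close(fd)
    return results


def demo(seed=1234, count=8):
    """Run a short session into a temporary log; return the results and the
    number of log lines written (two per call)."""
    handle, log_path = tempfile.mkstemp(prefix="toyfuzz-")
    os.close(handle)
    try:
        results = run(seed, count, log_path)
        with open(log_path) as log:
            line_count = len(log.read().splitlines())
    finally:
        os.unlink(log_path)
    return results, line_count


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

Because `plan_calls` is a pure function of the seed, the seed line in the log is all a developer needs to regenerate the exact sequence of calls that preceded a crash, which is the reproducibility property described above.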
If one runs Trinity without any arguments as a non-root user, it scans for fds as described above, then creates a number of child processes.
With that warning out of the way: Trinity has a neat feature called ‘victim files’.
New kernel bugs are almost always being triggered by Trinity.
Sometimes Trinity causes the OOM killer to trigger.
Trinity put the spotlight on the bug.