How to create muiltiple kAFL instances for different target

[ycdxsb]

I am currently working with kAFL to fuzz Windows kernel drivers and have a question about its capabilities. Specifically, I want to know if it is possible to run multiple kAFL instances simultaneously on the same host to fuzz different targets, such as distinct Windows kernel drivers. For instance, I would like to fuzz Driver A with 4 CPU cores and, at the same time, fuzz Driver B with another 4 CPU cores, leveraging available system resources.

Based on my understanding of kAFL, I first need to duplicate the directory: kAFL/kafl/examples/windows_x86_64, for example, into kAFL/kafl/examples/windows_x86_64_driver1 and kAFL/kafl/examples/windows_x86_64_driver2. Then, I need to modify the corresponding Makefile and other files for each driver to compile the harness and prepare the respective snapshot. However, I am unsure whether this approach might lead to conflicts during the subsequent fuzzing process, such as issues with communication between QEMU and kAFL. Could you provide some suggestions?

[ycdxsb]

I tried the above method, copying windows_x86_64 to driver1 and driver2, and modified the Vagrantfile and kafl.yaml. However, when I start instance2 after instance1, instance1 exits due to a socket error. I checked the QEMU configurations and found no settings causing a socket conflict. Below are the QEMU configurations for the two instances.

• Instance 1

Worker-00 Launching virtual machine...
/root/kAFL/kafl/qemu/x86_64-softmmu/qemu-system-x86_64
        -enable-kvm
        -machine kAFL64-v1
        -cpu kAFL64-Hypervisor-v1,+vmx
        -no-reboot
        -net none
        -display none
        -chardev socket,server,id=nyx_socket,path=/root/kAFL/kafl/examples/driver1/kafl_work/interface_0
        -device nyx,chardev=nyx_socket,workdir=/root/kAFL/kafl/examples/driver1/kafl_work,worker_id=0,bitmap_size=65536,input_buffer_size=131072,dump_pt_trace
        -device isa-serial,chardev=kafl_serial
        -chardev file,id=kafl_serial,mux=on,path=/root/kAFL/kafl/examples/driver1/kafl_work/serial_00.log
        -m 4096
        -drive file=/root/.local/share/libvirt/images/driver1_driver1-kafl-windows.img
        -monitor unix:/tmp/monitor-driver1.sock,server,nowait
        -fast_vm_reload path=/root/kAFL/kafl/examples/driver1/kafl_work/snapshot/,load=off

• Instance 2

Worker-00 Launching virtual machine...
/root/kAFL/kafl/qemu/x86_64-softmmu/qemu-system-x86_64
        -enable-kvm
        -machine kAFL64-v1
        -cpu kAFL64-Hypervisor-v1,+vmx
        -no-reboot
        -net none
        -display none
        -chardev socket,server,id=nyx_socket,path=/root/kAFL/kafl/examples/driver2/kafl_work/interface_0
        -device nyx,chardev=nyx_socket,workdir=/root/kAFL/kafl/examples/driver2/kafl_work2,worker_id=0,bitmap_size=65536,input_buffer_size=131072,dump_pt_trace
        -device isa-serial,chardev=kafl_serial
        -chardev file,id=kafl_serial,mux=on,path=/root/kAFL/kafl/examples/driver2/kafl_work/serial_00.log
        -m 4096
        -drive file=/root/.local/share/libvirt/images/driver2_driver2-kafl-windows.img
        -monitor unix:/tmp/monitor-driver2.sock,server,nowait
        -fast_vm_reload path=/root/kAFL/kafl/examples/driver2/kafl_work/snapshot/,load=off

Error Info:

  File "/root/kAFL/kafl/fuzzer/kafl_fuzzer/worker/qemu.py", line 509, in send_payload
    self.run_qemu()
  File "/root/kAFL/kafl/fuzzer/kafl_fuzzer/worker/qemu.py", line 303, in run_qemu
    self.control.recv(1)
ConnectionResetError: [Errno 104] Connection reset by peer

After starting QEMU instance2, I observed that QEMU instance1 terminates and remains in a (zombie) state.

[ycdxsb]

I think the issue might be with how kvm-nyx and qemu handle Intel PT. Instance2 submitted a new PT range that conflicts with instance1's PT range, causing instance1's qemu virtual machine to exit abnormally.