Trinity 1.1

I finally got around to polishing up a new Trinity release, just in time for my talk next week at LCA.

Looking over the changelog, here are the main changes that have gone in during the six months since 1.0.

  • Updated syscall tables to include support for all syscalls up to kernel 3.8rc4
  • UI changes:
    • add -C argument to specify number of child processes
    • You can now specify -q multiple times for even less verbose output
  • Some biarch=FALSE fixes.
  • cleaned up some pid handling.
  • Fixed locking primitives so they don’t get optimised out.
  • clear any potential SO_LINGER on sockets, so we don’t hang in close on exit.
  • More shm sanity checks
  • The reason for exiting is now printed.
  • New architecture support: MIPS, SuperH
  • Improved ARM support.
  • Fix race when trying to log from a child before that child had been set up in the pid map.
  • Improved sanitise routines for modify_ldt, msgctl, mlock, socket
  • Fabricate sockaddr structs.
    Pass them to accept, accept4, bind, connect, getpeername, getsockname, recvfrom, send, sendto

  • ARG_PID no longer gives out random pids, just child pids.
  • Disable rt_sigqueueinfo, tkill, tgkill
  • Improved reproducibility / Various fixes to the seeding code.
    The random seed gets reseeded every 10 seconds, and relogged, which should narrow the window between runs when trying to reproduce a bug.

    • When a kernel oops is detected, trinity now outputs the last seed used.

    • Now the seed gets set in the parent too, so the files/sockets are properly random.
      Note: There is still a known bug that means two runs with the same seed are not guaranteed to be identical. This will be worked on in the next release.
  • Log files no longer have the pid in the filenames
  • Syscall structures are now properly shared between children instead of COW’d
  • ARG_PATHNAME now pulls from all possible files in scan locations instead of 750.
  • Numerous memory leaks fixed.
  • Various size optimisations (Tommi Rantala)
  • Better ctrl-C handling.
  • Socket creation now uses more random packet families instead of the same every time.
  • Makefile improvements:
    • Added an ‘install’ target
    • Should now handle dependencies correctly. Previously .h file changes wouldn’t trigger a rebuild.
    • configure script added to better handle differences between older distributions.
  • Victim files are now used exclusively when passed.
  • Watchdog improvements:
    • Fixed an occasional time-wrap bug.
    • reap dead children when we wait for the watchdog to exit.
  • Use various sizes when generating mmaps on startup.
    Should now occasionally generate ‘huge’ pages.

  • Lower alarm timeouts from 3 seconds to 1.

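The SO_LINGER item above is worth a closer look, because it is a classic way for a fuzzer that randomises setsockopt() calls to wedge itself: a lingering close on a socket with unsent data can block close() for up to l_linger seconds, so a process that is trying to exit simply hangs. The following is an added example, not code from Trinity; it shows the option being left in the "bad" state, cleared again the way the changelog describes, and read back to confirm the clear took. The helper names (set_long_linger, clear_linger, linger_is_set, demo_clear_linger) are my own, and a Unix socketpair stands in for whatever socket the fuzzer happened to create so that it runs offline.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Read back SO_LINGER. Returns 1 if linger is on, 0 if off, -1 on error. */
int linger_is_set(int fd)
{
    struct linger l;
    socklen_t len = sizeof(l);

    memset(&l, 0, sizeof(l));
    if (getsockopt(fd, SOL_SOCKET, SO_LINGER, &l, &len) < 0)
        return -1;
    return l.l_onoff ? 1 : 0;
}

/* Clear SO_LINGER so close() returns immediately instead of blocking
 * for l_linger seconds while the kernel tries to drain unsent data.
 * Returns 0 on success, -1 on error. */
int clear_linger(int fd)
{
    struct linger l = { .l_onoff = 0, .l_linger = 0 };

    return setsockopt(fd, SOL_SOCKET, SO_LINGER, &l, sizeof(l));
}

/* Stand-in for what a randomised setsockopt() call might leave behind:
 * lingering close with a long timeout. Hypothetical helper, not Trinity code. */
int set_long_linger(int fd, int seconds)
{
    struct linger l = { .l_onoff = 1, .l_linger = seconds };

    return setsockopt(fd, SOL_SOCKET, SO_LINGER, &l, sizeof(l));
}

/* Constructed scenario: create a connected Unix socket pair, leave a long
 * linger on one end, clear it before closing, and verify the readback.
 * Returns 1 if the clear took effect, 0 if not, -1 if setup failed. */
int demo_clear_linger(void)
{
    int sv[2];
    int before, after;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;

    set_long_linger(sv[0], 600);            /* 10 minute linger: exit would stall */
    before = linger_is_set(sv[0]);
    clear_linger(sv[0]);                    /* what the 1.1 cleanup path does */
    after = linger_is_set(sv[0]);

    close(sv[0]);                           /* now returns without blocking */
    close(sv[1]);
    return (before == 1 && after == 0) ? 1 : 0;
}

int main(void)
{
    int ok = demo_clear_linger();

    printf("SO_LINGER cleared before close: %s\n", ok == 1 ? "yes" : "no");
    return ok == 1 ? 0 : 1;
}
```

In a fuzzer the clear belongs on every exit path that closes inherited sockets (normal exit, watchdog kill, signal handler), since any of them may run on a descriptor whose options were randomised earlier in the run; checking linger_is_set() afterwards is a cheap assertion that the cleanup actually ran.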
There were dozens of other ‘behind the scenes’ changes that should mean Trinity is now a lot more reliable, while also adding a bunch of new features to find shiny new kernel bugs.

With 1.1 out the door, I’ll be opening up 1.2 development soon where I hope to tackle some of the things I’ve been putting off for a while, like trying to get a better solution to fuzzing ioctl than the current situation.

The Ohloh stats for Trinity have been interesting to watch over the last year, with the number of contributors steadily rising. I’m hoping that my evangelism at LCA and SCALE will attract further contributors this year. (There have been definite spikes in contributor activity when I’ve spoken about it at conferences in the past).

Author: davej. Categories: Fuzzing, Trinity. Tags: fuzzing, trinity.