Deployment#

kAFL’s deployment system (or installation) is built around Ansible, an IT automation framework useful for deploying Cloud services and provisioning virtual machines.

Note

As a user, you are only expected to update the Ansible 🗋 deploy/inventory if you want to perform a remote deployment. See Ansible’s inventory documentation.

System modifications#

This is the list system level modifications made by the Ansible playbook when installing kAFL:

  • checking for KVM’s compatibility with kAFL. If necessary, setup a new kernel:

    • download

    • install (5.10.73)

    • update GRUB

    • reboot

  • ensure current user is in kvm group

  • ensure /dev/kvm device has permissions for the kvm group

Makefile targets#

Target

Description

EXTRA_ARGS

deploy

Deploys kAFL components according to the playbook and the deploy/inventory file. Will be deployed on localhost by default.

☑️

env

Enters a new sub-shell with the kAFL environment variables set.

clean

Removes the virtualenv deploy/venv

update

Forces to git pull on every repository managed by the playbook. Developer oriented target. Uses the clone Ansible tag.

☑️

build

Rebuilds every component that can be built. Developer oriented target. Uses the build Ansible tag.

☑️

EXTRA_ARGS

Some Makefile targets can accept additional command line arguments (EXTRA_ARGS) by specifying them after the end of command options symbol (a double dash --).

These arguments will be passed to the underlying Ansible command line.

Example:

# toggle Ansible 3rd level verbosity
make deploy -- -vvv
# toggle the 'kernel' Ansible tag
make deploy -- --tags kernel
# skip the hardware_check Ansible tag
make deploy -- --skip-tags hardare_check

Warning

Since we use a Makefile hack to convert additional targets as EXTRA_ARGS, it’s not possible to use keyword arguments, or pass a quoted string:

Example:

# doesn't work
make deploy -- --extra-vars ansible_connection=local
make deploy -- --extra-vars '{"ansible_connection": "local"}'

Ansible tags#

A set of Ansible tags are available to have fine grained control on the playbook’s execution.

They can be toggled or skipped with the --tags and --skip-tags Ansible command line parameters, and directly added from the makefile target via EXTRA_ARGS feature (described previously).

Tag

Description

kernel

Selects the kernel tasks

radamsa

Selects the radamsa tasks

capstone

Selects the capstone tasks

libxdc

Selects the libxdc tasks

qemu

Selects the QEMU tasks

fuzzer

Selects the fuzzer tasks

hardware_check

Selects the hardware/kernel requirements checking tasks. Introduced to be skipped on the CI runs.

kvm_device

Selects the tasks related to fixing permissions on the KVM node device. Introduced to be skipped on the CI runs.

reboot_kernel

Selects the task responsible for rebooting the remote node after kernel installation. Introduced to be skipped on the CI runs.

update_grub

Selects the tasks related to GRUB entry update after kernel installation. Introduced to be skipped on the CI runs.

build

Selects all tasks where a component can be rebuild (QEMU, libxdc, etc …). Developer oriented tag.

clone

Selects all tasks where a repository is cloned. Developer oriented tag.

Note

You can list available tags with

make deploy -- --list-tags

Ansible Galaxy and composability#

One of the reasons to rewrite kAFL’s deployment from scratching for the v0.5 release was to achieve a better composability.

In fact, other projects at Intel are based on kAFL, like the ccc-linux-guest-hardening repo. And we expect the community to develop their own tooling and use cases based on kAFL.

We wanted to make it as easy as possible to reuse the current kAFL deployment and cherry-pick the desired components. With this goal in mind, we leveraged a powerful feature of Ansible: Ansible Galaxy to breakdown kAFL’s setup into modular roles, and distribute them into a reusable collection.

intellabs.kafl Ansible collection#

The intellabs.kafl collection is available in the 📁deploy directory.

It regroups all the essential components required to setup kAFL (kernel package, QEMU, libxdc, capstone, fuzzer frontend …).

The roles are depending on each other, in such a way that including the fuzzer role will pull out the others:

  roles:
    - role: intellabs.kafl.fuzzer
flowchart LR fuzzer --> kernel fuzzer --> qemu fuzzer --> radamsa qemu --> capstone qemu --> libxdc

Reusing the collection#

kAFL and ccc-linux-guest-hardening are sharing the same deployment for kAFL.

Note

Since the collection is hosted in the top-level kAFL repository, it is included locally by specifying the source directory path.

ccc-linux-guest-hardening on the other hand, needs to specify the git repository and the subfolder.

flowchart LR kAFL==>|source: ./intellabs/kafl|intellabs.kafl ccc-linux-guest-hardening==>|source: git+https://github.com/IntelLabs/kAFL#/deploy/intellabs/|intellabs.kafl

Note

The intellabs.kafl Ansible collection is not yet publicly distributed on the Ansible Galaxy website.

It can be referenced in your requirements.yml via the git repository:

collections:
  - name: intellabs.kafl
    source: git+https://github.com/IntelLabs/kAFL#/deploy/intellabs/
    type: git
    version: master