Android Kernel Fuzzer v0.2b

This version consists of some minor changes from v0.2a

Changes in fuzzer.h

- Fix a logic error that only generates random negative signed int

Changes in mkdir.c

- Combine all fuzzing fuctions into 1 function grayBoxFuzzing()


Android Kernel Fuzzer v0.3 will be out soon. New features:

- Introducing white box fuzzing to mkdir()

- Fuzz with possible invalid characters

- Fuzz with invalid pointers.


Download Link:


Android Kernel Fuzzer v0.2a

We made some improvements from Android Kernel Fuzzer v0.2. Also, we have finally tested our fuzzer on the Android Kernel

Changes in fuzzer.h:

- Modified the generation of random unsigned & signed char data

- Increase from 5 sets to 50 sets

- Increase the byte length range from 1024 alone to (256,512,1024,2048,4096)

Changes in mkdir.c:

- All for loops used for fuzzing are organized into separate functions

- fuzzCharData(), fuzzRanCharData(), fuzzRanIntData()

- Removed function pointer

- Declaration of Android’s mkdir():

extern int mkdir(const char *, mode_t);


Screen Shots (Fuzzer output on Android 2.2):



- Although we have increased the range for testing unsigend & signed char data, we still keep it at a fixed length in order to have control over what we have to intend to fuzz.

- We removed function pointer as we have decided to develop individual classes for each syscall in future. This will allow better control as well as customization to fuzzing a particular syscall.

- We used the AVD emulator running Android 2.2. We cross compile our fuzzer as an executable using the Android NDK. Finally, we ran our fuzzer executable using the adb shell.

- Sometimes when fuzzing random unsigned & signed char data, it may hit errno 2 (No such file or directory). Reason being there is a chance that the random data is like “^@bhs/su123″. Because of the ‘/’, they treat the front part as a parent directory, but ended up failing because there is no such parent directory.


Download Link:

Android Kernel Fuzzer v0.2

In the previous Android Kernel Fuzzer v0.1, we only fuzz the 1st parameter of mkdir() syscall.

mkdir() syscall takes in 2 parameter:

1st – char * (Directory Name)

2nd – int      (Permissions)


In this new program, Android Kernel Fuzzer v0.2, there are some changes as well as more fuzzing on mkdir() syscall.

Changes in fuzzer.h:

- added new function genRanData()

- randomly generate 5 sets of unsigned & signed char data of 1024 byte length

- randomly generate array of unsigened & signed int data, size 1024

Changes in mkdir.c:

- fuzz the 1st parameter of mkdir() through 5 sets of random unsigned & signed char data

- fuzz the 2nd parameter of mkdir() through the array of random unsigned& signed int data

- only print the status when fuzzing mkdir() face an error


Screen Shot (Fuzzer output on Ubuntu 10):


Note that we only fuzz 1024 random unsigned & signed data instead of the whole range.

Range of unsigned int:    0..UINT_MAX

Range of signed int:         INT_MIN..INT_MAX

We did attempt fuzzing the entire range of unsigned int data. However it took more than 2 hours, but the fuzzing was far from being complete. Therefore we scaled down to fuzzing only 1024 random unsigned & signed int data.


Download Link:

Android Kernel Fuzzer v0.1

Hello World. This is our very first post on our Android Kernel Fuzzer program. Our current version is currently at v0.2a, but we will be posting about how our program progress starting from v0.1.


Android Kernel Fuzzer v0.1:

As the Android Kernel is rather big, we are scaling down to just fuzz system calls for now. For a start, we attempt to fuzz mkdir(), a common syscall.

*Note: for a start, the program  is written and compiled for Ubuntu 10 at the moment.

We created 2 seperate classes:

1. fuzzer.h

- Generate the entire range of  unsigned char data type (0..UCHAR_MAX)

- Generate the entire range of  signed char data type (SCHAR_MIN..SCHAR_MAX)


- fuzz  mkdir(__const char *__path, __mode_t __mode) syscall using for loop

- fuzz through the entire range of unsigned & signed char data type

- use errno to check whether an error is handled when it occurs

- print the results into the terminal


Screen Shot (Fuzzer output on Ubuntu 10):

V0.1 Example Output


Download Link:

What is a Fuzzer?

A Fuzzer is a program used for fuzzing or fuzz testing. Fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. This program is then monitored for unexpected results such as crashes or failing built-in code assertions. This technique is often adopted to test for security vulnerabilities of a software program or a computer system.

For the purpose of security, input that crosses a trust boundary is often the most interesting. For example, it is more important to fuzz code that handles the upload of a file by any user than it is to fuzz the code that parses a configuration file that is accessible only to a privileged user.

Fuzz testing is one of the techniques which offer a high benefit to cost ratio. (Cost saving)

As well as testing for outright crashes, fuzz testing is used to find bugs such as assertion failures and memory leaks (when coupled with a memory debugger). The methodology is useful against large applications, where any bug affecting memory safety is likely to be a severe vulnerability.

The main problem with fuzzing to find program faults is that it generally only finds very simple faults. Every fuzzer takes shortcuts to find something interesting in a timeframe that a human cares about.

Fuzz testing enhances software security and software safety because it often finds odd oversights and defects which human testers would fail to find, and even careful human test designers would fail to create tests for.

Example of a fuzzer

IOCTL Fuzzer locates IOCTL vulnerabilities in Windows drivers.

Taken from

Hello world!

Hello World, indeed! This is our first post here. In summary, we are bascially a group of 3 students who have been tasked to develop a fuzzer application and porting it over to the Android platform. We hope to penetrate the kernel level finding bugs, vulnerabilities and basically want to crash it! We will update this site with our content (source codes, how-to’s) very soon! But for now this site in under maintenance!




Get every new post delivered to your Inbox.