Hi,

(sorry for the missing message ID, I wasn't subscribed to this list
beforehand so I did not get the original message)

On Fri, Dec 09, 2016 at 12:38:23AM +0100, Andrey Konovalov wrote:
> Hi,
>
> I'm working on a way to extend syzkaller [1] to support fuzzing of the
> USB subsystem. The idea is to be able to emulate various USB devices
> and fuzz communication between the emulated device and the kernel. I'm
> looking for a way to emulate devices from userspace. Similar to how
> tuntap allows to create virtual network interfaces and emit ethernet
> traffic by writing to /dev/net/tun.

FYI: I've started working on a similar project a week ago, although it's
structured a bit differently. It's made so that a USB gadget device is used
to fuzz arbitrary USB hosts.

On the one side, it uses the usbredir protocol that is used by vUSBf
(https://github.com/schumilo/vUSBf) and on the other side it uses
usb_gadget configfs (libcomposite) + usb functionfs for the gadget.
This means it can also be used to forward a physical USB device over network
to a physical USB host, which makes it useful beyond fuzzing as well.

I haven't tried using dummy_hcd with it, but I suppose that it just works (tm).

It's currently just a PoC with WIP, but so far the device already has the
right descriptors: https://github.com/Vogtinator/usbredir2phys
(Excuse the code, I developed understanding of the API only after I wrote it)

The code itself is too tightly coupled with the usbredir side, so while it
may not be useful for you that way, I'm glad if I could give you a few
pointers where to look at. Sadly the documentation of usb functionfs is IMO
a bit lacking.

A different approach for only host-side fuzzing would be to use the USB/IP
protocol, which (AFAIK) has some support available in the kernel.

Cheers,
Fabian