Snapchange is a Rust framework that can be used to fuzz a target binary with minimal modifications, offering useful insight into the process. It works by replaying physical memory snapshots in order to make the fuzzing of various targets more efficient and less complex.
Although Snapchange itself is agnostic to the target operating system, the snapshot process is primarily geared toward Linux-based targets, where it can capture the necessary debugging data. Executing the snapshot relies on the Linux kernel's KVM (Kernel Virtual Machine) feature.
The project started out as an experiment by the AWS Find and Fix (F2) open-source security research teams to explore the potential of using KVM in enabling snapshot fuzzing.
Snapchange works by injecting mutated data into the virtual machine and provides a breakpoint-based hooking system. It offers real-time coverage reports in formats such as Lighthouse and LCOV, as well as single-step traces, which are useful for debugging. With Snapchange, a given physical memory snapshot can be fuzzed across multiple CPU cores in parallel while monitoring for crashing states such as a segmentation fault or a call to an Address Sanitizer report.
“A snapshot is a pairing of a physical memory dump of a running VM and its accompanying register state. Fuzzing with a snapshot enables granular execution in order to reach code blocks that are traditionally difficult to fuzz without the complexities of managing state within the target,” Cory Duplantis, a senior security engineer at AWS, wrote in a blog post. “The only information needed by Snapchange in order to continue the execution of the target in a virtual machine is the snapshot itself. Prior work exploring this technique includes brownie, falkervisor, chocolate_milk, Nyx, and what the fuzz.”
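The snapshot-replay loop the two paragraphs above describe (memory image plus register state, mutated input injected, cheap reset between runs, crash and coverage monitoring), modelled as an added Rust example that is not Snapchange's code and uses none of its API. The Snapshot and FuzzVm types, the toy in-process target, the page size and the fixed input address are all constructed for the illustration; a real snapshot fuzzer runs the guest under KVM rather than calling a Rust function.

```rust
// Toy model of a snapshot-fuzzing loop (added illustration, not Snapchange's own API):
// restore only dirtied pages, inject a mutated input, run to exit or crash, record blocks.
use std::collections::HashSet;
const PAGE: usize = 64;             // toy page size
const INPUT_ADDR: usize = 2 * PAGE; // guest address where the target reads its input
const BUF_LEN: usize = 16;          // size of the hypothetical target's copy buffer
pub struct Snapshot { pub mem: Vec<u8>, pub rip: u64 } // memory image + register state
pub struct FuzzVm { pub mem: Vec<u8>, pub rip: u64, pub dirty: HashSet<usize>, pub coverage: HashSet<u64> }
#[derive(Debug, PartialEq)]
pub enum Exit { Done, Crash(&'static str) }
impl FuzzVm {
    pub fn new(s: &Snapshot) -> Self { FuzzVm { mem: s.mem.clone(), rip: s.rip, dirty: HashSet::new(), coverage: HashSet::new() } }
    // Write guest memory and log the touched pages, like a dirty-page bitmap.
    pub fn write_bytes_dirty(&mut self, addr: usize, data: &[u8]) {
        self.mem[addr..addr + data.len()].copy_from_slice(data);
        for p in addr / PAGE..=(addr + data.len() - 1) / PAGE { self.dirty.insert(p); }
    }
    // Reset to the snapshot: copy back only the dirtied pages, then the register state.
    pub fn restore(&mut self, s: &Snapshot) {
        for p in self.dirty.drain() { let (a, b) = (p * PAGE, (p + 1) * PAGE); self.mem[a..b].copy_from_slice(&s.mem[a..b]); }
        self.rip = s.rip;
    }
    // Stand-in for the snapshotted target: a length byte and payload sit at INPUT_ADDR, and a
    // "SNAP"-tagged payload is copied into a BUF_LEN buffer without a bounds check.
    pub fn run(&mut self) -> Exit {
        self.coverage.insert(self.rip); // block: entry
        let len = self.mem[INPUT_ADDR] as usize;
        if !self.mem[INPUT_ADDR + 1..INPUT_ADDR + 1 + len].starts_with(b"SNAP") { return Exit::Done; }
        self.coverage.insert(0x1100); // block: header accepted
        if len > BUF_LEN { return Exit::Crash("stack-buffer-overflow"); } // ASan-style report
        Exit::Done
    }
}
// Xorshift keeps runs reproducible; a real fuzzer uses a far richer mutator.
fn xorshift(s: &mut u64) -> u64 { *s ^= *s << 13; *s ^= *s >> 7; *s ^= *s << 17; *s }
// Mutates the seed "SNAP" each round; returns the first crashing input and blocks covered.
pub fn fuzz(snap: &Snapshot, iters: usize, seed: u64) -> (Option<Vec<u8>>, usize) {
    let (mut vm, mut rng) = (FuzzVm::new(snap), seed);
    for _ in 0..iters {
        vm.restore(snap); // cheap reset instead of relaunching the target
        let mut input = b"SNAP".to_vec();
        if xorshift(&mut rng) % 2 == 0 { // either append 1..=32 random bytes ...
            input.extend((0..1 + xorshift(&mut rng) % 32).map(|_| xorshift(&mut rng) as u8));
        } else { // ... or flip one bit of an existing byte
            let i = xorshift(&mut rng) as usize % input.len(); input[i] ^= 1u8 << (xorshift(&mut rng) % 8);
        }
        vm.write_bytes_dirty(INPUT_ADDR, &[vec![input.len() as u8], input.clone()].concat());
        if let Exit::Crash(_) = vm.run() { return (Some(input), vm.coverage.len()); }
    }
    (None, vm.coverage.len())
}
```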
Because Snapchange relies on KVM to execute a snapshot, it must be run on a machine with KVM access. The project is available today under the Apache License 2.0 via GitHub.