Kernel code coverage + syscall tracer + coverage-guided fuzzer — in one tool.
Map any userspace program to the exact kernel code it exercises, then fuzz those paths.
make && ./vock /bin/ip addr showNo dependencies beyond a C compiler. Just make and run.
┌─────────────┐ ┌──────────────┐ ┌──────────────┐
│ Your App │────▶│ vock trace │────▶│ Kernel PCs │
│ /bin/ip │ │ (coverage) │ │ kerncov.log │
└─────────────┘ └──────────────┘ └──────────────┘
│
▼
┌──────────────┐ ┌──────────────┐
│ vock fuzz │────▶│ New paths │
│ (mutate) │ │ fuzz.log │
└──────────────┘ └──────────────┘
git clone https://github.com/yskzalloc/vock && cd vock
makeSee which kernel code your program touches:
# Intel PT (works on any kernel, needs Intel CPU)
./vock /bin/ip addr show
# → kerncov.log + coverage.html
# KCOV (needs CONFIG_KCOV)
./vock --mode kcov /bin/ip addr show
# → kerncov.log + coverage.htmlRecord all syscalls in strace format:
./vock --syscall /bin/ls /tmp
# → trace.log (human-readable strace format)
./vock --syzlang /bin/ls /tmp
# → trace.log + trace.syz (for syzkaller's syz-trace2syz)Mutate the program's syscalls to explore nearby kernel paths:
./vock fuzz /bin/ip addr show
# Runs until Ctrl+C
# → trace.syz (baseline) + fuzz_N.log (rankings)
./vock fuzz -repeat=100 /bin/ip addr show
# 100 iterations then stop
./vock fuzz -procs=8 /bin/ip addr show
# 8 parallel workers, until Ctrl+CEach iteration: mutate baseline syscalls → fork child → child executes
mutated syscalls directly via syscall() → parent traces with Intel PT →
rank by coverage novelty. No compilation in the loop.
See FUZZ.md for algorithm details.
Coverage + syscall trace in one shot:
./vock --syscall /bin/ip addr show
# → kerncov.log + trace.log + coverage.html| Backend | Flag | Speed | Requirements |
|---|---|---|---|
| ptrace | --syscall ptrace |
Moderate | Any kernel |
| SUD | --syscall sud |
Fast | Kernel ≥ 5.11, x86_64, mmap_min_addr=0 |
| eBPF | --syscall ebpf |
Fastest | Kernel with BTF (/sys/kernel/btf/vmlinux) |
SUD setup:
echo 0 | sudo tee /proc/sys/vm/mmap_min_addr| Feature | Intel x86_64 | ARM64 | AMD x86_64 |
|---|---|---|---|
| Intel PT coverage | ✓ | — | — |
| AMD LBR coverage | — | — | ✓ |
| CoreSight coverage | — | ✓ | — |
| KCOV coverage | ✓ | ✓ | ✓ |
| Syscall trace | ✓ | ✓ | ✓ |
| Fuzzing | ✓ | ✓ | ✓ |
# 1. What kernel code does the target reach?
./vock /bin/ip addr show
# → kerncov.log (5000+ kernel PCs)
# 2. Get syscall trace for syzkaller
./vock --syzlang /bin/ip addr show
# → trace.syz
# 3. Feed to syzkaller
syz-trace2syz -file trace.syz
# → syzkaller corpus
# 4. Or fuzz directly with vock
./vock fuzz /bin/ip addr show
# → finds new kernel paths near the original execution./vock selftest 1 --on vng-kvm # coverage + syscall (VM)
sudo ./vock selftest 2 --on host # Intel PT (bare metal)
./vock selftest 2 --on vng-kvm # AMD LBR (works in VM)
./vock selftest --help # all optionsSee SELFTEST.md for kernel configuration and VM testing details.
| Output | Description |
|---|---|
kerncov.log |
Merged kernel coverage (local + remote) |
local.log |
KCOV local coverage (direct syscall paths) |
remote.log |
KCOV remote coverage (softirqs, workqueues) |
coverage.html |
Source-annotated coverage report |
trace.log |
Strace-format decoded syscall log |
trace.syz |
Syzlang format (for syz-trace2syz) |
fuzz.log |
Fuzzer rankings (similarity, coverage, novelty) |
make # default (includes eBPF backend)
make CC=clang # use clang
make CC=gcc # use gccSee LICENSE.
