A lightweight, standalone kernel code coverage and syscall tracer for any command.
vock maps userspace program behavior to exact kernel code paths — the critical first step in targeted kernel vulnerability research. No external dependencies beyond a C compiler.
```
$ make
# make install
```

For the eBPF syscall backend (optional):

```
$ sudo apt install libbpf-dev bpftool
$ make EBPF=1
```
```sh
# Build vock
make

# 1. Kernel coverage (Intel PT, default mode)
sudo vock /bin/ip addr show
# → kerncov.log

# 2. Kernel coverage (KCOV)
sudo vock --mode kcov /bin/ip addr show
# → kerncov.log

# 3. Syscall trace
vock --syscall /bin/ip addr show
# → trace.syz

# 4. All at once: coverage + syscall
sudo vock --syscall /bin/ip addr show
# → hw_trace.bin + trace.syz
```

```sh
# Setup: build kernel with KCOV + Intel PT + BTF
cd ~/stable
scripts/config --enable CONFIG_DEBUG_KERNEL \
    --enable CONFIG_KCOV \
    --enable CONFIG_KCOV_INSTRUMENT_ALL \
    --enable CONFIG_DEBUG_INFO \
    --enable CONFIG_DEBUG_INFO_BTF \
    --enable CONFIG_PERF_EVENTS \
    --enable CONFIG_CPU_SUP_INTEL \
    --enable CONFIG_BPF_SYSCALL \
    --enable CONFIG_IKCONFIG \
    --enable CONFIG_IKCONFIG_PROC \
    --disable CONFIG_DEBUG_INFO_NONE
make olddefconfig
vng LLVM=-21 --build

# Test inside VM:
vng --rw -- bash

# (inside VM)
cd /path/to/vock
make CC=clang EBPF=1

# Coverage: kcov
./vock --mode kcov /bin/ls /tmp
cat kerncov.log | head

# Coverage: hw (skipped in VM — no Intel PT hardware)
# Run on host instead:
# sudo ./vock --mode hw /bin/ls /tmp

# Syscall: ptrace
./vock --syscall ptrace /bin/ls /tmp
cat trace.syz | head

# Syscall: sud
./vock --syscall sud /bin/ls /tmp
cat trace.syz | head

# Syscall: ebpf
./vock --syscall ebpf /bin/ls /tmp
cat trace.syz | head

# Syzlang (implies --syscall ptrace)
./vock --syzlang /bin/ls /tmp
cat trace.syz | head

# Combined: kcov + syscall
./vock --syscall --mode kcov /bin/ls /tmp
cat kerncov.log | wc -l
cat trace.syz | wc -l
```

```sh
# Ensure perf access
echo -1 | sudo tee /proc/sys/kernel/perf_event_paranoid

# Intel PT kernel trace
sudo ./vock /bin/ip addr show
ls -la hw_trace.bin

# Intel PT + syscall trace
sudo ./vock --syscall /bin/ip addr show
ls -la hw_trace.bin trace.syz
```

```
vock [--mode hw|kcov] [--syscall [ptrace|sud|ebpf]] [--syzlang] [--kernel-src PATH] [--vmlinux FILE] [--filter KW] <cmd> [args...]
vock selftest [--help]
vock --help
```
Captures a kernel-only execution trace via hardware tracing. Works on any kernel, including ones built without CONFIG_KCOV.

Requirements:

```
CONFIG_PERF_EVENTS=y
CONFIG_CPU_SUP_INTEL=y   # x86 (Intel PT)
# or CONFIG_CORESIGHT=y  # ARM
# Needs root or perf_event_paranoid <= 0
```

```sh
sudo vock /bin/ls /tmp
sudo vock --vmlinux ~/linux/vmlinux /bin/ip route show
```

Output: hw_trace.bin (raw Intel PT / CoreSight packets)
Captures per-process kernel code coverage using /sys/kernel/debug/kcov.

Requirements:

```
CONFIG_KCOV=y
CONFIG_KCOV_INSTRUMENT_ALL=y
CONFIG_DEBUG_INFO=y
```

```sh
sudo vock --mode kcov /bin/ls /tmp
sudo vock --mode kcov --filter "net/" --vmlinux ~/linux/vmlinux /bin/ip addr show
```

Output: kerncov.log (kernel PC addresses)
Traces all syscalls in strace-compatible format. Can be combined with any coverage mode.

| Backend | Flag | Requirements | Speed |
|---|---|---|---|
| ptrace (default) | --syscall or --syscall ptrace | Any kernel | Moderate |
| SUD/lazypoline | --syscall sud | Kernel ≥ 5.11, x86_64 | Fast |
| eBPF | --syscall ebpf | CONFIG_BPF + BTF, libbpf-dev | Fastest |

```sh
# Default (ptrace)
vock --syscall /bin/ls /tmp

# SUD — hybrid binary rewriting + Syscall User Dispatch
vock --syscall sud /bin/ip addr show

# eBPF — kernel tracepoints (needs: sudo apt install libbpf-dev bpftool && make EBPF=1)
sudo vock --syscall ebpf /bin/ip addr show

# Syzlang output (implies --syscall)
vock --syzlang /bin/ip addr show

# Combined: coverage + syscall trace
sudo vock --syscall /bin/ip addr show
```

Output: trace.syz (strace-compatible format, parseable by syz-trace2syz)
Output format:
```
execve(0x7fff..., 0x7fff..., 0x7fff..., 0, 0, 0) = 0
openat(AT_FDCWD, 0x7f..., 0x80000, 0, 0, 0) = 3
read(0x3, 0x7fff..., 0x340, 0, 0, 0) = 832
close(0x3, 0, 0, 0, 0, 0) = 0
```
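To triage a trace before handing it to syz-trace2syz, the records shown above can be parsed and summarized. The script below is an added example, not part of vock: the sample trace is constructed, and the form of failing calls (a negative return value followed by an errno name, as strace prints them) is an assumption about the output.

```python
import re
from collections import Counter

# Constructed sample in the format shown above; the failing openat line
# assumes strace-style errors (negative return value, then the errno name).
SAMPLE = """\
execve(0x7ffd1c2a4e10, 0x7ffd1c2a5f30, 0x7ffd1c2a5f48, 0, 0, 0) = 0
openat(AT_FDCWD, 0x7f3a9c0e1b20, 0x80000, 0, 0, 0) = 3
read(0x3, 0x7ffd1c2a3d88, 0x340, 0, 0, 0) = 832
close(0x3, 0, 0, 0, 0, 0) = 0
openat(AT_FDCWD, 0x7f3a9c0e2c40, 0x80000, 0, 0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, 0x7f3a9c0e3d60, 0x80000, 0, 0, 0) = 4
this line is not a syscall record
"""

# name(arg, arg, ...) = ret, where ret is decimal or hex; trailing text is ignored.
LINE_RE = re.compile(r"^(\w+)\((.*)\)\s*=\s*(-?(?:0x[0-9a-fA-F]+|\d+))\b")

def _value(tok):
    # Numeric tokens become ints; symbolic (AT_FDCWD) or elided ones stay strings.
    try:
        return int(tok, 0)
    except ValueError:
        return tok

def parse_line(line):
    """Return (name, args, ret) for one record, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = [_value(a.strip()) for a in m.group(2).split(",") if a.strip()]
    return m.group(1), args, int(m.group(3), 0)

def summarize(text):
    """Count calls and failures, and track fds opened but never closed."""
    calls, failed, open_fds, skipped = Counter(), Counter(), set(), 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += bool(line.strip())  # count non-empty unparseable lines
            continue
        name, args, ret = rec
        calls[name] += 1
        if ret < 0:
            failed[name] += 1
        elif name in ("open", "openat"):
            open_fds.add(ret)
        elif name == "close" and args:
            open_fds.discard(args[0])
    return {"calls": calls, "failed": failed, "open_fds": open_fds, "skipped": skipped}
```

Call `summarize(open("trace.syz").read())` on a real trace; a non-zero `skipped` count means some lines did not match the assumed record shape and should be inspected by hand.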
```sh
# 1. What kernel code does the target reach?
sudo vock /usr/bin/target_app
# → hw_trace.bin (kernel execution trace)

# 2. What syscalls does it make? (strace format for syz-trace2syz)
vock --syzlang /usr/bin/target_app
# → trace.syz (feed to syz-trace2syz → syzkaller corpus)

# 3. Fuzz those specific paths
syz-trace2syz -file trace.syz
cp corpus.db ~/syzkaller/workdir/
```

```sh
vock selftest                # quick host test (default)
vock selftest --on vng-kvm   # full test in KVM VM
vock selftest --on vng-tcg   # full test without KVM
vock selftest 1              # kernel coverage only
vock selftest 2              # syscall engines only
vock selftest 3              # hw-only (KCOV disabled)
vock selftest --help         # full options
```

```sh
cd ~/stable
vng LLVM=-21 --build
vng --rw -- /path/to/vock/selftest/run.py
```

| Mode | Intel x86_64 | ARM64 | AMD x86_64 |
|---|---|---|---|
| hw (Intel PT) | ✓ | — | — |
| hw (CoreSight) | — | ✓ | — |
| kcov | ✓ | ✓ | ✓ |
| --syscall ptrace | ✓ | ✓ | ✓ |
| --syscall sud | ✓ | — | ✓ |
| --syscall ebpf | ✓ | ✓ | ✓ |
AMD CPUs have no hardware trace equivalent. Use --mode kcov or --syscall on AMD.
See LICENSE.
