# Created by: Rozhuk Ivan <rozhuk.im@gmail.com>

# $FreeBSD$

PORTNAME=	sandsifter

PORTVERSION=	0.1

CATEGORIES=	security

MAINTAINER=	ports@FreeBSD.org

COMMENT=	x86 processor fuzzer

USE_GITHUB=	yes

GH_ACCOUNT=	xoreaxeaxeax

GH_TAGNAME=	dff63246fed84d90118441b8ba5b5d3bdd094427

BUILD_DEPENDS=	${LOCALBASE}/include/capstone/capstone.h:devel/capstone3

RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}capstone>0:devel/py-capstone

USES=		gmake python localbase

#do-install:

#	${INSTALL_PROGRAM} ${WRKSRC}/sasp ${STAGEDIR}${PREFIX}/sbin

.include <bsd.port.mk>

TIMESTAMP = 1501534237

SHA256 (xoreaxeaxeax-sandsifter-0.1-dff63246fed84d90118441b8ba5b5d3bdd094427_GH0.tar.gz) = 010d662705bb67035e3d6b93a0fbe0bcf7ab2b5ba93e6eb977eb614c7dec3691

SIZE (xoreaxeaxeax-sandsifter-0.1-dff63246fed84d90118441b8ba5b5d3bdd094427_GH0.tar.gz) = 5284438

--- Makefile.orig	2017-07-27 22:17:30.000000000 +0300

+++ Makefile	2017-08-01 02:08:49.396326000 +0300

@@ -32,7 +32,7 @@

 all: injector

 injector: injector.o

-	$(CC) $(CFLAGS) $< -O3 -Wall -l:libcapstone.a -o $@ -pthread

+	$(CC) $(CFLAGS) $(LIBS) $(LDFLAGS) $< -O3 -Wall -l:libcapstone.a -o $@ -pthread

 %.o: %.c

 	$(CC) $(CFLAGS) -c $< -o $@ -Wall

--- injector.c.orig	2017-07-27 22:17:30.000000000 +0300

+++ injector.c	2017-08-01 01:54:04.885858000 +0300

@@ -77,10 +77,24 @@

 /* 32 vs 64 */

-#if __x86_64__

-	#define IP REG_RIP 

+#ifdef __linux__ /* Linux specific code. */

+#	define PAGE_SIZE 4096

+#	define EFL gregs[REG_EFL]

+#	if __x86_64__

+#		define IP gregs[REG_RIP]

+#	else

+#		define IP gregs[REG_EIP]

+#	endif

 #else

-	#define IP REG_EIP 

+#	include <pthread_np.h>

+	typedef cpuset_t cpu_set_t;

+#	if __x86_64__

+#		define IP mc_rip

+#		define EFL mc_rflags

+#	else

+#		define IP mc_eip

+#		define EFL mc_eflags

+#	endif

 #endif

 /* leave state as 0 */

@@ -155,7 +169,6 @@

 /* x86/64 */

 #define UD2_SIZE  2

-#define PAGE_SIZE 4096

 #define TF        0x100

 /* injection */

@@ -850,7 +863,7 @@

 void state_handler(int signum, siginfo_t* si, void* p)

 {

 	fault_context=((ucontext_t*)p)->uc_mcontext;

-	((ucontext_t*)p)->uc_mcontext.gregs[IP]+=UD2_SIZE;

+	((ucontext_t*)p)->uc_mcontext.IP+=UD2_SIZE;

 }

 void fault_handler(int signum, siginfo_t* si, void* p)

@@ -863,7 +876,7 @@

 	/* make an initial estimate on the instruction length from the fault address */

 	insn_length=

-		(uintptr_t)uc->uc_mcontext.gregs[IP]-(uintptr_t)packet-preamble_length;

+		(uintptr_t)uc->uc_mcontext.IP-(uintptr_t)packet-preamble_length;

 	if (insn_length<0) {

 		insn_length=JMP_LENGTH;

@@ -880,9 +893,13 @@

 		(signum==SIGSEGV||signum==SIGBUS)?(uint32_t)(uintptr_t)si->si_addr:(uint32_t)-1

 	};

+#ifdef __linux__ /* Linux specific code. */

 	memcpy(uc->uc_mcontext.gregs, fault_context.gregs, sizeof(fault_context.gregs));

-	uc->uc_mcontext.gregs[IP]=(uintptr_t)&resume;

-	uc->uc_mcontext.gregs[REG_EFL]&=~TF;

+#else

+	memcpy(&uc->uc_mcontext, &fault_context, sizeof(fault_context));

+#endif

+	uc->uc_mcontext.IP=(uintptr_t)&resume;

+	uc->uc_mcontext.EFL&=~TF;

 }

 void configure_sig_handler(void (*handler)(int, siginfo_t*, void*))

@@ -1341,7 +1358,13 @@

 		cpu_set_t mask;

 		CPU_ZERO(&mask);

 		CPU_SET(config.core,&mask);

-		if (sched_setaffinity(0, sizeof(mask), &mask)) {

+#ifdef __linux__ /* Linux specific code. */

+		if (sched_setaffinity(0, sizeof(mask), &mask))

+#else

+		if (cpuset_setaffinity(CPU_LEVEL_WHICH, CPU_WHICH_PID,

+		    -1, sizeof(mask), &mask))

+#endif

+		{

 			printf("error: failed to set cpu\n");

 			exit(1);

 		}

@@ -1439,7 +1462,7 @@

 		null_p=mmap(0, PAGE_SIZE, PROT_READ|PROT_WRITE,

 			MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);

 		if (null_p==MAP_FAILED) {

-			printf("null access requires running as root\n");

+			printf("null access requires running as root, %i\n", errno);

 			exit(1);

 		}

 	}

--- sifter.py.orig	2017-08-01 03:34:37.224624000 +0300

+++ sifter.py	2017-08-01 03:35:34.961522000 +0300

@@ -30,7 +30,7 @@

 INJECTOR = "./injector"

 arch = ""

-OUTPUT = "./data/"

+OUTPUT = "~/.sandsifter/"

 LOG  = OUTPUT + "log"

 SYNC = OUTPUT + "sync"

 TICK = OUTPUT + "tick"

@@ -679,9 +679,10 @@

             time.sleep(self.TIME_SLICE)

 def get_cpu_info():

-    with open("/proc/cpuinfo", "r") as f:

-        cpu = [l.strip() for l in f.readlines()[:7]]

-    return cpu

+    #with open("/proc/cpuinfo", "r") as f:

+    #    cpu = [l.strip() for l in f.readlines()[:7]]

+    #return cpu

+    return "01234567"

 def dump_artifacts(r, injector, command_line):

     global arch

Attention

Before use this tool You should set:

sysctl security.bsd.map_at_zero=1

s a n d s i f t e r

: the x86 processor fuzzer

Overview

The sandsifter audits x86 processors for hidden instructions and 

hardware bugs, by systematically generating machine code to search

through a processor's instruction set, and monitoring execution for

anomalies. Sandsifter has uncovered secret processor instructions from

every major vendor; ubiquitous software bugs in disassemblers,

assemblers, and emulators; flaws in enterprise hypervisors; and both

benign and security-critical hardware bugs in x86 chips.

With the multitude of x86 processors in existence, the goal of the tool

is to enable users to check their own systems for hidden instructions

and bugs.

To run a basic audit against your processor:

sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

The computer is systematically scanned for anomalous instructions.

In the upper half, you can view the instructions that the sandsifter

is currently testing on the processor. In the bottom half, the

sandsifter reports anomalies it finds.

The search will take from a few hours to a few days, depending on the

speed of and complexity of your processor. When it is complete,

summarize the results:

./summarize.py data/log