FreeBSD Bugzilla – Attachment 184876 Details for
Bug 221132
[NEW PORT] security/sandsifter: x86 processor fuzzer
[patch]
test version
sandsifter.patch (text/plain), 7.43 KB, created by
Ivan Rozhuk
on 2017-08-01 00:47:42 UTC
Description:
test version
Creator:
Ivan Rozhuk
Created:
2017-08-01 00:47:42 UTC
Size:
7.43 KB
>Index: security/sandsifter/Makefile
>===================================================================
>--- security/sandsifter/Makefile (nonexistent)
>+++ security/sandsifter/Makefile (working copy)
>@@ -0,0 +1,22 @@
>+# Created by: Rozhuk Ivan <rozhuk.im@gmail.com>
>+# $FreeBSD$
>+
>+PORTNAME= sandsifter
>+PORTVERSION= 0.1
>+CATEGORIES= security
>+
>+MAINTAINER= ports@FreeBSD.org
>+COMMENT= x86 processor fuzzer
>+
>+USE_GITHUB= yes
>+GH_ACCOUNT= xoreaxeaxeax
>+GH_TAGNAME= dff63246fed84d90118441b8ba5b5d3bdd094427
>+
>+BUILD_DEPENDS= ${LOCALBASE}/include/capstone/capstone.h:devel/capstone3
>+RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}capstone>0:devel/py-capstone
>+USES= gmake python localbase
>+
>+#do-install:
>+# ${INSTALL_PROGRAM} ${WRKSRC}/sasp ${STAGEDIR}${PREFIX}/sbin
>+
>+.include <bsd.port.mk>
>Index: security/sandsifter/distinfo
>===================================================================
>--- security/sandsifter/distinfo (nonexistent)
>+++ security/sandsifter/distinfo (working copy)
>@@ -0,0 +1,3 @@
>+TIMESTAMP = 1501534237
>+SHA256 (xoreaxeaxeax-sandsifter-0.1-dff63246fed84d90118441b8ba5b5d3bdd094427_GH0.tar.gz) = 010d662705bb67035e3d6b93a0fbe0bcf7ab2b5ba93e6eb977eb614c7dec3691
>+SIZE (xoreaxeaxeax-sandsifter-0.1-dff63246fed84d90118441b8ba5b5d3bdd094427_GH0.tar.gz) = 5284438
>Index: security/sandsifter/files/patch-Makefile
>===================================================================
>--- security/sandsifter/files/patch-Makefile (nonexistent)
>+++ security/sandsifter/files/patch-Makefile (working copy)
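Review bot: The port Makefile stages nothing: `do-install` is commented out, and the line under it installs `${WRKSRC}/sasp`, while the patched upstream Makefile later in this attachment builds a binary named `injector`. Unless upstream ships an install target (not visible here), the port needs a real `do-install` that stages `injector` and the Python scripts. files/pkg-message.in is also added without `SUB_FILES= pkg-message` in this Makefile, so as far as the ports framework goes the `security.bsd.map_at_zero` notice would not be shown at install time.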
>@@ -0,0 +1,11 @@
>+--- Makefile.orig 2017-07-27 22:17:30.000000000 +0300
>++++ Makefile 2017-08-01 02:08:49.396326000 +0300
>+@@ -32,7 +32,7 @@
>+ all: injector
>+
>+ injector: injector.o
>+- $(CC) $(CFLAGS) $< -O3 -Wall -l:libcapstone.a -o $@ -pthread
>++ $(CC) $(CFLAGS) $(LIBS) $(LDFLAGS) $< -O3 -Wall -l:libcapstone.a -o $@ -pthread
>+
>+ %.o: %.c
>+ $(CC) $(CFLAGS) -c $< -o $@ -Wall
>Index: security/sandsifter/files/patch-injector.c
>===================================================================
>--- security/sandsifter/files/patch-injector.c (nonexistent)
>+++ security/sandsifter/files/patch-injector.c (working copy)
>@@ -0,0 +1,96 @@
>+--- injector.c.orig 2017-07-27 22:17:30.000000000 +0300
>++++ injector.c 2017-08-01 01:54:04.885858000 +0300
>+@@ -77,10 +77,24 @@
>+
>+ /* 32 vs 64 */
>+
>+-#if __x86_64__
>+- #define IP REG_RIP
>++#ifdef __linux__ /* Linux specific code. */
>++# define PAGE_SIZE 4096
>++# define EFL gregs[REG_EFL]
>++# if __x86_64__
>++# define IP gregs[REG_RIP]
>++# else
>++# define IP gregs[REG_EIP]
>++# endif
>+ #else
>+- #define IP REG_EIP
>++# include <pthread_np.h>
>++ typedef cpuset_t cpu_set_t;
>++# if __x86_64__
>++# define IP mc_rip
>++# define EFL mc_rflags
>++# else
>++# define IP mc_eip
>++# define EFL mc_eflags
>++# endif
>+ #endif
>+
>+ /* leave state as 0 */
>+@@ -155,7 +169,6 @@
>+ /* x86/64 */
>+
>+ #define UD2_SIZE 2
>+-#define PAGE_SIZE 4096
>+ #define TF 0x100
>+
>+ /* injection */
>+@@ -850,7 +863,7 @@
>+ void state_handler(int signum, siginfo_t* si, void* p)
>+ {
>+ fault_context=((ucontext_t*)p)->uc_mcontext;
>+- ((ucontext_t*)p)->uc_mcontext.gregs[IP]+=UD2_SIZE;
>++ ((ucontext_t*)p)->uc_mcontext.IP+=UD2_SIZE;
>+ }
>+
>+ void fault_handler(int signum, siginfo_t* si, void* p)
>+@@ -863,7 +876,7 @@
>+
>+ /* make an initial estimate on the instruction length from the fault address */
>+ insn_length=
>+- (uintptr_t)uc->uc_mcontext.gregs[IP]-(uintptr_t)packet-preamble_length;
>++ (uintptr_t)uc->uc_mcontext.IP-(uintptr_t)packet-preamble_length;
>+
>+ if (insn_length<0) {
>+ insn_length=JMP_LENGTH;
>+@@ -880,9 +893,13 @@
>+ (signum==SIGSEGV||signum==SIGBUS)?(uint32_t)(uintptr_t)si->si_addr:(uint32_t)-1
>+ };
>+
>++#ifdef __linux__ /* Linux specific code. */
>+ memcpy(uc->uc_mcontext.gregs, fault_context.gregs, sizeof(fault_context.gregs));
>+- uc->uc_mcontext.gregs[IP]=(uintptr_t)&resume;
>+- uc->uc_mcontext.gregs[REG_EFL]&=~TF;
>++#else
>++ memcpy(&uc->uc_mcontext, &fault_context, sizeof(fault_context));
>++#endif
>++ uc->uc_mcontext.IP=(uintptr_t)&resume;
>++ uc->uc_mcontext.EFL&=~TF;
>+ }
>+
>+ void configure_sig_handler(void (*handler)(int, siginfo_t*, void*))
>+@@ -1341,7 +1358,13 @@
>+ cpu_set_t mask;
>+ CPU_ZERO(&mask);
>+ CPU_SET(config.core,&mask);
>+- if (sched_setaffinity(0, sizeof(mask), &mask)) {
>++#ifdef __linux__ /* Linux specific code. */
>++ if (sched_setaffinity(0, sizeof(mask), &mask))
>++#else
>++ if (cpuset_setaffinity(CPU_LEVEL_WHICH, CPU_WHICH_PID,
>++ -1, sizeof(mask), &mask))
>++#endif
>++ {
>+ printf("error: failed to set cpu\n");
>+ exit(1);
>+ }
>+@@ -1439,7 +1462,7 @@
>+ null_p=mmap(0, PAGE_SIZE, PROT_READ|PROT_WRITE,
>+ MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
>+ if (null_p==MAP_FAILED) {
>+- printf("null access requires running as root\n");
>++ printf("null access requires running as root, %i\n", errno);
>+ exit(1);
>+ }
>+ }
>Index: security/sandsifter/files/patch-sifter.py
>===================================================================
>--- security/sandsifter/files/patch-sifter.py (nonexistent)
>+++ security/sandsifter/files/patch-sifter.py (working copy)
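Review bot: In fault_handler the non-Linux branch restores the whole saved context with `memcpy(&uc->uc_mcontext, &fault_context, sizeof(fault_context));`, while the Linux branch copies only `gregs`. On FreeBSD that also overwrites bookkeeping such as `mc_onstack`, `mc_len` and the FPU save area with whatever state_handler captured, and sigreturn validates the context it receives, so a `fault_context` that was never filled in would presumably make the handler return fail instead of resuming; its initialisation and the rest of fault_handler are outside this hunk. A comment stating that dependency, e.g. `/* FreeBSD: full mcontext restored; requires a prior state_handler capture */`, or copying only the register fields would make this safer. The `#else` arms also treat every non-Linux system as FreeBSD; `#elif defined(__FreeBSD__)` with a final `#else` / `#error "unsupported OS"` would fail cleanly at compile time. The mmap failure message still says root is required even though pkg-message.in attributes page-zero mapping on FreeBSD to `security.bsd.map_at_zero`; printing `strerror(errno)` instead of the bare `%i` would make the cause readable.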
>@@ -0,0 +1,25 @@
>+--- sifter.py.orig 2017-08-01 03:34:37.224624000 +0300
>++++ sifter.py 2017-08-01 03:35:34.961522000 +0300
>+@@ -30,7 +30,7 @@
>+ INJECTOR = "./injector"
>+ arch = ""
>+
>+-OUTPUT = "./data/"
>++OUTPUT = "~/.sandsifter/"
>+ LOG = OUTPUT + "log"
>+ SYNC = OUTPUT + "sync"
>+ TICK = OUTPUT + "tick"
>+@@ -679,9 +679,10 @@
>+ time.sleep(self.TIME_SLICE)
>+
>+ def get_cpu_info():
>+- with open("/proc/cpuinfo", "r") as f:
>+- cpu = [l.strip() for l in f.readlines()[:7]]
>+- return cpu
>++ #with open("/proc/cpuinfo", "r") as f:
>++ # cpu = [l.strip() for l in f.readlines()[:7]]
>++ #return cpu
>++ return "01234567"
>+
>+ def dump_artifacts(r, injector, command_line):
>+ global arch
>Index: security/sandsifter/files/pkg-message.in
>===================================================================
>--- security/sandsifter/files/pkg-message.in (nonexistent)
>+++ security/sandsifter/files/pkg-message.in (working copy)
>@@ -0,0 +1,8 @@
>+
>+Attention
>+
>+Before use this tool You should set:
>+
>+sysctl security.bsd.map_at_zero=1
>+
>+
>Index: security/sandsifter/pkg-descr
>===================================================================
>--- security/sandsifter/pkg-descr (nonexistent)
>+++ security/sandsifter/pkg-descr (working copy)
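Review bot: `OUTPUT = "~/.sandsifter/"` will not reach the home directory, because Python's `open()` does not expand `~`; `LOG`, `SYNC` and `TICK` end up under a directory literally named `~` relative to the working directory. Use `OUTPUT = os.path.expanduser("~/.sandsifter/")` (assuming `os` is imported in sifter.py, which this hunk does not show) and create the directory before first use. Because pkg-descr runs the tool through `sudo`, the resolved home and the ownership of the log files depend on how sudo sets `HOME`, and pkg-descr still points users at `./summarize.py data/log`. `get_cpu_info()` now returns the placeholder string `"01234567"` where the original returned a list of lines, so callers that iterate over it will see single characters and saved results presumably no longer identify the CPU under test; on FreeBSD the model string is available from `sysctl -n hw.model`.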
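Review bot: The message tells users to set `security.bsd.map_at_zero=1` without saying what it changes: that sysctl permits processes to map page zero, which removes a system-wide mitigation against kernel NULL-pointer dereference bugs. Going by the injector.c patch, the page-zero `mmap` appears to be attempted only on the null-access path, so the text could say the setting is needed only for that mode and should be restored afterwards, for example `Only needed for null-access tests; run "sysctl security.bsd.map_at_zero=0" when finished.` The sentence "Before use this tool You should set" would also read better as "Before using this tool, set".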
>@@ -0,0 +1,31 @@
>+s a n d s i f t e r
>+
>+: the x86 processor fuzzer
>+Overview
>+
>+The sandsifter audits x86 processors for hidden instructions and
>+hardware bugs, by systematically generating machine code to search
>+through a processor's instruction set, and monitoring execution for
>+anomalies. Sandsifter has uncovered secret processor instructions from
>+every major vendor; ubiquitous software bugs in disassemblers,
>+assemblers, and emulators; flaws in enterprise hypervisors; and both
>+benign and security-critical hardware bugs in x86 chips.
>+
>+With the multitude of x86 processors in existence, the goal of the tool
>+is to enable users to check their own systems for hidden instructions
>+and bugs.
>+
>+To run a basic audit against your processor:
>+
>+sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t
>+
>+The computer is systematically scanned for anomalous instructions.
>+In the upper half, you can view the instructions that the sandsifter
>+is currently testing on the processor. In the bottom half, the
>+sandsifter reports anomalies it finds.
>+
>+The search will take from a few hours to a few days, depending on the
>+speed of and complexity of your processor. When it is complete,
>+summarize the results:
>+
>+./summarize.py data/log