# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# security/sandsifter/
# security/sandsifter/pkg-plist
# security/sandsifter/files
# security/sandsifter/files/patch-injector.c
# security/sandsifter/files/patch-Makefile
# security/sandsifter/files/pkg-message.in
# security/sandsifter/files/patch-sifter.py
# security/sandsifter/distinfo
# security/sandsifter/Makefile
# security/sandsifter/pkg-descr
#
echo c - security/sandsifter/
mkdir -p security/sandsifter/ > /dev/null 2>&1
echo x - security/sandsifter/pkg-plist
sed 's/^X//' >security/sandsifter/pkg-plist << 'd9dbe2783fe7d092b537ce28ef038ed3'
Xbin/injector
Xbin/sifter
Xbin/summarize
X%%PORTDOCS%%%%DOCSDIR%%/README.md
X%%PORTDOCS%%%%DOCSDIR%%/domas_breaking_the_x86_isa.pdf
X%%PORTDOCS%%%%DOCSDIR%%/domas_breaking_the_x86_isa_wp.pdf
X%%PORTDOCS%%%%DOCSDIR%%/sandsifter.gif
X%%PORTDOCS%%%%DOCSDIR%%/screenshot.png
X%%PORTDOCS%%%%DOCSDIR%%/summarizer.png
X%%DATADIR%%/gui/__init__.py
X%%DATADIR%%/gui/gui.py
X%%DATADIR%%/pyutil/__init__.py
X%%DATADIR%%/pyutil/colors.py
X%%DATADIR%%/pyutil/progress.py
X%%DATADIR%%/sifter.py
X%%DATADIR%%/summarize.py
d9dbe2783fe7d092b537ce28ef038ed3
echo c - security/sandsifter/files
mkdir -p security/sandsifter/files > /dev/null 2>&1
echo x - security/sandsifter/files/patch-injector.c
sed 's/^X//' >security/sandsifter/files/patch-injector.c << '1168543107b696442b9afaf7d275c545'
X--- injector.c.orig 2017-07-27 19:17:30 UTC
X+++ injector.c
X@@ -77,10 +77,24 @@ cs_insn *capstone_insn;
X
X /* 32 vs 64 */
X
X-#if __x86_64__
X- #define IP REG_RIP
X+#ifdef __linux__
X+# define PAGE_SIZE 4096
X+# define EFL gregs[REG_EFL]
X+# if __x86_64__
X+# define IP gregs[REG_RIP]
X+# else
X+# define IP gregs[REG_EIP]
X+# endif
X #else
X- #define IP REG_EIP
X+# include
X+ typedef cpuset_t cpu_set_t;
X+# if __x86_64__
X+# define IP mc_rip
X+# define EFL mc_rflags
X+# else
X+# define IP mc_eip
X+# define EFL mc_eflags
X+# endif
X #endif
X
X /* leave state as 0 */
X@@ -155,7 +169,6 @@ state_t inject_state={
X /* x86/64 */
X
X #define UD2_SIZE 2
X-#define PAGE_SIZE 4096
X #define TF 0x100
X
X /* injection */
X@@ -850,7 +863,7 @@ void inject(int insn_size)
X void state_handler(int signum, siginfo_t* si, void* p)
X {
X fault_context=((ucontext_t*)p)->uc_mcontext;
X- ((ucontext_t*)p)->uc_mcontext.gregs[IP]+=UD2_SIZE;
X+ ((ucontext_t*)p)->uc_mcontext.IP+=UD2_SIZE;
X }
X
X void fault_handler(int signum, siginfo_t* si, void* p)
X@@ -863,7 +876,7 @@ void fault_handler(int signum, siginfo_t* si, void* p)
X
X /* make an initial estimate on the instruction length from the fault address */
X insn_length=
X- (uintptr_t)uc->uc_mcontext.gregs[IP]-(uintptr_t)packet-preamble_length;
X+ (uintptr_t)uc->uc_mcontext.IP-(uintptr_t)packet-preamble_length;
X
X if (insn_length<0) {
X insn_length=JMP_LENGTH;
X@@ -880,9 +893,13 @@ void fault_handler(int signum, siginfo_t* si, void* p)
X (signum==SIGSEGV||signum==SIGBUS)?(uint32_t)(uintptr_t)si->si_addr:(uint32_t)-1
X };
X
X+#ifdef __linux__
X memcpy(uc->uc_mcontext.gregs, fault_context.gregs, sizeof(fault_context.gregs));
X- uc->uc_mcontext.gregs[IP]=(uintptr_t)&resume;
X- uc->uc_mcontext.gregs[REG_EFL]&=~TF;
X+#else
X+ memcpy(&uc->uc_mcontext, &fault_context, sizeof(fault_context));
X+#endif
X+ uc->uc_mcontext.IP=(uintptr_t)&resume;
X+ uc->uc_mcontext.EFL&=~TF;
X }
X
X void configure_sig_handler(void (*handler)(int, siginfo_t*, void*))
X@@ -1341,7 +1358,13 @@ void pin_core(void)
X cpu_set_t mask;
X CPU_ZERO(&mask);
X CPU_SET(config.core,&mask);
X- if (sched_setaffinity(0, sizeof(mask), &mask)) {
X+#ifdef __linux__
X+ if (sched_setaffinity(0, sizeof(mask), &mask))
X+#else
X+ if (cpuset_setaffinity(CPU_LEVEL_WHICH, CPU_WHICH_PID,
X+ -1, sizeof(mask), &mask))
X+#endif
X+ {
X printf("error: failed to set cpu\n");
X exit(1);
X }
X@@ -1439,7
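Review bot: The `#else` branch of the new platform block at the top of injector.c (hunk at -77) treats every non-Linux system as FreeBSD: it typedefs `cpuset_t` and maps `IP`/`EFL` to FreeBSD-style `mc_rip`/`mc_rflags` members, so any other platform fails with a compile error that does not say why. Making the condition explicit, `#elif defined(__FreeBSD__)` followed by `#else` and `#error "unsupported OS"`, documents the supported targets. The header name after `# include` is not visible on this page (it looks lost in extraction), and `PAGE_SIZE` is now defined only in the Linux branch, so the FreeBSD build presumably takes it from a system header; a one-line comment naming that header would help the next porter.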
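Review bot: In fault_handler the two branches of the new `#ifdef __linux__` do not restore the same state: the Linux path copies only `gregs`, while the `#else` path overwrites the whole `uc_mcontext` with the snapshot taken earlier in state_handler. On FreeBSD that structure presumably also carries floating-point state and length/flag fields, so the signal return then resumes with all of them taken from the earlier snapshot. If that is intended, say so above the memcpy, e.g. `/* FreeBSD: mcontext_t has no gregs array; restore the full saved context */`; if only the general registers should be rolled back, the copy needs to be narrowed. The function starts outside this hunk.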
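Review bot: `CPU_SET(config.core,&mask)` in pin_core is reached without a range check on `config.core`, and this hunk adds a second affinity call that consumes the same mask. Where `config.core` comes from is not visible here; if it is taken from the command line, an index outside `0..CPU_SETSIZE-1` may touch memory outside `mask` on platforms whose `CPU_SET` does not bounds-check, so a guard such as `if (config.core<0 || config.core>=CPU_SETSIZE) { printf("error: invalid core\n"); exit(1); }` before `CPU_SET` is worth adding. The two calls also differ in scope, since `sched_setaffinity(0, ...)` pins the calling thread while `CPU_WHICH_PID` with id -1 pins the whole current process, which deserves a short comment. pin_core begins above the hunk.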
+1462,7 @@ int main(int argc, char** argv)
X null_p=mmap(0, PAGE_SIZE, PROT_READ|PROT_WRITE,
X MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
X if (null_p==MAP_FAILED) {
X- printf("null access requires running as root\n");
X+ printf("null access requires running as root, %i\n", errno);
X exit(1);
X }
X }
1168543107b696442b9afaf7d275c545
echo x - security/sandsifter/files/patch-Makefile
sed 's/^X//' >security/sandsifter/files/patch-Makefile << 'f056f4586c3dd2d6dc3a9d1874555749'
X--- Makefile.orig 2017-07-27 19:17:30 UTC
X+++ Makefile
X@@ -32,7 +32,7 @@
X all: injector
X
X injector: injector.o
X- $(CC) $(CFLAGS) $< -O3 -Wall -l:libcapstone.a -o $@ -pthread
X+ $(CC) $(CFLAGS) $(LIBS) $(LDFLAGS) $< -Wall -l:libcapstone.a -o $@ -pthread
X
X %.o: %.c
X $(CC) $(CFLAGS) -c $< -o $@ -Wall
f056f4586c3dd2d6dc3a9d1874555749
echo x - security/sandsifter/files/pkg-message.in
sed 's/^X//' >security/sandsifter/files/pkg-message.in << '74b53304807b6ca027952891ccf0830a'
X
XAttention
X
XBefore use this tool You should set:
X
Xsysctl security.bsd.map_at_zero=1
X
X
74b53304807b6ca027952891ccf0830a
echo x - security/sandsifter/files/patch-sifter.py
sed 's/^X//' >security/sandsifter/files/patch-sifter.py << '530291b84bed0380790b321a4b628262'
X--- sifter.py.orig 2017-09-19 16:25:44 UTC
X+++ sifter.py
X@@ -27,10 +27,10 @@ import code
X import copy
X from ctypes import *
X
X-INJECTOR = "./injector"
X+INJECTOR = "injector"
X arch = ""
X
X-OUTPUT = "./data/"
X+OUTPUT = os.getenv("HOME") + "/.sandsifter/"
X LOG = OUTPUT + "log"
X SYNC = OUTPUT + "sync"
X TICK = OUTPUT + "tick"
X@@ -679,9 +679,7 @@ class Gui:
X time.sleep(self.TIME_SLICE)
X
X def get_cpu_info():
X- with open("/proc/cpuinfo", "r") as f:
X- cpu = [l.strip() for l in f.readlines()[:7]]
X- return cpu
X+ return "01234567"
X
X def dump_artifacts(r, injector, command_line):
X global arch
X@@ -808,9 +806,16 @@ def main():
X if not os.path.exists(OUTPUT):
X os.makedirs(OUTPUT)
X
X+ real_injector, errors = \
X+ subprocess.Popen(
X+
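Review bot: The message printed in main when the page-zero mapping fails still says it "requires running as root", but on FreeBSD the controlling setting appears to be the `security.bsd.map_at_zero` sysctl that this port's pkg-message asks the user to enable, so the hint points at the wrong cause, and a bare errno number is hard to read. Suggest `printf("cannot map page zero: %s (on FreeBSD check security.bsd.map_at_zero)\n", strerror(errno));`, and confirm that <errno.h> and <string.h> are included, which this hunk does not show. Because that sysctl is system-wide and relaxes the kernel's protection against NULL-pointer dereference bugs for every process, the message or pkg-message should also tell the user to set it back to 0 once the run is finished. main continues outside the hunk.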
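Review bot: `$(LIBS)` sits before the object file `$<` on the new link line, so a static library that a packager puts in LIBS is scanned before injector.o's undefined symbols are known and will not resolve them. The conventional order is flags, objects, then libraries: `$(CC) $(CFLAGS) $(LDFLAGS) $< -Wall -l:libcapstone.a $(LIBS) -o $@ -pthread`. Taking optimisation from the caller's CFLAGS/LDFLAGS instead of a hard-coded `-O3` is the right direction, since it lets the ports framework apply its own optimisation and hardening flags.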
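Review bot: `INJECTOR = "injector"` makes the binary that gets launched depend on whatever PATH holds at run time, and this tool appears to be meant to run with elevated privileges (the injector's own failure message mentions root), so a writable or unexpected PATH entry decides what runs. Since the port installs the binary to a known location, the patch should pin the absolute path, for example by substituting the install prefix at build time (`INJECTOR = "<PREFIX>/bin/injector"`, placeholder). `os.getenv("HOME")` returns None when HOME is unset, so the concatenation raises TypeError at import; `OUTPUT = os.path.join(os.path.expanduser("~"), ".sandsifter", "")` avoids that. Under sudo the directory may also end up root-owned inside the invoking user's home, which is worth a line in pkg-message.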
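Review bot: get_cpu_info now returns the fixed string "01234567" where it used to return a list of the first seven /proc/cpuinfo lines, so anything that indexes or iterates the result gets single digits and every log or artifact records a meaningless CPU identity. For a tool whose findings only make sense per processor model, that leaves results from different machines indistinguishable. Callers are outside this hunk, so the exact shape they need cannot be confirmed here; on FreeBSD the model string is available from `sysctl -n hw.model`, which could be returned in a list padded to the length callers expect. At minimum add a comment such as `# FreeBSD: no /proc/cpuinfo; placeholder keeps callers that index the result working`.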
['which', INJECTOR],
X+ stdout=subprocess.PIPE,
X+ stderr=subprocess.PIPE
X+ ).communicate()
X+ real_injector = real_injector.replace('\n', '') # strip newline from shell output
X injector_bitness, errors = \
X subprocess.Popen(
X- ['file', INJECTOR],
X+ ['file', real_injector],
X stdout=subprocess.PIPE,
X stderr=subprocess.PIPE
X ).communicate()
530291b84bed0380790b321a4b628262
echo x - security/sandsifter/distinfo
sed 's/^X//' >security/sandsifter/distinfo << 'fadf11d6fede041a00e99201a90d6c0b'
XTIMESTAMP = 1501534237
XSHA256 (xoreaxeaxeax-sandsifter-0.1-dff63246fed84d90118441b8ba5b5d3bdd094427_GH0.tar.gz) = 010d662705bb67035e3d6b93a0fbe0bcf7ab2b5ba93e6eb977eb614c7dec3691
XSIZE (xoreaxeaxeax-sandsifter-0.1-dff63246fed84d90118441b8ba5b5d3bdd094427_GH0.tar.gz) = 5284438
XTIMESTAMP = 1505751266
XSHA256 (xoreaxeaxeax-sandsifter-0.1-dff63246fed84d90118441b8ba5b5d3bdd094427_GH0.tar.gz) = 010d662705bb67035e3d6b93a0fbe0bcf7ab2b5ba93e6eb977eb614c7dec3691
XSIZE (xoreaxeaxeax-sandsifter-0.1-dff63246fed84d90118441b8ba5b5d3bdd094427_GH0.tar.gz) = 5284438
fadf11d6fede041a00e99201a90d6c0b
echo x - security/sandsifter/Makefile
sed 's/^X//' >security/sandsifter/Makefile << '4682dec6c69ed45ddcab39947a65f5b8'
X# $FreeBSD$
X
XPORTNAME= sandsifter
XPORTVERSION= 0.1
XCATEGORIES= security
X
XMAINTAINER= rozhuk.im@gmail.com
XCOMMENT= Processor fuzzer for x86 CPUs
X
XBUILD_DEPENDS= ${LOCALBASE}/include/capstone/capstone.h:devel/capstone3
XRUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}capstone>0:devel/py-capstone
X
XUSES= gmake python localbase shebangfix
X
XUSE_GITHUB= yes
XGH_ACCOUNT= xoreaxeaxeax
XGH_TAGNAME= dff63246fed84d90118441b8ba5b5d3bdd094427
XSHEBANG_FILES= sifter.py summarize.py
X
XOPTIONS_DEFINE= DOCS
X
XPORTDOCS= references/*
X
Xdo-install:
X (cd ${WRKSRC} && ${COPYTREE_SHARE} gui ${STAGEDIR}${DATADIR})
X (cd ${WRKSRC} && ${COPYTREE_SHARE} pyutil ${STAGEDIR}${DATADIR})
X ${INSTALL_PROGRAM} ${WRKSRC}/injector ${STAGEDIR}${PREFIX}/bin
X ${INSTALL_SCRIPT} ${WRKSRC}/sifter.py
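Review bot: The added `which` lookup in main never checks whether the binary was found: its exit status and `errors` are discarded, so on failure `real_injector` is an empty string, `file` is run on it, and the bitness detection that follows works on an error message instead of stopping. The resolved path is also used only for `file`; if the injector is later started through `INJECTOR` (not visible in this hunk), the inspected and the executed binary come from two separate PATH lookups, so the resolved absolute path should be the one that is executed. A version that stops on a failed lookup is sketched below; the inline comment's "shell output" is inaccurate, since no shell is involved. main begins and continues outside the hunk.

```python
    # … unchanged: create OUTPUT if missing …
    which = subprocess.Popen(
            ['which', INJECTOR],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE
            )
    real_injector, errors = which.communicate()
    real_injector = real_injector.strip()  # drop the trailing newline
    if which.returncode != 0 or not real_injector:
        raise SystemExit("error: '%s' not found in PATH" % INJECTOR)
    # … unchanged: run `file` on real_injector to detect bitness …
```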
${STAGEDIR}${DATADIR}
X ${INSTALL_SCRIPT} ${WRKSRC}/summarize.py ${STAGEDIR}${DATADIR}
X ${RLN} ${STAGEDIR}${DATADIR}/sifter.py ${STAGEDIR}${PREFIX}/bin/sifter
X ${RLN} ${STAGEDIR}${DATADIR}/summarize.py ${STAGEDIR}${PREFIX}/bin/summarize
X ${MKDIR} ${STAGEDIR}${DOCSDIR}
X ${INSTALL_DATA} ${WRKSRC}/README.md ${STAGEDIR}${DOCSDIR}
X
Xpost-install-DOCS-on:
X ${INSTALL_DATA} ${WRKSRC}/references/* ${STAGEDIR}${DOCSDIR}
X
X.include
4682dec6c69ed45ddcab39947a65f5b8
echo x - security/sandsifter/pkg-descr
sed 's/^X//' >security/sandsifter/pkg-descr << '119de69cfc1a24ddbd2a90bec9b080f8'
XThe sandsifter audits x86 processors for hidden instructions and
Xhardware bugs, by systematically generating machine code to search
Xthrough a processor's instruction set, and monitoring execution for
Xanomalies. Sandsifter has uncovered secret processor instructions from
Xevery major vendor; ubiquitous software bugs in disassemblers,
Xassemblers, and emulators; flaws in enterprise hypervisors; and both
Xbenign and security-critical hardware bugs in x86 chips.
X
XWWW: https://github.com/xoreaxeaxeax/sandsifter
119de69cfc1a24ddbd2a90bec9b080f8
exit