On 28/06/19 11:33, Alexander Graf wrote:
> 
> 
> On 28.06.19 11:26, Sam Caccavale wrote:
>> Dear all,
>>
>> This series aims to provide an entrypoint for, and fuzz, KVM's x86
>> instruction emulator from userspace.  It mirrors Xen's application of the
>> AFL fuzzer to its instruction emulator in the hopes of discovering
>> vulnerabilities.  Since this entrypoint also allows arbitrary execution of
>> the emulator's code from userspace, it may also be useful for testing.
>>
>> The current 4 patches build the emulator and 2 harnesses: simple-harness
>> is an example of unit testing; afl-harness is a frontend for the AFL
>> fuzzer.  The fifth patch contains useful scripts for development but is
>> not intended for upstream consumption.
>>
>> Patches
>> =======
>>
>> - 01: Builds and links afl-harness with the required kernel objects.
>> - 02: Introduces the minimal set of emulator operations and supporting
>>   code to emulate simple instructions.
>> - 03: Demonstrates simple-harness as a unit test.
>> - 04: Adds scripts for install and building.
>> - 05: Useful scripts for development.
>>
>>
>> Issues
>> =======
>>
>> Currently, fuzzing results in a large amount of FPU related crashes.
>> Xen's fuzzing efforts had this issue too.  Their (temporary?) solution
>> was to disable FPU exceptions after every instruction iteration?  Some
>> solution is desired for this project.
>>
>>
>> Changelog
>> =======
>>
>> v1 -> v2:
>>   - Moved -O0 to ifdef DEBUG
>>   - Building with ASAN by default
>>   - Removed a number of macros from emulator_ops.c and moved them as
>>     static inline functions in emulator_ops.h
>>   - Accidentally changed the example in simple-harness (reverted in v3)
>>   - Introduced patch 4 for scripts
>>
>> v2 -> v3:
>>   - Removed a workaround for printf smashing the stack when compiled
>>     with -mcmodel=kernel, and stopped compiling with -mcmodel=kernel
>>   - Added a null check for malloc's return value
>>   - Moved more macros from emulator_ops.c into emulator_ops.h as
>>     static inline functions
>>   - Removed commented out code
>>   - Moved changes to emulator_ops.h into the first patch
>>   - Moved addition of afl-many script to the script patch
>>   - Fixed spelling mistakes in documentation
>>   - Reverted the simple-harness example back to the more useful
>>     original one
>>   - Moved non-essential development scripts from patch 4 to new patch 5
>>
>> v3 -> v4:
>>   - Stubbed out all unimplemented emulator_ops with an unimplemented_op
>>     macro
>>   - Setting FAIL_ON_UNIMPLEMENTED_OP on compile decides whether calling
>>     these is treated as a crash or ignored
>>   - Moved setting up core dumps out of the default build/install path and
>>     detailed this change in the README
>>   - Added a .sh extension to afl-many
>>   - Added an optional timeout to afl-many.sh and made deploy_remote.sh
>>     use it
>>   - Building no longer creates a new .config each time and does not
>>     force any config options
>>   - Fixed a path bug in afl-many.sh
>>
>> Any comments/suggestions are greatly appreciated.
>>
>> Best,
>> Sam Caccavale
>>
>> Sam Caccavale (5):
>>    Build target for emulate.o as a userspace binary
>>    Emulate simple x86 instructions in userspace
>>    Demonstrating unit testing via simple-harness
>>    Added build and install scripts
>>    Development scripts for crash triage and deploy
>>
>>   tools/Makefile                                |   9 +
>>   tools/fuzz/x86ie/.gitignore                   |   2 +
>>   tools/fuzz/x86ie/Makefile                     |  54 ++
>>   tools/fuzz/x86ie/README.md                    |  21 +
>>   tools/fuzz/x86ie/afl-harness.c                | 151 +++++
>>   tools/fuzz/x86ie/common.h                     |  87 +++
>>   tools/fuzz/x86ie/emulator_ops.c               | 590 ++++++++++++++++++
>>   tools/fuzz/x86ie/emulator_ops.h               | 134 ++++
>>   tools/fuzz/x86ie/scripts/afl-many.sh          |  31 +
>>   tools/fuzz/x86ie/scripts/bin.sh               |  49 ++
>>   tools/fuzz/x86ie/scripts/build.sh             |  34 +
>>   tools/fuzz/x86ie/scripts/coalesce.sh          |   5 +
>>   tools/fuzz/x86ie/scripts/deploy.sh            |   9 +
>>   tools/fuzz/x86ie/scripts/deploy_remote.sh     |  10 +
>>   tools/fuzz/x86ie/scripts/gen_output.sh        |  11 +
>>   tools/fuzz/x86ie/scripts/install_afl.sh       |  15 +
>>   .../fuzz/x86ie/scripts/install_deps_ubuntu.sh |   5 +
>>   tools/fuzz/x86ie/scripts/rebuild.sh           |   6 +
>>   tools/fuzz/x86ie/scripts/run.sh               |  10 +
>>   tools/fuzz/x86ie/scripts/summarize.sh         |   9 +
>>   tools/fuzz/x86ie/simple-harness.c             |  49 ++
>>   tools/fuzz/x86ie/stubs.c                      |  59 ++
>>   tools/fuzz/x86ie/stubs.h                      |  52 ++
> 
> Sorry I didn't realize it before. Isn't that missing a patch to the
> MAINTAINERS file?

Yeah, and the directory should probably be tools/fuzz/kvm_emulate so as
not to puzzle people.  Also:

- let's limit the scripts to the minimum, i.e. only the run script which
should be something like

#!/bin/bash
# SPDX-License-Identifier: GPL-2.0+

FUZZDIR="${FUZZDIR:-$(pwd)/fuzz}"

mkdir -p "$FUZZDIR/in"
cp tools/fuzz/kvm_emulate/rand_sample.bin "$FUZZDIR/in"
mkdir -p "$FUZZDIR/out"

# Forward an optional TIMEOUT through env (a VAR=value word produced by
# expansion would otherwise be run as a command name); AFL_FUZZ selects
# the fuzzer binary and "$@" passes extra options through to it.
${TIMEOUT:+env TIMEOUT=$TIMEOUT} ${AFL_FUZZ-afl-fuzz} "$@" \
  -i "$FUZZDIR/in" -o "$FUZZDIR/out" tools/fuzz/kvm_emulate/afl-harness @@

where people can substitute afl-many.sh or add their own options using
the AFL_FUZZ variable or the command line.  Likewise for screen.

- the build should be just "make -C tools/fuzz/kvm_emulate" and it
should just work.  Feel free to steal the Makefile magic from other
tools/ directories.

- finally, rand_sample.bin is missing.

Otherwise, it looks very nice.

Paolo
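An added example, not part of this thread or of the patch series: a wrapper around the run script sketched above that refuses to start AFL when the seed corpus is missing (the rand_sample.bin point raised above) and can print the command it would run instead of executing it. The tools/fuzz/kvm_emulate paths are the ones proposed in the mail; the function names and the KVM_EMULATE_DIR and DRY_RUN variables are assumptions.

```shell
#!/bin/bash
# Example wrapper (not from the series or the mail).  Assumed names:
# compose_fuzz_cmd, prepare_corpus, run_fuzz, KVM_EMULATE_DIR, DRY_RUN.

# Print the afl-fuzz command line selected by the environment.  A TIMEOUT
# is forwarded through 'env' because a VAR=value word produced by expansion
# is run as a command name, not treated as an assignment.
compose_fuzz_cmd() {
    local fuzzdir="$1" harness="$2"
    shift 2                                  # remaining args: fuzzer options
    local prefix=""
    [ -n "${TIMEOUT:-}" ] && prefix="env TIMEOUT=$TIMEOUT "
    echo "${prefix}${AFL_FUZZ:-afl-fuzz}${*:+ $*} -i $fuzzdir/in -o $fuzzdir/out $harness @@"
}

# Create the in/out corpus directories and install the seed.  Returns 1 when
# the seed is absent rather than letting AFL start on an empty corpus.
prepare_corpus() {
    local fuzzdir="$1" seed="$2"
    if [ ! -f "$seed" ]; then
        echo "seed file $seed is missing" >&2
        return 1
    fi
    mkdir -p "$fuzzdir/in" "$fuzzdir/out" && cp "$seed" "$fuzzdir/in/"
}

# Entry point: extra arguments are passed to the fuzzer; with DRY_RUN set
# the composed command is printed instead of executed.
run_fuzz() {
    local fuzzdir="${FUZZDIR:-$(pwd)/fuzz}"
    local tree="${KVM_EMULATE_DIR:-tools/fuzz/kvm_emulate}"
    prepare_corpus "$fuzzdir" "$tree/rand_sample.bin" || return 1
    local cmd
    cmd=$(compose_fuzz_cmd "$fuzzdir" "$tree/afl-harness" "$@")
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$cmd"
    else
        $cmd        # word-split on purpose; paths without spaces assumed
    fi
}
```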
