On 7/15/24 01:09, Simon Hamelin wrote:
Hello Pierrick,

Could you share a bit more information on the final goal, if possible?
Is that used for fuzzing binaries, security analysis, or other things?

I'm currently using this plugin for security analysis purposes.
Basically my goal is to simulate fault injection using QEMU. To do so
I'm using this plugin along with another plugin that skips an
instruction at a given address. With this plugin I'm able to see how the
program reacts to the fault and stop it with a custom return code.
Basically there are 4 cases:
     - The fault does not disrupt the program and it reaches the expected
address.
     - The fault disrupts the program and it reaches an unexpected address
known as the "target" address.
     - The fault disrupts the program in such a way that it executes a lot
of instructions without reaching the expected address; this situation is
known as a "timeout".
     - The fault crashes the guest, causing it to reach an error handler
address.


Thanks for sharing this, it's an interesting use case.

How did you implement instruction skipping?
Is that based on current API, or do you have a QEMU fork?

In short, here's a command line that illustrates how I use the plugin:

$ qemu-system-aarch64 $(QEMU_ARGS) -plugin
./contrib/plugins/libstoptrigger.so,icount=timeout_count,addr=expected_addr:0,addr=error_handler_addr:1,addr=target_addr:2
-d plugin

--
Simon Hamelin
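The workflow described in this thread (skip one instruction, let the guest run, and read the outcome back from the stoptrigger exit code) is naturally driven by a small campaign script. The following is an added example written for this page, not code from the QEMU tree or from either poster. It assumes the stoptrigger argument syntax `icount=N[:code]` and one `addr=ADDR[:code]` per address, gives the timeout its own exit code (3) so that it cannot be confused with the "expected" outcome, and uses a hypothetical instruction-skip plugin `libskip.so` that takes an `addr=` argument; all addresses and paths below are constructed placeholders.

```python
"""Fault-injection campaign driver around QEMU's stoptrigger plugin (added example)."""
import subprocess
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Exit codes handed to stoptrigger. The mapping is an assumption made for this
# example; it only matters that each outcome gets a distinct code.
EXIT_EXPECTED = 0        # the fault had no effect, expected address reached
EXIT_ERROR_HANDLER = 1   # the guest crashed into its error handler
EXIT_TARGET = 2          # the fault diverted execution to the "target" address
EXIT_TIMEOUT = 3         # icount limit hit without reaching any of the above

OUTCOMES = {
    EXIT_EXPECTED: "expected",
    EXIT_ERROR_HANDLER: "error_handler",
    EXIT_TARGET: "target",
    EXIT_TIMEOUT: "timeout",
}


@dataclass
class Campaign:
    qemu: str                       # e.g. "qemu-system-aarch64"
    qemu_args: List[str]            # machine/kernel/... options for the guest
    stoptrigger: str                # path to libstoptrigger.so
    skip_plugin: str                # hypothetical instruction-skip plugin
    expected_addr: int
    error_handler_addr: int
    target_addr: int
    timeout_icount: int             # instruction budget before "timeout"
    extra: List[str] = field(default_factory=list)


def stoptrigger_arg(c: Campaign) -> str:
    """Build the -plugin argument for stoptrigger (assumed syntax, see lead-in)."""
    return ",".join([
        c.stoptrigger,
        f"icount={c.timeout_icount}:{EXIT_TIMEOUT}",
        f"addr={c.expected_addr:#x}:{EXIT_EXPECTED}",
        f"addr={c.error_handler_addr:#x}:{EXIT_ERROR_HANDLER}",
        f"addr={c.target_addr:#x}:{EXIT_TARGET}",
    ])


def build_command(c: Campaign, skip_addr: int) -> List[str]:
    """Full argv for one run that skips the instruction at skip_addr."""
    return [
        c.qemu, *c.qemu_args,
        "-plugin", stoptrigger_arg(c),
        "-plugin", f"{c.skip_plugin},addr={skip_addr:#x}",  # hypothetical plugin
        "-d", "plugin",
        *c.extra,
    ]


def classify(returncode: int) -> str:
    """Map QEMU's return code back to the outcome that stoptrigger encoded."""
    return OUTCOMES.get(returncode, f"unknown({returncode})")


def run_campaign(c: Campaign, skip_addrs: List[int],
                 runner: Optional[Callable[[List[str]], int]] = None) -> Dict[int, str]:
    """Run one QEMU instance per candidate skip address and classify each result.

    `runner` receives the argv and returns the process exit code; it defaults to
    subprocess so the function is injectable for offline testing.
    """
    if runner is None:
        runner = lambda argv: subprocess.run(argv).returncode
    return {addr: classify(runner(build_command(c, addr))) for addr in skip_addrs}


def summarize(results: Dict[int, str]) -> Dict[str, int]:
    """Count how many skipped instructions led to each outcome."""
    counts: Dict[str, int] = {}
    for outcome in results.values():
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed placeholder values; a real campaign would take the address
    # range from the binary under test.
    camp = Campaign("qemu-system-aarch64", ["-M", "virt", "-nographic"],
                    "./contrib/plugins/libstoptrigger.so", "./libskip.so",
                    expected_addr=0x4000_0100, error_handler_addr=0x4000_0200,
                    target_addr=0x4000_0180, timeout_icount=1_000_000)
    for addr, outcome in run_campaign(camp, range(0x4000_0000, 0x4000_0010, 4)).items():
        print(f"skip {addr:#x}: {outcome}")
```

The result of a campaign is the set of skip addresses that produce "target" (exploitable divergence) or "timeout" (hang), which is what a hardening review of the guest code cares about; everything else is handled by the guest's own error path or is a no-op fault.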
