GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → rigred → sandsifter

rigred / sandsifter

Licence: BSD-3-Clause License
The x86 processor fuzzer

Programming Languages

python
139335 projects - #7 most used programming language
c
50402 projects - #5 most used programming language
Makefile
30231 projects
shell
77523 projects

Labels

x86fuzzing

Projects that are alternatives of or similar to sandsifter

Baresifter
A bare-metal x86 instruction set fuzzer a la Sandsifter
Stars: ✭ 33 (+57.14%)
Mutual labels:  x86, fuzzing
fadec
A fast and lightweight decoder for x86 and x86-64 and encoder for x86-64.
Stars: ✭ 44 (+109.52%)
Mutual labels:  x86
x86-Assembly-Reverse-Engineering
🛠 Knowledge about the topic of x86 assembly & disassembly 🛠
Stars: ✭ 27 (+28.57%)
Mutual labels:  x86
AEGPaper
Automatic Exploit Generation Paper
Stars: ✭ 30 (+42.86%)
Mutual labels:  fuzzing
LuckyCAT
A distributed fuzzing management framework
Stars: ✭ 55 (+161.9%)
Mutual labels:  fuzzing
x86-csv
A machine-readable representation of the Intel x86 Instruction Set Reference.
Stars: ✭ 20 (-4.76%)
Mutual labels:  x86
microgp4
A multi-purpose extensible self-adaptive evolutionary tool
Stars: ✭ 21 (+0%)
Mutual labels:  fuzzing
katnip
Extension library for the Kitty fuzzing framework
Stars: ✭ 73 (+247.62%)
Mutual labels:  fuzzing
fuzza
Customizable TCP fuzzing tool to test for remote buffer overflows.
Stars: ✭ 29 (+38.1%)
Mutual labels:  fuzzing
ts-c99-compiler
ANSI C 16bit Compiler + NASM Assembler + Intel 8086 / 80186 + X87 emulator written entirely in TypeScript
Stars: ✭ 78 (+271.43%)
Mutual labels:  x86
evine
Interactive CLI Web Crawler
Stars: ✭ 140 (+566.67%)
Mutual labels:  fuzzing
xgadget
Fast, parallel, cross-variant ROP/JOP gadget search for x86/x64 binaries.
Stars: ✭ 33 (+57.14%)
Mutual labels:  x86
binary-decompilation
Extracting high level semantic information from binary code
Stars: ✭ 55 (+161.9%)
Mutual labels:  x86
ria-jit
Lightweight and performant dynamic binary translation for RISC–V code on x86–64
Stars: ✭ 38 (+80.95%)
Mutual labels:  x86
Assembly-Lib
A 16-bits x86 DOS Assembly library that provides many useful functions for developing programs. It has both VGA grapics functions as well as general purpose utilities. The main purpose of this library was to be able to implement simple DOS games (in Assembly) using VGA (320x200, 256 colors) display.
Stars: ✭ 36 (+71.43%)
Mutual labels:  x86
variorum
Tool for hardware-level feature control
Stars: ✭ 21 (+0%)
Mutual labels:  x86
TravorOS
A simple OS running on Intel x86 architecture | No longer updating
Stars: ✭ 24 (+14.29%)
Mutual labels:  x86
LanOS
one mini operating system simplified from linux0.12
Stars: ✭ 61 (+190.48%)
Mutual labels:  x86
emu
cybozu labs youth 7th
Stars: ✭ 50 (+138.1%)
Mutual labels:  x86
OpenWrt-Buildbot
Customized Pure OpenWrt & Self-Build OpenWrt Packages Project.
Stars: ✭ 305 (+1352.38%)
Mutual labels:  x86
View All Similar Projects ➔

s a n d s i f t e r

: the x86 processor fuzzer

Overview

The sandsifter audits x86 processors for hidden instructions and hardware bugs, by systematically generating machine code to search through a processor's instruction set, and monitoring execution for anomalies. Sandsifter has uncovered secret processor instructions from every major vendor; ubiquitous software bugs in disassemblers, assemblers, and emulators; flaws in enterprise hypervisors; and both benign and security-critical hardware bugs in x86 chips.

With the multitude of x86 processors in existence, the goal of the tool is to enable users to check their own systems for hidden instructions and bugs.

To run a basic audit against your processor:

sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

demo_sandsifter

The computer is systematically scanned for anomalous instructions. In the upper half, you can view the instructions that the sandsifter is currently testing on the processor. In the bottom half, the sandsifter reports anomalies it finds.

The search will take from a few hours to a few days, depending on the speed of and complexity of your processor. When it is complete, summarize the results:

./sifter-summarize.py log {log_file}

demo_summarizer

Typically, several million undocumented instructions on your processor will be found, but these generally fall into a small number of different groups. After binning the anomalies, the summarize tool attempts to assign each instruction to an issue category:

  • Software bug (for example, a bug in your hypervisor or disassembler),
  • Hardware bug (a bug in your CPU), or
  • Undocumented instruction (an instruction that exists in the processor, but is not acknowledged by the manufacturer)

Press 'Q' to quit and obtain a text based summary of the system scan:

The results of a scan can sometimes be difficult for the tools to automatically classify, and may require manual analysis. For help analyzing your results, feel free to send the ./data/log file to [email protected]. No personal information, other than the processor make, model, and revision (from /proc/cpuinfo) are included in this log.

Results

Scanning with the sandsifter has uncovered undocumented processor features across dozens of opcode categories, flaws in enterprise hypervisors, bugs in nearly every major disassembly and emulation tool, and critical hardware bugs opening security vulnerabilities in the processor itself.

Details of the results can be found in the project whitepaper.

(TODO: detailed results enumeration here)

Building

Sandsifter requires first installing the Capstone disassembler: http://www.capstone-engine.org/.
Capstone can typically be installed with:

sudo apt-get install libcapstone3 libcapstone-dev
sudo pip install capstone

Sandsifter can be built with:

make

and is then run with

sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

Flags

Flags are passed to the sifter with --flag, and to the injector with -- -f.

Example:

sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

Sifter flags:

--len
	search for length differences in all instructions (instructions that
	executed differently than the disassembler expected, or did not
	exist when the disassembler expected them to

--dis
	search for length differences in valid instructions (instructions that
	executed differently than the disassembler expected)

--unk
	search for unknown instructions (instructions that the disassembler doesn't
	know about but successfully execute)

--ill
	the inverse of --unk, search for invalid disassemblies (instructions that do
	not successfully execute but that the disassembler acknowledges)

--tick
	periodically write the current instruction to disk

--save
	save search progress on exit

--resume
	resume search from last saved state

--sync
	write search results to disk as they are found

--low-mem
	do not store results in memory

--out
    explicitly specify folder path to write sandsifter log files

Injector flags:

-b
	mode: brute force

-r
	mode: randomized fuzzing

-t
	mode: tunneled fuzzing

-d
	mode: externally directed fuzzing

-R
	raw output mode

-T
	text output mode

-x
	write periodic progress to stderr

-0
	allow null dereference (requires sudo)

-D
	allow duplicate prefixes

-N
	no nx bit support

-s seed
	in random search, seed value

-B brute_depth
	in brute search, maximum search depth

-P max_prefix
	maximum number of prefixes to search

-i instruction
	instruction at which to start search (inclusive)

-e instruction
	instruction at which to end search (exclusive)

-c core
	core on which to perform search

-X blacklist
	blacklist the specified instruction

-j jobs
	number of simultaneous jobs to run

-l range_bytes
	number of base instruction bytes in each sub range

Keys

m: Mode - change the search mode (brute force, random, or tunnel) for the sifter

q: Quit - exit the sifter

p: Pause - pause or unpause the search

Algorithms

The scanning supports four different search algorithms, which can be set at the command line, or cycled via hotkeys.

  • Random searching generates random instructions to test; it generally produces results quickly, but is unable to find complex hidden instructions and bugs.
  • Brute force searching tries instructions incrementally, up to a user-specified length; in almost all situations, it performs worse than random searching.
  • Driven or mutation driven searching is designed to create new, increasingly complex instructions through genetic algorithms; while promising, this approach was never fully realized, and is left as a stub for future research.
  • Tunneling is the approach described in the presentation and white paper, and in almost all cases provides the best trade-off between thoroughness and speed.

Tips

  • sudo

    For best results, the tool should be run as the root user. This is necessary so that the process can map into memory a page at address 0, which requires root permissions. This page prevents many instructions from seg-faulting on memory accesses, which allows a more accurate fault analysis.

  • Prefixes

    The primary limitation for the depth of an instruction search is the number of prefix bytes to explore, with each additional prefix byte increasing the search space by around a factor of 10. Limit prefix bytes with the -P flag.

  • Colors

    The interface for the sifter is designed for a 256 color terminal. While the details vary greatly depending on your terminal, this can roughly be accomplished with:

     export TERM='xterm-256color'

  • GUI

    The interface assumes the terminal is of at least a certain size; if the interface is not rendering properly, try increasing the terminal size; this can often be accomplished by decreasing the terminal font size.

    In some cases, it may be desirable or necessary to run the tool without the graphical front end. This can be done by running the injector directly:

     sudo ./sifter-injector -P1 -t -0

    To filter the results of a direct injector invocation, grep can be used. For example,

     sudo ./sifter-injector -P1 -r -0 | grep '\.r' | grep -v sigill

    searches for instructions for which the processor and disassembler disagreed on the instruction length (grep '.r'), but the instruction successfully executed (grep -v sigill).

  • Targeted fuzzing

    In many cases, it is valuable to direct the fuzzer to a specific target. For example, if you suspect that an emulator has flaws around repeated 'lock' prefixes (0xf0), you could direct the fuzzer to search this region of the instruction space with the -i and -e flags:

     sudo ./sifter.py --unk --dis --len --sync --tick -- -t -i f0f0 -e f0f1 -D -P15

  • Legacy systems

    For scanning much older systems (i586 class processors, low memory systems), pass the --low-mem flag to the sifter and the -N flag to the injector:

     sudo ./sifter.py --unk --dis --len --sync --tick --low-mem -- -P1 -t -N

    If you observe your scans completing too quickly (for example, a scan completes in seconds), it is typically because these flags are required for the processor you are scanning.

  • 32 vs. 64 bit

    By default, sandsifter is built to target the bitness of the host operating system. However, some instructions have different behaviors when run in a 32 bit process compared to when run in a 64 bit process. To explore these scenarios, it is sometimes valuable to run a 32 bit sandsifter on a 64 bit system.

    To build a 32 bit sandsifter on a 64 bit system, Capstone must be installed as 32 bit; the instructions for this can be found at http://www.capstone-engine.org/.

    Then sandsifter must be built for a 32 bit architecture:

     make CFLAGS=-m32

    With this, the 32 bit instruction space can be explored on a 64 bit system.

References

  • A discussion of the techniques and results can be found in the Black Hat presentation.
  • Technical details are described in the whitepaper.
  • Slides from the Black Hat presentation are here.

Author

sandsifter is a research effort from Christopher Domas (@xoreaxeaxeax).

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].