From: Sam Caccavale <samcacc@amazon.de>
To: unlisted-recipients:; (no To-header on input)
Cc: <samcaccavale@gmail.com>, <nmanthey@amazon.de>,
<wipawel@amazon.de>, <dwmw@amazon.co.uk>, <mpohlack@amazon.de>,
<graf@amazon.de>, <karahmed@amazon.de>,
<andrew.cooper3@citrix.com>, <JBeulich@suse.com>,
<pbonzini@redhat.com>, <rkrcmar@redhat.com>, <tglx@linutronix.de>,
<mingo@redhat.com>, <bp@alien8.de>, <hpa@zytor.com>,
<paullangton4@gmail.com>, <anirudhkaushik@google.com>,
<x86@kernel.org>, <kvm@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, Sam Caccavale <samcacc@amazon.de>
Subject: [v2, 0/4] x86 instruction emulator fuzzing
Date: Wed, 12 Jun 2019 17:35:56 +0200
Message-ID: <20190612153600.13073-1-samcacc@amazon.de>
Dear all,
This series aims to provide an entrypoint for, and fuzz KVM's x86 instruction
emulator from userspace. It mirrors Xen's application of the AFL fuzzer to
its instruction emulator in the hopes of discovering vulnerabilities.
Since this entrypoint also allows arbitrary execution of the emulators code
from userspace, it may also be useful for testing.
The current 4 patches build the emulator and 2 harnesses: simple-harness is
an example of unit testing; afl-harness is a frontend for the AFL fuzzer.
Patches
=======
- 01: Builds and links afl-harness with the required kernel objects.
- 02: Introduces the minimal set of emulator operations and supporting code
to emulate simple instructions.
- 03: Demonstrates simple-harness as a unit test.
- 04: Adds scripts for install, running, and crash triage.
Any comments/suggestions are greatly appreciated.
Best,
Sam Caccavale
Sam Caccavale (4):
Build target for emulate.o as a userspace binary
Emulate simple x86 instructions in userspace
Demonstrating unit testing via simple-harness
Added scripts for filtering, building, deploying
tools/Makefile | 9 +
tools/fuzz/x86ie/.gitignore | 2 +
tools/fuzz/x86ie/Makefile | 54 +++
tools/fuzz/x86ie/README.md | 12 +
tools/fuzz/x86ie/afl-harness.c | 151 +++++++
tools/fuzz/x86ie/common.h | 87 ++++
tools/fuzz/x86ie/emulator_ops.c | 398 ++++++++++++++++++
tools/fuzz/x86ie/emulator_ops.h | 120 ++++++
tools/fuzz/x86ie/scripts/afl-many | 28 ++
tools/fuzz/x86ie/scripts/bin.sh | 49 +++
tools/fuzz/x86ie/scripts/build.sh | 32 ++
tools/fuzz/x86ie/scripts/coalesce.sh | 6 +
tools/fuzz/x86ie/scripts/deploy.sh | 9 +
tools/fuzz/x86ie/scripts/deploy_remote.sh | 9 +
tools/fuzz/x86ie/scripts/gen_output.sh | 11 +
tools/fuzz/x86ie/scripts/install_afl.sh | 14 +
.../fuzz/x86ie/scripts/install_deps_ubuntu.sh | 5 +
tools/fuzz/x86ie/scripts/rebuild.sh | 6 +
tools/fuzz/x86ie/scripts/run.sh | 10 +
tools/fuzz/x86ie/scripts/summarize.sh | 9 +
tools/fuzz/x86ie/simple-harness.c | 42 ++
tools/fuzz/x86ie/stubs.c | 56 +++
tools/fuzz/x86ie/stubs.h | 52 +++
23 files changed, 1171 insertions(+)
create mode 100644 tools/fuzz/x86ie/.gitignore
create mode 100644 tools/fuzz/x86ie/Makefile
create mode 100644 tools/fuzz/x86ie/README.md
create mode 100644 tools/fuzz/x86ie/afl-harness.c
create mode 100644 tools/fuzz/x86ie/common.h
create mode 100644 tools/fuzz/x86ie/emulator_ops.c
create mode 100644 tools/fuzz/x86ie/emulator_ops.h
create mode 100755 tools/fuzz/x86ie/scripts/afl-many
create mode 100755 tools/fuzz/x86ie/scripts/bin.sh
create mode 100755 tools/fuzz/x86ie/scripts/build.sh
create mode 100755 tools/fuzz/x86ie/scripts/coalesce.sh
create mode 100644 tools/fuzz/x86ie/scripts/deploy.sh
create mode 100755 tools/fuzz/x86ie/scripts/deploy_remote.sh
create mode 100755 tools/fuzz/x86ie/scripts/gen_output.sh
create mode 100755 tools/fuzz/x86ie/scripts/install_afl.sh
create mode 100755 tools/fuzz/x86ie/scripts/install_deps_ubuntu.sh
create mode 100755 tools/fuzz/x86ie/scripts/rebuild.sh
create mode 100755 tools/fuzz/x86ie/scripts/run.sh
create mode 100755 tools/fuzz/x86ie/scripts/summarize.sh
create mode 100644 tools/fuzz/x86ie/simple-harness.c
create mode 100644 tools/fuzz/x86ie/stubs.c
create mode 100644 tools/fuzz/x86ie/stubs.h
--
2.17.1
Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Ralf Herbrich
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879
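As an added illustration of the two harness shapes the cover letter names (a file-driven AFL frontend and a simple-harness style unit test), the following C program is not part of this series and does not call KVM's emulator. It wraps a hypothetical five-opcode toy emulator (names such as emu_ctx, emulate and run_fuzz_input are this example's own) so that the harness structure is visible on its own: one input blob is parsed as initial register state followed by instruction bytes, every fetch is bounds-checked against the input length, and each failure mode maps to a distinct status code that a sanitizer or fuzzer can observe.

```c
/* Added example, not code from the KVM fuzzing series. The emulator here is
 * a deliberately tiny stand-in for arch/x86/kvm/emulate.c; only the harness
 * pattern (file -> register state + code bytes -> emulate -> status) is the
 * point. All opcodes, names and inputs below are constructed for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NREGS 8        /* eax, ecx, edx, ebx, esp, ebp, esi, edi */
#define MAX_STEPS 64   /* per-input instruction cap (matters once branches exist) */

enum emu_status { EMU_OK = 0, EMU_BAD_OPCODE, EMU_TRUNCATED,
                  EMU_STEP_LIMIT, EMU_SHORT_INPUT };

struct emu_ctx {
    uint32_t regs[NREGS];
    const uint8_t *code;   /* instruction bytes taken from the fuzz input */
    size_t code_len;
    size_t ip;             /* offset of the next byte to fetch */
};

/* Bounds-checked fetch: the one place an emulator must never trust its
 * caller's length. Fails instead of reading past the buffer. */
static int fetch_u8(struct emu_ctx *c, uint8_t *out)
{
    if (c->ip >= c->code_len) return -1;
    *out = c->code[c->ip++];
    return 0;
}

static int fetch_u32(struct emu_ctx *c, uint32_t *out)
{
    uint8_t b[4];
    for (int i = 0; i < 4; i++)
        if (fetch_u8(c, &b[i])) return -1;
    *out = (uint32_t)b[0] | (uint32_t)b[1] << 8 |
           (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return 0;
}

/* One instruction of the hypothetical subset:
 * 90 NOP | 40+r INC r32 | 48+r DEC r32 | B8+r MOV r32,imm32 | C3 RET (stop) */
static enum emu_status emu_step(struct emu_ctx *c, int *halted)
{
    uint8_t op;
    if (fetch_u8(c, &op)) return EMU_TRUNCATED;
    if (op == 0x90) return EMU_OK;
    if (op == 0xC3) { *halted = 1; return EMU_OK; }
    if (op >= 0x40 && op <= 0x47) { c->regs[op - 0x40]++; return EMU_OK; }
    if (op >= 0x48 && op <= 0x4F) { c->regs[op - 0x48]--; return EMU_OK; }
    if (op >= 0xB8 && op <= 0xBF) {
        uint32_t imm;
        if (fetch_u32(c, &imm)) return EMU_TRUNCATED;  /* imm32 cut short */
        c->regs[op - 0xB8] = imm;
        return EMU_OK;
    }
    return EMU_BAD_OPCODE;
}

/* Run until RET, end of code, an error, or the step cap. */
enum emu_status emulate(struct emu_ctx *c)
{
    int halted = 0, steps = 0;
    while (!halted && c->ip < c->code_len) {
        if (++steps > MAX_STEPS) return EMU_STEP_LIMIT;
        enum emu_status st = emu_step(c, &halted);
        if (st != EMU_OK) return st;
    }
    return EMU_OK;
}

/* AFL-style entry: interpret a raw blob as [regs[NREGS]][code bytes...]. */
enum emu_status run_fuzz_input(const uint8_t *buf, size_t len, struct emu_ctx *c)
{
    memset(c, 0, sizeof(*c));
    if (len < sizeof(c->regs)) return EMU_SHORT_INPUT;
    memcpy(c->regs, buf, sizeof(c->regs));
    c->code = buf + sizeof(c->regs);
    c->code_len = len - sizeof(c->regs);
    return emulate(c);
}

/* simple-harness style unit tests on constructed byte strings (1 = pass). */
int test_mov_inc_ret(void)
{
    static const uint8_t code[] = { 0xB8, 0x44, 0x33, 0x22, 0x11, 0x40, 0xC3 };
    struct emu_ctx c = { .code = code, .code_len = sizeof(code) };
    return emulate(&c) == EMU_OK && c.regs[0] == 0x11223345 && c.ip == sizeof(code);
}

int test_truncated_imm(void)
{
    static const uint8_t code[] = { 0xB9, 0x01, 0x02 };  /* MOV ECX, imm32, cut off */
    struct emu_ctx c = { .code = code, .code_len = sizeof(code) };
    return emulate(&c) == EMU_TRUNCATED;
}

int test_short_blob(void)
{
    struct emu_ctx c;
    return run_fuzz_input((const uint8_t *)"short", 5, &c) == EMU_SHORT_INPUT;
}

/* Fuzzer frontend: path of the test case in argv[1], as AFL supplies it. */
int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <input>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 2; }
    static uint8_t buf[4096];
    size_t n = fread(buf, 1, sizeof(buf), f);
    fclose(f);
    struct emu_ctx c;
    enum emu_status st = run_fuzz_input(buf, n, &c);
    printf("status=%d eax=%08x ecx=%08x ip=%zu\n", st, c.regs[0], c.regs[1], c.ip);
    return 0;
}
```

Built with an instrumenting compiler and a sanitizer, the same binary serves both roles: AFL drives main() with mutated files, while the test_* functions are the unit-test mode. Returning distinct statuses rather than silently stopping is what lets a triage script separate "unsupported opcode" from "read past the input", the class of bug a bounds-unaware fetch would turn into a memory-safety crash.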
Thread overview: 10+ messages
2019-06-12 15:35 Sam Caccavale [this message]
2019-06-12 15:35 ` [v2, 1/4] Build target for emulate.o as a userspace binary Sam Caccavale
2019-06-21 13:33 ` Alexander Graf
2019-06-12 15:35 ` [v2, 2/4] Emulate simple x86 instructions in userspace Sam Caccavale
2019-06-21 13:40 ` Alexander Graf
2019-06-12 15:35 ` [v2, 3/4] Demonstrating unit testing via simple-harness Sam Caccavale
2019-06-21 13:43 ` Alexander Graf
2019-06-12 15:36 ` [v2, 4/4] Added scripts for filtering, building, deploying Sam Caccavale
2019-06-21 13:50 ` Alexander Graf
2019-06-21 13:30 ` [v2, 0/4] x86 instruction emulator fuzzing Alexander Graf