├── source_codes ├── ub │ ├── zz_lkm │ │ ├── fail_cnt │ │ ├── sys.h │ │ ├── Makefile │ │ ├── stat.h │ │ ├── exe.h │ │ ├── debug.h │ │ ├── zz_lkm_main.c │ │ ├── error_handler.h │ │ ├── stat.c │ │ ├── sys.c │ │ └── exe.c │ ├── zz_daemon │ │ ├── asm │ │ │ ├── ij_table.txt │ │ │ ├── callee_table.txt │ │ │ ├── jit.o │ │ │ ├── jit.bin │ │ │ ├── asm_head.h │ │ │ └── wrapper.S │ │ ├── 0x7ffff7fa1abb │ │ │ └── asm │ │ │ │ ├── callee_table.txt │ │ │ │ ├── jit.o │ │ │ │ ├── ij_table.txt │ │ │ │ ├── jit.bin │ │ │ │ ├── asm_head.h │ │ │ │ └── wrapper.S │ │ ├── zz_daemon │ │ ├── 0x7ffff7de6487 │ │ │ └── asm │ │ │ │ ├── callee_table.txt │ │ │ │ ├── jit.o │ │ │ │ ├── ij_table.txt │ │ │ │ ├── jit.bin │ │ │ │ ├── asm_head.h │ │ │ │ └── wrapper.S │ │ ├── Makefile │ │ ├── 0x7ffff7df274e │ │ │ └── asm │ │ │ │ ├── jit.o │ │ │ │ ├── jit.bin │ │ │ │ ├── callee_table.txt │ │ │ │ ├── ij_table.txt │ │ │ │ ├── asm_head.h │ │ │ │ └── wrapper.S │ │ ├── 0x7ffff7fa1437 │ │ │ └── asm │ │ │ │ ├── jit.o │ │ │ │ ├── jit.bin │ │ │ │ ├── callee_table.txt │ │ │ │ ├── ij_table.txt │ │ │ │ ├── asm_head.h │ │ │ │ └── wrapper.S │ │ ├── exe.h │ │ └── main.c │ ├── zz_disassem │ │ ├── asm │ │ │ ├── jit.o │ │ │ ├── jit.bin │ │ │ ├── callee_table.txt │ │ │ ├── ij_table.txt │ │ │ ├── asm_head.h │ │ │ └── wrapper.S │ │ ├── translation.py │ │ ├── indirect_jump.py │ │ ├── memread.py │ │ ├── assist.py │ │ ├── special_inst.py │ │ ├── normal.py │ │ ├── disassem.py │ │ └── conflict.py │ └── start.sh ├── scripts │ ├── compile_kernel │ │ └── zz_compile.sh │ ├── nvme_mem_read │ │ └── test.sh │ ├── nginx │ │ └── test_nginx.sh │ └── redis │ │ └── test_redis.sh ├── apps │ ├── io_file │ │ ├── Makefile │ │ ├── syscall_read.c │ │ └── common.h │ ├── socket │ │ ├── udp │ │ │ ├── Makefile │ │ │ └── raw_socket_udp.c │ │ ├── bpf │ │ │ ├── wrapper.py │ │ │ ├── main.py │ │ │ └── udp_counter.c │ │ └── send_udp.c │ └── nginx │ │ ├── scgi_params │ │ ├── scgi_params.default │ │ ├── uwsgi_params │ │ ├── uwsgi_params.default │ │ ├── fastcgi_params │ │ ├── fastcgi_params.default │ │ ├── fastcgi.conf │ │ ├── fastcgi.conf.default │ │ ├── nginx.conf │ │ ├── koi-win │ │ ├── sites-enabled │ │ └── default │ │ ├── sites-available │ │ └── default │ │ ├── nginx.conf.default │ │ ├── koi-utf │ │ ├── win-utf │ │ ├── mime.types │ │ └── mime.types.default └── kernel_modify │ ├── linux-5.4.44.patch │ └── common.c └── Readme.md /source_codes/ub/zz_lkm/fail_cnt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/asm/ij_table.txt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/asm/callee_table.txt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7fa1abb/asm/callee_table.txt: -------------------------------------------------------------------------------- 1 | 0x55555556cd00 2 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/asm/jit.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/glarer/UserspaceBypass/HEAD/source_codes/ub/zz_daemon/asm/jit.o -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/zz_daemon: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/glarer/UserspaceBypass/HEAD/source_codes/ub/zz_daemon/zz_daemon -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/asm/jit.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/glarer/UserspaceBypass/HEAD/source_codes/ub/zz_daemon/asm/jit.bin -------------------------------------------------------------------------------- /source_codes/ub/zz_disassem/asm/jit.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/glarer/UserspaceBypass/HEAD/source_codes/ub/zz_disassem/asm/jit.o -------------------------------------------------------------------------------- /source_codes/ub/zz_lkm/sys.h: -------------------------------------------------------------------------------- 1 | #ifndef SYS_H 2 | #define SYS_H 3 | 4 | void sys_init(void); 5 | void sys_exit(void); 6 | 7 | #endif -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7de6487/asm/callee_table.txt: -------------------------------------------------------------------------------- 1 | 0x555555572304 2 | 0x555555592a34 3 | 0x55555557227a 4 | 0x55555556ce20 5 | -------------------------------------------------------------------------------- /source_codes/ub/zz_disassem/asm/jit.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/glarer/UserspaceBypass/HEAD/source_codes/ub/zz_disassem/asm/jit.bin -------------------------------------------------------------------------------- /source_codes/ub/zz_disassem/asm/callee_table.txt: -------------------------------------------------------------------------------- 1 | 0x55555557e6e0 2 | 0x5555555c43d0 3 | 0x5555555c1830 4 | 0x5555555c29b0 5 | 0x5555555c0cf0 6 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/Makefile: -------------------------------------------------------------------------------- 1 | target: zz_daemon 2 | 3 | zz_daemon: main.c 4 | gcc main.c -o zz_daemon 5 | 6 | clean: 7 | rm -f zz_daemon 8 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7de6487/asm/jit.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/glarer/UserspaceBypass/HEAD/source_codes/ub/zz_daemon/0x7ffff7de6487/asm/jit.o -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7df274e/asm/jit.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/glarer/UserspaceBypass/HEAD/source_codes/ub/zz_daemon/0x7ffff7df274e/asm/jit.o -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7fa1437/asm/jit.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/glarer/UserspaceBypass/HEAD/source_codes/ub/zz_daemon/0x7ffff7fa1437/asm/jit.o -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7fa1abb/asm/jit.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/glarer/UserspaceBypass/HEAD/source_codes/ub/zz_daemon/0x7ffff7fa1abb/asm/jit.o -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7de6487/asm/ij_table.txt: -------------------------------------------------------------------------------- 1 | 0x7ffff7de6490 0x555555592bb0 2 | 0x555555592bf3 0x555555597f0c 3 | 0x55555556ce2b 0x7ffff7de4fa0 4 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7de6487/asm/jit.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/glarer/UserspaceBypass/HEAD/source_codes/ub/zz_daemon/0x7ffff7de6487/asm/jit.bin -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7df274e/asm/jit.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/glarer/UserspaceBypass/HEAD/source_codes/ub/zz_daemon/0x7ffff7df274e/asm/jit.bin -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7fa1437/asm/jit.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/glarer/UserspaceBypass/HEAD/source_codes/ub/zz_daemon/0x7ffff7fa1437/asm/jit.bin -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7fa1abb/asm/ij_table.txt: -------------------------------------------------------------------------------- 1 | 0x7ffff7fa1ae3 0x55555558a8ec 2 | 0x55555558a91a 0x55555558adc0 3 | 0x55555556cd0b 0x7ffff7ddf500 4 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7fa1abb/asm/jit.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/glarer/UserspaceBypass/HEAD/source_codes/ub/zz_daemon/0x7ffff7fa1abb/asm/jit.bin -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7fa1437/asm/callee_table.txt: -------------------------------------------------------------------------------- 1 | 0x55555556c980 2 | 0x7ffff7d678a0 3 | 0x55555558e3b2 4 | 0x5555555705f3 5 | 0x55555559243b 6 | 0x55555556ca70 7 | -------------------------------------------------------------------------------- /source_codes/scripts/compile_kernel/zz_compile.sh: -------------------------------------------------------------------------------- 1 | make -j 24 2 | make modules_install 3 | find /lib/modules/5.4.44 -name *.ko -exec strip --strip-unneeded {} + 4 | make install 5 | rm -f /boot/*.old -------------------------------------------------------------------------------- /source_codes/apps/io_file/Makefile: -------------------------------------------------------------------------------- 1 | default: syscall_read 2 | 3 | .PHONY: syscall_read clean 4 | 5 | syscall_read: 6 | gcc -D_GNU_SOURCE syscall_read.c -o syscall_read 7 | 8 | clean: 9 | rm syscall_read 10 | -------------------------------------------------------------------------------- /source_codes/apps/socket/udp/Makefile: -------------------------------------------------------------------------------- 1 | default: sniff 2 | 3 | .PHONY: sniff clean 4 | sniff: 5 | gcc raw_socket_udp.c -o sniff -pthread 6 | 7 | # send_udp: 8 | # gcc send_udp.c -o send_udp -pthread 9 | 10 | clean: 11 | rm sniff 12 | -------------------------------------------------------------------------------- /source_codes/ub/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | insed=`lsmod | sed -n '/zz_lkm/p'` 3 | if [ ! -n "$insed" ]; then 4 | echo "" 5 | else 6 | sudo rmmod zz_lkm 7 | fi 8 | 9 | cd zz_lkm/ 10 | sudo insmod zz_lkm.ko 11 | 12 | cd .. 13 | cd zz_daemon 14 | sudo ./zz_daemon 15 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7df274e/asm/callee_table.txt: -------------------------------------------------------------------------------- 1 | 0x555555592b91 2 | 0x55555556ca40 3 | 0x55555557f71a 4 | 0x55555557b14c 5 | 0x5555555a36ff 6 | 0x5555555704d8 7 | 0x5555555702c9 8 | 0x55555559186a 9 | 0x55555556ceb0 10 | 0x55555556c9c0 11 | 0x55555556c990 12 | -------------------------------------------------------------------------------- /source_codes/ub/zz_lkm/Makefile: -------------------------------------------------------------------------------- 1 | obj-m += zz_lkm.o 2 | 3 | zz_lkm-objs := zz_lkm_main.o stat.o sys.o exe.o 4 | 5 | all: 6 | make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules 7 | 8 | clean: 9 | make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean 10 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7fa1437/asm/ij_table.txt: -------------------------------------------------------------------------------- 1 | 0x7ffff7fa1440 0x55555557028c 2 | 0x555555570298 0x555555570453 3 | 0x55555556c98b 0x7ffff7d6c6d0 4 | 0x7ffff7d68998 0x55555557042e 5 | 0x555555570474 0x5555555a3946 6 | 0x5555555a3965 0x5555555a468d 7 | 0x7ffff7d68998 0x555555570620 8 | 0x55555556ca7b 0x7ffff7df2740 9 | -------------------------------------------------------------------------------- /source_codes/apps/socket/bpf/wrapper.py: -------------------------------------------------------------------------------- 1 | import os 2 | import subprocess 3 | import signal 4 | import time 5 | import statistics as ss 6 | import numpy as np 7 | 8 | def run(): 9 | cmd = "python3 main.py" 10 | process = subprocess.Popen(['python3','main.py']) 11 | 12 | time.sleep(10) 13 | process.send_signal(signal.SIGINT) 14 | time.sleep(5) 15 | 16 | if __name__ == '__main__': 17 | for i in range(10): 18 | run() 19 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/exe.h: -------------------------------------------------------------------------------- 1 | #define un_init -1 2 | #define normal 0 3 | #define call_miss 1 4 | #define ij_miss 2 5 | #define error_inst 3 6 | 7 | struct exe_info{ 8 | int status_code; 9 | int pid; 10 | unsigned long RIP; 11 | void* code_block; 12 | unsigned long jump_from; 13 | unsigned long tgt_addr; 14 | unsigned long success_cnt; 15 | unsigned long fail_cnt; 16 | }; 17 | 18 | struct recv_pkt{ 19 | int status_code; 20 | int pid; 21 | unsigned long RIP; 22 | unsigned long offset; 23 | }; 24 | -------------------------------------------------------------------------------- /source_codes/apps/nginx/scgi_params: -------------------------------------------------------------------------------- 1 | 2 | scgi_param REQUEST_METHOD $request_method; 3 | scgi_param REQUEST_URI $request_uri; 4 | scgi_param QUERY_STRING $query_string; 5 | scgi_param CONTENT_TYPE $content_type; 6 | 7 | scgi_param DOCUMENT_URI $document_uri; 8 | scgi_param DOCUMENT_ROOT $document_root; 9 | scgi_param SCGI 1; 10 | scgi_param SERVER_PROTOCOL $server_protocol; 11 | scgi_param REQUEST_SCHEME $scheme; 12 | scgi_param HTTPS $https if_not_empty; 13 | 14 | scgi_param REMOTE_ADDR $remote_addr; 15 | scgi_param REMOTE_PORT $remote_port; 16 | scgi_param SERVER_PORT $server_port; 17 | scgi_param SERVER_NAME $server_name; 18 | -------------------------------------------------------------------------------- /source_codes/apps/nginx/scgi_params.default: -------------------------------------------------------------------------------- 1 | 2 | scgi_param REQUEST_METHOD $request_method; 3 | scgi_param REQUEST_URI $request_uri; 4 | scgi_param QUERY_STRING $query_string; 5 | scgi_param CONTENT_TYPE $content_type; 6 | 7 | scgi_param DOCUMENT_URI $document_uri; 8 | scgi_param DOCUMENT_ROOT $document_root; 9 | scgi_param SCGI 1; 10 | scgi_param SERVER_PROTOCOL $server_protocol; 11 | scgi_param REQUEST_SCHEME $scheme; 12 | scgi_param HTTPS $https if_not_empty; 13 | 14 | scgi_param REMOTE_ADDR $remote_addr; 15 | scgi_param REMOTE_PORT $remote_port; 16 | scgi_param SERVER_PORT $server_port; 17 | scgi_param SERVER_NAME $server_name; 18 | -------------------------------------------------------------------------------- /source_codes/apps/socket/bpf/main.py: -------------------------------------------------------------------------------- 1 | from bcc import BPF 2 | from bcc.utils import printb 3 | import time 4 | import signal 5 | 6 | device = "xxx" 7 | b = BPF(src_file="udp_counter.c") 8 | fn = b.load_func("udp_counter", BPF.XDP) 9 | 10 | b.attach_xdp(device, fn, 0) 11 | 12 | try: 13 | c = time.time() 14 | b.trace_print() 15 | 16 | except KeyboardInterrupt: 17 | d = time.time() 18 | 19 | dist = b.get_table("counter") 20 | dist2 = b.get_table("time") 21 | V = 0 22 | for k, v in sorted(dist.items()): 23 | V = v.value 24 | diff = d - c 25 | 26 | times = 0 27 | for k, v in sorted(dist.items()): 28 | times = v.value 29 | 30 | print("%.2f k"% (V/diff/1000)) 31 | b.remove_xdp(device, 0) 32 | -------------------------------------------------------------------------------- /source_codes/ub/zz_lkm/stat.h: -------------------------------------------------------------------------------- 1 | #ifndef STAT_H 2 | #define STAT_H 3 | 4 | #include 5 | #include "exe.h" 6 | #define max_caller 16 7 | 8 | struct caller_info{ 9 | unsigned long rip; 10 | int pid; 11 | unsigned long cnt; 12 | }; 13 | 14 | struct per_cpu_info{ 15 | unsigned long last_caller; 16 | unsigned long last_ts; 17 | unsigned long call_cnt; 18 | unsigned long milestone_ts; 19 | struct caller_info caller[max_caller]; 20 | bool interested; 21 | }; 22 | 23 | void stat_init(void); 24 | void stat_exit(void); 25 | void stat_func(struct pt_regs* regs, unsigned long ts); 26 | 27 | static inline unsigned int zz_hash(unsigned int pid, unsigned long ip){ 28 | return (((unsigned int)ip^1674567091) + (pid^569809)); 29 | } 30 | 31 | #endif -------------------------------------------------------------------------------- /source_codes/apps/nginx/uwsgi_params: -------------------------------------------------------------------------------- 1 | 2 | uwsgi_param QUERY_STRING $query_string; 3 | uwsgi_param REQUEST_METHOD $request_method; 4 | uwsgi_param CONTENT_TYPE $content_type; 5 | uwsgi_param CONTENT_LENGTH $content_length; 6 | 7 | uwsgi_param REQUEST_URI $request_uri; 8 | uwsgi_param PATH_INFO $document_uri; 9 | uwsgi_param DOCUMENT_ROOT $document_root; 10 | uwsgi_param SERVER_PROTOCOL $server_protocol; 11 | uwsgi_param REQUEST_SCHEME $scheme; 12 | uwsgi_param HTTPS $https if_not_empty; 13 | 14 | uwsgi_param REMOTE_ADDR $remote_addr; 15 | uwsgi_param REMOTE_PORT $remote_port; 16 | uwsgi_param SERVER_PORT $server_port; 17 | uwsgi_param SERVER_NAME $server_name; 18 | -------------------------------------------------------------------------------- /source_codes/apps/nginx/uwsgi_params.default: -------------------------------------------------------------------------------- 1 | 2 | uwsgi_param QUERY_STRING $query_string; 3 | uwsgi_param REQUEST_METHOD $request_method; 4 | uwsgi_param CONTENT_TYPE $content_type; 5 | uwsgi_param CONTENT_LENGTH $content_length; 6 | 7 | uwsgi_param REQUEST_URI $request_uri; 8 | uwsgi_param PATH_INFO $document_uri; 9 | uwsgi_param DOCUMENT_ROOT $document_root; 10 | uwsgi_param SERVER_PROTOCOL $server_protocol; 11 | uwsgi_param REQUEST_SCHEME $scheme; 12 | uwsgi_param HTTPS $https if_not_empty; 13 | 14 | uwsgi_param REMOTE_ADDR $remote_addr; 15 | uwsgi_param REMOTE_PORT $remote_port; 16 | uwsgi_param SERVER_PORT $server_port; 17 | uwsgi_param SERVER_NAME $server_name; 18 | -------------------------------------------------------------------------------- /source_codes/ub/zz_lkm/exe.h: -------------------------------------------------------------------------------- 1 | #ifndef EXE_H 2 | #define EXE_H 3 | 4 | #define un_used -2 5 | #define un_init -1 6 | #define normal 0 7 | #define call_miss 1 8 | #define ij_miss 2 9 | #define error_inst 3 10 | 11 | static const int max_exe = 511; 12 | 13 | struct exe_info{ 14 | int status_code; 15 | int pid; 16 | unsigned long RIP; 17 | void* code_block; 18 | unsigned long jump_from; 19 | unsigned long tgt_addr; 20 | unsigned long success_cnt; 21 | unsigned long fail_cnt; 22 | }; 23 | 24 | void exe_add(int pid, unsigned long RIP); 25 | void exe_init(void); 26 | void exe_exit(void); 27 | void exe_on_call(struct pt_regs* regs); 28 | unsigned long rdtscp(void); 29 | 30 | struct exe_info* get_exe(unsigned int pid, unsigned long ip); 31 | 32 | #endif 33 | -------------------------------------------------------------------------------- /source_codes/ub/zz_disassem/asm/ij_table.txt: -------------------------------------------------------------------------------- 1 | 0x7ffff7a6efb7 0x5555555a9b1b 2 | 0x5555555a9b91 0x5555555e40e8 3 | 0x5555555e3d18 0x5555555e55ec 4 | 0x5555555e560f 0x5555555eabdc 5 | 0x5555555eabff 0x5555555ee342 6 | 0x5555555ec9d3 0x5555555f1c78 7 | 0x5555555f17e6 0x7ffff79426bc 8 | 0x7ffff79426df 0x7ffff7fc71b6 9 | 0x7ffff7fc71d9 0x5555555f407c 10 | 0x5555555f4099 0x5555555f4a34 11 | 0x5555555f46ce 0x5555555f627d 12 | 0x5555555f62a0 0x55555557f1b3 13 | 0x55555557eefc 0x5555555f6f59 14 | 0x5555555f6fa2 0x5555555be89e 15 | 0x5555555be8b0 0x555555601891 16 | 0x555555601692 0x5555555bed6e 17 | 0x5555555bed4e 0x5555555b90fd 18 | 0x5555555b9121 0x5555555bfb7f 19 | 0x5555555bfb88 0x555555605ee1 20 | 0x555555605b30 0x5555555bed6e 21 | 0x5555555c0d25 0x5555555cc550 22 | 0x5555555cc975 0x5555555c0d25 23 | -------------------------------------------------------------------------------- /source_codes/ub/zz_disassem/translation.py: -------------------------------------------------------------------------------- 1 | from miasm.expression.expression import ExprMem, ExprId, ExprInt, ExprLoc, ExprOp 2 | 3 | from special_inst import * 4 | 5 | from normal import * 6 | 7 | 8 | def translate(line, offset, db, reg_map, block_end, can_check = 1): 9 | args = line.args 10 | name = get_inst_name(line) 11 | if line.name in special_instruction: 12 | return special_inst_dispatch(line, args, offset, db, reg_map, block_end) 13 | elif line.name in conditional_branch or line.name in unconditional_branch: 14 | return process_jump(line.name, line, args[0], offset, db, reg_map) 15 | else: 16 | return process_normal(name, args, offset, reg_map, can_check) + \ 17 | release_conflict(reg_map, block_end) 18 | 19 | 20 | -------------------------------------------------------------------------------- /source_codes/scripts/nvme_mem_read/test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # usage: ./test.sh 3 | # The result will save in 4 | 5 | repeat_time=10 6 | bytes_size=(64 256 1024 4096) 7 | 8 | do_test(){ 9 | echo "$1 test" 10 | touch $1 11 | for each in ${bytes_size[*]} 12 | do 13 | echo "'$each' running:" 14 | # awk 'BEGIN{print '$each'}' 15 | for j in `seq 1 $repeat_time` 16 | do 17 | echo "----- times: $j -----" 18 | # ./syscall_read $each | sed -n '/IOPS/p' | awk '{printf("'$each' %f\n",$2)}' >> $1 19 | ./syscall_read $each | sed -n '/IOPS/p' | awk '{printf("%f\n",$2)}' >> $1 20 | echo "***** ending *****" 21 | sleep 2 22 | done 23 | echo >> $1 24 | done 25 | } 26 | 27 | do_test $1 28 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7df274e/asm/ij_table.txt: -------------------------------------------------------------------------------- 1 | 0x7ffff7df2757 0x555555592425 2 | 0x555555592436 0x555555597fe3 3 | 0x7ffff7df2757 0x555555592476 4 | 0x555555592487 0x5555555a49d4 5 | 0x55555556ca4b 0x7ffff7de6470 6 | 0x55555557b16c 0x55555557b3c9 7 | 0x55555557b405 0x55555557b16c 8 | 0x5555555a448a 0x5555555a4ff8 9 | 0x5555555a4c4e 0x5555555a0b61 10 | 0x5555555a0b08 0x55555559b0e4 11 | 0x55555559b0f0 0x55555559b18e 12 | 0x55555559b193 0x5555555a36e1 13 | 0x5555555a36e6 0x5555555a5ae8 14 | 0x5555555a5aab 0x5555555a5e0f 15 | 0x5555555a5e60 0x5555555a672b 16 | 0x5555555a6614 0x555555597c25 17 | 0x555555597c25 0x5555555a653f 18 | 0x55555556cebb 0x7ffff7d6c0e0 19 | 0x7ffff7d6c18e 0x55555559187d 20 | 0x55555556c9cb 0x7ffff7fa4520 21 | 0x7ffff7fa4535 0x5555555a659c 22 | 0x5555555a65b3 0x55555559248c 23 | 0x55555556c99b 0x7ffff7fa15f0 24 | -------------------------------------------------------------------------------- /source_codes/scripts/nginx/test_nginx.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Usage: 1. update the server ip and port and change in the line 23 `$url_xxx$` 3 | # 2. Make files in the server and give them the proper name as said in Readme. 4 | # 3. run ./test_nginx.sh 5 | 6 | 7 | repeat_time=10 8 | bytes_size=(1 4 16 64 256) 9 | url_ws="http://192.168.10.1:8088/" 10 | url_esxi="http://10.176.65.25:8088/" 11 | url_kvm="http://192.168.20.1:8088/" 12 | suffix="k.html" 13 | 14 | nginx_test(){ 15 | echo "nginx test" 16 | touch $1 17 | 18 | for each in ${bytes_size[*]} 19 | do 20 | # echo $each >> $1 21 | echo "'$each$suffix' running:" 22 | for j in `seq 1 $repeat_time` 23 | do 24 | echo "times: $j" 25 | ./wrk -t8 -c1024 -d12 $url_kvm$each$suffix | sed -n '/Requests/p' | awk '{print $2}' >> $1 26 | 27 | sleep 2 28 | done 29 | echo >> $1 30 | done 31 | } 32 | 33 | # naming convention: 34 | # w_i_(no)pti_(no)ub 35 | nginx_test $1 36 | -------------------------------------------------------------------------------- /source_codes/apps/nginx/fastcgi_params: -------------------------------------------------------------------------------- 1 | 2 | fastcgi_param QUERY_STRING $query_string; 3 | fastcgi_param REQUEST_METHOD $request_method; 4 | fastcgi_param CONTENT_TYPE $content_type; 5 | fastcgi_param CONTENT_LENGTH $content_length; 6 | 7 | fastcgi_param SCRIPT_NAME $fastcgi_script_name; 8 | fastcgi_param REQUEST_URI $request_uri; 9 | fastcgi_param DOCUMENT_URI $document_uri; 10 | fastcgi_param DOCUMENT_ROOT $document_root; 11 | fastcgi_param SERVER_PROTOCOL $server_protocol; 12 | fastcgi_param REQUEST_SCHEME $scheme; 13 | fastcgi_param HTTPS $https if_not_empty; 14 | 15 | fastcgi_param GATEWAY_INTERFACE CGI/1.1; 16 | fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; 17 | 18 | fastcgi_param REMOTE_ADDR $remote_addr; 19 | fastcgi_param REMOTE_PORT $remote_port; 20 | fastcgi_param SERVER_ADDR $server_addr; 21 | fastcgi_param SERVER_PORT $server_port; 22 | fastcgi_param SERVER_NAME $server_name; 23 | 24 | # PHP only, required if PHP was built with --enable-force-cgi-redirect 25 | fastcgi_param REDIRECT_STATUS 200; 26 | -------------------------------------------------------------------------------- /source_codes/apps/nginx/fastcgi_params.default: -------------------------------------------------------------------------------- 1 | 2 | fastcgi_param QUERY_STRING $query_string; 3 | fastcgi_param REQUEST_METHOD $request_method; 4 | fastcgi_param CONTENT_TYPE $content_type; 5 | fastcgi_param CONTENT_LENGTH $content_length; 6 | 7 | fastcgi_param SCRIPT_NAME $fastcgi_script_name; 8 | fastcgi_param REQUEST_URI $request_uri; 9 | fastcgi_param DOCUMENT_URI $document_uri; 10 | fastcgi_param DOCUMENT_ROOT $document_root; 11 | fastcgi_param SERVER_PROTOCOL $server_protocol; 12 | fastcgi_param REQUEST_SCHEME $scheme; 13 | fastcgi_param HTTPS $https if_not_empty; 14 | 15 | fastcgi_param GATEWAY_INTERFACE CGI/1.1; 16 | fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; 17 | 18 | fastcgi_param REMOTE_ADDR $remote_addr; 19 | fastcgi_param REMOTE_PORT $remote_port; 20 | fastcgi_param SERVER_ADDR $server_addr; 21 | fastcgi_param SERVER_PORT $server_port; 22 | fastcgi_param SERVER_NAME $server_name; 23 | 24 | # PHP only, required if PHP was built with --enable-force-cgi-redirect 25 | fastcgi_param REDIRECT_STATUS 200; 26 | -------------------------------------------------------------------------------- /source_codes/apps/nginx/fastcgi.conf: -------------------------------------------------------------------------------- 1 | 2 | fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 3 | fastcgi_param QUERY_STRING $query_string; 4 | fastcgi_param REQUEST_METHOD $request_method; 5 | fastcgi_param CONTENT_TYPE $content_type; 6 | fastcgi_param CONTENT_LENGTH $content_length; 7 | 8 | fastcgi_param SCRIPT_NAME $fastcgi_script_name; 9 | fastcgi_param REQUEST_URI $request_uri; 10 | fastcgi_param DOCUMENT_URI $document_uri; 11 | fastcgi_param DOCUMENT_ROOT $document_root; 12 | fastcgi_param SERVER_PROTOCOL $server_protocol; 13 | fastcgi_param REQUEST_SCHEME $scheme; 14 | fastcgi_param HTTPS $https if_not_empty; 15 | 16 | fastcgi_param GATEWAY_INTERFACE CGI/1.1; 17 | fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; 18 | 19 | fastcgi_param REMOTE_ADDR $remote_addr; 20 | fastcgi_param REMOTE_PORT $remote_port; 21 | fastcgi_param SERVER_ADDR $server_addr; 22 | fastcgi_param SERVER_PORT $server_port; 23 | fastcgi_param SERVER_NAME $server_name; 24 | 25 | # PHP only, required if PHP was built with --enable-force-cgi-redirect 26 | fastcgi_param REDIRECT_STATUS 200; 27 | -------------------------------------------------------------------------------- /source_codes/apps/nginx/fastcgi.conf.default: -------------------------------------------------------------------------------- 1 | 2 | fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 3 | fastcgi_param QUERY_STRING $query_string; 4 | fastcgi_param REQUEST_METHOD $request_method; 5 | fastcgi_param CONTENT_TYPE $content_type; 6 | fastcgi_param CONTENT_LENGTH $content_length; 7 | 8 | fastcgi_param SCRIPT_NAME $fastcgi_script_name; 9 | fastcgi_param REQUEST_URI $request_uri; 10 | fastcgi_param DOCUMENT_URI $document_uri; 11 | fastcgi_param DOCUMENT_ROOT $document_root; 12 | fastcgi_param SERVER_PROTOCOL $server_protocol; 13 | fastcgi_param REQUEST_SCHEME $scheme; 14 | fastcgi_param HTTPS $https if_not_empty; 15 | 16 | fastcgi_param GATEWAY_INTERFACE CGI/1.1; 17 | fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; 18 | 19 | fastcgi_param REMOTE_ADDR $remote_addr; 20 | fastcgi_param REMOTE_PORT $remote_port; 21 | fastcgi_param SERVER_ADDR $server_addr; 22 | fastcgi_param SERVER_PORT $server_port; 23 | fastcgi_param SERVER_NAME $server_name; 24 | 25 | # PHP only, required if PHP was built with --enable-force-cgi-redirect 26 | fastcgi_param REDIRECT_STATUS 200; 27 | -------------------------------------------------------------------------------- /source_codes/ub/zz_lkm/debug.h: -------------------------------------------------------------------------------- 1 | #ifndef DEBUG_H 2 | #define DEBUG_H 3 | 4 | #define UB_DEBUG 0 5 | #if(UB_DEBUG!=0) 6 | #define UB_debug(msg, ...) \ 7 | do { \ 8 | printk(KERN_INFO msg "", ##__VA_ARGS__); \ 9 | } while (0) 10 | 11 | #define UB_warning(msg, ...) \ 12 | do { \ 13 | printk(KERN_WARNING msg "\n", ##__VA_ARGS__); \ 14 | } while (0) 15 | 16 | #else 17 | #define UB_debug(fmt, ...) \ 18 | do { \ 19 | } while (0) 20 | 21 | #define UB_warning(fmt, ...) \ 22 | do { \ 23 | } while (0) 24 | 25 | #endif 26 | 27 | #define UB_err(msg, ...) \ 28 | do { \ 29 | printk(KERN_ERR "[UB_ERR] %s:%d %s(): ", __FILE__, __LINE__, __func__); \ 30 | printk(KERN_ERR msg "\n", ##__VA_ARGS__); \ 31 | } while (0) 32 | 33 | #endif 34 | -------------------------------------------------------------------------------- /source_codes/ub/zz_lkm/zz_lkm_main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | #include 10 | #include 11 | 12 | #include 13 | #include "stat.h" 14 | #include "sys.h" 15 | 16 | #include "error_handler.h" 17 | MODULE_LICENSE("GPL"); 18 | MODULE_AUTHOR("Zhe Zhou"); 19 | MODULE_DESCRIPTION("zz module."); 20 | MODULE_VERSION("0.01"); 21 | 22 | extern void(*zz_var)(struct pt_regs* , unsigned long ts); 23 | extern unsigned long zz_sys_call_table; 24 | 25 | int stat_flag = 1; 26 | 27 | static void func(struct pt_regs* regs, unsigned long ts){ 28 | 29 | exe_on_call(regs); 30 | if(stat_flag < 100) 31 | stat_func(regs, ts); 32 | } 33 | 34 | static int __init zz_lkm_init(void) { 35 | printk(KERN_INFO "zz module init\n"); 36 | stat_init(); 37 | exe_init(); 38 | sys_init(); 39 | zz_var = func; 40 | zz_sys_call_table = kallsyms_lookup_name("sys_call_table"); 41 | return 0; 42 | } 43 | 44 | static void __exit zz_lkm_exit(void) { 45 | zz_var = NULL; 46 | stat_exit(); 47 | sys_exit(); 48 | exe_exit(); 49 | printk(KERN_INFO "Goodbye, zz module!\n"); 50 | } 51 | module_init(zz_lkm_init); 52 | module_exit(zz_lkm_exit); 53 | -------------------------------------------------------------------------------- /source_codes/apps/socket/send_udp.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | #define gettid() syscall(__NR_gettid) 14 | 15 | const int SEND_NUM = 1; 16 | void* send_udp(){ 17 | 18 | char * msg = (char*)malloc(SEND_NUM); 19 | int brdcFd; 20 | if((brdcFd = socket(AF_INET, SOCK_DGRAM, 0)) == -1){ 21 | printf("socket fail\n"); 22 | return -1; 23 | } 24 | int optval = 1; 25 | setsockopt(brdcFd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(int)); 26 | struct sockaddr_in theirAddr; 27 | memset(&theirAddr, 0, sizeof(struct sockaddr_in)); 28 | theirAddr.sin_family = AF_INET; 29 | theirAddr.sin_addr.s_addr = inet_addr("xxx.xxx.xxx.xxx"); 30 | theirAddr.sin_port = htons(gettid()%10000); 31 | int sendBytes; 32 | 33 | for(int i=0; i<500000000000; i++){ 34 | if((sendBytes = sendto(brdcFd, msg, SEND_NUM, 0, 35 | (struct sockaddr *)&theirAddr, sizeof(struct sockaddr))) == -1){ 36 | printf("sendto fail, errno=%d\n", errno); 37 | return -1; 38 | } 39 | } 40 | close(brdcFd); 41 | } 42 | 43 | int main(){ 44 | int N=10; 45 | pthread_t ids[N]; 46 | 47 | for(int i=0; i 3 | # this script will test both set and get method. 4 | 5 | repeat_time=10 6 | bytes_size=(1 4 16 64 256 1024 4096 16384) 7 | 8 | 9 | do_test(){ 10 | echo "redis $1 test" 11 | 12 | for each in ${bytes_size[*]} 13 | do 14 | if [ $1 == "get" ] 15 | then 16 | # Here you need to change the ip address and port to the server's redis. 17 | ./redis-benchmark -h 192.168.20.1 -p 6379 -t set -n 1000000 -d $each --threads 2 18 | sleep 2 19 | echo 'set done' 20 | fi 21 | echo "running '$each' :" 22 | echo "running '$each' :" >> $2 23 | for j in `seq 1 $repeat_time` 24 | do 25 | echo "----- times: $j -----" 26 | ./redis-benchmark -h 192.168.20.1 -p 6379 -t $1 -n 1000000 -d $each --threads 2 | sed -n '/per second/p' | awk '{printf("'$each' %.3f\n",$1/1000)}' >> $2 27 | 28 | echo "***** $each ending *****" 29 | 30 | sleep 3 31 | done 32 | 33 | echo >> $2 34 | if [ $1 == "get" ] 35 | then 36 | ./redis-cli -h 192.168.20.1 -p 6379 flushall 37 | echo 'flush done' 38 | fi 39 | 40 | # awk 'BEGIN{cnt=0;sum=0} {if($1=='$each'){sum+=$2;cnt++;}} END{print sum/cnt}' $1_result_file 41 | sleep 1 42 | done 43 | 44 | } 45 | 46 | touch $2/$1 47 | ./redis-cli -h 192.168.20.1 -p 6379 flushall 48 | echo 'set set' >> $2/$1 49 | do_test set $2/$1 50 | 51 | ./redis-cli -h 192.168.20.1 -p 6379 flushall 52 | 53 | echo 'get get' >> $2/$1 54 | sleep 3 55 | do_test get $2/$1 56 | -------------------------------------------------------------------------------- /source_codes/apps/socket/bpf/udp_counter.c: -------------------------------------------------------------------------------- 1 | // #define KBUILD_MODNAME "udp_counter" 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | BPF_HISTOGRAM(counter, u64); 8 | BPF_HISTOGRAM(time, u64); 9 | // static __u64 counter = 0; 10 | 11 | static inline uint64_t rdtscp(){ 12 | uint64_t rax,rdx; 13 | asm volatile ( "rdtscp\n" : "=a" (rax), "=d" (rdx)::"%rcx","memory"); 14 | return (rdx << 32) | rax; 15 | } 16 | 17 | int udp_counter(struct xdp_md *ctx) 18 | { 19 | void *data = (void *)(long)ctx->data; 20 | void *data_end = (void *)(long)ctx->data_end; 21 | struct ethhdr *eth = data; 22 | volatile int sum=0; 23 | int cal = 0; 24 | u64 start = 0; 25 | u64 temp = 0; 26 | if ((void *)eth + sizeof(*eth) <= data_end) 27 | { 28 | u64 value = 1; 29 | counter.increment(value); 30 | 31 | struct iphdr *ip = data + sizeof(*eth); 32 | 33 | if ((void *)ip + sizeof(*ip) <= data_end) 34 | { 35 | struct udphdr * udp = data + sizeof(*eth)+sizeof(*ip); 36 | 37 | if (ip->protocol == IPPROTO_UDP) 38 | { 39 | start = bpf_ktime_get_ns(); 40 | if((void *)udp + sizeof(*udp) <= data_end){ 41 | int * MESG = (int*)(data + sizeof(*eth)+sizeof(*ip)+sizeof(struct udphdr)); 42 | // bpf_trace_printk("ip packet received\n"); 43 | u64 value = 1;//htons(1); 44 | counter.increment(value); 45 | if(cal) 46 | for(int i=0; i<1024 && MESG+i+4 < (int*)data_end; i++) 47 | sum += MESG[i]; 48 | } 49 | temp = bpf_ktime_get_ns() - start; 50 | time.increment(temp); 51 | } 52 | } 53 | 54 | } 55 | return XDP_PASS; 56 | } 57 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/asm/asm_head.h: -------------------------------------------------------------------------------- 1 | #define PT_REG R14 2 | #define ARG_REG R15 3 | 4 | #define MEM_ARG QWORD PTR [ARG_REG] 5 | #define MEM_ARG2 QWORD PTR [ARG_REG+8] 6 | 7 | #define PT_R15 QWORD PTR [PT_REG] 8 | #define PT_R14 QWORD PTR [PT_REG + 8*1] 9 | #define PT_R13 QWORD PTR [PT_REG + 8*2] 10 | #define PT_R12 QWORD PTR [PT_REG + 8*3] 11 | #define PT_RBP QWORD PTR [PT_REG + 8*4] 12 | #define PT_RBX QWORD PTR [PT_REG + 8*5] 13 | #define PT_R11 QWORD PTR [PT_REG + 8*6] 14 | #define PT_R10 QWORD PTR [PT_REG + 8*7] 15 | #define PT_R9 QWORD PTR [PT_REG + 8*8] 16 | #define PT_R8 QWORD PTR [PT_REG + 8*9] 17 | #define PT_RAX QWORD PTR [PT_REG + 8*10] 18 | #define PT_RCX QWORD PTR [PT_REG + 8*11] 19 | #define PT_RDX QWORD PTR [PT_REG + 8*12] 20 | #define PT_RSI QWORD PTR [PT_REG + 8*13] 21 | #define PT_RDI QWORD PTR [PT_REG + 8*14] 22 | // orig_rax 23 | #define PT_RIP QWORD PTR [PT_REG + 8*16] 24 | // cs 25 | #define PT_EFLAGS QWORD PTR [PT_REG + 8*18] 26 | #define PT_RSP QWORD PTR [PT_REG + 8*19] 27 | 28 | 29 | #define Stack_PT_REG QWORD PTR [RBP - 8*6] 30 | #define Stack_ARG_REG QWORD PTR [RBP - 8*7] 31 | 32 | #define Stack_RBP QWORD PTR [RBP - 8*8] 33 | #define Stack_RSP QWORD PTR [RBP - 8*9] 34 | #define Stack_R15 QWORD PTR [RBP - 8*10] 35 | #define Stack_R14 QWORD PTR [RBP - 8*11] 36 | #define Stack_R13 QWORD PTR [RBP - 8*12] 37 | #define Stack_R12 QWORD PTR [RBP - 8*13] 38 | 39 | #define Stack_RGS QWORD PTR [RBP - 8*14] 40 | #define Stack_RFS QWORD PTR [RBP - 8*15] 41 | 42 | #define Stack_RIP QWORD PTR [RBP - 8*16] 43 | #define Stack_IJ QWORD PTR [RBP - 8*17] 44 | #define Stack_INST_CNT QWORD PTR [RBP - 8*18] 45 | 46 | #define PT_FS QWORD PTR [ARG_REG] 47 | #define PT_GS QWORD PTR [ARG_REG + 8] 48 | 49 | #define Stack_RIPL DWORD PTR [RBP - 8*16] 50 | #define Stack_RIPH DWORD PTR [RBP - 8*16+4] 51 | 52 | // R13 for RSP 53 | // R14 for RIP (indirect jump target) 54 | // R15 for indirect jump offset 55 | -------------------------------------------------------------------------------- /source_codes/ub/zz_disassem/asm/asm_head.h: -------------------------------------------------------------------------------- 1 | #define PT_REG R14 2 | #define ARG_REG R15 3 | 4 | #define MEM_ARG QWORD PTR [ARG_REG] 5 | #define MEM_ARG2 QWORD PTR [ARG_REG+8] 6 | 7 | #define PT_R15 QWORD PTR [PT_REG] 8 | #define PT_R14 QWORD PTR [PT_REG + 8*1] 9 | #define PT_R13 QWORD PTR [PT_REG + 8*2] 10 | #define PT_R12 QWORD PTR [PT_REG + 8*3] 11 | #define PT_RBP QWORD PTR [PT_REG + 8*4] 12 | #define PT_RBX QWORD PTR [PT_REG + 8*5] 13 | #define PT_R11 QWORD PTR [PT_REG + 8*6] 14 | #define PT_R10 QWORD PTR [PT_REG + 8*7] 15 | #define PT_R9 QWORD PTR [PT_REG + 8*8] 16 | #define PT_R8 QWORD PTR [PT_REG + 8*9] 17 | #define PT_RAX QWORD PTR [PT_REG + 8*10] 18 | #define PT_RCX QWORD PTR [PT_REG + 8*11] 19 | #define PT_RDX QWORD PTR [PT_REG + 8*12] 20 | #define PT_RSI QWORD PTR [PT_REG + 8*13] 21 | #define PT_RDI QWORD PTR [PT_REG + 8*14] 22 | // orig_rax 23 | #define PT_RIP QWORD PTR [PT_REG + 8*16] 24 | // cs 25 | #define PT_EFLAGS QWORD PTR [PT_REG + 8*18] 26 | #define PT_RSP QWORD PTR [PT_REG + 8*19] 27 | 28 | 29 | #define Stack_PT_REG QWORD PTR [RBP - 8*6] 30 | #define Stack_ARG_REG QWORD PTR [RBP - 8*7] 31 | 32 | #define Stack_RBP QWORD PTR [RBP - 8*8] 33 | #define Stack_RSP QWORD PTR [RBP - 8*9] 34 | #define Stack_R15 QWORD PTR [RBP - 8*10] 35 | #define Stack_R14 QWORD PTR [RBP - 8*11] 36 | #define Stack_R13 QWORD PTR [RBP - 8*12] 37 | #define Stack_R12 QWORD PTR [RBP - 8*13] 38 | 39 | #define Stack_RGS QWORD PTR [RBP - 8*14] 40 | #define Stack_RFS QWORD PTR [RBP - 8*15] 41 | 42 | #define Stack_RIP QWORD PTR [RBP - 8*16] 43 | #define Stack_IJ QWORD PTR [RBP - 8*17] 44 | #define Stack_INST_CNT QWORD PTR [RBP - 8*18] 45 | 46 | #define PT_FS QWORD PTR [ARG_REG] 47 | #define PT_GS QWORD PTR [ARG_REG + 8] 48 | 49 | #define Stack_RIPL DWORD PTR [RBP - 8*16] 50 | #define Stack_RIPH DWORD PTR [RBP - 8*16+4] 51 | 52 | // R13 for RSP 53 | // R14 for RIP (indirect jump target) 54 | // R15 for indirect jump offset 55 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7de6487/asm/asm_head.h: -------------------------------------------------------------------------------- 1 | #define PT_REG R14 2 | #define ARG_REG R15 3 | 4 | #define MEM_ARG QWORD PTR [ARG_REG] 5 | #define MEM_ARG2 QWORD PTR [ARG_REG+8] 6 | 7 | #define PT_R15 QWORD PTR [PT_REG] 8 | #define PT_R14 QWORD PTR [PT_REG + 8*1] 9 | #define PT_R13 QWORD PTR [PT_REG + 8*2] 10 | #define PT_R12 QWORD PTR [PT_REG + 8*3] 11 | #define PT_RBP QWORD PTR [PT_REG + 8*4] 12 | #define PT_RBX QWORD PTR [PT_REG + 8*5] 13 | #define PT_R11 QWORD PTR [PT_REG + 8*6] 14 | #define PT_R10 QWORD PTR [PT_REG + 8*7] 15 | #define PT_R9 QWORD PTR [PT_REG + 8*8] 16 | #define PT_R8 QWORD PTR [PT_REG + 8*9] 17 | #define PT_RAX QWORD PTR [PT_REG + 8*10] 18 | #define PT_RCX QWORD PTR [PT_REG + 8*11] 19 | #define PT_RDX QWORD PTR [PT_REG + 8*12] 20 | #define PT_RSI QWORD PTR [PT_REG + 8*13] 21 | #define PT_RDI QWORD PTR [PT_REG + 8*14] 22 | // orig_rax 23 | #define PT_RIP QWORD PTR [PT_REG + 8*16] 24 | // cs 25 | #define PT_EFLAGS QWORD PTR [PT_REG + 8*18] 26 | #define PT_RSP QWORD PTR [PT_REG + 8*19] 27 | 28 | 29 | #define Stack_PT_REG QWORD PTR [RBP - 8*6] 30 | #define Stack_ARG_REG QWORD PTR [RBP - 8*7] 31 | 32 | #define Stack_RBP QWORD PTR [RBP - 8*8] 33 | #define Stack_RSP QWORD PTR [RBP - 8*9] 34 | #define Stack_R15 QWORD PTR [RBP - 8*10] 35 | #define Stack_R14 QWORD PTR [RBP - 8*11] 36 | #define Stack_R13 QWORD PTR [RBP - 8*12] 37 | #define Stack_R12 QWORD PTR [RBP - 8*13] 38 | 39 | #define Stack_RGS QWORD PTR [RBP - 8*14] 40 | #define Stack_RFS QWORD PTR [RBP - 8*15] 41 | 42 | #define Stack_RIP QWORD PTR [RBP - 8*16] 43 | #define Stack_IJ QWORD PTR [RBP - 8*17] 44 | #define Stack_INST_CNT QWORD PTR [RBP - 8*18] 45 | 46 | #define PT_FS QWORD PTR [ARG_REG] 47 | #define PT_GS QWORD PTR [ARG_REG + 8] 48 | 49 | #define Stack_RIPL DWORD PTR [RBP - 8*16] 50 | #define Stack_RIPH DWORD PTR [RBP - 8*16+4] 51 | 52 | // R13 for RSP 53 | // R14 for RIP (indirect jump target) 54 | // R15 for indirect jump offset 55 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7df274e/asm/asm_head.h: -------------------------------------------------------------------------------- 1 | #define PT_REG R14 2 | #define ARG_REG R15 3 | 4 | #define MEM_ARG QWORD PTR [ARG_REG] 5 | #define MEM_ARG2 QWORD PTR [ARG_REG+8] 6 | 7 | #define PT_R15 QWORD PTR [PT_REG] 8 | #define PT_R14 QWORD PTR [PT_REG + 8*1] 9 | #define PT_R13 QWORD PTR [PT_REG + 8*2] 10 | #define PT_R12 QWORD PTR [PT_REG + 8*3] 11 | #define PT_RBP QWORD PTR [PT_REG + 8*4] 12 | #define PT_RBX QWORD PTR [PT_REG + 8*5] 13 | #define PT_R11 QWORD PTR [PT_REG + 8*6] 14 | #define PT_R10 QWORD PTR [PT_REG + 8*7] 15 | #define PT_R9 QWORD PTR [PT_REG + 8*8] 16 | #define PT_R8 QWORD PTR [PT_REG + 8*9] 17 | #define PT_RAX QWORD PTR [PT_REG + 8*10] 18 | #define PT_RCX QWORD PTR [PT_REG + 8*11] 19 | #define PT_RDX QWORD PTR [PT_REG + 8*12] 20 | #define PT_RSI QWORD PTR [PT_REG + 8*13] 21 | #define PT_RDI QWORD PTR [PT_REG + 8*14] 22 | // orig_rax 23 | #define PT_RIP QWORD PTR [PT_REG + 8*16] 24 | // cs 25 | #define PT_EFLAGS QWORD PTR [PT_REG + 8*18] 26 | #define PT_RSP QWORD PTR [PT_REG + 8*19] 27 | 28 | 29 | #define Stack_PT_REG QWORD PTR [RBP - 8*6] 30 | #define Stack_ARG_REG QWORD PTR [RBP - 8*7] 31 | 32 | #define Stack_RBP QWORD PTR [RBP - 8*8] 33 | #define Stack_RSP QWORD PTR [RBP - 8*9] 34 | #define Stack_R15 QWORD PTR [RBP - 8*10] 35 | #define Stack_R14 QWORD PTR [RBP - 8*11] 36 | #define Stack_R13 QWORD PTR [RBP - 8*12] 37 | #define Stack_R12 QWORD PTR [RBP - 8*13] 38 | 39 | #define Stack_RGS QWORD PTR [RBP - 8*14] 40 | #define Stack_RFS QWORD PTR [RBP - 8*15] 41 | 42 | #define Stack_RIP QWORD PTR [RBP - 8*16] 43 | #define Stack_IJ QWORD PTR [RBP - 8*17] 44 | #define Stack_INST_CNT QWORD PTR [RBP - 8*18] 45 | 46 | #define PT_FS QWORD PTR [ARG_REG] 47 | #define PT_GS QWORD PTR [ARG_REG + 8] 48 | 49 | #define Stack_RIPL DWORD PTR [RBP - 8*16] 50 | #define Stack_RIPH DWORD PTR [RBP - 8*16+4] 51 | 52 | // R13 for RSP 53 | // R14 for RIP (indirect jump target) 54 | // R15 for indirect jump offset 55 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7fa1437/asm/asm_head.h: -------------------------------------------------------------------------------- 1 | #define PT_REG R14 2 | #define ARG_REG R15 3 | 4 | #define MEM_ARG QWORD PTR [ARG_REG] 5 | #define MEM_ARG2 QWORD PTR [ARG_REG+8] 6 | 7 | #define PT_R15 QWORD PTR [PT_REG] 8 | #define PT_R14 QWORD PTR [PT_REG + 8*1] 9 | #define PT_R13 QWORD PTR [PT_REG + 8*2] 10 | #define PT_R12 QWORD PTR [PT_REG + 8*3] 11 | #define PT_RBP QWORD PTR [PT_REG + 8*4] 12 | #define PT_RBX QWORD PTR [PT_REG + 8*5] 13 | #define PT_R11 QWORD PTR [PT_REG + 8*6] 14 | #define PT_R10 QWORD PTR [PT_REG + 8*7] 15 | #define PT_R9 QWORD PTR [PT_REG + 8*8] 16 | #define PT_R8 QWORD PTR [PT_REG + 8*9] 17 | #define PT_RAX QWORD PTR [PT_REG + 8*10] 18 | #define PT_RCX QWORD PTR [PT_REG + 8*11] 19 | #define PT_RDX QWORD PTR [PT_REG + 8*12] 20 | #define PT_RSI QWORD PTR [PT_REG + 8*13] 21 | #define PT_RDI QWORD PTR [PT_REG + 8*14] 22 | // orig_rax 23 | #define PT_RIP QWORD PTR [PT_REG + 8*16] 24 | // cs 25 | #define PT_EFLAGS QWORD PTR [PT_REG + 8*18] 26 | #define PT_RSP QWORD PTR [PT_REG + 8*19] 27 | 28 | 29 | #define Stack_PT_REG QWORD PTR [RBP - 8*6] 30 | #define Stack_ARG_REG QWORD PTR [RBP - 8*7] 31 | 32 | #define Stack_RBP QWORD PTR [RBP - 8*8] 33 | #define Stack_RSP QWORD PTR [RBP - 8*9] 34 | #define Stack_R15 QWORD PTR [RBP - 8*10] 35 | #define Stack_R14 QWORD PTR [RBP - 8*11] 36 | #define Stack_R13 QWORD PTR [RBP - 8*12] 37 | #define Stack_R12 QWORD PTR [RBP - 8*13] 38 | 39 | #define Stack_RGS QWORD PTR [RBP - 8*14] 40 | #define Stack_RFS QWORD PTR [RBP - 8*15] 41 | 42 | #define Stack_RIP QWORD PTR [RBP - 8*16] 43 | #define Stack_IJ QWORD PTR [RBP - 8*17] 44 | #define Stack_INST_CNT QWORD PTR [RBP - 8*18] 45 | 46 | #define PT_FS QWORD PTR [ARG_REG] 47 | #define PT_GS QWORD PTR [ARG_REG + 8] 48 | 49 | #define Stack_RIPL DWORD PTR [RBP - 8*16] 50 | #define Stack_RIPH DWORD PTR [RBP - 8*16+4] 51 | 52 | // R13 for RSP 53 | // R14 for RIP (indirect jump target) 54 | // R15 for indirect jump offset 55 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7fa1abb/asm/asm_head.h: -------------------------------------------------------------------------------- 1 | #define PT_REG R14 2 | #define ARG_REG R15 3 | 4 | #define MEM_ARG QWORD PTR [ARG_REG] 5 | #define MEM_ARG2 QWORD PTR [ARG_REG+8] 6 | 7 | #define PT_R15 QWORD PTR [PT_REG] 8 | #define PT_R14 QWORD PTR [PT_REG + 8*1] 9 | #define PT_R13 QWORD PTR [PT_REG + 8*2] 10 | #define PT_R12 QWORD PTR [PT_REG + 8*3] 11 | #define PT_RBP QWORD PTR [PT_REG + 8*4] 12 | #define PT_RBX QWORD PTR [PT_REG + 8*5] 13 | #define PT_R11 QWORD PTR [PT_REG + 8*6] 14 | #define PT_R10 QWORD PTR [PT_REG + 8*7] 15 | #define PT_R9 QWORD PTR [PT_REG + 8*8] 16 | #define PT_R8 QWORD PTR [PT_REG + 8*9] 17 | #define PT_RAX QWORD PTR [PT_REG + 8*10] 18 | #define PT_RCX QWORD PTR [PT_REG + 8*11] 19 | #define PT_RDX QWORD PTR [PT_REG + 8*12] 20 | #define PT_RSI QWORD PTR [PT_REG + 8*13] 21 | #define PT_RDI QWORD PTR [PT_REG + 8*14] 22 | // orig_rax 23 | #define PT_RIP QWORD PTR [PT_REG + 8*16] 24 | // cs 25 | #define PT_EFLAGS QWORD PTR [PT_REG + 8*18] 26 | #define PT_RSP QWORD PTR [PT_REG + 8*19] 27 | 28 | 29 | #define Stack_PT_REG QWORD PTR [RBP - 8*6] 30 | #define Stack_ARG_REG QWORD PTR [RBP - 8*7] 31 | 32 | #define Stack_RBP QWORD PTR [RBP - 8*8] 33 | #define Stack_RSP QWORD PTR [RBP - 8*9] 34 | #define Stack_R15 QWORD PTR [RBP - 8*10] 35 | #define Stack_R14 QWORD PTR [RBP - 8*11] 36 | #define Stack_R13 QWORD PTR [RBP - 8*12] 37 | #define Stack_R12 QWORD PTR [RBP - 8*13] 38 | 39 | #define Stack_RGS QWORD PTR [RBP - 8*14] 40 | #define Stack_RFS QWORD PTR [RBP - 8*15] 41 | 42 | #define Stack_RIP QWORD PTR [RBP - 8*16] 43 | #define Stack_IJ QWORD PTR [RBP - 8*17] 44 | #define Stack_INST_CNT QWORD PTR [RBP - 8*18] 45 | 46 | #define PT_FS QWORD PTR [ARG_REG] 47 | #define PT_GS QWORD PTR [ARG_REG + 8] 48 | 49 | #define Stack_RIPL DWORD PTR [RBP - 8*16] 50 | #define Stack_RIPH DWORD PTR [RBP - 8*16+4] 51 | 52 | // R13 for RSP 53 | // R14 for RIP (indirect jump target) 54 | // R15 for indirect jump offset 55 | -------------------------------------------------------------------------------- /source_codes/ub/zz_lkm/error_handler.h: -------------------------------------------------------------------------------- 1 | #ifndef ERROR_HANDLER_H 2 | #define ERROR_HANDLER_H 3 | 4 | 5 | #define UB_ERROR_MEMORY_ACCESS -0x200 6 | #define UB_ERROR_MEMORY_ACCESS_STR "-0x200" 7 | 8 | #define UB_DEFAULT -0x300 9 | #define UB_DEFAULT_STR "-0x300" 10 | 11 | #include "debug.h" 12 | /* 13 | * handle SFI error 14 | * this function serves error handler 15 | * in interrupt context 16 | */ 17 | unsigned long UB_error_handler(int error_type){ 18 | 19 | switch(error_type){ 20 | case UB_ERROR_MEMORY_ACCESS: 21 | return (unsigned long)&&UB_memory_access_error; 22 | break; 23 | default: 24 | return (unsigned long)&&UB_default_error; 25 | break; 26 | } 27 | 28 | UB_memory_access_error: 29 | UB_err("Unmmaped memory accessed"); 30 | 31 | 32 | UB_default_error: 33 | UB_err("Undefined error"); 34 | 35 | /* will never execute here*/ 36 | return (unsigned long)&&UB_default_error; 37 | } 38 | EXPORT_SYMBOL(UB_error_handler); 39 | 40 | 41 | /* 42 | * This function is used by page fault handler to determined if UB caused this PageFault 43 | * return value 44 | * 0: not mind 45 | * 1: caused by UB 46 | */ 47 | int UB_fault_address_space(unsigned long address, struct task_struct *tsk, unsigned long user_r13){ 48 | UB_warning( "[UB, PAGE FAULT] UB Fault Address: %lx", address); 49 | UB_warning( "[UB, PAGE FAULT] pid: %d", tsk->pid); 50 | UB_warning( "[UB, PAGE FAULT] rip: %lx", task_pt_regs(tsk)->ip); 51 | UB_warning( "[UB, PAGE FAULT] rdi: %ld", task_pt_regs(tsk)->di); 52 | UB_warning( "[UB, PAGE FAULT] rsi: %ld", task_pt_regs(tsk)->si); 53 | UB_warning( "[UB, PAGE FAULT] rdx: %lx", task_pt_regs(tsk)->dx); 54 | UB_warning( "[UB, PAGE FAULT] r13: %lx", user_r13); 55 | 56 | // this function for UB is not implemented yet. (For Hybriddrv, it could be judged by R13 register.) 57 | return 1; 58 | } 59 | EXPORT_SYMBOL(UB_fault_address_space); 60 | 61 | #endif 62 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/asm/wrapper.S: -------------------------------------------------------------------------------- 1 | #include "asm_head.h" 2 | .intel_syntax noprefix 3 | 4 | main: 5 | push rbp //Save stack 6 | mov rbp, rsp 7 | 8 | push rbx //Callee-saved regs 9 | push r12 10 | push r13 11 | push r14 12 | push r15 13 | 14 | push rdi //Stack_PT_REG -6 15 | push rsi //Stack_ARG_REG -7 16 | 17 | mov PT_REG, rdi //Try to load context 18 | mov ARG_REG, rsi 19 | 20 | mov rbx, PT_RBX 21 | mov r11, PT_R11 22 | mov r10, PT_R10 23 | mov r9, PT_R9 24 | mov r8, PT_R8 25 | mov rax, PT_RAX 26 | mov rcx, PT_RCX 27 | mov rdx, PT_RDX 28 | mov rsi, PT_RSI 29 | mov rdi, PT_RDI 30 | 31 | push PT_RBP // Stack_RBP -8 32 | push PT_RSP // Stack_RSP 33 | push PT_R15 // Stack_R15 34 | push PT_R14 // Stack_R14 35 | push PT_R13 // Stack_R13 36 | push PT_R12 // Stack_R12 37 | push PT_GS // Stack_GS 38 | push PT_FS // Stack_FS 39 | sub RSP, 3*8 // For Stack_RIP, Strack_IJ and INST_CNT 40 | 41 | mov R13, Stack_RSP 42 | mov R12, Stack_RBP 43 | 44 | #include "jit.S" 45 | 46 | comp_syscall: 47 | MOV Stack_IJ, 0x0 48 | JMP exit 49 | 50 | ij_failed: 51 | MOV Stack_IJ, R15 52 | JMP exit 53 | 54 | seg_error: 55 | JMP exit 56 | 57 | seg_error2: 58 | POPF 59 | JMP exit 60 | 61 | inst_limit: 62 | 63 | exit: 64 | mov Stack_RIP, R14 65 | mov Stack_RSP, R13 66 | mov Stack_RBP, R12 67 | 68 | mov PT_REG, Stack_PT_REG 69 | mov ARG_REG, Stack_ARG_REG 70 | 71 | pop MEM_ARG2 // [arg+8] <- Stack_INST_CNT 72 | pop MEM_ARG //[arg] <- Stack_IJ 73 | pop PT_RIP 74 | Add RSP, 2*8 //Stack_GS and Stack_FS 75 | 76 | pop PT_R12 //Context Recovery 77 | pop PT_R13 78 | pop PT_R14 79 | pop PT_R15 80 | pop PT_RSP 81 | pop PT_RBP 82 | 83 | mov PT_RBX, rbx 84 | mov PT_R11, r11 85 | mov PT_R10, r10 86 | mov PT_R9, r9 87 | mov PT_R8, r8 88 | mov PT_RAX, rax 89 | mov PT_RCX, rcx 90 | mov PT_RDX, rdx 91 | mov PT_RSI, rsi 92 | mov PT_RDI, rdi 93 | 94 | add rsp, 2*8 //release Stack_PT_REG and Stack_ARG 95 | pop r15 96 | pop r14 97 | pop r13 98 | pop r12 99 | pop rbx 100 | pop rbp 101 | ret 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | -------------------------------------------------------------------------------- /source_codes/ub/zz_disassem/asm/wrapper.S: -------------------------------------------------------------------------------- 1 | #include "asm_head.h" 2 | .intel_syntax noprefix 3 | 4 | main: 5 | push rbp //Save stack 6 | mov rbp, rsp 7 | 8 | push rbx //Callee-saved regs 9 | push r12 10 | push r13 11 | push r14 12 | push r15 13 | 14 | push rdi //Stack_PT_REG -6 15 | push rsi //Stack_ARG_REG -7 16 | 17 | mov PT_REG, rdi //Try to load context 18 | mov ARG_REG, rsi 19 | 20 | mov rbx, PT_RBX 21 | mov r11, PT_R11 22 | mov r10, PT_R10 23 | mov r9, PT_R9 24 | mov r8, PT_R8 25 | mov rax, PT_RAX 26 | mov rcx, PT_RCX 27 | mov rdx, PT_RDX 28 | mov rsi, PT_RSI 29 | mov rdi, PT_RDI 30 | 31 | push PT_RBP // Stack_RBP -8 32 | push PT_RSP // Stack_RSP 33 | push PT_R15 // Stack_R15 34 | push PT_R14 // Stack_R14 35 | push PT_R13 // Stack_R13 36 | push PT_R12 // Stack_R12 37 | push PT_GS // Stack_GS 38 | push PT_FS // Stack_FS 39 | sub RSP, 3*8 // For Stack_RIP, Strack_IJ and INST_CNT 40 | 41 | mov R13, Stack_RSP 42 | mov R12, Stack_RBP 43 | 44 | #include "jit.S" 45 | 46 | comp_syscall: 47 | MOV Stack_IJ, 0x0 48 | JMP exit 49 | 50 | ij_failed: 51 | MOV Stack_IJ, R15 52 | JMP exit 53 | 54 | seg_error: 55 | JMP exit 56 | 57 | seg_error2: 58 | POPF 59 | JMP exit 60 | 61 | inst_limit: 62 | 63 | exit: 64 | mov Stack_RIP, R14 65 | mov Stack_RSP, R13 66 | mov Stack_RBP, R12 67 | 68 | mov PT_REG, Stack_PT_REG 69 | mov ARG_REG, Stack_ARG_REG 70 | 71 | pop MEM_ARG2 // [arg+8] <- Stack_INST_CNT 72 | pop MEM_ARG //[arg] <- Stack_IJ 73 | pop PT_RIP 74 | Add RSP, 2*8 //Stack_GS and Stack_FS 75 | 76 | pop PT_R12 //Context Recovery 77 | pop PT_R13 78 | pop PT_R14 79 | pop PT_R15 80 | pop PT_RSP 81 | pop PT_RBP 82 | 83 | mov PT_RBX, rbx 84 | mov PT_R11, r11 85 | mov PT_R10, r10 86 | mov PT_R9, r9 87 | mov PT_R8, r8 88 | mov PT_RAX, rax 89 | mov PT_RCX, rcx 90 | mov PT_RDX, rdx 91 | mov PT_RSI, rsi 92 | mov PT_RDI, rdi 93 | 94 | add rsp, 2*8 //release Stack_PT_REG and Stack_ARG 95 | pop r15 96 | pop r14 97 | pop r13 98 | pop r12 99 | pop rbx 100 | pop rbp 101 | ret 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7de6487/asm/wrapper.S: -------------------------------------------------------------------------------- 1 | #include "asm_head.h" 2 | .intel_syntax noprefix 3 | 4 | main: 5 | push rbp //Save stack 6 | mov rbp, rsp 7 | 8 | push rbx //Callee-saved regs 9 | push r12 10 | push r13 11 | push r14 12 | push r15 13 | 14 | push rdi //Stack_PT_REG -6 15 | push rsi //Stack_ARG_REG -7 16 | 17 | mov PT_REG, rdi //Try to load context 18 | mov ARG_REG, rsi 19 | 20 | mov rbx, PT_RBX 21 | mov r11, PT_R11 22 | mov r10, PT_R10 23 | mov r9, PT_R9 24 | mov r8, PT_R8 25 | mov rax, PT_RAX 26 | mov rcx, PT_RCX 27 | mov rdx, PT_RDX 28 | mov rsi, PT_RSI 29 | mov rdi, PT_RDI 30 | 31 | push PT_RBP // Stack_RBP -8 32 | push PT_RSP // Stack_RSP 33 | push PT_R15 // Stack_R15 34 | push PT_R14 // Stack_R14 35 | push PT_R13 // Stack_R13 36 | push PT_R12 // Stack_R12 37 | push PT_GS // Stack_GS 38 | push PT_FS // Stack_FS 39 | sub RSP, 3*8 // For Stack_RIP, Strack_IJ and INST_CNT 40 | 41 | mov R13, Stack_RSP 42 | mov R12, Stack_RBP 43 | 44 | #include "jit.S" 45 | 46 | comp_syscall: 47 | MOV Stack_IJ, 0x0 48 | JMP exit 49 | 50 | ij_failed: 51 | MOV Stack_IJ, R15 52 | JMP exit 53 | 54 | seg_error: 55 | JMP exit 56 | 57 | seg_error2: 58 | POPF 59 | JMP exit 60 | 61 | inst_limit: 62 | 63 | exit: 64 | mov Stack_RIP, R14 65 | mov Stack_RSP, R13 66 | mov Stack_RBP, R12 67 | 68 | mov PT_REG, Stack_PT_REG 69 | mov ARG_REG, Stack_ARG_REG 70 | 71 | pop MEM_ARG2 // [arg+8] <- Stack_INST_CNT 72 | pop MEM_ARG //[arg] <- Stack_IJ 73 | pop PT_RIP 74 | Add RSP, 2*8 //Stack_GS and Stack_FS 75 | 76 | pop PT_R12 //Context Recovery 77 | pop PT_R13 78 | pop PT_R14 79 | pop PT_R15 80 | pop PT_RSP 81 | pop PT_RBP 82 | 83 | mov PT_RBX, rbx 84 | mov PT_R11, r11 85 | mov PT_R10, r10 86 | mov PT_R9, r9 87 | mov PT_R8, r8 88 | mov PT_RAX, rax 89 | mov PT_RCX, rcx 90 | mov PT_RDX, rdx 91 | mov PT_RSI, rsi 92 | mov PT_RDI, rdi 93 | 94 | add rsp, 2*8 //release Stack_PT_REG and Stack_ARG 95 | pop r15 96 | pop r14 97 | pop r13 98 | pop r12 99 | pop rbx 100 | pop rbp 101 | ret 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7df274e/asm/wrapper.S: -------------------------------------------------------------------------------- 1 | #include "asm_head.h" 2 | .intel_syntax noprefix 3 | 4 | main: 5 | push rbp //Save stack 6 | mov rbp, rsp 7 | 8 | push rbx //Callee-saved regs 9 | push r12 10 | push r13 11 | push r14 12 | push r15 13 | 14 | push rdi //Stack_PT_REG -6 15 | push rsi //Stack_ARG_REG -7 16 | 17 | mov PT_REG, rdi //Try to load context 18 | mov ARG_REG, rsi 19 | 20 | mov rbx, PT_RBX 21 | mov r11, PT_R11 22 | mov r10, PT_R10 23 | mov r9, PT_R9 24 | mov r8, PT_R8 25 | mov rax, PT_RAX 26 | mov rcx, PT_RCX 27 | mov rdx, PT_RDX 28 | mov rsi, PT_RSI 29 | mov rdi, PT_RDI 30 | 31 | push PT_RBP // Stack_RBP -8 32 | push PT_RSP // Stack_RSP 33 | push PT_R15 // Stack_R15 34 | push PT_R14 // Stack_R14 35 | push PT_R13 // Stack_R13 36 | push PT_R12 // Stack_R12 37 | push PT_GS // Stack_GS 38 | push PT_FS // Stack_FS 39 | sub RSP, 3*8 // For Stack_RIP, Strack_IJ and INST_CNT 40 | 41 | mov R13, Stack_RSP 42 | mov R12, Stack_RBP 43 | 44 | #include "jit.S" 45 | 46 | comp_syscall: 47 | MOV Stack_IJ, 0x0 48 | JMP exit 49 | 50 | ij_failed: 51 | MOV Stack_IJ, R15 52 | JMP exit 53 | 54 | seg_error: 55 | JMP exit 56 | 57 | seg_error2: 58 | POPF 59 | JMP exit 60 | 61 | inst_limit: 62 | 63 | exit: 64 | mov Stack_RIP, R14 65 | mov Stack_RSP, R13 66 | mov Stack_RBP, R12 67 | 68 | mov PT_REG, Stack_PT_REG 69 | mov ARG_REG, Stack_ARG_REG 70 | 71 | pop MEM_ARG2 // [arg+8] <- Stack_INST_CNT 72 | pop MEM_ARG //[arg] <- Stack_IJ 73 | pop PT_RIP 74 | Add RSP, 2*8 //Stack_GS and Stack_FS 75 | 76 | pop PT_R12 //Context Recovery 77 | pop PT_R13 78 | pop PT_R14 79 | pop PT_R15 80 | pop PT_RSP 81 | pop PT_RBP 82 | 83 | mov PT_RBX, rbx 84 | mov PT_R11, r11 85 | mov PT_R10, r10 86 | mov PT_R9, r9 87 | mov PT_R8, r8 88 | mov PT_RAX, rax 89 | mov PT_RCX, rcx 90 | mov PT_RDX, rdx 91 | mov PT_RSI, rsi 92 | mov PT_RDI, rdi 93 | 94 | add rsp, 2*8 //release Stack_PT_REG and Stack_ARG 95 | pop r15 96 | pop r14 97 | pop r13 98 | pop r12 99 | pop rbx 100 | pop rbp 101 | ret 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7fa1437/asm/wrapper.S: -------------------------------------------------------------------------------- 1 | #include "asm_head.h" 2 | .intel_syntax noprefix 3 | 4 | main: 5 | push rbp //Save stack 6 | mov rbp, rsp 7 | 8 | push rbx //Callee-saved regs 9 | push r12 10 | push r13 11 | push r14 12 | push r15 13 | 14 | push rdi //Stack_PT_REG -6 15 | push rsi //Stack_ARG_REG -7 16 | 17 | mov PT_REG, rdi //Try to load context 18 | mov ARG_REG, rsi 19 | 20 | mov rbx, PT_RBX 21 | mov r11, PT_R11 22 | mov r10, PT_R10 23 | mov r9, PT_R9 24 | mov r8, PT_R8 25 | mov rax, PT_RAX 26 | mov rcx, PT_RCX 27 | mov rdx, PT_RDX 28 | mov rsi, PT_RSI 29 | mov rdi, PT_RDI 30 | 31 | push PT_RBP // Stack_RBP -8 32 | push PT_RSP // Stack_RSP 33 | push PT_R15 // Stack_R15 34 | push PT_R14 // Stack_R14 35 | push PT_R13 // Stack_R13 36 | push PT_R12 // Stack_R12 37 | push PT_GS // Stack_GS 38 | push PT_FS // Stack_FS 39 | sub RSP, 3*8 // For Stack_RIP, Strack_IJ and INST_CNT 40 | 41 | mov R13, Stack_RSP 42 | mov R12, Stack_RBP 43 | 44 | #include "jit.S" 45 | 46 | comp_syscall: 47 | MOV Stack_IJ, 0x0 48 | JMP exit 49 | 50 | ij_failed: 51 | MOV Stack_IJ, R15 52 | JMP exit 53 | 54 | seg_error: 55 | JMP exit 56 | 57 | seg_error2: 58 | POPF 59 | JMP exit 60 | 61 | inst_limit: 62 | 63 | exit: 64 | mov Stack_RIP, R14 65 | mov Stack_RSP, R13 66 | mov Stack_RBP, R12 67 | 68 | mov PT_REG, Stack_PT_REG 69 | mov ARG_REG, Stack_ARG_REG 70 | 71 | pop MEM_ARG2 // [arg+8] <- Stack_INST_CNT 72 | pop MEM_ARG //[arg] <- Stack_IJ 73 | pop PT_RIP 74 | Add RSP, 2*8 //Stack_GS and Stack_FS 75 | 76 | pop PT_R12 //Context Recovery 77 | pop PT_R13 78 | pop PT_R14 79 | pop PT_R15 80 | pop PT_RSP 81 | pop PT_RBP 82 | 83 | mov PT_RBX, rbx 84 | mov PT_R11, r11 85 | mov PT_R10, r10 86 | mov PT_R9, r9 87 | mov PT_R8, r8 88 | mov PT_RAX, rax 89 | mov PT_RCX, rcx 90 | mov PT_RDX, rdx 91 | mov PT_RSI, rsi 92 | mov PT_RDI, rdi 93 | 94 | add rsp, 2*8 //release Stack_PT_REG and Stack_ARG 95 | pop r15 96 | pop r14 97 | pop r13 98 | pop r12 99 | pop rbx 100 | pop rbp 101 | ret 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/0x7ffff7fa1abb/asm/wrapper.S: -------------------------------------------------------------------------------- 1 | #include "asm_head.h" 2 | .intel_syntax noprefix 3 | 4 | main: 5 | push rbp //Save stack 6 | mov rbp, rsp 7 | 8 | push rbx //Callee-saved regs 9 | push r12 10 | push r13 11 | push r14 12 | push r15 13 | 14 | push rdi //Stack_PT_REG -6 15 | push rsi //Stack_ARG_REG -7 16 | 17 | mov PT_REG, rdi //Try to load context 18 | mov ARG_REG, rsi 19 | 20 | mov rbx, PT_RBX 21 | mov r11, PT_R11 22 | mov r10, PT_R10 23 | mov r9, PT_R9 24 | mov r8, PT_R8 25 | mov rax, PT_RAX 26 | mov rcx, PT_RCX 27 | mov rdx, PT_RDX 28 | mov rsi, PT_RSI 29 | mov rdi, PT_RDI 30 | 31 | push PT_RBP // Stack_RBP -8 32 | push PT_RSP // Stack_RSP 33 | push PT_R15 // Stack_R15 34 | push PT_R14 // Stack_R14 35 | push PT_R13 // Stack_R13 36 | push PT_R12 // Stack_R12 37 | push PT_GS // Stack_GS 38 | push PT_FS // Stack_FS 39 | sub RSP, 3*8 // For Stack_RIP, Strack_IJ and INST_CNT 40 | 41 | mov R13, Stack_RSP 42 | mov R12, Stack_RBP 43 | 44 | #include "jit.S" 45 | 46 | comp_syscall: 47 | MOV Stack_IJ, 0x0 48 | JMP exit 49 | 50 | ij_failed: 51 | MOV Stack_IJ, R15 52 | JMP exit 53 | 54 | seg_error: 55 | JMP exit 56 | 57 | seg_error2: 58 | POPF 59 | JMP exit 60 | 61 | inst_limit: 62 | 63 | exit: 64 | mov Stack_RIP, R14 65 | mov Stack_RSP, R13 66 | mov Stack_RBP, R12 67 | 68 | mov PT_REG, Stack_PT_REG 69 | mov ARG_REG, Stack_ARG_REG 70 | 71 | pop MEM_ARG2 // [arg+8] <- Stack_INST_CNT 72 | pop MEM_ARG //[arg] <- Stack_IJ 73 | pop PT_RIP 74 | Add RSP, 2*8 //Stack_GS and Stack_FS 75 | 76 | pop PT_R12 //Context Recovery 77 | pop PT_R13 78 | pop PT_R14 79 | pop PT_R15 80 | pop PT_RSP 81 | pop PT_RBP 82 | 83 | mov PT_RBX, rbx 84 | mov PT_R11, r11 85 | mov PT_R10, r10 86 | mov PT_R9, r9 87 | mov PT_R8, r8 88 | mov PT_RAX, rax 89 | mov PT_RCX, rcx 90 | mov PT_RDX, rdx 91 | mov PT_RSI, rsi 92 | mov PT_RDI, rdi 93 | 94 | add rsp, 2*8 //release Stack_PT_REG and Stack_ARG 95 | pop r15 96 | pop r14 97 | pop r13 98 | pop r12 99 | pop rbx 100 | pop rbp 101 | ret 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | -------------------------------------------------------------------------------- /source_codes/ub/zz_lkm/stat.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include "stat.h" 5 | #include "exe.h" 6 | 7 | struct per_cpu_info* info; 8 | static const int syscall_short_th = 1300; // 1200; //800; //0.4us gap to be short syscall + 0.4 syscall entry&exit 9 | static const int hot_caller_th = 900; // 1000 short calls per mislestone to be hot 10 | static const int milestone_cnt = 30000; // check if hot every 50,000 syscalls 11 | static const int milestone_duration_th = 1000000000; // check if milestone finished within the duration 12 | 13 | int num_cpus; 14 | 15 | void stat_init(void){ 16 | num_cpus = num_online_cpus(); 17 | info = vmalloc(sizeof(struct per_cpu_info) * num_cpus); 18 | memset(info, 0, sizeof(struct per_cpu_info) * num_cpus); 19 | } 20 | 21 | void stat_exit(void){ 22 | vfree(info); 23 | }; 24 | 25 | 26 | void stat_func(struct pt_regs* regs, unsigned long ts){ 27 | unsigned long cpu_id = smp_processor_id(); 28 | unsigned long current_time = ktime_get_boottime_ns(); 29 | int pid = task_pid_nr(current); 30 | 31 | struct per_cpu_info* my_info = &info[cpu_id]; 32 | struct caller_info* my_caller; 33 | // struct caller_info* writev_as_caller; 34 | int pos; 35 | my_info->call_cnt++; 36 | 37 | 38 | if(my_info->call_cnt > milestone_cnt ){ 39 | if(my_info->interested){ 40 | for(pos =0;poscaller[pos]); 42 | if(my_caller->cnt > hot_caller_th){ 43 | // printk(KERN_INFO "%d %lx %ld",my_caller->pid, my_caller->rip, my_caller->cnt); 44 | exe_add(my_caller->pid, my_caller->rip); 45 | } 46 | my_caller->cnt = 0; 47 | } 48 | } 49 | 50 | my_info->call_cnt = 0; 51 | my_info->interested = (current_time - my_info->milestone_ts) < milestone_duration_th; 52 | my_info->milestone_ts = current_time; 53 | } 54 | 55 | if(my_info->interested){ 56 | if(ts - my_info->last_ts < syscall_short_th){ //short syscall 57 | pos = zz_hash(pid, my_info->last_caller) % max_caller; 58 | 59 | my_caller = &(my_info->caller[pos]); 60 | if(my_caller->cnt == 0){ // create new one 61 | my_caller->pid = pid; 62 | my_caller->rip = my_info->last_caller; 63 | } 64 | if(my_caller->rip == my_info->last_caller) 65 | my_caller->cnt++; 66 | } 67 | my_info->last_ts = current_time; 68 | my_info->last_caller = regs->ip; 69 | } 70 | 71 | } 72 | -------------------------------------------------------------------------------- /source_codes/apps/nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | user www-data; 2 | worker_processes 1; 3 | # bind to core 14 4 | worker_cpu_affinity 0010000000000000; # 0001000000000000 0000100000000000 0000010000000000 0000001000000000 0000000100000000 0000000010000000 0000000001000000; # 00000000000100000 0000000000010000 0000000000001000 0000000000000100; 5 | pid /run/nginx.pid; 6 | include /etc/nginx/modules-enabled/*.conf; 7 | 8 | events { 9 | worker_connections 1024; 10 | # multi_accept on; 11 | } 12 | 13 | http { 14 | 15 | ## 16 | # Basic Settings 17 | ## 18 | 19 | sendfile on; 20 | tcp_nopush on; 21 | tcp_nodelay on; 22 | keepalive_timeout 150; 23 | types_hash_max_size 2048; 24 | # server_tokens off; 25 | 26 | # server_names_hash_bucket_size 64; 27 | # server_name_in_redirect off; 28 | 29 | include /etc/nginx/mime.types; 30 | default_type application/octet-stream; 31 | 32 | ## 33 | # SSL Settings 34 | ## 35 | 36 | # ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE 37 | # ssl_prefer_server_ciphers on; 38 | 39 | ## 40 | # Logging Settings 41 | ## 42 | 43 | # access_log /var/log/nginx/access.log; 44 | # error_log /var/log/nginx/error.log; 45 | access_log off; 46 | error_log off; 47 | 48 | ## 49 | # Gzip Settings 50 | ## 51 | 52 | gzip on; 53 | 54 | gzip_vary on; 55 | # gzip_proxied any; 56 | gzip_min_length 32; 57 | gzip_comp_level 1; 58 | gzip_buffers 64 4k; 59 | # gzip_http_version 1.1; 60 | # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; 61 | gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png application/vnd.ms-fontobject font/ttf 62 | font/opentype font/x-woff image/svg+xml; 63 | ## 64 | # Virtual Host Configs 65 | ## 66 | 67 | include /etc/nginx/conf.d/*.conf; 68 | include /etc/nginx/sites-enabled/*; 69 | } 70 | 71 | 72 | #mail { 73 | # # See sample authentication script at: 74 | # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript 75 | # 76 | # # auth_http localhost/auth.php; 77 | # # pop3_capabilities "TOP" "USER"; 78 | # # imap_capabilities "IMAP4rev1" "UIDPLUS"; 79 | # 80 | # server { 81 | # listen localhost:110; 82 | # protocol pop3; 83 | # proxy on; 84 | # } 85 | # 86 | # server { 87 | # listen localhost:143; 88 | # protocol imap; 89 | # proxy on; 90 | # } 91 | #} 92 | -------------------------------------------------------------------------------- /source_codes/apps/io_file/syscall_read.c: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | 4 | #define FILE_POS 0 //0: memory 1: ssd 5 | #define WITH_SUM 0 6 | 7 | #define SSD_O_DIRECT_SWITCH 0 // 0: off 1:on 8 | 9 | #if FILE_POS 10 | // ssd 11 | #define Test_file "/home/artifact/apps/io_file/toRead/test.file" 12 | #if SSD_O_DIRECT_SWITCH 13 | #define FLAGS O_DIRECT 14 | #else 15 | #define FLAGS 0 16 | #endif 17 | #else 18 | // memory 19 | #define Test_file "/dev/shm/test.file" 20 | #define FLAGS 0 21 | #endif 22 | 23 | uint64_t syscall_read(){ 24 | #if FILE_POS 25 | int _fd; 26 | _fd = open(Test_file, O_RDONLY); 27 | fdatasync(_fd); 28 | posix_fadvise(_fd, 0, 0, POSIX_FADV_DONTNEED); 29 | close(_fd); 30 | #endif 31 | 32 | int fd = open(Test_file, O_RDONLY | FLAGS); 33 | 34 | if (fd < 0) { 35 | perror("open"); 36 | return 1; 37 | } 38 | #define USE_PAGES 16384 39 | #define PAGE 131072 40 | 41 | void* buf_arr[USE_PAGES+1]; 42 | 43 | for(int i=0; i 2 | #include 3 | #include "sys.h" 4 | #include "stat.h" 5 | #include "exe.h" 6 | extern struct per_cpu_info* info; 7 | extern struct exe_info* exes; 8 | 9 | struct recv_pkt{ 10 | int status_code; 11 | int pid; 12 | unsigned long RIP; 13 | unsigned long offset; 14 | }; 15 | 16 | struct kobject *kobj_ref = NULL; 17 | static int etx_value = 0; 18 | extern struct per_cpu_info* info; 19 | 20 | extern int stat_flag; 21 | 22 | static ssize_t sysfs_show(struct kobject *kobj, 23 | struct kobj_attribute *attr, char *buf) 24 | { 25 | int i,len = 0; 26 | const int sz = sizeof(struct exe_info); 27 | 28 | for(i=0;ipid,head->RIP); 46 | 47 | //printk(KERN_INFO "write to kernel %d %p %d %ld\n",head->pid,(void*)head->RIP, head->status_code, head->offset); 48 | if(p->RIP == head->RIP && p->pid == head->pid){ 49 | memcpy(p->code_block + head->offset, payload, len); 50 | p->status_code = head->status_code; 51 | return count; 52 | } 53 | 54 | printk(KERN_INFO "exe to be written not found %d %p\n",head->pid,(void*)head->RIP); 55 | return count; 56 | 57 | } 58 | 59 | 60 | void sys_init(void){ 61 | 62 | int ret_val = 0; 63 | static struct kobj_attribute etx_attr = __ATTR(etx_value, 0700, sysfs_show, sysfs_store); 64 | struct file *filp; 65 | 66 | etx_value = 0; 67 | filp = filp_open("/sys/zz_sys", O_RDONLY, 0); 68 | if (!IS_ERR(filp)) { 69 | printk(KERN_INFO "/sys/zz_sys already exists!\n"); 70 | return; 71 | } 72 | 73 | kobj_ref = kobject_create_and_add("zz_sys", kernel_kobj); 74 | if(kobj_ref == NULL){ 75 | printk(KERN_INFO "NULL kobject\n"); 76 | return; 77 | } 78 | 79 | ret_val = sysfs_create_file(kobj_ref, &etx_attr.attr); 80 | if(ret_val ){ 81 | printk(KERN_INFO "sys_file not created!\n"); 82 | } 83 | 84 | } 85 | 86 | void sys_exit(void){ 87 | if(kobj_ref) 88 | kobject_del(kobj_ref); 89 | } 90 | 91 | -------------------------------------------------------------------------------- /source_codes/apps/nginx/koi-win: -------------------------------------------------------------------------------- 1 | 2 | charset_map koi8-r windows-1251 { 3 | 4 | 80 88 ; # euro 5 | 6 | 95 95 ; # bullet 7 | 8 | 9A A0 ; #   9 | 10 | 9E B7 ; # · 11 | 12 | A3 B8 ; # small yo 13 | A4 BA ; # small Ukrainian ye 14 | 15 | A6 B3 ; # small Ukrainian i 16 | A7 BF ; # small Ukrainian yi 17 | 18 | AD B4 ; # small Ukrainian soft g 19 | AE A2 ; # small Byelorussian short u 20 | 21 | B0 B0 ; # ° 22 | 23 | B3 A8 ; # capital YO 24 | B4 AA ; # capital Ukrainian YE 25 | 26 | B6 B2 ; # capital Ukrainian I 27 | B7 AF ; # capital Ukrainian YI 28 | 29 | B9 B9 ; # numero sign 30 | 31 | BD A5 ; # capital Ukrainian soft G 32 | BE A1 ; # capital Byelorussian short U 33 | 34 | BF A9 ; # (C) 35 | 36 | C0 FE ; # small yu 37 | C1 E0 ; # small a 38 | C2 E1 ; # small b 39 | C3 F6 ; # small ts 40 | C4 E4 ; # small d 41 | C5 E5 ; # small ye 42 | C6 F4 ; # small f 43 | C7 E3 ; # small g 44 | C8 F5 ; # small kh 45 | C9 E8 ; # small i 46 | CA E9 ; # small j 47 | CB EA ; # small k 48 | CC EB ; # small l 49 | CD EC ; # small m 50 | CE ED ; # small n 51 | CF EE ; # small o 52 | 53 | D0 EF ; # small p 54 | D1 FF ; # small ya 55 | D2 F0 ; # small r 56 | D3 F1 ; # small s 57 | D4 F2 ; # small t 58 | D5 F3 ; # small u 59 | D6 E6 ; # small zh 60 | D7 E2 ; # small v 61 | D8 FC ; # small soft sign 62 | D9 FB ; # small y 63 | DA E7 ; # small z 64 | DB F8 ; # small sh 65 | DC FD ; # small e 66 | DD F9 ; # small shch 67 | DE F7 ; # small ch 68 | DF FA ; # small hard sign 69 | 70 | E0 DE ; # capital YU 71 | E1 C0 ; # capital A 72 | E2 C1 ; # capital B 73 | E3 D6 ; # capital TS 74 | E4 C4 ; # capital D 75 | E5 C5 ; # capital YE 76 | E6 D4 ; # capital F 77 | E7 C3 ; # capital G 78 | E8 D5 ; # capital KH 79 | E9 C8 ; # capital I 80 | EA C9 ; # capital J 81 | EB CA ; # capital K 82 | EC CB ; # capital L 83 | ED CC ; # capital M 84 | EE CD ; # capital N 85 | EF CE ; # capital O 86 | 87 | F0 CF ; # capital P 88 | F1 DF ; # capital YA 89 | F2 D0 ; # capital R 90 | F3 D1 ; # capital S 91 | F4 D2 ; # capital T 92 | F5 D3 ; # capital U 93 | F6 C6 ; # capital ZH 94 | F7 C2 ; # capital V 95 | F8 DC ; # capital soft sign 96 | F9 DB ; # capital Y 97 | FA C7 ; # capital Z 98 | FB D8 ; # capital SH 99 | FC DD ; # capital E 100 | FD D9 ; # capital SHCH 101 | FE D7 ; # capital CH 102 | FF DA ; # capital hard sign 103 | } 104 | -------------------------------------------------------------------------------- /source_codes/apps/nginx/sites-enabled/default: -------------------------------------------------------------------------------- 1 | ## 2 | # You should look at the following URL's in order to grasp a solid understanding 3 | # of Nginx configuration files in order to fully unleash the power of Nginx. 4 | # https://www.nginx.com/resources/wiki/start/ 5 | # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ 6 | # https://wiki.debian.org/Nginx/DirectoryStructure 7 | # 8 | # In most cases, administrators will remove this file from sites-enabled/ and 9 | # leave it as reference inside of sites-available where it will continue to be 10 | # updated by the nginx packaging team. 11 | # 12 | # This file will automatically load configuration files provided by other 13 | # applications, such as Drupal or Wordpress. These applications will be made 14 | # available underneath a path with that package name, such as /drupal8. 15 | # 16 | # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. 17 | ## 18 | 19 | # Default server configuration 20 | # 21 | server { 22 | listen 8088 default_server; 23 | listen [::]:8088 default_server; 24 | 25 | # SSL configuration 26 | # 27 | # listen 443 ssl default_server; 28 | # listen [::]:443 ssl default_server; 29 | # 30 | # Note: You should disable gzip for SSL traffic. 31 | # See: https://bugs.debian.org/773332 32 | # 33 | # Read up on ssl_ciphers to ensure a secure configuration. 34 | # See: https://bugs.debian.org/765782 35 | # 36 | # Self signed certs generated by the ssl-cert package 37 | # Don't use them in a production server! 38 | # 39 | # include snippets/snakeoil.conf; 40 | 41 | root /var/www/html; 42 | 43 | # Add index.php to the list if you are using PHP 44 | index index.html index.htm index.nginx-debian.html; 45 | 46 | server_name _; 47 | 48 | location / { 49 | # First attempt to serve request as file, then 50 | # as directory, then fall back to displaying a 404. 51 | try_files $uri $uri/ =404; 52 | # return 200; 53 | } 54 | 55 | location ~* ^.+\.(html|htm)$ { 56 | expires 30d; 57 | } 58 | 59 | # pass PHP scripts to FastCGI server 60 | # 61 | #location ~ \.php$ { 62 | # include snippets/fastcgi-php.conf; 63 | # 64 | # # With php-fpm (or other unix sockets): 65 | # fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; 66 | # # With php-cgi (or other tcp sockets): 67 | # fastcgi_pass 127.0.0.1:9000; 68 | #} 69 | 70 | # deny access to .htaccess files, if Apache's document root 71 | # concurs with nginx's one 72 | # 73 | #location ~ /\.ht { 74 | # deny all; 75 | #} 76 | } 77 | 78 | 79 | # Virtual Host configuration for example.com 80 | # 81 | # You can move that to a different file under sites-available/ and symlink that 82 | # to sites-enabled/ to enable it. 83 | # 84 | #server { 85 | # listen 80; 86 | # listen [::]:80; 87 | # 88 | # server_name example.com; 89 | # 90 | # root /var/www/example.com; 91 | # index index.html; 92 | # 93 | # location / { 94 | # try_files $uri $uri/ =404; 95 | # } 96 | #} 97 | -------------------------------------------------------------------------------- /source_codes/ub/zz_disassem/indirect_jump.py: -------------------------------------------------------------------------------- 1 | from miasm.expression.expression import ExprMem, ExprId, ExprInt, ExprLoc 2 | from assist import * 3 | def dfs(entry, blocks, ret_addr, db_dict): 4 | global visited 5 | global jump_table 6 | offset = entry 7 | for line in blocks[entry].lines: 8 | offset = offset + line.l 9 | if line.name == 'RET': 10 | if offset not in jump_table: 11 | jump_table[offset] = [] 12 | jump_table[offset].append(ret_addr) 13 | for fork_dst in blocks[entry].bto: 14 | db = db_dict[blocks[entry]] 15 | tgt = db.pretty_str(fork_dst.loc_key) 16 | tgt = tgt.split('_')[1] 17 | tgt = int(tgt, 16) 18 | if tgt not in visited: 19 | visited.add(tgt) 20 | dfs(tgt, blocks, ret_addr, db_dict) 21 | 22 | 23 | 24 | def find(blocks, db_dict, pre_jump_table): 25 | global jump_table 26 | jump_table = pre_jump_table 27 | missing_callees = set() 28 | for offset, block in blocks.items(): 29 | db = db_dict[block] 30 | for line in block.lines: 31 | offset = offset + line.l 32 | if line.name == 'CALL' and isinstance(line.args[0], ExprLoc): 33 | callee = int(line.arg2str(line.args[0], 0, db).split('_')[1], 16) 34 | if callee in blocks: 35 | global visited 36 | visited = set() 37 | dfs(callee, blocks, offset, db_dict) 38 | else: 39 | missing_callees.add(callee) 40 | elif (line.name[0] == 'J' or line.name == 'CALL') and not isinstance(line.args[0], ExprLoc) \ 41 | or line.name == 'RET': 42 | if offset not in jump_table: 43 | jump_table[offset] = [] 44 | return list(missing_callees) 45 | 46 | def make_jump_table(jump_table): 47 | ret_str = '' 48 | for offset, psb_targets in jump_table.items(): 49 | ret_str += 'ij_'+hex(offset)[2:] +':\n' 50 | dst_reg = 'R14' #jump_regs[offset] 51 | psb_reg = 'R15' #if dst_reg != 'R15' else 'R14' 52 | 53 | for psb_tgt in psb_targets: 54 | ret_str += make_inst('MOVABS', [psb_reg, hex(psb_tgt)]) 55 | ret_str += make_inst('CMP', [dst_reg, psb_reg]) 56 | ret_str += make_inst('JZ', ["loc_" + hex(psb_tgt)[2:]]) 57 | ret_str += make_inst('MOVABS', ['R15', hex(offset)]) 58 | ret_str += make_inst('JMP', ['ij_failed'] ) 59 | ret_str += '\n' 60 | return ret_str 61 | 62 | def make_callee_table(callee_list): 63 | ret_str = '' 64 | for offset in callee_list: 65 | ret_str += 'loc_' + hex(offset)[2:] +':\n' 66 | ret_str += make_inst('MOVABS', ['R14', hex(offset)]) 67 | ret_str += make_inst('MOV', ['Stack_IJ', '0x1']) 68 | ret_str += make_inst('JMP', ['exit'] ) 69 | ret_str += '\n' 70 | return ret_str 71 | 72 | -------------------------------------------------------------------------------- /source_codes/apps/nginx/sites-available/default: -------------------------------------------------------------------------------- 1 | ## 2 | # You should look at the following URL's in order to grasp a solid understanding 3 | # of Nginx configuration files in order to fully unleash the power of Nginx. 4 | # https://www.nginx.com/resources/wiki/start/ 5 | # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ 6 | # https://wiki.debian.org/Nginx/DirectoryStructure 7 | # 8 | # In most cases, administrators will remove this file from sites-enabled/ and 9 | # leave it as reference inside of sites-available where it will continue to be 10 | # updated by the nginx packaging team. 11 | # 12 | # This file will automatically load configuration files provided by other 13 | # applications, such as Drupal or Wordpress. These applications will be made 14 | # available underneath a path with that package name, such as /drupal8. 15 | # 16 | # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. 17 | ## 18 | 19 | # Default server configuration 20 | # 21 | server { 22 | listen 8088 default_server; 23 | listen [::]:8088 default_server; 24 | 25 | # SSL configuration 26 | # 27 | # listen 443 ssl default_server; 28 | # listen [::]:443 ssl default_server; 29 | # 30 | # Note: You should disable gzip for SSL traffic. 31 | # See: https://bugs.debian.org/773332 32 | # 33 | # Read up on ssl_ciphers to ensure a secure configuration. 34 | # See: https://bugs.debian.org/765782 35 | # 36 | # Self signed certs generated by the ssl-cert package 37 | # Don't use them in a production server! 38 | # 39 | # include snippets/snakeoil.conf; 40 | 41 | root /var/www/html; 42 | 43 | # Add index.php to the list if you are using PHP 44 | index index.html index.htm index.nginx-debian.html; 45 | 46 | server_name _; 47 | 48 | location / { 49 | # First attempt to serve request as file, then 50 | # as directory, then fall back to displaying a 404. 51 | try_files $uri $uri/ =404; 52 | # return 200; 53 | } 54 | 55 | location ~* ^.+\.(html|htm)$ { 56 | expires 30d; 57 | } 58 | 59 | # pass PHP scripts to FastCGI server 60 | # 61 | #location ~ \.php$ { 62 | # include snippets/fastcgi-php.conf; 63 | # 64 | # # With php-fpm (or other unix sockets): 65 | # fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; 66 | # # With php-cgi (or other tcp sockets): 67 | # fastcgi_pass 127.0.0.1:9000; 68 | #} 69 | 70 | # deny access to .htaccess files, if Apache's document root 71 | # concurs with nginx's one 72 | # 73 | #location ~ /\.ht { 74 | # deny all; 75 | #} 76 | } 77 | 78 | 79 | # Virtual Host configuration for example.com 80 | # 81 | # You can move that to a different file under sites-available/ and symlink that 82 | # to sites-enabled/ to enable it. 83 | # 84 | #server { 85 | # listen 80; 86 | # listen [::]:80; 87 | # 88 | # server_name example.com; 89 | # 90 | # root /var/www/example.com; 91 | # index index.html; 92 | # 93 | # location / { 94 | # try_files $uri $uri/ =404; 95 | # } 96 | #} 97 | -------------------------------------------------------------------------------- /source_codes/ub/zz_disassem/memread.py: -------------------------------------------------------------------------------- 1 | def getmap(pid): 2 | path = "/proc/" + str(pid) +"/maps" 3 | f = open(path) 4 | lines = f.readlines() 5 | maps = [] 6 | for i in range(len(lines)): 7 | lines[i] = lines[i].split(' ') 8 | if 'x' not in lines[i][1]: 9 | continue 10 | [start, end] = lines[i][0].split('-') 11 | #maps.append([int(start,16), int(end,16), lines[i][1], lines[i][-1]]) 12 | maps.append([int(start,16), int(end,16)]) 13 | f.close() 14 | 15 | return maps 16 | 17 | def read(pid, entry, jump_table): 18 | try: 19 | ij_file = open('./asm/ij_table.txt', 'r', 4096).read() 20 | except Exception as e: 21 | ij_file = '' 22 | print('No ij_table') 23 | 24 | ij_file = list(set(ij_file.splitlines())) 25 | ij_his = [[int(x.split()[0], 16), int(x.split()[1], 16) ] for x in ij_file] 26 | 27 | for t in ij_his: 28 | if t[0] not in jump_table: 29 | jump_table[t[0]] = [] 30 | jump_table[t[0]].append(t[1]) 31 | for x in jump_table: 32 | jump_table[x] = list(set(jump_table[x])) 33 | 34 | targets = [x[1] for x in ij_his] 35 | targets.append(entry) 36 | 37 | try: 38 | calleefile = open('./asm/callee_table.txt', 'r', 4096).read() 39 | except Exception as e: 40 | calleefile = '' 41 | print('No callee_table') 42 | callees = [int(x, 16) for x in calleefile.splitlines()] 43 | targets += callees 44 | 45 | targets = list(set(targets)) 46 | 47 | maps = getmap(pid) 48 | targets_of= dict() #map file ID to a list of targets within 49 | for t in targets: 50 | found = 0 51 | for i in range(len(maps)): 52 | if maps[i][0] <= t and maps[i][1] > t: 53 | if i not in targets_of: 54 | targets_of[i] = [] 55 | targets_of[i].append(t) 56 | found = 1 57 | if found == 0: 58 | print('JMP/CALL target', hex(t), 'not found') 59 | exit(0) 60 | 61 | path = "/proc/" + str(pid) +"/mem" 62 | mem_file = open(path, 'rb', 4096) 63 | 64 | res = [] 65 | 66 | for t in targets_of: 67 | [start, end] = maps[t] 68 | mem_file.seek(start) 69 | chunk = mem_file.read(end - start) 70 | res.append([chunk, start, targets_of[t]]) 71 | 72 | mem_file.close() 73 | return res 74 | 75 | def read2(pid, entry): 76 | maps = getmap(pid) 77 | found = 0 78 | for m in maps: 79 | if m[0] <= entry and m[1] > entry: 80 | [start, end] = m[0:2] 81 | found = 1 82 | break 83 | if found == 0: 84 | print('start address not found in memory') 85 | exit(0) 86 | 87 | path = "/proc/" + str(pid) +"/mem" 88 | mem_file = open(path, 'rb', 4096) 89 | mem_file.seek(start) 90 | chunk = mem_file.read(end - start) 91 | mem_file.close() 92 | return chunk, [start, end] 93 | -------------------------------------------------------------------------------- /source_codes/apps/nginx/nginx.conf.default: -------------------------------------------------------------------------------- 1 | 2 | #user nobody; 3 | worker_processes 1; 4 | 5 | #error_log logs/error.log; 6 | #error_log logs/error.log notice; 7 | #error_log logs/error.log info; 8 | 9 | #pid logs/nginx.pid; 10 | 11 | 12 | events { 13 | worker_connections 1024; 14 | } 15 | 16 | 17 | http { 18 | include mime.types; 19 | default_type application/octet-stream; 20 | 21 | #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 22 | # '$status $body_bytes_sent "$http_referer" ' 23 | # '"$http_user_agent" "$http_x_forwarded_for"'; 24 | 25 | #access_log logs/access.log main; 26 | 27 | sendfile on; 28 | #tcp_nopush on; 29 | 30 | #keepalive_timeout 0; 31 | keepalive_timeout 65; 32 | 33 | #gzip on; 34 | 35 | server { 36 | listen 80; 37 | server_name localhost; 38 | 39 | #charset koi8-r; 40 | 41 | #access_log logs/host.access.log main; 42 | 43 | location / { 44 | root html; 45 | index index.html index.htm; 46 | } 47 | 48 | #error_page 404 /404.html; 49 | 50 | # redirect server error pages to the static page /50x.html 51 | # 52 | error_page 500 502 503 504 /50x.html; 53 | location = /50x.html { 54 | root html; 55 | } 56 | 57 | # proxy the PHP scripts to Apache listening on 127.0.0.1:80 58 | # 59 | #location ~ \.php$ { 60 | # proxy_pass http://127.0.0.1; 61 | #} 62 | 63 | # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 64 | # 65 | #location ~ \.php$ { 66 | # root html; 67 | # fastcgi_pass 127.0.0.1:9000; 68 | # fastcgi_index index.php; 69 | # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; 70 | # include fastcgi_params; 71 | #} 72 | 73 | # deny access to .htaccess files, if Apache's document root 74 | # concurs with nginx's one 75 | # 76 | #location ~ /\.ht { 77 | # deny all; 78 | #} 79 | } 80 | 81 | 82 | # another virtual host using mix of IP-, name-, and port-based configuration 83 | # 84 | #server { 85 | # listen 8000; 86 | # listen somename:8080; 87 | # server_name somename alias another.alias; 88 | 89 | # location / { 90 | # root html; 91 | # index index.html index.htm; 92 | # } 93 | #} 94 | 95 | 96 | # HTTPS server 97 | # 98 | #server { 99 | # listen 443 ssl; 100 | # server_name localhost; 101 | 102 | # ssl_certificate cert.pem; 103 | # ssl_certificate_key cert.key; 104 | 105 | # ssl_session_cache shared:SSL:1m; 106 | # ssl_session_timeout 5m; 107 | 108 | # ssl_ciphers HIGH:!aNULL:!MD5; 109 | # ssl_prefer_server_ciphers on; 110 | 111 | # location / { 112 | # root html; 113 | # index index.html index.htm; 114 | # } 115 | #} 116 | 117 | } 118 | -------------------------------------------------------------------------------- /source_codes/ub/zz_disassem/assist.py: -------------------------------------------------------------------------------- 1 | from miasm.expression.expression import ExprMem, ExprId, ExprInt, ExprLoc 2 | 3 | conditional_branch = ["JO", "JNO", "JB", "JAE", 4 | "JZ", "JNZ", "JBE", "JA", 5 | "JS", "JNS", "JPE", "JNP", 6 | "JL", "JGE", "JLE", "JG", 7 | "JCXZ", "JECXZ", "JRCXZ"] 8 | 9 | unconditional_branch = ['JMP', 'JMPF'] 10 | 11 | ops_def_flags = ['CMP', 'TEST', 12 | 'ADD', 'SUB','NEG', 'INC', 'MUL', 'DIV', 13 | 'AND', 'OR', 'XOR', 'NOT', 'SHL', 'SAL', 14 | 'SHR', 'SAR', 'ROL', 'ROR', 'RCL', 'RCR', 15 | 'CLC', 'CLD', 'STC', 'STD'] 16 | 17 | ops_use_flags = conditional_branch + ['LAHF', 'SET', 'CMOV'] 18 | 19 | sz2pfx={128: 'XMMWORD PTR', 64:'QWORD PTR', 32:'DWORD PTR', 16:'WORD PTR', 8: 'BYTE PTR'} 20 | 21 | def check_in_list(name, l): 22 | for i in l: 23 | if name.find(i) != -1: 24 | return True 25 | return False 26 | 27 | def check_flag_def_use(lines): 28 | can_check = False 29 | ret = [] 30 | for line in reversed(lines): 31 | name = get_inst_name(line) 32 | if check_in_list(name, ops_def_flags): 33 | can_check = True 34 | elif check_in_list(name, ops_use_flags): 35 | can_check = False 36 | ret.append(can_check) 37 | return ret 38 | 39 | 40 | def make_mem_dict(size, regs=[], im=0): 41 | res = {'sz':size, 'regs':[], 'im':'','mul':[]} 42 | if im != 0: 43 | res['im'] = ExprInt(im, 64) 44 | for reg in regs: 45 | res['regs'].append(ExprId(reg, 64)) 46 | return res 47 | 48 | 49 | def im64_abs(arg): 50 | if isinstance(arg, ExprInt) and (arg.size == 64): 51 | return 'ABS' 52 | else: 53 | return '' 54 | 55 | def make_inst(name, args): 56 | processed_args = [] 57 | if not isinstance(args, list): 58 | args = [args] 59 | for arg in args: 60 | if isinstance(arg, str): 61 | processed_args.append(arg) 62 | elif isinstance(arg, dict): 63 | if len(arg['regs']) + len(arg['mul'])/2 > 3: 64 | print('Warning: segment register overflow') 65 | res =[] 66 | for reg in arg['regs']: 67 | res.append(str(reg)) 68 | if arg['im'] != '': 69 | res.append(str(arg['im'])) 70 | if arg['mul'] != []: 71 | res.append(str(arg['mul'][0]) + ' * ' + str(arg['mul'][1])) 72 | res = sz2pfx[arg['sz']] + ' [' + ' + '.join(res) + ']' 73 | processed_args.append(res) 74 | else: 75 | processed_args.append(str(arg)) 76 | return "%-15s "%name + ', '.join(processed_args) + '\n' 77 | 78 | def get_inst_name(inst ): 79 | o = inst.name 80 | if inst.additional_info.g1.value & 1: 81 | o = "LOCK %s" % o 82 | if inst.additional_info.g1.value & 2: 83 | if getattr(inst.additional_info.prefixed, 'default', b"") != b"\xF2": 84 | o = "REPNE %s" % o 85 | if inst.additional_info.g1.value & 8: 86 | if getattr(inst.additional_info.prefixed, 'default', b"") != b"\xF3": 87 | o = "REP %s" % o 88 | elif inst.additional_info.g1.value & 4: 89 | if getattr(inst.additional_info.prefixed, 'default', b"") != b"\xF3": 90 | o = "REPE %s" % o 91 | return o -------------------------------------------------------------------------------- /source_codes/apps/nginx/koi-utf: -------------------------------------------------------------------------------- 1 | 2 | # This map is not a full koi8-r <> utf8 map: it does not contain 3 | # box-drawing and some other characters. Besides this map contains 4 | # several koi8-u and Byelorussian letters which are not in koi8-r. 5 | # If you need a full and standard map, use contrib/unicode2nginx/koi-utf 6 | # map instead. 7 | 8 | charset_map koi8-r utf-8 { 9 | 10 | 80 E282AC ; # euro 11 | 12 | 95 E280A2 ; # bullet 13 | 14 | 9A C2A0 ; #   15 | 16 | 9E C2B7 ; # · 17 | 18 | A3 D191 ; # small yo 19 | A4 D194 ; # small Ukrainian ye 20 | 21 | A6 D196 ; # small Ukrainian i 22 | A7 D197 ; # small Ukrainian yi 23 | 24 | AD D291 ; # small Ukrainian soft g 25 | AE D19E ; # small Byelorussian short u 26 | 27 | B0 C2B0 ; # ° 28 | 29 | B3 D081 ; # capital YO 30 | B4 D084 ; # capital Ukrainian YE 31 | 32 | B6 D086 ; # capital Ukrainian I 33 | B7 D087 ; # capital Ukrainian YI 34 | 35 | B9 E28496 ; # numero sign 36 | 37 | BD D290 ; # capital Ukrainian soft G 38 | BE D18E ; # capital Byelorussian short U 39 | 40 | BF C2A9 ; # (C) 41 | 42 | C0 D18E ; # small yu 43 | C1 D0B0 ; # small a 44 | C2 D0B1 ; # small b 45 | C3 D186 ; # small ts 46 | C4 D0B4 ; # small d 47 | C5 D0B5 ; # small ye 48 | C6 D184 ; # small f 49 | C7 D0B3 ; # small g 50 | C8 D185 ; # small kh 51 | C9 D0B8 ; # small i 52 | CA D0B9 ; # small j 53 | CB D0BA ; # small k 54 | CC D0BB ; # small l 55 | CD D0BC ; # small m 56 | CE D0BD ; # small n 57 | CF D0BE ; # small o 58 | 59 | D0 D0BF ; # small p 60 | D1 D18F ; # small ya 61 | D2 D180 ; # small r 62 | D3 D181 ; # small s 63 | D4 D182 ; # small t 64 | D5 D183 ; # small u 65 | D6 D0B6 ; # small zh 66 | D7 D0B2 ; # small v 67 | D8 D18C ; # small soft sign 68 | D9 D18B ; # small y 69 | DA D0B7 ; # small z 70 | DB D188 ; # small sh 71 | DC D18D ; # small e 72 | DD D189 ; # small shch 73 | DE D187 ; # small ch 74 | DF D18A ; # small hard sign 75 | 76 | E0 D0AE ; # capital YU 77 | E1 D090 ; # capital A 78 | E2 D091 ; # capital B 79 | E3 D0A6 ; # capital TS 80 | E4 D094 ; # capital D 81 | E5 D095 ; # capital YE 82 | E6 D0A4 ; # capital F 83 | E7 D093 ; # capital G 84 | E8 D0A5 ; # capital KH 85 | E9 D098 ; # capital I 86 | EA D099 ; # capital J 87 | EB D09A ; # capital K 88 | EC D09B ; # capital L 89 | ED D09C ; # capital M 90 | EE D09D ; # capital N 91 | EF D09E ; # capital O 92 | 93 | F0 D09F ; # capital P 94 | F1 D0AF ; # capital YA 95 | F2 D0A0 ; # capital R 96 | F3 D0A1 ; # capital S 97 | F4 D0A2 ; # capital T 98 | F5 D0A3 ; # capital U 99 | F6 D096 ; # capital ZH 100 | F7 D092 ; # capital V 101 | F8 D0AC ; # capital soft sign 102 | F9 D0AB ; # capital Y 103 | FA D097 ; # capital Z 104 | FB D0A8 ; # capital SH 105 | FC D0AD ; # capital E 106 | FD D0A9 ; # capital SHCH 107 | FE D0A7 ; # capital CH 108 | FF D0AA ; # capital hard sign 109 | } 110 | -------------------------------------------------------------------------------- /source_codes/kernel_modify/linux-5.4.44.patch: -------------------------------------------------------------------------------- 1 | diff --color -uNr linux-5.4.44/arch/x86/entry/common.c linux-5.4.44_cp/arch/x86/entry/common.c 2 | --- linux-5.4.44/arch/x86/entry/common.c 2020-06-03 14:21:39 3 | +++ linux-5.4.44_cp/arch/x86/entry/common.c 2023-05-08 10:35:38 4 | @@ -274,11 +274,15 @@ 5 | prepare_exit_to_usermode(regs); 6 | } 7 | 8 | +void(*zz_var)(struct pt_regs *, unsigned long ts); 9 | +EXPORT_SYMBOL(zz_var); 10 | + 11 | + 12 | #ifdef CONFIG_X86_64 13 | __visible void do_syscall_64(unsigned long nr, struct pt_regs *regs) 14 | { 15 | struct thread_info *ti; 16 | - 17 | + unsigned long ts = ktime_get_boottime_ns(); 18 | enter_from_user_mode(); 19 | local_irq_enable(); 20 | ti = current_thread_info(); 21 | @@ -290,13 +294,14 @@ 22 | regs->ax = sys_call_table[nr](regs); 23 | #ifdef CONFIG_X86_X32_ABI 24 | } else if (likely((nr & __X32_SYSCALL_BIT) && 25 | - (nr & ~__X32_SYSCALL_BIT) < X32_NR_syscalls)) { 26 | + (nr & ~__X32_SYSCALL_BIT) < X32_NR_syscalls)) { 27 | nr = array_index_nospec(nr & ~__X32_SYSCALL_BIT, 28 | - X32_NR_syscalls); 29 | + X32_NR_syscalls); 30 | regs->ax = x32_sys_call_table[nr](regs); 31 | #endif 32 | } 33 | - 34 | + if(zz_var != NULL) 35 | + (*zz_var)(regs, ts); 36 | syscall_return_slowpath(regs); 37 | } 38 | #endif 39 | diff --color -uNr linux-5.4.44/arch/x86/mm/fault.c linux-5.4.44_cp/arch/x86/mm/fault.c 40 | --- linux-5.4.44/arch/x86/mm/fault.c 2020-06-03 14:21:39 41 | +++ linux-5.4.44_cp/arch/x86/mm/fault.c 2023-05-08 10:39:20 42 | @@ -729,6 +729,7 @@ 43 | no_context(struct pt_regs *regs, unsigned long error_code, 44 | unsigned long address, int signal, int si_code) 45 | { 46 | + int (*UB_fault_address_space)(unsigned long, struct task_struct *, unsigned long); 47 | struct task_struct *tsk = current; 48 | unsigned long flags; 49 | int sig; 50 | @@ -769,6 +770,34 @@ 51 | * Barring that, we can do the fixup and be happy. 52 | */ 53 | return; 54 | + } 55 | + 56 | + UB_fault_address_space = (void*) kallsyms_lookup_name("UB_fault_address_space"); 57 | + 58 | + if(UB_fault_address_space){ 59 | + int ret = UB_fault_address_space(address, tsk, regs->r13); 60 | + /* 61 | + * ret = 1 means UB_fault_address_space() 62 | + * determins that this fault is caused by UB, 63 | + * (in UDS SFI calling, R13 will be the Base address) 64 | + * so we will handle that; 65 | + */ 66 | + if(ret==1){ 67 | + /* 68 | + * Return an error to UB; 69 | + * firstly we lookup and call UB_SFI_error_handler() 70 | + * it will return a fix_up function in the context 71 | + */ 72 | + unsigned long (*UB_SFI_error_handler)(int); 73 | + unsigned long UB_error_return; 74 | + 75 | + UB_SFI_error_handler = (void*) kallsyms_lookup_name("UB_SFI_error_handler"); 76 | + if(UB_SFI_error_handler){ 77 | + UB_error_return = UB_SFI_error_handler(-0x200); // -0x200 means address access error; 78 | + regs->ip = UB_error_return; 79 | + return; 80 | + } 81 | + } 82 | } 83 | 84 | #ifdef CONFIG_VMAP_STACK 85 | diff --color -uNr linux-5.4.44/arch/x86/mm/pageattr.c linux-5.4.44_cp/arch/x86/mm/pageattr.c 86 | --- linux-5.4.44/arch/x86/mm/pageattr.c 2020-06-03 14:21:39 87 | +++ linux-5.4.44_cp/arch/x86/mm/pageattr.c 2023-05-08 10:40:08 88 | @@ -1889,6 +1889,7 @@ 89 | 90 | return change_page_attr_clear(&addr, numpages, __pgprot(_PAGE_NX), 0); 91 | } 92 | +EXPORT_SYMBOL(set_memory_x); 93 | 94 | int set_memory_nx(unsigned long addr, int numpages) 95 | { 96 | -------------------------------------------------------------------------------- /source_codes/apps/socket/udp/raw_socket_udp.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | #include //For standard things 3 | #include //malloc 4 | #include //memset 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include //Provides declarations for icmp header 11 | #include //Provides declarations for udp header 12 | #include //Provides declarations for tcp header 13 | #include //Provides declarations for ip header 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | #include 24 | 25 | pthread_spinlock_t lock; 26 | 27 | void attach_cpu(int cpu){ 28 | cpu_set_t mask; 29 | cpu_set_t get; 30 | int num=48; 31 | CPU_ZERO(&mask); 32 | CPU_SET(cpu, &mask); 33 | if (sched_setaffinity(0, sizeof(mask), &mask) == -1) 34 | { 35 | printf("warning: could not set CPU affinity, continuing...\n"); 36 | } 37 | 38 | CPU_ZERO(&get); 39 | if (sched_getaffinity(0, sizeof(get), &get) == -1) 40 | { 41 | printf("warning: cound not get thread affinity, continuing...\n"); 42 | } 43 | for(int i=0; i< num; i++){ 44 | if(CPU_ISSET(i, &get)) 45 | printf("this thread is running on processor : %d\n",i); 46 | } 47 | } 48 | 49 | 50 | 51 | int sock_raw; 52 | int udp=0, total=0; 53 | 54 | //int Batch = 35619357; 55 | int Batch = 10000000; 56 | int Batch2 = 4000000; 57 | //int Batch2 = 35619357; 58 | clock_t sniff(int flag, int sum){ 59 | 60 | unsigned char *buffer = (unsigned char *)malloc(4096); 61 | int i=0; 62 | int total = 0; 63 | int saddr_size, data_size; 64 | struct sockaddr saddr; 65 | saddr_size = sizeof saddr; 66 | int threshold = flag?Batch:Batch2; 67 | clock_t start = clock(); 68 | while(i++ 2 | #include 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "stat.h" 10 | #include "exe.h" 11 | extern unsigned long start_do_syscall; 12 | 13 | extern struct per_cpu_info* info; 14 | extern int num_cpus; 15 | const int num_pg = 160; 16 | unsigned long zz_sys_call_table; 17 | 18 | unsigned long btc_t = 0; 19 | 20 | struct exe_info* exes; 21 | 22 | struct exe_info* get_exe(unsigned int pid, unsigned long ip){ 23 | int pos = zz_hash(pid, ip)%max_exe; 24 | return &exes[pos]; 25 | } 26 | 27 | void exe_init(){ 28 | int i; 29 | exes = (struct exe_info* ) vmalloc(sizeof(struct exe_info)*max_exe); 30 | for(i=0;istatus_code != un_used) 41 | return; 42 | 43 | if(added > 62){ 44 | return; 45 | } 46 | added ++; 47 | p->pid = pid; 48 | p->RIP = RIP; 49 | 50 | mem = vmalloc(4096*num_pg); 51 | set_memory_x((unsigned long)mem, num_pg); 52 | 53 | p->code_block = mem; 54 | p->status_code = un_init; 55 | 56 | } 57 | 58 | void exe_exit(void){ 59 | vfree(exes); 60 | return; 61 | } 62 | 63 | 64 | /*args is used to pass arguments to code block 65 | For input, the first arg is fs, and second being gs. 66 | For output, the first is return_code, or the address of indirect jump. 67 | */ 68 | 69 | void exe_on_call(struct pt_regs* regs){ 70 | 71 | int pid = task_pid_nr(current); 72 | unsigned long args[2]; 73 | void (*virt_ptr)(struct pt_regs* regs, unsigned long* args); 74 | unsigned long (*syscall_ptr)(struct pt_regs* regs); 75 | struct exe_info* exe; 76 | 77 | 78 | while(1){//chaining 79 | 80 | exe = get_exe(pid,regs->ip); 81 | if(exe->status_code != normal || \ 82 | exe->RIP != regs->ip || exe->pid != pid) 83 | break; 84 | 85 | stac(); 86 | virt_ptr = exe->code_block; 87 | args[0] = x86_fsbase_read_cpu(); 88 | args[1] = 0; 89 | 90 | virt_ptr(regs, args); 91 | // clac(); 92 | if(args[0] == normal){//syscall 93 | regs->ip += 2; 94 | regs->cx = regs->ip; 95 | regs->r11 = regs->flags; 96 | regs->orig_ax = regs->ax; 97 | regs->ax = -38; 98 | if(regs->orig_ax <= 436 && regs->orig_ax >= 0){ // legal syscall 99 | syscall_ptr = (void*)(*(unsigned long*)(zz_sys_call_table + 8*regs->orig_ax)); 100 | regs->ax = syscall_ptr(regs); 101 | exe->success_cnt++; 102 | } 103 | }else if(exe->success_cnt < exe->fail_cnt && args[0] == call_miss){//missing call 104 | exe->tgt_addr = regs->ip; 105 | exe->status_code = call_miss; 106 | exe->fail_cnt++; 107 | }else if(exe->success_cnt < exe->fail_cnt ){//ij 108 | exe->tgt_addr = regs->ip; 109 | exe->jump_from = args[0]; 110 | exe->status_code = ij_miss; 111 | exe->fail_cnt++; 112 | }else{ 113 | exe->fail_cnt++; 114 | } 115 | if((exe->success_cnt+exe->fail_cnt) % 500000 == 1){ 116 | printk(KERN_INFO "%d %lx %ld calls combined, %ld calls failed\n",exe->pid, exe->RIP, exe->success_cnt,exe->fail_cnt); 117 | } 118 | 119 | } 120 | 121 | 122 | clac(); 123 | // if(index) 124 | // clac(); 125 | } 126 | -------------------------------------------------------------------------------- /source_codes/apps/nginx/win-utf: -------------------------------------------------------------------------------- 1 | 2 | # This map is not a full windows-1251 <> utf8 map: it does not 3 | # contain Serbian and Macedonian letters. If you need a full map, 4 | # use contrib/unicode2nginx/win-utf map instead. 5 | 6 | charset_map windows-1251 utf-8 { 7 | 8 | 82 E2809A ; # single low-9 quotation mark 9 | 10 | 84 E2809E ; # double low-9 quotation mark 11 | 85 E280A6 ; # ellipsis 12 | 86 E280A0 ; # dagger 13 | 87 E280A1 ; # double dagger 14 | 88 E282AC ; # euro 15 | 89 E280B0 ; # per mille 16 | 17 | 91 E28098 ; # left single quotation mark 18 | 92 E28099 ; # right single quotation mark 19 | 93 E2809C ; # left double quotation mark 20 | 94 E2809D ; # right double quotation mark 21 | 95 E280A2 ; # bullet 22 | 96 E28093 ; # en dash 23 | 97 E28094 ; # em dash 24 | 25 | 99 E284A2 ; # trade mark sign 26 | 27 | A0 C2A0 ; #   28 | A1 D18E ; # capital Byelorussian short U 29 | A2 D19E ; # small Byelorussian short u 30 | 31 | A4 C2A4 ; # currency sign 32 | A5 D290 ; # capital Ukrainian soft G 33 | A6 C2A6 ; # borken bar 34 | A7 C2A7 ; # section sign 35 | A8 D081 ; # capital YO 36 | A9 C2A9 ; # (C) 37 | AA D084 ; # capital Ukrainian YE 38 | AB C2AB ; # left-pointing double angle quotation mark 39 | AC C2AC ; # not sign 40 | AD C2AD ; # soft hypen 41 | AE C2AE ; # (R) 42 | AF D087 ; # capital Ukrainian YI 43 | 44 | B0 C2B0 ; # ° 45 | B1 C2B1 ; # plus-minus sign 46 | B2 D086 ; # capital Ukrainian I 47 | B3 D196 ; # small Ukrainian i 48 | B4 D291 ; # small Ukrainian soft g 49 | B5 C2B5 ; # micro sign 50 | B6 C2B6 ; # pilcrow sign 51 | B7 C2B7 ; # · 52 | B8 D191 ; # small yo 53 | B9 E28496 ; # numero sign 54 | BA D194 ; # small Ukrainian ye 55 | BB C2BB ; # right-pointing double angle quotation mark 56 | 57 | BF D197 ; # small Ukrainian yi 58 | 59 | C0 D090 ; # capital A 60 | C1 D091 ; # capital B 61 | C2 D092 ; # capital V 62 | C3 D093 ; # capital G 63 | C4 D094 ; # capital D 64 | C5 D095 ; # capital YE 65 | C6 D096 ; # capital ZH 66 | C7 D097 ; # capital Z 67 | C8 D098 ; # capital I 68 | C9 D099 ; # capital J 69 | CA D09A ; # capital K 70 | CB D09B ; # capital L 71 | CC D09C ; # capital M 72 | CD D09D ; # capital N 73 | CE D09E ; # capital O 74 | CF D09F ; # capital P 75 | 76 | D0 D0A0 ; # capital R 77 | D1 D0A1 ; # capital S 78 | D2 D0A2 ; # capital T 79 | D3 D0A3 ; # capital U 80 | D4 D0A4 ; # capital F 81 | D5 D0A5 ; # capital KH 82 | D6 D0A6 ; # capital TS 83 | D7 D0A7 ; # capital CH 84 | D8 D0A8 ; # capital SH 85 | D9 D0A9 ; # capital SHCH 86 | DA D0AA ; # capital hard sign 87 | DB D0AB ; # capital Y 88 | DC D0AC ; # capital soft sign 89 | DD D0AD ; # capital E 90 | DE D0AE ; # capital YU 91 | DF D0AF ; # capital YA 92 | 93 | E0 D0B0 ; # small a 94 | E1 D0B1 ; # small b 95 | E2 D0B2 ; # small v 96 | E3 D0B3 ; # small g 97 | E4 D0B4 ; # small d 98 | E5 D0B5 ; # small ye 99 | E6 D0B6 ; # small zh 100 | E7 D0B7 ; # small z 101 | E8 D0B8 ; # small i 102 | E9 D0B9 ; # small j 103 | EA D0BA ; # small k 104 | EB D0BB ; # small l 105 | EC D0BC ; # small m 106 | ED D0BD ; # small n 107 | EE D0BE ; # small o 108 | EF D0BF ; # small p 109 | 110 | F0 D180 ; # small r 111 | F1 D181 ; # small s 112 | F2 D182 ; # small t 113 | F3 D183 ; # small u 114 | F4 D184 ; # small f 115 | F5 D185 ; # small kh 116 | F6 D186 ; # small ts 117 | F7 D187 ; # small ch 118 | F8 D188 ; # small sh 119 | F9 D189 ; # small shch 120 | FA D18A ; # small hard sign 121 | FB D18B ; # small y 122 | FC D18C ; # small soft sign 123 | FD D18D ; # small e 124 | FE D18E ; # small yu 125 | FF D18F ; # small ya 126 | } 127 | -------------------------------------------------------------------------------- /source_codes/ub/zz_daemon/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include "exe.h" 8 | 9 | char *sys_path = "/sys/kernel/zz_sys/etx_value"; 10 | 11 | const unsigned long targets[] = {0x7ffff7fa1abb, 0x7ffff7de6487, 0x7ffff7df274e, 0x7ffff7de4fae, 0x7ffff7fa1437, 0x007ffff7fa76ca, 0x07ffff7ed116a, 0x007ffff7e5232f}; 12 | 13 | unsigned long records[1024] = {}; 14 | int cnts = 0; 15 | 16 | int compile_count = 0; 17 | 18 | int in_targets(unsigned long ip, int pid){ 19 | for(int i =0;i< sizeof(targets)/sizeof(unsigned long);i++){ 20 | if(ip == targets[i]){ 21 | return 1; 22 | } 23 | } 24 | return 0; 25 | } 26 | 27 | int in_records(unsigned long ip, int pid){ 28 | for(int i=0; i 0){ 87 | fp = fopen(sys_path, "wb"); 88 | pkt.status_code = (rest_len <= max_pay? 0: -1); 89 | to_copy_len = rest_len <= max_pay? rest_len: max_pay; 90 | memcpy(o_buf, &pkt, sizeof(pkt)); 91 | memcpy(o_buf + sizeof(pkt), i_buf + pkt.offset, to_copy_len); 92 | rest_len -= to_copy_len; 93 | pkt.offset += to_copy_len; 94 | printf("."); 95 | fwrite(o_buf, 1, sizeof(pkt) + to_copy_len, fp); 96 | fclose(fp); 97 | } 98 | } 99 | 100 | void check(){ 101 | int len, total_len, sz = sizeof(struct exe_info); 102 | struct exe_info* exe; 103 | FILE *fp; 104 | char cmd[1024], buffer[4096*256]; 105 | 106 | len = read_sys(buffer); 107 | exe = (struct exe_info*) buffer; 108 | 109 | for(int i =0;iRIP, exe->pid)){ 112 | if(!in_records(exe->RIP, exe->pid)){ 113 | printf("#### warning: syscall address %p is not in the white-list, it will not be boosted ####\n", (void *)exe->RIP); 114 | records[cnts] = (unsigned long)exe->RIP; 115 | cnts ++; 116 | } 117 | continue; 118 | } 119 | 120 | if(exe->status_code == 0){ 121 | continue; 122 | } 123 | if(exe->status_code == un_init){ 124 | sprintf(cmd, "mkdir -p ./%p && cp -rf ./asm/ ./%p/",(void*)exe->RIP, (void*)exe->RIP); 125 | printf("%5d %p Initialization",exe->pid, (void*)exe->RIP); 126 | }else if (exe->status_code == call_miss){ 127 | sprintf(cmd,"echo %p >> ./%p/asm/callee_table.txt", (void*)exe->tgt_addr, (void*)exe->RIP); 128 | printf("%5d %p Missing Call at: %p",exe->pid, (void*)exe->RIP, (void*)exe->tgt_addr); 129 | }else if(exe->status_code == ij_miss){ 130 | sprintf(cmd, "echo '%p %p' >> ./%p/asm/ij_table.txt", (void*)exe->jump_from, (void*)exe->tgt_addr, (void*)exe->RIP); 131 | printf("%5d %p Indirect Jump at %p %p",exe->pid, (void*)exe->RIP, (void*)exe->jump_from, (void*)exe->tgt_addr); 132 | }else{ 133 | printf("%5d %p Unrecognized Code %d",exe->pid, (void*)exe->RIP, exe->status_code); 134 | continue; 135 | } 136 | if(cmd[0] && !cmd_history(cmd)){ 137 | printf(" Compiling"); 138 | system(cmd); 139 | compile(exe->pid, (void*) exe->RIP); 140 | }else{ 141 | printf(" Compile saved"); 142 | } 143 | 144 | write_sys(exe->pid, exe->RIP); 145 | printf("\n"); 146 | } 147 | } 148 | 149 | int main(){ 150 | system("rm -rf 0x*"); 151 | while(1){ 152 | check(); 153 | usleep(100*1000); 154 | } 155 | } 156 | -------------------------------------------------------------------------------- /source_codes/ub/zz_disassem/special_inst.py: -------------------------------------------------------------------------------- 1 | from miasm.expression.expression import ExprMem, ExprId, ExprInt, ExprLoc, ExprOp 2 | from assist import * 3 | from normal import * 4 | from disassem import * 5 | 6 | special_instruction = ['NOP', 'CALL', 'RET', 'POP', 'PUSH', 'LEAVE', 'PUSHF', 'POPF', 'ENDBR64', 'SYSCALL', 'INVLPG'] 7 | 8 | def process_jump(name, line, arg, offset, db, reg_map): 9 | ret_str = '' 10 | if isinstance(arg, ExprLoc): 11 | ret_str += release_conflict(reg_map) 12 | ret_str += make_inst(name, line.arg2str(arg, 0, db) ) 13 | elif isinstance(arg, ExprMem): 14 | ret_str = conflict_resolve(reg_map, set(['T2'])) 15 | ret_str += process_normal('MOV', [ExprId('RT2', 64), arg], offset, reg_map) 16 | ret_str += process_jump(name, line, ExprId('RT2', 64), offset, db, reg_map) 17 | elif isinstance(arg, ExprId): 18 | ret_str += release_conflict(reg_map) 19 | dst_tgt = 'R' + reverse_reg(reg_map, arg) 20 | if dst_tgt != 'R14': 21 | ret_str += make_inst('MOV', ['R14', dst_tgt]) 22 | ret_str += make_inst(name, [ 'ij_'+hex(offset)[2:]]) 23 | else: 24 | print('Warning: Unresolved args used by' + name ) 25 | return ret_str 26 | 27 | def special_inst_dispatch(line, args, offset, db, reg_map, block_end): 28 | ret_str = '' 29 | name = get_inst_name(line) 30 | if name == 'ENDBR64' or line.name =='NOP': 31 | ret_str += 'NOP\n' 32 | ret_str += release_conflict(reg_map, block_end) 33 | elif name == 'CALL': 34 | ret_str += conflict_resolve(reg_map, set(['T2'])) 35 | ret_str += process_normal('MOVABS', [ExprId('RT2', 64), ExprInt(offset, 64)], offset, reg_map) 36 | ret_str += process_push(ExprId('RT2', 64), offset, reg_map) 37 | ret_str += process_jump('JMP', line, args[0], offset, db, reg_map) 38 | elif name == 'PUSH': 39 | ret_str += process_push(args[0], offset, reg_map) 40 | ret_str += release_conflict(reg_map, block_end) 41 | elif name == 'POP': 42 | ret_str += process_pop(args[0], offset, reg_map) 43 | ret_str += release_conflict(reg_map, block_end) 44 | elif name == 'RET': 45 | ret_str += conflict_resolve(reg_map, set(['T2'])) 46 | ret_str += process_pop(ExprId('RT2', 64), offset, reg_map) 47 | ret_str += process_jump('JMP', line, ExprId('RT2', 64), offset, db, reg_map) 48 | elif name == 'LEAVE': 49 | ret_str += process_normal('MOV', [ExprId('RSP', 64), ExprId('RBP', 64)], offset, reg_map) 50 | ret_str += process_pop(ExprId('RBP', 64), offset, reg_map) 51 | ret_str += release_conflict(reg_map, block_end) 52 | elif name == 'SYSCALL': 53 | ret_str += make_inst('MOVABS', ['R14', hex(offset-2)]) 54 | ret_str += make_inst('JMP', ['comp_syscall']) 55 | elif name == 'INVLPG': 56 | ret_str += make_inst('MOVABS', ['R14', hex(offset-2)]) 57 | ret_str += make_inst('JMP', ['ill_inst']) 58 | else: 59 | print('Warning: Unsopported sepcial op ' + name + '\n') 60 | return ret_str 61 | 62 | 63 | def process_push(arg, offset, reg_map): 64 | ret_str = '' 65 | ret_str += process_normal('LEA', [ExprId('RSP', 64),\ 66 | make_mem_dict(64,['RSP'], -1* arg.size/8) \ 67 | ], offset, reg_map) 68 | if not isinstance(arg, ExprMem): 69 | if isinstance(arg, ExprInt): 70 | arg = ExprInt(int(str(arg),16), 32) 71 | ret_str += process_normal('MOV' + im64_abs(arg), [\ 72 | make_mem_dict(arg.size, ['RSP']), arg], offset, reg_map) 73 | else: 74 | ret_str += conflict_resolve(reg_map, set(['T1'])) 75 | ret_str += process_normal('MOV', [ExprId('RT1', 64), arg], offset, reg_map) 76 | ret_str += process_normal('MOV', [make_mem_dict(64, ['RSP']), \ 77 | ExprId('RT1', 64)], offset, reg_map) 78 | release_tmp_conflict(reg_map) 79 | return ret_str 80 | 81 | 82 | def process_pop(arg, offset, reg_map): 83 | ret_str = '' 84 | if not isinstance(arg, ExprMem): 85 | ret_str += process_normal('MOV', [arg, \ 86 | make_mem_dict(64, ['RSP'])], offset, reg_map) 87 | else: 88 | ret_str += conflict_resolve(reg_map, set(['T1'])) 89 | ret_str += process_normal('MOV', [ExprId('RT1', 64), \ 90 | make_mem_dict(64, ['RSP'])], offset, reg_map) 91 | ret_str += process_normal('MOV', [arg, ExprId('RT1', 64)], offset, reg_map) 92 | release_tmp_conflict(reg_map) 93 | 94 | ret_str += process_normal('LEA', [ExprId('RSP', 64),\ 95 | make_mem_dict(64,['RSP'], arg.size/8) ], offset, reg_map) 96 | return ret_str 97 | 98 | 99 | 100 | -------------------------------------------------------------------------------- /source_codes/ub/zz_disassem/normal.py: -------------------------------------------------------------------------------- 1 | from miasm.expression.expression import ExprMem, ExprId, ExprInt, ExprLoc, ExprOp 2 | from conflict import * 3 | from assist import * 4 | 5 | checked_regs = set() 6 | 7 | def check_mem_base_block_init(): 8 | global checked_regs 9 | checked_regs = set() 10 | 11 | def extract_reg(arg, regs): 12 | if isinstance(arg, dict): 13 | regs.update(arg['regs']) 14 | if arg['mul'] != []: 15 | regs.add(arg['mul'][1]) #To change 16 | elif isinstance(arg, ExprId): 17 | regs.add(arg) 18 | 19 | def get_mem_base(name, purified_args): 20 | to_check_regs = [] 21 | if name != 'LEA': 22 | for arg in purified_args: 23 | if isinstance(arg, dict): 24 | if len(arg['regs']) > 1: 25 | continue 26 | for reg in arg['regs']: 27 | rg = str(reg) 28 | if rg[-1] == 'P': # or rg[-1] == 'S': 29 | continue 30 | to_check_regs.append(reg) 31 | return to_check_regs 32 | 33 | def process_normal(name, args, offset, reg_map, can_check = False): 34 | purified_args = [] 35 | conflict_regs = set() 36 | regs = set() 37 | pre_inst = '' 38 | post_inst = '' 39 | check_inst = '' 40 | clob_flag = False 41 | for arg in args: 42 | arg= arg_purify(arg, offset) 43 | purified_args.append(arg) 44 | extract_reg(arg, regs) 45 | for reg in regs: 46 | extract_conflict_regs(reg, conflict_regs) 47 | 48 | global checked_regs 49 | to_check_regs = set(get_mem_base(name,purified_args)) - checked_regs 50 | 51 | if len(purified_args)>0 and isinstance(purified_args[0], ExprId): 52 | checked_regs.discard(purified_args[0]) 53 | checked_regs = checked_regs.union(to_check_regs) 54 | 55 | if(len(conflict_regs) >0): 56 | pre_inst = conflict_resolve(reg_map, conflict_regs, offset) 57 | purified_args = apply_map(purified_args, reg_map) 58 | to_check_regs = apply_map(to_check_regs, reg_map) 59 | release_IP(reg_map) 60 | post_inst = recover_stable(reg_map, conflict_regs) 61 | 62 | 63 | if len(to_check_regs) > 0 and not can_check: 64 | clob_flag = True 65 | check_inst += 'PUSHF\n' 66 | for reg in to_check_regs: 67 | if clob_flag: 68 | jmp_target = 'seg_error2' 69 | else: 70 | jmp_target = 'seg_error' 71 | 72 | check_inst += make_inst('SHL', [reg, 1]) + make_inst('SHR', [reg, 1]) 73 | if clob_flag: 74 | check_inst += 'POPF\n' 75 | 76 | if len(to_check_regs) > 1 or not can_check: 77 | check_inst = '' 78 | 79 | return pre_inst + check_inst + make_inst(name, purified_args) + post_inst 80 | 81 | def mem_addr(arg, res): 82 | if isinstance(arg, ExprOp): 83 | if arg._op == '+': 84 | for x in list(arg._args): 85 | mem_addr(x, res) 86 | elif arg._op == '*': 87 | if len(res['mul']) > 0: 88 | print('Warning: Multiple index') 89 | return 90 | if isinstance(arg._args[0], ExprId) and isinstance(arg._args[1], ExprInt): 91 | res['mul'].append(arg._args[1]) 92 | res['mul'].append(arg._args[0]) 93 | 94 | if(res['mul'][0]._arg % 2 == 1): 95 | res['mul'][0]._arg = res['mul'][0]._arg -1 96 | res['regs'].append(arg._args[0]) 97 | else: 98 | print('Warning: Index incorrect') 99 | else: 100 | print('Warning: Unresolved addressing op') 101 | elif isinstance(arg, ExprId): 102 | res['regs'].append(arg) 103 | elif isinstance(arg, ExprInt): 104 | res['im'] = arg 105 | else: 106 | print('Warning: Unresolved addressing args') 107 | 108 | def arg_purify(arg, offset): 109 | if isinstance(arg, ExprOp): 110 | print('Warning: Unresolved arg in arg_purify') 111 | return '' 112 | if isinstance(arg, ExprMem): 113 | res = {'sz':arg.size, 'regs':[], 'im':'','mul':[]} 114 | if arg.is_mem_segm(): 115 | res['regs'].append(ExprId('R' + str(arg._ptr.args[0]), 64)) 116 | arg = arg._ptr.args[1] 117 | else: 118 | arg = arg._ptr 119 | mem_addr(arg, res) 120 | return res 121 | elif isinstance(arg, ExprId): 122 | return arg 123 | elif isinstance(arg, ExprInt): 124 | return arg 125 | elif isinstance(arg, dict): 126 | return arg 127 | else: 128 | print('Warning: Unresolved args used by target', offset) 129 | -------------------------------------------------------------------------------- /source_codes/apps/io_file/common.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include "sys/time.h" 11 | #include // standard integer types, e.g., uint32_t 12 | #include // for signal handler 13 | #include // strerror() function converts errno to a text string for printing 14 | #include // for open() 15 | #include // errno support 16 | #include // assert() function 17 | #include // support for mmap() function 18 | #include // required for 1GiB page support in mmap() 19 | #include // for pow() function used in RAPL computations 20 | #include 21 | #include // for gettimeofday 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | 33 | 34 | /* 35 | !!! Change according to the specific CPU freq 36 | */ 37 | 38 | #define CPU_NUM 24 39 | #define CPU_HZ 2500000000.0 40 | 41 | /* Buffer */ 42 | #define Dot_Num 0x800000 43 | #define READ_ORDER 0 // 0:sequencen 1:fixed(very slow) 2: random 44 | 45 | /* For random read: depends on the file size*/ 46 | #define RAND_LIM (4UL) 47 | #define RAND_LIM_PAGE (RAND_LIM*1024UL*1024*1024) 48 | #define LIM_MAX (RAND_LIM*1024UL*1024*1024) 49 | /* The Files need big enough */ 50 | 51 | 52 | /* IO URING PARAMETERS*/ 53 | #define QD 512 54 | #define REG_SIZE 128 55 | #define AFF_CPU 10 56 | #define WAIT_DELAY 2000000 // ms 57 | 58 | /* the fast rand algorithm, 59 | modifyed from https://stackoverflow.com/questions/1640258/need-a-fast-random-generator-for-c 60 | */ 61 | static unsigned long x=123456789, y=362436069, z=521288629; 62 | static unsigned long inline fastrand(void) { 63 | // xorshf96 //period 2^96-1 64 | unsigned long t; 65 | x ^= x << 16; 66 | x ^= x >> 5; 67 | x ^= x << 1; 68 | 69 | t = x; 70 | x = y; 71 | y = z; 72 | z = t ^ x ^ y; 73 | return z; 74 | } 75 | 76 | // For convenience, a new global variable getted from 'argv' to control the buffer size. 77 | 78 | int buffer_size = 8; 79 | uint64_t rand_lim_page = 0; 80 | 81 | 82 | 83 | /* 84 | The summary 85 | */ 86 | static void summary(uint64_t total_gap){ 87 | puts(""); 88 | puts("=========Summary=========="); 89 | 90 | printf("Total rdtscp cycles: %ld\n", total_gap); 91 | double total_gap_time = total_gap/(double)CPU_HZ; 92 | printf("Total gap time:%lf (s)\n", total_gap_time); 93 | 94 | double av_time = total_gap_time/Dot_Num; 95 | double IOPS = (double)Dot_Num/total_gap_time; 96 | double Throughput = (Dot_Num* (double)buffer_size)/total_gap_time; // bytes / time 97 | 98 | printf("Average IO time: %.3les\n" , av_time); 99 | printf("IOPS: %15.2lf K\n", IOPS/1000); 100 | printf("Throughput(M/s, G/s): %lfM, %lfG\n", Throughput/1024.0/1024.0, Throughput/1024.0/1024.0/1024.0 ); 101 | } 102 | 103 | /* 104 | Next offset to read; 105 | */ 106 | static inline uint64_t next_pos(uint64_t pos){ 107 | switch(READ_ORDER){ 108 | case 0: 109 | return (pos + buffer_size) % LIM_MAX; 110 | case 1: 111 | return pos; 112 | case 2: 113 | return (fastrand()% rand_lim_page) * buffer_size; 114 | default: 115 | break; 116 | } 117 | return 0; 118 | } 119 | 120 | 121 | static inline uint64_t rdtscp() 122 | { 123 | uint64_t rax,rdx; 124 | asm volatile ( "rdtscp\n" : "=a" (rax), "=d" (rdx)::"%rcx","memory"); 125 | return (rdx << 32) | rax; 126 | } 127 | 128 | 129 | ssize_t read_write_syscall(int syscall_no, unsigned int fd, const void *buf, size_t size){ 130 | // syscall_no: 0,read; 1, write; 131 | ssize_t ret; 132 | asm volatile 133 | ( 134 | "syscall" 135 | : "=a" (ret) 136 | // EDI RSI RDX 137 | : "0"(syscall_no), "D"(fd), "S"(buf), "d"(size) 138 | : "rcx", "r11", "memory" 139 | ); 140 | return ret; 141 | } 142 | 143 | 144 | void attach_cpu(int cpu){ 145 | cpu_set_t mask; 146 | cpu_set_t get; 147 | int num=CPU_NUM; 148 | CPU_ZERO(&mask); 149 | CPU_SET(cpu, &mask); 150 | if (sched_setaffinity(0, sizeof(mask), &mask) == -1) 151 | { 152 | printf("warning: could not set CPU affinity, continuing...\n"); 153 | } 154 | 155 | CPU_ZERO(&get); 156 | if (sched_getaffinity(0, sizeof(get), &get) == -1) 157 | { 158 | printf("warning: cound not get thread affinity, continuing...\n"); 159 | } 160 | for(int i=0; i< num; i++){ 161 | if(CPU_ISSET(i, &get)) 162 | printf("this thread is running on processor : %d\n",i); 163 | } 164 | 165 | } 166 | -------------------------------------------------------------------------------- /source_codes/ub/zz_disassem/disassem.py: -------------------------------------------------------------------------------- 1 | from miasm.analysis.machine import Machine 2 | from miasm.analysis.binary import Container 3 | from miasm.core.bin_stream import bin_stream_str 4 | from miasm.expression.expression import ExprMem, ExprId, ExprInt, ExprLoc 5 | import memread, translation 6 | 7 | import indirect_jump, conflict, assist, normal 8 | import os, signal, sys 9 | import time 10 | 11 | 12 | def dis_assem(PID, entry, need_count, debug=0): 13 | 14 | if need_count: 15 | # Get the target list 16 | total_count = 0 17 | count_targets = [] 18 | fp = open("/home/zz/zz_utrace/u_trace.txt", 'r') 19 | f_line = fp.readline() 20 | while f_line: 21 | count_targets.append(f_line[:-1]) 22 | f_line = fp.readline() 23 | fp.close() 24 | 25 | jump_table = dict() 26 | rets = memread.read(PID, entry, jump_table) #[chunk, start, targets] 27 | cfgs = [] 28 | 29 | ordering_bug_list = [0x2ce40, 0x2ce50, 0x4ffd0, 0x738d0] 30 | 31 | for r in rets: 32 | c = bin_stream_str(r[0], base_address = r[1]) 33 | machine = Machine('x86_64') 34 | mdis = machine.dis_engine(c) 35 | mdis.follow_call = False 36 | asmcfg = None 37 | job_done = set() 38 | 39 | for t in r[2]: 40 | if t - r[1] in ordering_bug_list: # To let buggy blocks first. MIASM bug 41 | asmcfg = mdis.dis_multiblock(t, asmcfg, job_done) 42 | print('MIASM ordering bug') 43 | 44 | for t in r[2]: 45 | if t - r[1] in ordering_bug_list: 46 | continue 47 | asmcfg = mdis.dis_multiblock(t, asmcfg, job_done) 48 | cfgs.append(asmcfg) 49 | 50 | 51 | block_dict = dict() 52 | db_dict = dict() 53 | for asmcfg in cfgs: 54 | for block in asmcfg.blocks: 55 | label = asmcfg.loc_db.pretty_str(block.loc_key) 56 | offset = int(label.split('_')[1], 16) 57 | block_dict[offset] = block 58 | db_dict[block] = asmcfg.loc_db 59 | 60 | missing_callees = indirect_jump.find(block_dict, db_dict, jump_table) 61 | 62 | f = open("./asm/jit.S","w") 63 | #f.write('MOV Stack_INST_CNT, 0\n') 64 | f.write('JMP loc_%x\n' % entry) 65 | 66 | 67 | 68 | for offset, block in sorted(block_dict.items()): 69 | db = db_dict[block] 70 | f.write('/*\n' + block.to_string(db) + '\n */ \n') #Comment source 71 | label = db.pretty_str(block.loc_key) 72 | 73 | if need_count: 74 | # Get the addr and judge whether to count 75 | count_flag = 0 76 | label_addr = "" 77 | if label[0] == 'l': 78 | label_addr = label[4:] 79 | elif label[0] == 'i': 80 | print("ij_:" + label) 81 | label_addr = label[3:] 82 | if label_addr in count_targets: 83 | count_flag = True 84 | count_targets.remove(label_addr) 85 | 86 | 87 | f.write(label+":\n") 88 | reg_map = conflict.block_init() 89 | 90 | len_block = len(block.lines) 91 | line_cnt = 0 92 | 93 | can_check = assist.check_flag_def_use(block.lines) 94 | normal.check_mem_base_block_init() 95 | 96 | for line in block.lines: 97 | 98 | if line.b == b'H\x8d\x14\x7f': 99 | line.args[1]._ptr._args[1]._arg = 3 100 | print('miasm bug at %x' % offset) 101 | 102 | if debug: 103 | f.write(assist.make_inst('MOV', ['Stack_RIPL', hex(offset % (1<<32))])) 104 | f.write(assist.make_inst('MOV', ['Stack_RIPH', hex(offset >>32)])) 105 | f.write('int3\n') 106 | offset = offset + line.l 107 | line_cnt = line_cnt + 1 108 | block_end = ( line_cnt == len_block) 109 | 110 | if need_count: 111 | # count line numbers after translation 112 | trans_str = translation.translate(line, offset, db, reg_map, block_end, can_check.pop()) 113 | if count_flag: 114 | total_count += len(trans_str.split('\n'))-1 115 | 116 | else: 117 | f.write(translation.translate(line, offset, db, reg_map, block_end, can_check.pop()) ) 118 | 119 | f.write('\n\n') 120 | if need_count: 121 | print("---------Total count : %d ------------" % total_count ) 122 | f.write( indirect_jump.make_jump_table(jump_table) ) 123 | f.write( indirect_jump.make_callee_table(missing_callees) ) 124 | 125 | f.close() 126 | os.system('gcc -c -fPIC ./asm/wrapper.S -o ./asm/jit.o && objcopy -O binary ./asm/jit.o ./asm/jit.bin') 127 | os.system('objdump -b binary -m i386:x86-64:intel -D ./asm/jit.bin > ./asm/bin.txt') 128 | 129 | 130 | 131 | if __name__ == "__main__": 132 | debug = 0 133 | pid = int(sys.argv[1]) 134 | entry = int(sys.argv[2],16) 135 | if len(sys.argv) > 3: 136 | debug = int(sys.argv[3]) 137 | need_count = 0 138 | dis_assem(pid, entry, need_count, debug) 139 | exit(0) 140 | -------------------------------------------------------------------------------- /source_codes/ub/zz_disassem/conflict.py: -------------------------------------------------------------------------------- 1 | from assist import * 2 | from miasm.expression.expression import ExprMem, ExprId, ExprInt, ExprLoc, ExprOp 3 | import copy 4 | 5 | special_regs=['IP', 'SP', 'BP', '15', '14', '13', '12', 'FS', 'GS', 'T1', 'T2'] 6 | stable_regs = ['T1', 'T2', 'SP', 'BP'] 7 | 8 | orig_stable_map = {'SP':'13', 'BP':'12'} 9 | #T2 for jump target 10 | #T1 for push/pop temp target 11 | 12 | sz2sfx = {64:'', 32:'d', 16:'w', 8:'b'} 13 | 14 | def block_init(): 15 | return {'15':'', '14':'', '13':'SP', '12':'BP'} 16 | 17 | def release_IP(reg_map): 18 | p = '' 19 | for k,v in reg_map.items(): 20 | if v == 'IP': 21 | p = k 22 | if p != '': 23 | reg_map[p] = '' 24 | 25 | def release_conflict(reg_map, block_end = True): 26 | if not block_end: 27 | return '' 28 | res = '' 29 | for k, v in reg_map.items(): 30 | if v == '' or v in stable_regs: 31 | continue 32 | if v != 'FS' and v != 'GS': 33 | res += make_inst('MOV', ['Stack_R'+ v, 'R'+k ]) 34 | return res 35 | 36 | def release_tmp_conflict(reg_map): 37 | p = [k for k,v in reg_map.items() if v != '' and v[0] == 'T'] 38 | for k in p: 39 | reg_map[k] = '' 40 | 41 | 42 | def extract_conflict_regs(reg, conflict_regs): 43 | key = str(reg) #Here we still have bugs 44 | possible_keys = [key[0:2]] 45 | if len(key) > 2: 46 | possible_keys.append(key[1:3]) 47 | for key in possible_keys: 48 | if key in special_regs: 49 | conflict_regs.add(key) 50 | 51 | 52 | 53 | def conflict_resolve(reg_map, conflict_regs, offset=0): 54 | resolved_regs = set([v for k, v in reg_map.items() if v != '']) #virtual 55 | idle_regs = set([k for k, v in reg_map.items() if v == '']) #physical 56 | 57 | possible_victims = set([k for k, v in reg_map.items() \ 58 | if v not in conflict_regs and v != '' and v not in stable_regs]) #physical 59 | 60 | possible_stable_victims = set(p for p,v in reg_map.items() \ 61 | if p not in conflict_regs and v in stable_regs and v[0] != 'T') #physical 62 | 63 | to_be_resolved = conflict_regs - resolved_regs 64 | 65 | if(len(to_be_resolved) > len(idle_regs) + len(possible_victims) + 2): 66 | print(hex(offset), 'Borrow stable regs to resolve reg conflict') 67 | 68 | resolve_inst = '' 69 | 70 | for v in to_be_resolved: 71 | if len(idle_regs) > 0: 72 | p = idle_regs.pop() 73 | elif len(possible_victims) > 0: 74 | p = possible_victims.pop() 75 | resolve_inst += make_inst('MOV',['Stack_R' + reg_map[p], 'R'+p]) 76 | else: #No way but borrow stable regs 77 | p = possible_stable_victims.pop() 78 | resolve_inst += make_inst('MOV',['Stack_R' + reg_map[p], 'R'+p]) 79 | 80 | if v == 'IP': 81 | resolve_inst += make_inst('MOVABS',['R'+p, hex(offset)]) 82 | elif v not in stable_regs: 83 | resolve_inst += make_inst('MOV',['R'+p, 'Stack_R'+v]) #Stable regs do not need swap in 84 | reg_map[p] = v 85 | return resolve_inst 86 | 87 | def recover_stable(reg_map, conflict_regs): 88 | inv_map = {v: k for k, v in reg_map.items()} 89 | ret_str = '' 90 | for v in stable_regs: 91 | if v[0] =='T': 92 | continue 93 | if v not in inv_map: 94 | p = orig_stable_map[v] 95 | ret_str += make_inst('MOV',['Stack_R' + reg_map[p], 'R'+p]) 96 | ret_str += make_inst('MOV',['R'+p, 'Stack_R'+v]) 97 | reg_map[p] = v 98 | return ret_str 99 | 100 | 101 | 102 | def apply_map(args, reg_map): 103 | processed = [] 104 | inv_map = {v: k for k, v in reg_map.items()} 105 | for arg in args: 106 | if isinstance(arg, dict): 107 | res = {'im':arg['im'], 'sz':arg['sz']} 108 | res['regs'] = apply_map(arg['regs'], reg_map) 109 | res['mul'] = apply_map(arg['mul'], reg_map) 110 | processed.append(res) 111 | elif isinstance(arg, ExprId): 112 | key = str(arg) 113 | if len(key) > 2: 114 | k1 = str(arg)[1:3] 115 | else: 116 | k1 = '' 117 | k2 = str(arg)[0:2]#Here bugs 118 | if k1 in special_regs: 119 | k1 = 'R' + inv_map[k1] + sz2sfx[arg.size] 120 | processed.append(ExprId(k1,arg.size)) 121 | elif k2 in special_regs: 122 | k2 = 'R' + inv_map[k2] + sz2sfx[arg.size] 123 | processed.append(ExprId(k2,arg.size)) 124 | else: 125 | processed.append(arg) 126 | else: 127 | processed.append(arg) 128 | return processed 129 | 130 | 131 | 132 | def reverse_reg(reg_map, arg): 133 | if isinstance(arg, ExprId): 134 | arg = str(arg)[1:3] 135 | elif isinstance(arg, str): 136 | arg = arg[1:3] 137 | else: 138 | print('Error, %s not a register'%str(arg)) 139 | 140 | if arg in special_regs: 141 | inv_map = {v: k for k, v in reg_map.items()} 142 | return inv_map[arg] 143 | return arg 144 | 145 | -------------------------------------------------------------------------------- /source_codes/apps/nginx/mime.types: -------------------------------------------------------------------------------- 1 | 2 | types { 3 | text/html html htm shtml; 4 | text/css css; 5 | text/xml xml; 6 | image/gif gif; 7 | image/jpeg jpeg jpg; 8 | application/javascript js; 9 | application/atom+xml atom; 10 | application/rss+xml rss; 11 | 12 | text/mathml mml; 13 | text/plain txt; 14 | text/vnd.sun.j2me.app-descriptor jad; 15 | text/vnd.wap.wml wml; 16 | text/x-component htc; 17 | 18 | image/png png; 19 | image/svg+xml svg svgz; 20 | image/tiff tif tiff; 21 | image/vnd.wap.wbmp wbmp; 22 | image/webp webp; 23 | image/x-icon ico; 24 | image/x-jng jng; 25 | image/x-ms-bmp bmp; 26 | 27 | font/woff woff; 28 | font/woff2 woff2; 29 | 30 | application/java-archive jar war ear; 31 | application/json json; 32 | application/mac-binhex40 hqx; 33 | application/msword doc; 34 | application/pdf pdf; 35 | application/postscript ps eps ai; 36 | application/rtf rtf; 37 | application/vnd.apple.mpegurl m3u8; 38 | application/vnd.google-earth.kml+xml kml; 39 | application/vnd.google-earth.kmz kmz; 40 | application/vnd.ms-excel xls; 41 | application/vnd.ms-fontobject eot; 42 | application/vnd.ms-powerpoint ppt; 43 | application/vnd.oasis.opendocument.graphics odg; 44 | application/vnd.oasis.opendocument.presentation odp; 45 | application/vnd.oasis.opendocument.spreadsheet ods; 46 | application/vnd.oasis.opendocument.text odt; 47 | application/vnd.openxmlformats-officedocument.presentationml.presentation 48 | pptx; 49 | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet 50 | xlsx; 51 | application/vnd.openxmlformats-officedocument.wordprocessingml.document 52 | docx; 53 | application/vnd.wap.wmlc wmlc; 54 | application/x-7z-compressed 7z; 55 | application/x-cocoa cco; 56 | application/x-java-archive-diff jardiff; 57 | application/x-java-jnlp-file jnlp; 58 | application/x-makeself run; 59 | application/x-perl pl pm; 60 | application/x-pilot prc pdb; 61 | application/x-rar-compressed rar; 62 | application/x-redhat-package-manager rpm; 63 | application/x-sea sea; 64 | application/x-shockwave-flash swf; 65 | application/x-stuffit sit; 66 | application/x-tcl tcl tk; 67 | application/x-x509-ca-cert der pem crt; 68 | application/x-xpinstall xpi; 69 | application/xhtml+xml xhtml; 70 | application/xspf+xml xspf; 71 | application/zip zip; 72 | 73 | application/octet-stream bin exe dll; 74 | application/octet-stream deb; 75 | application/octet-stream dmg; 76 | application/octet-stream iso img; 77 | application/octet-stream msi msp msm; 78 | 79 | audio/midi mid midi kar; 80 | audio/mpeg mp3; 81 | audio/ogg ogg; 82 | audio/x-m4a m4a; 83 | audio/x-realaudio ra; 84 | 85 | video/3gpp 3gpp 3gp; 86 | video/mp2t ts; 87 | video/mp4 mp4; 88 | video/mpeg mpeg mpg; 89 | video/quicktime mov; 90 | video/webm webm; 91 | video/x-flv flv; 92 | video/x-m4v m4v; 93 | video/x-mng mng; 94 | video/x-ms-asf asx asf; 95 | video/x-ms-wmv wmv; 96 | video/x-msvideo avi; 97 | } 98 | -------------------------------------------------------------------------------- /source_codes/apps/nginx/mime.types.default: -------------------------------------------------------------------------------- 1 | 2 | types { 3 | text/html html htm shtml; 4 | text/css css; 5 | text/xml xml; 6 | image/gif gif; 7 | image/jpeg jpeg jpg; 8 | application/javascript js; 9 | application/atom+xml atom; 10 | application/rss+xml rss; 11 | 12 | text/mathml mml; 13 | text/plain txt; 14 | text/vnd.sun.j2me.app-descriptor jad; 15 | text/vnd.wap.wml wml; 16 | text/x-component htc; 17 | 18 | image/png png; 19 | image/svg+xml svg svgz; 20 | image/tiff tif tiff; 21 | image/vnd.wap.wbmp wbmp; 22 | image/webp webp; 23 | image/x-icon ico; 24 | image/x-jng jng; 25 | image/x-ms-bmp bmp; 26 | 27 | font/woff woff; 28 | font/woff2 woff2; 29 | 30 | application/java-archive jar war ear; 31 | application/json json; 32 | application/mac-binhex40 hqx; 33 | application/msword doc; 34 | application/pdf pdf; 35 | application/postscript ps eps ai; 36 | application/rtf rtf; 37 | application/vnd.apple.mpegurl m3u8; 38 | application/vnd.google-earth.kml+xml kml; 39 | application/vnd.google-earth.kmz kmz; 40 | application/vnd.ms-excel xls; 41 | application/vnd.ms-fontobject eot; 42 | application/vnd.ms-powerpoint ppt; 43 | application/vnd.oasis.opendocument.graphics odg; 44 | application/vnd.oasis.opendocument.presentation odp; 45 | application/vnd.oasis.opendocument.spreadsheet ods; 46 | application/vnd.oasis.opendocument.text odt; 47 | application/vnd.openxmlformats-officedocument.presentationml.presentation 48 | pptx; 49 | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet 50 | xlsx; 51 | application/vnd.openxmlformats-officedocument.wordprocessingml.document 52 | docx; 53 | application/vnd.wap.wmlc wmlc; 54 | application/x-7z-compressed 7z; 55 | application/x-cocoa cco; 56 | application/x-java-archive-diff jardiff; 57 | application/x-java-jnlp-file jnlp; 58 | application/x-makeself run; 59 | application/x-perl pl pm; 60 | application/x-pilot prc pdb; 61 | application/x-rar-compressed rar; 62 | application/x-redhat-package-manager rpm; 63 | application/x-sea sea; 64 | application/x-shockwave-flash swf; 65 | application/x-stuffit sit; 66 | application/x-tcl tcl tk; 67 | application/x-x509-ca-cert der pem crt; 68 | application/x-xpinstall xpi; 69 | application/xhtml+xml xhtml; 70 | application/xspf+xml xspf; 71 | application/zip zip; 72 | 73 | application/octet-stream bin exe dll; 74 | application/octet-stream deb; 75 | application/octet-stream dmg; 76 | application/octet-stream iso img; 77 | application/octet-stream msi msp msm; 78 | 79 | audio/midi mid midi kar; 80 | audio/mpeg mp3; 81 | audio/ogg ogg; 82 | audio/x-m4a m4a; 83 | audio/x-realaudio ra; 84 | 85 | video/3gpp 3gpp 3gp; 86 | video/mp2t ts; 87 | video/mp4 mp4; 88 | video/mpeg mpeg mpg; 89 | video/quicktime mov; 90 | video/webm webm; 91 | video/x-flv flv; 92 | video/x-m4v m4v; 93 | video/x-mng mng; 94 | video/x-ms-asf asx asf; 95 | video/x-ms-wmv wmv; 96 | video/x-msvideo avi; 97 | } 98 | -------------------------------------------------------------------------------- /source_codes/kernel_modify/common.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* 3 | * common.c - C code for kernel entry and exit 4 | * Copyright (c) 2015 Andrew Lutomirski 5 | * 6 | * Based on asm and ptrace code by many authors. The code here originated 7 | * in ptrace.c and signal.c. 8 | */ 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | 37 | #define CREATE_TRACE_POINTS 38 | #include 39 | 40 | #ifdef CONFIG_CONTEXT_TRACKING 41 | /* Called on entry from user mode with IRQs off. */ 42 | __visible inline void enter_from_user_mode(void) 43 | { 44 | CT_WARN_ON(ct_state() != CONTEXT_USER); 45 | user_exit_irqoff(); 46 | } 47 | #else 48 | static inline void enter_from_user_mode(void) {} 49 | #endif 50 | 51 | static void do_audit_syscall_entry(struct pt_regs *regs, u32 arch) 52 | { 53 | #ifdef CONFIG_X86_64 54 | if (arch == AUDIT_ARCH_X86_64) { 55 | audit_syscall_entry(regs->orig_ax, regs->di, 56 | regs->si, regs->dx, regs->r10); 57 | } else 58 | #endif 59 | { 60 | audit_syscall_entry(regs->orig_ax, regs->bx, 61 | regs->cx, regs->dx, regs->si); 62 | } 63 | } 64 | 65 | /* 66 | * Returns the syscall nr to run (which should match regs->orig_ax) or -1 67 | * to skip the syscall. 68 | */ 69 | static long syscall_trace_enter(struct pt_regs *regs) 70 | { 71 | u32 arch = in_ia32_syscall() ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64; 72 | 73 | struct thread_info *ti = current_thread_info(); 74 | unsigned long ret = 0; 75 | u32 work; 76 | 77 | if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) 78 | BUG_ON(regs != task_pt_regs(current)); 79 | 80 | work = READ_ONCE(ti->flags); 81 | 82 | if (work & (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_EMU)) { 83 | ret = tracehook_report_syscall_entry(regs); 84 | if (ret || (work & _TIF_SYSCALL_EMU)) 85 | return -1L; 86 | } 87 | 88 | #ifdef CONFIG_SECCOMP 89 | /* 90 | * Do seccomp after ptrace, to catch any tracer changes. 91 | */ 92 | if (work & _TIF_SECCOMP) { 93 | struct seccomp_data sd; 94 | 95 | sd.arch = arch; 96 | sd.nr = regs->orig_ax; 97 | sd.instruction_pointer = regs->ip; 98 | #ifdef CONFIG_X86_64 99 | if (arch == AUDIT_ARCH_X86_64) { 100 | sd.args[0] = regs->di; 101 | sd.args[1] = regs->si; 102 | sd.args[2] = regs->dx; 103 | sd.args[3] = regs->r10; 104 | sd.args[4] = regs->r8; 105 | sd.args[5] = regs->r9; 106 | } else 107 | #endif 108 | { 109 | sd.args[0] = regs->bx; 110 | sd.args[1] = regs->cx; 111 | sd.args[2] = regs->dx; 112 | sd.args[3] = regs->si; 113 | sd.args[4] = regs->di; 114 | sd.args[5] = regs->bp; 115 | } 116 | 117 | ret = __secure_computing(&sd); 118 | if (ret == -1) 119 | return ret; 120 | } 121 | #endif 122 | 123 | if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) 124 | trace_sys_enter(regs, regs->orig_ax); 125 | 126 | do_audit_syscall_entry(regs, arch); 127 | 128 | return ret ?: regs->orig_ax; 129 | } 130 | 131 | #define EXIT_TO_USERMODE_LOOP_FLAGS \ 132 | (_TIF_SIGPENDING | _TIF_NOTIFY_RESUME | _TIF_UPROBE | \ 133 | _TIF_NEED_RESCHED | _TIF_USER_RETURN_NOTIFY | _TIF_PATCH_PENDING) 134 | 135 | static void exit_to_usermode_loop(struct pt_regs *regs, u32 cached_flags) 136 | { 137 | /* 138 | * In order to return to user mode, we need to have IRQs off with 139 | * none of EXIT_TO_USERMODE_LOOP_FLAGS set. Several of these flags 140 | * can be set at any time on preemptible kernels if we have IRQs on, 141 | * so we need to loop. Disabling preemption wouldn't help: doing the 142 | * work to clear some of the flags can sleep. 143 | */ 144 | while (true) { 145 | /* We have work to do. */ 146 | local_irq_enable(); 147 | 148 | if (cached_flags & _TIF_NEED_RESCHED) 149 | schedule(); 150 | 151 | if (cached_flags & _TIF_UPROBE) 152 | uprobe_notify_resume(regs); 153 | 154 | if (cached_flags & _TIF_PATCH_PENDING) 155 | klp_update_patch_state(current); 156 | 157 | /* deal with pending signal delivery */ 158 | if (cached_flags & _TIF_SIGPENDING) 159 | do_signal(regs); 160 | 161 | if (cached_flags & _TIF_NOTIFY_RESUME) { 162 | clear_thread_flag(TIF_NOTIFY_RESUME); 163 | tracehook_notify_resume(regs); 164 | rseq_handle_notify_resume(NULL, regs); 165 | } 166 | 167 | if (cached_flags & _TIF_USER_RETURN_NOTIFY) 168 | fire_user_return_notifiers(); 169 | 170 | /* Disable IRQs and retry */ 171 | local_irq_disable(); 172 | 173 | cached_flags = READ_ONCE(current_thread_info()->flags); 174 | 175 | if (!(cached_flags & EXIT_TO_USERMODE_LOOP_FLAGS)) 176 | break; 177 | } 178 | } 179 | 180 | /* Called with IRQs disabled. */ 181 | __visible inline void prepare_exit_to_usermode(struct pt_regs *regs) 182 | { 183 | struct thread_info *ti = current_thread_info(); 184 | u32 cached_flags; 185 | 186 | addr_limit_user_check(); 187 | 188 | lockdep_assert_irqs_disabled(); 189 | lockdep_sys_exit(); 190 | 191 | cached_flags = READ_ONCE(ti->flags); 192 | 193 | if (unlikely(cached_flags & EXIT_TO_USERMODE_LOOP_FLAGS)) 194 | exit_to_usermode_loop(regs, cached_flags); 195 | 196 | /* Reload ti->flags; we may have rescheduled above. */ 197 | cached_flags = READ_ONCE(ti->flags); 198 | 199 | fpregs_assert_state_consistent(); 200 | if (unlikely(cached_flags & _TIF_NEED_FPU_LOAD)) 201 | switch_fpu_return(); 202 | 203 | #ifdef CONFIG_COMPAT 204 | /* 205 | * Compat syscalls set TS_COMPAT. Make sure we clear it before 206 | * returning to user mode. We need to clear it *after* signal 207 | * handling, because syscall restart has a fixup for compat 208 | * syscalls. The fixup is exercised by the ptrace_syscall_32 209 | * selftest. 210 | * 211 | * We also need to clear TS_REGS_POKED_I386: the 32-bit tracer 212 | * special case only applies after poking regs and before the 213 | * very next return to user mode. 214 | */ 215 | ti->status &= ~(TS_COMPAT|TS_I386_REGS_POKED); 216 | #endif 217 | 218 | user_enter_irqoff(); 219 | 220 | mds_user_clear_cpu_buffers(); 221 | } 222 | 223 | #define SYSCALL_EXIT_WORK_FLAGS \ 224 | (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \ 225 | _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT) 226 | 227 | static void syscall_slow_exit_work(struct pt_regs *regs, u32 cached_flags) 228 | { 229 | bool step; 230 | 231 | audit_syscall_exit(regs); 232 | 233 | if (cached_flags & _TIF_SYSCALL_TRACEPOINT) 234 | trace_sys_exit(regs, regs->ax); 235 | 236 | /* 237 | * If TIF_SYSCALL_EMU is set, we only get here because of 238 | * TIF_SINGLESTEP (i.e. this is PTRACE_SYSEMU_SINGLESTEP). 239 | * We already reported this syscall instruction in 240 | * syscall_trace_enter(). 241 | */ 242 | step = unlikely( 243 | (cached_flags & (_TIF_SINGLESTEP | _TIF_SYSCALL_EMU)) 244 | == _TIF_SINGLESTEP); 245 | if (step || cached_flags & _TIF_SYSCALL_TRACE) 246 | tracehook_report_syscall_exit(regs, step); 247 | } 248 | 249 | /* 250 | * Called with IRQs on and fully valid regs. Returns with IRQs off in a 251 | * state such that we can immediately switch to user mode. 252 | */ 253 | __visible inline void syscall_return_slowpath(struct pt_regs *regs) 254 | { 255 | struct thread_info *ti = current_thread_info(); 256 | u32 cached_flags = READ_ONCE(ti->flags); 257 | 258 | CT_WARN_ON(ct_state() != CONTEXT_KERNEL); 259 | 260 | if (IS_ENABLED(CONFIG_PROVE_LOCKING) && 261 | WARN(irqs_disabled(), "syscall %ld left IRQs disabled", regs->orig_ax)) 262 | local_irq_enable(); 263 | 264 | rseq_syscall(regs); 265 | 266 | /* 267 | * First do one-time work. If these work items are enabled, we 268 | * want to run them exactly once per syscall exit with IRQs on. 269 | */ 270 | if (unlikely(cached_flags & SYSCALL_EXIT_WORK_FLAGS)) 271 | syscall_slow_exit_work(regs, cached_flags); 272 | 273 | local_irq_disable(); 274 | prepare_exit_to_usermode(regs); 275 | } 276 | 277 | #ifdef CONFIG_X86_64 278 | 279 | 280 | void(*zz_var)(struct pt_regs *, unsigned long ts); 281 | EXPORT_SYMBOL(zz_var); 282 | 283 | // void(*get_xdp_time)(u64 ts); 284 | // EXPORT_SYMBOL(get_xdp_time); 285 | 286 | 287 | __visible void do_syscall_64(unsigned long nr, struct pt_regs *regs) 288 | { 289 | struct thread_info *ti; 290 | unsigned long ts = ktime_get_boottime_ns(); 291 | enter_from_user_mode(); 292 | local_irq_enable(); 293 | ti = current_thread_info(); 294 | if (READ_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY) 295 | nr = syscall_trace_enter(regs); 296 | 297 | if (likely(nr < NR_syscalls)) { 298 | nr = array_index_nospec(nr, NR_syscalls); 299 | regs->ax = sys_call_table[nr](regs); 300 | #ifdef CONFIG_X86_X32_ABI 301 | } else if (likely((nr & __X32_SYSCALL_BIT) && 302 | (nr & ~__X32_SYSCALL_BIT) < X32_NR_syscalls)) { 303 | nr = array_index_nospec(nr & ~__X32_SYSCALL_BIT, 304 | X32_NR_syscalls); 305 | regs->ax = x32_sys_call_table[nr](regs); 306 | #endif 307 | } 308 | if(zz_var != NULL) 309 | (*zz_var)(regs, ts); 310 | syscall_return_slowpath(regs); 311 | } 312 | #endif 313 | 314 | #if defined(CONFIG_X86_32) || defined(CONFIG_IA32_EMULATION) 315 | /* 316 | * Does a 32-bit syscall. Called with IRQs on in CONTEXT_KERNEL. Does 317 | * all entry and exit work and returns with IRQs off. This function is 318 | * extremely hot in workloads that use it, and it's usually called from 319 | * do_fast_syscall_32, so forcibly inline it to improve performance. 320 | */ 321 | static __always_inline void do_syscall_32_irqs_on(struct pt_regs *regs) 322 | { 323 | struct thread_info *ti = current_thread_info(); 324 | unsigned int nr = (unsigned int)regs->orig_ax; 325 | 326 | #ifdef CONFIG_IA32_EMULATION 327 | ti->status |= TS_COMPAT; 328 | #endif 329 | 330 | if (READ_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY) { 331 | /* 332 | * Subtlety here: if ptrace pokes something larger than 333 | * 2^32-1 into orig_ax, this truncates it. This may or 334 | * may not be necessary, but it matches the old asm 335 | * behavior. 336 | */ 337 | nr = syscall_trace_enter(regs); 338 | } 339 | 340 | if (likely(nr < IA32_NR_syscalls)) { 341 | nr = array_index_nospec(nr, IA32_NR_syscalls); 342 | #ifdef CONFIG_IA32_EMULATION 343 | regs->ax = ia32_sys_call_table[nr](regs); 344 | #else 345 | /* 346 | * It's possible that a 32-bit syscall implementation 347 | * takes a 64-bit parameter but nonetheless assumes that 348 | * the high bits are zero. Make sure we zero-extend all 349 | * of the args. 350 | */ 351 | regs->ax = ia32_sys_call_table[nr]( 352 | (unsigned int)regs->bx, (unsigned int)regs->cx, 353 | (unsigned int)regs->dx, (unsigned int)regs->si, 354 | (unsigned int)regs->di, (unsigned int)regs->bp); 355 | #endif /* CONFIG_IA32_EMULATION */ 356 | } 357 | 358 | syscall_return_slowpath(regs); 359 | } 360 | 361 | /* Handles int $0x80 */ 362 | __visible void do_int80_syscall_32(struct pt_regs *regs) 363 | { 364 | enter_from_user_mode(); 365 | local_irq_enable(); 366 | do_syscall_32_irqs_on(regs); 367 | } 368 | 369 | /* Returns 0 to return using IRET or 1 to return using SYSEXIT/SYSRETL. */ 370 | __visible long do_fast_syscall_32(struct pt_regs *regs) 371 | { 372 | /* 373 | * Called using the internal vDSO SYSENTER/SYSCALL32 calling 374 | * convention. Adjust regs so it looks like we entered using int80. 375 | */ 376 | 377 | unsigned long landing_pad = (unsigned long)current->mm->context.vdso + 378 | vdso_image_32.sym_int80_landing_pad; 379 | 380 | /* 381 | * SYSENTER loses EIP, and even SYSCALL32 needs us to skip forward 382 | * so that 'regs->ip -= 2' lands back on an int $0x80 instruction. 383 | * Fix it up. 384 | */ 385 | regs->ip = landing_pad; 386 | 387 | enter_from_user_mode(); 388 | 389 | local_irq_enable(); 390 | 391 | /* Fetch EBP from where the vDSO stashed it. */ 392 | if ( 393 | #ifdef CONFIG_X86_64 394 | /* 395 | * Micro-optimization: the pointer we're following is explicitly 396 | * 32 bits, so it can't be out of range. 397 | */ 398 | __get_user(*(u32 *)®s->bp, 399 | (u32 __user __force *)(unsigned long)(u32)regs->sp) 400 | #else 401 | get_user(*(u32 *)®s->bp, 402 | (u32 __user __force *)(unsigned long)(u32)regs->sp) 403 | #endif 404 | ) { 405 | 406 | /* User code screwed up. */ 407 | local_irq_disable(); 408 | regs->ax = -EFAULT; 409 | prepare_exit_to_usermode(regs); 410 | return 0; /* Keep it simple: use IRET. */ 411 | } 412 | 413 | /* Now this is just like a normal syscall. */ 414 | do_syscall_32_irqs_on(regs); 415 | 416 | #ifdef CONFIG_X86_64 417 | /* 418 | * Opportunistic SYSRETL: if possible, try to return using SYSRETL. 419 | * SYSRETL is available on all 64-bit CPUs, so we don't need to 420 | * bother with SYSEXIT. 421 | * 422 | * Unlike 64-bit opportunistic SYSRET, we can't check that CX == IP, 423 | * because the ECX fixup above will ensure that this is essentially 424 | * never the case. 425 | */ 426 | return regs->cs == __USER32_CS && regs->ss == __USER_DS && 427 | regs->ip == landing_pad && 428 | (regs->flags & (X86_EFLAGS_RF | X86_EFLAGS_TF)) == 0; 429 | #else 430 | /* 431 | * Opportunistic SYSEXIT: if possible, try to return using SYSEXIT. 432 | * 433 | * Unlike 64-bit opportunistic SYSRET, we can't check that CX == IP, 434 | * because the ECX fixup above will ensure that this is essentially 435 | * never the case. 436 | * 437 | * We don't allow syscalls at all from VM86 mode, but we still 438 | * need to check VM, because we might be returning from sys_vm86. 439 | */ 440 | return static_cpu_has(X86_FEATURE_SEP) && 441 | regs->cs == __USER_CS && regs->ss == __USER_DS && 442 | regs->ip == landing_pad && 443 | (regs->flags & (X86_EFLAGS_RF | X86_EFLAGS_TF | X86_EFLAGS_VM)) == 0; 444 | #endif 445 | } 446 | #endif 447 | -------------------------------------------------------------------------------- /Readme.md: -------------------------------------------------------------------------------- 1 | *This is the code repository of "Userspace Bypass: Accelerating Syscall-intensive Applications".* 2 | 3 | License: GPL 4 | 5 | Author: [Zhe Zhou](https://www.y-droid.com/zhe/) 6 | 7 | 8 | --- 9 | ## Detailed Instructions 10 | #### Before Start: 11 | 1. **Software configuration** 12 | * Ubuntu [20.04.2](https://old-releases.ubuntu.com/releases/20.04.2/ubuntu-20.04.2-desktop-amd64.iso) with Kernel version 5.4.44 13 | * Python 3.8 & module: [miasm v0.1.3](https://github.com/cea-sec/miasm/releases/tag/v0.1.3) 14 | * gcc 9.4.0 15 | * (optional) Qemu 4.2.1(Debian 1:4.2-3ubuntu6.24) with KVM modules 16 | * *Use for virtual machine evaluation* 17 | 18 | * Redis 6.2.6 19 | * Nginx 1.20.0 20 | 2. **Hardware configuration** 21 | * Server machine: Intel Xeon Platinum 8175\*2, 192G memory, Samsung 980 pro NVMe SSD, and Mellanox Connectx-3 NIC. 22 | * Client machine: Intel Xeon Platinum 8260, 128G memory, and Mellanox Connectx-5 NIC. 23 | * *This is the hardware platform we use, not mandatory.* 24 | 3. **Change the kernel version to 5.4.44 and modify it. (Or just replace this three files from the /source_codes/kernel_modify)** 25 | 1. [Kernel 5.4.44](https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.4.44.tar.gz) can be downloaded here. 26 | 2. Patch the kernel using patch file in `source_codes/kernel_modify/linux-5.4.44.patch`. 27 | 1. Move the patch file into root directory of linux-5.4.44. 28 | 2. `patch -p1 < linux-5.4.44.patch` to patch the kernel. 29 | ##### If patching the kernel using the patch file, the next three steps on modify the kernel can be skipped. 30 | 3. Modify codes in "**linux-5.4.44/arch/x86/entry/common.c**" like this: 31 | ```c 32 | // Add this two line before do_syscall_64() function: 33 | void(*zz_var)(struct pt_regs *, unsigned long ts); 34 | EXPORT_SYMBOL(zz_var); 35 | 36 | // Change do_syscall_64() function as below: 37 | __visible void do_syscall_64(unsigned long nr, struct pt_regs *regs) 38 | { 39 | struct thread_info *ti; 40 | unsigned long ts = ktime_get_boottime_ns(); 41 | enter_from_user_mode(); 42 | local_irq_enable(); 43 | ti = current_thread_info(); 44 | if (READ_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY) 45 | nr = syscall_trace_enter(regs); 46 | 47 | if (likely(nr < NR_syscalls)) { 48 | nr = array_index_nospec(nr, NR_syscalls); 49 | regs->ax = sys_call_table[nr](regs); 50 | #ifdef CONFIG_X86_X32_ABI 51 | } else if (likely((nr & __X32_SYSCALL_BIT) && 52 | (nr & ~__X32_SYSCALL_BIT) < X32_NR_syscalls)) { 53 | nr = array_index_nospec(nr & ~__X32_SYSCALL_BIT, 54 | X32_NR_syscalls); 55 | regs->ax = x32_sys_call_table[nr](regs); 56 | #endif 57 | } 58 | if(zz_var != NULL) 59 | (*zz_var)(regs, ts); 60 | syscall_return_slowpath(regs); 61 | } 62 | ``` 63 | 4. Modify codes in "**linux-5.4.44/arch/x86/mm/fault.c**" like this: 64 | ```c 65 | // add in the beginning of no_context() 66 | int (*UB_fault_address_space)(unsigned long, struct task_struct *, unsigned long); 67 | ``` 68 | ```c 69 | // add just ahead of "#ifdef CONFIG_VMAP_STACK" 70 | UB_fault_address_space = (void*) kallsyms_lookup_name("UB_fault_address_space"); 71 | 72 | if(UB_fault_address_space){ 73 | int ret = UB_fault_address_space(address, tsk, regs->r13); 74 | /* 75 | * ret = 1 means UB_fault_address_space() 76 | * determins that this fault is caused by UB, 77 | * (in UDS SFI calling, R13 will be the Base address) 78 | * so we will handle that; 79 | */ 80 | if(ret==1){ 81 | /* 82 | * Return an error to UB; 83 | * firstly we lookup and call UB_SFI_error_handler() 84 | * it will return a fix_up function in the context 85 | */ 86 | unsigned long (*UB_SFI_error_handler)(int); 87 | unsigned long UB_error_return; 88 | 89 | UB_SFI_error_handler = (void*) kallsyms_lookup_name("UB_SFI_error_handler"); 90 | if(UB_SFI_error_handler){ 91 | UB_error_return = UB_SFI_error_handler(-0x200); // -0x200 means address access error; 92 | regs->ip = UB_error_return; 93 | return; 94 | } 95 | } 96 | } 97 | ``` 98 | 5. Modify codes in "**linux-5.4.44/arch/x86/mm/pageattr.c**" after function **set_memory_x()** like this: 99 | ```c 100 | int set_memory_x(unsigned long addr, int numpages) 101 | { 102 | if (!(__supported_pte_mask & _PAGE_NX)) 103 | return 0; 104 | 105 | return change_page_attr_clear(&addr, numpages, __pgprot(_PAGE_NX), 0); 106 | } 107 | // add this line: 108 | EXPORT_SYMBOL(set_memory_x); 109 | ``` 110 | 6. Then compile the kernel. 111 | [This](https://phoenixnap.com/kb/build-linux-kernel) is a short tutorial(steps 1-5) about how to compile linux kernel. (Tips: you can use multi-threads to compile the kernel to save time. In step 5: `make -j xx`, 'xx' on behalf of the threads you want for compiling. Or after step 4, use the script in `source_codes/scripts/compile_kernel/` to compile the kernel. The script needs to be moved in `linux-5.4.44/` directory.) 112 | A `.config` file in `source_codes/kernel_modify` is our config file when compile the kernel. Just use the default ubuntu 20.04.2 kernel compilation option is OK, this file is for reference only. 113 | 7. Modify the grub to start with the new kernel. 114 | 1. `grep menuentry /boot/grub/grub.cfg` check the option of the new kernel, like this: 115 | ``` c 116 | if [ x"${feature_menuentry_id}" = xy ]; then 117 | menuentry_id_option="--id" 118 | menuentry_id_option="" 119 | export menuentry_id_option 120 | menuentry 'Ubuntu' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-3ce46e7e-eb73-4980-b6da-c03947b8e717' { 121 | submenu 'Advanced options for Ubuntu' $menuentry_id_option 'gnulinux-advanced-3ce46e7e-eb73-4980-b6da-c03947b8e717' { 122 | menuentry 'Ubuntu, with Linux 5.15.0-69-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.15.0-69-generic-advanced-3ce46e7e-eb73-4980-b6da-c03947b8e717' { 123 | menuentry 'Ubuntu, with Linux 5.15.0-69-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.15.0-69-generic-recovery-3ce46e7e-eb73-4980-b6da-c03947b8e717' { 124 | menuentry 'Ubuntu, with Linux 5.8.0-43-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.8.0-43-generic-advanced-3ce46e7e-eb73-4980-b6da-c03947b8e717' { 125 | menuentry 'Ubuntu, with Linux 5.8.0-43-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.8.0-43-generic-recovery-3ce46e7e-eb73-4980-b6da-c03947b8e717' { 126 | -> menuentry 'Ubuntu, with Linux 5.4.44' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.4.44-advanced-3ce46e7e-eb73-4980-b6da-c03947b8e717' { 127 | menuentry 'Ubuntu, with Linux 5.4.44 (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.4.44-recovery-3ce46e7e-eb73-4980-b6da-c03947b8e717' { 128 | ``` 129 | 2. Here we want to use option `menuentry 'Ubuntu, with Linux 5.4.44'`. Modify grub to replace the boot kernel. 130 | 3. `sudo vim /etc/default/grub` and change the first line to `GRUB_DEFAULT="Advanced options for Ubuntu>Ubuntu, with Linux 5.4.44"` 131 | 4. `grub-install --version ` to check grub version. `sudo update-grub` or `sudo update-grub2` to update the grub for grub version < 2.0 or grub version >= 2.0. 132 | 8. After bootup, use `uname -r` command to check whether the kernel version has been changed. 133 | 134 | 139 | 140 | 141 | #### Overall Usage: 142 | 1. Disable the address randomization in `su`(`sudo su`) user. `echo 0 > /proc/sys/kernel/randomize_va_space` 143 | 2. Run the program to be boosted. 144 | 3. Find the potentially syscall address of the program: (Or just use the pre-hardcode address in `source_codes/ub/zz_daemon/main.c`, if it is changed, please add the new address in `source_codes/ub/zz_daemon/main.c`) 145 | * ***How to find syscall address:*** 146 | * Use `strace` to find the addresses of syscalls. e.g.: 147 | * `write` of redis: `sudo strace -ip xxx`, xxx is the pid of redis-server. (Here we need the redis-server is running, i.e., a redis-client program is running to communicate with the redis-server: one terminal run `./redis-server`, another terminal run `./redis-benchmark`.) 148 | * Then find the address of `write` and do step 4. 149 | 4. Modify codes in daemon program: `source_codes/ub/zz_daemon/main.c` 150 | ```c 151 | // add the syscall address in targets[] 152 | // redis -> write 153 | const unsigned long targets[] = {0x7ffff7e5232f}; 154 | ``` 155 | 5. Compile the daemon program using `make`. 156 | 6. Insert the kernel module in `ub/zz_lkm` folder: `sudo insmod zz_lkm.ko` and run the daemon program `sudo ./zz_daemon` in zz_daemon folder. 157 | 7. Run the program to be boosted and waiting for boost complete. 158 | 8. It will be printed in `dmesg` after every 500k syscalls are captured, check `dmesg` to find whether syscall has been boosted. 159 | 9. Finally, uninstall the module using `sudo rmmod zz_lkm`. 160 | * Every program needs to be boosted individually: re-insert the kernel module and re-run the daemon program. We give one script to run ub in `source_codes/ub/` named `start.sh`. If the syscall address is right, kernel module and daemon program have been compiled, just run `sudo ./start.sh` to start ub. 161 | 162 | To simplify the artifact, we also write several scripts to reduce the repetitive workload of client test. Please see `source/scripts/` folder, the usage of them are specified inside the scripts. 163 | 164 | ### Tips from the beginning: 165 | All the options with the tag '**(Optional: has been Pre-hardcode)**' can be bypassed. 166 | But if it cannot boost successful, please re-do the experiment from the **(Optional: has been Pre-hardcode)** step **OR** follow the instruction on [how to find syscall address](#strace). 167 | 168 | 169 | --------- 170 | ## I/O Micro-benchmark test (Paper Section 6.1): 171 | 1. Two sparated experiment: ssd disk read and memory read. 172 | 2. For **ssd disk** read test: 173 | 1. Codes lie in `source_codes/apps/io_file`. We have modified the `syscall_read` codes to have 11 times read function tests. The first time read test for the boost period, and the 10 times followed for evaluation. 174 | 2. Firstly, make a big file in toRead folder named test.file. We use `dd` to build a 2 Gbytes file, e.g., `dd if=/dev/zero of=test.file bs=1M count=2048` 175 | 3. Modify codes in `io_file/syscall_read.c`: 176 | * Make sure the `FILE_POS` is `1` 177 | * `WITH_SUM` parameter is corresponding to Table 3 in the paper. 178 | 4. `make` 179 | 5. **(Optional: has been Pre-hardcode)** `sudo ./syscall_read `, like `sudo ./syscall_read 1024` for 1024 bytes every read. `strace` to get the syscall address, now we support `pread64()` syscall. 180 | 6. **(Optional: has been Pre-hardcode)** Modify `ub/zz_daemon/main.c` and add syscall address in array `targets[]`. Re-compile the daemon program. 181 | 7. Insert the kernel module, and run the daemon program. 182 | 8. Run the `syscall_read` program `sudo ./syscall_read `. The boost period will happen in the first read function of the program(we repeat the read function 11 times.), and the 10 times followed will enjoy the boosting. 183 | 3. For **memory** read test: 184 | 1. The only difference is to build a file in `/dev/shm/` folder and modify `FILE_POS -> 0` in `apps/io_file/syscall_read.c`. 185 | 4. For **io_uring** test: 186 | 1. We use **fio 3.16** to test io_uring. `sudo apt install fio` 187 | 2. `sudo fio --name=/dev/shm/test.file --bs= --ioengine=io_uring --iodepth= --iodepth_batch_submit= --iodepth_batch_complete= --iodepth_batch_complete_min= --rw=read --direct=0 --size= --numjobs=1 --sqthread_poll=1 --runtime=240 --group_report` 188 | 3. To be fair, we set different batch sizes with different file sizes:(IO size - file size) 64-256MiB, 256-1GiB, 1024-8GiB, 4096-16GiB. 189 | 4. We also test different io_depth influences on memory read. The range is 2^(1 - 10), which corresponds to Fig 6 in the paper. 190 | --- 191 | ### Redis test (Paper Section 6.2): 192 | 1. Redis version: [6.2.6](https://github.com/redis/redis/archive/refs/tags/6.2.6.tar.gz). Download and compile. 193 | 2. Bind the redis-server to a specific NIC and port in `config.conf` (find `bind` in `config.conf`). 194 | 3. **(Optional: has been Pre-hardcode)** Get the syscall address of redis-server. Here we only support syscall `write` of redis-server. Add the syscall address in `source_codes/ub/zz_daemon/main.c` and compile the daemon program. 195 | 4. Insert the kernel module then run the daemon program. 196 | 5. Run redis-server in `redis-6.2.6/src`: `./redis-server ../redis-conf`. 197 | 6. Run redis-client. In our environment, we use two servers and a pair of directly connected Mellonax Connectx-3/5 NIC to do the experiment. `./redis-benchmark -h -p -t get -n 1000000 -d 3 --threads 2`. The parameter `-t` specify the method, e.g., `get` or `set`, and `-d` means the data size value. 198 | 199 | ##### Tips of redis test: 200 | 1. We verify `-d` from $2^0$ to $2^{14}$. 201 | 2. Every `get` method test should start from a `set` test with a same `-d` parameter. 202 | 3. The boosting period may need 20-30s for redis, so the `-n` parameter needs to be large enough. The acceleration gets better as the benchmark runs longer. 203 | 4. After the boost complete, you can stop the benchmark and start a new benchmark test without boost again. 204 | 5. The redis-server and redis-client can run in the same machine. 205 | 6. Different hardware settings will get different results. 206 | 207 | #### F-Stack: 208 | 1. [F-Stack](https://github.com/F-Stack/f-stack/archive/refs/tags/v1.22.zip) 209 | 2. Use the F-Stack official tutorial to install and run. 210 | 3. Bind one NIC to DPDK. 211 | 4. The redis-6.2.6 is in `app` folder, compile and bind it to the DPDK NIC. 212 | 5. Start redis from F-Stack: `sudo redis-server --conf config.ini --proc-type=primary --proc-id=0 app/redis-6.2.6/redis.conf` 213 | 214 | ##### Tips of F-Stack: 215 | 1. Multi-NIC are needed for DPDK configuration. 216 | 2. If you use Mellanox NIC and the driver >= mlx4, then DPDK is supported originally. No DPDK NIC binding needed. 217 | 218 | ----- 219 | 220 | ### Nginx test (Paper Section 6.3): 221 | 1. Nginx version: 1.20.0. 222 | 2. [Install tutorial](http://nginx.org/en/docs/configure.html). `libpcre-dev` is needed. Configure options we used: `sudo ./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/run/nginx.pid --lock-path=/var/lock/nginx.lock --modules-path=/usr/lib/nginx/module --with-http_gunzip_module --with-http_gzip_static_module` 223 | 3. `make && make install` 224 | 4. The nginx configuration files are in `source_codes/apps/nginx`, move them to `/etc/` folder `mv source_codes/apps/nginx /etc/`. The website files need to be put in `/var/www/html` and they can be accessed from the `8088` port. Using `dd` to make files of a specific size. i.e., `sudo dd if=/dev/zero of=4k.html bs=4K count=1` 225 | 5. Run `sudo nignx` to start nginx daemon program. Test whether it is working by `curl` or `wget`, e.g., `curl http://localhost:8088/4k.html`. 226 | 6. Do the benchmark by using [wrk](https://github.com/wg/wrk) from another machine. `./wrk -t8 -c1024 -d12 `. Here `-t8 -c1024 -d12` represent 8 threads, 1024 connection, and 12 seconds respectively. 227 | 7. **(Optional: has been Pre-hardcode)** `strace` the nginx-worker thread to find the syscall address. Now we support 5 syscalls acceleration: `openat, setsockopt, writev, sendfile, close`. Add addresses of these 5 syscalls in `source_codes/ub/zz_daemon/main.c`, and recompile the daemon program. 228 | 8. Insert the kernel module first, and then run the daemon program in root mode. 229 | 9. Run wrk from another machine(the same machine is also ok) and wait for the boost complete. The boost period may cost more than 3 minutes depending on the RPS, so the first boost needs a big number of wrk -d parameter. 230 | 10. After the acceleration is complete, stop wrk and continue to use `-d12` for testing. 231 | 232 | 233 | ##### Tips of nginx test: 234 | 1. Some syscalls gaps of nginx may be very large, so modify `syscall_short_th` and ` hot_caller_th` in `source_codes/ub/zz_lkm/stat.c` to capture them. Increasing `syscall_short_th` and reducing `hot_caller_th` can catch syscalls that execute slower and with longer intervals. 235 | 2. Modify `worker_processes` and `worker_cpu_affinity` in nginx configure files `etc/nginx/nginx.conf` can set nginx worker threads and affinity. (`worker_cpu_affinity` set core affinity in the binary bit map.) 236 | 1. `worker_cpu_affinity: 0010000000000000`: which means 16 cores in this machine, and bind the only one worker process to core `13`. 237 | 3. After changing the configuration, use `sudo nginx -s reload` to load the new config. 238 | 239 | ---- 240 | 241 | ## Raw socket test (Paper Section 6.4): 242 | 243 | #### Raw socket: 244 | 1. Two machine(client and server) are needed. Codes in `source_codes/apps/socket/udp` folder. 245 | 2. Client uses `send_upd.c` as the sender. Change the 'xxx' of `theirAddr.sin_addr.s_addr = inet_addr("xxx.xxx.xxx.xxx");` in `source_codes/apps/socket/send_udp.c` to one of the server NIC address. Use `gcc send_udp.c -o send_udp -lpthread` to compile the sender. Just use `./send_udp` to run. 246 | 3. Server needs to modify 'xxx' of `const char *opt = "xxx";` in `source_codes/apps/socket/udp/raw_socket_udp.c` to the real name of the chosen NIC. `make` to compile the server. Use `sudo ./sniff <0_OR_1>` to run. 0 or 1 means whether to do the calculation of the incoming packages. 247 | 4. **(Optional: has been Pre-hardcode)** Same as previous, use `strace` to get the syscall address after running these two programs. Here we support server's syscall `recvfrom()`. Then add its address in the daemon program. 248 | 5. Insert the kernel module, recompile the daemon program, and run. 249 | 6. Run the sender and receiver program again, waiting for the boost complete. 250 | 7. Here we also modify the receiver to have an 11 times socket read test. The first one is used for boosting period, and the 10 times followed for evaluation. 251 | 252 | 253 | #### eBPF: 254 | 1. `sudo apt install python3-bpfcc` and `sudo pip install bcc` 255 | 2. Two machine(client and server) are needed. Codes in `source_codes/apps/socket/bpf` folder. 256 | 3. Client uses `send_upd.c` as the sender. Change the 'xxx' of `theirAddr.sin_addr.s_addr = inet_addr("xxx.xxx.xxx.xxx");` in `source_codes/apps/socket/send_udp.c` to one of the server NIC address. Use `gcc send_udp.c -o send_udp -lpthread` to compile the sender. Just use `./send_udp` to run. 257 | 4. Server needs to modify 'xxx' of `device = "xxx"` in `source_codes/apps/socket/bpf/main.py` to the real name of the chosen NIC. 258 | 5. Just run `sudo python3 wrapper.py`. The script will output every 10 seconds. 259 | --- 260 | 261 | ## Tips 262 | 263 | 1. In most situations, turning on **KPTI** will have better performance gain. Newer processors may not be affected by the [Meltdown](https://meltdownattack.com/), so they are not affected by KPTI. 264 | 2. How to turn off KPTI: modify `GRUB_CMDLINE_LINUX_DEFAULT=""` line in `/etc/default/grub`, add `nopti` option inside the double quotation marks. Then update grub and reboot. 265 | 266 | ### Supported syscalls: 267 | 268 | Address are collected in our setting, please double check. 269 | 270 | If addresses update is needed, please follow the [instruction on how to find syscall address](#strace). 271 | 272 | | **Application** | **Syscalls** | **Address** | 273 | | ----------- | ---------- | ---------- | 274 | | **redis** | write | 0x7ffff7e5232f | 275 | | | | | 276 | | **nginx** | openat | 0x7ffff7fa1abb | 277 | | | setsockopt | 0x7ffff7df274e | 278 | | | writev | 0x7ffff7de6487 | 279 | | | sendfile | 0x7ffff7de4fae | 280 | | | close | 0x07ffff7fa1437 | 281 | | | | | 282 | | **raw socket** | recvfrom | 0x7ffff7fa76ca | 283 | | | | | 284 | | **read memory/file** | pread | 0x7ffff7ed116a| 285 | --------------------------------------------------------------------------------