├── .gitignore ├── .gitmodules ├── Dockerfile ├── Enclaves └── SimpleFuzzTest │ ├── App │ ├── App.cpp │ ├── App.h │ ├── TrustedLibrary │ │ └── Libcxx.cpp │ └── sgxerrorprinting.cpp │ ├── Enclave │ ├── Enclave.config.xml │ ├── Enclave.cpp │ ├── Enclave.edl │ ├── Enclave.h │ ├── Enclave.lds │ ├── Enclave_debug.lds │ ├── Enclave_private_test.pem │ └── TrustedLibrary │ │ ├── Libcxx.cpp │ │ └── Libcxx.edl │ ├── Makefile │ ├── enclave.signed.so │ ├── enclave.signed.so.layout │ ├── enclave.signed.so.mem │ ├── enclave.signed.so.mem.zst │ └── enclave.signed.so.tcs.txt ├── README.md ├── analyze_crashes.py ├── calculate-coverage.sh ├── display-struct.sh ├── display-structs.py ├── enclave-dumper-win ├── sgx_sign.exe └── sgx_sign_gdb.py ├── enclave-dumper ├── DumpReader.py ├── Makefile ├── extract.sh └── linux-sgx-sign.patch ├── initialize-target.sh ├── kafl ├── LICENSES │ ├── AGPL-3.0 │ ├── Apache-2.0 │ ├── BSD-2-Clause │ ├── GPL-2.0 │ └── MIT ├── README.md ├── install.sh ├── kAFL-Fuzzer │ ├── .gitignore │ ├── banner.txt │ ├── common │ │ ├── __init__.py │ │ ├── color.py │ │ ├── config.py │ │ ├── execution_result.py │ │ ├── log.py │ │ ├── qemu.py │ │ ├── qemu_aux_buffer.py │ │ ├── qemu_protocol.py │ │ ├── self_check.py │ │ └── util.py │ ├── debug │ │ ├── __init__.py │ │ └── core.py │ ├── dict │ │ ├── http_sys.dict │ │ └── vuln.dict │ ├── fuzzer │ │ ├── __init__.py │ │ ├── bitmap.py │ │ ├── communicator.py │ │ ├── core.py │ │ ├── native │ │ │ ├── Makefile │ │ │ └── bitmap.c │ │ ├── node.py │ │ ├── process │ │ │ ├── __init__.py │ │ │ ├── master.py │ │ │ └── slave.py │ │ ├── queue.py │ │ ├── scheduler.py │ │ ├── state_logic.py │ │ ├── statistics.py │ │ └── technique │ │ │ ├── __init__.py │ │ │ ├── arithmetic.py │ │ │ ├── bitflip.py │ │ │ ├── grimoire_inference.py │ │ │ ├── grimoire_mutations.py │ │ │ ├── havoc.py │ │ │ ├── havoc_handler.py │ │ │ ├── helper.py │ │ │ ├── interesting_values.py │ │ │ ├── radamsa.py │ │ │ ├── redqueen │ │ │ ├── __init__.py │ │ │ ├── cmp.py │ │ │ ├── 
colorize.py │ │ │ ├── encoding.py │ │ │ ├── hash_fix.py │ │ │ ├── hash_patch.py │ │ │ ├── mod.py │ │ │ ├── parser.py │ │ │ └── workdir.py │ │ │ ├── struct_recovery.py │ │ │ └── trim.py │ ├── info │ │ ├── __init__.py │ │ └── core.py │ ├── kafl_cov.py │ ├── kafl_debug.py │ ├── kafl_fuzz.py │ ├── kafl_gui.py │ ├── kafl_info.py │ ├── kafl_plot.py │ ├── kafl_user_prepare.py │ ├── proc_map_helper.py │ ├── redqueen_mut.py │ ├── seed │ │ ├── ext4 │ │ │ └── ext4.img │ │ ├── fat │ │ │ ├── fat_a │ │ │ ├── fat_b │ │ │ ├── fat_c │ │ │ ├── fat_d │ │ │ └── fat_e │ │ ├── kafl_vulntest │ │ │ └── seed_file │ │ ├── ntfs │ │ │ └── ntfs64 │ │ └── ntfs_win │ │ │ └── ntfs_header_64k │ ├── test.py │ └── tests │ │ ├── __init__.py │ │ ├── helper.py │ │ ├── test_deterministic.py │ │ ├── test_havoc_handler.py │ │ └── test_random.py ├── patches.old │ ├── 0001-fail-of-frontend-did-not-create-SHM-backing-files-of.patch │ ├── 0001-linux-kvm-starved.patch │ ├── 0002-qemu_starved_and_other.patch │ ├── auto_dict.patch │ ├── kvm │ │ ├── README.md │ │ ├── usermode_test │ │ │ ├── Makefile │ │ │ ├── support_test.c │ │ │ └── test.c │ │ ├── v5.4 │ │ │ ├── 0001-linux-5.4.34-kafl+redq.patch │ │ │ └── 0002-Set-kAFL-hypercall-longmode-properly-fix-printk-buil.patch │ │ ├── v5.7 │ │ │ ├── 0001-linux-5.7.3-merged-kafl+redq.patch │ │ │ └── 0002-Set-kAFL-hypercall-longmode-properly-fix-printk-buil.patch │ │ └── v5.8 │ │ │ ├── 0001-merged-kAFL-Redqueen-patch-to-KVM-VMX.patch │ │ │ └── 0002-Set-kAFL-hypercall-longmode-properly-fix-printk-buil.patch │ └── qemu │ │ ├── v4.2.0 │ │ ├── 0001-Reworked-patch-from-https-github.com-RUB-SysSec-redq.patch │ │ ├── 0002-Add-support-for-x86_32-panic-kasan-handler.patch │ │ ├── 0003-kAFL-v2-frontend-requires-us-to-start-counting-at-0.patch │ │ ├── 0004-Convert-Qemu-printf-to-qemu_log-set-and-report-disas.patch │ │ ├── 0005-Check-fopen-return-code-do-not-write-to-inaccessible.patch │ │ ├── 0006-Add-missing-ifdef-to-compile-without-enable-redqueen.patch │ │ ├── 
0007-Logging-Cleanup-messages-and-reduce-default-verbosit.patch │ │ ├── 0008-Fix-segfault-when-IPT-filtering-is-not-enabled.patch │ │ ├── 0009-fix-failing-assert-add-check-for-mmap-return.patch │ │ ├── 0010-turn-some-redqueen-printf-output-to-debug-only.patch │ │ ├── 0011-enable-i386-target-as-well.patch │ │ ├── 0012-read-guest-memory-on-PT-decode-when-more-likely-paged.patch │ │ ├── 0013-disable-debug-and-fuzz-opts.patch │ │ └── 0014-PT-decoder-fix-for-ICL-TGL.patch │ │ └── v5.0.0 │ │ ├── 0001-Reworked-patch-from-https-github.com-RUB-SysSec-redq.patch │ │ ├── 0002-Add-support-for-x86_32-panic-kasan-handler.patch │ │ ├── 0003-kAFL-v2-frontend-requires-us-to-start-counting-at-0.patch │ │ ├── 0004-Convert-Qemu-printf-to-qemu_log-set-and-report-disas.patch │ │ ├── 0005-Check-fopen-return-code-do-not-write-to-inaccessible.patch │ │ ├── 0006-Add-missing-ifdef-to-compile-without-enable-redqueen.patch │ │ ├── 0007-Logging-Cleanup-messages-and-reduce-default-verbosit.patch │ │ ├── 0008-Fix-segfault-when-IPT-filtering-is-not-enabled.patch │ │ ├── 0009-fix-failing-assert-add-check-for-mmap-return.patch │ │ ├── 0010-turn-some-redqueen-printf-output-to-debug-only.patch │ │ ├── 0011-enable-i386-target-as-well.patch │ │ ├── 0012-read-guest-memory-on-PT-decode-when-more-likely-paged.patch │ │ ├── 0013-disable-debug-and-fuzz-opts.patch │ │ └── 0014-PT-decoder-fix-for-ICL-TGL.patch ├── targets.old │ ├── kafl_user.h │ ├── linux_x86_64-userspace │ │ ├── .gitignore │ │ ├── compile.sh │ │ ├── initrd │ │ │ ├── .gitignore │ │ │ ├── pack.sh │ │ │ ├── run_vm.sh │ │ │ └── template │ │ │ │ ├── dev │ │ │ │ └── .gitkeep │ │ │ │ ├── etc │ │ │ │ ├── nsswitch.conf │ │ │ │ └── passwd │ │ │ │ ├── init │ │ │ │ ├── lib │ │ │ │ ├── i386-linux-gnu │ │ │ │ │ └── .gitkeep │ │ │ │ └── x86_64-linux-gnu │ │ │ │ │ └── .gitkeep │ │ │ │ ├── lib64 │ │ │ │ └── .gitkeep │ │ │ │ ├── proc │ │ │ │ └── .gitkeep │ │ │ │ ├── sbin │ │ │ │ ├── sys │ │ │ │ └── .gitkeep │ │ │ │ ├── tmp │ │ │ │ └── .gitkeep │ │ │ │ └── usr 
│ │ │ │ ├── bin │ │ │ │ └── sbin │ │ └── src │ │ │ ├── ld_preload_fuzz.c │ │ │ ├── ld_preload_info.c │ │ │ └── userspace_loader.c │ └── linux_x86_64 │ │ ├── .gitignore │ │ ├── compile.sh │ │ └── src │ │ ├── fuzzer │ │ ├── fs_fuzzer.c │ │ ├── hprintf_test.c │ │ ├── kafl_vuln_json.c │ │ └── kafl_vuln_test.c │ │ ├── info │ │ └── info.c │ │ └── loader │ │ ├── loader.c │ │ └── stage2_loader.c └── tools │ ├── display-structs.py │ └── mcat.py ├── native-sgx-runner ├── CMakeLists.txt ├── InputMutator.cpp ├── InputMutator.h ├── InputNode.hpp ├── NativeEnclave.cpp ├── NativeEnclave.h ├── buffer │ ├── Buffer.h │ ├── GuardedBuffer.cpp │ ├── GuardedBuffer.h │ ├── InEnclaveBuffer.h │ └── PartialEnclaveBuffer.h ├── libnyx.c ├── libnyx.h ├── main-generic.cpp ├── make-enclave-fuzz-target.sh └── sgx_types.h ├── packer ├── .gitignore ├── agents │ └── nyx.h ├── linux_initramfs │ ├── bzImage-linux-4.15-rc7 │ ├── pack.sh │ └── rootTemplate │ │ ├── bin │ │ ├── ash │ │ ├── base64 │ │ ├── bash │ │ ├── busybox │ │ ├── cat │ │ ├── catv │ │ ├── chattr │ │ ├── chgrp │ │ ├── chmod │ │ ├── chown │ │ ├── conspy │ │ ├── cp │ │ ├── cpio │ │ ├── cttyhack │ │ ├── date │ │ ├── dd │ │ ├── df │ │ ├── dmesg │ │ ├── dnsdomainname │ │ ├── dumpkmap │ │ ├── echo │ │ ├── ed │ │ ├── egrep │ │ ├── false │ │ ├── fatattr │ │ ├── fdflush │ │ ├── fgrep │ │ ├── file │ │ ├── fsync │ │ ├── getSyms │ │ ├── getopt │ │ ├── grep │ │ ├── gunzip │ │ ├── gzip │ │ ├── hostname │ │ ├── hush │ │ ├── ionice │ │ ├── iostat │ │ ├── ipcalc │ │ ├── kbd_mode │ │ ├── kill │ │ ├── ldconfig │ │ ├── linux32 │ │ ├── linux64 │ │ ├── ln │ │ ├── login │ │ ├── ls │ │ ├── lsattr │ │ ├── lzop │ │ ├── makemime │ │ ├── mkdir │ │ ├── mknod │ │ ├── mktemp │ │ ├── more │ │ ├── mount │ │ ├── mountpoint │ │ ├── mpstat │ │ ├── mt │ │ ├── mv │ │ ├── netstat │ │ ├── nice │ │ ├── pidof │ │ ├── ping │ │ ├── ping6 │ │ ├── pipe_progress │ │ ├── printenv │ │ ├── ps │ │ ├── pwd │ │ ├── reformime │ │ ├── rev │ │ ├── rm │ │ ├── rmdir │ │ ├── rpm │ │ ├── 
run-parts │ │ ├── scriptreplay │ │ ├── sed │ │ ├── setarch │ │ ├── setserial │ │ ├── sh │ │ ├── sleep │ │ ├── stat │ │ ├── stty │ │ ├── su │ │ ├── sync │ │ ├── tar │ │ ├── touch │ │ ├── true │ │ ├── umount │ │ ├── uname │ │ ├── usleep │ │ ├── vi │ │ ├── watch │ │ └── zcat │ │ ├── dev │ │ └── .empty │ │ ├── etc │ │ ├── group │ │ ├── localtime │ │ ├── nsswitch.conf │ │ ├── passwd │ │ └── shadow │ │ ├── init_template │ │ ├── lib32 │ │ ├── libasan.so.4 │ │ ├── libc.so.6 │ │ ├── libdl.so.2 │ │ ├── libgcc_s.so.1 │ │ ├── libm.so.6 │ │ ├── libpthread.so.0 │ │ ├── librt.so.1 │ │ └── libstdc++.so.6 │ │ ├── linuxrc │ │ ├── proc │ │ └── .empty │ │ ├── sbin │ │ ├── acpid │ │ ├── adjtimex │ │ ├── arp │ │ ├── blkid │ │ ├── blockdev │ │ ├── bootchartd │ │ ├── depmod │ │ ├── devmem │ │ ├── fbsplash │ │ ├── fdisk │ │ ├── findfs │ │ ├── freeramdisk │ │ ├── fsck │ │ ├── fsck.minix │ │ ├── fstrim │ │ ├── getty │ │ ├── halt │ │ ├── hdparm │ │ ├── hwclock │ │ ├── ifconfig │ │ ├── ifdown │ │ ├── ifenslave │ │ ├── ifup │ │ ├── init │ │ ├── insmod │ │ ├── ip │ │ ├── ipaddr │ │ ├── iplink │ │ ├── iproute │ │ ├── iprule │ │ ├── iptunnel │ │ ├── klogd │ │ ├── loadkmap │ │ ├── logread │ │ ├── losetup │ │ ├── lsmod │ │ ├── makedevs │ │ ├── mdev │ │ ├── mkdosfs │ │ ├── mke2fs │ │ ├── mkfs.ext2 │ │ ├── mkfs.minix │ │ ├── mkfs.vfat │ │ ├── mkswap │ │ ├── modinfo │ │ ├── modprobe │ │ ├── nameif │ │ ├── pivot_root │ │ ├── poweroff │ │ ├── raidautorun │ │ ├── reboot │ │ ├── rmmod │ │ ├── route │ │ ├── runlevel │ │ ├── setconsole │ │ ├── slattach │ │ ├── start-stop-daemon │ │ ├── sulogin │ │ ├── swapoff │ │ ├── swapon │ │ ├── switch_root │ │ ├── sysctl │ │ ├── syslogd │ │ ├── tunctl │ │ ├── udhcpc │ │ ├── uevent │ │ ├── vconfig │ │ ├── watchdog │ │ └── zcip │ │ ├── sys │ │ └── .empty │ │ ├── tmp │ │ └── .empty │ │ └── usr │ │ ├── bin │ │ ├── [ │ │ ├── [[ │ │ ├── awk │ │ ├── basename │ │ ├── beep │ │ ├── blkdiscard │ │ ├── bunzip2 │ │ ├── bzcat │ │ ├── bzip2 │ │ ├── cal │ │ ├── chpst │ │ ├── chrt │ │ 
├── chvt │ │ ├── cksum │ │ ├── clear │ │ ├── cmp │ │ ├── comm │ │ ├── crontab │ │ ├── cryptpw │ │ ├── cut │ │ ├── dc │ │ ├── deallocvt │ │ ├── diff │ │ ├── dirname │ │ ├── dos2unix │ │ ├── du │ │ ├── dumpleases │ │ ├── eject │ │ ├── env │ │ ├── envdir │ │ ├── envuidgid │ │ ├── expand │ │ ├── expr │ │ ├── fgconsole │ │ ├── find │ │ ├── flock │ │ ├── fold │ │ ├── free │ │ ├── ftpget │ │ ├── ftpput │ │ ├── fuser │ │ ├── groups │ │ ├── hd │ │ ├── head │ │ ├── hexdump │ │ ├── hostid │ │ ├── id │ │ ├── install │ │ ├── ipcrm │ │ ├── ipcs │ │ ├── killall │ │ ├── last │ │ ├── ldd │ │ ├── less │ │ ├── logger │ │ ├── logname │ │ ├── lpq │ │ ├── lpr │ │ ├── lsof │ │ ├── lspci │ │ ├── lsusb │ │ ├── lzcat │ │ ├── lzma │ │ ├── lzopcat │ │ ├── man │ │ ├── md5sum │ │ ├── mesg │ │ ├── microcom │ │ ├── mkfifo │ │ ├── mkpasswd │ │ ├── nc │ │ ├── nmeter │ │ ├── nohup │ │ ├── nslookup │ │ ├── od │ │ ├── openvt │ │ ├── passwd │ │ ├── patch │ │ ├── pgrep │ │ ├── pkill │ │ ├── pmap │ │ ├── printf │ │ ├── pscan │ │ ├── pstree │ │ ├── pwdx │ │ ├── readlink │ │ ├── realpath │ │ ├── renice │ │ ├── reset │ │ ├── resize │ │ ├── rpm2cpio │ │ ├── runsv │ │ ├── runsvdir │ │ ├── rx │ │ ├── script │ │ ├── seq │ │ ├── setkeycodes │ │ ├── setsid │ │ ├── setuidgid │ │ ├── sha1sum │ │ ├── sha256sum │ │ ├── sha3sum │ │ ├── sha512sum │ │ ├── showkey │ │ ├── shuf │ │ ├── smemcap │ │ ├── softlimit │ │ ├── sort │ │ ├── split │ │ ├── strace │ │ ├── strings │ │ ├── sum │ │ ├── sv │ │ ├── tac │ │ ├── tail │ │ ├── tcpsvd │ │ ├── tee │ │ ├── telnet │ │ ├── test │ │ ├── tftp │ │ ├── time │ │ ├── timeout │ │ ├── top │ │ ├── tr │ │ ├── traceroute │ │ ├── traceroute6 │ │ ├── truncate │ │ ├── tty │ │ ├── ttysize │ │ ├── udpsvd │ │ ├── unexpand │ │ ├── uniq │ │ ├── unix2dos │ │ ├── unlink │ │ ├── unlzma │ │ ├── unlzop │ │ ├── unxz │ │ ├── unzip │ │ ├── uptime │ │ ├── users │ │ ├── uudecode │ │ ├── uuencode │ │ ├── vlock │ │ ├── volname │ │ ├── wall │ │ ├── wc │ │ ├── wget │ │ ├── which │ │ ├── who │ │ ├── whoami │ │ ├── 
whois │ │ ├── xargs │ │ ├── xz │ │ ├── xzcat │ │ └── yes │ │ ├── lib │ │ └── x86_64-linux-gnu │ │ │ └── libasan.so.2 │ │ ├── lib32 │ │ ├── libasan.so.2 │ │ ├── libgcc_s.so.1 │ │ ├── libpthread.so.2 │ │ └── libstdc++.so.6 │ │ └── sbin │ │ ├── add-shell │ │ ├── addgroup │ │ ├── adduser │ │ ├── arping │ │ ├── brctl │ │ ├── chat │ │ ├── chpasswd │ │ ├── chroot │ │ ├── crond │ │ ├── delgroup │ │ ├── deluser │ │ ├── dhcprelay │ │ ├── dnsd │ │ ├── ether-wake │ │ ├── fakeidentd │ │ ├── fbset │ │ ├── fdformat │ │ ├── ftpd │ │ ├── httpd │ │ ├── i2cdetect │ │ ├── i2cdump │ │ ├── i2cget │ │ ├── i2cset │ │ ├── ifplugd │ │ ├── inetd │ │ ├── killall5 │ │ ├── loadfont │ │ ├── lpd │ │ ├── nanddump │ │ ├── nandwrite │ │ ├── nbd-client │ │ ├── ntpd │ │ ├── popmaildir │ │ ├── powertop │ │ ├── rdate │ │ ├── rdev │ │ ├── readahead │ │ ├── readprofile │ │ ├── remove-shell │ │ ├── rtcwake │ │ ├── sendmail │ │ ├── setfont │ │ ├── setlogcons │ │ ├── svlogd │ │ ├── telnetd │ │ ├── tftpd │ │ ├── ubiattach │ │ ├── ubidetach │ │ ├── ubimkvol │ │ ├── ubirmvol │ │ ├── ubirsvol │ │ ├── ubiupdatevol │ │ └── udhcpd └── packer │ ├── .gitignore │ ├── common │ ├── __init__.py │ ├── color.py │ ├── config.py │ ├── debug.py │ ├── info.py │ ├── self_check.py │ └── util.py │ ├── compiler │ ├── .gitignore │ ├── Makefile │ ├── README.llvm │ ├── afl-clang-fast.c │ ├── afl-llvm-pass.so.cc │ ├── afl-llvm-rt.o.c │ ├── alloc-inl.h │ ├── android-ashmem.h │ ├── config.h │ ├── debug.h │ ├── test-instr.c │ └── types.h │ ├── fuzzer_configs │ └── .gitignore │ ├── help.txt │ ├── linux_x86_64-userspace │ ├── compile_32.sh │ ├── compile_64.sh │ ├── compile_loader.sh │ ├── compile_net_standalone.sh │ ├── src │ │ ├── htools │ │ │ ├── habort.c │ │ │ ├── hcat.c │ │ │ ├── hget.c │ │ │ └── hpush.c │ │ ├── ijon_extension.h │ │ ├── ld_preload_fuzz.c │ │ ├── ld_preload_info.c │ │ ├── libnyx.c │ │ ├── libnyx.h │ │ ├── loader.c │ │ ├── misc │ │ │ ├── crash_handler.c │ │ │ ├── crash_handler.h │ │ │ ├── harness_state.c │ │ │ ├── 
harness_state.h │ │ │ ├── struct_synth_report.c │ │ │ └── struct_synth_report.h │ │ ├── netfuzz │ │ │ ├── inject.c │ │ │ ├── run_dcmtk.sh │ │ │ ├── run_dnsmasq.sh │ │ │ ├── run_live555.sh │ │ │ ├── socket_cache.c │ │ │ ├── socket_cache.h │ │ │ ├── standalone_compile.sh │ │ │ ├── syscalls.c │ │ │ └── syscalls.h │ │ └── userspace_loader.c │ └── test.sh │ ├── nyx.ini │ ├── nyx_config_gen.py │ └── nyx_packer.py ├── run-example.sh ├── seeds └── abc ├── setup.sh └── struct_recovery.py /.gitignore: -------------------------------------------------------------------------------- 1 | *.so 2 | *.fuzz 3 | 4 | build/ 5 | liblibnyx_dummy.so 6 | 7 | fuzzer.log 8 | 9 | packer/linux_initramfs/init_debug_shell.cpio.gz 10 | packer/linux_initramfs/init.cpio 11 | packer/linux_initramfs/init.cpio.gz -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "QEMU-Nyx"] 2 | path = QEMU-Nyx 3 | url = https://github.com/nyx-fuzz/QEMU-Nyx.git 4 | [submodule "KVM-Nyx"] 5 | path = KVM-Nyx 6 | url = https://github.com/nyx-fuzz/KVM-Nyx.git 7 | [submodule "zydis"] 8 | path = zydis 9 | url = https://github.com/zyantific/zydis.git 10 | [submodule "enclave-dumper/linux-sgx-sign"] 11 | path = enclave-dumper/linux-sgx-sign 12 | url = https://github.com/intel/linux-sgx 13 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:22.04 2 | 3 | RUN apt-get update 4 | RUN apt-get install -y git build-essential python2 python3 pkg-config libgtk-3-dev flex bison 5 | 6 | # Install capstone v4 for libxdc 7 | #WORKDIR /build 8 | #RUN git clone https://github.com/aquynh/capstone.git 9 | #WORKDIR /build/capstone 10 | #RUN git checkout v4 11 | #RUN make && make install 12 | 13 | # Install libxdc 14 | #WORKDIR /build 15 | #RUN git clone 
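https://github.com/nyx-fuzz/libxdc.git
16 | #WORKDIR /build/libxdc
17 | #RUN make install
18 | 
19 | WORKDIR /build
20 | # NOTE(review): unpinned clone of the default branch.  QEMU-Nyx is also tracked
21 | # as a submodule in .gitmodules; pin a commit (or COPY the submodule) so the
22 | # image is reproducible and not silently rebuilt from whatever upstream ships.
23 | RUN git clone https://github.com/nyx-fuzz/QEMU-Nyx.git
24 | WORKDIR /build/QEMU-Nyx
25 | RUN ./compile_qemu_nyx.sh lto
26 | 
27 | WORKDIR /build
28 | # Clone over HTTPS: `docker build` runs without an SSH agent or deploy key, so
29 | # the previous git@github.com: URL typically fails with a publickey error for
30 | # anyone but the author.  The tag pin is kept.
31 | RUN git clone --depth 1 --branch kvm-nyx-5.10.73 https://github.com/nyx-fuzz/kvm-nyx.git
32 | WORKDIR kvm-nyx
33 | RUN sh compile_kvm_nyx_standalone.sh
34 | 
35 | 
36 | 
37 | 
--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/App/App.cpp:
--------------------------------------------------------------------------------
1 | #include 
2 | 
3 | #include 
4 | #include 
5 | #define MAX_PATH FILENAME_MAX
6 | 
7 | #include "sgx_urts.h"
8 | #include "App.h"
9 | #include "Enclave_u.h"
10 | 
11 | #include 
12 | 
13 | #include "sgxerrorprinting.cpp"
14 | 
15 | /* Global EID shared by multiple threads */
16 | sgx_enclave_id_t global_eid = 0;
17 | 
18 | int update = 0;
19 | sgx_launch_token_t token = {0};
20 | 
21 | /*
22 |  * Load enclave.signed.so (ENCLAVE_FILENAME from App.h) and store its id in
23 |  * global_eid.
24 |  *
25 |  * Returns 0 on success, -1 after printing the SGX error code.
26 |  *
27 |  * SGX_DEBUG_FLAG asks for a debug-mode enclave.  That is what the dump/fuzz
28 |  * workflow in this repository needs, but a debug enclave's memory is readable
29 |  * by the untrusted host, so nothing built this way offers confidentiality.
30 |  */
31 | int initialize_enclave(void)
32 | {
33 |     sgx_status_t ret = SGX_ERROR_UNEXPECTED;
34 | 
35 |     /* Call sgx_create_enclave to initialize an enclave instance */
36 |     /* Debug Support: set 2nd parameter to 1 */
37 |     ret = sgx_create_enclave(ENCLAVE_FILENAME, SGX_DEBUG_FLAG, &token, &update, &global_eid, NULL);
38 |     if (ret != SGX_SUCCESS) {
39 |         print_error_message(ret);
40 |         return -1;
41 |     }
42 | 
43 |     return 0;
44 | }
45 | 
46 | // #######################################################################################################
47 | 
48 | /*
49 |  * Smoke test for the harness: create the enclave, issue one ECALL with a
50 |  * benign input ("TEST" does not start with "FUZZ", so it must not crash),
51 |  * destroy the enclave and exit with the wrapper's result (0 on success,
52 |  * -1 on failure).
53 |  */
54 | int main()
55 | {
56 |     int32_t x;
57 |     /* fuzz_test() takes a non-const char*; passing a string literal is
58 |      * ill-formed in C++11 and later.  sizeof includes the NUL: 5 bytes, as
59 |      * before. */
60 |     char input[] = "TEST";
61 | 
62 |     if (initialize_enclave() < 0) {
63 |         return -1;
64 |     }
65 |     /* sgx_enclave_id_t is an integer (uint64_t), not a pointer, so %p was a
66 |      * format/argument mismatch (undefined behaviour). */
67 |     printf("Created enclave: %llu\n", (unsigned long long)global_eid);
68 |     x = fuzz_test(input, (int)sizeof(input));
69 |     printf("Ret: 0x%x\n", (unsigned)x);
70 |     sgx_destroy_enclave(global_eid);
71 | 
72 |     return x;
73 | }
74 | 
--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/App/App.h: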
-------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2011-2017 Intel Corporation. All rights reserved. 3 | * 4 | * Redistribution and use in source and binary forms, with or without 5 | * modification, are permitted provided that the following conditions 6 | * are met: 7 | * 8 | * * Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * * Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in 12 | * the documentation and/or other materials provided with the 13 | * distribution. 14 | * * Neither the name of Intel Corporation nor the names of its 15 | * contributors may be used to endorse or promote products derived 16 | * from this software without specific prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 21 | * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 22 | * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 23 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 24 | * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 25 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 26 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 27 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 28 | * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
29 | * 30 | */ 31 | 32 | #ifndef _APP_H_ 33 | #define _APP_H_ 34 | 35 | #include 36 | //#include 37 | #undef FILENAME_MAX 38 | 39 | #include 40 | #include 41 | 42 | #include 43 | #include 44 | 45 | #include "sgx_error.h" /* sgx_status_t */ 46 | #include "sgx_eid.h" /* sgx_enclave_id_t */ 47 | 48 | 49 | #ifndef TRUE 50 | # define TRUE 1 51 | #endif 52 | 53 | #ifndef FALSE 54 | # define FALSE 0 55 | #endif 56 | 57 | #if defined(__GNUC__) 58 | #define TOKEN_FILENAME "enclave.token" 59 | #define ENCLAVE_FILENAME "enclave.signed.so" 60 | #endif 61 | 62 | extern sgx_enclave_id_t global_eid; /* global enclave id */ 63 | 64 | #if defined(__cplusplus) 65 | extern "C" { 66 | #endif 67 | 68 | int32_t fuzz_test(char* str, int str_len); 69 | 70 | 71 | #if defined(__cplusplus) 72 | } 73 | #endif 74 | 75 | #endif /* !_APP_H_ */ 76 | -------------------------------------------------------------------------------- /Enclaves/SimpleFuzzTest/App/TrustedLibrary/Libcxx.cpp: -------------------------------------------------------------------------------- 1 | #include "../App.h" 2 | #include "Enclave_u.h" 3 | 4 | int32_t fuzz_test(char* str, int str_len) { 5 | // int32_t e_ret; 6 | sgx_status_t ret = fuzz_ecall(global_eid, str, str_len); 7 | if(ret == SGX_SUCCESS) 8 | return 0; 9 | else 10 | return -1; 11 | } 12 | 13 | -------------------------------------------------------------------------------- /Enclaves/SimpleFuzzTest/Enclave/Enclave.config.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 0 4 | 0 5 | 0x40000 6 | 0x100000 7 | 1 8 | 1 9 | 0 10 | 0 11 | 0xFFFFFFFF 12 | 13 | -------------------------------------------------------------------------------- /Enclaves/SimpleFuzzTest/Enclave/Enclave.cpp: -------------------------------------------------------------------------------- 1 | #include "Enclave.h" 2 | #include "Enclave_t.h" /* print_string */ 3 | -------------------------------------------------------------------------------- 
/Enclaves/SimpleFuzzTest/Enclave/Enclave.edl: -------------------------------------------------------------------------------- 1 | enclave { 2 | from "TrustedLibrary/Libcxx.edl" import *; 3 | }; 4 | -------------------------------------------------------------------------------- /Enclaves/SimpleFuzzTest/Enclave/Enclave.h: -------------------------------------------------------------------------------- 1 | #ifndef _ENCLAVE_H_ 2 | #define _ENCLAVE_H_ 3 | 4 | #include 5 | #include 6 | 7 | //#if defined(__cplusplus) 8 | //extern "C" { 9 | //#endif 10 | // 11 | //#if defined(__cplusplus) 12 | //} 13 | //#endif 14 | 15 | #endif /* !_ENCLAVE_H_ */ 16 | -------------------------------------------------------------------------------- /Enclaves/SimpleFuzzTest/Enclave/Enclave.lds: -------------------------------------------------------------------------------- 1 | enclave.so 2 | { 3 | global: 4 | g_global_data_sim; 5 | g_global_data; 6 | enclave_entry; 7 | local: 8 | *; 9 | }; 10 | -------------------------------------------------------------------------------- /Enclaves/SimpleFuzzTest/Enclave/Enclave_debug.lds: -------------------------------------------------------------------------------- 1 | enclave.so 2 | { 3 | global: 4 | g_global_data_sim; 5 | g_global_data; 6 | enclave_entry; 7 | g_peak_heap_used; 8 | g_peak_rsrv_mem_committed; 9 | local: 10 | *; 11 | }; 12 | -------------------------------------------------------------------------------- /Enclaves/SimpleFuzzTest/Enclave/Enclave_private_test.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIG4gIBAAKCAYEAroOogvsj/fZDZY8XFdkl6dJmky0lRvnWMmpeH41Bla6U1qLZ 3 | AmZuyIF+mQC/cgojIsrBMzBxb1kKqzATF4+XwPwgKz7fmiddmHyYz2WDJfAjIveJ 4 | ZjdMjM4+EytGlkkJ52T8V8ds0/L2qKexJ+NBLxkeQLfV8n1mIk7zX7jguwbCG1Pr 5 | nEMdJ3Sew20vnje+RsngAzdPChoJpVsWi/K7cettX/tbnre1DL02GXc5qJoQYk7b 6 | 3zkmhz31TgFrd9VVtmUGyFXAysuSAb3EN+5VnHGr0xKkeg8utErea2FNtNIgua8H 7 | 
ONfm9Eiyaav1SVKzPHlyqLtcdxH3I8Wg7yqMsaprZ1n5A1v/levxnL8+It02KseD 8 | 5HqV4rf/cImSlCt3lpRg8U5E1pyFQ2IVEC/XTDMiI3c+AR+w2jSRB3Bwn9zJtFlW 9 | KHG3m1xGI4ck+Lci1JvWWLXQagQSPtZTsubxTQNx1gsgZhgv1JHVZMdbVlAbbRMC 10 | 1nSuJNl7KPAS/VfzAgEDAoIBgHRXxaynbVP5gkO0ug6Qw/E27wzIw4SmjsxG6Wpe 11 | K7kfDeRskKxESdsA/xCrKkwGwhcx1iIgS5+Qscd1Yg+1D9X9asd/P7waPmWoZd+Z 12 | AhlKwhdPsO7PiF3e1AzHhGQwsUTt/Y/aSI1MpHBvy2/s1h9mFCslOUxTmWw0oj/Q 13 | ldIEgWeNR72CE2+jFIJIyml6ftnb6qzPiga8Bm48ubKh0kvySOqnkmnPzgh+JBD6 14 | JnBmtZbfPT97bwTT+N6rnPqOOApvfHPf15kWI8yDbprG1l4OCUaIUH1AszxLd826 15 | 5IPM+8gINLRDP1MA6azECPjTyHXhtnSIBZCyWSVkc05vYmNXYUNiXWMajcxW9M02 16 | wKzFELO8NCEAkaTPxwo4SCyIjUxiK1LbQ9h8PSy4c1+gGP4LAMR8xqP4QKg6zdu9 17 | osUGG/xRe/uufgTBFkcjqBHtK5L5VI0jeNIUAgW/6iNbYXjBMJ0GfauLs+g1VsOm 18 | WfdgXzsb9DYdMa0OXXHypmV4GwKBwQDUwQj8RKJ6c8cT4vcWCoJvJF00+RFL+P3i 19 | Gx2DLERxRrDa8AVGfqaCjsR+3vLgG8V/py+z+dxZYSqeB80Qeo6PDITcRKoeAYh9 20 | xlT3LJOS+k1cJcEmlbbO2IjLkTmzSwa80fWexKu8/Xv6vv15gpqYl1ngYoqJM3pd 21 | vzmTIOi7MKSZ0WmEQavrZj8zK4endE3v0eAEeQ55j1GImbypSf7Idh7wOXtjZ7WD 22 | Dg6yWDrri+AP/L3gClMj8wsAxMV4ZR8CgcEA0fzDHkFa6raVOxWnObmRoDhAtE0a 23 | cjUj976NM5yyfdf2MrKy4/RhdTiPZ6b08/lBC/+xRfV3xKVGzacm6QjqjZrUpgHC 24 | 0LKiZaMtccCJjLtPwQd0jGQEnKfMFaPsnhOc5y8qVkCzVOSthY5qhz0XNotHHFmJ 25 | gffVgB0iqrMTvSL7IA2yqqpOqNRlhaYhNl8TiFP3gIeMtVa9rZy31JPgT2uJ+kfo 26 | gV7sdTPEjPWZd7OshGxWpT6QfVDj/T9T7L6tAoHBAI3WBf2DFvxNL2KXT2QHAZ9t 27 | k3imC4f7U+wSE6zILaDZyzygA4RUbwG0gv8/TJVn2P/Eynf76DuWHGlaiLWnCbSz 28 | Az2DHBQBBaku409zDQym3j1ugMRjzzSQWzJg0SIyBH3hTmnYcn3+Uqcp/lEBvGW6 29 | O+rsXFt3pukqJmIV8HzLGGaLm62BHUeZf3dyWm+i3p/hQAL7Xvu04QW70xuGqdr5 30 | afV7p5eaeQIJXyGQJ0eylV/90+qxjMKiB1XYg6WYvwKBwQCL/ddpgOdHJGN8uRom 31 | e7Zq0Csi3hGheMKlKbN3vcxT5U7MdyHtTZZOJbTvxKNNUNYH/8uD+PqDGNneb29G 32 | BfGzvI3EASyLIcGZF3OhKwZd0jUrWk2y7Vhob91jwp2+t73vdMbkKyI4mHOuXvGv 33 | fg95si9oO7EBT+Oqvhccd2J+F1IVXncccYnF4u5ZGWt5lLewN/pVr7MjjykeaHqN 34 | t+rfnQam2psA6fL4zS2zTmZPzR2tnY8Y1GBTi0Ko1OKd1HMCgcAb5cB/7/AQlhP9 35 | 
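yQa04PLH9ygQkKKptZp7dy5WcWRx0K/hAHRoi2aw1wZqfm7VBNu2SLcs90kCCCxp
36 | 6C5sfJi6b8NpNbIPC+sc9wsFr7pGo9SFzQ78UlcWYK2Gu2FxlMjonhka5hvo4zvg
37 | WxlpXKEkaFt3gLd92m/dMqBrHfafH7VwOJY2zT3WIpjwuk0ZzmRg5p0pG/svVQEH
38 | NZmwRwlopysbR69B/n1nefJ84UO50fLh5s5Zr3gBRwbWNZyzhXk=
39 | -----END RSA PRIVATE KEY-----
40 | 
--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/Enclave/TrustedLibrary/Libcxx.cpp:
--------------------------------------------------------------------------------
1 | #include "../Enclave.h"
2 | #include "Enclave_t.h"
3 | 
4 | /*
5 |  * fuzz_ecall -- the only ECALL of the SimpleFuzzTest enclave (see Libcxx.edl).
6 |  *
7 |  * Crash oracle for the fuzzer: an input that starts with "FUZZ" triggers a
8 |  * deliberate write to address 0, which the fuzzer reports as a crash.  Every
9 |  * other input returns normally.
10 |  *
11 |  * buf     -- declared [in, size=str_len] in the EDL, so the generated bridge
12 |  *            copies str_len bytes into enclave memory before calling us; it
13 |  *            may be NULL if the caller passed NULL.
14 |  * str_len -- number of bytes of buf that are valid to read.
15 |  *
16 |  * Note: enclave.signed.so in this directory is (presumably, via the Makefile)
17 |  * signed with the checked-in Enclave_private_test.pem.  That key is public,
18 |  * so the resulting MRSIGNER identifies nobody -- debug/test use only, never a
19 |  * production signing identity.
20 |  */
21 | void fuzz_ecall(char* buf, int str_len) {
22 |     /* The original read buf[0..3] unconditionally.  For str_len < 4 the
23 |      * bridge allocates a shorter in-enclave copy, so that was an
24 |      * out-of-bounds read inside the enclave (and a NULL dereference for a
25 |      * NULL buf) -- a crash unrelated to the one this target exists to show. */
26 |     if (!buf || str_len < 4) {
27 |         return;
28 |     }
29 |     if (buf[0] == 'F' && buf[1] == 'U' && buf[2] == 'Z' && buf[3] == 'Z') {
30 |         /* Intentional crash.  volatile keeps the store in the binary; a plain
31 |          * null store is undefined behaviour and the compiler may turn it into
32 |          * a trap instruction or drop it. */
33 |         *(volatile int*)0 = 0;
34 |     }
35 | }
36 | 
--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/Enclave/TrustedLibrary/Libcxx.edl:
--------------------------------------------------------------------------------
1 | enclave {
2 | 
3 |     from "sgx_tstdc.edl" import sgx_oc_cpuidex;
4 | 
5 |     trusted {
6 |         public void fuzz_ecall([in, size=str_len] char* str, int str_len);
7 |     };
8 | };
9 | 
--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/enclave.signed.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/Enclaves/SimpleFuzzTest/enclave.signed.so
--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/enclave.signed.so.layout:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/Enclaves/SimpleFuzzTest/enclave.signed.so.layout
--------------------------------------------------------------------------------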
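/Enclaves/SimpleFuzzTest/enclave.signed.so.mem:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/Enclaves/SimpleFuzzTest/enclave.signed.so.mem
--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/enclave.signed.so.mem.zst:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/Enclaves/SimpleFuzzTest/enclave.signed.so.mem.zst
--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/enclave.signed.so.tcs.txt:
--------------------------------------------------------------------------------
1 | 0x16f000
2 | 
--------------------------------------------------------------------------------
/calculate-coverage.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | # Replay the corpus of a finished fuzzing run under kAFL's coverage tracer.
3 | #
4 | # Usage: calculate-coverage.sh <run directory containing sgx_workdir/>
5 | set -euo pipefail
6 | 
7 | SGXFUZZ_ROOT=$(dirname "$(realpath "$0")")
8 | 
9 | # Fail early with a usage line instead of handing kafl_cov.py a bogus path.
10 | if [[ $# -ne 1 || ! -d "$1/sgx_workdir" ]]; then
11 |     echo "usage: $0 <run directory containing sgx_workdir/>" >&2
12 |     exit 1
13 | fi
14 | 
15 | WORKDIR=$(realpath "$1")
16 | # Presumably the sharedir the run was packed into -- verify against the script
17 | # that started the run.  NOTE(review): a predictable name under the shared
18 | # /tmp can be pre-created or symlinked by any other local user; on a
19 | # multi-user host use a per-user directory or mktemp instead.
20 | FUZZ_FOLDER=/tmp/$(basename "$WORKDIR")_fuzz_folder
21 | 
22 | printf "Using:\t%s\n\t%s\n" "$WORKDIR" "$FUZZ_FOLDER"
23 | 
24 | PY3=$SGXFUZZ_ROOT/venv-python3/bin/python3
25 | 
26 | # kafl_cov.py ships in this checkout under kafl/kAFL-Fuzzer/; the previous
27 | # absolute /home/<user>/kafl/... path only worked on the author's machine.
28 | "$PY3" "$SGXFUZZ_ROOT/kafl/kAFL-Fuzzer/kafl_cov.py" \
29 |     -sharedir "$FUZZ_FOLDER" \
30 |     -work_dir "$WORKDIR/sgx_workdir" \
31 |     -input "$WORKDIR/sgx_workdir" \
32 |     -initrd "$SGXFUZZ_ROOT/packer/linux_initramfs/init.cpio.gz" \
33 |     -kernel "$SGXFUZZ_ROOT/packer/linux_initramfs/bzImage-linux-4.15-rc7" \
34 |     -mem 1512 \
35 |     -trace \
36 |     -ip0 0-0
37 | 
--------------------------------------------------------------------------------
/display-struct.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | # Print the recovered input structure of ECALLs 0..20 for one run directory.
3 | #
4 | # Usage: display-struct.sh <run directory containing sgx_workdir/>
5 | 
6 | # Resolve the helper from this checkout *before* changing directory; the
7 | # previous hard-coded ~/kafl/tools/display-structs.py depended on the
8 | # author's $HOME.
9 | DISPLAY_STRUCTS=$(dirname "$(realpath "$0")")/kafl/tools/display-structs.py
10 | 
11 | # Quote $1 and stop if the cd fails: an unquoted `cd $1` that failed would
12 | # silently run the loop in the current directory instead.
13 | cd "$1" || exit 1
14 | 
15 | for i in {0..20}; do
16 |     echo "ECALL " "$i"
17 |     python3 "$DISPLAY_STRUCTS" sgx_workdir/ "$i" |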
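uniq
6 | done
7 | 
8 | # (The trailing `cd ..` of the original was dropped: a script's working
9 | # directory dies with the script, so it had no effect on the caller.)
--------------------------------------------------------------------------------
/enclave-dumper-win/sgx_sign.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/enclave-dumper-win/sgx_sign.exe
--------------------------------------------------------------------------------
/enclave-dumper/Makefile:
--------------------------------------------------------------------------------
1 | # Build a patched copy of Intel's sgx_sign from the linux-sgx submodule
2 | # (linux-sgx-sign.patch applied on top) and symlink it as ./sgx_sign for
3 | # extract.sh.  SE_SIM=1 / DEBUG=1 match what the patch expects.
4 | all: sgx_sign
5 | 
6 | linux-sgx-sign/:
7 | 	git submodule update --init $@
8 | 
9 | linux-sgx-sign/.PATCHED: linux-sgx-sign.patch | linux-sgx-sign/
10 | 	git -C linux-sgx-sign/ apply --intent-to-add "../$<"
11 | 	touch "$@"
12 | 
13 | linux-sgx-sign/sdk/sign_tool/SignTool/sgx_sign: linux-sgx-sign/.PATCHED
14 | 	$(MAKE) -C linux-sgx-sign/sdk/sign_tool/SignTool/ DEBUG=1 "CXXFLAGS=-DSE_SIM=1 -I../../../common/inc/internal/ -I../../../common/inc/ -I../../../psw/urts/ -g" CFLAGS=-g
15 | 
16 | sgx_sign: linux-sgx-sign/sdk/sign_tool/SignTool/sgx_sign
17 | 	ln -rsfn linux-sgx-sign/sdk/sign_tool/SignTool/sgx_sign ./
18 | 
19 | clean:
20 | 	$(RM) -r linux-sgx-sign/ sgx_sign
21 | 
22 | # The original had a bare `.PHONY:` with no targets, which marks nothing phony;
23 | # list the targets that are not files so they always run.
24 | .PHONY: all clean sgx_sign_rebuild
25 | sgx_sign_rebuild:
26 | 	$(MAKE) -C linux-sgx-sign/sdk/sign_tool/SignTool/ DEBUG=1 "CXXFLAGS=-DSE_SIM=1 -I../../../common/inc/internal/ -I../../../common/inc/ -I../../../psw/urts/ -g" CFLAGS=-g clean
27 | 	$(MAKE) sgx_sign
28 | 
--------------------------------------------------------------------------------
/enclave-dumper/extract.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | # Run the patched sgx_sign in gendata mode on an enclave and keep what it
3 | # produces next to the enclave:
4 | #   <enclave>.dump, <enclave>.mem, <enclave>.layout, <enclave>.tcs.txt
5 | #
6 | # Usage: extract.sh <enclave.signed.so> [extra sgx_sign gendata args...]
7 | 
8 | # Without pipefail the `sgx_sign ... | grep` pipeline below reports grep's
9 | # status, so a failing sgx_sign could leave a truncated dump behind and the
10 | # script would still continue as if it had succeeded.
11 | set -o pipefail
12 | 
13 | BASE="$(dirname "$0")"
14 | SIGNTOOL="$BASE/sgx_sign"
15 | 
16 | enclave=$1
17 | shift
18 | out=extract.out
19 | dump=extract.dump
20 | 
21 | if ! [[ -f $enclave && -r $enclave ]]; then
22 |     echo "ERROR: Cannot open $enclave!"
23 |     exit 1
24 | fi
25 | 
26 | # Refuse to clobber a previous run's intermediate files.
27 | for f in "$out" "$dump" "$dump.mem" "$dump.layout"; do
28 |     if [[ -e $f ]]; then
29 |         echo "ERROR: '$f' exists"
30 |         exit 1
31 |     fi
32 | done
33 | 
34 | echo "Running" "$($SIGNTOOL -version |& grep -oP "version \S+")"
35 | echo "Enclave:" "$enclave"
36 | echo "build with:" "$(strings "$enclave" | grep SGX_TSTDC_VERSION)"
37 | echo
38 | 
39 | echo "--- SGX SIGN ---"
40 | # The dump is taken from the tool's stdout; lines containing '<' are dropped
41 | # (presumably the tool's own progress output -- verify against the patch).
42 | $SIGNTOOL gendata -enclave "$enclave" -out "$out" "$@" | grep -vF '<' > "$dump" || { rm -f -- "$dump"; exit 1; }
43 | echo "--- SGX SIGN END ---"
44 | rm -f -- "$out"
45 | 
46 | python "$BASE/DumpReader.py" "$dump" | tee "$enclave.tcs.txt"
47 | mv "$dump" "$enclave.dump"
48 | 
49 | mv "$dump.mem" "$enclave.mem"
50 | mv "$dump.layout" "$enclave.layout"
51 | 
--------------------------------------------------------------------------------
/kafl/LICENSES/BSD-2-Clause:
--------------------------------------------------------------------------------
1 | Valid-License-Identifier: BSD-2-Clause
2 | SPDX-URL: https://spdx.org/licenses/BSD-2-Clause.html
3 | Usage-Guide:
4 | To use the BSD 2-clause "Simplified" License put the following SPDX
5 | tag/value pair into a comment according to the placement guidelines in
6 | the licensing rules documentation:
7 | SPDX-License-Identifier: BSD-2-Clause
8 | License-Text:
9 | 
10 | Copyright (c) . All rights reserved.
11 | 
12 | Redistribution and use in source and binary forms, with or without
13 | modification, are permitted provided that the following conditions are met:
14 | 
15 | 1. Redistributions of source code must retain the above copyright notice,
16 | this list of conditions and the following disclaimer.
17 | 
18 | 2. Redistributions in binary form must reproduce the above copyright
19 | notice, this list of conditions and the following disclaimer in the
20 | documentation and/or other materials provided with the distribution.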
21 | 22 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 23 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 | ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 26 | LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 27 | CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 28 | SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 29 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 30 | CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 31 | ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 32 | POSSIBILITY OF SUCH DAMAGE. 33 | -------------------------------------------------------------------------------- /kafl/LICENSES/MIT: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a 6 | copy of this software and associated documentation files (the "Software"), 7 | to deal in the Software without restriction, including without limitation 8 | the rights to use, copy, modify, merge, publish, distribute, sublicense, 9 | and/or sell copies of the Software, and to permit persons to whom the 10 | Software is furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in 13 | all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 20 | FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 21 | DEALINGS IN THE SOFTWARE. 22 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/.gitignore: -------------------------------------------------------------------------------- 1 | *.pyc 2 | debug.log 3 | error.log 4 | kafl.ini 5 | fuzzer/native/bitmap.so 6 | tags 7 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/banner.txt: -------------------------------------------------------------------------------- 1 | __ __ ___ ________ 2 | / /_____ _________ ___ / / / | / ____/ / 3 | / //_/ _ \/ ___/ __ \/ _ \/ / / /| | / /_ / / 4 | / ,< / __/ / / / / / __/ / / ___ |/ __/ / /___ 5 | /_/|_|\___/_/ /_/ /_/\___/_/ /_/ |_/_/ /_____/ 6 | =================================================== (C) 2020 7 | 8 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/common/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/common/__init__.py -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/common/color.py: -------------------------------------------------------------------------------- 1 | # Copyright 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko 2 | # Copyright 2019-2020 Intel Corporation 3 | # 4 | # SPDX-License-Identifier: AGPL-3.0-or-later 5 | 6 | HPRINTF = '\033[95m' 7 | OKBLUE = '\033[94m' 8 | OKGREEN = '\033[92m' 9 | WARNING = '\033[0;33m' 10 | FAIL = '\033[91m' 11 | ENDC = '\033[0m' 12 | CLRSCR = '\x1b[1;1H' 13 | REALCLRSCR = '\x1b[2J' 14 | BOLD = '\033[1m' 15 | 
FLUSH_LINE = '\r\x1b[K' 16 | 17 | 18 | def MOVE_CURSOR_UP(num): 19 | return "\033[" + str(num) + "A" 20 | 21 | 22 | def MOVE_CURSOR_DOWN(num): 23 | return "\033[" + str(num) + "B" 24 | 25 | 26 | def MOVE_CURSOR_LEFT(num): 27 | return "\033[" + str(num) + "C" 28 | 29 | 30 | def MOVE_CURSOR_RIGHT(num): 31 | return "\033[" + str(num) + "D" 32 | 33 | 34 | HLINE = chr(0x2500) 35 | VLINE = chr(0x2502) 36 | VLLINE = chr(0x2524) 37 | VRLINE = chr(0x251c) 38 | LBEDGE = chr(0x2514) 39 | RBEDGE = chr(0x2518) 40 | HULINE = chr(0x2534) 41 | HDLINE = chr(0x252c) 42 | LTEDGE = chr(0x250c) 43 | RTEDGE = chr(0x2510) 44 | 45 | INFO_PREFIX = "[INFO] " 46 | ERROR_PREFIX = "[ERROR] " 47 | WARNING_PREFIX = "[WARNING] " 48 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/common/log.py: -------------------------------------------------------------------------------- 1 | # Copyright 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko 2 | # Copyright 2019-2020 Intel Corporation 3 | # 4 | # SPDX-License-Identifier: AGPL-3.0-or-later 5 | import codecs 6 | import logging 7 | import os 8 | import sys 9 | 10 | class FileFormatter(logging.Formatter): 11 | def __init__(self): 12 | super().__init__(fmt="%(asctime)s %(levelname)-8s [%(filename)s:%(lineno)s] %(msg)s") 13 | 14 | class StreamFormatter(logging.Formatter): 15 | def __init__(self): 16 | super().__init__(fmt="%(levelname)s \u001b[34;1m%(name)s\u001b[0m [%(filename)s:%(lineno)s] %(msg)s") 17 | 18 | def format(self, record): 19 | format_orig = self._style._fmt 20 | 21 | format_prefix = "" 22 | if record.levelno == logging.INFO: 23 | format_prefix = "INFO\t" 24 | elif record.levelno == logging.DEBUG: 25 | format_prefix = "\u001b[94mDBG\u001b[0m\t" 26 | elif record.levelno == logging.WARNING: 27 | format_prefix = "\u001b[0;33mWARN\u001b[0m\t" 28 | elif record.levelno == logging.ERROR: 29 | format_prefix = "\u001b[91mERR\u001b[0m\t" 30 | elif record.levelno == logging.CRITICAL: 31 | 
format_prefix = "\u001b[1m\u001b[31mCRTCL\u001b[0m\t" 32 | 33 | self._style._fmt = format_prefix + "[%(filename)s:%(lineno)s] %(msg)s" 34 | 35 | fmt = logging.Formatter.format(self, record) 36 | self._style._fmt = format_orig 37 | 38 | return fmt 39 | 40 | def init_logger(log_file_path, log_level=logging.INFO): 41 | sys.stdout = codecs.getwriter("utf-8")(sys.stdout.detach()) 42 | 43 | stream_handler = logging.StreamHandler(sys.stdout) 44 | stream_handler.setLevel(log_level) 45 | stream_formatter = StreamFormatter() 46 | stream_handler.setFormatter(stream_formatter) 47 | 48 | if not os.path.exists(log_file_path): 49 | os.makedirs(log_file_path) 50 | 51 | file_handler = logging.FileHandler(log_file_path + "/debug.log", mode="w+") 52 | file_handler.setLevel(logging.DEBUG) 53 | file_formatter = FileFormatter() 54 | file_handler.setFormatter(file_formatter) 55 | 56 | logging.basicConfig( 57 | level=logging.DEBUG, 58 | handlers=[ 59 | stream_handler, 60 | file_handler 61 | ] 62 | ) 63 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/common/qemu_protocol.py: -------------------------------------------------------------------------------- 1 | # Copyright 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko 2 | # Copyright 2019-2020 Intel Corporation 3 | # 4 | # SPDX-License-Identifier: AGPL-3.0-or-later 5 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/debug/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/debug/__init__.py -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/dict/vuln.dict: -------------------------------------------------------------------------------- 1 | # 2 | # kAFL dictionary for Vuln Driver 3 | # 
------------------------------------------- 4 | # 5 | # Created by Sergej Schumilo 6 | # 7 | 8 | tag_result1="SERGEJ" 9 | tag_result2="KASAN" 10 | tag_result3="KERNELAFL" 11 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/fuzzer/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/fuzzer/__init__.py -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/fuzzer/native/Makefile: -------------------------------------------------------------------------------- 1 | bitmap.so: bitmap.c 2 | $(CC) --shared -fPIC -O3 -o $@ $^ 3 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/fuzzer/process/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/fuzzer/process/__init__.py -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/fuzzer/technique/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/fuzzer/technique/__init__.py -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/fuzzer/technique/redqueen/__init__.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/fuzzer/technique/redqueen/hash_patch.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2017-2019 Sergej Schumilo, Cornelius 
Aschermann, Tim Blazytko 2 | # Copyright (C) 2019-2020 Intel Corporation 3 | # 4 | # SPDX-License-Identifier: AGPL-3.0-or-later 5 | 6 | """ 7 | I wonder what this does? 8 | """ 9 | 10 | class HashPatcher: 11 | def __init__(self): 12 | self.patched = set() 13 | self.blacklisted = set() 14 | 15 | def add_hash_candidate(self, mut): 16 | if mut.addr in self.blacklisted or mut.addr in self.patched: 17 | return 18 | self.patched.add(mut.addr) 19 | self.apply_patches() 20 | 21 | def blacklist_hash_candidate(self, addr): 22 | self.blacklisted.add(addr) 23 | if addr in self.patched: 24 | self.patched.remove(addr) 25 | self.apply_patches() 26 | 27 | def apply_patches(self): 28 | with open("/tmp/redqueen_whitelist", "w") as w: 29 | with open("/tmp/rq_patches", "w") as f: 30 | for addr in self.patched: 31 | hexaddr = hex(addr).rstrip("L").lstrip("0x") 32 | if hexaddr: 33 | w.write(hexaddr + "\n") 34 | f.write(hexaddr + "\n") 35 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/fuzzer/technique/redqueen/workdir.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko 2 | # Copyright (C) 2019-2020 Intel Corporation 3 | # 4 | # SPDX-License-Identifier: AGPL-3.0-or-later 5 | 6 | """ 7 | Redqueen workdir/Qemu interface 8 | """ 9 | 10 | import os 11 | import shutil 12 | 13 | 14 | class RedqueenWorkdir: 15 | def __init__(self, qemu_id, config): 16 | self.base_path = config.argument_values['work_dir'] + "/redqueen_workdir_" + str(qemu_id) 17 | 18 | def init_dir(self): 19 | if os.path.exists(self.base_path): 20 | shutil.rmtree(self.base_path) 21 | os.makedirs(self.base_path) 22 | 23 | def redqueen(self): 24 | return self.base_path + "/redqueen_results.txt" 25 | 26 | def patches(self): 27 | return self.base_path + "/redqueen_patches.txt" 28 | 29 | def whitelist(self): 30 | return self.base_path + "/breakpoint_white.txt" 31 | 32 
| def blacklist(self): 33 | return self.base_path + "/breakpoint_black.txt" 34 | 35 | def code_dump(self): 36 | return self.base_path + "/target_code_dump.img" 37 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/info/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/info/__init__.py -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/info/core.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko 2 | # Copyright (C) 2019-2020 Intel Corporation 3 | # 4 | # SPDX-License-Identifier: AGPL-3.0-or-later 5 | 6 | import logging 7 | import os 8 | import time 9 | 10 | from common.log import init_logger 11 | from common.qemu import qemu 12 | from common.self_check import post_self_check 13 | from common.util import prepare_working_dir 14 | 15 | def start(config): 16 | 17 | work_dir = config.argument_values["work_dir"] 18 | if config.argument_values['v'] or config.argument_values["debug"]: 19 | init_logger(work_dir, logging.DEBUG) 20 | else: 21 | init_logger(work_dir) 22 | 23 | if not post_self_check(config): 24 | return -1 25 | 26 | if not prepare_working_dir(config): 27 | logging.error("Refuse to operate on existing work directory. 
Use --purge to override.") 28 | return 1 29 | 30 | logging.info("Dumping target addresses...") 31 | 32 | # TODO: use proper temp file or store to $work_dir 33 | if os.path.exists("/tmp/kAFL_info.txt"): 34 | os.remove("/tmp/kAFL_info.txt") 35 | 36 | q = qemu(0, config) 37 | q.start() 38 | q.shutdown() 39 | 40 | try: 41 | with open("/tmp/kAFL_info.txt", 'r') as f: 42 | print(f.read()) 43 | #os.remove("/tmp/kAFL_info.txt") 44 | except: 45 | pass 46 | 47 | return 0 48 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/kafl_debug.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Copyright (C) 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko 4 | # Copyright (C) 2019-2020 Intel Corporation 5 | # 6 | # SPDX-License-Identifier: AGPL-3.0-or-later 7 | 8 | """ 9 | Execute a given kAFL target with individual test inputs for purpose of debug/inspection. 10 | """ 11 | 12 | import os 13 | import sys 14 | 15 | import common.color 16 | from common.self_check import self_check 17 | from common.config import DebugConfiguration 18 | 19 | KAFL_ROOT = os.path.dirname(os.path.realpath(__file__)) + "/" 20 | KAFL_BANNER = KAFL_ROOT + "banner.txt" 21 | KAFL_CONFIG = KAFL_ROOT + "kafl.ini" 22 | 23 | def main(): 24 | 25 | with open(KAFL_BANNER) as f: 26 | for line in f: 27 | print(line.replace("\n", "")) 28 | 29 | print("<< " + common.color.BOLD + common.color.OKGREEN + 30 | sys.argv[0] + ": kAFL Debugger " + common.color.ENDC + ">>\n") 31 | 32 | if not self_check(KAFL_ROOT): 33 | return 1 34 | 35 | import debug.core 36 | cfg = DebugConfiguration(KAFL_CONFIG) 37 | return debug.core.start(cfg) 38 | 39 | 40 | if __name__ == "__main__": 41 | main() 42 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/kafl_fuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env 
python3 2 | # 3 | # Copyright (C) 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko 4 | # Copyright (C) 2019-2020 Intel Corporation 5 | # 6 | # SPDX-License-Identifier: AGPL-3.0-or-later 7 | 8 | """ 9 | Launcher for Fuzzing with kAFL. Check fuzzer/core.py for more. 10 | """ 11 | 12 | import os 13 | import sys 14 | 15 | import common.color 16 | from common.config import FuzzerConfiguration 17 | from common.self_check import self_check 18 | 19 | KAFL_ROOT = os.path.dirname(os.path.realpath(__file__)) + "/" 20 | KAFL_BANNER = KAFL_ROOT + "banner.txt" 21 | KAFL_CONFIG = KAFL_ROOT + "kafl.ini" 22 | 23 | def main(): 24 | 25 | with open(KAFL_BANNER) as f: 26 | for line in f: 27 | print(line.replace("\n", "")) 28 | 29 | print("<< " + common.color.BOLD + common.color.OKGREEN + 30 | sys.argv[0] + ": Kernel Fuzzer " + common.color.ENDC + ">>\n") 31 | 32 | if not self_check(KAFL_ROOT): 33 | return 1 34 | 35 | import fuzzer.core 36 | cfg = FuzzerConfiguration(KAFL_CONFIG) 37 | return fuzzer.core.start(cfg) 38 | 39 | 40 | if __name__ == "__main__": 41 | main() 42 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/kafl_info.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Copyright (C) 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko 4 | # Copyright (C) 2019-2020 Intel Corporation 5 | # 6 | # SPDX-License-Identifier: AGPL-3.0-or-later 7 | 8 | """ 9 | Execute a kAFL target once, using a special "info" binary as agent. 10 | 11 | This is used in cases where we want to automatically extract some information 12 | from a target before proper fuzzing, e.g. the location of kernel modules in a VM 13 | snapshot. Perhaps this feature should be merged into kafl_debug.py. 
14 | """ 15 | 16 | import os 17 | import sys 18 | 19 | import common.color 20 | from common.self_check import self_check 21 | from common.config import InfoConfiguration 22 | 23 | KAFL_ROOT = os.path.dirname(os.path.realpath(__file__)) + "/" 24 | KAFL_BANNER = KAFL_ROOT + "banner.txt" 25 | KAFL_CONFIG = KAFL_ROOT + "kafl.ini" 26 | 27 | def main(): 28 | 29 | with open(KAFL_BANNER) as f: 30 | for line in f: 31 | print(line.replace("\n", "")) 32 | 33 | print("<< " + common.color.BOLD + common.color.OKGREEN + 34 | sys.argv[0] + ": Agent Info Dumper " + common.color.ENDC + ">>\n") 35 | 36 | if not self_check(KAFL_ROOT): 37 | return 1 38 | 39 | import info.core 40 | cfg = InfoConfiguration(KAFL_CONFIG) 41 | return info.core.start(cfg) 42 | 43 | 44 | if __name__ == "__main__": 45 | main() 46 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/proc_map_helper.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | ip = int(sys.argv[1]) 4 | f = open("edges_uniq.lst", "r") 5 | s = f.read() 6 | lines = s.split('\n')[:-1] 7 | 8 | print(f"Searching for IP={ip}...") 9 | 10 | # from proc_maps 11 | # 555555554000-55555555e000 12 | # 55555575e000-55555575f000 13 | # 55555575f000-555555be3000 14 | fp = open("../dump/proc_maps.txt", "r") 15 | sp = fp.read() 16 | linesp = sp.split('\n')[:-1] 17 | 18 | ranges = [] 19 | labels = ["sgx", "sec", "text"] 20 | 21 | for linep in linesp: 22 | if "/tmp/target_executable" in linep: 23 | (start, end) = linep[:25].split('-') 24 | print(linep[:25].split('-')) 25 | ranges.append((int(start, 16), int(end, 16), labels.pop())) 26 | 27 | print(ranges) 28 | 29 | for line in lines: 30 | (start, end, count) = line.split(',') 31 | start = int(start, 16) 32 | end = int(end, 16) 33 | 34 | start_l = "unknown" 35 | end_l = "unknown" 36 | 37 | for (rs, re, rl) in ranges: 38 | if rs <= start < re: 39 | start_l = rl 40 | if rs <= end < re: 41 | end_l = rl 42 | 43 
| print(f'{start_l:<8},{hex(start):<32} -> {end_l:<8},{hex(end)}') 44 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/redqueen_mut.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Copyright (C) 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko 4 | # Copyright (C) 2019-2020 Intel Corporation 5 | # 6 | # SPDX-License-Identifier: AGPL-3.0-or-later 7 | 8 | """ 9 | Validate Redqueen Input-to-State mutations 10 | """ 11 | 12 | import array 13 | import sys 14 | 15 | from fuzzer.technique.redqueen import parser 16 | from fuzzer.technique.redqueen.mod import RedqueenInfoGatherer 17 | 18 | info = RedqueenInfoGatherer() 19 | 20 | info.collected_infos_path = sys.argv[1] 21 | info.num_alternative_inputs = 2 22 | 23 | info.get_proposals() 24 | print("got %d mutations on %s" % (info.get_num_mutations(), sys.argv[1])) 25 | 26 | orig_input = open(sys.argv[1] + "/input_2.bin", "rb").read() 27 | print("Mutating : %s" % repr(orig_input)) 28 | 29 | 30 | def fake_execute(str, a, b): 31 | print("executing %s" % repr(str)) 32 | 33 | 34 | info.verbose = True 35 | default_info = {} 36 | info.run_mutate_redqueen(array.array("B", orig_input), fake_execute, default_info) 37 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/seed/ext4/ext4.img: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/seed/ext4/ext4.img -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/seed/fat/fat_a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/seed/fat/fat_a 
-------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/seed/fat/fat_b: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/seed/fat/fat_b -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/seed/fat/fat_c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/seed/fat/fat_c -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/seed/fat/fat_d: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/seed/fat/fat_d -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/seed/fat/fat_e: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/seed/fat/fat_e -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/seed/kafl_vulntest/seed_file: -------------------------------------------------------------------------------- 1 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/seed/ntfs/ntfs64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/seed/ntfs/ntfs64 -------------------------------------------------------------------------------- 
/kafl/kAFL-Fuzzer/seed/ntfs_win/ntfs_header_64k: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/seed/ntfs_win/ntfs_header_64k -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/test.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Copyright (C) 2019-2020 Intel Corporation 4 | # SPDX-License-Identifier: AGPL-3.0-or-later 5 | 6 | """ 7 | This file offers an alternative/standalone entry point to tests/, e.g. 8 | to launch some benchmarks contained there. 9 | 10 | To execute all regular tests, run pytest inside kAFL-Fuzzer/ directory. 11 | """ 12 | 13 | from tests.test_random import * 14 | from tests.test_deterministic import * 15 | from tests.test_havoc_handler import * 16 | 17 | if __name__ == '__main__': 18 | 19 | print("\nRunning benchmarks... 
(use pytest -v to run actual tests!)\n") 20 | 21 | rand_main() 22 | deter_main() 23 | havoc_main() 24 | 25 | print("\nDone!") 26 | -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/tests/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/tests/__init__.py -------------------------------------------------------------------------------- /kafl/kAFL-Fuzzer/tests/helper.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2020 Intel Corporation 2 | # SPDX-License-Identifier: AGPL-3.0-or-later 3 | 4 | """ 5 | Helper functions for kAFL tests 6 | """ 7 | 8 | def ham_weight(x): 9 | _x = bytearray(x) 10 | weight = 0 11 | for byte in _x: 12 | weight += bin(byte).count("1") 13 | return weight 14 | 15 | def ham_distance(a,b): 16 | return ham_weight(bytes(x ^ y for (x, y) in zip(a, b))) 17 | 18 | def bindiff(a,b): 19 | res = bytearray() 20 | for (x, y) in zip(a, b): 21 | r = bytearray([x^y]) 22 | if r != b'\x00': 23 | res += r 24 | return res 25 | -------------------------------------------------------------------------------- /kafl/patches.old/0001-fail-of-frontend-did-not-create-SHM-backing-files-of.patch: -------------------------------------------------------------------------------- 1 | From df49387240575e5fd1563c01822d2cd3e31fbde8 Mon Sep 17 00:00:00 2001 2 | From: Steffen Schulz 3 | Date: Fri, 3 Jul 2020 01:34:44 +0200 4 | Subject: [PATCH] fail of frontend did not create SHM backing files of expected 5 | size 6 | 7 | By failing here we force a synchronization with the frontend 8 | --- 9 | pt/interface.c | 10 ++++++---- 10 | pt/interface.h | 5 +++-- 11 | 2 files changed, 9 insertions(+), 6 deletions(-) 12 | 13 | diff --git a/pt/interface.c b/pt/interface.c 14 | index f077be6d..c5a8abab 100644 15 | 
--- a/pt/interface.c 16 | +++ b/pt/interface.c 17 | @@ -207,8 +207,9 @@ static int kafl_guest_create_memory_bar(kafl_mem_state *s, int region_num, uint6 18 | int fd; 19 | struct stat st; 20 | 21 | - fd = open(file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO); 22 | - assert(ftruncate(fd, bar_size) == 0); 23 | + // abort if frontend failed to setup a sufficiently big SHM file 24 | + fd = open(file, O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO); 25 | + assert(fd != -1); 26 | stat(file, &st); 27 | QEMU_PT_DEBUG(INTERFACE_PREFIX, "new shm file: (max size: %lx) %lx", bar_size, st.st_size); 28 | 29 | @@ -236,8 +237,9 @@ static int kafl_guest_setup_bitmap(kafl_mem_state *s, uint32_t bitmap_size, Erro 30 | int fd; 31 | struct stat st; 32 | 33 | - fd = open(s->bitmap_file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO); 34 | - assert(ftruncate(fd, bitmap_size) == 0); 35 | + // abort if frontend failed to setup a sufficiently big SHM file 36 | + fd = open(s->bitmap_file, O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO); 37 | + assert(fd != -1); 38 | stat(s->bitmap_file, &st); 39 | assert(bitmap_size == st.st_size); 40 | ptr = mmap(0, bitmap_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); 41 | diff --git a/pt/interface.h b/pt/interface.h 42 | index 10709c6d..a66b6ef0 100644 43 | --- a/pt/interface.h 44 | +++ b/pt/interface.h 45 | @@ -13,8 +13,8 @@ 46 | 47 | #define INTEL_PT_MAX_RANGES 4 48 | 49 | -#define DEFAULT_KAFL_BITMAP_SIZE 0x10000 50 | -#define DEFAULT_EDGE_FILTER_SIZE 0x1000000 51 | +#define DEFAULT_KAFL_BITMAP_SIZE (64 << 10) 52 | +#define DEFAULT_EDGE_FILTER_SIZE ( 2 << 23) 53 | 54 | #define PROGRAM_SIZE (128 << 20) /* 128MB Application Data */ 55 | #define PAYLOAD_SIZE (128 << 10) /* 128KB Payload Data */ 56 | 
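Review bot: The added comment promises to abort when the frontend left an undersized SHM file, but the new code only checks that `open()` succeeded: the `stat(file, &st)` return value is ignored and, unlike the bitmap hunk below, there is no `bar_size` versus `st.st_size` comparison here, so a short file would still be mapped at the full `bar_size` and presumably fault (SIGBUS) on first access past EOF — the mmap itself lies outside this hunk. `assert()` is also compiled out under NDEBUG, which would leave no check at all in such builds, and the mode argument `S_IRWXU|S_IRWXG|S_IRWXO` is dead now that O_CREAT is gone. I would replace the three new lines with `fd = open(file, O_RDWR);` and `if (fd == -1 || fstat(fd, &st) != 0 || (uint64_t)st.st_size < bar_size) { perror(file); abort(); }`, using fstat on the descriptor so the size describes the file actually opened rather than whatever is at the path a moment later. kafl_guest_create_memory_bar continues past the end of the hunk.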
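Review bot: `stat(s->bitmap_file, &st)` is still a path-based call with an unchecked return, so if it fails `st.st_size` is uninitialized when the following `assert(bitmap_size == st.st_size)` runs, and a path lookup after an fd-based `open()` can describe a different file than the one that gets mmapped. Use the descriptor: `if (fd == -1 || fstat(fd, &st) != 0 || st.st_size != bitmap_size) abort();`. As in the hunk above, `assert()` vanishes under NDEBUG, so an explicit abort is the safer form for a check the shared mapping depends on. kafl_guest_setup_bitmap continues past the end of the hunk.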
@@ -28,6 +28,7 @@ 57 | 58 | #define KAFL_PROTO_ACQUIRE 'R' 59 | #define KAFL_PROTO_RELEASE 'D' 60 | +#define KAFL_PROTO_STARVED 'd' 61 | 62 | #define KAFL_PROTO_RELOAD 'L' 63 | #define KAFL_PROTO_ENABLE_SAMPLING 'S' 64 | -- 65 | 2.25.1 66 | 67 | -------------------------------------------------------------------------------- /kafl/patches.old/0001-linux-kvm-starved.patch: -------------------------------------------------------------------------------- 1 | diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c 2 | index f4a5e1c1a..2b5ee4343 100644 3 | --- a/arch/x86/kvm/x86.c 4 | +++ b/arch/x86/kvm/x86.c 5 | 
@@ -7505,6 +7505,7 @@ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu) 6 | break; 7 | case (KVM_EXIT_KAFL_RELEASE-KAFL_EXIT_OFFSET): 8 | vcpu->run->exit_reason = KVM_EXIT_KAFL_RELEASE; 9 | + vcpu->run->hypercall.args[0] = a1; 10 | break; 11 | case (KVM_EXIT_KAFL_SUBMIT_CR3-KAFL_EXIT_OFFSET): 12 | vcpu->run->exit_reason = KVM_EXIT_KAFL_SUBMIT_CR3; 13 | -------------------------------------------------------------------------------- /kafl/patches.old/kvm/README.md: -------------------------------------------------------------------------------- 1 | # vmx_pt Kernel Module 2 | 3 | ## Known Working Kernel Versions: 4 | 5 | * Linux-4.19.x 6 | * Linux-5.1.21 7 | * Linux-5.2.11 8 | * Linux-5.4.34 9 | * Linux-5.6.5 10 | * ... 11 | 12 | ## Supported CPUs 13 | 14 | Any Intel(R) Skylake or later CPU generation with Intel PT support should work. 15 | 16 | Note that Intel(R) Broadwell (predecessor to Skylake) is NOT supported due to 17 | HW limitations in its PT implementation. 18 | 19 | Confirmed to work: 20 | 21 | * Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (Skylake) 22 | * Intel(R) Core(TM) i7-6700HQ CPU @ 2,60GHz (Skylake) 23 | * Intel(R) Core(TM) i5-7300U CPU @ 2.60GHz (Kaby Lake) 24 | * Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz (Kaby Lake) 25 | * Intel(R) Core(TM) i5-8600 CPU @ 3.10GHz (Coffee Lake) 26 | * Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz (Coffee Lake) 27 | * ... 28 | 29 | -------------------------------------------------------------------------------- /kafl/patches.old/kvm/usermode_test/Makefile: -------------------------------------------------------------------------------- 1 | all: test support_test 2 | -------------------------------------------------------------------------------- /kafl/patches.old/kvm/usermode_test/support_test.c: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Redqueen. 
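Review bot: `a1` is copied straight from a guest register into `hypercall.args[0]` without any masking or validation, so whatever consumes the KVM_EXIT_KAFL_RELEASE exit in userspace must treat the value as attacker-controlled — in this setup the guest is precisely the untrusted fuzz target. The neighbouring cases visible here do not populate `args[0]`, so a stale value from an earlier exit may be observable there unless the consumer reads it only for RELEASE; a one-line comment on the new line, `/* a1 is guest-controlled; the userspace consumer must validate it */`, would make that contract explicit. The enclosing `kvm_emulate_hypercall` switch starts and ends outside the hunk.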
3 | * 4 | * Copyright 2019 Sergej Schumilo, Cornelius Aschermann 5 | * 6 | * SPDX-License-Identifier: GPL-2.0-or-later 7 | */ 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #define KVM_VMX_PT_SUPPORTED _IO(KVMIO, 0xe4) 22 | 23 | int main(){ 24 | int kvm, ret; 25 | 26 | kvm = open("/dev/kvm", O_RDWR | O_CLOEXEC); 27 | if (kvm == -1){ 28 | printf("ERROR: KVM is not loaded!\n"); 29 | exit(1); 30 | } 31 | 32 | ret = ioctl(kvm, KVM_VMX_PT_SUPPORTED, NULL); 33 | if (ret == -1){ 34 | printf("ERROR: KVM-PT is not loaded!\n"); 35 | exit(2); 36 | } 37 | if (ret == -2){ 38 | printf("ERROR: Intel PT is not supported on this CPU!\n"); 39 | exit(3); 40 | } 41 | printf("KVM-PT is ready!\n"); 42 | return 0; 43 | } 44 | -------------------------------------------------------------------------------- /kafl/patches.old/kvm/v5.4/0002-Set-kAFL-hypercall-longmode-properly-fix-printk-buil.patch: -------------------------------------------------------------------------------- 1 | From 57fc01d5599c16cdd85268a8fb9801af4f45ae0e Mon Sep 17 00:00:00 2001 2 | From: Roman Lozko 3 | Date: Wed, 30 Jul 2020 00:00:00 +0000 4 | Subject: [PATCH] Set kAFL hypercall longmode properly; fix printk build 5 | warning 6 | 7 | --- 8 | arch/x86/kvm/vmx/vmx_pt.c | 2 +- 9 | arch/x86/kvm/x86.c | 1 + 10 | 2 files changed, 2 insertions(+), 1 deletion(-) 11 | 12 | diff --git a/arch/x86/kvm/vmx/vmx_pt.c b/arch/x86/kvm/vmx/vmx_pt.c 13 | index 1ed2e8fd2..a19f2b76a 100644 14 | --- a/arch/x86/kvm/vmx/vmx_pt.c 15 | +++ b/arch/x86/kvm/vmx/vmx_pt.c 16 | 
@@ -179,7 +179,7 @@ static void topa_reset(struct vcpu_vmx_pt *vmx_pt) 17 | { 18 | #ifdef DEBUG 19 | if (vmx_pt_get_data_size(vmx_pt) >= TOPA_MAIN_SIZE) 20 | - printk(KERN_WARNING "Main TOPA buffer exhausted! %x >= %x?\n", 21 | + printk(KERN_WARNING "Main TOPA buffer exhausted! %lx >= %x?\n", 22 | vmx_pt_get_data_size(vmx_pt), TOPA_MAIN_SIZE+TOPA_FALLBACK_SIZE); 23 | #endif 24 | 25 | diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c 26 | index ba958e8cd..5f062330d 100644 27 | --- a/arch/x86/kvm/x86.c 28 | +++ b/arch/x86/kvm/x86.c 29 | @@ -7602,6 +7602,7 @@ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu) 30 | /* kAFL Hypercall interface */ 31 | if (nr == HYPERCALL_KAFL_RAX_ID) { 32 | int r = 0; 33 | + vcpu->run->hypercall.longmode = op_64_bit; 34 | switch(a0){ 35 | case (KVM_EXIT_KAFL_ACQUIRE-KAFL_EXIT_OFFSET): 36 | vcpu->run->exit_reason = KVM_EXIT_KAFL_ACQUIRE; 37 | -- 38 | 2.25.1 39 | 40 | -------------------------------------------------------------------------------- /kafl/patches.old/kvm/v5.7/0002-Set-kAFL-hypercall-longmode-properly-fix-printk-buil.patch: -------------------------------------------------------------------------------- 1 | From 57fc01d5599c16cdd85268a8fb9801af4f45ae0e Mon Sep 17 00:00:00 2001 2 | From: Roman Lozko 3 | Date: Wed, 30 Jul 2020 00:00:00 +0000 4 | Subject: [PATCH] Set kAFL hypercall longmode properly; fix printk build 5 | warning 6 | 7 | --- 8 | arch/x86/kvm/vmx/vmx_pt.c | 2 +- 9 | arch/x86/kvm/x86.c | 1 + 10 | 2 files changed, 2 insertions(+), 1 deletion(-) 11 | 12 | diff --git a/arch/x86/kvm/vmx/vmx_pt.c b/arch/x86/kvm/vmx/vmx_pt.c 13 | index 1ed2e8fd2..a19f2b76a 100644 14 | --- a/arch/x86/kvm/vmx/vmx_pt.c 15 | +++ b/arch/x86/kvm/vmx/vmx_pt.c 16 | 
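Review bot: The rewritten warning prints `TOPA_MAIN_SIZE+TOPA_FALLBACK_SIZE` as the bound, while the condition two lines above compares against `TOPA_MAIN_SIZE` alone, so the message misreports the threshold that was actually exceeded; either print the value that was tested, `printk(KERN_WARNING "Main TOPA buffer exhausted! %lx >= %x?\n", vmx_pt_get_data_size(vmx_pt), TOPA_MAIN_SIZE);`, or compare against the sum. The change to `%lx` assumes `vmx_pt_get_data_size()` returns `unsigned long`; its declaration is not in the hunk, so that is inferred from the commit message about a printk warning. Since the whole check sits under `#ifdef DEBUG`, an exhausted trace buffer is silent in non-debug builds, which is worth a comment because lost PT packets directly degrade the coverage signal the fuzzer relies on.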
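Review bot: The new `longmode` assignment happens before the kAFL switch on `a0`, but nothing in this hunk shows a CPL check guarding the `nr == HYPERCALL_KAFL_RAX_ID` branch; upstream KVM normally rejects hypercalls from CPL > 0 before its own switch, and if this block sits ahead of that check (which ring-3 agents would require) any unprivileged guest process can raise these exits. That is probably intended for user-mode targets, so say so next to the new line: `/* kAFL hypercalls are accepted from any CPL on purpose (ring-3 agents); userspace must not trust a0..a3 */`. Upstream also truncates the arguments to 32 bits when `op_64_bit` is false, so `longmode` is what tells userspace how wide the values in `args[]` are — a word about that in the same comment would help the consumer. kvm_emulate_hypercall starts and ends outside the hunk.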
@@ -179,7 +179,7 @@ static void topa_reset(struct vcpu_vmx_pt *vmx_pt) 17 | { 18 | #ifdef DEBUG 19 | if (vmx_pt_get_data_size(vmx_pt) >= TOPA_MAIN_SIZE) 20 | - printk(KERN_WARNING "Main TOPA buffer exhausted! %x >= %x?\n", 21 | + printk(KERN_WARNING "Main TOPA buffer exhausted! %lx >= %x?\n", 22 | vmx_pt_get_data_size(vmx_pt), TOPA_MAIN_SIZE+TOPA_FALLBACK_SIZE); 23 | #endif 24 | 25 | diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c 26 | index ba958e8cd..5f062330d 100644 27 | --- a/arch/x86/kvm/x86.c 28 | +++ b/arch/x86/kvm/x86.c 29 | @@ -7602,6 +7602,7 @@ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu) 30 | /* kAFL Hypercall interface */ 31 | if (nr == HYPERCALL_KAFL_RAX_ID) { 32 | int r = 0; 33 | + vcpu->run->hypercall.longmode = op_64_bit; 34 | switch(a0){ 35 | case (KVM_EXIT_KAFL_ACQUIRE-KAFL_EXIT_OFFSET): 36 | vcpu->run->exit_reason = KVM_EXIT_KAFL_ACQUIRE; 37 | -- 38 | 2.25.1 39 | 40 | -------------------------------------------------------------------------------- /kafl/patches.old/kvm/v5.8/0002-Set-kAFL-hypercall-longmode-properly-fix-printk-buil.patch: -------------------------------------------------------------------------------- 1 | From 6a93040cfeacfab537c3bae6ee69a13d076e9c2b Mon Sep 17 00:00:00 2001 2 | From: Roman Lozko 3 | Date: Thu, 30 Jul 2020 00:00:00 +0000 4 | Subject: [PATCH 2/2] Set kAFL hypercall longmode properly; fix printk build 5 | warning 6 | 7 | --- 8 | arch/x86/kvm/vmx/vmx_pt.c | 2 +- 9 | arch/x86/kvm/x86.c | 1 + 10 | 2 files changed, 2 insertions(+), 1 deletion(-) 11 | 12 | diff --git a/arch/x86/kvm/vmx/vmx_pt.c b/arch/x86/kvm/vmx/vmx_pt.c 13 | index 1ed2e8fd2..a19f2b76a 100644 14 | --- a/arch/x86/kvm/vmx/vmx_pt.c 15 | +++ b/arch/x86/kvm/vmx/vmx_pt.c 16 | 
@@ -179,7 +179,7 @@ static void topa_reset(struct vcpu_vmx_pt *vmx_pt) 17 | { 18 | #ifdef DEBUG 19 | if (vmx_pt_get_data_size(vmx_pt) >= TOPA_MAIN_SIZE) 20 | - printk(KERN_WARNING "Main TOPA buffer exhausted! %x >= %x?\n", 21 | + printk(KERN_WARNING "Main TOPA buffer exhausted! %lx >= %x?\n", 22 | vmx_pt_get_data_size(vmx_pt), TOPA_MAIN_SIZE+TOPA_FALLBACK_SIZE); 23 | #endif 24 | 25 | diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c 26 | index 44f470118..b05187674 100644 27 | --- a/arch/x86/kvm/x86.c 28 | +++ b/arch/x86/kvm/x86.c 29 | @@ -7695,6 +7695,7 @@ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu) 30 | /* kAFL Hypercall interface */ 31 | if (nr == HYPERCALL_KAFL_RAX_ID) { 32 | int r = 0; 33 | + vcpu->run->hypercall.longmode = op_64_bit; 34 | switch(a0){ 35 | case (KVM_EXIT_KAFL_ACQUIRE-KAFL_EXIT_OFFSET): 36 | vcpu->run->exit_reason = KVM_EXIT_KAFL_ACQUIRE; 37 | -- 38 | 2.25.1 39 | 40 | -------------------------------------------------------------------------------- /kafl/patches.old/qemu/v4.2.0/0003-kAFL-v2-frontend-requires-us-to-start-counting-at-0.patch: -------------------------------------------------------------------------------- 1 | From 7df4993f6598cf695bbec7731e487e6c513c7d12 Mon Sep 17 00:00:00 2001 2 | From: Steffen Schulz 3 | Date: Sat, 28 Sep 2019 02:09:38 +0200 4 | Subject: [PATCH 03/11] kAFL v2 frontend requires us to start counting at 0 5 | 6 | --- 7 | pt.c | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/pt.c b/pt.c 11 | index b3088665..6e11c22e 100644 12 | --- a/pt.c 13 | +++ b/pt.c 14 | 
@@ -78,7 +78,7 @@ void pt_setup_bitmap(void* ptr){ 15 | void pt_reset_bitmap(void){ 16 | if(bitmap){ 17 | last_ip = 0ULL; 18 | - memset(bitmap, 0xff, kafl_bitmap_size); 19 | + memset(bitmap, 0x00, kafl_bitmap_size); 20 | } 21 | } 22 | 23 | -- 24 | 2.26.2 25 | 26 | -------------------------------------------------------------------------------- /kafl/patches.old/qemu/v4.2.0/0005-Check-fopen-return-code-do-not-write-to-inaccessible.patch: -------------------------------------------------------------------------------- 1 | From 478eefd412808c0f76243e191f7a0e4062718bfc Mon Sep 17 00:00:00 2001 2 | From: Steffen Schulz 3 | Date: Mon, 4 Nov 2019 17:39:12 +0100 4 | Subject: [PATCH 05/11] Check fopen() return code, do not write to inaccessible 5 | files (segfault) binary patch 6 | 7 | --- 8 | pt.c | 18 +++++++++++++----- 9 | 1 file changed, 13 insertions(+), 5 deletions(-) 10 | 11 | diff --git a/pt.c b/pt.c 12 | index 60f5751d..4f80dc19 100644 13 | --- a/pt.c 14 | +++ b/pt.c 15 | 
@@ -216,13 +216,21 @@ int pt_enable_ip_filtering(CPUState *cpu, uint8_t addrn, uint64_t ip_a, uint64_t 16 | 17 | #ifdef CREATE_VM_IMAGE 18 | FILE* pt_file = fopen(DECODER_MEMORY_IMAGE, "wb"); 19 | - fwrite(buf, sizeof(uint8_t), ip_b-ip_a, pt_file); 20 | - fclose(pt_file); 21 | + if (!pt_file) { 22 | + QEMU_PT_ERROR(CORE_PREFIX, "Error writing file %s)", DECODER_MEMORY_IMAGE); 23 | + } else { 24 | + fwrite(buf, sizeof(uint8_t), ip_b-ip_a, pt_file); 25 | + fclose(pt_file); 26 | + } 27 | 28 | FILE* rq_file = fopen(redqueen_workdir.target_code_dump, "wb"); 29 | - fwrite(&ip_a, sizeof(uint64_t), 1, rq_file); 30 | - fwrite(buf, sizeof(uint8_t), ip_b-ip_a, rq_file); 31 | - fclose(rq_file); 32 | + if (!rq_file) { 33 | + QEMU_PT_ERROR(CORE_PREFIX, "Error writing RQ file %s)", redqueen_workdir.target_code_dump); 34 | + } else { 35 | + fwrite(&ip_a, sizeof(uint64_t), 1, rq_file); 36 | + fwrite(buf, sizeof(uint8_t), ip_b-ip_a, rq_file); 37 | + fclose(rq_file); 38 | + } 39 | #endif 40 | 41 | 42 | -- 43 | 2.26.2 44 | 45 | -------------------------------------------------------------------------------- /kafl/patches.old/qemu/v4.2.0/0008-Fix-segfault-when-IPT-filtering-is-not-enabled.patch: -------------------------------------------------------------------------------- 1 | From b3332759b0c520e7032cd5e80cdfcb480e999f64 Mon Sep 17 00:00:00 2001 2 | From: Steffen Schulz 3 | Date: Fri, 15 Nov 2019 14:10:53 +0000 4 | Subject: [PATCH 08/11] Fix segfault when IPT filtering is not enabled 5 | 6 | --- 7 | pt/hypercall.c | 14 +++++++------- 8 | 1 file changed, 7 insertions(+), 7 deletions(-) 9 | 10 | diff --git a/pt/hypercall.c b/pt/hypercall.c 11 | index f48b9acb..842a90b6 100644 12 | --- a/pt/hypercall.c 13 | +++ b/pt/hypercall.c 14 | 
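Review bot: Both new error branches describe an fopen() failure as `"Error writing file %s)"`, which names the wrong operation and has an unbalanced parenthesis; assuming QEMU_PT_ERROR is printf-style as the existing `%s` suggests, `QEMU_PT_ERROR(CORE_PREFIX, "Error opening file %s: %s", DECODER_MEMORY_IMAGE, strerror(errno));` (and the same for target_code_dump) says what failed and why. The fwrite() and fclose() results in the else branches are still unchecked, so a short write (ENOSPC, read-only workdir) silently leaves a truncated memory image or code dump for the decoder and redqueen to consume later; comparing the fwrite() return against `ip_b-ip_a` before fclose() would surface that. pt_enable_ip_filtering starts before the hunk, so whether `ip_b >= ip_a` has been validated before it is used as a length is not visible here. The v5.0.0 copy of this patch has the identical hunk.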
@@ -503,13 +503,13 @@ bool handle_hypercall_kafl_hook(struct kvm_run *run, CPUState *cpu){ 15 | CPUX86State *env = &cpux86->env; 16 | 17 | for(uint8_t i = 0; i < INTEL_PT_MAX_RANGES; i++){ 18 | - if (cpu->redqueen_state[i] && (env->eip >= cpu->pt_ip_filter_a[i]) && (env->eip <= cpu->pt_ip_filter_b[i])){ 19 | - handle_hook(cpu->redqueen_state[i]); 20 | - return true; 21 | - }else if (cpu->singlestep_enabled && ((redqueen_t*)cpu->redqueen_state[i])->singlestep_enabled){ 22 | - handle_hook(cpu->redqueen_state[i]); 23 | - return true; 24 | - } 25 | + if (cpu->redqueen_state[i]){ 26 | + if (((env->eip >= cpu->pt_ip_filter_a[i]) && (env->eip <= cpu->pt_ip_filter_b[i])) || 27 | + (cpu->singlestep_enabled && ((redqueen_t*)cpu->redqueen_state[i])->singlestep_enabled)){ 28 | + handle_hook(cpu->redqueen_state[i]); 29 | + return true; 30 | + } 31 | + } 32 | } 33 | return false; 34 | } 35 | -- 36 | 2.26.2 37 | 38 | -------------------------------------------------------------------------------- /kafl/patches.old/qemu/v4.2.0/0009-fix-failing-assert-add-check-for-mmap-return.patch: -------------------------------------------------------------------------------- 1 | From fd4fa993a6e27537f141b753f70269735b1e2546 Mon Sep 17 00:00:00 2001 2 | From: Steffen Schulz 3 | Date: Tue, 11 Feb 2020 13:26:01 +0100 4 | Subject: [PATCH 09/11] fix failing assert, add check for mmap() return 5 | 6 | assert() had sometimes failed. Cause seems to be mismatching 7 | workdir/program file size that is being picked up on concurrent 8 | qemu restart. Not sure at which point the file is expanded to expected 9 | size but smaller/equal max size should be fine(?) 10 | --- 11 | pt/interface.c | 12 +++++++++--- 12 | 1 file changed, 9 insertions(+), 3 deletions(-) 13 | 14 | diff --git a/pt/interface.c b/pt/interface.c 15 | index 0162a6b9..05f27dd3 100644 16 | --- a/pt/interface.c 17 | +++ b/pt/interface.c 18 | 
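Review bot: The new two-level `if (cpu->redqueen_state[i]) { if (... || ...) { ... } }` can be one short-circuit condition, `if (cpu->redqueen_state[i] && (((env->eip >= cpu->pt_ip_filter_a[i]) && (env->eip <= cpu->pt_ip_filter_b[i])) || (cpu->singlestep_enabled && ((redqueen_t*)cpu->redqueen_state[i])->singlestep_enabled)))`, which keeps the NULL guard this commit adds with one less level of nesting. Since the whole point of the change is that the old `else if` dereferenced a NULL redqueen_state when no filter range was configured, a short comment above the loop, `/* redqueen_state[i] is NULL when IP filter i is unused; check it before any dereference */`, would stop a later refactor from reintroducing the segfault. handle_hypercall_kafl_hook begins before the hunk. The v5.0.0 copy of this patch contains the same hunk.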
@@ -212,7 +212,7 @@ static int kafl_guest_create_memory_bar(kafl_mem_state *s, int region_num, uint6 19 | stat(file, &st); 20 | QEMU_PT_DEBUG(INTERFACE_PREFIX, "new shm file: (max size: %lx) %lx", bar_size, st.st_size); 21 | 22 | - assert(bar_size == st.st_size); 23 | + assert(bar_size >= st.st_size); 24 | ptr = mmap(0, bar_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); 25 | if (ptr == MAP_FAILED) { 26 | error_setg_errno(errp, errno, "Failed to mmap memory"); 27 | @@ -231,7 +231,7 @@ static int kafl_guest_create_memory_bar(kafl_mem_state *s, int region_num, uint6 28 | return 0; 29 | } 30 | 31 | -static void kafl_guest_setup_bitmap(kafl_mem_state *s, uint32_t bitmap_size){ 32 | +static int kafl_guest_setup_bitmap(kafl_mem_state *s, uint32_t bitmap_size, Error **errp){ 33 | void * ptr; 34 | int fd; 35 | struct stat st; 36 | @@ -241,7 +241,13 @@ static void kafl_guest_setup_bitmap(kafl_mem_state *s, uint32_t bitmap_size){ 37 | stat(s->bitmap_file, &st); 38 | assert(bitmap_size == st.st_size); 39 | ptr = mmap(0, bitmap_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); 40 | + if (ptr == MAP_FAILED) { 41 | + error_setg_errno(errp, errno, "Failed to mmap memory"); 42 | + return -1; 43 | + } 44 | pt_setup_bitmap((void*)ptr); 45 | + 46 | + return 0; 47 | } 48 | 49 | static void* kafl_guest_setup_filter_bitmap(kafl_mem_state *s, char* filter, uint64_t size){ 50 | 
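Review bot: In the kafl_guest_setup_bitmap hunk the size check is still `assert(bitmap_size == st.st_size)` on a `stat()` whose return value is ignored, so a missing or short bitmap file passes in a build with NDEBUG (with `st` uninitialized if stat() failed) and the following mmap() of bitmap_size bytes succeeds but faults with SIGBUS on the first access past EOF; now that the function has an errp and a return code, `if (stat(s->bitmap_file, &st) != 0 || st.st_size != (off_t)bitmap_size) { error_setg(errp, "bitmap file %s missing or wrong size", s->bitmap_file); return -1; }` turns that into a reported error. The relaxed `assert(bar_size >= st.st_size)` in kafl_guest_create_memory_bar has the same NDEBUG problem and that function already carries an errp. On the new MAP_FAILED path the `fd` opened above the hunk is not closed; whether the success path closes it after mmap is outside the hunk.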
@@ -286,7 +292,7 @@ static void pci_kafl_guest_realize(DeviceState *dev, Error **errp){ 51 | if(&s->chr) 52 | qemu_chr_fe_set_handlers(&s->chr, kafl_guest_can_receive, kafl_guest_receive, kafl_guest_event, NULL, s, NULL, true); 53 | if(s->bitmap_file) 54 | - kafl_guest_setup_bitmap(s, kafl_bitmap_size); 55 | + kafl_guest_setup_bitmap(s, kafl_bitmap_size, errp); 56 | 57 | for(uint8_t i = 0; i < INTEL_PT_MAX_RANGES; i++){ 58 | if(s->ip_filter[i][0] && s->ip_filter[i][1]){ 59 | -- 60 | 2.26.2 61 | 62 | -------------------------------------------------------------------------------- /kafl/patches.old/qemu/v4.2.0/0013-disable-debug-and-fuzz-opts.patch: -------------------------------------------------------------------------------- 1 | From 00173506947218945fed1a5666c5668ee001647f Mon Sep 17 00:00:00 2001 2 | From: Steffen Schulz 3 | Date: Sun, 2 Aug 2020 21:18:59 +0200 4 | Subject: [PATCH] disable debug and fuzz optimizations 5 | 6 | --- 7 | compile.sh | 4 +++- 8 | configure | 4 ++-- 9 | 2 files changed, 5 insertions(+), 3 deletions(-) 10 | 11 | diff --git a/compile.sh b/compile.sh 12 | index 1ba35365..deb16c93 100644 13 | --- a/compile.sh 14 | +++ b/compile.sh 15 | @@ -6,5 +6,7 @@ 16 | # 17 | # SPDX-License-Identifier: GPL-2.0-or-later 18 | # 19 | -./configure --target-list=i386-softmmu,x86_64-softmmu --enable-gtk --enable-vnc --enable-pt --enable-redqueen --disable-werror 20 | +./configure --target-list=i386-softmmu,x86_64-softmmu \ 21 | + --enable-gtk --enable-vnc --enable-pt --enable-redqueen \ 22 | + --disable-werror --disable-debug-info 23 | make -j8 24 | diff --git a/configure b/configure 25 | index 48bd5340..f6e8baef 100755 26 | --- a/configure 27 | +++ b/configure 28 | 
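Review bot: The return code that kafl_guest_setup_bitmap now yields is discarded at `kafl_guest_setup_bitmap(s, kafl_bitmap_size, errp);`, so after a failed mmap() realize has set errp but continues into the IP-filter setup with pt_setup_bitmap never called; make it `if (kafl_guest_setup_bitmap(s, kafl_bitmap_size, errp) < 0) return;`. Passing errp down also means any later error_setg in this function would hit an already-populated *errp (error_setg expects it to be NULL), which is a second reason to leave as soon as the call fails. pci_kafl_guest_realize continues outside the hunk, so whatever cleanup an early return should perform is not visible here.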
@@ -6100,9 +6100,9 @@ if test "$gcov" = "yes" ; then 29 | CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS" 30 | LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS" 31 | elif test "$fortify_source" = "yes" ; then 32 | - CFLAGS="-O3 -frename-registers -funroll-loops -frename-registers -mtune=native -g -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS" 33 | + CFLAGS="-O3 -mtune=native -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS" 34 | elif test "$debug" = "no"; then 35 | - CFLAGS="-O3 -frename-registers -funroll-loops -frename-registers -mtune=native $CFLAGS" 36 | + CFLAGS="-O3 -mtune=native $CFLAGS" 37 | fi 38 | 39 | if test "$have_asan" = "yes"; then 40 | -- 41 | 2.27.0 42 | 43 | -------------------------------------------------------------------------------- /kafl/patches.old/qemu/v5.0.0/0003-kAFL-v2-frontend-requires-us-to-start-counting-at-0.patch: -------------------------------------------------------------------------------- 1 | From 27f5d28733d51f18e32bc9fbf23743f377f6645f Mon Sep 17 00:00:00 2001 2 | From: Steffen Schulz 3 | Date: Sat, 28 Sep 2019 02:09:38 +0200 4 | Subject: [PATCH 03/11] kAFL v2 frontend requires us to start counting at 0 5 | 6 | --- 7 | pt.c | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/pt.c b/pt.c 11 | index b3088665..6e11c22e 100644 12 | --- a/pt.c 13 | +++ b/pt.c 14 | @@ -78,7 +78,7 @@ void pt_setup_bitmap(void* ptr){ 15 | void pt_reset_bitmap(void){ 16 | if(bitmap){ 17 | last_ip = 0ULL; 18 | - memset(bitmap, 0xff, kafl_bitmap_size); 19 | + memset(bitmap, 0x00, kafl_bitmap_size); 20 | } 21 | } 22 | 23 | -- 24 | 2.26.2 25 | 26 | -------------------------------------------------------------------------------- /kafl/patches.old/qemu/v5.0.0/0005-Check-fopen-return-code-do-not-write-to-inaccessible.patch: -------------------------------------------------------------------------------- 1 | From 41d3e240652631795a66802c86021bf1c4a55f3c Mon Sep 17 00:00:00 2001 2 | 
From: Steffen Schulz 3 | Date: Mon, 4 Nov 2019 17:39:12 +0100 4 | Subject: [PATCH 05/11] Check fopen() return code, do not write to inaccessible 5 | files (segfault) binary patch 6 | 7 | --- 8 | pt.c | 18 +++++++++++++----- 9 | 1 file changed, 13 insertions(+), 5 deletions(-) 10 | 11 | diff --git a/pt.c b/pt.c 12 | index 60f5751d..4f80dc19 100644 13 | --- a/pt.c 14 | +++ b/pt.c 15 | @@ -216,13 +216,21 @@ int pt_enable_ip_filtering(CPUState *cpu, uint8_t addrn, uint64_t ip_a, uint64_t 16 | 17 | #ifdef CREATE_VM_IMAGE 18 | FILE* pt_file = fopen(DECODER_MEMORY_IMAGE, "wb"); 19 | - fwrite(buf, sizeof(uint8_t), ip_b-ip_a, pt_file); 20 | - fclose(pt_file); 21 | + if (!pt_file) { 22 | + QEMU_PT_ERROR(CORE_PREFIX, "Error writing file %s)", DECODER_MEMORY_IMAGE); 23 | + } else { 24 | + fwrite(buf, sizeof(uint8_t), ip_b-ip_a, pt_file); 25 | + fclose(pt_file); 26 | + } 27 | 28 | FILE* rq_file = fopen(redqueen_workdir.target_code_dump, "wb"); 29 | - fwrite(&ip_a, sizeof(uint64_t), 1, rq_file); 30 | - fwrite(buf, sizeof(uint8_t), ip_b-ip_a, rq_file); 31 | - fclose(rq_file); 32 | + if (!rq_file) { 33 | + QEMU_PT_ERROR(CORE_PREFIX, "Error writing RQ file %s)", redqueen_workdir.target_code_dump); 34 | + } else { 35 | + fwrite(&ip_a, sizeof(uint64_t), 1, rq_file); 36 | + fwrite(buf, sizeof(uint8_t), ip_b-ip_a, rq_file); 37 | + fclose(rq_file); 38 | + } 39 | #endif 40 | 41 | 42 | -- 43 | 2.26.2 44 | 45 | -------------------------------------------------------------------------------- /kafl/patches.old/qemu/v5.0.0/0008-Fix-segfault-when-IPT-filtering-is-not-enabled.patch: -------------------------------------------------------------------------------- 1 | From d03e6be2cd619089cc3c6618de0987861e411261 Mon Sep 17 00:00:00 2001 2 | From: Steffen Schulz 3 | Date: Fri, 15 Nov 2019 14:10:53 +0000 4 | Subject: [PATCH 08/11] Fix segfault when IPT filtering is not enabled 5 | 6 | --- 7 | pt/hypercall.c | 14 +++++++------- 8 | 1 file changed, 7 insertions(+), 7 deletions(-) 9 | 10 | 
diff --git a/pt/hypercall.c b/pt/hypercall.c 11 | index f48b9acb..842a90b6 100644 12 | --- a/pt/hypercall.c 13 | +++ b/pt/hypercall.c 14 | @@ -503,13 +503,13 @@ bool handle_hypercall_kafl_hook(struct kvm_run *run, CPUState *cpu){ 15 | CPUX86State *env = &cpux86->env; 16 | 17 | for(uint8_t i = 0; i < INTEL_PT_MAX_RANGES; i++){ 18 | - if (cpu->redqueen_state[i] && (env->eip >= cpu->pt_ip_filter_a[i]) && (env->eip <= cpu->pt_ip_filter_b[i])){ 19 | - handle_hook(cpu->redqueen_state[i]); 20 | - return true; 21 | - }else if (cpu->singlestep_enabled && ((redqueen_t*)cpu->redqueen_state[i])->singlestep_enabled){ 22 | - handle_hook(cpu->redqueen_state[i]); 23 | - return true; 24 | - } 25 | + if (cpu->redqueen_state[i]){ 26 | + if (((env->eip >= cpu->pt_ip_filter_a[i]) && (env->eip <= cpu->pt_ip_filter_b[i])) || 27 | + (cpu->singlestep_enabled && ((redqueen_t*)cpu->redqueen_state[i])->singlestep_enabled)){ 28 | + handle_hook(cpu->redqueen_state[i]); 29 | + return true; 30 | + } 31 | + } 32 | } 33 | return false; 34 | } 35 | -- 36 | 2.26.2 37 | 38 | -------------------------------------------------------------------------------- /kafl/patches.old/qemu/v5.0.0/0013-disable-debug-and-fuzz-opts.patch: -------------------------------------------------------------------------------- 1 | From 489e1164e46a9023cfd4adab8774b47bda5ad06a Mon Sep 17 00:00:00 2001 2 | From: Steffen Schulz 3 | Date: Sun, 2 Aug 2020 21:23:44 +0200 4 | Subject: [PATCH] disable debug and fuzz optimizations 5 | 6 | --- 7 | compile.sh | 4 +++- 8 | configure | 4 ++-- 9 | 2 files changed, 5 insertions(+), 3 deletions(-) 10 | 11 | diff --git a/compile.sh b/compile.sh 12 | index 1ba35365..deb16c93 100644 13 | --- a/compile.sh 14 | +++ b/compile.sh 15 | 
@@ -6,5 +6,7 @@ 16 | # 17 | # SPDX-License-Identifier: GPL-2.0-or-later 18 | # 19 | -./configure --target-list=i386-softmmu,x86_64-softmmu --enable-gtk --enable-vnc --enable-pt --enable-redqueen --disable-werror 20 | +./configure --target-list=i386-softmmu,x86_64-softmmu \ 21 | + --enable-gtk --enable-vnc --enable-pt --enable-redqueen \ 22 | + --disable-werror --disable-debug-info 23 | make -j8 24 | diff --git a/configure b/configure 25 | index 2ddc696f..eb106528 100755 26 | --- a/configure 27 | +++ b/configure 28 | 
@@ -6266,9 +6266,9 @@ if test "$gcov" = "yes" ; then 29 | QEMU_CFLAGS="-fprofile-arcs -ftest-coverage -g $QEMU_CFLAGS" 30 | QEMU_LDFLAGS="-fprofile-arcs -ftest-coverage $QEMU_LDFLAGS" 31 | elif test "$fortify_source" = "yes" ; then 32 | - CFLAGS="-O3 -frename-registers -funroll-loops -frename-registers -mtune=native -g -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS" 33 | + CFLAGS="-O3 -mtune=native -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS" 34 | elif test "$debug" = "no"; then 35 | - CFLAGS="-O3 -frename-registers -funroll-loops -frename-registers -mtune=native $CFLAGS" 36 | + CFLAGS="-O3 -mtune=native $CFLAGS" 37 | fi 38 | 39 | if test "$have_asan" = "yes"; then 40 | -- 41 | 2.27.0 42 | 43 | -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/.gitignore: -------------------------------------------------------------------------------- 1 | bin/ 2 | -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/compile.sh: -------------------------------------------------------------------------------- 1 | # 2 | # This file is part of Redqueen. 
3 | # 4 | # Copyright 2019 Sergej Schumilo, Cornelius Aschermann 5 | # Copyright 2020 Intel Corporation 6 | # 7 | # SPDX-License-Identifier: MIT 8 | # 9 | set -e 10 | 11 | SCRIPT_ROOT="$(dirname ${PWD}/${0})" 12 | 13 | if [[ "$OSTYPE" != "linux-gnu" ]]; then 14 | printf "\tError: Cannont compile linux userspace components on this plattform!\n\tPlease use Linux instead!\n" 15 | fi 16 | 17 | pushd $SCRIPT_ROOT 18 | 19 | printf "\tPrecompiling executables...\n" 20 | mkdir -p bin/ 21 | 22 | gcc -c -static -shared -O0 -m32 -Werror -fPIC src/ld_preload_info.c -o bin/ld_preload_info_32.o -ldl 23 | gcc -c -static -shared -O0 -m64 -Werror -fPIC src/ld_preload_info.c -o bin/ld_preload_info_64.o -ldl 24 | 25 | gcc -c -static -shared -O0 -m32 -Werror -fPIC src/ld_preload_fuzz.c -o bin/ld_preload_fuzz_32.o -ldl 26 | gcc -c -static -shared -O0 -m64 -Werror -fPIC src/ld_preload_fuzz.c -o bin/ld_preload_fuzz_64.o -ldl 27 | 28 | gcc -c -static -shared -O0 -m32 -Werror -fPIC -DASAN_BUILD src/ld_preload_fuzz.c -o bin/ld_preload_fuzz_32_asan.o -ldl 29 | gcc -c -static -shared -O0 -m64 -Werror -fPIC -DASAN_BUILD src/ld_preload_fuzz.c -o bin/ld_preload_fuzz_64_asan.o -ldl 30 | 31 | gcc -c -static -O0 -m32 -Werror src/userspace_loader.c -o bin/userspace_loader_32.o 32 | gcc -c -static -O0 -m64 -Werror src/userspace_loader.c -o bin/userspace_loader_64.o 33 | 34 | popd 35 | -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/initrd/.gitignore: -------------------------------------------------------------------------------- 1 | *.cpio.gz 2 | initrd/ 3 | -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/initrd/pack.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # This file is part of Redqueen. 
4 | # 5 | # Copyright 2019 Sergej Schumilo, Cornelius Aschermann 6 | # Copyright 2020 Intel Corporation 7 | # 8 | # SPDX-License-Identifier: MIT 9 | # 10 | 11 | set -e 12 | 13 | SCRIPT_ROOT="$(dirname ${PWD}/${0})" 14 | DEST=${SCRIPT_ROOT}/initrd 15 | TEMP=${SCRIPT_ROOT}/template 16 | 17 | 18 | error_exit() { 19 | 20 | echo "Fatal error: $1" 21 | echo 22 | echo "Usage:" 23 | echo " $0 [other_agent]..." 24 | exit 25 | } 26 | 27 | test -d "$TEMP" || error_exit "Could not find initrd template in >>$TEMP<<" 28 | test -x "$DEST" && error_exit "Target directory >>$DEST<< already exists." 29 | 30 | # check arguments for optional output file 31 | OUTPUT_FILE="$1"; shift || error_exit "Missing argument " 32 | DEFAULT_AGENT="$1"; shift || error_exit "Missing argument " 33 | BUSYBOX=$(which busybox) || error_exit "Could not find busybox binary." 34 | 35 | touch -- "$OUTPUT_FILE" || error_exit "Failed accessing desired output file >>$OUTPUT_FILE<<." 36 | 37 | echo "[*] Creating target initrd at $DEST" 38 | cp -a "$TEMP" "$DEST" 39 | for lib in \ 40 | lib/ld-linux.so.2 \ 41 | lib64/ld-linux-x86-64.so.2 \ 42 | lib/x86_64-linux-gnu/libc.so.6 \ 43 | lib/x86_64-linux-gnu/libdl.so.2 \ 44 | lib/i386-linux-gnu/libc.so.6 \ 45 | lib/i386-linux-gnu/libdl.so.2; 46 | do 47 | cp -v "/$lib" "$DEST/$lib" 48 | done 49 | 50 | echo "[*] Adding desired agent(s)..." 51 | mkdir $DEST/target/ 52 | for agent in "$DEFAULT_AGENT" "$@"; do 53 | cp -v "$agent" "$DEST"/target/ || error_exit "Failed adding agent >>$agent<< to initrd." 54 | done 55 | 56 | TMPFILE=$(tempfile) 57 | 58 | pushd "$DEST" > /dev/null 59 | chmod 755 init 60 | cp $BUSYBOX bin/ && ./bin/busybox --install bin/ 61 | ln bin/busybox linuxrc 62 | find . 
-print0 | cpio --null -ov --format=newc 2> /dev/null | gzip -4 > "$TMPFILE" 2> /dev/null 63 | popd > /dev/null 64 | 65 | mv $TMPFILE $OUTPUT_FILE 66 | rm -f $TMPFILE 67 | 68 | [ -d "$DEST" ] && rm -rf "$DEST" 69 | 70 | echo "[*] Successfully created initrd at $OUTPUT_FILE" 71 | echo 72 | 73 | -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/initrd/run_vm.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # This file is part of Redqueen. 4 | # 5 | # Copyright 2019 Sergej Schumilo, Cornelius Aschermann 6 | # SPDX-License-Identifier: MIT 7 | # 8 | 9 | # You can test the initramfs in Qemu like as shown below. 10 | # To run with the modified kAFL/Qemu, disable reload+snapshots. 11 | ./qemu-4.0.0/x86_64-softmmu/qemu-system-x86_64 \ 12 | -kernel /boot/vmlinuz-5.4.34-kAFL+ \ 13 | -initrd targets/linux_x86_64-initramfs/init_debug_shell.cpio.gz \ 14 | -serial mon:stdio -enable-kvm -m 500 -append "root=/dev/sda console=ttyS0" \ 15 | -nographic -device kafl,reload_mode=False,disable_snapshot=True 16 | -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/initrd/template/dev/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/targets.old/linux_x86_64-userspace/initrd/template/dev/.gitkeep -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/initrd/template/etc/nsswitch.conf: -------------------------------------------------------------------------------- 1 | # /etc/nsswitch.conf 2 | # 3 | # Example configuration of GNU Name Service Switch functionality. 
4 | # If you have the `glibc-doc-reference' and `info' packages installed, try: 5 | # `info libc "Name Service Switch"' for information about this file. 6 | 7 | passwd: compat 8 | group: compat 9 | shadow: compat 10 | 11 | hosts: files mdns4_minimal [NOTFOUND=return] dns 12 | networks: files 13 | 14 | protocols: db files 15 | services: db files 16 | ethers: db files 17 | rpc: db files 18 | 19 | netgroup: nis 20 | -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/initrd/template/etc/passwd: -------------------------------------------------------------------------------- 1 | root:x:0:0:root:/root:/bin/sh 2 | nobody:x:1000:1000:nobody:/nonexistent:/bin/sh 3 | -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/initrd/template/init: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # This file is part of Redqueen. 4 | # 5 | # Sergej Schumilo, 2019 6 | # Cornelius Aschermann, 2019 7 | # 8 | # This program is free software: you can redistribute it and/or modify 9 | # it under the terms of the GNU Affero General Public License as published by 10 | # the Free Software Foundation, either version 3 of the License, or 11 | # (at your option) any later version. 12 | # 13 | # This program is distributed in the hope that it will be useful, 14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | # GNU Affero General Public License for more details. 17 | # 18 | # You should have received a copy of the GNU Affero General Public License 19 | # along with Redqueen. If not, see . 
20 | # 21 | 22 | mount -t proc none /proc 23 | mount -t sysfs none /sys 24 | mount -t debugfs none /sys/kernel/debug 25 | mount -t devtmpfs none /dev 26 | mount -t tmpfs none /tmp 27 | chmod 777 / /tmp 28 | 29 | echo "7" > /proc/sys/kernel/printk 30 | echo "0" > /proc/sys/kernel/printk_ratelimit 31 | echo "19999999" > /proc/sys/kernel/printk_ratelimit_burst 32 | echo "1" > /proc/sys/kernel/panic_on_oops 33 | 34 | 35 | # set cmdline as script arguments, then eval() anything we recognize 36 | set -- $(cat /proc/cmdline) 37 | for arg in "$@"; do 38 | case "$arg" in 39 | kafl_agent=*) 40 | eval "$arg" 41 | ;; 42 | esac 43 | done 44 | 45 | # if kafl_agent points to valid executable, assume this is the intended target 46 | test -x "$kafl_agent" && exec $kafl_agent 47 | 48 | # fallback: launch option set by pack.sh 49 | /bin/sh /target/fuzz.sh 50 | -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/initrd/template/lib/i386-linux-gnu/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/targets.old/linux_x86_64-userspace/initrd/template/lib/i386-linux-gnu/.gitkeep -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/initrd/template/lib/x86_64-linux-gnu/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/targets.old/linux_x86_64-userspace/initrd/template/lib/x86_64-linux-gnu/.gitkeep -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/initrd/template/lib64/.gitkeep: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/targets.old/linux_x86_64-userspace/initrd/template/lib64/.gitkeep -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/initrd/template/proc/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/targets.old/linux_x86_64-userspace/initrd/template/proc/.gitkeep -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/initrd/template/sbin: -------------------------------------------------------------------------------- 1 | bin -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/initrd/template/sys/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/targets.old/linux_x86_64-userspace/initrd/template/sys/.gitkeep -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/initrd/template/tmp/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/targets.old/linux_x86_64-userspace/initrd/template/tmp/.gitkeep -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/initrd/template/usr/bin: -------------------------------------------------------------------------------- 1 | ../bin/ -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/initrd/template/usr/sbin: 
-------------------------------------------------------------------------------- 1 | ../bin/ -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64-userspace/src/ld_preload_info.c: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Redqueen. 3 | * 4 | * Copyright 2019 Sergej Schumilo, Cornelius Aschermann 5 | * 6 | * SPDX-License-Identifier: MIT 7 | */ 8 | 9 | #define _GNU_SOURCE 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | #include "../../kafl_user.h" 20 | 21 | int __libc_start_main(int (*main) (int,char **,char **), 22 | int argc,char **ubp_av, 23 | void (*init) (void), 24 | void (*fini)(void), 25 | void (*rtld_fini)(void), 26 | void (*stack_end)) { 27 | 28 | hprintf("LD_PRELOAD hprintf :)\n"); 29 | 30 | char filename[256]; 31 | void* info_buffer = mmap((void*)NULL, INFO_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 32 | memset(info_buffer, 0xff, INFO_SIZE); 33 | 34 | hprintf("LD_PRELOAD hprintf :)\n"); 35 | hprintf("Own pid is %d\n", getpid()); 36 | 37 | snprintf(filename, 256, "/proc/%d/maps", getpid()); 38 | hprintf("proc filename: %s\n", filename); 39 | 40 | FILE* f = fopen(filename, "r"); 41 | uint16_t len = fread(info_buffer, 1, INFO_SIZE, f); 42 | fclose(f); 43 | 44 | ((char*)info_buffer)[len] = '\0'; 45 | 46 | hprintf("Transfer data to hypervisor\n"); 47 | 48 | kAFL_hypercall(HYPERCALL_KAFL_INFO, (uintptr_t)info_buffer); 49 | 50 | return 0; 51 | } 52 | -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64/.gitignore: -------------------------------------------------------------------------------- 1 | bin/ 2 | -------------------------------------------------------------------------------- /kafl/targets.old/linux_x86_64/src/fuzzer/hprintf_test.c: 
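--------------------------------------------------------------------------------
/*

Copyright (C) 2017 Sergej Schumilo

This file is part of kAFL Fuzzer (kAFL).

QEMU-PT is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 2 of the License, or
(at your option) any later version.

QEMU-PT is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with QEMU-PT. If not, see .

*/

/* NOTE(review): the angle-bracket header names were lost in extraction; the
 * list below is reconstructed from what this file actually calls. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
#include "kafl_user.h"

/*
 * Verbose userspace fuzzing agent for the /proc/kafl_vuln test driver.
 *
 * Maps a payload buffer, registers it and the current CR3 with the
 * hypervisor, then loops forever: fetch the next payload, ACQUIRE, write the
 * payload bytes into the device, RELEASE.  Every step is traced with
 * hprintf() so the host can follow the agent.
 *
 * Fixes relative to the original: mmap() and open() failures are reported
 * and abort the agent instead of being ignored (with a bad fd every write()
 * in the loop fails silently and the fuzzer runs against nothing).
 */
int main(int argc, char** argv)
{
	int kafl_vuln_fd;
	hprintf("Starting... %s\n", argv[0]);
	hprintf("Allocating buffer for kAFL_payload struct\n");
	kAFL_payload* payload_buffer = mmap((void*)NULL, PAYLOAD_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (payload_buffer == MAP_FAILED) {
		hprintf("mmap of kAFL_payload buffer failed\n");
		return 1;
	}
	hprintf("Memset kAFL_payload at address %lx (size %d)\n", (uint64_t) payload_buffer, PAYLOAD_SIZE);
	memset(payload_buffer, 0xff, PAYLOAD_SIZE);
	hprintf("Attempt to open vulnerable device file (%s)\n", "/proc/kafl_vuln");
	kafl_vuln_fd = open("/proc/kafl_vuln", O_WRONLY | O_SYNC, 0);
	if (kafl_vuln_fd < 0) {
		hprintf("open(/proc/kafl_vuln) failed\n");
		return 1;
	}
	hprintf("Submitting buffer address to hypervisor...\n");
	kAFL_hypercall(HYPERCALL_KAFL_GET_PAYLOAD, (uint64_t)payload_buffer);
	hprintf("Submitting current CR3 value to hypervisor...\n");
	kAFL_hypercall(HYPERCALL_KAFL_SUBMIT_CR3, 0);
	hprintf("Starting kAFL loop...\n");
	while(1){
		kAFL_hypercall(HYPERCALL_KAFL_NEXT_PAYLOAD, 0);
		kAFL_hypercall(HYPERCALL_KAFL_ACQUIRE, 0);
		hprintf("Injecting data...\n");
		/* payload_buffer->size is filled in by the hypervisor for each iteration */
		write(kafl_vuln_fd, payload_buffer->data, payload_buffer->size);
		hprintf("Injection finished...\n");
		kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0);
	}
	return 0;
}
--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64/src/fuzzer/kafl_vuln_json.c:
--------------------------------------------------------------------------------
/*

Copyright (C) 2017 Sergej Schumilo

This file is part of kAFL Fuzzer (kAFL).

QEMU-PT is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 2 of the License, or
(at your option) any later version.

QEMU-PT is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.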
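
You should have received a copy of the GNU General Public License
along with QEMU-PT. If not, see .

*/

/* NOTE(review): the angle-bracket header names were lost in extraction; the
 * list below is reconstructed from what this file actually calls. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
#include "kafl_user.h"

/* printk support */
/*
 * Resolve a kernel symbol by scanning /proc/kallsyms for a line that ends in
 * `identifier` (callers pass e.g. "T printk\n", newline included) and parsing
 * the leading hex address of that line.
 *
 * Returns the address, or 0 when /proc/kallsyms cannot be opened or no line
 * matches.
 */
static inline uint64_t get_address(char* identifier) {
	FILE * fp;
	char * line = NULL;
	ssize_t read;
	size_t len = 0;    /* getline() takes size_t*, and a NULL line requires len == 0 */
	uint64_t address = 0x0;
	/* size_t, not uint8_t: a suffix of 256+ bytes used to be truncated and could never match */
	size_t identifier_len = strlen(identifier);

	fp = fopen("/proc/kallsyms", "r");
	if (fp == NULL){
		return address;
	}

	while ((read = getline(&line, &len, fp)) != -1) {
		if(strlen(line) > identifier_len && !strcmp(line + strlen(line) - identifier_len, identifier)){
			/* strtok() yields NULL for a line of only delimiters; strtoull(NULL) is undefined */
			char* addr_str = strtok(line, " ");
			if (addr_str != NULL) {
				address = strtoull(addr_str, NULL, 16);
			}
			break;
		}
	}

	fclose(fp);
	if (line){
		free(line);
	}
	return address;
}


/*
 * Fuzzing agent for the /proc/kafl_vuln_json test driver: map the payload
 * buffer, register it and the current CR3 with the hypervisor, report the
 * kernel's printk address, then loop fetching payloads and writing them into
 * the device between ACQUIRE and RELEASE.
 *
 * Fixes relative to the original: mmap()/open() failures abort the agent
 * instead of being ignored, and /proc/kallsyms is scanned once rather than
 * twice for the same symbol.
 */
int main(int argc, char** argv)
{
	int kafl_vuln_fd;
	kAFL_payload* payload_buffer = mmap((void*)NULL, PAYLOAD_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (payload_buffer == MAP_FAILED) {
		hprintf("mmap of kAFL_payload buffer failed\n");
		return 1;
	}
	memset(payload_buffer, 0xff, PAYLOAD_SIZE);
	kafl_vuln_fd = open("/proc/kafl_vuln_json", O_WRONLY | O_SYNC, 0);
	if (kafl_vuln_fd < 0) {
		/* with a bad fd every write() below fails silently and the fuzzer runs against nothing */
		hprintf("open(/proc/kafl_vuln_json) failed\n");
		return 1;
	}
	kAFL_hypercall(HYPERCALL_KAFL_GET_PAYLOAD, (uint64_t)payload_buffer);
	kAFL_hypercall(HYPERCALL_KAFL_SUBMIT_CR3, 0);

	uint64_t printk_addr = get_address("T printk\n");
	hprintf("printk: %lx\n", printk_addr);
	kAFL_hypercall(HYPERCALL_KAFL_PRINTK_ADDR, printk_addr);

	while(1){
		kAFL_hypercall(HYPERCALL_KAFL_NEXT_PAYLOAD, 0);
		kAFL_hypercall(HYPERCALL_KAFL_ACQUIRE, 0);
		write(kafl_vuln_fd, payload_buffer->data, payload_buffer->size);
		kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0);
	}
	return 0;
}
--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64/src/fuzzer/kafl_vuln_test.c: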
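--------------------------------------------------------------------------------
/*

Copyright (C) 2017 Sergej Schumilo

This file is part of kAFL Fuzzer (kAFL).

QEMU-PT is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 2 of the License, or
(at your option) any later version.

QEMU-PT is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with QEMU-PT. If not, see .

*/

/* NOTE(review): the angle-bracket header names were lost in extraction; the
 * list below is reconstructed from what this file actually calls. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
#include "kafl_user.h"

/* printk support */
/*
 * Resolve a kernel symbol by scanning /proc/kallsyms for a line that ends in
 * `identifier` (callers pass e.g. "T printk\n", newline included) and parsing
 * the leading hex address of that line.
 *
 * Returns the address, or 0 when /proc/kallsyms cannot be opened or no line
 * matches.
 */
static inline uint64_t get_address(char* identifier) {
	FILE * fp;
	char * line = NULL;
	ssize_t read;
	size_t len = 0;    /* getline() takes size_t*, and a NULL line requires len == 0 */
	uint64_t address = 0x0;
	/* size_t, not uint8_t: a suffix of 256+ bytes used to be truncated and could never match */
	size_t identifier_len = strlen(identifier);

	fp = fopen("/proc/kallsyms", "r");
	if (fp == NULL){
		return address;
	}

	while ((read = getline(&line, &len, fp)) != -1) {
		if(strlen(line) > identifier_len && !strcmp(line + strlen(line) - identifier_len, identifier)){
			/* strtok() yields NULL for a line of only delimiters; strtoull(NULL) is undefined */
			char* addr_str = strtok(line, " ");
			if (addr_str != NULL) {
				address = strtoull(addr_str, NULL, 16);
			}
			break;
		}
	}

	fclose(fp);
	if (line){
		free(line);
	}
	return address;
}


/*
 * Fuzzing agent for the /proc/kafl_vuln test driver: map the payload buffer,
 * register it and the current CR3 with the hypervisor, report the kernel's
 * printk address, then loop fetching payloads and writing them into the
 * device between ACQUIRE and RELEASE.
 *
 * Fixes relative to the original: mmap()/open() failures abort the agent
 * instead of being ignored, and /proc/kallsyms is scanned once rather than
 * twice for the same symbol.
 */
int main(int argc, char** argv)
{
	int kafl_vuln_fd;
	kAFL_payload* payload_buffer = mmap((void*)NULL, PAYLOAD_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (payload_buffer == MAP_FAILED) {
		hprintf("mmap of kAFL_payload buffer failed\n");
		return 1;
	}
	memset(payload_buffer, 0xff, PAYLOAD_SIZE);
	kafl_vuln_fd = open("/proc/kafl_vuln", O_WRONLY | O_SYNC, 0);
	if (kafl_vuln_fd < 0) {
		/* with a bad fd every write() below fails silently and the fuzzer runs against nothing */
		hprintf("open(/proc/kafl_vuln) failed\n");
		return 1;
	}
	kAFL_hypercall(HYPERCALL_KAFL_GET_PAYLOAD, (uint64_t)payload_buffer);
	kAFL_hypercall(HYPERCALL_KAFL_SUBMIT_CR3, 0);

	uint64_t printk_addr = get_address("T printk\n");
	hprintf("printk: %lx\n", printk_addr);
	kAFL_hypercall(HYPERCALL_KAFL_PRINTK_ADDR, printk_addr);

	while(1){
		kAFL_hypercall(HYPERCALL_KAFL_NEXT_PAYLOAD, 0);
		kAFL_hypercall(HYPERCALL_KAFL_ACQUIRE, 0);
		write(kafl_vuln_fd, payload_buffer->data, payload_buffer->size);
		kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0);
	}
	return 0;
}
--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64/src/loader/stage2_loader.c:
--------------------------------------------------------------------------------
/*
 * This file is part of kAFL.
 *
 * Copyright 2017-2019 Sergej Schumilo, Cornelius Aschermann
 *
 * SPDX-License-Identifier: MIT
 */

#define _GNU_SOURCE

/* NOTE(review): the angle-bracket header names were lost in extraction; the
 * list below is reconstructed from what this file actually calls. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>

#include "kafl_user.h"

/* fuzzer binary embedded into this loader at link time */
extern uint8_t _binary_target_start;
extern uint8_t _binary_target_end;
extern uint8_t _binary_target_size;

/* table of embedded kernel modules to drop into /tmp and insmod */
extern uint32_t modules;
extern uint8_t* module_address_start[];
extern uint8_t* module_address_end[];
extern char* module_name[];

/*
 * Write the embedded blob [start_address, end_address) to <path>/<name> and,
 * when `load` is set, insmod it from there.  Progress and errors go to the
 * host via hprintf(); errors are reported but not fatal, matching the
 * original best-effort behaviour of the loader.
 *
 * Fixes relative to the original: open()/asprintf() failures are detected
 * (the old code wrote to fd -1 and printed whatever errno happened to hold),
 * the allocated strings are freed, the size is printed with a matching
 * format, and the created files are 0755 rather than world-writable 0777.
 */
static void copy_binary(char* name, char* path, void* start_address, void* end_address, bool load){
	char* load_cmd = NULL;
	int payload_file;
	char* full_path = NULL;
	hprintf("<<%s>>\n", name);
	/* byte difference; arithmetic on void* is a GNU extension, so go through uint8_t* */
	uint64_t size = (uint8_t*)end_address - (uint8_t*)start_address;
	hprintf("[!] binary (%s) is %lu bytes in size...\n", name, (unsigned long)size);
	if (asprintf(&full_path, "%s/%s", path, name) < 0) {
		hprintf("[!] asprintf failed\n");
		return;
	}
	hprintf("[!] writing to \"%s\"\n", full_path);
	payload_file = open(full_path, O_RDWR | O_CREAT | O_SYNC, 0755);
	if (payload_file < 0) {
		hprintf("[*] open: %s\n", strerror(errno));
		free(full_path);
		return;
	}
	/* errno is only meaningful after a failed call; clear it so the
	 * status line reports the outcome of *this* write, not a stale value */
	errno = 0;
	ssize_t written = write(payload_file, start_address, size);
	hprintf("[*] write: %s\n", strerror(errno));
	if (written < 0 || (uint64_t)written != size)
		hprintf("[!] short write: %ld of %lu bytes\n", (long)written, (unsigned long)size);
	errno = 0;
	close(payload_file);
	hprintf("[*] close: %s\n\n", strerror(errno));
	if(load){
		/* the command is built from the embedded module table, not from fuzz input */
		if (asprintf(&load_cmd, "insmod %s/%s", path, name) < 0) {
			hprintf("[!] asprintf failed\n");
		} else {
			hprintf("[*] exec: %s => %d\n", load_cmd, system(load_cmd));
			free(load_cmd);
		}
	}
	free(full_path);
}

/*
 * Replace this process with the binary at `filepath` via fexecve(), with an
 * empty environment.  Only returns when the open or the exec failed.
 */
static inline void load_programm(char* filepath){
	int payload_file;
	char* newenviron[] = {NULL};
	char* newargv[] = {filepath, NULL};

	payload_file = open(filepath, O_RDONLY);
	if (payload_file < 0) {
		hprintf("%s: open(%s) failed: %s\n", __func__, filepath, strerror(errno));
		return;
	}
	fexecve(payload_file, newargv, newenviron);
	hprintf("%s failed\n", __func__);
}

/*
 * Stage-2 loader run as init inside the fuzzing VM: requires root, unpacks
 * the embedded fuzzer binary and kernel modules into /tmp, loads the
 * modules, then execs the fuzzer.  Falls into an endless loop if the exec
 * fails so the VM stays inspectable instead of rebooting.
 */
int main(int argc, char** argv){
	/* check if uid == 0 */
	if(getuid()){
		hprintf("Oops...no root creds?\n");
		return 1;
	}
	hprintf("[*] getuid() == 0\n");

	copy_binary("fuzzer", "/tmp", (void*)&_binary_target_start, (void*)&_binary_target_end, false);

	hprintf("Modules: %u\n", modules);
	for(uint32_t i = 0; i < modules; i++){
		hprintf("%s\n", module_name[i]);
		copy_binary(module_name[i], "/tmp", (void*)module_address_start[i], (void*)module_address_end[i], true);
	}

	hprintf("DONE\n");

	load_programm("/tmp/fuzzer");
	hprintf("ERROR\n");

	while(1){};
	return 0;
}
--------------------------------------------------------------------------------
/kafl/tools/mcat.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
#
# Copyright 2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko
# Copyright 2020 Intel Corporation
#
# SPDX-License-Identifier: AGPL-3.0-or-later

"""
Pretty-print msgpack files produced by kAFL
"""

import os
import sys

import msgpack
from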
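pprint import pprint

# make the kAFL-Fuzzer package importable when run from the tools/ directory
sys.path.insert(0, os.path.dirname(os.path.realpath(__file__)) + "/../kAFL-Fuzzer/")
from common.util import read_binary_file

# Each argument is a msgpack file written by kAFL; decode with str keys/values
# (raw=False), allow non-str map keys (strict_map_key=False) and pretty-print.
for arg in sys.argv[1:]:
    pprint(msgpack.unpackb(read_binary_file(arg), raw=False, strict_map_key=False))
--------------------------------------------------------------------------------
/native-sgx-runner/CMakeLists.txt:
--------------------------------------------------------------------------------
cmake_minimum_required(VERSION 3.16)

project(native-sgx-runner)
set(CMAKE_CXX_STANDARD 20)

set(source
        NativeEnclave.cpp
        buffer/GuardedBuffer.cpp
        InputNode.hpp
        )

if (DEFINED ENCLAVE_PATH)
    add_definitions(-DENCLAVE_PATH=${ENCLAVE_PATH})
endif ()
if (DEFINED TCS_PAGE)
    add_definitions(-DTCS_PAGE=${TCS_PAGE})
endif ()
if (DEFINED ENCLAVE_LAYOUT_PATH)
    add_definitions(-DENCLAVE_LAYOUT_PATH=${ENCLAVE_LAYOUT_PATH})
endif ()
if (DEFINED NO_VM_RELOAD)
    add_definitions(-DNO_VM_RELOAD=0${NO_VM_RELOAD})
endif ()

add_library(libnyx_dummy SHARED libnyx.c)
add_executable(fuzz-generic main-generic.cpp ${source})
target_link_libraries(fuzz-generic PRIVATE libnyx_dummy)
--------------------------------------------------------------------------------
/native-sgx-runner/InputMutator.h:
--------------------------------------------------------------------------------

// NOTE(review): the angle-bracket header names were lost in extraction; the
// list below is reconstructed from what this header uses.
#include <cstdint>
#include <functional>
#include <utility>
#include <vector>

#include "NativeEnclave.h"
#include "InputNode.hpp"

#ifndef NATIVE_SGX_RUNNER_INPUTMUTATOR_H
#define NATIVE_SGX_RUNNER_INPUTMUTATOR_H

// Which mutation strategy mutate() currently follows.
enum MutatorStage {
    DETERMINISTIC,
    RANDOM,
    TESTCASE_BASED,
};

// Produces successive mutations of an InputNode, either deterministically,
// randomly (for a bounded number of tests) or by mutating a given base test
// case.  The declared-only members are implemented elsewhere in the runner.
class InputMutator {
    // Hook applied to the input after each mutation; defaults to a no-op.
    // NOTE(review): the template argument was lost in extraction; restored from the default lambda.
    std::function<void(InputNode&)> post = [](InputNode&) {};
    MutatorStage stage = DETERMINISTIC;

    static const int MAX_RND_TESTS = 100;
    int rnd_tests = MAX_RND_TESTS;   // random tests still to run in the RANDOM stage

    // NOTE(review): the element type was lost in extraction; restore it from the original header.
    std::vector base_testcase;
    int base_test_mutation_offset = 0;   // position in base_testcase the next mutation touches
public:
    static void fillRandom(InputNode& in, uint64_t seed = 0);
    static void fillDeterministic(InputNode& in);

    void setPostProcess(std::function<void(InputNode&)> f) { post = std::move(f); }

    void setStageDeterministic() { stage = DETERMINISTIC; }
    void setStageRandom(int tests = MAX_RND_TESTS) {
        stage = RANDOM;
        rnd_tests = tests;
    }
    void setStageTestcase(std::vector testcase = {}) {
        stage = TESTCASE_BASED;
        base_test_mutation_offset = 0;
        base_testcase = std::move(testcase);
    }

    // Applies the next mutation to `in`; `fault` is the faulting address of the
    // previous run (meaning defined by the implementation, not visible here).
    bool mutate(InputNode& in, uintptr_t fault);
private:
    bool mutateFromBase(InputNode& in);
};


#endif //NATIVE_SGX_RUNNER_INPUTMUTATOR_H
--------------------------------------------------------------------------------
/native-sgx-runner/buffer/Buffer.h:
--------------------------------------------------------------------------------
#ifndef NATIVE_SGX_RUNNER_BUFFER_H
#define NATIVE_SGX_RUNNER_BUFFER_H

// NOTE(review): the original header name was lost in extraction; <cstring> is
// reconstructed from the memcpy use, <cstdint> is new and provides SIZE_MAX.
#include <cstdint>
#include <cstring>

// Abstract byte buffer handed to the enclave.  Subclasses own the backing
// memory (buf/len) and decide how resize() is implemented; the base class only
// provides the bounds-checked set_data() helper.
class Buffer {
protected:
    char* buf = nullptr;
    size_t len = 0;

public:
    explicit Buffer() = default;
    virtual ~Buffer() = default;
    Buffer(const Buffer&) = delete;
    // subclasses hold raw mappings; copying would end in a double munmap
    Buffer& operator=(const Buffer&) = delete;

    [[nodiscard]] virtual char* getBuf() const { return buf; }
    [[nodiscard]] virtual size_t getLen() const { return len; }

    virtual bool isInGuardPage(void* addr) const { return false; }
    virtual bool isReadable() const { return true; }

    [[nodiscard]] virtual bool resize(size_t new_len) = 0;

    // Copies data_len bytes (or zero-fills when data is null) to buf[offset],
    // growing the buffer first if needed.  Returns false when the buffer cannot
    // be grown far enough.
    [[nodiscard]] virtual bool set_data(size_t offset, const char* data, size_t data_len) {
        // offset + data_len must not wrap: resize() would otherwise be asked for a
        // tiny size and the memcpy below would run far past the buffer
        if (data_len > SIZE_MAX - offset)
            return false;
        if (getLen() < offset + data_len)
            if (!resize(offset + data_len))
                return false;
        if (data)
            memcpy(&buf[offset], data, data_len);
        else
            memset(&buf[offset], 0, data_len);
        return true;
    }
};

#endif //NATIVE_SGX_RUNNER_BUFFER_H
--------------------------------------------------------------------------------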
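/native-sgx-runner/buffer/GuardedBuffer.cpp:
--------------------------------------------------------------------------------

#include "GuardedBuffer.h"
// NOTE(review): the angle-bracket header names were lost in extraction; the
// list below is reconstructed from what this file uses.
#include <sys/mman.h>
#include <cassert>
#include <cerrno>
#include <cstdint>
#include <cstdlib>
#include <cstring>

extern "C" {
#include "../libnyx.h"
#include "../../packer/agents/nyx.h"
}

// Maps enough pages for new_len bytes plus one trailing PROT_NONE guard page,
// so that an access running past the end of the buffer faults instead of
// silently succeeding.  The buffer itself is placed at the end of the data
// pages, directly against the guard page (see resize()).
GuardedBuffer::GuardedBuffer(size_t new_len) {
    // round new_len up to whole pages, then add the guard page
    internal_size = new_len / PAGE_SIZE * PAGE_SIZE + PAGE_SIZE;
    if (new_len % PAGE_SIZE != 0)
        internal_size += PAGE_SIZE;

    internal_addr = mmap(nullptr, internal_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if(internal_addr == MAP_FAILED)
        // NOTE(review): this passes the address of errno (an int) where the
        // extended panic presumably expects a message pointer — confirm against the nyx ABI
        kAFL_hypercall(HYPERCALL_KAFL_PANIC_EXTENDED, (uint64_t) &errno);
    // dprintf(2, "errno: %d\n", errno);
    assert(internal_addr != MAP_FAILED);

    // mprotect() and resize() must not be evaluated inside assert(): with NDEBUG
    // the whole expression is dropped, leaving the guard page writable and the
    // buffer unsized — exactly the overflows this class exists to catch.
    int rc = mprotect((void*) ((uintptr_t) internal_addr + internal_size - PAGE_SIZE), PAGE_SIZE, PROT_NONE);
    if (rc != 0) {
        assert(rc == 0 && "mprotect(guard page) failed");
        abort();
    }

    if (!resize(new_len)) {
        assert(false && "initial resize failed");
        abort();
    }
}

GuardedBuffer::~GuardedBuffer() {
    munmap(internal_addr, internal_size);
}

// Re-points the buffer so that it ends exactly at the guard page and keeps as
// much of the old contents as still fits.  Fails when new_len exceeds the data
// pages mapped by the constructor; the mapping is never grown.
bool GuardedBuffer::resize(size_t new_len) {
    if (new_len > internal_size - PAGE_SIZE)
        return false;

    void* old_buf = buf;
    size_t old_len = len;

    len = new_len;
    buf = (char*) ((uintptr_t) internal_addr + internal_size - len - PAGE_SIZE);

    // old and new ranges overlap, hence memmove
    if (old_buf)
        memmove(buf, old_buf, old_len < len ? old_len : len);

    return true;
}

bool GuardedBuffer::isInGuardPage(void* addr) const {
    return (uintptr_t) internal_addr + internal_size - PAGE_SIZE <= (uintptr_t) addr && (uintptr_t) addr < (uintptr_t) internal_addr + internal_size;
}
--------------------------------------------------------------------------------
/native-sgx-runner/buffer/GuardedBuffer.h:
--------------------------------------------------------------------------------
#ifndef NATIVE_SGX_RUNNER_GUARDEDBUFFER_H
#define NATIVE_SGX_RUNNER_GUARDEDBUFFER_H

// NOTE(review): the angle-bracket header names were lost in extraction; reconstructed from usage.
#include <cstddef>
#include <cstdint>

#include "Buffer.h"

#ifndef PAGE_SIZE
#define PAGE_SIZE 0x1000
#endif

// Buffer backed by an anonymous mapping whose last page is PROT_NONE, so that
// overruns past getBuf()+getLen() fault (see isInGuardPage()).
class GuardedBuffer : public Buffer {
private:
    void* internal_addr = nullptr;   // start of the whole mapping (data pages + guard page)
    size_t internal_size = 0;        // size of the whole mapping, including the guard page

public:
    explicit GuardedBuffer(size_t new_len = sizeof(void*));
    ~GuardedBuffer() override;

    bool isInGuardPage(void* addr) const override;

    [[nodiscard]] bool resize(size_t new_len) override;
};


#endif //NATIVE_SGX_RUNNER_GUARDEDBUFFER_H
--------------------------------------------------------------------------------
/native-sgx-runner/buffer/PartialEnclaveBuffer.h:
--------------------------------------------------------------------------------
#ifndef NATIVE_SGX_RUNNER_PARTIALENCLAVEBUFFER_H
#define NATIVE_SGX_RUNNER_PARTIALENCLAVEBUFFER_H

// NOTE(review): the angle-bracket header names were lost in extraction; the
// list below is reconstructed from what this header uses.
#include <sys/mman.h>
#include <cassert>
#include <cstdint>
#include <cstdlib>
#include <cstring>

#include "../NativeEnclave.h"
#include "Buffer.h"

#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x10000
#endif

// number of bytes at the end of the buffer that lie inside the enclave
#define INENCLAVE_PART 1

// Buffer that straddles the enclave boundary: one host page is mapped directly
// below the enclave base and the buffer is placed at its end, so that its last
// INENCLAVE_PART byte(s) fall inside enclave memory.  A non-readable instance
// maps the host page PROT_NONE and ignores writes.
class PartialEnclaveBuffer : public Buffer {
protected:
    void* internal_addr;   // the host page directly below the enclave base
    bool readable;
public:
    explicit PartialEnclaveBuffer(NativeEnclave* enclave, bool readable = true, size_t new_len = sizeof(void*)) : readable(readable) {
        assert(enclave);
        auto perm = PROT_READ | PROT_WRITE;
        if (!readable)
            perm = 0;
        void* wanted = (void*) (enclave->getBase() - PAGE_SIZE);
        internal_addr = mmap(wanted, PAGE_SIZE, perm, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
        // Kernels that know MAP_FIXED_NOREPLACE fail with EEXIST on a collision;
        // older ones treat it as a hint and return some other address.  Either way
        // the buffer would not touch the enclave, so the placement is checked here
        // (outside assert(), which NDEBUG removes).
        if (internal_addr == MAP_FAILED || internal_addr != wanted)
            abort();
        if (!resize(new_len))
            abort();
    }
    ~PartialEnclaveBuffer() override {
        munmap(internal_addr, PAGE_SIZE);
    };

    // the "guard" region is the enclave memory just past the host page
    bool isInGuardPage(void* addr) const override {
        return (uintptr_t) internal_addr + PAGE_SIZE + INENCLAVE_PART <= (uintptr_t) addr && (uintptr_t) addr < (uintptr_t) internal_addr + 2 * PAGE_SIZE;
    }

    bool isReadable() const override { return readable; }

    // Re-points the buffer so that its last INENCLAVE_PART bytes sit inside the
    // enclave; at most one page (the host part) is available.
    bool resize(size_t new_len) override {
        if (new_len > PAGE_SIZE)
            return false;

        const void* old_buf = buf;
        const size_t old_len = len;

        len = new_len;
        buf = (char*) ((uintptr_t) internal_addr + PAGE_SIZE - len + INENCLAVE_PART);

        // Only the host part (len - INENCLAVE_PART bytes) is preserved.  Skipped on
        // the first call (no old buffer) and for non-readable instances, whose host
        // page is PROT_NONE and would fault on the memmove.
        if (new_len && old_buf && readable)
            memmove(buf, old_buf, old_len < (len - INENCLAVE_PART) ? old_len : (len - INENCLAVE_PART));

        return true;
    };

    // Like Buffer::set_data(), but writes are clamped at the enclave boundary
    // and silently ignored for non-readable instances.
    bool set_data(size_t offset, const char* data, size_t data_len) override {
        if (data_len > SIZE_MAX - offset)
            return false;
        if (getLen() < offset + data_len) {
            if (!resize(offset + data_len))
                return false;
        }

        if (!readable)
            return true; // ignore write

        // bytes of the buffer that live in host memory and can actually be written
        if (len < INENCLAVE_PART || offset >= len - INENCLAVE_PART)
            return true; // the whole write would land inside the enclave
        const size_t host_len = len - INENCLAVE_PART;
        size_t copy_len = data_len;
        if (offset + data_len > host_len) {
            copy_len = host_len - offset;
        }

        if (data)
            memcpy(&buf[offset], data, copy_len);
        else
            memset(&buf[offset], 0, copy_len);
        return true;
    }
};


#endif //NATIVE_SGX_RUNNER_PARTIALENCLAVEBUFFER_H
--------------------------------------------------------------------------------
/native-sgx-runner/libnyx.c:
--------------------------------------------------------------------------------
/* NOTE(review): header names lost in extraction; reconstructed from the types in libnyx.h */
#include <stdint.h>
#include <ucontext.h>
#include "libnyx.h"

/* No-op stand-ins for the Nyx agent hooks, so the runner links and runs
 * outside the fuzzing VM (built as libnyx_dummy, see CMakeLists.txt). */
void nyx_init(void) {}

void ijon_max(uint8_t id, uint64_t value) {}
void report_struct_synth_addrs(const char* addrs, size_t len)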
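{}
void report_crashing_addr(ucontext_t* context) {}
--------------------------------------------------------------------------------
/native-sgx-runner/libnyx.h:
--------------------------------------------------------------------------------
#pragma once

/* NOTE(review): header names lost in extraction; reconstructed from the types used below */
#include <stddef.h>
#include <stdint.h>
#include <ucontext.h>

/* Nyx agent hooks used by the runner; libnyx.c provides no-op stubs for
 * running outside the fuzzing VM. */
void nyx_init(void);
void ijon_max(uint8_t id, uint64_t value);
void report_struct_synth_addrs(const char* addrs, size_t len);
void report_crashing_addr(ucontext_t* context);
--------------------------------------------------------------------------------
/native-sgx-runner/make-enclave-fuzz-target.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Build the fuzz-generic runner for one enclave memory dump.
#
#   $1  enclave .mem dump (its .layout file is expected next to it)
#   $2  TCS file; its first line is passed to CMake as TCS_PAGE
#   $3  optional "--no-reload" to build with NO_VM_RELOAD=1
#
# The result is copied to <enclave basename>.fuzz in the current directory.

set -eo pipefail

# realpath "" would fail with an unhelpful message; report the usage instead
if [[ $# -lt 2 ]]; then
	echo "usage: $0 <enclave.mem> <tcs-file> [--no-reload]" >&2
	exit 1
fi

ENCLAVE=$(realpath "$1")
TCS=$(realpath "$2")

BASE=$(dirname "$(realpath "$0")")
LAYOUT=$(dirname "$ENCLAVE")/$(basename -s .mem "$ENCLAVE").layout

if [[ $3 == "--no-reload" ]]; then
	echo "No VM reloading..."
	RELOAD="-DNO_VM_RELOAD=1 -DCMAKE_BUILD_TYPE=Debug"
else
	RELOAD="-DNO_VM_RELOAD=0 -DCMAKE_BUILD_TYPE=Debug"
fi

rm -rf "$BASE/build"
mkdir -p "$BASE/build"
pushd "$BASE/build"
# $RELOAD is intentionally unquoted: it carries two separate -D flags
cmake "-DENCLAVE_PATH=$ENCLAVE" "-DTCS_PAGE=$(head -1 "$TCS")" "-DENCLAVE_LAYOUT_PATH=$LAYOUT" $RELOAD .. && make fuzz-generic
TARGET=$(realpath fuzz-generic)
popd

cp "$TARGET" "$(basename "$ENCLAVE")".fuzz
--------------------------------------------------------------------------------
/packer/.gitignore:
--------------------------------------------------------------------------------
*.pyc
--------------------------------------------------------------------------------
/packer/linux_initramfs/bzImage-linux-4.15-rc7:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/bzImage-linux-4.15-rc7
--------------------------------------------------------------------------------
/packer/linux_initramfs/pack.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# This file is part of Redqueen.
#
# Sergej Schumilo, 2019
# Cornelius Aschermann, 2019
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with Redqueen. If not, see .
#

# Builds two initramfs images from rootTemplate/: init.cpio.gz, whose init
# runs the kAFL loader, and init_debug_shell.cpio.gz, whose init drops into a
# shell.  The loader and the host's dynamic loader/libc are copied into the
# template for the build and removed again at the end.

set -e

# print the first of the given paths that exists (used to cope with the
# different library locations of Debian- and Fedora-like hosts)
first_file() {
	\ls "$@" 2>/dev/null | head -1
}

cd ../packer/linux_x86_64-userspace/
sh compile_loader.sh
cd -
cp ../packer/linux_x86_64-userspace/bin64/loader rootTemplate/loader
chmod +x rootTemplate/loader

mkdir -p rootTemplate/lib/ rootTemplate/lib64/ rootTemplate/lib/i386-linux-gnu/ rootTemplate/lib/x86_64-linux-gnu/

# cp /lib/ld-linux.so.2 rootTemplate/lib/ld-linux.so.2
cp /lib64/ld-linux-x86-64.so.2 rootTemplate/lib64/ld-linux-x86-64.so.2
cp "$(first_file /lib/x86_64-linux-gnu/libdl.so.2 /lib64/libdl.so.2)" rootTemplate/lib/x86_64-linux-gnu/libdl.so.2
# cp /lib/i386-linux-gnu/libdl.so.2 rootTemplate/lib/i386-linux-gnu/libdl.so.2
cp "$(first_file /lib/x86_64-linux-gnu/libc.so.6 /lib64/libc.so.6)" rootTemplate/lib/x86_64-linux-gnu/libc.so.6

# fix nasty nss bugs (getpwnam_r, ...)
cp "$(first_file /lib/x86_64-linux-gnu/libnss_compat.so.2 /lib64/libnss_compat.so.2)" rootTemplate/lib/x86_64-linux-gnu/

# image 1: init runs the loader (the START marker line in init_template is replaced)
cp -r "rootTemplate" "init"
sed '/START/c\./loader' init/init_template > init/init
chmod 755 "init/init"
cd "init"

find . -print0 | cpio --null -ov --format=newc | gzip -9 > "../init.cpio.gz"
cd ../
rm -r ./init/


# image 2: init runs a shell for debugging
cp -r "rootTemplate" "init"
sed '/START/c\sh' init/init_template > init/init
chmod 755 "init/init"
cd "init"

find .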
-print0 | cpio --null -ov --format=newc | gzip -9 > "../init_debug_shell.cpio.gz" 61 | cd ../ 62 | rm -r ./init/ 63 | 64 | rm -r rootTemplate/lib/ 65 | rm -r rootTemplate/lib64/ 66 | rm rootTemplate/loader 67 | -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/ash: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/base64: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/bash: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/bin/bash -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/busybox: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/cat: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/catv: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/chattr: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/chgrp: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/chmod: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/chown: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/conspy: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/cp: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/cpio: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/cttyhack: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/date: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/dd: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/df: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/dmesg: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/dnsdomainname: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/dumpkmap: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/echo: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/ed: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/egrep: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/false: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- 
/packer/linux_initramfs/rootTemplate/bin/fatattr: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/fdflush: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/fgrep: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/file: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/bin/file -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/fsync: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/getSyms: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | echo START 3 | cat /proc/kallsyms 4 | echo END 5 | /sbin/poweroff -f 6 | -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/getopt: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/grep: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- 
/packer/linux_initramfs/rootTemplate/bin/gunzip: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/gzip: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/hostname: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/hush: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/ionice: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/iostat: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/ipcalc: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/kbd_mode: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/kill: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/ldconfig: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/bin/ldconfig -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/linux32: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/linux64: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/ln: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/login: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/ls: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/lsattr: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/lzop: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- 
/packer/linux_initramfs/rootTemplate/bin/makemime: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/mkdir: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/mknod: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/mktemp: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/more: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/mount: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/mountpoint: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/mpstat: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/mt: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/mv: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/netstat: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/nice: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/pidof: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/ping: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/ping6: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/pipe_progress: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/printenv: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/ps: -------------------------------------------------------------------------------- 1 | 
busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/pwd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/reformime: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/rev: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/rm: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/rmdir: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/rpm: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/run-parts: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/scriptreplay: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/sed: -------------------------------------------------------------------------------- 1 
| busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/setarch: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/setserial: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/sh: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/sleep: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/stat: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/stty: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/su: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/sync: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/tar: -------------------------------------------------------------------------------- 1 | 
busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/touch: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/true: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/umount: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/uname: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/usleep: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/vi: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/watch: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/bin/zcat: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/dev/.empty: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/dev/.empty -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/etc/group: -------------------------------------------------------------------------------- 1 | nogroup:x:65534: 2 | -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/etc/localtime: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/etc/localtime -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/etc/nsswitch.conf: -------------------------------------------------------------------------------- 1 | # /etc/nsswitch.conf 2 | # 3 | # Example configuration of GNU Name Service Switch functionality. 4 | # If you have the `glibc-doc-reference' and `info' packages installed, try: 5 | # `info libc "Name Service Switch"' for information about this file. 
6 | 7 | passwd: compat 8 | group: compat 9 | shadow: compat 10 | 11 | hosts: files mdns4_minimal [NOTFOUND=return] dns 12 | networks: files 13 | 14 | protocols: db files 15 | services: db files 16 | ethers: db files 17 | rpc: db files 18 | 19 | netgroup: nis 20 | -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/etc/passwd: -------------------------------------------------------------------------------- 1 | root:x:0:0:root:/root:/bin/sh 2 | nobody:x:65534:65534:nobody:/nonexistent:/bin/false 3 | 4 | -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/etc/shadow: -------------------------------------------------------------------------------- 1 | nobody:*:18303:0:99999:7::: 2 | -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/init_template: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | mount -t proc none /proc 3 | mount -t sysfs none /sys 4 | mount -t debugfs none /sys/kernel/debug 5 | mount -t devtmpfs none /dev 6 | mount -t tmpfs none /tmp 7 | chmod 777 / /tmp # NOTE(review): this makes the root directory world-writable, not only /tmp; tolerable only for a disposable guest image - confirm nothing persistent or host-shared is mounted under / 8 | 9 | chmod +x /loader # /loader is expected to be placed into the image before boot; presumably the harness entry point (see the commented-out ./loader below) - confirm 10 | 11 | echo "7" > /proc/sys/kernel/printk # console loglevel 7: every kernel message goes to the console 12 | echo "0" > /proc/sys/kernel/printk_ratelimit 13 | echo "19999999" > /proc/sys/kernel/printk_ratelimit_burst # together with the line above this effectively disables printk rate limiting so no kernel output is dropped 14 | echo "1" > /proc/sys/kernel/panic_on_oops # turn any kernel oops into a panic so a fault halts the guest instead of letting it continue in a corrupted state 15 | 16 | # add user ubuntu / group ubuntu (nyx-net) 17 | addgroup ubuntu 18 | adduser --gecos "ubuntu" --disabled-password --ingroup ubuntu ubuntu 19 | echo "ubuntu:ubuntu" | chpasswd # NOTE(review): fixed, publicly known password baked into the image; acceptable for an isolated guest, a liability if this initramfs is ever reachable over a network or reused elsewhere 20 | 21 | START # template marker, presumably substituted by the packer with the command that launches the target - confirm; left as-is it would fail as an unknown command 22 | #./loader 23 | #sh 24 | -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/lib32/libasan.so.4: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/lib32/libasan.so.4 -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/lib32/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/lib32/libc.so.6 -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/lib32/libdl.so.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/lib32/libdl.so.2 -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/lib32/libgcc_s.so.1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/lib32/libgcc_s.so.1 -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/lib32/libm.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/lib32/libm.so.6 -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/lib32/libpthread.so.0: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/lib32/libpthread.so.0 -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/lib32/librt.so.1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/lib32/librt.so.1 -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/lib32/libstdc++.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/lib32/libstdc++.so.6 -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/linuxrc: -------------------------------------------------------------------------------- 1 | bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/proc/.empty: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/proc/.empty -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/acpid: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/adjtimex: -------------------------------------------------------------------------------- 1 | ../bin/busybox 
-------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/arp: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/blkid: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/blockdev: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/bootchartd: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/depmod: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/devmem: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/fbsplash: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/fdisk: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/findfs: 
-------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/freeramdisk: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/fsck: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/fsck.minix: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/fstrim: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/getty: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/halt: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/hdparm: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/hwclock: -------------------------------------------------------------------------------- 1 | ../bin/busybox 
-------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/ifconfig: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/ifdown: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/ifenslave: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/ifup: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/init: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/insmod: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/ip: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/ipaddr: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/iplink: 
-------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/iproute: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/iprule: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/iptunnel: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/klogd: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/loadkmap: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/logread: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/losetup: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/lsmod: -------------------------------------------------------------------------------- 1 | ../bin/busybox 
-------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/makedevs: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/mdev: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/mkdosfs: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/mke2fs: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/mkfs.ext2: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/mkfs.minix: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/mkfs.vfat: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/mkswap: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/modinfo: 
-------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/modprobe: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/nameif: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/pivot_root: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/poweroff: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/raidautorun: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/reboot: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/rmmod: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/route: -------------------------------------------------------------------------------- 1 | ../bin/busybox 
-------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/runlevel: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/setconsole: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/slattach: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/start-stop-daemon: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/sulogin: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/swapoff: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/swapon: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/switch_root: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- 
/packer/linux_initramfs/rootTemplate/sbin/sysctl: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/syslogd: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/tunctl: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/udhcpc: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/uevent: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/vconfig: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/watchdog: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sbin/zcip: -------------------------------------------------------------------------------- 1 | ../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/sys/.empty: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/sys/.empty -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/tmp/.empty: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/tmp/.empty -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/[: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/[[: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/awk: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/basename: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/beep: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/blkdiscard: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- 
/packer/linux_initramfs/rootTemplate/usr/bin/bunzip2: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/bzcat: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/bzip2: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/cal: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/chpst: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/chrt: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/chvt: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/cksum: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/clear: 
-------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/cmp: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/comm: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/crontab: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/cryptpw: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/cut: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/dc: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/deallocvt: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/diff: -------------------------------------------------------------------------------- 1 | ../../bin/busybox 
-------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/dirname: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/dos2unix: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/du: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/dumpleases: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/eject: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/env: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/envdir: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/envuidgid: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- 
/packer/linux_initramfs/rootTemplate/usr/bin/expand: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/expr: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/fgconsole: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/find: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/flock: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/fold: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/free: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/ftpget: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/ftpput: 
-------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/fuser: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/groups: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/hd: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/head: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/hexdump: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/hostid: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/id: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/install: -------------------------------------------------------------------------------- 1 | ../../bin/busybox 
-------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/ipcrm: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/ipcs: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/killall: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/last: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/less: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/logger: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/logname: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/lpq: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- 
/packer/linux_initramfs/rootTemplate/usr/bin/lpr: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/lsof: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/lspci: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/lsusb: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/lzcat: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/lzma: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/lzopcat: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/man: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/md5sum: 
-------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/mesg: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/microcom: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/mkfifo: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/mkpasswd: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/nc: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/nmeter: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/nohup: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/nslookup: -------------------------------------------------------------------------------- 1 | ../../bin/busybox 
-------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/od: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/openvt: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/passwd: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/patch: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/pgrep: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/pkill: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/pmap: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/printf: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- 
/packer/linux_initramfs/rootTemplate/usr/bin/pscan: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/pstree: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/pwdx: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/readlink: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/realpath: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/renice: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/reset: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/resize: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/rpm2cpio: 
-------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/runsv: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/runsvdir: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/rx: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/script: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/seq: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/setkeycodes: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/setsid: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/setuidgid: -------------------------------------------------------------------------------- 1 | 
../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/sha1sum: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/sha256sum: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/sha3sum: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/sha512sum: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/showkey: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/shuf: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/smemcap: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/softlimit: -------------------------------------------------------------------------------- 1 | ../../bin/busybox 
-------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/sort: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/split: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/strace: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/usr/bin/strace -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/strings: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/sum: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/sv: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/tac: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/tail: -------------------------------------------------------------------------------- 1 | 
../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/tcpsvd: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/tee: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/telnet: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/test: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/tftp: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/time: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/timeout: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/top: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- 
/packer/linux_initramfs/rootTemplate/usr/bin/tr: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/traceroute: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/traceroute6: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/truncate: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/tty: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/ttysize: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/udpsvd: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/unexpand: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/uniq: 
-------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/unix2dos: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/unlink: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/unlzma: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/unlzop: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/unxz: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/unzip: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/uptime: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/users: -------------------------------------------------------------------------------- 1 | ../../bin/busybox 
-------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/uudecode: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/uuencode: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/vlock: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/volname: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/wall: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/wc: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/wget: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/which: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- 
/packer/linux_initramfs/rootTemplate/usr/bin/who: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/whoami: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/whois: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/xargs: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/xz: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/xzcat: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/bin/yes: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/lib/x86_64-linux-gnu/libasan.so.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/usr/lib/x86_64-linux-gnu/libasan.so.2 
-------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/lib32/libasan.so.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/usr/lib32/libasan.so.2 -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/lib32/libgcc_s.so.1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/usr/lib32/libgcc_s.so.1 -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/lib32/libpthread.so.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/usr/lib32/libpthread.so.2 -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/lib32/libstdc++.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/usr/lib32/libstdc++.so.6 -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/add-shell: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/addgroup: -------------------------------------------------------------------------------- 1 | 
../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/adduser: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/arping: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/brctl: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/chat: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/chpasswd: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/chroot: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/crond: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/delgroup: -------------------------------------------------------------------------------- 1 | ../../bin/busybox 
-------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/deluser: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/dhcprelay: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/dnsd: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/ether-wake: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/fakeidentd: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/fbset: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/fdformat: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/ftpd: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- 
/packer/linux_initramfs/rootTemplate/usr/sbin/httpd: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/i2cdetect: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/i2cdump: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/i2cget: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/i2cset: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/ifplugd: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/inetd: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/killall5: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/loadfont: 
-------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/lpd: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/nanddump: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/nandwrite: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/nbd-client: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/ntpd: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/popmaildir: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/powertop: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/rdate: -------------------------------------------------------------------------------- 1 | 
../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/rdev: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/readahead: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/readprofile: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/remove-shell: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/rtcwake: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/sendmail: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/setfont: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/setlogcons: -------------------------------------------------------------------------------- 1 | ../../bin/busybox 
-------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/svlogd: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/telnetd: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/tftpd: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/ubiattach: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/ubidetach: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/ubimkvol: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/ubirmvol: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/ubirsvol: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- 
/packer/linux_initramfs/rootTemplate/usr/sbin/ubiupdatevol: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/linux_initramfs/rootTemplate/usr/sbin/udhcpd: -------------------------------------------------------------------------------- 1 | ../../bin/busybox -------------------------------------------------------------------------------- /packer/packer/.gitignore: -------------------------------------------------------------------------------- 1 | *.pyc 2 | linux_x86_64-userspace/bin64/* 3 | nyx.ini 4 | -------------------------------------------------------------------------------- /packer/packer/common/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/packer/common/__init__.py -------------------------------------------------------------------------------- /packer/packer/common/color.py: -------------------------------------------------------------------------------- 1 | HEADER = '\033[95m' 2 | OKBLUE = '\033[94m' 3 | OKGREEN = '\033[92m' 4 | WARNING = '\033[0;33m' 5 | FAIL = '\033[91m' 6 | ENDC = '\033[0m' 7 | CLRSCR = '\x1b[1;1H' 8 | REALCLRSCR = '\x1b[2J' 9 | BOLD = '\033[1m' 10 | FLUSH_LINE = '\r\x1b[K' 11 | 12 | 13 | def MOVE_CURSOR_UP(num): 14 | return "\033[" + str(num) + "A" 15 | 16 | 17 | def MOVE_CURSOR_DOWN(num): 18 | return "\033[" + str(num) + "B" 19 | 20 | 21 | def MOVE_CURSOR_LEFT(num): 22 | return "\033[" + str(num) + "C" 23 | 24 | 25 | def MOVE_CURSOR_RIGHT(num): 26 | return "\033[" + str(num) + "D" 27 | 28 | 29 | HLINE = unichr(0x2500) 30 | VLINE = unichr(0x2502) 31 | VLLINE = unichr(0x2524) 32 | VRLINE = unichr(0x251c) 33 | LBEDGE = unichr(0x2514) 34 | RBEDGE = unichr(0x2518) 35 | HULINE = unichr(0x2534) 36 | HDLINE = unichr(0x252c) 37 | LTEDGE = 
unichr(0x250c) 38 | RTEDGE = unichr(0x2510) 39 | 40 | INFO_PREFIX = "[INFO] " 41 | ERROR_PREFIX = "[ERROR] " 42 | WARNING_PREFIX = "[WARNING] " 43 | -------------------------------------------------------------------------------- /packer/packer/common/info.py: -------------------------------------------------------------------------------- 1 | 2 | import os, sys 3 | from common.color import BOLD, OKGREEN, ENDC 4 | 5 | def show_banner(banner_text): 6 | f = open(os.path.dirname(os.path.realpath(__file__)) + "/../help.txt") 7 | for line in f: 8 | print(line.replace("\n", "")) 9 | f.close() 10 | 11 | print("<< " + BOLD + OKGREEN + sys.argv[0] + ": " + str(banner_text) + " " + ENDC + ">>\n") 12 | -------------------------------------------------------------------------------- /packer/packer/compiler/.gitignore: -------------------------------------------------------------------------------- 1 | 2 | *.so 3 | *.o 4 | afl-clang-fast 5 | afl-clang-fast++ 6 | afl-clang-fast-firefox 7 | afl-clang-fast-firefox++ -------------------------------------------------------------------------------- /packer/packer/compiler/android-ashmem.h: -------------------------------------------------------------------------------- 1 | #ifdef __ANDROID__ 2 | #ifndef _ANDROID_ASHMEM_H 3 | #define _ANDROID_ASHMEM_H 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #if __ANDROID_API__ >= 26 12 | #define shmat bionic_shmat 13 | #define shmctl bionic_shmctl 14 | #define shmdt bionic_shmdt 15 | #define shmget bionic_shmget 16 | #endif 17 | #include 18 | #undef shmat 19 | #undef shmctl 20 | #undef shmdt 21 | #undef shmget 22 | #include 23 | 24 | #define ASHMEM_DEVICE "/dev/ashmem" 25 | 26 | static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) { 27 | int ret = 0; 28 | if (__cmd == IPC_RMID) { 29 | int length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL); 30 | struct ashmem_pin pin = {0, length}; 31 | ret = ioctl(__shmid, ASHMEM_UNPIN, &pin); 32 | close(__shmid); 
33 | } 34 | 35 | return ret; 36 | } 37 | 38 | static inline int shmget(key_t __key, size_t __size, int __shmflg) { 39 | (void) __shmflg; 40 | int fd, ret; 41 | char ourkey[11]; 42 | 43 | fd = open(ASHMEM_DEVICE, O_RDWR); 44 | if (fd < 0) 45 | return fd; 46 | 47 | sprintf(ourkey, "%d", __key); 48 | ret = ioctl(fd, ASHMEM_SET_NAME, ourkey); 49 | if (ret < 0) 50 | goto error; 51 | 52 | ret = ioctl(fd, ASHMEM_SET_SIZE, __size); 53 | if (ret < 0) 54 | goto error; 55 | 56 | return fd; 57 | 58 | error: 59 | close(fd); 60 | return ret; 61 | } 62 | 63 | static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) { 64 | (void) __shmflg; 65 | int size; 66 | void *ptr; 67 | 68 | size = ioctl(__shmid, ASHMEM_GET_SIZE, NULL); 69 | if (size < 0) { 70 | return NULL; 71 | } 72 | 73 | ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, __shmid, 0); 74 | if (ptr == MAP_FAILED) { 75 | return NULL; 76 | } 77 | 78 | return ptr; 79 | } 80 | 81 | #endif /* !_ANDROID_ASHMEM_H */ 82 | #endif /* !__ANDROID__ */ 83 | -------------------------------------------------------------------------------- /packer/packer/compiler/test-instr.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2014 Google LLC All rights reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at: 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
15 | */ 16 | 17 | 18 | /* 19 | american fuzzy lop - a trivial program to test the build 20 | -------------------------------------------------------- 21 | 22 | Written and maintained by Michal Zalewski 23 | */ 24 | 25 | #include 26 | #include 27 | #include 28 | 29 | int main(int argc, char** argv) { 30 | 31 | char buf[8]; 32 | 33 | if (read(0, buf, 8) < 1) { 34 | printf("Hum?\n"); 35 | exit(1); 36 | } 37 | 38 | if (buf[0] == '0') 39 | printf("Looks like a zero to me!\n"); 40 | else 41 | printf("A non-zero value? How quaint!\n"); 42 | 43 | exit(0); 44 | 45 | } 46 | -------------------------------------------------------------------------------- /packer/packer/fuzzer_configs/.gitignore: -------------------------------------------------------------------------------- 1 | default_config_kernel.ron 2 | default_config_vm.ron 3 | -------------------------------------------------------------------------------- /packer/packer/help.txt: -------------------------------------------------------------------------------- 1 | _ __ ______ 2 | / | / /_ ___ __ / ____/_ __________ ___ _____ 3 | / |/ / / / / |/_/ / /_ / / / /_ /_ / / _ \/ ___/ 4 | / /| / /_/ /> < / __/ / /_/ / / /_/ /_/ __/ / 5 | /_/ |_/\__, /_/|_| /_/ \__,_/ /___/___/\___/_/ 6 | /____/ 7 | =================================================== 8 | 9 | NYX: A feedback-driven general purpose ring 0, ring 3 and ring -1 fuzzer for x86 / x86-64 targets. 
10 | 11 | Sergej Schumilo 12 | Cornelius Aschermann 13 | 14 | Version: 1.0 (NYX) 15 | 16 | (C) 2021 17 | -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/compile_32.sh: -------------------------------------------------------------------------------- 1 | mkdir -p bin32/ 2 | 3 | if [ "$LEGACY_MODE" = "ON" ] 4 | then 5 | # old kAFL mode shared library 6 | gcc -shared -O0 -m32 -Werror -DLEGACY_MODE -fPIC src/ld_preload_fuzz.c -I../../agents -I$NYX_SPEC_FOLDER -o bin32/ld_preload_fuzz_legacy.so -ldl -Isrc 7 | else 8 | # latest and greatest nyx shared library 9 | gcc -shared -O0 -m32 -Werror -fPIC src/ld_preload_fuzz.c -I../../agents -I$NYX_SPEC_FOLDER -o bin32/ld_preload_fuzz.so -ldl -Isrc 10 | fi 11 | 12 | gcc -m32 src/libnyx.c -o bin32/libnyx.so -shared -fPIC -Wall -std=gnu11 -Wl,-soname,libnyx.so 13 | gcc -O0 -m32 -Werror src/htools/habort.c -I../../agents -o bin32/habort 14 | gcc -O0 -m32 -Werror src/htools/hcat.c -I../../agents -o bin32/hcat 15 | gcc -O0 -m32 -Werror src/htools/hget.c -I../../agents -o bin32/hget 16 | 17 | -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/compile_64.sh: -------------------------------------------------------------------------------- 1 | mkdir -p bin64/ 2 | 3 | if [ "$LEGACY_MODE" = "ON" ] 4 | then 5 | # old kAFL mode shared library 6 | gcc -shared -O0 -m64 -Werror -DLEGACY_MODE -fPIC src/ld_preload_fuzz.c src/misc/crash_handler.c src/misc/harness_state.c src/misc/struct_synth_report.c src/netfuzz/syscalls.c -I../../agents -o bin64/ld_preload_fuzz_legacy.so -ldl -lZydis -Isrc 7 | else 8 | # latest and greatest nyx shared library 9 | 10 | if [ "$NET_FUZZ" = "ON" ] 11 | then 12 | 13 | MODE="${UDP_MODE} ${CLIENT_MODE} ${DEBUG_MODE} ${STDOUT_STDERR_DEBUG}" 14 | echo "MODES => $MODE" 15 | 16 | clang -shared -g -O0 -m64 -Werror $MODE -fPIC src/ld_preload_fuzz.c src/misc/crash_handler.c 
src/misc/harness_state.c src/netfuzz/inject.c src/netfuzz/syscalls.c src/netfuzz/socket_cache.c -I../../agents -DNET_FUZZ -I$NYX_SPEC_FOLDER -o bin64/ld_preload_fuzz.so -ldl -Isrc 17 | 18 | #echo "NET FUZZ! FUCK YEAH!" 19 | #if [ "$UDP_MODE" = "ON" ] 20 | #then 21 | # clang -shared -g -O0 -m64 -Werror -DUDP_MODE -fPIC src/ld_preload_fuzz.c src/misc/crash_handler.c src/misc/harness_state.c src/netfuzz/inject.c src/netfuzz/syscalls.c src/netfuzz/socket_cache.c -I../../agents -DNET_FUZZ -I$NYX_SPEC_FOLDER -o bin64/ld_preload_fuzz.so -ldl -Isrc 22 | #else 23 | # 24 | # if [ "$CLIENT_MODE" = "ON" ] 25 | # then 26 | # clang -shared -g -O0 -m64 -Werror -DCLIENT_MODE -fPIC src/ld_preload_fuzz.c src/misc/crash_handler.c src/misc/harness_state.c src/netfuzz/inject.c src/netfuzz/syscalls.c src/netfuzz/socket_cache.c -I../../agents -DNET_FUZZ -I$NYX_SPEC_FOLDER -o bin64/ld_preload_fuzz.so -ldl -Isrc 27 | # else 28 | # clang -shared -g -O0 -m64 -Werror -fPIC src/ld_preload_fuzz.c src/misc/crash_handler.c src/misc/harness_state.c src/netfuzz/inject.c src/netfuzz/syscalls.c src/netfuzz/socket_cache.c -I../../agents -DNET_FUZZ -I$NYX_SPEC_FOLDER -o bin64/ld_preload_fuzz.so -ldl -Isrc 29 | # fi 30 | #fi 31 | else 32 | echo "YO" 33 | gcc -shared -O0 -m64 -Werror -fPIC src/ld_preload_fuzz.c src/misc/crash_handler.c src/netfuzz/syscalls.c src/misc/harness_state.c -I../../agents -I$NYX_SPEC_FOLDER -o bin64/ld_preload_fuzz.so -ldl -Isrc 34 | fi 35 | fi 36 | 37 | gcc -m64 src/libnyx.c -o bin64/libnyx.so -shared -fPIC -Wall -std=gnu11 -Wl,-soname,libnyx.so 38 | gcc -O0 -m64 -Werror src/htools/habort.c -I../../agents -o bin64/habort 39 | gcc -O0 -m64 -Werror src/htools/hcat.c -I../../agents -o bin64/hcat 40 | gcc -O0 -m64 -Werror src/htools/hget.c -I../../agents -o bin64/hget 41 | gcc -O0 -m64 -Werror src/htools/hpush.c -I../../agents -o bin64/hpush 42 | 43 | gcc -O0 -m64 -static -Werror src/loader.c -I../../agents -o bin64/loader 44 | 
-------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/compile_loader.sh: -------------------------------------------------------------------------------- 1 | mkdir -p bin64/ 2 | gcc -O0 -m64 -static -Werror src/loader.c -I../../agents -o bin64/loader -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/compile_net_standalone.sh: -------------------------------------------------------------------------------- 1 | 2 | 3 | gcc -shared -fPIC -o inject.so -c src/netfuzz/inject.c src/netfuzz/socket_cache.c -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/src/htools/habort.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | #include 3 | #include 4 | #include "nyx.h" 5 | #include 6 | #include 7 | 8 | int main(int argc, char** argv){ 9 | char* error_message = NULL; 10 | int ret; 11 | 12 | if(!is_nyx_vcpu()){ 13 | printf("Error: NYX vCPU not found!\n"); 14 | return 0; 15 | } 16 | 17 | if(argc < 1){ 18 | printf("Usage: \n"); 19 | return 1; 20 | } 21 | 22 | if (argc == 2){ 23 | ret = asprintf(&error_message, "USER_ABORT called: %s", argv[1]); 24 | if (ret != -1) { 25 | kAFL_hypercall(HYPERCALL_KAFL_USER_ABORT, (uintptr_t)error_message); 26 | return 0; 27 | } 28 | } 29 | kAFL_hypercall(HYPERCALL_KAFL_USER_ABORT, (uintptr_t)"USER_ABORT called!"); 30 | return 0; 31 | } -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/src/htools/hcat.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include "nyx.h" 5 | #include 6 | #include 7 | 8 | int main(int argc, char** argv){ 9 | char buf[1024]; 10 | 11 | if(!is_nyx_vcpu()){ 12 | printf("Error: NYX vCPU not found!\n"); 13 | return 0; 14 | } 15 | 16 | 
if(argc != 1){ 17 | printf("Usage: \n"); 18 | return 1; 19 | } 20 | 21 | ssize_t received = 0; 22 | while((received = read(0, buf, sizeof(buf)-1))>0) { 23 | buf[1023] = 0; 24 | buf[received] = 0; /* read() is capped at sizeof(buf)-1 = 1023 bytes, so received <= 1023 and this terminator stays inside buf. An embedded NUL in the input ends the "%s" early, so the rest of that chunk is silently dropped (assuming hprintf is printf-like). */ 25 | 26 | hprintf("[hcat] %s", buf); 27 | memset(buf, 0, 1024); 28 | } 29 | return 0; 30 | } -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/src/htools/hget.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include "nyx.h" 5 | #include 6 | #include 7 | 8 | /* hget: argv[1] names a file on the host side, argv[2] the local destination. The name is copied into one page that is passed to the hypervisor with HYPERCALL_KAFL_REQ_STREAM_DATA; the same page comes back holding the next chunk and the returned byte count (all-ones = request rejected) drives the loop until a zero-length chunk, which is why the name is re-copied on every iteration. */ int main(int argc, char** argv){ 9 | 10 | if(!is_nyx_vcpu()){ 11 | printf("Error: NYX vCPU not found!\n"); 12 | return 0; 13 | } 14 | 15 | if(argc == 3){ 16 | void* stream_data = mmap((void*)NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); /* NOTE(review): MAP_FAILED is not checked before the strcpy() below. */ 17 | 18 | FILE* f = NULL; 19 | 20 | 21 | uint64_t bytes = 0; 22 | uint64_t total = 0; 23 | 24 | /* NOTE(review): three missing checks in this loop. strcpy() copies argv[1] into a single 0x1000-byte page with no length check, so an over-long argument overruns the mapping. bytes comes from the hypervisor and is used as the fwrite() length without being capped at the page size. If fopen() fails, f stays NULL and fwrite() dereferences it. Mitigations: reject argv[1] when strnlen(argv[1], 0x1000) == 0x1000, clamp bytes to 0x1000, and habort() when f == NULL. */ do{ 25 | strcpy(stream_data, argv[1]); 26 | bytes = kAFL_hypercall(HYPERCALL_KAFL_REQ_STREAM_DATA, (uintptr_t)stream_data); 27 | 28 | #if defined(__x86_64__) 29 | if(bytes == 0xFFFFFFFFFFFFFFFFUL){ 30 | #else 31 | if(bytes == 0xFFFFFFFFUL){ 32 | #endif 33 | habort("Error: Hypervisor has rejected stream buffer (file not found)"); 34 | break; 35 | } 36 | 37 | if(f == NULL){ 38 | f = fopen(argv[2], "w+"); 39 | } 40 | 41 | fwrite(stream_data, 1, bytes, f); 42 | 43 | total += bytes; 44 | 45 | } while(bytes); 46 | 47 | hprintf("[hget] %"PRId64" bytes received from hypervisor! 
(%s)\n", total, argv[1]); /* NOTE(review): total is uint64_t but printed with PRId64; PRIu64 matches the type. */ 48 | 49 | if(f){ 50 | fclose(f); 51 | return 0; 52 | } 53 | return -1; /* Reached when the very first request was rejected (break before fopen()). */ 54 | 55 | } 56 | printf("Usage: \n"); 57 | return 0; 58 | } -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/src/htools/hpush.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | #include "nyx.h" 17 | 18 | 19 | #define round_up(x, y) (((x) + (y) - 1) & ~((y) - 1)) 20 | 21 | /* Read the whole file fn into a malloc'd buffer and store its length in *size; returns NULL when open() fails. NOTE(review): map starts out as (void *)-1 and mmap() signals failure with MAP_FAILED, which is the same value, yet the test below is `if(map)`, i.e. "not NULL". So when fstat() fails, when mmap() fails, or for a zero-length file (a length of 0 is rejected by mmap on Linux) the code goes on to memcpy() from an invalid address. The check should be `if (map != MAP_FAILED)`; malloc() is unchecked as well. */ void *mapfile(char *fn, uint64_t *size) 22 | { 23 | int fd = open(fn, O_RDONLY); 24 | if (fd < 0) 25 | return NULL; 26 | struct stat st; 27 | void *map = (void *)-1L; 28 | if (fstat(fd, &st) >= 0) { 29 | *size = (uint64_t)st.st_size; 30 | map = mmap(NULL, round_up(*size, sysconf(_SC_PAGESIZE)), 31 | PROT_READ|PROT_WRITE, 32 | MAP_PRIVATE, fd, 0); 33 | } 34 | close(fd); 35 | 36 | 37 | if(map){ 38 | void* copy = malloc(*size); 39 | memcpy(copy, map, st.st_size); 40 | munmap(map, round_up(*size, sysconf(_SC_PAGESIZE))); 41 | return copy; 42 | } 43 | return NULL; 44 | } 45 | 46 | /* Stream buffer to the host as a file called filename via HYPERCALL_KAFL_DUMP_FILE: the first call creates the file (append = 0, bytes = 0), every call then appends len bytes. Because init is static, filename is only taken from the first call of the process. */ static void dump_payload(void* buffer, size_t len, const char* filename){ 47 | static bool init = false; 48 | static kafl_dump_file_t file_obj = {0}; 49 | 50 | //printf("%s -> ptr: %p size: %lx - %s\n", __func__, buffer, len, filename); 51 | 52 | if (!init){ 53 | file_obj.file_name_str_ptr = (uintptr_t)filename; 54 | file_obj.append = 0; 55 | file_obj.bytes = 0; 56 | kAFL_hypercall(HYPERCALL_KAFL_DUMP_FILE, (uintptr_t) (&file_obj)); 57 | init=true; 58 | } 59 | 60 | file_obj.append = 1; 61 | file_obj.bytes = len; 62 | file_obj.data_ptr = (uintptr_t)buffer; 63 | kAFL_hypercall(HYPERCALL_KAFL_DUMP_FILE, (uintptr_t) (&file_obj)); 64 | } 65 | 66 | /* hpush: upload the local file argv[1] to the host under its basename. */ int main(int argc, char** argv){ 67 | char buf[256]; /* NOTE(review): unused. */ 68 | 69 | if(!is_nyx_vcpu()){ 70 | printf("Error: 
NYX vCPU not found!\n"); 71 | return 0; 72 | } 73 | 74 | if(argc != 2){ 75 | hprintf("Usage: \n"); 76 | return 1; 77 | } 78 | 79 | uint64_t size = 0; 80 | void* ptr = mapfile(argv[1], &size); 81 | 82 | if(ptr && size){ 83 | dump_payload(ptr, size, basename(argv[1])); 84 | } 85 | else{ /* NOTE(review): this message covers both an open() failure and a zero-length file, since mapfile() returns NULL only for open() and size stays 0 for an empty file. */ 86 | hprintf("Error: File not found!\n"); 87 | } 88 | 89 | return 0; 90 | } -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/src/ijon_extension.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | 6 | #define ADD_PADDING(max, type) uint8_t type ## _padding [max - sizeof(type)] /* Pads type up to max bytes; max - sizeof(type) is unsigned, so a type larger than max yields a huge array size and a compile error rather than a silent layout change. */ 7 | 8 | typedef struct interpeter_data_s{ 9 | uint32_t executed_opcode_num; 10 | bool ouf_of_data; 11 | /* ... */ 12 | } __attribute__((packed)) interpeter_data_t; 13 | 14 | 15 | typedef struct ijon_data_s{ 16 | uint64_t max_data[256]; 17 | } __attribute__((packed)) ijon_data_t; 18 | 19 | /* Packed layout: interpreter data padded to 2048 bytes, then the 256 IJON max slots. Presumably shared with the Nyx side, so the struct and field names (including the misspelt interpeter / ouf_of_data) are part of the ABI — confirm before renaming. */ typedef struct ijon_trace_buffer_s{ 20 | interpeter_data_t interpreter_data; 21 | ADD_PADDING(2048, interpeter_data_t); 22 | 23 | /* 2k */ 24 | ijon_data_t ijon_data; 25 | } __attribute__((packed)) ijon_trace_buffer_t; 26 | 27 | extern ijon_trace_buffer_t* ijon_trace_buffer; 28 | 29 | 30 | void ijon_max(uint8_t id, uint64_t value); 31 | -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/src/ld_preload_info.c: -------------------------------------------------------------------------------- 1 | /* info */ 2 | #define _GNU_SOURCE 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #include "kafl_user.h" 13 | 14 | /* Replaces libc's __libc_start_main when this library is LD_PRELOADed. The real main, init, fini and rtld_fini are never invoked: the function reads the process's own /proc/<pid>/maps into an INFO_SIZE buffer, hands it to the hypervisor with HYPERCALL_KAFL_INFO and returns 0, so the target exits without running. */ int __libc_start_main(int (*main) (int,char **,char **), 15 | int argc,char **ubp_av, 16 | void (*init) (void), 17 | void (*fini)(void), 18 | void (*rtld_fini)(void), 19 | void (*stack_end)) { 20 | 21 | hprintf("LD_PRELOAD hprintf :)\n"); 22 | 23 | char 
filename[256]; 24 | /* NOTE(review): neither mmap() nor fopen() is checked, so a failed mapping or an unreadable /proc ends in a NULL dereference in memset()/fread(). len is a uint16_t and truncates fread()'s result if INFO_SIZE (not defined in this file) exceeds 65535, and when fread() fills the whole buffer info_buffer[len] writes one byte past the INFO_SIZE mapping — read at most INFO_SIZE-1 bytes and keep len as size_t. */ void* info_buffer = mmap((void*)NULL, INFO_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 25 | memset(info_buffer, 0xff, INFO_SIZE); 26 | 27 | hprintf("LD_PRELOAD hprintf :)\n"); 28 | hprintf("Own pid is %d\n", getpid()); 29 | 30 | snprintf(filename, 256, "/proc/%d/maps", getpid()); 31 | hprintf("proc filename: %s\n", filename); 32 | 33 | FILE* f = fopen(filename, "r"); 34 | uint16_t len = fread(info_buffer, 1, INFO_SIZE, f); 35 | fclose(f); 36 | 37 | ((char*)info_buffer)[len] = '\0'; 38 | 39 | hprintf("Transfer data to hypervisor\n"); 40 | 41 | kAFL_hypercall(HYPERCALL_KAFL_INFO, (uintptr_t)info_buffer); 42 | 43 | return 0; 44 | } 45 | -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/src/libnyx.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "libnyx.h" 4 | 5 | /* No-op implementations of the libnyx.h interface: nothing is initialised, reported or recorded. Presumably a stand-in so that targets link and run without a Nyx-aware runtime — confirm against the build that selects it. */ void nyx_init(void){ 6 | } 7 | 8 | void ijon_max(uint8_t id, uint64_t value){ 9 | } 10 | void report_struct_synth_addrs(const char* addrs, size_t len) { } 11 | void report_crashing_addr(ucontext_t* context) { } -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/src/libnyx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | void nyx_init(void); 7 | void ijon_max(uint8_t id, uint64_t value); 8 | void report_struct_synth_addrs(const char* addrs, size_t len); 9 | void report_crashing_addr(ucontext_t* context); 10 | -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/src/misc/crash_handler.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | 8 | void config_handler(void); 9 | void init_crash_handling(void); 10 | 11 | 
void set_struct_synth_addrs(const char* addrs, ssize_t len); 12 | 13 | /* test asan */ 14 | void fail(void); -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/src/misc/harness_state.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | 3 | #include 4 | #include 5 | #include "misc/harness_state.h" 6 | #include "netfuzz/syscalls.h" 7 | #include "nyx.h" 8 | 9 | //#define DEBUG_HARNESS_STATE 10 | 11 | static bool harness_state_ready = false; 12 | 13 | /* Lazily initialised singleton. harness_state_ready is raised before set_harness_state() runs, so the get_harness_state() call inside it returns the (still zeroed) struct instead of recursing. */ harness_state_t* get_harness_state(void){ 14 | static harness_state_t harness_state = {0}; 15 | if (!harness_state_ready){ 16 | harness_state_ready = true; 17 | set_harness_state(); 18 | } 19 | return &harness_state; 20 | } 21 | 22 | /* Fallback probe: asks /bin/sh whether $env is non-empty ("[ -z ... ]" exits 1 when the variable is set). NOTE(review): the command string is assembled from env with snprintf() and run through system(); this is only safe because every caller passes a string literal — never route a caller- or input-controlled name through here. Any failure of system() itself (no shell, -1, exit 127) is also non-zero and therefore reads as "variable set", i.e. errors silently enable the mode. */ static bool early_check_env(const char* env){ 23 | char buffer [1024]; 24 | snprintf (buffer, 1024, "[ -z \"$%s\" ]", env); 25 | return !!system(buffer); 26 | } 27 | 28 | /* True when env is set. real_getenv() is tried first; the shell probe is the fallback, presumably for the window before the hooked libc functions are usable — confirm against init_syscall_fptr(). */ static bool check_env(const char* env){ 29 | bool ret = false; 30 | ret = !!real_getenv(env); 31 | if(!ret){ 32 | ret = early_check_env(env); 33 | } 34 | return ret; 35 | } 36 | 37 | /* Populate the singleton from the NYX_* environment: each bool is a "variable present" flag, nyx_net_port is parsed from NYX_NET_PORT (0 when unset). */ void set_harness_state(void){ 38 | harness_state_t* state = get_harness_state(); 39 | 40 | state->fast_exit_mode = check_env("NYX_FAST_EXIT_MODE"); 41 | state->asan_executable = check_env("NYX_ASAN_EXECUTABLE"); 42 | state->legacy_file_mode = check_env("NYX_LEGACY_FILE_MODE"); 43 | state->net_fuzz_mode = check_env("NYX_NET_FUZZ_MODE"); 44 | state->afl_mode = check_env("NYX_AFL_PLUS_PLUS_MODE"); 45 | state->delayed_init = check_env("DELAYED_NYX_FUZZER_INIT"); 46 | state->pt_auto_addr_range_a = check_env("NYX_PT_RANGE_AUTO_CONF_A"); 47 | state->pt_auto_addr_range_b = check_env("NYX_PT_RANGE_AUTO_CONF_B"); 48 | 49 | if(real_getenv("NYX_NET_PORT")){ 50 | state->nyx_net_port = (uint16_t)strtol(real_getenv("NYX_NET_PORT"), NULL, 10); /* NOTE(review): no parse or range check; non-numeric input becomes 0 and values outside 0..65535 wrap silently. */ 51 | } 52 | else{ 53 | state->nyx_net_port = 0; 54 | } 55 | 56 | #ifdef DEBUG_HARNESS_STATE 57 
| hprintf("fast_exit_mode: %d\n", state->fast_exit_mode); 58 | hprintf("asan_executable: %d\n", state->asan_executable); 59 | hprintf("legacy_file_mode: %d\n", state->legacy_file_mode); 60 | hprintf("net_fuzz_mode: %d\n", state->net_fuzz_mode); 61 | hprintf("afl_mode: %d\n", state->afl_mode); 62 | hprintf("delayed_init: %d\n", state->delayed_init); 63 | hprintf("pt_auto_addr_range_a: %d\n", state->pt_auto_addr_range_a); 64 | hprintf("pt_auto_addr_range_b: %d\n", state->pt_auto_addr_range_b); 65 | hprintf("NYX_NET_PORT: %d\n", state->nyx_net_port); 66 | #endif 67 | 68 | harness_state_ready = true; 69 | } 70 | -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/src/misc/harness_state.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | /* harness state */ /* Runtime configuration read once from the NYX_* environment variables (see harness_state.c): each bool records whether the corresponding variable is present, nyx_net_port is parsed from NYX_NET_PORT. Obtain it through get_harness_state(); the first call performs the initialisation. */ 7 | typedef struct harness_state_s{ 8 | bool fast_exit_mode; 9 | bool asan_executable; 10 | bool legacy_file_mode; 11 | bool net_fuzz_mode; 12 | bool afl_mode; 13 | bool delayed_init; 14 | bool pt_auto_addr_range_a; 15 | bool pt_auto_addr_range_b; 16 | uint16_t nyx_net_port; 17 | } harness_state_t; 18 | 19 | harness_state_t* get_harness_state(void); 20 | void set_harness_state(void); 21 | -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/src/misc/struct_synth_report.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | //#include 5 | 6 | //greg_t get_crashing_addr(greg_t ip_reg); 7 | greg_t get_crashing_addr(gregset_t regs); 8 | -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/src/netfuzz/run_dcmtk.sh: -------------------------------------------------------------------------------- 1 | export DCMDICTPATH=/home/kafl/aflnet/dcmtk/dcmdata/data/dicom.dic 2 | cd 
~/aflnet/dcmtk/build/bin 3 | LD_PRELOAD=../../..//hook/inject_debug.so ./dcmqrscp 4 | cd - 5 | -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/src/netfuzz/run_dnsmasq.sh: -------------------------------------------------------------------------------- 1 | cd ~/aflnet/dnsmasq/src 2 | LD_PRELOAD=../../hook/inject_debug.so ./dnsmasq 3 | cd - 4 | -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/src/netfuzz/run_live555.sh: -------------------------------------------------------------------------------- 1 | cd ../live555/ 2 | LD_PRELOAD=../hook/inject_debug.so ./testProgs/testOnDemandRTSPServer 1337 3 | cd - 4 | -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/src/netfuzz/socket_cache.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | uint16_t get_active_connections(void); 11 | bool connection_exists(uint16_t port); 12 | bool server_socket_exists(int socket); 13 | bool client_socket_exists(int socket); 14 | bool set_server_socket_to_connection(uint16_t port, int socket); 15 | bool set_client_socket_to_connection(uint16_t port, int socket); 16 | bool add_connection(uint16_t port); 17 | //int server_socket_to_client_socket(int socket); 18 | int set_select_fds(fd_set *set, fd_set *old_set); 19 | void disable_connection_by_server_socket(int socket); 20 | ssize_t real_send(int sockfd, const void *buf, size_t len, int flags); 21 | 22 | int server_socket_to_port(int socket); -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/src/netfuzz/standalone_compile.sh: -------------------------------------------------------------------------------- 1 | gcc -shared -fPIC -o 
inject.so inject.c syscalls.c socket_cache.c -ldl 2 | gcc -shared -fPIC -o inject_debug.so inject.c syscalls.c socket_cache.c -ldl -DDEBUG_MODE 3 | -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/src/netfuzz/syscalls.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | void init_syscall_fptr(void); 12 | 13 | ssize_t real_read(int fd, void* buf, size_t count); 14 | ssize_t real_write(int fd, const void *buf, size_t count); 15 | int real_select(int nfds, fd_set *readfds, fd_set *writefds, fd_set *exceptfds, struct timeval *timeout); 16 | int real_listen(int sockfd, int backlog); 17 | int real_accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen); 18 | int real_accept4(int sockfd, struct sockaddr *addr, socklen_t *addrlen, int flags); 19 | ssize_t real_recv(int sockfd, void *buf, size_t len, int flags); 20 | ssize_t real_recvfrom(int sockfd, void *buf, size_t len, int flags, struct sockaddr *src_addr, socklen_t *addrlen); 21 | ssize_t real_recvmsg(int sockfd, struct msghdr *msg, int flags); 22 | int real_poll(struct pollfd *fds, nfds_t nfds, int timeout); 23 | int real_close(int fd); 24 | int real_epoll_ctl(int epfd, int op, int fd, struct epoll_event *event); 25 | int real_epoll_wait(int epfd, struct epoll_event *events, int maxevents, int timeout); 26 | int real_bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen); 27 | ssize_t real_sendto(int sockfd, const void *buf, size_t len, int flags, const struct sockaddr *dest_addr, socklen_t addrlen); 28 | int real_dup(int fd); 29 | int real_dup2(int oldfd, int newfd); 30 | int real_dup3(int oldfd, int newfd, int flags); 31 | int real_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen); 32 | int real_getc(FILE *stream); 33 | void real__exit(int status); 34 | ssize_t 
real_readv(int fd, const struct iovec *iov, int iovcnt); 35 | ssize_t real_writev(int fd, const struct iovec *iov, int iovcnt); 36 | ssize_t real_preadv(int fd, const struct iovec *iov, int iovcnt, off_t offset); 37 | ssize_t real_pwritev(int fd, const struct iovec *iov, int iovcnt, off_t offset); 38 | char* real_getenv(const char *name); 39 | int real_getsockname(int sockfd, struct sockaddr *addr, socklen_t *addrlen); 40 | int real_getpeername(int sockfd, struct sockaddr *addr, socklen_t *addrlen); 41 | char *real_fgets(char *s, int size, FILE *stream); 42 | -------------------------------------------------------------------------------- /packer/packer/linux_x86_64-userspace/test.sh: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | #MODE=$TEST + $TEST2 6 | 7 | 8 | MODE="${TEST} ${TEST2}" 9 | 10 | echo $MODE -------------------------------------------------------------------------------- /packer/packer/nyx.ini: -------------------------------------------------------------------------------- 1 | [Packer] 2 | init_ramfs = ../linux_initramfs/init.cpio.gz 3 | kernel = ../linux_initramfs/bzImage-linux-4.15-rc7 4 | default_vm_hda = 5 | qemu-pt_path = QEMU-Nyx/x86_64-softmmu/qemu-system-x86_64 6 | agents-folder = ./ 7 | nyx-interpreter-folder = ./ 8 | default_fuzzer_config_folder = ./fuzzer_configs/ 9 | default_vm_presnapshot = 10 | -------------------------------------------------------------------------------- /run-example.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -ex 4 | 5 | SGXFUZZ_ROOT=$(dirname "$(realpath "$0")") 6 | ENCLAVE_PATH="$SGXFUZZ_ROOT/Enclaves/SimpleFuzzTest" 7 | FUZZ_FOLDER=/tmp/sgxfuzz-fuzz-folder 8 | FUZZ_WORKDIR=/tmp/sgxfuzz-workdir 9 | 10 | if [[ ! 
-d "$SGXFUZZ_ROOT/native-sgx-runner" ]]; then 11 | echo "Invalid execution directory" 12 | exit 1 13 | fi 14 | 15 | if [[ -r "$SGXFUZZ_ROOT/kvm-nyx-release/kvm-intel.ko" ]]; then 16 | sudo rmmod kvm_intel || true 17 | sudo rmmod kvm || true 18 | sudo insmod "$SGXFUZZ_ROOT/kvm-nyx-release/kvm.ko" || true 19 | sudo insmod "$SGXFUZZ_ROOT/kvm-nyx-release/kvm-intel.ko" || true 20 | sudo chmod a+rw /dev/kvm 21 | fi 22 | 23 | # Build the enclave runner 24 | "$SGXFUZZ_ROOT/initialize-target.sh" SimpleFuzzTest Enclaves/SimpleFuzzTest/enclave.signed.so.mem 25 | 26 | cd "$(ls -d SimpleFuzzTest-T0-*/ | sort -r | head -1)" 27 | 28 | ./pack.sh 29 | 30 | ./fuzz.sh 31 | -------------------------------------------------------------------------------- /seeds/abc: -------------------------------------------------------------------------------- 1 | ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz 2 | -------------------------------------------------------------------------------- /struct_recovery.py: -------------------------------------------------------------------------------- 1 | kafl/kAFL-Fuzzer/fuzzer/technique/struct_recovery.py --------------------------------------------------------------------------------