├── .gitignore
├── .gitmodules
├── Dockerfile
├── Enclaves
    └── SimpleFuzzTest
    │   ├── App
    │       ├── App.cpp
    │       ├── App.h
    │       ├── TrustedLibrary
    │       │   └── Libcxx.cpp
    │       └── sgxerrorprinting.cpp
    │   ├── Enclave
    │       ├── Enclave.config.xml
    │       ├── Enclave.cpp
    │       ├── Enclave.edl
    │       ├── Enclave.h
    │       ├── Enclave.lds
    │       ├── Enclave_debug.lds
    │       ├── Enclave_private_test.pem
    │       └── TrustedLibrary
    │       │   ├── Libcxx.cpp
    │       │   └── Libcxx.edl
    │   ├── Makefile
    │   ├── enclave.signed.so
    │   ├── enclave.signed.so.layout
    │   ├── enclave.signed.so.mem
    │   ├── enclave.signed.so.mem.zst
    │   └── enclave.signed.so.tcs.txt
├── README.md
├── analyze_crashes.py
├── calculate-coverage.sh
├── display-struct.sh
├── display-structs.py
├── enclave-dumper-win
    ├── sgx_sign.exe
    └── sgx_sign_gdb.py
├── enclave-dumper
    ├── DumpReader.py
    ├── Makefile
    ├── extract.sh
    └── linux-sgx-sign.patch
├── initialize-target.sh
├── kafl
    ├── LICENSES
    │   ├── AGPL-3.0
    │   ├── Apache-2.0
    │   ├── BSD-2-Clause
    │   ├── GPL-2.0
    │   └── MIT
    ├── README.md
    ├── install.sh
    ├── kAFL-Fuzzer
    │   ├── .gitignore
    │   ├── banner.txt
    │   ├── common
    │   │   ├── __init__.py
    │   │   ├── color.py
    │   │   ├── config.py
    │   │   ├── execution_result.py
    │   │   ├── log.py
    │   │   ├── qemu.py
    │   │   ├── qemu_aux_buffer.py
    │   │   ├── qemu_protocol.py
    │   │   ├── self_check.py
    │   │   └── util.py
    │   ├── debug
    │   │   ├── __init__.py
    │   │   └── core.py
    │   ├── dict
    │   │   ├── http_sys.dict
    │   │   └── vuln.dict
    │   ├── fuzzer
    │   │   ├── __init__.py
    │   │   ├── bitmap.py
    │   │   ├── communicator.py
    │   │   ├── core.py
    │   │   ├── native
    │   │   │   ├── Makefile
    │   │   │   └── bitmap.c
    │   │   ├── node.py
    │   │   ├── process
    │   │   │   ├── __init__.py
    │   │   │   ├── master.py
    │   │   │   └── slave.py
    │   │   ├── queue.py
    │   │   ├── scheduler.py
    │   │   ├── state_logic.py
    │   │   ├── statistics.py
    │   │   └── technique
    │   │   │   ├── __init__.py
    │   │   │   ├── arithmetic.py
    │   │   │   ├── bitflip.py
    │   │   │   ├── grimoire_inference.py
    │   │   │   ├── grimoire_mutations.py
    │   │   │   ├── havoc.py
    │   │   │   ├── havoc_handler.py
    │   │   │   ├── helper.py
    │   │   │   ├── interesting_values.py
    │   │   │   ├── radamsa.py
    │   │   │   ├── redqueen
    │   │   │       ├── __init__.py
    │   │   │       ├── cmp.py
    │   │   │       ├── colorize.py
    │   │   │       ├── encoding.py
    │   │   │       ├── hash_fix.py
    │   │   │       ├── hash_patch.py
    │   │   │       ├── mod.py
    │   │   │       ├── parser.py
    │   │   │       └── workdir.py
    │   │   │   ├── struct_recovery.py
    │   │   │   └── trim.py
    │   ├── info
    │   │   ├── __init__.py
    │   │   └── core.py
    │   ├── kafl_cov.py
    │   ├── kafl_debug.py
    │   ├── kafl_fuzz.py
    │   ├── kafl_gui.py
    │   ├── kafl_info.py
    │   ├── kafl_plot.py
    │   ├── kafl_user_prepare.py
    │   ├── proc_map_helper.py
    │   ├── redqueen_mut.py
    │   ├── seed
    │   │   ├── ext4
    │   │   │   └── ext4.img
    │   │   ├── fat
    │   │   │   ├── fat_a
    │   │   │   ├── fat_b
    │   │   │   ├── fat_c
    │   │   │   ├── fat_d
    │   │   │   └── fat_e
    │   │   ├── kafl_vulntest
    │   │   │   └── seed_file
    │   │   ├── ntfs
    │   │   │   └── ntfs64
    │   │   └── ntfs_win
    │   │   │   └── ntfs_header_64k
    │   ├── test.py
    │   └── tests
    │   │   ├── __init__.py
    │   │   ├── helper.py
    │   │   ├── test_deterministic.py
    │   │   ├── test_havoc_handler.py
    │   │   └── test_random.py
    ├── patches.old
    │   ├── 0001-fail-of-frontend-did-not-create-SHM-backing-files-of.patch
    │   ├── 0001-linux-kvm-starved.patch
    │   ├── 0002-qemu_starved_and_other.patch
    │   ├── auto_dict.patch
    │   ├── kvm
    │   │   ├── README.md
    │   │   ├── usermode_test
    │   │   │   ├── Makefile
    │   │   │   ├── support_test.c
    │   │   │   └── test.c
    │   │   ├── v5.4
    │   │   │   ├── 0001-linux-5.4.34-kafl+redq.patch
    │   │   │   └── 0002-Set-kAFL-hypercall-longmode-properly-fix-printk-buil.patch
    │   │   ├── v5.7
    │   │   │   ├── 0001-linux-5.7.3-merged-kafl+redq.patch
    │   │   │   └── 0002-Set-kAFL-hypercall-longmode-properly-fix-printk-buil.patch
    │   │   └── v5.8
    │   │   │   ├── 0001-merged-kAFL-Redqueen-patch-to-KVM-VMX.patch
    │   │   │   └── 0002-Set-kAFL-hypercall-longmode-properly-fix-printk-buil.patch
    │   └── qemu
    │   │   ├── v4.2.0
    │   │       ├── 0001-Reworked-patch-from-https-github.com-RUB-SysSec-redq.patch
    │   │       ├── 0002-Add-support-for-x86_32-panic-kasan-handler.patch
    │   │       ├── 0003-kAFL-v2-frontend-requires-us-to-start-counting-at-0.patch
    │   │       ├── 0004-Convert-Qemu-printf-to-qemu_log-set-and-report-disas.patch
    │   │       ├── 0005-Check-fopen-return-code-do-not-write-to-inaccessible.patch
    │   │       ├── 0006-Add-missing-ifdef-to-compile-without-enable-redqueen.patch
    │   │       ├── 0007-Logging-Cleanup-messages-and-reduce-default-verbosit.patch
    │   │       ├── 0008-Fix-segfault-when-IPT-filtering-is-not-enabled.patch
    │   │       ├── 0009-fix-failing-assert-add-check-for-mmap-return.patch
    │   │       ├── 0010-turn-some-redqueen-printf-output-to-debug-only.patch
    │   │       ├── 0011-enable-i386-target-as-well.patch
    │   │       ├── 0012-read-guest-memory-on-PT-decode-when-more-likely-paged.patch
    │   │       ├── 0013-disable-debug-and-fuzz-opts.patch
    │   │       └── 0014-PT-decoder-fix-for-ICL-TGL.patch
    │   │   └── v5.0.0
    │   │       ├── 0001-Reworked-patch-from-https-github.com-RUB-SysSec-redq.patch
    │   │       ├── 0002-Add-support-for-x86_32-panic-kasan-handler.patch
    │   │       ├── 0003-kAFL-v2-frontend-requires-us-to-start-counting-at-0.patch
    │   │       ├── 0004-Convert-Qemu-printf-to-qemu_log-set-and-report-disas.patch
    │   │       ├── 0005-Check-fopen-return-code-do-not-write-to-inaccessible.patch
    │   │       ├── 0006-Add-missing-ifdef-to-compile-without-enable-redqueen.patch
    │   │       ├── 0007-Logging-Cleanup-messages-and-reduce-default-verbosit.patch
    │   │       ├── 0008-Fix-segfault-when-IPT-filtering-is-not-enabled.patch
    │   │       ├── 0009-fix-failing-assert-add-check-for-mmap-return.patch
    │   │       ├── 0010-turn-some-redqueen-printf-output-to-debug-only.patch
    │   │       ├── 0011-enable-i386-target-as-well.patch
    │   │       ├── 0012-read-guest-memory-on-PT-decode-when-more-likely-paged.patch
    │   │       ├── 0013-disable-debug-and-fuzz-opts.patch
    │   │       └── 0014-PT-decoder-fix-for-ICL-TGL.patch
    ├── targets.old
    │   ├── kafl_user.h
    │   ├── linux_x86_64-userspace
    │   │   ├── .gitignore
    │   │   ├── compile.sh
    │   │   ├── initrd
    │   │   │   ├── .gitignore
    │   │   │   ├── pack.sh
    │   │   │   ├── run_vm.sh
    │   │   │   └── template
    │   │   │   │   ├── dev
    │   │   │   │       └── .gitkeep
    │   │   │   │   ├── etc
    │   │   │   │       ├── nsswitch.conf
    │   │   │   │       └── passwd
    │   │   │   │   ├── init
    │   │   │   │   ├── lib
    │   │   │   │       ├── i386-linux-gnu
    │   │   │   │       │   └── .gitkeep
    │   │   │   │       └── x86_64-linux-gnu
    │   │   │   │       │   └── .gitkeep
    │   │   │   │   ├── lib64
    │   │   │   │       └── .gitkeep
    │   │   │   │   ├── proc
    │   │   │   │       └── .gitkeep
    │   │   │   │   ├── sbin
    │   │   │   │   ├── sys
    │   │   │   │       └── .gitkeep
    │   │   │   │   ├── tmp
    │   │   │   │       └── .gitkeep
    │   │   │   │   └── usr
    │   │   │   │       ├── bin
    │   │   │   │       └── sbin
    │   │   └── src
    │   │   │   ├── ld_preload_fuzz.c
    │   │   │   ├── ld_preload_info.c
    │   │   │   └── userspace_loader.c
    │   └── linux_x86_64
    │   │   ├── .gitignore
    │   │   ├── compile.sh
    │   │   └── src
    │   │       ├── fuzzer
    │   │           ├── fs_fuzzer.c
    │   │           ├── hprintf_test.c
    │   │           ├── kafl_vuln_json.c
    │   │           └── kafl_vuln_test.c
    │   │       ├── info
    │   │           └── info.c
    │   │       └── loader
    │   │           ├── loader.c
    │   │           └── stage2_loader.c
    └── tools
    │   ├── display-structs.py
    │   └── mcat.py
├── native-sgx-runner
    ├── CMakeLists.txt
    ├── InputMutator.cpp
    ├── InputMutator.h
    ├── InputNode.hpp
    ├── NativeEnclave.cpp
    ├── NativeEnclave.h
    ├── buffer
    │   ├── Buffer.h
    │   ├── GuardedBuffer.cpp
    │   ├── GuardedBuffer.h
    │   ├── InEnclaveBuffer.h
    │   └── PartialEnclaveBuffer.h
    ├── libnyx.c
    ├── libnyx.h
    ├── main-generic.cpp
    ├── make-enclave-fuzz-target.sh
    └── sgx_types.h
├── packer
    ├── .gitignore
    ├── agents
    │   └── nyx.h
    ├── linux_initramfs
    │   ├── bzImage-linux-4.15-rc7
    │   ├── pack.sh
    │   └── rootTemplate
    │   │   ├── bin
    │   │       ├── ash
    │   │       ├── base64
    │   │       ├── bash
    │   │       ├── busybox
    │   │       ├── cat
    │   │       ├── catv
    │   │       ├── chattr
    │   │       ├── chgrp
    │   │       ├── chmod
    │   │       ├── chown
    │   │       ├── conspy
    │   │       ├── cp
    │   │       ├── cpio
    │   │       ├── cttyhack
    │   │       ├── date
    │   │       ├── dd
    │   │       ├── df
    │   │       ├── dmesg
    │   │       ├── dnsdomainname
    │   │       ├── dumpkmap
    │   │       ├── echo
    │   │       ├── ed
    │   │       ├── egrep
    │   │       ├── false
    │   │       ├── fatattr
    │   │       ├── fdflush
    │   │       ├── fgrep
    │   │       ├── file
    │   │       ├── fsync
    │   │       ├── getSyms
    │   │       ├── getopt
    │   │       ├── grep
    │   │       ├── gunzip
    │   │       ├── gzip
    │   │       ├── hostname
    │   │       ├── hush
    │   │       ├── ionice
    │   │       ├── iostat
    │   │       ├── ipcalc
    │   │       ├── kbd_mode
    │   │       ├── kill
    │   │       ├── ldconfig
    │   │       ├── linux32
    │   │       ├── linux64
    │   │       ├── ln
    │   │       ├── login
    │   │       ├── ls
    │   │       ├── lsattr
    │   │       ├── lzop
    │   │       ├── makemime
    │   │       ├── mkdir
    │   │       ├── mknod
    │   │       ├── mktemp
    │   │       ├── more
    │   │       ├── mount
    │   │       ├── mountpoint
    │   │       ├── mpstat
    │   │       ├── mt
    │   │       ├── mv
    │   │       ├── netstat
    │   │       ├── nice
    │   │       ├── pidof
    │   │       ├── ping
    │   │       ├── ping6
    │   │       ├── pipe_progress
    │   │       ├── printenv
    │   │       ├── ps
    │   │       ├── pwd
    │   │       ├── reformime
    │   │       ├── rev
    │   │       ├── rm
    │   │       ├── rmdir
    │   │       ├── rpm
    │   │       ├── run-parts
    │   │       ├── scriptreplay
    │   │       ├── sed
    │   │       ├── setarch
    │   │       ├── setserial
    │   │       ├── sh
    │   │       ├── sleep
    │   │       ├── stat
    │   │       ├── stty
    │   │       ├── su
    │   │       ├── sync
    │   │       ├── tar
    │   │       ├── touch
    │   │       ├── true
    │   │       ├── umount
    │   │       ├── uname
    │   │       ├── usleep
    │   │       ├── vi
    │   │       ├── watch
    │   │       └── zcat
    │   │   ├── dev
    │   │       └── .empty
    │   │   ├── etc
    │   │       ├── group
    │   │       ├── localtime
    │   │       ├── nsswitch.conf
    │   │       ├── passwd
    │   │       └── shadow
    │   │   ├── init_template
    │   │   ├── lib32
    │   │       ├── libasan.so.4
    │   │       ├── libc.so.6
    │   │       ├── libdl.so.2
    │   │       ├── libgcc_s.so.1
    │   │       ├── libm.so.6
    │   │       ├── libpthread.so.0
    │   │       ├── librt.so.1
    │   │       └── libstdc++.so.6
    │   │   ├── linuxrc
    │   │   ├── proc
    │   │       └── .empty
    │   │   ├── sbin
    │   │       ├── acpid
    │   │       ├── adjtimex
    │   │       ├── arp
    │   │       ├── blkid
    │   │       ├── blockdev
    │   │       ├── bootchartd
    │   │       ├── depmod
    │   │       ├── devmem
    │   │       ├── fbsplash
    │   │       ├── fdisk
    │   │       ├── findfs
    │   │       ├── freeramdisk
    │   │       ├── fsck
    │   │       ├── fsck.minix
    │   │       ├── fstrim
    │   │       ├── getty
    │   │       ├── halt
    │   │       ├── hdparm
    │   │       ├── hwclock
    │   │       ├── ifconfig
    │   │       ├── ifdown
    │   │       ├── ifenslave
    │   │       ├── ifup
    │   │       ├── init
    │   │       ├── insmod
    │   │       ├── ip
    │   │       ├── ipaddr
    │   │       ├── iplink
    │   │       ├── iproute
    │   │       ├── iprule
    │   │       ├── iptunnel
    │   │       ├── klogd
    │   │       ├── loadkmap
    │   │       ├── logread
    │   │       ├── losetup
    │   │       ├── lsmod
    │   │       ├── makedevs
    │   │       ├── mdev
    │   │       ├── mkdosfs
    │   │       ├── mke2fs
    │   │       ├── mkfs.ext2
    │   │       ├── mkfs.minix
    │   │       ├── mkfs.vfat
    │   │       ├── mkswap
    │   │       ├── modinfo
    │   │       ├── modprobe
    │   │       ├── nameif
    │   │       ├── pivot_root
    │   │       ├── poweroff
    │   │       ├── raidautorun
    │   │       ├── reboot
    │   │       ├── rmmod
    │   │       ├── route
    │   │       ├── runlevel
    │   │       ├── setconsole
    │   │       ├── slattach
    │   │       ├── start-stop-daemon
    │   │       ├── sulogin
    │   │       ├── swapoff
    │   │       ├── swapon
    │   │       ├── switch_root
    │   │       ├── sysctl
    │   │       ├── syslogd
    │   │       ├── tunctl
    │   │       ├── udhcpc
    │   │       ├── uevent
    │   │       ├── vconfig
    │   │       ├── watchdog
    │   │       └── zcip
    │   │   ├── sys
    │   │       └── .empty
    │   │   ├── tmp
    │   │       └── .empty
    │   │   └── usr
    │   │       ├── bin
    │   │           ├── [
    │   │           ├── [[
    │   │           ├── awk
    │   │           ├── basename
    │   │           ├── beep
    │   │           ├── blkdiscard
    │   │           ├── bunzip2
    │   │           ├── bzcat
    │   │           ├── bzip2
    │   │           ├── cal
    │   │           ├── chpst
    │   │           ├── chrt
    │   │           ├── chvt
    │   │           ├── cksum
    │   │           ├── clear
    │   │           ├── cmp
    │   │           ├── comm
    │   │           ├── crontab
    │   │           ├── cryptpw
    │   │           ├── cut
    │   │           ├── dc
    │   │           ├── deallocvt
    │   │           ├── diff
    │   │           ├── dirname
    │   │           ├── dos2unix
    │   │           ├── du
    │   │           ├── dumpleases
    │   │           ├── eject
    │   │           ├── env
    │   │           ├── envdir
    │   │           ├── envuidgid
    │   │           ├── expand
    │   │           ├── expr
    │   │           ├── fgconsole
    │   │           ├── find
    │   │           ├── flock
    │   │           ├── fold
    │   │           ├── free
    │   │           ├── ftpget
    │   │           ├── ftpput
    │   │           ├── fuser
    │   │           ├── groups
    │   │           ├── hd
    │   │           ├── head
    │   │           ├── hexdump
    │   │           ├── hostid
    │   │           ├── id
    │   │           ├── install
    │   │           ├── ipcrm
    │   │           ├── ipcs
    │   │           ├── killall
    │   │           ├── last
    │   │           ├── ldd
    │   │           ├── less
    │   │           ├── logger
    │   │           ├── logname
    │   │           ├── lpq
    │   │           ├── lpr
    │   │           ├── lsof
    │   │           ├── lspci
    │   │           ├── lsusb
    │   │           ├── lzcat
    │   │           ├── lzma
    │   │           ├── lzopcat
    │   │           ├── man
    │   │           ├── md5sum
    │   │           ├── mesg
    │   │           ├── microcom
    │   │           ├── mkfifo
    │   │           ├── mkpasswd
    │   │           ├── nc
    │   │           ├── nmeter
    │   │           ├── nohup
    │   │           ├── nslookup
    │   │           ├── od
    │   │           ├── openvt
    │   │           ├── passwd
    │   │           ├── patch
    │   │           ├── pgrep
    │   │           ├── pkill
    │   │           ├── pmap
    │   │           ├── printf
    │   │           ├── pscan
    │   │           ├── pstree
    │   │           ├── pwdx
    │   │           ├── readlink
    │   │           ├── realpath
    │   │           ├── renice
    │   │           ├── reset
    │   │           ├── resize
    │   │           ├── rpm2cpio
    │   │           ├── runsv
    │   │           ├── runsvdir
    │   │           ├── rx
    │   │           ├── script
    │   │           ├── seq
    │   │           ├── setkeycodes
    │   │           ├── setsid
    │   │           ├── setuidgid
    │   │           ├── sha1sum
    │   │           ├── sha256sum
    │   │           ├── sha3sum
    │   │           ├── sha512sum
    │   │           ├── showkey
    │   │           ├── shuf
    │   │           ├── smemcap
    │   │           ├── softlimit
    │   │           ├── sort
    │   │           ├── split
    │   │           ├── strace
    │   │           ├── strings
    │   │           ├── sum
    │   │           ├── sv
    │   │           ├── tac
    │   │           ├── tail
    │   │           ├── tcpsvd
    │   │           ├── tee
    │   │           ├── telnet
    │   │           ├── test
    │   │           ├── tftp
    │   │           ├── time
    │   │           ├── timeout
    │   │           ├── top
    │   │           ├── tr
    │   │           ├── traceroute
    │   │           ├── traceroute6
    │   │           ├── truncate
    │   │           ├── tty
    │   │           ├── ttysize
    │   │           ├── udpsvd
    │   │           ├── unexpand
    │   │           ├── uniq
    │   │           ├── unix2dos
    │   │           ├── unlink
    │   │           ├── unlzma
    │   │           ├── unlzop
    │   │           ├── unxz
    │   │           ├── unzip
    │   │           ├── uptime
    │   │           ├── users
    │   │           ├── uudecode
    │   │           ├── uuencode
    │   │           ├── vlock
    │   │           ├── volname
    │   │           ├── wall
    │   │           ├── wc
    │   │           ├── wget
    │   │           ├── which
    │   │           ├── who
    │   │           ├── whoami
    │   │           ├── whois
    │   │           ├── xargs
    │   │           ├── xz
    │   │           ├── xzcat
    │   │           └── yes
    │   │       ├── lib
    │   │           └── x86_64-linux-gnu
    │   │           │   └── libasan.so.2
    │   │       ├── lib32
    │   │           ├── libasan.so.2
    │   │           ├── libgcc_s.so.1
    │   │           ├── libpthread.so.2
    │   │           └── libstdc++.so.6
    │   │       └── sbin
    │   │           ├── add-shell
    │   │           ├── addgroup
    │   │           ├── adduser
    │   │           ├── arping
    │   │           ├── brctl
    │   │           ├── chat
    │   │           ├── chpasswd
    │   │           ├── chroot
    │   │           ├── crond
    │   │           ├── delgroup
    │   │           ├── deluser
    │   │           ├── dhcprelay
    │   │           ├── dnsd
    │   │           ├── ether-wake
    │   │           ├── fakeidentd
    │   │           ├── fbset
    │   │           ├── fdformat
    │   │           ├── ftpd
    │   │           ├── httpd
    │   │           ├── i2cdetect
    │   │           ├── i2cdump
    │   │           ├── i2cget
    │   │           ├── i2cset
    │   │           ├── ifplugd
    │   │           ├── inetd
    │   │           ├── killall5
    │   │           ├── loadfont
    │   │           ├── lpd
    │   │           ├── nanddump
    │   │           ├── nandwrite
    │   │           ├── nbd-client
    │   │           ├── ntpd
    │   │           ├── popmaildir
    │   │           ├── powertop
    │   │           ├── rdate
    │   │           ├── rdev
    │   │           ├── readahead
    │   │           ├── readprofile
    │   │           ├── remove-shell
    │   │           ├── rtcwake
    │   │           ├── sendmail
    │   │           ├── setfont
    │   │           ├── setlogcons
    │   │           ├── svlogd
    │   │           ├── telnetd
    │   │           ├── tftpd
    │   │           ├── ubiattach
    │   │           ├── ubidetach
    │   │           ├── ubimkvol
    │   │           ├── ubirmvol
    │   │           ├── ubirsvol
    │   │           ├── ubiupdatevol
    │   │           └── udhcpd
    └── packer
    │   ├── .gitignore
    │   ├── common
    │       ├── __init__.py
    │       ├── color.py
    │       ├── config.py
    │       ├── debug.py
    │       ├── info.py
    │       ├── self_check.py
    │       └── util.py
    │   ├── compiler
    │       ├── .gitignore
    │       ├── Makefile
    │       ├── README.llvm
    │       ├── afl-clang-fast.c
    │       ├── afl-llvm-pass.so.cc
    │       ├── afl-llvm-rt.o.c
    │       ├── alloc-inl.h
    │       ├── android-ashmem.h
    │       ├── config.h
    │       ├── debug.h
    │       ├── test-instr.c
    │       └── types.h
    │   ├── fuzzer_configs
    │       └── .gitignore
    │   ├── help.txt
    │   ├── linux_x86_64-userspace
    │       ├── compile_32.sh
    │       ├── compile_64.sh
    │       ├── compile_loader.sh
    │       ├── compile_net_standalone.sh
    │       ├── src
    │       │   ├── htools
    │       │   │   ├── habort.c
    │       │   │   ├── hcat.c
    │       │   │   ├── hget.c
    │       │   │   └── hpush.c
    │       │   ├── ijon_extension.h
    │       │   ├── ld_preload_fuzz.c
    │       │   ├── ld_preload_info.c
    │       │   ├── libnyx.c
    │       │   ├── libnyx.h
    │       │   ├── loader.c
    │       │   ├── misc
    │       │   │   ├── crash_handler.c
    │       │   │   ├── crash_handler.h
    │       │   │   ├── harness_state.c
    │       │   │   ├── harness_state.h
    │       │   │   ├── struct_synth_report.c
    │       │   │   └── struct_synth_report.h
    │       │   ├── netfuzz
    │       │   │   ├── inject.c
    │       │   │   ├── run_dcmtk.sh
    │       │   │   ├── run_dnsmasq.sh
    │       │   │   ├── run_live555.sh
    │       │   │   ├── socket_cache.c
    │       │   │   ├── socket_cache.h
    │       │   │   ├── standalone_compile.sh
    │       │   │   ├── syscalls.c
    │       │   │   └── syscalls.h
    │       │   └── userspace_loader.c
    │       └── test.sh
    │   ├── nyx.ini
    │   ├── nyx_config_gen.py
    │   └── nyx_packer.py
├── run-example.sh
├── seeds
    └── abc
├── setup.sh
└── struct_recovery.py


/.gitignore:
--------------------------------------------------------------------------------
 1 | *.so
 2 | *.fuzz
 3 | 
 4 | build/
 5 | liblibnyx_dummy.so
 6 | 
 7 | fuzzer.log
 8 | 
 9 | packer/linux_initramfs/init_debug_shell.cpio.gz
10 | packer/linux_initramfs/init.cpio
11 | packer/linux_initramfs/init.cpio.gz


--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
 1 | [submodule "QEMU-Nyx"]
 2 | 	path = QEMU-Nyx
 3 | 	url = https://github.com/nyx-fuzz/QEMU-Nyx.git
 4 | [submodule "KVM-Nyx"]
 5 | 	path = KVM-Nyx
 6 | 	url = https://github.com/nyx-fuzz/KVM-Nyx.git
 7 | [submodule "zydis"]
 8 | 	path = zydis
 9 | 	url = https://github.com/zyantific/zydis.git
10 | [submodule "enclave-dumper/linux-sgx-sign"]
11 | 	path = enclave-dumper/linux-sgx-sign
12 | 	url = https://github.com/intel/linux-sgx
13 | 


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM ubuntu:22.04
 2 | 
 3 | RUN apt-get update
 4 | RUN apt-get install -y git build-essential python2 python3 pkg-config libgtk-3-dev flex bison
 5 | 
 6 | # Install capstone v4 for libxdc
 7 | #WORKDIR /build
 8 | #RUN git clone https://github.com/aquynh/capstone.git
 9 | #WORKDIR /build/capstone
10 | #RUN git checkout v4
11 | #RUN make && make install
12 | 
13 | # Install libxdc
14 | #WORKDIR /build
15 | #RUN git clone https://github.com/nyx-fuzz/libxdc.git
16 | #WORKDIR /build/libxdc
17 | #RUN make install
18 | 
19 | WORKDIR /build
20 | RUN git clone https://github.com/nyx-fuzz/QEMU-Nyx.git
21 | WORKDIR /build/QEMU-Nyx
22 | RUN ./compile_qemu_nyx.sh lto
23 | 
24 | WORKDIR /build
25 | RUN git clone --depth 1 --branch kvm-nyx-5.10.73 git@github.com:nyx-fuzz/kvm-nyx.git
26 | WORKDIR kvm-nyx
27 | RUN sh compile_kvm_nyx_standalone.sh
28 | 
29 | 
30 | 
31 | 


--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/App/App.cpp:
--------------------------------------------------------------------------------
 1 | #include <string.h>
 2 | 
 3 | #include <unistd.h>
 4 | #include <pwd.h>
 5 | #define MAX_PATH FILENAME_MAX
 6 | 
 7 | #include "sgx_urts.h"
 8 | #include "App.h"
 9 | #include "Enclave_u.h"
10 | 
11 | #include <errno.h>
12 | 
13 | #include "sgxerrorprinting.cpp"
14 | 
15 | /* Global EID shared by multiple threads */
16 | sgx_enclave_id_t global_eid = 0;
17 | 
18 | int update = 0;
19 | sgx_launch_token_t token = {0};
20 | 
21 | int initialize_enclave(void)
22 | {
23 |     sgx_status_t ret = SGX_ERROR_UNEXPECTED;
24 | 
25 |     /* Call sgx_create_enclave to initialize an enclave instance */
26 |     /* Debug Support: set 2nd parameter to 1 */
27 |     ret = sgx_create_enclave(ENCLAVE_FILENAME, SGX_DEBUG_FLAG, &token, &update, &global_eid, NULL);
28 |     if (ret != SGX_SUCCESS) {
29 |         print_error_message(ret);
30 |         return -1;
31 |     }
32 | 
33 |     return 0;
34 | }
35 | 
36 | // #######################################################################################################
37 | 
38 | int main()
39 | {
40 |     int32_t x;
41 | 
42 |     if (initialize_enclave() < 0) {
43 |         return -1;
44 |     }
45 |     printf("Created enclave: %p\n", global_eid);
46 |     x = fuzz_test("TEST", 5);
47 |     printf("Ret: 0x%x\n", x);
48 |     sgx_destroy_enclave(global_eid);
49 | 
50 |     return x;
51 | }
52 | 


--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/App/App.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
 3 |  *
 4 |  * Redistribution and use in source and binary forms, with or without
 5 |  * modification, are permitted provided that the following conditions
 6 |  * are met:
 7 |  *
 8 |  *   * Redistributions of source code must retain the above copyright
 9 |  *     notice, this list of conditions and the following disclaimer.
10 |  *   * Redistributions in binary form must reproduce the above copyright
11 |  *     notice, this list of conditions and the following disclaimer in
12 |  *     the documentation and/or other materials provided with the
13 |  *     distribution.
14 |  *   * Neither the name of Intel Corporation nor the names of its
15 |  *     contributors may be used to endorse or promote products derived
16 |  *     from this software without specific prior written permission.
17 |  *
18 |  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 |  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 |  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 |  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
22 |  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
23 |  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
24 |  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 |  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 |  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 |  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 |  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 |  *
30 |  */
31 | 
32 | #ifndef _APP_H_
33 | #define _APP_H_
34 | 
35 | #include <assert.h>
36 | //#include <stdio.h>
37 | #undef FILENAME_MAX
38 | 
39 | #include <stdlib.h>
40 | #include <stdarg.h>
41 | 
42 | #include <sys/stat.h>
43 | #include <fcntl.h>
44 | 
45 | #include "sgx_error.h"       /* sgx_status_t */
46 | #include "sgx_eid.h"     /* sgx_enclave_id_t */
47 | 
48 | 
49 | #ifndef TRUE
50 | # define TRUE 1
51 | #endif
52 | 
53 | #ifndef FALSE
54 | # define FALSE 0
55 | #endif
56 | 
57 | #if   defined(__GNUC__)
58 | #define TOKEN_FILENAME   "enclave.token"
59 | #define ENCLAVE_FILENAME "enclave.signed.so"
60 | #endif
61 | 
62 | extern sgx_enclave_id_t global_eid;    /* global enclave id */
63 | 
64 | #if defined(__cplusplus)
65 | extern "C" {
66 | #endif
67 | 
68 | int32_t fuzz_test(char* str, int str_len);
69 | 
70 | 
71 | #if defined(__cplusplus)
72 | }
73 | #endif
74 | 
75 | #endif /* !_APP_H_ */
76 | 


--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/App/TrustedLibrary/Libcxx.cpp:
--------------------------------------------------------------------------------
 1 | #include "../App.h"
 2 | #include "Enclave_u.h"
 3 | 
 4 | int32_t fuzz_test(char* str, int str_len) {
 5 | //    int32_t e_ret;
 6 |     sgx_status_t ret = fuzz_ecall(global_eid, str, str_len);
 7 |     if(ret == SGX_SUCCESS)
 8 |         return 0;
 9 |     else
10 |         return -1;
11 | }
12 | 
13 | 


--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/Enclave/Enclave.config.xml:
--------------------------------------------------------------------------------
 1 | <!-- Please refer to User's Guide for the explanation of each field -->
 2 | <EnclaveConfiguration>
 3 |   <ProdID>0</ProdID>
 4 |   <ISVSVN>0</ISVSVN>
 5 |   <StackMaxSize>0x40000</StackMaxSize>
 6 |   <HeapMaxSize>0x100000</HeapMaxSize>
 7 |   <TCSNum>1</TCSNum>
 8 |   <TCSPolicy>1</TCSPolicy>
 9 |   <DisableDebug>0</DisableDebug>
10 |   <MiscSelect>0</MiscSelect>
11 |   <MiscMask>0xFFFFFFFF</MiscMask>
12 | </EnclaveConfiguration>
13 | 


--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/Enclave/Enclave.cpp:
--------------------------------------------------------------------------------
1 | #include "Enclave.h"
2 | #include "Enclave_t.h"  /* print_string */
3 | 


--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/Enclave/Enclave.edl:
--------------------------------------------------------------------------------
1 | enclave {
2 |     from "TrustedLibrary/Libcxx.edl" import *;
3 | };
4 | 


--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/Enclave/Enclave.h:
--------------------------------------------------------------------------------
 1 | #ifndef _ENCLAVE_H_
 2 | #define _ENCLAVE_H_
 3 | 
 4 | #include <stdlib.h>
 5 | #include <assert.h>
 6 | 
 7 | //#if defined(__cplusplus)
 8 | //extern "C" {
 9 | //#endif
10 | //
11 | //#if defined(__cplusplus)
12 | //}
13 | //#endif
14 | 
15 | #endif /* !_ENCLAVE_H_ */
16 | 


--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/Enclave/Enclave.lds:
--------------------------------------------------------------------------------
 1 | enclave.so
 2 | {
 3 |     global:
 4 |         g_global_data_sim;
 5 |         g_global_data;
 6 |         enclave_entry;
 7 |     local:
 8 |         *;
 9 | };
10 | 


--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/Enclave/Enclave_debug.lds:
--------------------------------------------------------------------------------
 1 | enclave.so
 2 | {
 3 |     global:
 4 |         g_global_data_sim;
 5 |         g_global_data;
 6 |         enclave_entry;
 7 |         g_peak_heap_used;
 8 |         g_peak_rsrv_mem_committed;
 9 |     local:
10 |         *;
11 | };
12 | 


--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/Enclave/Enclave_private_test.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN RSA PRIVATE KEY-----
 2 | MIIG4gIBAAKCAYEAroOogvsj/fZDZY8XFdkl6dJmky0lRvnWMmpeH41Bla6U1qLZ
 3 | AmZuyIF+mQC/cgojIsrBMzBxb1kKqzATF4+XwPwgKz7fmiddmHyYz2WDJfAjIveJ
 4 | ZjdMjM4+EytGlkkJ52T8V8ds0/L2qKexJ+NBLxkeQLfV8n1mIk7zX7jguwbCG1Pr
 5 | nEMdJ3Sew20vnje+RsngAzdPChoJpVsWi/K7cettX/tbnre1DL02GXc5qJoQYk7b
 6 | 3zkmhz31TgFrd9VVtmUGyFXAysuSAb3EN+5VnHGr0xKkeg8utErea2FNtNIgua8H
 7 | ONfm9Eiyaav1SVKzPHlyqLtcdxH3I8Wg7yqMsaprZ1n5A1v/levxnL8+It02KseD
 8 | 5HqV4rf/cImSlCt3lpRg8U5E1pyFQ2IVEC/XTDMiI3c+AR+w2jSRB3Bwn9zJtFlW
 9 | KHG3m1xGI4ck+Lci1JvWWLXQagQSPtZTsubxTQNx1gsgZhgv1JHVZMdbVlAbbRMC
10 | 1nSuJNl7KPAS/VfzAgEDAoIBgHRXxaynbVP5gkO0ug6Qw/E27wzIw4SmjsxG6Wpe
11 | K7kfDeRskKxESdsA/xCrKkwGwhcx1iIgS5+Qscd1Yg+1D9X9asd/P7waPmWoZd+Z
12 | AhlKwhdPsO7PiF3e1AzHhGQwsUTt/Y/aSI1MpHBvy2/s1h9mFCslOUxTmWw0oj/Q
13 | ldIEgWeNR72CE2+jFIJIyml6ftnb6qzPiga8Bm48ubKh0kvySOqnkmnPzgh+JBD6
14 | JnBmtZbfPT97bwTT+N6rnPqOOApvfHPf15kWI8yDbprG1l4OCUaIUH1AszxLd826
15 | 5IPM+8gINLRDP1MA6azECPjTyHXhtnSIBZCyWSVkc05vYmNXYUNiXWMajcxW9M02
16 | wKzFELO8NCEAkaTPxwo4SCyIjUxiK1LbQ9h8PSy4c1+gGP4LAMR8xqP4QKg6zdu9
17 | osUGG/xRe/uufgTBFkcjqBHtK5L5VI0jeNIUAgW/6iNbYXjBMJ0GfauLs+g1VsOm
18 | WfdgXzsb9DYdMa0OXXHypmV4GwKBwQDUwQj8RKJ6c8cT4vcWCoJvJF00+RFL+P3i
19 | Gx2DLERxRrDa8AVGfqaCjsR+3vLgG8V/py+z+dxZYSqeB80Qeo6PDITcRKoeAYh9
20 | xlT3LJOS+k1cJcEmlbbO2IjLkTmzSwa80fWexKu8/Xv6vv15gpqYl1ngYoqJM3pd
21 | vzmTIOi7MKSZ0WmEQavrZj8zK4endE3v0eAEeQ55j1GImbypSf7Idh7wOXtjZ7WD
22 | Dg6yWDrri+AP/L3gClMj8wsAxMV4ZR8CgcEA0fzDHkFa6raVOxWnObmRoDhAtE0a
23 | cjUj976NM5yyfdf2MrKy4/RhdTiPZ6b08/lBC/+xRfV3xKVGzacm6QjqjZrUpgHC
24 | 0LKiZaMtccCJjLtPwQd0jGQEnKfMFaPsnhOc5y8qVkCzVOSthY5qhz0XNotHHFmJ
25 | gffVgB0iqrMTvSL7IA2yqqpOqNRlhaYhNl8TiFP3gIeMtVa9rZy31JPgT2uJ+kfo
26 | gV7sdTPEjPWZd7OshGxWpT6QfVDj/T9T7L6tAoHBAI3WBf2DFvxNL2KXT2QHAZ9t
27 | k3imC4f7U+wSE6zILaDZyzygA4RUbwG0gv8/TJVn2P/Eynf76DuWHGlaiLWnCbSz
28 | Az2DHBQBBaku409zDQym3j1ugMRjzzSQWzJg0SIyBH3hTmnYcn3+Uqcp/lEBvGW6
29 | O+rsXFt3pukqJmIV8HzLGGaLm62BHUeZf3dyWm+i3p/hQAL7Xvu04QW70xuGqdr5
30 | afV7p5eaeQIJXyGQJ0eylV/90+qxjMKiB1XYg6WYvwKBwQCL/ddpgOdHJGN8uRom
31 | e7Zq0Csi3hGheMKlKbN3vcxT5U7MdyHtTZZOJbTvxKNNUNYH/8uD+PqDGNneb29G
32 | BfGzvI3EASyLIcGZF3OhKwZd0jUrWk2y7Vhob91jwp2+t73vdMbkKyI4mHOuXvGv
33 | fg95si9oO7EBT+Oqvhccd2J+F1IVXncccYnF4u5ZGWt5lLewN/pVr7MjjykeaHqN
34 | t+rfnQam2psA6fL4zS2zTmZPzR2tnY8Y1GBTi0Ko1OKd1HMCgcAb5cB/7/AQlhP9
35 | yQa04PLH9ygQkKKptZp7dy5WcWRx0K/hAHRoi2aw1wZqfm7VBNu2SLcs90kCCCxp
36 | 6C5sfJi6b8NpNbIPC+sc9wsFr7pGo9SFzQ78UlcWYK2Gu2FxlMjonhka5hvo4zvg
37 | WxlpXKEkaFt3gLd92m/dMqBrHfafH7VwOJY2zT3WIpjwuk0ZzmRg5p0pG/svVQEH
38 | NZmwRwlopysbR69B/n1nefJ84UO50fLh5s5Zr3gBRwbWNZyzhXk=
39 | -----END RSA PRIVATE KEY-----
40 | 


--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/Enclave/TrustedLibrary/Libcxx.cpp:
--------------------------------------------------------------------------------
 1 | #include "../Enclave.h"
 2 | #include "Enclave_t.h"
 3 | 
 4 | void fuzz_ecall(char* buf, int str_len) {
 5 |     if(buf[0] == 'F') {
 6 |         if(buf[1] == 'U') {
 7 |             if(buf[2] == 'Z') {
 8 |                 if(buf[3] == 'Z') {
 9 |                     *(int*)0 = 0;
10 |                 }
11 |             }
12 |         }
13 |     }
14 | }
15 | 


--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/Enclave/TrustedLibrary/Libcxx.edl:
--------------------------------------------------------------------------------
1 | enclave {
2 | 
3 |     from "sgx_tstdc.edl" import sgx_oc_cpuidex;
4 | 
5 |     trusted {
6 |         public void fuzz_ecall([in, size=str_len] char* str, int str_len);
7 |     };
8 | };
9 | 


--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/enclave.signed.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/Enclaves/SimpleFuzzTest/enclave.signed.so


--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/enclave.signed.so.layout:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/Enclaves/SimpleFuzzTest/enclave.signed.so.layout


--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/enclave.signed.so.mem:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/Enclaves/SimpleFuzzTest/enclave.signed.so.mem


--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/enclave.signed.so.mem.zst:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/Enclaves/SimpleFuzzTest/enclave.signed.so.mem.zst


--------------------------------------------------------------------------------
/Enclaves/SimpleFuzzTest/enclave.signed.so.tcs.txt:
--------------------------------------------------------------------------------
1 | 0x16f000
2 | 


--------------------------------------------------------------------------------
/calculate-coverage.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | SGXFUZZ_ROOT=$(dirname "$(realpath "$0")")
 4 | 
 5 | WORKDIR=$(realpath "$1")
 6 | FUZZ_FOLDER=/tmp/$(basename "$WORKDIR")_fuzz_folder
 7 | 
 8 | printf "Using:\t%s\n\t%s\n" "$WORKDIR" "$FUZZ_FOLDER"
 9 | 
10 | PY3=$SGXFUZZ_ROOT/venv-python3/bin/python3
11 | 
12 | $PY3 /home/jwillbold/kafl/kAFL-Fuzzer/kafl_cov.py \
13 |  -sharedir "$FUZZ_FOLDER" \
14 |  -work_dir "$WORKDIR/sgx_workdir" \
15 |  -input "$WORKDIR/sgx_workdir" \
16 |  -initrd "$SGXFUZZ_ROOT/packer/linux_initramfs/init.cpio.gz" \
17 |  -kernel "$SGXFUZZ_ROOT/packer/linux_initramfs/bzImage-linux-4.15-rc7" \
18 |  -mem 1512 \
19 |  -trace \
20 |  -ip0 0-0
21 | 


--------------------------------------------------------------------------------
/display-struct.sh:
--------------------------------------------------------------------------------
1 | cd $1
2 | 
3 | for i in {0..20}; do 
4 | 	echo "ECALL " $i
5 | 	python3 ~/kafl/tools/display-structs.py sgx_workdir/ $i | uniq
6 | done
7 | 
8 | cd ..
9 | 


--------------------------------------------------------------------------------
/enclave-dumper-win/sgx_sign.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/enclave-dumper-win/sgx_sign.exe


--------------------------------------------------------------------------------
/enclave-dumper/Makefile:
--------------------------------------------------------------------------------
 1 | all: sgx_sign
 2 | 
 3 | linux-sgx-sign/:
 4 | 	git submodule update --init $@
 5 | 
 6 | linux-sgx-sign/.PATCHED: linux-sgx-sign.patch | linux-sgx-sign/
 7 | 	git -C linux-sgx-sign/ apply --intent-to-add "../$<"
 8 | 	touch "$@"
 9 | 
10 | linux-sgx-sign/sdk/sign_tool/SignTool/sgx_sign: linux-sgx-sign/.PATCHED
11 | 	$(MAKE) -C linux-sgx-sign/sdk/sign_tool/SignTool/ DEBUG=1 "CXXFLAGS=-DSE_SIM=1 -I../../../common/inc/internal/ -I../../../common/inc/ -I../../../psw/urts/ -g" CFLAGS=-g
12 | 
13 | sgx_sign: linux-sgx-sign/sdk/sign_tool/SignTool/sgx_sign
14 | 	ln -rsfn linux-sgx-sign/sdk/sign_tool/SignTool/sgx_sign ./
15 | 
16 | clean:
17 | 	$(RM) -r linux-sgx-sign/ sgx_sign
18 | 
19 | .PHONY:
20 | sgx_sign_rebuild:
21 | 	$(MAKE) -C linux-sgx-sign/sdk/sign_tool/SignTool/ DEBUG=1 "CXXFLAGS=-DSE_SIM=1 -I../../../common/inc/internal/ -I../../../common/inc/ -I../../../psw/urts/ -g" CFLAGS=-g clean
22 | 	$(MAKE) sgx_sign
23 | 


--------------------------------------------------------------------------------
/enclave-dumper/extract.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | BASE="$(dirname $0)"
 4 | SIGNTOOL="$BASE/sgx_sign"
 5 | 
 6 | enclave=$1
 7 | shift
 8 | out=extract.out
 9 | dump=extract.dump
10 | 
11 | if ! [[ -f $enclave && -r $enclave ]]; then
12 |     echo "ERROR: Cannot open $enclave!"
13 |     exit 1
14 | fi
15 | 
16 | for f in "$out" "$dump" "$dump.mem" "$dump.layout"; do
17 |     if [[ -e $f ]]; then
18 |         echo "ERROR: '$f' exists"
19 |         exit 1
20 |     fi
21 | done
22 | 
23 | echo "Running" "$($SIGNTOOL -version |& grep -oP "version \S+")"
24 | echo "Enclave:" "$enclave"
25 | echo "build with:" "$(strings "$enclave" | grep SGX_TSTDC_VERSION)"
26 | echo
27 | 
28 | echo "--- SGX SIGN ---"
29 | $SIGNTOOL gendata -enclave "$enclave" -out "$out" "$@" | grep -vF '<' > "$dump" || { rm -f -- "$dump"; exit 1; }
30 | echo "--- SGX SIGN END ---"
31 | rm -f -- "$out"
32 | 
33 | python "$BASE/DumpReader.py" "$dump" | tee "$enclave.tcs.txt"
34 | mv "$dump" "$enclave.dump"
35 | 
36 | mv "$dump.mem" "$enclave.mem"
37 | mv "$dump.layout" "$enclave.layout"
38 | 


--------------------------------------------------------------------------------
/kafl/LICENSES/BSD-2-Clause:
--------------------------------------------------------------------------------
 1 | Valid-License-Identifier: BSD-2-Clause
 2 | SPDX-URL: https://spdx.org/licenses/BSD-2-Clause.html
 3 | Usage-Guide:
 4 |   To use the BSD 2-clause "Simplified" License put the following SPDX
 5 |   tag/value pair into a comment according to the placement guidelines in
 6 |   the licensing rules documentation:
 7 |     SPDX-License-Identifier: BSD-2-Clause
 8 | License-Text:
 9 | 
10 | Copyright (c) <year> <owner> . All rights reserved.
11 | 
12 | Redistribution and use in source and binary forms, with or without
13 | modification, are permitted provided that the following conditions are met:
14 | 
15 | 1. Redistributions of source code must retain the above copyright notice,
16 |    this list of conditions and the following disclaimer.
17 | 
18 | 2. Redistributions in binary form must reproduce the above copyright
19 |    notice, this list of conditions and the following disclaimer in the
20 |    documentation and/or other materials provided with the distribution.
21 | 
22 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
23 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 | ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
26 | LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
27 | CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
28 | SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
29 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
30 | CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
31 | ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
32 | POSSIBILITY OF SUCH DAMAGE.
33 | 


--------------------------------------------------------------------------------
/kafl/LICENSES/MIT:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) <year> <copyright holders>
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a
 6 | copy of this software and associated documentation files (the "Software"),
 7 | to deal in the Software without restriction, including without limitation
 8 | the rights to use, copy, modify, merge, publish, distribute, sublicense,
 9 | and/or sell copies of the Software, and to permit persons to whom the
10 | Software is furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in
13 | all copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
20 | FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
21 | DEALINGS IN THE SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | debug.log
3 | error.log
4 | kafl.ini
5 | fuzzer/native/bitmap.so
6 | tags
7 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/banner.txt:
--------------------------------------------------------------------------------
1 |     __                        __   ___    ________
2 |    / /_____  _________  ___  / /  /   |  / ____/ /
3 |   / //_/ _ \/ ___/ __ \/ _ \/ /  / /| | / /_  / /
4 |  / ,< /  __/ /  / / / /  __/ /  / ___ |/ __/ / /___
5 | /_/|_|\___/_/  /_/ /_/\___/_/  /_/  |_/_/   /_____/
6 | =================================================== (C) 2020
7 | 
8 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/common/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/common/__init__.py


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/common/color.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko
 2 | # Copyright 2019-2020 Intel Corporation
 3 | #
 4 | # SPDX-License-Identifier: AGPL-3.0-or-later
 5 | 
 6 | HPRINTF =    '\033[95m'
 7 | OKBLUE =     '\033[94m'
 8 | OKGREEN =    '\033[92m'
 9 | WARNING =    '\033[0;33m'
10 | FAIL =       '\033[91m'
11 | ENDC =       '\033[0m'
12 | CLRSCR =     '\x1b[1;1H'
13 | REALCLRSCR = '\x1b[2J'
14 | BOLD =       '\033[1m'
15 | FLUSH_LINE = '\r\x1b[K'
16 | 
17 | 
18 | def MOVE_CURSOR_UP(num):
19 |     return "\033[" + str(num) + "A"
20 | 
21 | 
22 | def MOVE_CURSOR_DOWN(num):
23 |     return "\033[" + str(num) + "B"
24 | 
25 | 
26 | def MOVE_CURSOR_LEFT(num):
27 |     return "\033[" + str(num) + "C"
28 | 
29 | 
30 | def MOVE_CURSOR_RIGHT(num):
31 |     return "\033[" + str(num) + "D"
32 | 
33 | 
34 | HLINE =  chr(0x2500)
35 | VLINE =  chr(0x2502)
36 | VLLINE = chr(0x2524)
37 | VRLINE = chr(0x251c)
38 | LBEDGE = chr(0x2514)
39 | RBEDGE = chr(0x2518)
40 | HULINE = chr(0x2534)
41 | HDLINE = chr(0x252c)
42 | LTEDGE = chr(0x250c)
43 | RTEDGE = chr(0x2510)
44 | 
45 | INFO_PREFIX =    "[INFO]    "
46 | ERROR_PREFIX =   "[ERROR]   "
47 | WARNING_PREFIX = "[WARNING] "
48 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/common/log.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko
 2 | # Copyright 2019-2020 Intel Corporation
 3 | #
 4 | # SPDX-License-Identifier: AGPL-3.0-or-later
 5 | import codecs
 6 | import logging
 7 | import os
 8 | import sys
 9 | 
10 | class FileFormatter(logging.Formatter):
11 |     def __init__(self):
12 |         super().__init__(fmt="%(asctime)s %(levelname)-8s [%(filename)s:%(lineno)s] %(msg)s")        
13 | 
14 | class StreamFormatter(logging.Formatter):
15 |     def __init__(self):
16 |         super().__init__(fmt="%(levelname)s \u001b[34;1m%(name)s\u001b[0m [%(filename)s:%(lineno)s] %(msg)s")
17 | 
18 |     def format(self, record):
19 |         format_orig = self._style._fmt
20 | 
21 |         format_prefix = ""
22 |         if record.levelno == logging.INFO:
23 |             format_prefix = "INFO\t"
24 |         elif record.levelno == logging.DEBUG:
25 |             format_prefix = "\u001b[94mDBG\u001b[0m\t"
26 |         elif record.levelno == logging.WARNING:
27 |             format_prefix = "\u001b[0;33mWARN\u001b[0m\t"
28 |         elif record.levelno == logging.ERROR:
29 |             format_prefix = "\u001b[91mERR\u001b[0m\t"
30 |         elif record.levelno == logging.CRITICAL:
31 |             format_prefix = "\u001b[1m\u001b[31mCRTCL\u001b[0m\t"
32 | 
33 |         self._style._fmt = format_prefix + "[%(filename)s:%(lineno)s] %(msg)s"
34 | 
35 |         fmt = logging.Formatter.format(self, record)
36 |         self._style._fmt = format_orig
37 | 
38 |         return fmt
39 | 
40 | def init_logger(log_file_path, log_level=logging.INFO):
41 |     sys.stdout = codecs.getwriter("utf-8")(sys.stdout.detach())
42 | 
43 |     stream_handler = logging.StreamHandler(sys.stdout)
44 |     stream_handler.setLevel(log_level)
45 |     stream_formatter = StreamFormatter()
46 |     stream_handler.setFormatter(stream_formatter)
47 | 
48 |     if not os.path.exists(log_file_path):
49 |         os.makedirs(log_file_path)
50 | 
51 |     file_handler = logging.FileHandler(log_file_path + "/debug.log", mode="w+")
52 |     file_handler.setLevel(logging.DEBUG)
53 |     file_formatter = FileFormatter()
54 |     file_handler.setFormatter(file_formatter)
55 | 
56 |     logging.basicConfig(
57 |         level=logging.DEBUG,
58 |         handlers=[
59 |             stream_handler,
60 |             file_handler
61 |         ]
62 |     )
63 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/common/qemu_protocol.py:
--------------------------------------------------------------------------------
1 | # Copyright 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko
2 | # Copyright 2019-2020 Intel Corporation
3 | #
4 | # SPDX-License-Identifier: AGPL-3.0-or-later
5 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/debug/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/debug/__init__.py


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/dict/vuln.dict:
--------------------------------------------------------------------------------
 1 | #
 2 | # kAFL dictionary for Vuln Driver
 3 | # -------------------------------------------
 4 | #
 5 | # Created by Sergej Schumilo <sergej@schumilo.com>
 6 | #
 7 | 
 8 | tag_result1="SERGEJ"
 9 | tag_result2="KASAN"
10 | tag_result3="KERNELAFL"
11 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/fuzzer/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/fuzzer/__init__.py


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/fuzzer/native/Makefile:
--------------------------------------------------------------------------------
1 | bitmap.so: bitmap.c
2 | 	$(CC) --shared -fPIC -O3 -o $@ $^
3 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/fuzzer/process/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/fuzzer/process/__init__.py


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/fuzzer/technique/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/fuzzer/technique/__init__.py


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/fuzzer/technique/redqueen/__init__.py:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/fuzzer/technique/redqueen/hash_patch.py:
--------------------------------------------------------------------------------
 1 | # Copyright (C) 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko
 2 | # Copyright (C) 2019-2020 Intel Corporation
 3 | #
 4 | # SPDX-License-Identifier: AGPL-3.0-or-later
 5 | 
 6 | """
 7 | I wonder what this does?
 8 | """
 9 | 
10 | class HashPatcher:
11 |     def __init__(self):
12 |         self.patched = set()
13 |         self.blacklisted = set()
14 | 
15 |     def add_hash_candidate(self, mut):
16 |         if mut.addr in self.blacklisted or mut.addr in self.patched:
17 |             return
18 |         self.patched.add(mut.addr)
19 |         self.apply_patches()
20 | 
21 |     def blacklist_hash_candidate(self, addr):
22 |         self.blacklisted.add(addr)
23 |         if addr in self.patched:
24 |             self.patched.remove(addr)
25 |             self.apply_patches()
26 | 
27 |     def apply_patches(self):
28 |         with open("/tmp/redqueen_whitelist", "w") as w:
29 |             with open("/tmp/rq_patches", "w") as f:
30 |                 for addr in self.patched:
31 |                     hexaddr = hex(addr).rstrip("L").lstrip("0x")
32 |                     if hexaddr:
33 |                         w.write(hexaddr + "\n")
34 |                         f.write(hexaddr + "\n")
35 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/fuzzer/technique/redqueen/workdir.py:
--------------------------------------------------------------------------------
 1 | # Copyright (C) 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko
 2 | # Copyright (C) 2019-2020 Intel Corporation
 3 | #
 4 | # SPDX-License-Identifier: AGPL-3.0-or-later
 5 | 
 6 | """
 7 | Redqueen workdir/Qemu interface
 8 | """
 9 | 
10 | import os
11 | import shutil
12 | 
13 | 
14 | class RedqueenWorkdir:
15 |     def __init__(self, qemu_id, config):
16 |         self.base_path = config.argument_values['work_dir'] + "/redqueen_workdir_" + str(qemu_id)
17 | 
18 |     def init_dir(self):
19 |         if os.path.exists(self.base_path):
20 |             shutil.rmtree(self.base_path)
21 |         os.makedirs(self.base_path)
22 | 
23 |     def redqueen(self):
24 |         return self.base_path + "/redqueen_results.txt"
25 | 
26 |     def patches(self):
27 |         return self.base_path + "/redqueen_patches.txt"
28 | 
29 |     def whitelist(self):
30 |         return self.base_path + "/breakpoint_white.txt"
31 | 
32 |     def blacklist(self):
33 |         return self.base_path + "/breakpoint_black.txt"
34 | 
35 |     def code_dump(self):
36 |         return self.base_path + "/target_code_dump.img"
37 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/info/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/info/__init__.py


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/info/core.py:
--------------------------------------------------------------------------------
 1 | # Copyright (C) 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko
 2 | # Copyright (C) 2019-2020 Intel Corporation
 3 | #
 4 | # SPDX-License-Identifier: AGPL-3.0-or-later
 5 | 
 6 | import logging
 7 | import os
 8 | import time
 9 | 
10 | from common.log import init_logger
11 | from common.qemu import qemu
12 | from common.self_check import post_self_check
13 | from common.util import prepare_working_dir
14 | 
15 | def start(config):
16 | 
17 |     work_dir = config.argument_values["work_dir"]
18 |     if config.argument_values['v'] or config.argument_values["debug"]:
19 |         init_logger(work_dir, logging.DEBUG)
20 |     else:
21 |         init_logger(work_dir)
22 | 
23 |     if not post_self_check(config):
24 |         return -1
25 | 
26 |     if not prepare_working_dir(config):
27 |         logging.error("Refuse to operate on existing work directory. Use --purge to override.")
28 |         return 1
29 | 
30 |     logging.info("Dumping target addresses...")
31 | 
32 |     # TODO: use proper temp file or store to $work_dir
33 |     if os.path.exists("/tmp/kAFL_info.txt"):
34 |         os.remove("/tmp/kAFL_info.txt")
35 | 
36 |     q = qemu(0, config)
37 |     q.start()
38 |     q.shutdown()
39 | 
40 |     try:
41 |         with open("/tmp/kAFL_info.txt", 'r') as f:
42 |             print(f.read())
43 |         #os.remove("/tmp/kAFL_info.txt")
44 |     except:
45 |         pass
46 | 
47 |     return 0
48 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/kafl_debug.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | #
 3 | # Copyright (C) 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko
 4 | # Copyright (C) 2019-2020 Intel Corporation
 5 | #
 6 | # SPDX-License-Identifier: AGPL-3.0-or-later
 7 | 
 8 | """
 9 | Execute a given kAFL target with individual test inputs for purpose of debug/inspection.
10 | """
11 | 
12 | import os
13 | import sys
14 | 
15 | import common.color
16 | from common.self_check import self_check
17 | from common.config import DebugConfiguration
18 | 
19 | KAFL_ROOT = os.path.dirname(os.path.realpath(__file__)) + "/"
20 | KAFL_BANNER = KAFL_ROOT + "banner.txt"
21 | KAFL_CONFIG = KAFL_ROOT + "kafl.ini"
22 | 
23 | def main():
24 | 
25 |     with open(KAFL_BANNER) as f:
26 |         for line in f:
27 |             print(line.replace("\n", ""))
28 | 
29 |     print("<< " + common.color.BOLD + common.color.OKGREEN +
30 |             sys.argv[0] + ": kAFL Debugger " + common.color.ENDC + ">>\n")
31 | 
32 |     if not self_check(KAFL_ROOT):
33 |         return 1
34 | 
35 |     import debug.core
36 |     cfg = DebugConfiguration(KAFL_CONFIG)
37 |     return debug.core.start(cfg)
38 | 
39 | 
40 | if __name__ == "__main__":
41 |     main()
42 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/kafl_fuzz.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | #
 3 | # Copyright (C) 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko
 4 | # Copyright (C) 2019-2020 Intel Corporation
 5 | #
 6 | # SPDX-License-Identifier: AGPL-3.0-or-later
 7 | 
 8 | """
 9 | Launcher for Fuzzing with kAFL. Check fuzzer/core.py for more.
10 | """
11 | 
12 | import os
13 | import sys
14 | 
15 | import common.color
16 | from common.config import FuzzerConfiguration
17 | from common.self_check import self_check
18 | 
19 | KAFL_ROOT = os.path.dirname(os.path.realpath(__file__)) + "/"
20 | KAFL_BANNER = KAFL_ROOT + "banner.txt"
21 | KAFL_CONFIG = KAFL_ROOT + "kafl.ini"
22 | 
23 | def main():
24 | 
25 |     with open(KAFL_BANNER) as f:
26 |         for line in f:
27 |             print(line.replace("\n", ""))
28 | 
29 |     print("<< " + common.color.BOLD + common.color.OKGREEN +
30 |             sys.argv[0] + ": Kernel Fuzzer " + common.color.ENDC + ">>\n")
31 | 
32 |     if not self_check(KAFL_ROOT):
33 |         return 1
34 | 
35 |     import fuzzer.core
36 |     cfg = FuzzerConfiguration(KAFL_CONFIG)
37 |     return fuzzer.core.start(cfg)
38 | 
39 | 
40 | if __name__ == "__main__":
41 |     main()
42 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/kafl_info.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | #
 3 | # Copyright (C) 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko
 4 | # Copyright (C) 2019-2020 Intel Corporation
 5 | #
 6 | # SPDX-License-Identifier: AGPL-3.0-or-later
 7 | 
 8 | """ 
 9 | Execute a kAFL target once, using a special "info" binary as agent.
10 | 
11 | This is used in cases where we want to automatically extract some information
12 | from a target before proper fuzzing, e.g. the location of kernel modules in a VM
13 | snapshot. Perhaps this feature should be merged into kafl_debug.py.
14 | """
15 | 
16 | import os
17 | import sys
18 | 
19 | import common.color
20 | from common.self_check import self_check
21 | from common.config import InfoConfiguration
22 | 
23 | KAFL_ROOT = os.path.dirname(os.path.realpath(__file__)) + "/"
24 | KAFL_BANNER = KAFL_ROOT + "banner.txt"
25 | KAFL_CONFIG = KAFL_ROOT + "kafl.ini"
26 | 
27 | def main():
28 | 
29 |     with open(KAFL_BANNER) as f:
30 |         for line in f:
31 |             print(line.replace("\n", ""))
32 | 
33 |     print("<< " + common.color.BOLD + common.color.OKGREEN +
34 |             sys.argv[0] + ": Agent Info Dumper " + common.color.ENDC + ">>\n")
35 | 
36 |     if not self_check(KAFL_ROOT):
37 |         return 1
38 | 
39 |     import info.core
40 |     cfg = InfoConfiguration(KAFL_CONFIG)
41 |     return info.core.start(cfg)
42 | 
43 | 
44 | if __name__ == "__main__":
45 |     main()
46 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/proc_map_helper.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | 
 3 | ip = int(sys.argv[1])
 4 | f = open("edges_uniq.lst", "r")
 5 | s = f.read()
 6 | lines = s.split('\n')[:-1]
 7 | 
 8 | print(f"Searching for IP={ip}...")
 9 | 
10 | # from proc_maps
11 | # 555555554000-55555555e000
12 | # 55555575e000-55555575f000
13 | # 55555575f000-555555be3000
14 | fp = open("../dump/proc_maps.txt", "r")
15 | sp = fp.read()
16 | linesp = sp.split('\n')[:-1]
17 | 
18 | ranges = []
19 | labels = ["sgx", "sec", "text"]
20 | 
21 | for linep in linesp:
22 |     if "/tmp/target_executable" in linep:
23 |         (start, end) = linep[:25].split('-')
24 |         print(linep[:25].split('-'))
25 |         ranges.append((int(start, 16), int(end, 16), labels.pop()))
26 | 
27 | print(ranges)
28 | 
29 | for line in lines:
30 |     (start, end, count) = line.split(',')
31 |     start = int(start, 16)
32 |     end = int(end, 16)
33 | 
34 |     start_l = "unknown"
35 |     end_l = "unknown"
36 | 
37 |     for (rs, re, rl) in ranges:
38 |         if rs <= start < re:
39 |             start_l = rl
40 |         if rs <= end < re:
41 |             end_l = rl
42 | 
43 |     print(f'{start_l:<8},{hex(start):<32} -> {end_l:<8},{hex(end)}')
44 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/redqueen_mut.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | #
 3 | # Copyright (C) 2017-2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko
 4 | # Copyright (C) 2019-2020 Intel Corporation
 5 | #
 6 | # SPDX-License-Identifier: AGPL-3.0-or-later
 7 | 
 8 | """
 9 | Validate Redqueen Input-to-State mutations
10 | """
11 | 
12 | import array
13 | import sys
14 | 
15 | from fuzzer.technique.redqueen import parser
16 | from fuzzer.technique.redqueen.mod import RedqueenInfoGatherer
17 | 
18 | info = RedqueenInfoGatherer()
19 | 
20 | info.collected_infos_path = sys.argv[1]
21 | info.num_alternative_inputs = 2
22 | 
23 | info.get_proposals()
24 | print("got %d mutations on %s" % (info.get_num_mutations(), sys.argv[1]))
25 | 
26 | orig_input = open(sys.argv[1] + "/input_2.bin", "rb").read()
27 | print("Mutating : %s" % repr(orig_input))
28 | 
29 | 
30 | def fake_execute(str, a, b):
31 |     print("executing %s" % repr(str))
32 | 
33 | 
34 | info.verbose = True
35 | default_info = {}
36 | info.run_mutate_redqueen(array.array("B", orig_input), fake_execute, default_info)
37 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/seed/ext4/ext4.img:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/seed/ext4/ext4.img


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/seed/fat/fat_a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/seed/fat/fat_a


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/seed/fat/fat_b:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/seed/fat/fat_b


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/seed/fat/fat_c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/seed/fat/fat_c


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/seed/fat/fat_d:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/seed/fat/fat_d


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/seed/fat/fat_e:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/seed/fat/fat_e


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/seed/kafl_vulntest/seed_file:
--------------------------------------------------------------------------------
1 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/seed/ntfs/ntfs64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/seed/ntfs/ntfs64


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/seed/ntfs_win/ntfs_header_64k:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/seed/ntfs_win/ntfs_header_64k


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/test.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | #
 3 | # Copyright (C) 2019-2020 Intel Corporation
 4 | # SPDX-License-Identifier: AGPL-3.0-or-later
 5 | 
 6 | """
 7 | This file offers an alternative/standalone entry point to tests/, e.g.
 8 | to launch some benchmarks contained there.
 9 | 
10 | To execute all regular tests, run pytest inside kAFL-Fuzzer/ directory.
11 | """
12 | 
13 | from tests.test_random import *
14 | from tests.test_deterministic import *
15 | from tests.test_havoc_handler import *
16 | 
17 | if __name__ == '__main__':
18 | 
19 |     print("\nRunning benchmarks... (use pytest -v to run actual tests!)\n")
20 | 
21 |     rand_main()
22 |     deter_main()
23 |     havoc_main()
24 | 
25 |     print("\nDone!")
26 | 


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/tests/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/kAFL-Fuzzer/tests/__init__.py


--------------------------------------------------------------------------------
/kafl/kAFL-Fuzzer/tests/helper.py:
--------------------------------------------------------------------------------
 1 | # Copyright (C) 2020 Intel Corporation
 2 | # SPDX-License-Identifier: AGPL-3.0-or-later
 3 | 
 4 | """
 5 | Helper functions for kAFL tests
 6 | """
 7 | 
 8 | def ham_weight(x):
 9 |     _x = bytearray(x)
10 |     weight = 0
11 |     for byte in _x:
12 |         weight += bin(byte).count("1")
13 |     return weight
14 | 
15 | def ham_distance(a,b):
16 |     return ham_weight(bytes(x ^ y for (x, y) in zip(a, b)))
17 | 
18 | def bindiff(a,b):
19 |     res = bytearray()
20 |     for (x, y) in zip(a, b):
21 |         r = bytearray([x^y])
22 |         if r != b'\x00':
23 |             res += r
24 |     return res
25 | 


--------------------------------------------------------------------------------
/kafl/patches.old/0001-fail-of-frontend-did-not-create-SHM-backing-files-of.patch:
--------------------------------------------------------------------------------
 1 | From df49387240575e5fd1563c01822d2cd3e31fbde8 Mon Sep 17 00:00:00 2001
 2 | From: Steffen Schulz <steffen.schulz@intel.com>
 3 | Date: Fri, 3 Jul 2020 01:34:44 +0200
 4 | Subject: [PATCH] fail of frontend did not create SHM backing files of expected
 5 |  size
 6 | 
 7 | By failing here we force a synchronization with the frontend
 8 | ---
 9 |  pt/interface.c | 10 ++++++----
10 |  pt/interface.h |  5 +++--
11 |  2 files changed, 9 insertions(+), 6 deletions(-)
12 | 
13 | diff --git a/pt/interface.c b/pt/interface.c
14 | index f077be6d..c5a8abab 100644
15 | --- a/pt/interface.c
16 | +++ b/pt/interface.c
17 | @@ -207,8 +207,9 @@ static int kafl_guest_create_memory_bar(kafl_mem_state *s, int region_num, uint6
18 |  	int fd;
19 |  	struct stat st;
20 |  	
21 | -	fd = open(file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
22 | -	assert(ftruncate(fd, bar_size) == 0);
23 | +	// abort if frontend failed to setup a sufficiently big SHM file
24 | +	fd = open(file, O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
25 | +	assert(fd != -1);
26 |  	stat(file, &st);
27 |  	QEMU_PT_DEBUG(INTERFACE_PREFIX, "new shm file: (max size: %lx) %lx", bar_size, st.st_size);
28 |  	
29 | @@ -236,8 +237,9 @@ static int kafl_guest_setup_bitmap(kafl_mem_state *s, uint32_t bitmap_size, Erro
30 |  	int fd;
31 |  	struct stat st;
32 |  	
33 | -	fd = open(s->bitmap_file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
34 | -	assert(ftruncate(fd, bitmap_size) == 0);
35 | +	// abort if frontend failed to setup a sufficiently big SHM file
36 | +	fd = open(s->bitmap_file, O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
37 | +	assert(fd != -1);
38 |  	stat(s->bitmap_file, &st);
39 |  	assert(bitmap_size == st.st_size);
40 |  	ptr = mmap(0, bitmap_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
41 | diff --git a/pt/interface.h b/pt/interface.h
42 | index 10709c6d..a66b6ef0 100644
43 | --- a/pt/interface.h
44 | +++ b/pt/interface.h
45 | @@ -13,8 +13,8 @@
46 |  
47 |  #define INTEL_PT_MAX_RANGES			4
48 |  
49 | -#define DEFAULT_KAFL_BITMAP_SIZE	0x10000
50 | -#define DEFAULT_EDGE_FILTER_SIZE	0x1000000
51 | +#define DEFAULT_KAFL_BITMAP_SIZE	(64 << 10)
52 | +#define DEFAULT_EDGE_FILTER_SIZE	( 2 << 23)
53 |  
54 |  #define PROGRAM_SIZE				(128 << 20) /* 128MB Application Data */
55 |  #define PAYLOAD_SIZE				(128 << 10)	/* 128KB Payload Data */
56 | @@ -28,6 +28,7 @@
57 |  
58 |  #define KAFL_PROTO_ACQUIRE			'R'
59 |  #define KAFL_PROTO_RELEASE			'D'
60 | +#define KAFL_PROTO_STARVED			'd'
61 |  
62 |  #define KAFL_PROTO_RELOAD			'L'
63 |  #define KAFL_PROTO_ENABLE_SAMPLING	'S'
64 | -- 
65 | 2.25.1
66 | 
67 | 


--------------------------------------------------------------------------------
/kafl/patches.old/0001-linux-kvm-starved.patch:
--------------------------------------------------------------------------------
 1 | diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
 2 | index f4a5e1c1a..2b5ee4343 100644
 3 | --- a/arch/x86/kvm/x86.c
 4 | +++ b/arch/x86/kvm/x86.c
 5 | @@ -7505,6 +7505,7 @@ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu)
 6 |  				break;
 7 |  			case (KVM_EXIT_KAFL_RELEASE-KAFL_EXIT_OFFSET):
 8 |  				vcpu->run->exit_reason = KVM_EXIT_KAFL_RELEASE;
 9 | +				vcpu->run->hypercall.args[0] = a1;
10 |  				break;
11 |  			case (KVM_EXIT_KAFL_SUBMIT_CR3-KAFL_EXIT_OFFSET):
12 |  				vcpu->run->exit_reason = KVM_EXIT_KAFL_SUBMIT_CR3;
13 | 


--------------------------------------------------------------------------------
/kafl/patches.old/kvm/README.md:
--------------------------------------------------------------------------------
 1 | # vmx_pt Kernel Module
 2 | 
 3 | ## Known Working Kernel Versions:
 4 | 
 5 | * Linux-4.19.x
 6 | * Linux-5.1.21
 7 | * Linux-5.2.11
 8 | * Linux-5.4.34
 9 | * Linux-5.6.5
10 | * ...
11 | 
12 | ## Supported CPUs
13 | 
14 | Any Intel(R) Skylake or later CPU generation with Intel PT support should work.
15 | 
16 | Note that Intel(R) Broadwell (predecessor to Skylake) is NOT supported due to
17 | HW limitations in its PT implementation.
18 | 
19 | Confirmed to work:
20 | 
21 | * Intel(R) Core(TM) i5-6500   CPU @ 3.20GHz (Skylake)
22 | * Intel(R) Core(TM) i7-6700HQ CPU @ 2,60GHz (Skylake)
23 | * Intel(R) Core(TM) i5-7300U  CPU @ 2.60GHz (Kaby Lake)
24 | * Intel(R) Core(TM) i5-7500   CPU @ 3.40GHz (Kaby Lake)
25 | * Intel(R) Core(TM) i5-8600   CPU @ 3.10GHz (Coffee Lake)
26 | * Intel(R) Core(TM) i7-9700K  CPU @ 3.60GHz (Coffee Lake)
27 | * ...
28 | 
29 | 


--------------------------------------------------------------------------------
/kafl/patches.old/kvm/usermode_test/Makefile:
--------------------------------------------------------------------------------
1 | all: test support_test
2 | 


--------------------------------------------------------------------------------
/kafl/patches.old/kvm/usermode_test/support_test.c:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * This file is part of Redqueen.
 3 |  *
 4 |  * Copyright 2019 Sergej Schumilo, Cornelius Aschermann
 5 |  *
 6 |  * SPDX-License-Identifier: GPL-2.0-or-later
 7 |  */
 8 | 
 9 | #include <err.h>
10 | #include <fcntl.h>
11 | #include <linux/kvm.h>
12 | #include <stdint.h>
13 | #include <stdio.h>
14 | #include <stdlib.h>
15 | #include <string.h>
16 | #include <sys/ioctl.h>
17 | #include <sys/mman.h>
18 | #include <sys/stat.h>
19 | #include <sys/types.h>
20 | 
21 | #define KVM_VMX_PT_SUPPORTED	_IO(KVMIO,	0xe4)
22 | 
23 | int main(){
24 | 	int kvm, ret;
25 | 
26 | 	kvm = open("/dev/kvm", O_RDWR | O_CLOEXEC);
27 | 	if (kvm == -1){
28 | 		printf("ERROR: KVM is not loaded!\n");
29 | 		exit(1);
30 | 	} 
31 | 
32 | 	ret = ioctl(kvm, KVM_VMX_PT_SUPPORTED, NULL);
33 | 	if (ret == -1){
34 | 		printf("ERROR: KVM-PT is not loaded!\n");
35 | 		exit(2);
36 | 	}
37 | 	if (ret == -2){
38 | 		printf("ERROR: Intel PT is not supported on this CPU!\n");
39 | 		exit(3);
40 | 	}
41 | 	printf("KVM-PT is ready!\n");
42 | 	return 0;
43 | }
44 | 


--------------------------------------------------------------------------------
/kafl/patches.old/kvm/v5.4/0002-Set-kAFL-hypercall-longmode-properly-fix-printk-buil.patch:
--------------------------------------------------------------------------------
 1 | From 57fc01d5599c16cdd85268a8fb9801af4f45ae0e Mon Sep 17 00:00:00 2001
 2 | From: Roman Lozko <lozko.roma@gmail.com>
 3 | Date: Wed, 30 Jul 2020 00:00:00 +0000
 4 | Subject: [PATCH] Set kAFL hypercall longmode properly; fix printk build
 5 |  warning
 6 | 
 7 | ---
 8 |  arch/x86/kvm/vmx/vmx_pt.c | 2 +-
 9 |  arch/x86/kvm/x86.c        | 1 +
10 |  2 files changed, 2 insertions(+), 1 deletion(-)
11 | 
12 | diff --git a/arch/x86/kvm/vmx/vmx_pt.c b/arch/x86/kvm/vmx/vmx_pt.c
13 | index 1ed2e8fd2..a19f2b76a 100644
14 | --- a/arch/x86/kvm/vmx/vmx_pt.c
15 | +++ b/arch/x86/kvm/vmx/vmx_pt.c
16 | @@ -179,7 +179,7 @@ static void topa_reset(struct vcpu_vmx_pt *vmx_pt)
17 |  {
18 |  #ifdef DEBUG
19 |  	if (vmx_pt_get_data_size(vmx_pt) >= TOPA_MAIN_SIZE)
20 | -		printk(KERN_WARNING "Main TOPA buffer exhausted! %x >= %x?\n",
21 | +		printk(KERN_WARNING "Main TOPA buffer exhausted! %lx >= %x?\n",
22 |  			   vmx_pt_get_data_size(vmx_pt), TOPA_MAIN_SIZE+TOPA_FALLBACK_SIZE);
23 |  #endif
24 |  
25 | diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
26 | index ba958e8cd..5f062330d 100644
27 | --- a/arch/x86/kvm/x86.c
28 | +++ b/arch/x86/kvm/x86.c
29 | @@ -7602,6 +7602,7 @@ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu)
30 |  	/* kAFL Hypercall interface */
31 |  	if (nr == HYPERCALL_KAFL_RAX_ID) {
32 |  		int r = 0;
33 | +		vcpu->run->hypercall.longmode = op_64_bit;
34 |  		switch(a0){
35 |  			case (KVM_EXIT_KAFL_ACQUIRE-KAFL_EXIT_OFFSET):
36 |  				vcpu->run->exit_reason = KVM_EXIT_KAFL_ACQUIRE;
37 | -- 
38 | 2.25.1
39 | 
40 | 


--------------------------------------------------------------------------------
/kafl/patches.old/kvm/v5.7/0002-Set-kAFL-hypercall-longmode-properly-fix-printk-buil.patch:
--------------------------------------------------------------------------------
 1 | From 57fc01d5599c16cdd85268a8fb9801af4f45ae0e Mon Sep 17 00:00:00 2001
 2 | From: Roman Lozko <lozko.roma@gmail.com>
 3 | Date: Wed, 30 Jul 2020 00:00:00 +0000
 4 | Subject: [PATCH] Set kAFL hypercall longmode properly; fix printk build
 5 |  warning
 6 | 
 7 | ---
 8 |  arch/x86/kvm/vmx/vmx_pt.c | 2 +-
 9 |  arch/x86/kvm/x86.c        | 1 +
10 |  2 files changed, 2 insertions(+), 1 deletion(-)
11 | 
12 | diff --git a/arch/x86/kvm/vmx/vmx_pt.c b/arch/x86/kvm/vmx/vmx_pt.c
13 | index 1ed2e8fd2..a19f2b76a 100644
14 | --- a/arch/x86/kvm/vmx/vmx_pt.c
15 | +++ b/arch/x86/kvm/vmx/vmx_pt.c
16 | @@ -179,7 +179,7 @@ static void topa_reset(struct vcpu_vmx_pt *vmx_pt)
17 |  {
18 |  #ifdef DEBUG
19 |  	if (vmx_pt_get_data_size(vmx_pt) >= TOPA_MAIN_SIZE)
20 | -		printk(KERN_WARNING "Main TOPA buffer exhausted! %x >= %x?\n",
21 | +		printk(KERN_WARNING "Main TOPA buffer exhausted! %lx >= %x?\n",
22 |  			   vmx_pt_get_data_size(vmx_pt), TOPA_MAIN_SIZE+TOPA_FALLBACK_SIZE);
23 |  #endif
24 |  
25 | diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
26 | index ba958e8cd..5f062330d 100644
27 | --- a/arch/x86/kvm/x86.c
28 | +++ b/arch/x86/kvm/x86.c
29 | @@ -7602,6 +7602,7 @@ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu)
30 |  	/* kAFL Hypercall interface */
31 |  	if (nr == HYPERCALL_KAFL_RAX_ID) {
32 |  		int r = 0;
33 | +		vcpu->run->hypercall.longmode = op_64_bit;
34 |  		switch(a0){
35 |  			case (KVM_EXIT_KAFL_ACQUIRE-KAFL_EXIT_OFFSET):
36 |  				vcpu->run->exit_reason = KVM_EXIT_KAFL_ACQUIRE;
37 | -- 
38 | 2.25.1
39 | 
40 | 


--------------------------------------------------------------------------------
/kafl/patches.old/kvm/v5.8/0002-Set-kAFL-hypercall-longmode-properly-fix-printk-buil.patch:
--------------------------------------------------------------------------------
 1 | From 6a93040cfeacfab537c3bae6ee69a13d076e9c2b Mon Sep 17 00:00:00 2001
 2 | From: Roman Lozko <lozko.roma@gmail.com>
 3 | Date: Thu, 30 Jul 2020 00:00:00 +0000
 4 | Subject: [PATCH 2/2] Set kAFL hypercall longmode properly; fix printk build
 5 |  warning
 6 | 
 7 | ---
 8 |  arch/x86/kvm/vmx/vmx_pt.c | 2 +-
 9 |  arch/x86/kvm/x86.c        | 1 +
10 |  2 files changed, 2 insertions(+), 1 deletion(-)
11 | 
12 | diff --git a/arch/x86/kvm/vmx/vmx_pt.c b/arch/x86/kvm/vmx/vmx_pt.c
13 | index 1ed2e8fd2..a19f2b76a 100644
14 | --- a/arch/x86/kvm/vmx/vmx_pt.c
15 | +++ b/arch/x86/kvm/vmx/vmx_pt.c
16 | @@ -179,7 +179,7 @@ static void topa_reset(struct vcpu_vmx_pt *vmx_pt)
17 |  {
18 |  #ifdef DEBUG
19 |  	if (vmx_pt_get_data_size(vmx_pt) >= TOPA_MAIN_SIZE)
20 | -		printk(KERN_WARNING "Main TOPA buffer exhausted! %x >= %x?\n",
21 | +		printk(KERN_WARNING "Main TOPA buffer exhausted! %lx >= %x?\n",
22 |  			   vmx_pt_get_data_size(vmx_pt), TOPA_MAIN_SIZE+TOPA_FALLBACK_SIZE);
23 |  #endif
24 |  
25 | diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
26 | index 44f470118..b05187674 100644
27 | --- a/arch/x86/kvm/x86.c
28 | +++ b/arch/x86/kvm/x86.c
29 | @@ -7695,6 +7695,7 @@ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu)
30 |  	/* kAFL Hypercall interface */
31 |  	if (nr == HYPERCALL_KAFL_RAX_ID) {
32 |  		int r = 0;
33 | +		vcpu->run->hypercall.longmode = op_64_bit;
34 |  		switch(a0){
35 |  			case (KVM_EXIT_KAFL_ACQUIRE-KAFL_EXIT_OFFSET):
36 |  				vcpu->run->exit_reason = KVM_EXIT_KAFL_ACQUIRE;
37 | -- 
38 | 2.25.1
39 | 
40 | 


--------------------------------------------------------------------------------
/kafl/patches.old/qemu/v4.2.0/0003-kAFL-v2-frontend-requires-us-to-start-counting-at-0.patch:
--------------------------------------------------------------------------------
 1 | From 7df4993f6598cf695bbec7731e487e6c513c7d12 Mon Sep 17 00:00:00 2001
 2 | From: Steffen Schulz <steffen.schulz@intel.com>
 3 | Date: Sat, 28 Sep 2019 02:09:38 +0200
 4 | Subject: [PATCH 03/11] kAFL v2 frontend requires us to start counting at 0
 5 | 
 6 | ---
 7 |  pt.c | 2 +-
 8 |  1 file changed, 1 insertion(+), 1 deletion(-)
 9 | 
10 | diff --git a/pt.c b/pt.c
11 | index b3088665..6e11c22e 100644
12 | --- a/pt.c
13 | +++ b/pt.c
14 | @@ -78,7 +78,7 @@ void pt_setup_bitmap(void* ptr){
15 |  void pt_reset_bitmap(void){
16 |  	if(bitmap){
17 |  		last_ip = 0ULL;
18 | -		memset(bitmap, 0xff, kafl_bitmap_size);
19 | +		memset(bitmap, 0x00, kafl_bitmap_size);
20 |  	}
21 |  }
22 |  
23 | -- 
24 | 2.26.2
25 | 
26 | 


--------------------------------------------------------------------------------
/kafl/patches.old/qemu/v4.2.0/0005-Check-fopen-return-code-do-not-write-to-inaccessible.patch:
--------------------------------------------------------------------------------
 1 | From 478eefd412808c0f76243e191f7a0e4062718bfc Mon Sep 17 00:00:00 2001
 2 | From: Steffen Schulz <steffen.schulz@intel.com>
 3 | Date: Mon, 4 Nov 2019 17:39:12 +0100
 4 | Subject: [PATCH 05/11] Check fopen() return code, do not write to inaccessible
 5 |  files (segfault) binary patch
 6 | 
 7 | ---
 8 |  pt.c | 18 +++++++++++++-----
 9 |  1 file changed, 13 insertions(+), 5 deletions(-)
10 | 
11 | diff --git a/pt.c b/pt.c
12 | index 60f5751d..4f80dc19 100644
13 | --- a/pt.c
14 | +++ b/pt.c
15 | @@ -216,13 +216,21 @@ int pt_enable_ip_filtering(CPUState *cpu, uint8_t addrn, uint64_t ip_a, uint64_t
16 |  
17 |  #ifdef CREATE_VM_IMAGE
18 |  	FILE* pt_file = fopen(DECODER_MEMORY_IMAGE, "wb");
19 | -	fwrite(buf, sizeof(uint8_t), ip_b-ip_a, pt_file);
20 | -	fclose(pt_file);
21 | +	if (!pt_file) {
22 | +		QEMU_PT_ERROR(CORE_PREFIX, "Error writing file %s)", DECODER_MEMORY_IMAGE);
23 | +	} else {
24 | +		fwrite(buf, sizeof(uint8_t), ip_b-ip_a, pt_file);
25 | +		fclose(pt_file);
26 | +	}
27 |  
28 |  	FILE* rq_file = fopen(redqueen_workdir.target_code_dump, "wb");
29 | -	fwrite(&ip_a, sizeof(uint64_t), 1, rq_file);
30 | -	fwrite(buf, sizeof(uint8_t), ip_b-ip_a, rq_file);
31 | -	fclose(rq_file);
32 | +	if (!rq_file) {
33 | +		QEMU_PT_ERROR(CORE_PREFIX, "Error writing RQ file %s)", redqueen_workdir.target_code_dump);
34 | +	} else {
35 | +		fwrite(&ip_a, sizeof(uint64_t), 1, rq_file);
36 | +		fwrite(buf, sizeof(uint8_t), ip_b-ip_a, rq_file);
37 | +		fclose(rq_file);
38 | +	}
39 |  #endif
40 |  
41 |  
42 | -- 
43 | 2.26.2
44 | 
45 | 


--------------------------------------------------------------------------------
/kafl/patches.old/qemu/v4.2.0/0008-Fix-segfault-when-IPT-filtering-is-not-enabled.patch:
--------------------------------------------------------------------------------
 1 | From b3332759b0c520e7032cd5e80cdfcb480e999f64 Mon Sep 17 00:00:00 2001
 2 | From: Steffen Schulz <steffen.schulz@intel.com>
 3 | Date: Fri, 15 Nov 2019 14:10:53 +0000
 4 | Subject: [PATCH 08/11] Fix segfault when IPT filtering is not enabled
 5 | 
 6 | ---
 7 |  pt/hypercall.c | 14 +++++++-------
 8 |  1 file changed, 7 insertions(+), 7 deletions(-)
 9 | 
10 | diff --git a/pt/hypercall.c b/pt/hypercall.c
11 | index f48b9acb..842a90b6 100644
12 | --- a/pt/hypercall.c
13 | +++ b/pt/hypercall.c
14 | @@ -503,13 +503,13 @@ bool handle_hypercall_kafl_hook(struct kvm_run *run, CPUState *cpu){
15 |      CPUX86State *env = &cpux86->env;
16 |  
17 |  	for(uint8_t i = 0; i < INTEL_PT_MAX_RANGES; i++){
18 | -		if (cpu->redqueen_state[i] && (env->eip >= cpu->pt_ip_filter_a[i]) && (env->eip <= cpu->pt_ip_filter_b[i])){
19 | -			handle_hook(cpu->redqueen_state[i]);
20 | -			return true;
21 | -		}else if (cpu->singlestep_enabled && ((redqueen_t*)cpu->redqueen_state[i])->singlestep_enabled){
22 | -			handle_hook(cpu->redqueen_state[i]);
23 | -			return true;
24 | -    }
25 | +		if (cpu->redqueen_state[i]){
26 | +			if (((env->eip >= cpu->pt_ip_filter_a[i]) && (env->eip <= cpu->pt_ip_filter_b[i])) ||
27 | +				(cpu->singlestep_enabled && ((redqueen_t*)cpu->redqueen_state[i])->singlestep_enabled)){
28 | +				handle_hook(cpu->redqueen_state[i]);
29 | +				return true;
30 | +			}
31 | +		}
32 |  	}
33 |  	return false;
34 |  }
35 | -- 
36 | 2.26.2
37 | 
38 | 


--------------------------------------------------------------------------------
/kafl/patches.old/qemu/v4.2.0/0009-fix-failing-assert-add-check-for-mmap-return.patch:
--------------------------------------------------------------------------------
 1 | From fd4fa993a6e27537f141b753f70269735b1e2546 Mon Sep 17 00:00:00 2001
 2 | From: Steffen Schulz <steffen.schulz@intel.com>
 3 | Date: Tue, 11 Feb 2020 13:26:01 +0100
 4 | Subject: [PATCH 09/11] fix failing assert, add check for mmap() return
 5 | 
 6 | assert() had sometimes failed. Cause seems to be mismatching
 7 | workdir/program file size that is being picked up on concurrent
 8 | qemu restart. Not sure at which point the file is expanded to expected
 9 | size but smaller/equal max size should be fine(?)
10 | ---
11 |  pt/interface.c | 12 +++++++++---
12 |  1 file changed, 9 insertions(+), 3 deletions(-)
13 | 
14 | diff --git a/pt/interface.c b/pt/interface.c
15 | index 0162a6b9..05f27dd3 100644
16 | --- a/pt/interface.c
17 | +++ b/pt/interface.c
18 | @@ -212,7 +212,7 @@ static int kafl_guest_create_memory_bar(kafl_mem_state *s, int region_num, uint6
19 |  	stat(file, &st);
20 |  	QEMU_PT_DEBUG(INTERFACE_PREFIX, "new shm file: (max size: %lx) %lx", bar_size, st.st_size);
21 |  	
22 | -	assert(bar_size == st.st_size);
23 | +	assert(bar_size >= st.st_size);
24 |  	ptr = mmap(0, bar_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
25 |  	if (ptr == MAP_FAILED) {
26 |  		error_setg_errno(errp, errno, "Failed to mmap memory");
27 | @@ -231,7 +231,7 @@ static int kafl_guest_create_memory_bar(kafl_mem_state *s, int region_num, uint6
28 |  	return 0;
29 |  }
30 |  
31 | -static void kafl_guest_setup_bitmap(kafl_mem_state *s, uint32_t bitmap_size){
32 | +static int kafl_guest_setup_bitmap(kafl_mem_state *s, uint32_t bitmap_size, Error **errp){
33 |  	void * ptr;
34 |  	int fd;
35 |  	struct stat st;
36 | @@ -241,7 +241,13 @@ static void kafl_guest_setup_bitmap(kafl_mem_state *s, uint32_t bitmap_size){
37 |  	stat(s->bitmap_file, &st);
38 |  	assert(bitmap_size == st.st_size);
39 |  	ptr = mmap(0, bitmap_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
40 | +	if (ptr == MAP_FAILED) {
41 | +		error_setg_errno(errp, errno, "Failed to mmap memory");
42 | +		return -1;
43 | +	}
44 |  	pt_setup_bitmap((void*)ptr);
45 | +
46 | +	return 0;
47 |  }
48 |  
49 |  static void* kafl_guest_setup_filter_bitmap(kafl_mem_state *s, char* filter, uint64_t size){
50 | @@ -286,7 +292,7 @@ static void pci_kafl_guest_realize(DeviceState *dev, Error **errp){
51 |  	if(&s->chr)
52 |  		qemu_chr_fe_set_handlers(&s->chr, kafl_guest_can_receive, kafl_guest_receive, kafl_guest_event, NULL, s, NULL, true);
53 |  	if(s->bitmap_file)
54 | -		kafl_guest_setup_bitmap(s, kafl_bitmap_size);
55 | +		kafl_guest_setup_bitmap(s, kafl_bitmap_size, errp);
56 |  
57 |  	for(uint8_t i = 0; i < INTEL_PT_MAX_RANGES; i++){
58 |  		if(s->ip_filter[i][0] && s->ip_filter[i][1]){
59 | -- 
60 | 2.26.2
61 | 
62 | 


--------------------------------------------------------------------------------
/kafl/patches.old/qemu/v4.2.0/0013-disable-debug-and-fuzz-opts.patch:
--------------------------------------------------------------------------------
 1 | From 00173506947218945fed1a5666c5668ee001647f Mon Sep 17 00:00:00 2001
 2 | From: Steffen Schulz <steffen.schulz@intel.com>
 3 | Date: Sun, 2 Aug 2020 21:18:59 +0200
 4 | Subject: [PATCH] disable debug and fuzz optimizations
 5 | 
 6 | ---
 7 |  compile.sh | 4 +++-
 8 |  configure  | 4 ++--
 9 |  2 files changed, 5 insertions(+), 3 deletions(-)
10 | 
11 | diff --git a/compile.sh b/compile.sh
12 | index 1ba35365..deb16c93 100644
13 | --- a/compile.sh
14 | +++ b/compile.sh
15 | @@ -6,5 +6,7 @@
16 |  #
17 |  # SPDX-License-Identifier: GPL-2.0-or-later
18 |  #
19 | -./configure --target-list=i386-softmmu,x86_64-softmmu --enable-gtk --enable-vnc --enable-pt --enable-redqueen --disable-werror
20 | +./configure --target-list=i386-softmmu,x86_64-softmmu \
21 | +	--enable-gtk --enable-vnc --enable-pt --enable-redqueen \
22 | +	--disable-werror --disable-debug-info
23 |  make -j8
24 | diff --git a/configure b/configure
25 | index 48bd5340..f6e8baef 100755
26 | --- a/configure
27 | +++ b/configure
28 | @@ -6100,9 +6100,9 @@ if test "$gcov" = "yes" ; then
29 |    CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS"
30 |    LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS"
31 |  elif test "$fortify_source" = "yes" ; then
32 | -  CFLAGS="-O3 -frename-registers -funroll-loops -frename-registers -mtune=native -g -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
33 | +  CFLAGS="-O3 -mtune=native -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
34 |  elif test "$debug" = "no"; then
35 | -  CFLAGS="-O3 -frename-registers -funroll-loops -frename-registers -mtune=native $CFLAGS"
36 | +  CFLAGS="-O3 -mtune=native $CFLAGS"
37 |  fi
38 |  
39 |  if test "$have_asan" = "yes"; then
40 | -- 
41 | 2.27.0
42 | 
43 | 


--------------------------------------------------------------------------------
/kafl/patches.old/qemu/v5.0.0/0003-kAFL-v2-frontend-requires-us-to-start-counting-at-0.patch:
--------------------------------------------------------------------------------
 1 | From 27f5d28733d51f18e32bc9fbf23743f377f6645f Mon Sep 17 00:00:00 2001
 2 | From: Steffen Schulz <steffen.schulz@intel.com>
 3 | Date: Sat, 28 Sep 2019 02:09:38 +0200
 4 | Subject: [PATCH 03/11] kAFL v2 frontend requires us to start counting at 0
 5 | 
 6 | ---
 7 |  pt.c | 2 +-
 8 |  1 file changed, 1 insertion(+), 1 deletion(-)
 9 | 
10 | diff --git a/pt.c b/pt.c
11 | index b3088665..6e11c22e 100644
12 | --- a/pt.c
13 | +++ b/pt.c
14 | @@ -78,7 +78,7 @@ void pt_setup_bitmap(void* ptr){
15 |  void pt_reset_bitmap(void){
16 |  	if(bitmap){
17 |  		last_ip = 0ULL;
18 | -		memset(bitmap, 0xff, kafl_bitmap_size);
19 | +		memset(bitmap, 0x00, kafl_bitmap_size);
20 |  	}
21 |  }
22 |  
23 | -- 
24 | 2.26.2
25 | 
26 | 


--------------------------------------------------------------------------------
/kafl/patches.old/qemu/v5.0.0/0005-Check-fopen-return-code-do-not-write-to-inaccessible.patch:
--------------------------------------------------------------------------------
 1 | From 41d3e240652631795a66802c86021bf1c4a55f3c Mon Sep 17 00:00:00 2001
 2 | From: Steffen Schulz <steffen.schulz@intel.com>
 3 | Date: Mon, 4 Nov 2019 17:39:12 +0100
 4 | Subject: [PATCH 05/11] Check fopen() return code, do not write to inaccessible
 5 |  files (segfault) binary patch
 6 | 
 7 | ---
 8 |  pt.c | 18 +++++++++++++-----
 9 |  1 file changed, 13 insertions(+), 5 deletions(-)
10 | 
11 | diff --git a/pt.c b/pt.c
12 | index 60f5751d..4f80dc19 100644
13 | --- a/pt.c
14 | +++ b/pt.c
15 | @@ -216,13 +216,21 @@ int pt_enable_ip_filtering(CPUState *cpu, uint8_t addrn, uint64_t ip_a, uint64_t
16 |  
17 |  #ifdef CREATE_VM_IMAGE
18 |  	FILE* pt_file = fopen(DECODER_MEMORY_IMAGE, "wb");
19 | -	fwrite(buf, sizeof(uint8_t), ip_b-ip_a, pt_file);
20 | -	fclose(pt_file);
21 | +	if (!pt_file) {
22 | +		QEMU_PT_ERROR(CORE_PREFIX, "Error writing file %s)", DECODER_MEMORY_IMAGE);
23 | +	} else {
24 | +		fwrite(buf, sizeof(uint8_t), ip_b-ip_a, pt_file);
25 | +		fclose(pt_file);
26 | +	}
27 |  
28 |  	FILE* rq_file = fopen(redqueen_workdir.target_code_dump, "wb");
29 | -	fwrite(&ip_a, sizeof(uint64_t), 1, rq_file);
30 | -	fwrite(buf, sizeof(uint8_t), ip_b-ip_a, rq_file);
31 | -	fclose(rq_file);
32 | +	if (!rq_file) {
33 | +		QEMU_PT_ERROR(CORE_PREFIX, "Error writing RQ file %s)", redqueen_workdir.target_code_dump);
34 | +	} else {
35 | +		fwrite(&ip_a, sizeof(uint64_t), 1, rq_file);
36 | +		fwrite(buf, sizeof(uint8_t), ip_b-ip_a, rq_file);
37 | +		fclose(rq_file);
38 | +	}
39 |  #endif
40 |  
41 |  
42 | -- 
43 | 2.26.2
44 | 
45 | 


--------------------------------------------------------------------------------
/kafl/patches.old/qemu/v5.0.0/0008-Fix-segfault-when-IPT-filtering-is-not-enabled.patch:
--------------------------------------------------------------------------------
 1 | From d03e6be2cd619089cc3c6618de0987861e411261 Mon Sep 17 00:00:00 2001
 2 | From: Steffen Schulz <steffen.schulz@intel.com>
 3 | Date: Fri, 15 Nov 2019 14:10:53 +0000
 4 | Subject: [PATCH 08/11] Fix segfault when IPT filtering is not enabled
 5 | 
 6 | ---
 7 |  pt/hypercall.c | 14 +++++++-------
 8 |  1 file changed, 7 insertions(+), 7 deletions(-)
 9 | 
10 | diff --git a/pt/hypercall.c b/pt/hypercall.c
11 | index f48b9acb..842a90b6 100644
12 | --- a/pt/hypercall.c
13 | +++ b/pt/hypercall.c
14 | @@ -503,13 +503,13 @@ bool handle_hypercall_kafl_hook(struct kvm_run *run, CPUState *cpu){
15 |      CPUX86State *env = &cpux86->env;
16 |  
17 |  	for(uint8_t i = 0; i < INTEL_PT_MAX_RANGES; i++){
18 | -		if (cpu->redqueen_state[i] && (env->eip >= cpu->pt_ip_filter_a[i]) && (env->eip <= cpu->pt_ip_filter_b[i])){
19 | -			handle_hook(cpu->redqueen_state[i]);
20 | -			return true;
21 | -		}else if (cpu->singlestep_enabled && ((redqueen_t*)cpu->redqueen_state[i])->singlestep_enabled){
22 | -			handle_hook(cpu->redqueen_state[i]);
23 | -			return true;
24 | -    }
25 | +		if (cpu->redqueen_state[i]){
26 | +			if (((env->eip >= cpu->pt_ip_filter_a[i]) && (env->eip <= cpu->pt_ip_filter_b[i])) ||
27 | +				(cpu->singlestep_enabled && ((redqueen_t*)cpu->redqueen_state[i])->singlestep_enabled)){
28 | +				handle_hook(cpu->redqueen_state[i]);
29 | +				return true;
30 | +			}
31 | +		}
32 |  	}
33 |  	return false;
34 |  }
35 | -- 
36 | 2.26.2
37 | 
38 | 


--------------------------------------------------------------------------------
/kafl/patches.old/qemu/v5.0.0/0013-disable-debug-and-fuzz-opts.patch:
--------------------------------------------------------------------------------
 1 | From 489e1164e46a9023cfd4adab8774b47bda5ad06a Mon Sep 17 00:00:00 2001
 2 | From: Steffen Schulz <steffen.schulz@intel.com>
 3 | Date: Sun, 2 Aug 2020 21:23:44 +0200
 4 | Subject: [PATCH] disable debug and fuzz optimizations
 5 | 
 6 | ---
 7 |  compile.sh | 4 +++-
 8 |  configure  | 4 ++--
 9 |  2 files changed, 5 insertions(+), 3 deletions(-)
10 | 
11 | diff --git a/compile.sh b/compile.sh
12 | index 1ba35365..deb16c93 100644
13 | --- a/compile.sh
14 | +++ b/compile.sh
15 | @@ -6,5 +6,7 @@
16 |  #
17 |  # SPDX-License-Identifier: GPL-2.0-or-later
18 |  #
19 | -./configure --target-list=i386-softmmu,x86_64-softmmu --enable-gtk --enable-vnc --enable-pt --enable-redqueen --disable-werror
20 | +./configure --target-list=i386-softmmu,x86_64-softmmu \
21 | +	--enable-gtk --enable-vnc --enable-pt --enable-redqueen \
22 | +	--disable-werror --disable-debug-info
23 |  make -j8
24 | diff --git a/configure b/configure
25 | index 2ddc696f..eb106528 100755
26 | --- a/configure
27 | +++ b/configure
28 | @@ -6266,9 +6266,9 @@ if test "$gcov" = "yes" ; then
29 |    QEMU_CFLAGS="-fprofile-arcs -ftest-coverage -g $QEMU_CFLAGS"
30 |    QEMU_LDFLAGS="-fprofile-arcs -ftest-coverage $QEMU_LDFLAGS"
31 |  elif test "$fortify_source" = "yes" ; then
32 | -  CFLAGS="-O3 -frename-registers -funroll-loops -frename-registers -mtune=native -g -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
33 | +  CFLAGS="-O3 -mtune=native -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
34 |  elif test "$debug" = "no"; then
35 | -  CFLAGS="-O3 -frename-registers -funroll-loops -frename-registers -mtune=native $CFLAGS"
36 | +  CFLAGS="-O3 -mtune=native $CFLAGS"
37 |  fi
38 |  
39 |  if test "$have_asan" = "yes"; then
40 | -- 
41 | 2.27.0
42 | 
43 | 


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/.gitignore:
--------------------------------------------------------------------------------
1 | bin/
2 | 


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/compile.sh:
--------------------------------------------------------------------------------
 1 | #
 2 | # This file is part of Redqueen.
 3 | #
 4 | # Copyright 2019 Sergej Schumilo, Cornelius Aschermann
 5 | # Copyright 2020 Intel Corporation
 6 | #
 7 | # SPDX-License-Identifier: MIT
 8 | #
 9 | set -e
10 | 
11 | SCRIPT_ROOT="$(dirname ${PWD}/${0})"
12 | 
13 | if [[ "$OSTYPE" != "linux-gnu" ]]; then
14 | 	printf "\tError: Cannont compile linux userspace components on this plattform!\n\tPlease use Linux instead!\n"
15 | fi
16 | 
17 | pushd $SCRIPT_ROOT
18 | 
19 | printf "\tPrecompiling executables...\n"
20 | mkdir -p bin/
21 | 
22 | gcc -c -static -shared -O0 -m32 -Werror -fPIC src/ld_preload_info.c -o bin/ld_preload_info_32.o -ldl
23 | gcc -c -static -shared -O0 -m64 -Werror -fPIC src/ld_preload_info.c -o bin/ld_preload_info_64.o -ldl
24 | 
25 | gcc -c -static -shared -O0 -m32 -Werror -fPIC src/ld_preload_fuzz.c -o bin/ld_preload_fuzz_32.o -ldl
26 | gcc -c -static -shared -O0 -m64 -Werror -fPIC src/ld_preload_fuzz.c -o bin/ld_preload_fuzz_64.o -ldl
27 | 
28 | gcc -c -static -shared -O0 -m32 -Werror -fPIC -DASAN_BUILD src/ld_preload_fuzz.c -o bin/ld_preload_fuzz_32_asan.o -ldl
29 | gcc -c -static -shared -O0 -m64 -Werror -fPIC -DASAN_BUILD src/ld_preload_fuzz.c -o bin/ld_preload_fuzz_64_asan.o -ldl
30 | 
31 | gcc -c -static -O0 -m32 -Werror src/userspace_loader.c -o bin/userspace_loader_32.o
32 | gcc -c -static -O0 -m64 -Werror src/userspace_loader.c -o bin/userspace_loader_64.o
33 | 
34 | popd
35 | 


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/initrd/.gitignore:
--------------------------------------------------------------------------------
1 | *.cpio.gz
2 | initrd/
3 | 


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/initrd/pack.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | #
 3 | # This file is part of Redqueen.
 4 | #
 5 | # Copyright 2019 Sergej Schumilo, Cornelius Aschermann
 6 | # Copyright 2020 Intel Corporation
 7 | #
 8 | # SPDX-License-Identifier: MIT
 9 | #
10 | 
11 | set -e
12 | 
13 | SCRIPT_ROOT="$(dirname ${PWD}/${0})"
14 | DEST=${SCRIPT_ROOT}/initrd
15 | TEMP=${SCRIPT_ROOT}/template
16 | 
17 | 
18 | error_exit() {
19 | 
20 | 	echo "Fatal error: $1"
21 | 	echo
22 | 	echo "Usage:"
23 | 	echo "   $0 <output_initrd> <fuzz_agent> [other_agent]..."
24 | 	exit
25 | }
26 | 
27 | test -d "$TEMP" || error_exit "Could not find initrd template in >>$TEMP<<"
28 | test -x "$DEST" && error_exit "Target directory >>$DEST<< already exists."
29 | 
30 | # check arguments for optional output file
31 | OUTPUT_FILE="$1"; shift || error_exit "Missing argument <output_initrd>"
32 | DEFAULT_AGENT="$1"; shift || error_exit "Missing argument <fuzz_agent>"
33 | BUSYBOX=$(which busybox) || error_exit "Could not find busybox binary."
34 | 
35 | touch -- "$OUTPUT_FILE" || error_exit "Failed accessing desired output file >>$OUTPUT_FILE<<."
36 | 
37 | echo "[*] Creating target initrd at $DEST"
38 | cp -a "$TEMP" "$DEST"
39 | for lib in \
40 | 	lib/ld-linux.so.2 \
41 | 	lib64/ld-linux-x86-64.so.2 \
42 | 	lib/x86_64-linux-gnu/libc.so.6 \
43 | 	lib/x86_64-linux-gnu/libdl.so.2 \
44 | 	lib/i386-linux-gnu/libc.so.6 \
45 | 	lib/i386-linux-gnu/libdl.so.2;
46 | do
47 | 	cp -v "/$lib" "$DEST/$lib"
48 | done
49 | 
50 | echo "[*] Adding desired agent(s)..."
51 | mkdir $DEST/target/
52 | for agent in "$DEFAULT_AGENT" "$@"; do
53 | 	cp -v "$agent" "$DEST"/target/ || error_exit "Failed adding agent >>$agent<< to initrd."
54 | done
55 | 
56 | TMPFILE=$(tempfile)
57 | 
58 | pushd "$DEST" > /dev/null
59 | 	chmod 755 init
60 | 	cp $BUSYBOX bin/ && ./bin/busybox --install bin/
61 | 	ln bin/busybox linuxrc
62 | 	find . -print0 | cpio --null -ov --format=newc  2> /dev/null | gzip -4 > "$TMPFILE" 2> /dev/null
63 | popd > /dev/null
64 | 
65 | mv $TMPFILE $OUTPUT_FILE
66 | rm -f $TMPFILE
67 | 
68 | [ -d "$DEST" ] && rm -rf "$DEST"
69 | 
70 | echo "[*] Successfully created initrd at $OUTPUT_FILE"
71 | echo
72 | 
73 | 


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/initrd/run_vm.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | #
 3 | # This file is part of Redqueen.
 4 | #
 5 | # Copyright 2019 Sergej Schumilo, Cornelius Aschermann
 6 | # SPDX-License-Identifier: MIT
 7 | #
 8 | 
 9 | # You can test the initramfs in Qemu like as shown below.
10 | # To run with the modified kAFL/Qemu, disable reload+snapshots.
11 | ./qemu-4.0.0/x86_64-softmmu/qemu-system-x86_64 \
12 | 	-kernel /boot/vmlinuz-5.4.34-kAFL+ \
13 | 	-initrd targets/linux_x86_64-initramfs/init_debug_shell.cpio.gz \
14 | 	-serial mon:stdio -enable-kvm -m 500 -append "root=/dev/sda console=ttyS0" \
15 | 	-nographic -device kafl,reload_mode=False,disable_snapshot=True
16 | 


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/initrd/template/dev/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/targets.old/linux_x86_64-userspace/initrd/template/dev/.gitkeep


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/initrd/template/etc/nsswitch.conf:
--------------------------------------------------------------------------------
 1 | # /etc/nsswitch.conf
 2 | #
 3 | # Example configuration of GNU Name Service Switch functionality.
 4 | # If you have the `glibc-doc-reference' and `info' packages installed, try:
 5 | # `info libc "Name Service Switch"' for information about this file.
 6 | 
 7 | passwd:         compat
 8 | group:          compat
 9 | shadow:         compat
10 | 
11 | hosts:          files mdns4_minimal [NOTFOUND=return] dns
12 | networks:       files
13 | 
14 | protocols:      db files
15 | services:       db files
16 | ethers:         db files
17 | rpc:            db files
18 | 
19 | netgroup:       nis
20 | 


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/initrd/template/etc/passwd:
--------------------------------------------------------------------------------
1 | root:x:0:0:root:/root:/bin/sh
2 | nobody:x:1000:1000:nobody:/nonexistent:/bin/sh
3 | 


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/initrd/template/init:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | # 
 3 | # This file is part of Redqueen.
 4 | #
 5 | # Sergej Schumilo, 2019 <sergej@schumilo.de> 
 6 | # Cornelius Aschermann, 2019 <cornelius.aschermann@rub.de> 
 7 | # 
 8 | # This program is free software: you can redistribute it and/or modify
 9 | # it under the terms of the GNU Affero General Public License as published by
10 | # the Free Software Foundation, either version 3 of the License, or
11 | # (at your option) any later version.
12 | #
13 | # This program is distributed in the hope that it will be useful,
14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16 | # GNU Affero General Public License for more details.
17 | #
18 | # You should have received a copy of the GNU Affero General Public License
19 | # along with Redqueen.  If not, see <http://www.gnu.org/licenses/>.
20 | #
21 | 
22 | mount -t proc none /proc
23 | mount -t sysfs none /sys
24 | mount -t debugfs none /sys/kernel/debug
25 | mount -t devtmpfs none /dev
26 | mount -t tmpfs none /tmp
27 | chmod 777 / /tmp
28 | 
29 | echo "7" > /proc/sys/kernel/printk
30 | echo "0" >  /proc/sys/kernel/printk_ratelimit 
31 | echo "19999999" >  /proc/sys/kernel/printk_ratelimit_burst
32 | echo "1" > /proc/sys/kernel/panic_on_oops
33 | 
34 | 
35 | # set cmdline as script arguments, then eval() anything we recognize
36 | set -- $(cat /proc/cmdline)
37 | for arg in "$@"; do
38 | 	case "$arg" in
39 | 		kafl_agent=*)
40 | 			eval "$arg"
41 | 			;;
42 | 	esac
43 | done
44 | 
45 | # if kafl_agent points to valid executable, assume this is the intended target
46 | test -x "$kafl_agent" && exec $kafl_agent
47 | 
48 | # fallback: launch option set by pack.sh
49 | /bin/sh /target/fuzz.sh
50 | 


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/initrd/template/lib/i386-linux-gnu/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/targets.old/linux_x86_64-userspace/initrd/template/lib/i386-linux-gnu/.gitkeep


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/initrd/template/lib/x86_64-linux-gnu/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/targets.old/linux_x86_64-userspace/initrd/template/lib/x86_64-linux-gnu/.gitkeep


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/initrd/template/lib64/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/targets.old/linux_x86_64-userspace/initrd/template/lib64/.gitkeep


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/initrd/template/proc/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/targets.old/linux_x86_64-userspace/initrd/template/proc/.gitkeep


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/initrd/template/sbin:
--------------------------------------------------------------------------------
1 | bin


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/initrd/template/sys/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/targets.old/linux_x86_64-userspace/initrd/template/sys/.gitkeep


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/initrd/template/tmp/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/kafl/targets.old/linux_x86_64-userspace/initrd/template/tmp/.gitkeep


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/initrd/template/usr/bin:
--------------------------------------------------------------------------------
1 | ../bin/


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/initrd/template/usr/sbin:
--------------------------------------------------------------------------------
1 | ../bin/


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64-userspace/src/ld_preload_info.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * This file is part of Redqueen.
 3 |  *
 4 |  * Copyright 2019 Sergej Schumilo, Cornelius Aschermann
 5 |  *
 6 |  * SPDX-License-Identifier: MIT
 7 |  */
 8 | 
 9 | #define _GNU_SOURCE
10 | 
11 | #include <sys/mman.h>
12 | #include <dlfcn.h>
13 | #include <stdint.h>
14 | #include <sys/types.h>
15 | #include <unistd.h>
16 | #include <string.h>
17 | #include <stdlib.h>
18 | 
19 | #include "../../kafl_user.h"
20 | 
21 | int __libc_start_main(int (*main) (int,char **,char **),
22 | 		      int argc,char **ubp_av,
23 | 		      void (*init) (void),
24 | 		      void (*fini)(void),
25 | 		      void (*rtld_fini)(void),
26 | 		      void (*stack_end)) {
27 | 
28 |     hprintf("LD_PRELOAD hprintf :)\n");
29 | 
30 |     char filename[256];
31 |     void* info_buffer = mmap((void*)NULL, INFO_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
32 |     memset(info_buffer, 0xff, INFO_SIZE);
33 | 
34 |     hprintf("LD_PRELOAD hprintf :)\n");    
35 |   	hprintf("Own pid is %d\n", getpid());
36 | 
37 |   	snprintf(filename, 256, "/proc/%d/maps", getpid());
38 |   	hprintf("proc filename: %s\n", filename);
39 | 
40 |   	FILE* f = fopen(filename, "r");
41 |   	uint16_t len = fread(info_buffer, 1, INFO_SIZE, f);
42 |   	fclose(f);
43 | 
44 |   	((char*)info_buffer)[len] = '\0';
45 | 
46 |  	  hprintf("Transfer data to hypervisor\n");
47 | 
48 |     kAFL_hypercall(HYPERCALL_KAFL_INFO, (uintptr_t)info_buffer);
49 | 
50 |     return 0;
51 | }
52 | 


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64/.gitignore:
--------------------------------------------------------------------------------
1 | bin/
2 | 


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64/src/fuzzer/hprintf_test.c:
--------------------------------------------------------------------------------
 1 | /*
 2 | 
 3 | Copyright (C) 2017 Sergej Schumilo
 4 | 
 5 | This file is part of kAFL Fuzzer (kAFL).
 6 | 
 7 | QEMU-PT is free software: you can redistribute it and/or modify
 8 | it under the terms of the GNU General Public License as published by
 9 | the Free Software Foundation, either version 2 of the License, or
10 | (at your option) any later version.
11 | 
12 | QEMU-PT is distributed in the hope that it will be useful,
13 | but WITHOUT ANY WARRANTY; without even the implied warranty of
14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15 | GNU General Public License for more details.
16 | 
17 | You should have received a copy of the GNU General Public License
18 | along with QEMU-PT.  If not, see <http://www.gnu.org/licenses/>.
19 | 
20 | */
21 | 
22 | #include <stdlib.h>
23 | #include <unistd.h>
24 | #include <stdint.h>
25 | #include <string.h>
26 | #include <stdio.h>
27 | #include <fcntl.h>
28 | #include <sys/mman.h>
29 | #include "kafl_user.h"
30 | 
31 | int main(int argc, char** argv)
32 | {
33 | 	int kafl_vuln_fd;
34 | 	hprintf("Starting... %s\n", argv[0]);
35 | 	hprintf("Allocating buffer for kAFL_payload struct\n");
36 | 	kAFL_payload* payload_buffer = mmap((void*)NULL, PAYLOAD_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
37 | 	hprintf("Memset kAFL_payload at address %lx (size %d)\n", (uint64_t) payload_buffer, PAYLOAD_SIZE);
38 | 	memset(payload_buffer, 0xff, PAYLOAD_SIZE);
39 | 	hprintf("Attempt to open vulnerable device file (%s)\n", "/proc/kafl_vuln");
40 | 	kafl_vuln_fd = open("/proc/kafl_vuln", O_WRONLY | O_SYNC, 0);
41 | 	hprintf("Submitting buffer address to hypervisor...\n");
42 | 	kAFL_hypercall(HYPERCALL_KAFL_GET_PAYLOAD, (uint64_t)payload_buffer);
43 | 	hprintf("Submitting current CR3 value to hypervisor...\n");
44 | 	kAFL_hypercall(HYPERCALL_KAFL_SUBMIT_CR3, 0);
45 | 	hprintf("Starting kAFL loop...\n");
46 | 	while(1){
47 | 			kAFL_hypercall(HYPERCALL_KAFL_NEXT_PAYLOAD, 0);
48 | 			kAFL_hypercall(HYPERCALL_KAFL_ACQUIRE, 0); 
49 | 			hprintf("Injecting data...\n");
50 | 			write(kafl_vuln_fd, payload_buffer->data, payload_buffer->size);
51 | 			hprintf("Injection finished...\n");
52 | 			kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0);
53 | 	}
54 | 	return 0;
55 | }
56 | 


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64/src/fuzzer/kafl_vuln_json.c:
--------------------------------------------------------------------------------
 1 | /*
 2 | 
 3 | Copyright (C) 2017 Sergej Schumilo
 4 | 
 5 | This file is part of kAFL Fuzzer (kAFL).
 6 | 
 7 | QEMU-PT is free software: you can redistribute it and/or modify
 8 | it under the terms of the GNU General Public License as published by
 9 | the Free Software Foundation, either version 2 of the License, or
10 | (at your option) any later version.
11 | 
12 | QEMU-PT is distributed in the hope that it will be useful,
13 | but WITHOUT ANY WARRANTY; without even the implied warranty of
14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15 | GNU General Public License for more details.
16 | 
17 | You should have received a copy of the GNU General Public License
18 | along with QEMU-PT.  If not, see <http://www.gnu.org/licenses/>.
19 | 
20 | */
21 | 
22 | #include <stdlib.h>
23 | #include <unistd.h>
24 | #include <stdint.h>
25 | #include <string.h>
26 | #include <stdio.h>
27 | #include <fcntl.h>
28 | #include <sys/mman.h>
29 | #include "kafl_user.h"
30 | 
31 | /* printk support */
32 | static inline uint64_t get_address(char* identifier) {
33 |     FILE * fp;
34 |     char * line = NULL;
35 |     ssize_t read;
36 |     ssize_t len;
37 |     char *tmp;
38 |     uint64_t address = 0x0;
39 |     uint8_t identifier_len = strlen(identifier);
40 | 
41 |     fp = fopen("/proc/kallsyms", "r");
42 |     if (fp == NULL){
43 |         return address;
44 |     }
45 | 
46 |     while ((read = getline(&line, &len, fp)) != -1) {
47 |         if(strlen(line) > identifier_len && !strcmp(line + strlen(line) - identifier_len, identifier)){
48 |                 address = strtoull(strtok(line, " "), NULL, 16);
49 |                 break;
50 |         }
51 |     }
52 | 
53 |     fclose(fp);
54 |     if (line){
55 |         free(line);
56 |     }
57 |     return address;
58 | }
59 | 
60 | 
61 | int main(int argc, char** argv)
62 | {
63 | 	int kafl_vuln_fd;
64 | 	kAFL_payload* payload_buffer = mmap((void*)NULL, PAYLOAD_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
65 | 	memset(payload_buffer, 0xff, PAYLOAD_SIZE);
66 | 	kafl_vuln_fd = open("/proc/kafl_vuln_json", O_WRONLY | O_SYNC, 0);
67 | 	kAFL_hypercall(HYPERCALL_KAFL_GET_PAYLOAD, (uint64_t)payload_buffer);
68 | 	kAFL_hypercall(HYPERCALL_KAFL_SUBMIT_CR3, 0);
69 | 
70 | 	hprintf("printk: %lx\n", get_address("T printk\n"));
71 |     kAFL_hypercall(HYPERCALL_KAFL_PRINTK_ADDR, get_address("T printk\n"));
72 | 
73 | 	while(1){
74 | 			kAFL_hypercall(HYPERCALL_KAFL_NEXT_PAYLOAD, 0);
75 | 			kAFL_hypercall(HYPERCALL_KAFL_ACQUIRE, 0); 
76 | 			write(kafl_vuln_fd, payload_buffer->data, payload_buffer->size);
77 | 			kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0);
78 | 	}
79 | 	return 0;
80 | }
81 | 


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64/src/fuzzer/kafl_vuln_test.c:
--------------------------------------------------------------------------------
 1 | /*
 2 | 
 3 | Copyright (C) 2017 Sergej Schumilo
 4 | 
 5 | This file is part of kAFL Fuzzer (kAFL).
 6 | 
 7 | QEMU-PT is free software: you can redistribute it and/or modify
 8 | it under the terms of the GNU General Public License as published by
 9 | the Free Software Foundation, either version 2 of the License, or
10 | (at your option) any later version.
11 | 
12 | QEMU-PT is distributed in the hope that it will be useful,
13 | but WITHOUT ANY WARRANTY; without even the implied warranty of
14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15 | GNU General Public License for more details.
16 | 
17 | You should have received a copy of the GNU General Public License
18 | along with QEMU-PT.  If not, see <http://www.gnu.org/licenses/>.
19 | 
20 | */
21 | 
22 | #include <stdlib.h>
23 | #include <unistd.h>
24 | #include <stdint.h>
25 | #include <string.h>
26 | #include <stdio.h>
27 | #include <fcntl.h>
28 | #include <sys/mman.h>
29 | #include "kafl_user.h"
30 | 
31 | /* printk support */
32 | static inline uint64_t get_address(char* identifier) {
33 |     FILE * fp;
34 |     char * line = NULL;
35 |     ssize_t read;
36 |     ssize_t len;
37 |     char *tmp;
38 |     uint64_t address = 0x0;
39 |     uint8_t identifier_len = strlen(identifier);
40 | 
41 |     fp = fopen("/proc/kallsyms", "r");
42 |     if (fp == NULL){
43 |         return address;
44 |     }
45 | 
46 |     while ((read = getline(&line, &len, fp)) != -1) {
47 |         if(strlen(line) > identifier_len && !strcmp(line + strlen(line) - identifier_len, identifier)){
48 |                 address = strtoull(strtok(line, " "), NULL, 16);
49 |                 break;
50 |         }
51 |     }
52 | 
53 |     fclose(fp);
54 |     if (line){
55 |         free(line);
56 |     }
57 |     return address;
58 | }
59 | 
60 | 
61 | int main(int argc, char** argv)
62 | {
63 | 	int kafl_vuln_fd;
64 | 	kAFL_payload* payload_buffer = mmap((void*)NULL, PAYLOAD_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
65 | 	memset(payload_buffer, 0xff, PAYLOAD_SIZE);
66 | 	kafl_vuln_fd = open("/proc/kafl_vuln", O_WRONLY | O_SYNC, 0);
67 | 	kAFL_hypercall(HYPERCALL_KAFL_GET_PAYLOAD, (uint64_t)payload_buffer);
68 | 	kAFL_hypercall(HYPERCALL_KAFL_SUBMIT_CR3, 0);
69 | 
70 | 	hprintf("printk: %lx\n", get_address("T printk\n"));
71 |     kAFL_hypercall(HYPERCALL_KAFL_PRINTK_ADDR, get_address("T printk\n"));
72 | 
73 | 	while(1){
74 | 			kAFL_hypercall(HYPERCALL_KAFL_NEXT_PAYLOAD, 0);
75 | 			kAFL_hypercall(HYPERCALL_KAFL_ACQUIRE, 0); 
76 | 			write(kafl_vuln_fd, payload_buffer->data, payload_buffer->size);
77 | 			kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0);
78 | 	}
79 | 	return 0;
80 | }
81 | 


--------------------------------------------------------------------------------
/kafl/targets.old/linux_x86_64/src/loader/stage2_loader.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * This file is part of kAFL.
 3 |  *
 4 |  * Copyright 2017-2019 Sergej Schumilo, Cornelius Aschermann
 5 |  *
 6 |  * SPDX-License-Identifier: MIT
 7 | */
 8 | 
 9 | #define _GNU_SOURCE 
10 | 
11 | #include <stdio.h>
12 | #include <string.h>
13 | #include <stdlib.h>
14 | #include <sys/mman.h>
15 | #include <unistd.h>
16 | #include <stdint.h>
17 | #include <sys/wait.h>
18 | #include <errno.h>
19 | #include <fcntl.h>
20 | #include <stdint.h>
21 | #include <stdbool.h>
22 | 
23 | #include "kafl_user.h"
24 | 
25 | extern uint8_t _binary_target_start;
26 | extern uint8_t _binary_target_end;
27 | extern uint8_t _binary_target_size;
28 | 
29 | extern uint32_t modules;
30 | extern uint8_t* module_address_start[];
31 | extern uint8_t* module_address_end[];
32 | extern char* module_name[];
33 | 
34 | static void copy_binary(char* name, char* path, void* start_address, void* end_address, bool load){
35 | 	char* load_cmd; 
36 | 	int payload_file;
37 | 	char* full_path;
38 | 	hprintf("<<%s>>\n", name);
39 | 	uint64_t size = end_address-start_address;
40 | 	hprintf("[!] binary (%s) is %d bytes in size...\n", name, size);
41 | 	asprintf(&full_path, "%s/%s", path, name);
42 | 	hprintf("[!] writing to \"%s\"\n", full_path);
43 | 	payload_file = open(full_path, O_RDWR | O_CREAT | O_SYNC, 0777);
44 | 	write(payload_file, (void*)start_address, size);
45 | 	hprintf("[*] write: %s\n", strerror(errno));
46 | 	close(payload_file);
47 | 	hprintf("[*] close: %s\n\n", strerror(errno));
48 | 	if(load){
49 | 		asprintf(&load_cmd, "insmod %s/%s", path, name);
50 | 		hprintf("[*] exec: %s => %d\n", load_cmd, system(load_cmd));
51 | 	}
52 | }
53 | 
54 | static inline void load_programm(void* filepath){
55 | 	int payload_file;
56 | 	char* newenviron[] = {NULL};
57 | 	char* newargv[] = {filepath, NULL};
58 | 
59 | 	payload_file = open(filepath, O_RDONLY);
60 | 	fexecve(payload_file, newargv, newenviron);
61 | 	hprintf("%s failed\n", __func__);
62 | }
63 | 
64 | int main(int argc, char** argv){
65 | 	char va_space_result;
66 | 	int pid, fd;
67 | 
68 | 	/* check if uid == 0 */
69 | 	if(getuid()){
70 | 	hprintf("Oops...no root creds?\n");
71 | 	return 1;
72 | 	}
73 | 	hprintf("[*] getuid() == 0\n");
74 | 
75 | 	copy_binary("fuzzer", "/tmp", (void*)&_binary_target_start, (void*)&_binary_target_end, false);
76 | 
77 | 	hprintf("Modules: %d\n", modules);
78 | 	for(uint32_t i = 0; i < modules; i++){
79 | 		hprintf("%s\n", module_name[i]);
80 | 		copy_binary(module_name[i], "/tmp", (void*)module_address_start[i], (void*)module_address_end[i], true);
81 | 	}
82 | 
83 | 	hprintf("DONE\n");
84 | 
85 | 	load_programm("/tmp/fuzzer");
86 | 	hprintf("ERROR\n");
87 | 
88 | 	while(1){};
89 | 	return 0;
90 | }
91 | 


--------------------------------------------------------------------------------
/kafl/tools/mcat.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | #
 3 | # Copyright 2019 Sergej Schumilo, Cornelius Aschermann, Tim Blazytko
 4 | # Copyright 2020 Intel Corporation
 5 | #
 6 | # SPDX-License-Identifier: AGPL-3.0-or-later
 7 | 
 8 | """
 9 | Pretty-Pring msgpack files produced by kAFL
10 | """
11 | 
12 | import os
13 | import sys
14 | 
15 | import msgpack
16 | from pprint import pprint
17 | 
18 | sys.path.insert(0, os.path.dirname(os.path.realpath(__file__)) + "/../kAFL-Fuzzer/")
19 | from common.util import read_binary_file
20 | 
21 | for arg in sys.argv[1:]:
22 |     pprint(msgpack.unpackb(read_binary_file(arg), raw=False, strict_map_key=False))
23 | 


--------------------------------------------------------------------------------
/native-sgx-runner/CMakeLists.txt:
--------------------------------------------------------------------------------
 1 | cmake_minimum_required(VERSION 3.16)
 2 | 
 3 | project(native-sgx-runner)
 4 | set(CMAKE_CXX_STANDARD 20)
 5 | 
 6 | set(source
 7 | 		NativeEnclave.cpp
 8 | 		buffer/GuardedBuffer.cpp
 9 | 		InputNode.hpp
10 | 		)
11 | 
12 | if (DEFINED ENCLAVE_PATH)
13 | 	add_definitions(-DENCLAVE_PATH=${ENCLAVE_PATH})
14 | endif ()
15 | if (DEFINED TCS_PAGE)
16 | 	add_definitions(-DTCS_PAGE=${TCS_PAGE})
17 | endif ()
18 | if (DEFINED ENCLAVE_LAYOUT_PATH)
19 | 	add_definitions(-DENCLAVE_LAYOUT_PATH=${ENCLAVE_LAYOUT_PATH})
20 | endif ()
21 | if (DEFINED NO_VM_RELOAD)
22 | 	add_definitions(-DNO_VM_RELOAD=0${NO_VM_RELOAD})
23 | endif ()
24 | 
25 | add_library(libnyx_dummy SHARED libnyx.c)
26 | add_executable(fuzz-generic main-generic.cpp ${source})
27 | target_link_libraries(fuzz-generic PRIVATE libnyx_dummy)
28 | 


--------------------------------------------------------------------------------
/native-sgx-runner/InputMutator.h:
--------------------------------------------------------------------------------
 1 | 
 2 | #include <utility>
 3 | 
 4 | #include "NativeEnclave.h"
 5 | #include "InputNode.hpp"
 6 | 
 7 | #ifndef NATIVE_SGX_RUNNER_INPUTMUTATOR_H
 8 | #define NATIVE_SGX_RUNNER_INPUTMUTATOR_H
 9 | 
10 | enum MutatorStage {
11 |     DETERMINISTIC,
12 |     RANDOM,
13 |     TESTCASE_BASED,
14 | };
15 | 
16 | class InputMutator {
17 |     std::function<void(InputNode&)> post = [](InputNode&) {};
18 |     MutatorStage stage = DETERMINISTIC;
19 | 
20 |     static const int MAX_RND_TESTS = 100;
21 |     int rnd_tests = MAX_RND_TESTS;
22 | 
23 |     std::vector<char> base_testcase;
24 |     int base_test_mutation_offset = 0;
25 | public:
26 |     static void fillRandom(InputNode& in, uint64_t seed = 0);
27 |     static void fillDeterministic(InputNode& in);
28 | 
29 |     void setPostProcess(std::function<void(InputNode&)> f) { post = std::move(f); }
30 | 
31 |     void setStageDeterministic() { stage = DETERMINISTIC; }
32 |     void setStageRandom(int tests = MAX_RND_TESTS) { stage = RANDOM, rnd_tests = tests; }
33 |     void setStageTestcase(std::vector<char> testcase = {}) { stage = TESTCASE_BASED, base_test_mutation_offset = 0, base_testcase = std::move(testcase); }
34 | 
35 |     bool mutate(InputNode& in, uintptr_t fault);
36 | private:
37 |     bool mutateFromBase(InputNode& in);
38 | };
39 | 
40 | 
41 | #endif //NATIVE_SGX_RUNNER_INPUTMUTATOR_H
42 | 


--------------------------------------------------------------------------------
/native-sgx-runner/buffer/Buffer.h:
--------------------------------------------------------------------------------
 1 | #ifndef NATIVE_SGX_RUNNER_BUFFER_H
 2 | #define NATIVE_SGX_RUNNER_BUFFER_H
 3 | 
 4 | #include <cstring>
 5 | 
 6 | class Buffer {
 7 | protected:
 8 |     char* buf = nullptr;
 9 |     size_t len = 0;
10 | 
11 | public:
12 |     explicit Buffer() = default;
13 |     virtual ~Buffer() = default;
14 |     Buffer(const Buffer&) = delete;
15 | 
16 |     [[nodiscard]] virtual char* getBuf() const { return buf; }
17 |     [[nodiscard]] virtual size_t getLen() const { return len; }
18 | 
19 |     virtual bool isInGuardPage(void* addr) const { return false; }
20 |     virtual bool isReadable() const { return true; }
21 | 
22 |     [[nodiscard]] virtual bool resize(size_t new_len) = 0;
23 |     [[nodiscard]] virtual bool set_data(size_t offset, const char* data, size_t data_len) {
24 |         if (getLen() < offset + data_len)
25 |             if (!resize(offset + data_len))
26 |                 return false;
27 |         if (data)
28 |             memcpy(&buf[offset], data, data_len);
29 |         else
30 |             bzero(&buf[offset], data_len);
31 |         return true;
32 |     }
33 | };
34 | 
35 | #endif //NATIVE_SGX_RUNNER_BUFFER_H
36 | 


--------------------------------------------------------------------------------
/native-sgx-runner/buffer/GuardedBuffer.cpp:
--------------------------------------------------------------------------------
 1 | 
 2 | #include "GuardedBuffer.h"
 3 | #include <sys/mman.h>
 4 | #include <cassert>
 5 | #include <cstdint>
 6 | #include <cstring>
 7 | 
 8 | #include <errno.h>
 9 | #include <stdio.h>
10 | extern "C" {
11 | #include "../libnyx.h"
12 | #include "../../packer/agents/nyx.h"
13 | }
14 | 
15 | GuardedBuffer::GuardedBuffer(size_t new_len) {
16 |     internal_size = new_len / PAGE_SIZE * PAGE_SIZE + PAGE_SIZE;
17 |     if (new_len % PAGE_SIZE != 0)
18 |         internal_size += PAGE_SIZE;
19 | 
20 |     internal_addr = mmap(nullptr, internal_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
21 |     if(internal_addr == MAP_FAILED)
22 |     kAFL_hypercall(HYPERCALL_KAFL_PANIC_EXTENDED, (uint64_t) &errno);
23 | //    dprintf(2, "errno: %d\n", errno);
24 |     assert(internal_addr != MAP_FAILED);
25 |     assert(mprotect((void*) ((uintptr_t) internal_addr + internal_size - PAGE_SIZE), PAGE_SIZE, PROT_NONE) == 0);
26 | 
27 |     assert(resize(new_len));
28 | }
29 | 
30 | GuardedBuffer::~GuardedBuffer() {
31 |     munmap(internal_addr, internal_size);
32 | }
33 | bool GuardedBuffer::resize(size_t new_len) {
34 |     if (new_len > internal_size - PAGE_SIZE)
35 |         return false;
36 | 
37 |     void* old_buf = buf;
38 |     size_t old_len = len;
39 | 
40 |     len = new_len;
41 |     buf = (char*) ((uintptr_t) internal_addr + internal_size - len - PAGE_SIZE);
42 | 
43 |     if (old_buf)
44 |         memmove(buf, old_buf, old_len < len ? old_len : len);
45 | 
46 |     return true;
47 | }
48 | 
49 | bool GuardedBuffer::isInGuardPage(void* addr) const {
50 |     return (uintptr_t) internal_addr + internal_size - PAGE_SIZE <= (uintptr_t) addr && (uintptr_t) addr < (uintptr_t) internal_addr + internal_size;
51 | }
52 | 


--------------------------------------------------------------------------------
/native-sgx-runner/buffer/GuardedBuffer.h:
--------------------------------------------------------------------------------
 1 | #ifndef NATIVE_SGX_RUNNER_GUARDEDBUFFER_H
 2 | #define NATIVE_SGX_RUNNER_GUARDEDBUFFER_H
 3 | 
 4 | #include <cstddef>
 5 | #include <cstdint>
 6 | 
 7 | #include "Buffer.h"
 8 | 
 9 | #ifndef PAGE_SIZE
10 | #define PAGE_SIZE 0x1000
11 | #endif
12 | 
13 | class GuardedBuffer : public Buffer {
14 | private:
15 |     void* internal_addr = nullptr;
16 |     size_t internal_size = 0;
17 | 
18 | public:
19 |     explicit GuardedBuffer(size_t new_len = sizeof(void*));
20 |     ~GuardedBuffer() override;
21 | 
22 |     bool isInGuardPage(void* addr) const override;
23 | 
24 |     [[nodiscard]] bool resize(size_t new_len) override;
25 | };
26 | 
27 | 
28 | #endif //NATIVE_SGX_RUNNER_GUARDEDBUFFER_H
29 | 


--------------------------------------------------------------------------------
/native-sgx-runner/buffer/PartialEnclaveBuffer.h:
--------------------------------------------------------------------------------
 1 | #ifndef NATIVE_SGX_RUNNER_PARTIALENCLAVEBUFFER_H
 2 | #define NATIVE_SGX_RUNNER_PARTIALENCLAVEBUFFER_H
 3 | 
 4 | #include <cstddef>
 5 | #include <sys/mman.h>
 6 | 
 7 | #include "../NativeEnclave.h"
 8 | #include "Buffer.h"
 9 | 
10 | #ifndef MAP_FIXED_NOREPLACE
11 | #define MAP_FIXED_NOREPLACE 0x10000
12 | #endif
13 | 
14 | #define INENCLAVE_PART 1
15 | 
16 | class PartialEnclaveBuffer : public Buffer {
17 | protected:
18 |     void* internal_addr;
19 |     bool readable;
20 | public:
21 |     explicit PartialEnclaveBuffer(NativeEnclave* enclave, bool readable = true, size_t new_len = sizeof(void*)) : readable(readable) {
22 |         assert(enclave);
23 |         auto perm = PROT_READ | PROT_WRITE;
24 |         if (!readable)
25 |             perm = 0;
26 |         internal_addr = mmap((void*) (enclave->getBase() - PAGE_SIZE), PAGE_SIZE, perm, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
27 |         assert(resize(new_len));
28 |     }
29 |     ~PartialEnclaveBuffer() override {
30 |         munmap(internal_addr, PAGE_SIZE);
31 |     };
32 | 
33 |     bool isInGuardPage(void* addr) const override {
34 |         return (uintptr_t) internal_addr + PAGE_SIZE + INENCLAVE_PART <= (uintptr_t) addr && (uintptr_t) addr < (uintptr_t) internal_addr + 2 * PAGE_SIZE;
35 |     }
36 | 
37 |     bool isReadable() const override { return readable; }
38 | 
39 |     bool resize(size_t new_len) override {
40 |         if (new_len > PAGE_SIZE)
41 |             return false;
42 | 
43 |         const void* old_buf = buf;
44 |         const size_t old_len = len;
45 | 
46 |         len = new_len;
47 |         buf = (char*) ((uintptr_t) internal_addr + PAGE_SIZE - len + INENCLAVE_PART);
48 | 
49 |         if (new_len)
50 |             memmove(buf, old_buf, old_len < (len - INENCLAVE_PART) ? old_len : (len - INENCLAVE_PART));
51 | 
52 |         return true;
53 |     };
54 | 
55 |     bool set_data(size_t offset, const char* data, size_t data_len) override {
56 |         if (getLen() < offset + data_len) {
57 |             if (!resize(offset + data_len))
58 |                 return false;
59 |         }
60 | 
61 |         if (!readable)
62 |             return true; // ignore write
63 | 
64 |         size_t copy_len = data_len;
65 |         if (offset + data_len > len - INENCLAVE_PART) {
66 |             copy_len = len - INENCLAVE_PART - offset;
67 |         }
68 | 
69 |         if (data)
70 |             memcpy(&buf[offset], data, copy_len);
71 |         else
72 |             bzero(&buf[offset], copy_len);
73 |         return true;
74 |     }
75 | };
76 | 
77 | 
78 | #endif //NATIVE_SGX_RUNNER_PARTIALENCLAVEBUFFER_H
79 | 


--------------------------------------------------------------------------------
/native-sgx-runner/libnyx.c:
--------------------------------------------------------------------------------
 1 | #include <stdlib.h>
 2 | #include <stdio.h>
 3 | #include "libnyx.h"
 4 | 
 5 | void nyx_init(void) {}
 6 | 
 7 | void ijon_max(uint8_t id, uint64_t value) {}
 8 | void report_struct_synth_addrs(const char* addrs, size_t len) {}
 9 | void report_crashing_addr(ucontext_t* context) {}
10 | 


--------------------------------------------------------------------------------
/native-sgx-runner/libnyx.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | 
3 | #include <stdint.h>
4 | #include <ucontext.h>
5 | 
6 | void nyx_init(void);
7 | void ijon_max(uint8_t id, uint64_t value);
8 | void report_struct_synth_addrs(const char* addrs, size_t len);
9 | void report_crashing_addr(ucontext_t* context);


--------------------------------------------------------------------------------
/native-sgx-runner/make-enclave-fuzz-target.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | set -eo pipefail
 4 | 
 5 | ENCLAVE=$(realpath "$1")
 6 | TCS=$(realpath "$2")
 7 | 
 8 | BASE=$(dirname "$(realpath "$0")")
 9 | LAYOUT=$(dirname "$ENCLAVE")/$(basename -s .mem "$ENCLAVE").layout
10 | 
11 | if [[ $3 == "--no-reload" ]]; then
12 |   echo "No VM reloading..."
13 |   RELOAD="-DNO_VM_RELOAD=1 -DCMAKE_BUILD_TYPE=Debug"
14 | else
15 |   RELOAD="-DNO_VM_RELOAD=0 -DCMAKE_BUILD_TYPE=Debug"
16 | fi
17 | 
18 | rm -rf "$BASE/build"
19 | mkdir -p "$BASE/build"
20 | pushd "$BASE/build"
21 | cmake "-DENCLAVE_PATH=$ENCLAVE" "-DTCS_PAGE=$(head -1 "$TCS")" "-DENCLAVE_LAYOUT_PATH=$LAYOUT" $RELOAD .. && make fuzz-generic
22 | TARGET=$(realpath fuzz-generic)
23 | popd
24 | 
25 | cp "$TARGET" "$(basename "$ENCLAVE")".fuzz
26 | 


--------------------------------------------------------------------------------
/packer/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | 


--------------------------------------------------------------------------------
/packer/linux_initramfs/bzImage-linux-4.15-rc7:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/bzImage-linux-4.15-rc7


--------------------------------------------------------------------------------
/packer/linux_initramfs/pack.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | # 
 3 | # This file is part of Redqueen.
 4 | #
 5 | # Sergej Schumilo, 2019 <sergej@schumilo.de> 
 6 | # Cornelius Aschermann, 2019 <cornelius.aschermann@rub.de> 
 7 | # 
 8 | # This program is free software: you can redistribute it and/or modify
 9 | # it under the terms of the GNU Affero General Public License as published by
10 | # the Free Software Foundation, either version 3 of the License, or
11 | # (at your option) any later version.
12 | #
13 | # This program is distributed in the hope that it will be useful,
14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16 | # GNU Affero General Public License for more details.
17 | #
18 | # You should have received a copy of the GNU Affero General Public License
19 | # along with Redqueen.  If not, see <http://www.gnu.org/licenses/>.
20 | #
21 | 
22 | set -e
23 | 
24 | first_file() {
25 | 	\ls "$@" 2>/dev/null | head -1
26 | }
27 | 
28 | cd ../packer/linux_x86_64-userspace/
29 | sh compile_loader.sh
30 | cd -
31 | cp ../packer/linux_x86_64-userspace/bin64/loader rootTemplate/loader
32 | chmod +x rootTemplate/loader
33 | 
34 | mkdir -p rootTemplate/lib/ rootTemplate/lib64/ rootTemplate/lib/i386-linux-gnu/ rootTemplate/lib/x86_64-linux-gnu/
35 | 
36 | # cp /lib/ld-linux.so.2 rootTemplate/lib/ld-linux.so.2
37 | cp /lib64/ld-linux-x86-64.so.2 rootTemplate/lib64/ld-linux-x86-64.so.2
38 | cp "$(first_file /lib/x86_64-linux-gnu/libdl.so.2 /lib64/libdl.so.2)" rootTemplate/lib/x86_64-linux-gnu/libdl.so.2
39 | # cp /lib/i386-linux-gnu/libdl.so.2 rootTemplate/lib/i386-linux-gnu/libdl.so.2
40 | cp "$(first_file /lib/x86_64-linux-gnu/libc.so.6 /lib64/libc.so.6)" rootTemplate/lib/x86_64-linux-gnu/libc.so.6
41 | 
42 | # fix nasty nss bugs (getpwnam_r, ...)
43 | cp "$(first_file /lib/x86_64-linux-gnu/libnss_compat.so.2 /lib64/libnss_compat.so.2)" rootTemplate/lib/x86_64-linux-gnu/
44 | 
45 | cp -r "rootTemplate" "init"
46 | sed '/START/c\./loader' init/init_template > init/init
47 | chmod 755 "init/init"
48 | cd "init"
49 | 
50 | find . -print0 | cpio --null -ov --format=newc | gzip -9 > "../init.cpio.gz" 
51 | cd ../
52 | rm -r ./init/
53 | 
54 | 
55 | cp -r "rootTemplate" "init"
56 | sed '/START/c\sh' init/init_template > init/init
57 | chmod 755 "init/init"
58 | cd "init"
59 | 
60 | find . -print0 | cpio --null -ov --format=newc | gzip -9 > "../init_debug_shell.cpio.gz" 
61 | cd ../
62 | rm -r ./init/
63 | 
64 | rm -r rootTemplate/lib/
65 | rm -r rootTemplate/lib64/
66 | rm rootTemplate/loader
67 | 


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/ash:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/base64:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/bash:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/bin/bash


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/busybox:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/cat:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/catv:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/chattr:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/chgrp:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/chmod:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/chown:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/conspy:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/cp:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/cpio:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/cttyhack:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/date:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/dd:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/df:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/dmesg:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/dnsdomainname:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/dumpkmap:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/echo:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/ed:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/egrep:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/false:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/fatattr:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/fdflush:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/fgrep:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/file:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/bin/file


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/fsync:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/getSyms:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | echo START
3 | cat /proc/kallsyms
4 | echo END
5 | /sbin/poweroff -f
6 | 


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/getopt:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/grep:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/gunzip:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/gzip:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/hostname:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/hush:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/ionice:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/iostat:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/ipcalc:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/kbd_mode:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/kill:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/ldconfig:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/bin/ldconfig


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/linux32:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/linux64:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/ln:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/login:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/ls:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/lsattr:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/lzop:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/makemime:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/mkdir:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/mknod:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/mktemp:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/more:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/mount:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/mountpoint:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/mpstat:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/mt:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/mv:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/netstat:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/nice:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/pidof:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/ping:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/ping6:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/pipe_progress:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/printenv:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/ps:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/pwd:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/reformime:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/rev:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/rm:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/rmdir:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/rpm:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/run-parts:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/scriptreplay:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/sed:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/setarch:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/setserial:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/sh:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/sleep:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/stat:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/stty:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/su:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/sync:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/tar:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/touch:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/true:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/umount:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/uname:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/usleep:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/vi:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/watch:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/bin/zcat:
--------------------------------------------------------------------------------
1 | busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/dev/.empty:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/dev/.empty


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/etc/group:
--------------------------------------------------------------------------------
1 | nogroup:x:65534:
2 | 


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/etc/localtime:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/etc/localtime


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/etc/nsswitch.conf:
--------------------------------------------------------------------------------
 1 | # /etc/nsswitch.conf
 2 | #
 3 | # Example configuration of GNU Name Service Switch functionality.
 4 | # If you have the `glibc-doc-reference' and `info' packages installed, try:
 5 | # `info libc "Name Service Switch"' for information about this file.
 6 | 
 7 | passwd:         compat
 8 | group:          compat
 9 | shadow:         compat
10 | 
11 | hosts:          files mdns4_minimal [NOTFOUND=return] dns
12 | networks:       files
13 | 
14 | protocols:      db files
15 | services:       db files
16 | ethers:         db files
17 | rpc:            db files
18 | 
19 | netgroup:       nis
20 | 


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/etc/passwd:
--------------------------------------------------------------------------------
1 | root:x:0:0:root:/root:/bin/sh
2 | nobody:x:65534:65534:nobody:/nonexistent:/bin/false
3 | 
4 | 


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/etc/shadow:
--------------------------------------------------------------------------------
1 | nobody:*:18303:0:99999:7:::
2 | 


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/init_template:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | mount -t proc none /proc
 3 | mount -t sysfs none /sys
 4 | mount -t debugfs none /sys/kernel/debug
 5 | mount -t devtmpfs none /dev
 6 | mount -t tmpfs none /tmp
 7 | chmod 777 / /tmp
 8 | 
 9 | chmod +x /loader
10 | 
11 | echo "7" > /proc/sys/kernel/printk
12 | echo "0" >  /proc/sys/kernel/printk_ratelimit 
13 | echo "19999999" >  /proc/sys/kernel/printk_ratelimit_burst
14 | echo "1" > /proc/sys/kernel/panic_on_oops
15 | 
16 | # add user ubuntu / group ubuntu (nyx-net)
17 | addgroup ubuntu
18 | adduser --gecos "ubuntu" --disabled-password --ingroup ubuntu ubuntu
19 | echo "ubuntu:ubuntu" | chpasswd
20 | 
21 | START
22 | #./loader
23 | #sh
24 | 


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/lib32/libasan.so.4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/lib32/libasan.so.4


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/lib32/libc.so.6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/lib32/libc.so.6


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/lib32/libdl.so.2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/lib32/libdl.so.2


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/lib32/libgcc_s.so.1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/lib32/libgcc_s.so.1


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/lib32/libm.so.6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/lib32/libm.so.6


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/lib32/libpthread.so.0:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/lib32/libpthread.so.0


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/lib32/librt.so.1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/lib32/librt.so.1


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/lib32/libstdc++.so.6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/lib32/libstdc++.so.6


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/linuxrc:
--------------------------------------------------------------------------------
1 | bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/proc/.empty:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/proc/.empty


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/acpid:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/adjtimex:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/arp:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/blkid:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/blockdev:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/bootchartd:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/depmod:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/devmem:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/fbsplash:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/fdisk:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/findfs:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/freeramdisk:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/fsck:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/fsck.minix:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/fstrim:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/getty:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/halt:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/hdparm:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/hwclock:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/ifconfig:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/ifdown:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/ifenslave:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/ifup:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/init:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/insmod:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/ip:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/ipaddr:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/iplink:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/iproute:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/iprule:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/iptunnel:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/klogd:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/loadkmap:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/logread:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/losetup:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/lsmod:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/makedevs:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/mdev:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/mkdosfs:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/mke2fs:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/mkfs.ext2:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/mkfs.minix:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/mkfs.vfat:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/mkswap:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/modinfo:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/modprobe:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/nameif:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/pivot_root:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/poweroff:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/raidautorun:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/reboot:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/rmmod:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/route:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/runlevel:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/setconsole:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/slattach:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/start-stop-daemon:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/sulogin:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/swapoff:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/swapon:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/switch_root:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/sysctl:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/syslogd:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/tunctl:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/udhcpc:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/uevent:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/vconfig:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/watchdog:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sbin/zcip:
--------------------------------------------------------------------------------
1 | ../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/sys/.empty:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/sys/.empty


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/tmp/.empty:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/tmp/.empty


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/[:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/[[:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/awk:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/basename:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/beep:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/blkdiscard:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/bunzip2:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/bzcat:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/bzip2:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/cal:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/chpst:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/chrt:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/chvt:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/cksum:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/clear:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/cmp:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/comm:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/crontab:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/cryptpw:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/cut:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/dc:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/deallocvt:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/diff:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/dirname:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/dos2unix:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/du:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/dumpleases:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/eject:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/env:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/envdir:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/envuidgid:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/expand:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/expr:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/fgconsole:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/find:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/flock:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/fold:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/free:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/ftpget:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/ftpput:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/fuser:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/groups:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/hd:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/head:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/hexdump:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/hostid:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/id:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/install:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/ipcrm:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/ipcs:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/killall:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/last:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/less:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/logger:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/logname:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/lpq:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/lpr:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/lsof:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/lspci:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/lsusb:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/lzcat:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/lzma:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/lzopcat:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/man:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/md5sum:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/mesg:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/microcom:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/mkfifo:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/mkpasswd:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/nc:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/nmeter:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/nohup:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/nslookup:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/od:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/openvt:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/passwd:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/patch:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/pgrep:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/pkill:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/pmap:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/printf:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/pscan:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/pstree:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/pwdx:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/readlink:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/realpath:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/renice:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/reset:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/resize:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/rpm2cpio:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/runsv:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/runsvdir:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/rx:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/script:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/seq:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/setkeycodes:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/setsid:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/setuidgid:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/sha1sum:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/sha256sum:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/sha3sum:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/sha512sum:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/showkey:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/shuf:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/smemcap:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/softlimit:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/sort:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/split:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/strace:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/usr/bin/strace


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/strings:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/sum:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/sv:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/tac:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/tail:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/tcpsvd:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/tee:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/telnet:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/test:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/tftp:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/time:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/timeout:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/top:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/tr:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/traceroute:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/traceroute6:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/truncate:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/tty:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/ttysize:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/udpsvd:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/unexpand:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/uniq:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/unix2dos:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/unlink:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/unlzma:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/unlzop:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/unxz:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/unzip:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/uptime:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/users:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/uudecode:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/uuencode:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/vlock:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/volname:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/wall:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/wc:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/wget:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/which:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/who:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/whoami:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/whois:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/xargs:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/xz:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/xzcat:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/bin/yes:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/lib/x86_64-linux-gnu/libasan.so.2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/usr/lib/x86_64-linux-gnu/libasan.so.2


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/lib32/libasan.so.2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/usr/lib32/libasan.so.2


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/lib32/libgcc_s.so.1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/usr/lib32/libgcc_s.so.1


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/lib32/libpthread.so.2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/usr/lib32/libpthread.so.2


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/lib32/libstdc++.so.6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/linux_initramfs/rootTemplate/usr/lib32/libstdc++.so.6


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/add-shell:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/addgroup:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/adduser:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/arping:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/brctl:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/chat:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/chpasswd:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/chroot:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/crond:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/delgroup:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/deluser:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/dhcprelay:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/dnsd:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/ether-wake:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/fakeidentd:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/fbset:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/fdformat:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/ftpd:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/httpd:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/i2cdetect:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/i2cdump:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/i2cget:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/i2cset:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/ifplugd:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/inetd:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/killall5:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/loadfont:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/lpd:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/nanddump:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/nandwrite:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/nbd-client:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/ntpd:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/popmaildir:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/powertop:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/rdate:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/rdev:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/readahead:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/readprofile:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/remove-shell:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/rtcwake:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/sendmail:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/setfont:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/setlogcons:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/svlogd:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/telnetd:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/tftpd:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/ubiattach:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/ubidetach:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/ubimkvol:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/ubirmvol:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/ubirsvol:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/ubiupdatevol:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/linux_initramfs/rootTemplate/usr/sbin/udhcpd:
--------------------------------------------------------------------------------
1 | ../../bin/busybox


--------------------------------------------------------------------------------
/packer/packer/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | linux_x86_64-userspace/bin64/*
3 | nyx.ini
4 | 


--------------------------------------------------------------------------------
/packer/packer/common/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uni-due-syssec/sgxfuzz/536ff89d2dd1516fb94e1da5666aa8e2fd87038c/packer/packer/common/__init__.py


--------------------------------------------------------------------------------
/packer/packer/common/color.py:
--------------------------------------------------------------------------------
 1 | HEADER = '\033[95m'
 2 | OKBLUE = '\033[94m'
 3 | OKGREEN = '\033[92m'
 4 | WARNING = '\033[0;33m'
 5 | FAIL = '\033[91m'
 6 | ENDC = '\033[0m'
 7 | CLRSCR = '\x1b[1;1H'
 8 | REALCLRSCR = '\x1b[2J'
 9 | BOLD = '\033[1m'
10 | FLUSH_LINE = '\r\x1b[K'
11 | 
12 | 
13 | def MOVE_CURSOR_UP(num):
14 |     return "\033[" + str(num) + "A"
15 | 
16 | 
17 | def MOVE_CURSOR_DOWN(num):
18 |     return "\033[" + str(num) + "B"
19 | 
20 | 
21 | def MOVE_CURSOR_LEFT(num):
22 |     return "\033[" + str(num) + "C"
23 | 
24 | 
25 | def MOVE_CURSOR_RIGHT(num):
26 |     return "\033[" + str(num) + "D"
27 | 
28 | 
29 | HLINE = unichr(0x2500)
30 | VLINE = unichr(0x2502)
31 | VLLINE = unichr(0x2524)
32 | VRLINE = unichr(0x251c)
33 | LBEDGE = unichr(0x2514)
34 | RBEDGE = unichr(0x2518)
35 | HULINE = unichr(0x2534)
36 | HDLINE = unichr(0x252c)
37 | LTEDGE = unichr(0x250c)
38 | RTEDGE = unichr(0x2510)
39 | 
40 | INFO_PREFIX = "[INFO]    "
41 | ERROR_PREFIX = "[ERROR]   "
42 | WARNING_PREFIX = "[WARNING] "
43 | 


--------------------------------------------------------------------------------
/packer/packer/common/info.py:
--------------------------------------------------------------------------------
 1 | 
 2 | import os, sys
 3 | from common.color import BOLD, OKGREEN, ENDC
 4 | 
 5 | def show_banner(banner_text):
 6 |   f = open(os.path.dirname(os.path.realpath(__file__)) + "/../help.txt")
 7 |   for line in f:
 8 |       print(line.replace("\n", ""))
 9 |   f.close()
10 | 
11 |   print("<< " + BOLD + OKGREEN + sys.argv[0] + ": " + str(banner_text) + " " + ENDC + ">>\n")
12 | 


--------------------------------------------------------------------------------
/packer/packer/compiler/.gitignore:
--------------------------------------------------------------------------------
1 | 
2 | *.so
3 | *.o
4 | afl-clang-fast
5 | afl-clang-fast++
6 | afl-clang-fast-firefox
7 | afl-clang-fast-firefox++


--------------------------------------------------------------------------------
/packer/packer/compiler/android-ashmem.h:
--------------------------------------------------------------------------------
 1 | #ifdef __ANDROID__
 2 | #ifndef _ANDROID_ASHMEM_H
 3 | #define _ANDROID_ASHMEM_H
 4 | 
 5 | #include <fcntl.h>
 6 | #include <linux/ashmem.h>
 7 | #include <linux/shm.h>
 8 | #include <sys/ioctl.h>
 9 | #include <sys/mman.h>
10 | 
11 | #if __ANDROID_API__ >= 26
12 | #define shmat bionic_shmat
13 | #define shmctl bionic_shmctl
14 | #define shmdt bionic_shmdt
15 | #define shmget bionic_shmget
16 | #endif
17 | #include <sys/shm.h>
18 | #undef shmat
19 | #undef shmctl
20 | #undef shmdt
21 | #undef shmget
22 | #include <stdio.h>
23 | 
24 | #define ASHMEM_DEVICE "/dev/ashmem"
25 | 
26 | static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) {
27 |   int ret = 0;
28 |   if (__cmd == IPC_RMID) {
29 |     int length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
30 |     struct ashmem_pin pin = {0, length};
31 |     ret = ioctl(__shmid, ASHMEM_UNPIN, &pin);
32 |     close(__shmid);
33 |   }
34 | 
35 |   return ret;
36 | }
37 | 
38 | static inline int shmget(key_t __key, size_t __size, int __shmflg) {
39 |   (void) __shmflg;
40 |   int fd, ret;
41 |   char ourkey[11];
42 | 
43 |   fd = open(ASHMEM_DEVICE, O_RDWR);
44 |   if (fd < 0)
45 |     return fd;
46 | 
47 |   sprintf(ourkey, "%d", __key);
48 |   ret = ioctl(fd, ASHMEM_SET_NAME, ourkey);
49 |   if (ret < 0)
50 |     goto error;
51 | 
52 |   ret = ioctl(fd, ASHMEM_SET_SIZE, __size);
53 |   if (ret < 0)
54 |     goto error;
55 | 
56 |   return fd;
57 | 
58 | error:
59 |   close(fd);
60 |   return ret;
61 | }
62 | 
63 | static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) {
64 |   (void) __shmflg;
65 |   int size;
66 |   void *ptr;
67 | 
68 |   size = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
69 |   if (size < 0) {
70 |     return NULL;
71 |   }
72 | 
73 |   ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, __shmid, 0);
74 |   if (ptr == MAP_FAILED) {
75 |     return NULL;
76 |   }
77 | 
78 |   return ptr;
79 | }
80 | 
81 | #endif /* !_ANDROID_ASHMEM_H */
82 | #endif /* !__ANDROID__ */
83 | 


--------------------------------------------------------------------------------
/packer/packer/compiler/test-instr.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |   Copyright 2014 Google LLC All rights reserved.
 3 | 
 4 |   Licensed under the Apache License, Version 2.0 (the "License");
 5 |   you may not use this file except in compliance with the License.
 6 |   You may obtain a copy of the License at:
 7 | 
 8 |     http://www.apache.org/licenses/LICENSE-2.0
 9 | 
10 |   Unless required by applicable law or agreed to in writing, software
11 |   distributed under the License is distributed on an "AS IS" BASIS,
12 |   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 |   See the License for the specific language governing permissions and
14 |   limitations under the License.
15 | */
16 | 
17 | 
18 | /*
19 |    american fuzzy lop - a trivial program to test the build
20 |    --------------------------------------------------------
21 | 
22 |    Written and maintained by Michal Zalewski <lcamtuf@google.com>
23 | */
24 | 
25 | #include <stdio.h>
26 | #include <stdlib.h>
27 | #include <unistd.h>
28 | 
29 | int main(int argc, char** argv) {
30 | 
31 |   char buf[8];
32 | 
33 |   if (read(0, buf, 8) < 1) {
34 |     printf("Hum?\n");
35 |     exit(1);
36 |   }
37 | 
38 |   if (buf[0] == '0')
39 |     printf("Looks like a zero to me!\n");
40 |   else
41 |     printf("A non-zero value? How quaint!\n");
42 | 
43 |   exit(0);
44 | 
45 | }
46 | 


--------------------------------------------------------------------------------
/packer/packer/fuzzer_configs/.gitignore:
--------------------------------------------------------------------------------
1 | default_config_kernel.ron
2 | default_config_vm.ron
3 | 


--------------------------------------------------------------------------------
/packer/packer/help.txt:
--------------------------------------------------------------------------------
 1 |     _   __              ______                         
 2 |    / | / /_  ___  __   / ____/_  __________  ___  _____
 3 |   /  |/ / / / / |/_/  / /_  / / / /_  /_  / / _ \/ ___/
 4 |  / /|  / /_/ />  <   / __/ / /_/ / / /_/ /_/  __/ /    
 5 | /_/ |_/\__, /_/|_|  /_/    \__,_/ /___/___/\___/_/     
 6 |       /____/                                             
 7 | ===================================================
 8 | 
 9 | NYX: A feedback-driven general purpose ring 0, ring 3 and ring -1 fuzzer for x86 / x86-64 targets.
10 | 
11 | Sergej Schumilo		<sergej@schumilo.de>
12 | Cornelius Aschermann	<cornelius.aschermann@rub.de>
13 | 
14 | Version: 1.0 (NYX)
15 | 
16 | (C) 2021
17 | 


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/compile_32.sh:
--------------------------------------------------------------------------------
 1 | mkdir -p bin32/
 2 | 
 3 | if [ "$LEGACY_MODE" = "ON" ]
 4 | then
 5 |   # old kAFL mode shared library
 6 |   gcc -shared -O0 -m32 -Werror -DLEGACY_MODE -fPIC src/ld_preload_fuzz.c -I../../agents  -I$NYX_SPEC_FOLDER -o bin32/ld_preload_fuzz_legacy.so -ldl -Isrc
 7 | else
 8 |   # latest and greatest nyx shared library
 9 |   gcc -shared -O0 -m32 -Werror -fPIC src/ld_preload_fuzz.c -I../../agents  -I$NYX_SPEC_FOLDER -o bin32/ld_preload_fuzz.so -ldl -Isrc
10 | fi
11 | 
12 | gcc -m32  src/libnyx.c -o bin32/libnyx.so -shared -fPIC -Wall -std=gnu11 -Wl,-soname,libnyx.so
13 | gcc -O0 -m32 -Werror src/htools/habort.c -I../../agents -o bin32/habort
14 | gcc -O0 -m32 -Werror src/htools/hcat.c -I../../agents -o bin32/hcat
15 | gcc -O0 -m32 -Werror src/htools/hget.c -I../../agents -o bin32/hget
16 | 
17 | 


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/compile_64.sh:
--------------------------------------------------------------------------------
 1 | mkdir -p bin64/
 2 | 
 3 | if [ "$LEGACY_MODE" = "ON" ]
 4 | then
 5 |   # old kAFL mode shared library
 6 |   gcc -shared -O0 -m64 -Werror -DLEGACY_MODE -fPIC src/ld_preload_fuzz.c src/misc/crash_handler.c src/misc/harness_state.c src/misc/struct_synth_report.c src/netfuzz/syscalls.c -I../../agents -o bin64/ld_preload_fuzz_legacy.so -ldl -lZydis -Isrc
 7 | else
 8 |   # latest and greatest nyx shared library
 9 | 
10 |   if [ "$NET_FUZZ" = "ON" ]
11 |   then
12 | 
13 |     MODE="${UDP_MODE} ${CLIENT_MODE} ${DEBUG_MODE} ${STDOUT_STDERR_DEBUG}"
14 |     echo "MODES => $MODE"
15 | 
16 |     clang -shared -g -O0 -m64 -Werror $MODE -fPIC src/ld_preload_fuzz.c src/misc/crash_handler.c src/misc/harness_state.c src/netfuzz/inject.c src/netfuzz/syscalls.c src/netfuzz/socket_cache.c -I../../agents -DNET_FUZZ -I$NYX_SPEC_FOLDER -o bin64/ld_preload_fuzz.so -ldl -Isrc
17 | 
18 |     #echo "NET FUZZ! FUCK YEAH!"
19 |     #if [ "$UDP_MODE" = "ON" ]
20 |     #then
21 |     #  clang -shared -g -O0  -m64 -Werror -DUDP_MODE -fPIC src/ld_preload_fuzz.c src/misc/crash_handler.c src/misc/harness_state.c src/netfuzz/inject.c src/netfuzz/syscalls.c src/netfuzz/socket_cache.c -I../../agents -DNET_FUZZ -I$NYX_SPEC_FOLDER -o bin64/ld_preload_fuzz.so -ldl -Isrc
22 |     #else
23 |     #
24 |     #  if [ "$CLIENT_MODE" = "ON" ]
25 |     #  then
26 |     #    clang -shared -g -O0  -m64 -Werror -DCLIENT_MODE -fPIC src/ld_preload_fuzz.c src/misc/crash_handler.c src/misc/harness_state.c src/netfuzz/inject.c src/netfuzz/syscalls.c src/netfuzz/socket_cache.c -I../../agents -DNET_FUZZ -I$NYX_SPEC_FOLDER -o bin64/ld_preload_fuzz.so -ldl -Isrc
27 |     #  else
28 |     #    clang -shared -g -O0  -m64 -Werror -fPIC src/ld_preload_fuzz.c src/misc/crash_handler.c src/misc/harness_state.c src/netfuzz/inject.c src/netfuzz/syscalls.c src/netfuzz/socket_cache.c -I../../agents -DNET_FUZZ -I$NYX_SPEC_FOLDER -o bin64/ld_preload_fuzz.so -ldl -Isrc
29 |     #  fi
30 |     #fi
31 |   else
32 |     echo "YO"
33 |     gcc -shared -O0 -m64 -Werror -fPIC src/ld_preload_fuzz.c src/misc/crash_handler.c src/netfuzz/syscalls.c src/misc/harness_state.c -I../../agents  -I$NYX_SPEC_FOLDER -o bin64/ld_preload_fuzz.so -ldl -Isrc
34 |   fi
35 | fi
36 | 
37 | gcc -m64  src/libnyx.c -o bin64/libnyx.so -shared -fPIC -Wall -std=gnu11 -Wl,-soname,libnyx.so
38 | gcc -O0 -m64 -Werror src/htools/habort.c -I../../agents -o bin64/habort
39 | gcc -O0 -m64 -Werror src/htools/hcat.c -I../../agents -o bin64/hcat
40 | gcc -O0 -m64 -Werror src/htools/hget.c -I../../agents -o bin64/hget
41 | gcc -O0 -m64 -Werror src/htools/hpush.c -I../../agents -o bin64/hpush
42 | 
43 | gcc -O0 -m64 -static -Werror src/loader.c -I../../agents -o bin64/loader
44 | 


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/compile_loader.sh:
--------------------------------------------------------------------------------
1 | mkdir -p bin64/
2 | gcc -O0 -m64 -static -Werror src/loader.c -I../../agents -o bin64/loader


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/compile_net_standalone.sh:
--------------------------------------------------------------------------------
1 | 
2 | 
3 | gcc -shared -fPIC -o inject.so -c src/netfuzz/inject.c src/netfuzz/socket_cache.c 


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/src/htools/habort.c:
--------------------------------------------------------------------------------
 1 | #define _GNU_SOURCE
 2 | #include <stdio.h>
 3 | #include <stdint.h>
 4 | #include "nyx.h"
 5 | #include <string.h>
 6 | #include <unistd.h>
 7 | 
 8 | int main(int argc, char** argv){
 9 |   char* error_message = NULL;
10 |   int ret;
11 | 
12 |   if(!is_nyx_vcpu()){
13 |     printf("Error: NYX vCPU not found!\n");
14 |     return 0;
15 |   }
16 | 
17 |   if(argc < 1){
18 |     printf("Usage: <habort>\n");
19 |     return 1;
20 |   }
21 | 
22 |   if (argc == 2){
23 |     ret = asprintf(&error_message, "USER_ABORT called: %s", argv[1]);
24 |     if (ret != -1) {
25 |       kAFL_hypercall(HYPERCALL_KAFL_USER_ABORT, (uintptr_t)error_message);
26 |       return 0;
27 |     }
28 |   }
29 |   kAFL_hypercall(HYPERCALL_KAFL_USER_ABORT, (uintptr_t)"USER_ABORT called!");
30 |   return 0;
31 | }


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/src/htools/hcat.c:
--------------------------------------------------------------------------------
 1 | 
 2 | #include <stdio.h>
 3 | #include <stdint.h>
 4 | #include "nyx.h"
 5 | #include <string.h>
 6 | #include <unistd.h>
 7 | 
 8 | int main(int argc, char** argv){
 9 |   char buf[1024];
10 | 
11 |   if(!is_nyx_vcpu()){
12 |     printf("Error: NYX vCPU not found!\n");
13 |     return 0;
14 |   }
15 | 
16 |   if(argc != 1){
17 |     printf("Usage: <hcat>\n");
18 |     return 1;
19 |   }
20 | 
21 |   ssize_t received = 0;
22 |   while((received = read(0, buf, sizeof(buf)-1))>0) {
23 |     buf[1023] = 0;
24 |     buf[received] = 0;
25 | 
26 |     hprintf("[hcat] %s", buf);
27 |     memset(buf, 0, 1024);
28 |   }
29 |   return 0;
30 | }


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/src/htools/hget.c:
--------------------------------------------------------------------------------
 1 | 
 2 | #include <stdio.h>
 3 | #include <stdint.h>
 4 | #include "nyx.h"
 5 | #include <string.h>
 6 | #include <inttypes.h>
 7 | 
 8 | int main(int argc, char** argv){
 9 | 
10 |   if(!is_nyx_vcpu()){
11 |     printf("Error: NYX vCPU not found!\n");
12 |     return 0;
13 |   }
14 | 
15 |   if(argc == 3){
16 |     void* stream_data = mmap((void*)NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
17 |     
18 |     FILE* f = NULL;
19 | 
20 | 
21 |     uint64_t bytes = 0;
22 |     uint64_t total = 0;
23 | 
24 |     do{
25 |       strcpy(stream_data, argv[1]);
26 |       bytes = kAFL_hypercall(HYPERCALL_KAFL_REQ_STREAM_DATA, (uintptr_t)stream_data);
27 | 
28 | #if defined(__x86_64__)
29 |       if(bytes == 0xFFFFFFFFFFFFFFFFUL){
30 | #else
31 |       if(bytes == 0xFFFFFFFFUL){
32 | #endif
33 |         habort("Error: Hypervisor has rejected stream buffer (file not found)");
34 |         break;
35 |       }
36 | 
37 |       if(f == NULL){
38 |         f = fopen(argv[2], "w+");
39 |       }
40 | 
41 |       fwrite(stream_data, 1, bytes, f);
42 | 
43 |       total += bytes;
44 | 
45 |     } while(bytes);
46 | 
47 |     hprintf("[hget] %"PRId64" bytes received from hypervisor! (%s)\n", total, argv[1]);
48 | 
49 |     if(f){
50 |       fclose(f);
51 |       return 0;
52 |     }
53 |     return -1;
54 | 
55 |   }
56 |   printf("Usage: <hget> <file> <out>\n");
57 |   return 0;
58 | }


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/src/htools/hpush.c:
--------------------------------------------------------------------------------
 1 | 
 2 | #include <stdio.h>
 3 | #include <stdint.h>
 4 | #include <fcntl.h>
 5 | #include <sys/types.h>
 6 | #include <sys/stat.h>
 7 | #include <unistd.h>
 8 | #include <sys/mman.h>
 9 | #include <stdbool.h>
10 | #include <stdlib.h>
11 | #include <time.h>
12 | #include <string.h>
13 | #include <libgen.h>
14 | #include <string.h>
15 | 
16 | #include "nyx.h"
17 | 
18 | 
19 | #define round_up(x, y) (((x) + (y) - 1) & ~((y) - 1))
20 | 
21 | void *mapfile(char *fn, uint64_t *size)
22 | {
23 | 	int fd = open(fn, O_RDONLY);
24 | 	if (fd < 0)
25 | 		return NULL;
26 | 	struct stat st;
27 | 	void *map = (void *)-1L;
28 | 	if (fstat(fd, &st) >= 0) {
29 | 		*size = (uint64_t)st.st_size;
30 | 		map = mmap(NULL, round_up(*size, sysconf(_SC_PAGESIZE)),
31 | 			   PROT_READ|PROT_WRITE,
32 | 			   MAP_PRIVATE, fd, 0);
33 | 	}
34 | 	close(fd);
35 | 
36 | 
37 |   if(map){
38 | 		void* copy = malloc(*size);
39 | 		memcpy(copy, map, st.st_size);
40 | 		munmap(map, round_up(*size, sysconf(_SC_PAGESIZE)));
41 | 		return copy;
42 | 	}
43 |   return NULL;
44 | }
45 | 
46 | static void dump_payload(void* buffer, size_t len, const char* filename){
47 |     static bool init = false;
48 |     static kafl_dump_file_t file_obj = {0};
49 | 
50 |     //printf("%s -> ptr: %p size: %lx - %s\n", __func__, buffer, len, filename);
51 | 
52 |     if (!init){
53 |         file_obj.file_name_str_ptr = (uintptr_t)filename;
54 |         file_obj.append = 0;
55 |         file_obj.bytes = 0;
56 |         kAFL_hypercall(HYPERCALL_KAFL_DUMP_FILE, (uintptr_t) (&file_obj));
57 |         init=true;
58 |     }
59 | 
60 |     file_obj.append = 1;
61 |     file_obj.bytes = len;
62 |     file_obj.data_ptr = (uintptr_t)buffer;
63 |     kAFL_hypercall(HYPERCALL_KAFL_DUMP_FILE, (uintptr_t) (&file_obj));
64 | }
65 | 
66 | int main(int argc, char** argv){
67 |   char buf[256];
68 | 
69 |   if(!is_nyx_vcpu()){
70 |     printf("Error: NYX vCPU not found!\n");
71 |     return 0;
72 |   }
73 | 
74 |   if(argc != 2){
75 |     hprintf("Usage: <hpush> <file>\n");
76 |     return 1;
77 |   }
78 | 
79 |   uint64_t size = 0;
80 |   void* ptr = mapfile(argv[1], &size);
81 | 
82 |   if(ptr && size){
83 |     dump_payload(ptr, size, basename(argv[1]));
84 |   }
85 |   else{
86 |     hprintf("Error: File not found!\n");
87 |   }
88 | 
89 |   return 0;
90 | }


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/src/ijon_extension.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include <stdint.h>
 4 | 
 5 | 
 6 | #define ADD_PADDING(max, type) uint8_t type ## _padding [max - sizeof(type)]
 7 | 
 8 | typedef struct interpeter_data_s{
 9 |   uint32_t executed_opcode_num; 
10 |   bool ouf_of_data; 
11 |   /* ... */
12 | } __attribute__((packed)) interpeter_data_t;
13 | 
14 | 
15 | typedef struct ijon_data_s{
16 |   uint64_t max_data[256];
17 | } __attribute__((packed)) ijon_data_t;
18 | 
19 | typedef struct ijon_trace_buffer_s{
20 |   interpeter_data_t interpreter_data; 
21 |   ADD_PADDING(2048, interpeter_data_t);
22 | 
23 |   /* 2k */
24 |   ijon_data_t ijon_data;
25 | } __attribute__((packed)) ijon_trace_buffer_t;
26 | 
27 | extern ijon_trace_buffer_t* ijon_trace_buffer; 
28 | 
29 | 
30 | void ijon_max(uint8_t id, uint64_t value);
31 | 


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/src/ld_preload_info.c:
--------------------------------------------------------------------------------
 1 | /* info */
 2 | #define _GNU_SOURCE
 3 | 
 4 | #include <sys/mman.h>
 5 | #include <dlfcn.h>
 6 | #include <stdint.h>
 7 | #include <sys/types.h>
 8 | #include <unistd.h>
 9 | #include <string.h>
10 | #include <stdlib.h>
11 | 
12 | #include "kafl_user.h"
13 | 
14 | int __libc_start_main(int (*main) (int,char **,char **),
15 | 		      int argc,char **ubp_av,
16 | 		      void (*init) (void),
17 | 		      void (*fini)(void),
18 | 		      void (*rtld_fini)(void),
19 | 		      void (*stack_end)) {
20 | 
21 |     hprintf("LD_PRELOAD hprintf :)\n");
22 | 
23 |     char filename[256];
24 |     void* info_buffer = mmap((void*)NULL, INFO_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
25 |     memset(info_buffer, 0xff, INFO_SIZE);
26 | 
27 |     hprintf("LD_PRELOAD hprintf :)\n");    
28 |   	hprintf("Own pid is %d\n", getpid());
29 | 
30 |   	snprintf(filename, 256, "/proc/%d/maps", getpid());
31 |   	hprintf("proc filename: %s\n", filename);
32 | 
33 |   	FILE* f = fopen(filename, "r");
34 |   	uint16_t len = fread(info_buffer, 1, INFO_SIZE, f);
35 |   	fclose(f);
36 | 
37 |   	((char*)info_buffer)[len] = '\0';
38 | 
39 |  	  hprintf("Transfer data to hypervisor\n");
40 | 
41 |     kAFL_hypercall(HYPERCALL_KAFL_INFO, (uintptr_t)info_buffer);
42 | 
43 |     return 0;
44 | }
45 | 


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/src/libnyx.c:
--------------------------------------------------------------------------------
 1 |     #include <stdlib.h>
 2 |     #include <stdio.h>
 3 |     #include "libnyx.h"
 4 | 
 5 |     void nyx_init(void){
 6 |     }
 7 | 
 8 |     void ijon_max(uint8_t id, uint64_t value){
 9 |     }
10 |     void report_struct_synth_addrs(const char* addrs, size_t len) { }
11 |     void report_crashing_addr(ucontext_t* context) { }


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/src/libnyx.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include <stdint.h>
 4 | #include <ucontext.h>
 5 | 
 6 | void nyx_init(void);
 7 | void ijon_max(uint8_t id, uint64_t value);
 8 | void report_struct_synth_addrs(const char* addrs, size_t len);
 9 | void report_crashing_addr(ucontext_t* context);
10 | 


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/src/misc/crash_handler.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include <stdbool.h>
 4 | #include <signal.h>
 5 | #include <unistd.h>
 6 | 
 7 | 
 8 | void config_handler(void);
 9 | void init_crash_handling(void);
10 | 
11 | void set_struct_synth_addrs(const char* addrs, ssize_t len);
12 | 
13 | /* test asan */
14 | void fail(void);


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/src/misc/harness_state.c:
--------------------------------------------------------------------------------
 1 | #define _GNU_SOURCE
 2 | 
 3 | #include <stdlib.h>
 4 | #include <dlfcn.h>
 5 | #include "misc/harness_state.h"
 6 | #include "netfuzz/syscalls.h"
 7 | #include "nyx.h"
 8 | 
 9 | //#define DEBUG_HARNESS_STATE
10 | 
11 | static bool harness_state_ready = false;
12 | 
13 | harness_state_t* get_harness_state(void){
14 |     static harness_state_t harness_state = {0}; 
15 |     if (!harness_state_ready){
16 |         harness_state_ready = true;
17 |         set_harness_state();
18 |     }
19 |     return &harness_state;
20 | }
21 | 
22 | static bool early_check_env(const char* env){
23 |     char buffer [1024];
24 |     snprintf (buffer, 1024, "[ -z \"$%s\" ]", env);
25 |     return !!system(buffer);
26 | }
27 | 
28 | static bool check_env(const char* env){
29 |     bool ret = false;
30 |     ret = !!real_getenv(env);
31 |     if(!ret){
32 |         ret = early_check_env(env);
33 |     }
34 |     return ret;
35 | }
36 | 
37 | void set_harness_state(void){
38 |     harness_state_t* state = get_harness_state();
39 | 
40 |     state->fast_exit_mode = check_env("NYX_FAST_EXIT_MODE");
41 |     state->asan_executable = check_env("NYX_ASAN_EXECUTABLE");
42 |     state->legacy_file_mode = check_env("NYX_LEGACY_FILE_MODE");
43 |     state->net_fuzz_mode = check_env("NYX_NET_FUZZ_MODE");
44 |     state->afl_mode = check_env("NYX_AFL_PLUS_PLUS_MODE");
45 |     state->delayed_init = check_env("DELAYED_NYX_FUZZER_INIT");
46 |     state->pt_auto_addr_range_a = check_env("NYX_PT_RANGE_AUTO_CONF_A");
47 |     state->pt_auto_addr_range_b = check_env("NYX_PT_RANGE_AUTO_CONF_B");
48 | 
49 |     if(real_getenv("NYX_NET_PORT")){
50 |         state->nyx_net_port = (uint16_t)strtol(real_getenv("NYX_NET_PORT"), NULL, 10);
51 |     }
52 |     else{
53 |         state->nyx_net_port = 0;
54 |     }
55 | 
56 | #ifdef DEBUG_HARNESS_STATE
57 |     hprintf("fast_exit_mode: %d\n", state->fast_exit_mode);
58 |     hprintf("asan_executable: %d\n", state->asan_executable);
59 |     hprintf("legacy_file_mode: %d\n", state->legacy_file_mode);
60 |     hprintf("net_fuzz_mode: %d\n", state->net_fuzz_mode);
61 |     hprintf("afl_mode: %d\n", state->afl_mode);
62 |     hprintf("delayed_init: %d\n", state->delayed_init);
63 |     hprintf("pt_auto_addr_range_a: %d\n", state->pt_auto_addr_range_a);
64 |     hprintf("pt_auto_addr_range_b: %d\n", state->pt_auto_addr_range_b);
65 |     hprintf("NYX_NET_PORT: %d\n", state->nyx_net_port);
66 | #endif
67 | 
68 |     harness_state_ready = true;
69 | }
70 | 


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/src/misc/harness_state.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include <stdbool.h>
 4 | #include <stdint.h>
 5 | 
 6 | /* harness state */
 7 | typedef struct harness_state_s{
 8 |     bool fast_exit_mode;
 9 |     bool asan_executable;
10 |     bool legacy_file_mode;
11 |     bool net_fuzz_mode;
12 |     bool afl_mode;
13 |     bool delayed_init;
14 |     bool pt_auto_addr_range_a;
15 |     bool pt_auto_addr_range_b;
16 |     uint16_t nyx_net_port;
17 | } harness_state_t;
18 | 
19 | harness_state_t* get_harness_state(void);
20 | void set_harness_state(void);
21 | 


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/src/misc/struct_synth_report.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | 
3 | #include <signal.h>
4 | //#include <sys/ucontext.h>
5 | 
6 | //greg_t get_crashing_addr(greg_t ip_reg);
7 | greg_t get_crashing_addr(gregset_t regs);
8 | 


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/src/netfuzz/run_dcmtk.sh:
--------------------------------------------------------------------------------
1 | export DCMDICTPATH=/home/kafl/aflnet/dcmtk/dcmdata/data/dicom.dic
2 | cd ~/aflnet/dcmtk/build/bin
3 | LD_PRELOAD=../../..//hook/inject_debug.so ./dcmqrscp
4 | cd -
5 | 


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/src/netfuzz/run_dnsmasq.sh:
--------------------------------------------------------------------------------
1 | cd ~/aflnet/dnsmasq/src
2 | LD_PRELOAD=../../hook/inject_debug.so ./dnsmasq
3 | cd -
4 | 


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/src/netfuzz/run_live555.sh:
--------------------------------------------------------------------------------
1 | cd ../live555/
2 | LD_PRELOAD=../hook/inject_debug.so ./testProgs/testOnDemandRTSPServer 1337
3 | cd -
4 | 


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/src/netfuzz/socket_cache.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include <stdint.h>
 4 | #include <stdbool.h>
 5 | #include <sys/select.h>
 6 | #include <sys/time.h>
 7 | #include <sys/types.h>
 8 | #include <unistd.h>
 9 | 
10 | uint16_t get_active_connections(void);
11 | bool connection_exists(uint16_t port);
12 | bool server_socket_exists(int socket);
13 | bool client_socket_exists(int socket);
14 | bool set_server_socket_to_connection(uint16_t port, int socket);
15 | bool set_client_socket_to_connection(uint16_t port, int socket);
16 | bool add_connection(uint16_t port);
17 | //int server_socket_to_client_socket(int socket);
18 | int set_select_fds(fd_set *set, fd_set *old_set);
19 | void disable_connection_by_server_socket(int socket);
20 | ssize_t real_send(int sockfd, const void *buf, size_t len, int flags);
21 | 
22 | int server_socket_to_port(int socket);


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/src/netfuzz/standalone_compile.sh:
--------------------------------------------------------------------------------
1 | gcc -shared -fPIC -o inject.so inject.c syscalls.c socket_cache.c -ldl
2 | gcc -shared -fPIC -o inject_debug.so inject.c syscalls.c socket_cache.c -ldl -DDEBUG_MODE
3 | 


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/src/netfuzz/syscalls.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include <stdio.h>
 4 | #include <poll.h>
 5 | #include <unistd.h>
 6 | #include <sys/select.h>
 7 | #include <sys/types.h>
 8 | #include <sys/socket.h>
 9 | #include <sys/epoll.h>
10 | 
11 | void init_syscall_fptr(void);
12 | 
13 | ssize_t real_read(int fd, void* buf, size_t count);
14 | ssize_t real_write(int fd, const void *buf, size_t count);
15 | int real_select(int nfds, fd_set *readfds, fd_set *writefds, fd_set *exceptfds, struct timeval *timeout);
16 | int real_listen(int sockfd, int backlog);
17 | int real_accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
18 | int real_accept4(int sockfd, struct sockaddr *addr, socklen_t *addrlen, int flags);
19 | ssize_t real_recv(int sockfd, void *buf, size_t len, int flags);
20 | ssize_t real_recvfrom(int sockfd, void *buf, size_t len, int flags, struct sockaddr *src_addr, socklen_t *addrlen);
21 | ssize_t real_recvmsg(int sockfd, struct msghdr *msg, int flags);
22 | int real_poll(struct pollfd *fds, nfds_t nfds, int timeout);
23 | int real_close(int fd);
24 | int real_epoll_ctl(int epfd, int op, int fd, struct epoll_event *event);
25 | int real_epoll_wait(int epfd, struct epoll_event *events, int maxevents, int timeout);
26 | int real_bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
27 | ssize_t real_sendto(int sockfd, const void *buf, size_t len, int flags, const struct sockaddr *dest_addr, socklen_t addrlen);
28 | int real_dup(int fd);
29 | int real_dup2(int oldfd, int newfd);
30 | int real_dup3(int oldfd, int newfd, int flags);
31 | int real_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
32 | int real_getc(FILE *stream);
33 | void real__exit(int status);
34 | ssize_t real_readv(int fd, const struct iovec *iov, int iovcnt);
35 | ssize_t real_writev(int fd, const struct iovec *iov, int iovcnt);
36 | ssize_t real_preadv(int fd, const struct iovec *iov, int iovcnt, off_t offset);
37 | ssize_t real_pwritev(int fd, const struct iovec *iov, int iovcnt, off_t offset);
38 | char* real_getenv(const char *name);
39 | int real_getsockname(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
40 | int real_getpeername(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
41 | char *real_fgets(char *s, int size, FILE *stream);
42 | 


--------------------------------------------------------------------------------
/packer/packer/linux_x86_64-userspace/test.sh:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 | 
 5 | #MODE=$TEST + $TEST2
 6 | 
 7 | 
 8 | MODE="${TEST} ${TEST2}"
 9 | 
10 | echo $MODE


--------------------------------------------------------------------------------
/packer/packer/nyx.ini:
--------------------------------------------------------------------------------
 1 | [Packer]
 2 | init_ramfs = ../linux_initramfs/init.cpio.gz
 3 | kernel = ../linux_initramfs/bzImage-linux-4.15-rc7
 4 | default_vm_hda = 
 5 | qemu-pt_path = QEMU-Nyx/x86_64-softmmu/qemu-system-x86_64
 6 | agents-folder = ./
 7 | nyx-interpreter-folder = ./
 8 | default_fuzzer_config_folder = ./fuzzer_configs/
 9 | default_vm_presnapshot = 
10 | 


--------------------------------------------------------------------------------
/run-example.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | set -ex
 4 | 
 5 | SGXFUZZ_ROOT=$(dirname "$(realpath "$0")")
 6 | ENCLAVE_PATH="$SGXFUZZ_ROOT/Enclaves/SimpleFuzzTest"
 7 | FUZZ_FOLDER=/tmp/sgxfuzz-fuzz-folder
 8 | FUZZ_WORKDIR=/tmp/sgxfuzz-workdir
 9 | 
10 | if [[ ! -d "$SGXFUZZ_ROOT/native-sgx-runner" ]]; then
11 | 	echo "Invalid execution directory"
12 | 	exit 1
13 | fi
14 | 
15 | if [[ -r "$SGXFUZZ_ROOT/kvm-nyx-release/kvm-intel.ko" ]]; then
16 | 	sudo rmmod kvm_intel || true
17 | 	sudo rmmod kvm || true
18 | 	sudo insmod "$SGXFUZZ_ROOT/kvm-nyx-release/kvm.ko" || true
19 | 	sudo insmod "$SGXFUZZ_ROOT/kvm-nyx-release/kvm-intel.ko" || true
20 | 	sudo chmod a+rw /dev/kvm
21 | fi
22 | 
23 | # Build the enclave runner
24 | "$SGXFUZZ_ROOT/initialize-target.sh" SimpleFuzzTest Enclaves/SimpleFuzzTest/enclave.signed.so.mem
25 | 
26 | cd "$(ls -d SimpleFuzzTest-T0-*/ | sort -r | head -1)"
27 | 
28 | ./pack.sh
29 | 
30 | ./fuzz.sh
31 | 


--------------------------------------------------------------------------------
/seeds/abc:
--------------------------------------------------------------------------------
1 | ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
2 | 


--------------------------------------------------------------------------------
/struct_recovery.py:
--------------------------------------------------------------------------------
1 | kafl/kAFL-Fuzzer/fuzzer/technique/struct_recovery.py


--------------------------------------------------------------------------------