
p2im's People

Contributors

alejoseb, bofeng17, valuta1995


p2im's Issues

KeyError:255, QEMU's return value is not found

Hello, I am studying and experimenting with P2IM.
I want to run firmware using P2IM. The error "KeyError:255" occurs in the me.py code. This means that the return value is 0xff when QEMU is run as a subprocess, and that value is not defined in the rv dictionary of me.py, which results in an error.
What is the meaning of QEMU's return value 0xff?

KeyError255

If I ignore this error and proceed, there are a myriad of rounds with the phrase "There is aup, run Me." (where the "Stage 2 returned to unexpected reasons!" part indicates a KeyError:255 error; I simply added 0xff to the dictionary so that it does not print errors.)

image

And at the end, fuzzing does not proceed with the following error.
I proceeded with the firmware that added the mcu and startForkserver part, and I wonder how to solve the error.

image

QEMU image librt: undefined symbol: __clock_nanosleep

I am trying to use the precompiled QEMU image to fuzz with P2IM and I am receiving the following error:

p2im/qemu/precompiled_bin/qemu-system-gnuarmeclipse: symbol lookup error: /home/circleci/p2im/qemu/precompiled_bin/librt.so.1: undefined symbol: __clock_nanosleep, version GLIBC_PRIVATE

I tried to recompile using the instructions from the repo, but the error persisted.

Unfortunately, fuzz.py and me.py are also failing due to this error.

Does anyone have a clue how to solve it?

me.py error "Stage 1 returned due to unexpected reasons!"

I am trying to run P2IM with a precompiled firmware from the repo (the one named "Console"). I have followed the steps from the README and the command model_instantiation/fuzz.py -c $WORKING_DIR/fuzz.cfg is triggering the following error:

cmd_me0: /root/p2im//model_instantiation/me.py -c /root/p2im/fuzzing/console/01/fuzz.cfg --run-num 0 --print-to-file

Change working dir to: 0/
CWD: /root/p2im/fuzzing/console/01/0
Redirect stdout to file named stdout
Traceback (most recent call last):
  File "/root/p2im//model_instantiation/me.py", line 1146, in <module>
    ret_val = stage1()
  File "/root/p2im//model_instantiation/me.py", line 347, in stage1
    ret_val = qemu_run(cmd, cfg.retry_num, stage)
  File "/root/p2im//model_instantiation/me.py", line 188, in qemu_run
    color_print(error_rv[stage][ret_val], "red")
KeyError: 1

Do you know what could be the cause for this?
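Both the KeyError:255 report above and this KeyError: 1 report come from the same lookup, `error_rv[stage][ret_val]`, raising when QEMU exits with a status that the table does not list. The snippet below is an added example, not code from me.py: it shows a lookup that degrades to a descriptive message instead of a traceback, decodes signal-killed children (subprocess reports those as a negative returncode), and notes that 255 is what a POSIX exit(-1) is truncated to. The table contents and the function names are placeholders; what P2IM's QEMU build means by 0xff is not stated in the thread.

```python
import signal
import subprocess

# Constructed placeholder, not me.py's real error_rv: stage -> {exit status -> message}.
ERROR_RV = {
    1: {0: "stage 1 completed"},
    2: {0: "stage 2 completed"},
}


def describe_qemu_rv(stage, ret_val, table=ERROR_RV):
    """Describe a QEMU exit status without raising KeyError on unknown values.

    Returns (known, message): known is True only when the table lists the
    status, so the caller can still treat everything else as unexpected.
    """
    stage_table = table.get(stage, {})
    if ret_val in stage_table:
        return True, stage_table[ret_val]
    if ret_val < 0:
        # subprocess reports a child killed by signal N as returncode -N.
        try:
            name = signal.Signals(-ret_val).name
        except ValueError:
            name = "unknown signal"
        return False, f"qemu killed by {name} ({ret_val})"
    if ret_val == 255:
        # Any exit status outside 0..255, e.g. exit(-1), is truncated to 255.
        return False, "qemu exited with status 255 (0xff), e.g. exit(-1)"
    return False, f"qemu exited with unlisted status {ret_val}"


def run_and_describe(cmd, stage, table=ERROR_RV, timeout=None):
    """Run a command and decode its exit status; a timeout is reported as a
    hang message instead of an exception so every outcome logs the same way."""
    try:
        proc = subprocess.run(cmd, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False, f"command hung for more than {timeout}s"
    return describe_qemu_rv(stage, proc.returncode, table)
```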

Crash Analysis

I use p2im to find some crashes. After running some crash files with the run_fw.py script without '--debug', QEMU always prints 'Run out of input bytes' or 'illegal read at xxx'. Are these crash files really inputs that cause the firmware to crash?

When using cov.py, should I copy my firmware?

I'm using utilities/coverage/cov.py to calculate fuzzing coverage,
but I notice that cov.py only mkdirs at line 306 and does not copy my test firmware into <working_dir/coverage>.
Then it checks whether my firmware is in <working_dir/coverage> at line 315.

Maybe we need some code like
shutil.copyfile(cfg.firmware,cov_path+'/'+cfg.firmware)
at line 307 to make sure the firmware can be checked?

image
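One way to stage the firmware as this issue suggests, written as an added example rather than cov.py's own code: it joins the coverage directory with the basename of the firmware path (gluing cfg.firmware onto cov_path would produce a bad destination whenever cfg.firmware contains a directory component) and skips the copy when an identical file is already there. The function name and the working_dir argument are assumptions.

```python
import filecmp
import os
import shutil


def stage_firmware_for_coverage(firmware_path, working_dir):
    """Create <working_dir>/coverage and ensure a copy of the firmware is inside it.

    Returns the path of the staged copy. Only the basename of firmware_path is
    used for the destination, so absolute or nested paths from fuzz.cfg work.
    """
    if not os.path.isfile(firmware_path):
        raise FileNotFoundError(f"firmware not found: {firmware_path}")
    cov_path = os.path.join(working_dir, "coverage")
    os.makedirs(cov_path, exist_ok=True)  # same effect as the mkdir at line 306
    dest = os.path.join(cov_path, os.path.basename(firmware_path))
    # Idempotent: a byte-identical copy from an earlier run is left alone.
    if os.path.isfile(dest) and filecmp.cmp(firmware_path, dest, shallow=False):
        return dest
    shutil.copyfile(firmware_path, dest)
    return dest
```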

Generated model can fail validation when loaded

It appears that models generated during fuzzing can exceed the limits enforced in peri-mod.c

23 hours into fuzzing the supplied gateway firmware, the number of paths found stopped growing. Rerunning any of the found crashes using the last peripheral model gives the error "error: too many events! Fail to load model from file" before execution of the firmware starts. The second to last peripheral model does trigger the crashes as expected.

Please let me know if you need a copy of any of the generated files.

Need some help on 'Analyzing crashing'

Hi, Bo Feng
When I used p2im to run 'p2im/externals/p2im-unit_tests/RIOT/USART', I found that there were thousands of paths pointing to the same unique crash in a short time. I was wondering whether there was the possibility of a false positive.
image

Then this is the result of its run_fw.py. I want to ask about this [Error] Run out of input bytes!
What does it mean, and how can it be replicated on the real device (if this test routine is running on the real firmware)?
image

This is the corresponding error location I found in the source code: 'p2im/externals/p2im-unit_tests/RIOT/RIOT-ENV/cpu/stm32_common/periph/uart.c'
image
I found that it just happened to call an initialization of the DR register. In addition, if I comment out this statement and recompile it to generate a new firmware for testing, it displays like this:
image

These problems do not occur on real firmware, but they often occur on test routines.
I would be very grateful if I could receive your reply.

Qemu hangs when running unit test

When I tried to run a unit test case ARDUINO-SAM3-ADC, I got the following message:

qemu hangs(pid: 15668). seed input should not hang!

Can someone help me here?

Where to locate peri-mod/peri-mod.h

In the file qemu.git/hw/arm/peri-mod.c,
it includes "peri-mod/peri-mod.h", but I cannot
find this file, so what is the location of the file peri-mod/peri-mod.h?

How to compile using ARMCC

I use Keil v5, which uses ARMCC (the ARM compiler) to compile. It issues errors because of the assembly code:

..\Src\afl_call.c(5): warning:  #1207-D: unknown attribute "naked"
  __attribute__ ((naked)) uint32_t aflCall(__attribute__ ((unused)) uint32_t a0, __attribute__ ((unused)) uint32_t a1, __attribute__ ((unused)) int32_t a2) {
..\Src\afl_call.c(11): error:  #130: expected a "{"
      __asm__ __volatile__ ("svc $0x3f\n\t"
..\Src\afl_call.c(11): warning:  #174-D: expression has no effect
      __asm__ __volatile__ ("svc $0x3f\n\t"
..\Src\afl_call.c(13): warning:  #940-D: missing return statement at end of non-void function "aflCall"
  }
..\Src\afl_call.c: 3 warnings, 1 error

So I change the assembly code to :

   __asm("svc $0x3f\n\t"
           "bx %lr\n\t");

Keil also failed to compile:

..\Src\afl_call.c(5): warning:  #1207-D: unknown attribute "naked"
  __attribute__ ((naked)) uint32_t aflCall(__attribute__ ((unused)) uint32_t a0, __attribute__ ((unused)) uint32_t a1, __attribute__ ((unused)) int32_t a2) {
..\Src\afl_call.c(11): error:  #20: identifier "$0x3f" is undefined
      __asm("svc $0x3f\n\t"
..\Src\afl_call.c(13): warning:  #940-D: missing return statement at end of non-void function "aflCall"
  }
..\Src\afl_call.c: 2 warnings, 1 error

So, is there any way to generate required firmware for fuzzing using ARMCC ?

OSError: [Errno 8] Exec format error

Hi, I followed the steps but ran into an error while testing real_firmware/Gateway at
'Launching fuzzer'
image

I do it under Ubuntu 16.04 LTS, and use the pre-compiled QEMU binary.

Steering Control stalls on round 0

I built the Steering_Control example firmware using the command in README.md (although I had to install the needed arduino packages first):

# cd REPO/externals/p2im-real_firmware/Steering_Control
# ../deps/arduino-cli core install arduino:sam
# ../deps/arduino-cli lib install Servo
# ../deps/arduino-cli/arduino-cli compile -b arduino:sam:arduino_due_x_dbg *.ino --build-path `realpath ./build` -o firmware

Then I created a fuzzing directory for the firmware.elf, and edited fuzz.cfg. When I run fuzz.py, qemu apparently hangs:

root@p2im:/workspace/fuzzing/Steering_Control/2# /root/p2im/model_instantiation/fuzz.py -c fuzz.cfg 
Change working dir to: /workspace/fuzzing/Steering_Control/2
CWD: /workspace/fuzzing/Steering_Control/2

try our best to extract model w/o input
cmd_me0: /root/p2im/model_instantiation/me.py -c /workspace/fuzzing/Steering_Control/2/fuzz.cfg --run-num 0 --print-to-file

Change working dir to: 0/
CWD: /workspace/fuzzing/Steering_Control/2/0
Redirect stdout to file named stdout

extract model for each seed input
0.random.1
run f/w w/ seed input to check if there is aup
cmd_qemu: /root/p2im/qemu/precompiled_bin/qemu-system-gnuarmeclipse -nographic -aflFile /workspace/fuzzing/Steering_Control/2/inputs/random -board Arduino-Due -mcu SAM3X8E -image /workspace/fuzzing/Steering_Control/2/firmware.elf -pm-stage 3 -model-input /workspace/fuzzing/Steering_Control/2/0/peripheral_model.json -me-bin /root/p2im/model_instantiation/me.py -me-config /workspace/fuzzing/Steering_Control/2/fuzz.cfg

qemu hangs(pid: 32343). seed input should not hang!
No aup, don't run ME

launch fuzzer
cmd_afl: /root/p2im/afl/afl-fuzz -i /workspace/fuzzing/Steering_Control/2/inputs -o /workspace/fuzzing/Steering_Control/2/outputs -t 150+ -QQ -a /root/p2im/model_instantiation/me.py -b /workspace/fuzzing/Steering_Control/2/fuzz.cfg -c /workspace/fuzzing/Steering_Control/2/0/peripheral_model.json -T Steering_Control_2 -d /root/p2im/qemu/precompiled_bin/qemu-system-gnuarmeclipse -nographic -board Arduino-Due -mcu SAM3X8E -image /workspace/fuzzing/Steering_Control/2/firmware.elf -pm-stage 3 -aflFile @@

afl-fuzz 2.06b by <lcamtuf@google.com>
[+] You have 2 CPU cores and 3 runnable tasks (utilization: 150%).
[*] Checking core_pattern...
[*] Setting up output directories...
[*] Scanning '/workspace/fuzzing/Steering_Control/2/inputs'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:random'...
[!] WARNING: Test case results in a hang (skipping)

[-] PROGRAM ABORT : All test cases time out, giving up!
         Location : perform_dry_run(), afl-fuzz.c:2812

Using the run_fw.py script to attach a debugger, I see that code is looping in the delay() function, repeatedly calling GetTickCount(), but the result is always 0, so delay never returns.

Is there a way to turn on the timer emulation, or should it be driven by an interrupt?

I'm using a Ubuntu 16.04 docker image, gcc-arm-none-eabi-10.3.2021 (objdump 2.36.1.20210621), and the precompiled qemu.

What does "aup" mean?

Hi @bofeng17

When I read and run fuzz.py,
I don't understand what "f/w w/" and "aup" mean.

What are these?

        color_print("run f/w w/ seed input to check if there is aup")
        cmd_qemu = [cfg.qemu_bin, "-nographic", "-aflFile", seed,
          "-board", cfg.board, "-mcu", cfg.mcu, "-image", cfg.img,
          "-pm-stage", "3", "-model-input", args.model_if,
          # options below are not used in no forkserver mode
          "-me-bin", cfg.me_bin, "-me-config", args.config]

Does p2im support firmware that uses an SD card?

Hi, we tried to extend this work to support other boards and other firmware. The firmware we chose reads files from the SD card. Now the fuzzing process does not work, and we could not confirm the modification of the qemu source code to support other boards. Could you please let us know whether this work supports SD card peripheral emulation or not? Thank you!

Docker Build Script Failed To Fetch

I've followed the instructions in build_qemu.md, but once I execute the
WORK_FOLDER_PATH=pwd/src ./build_scripts/build-qemu.sh --deb64 --no-strip
command I end up with the following output. I've seen other issues with similar docker problems that suggest running an update/upgrade in the container, but it's not like I can open a shell in the container since it starts up executing that build script right away. Is there a solution?

Using "/media/sf_Masterarbeit/DICE-DMA-Emulation/p2im/qemu/src" as Work folder...
Helper script: "/media/sf_Masterarbeit/DICE-DMA-Emulation/p2im/qemu/src/scripts/build-helper.sh".
Script "./build_scripts/build-qemu.sh" started at Tue Aug 29 06:30:56 PM EDT 2023.

Running on Ubuntu 64-bits.

Checking host curl...
curl 7.85.0 (x86_64-pc-linux-gnu) libcurl/7.85.0 OpenSSL/3.0.5 zlib/1.2.11 brotli/1.0.9 zstd/1.5.2 libidn2/2.3.3 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.49.0 librtmp/2.3

Checking host git...
git version 2.37.2

Checking Docker...
Docker version 24.0.5, build ced0996

Checking host automake...
automake (GNU automake) 1.16.5

Checking host patch...
GNU patch 2.7.6

Checking host tar...
tar (GNU tar) 1.34
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by John Gilmore and Jay Fenlason.

Checking host unzip...
UnZip 6.00 of 20 April 2009, by Debian. Original by Info-ZIP.

Checking host makeinfo...
texi2any (GNU texinfo) 6.8

================================================================================
Creating Debian 64-bits archive...

Running "build.sh" script inside "qemu-debian64-build" container, image "ilegeul/debian:8-gnuarm-gcc-x11-v4"...

Linux docker 5.19.0-46-generic #47-Ubuntu SMP PREEMPT_DYNAMIC Fri Jun 16 13:30:11 UTC 2023 x86_64 GNU/Linux

Checking automake...
automake (GNU automake) 1.14.1
Checking pkg-config...
0.28
Checking readelf...
GNU readelf (GNU Binutils for Debian) 2.25
Checking gcc...
gcc (Debian 4.9.2-10) 4.9.2
Checking patchelf...
patchelf 0.8
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  libblkid-dev libdrm-dev uuid-dev
The following NEW packages will be installed:
  libblkid-dev libdrm-dev libmount-dev mesa-common-dev uuid-dev
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 939 kB of archives.
After this operation, 4548 kB of additional disk space will be used.
Err http://http.debian.net/debian/ jessie/main uuid-dev amd64 2.25.2-6
  404  Not Found
Err http://http.debian.net/debian/ jessie/main libblkid-dev amd64 2.25.2-6
  404  Not Found
Err http://http.debian.net/debian/ jessie/main libdrm-dev amd64 2.4.58-2
  404  Not Found
Err http://http.debian.net/debian/ jessie/main mesa-common-dev amd64 10.3.2-1+deb8u1
  404  Not Found
Err http://http.debian.net/debian/ jessie/main libmount-dev amd64 2.25.2-6
  404  Not Found
E: Failed to fetch http://http.debian.net/debian/pool/main/u/util-linux/uuid-dev_2.25.2-6_amd64.deb  404  Not Found

E: Failed to fetch http://http.debian.net/debian/pool/main/u/util-linux/libblkid-dev_2.25.2-6_amd64.deb  404  Not Found

E: Failed to fetch http://http.debian.net/debian/pool/main/libd/libdrm/libdrm-dev_2.4.58-2_amd64.deb  404  Not Found

E: Failed to fetch http://http.debian.net/debian/pool/main/m/mesa/mesa-common-dev_10.3.2-1+deb8u1_amd64.deb  404  Not Found

E: Failed to fetch http://http.debian.net/debian/pool/main/u/util-linux/libmount-dev_2.25.2-6_amd64.deb  404  Not Found

E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

Cannot find the repo

Hi Bo, when I use the build_script to build the qemu, the following error appears:

Cloning 'git@github.com:bofeng17/iot-fuzzer-qemu_mode.git'...
Cloning into 'qemu.git'....
ERROR: Repository not found.
fatal: Could not read from remote repository.

How to get the qemu log information, when afl is running.

Hello, I am trying to get the qemu log information while afl is running. When I change "cmd_afl_qemu" in fuzz.py and add "-d out_asm" at
the end of cmd_afl_qemu, afl cannot run and stops in perform_dry_run().
I also found there is a configuration option in fuzz.cfg, so I changed the [qemu] log and added -D qemu.log; the program runs but cannot be stopped, creating new files like 0_ranom.xxx.
I am trying to capture the assembly code run in every loop in AFL.
Thank you for your help!!!!

Memory limit

I am using p2im in Ubuntu 16.05 LTS on VMWare.
The settings of VM are as below.
Memory 14.9GB Processors 4 Hard Disk 60GB
I used PLC from https://github.com/RiS3-Lab/p2im-real_firmware/tree/master/PLC and run with this code <repo_path>/model_instantiation/fuzz.py -c fuzz.cfg

This error occurs.

[-] Oops, the program crashed with one of the test cases provided. There are
several possible explanations:

- The test case causes known crashes under normal working conditions. If
  so, please remove it. The fuzzer should be seeded with interesting
  inputs - but not ones that cause an outright crash.

- The current memory limit (2.00 GB) is too low for this program, causing
  it to die due to OOM when parsing valid files. To fix this, try
  bumping it up with the -m setting in the command line. If in doubt,
  try something along the lines of:

  ( ulimit -Sv $[2047 << 10]; /path/to/binary [...] <testcase )

  Tip: you can use http://jwilk.net/software/recidivm to quickly
  estimate the required amount of virtual memory for the binary. Also,
  if you are using ASAN, see docs/notes_for_asan.txt.

- Least likely, there is a horrible bug in the fuzzer. If other options
  fail, poke <lcamtuf@coredump.cx> for troubleshooting tips.

[-] PROGRAM ABORT : Test case 'id:000000,orig:random' results in a crash
     Location : perform_dry_run(), afl-fuzz.c:2781

To solve this problem, I typed this command
root@ubuntu:/home/aiden/p2im/fuzzing/PLC/5# ulimit -Sv $[2047 << 10]; /home/aiden/p2im/fuzzing/PLC/5/PLC.elf
Also this error occurs
bash: /home/aiden/p2im/fuzzing/PLC/5/PLC.elf: cannot execute binary file: Exec format error

Is there any way to make p2im recognize the 16 GB of memory allocated to the VM? or is there no other way to unlock the limit via ulimit -Sv?
/etc/security/limits.conf has already been modified.
