ris3-lab / p2im
This is the source code for P2IM paper (accepted to Usenix Security'20)
License: Other
Hello, I am studying and experimenting with P2IM.
I want to run firmware using P2IM. The error "KeyError: 255" occurs in the me.py code. This means that the return value is 0xff when QEMU is run as a subprocess, and it is not defined in the rv dictionary of the me.py code. This results in an error.
What is the meaning of the QEMU return value 0xff?
If I ignore this error and proceed, there are a myriad of rounds with the phrase "There is aup, run Me." (where the "Stage 2 returned to unexpected reasons!" part indicates a KeyError: 255 error; I simply added 0xff to the dictionary so it would not print errors.)
And at the end, fuzzing does not proceed with the following error.
I proceeded with the firmware that added the mcu and startForkserver part, and I wonder how to solve the error.
I am trying to use the precompiled QEMU image to fuzz with P2IM and I am receiving the following error:
p2im/qemu/precompiled_bin/qemu-system-gnuarmeclipse: symbol lookup error: /home/circleci/p2im/qemu/precompiled_bin/librt.so.1: undefined symbol: __clock_nanosleep, version GLIBC_PRIVATE
I tried to recompile using the instructions from the repo, but the error persisted.
Unfortunately, fuzz.py and me.py are also failing due to this error.
Does anyone have a clue how to solve it?
I am trying to run P2IM with a precompiled firmware from the repo (the one named "Console"). I have followed the steps from the README, and the command model_instantiation/fuzz.py -c $WORKING_DIR/fuzz.cfg
is triggering the following error:
cmd_me0: /root/p2im//model_instantiation/me.py -c /root/p2im/fuzzing/console/01/fuzz.cfg --run-num 0 --print-to-file
Change working dir to: 0/
CWD: /root/p2im/fuzzing/console/01/0
Redirect stdout to file named stdout
Traceback (most recent call last):
File "/root/p2im//model_instantiation/me.py", line 1146, in <module>
ret_val = stage1()
File "/root/p2im//model_instantiation/me.py", line 347, in stage1
ret_val = qemu_run(cmd, cfg.retry_num, stage)
File "/root/p2im//model_instantiation/me.py", line 188, in qemu_run
color_print(error_rv[stage][ret_val], "red")
KeyError: 1
Do you know what could be the cause for this?
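Both tracebacks above (KeyError: 255 in the first report, KeyError: 1 in this one) come from indexing a return-value dictionary with whatever exit status the QEMU child happened to produce. As an added example, not code from P2IM's me.py, the runner below classifies a child's exit status without that failure mode: signal deaths (negative returncodes), timeouts (the case fuzz.py reports as "qemu hangs") and binaries that cannot be started are all reported instead of raised, and codes missing from the table come back as "unmapped" with the raw value. STAGE_RV is a hypothetical stand-in for me.py's rv/error_rv tables, and the child commands are constructed stand-ins for the qemu-system-gnuarmeclipse invocation.

```python
"""Classify a QEMU child's exit status without raising KeyError.

Added example, not code from P2IM's me.py. STAGE_RV is a hypothetical
stand-in for me.py's rv/error_rv tables; the child commands in demo()
are constructed stand-ins for the qemu-system-gnuarmeclipse invocation.
"""
import signal
import subprocess
import sys

# Hypothetical exit-code table; the real me.py mapping is not reproduced here.
STAGE_RV = {
    0: "ok",
    1: "qemu reported an error",
    2: "aup found, run ME",
}


def classify_rc(rc, table=STAGE_RV):
    """Return (category, detail) for a subprocess returncode.

    Unlike table[rc], this never raises: signal deaths come back as
    'killed', codes missing from the table as 'unmapped' with the raw value.
    """
    if rc < 0:
        # subprocess reports death by signal as -signum.
        try:
            name = signal.Signals(-rc).name
        except ValueError:
            name = "signal %d" % -rc
        return "killed", "terminated by %s" % name
    if rc in table:
        return "mapped", table[rc]
    if rc == 255:
        # 0xff is what exit(-1) becomes once truncated to 8 bits; surface it
        # together with the child's stderr instead of treating it as known.
        return "unmapped", "exit status 255 (0xff): not in table, inspect stderr"
    return "unmapped", "exit status %d: not in table" % rc


def run_classified(cmd, timeout_s, table=STAGE_RV):
    """Run cmd and return (category, detail, stderr_text).

    A child that does not exit within timeout_s is killed and reported as
    'hang'; a binary that cannot be started at all is reported as
    'exec-failed' rather than raised.
    """
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return "hang", "no exit within %gs" % timeout_s, ""
    except OSError as exc:
        return "exec-failed", str(exc), ""
    category, detail = classify_rc(proc.returncode, table)
    return category, detail, proc.stderr.decode(errors="replace")


def demo():
    """Exercise the runner with constructed children (not real firmware runs)."""
    py = sys.executable
    return [
        run_classified([py, "-c", "import sys; sys.exit(255)"], 5)[:2],
        run_classified([py, "-c", "import sys; sys.exit(2)"], 5)[:2],
        run_classified([py, "-c", "import time; time.sleep(30)"], 1)[:2],
        run_classified(["/nonexistent/qemu-system-gnuarmeclipse"], 5)[:2],
    ]


if __name__ == "__main__":
    for category, detail in demo():
        print("%-12s %s" % (category, detail))
```

When an "unmapped" status shows up, the child's stderr is the first thing to read: a dynamic-linker failure like the librt.so.1 symbol lookup error reported earlier on this page produces an exit status that no model-extraction table will ever contain.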
I notice that the project has .cfg files (such as Robot Debug.cfg). Is the Robot missing its .cfg file?
I use p2im to find some crashes. After running some crash files with the run_fw.py script without '--debug', QEMU always prints 'Run out of input bytes' or 'illegal read at xxx'. Are these crash files really inputs that cause the firmware to crash?
I'm using utilities/coverage/cov.py to calculate fuzzing coverage,
but I notice that cov.py only mkdirs at line 306 and does not copy my test firmware into <working_dir/coverage>.
Then it checks whether my firmware is in <working_dir/coverage> at line 315.
Maybe we need some code like
shutil.copyfile(cfg.firmware, cov_path + '/' + cfg.firmware)
at line 307 to make sure the firmware can be checked?
It appears that models generated during fuzzing can exceed the limits enforced in peri-mod.c.
23 hours into fuzzing the supplied gateway firmware, the number of paths found stopped growing. Rerunning any of the found crashes using the last peripheral model gives the error "error: too many events! Fail to load model from file" before execution of the firmware starts. The second-to-last peripheral model does trigger the crashes as expected.
Please let me know if you need a copy of any of the generated files.
Hi, Bo Feng.
When I used p2im to run 'p2im/externals/p2im-unit_tests/RIOT/USART', I found that there were thousands of paths pointing to the same unique crash in a short time. I was wondering whether there was the possibility of a false positive.
Then this is the result of its run_fw.py. I want to ask about this "[Error] Run out of input bytes!"
What does it mean, and how can it be replicated on the real device (if this test routine is running on the real firmware)?
This is the corresponding error location I found in the source code: 'p2im/externals/p2im-unit_tests/RIOT/RIOT-ENV/cpu/stm32_common/periph/uart.c'
I found that it just happened to call an initialization of the DR register. In addition, if I comment out this statement and recompile it to generate a new firmware for testing, it displays this:
These problems do not occur on real firmware, but they often occur on test routines.
I would be very grateful if I could receive your reply.
When I tried to run the unit test case ARDUINO-SAM3-ADC, I got the following message:
qemu hangs(pid: 15668). seed input should not hang!
Can someone help me here?
In the qemu.git/hw/arm/peri-mod.c file, it includes "peri-mod/peri-mod.h", but I cannot find this file, so what is the location of the file peri-mod/peri-mod.h?
I use Keil v5, which uses ARMCC (the ARM compiler) to compile. It issues errors because of the assembly code:
..\Src\afl_call.c(5): warning: #1207-D: unknown attribute "naked"
__attribute__ ((naked)) uint32_t aflCall(__attribute__ ((unused)) uint32_t a0, __attribute__ ((unused)) uint32_t a1, __attribute__ ((unused)) int32_t a2) {
..\Src\afl_call.c(11): error: #130: expected a "{"
__asm__ __volatile__ ("svc $0x3f\n\t"
..\Src\afl_call.c(11): warning: #174-D: expression has no effect
__asm__ __volatile__ ("svc $0x3f\n\t"
..\Src\afl_call.c(13): warning: #940-D: missing return statement at end of non-void function "aflCall"
}
..\Src\afl_call.c: 3 warnings, 1 error
So I changed the assembly code to:
__asm("svc $0x3f\n\t"
"bx %lr\n\t");
Keil also failed to compile it:
..\Src\afl_call.c(5): warning: #1207-D: unknown attribute "naked"
__attribute__ ((naked)) uint32_t aflCall(__attribute__ ((unused)) uint32_t a0, __attribute__ ((unused)) uint32_t a1, __attribute__ ((unused)) int32_t a2) {
..\Src\afl_call.c(11): error: #20: identifier "$0x3f" is undefined
__asm("svc $0x3f\n\t"
..\Src\afl_call.c(13): warning: #940-D: missing return statement at end of non-void function "aflCall"
}
..\Src\afl_call.c: 2 warnings, 1 error
So, is there any way to generate the required firmware for fuzzing using ARMCC?
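The second armcc error ("identifier "$0x3f" is undefined") is the compiler parsing `$0x3f` as a symbol: the `$` immediate prefix is GNU as syntax, while ARM unified assembler syntax writes the operand as `#0x3f` (ARM Compiler 5 also has a `__svc(0x3f)` function declaration that emits the instruction for you). Whichever spelling the compiler accepts, what matters for fuzzing is that the built image contains the same instruction the GCC build emits: the 16-bit Thumb encoding of `svc #0x3f` is the halfword 0xDF3F, stored little-endian as the bytes 3f df. The following is an added example, not code from P2IM or AFL: a Python check that decodes Thumb SVC instructions from a code section and walks instruction boundaries, so the second halfword of a 32-bit Thumb-2 instruction is never misread as an SVC. CODE is a constructed sample, not bytes from a real firmware.

```python
"""Verify that Thumb code bytes contain the AFL hypercall `svc #0x3f`.

Added example, not part of P2IM or AFL. Decodes the 16-bit Thumb SVC
encoding directly so an armcc-built aflCall() can be checked against the
instruction the GCC build emits. CODE below is a constructed sample.
"""
import struct

AFL_SVC_IMM = 0x3F  # immediate used by the AFL hypercall in afl_call.c


def thumb_svc(imm8):
    """Encode a 16-bit Thumb SVC: bits[15:8] = 0xDF, bits[7:0] = imm8."""
    if not 0 <= imm8 <= 0xFF:
        raise ValueError("SVC immediate must fit in 8 bits")
    return 0xDF00 | imm8


def svc_bytes(imm8):
    """Little-endian bytes of the SVC as they appear in a Thumb image."""
    return struct.pack("<H", thumb_svc(imm8))


def is_thumb2_first_halfword(hw):
    """True if hw opens a 32-bit Thumb-2 instruction (bits[15:11] = 0b11101/0b11110/0b11111)."""
    return (hw >> 11) in (0b11101, 0b11110, 0b11111)


def naive_halfword_scan(code, base=0):
    """Report every halfword that looks like an SVC, ignoring instruction boundaries.

    Kept only to show the false hit that boundary-blind scanning produces.
    """
    hits = []
    for off in range(0, len(code) - 1, 2):
        (hw,) = struct.unpack_from("<H", code, off)
        if hw & 0xFF00 == 0xDF00:
            hits.append((base + off, hw & 0xFF))
    return hits


def find_thumb_svcs(code, base=0):
    """Return [(address, imm8)] for every 16-bit SVC in little-endian Thumb code.

    Walks instruction boundaries: after a 32-bit instruction's first halfword
    the second halfword is skipped, so it cannot be misread as an SVC.
    """
    hits = []
    off = 0
    while off + 2 <= len(code):
        (hw,) = struct.unpack_from("<H", code, off)
        if is_thumb2_first_halfword(hw):
            off += 4
            continue
        if hw & 0xFF00 == 0xDF00:
            hits.append((base + off, hw & 0xFF))
        off += 2
    return hits


def has_afl_hypercall(code, base=0):
    """True if the code contains svc #0x3f at an instruction boundary."""
    return any(imm == AFL_SVC_IMM for _, imm in find_thumb_svcs(code, base))


# Constructed little-endian Thumb sample: a minimal aflCall body
#   df3f    svc  0x3f
#   4770    bx   lr
# followed by the 32-bit Thumb-2 prefix halfword f04f and then the halfword
# df3f, which a boundary-blind scan would misreport as a second SVC.
CODE = bytes.fromhex("3fdf" "7047" "4ff0" "3fdf")

if __name__ == "__main__":
    print("svc #0x3f bytes:", svc_bytes(AFL_SVC_IMM).hex())
    print("naive scan     :", naive_halfword_scan(CODE))
    print("boundary-aware :", find_thumb_svcs(CODE))
    print("hypercall found:", has_afl_hypercall(CODE))
```

To run it against a real build, extract the code section first (for example `arm-none-eabi-objcopy -O binary -j .text firmware.elf text.bin`) and pass its bytes with the section's load address as `base`; an image whose aflCall() compiled to anything other than 0xDF3F will start under the P2IM QEMU without ever reaching the forkserver.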
I built the Steering_Control example firmware using the command in README.md (although I had to install the needed Arduino packages first):
# cd REPO/externals/p2im-real_firmware/Steering_Control
# ../deps/arduino-cli core install arduino:sam
# ../deps/arduino-cli lib install Servo
# ../deps/arduino-cli/arduino-cli compile -b arduino:sam:arduino_due_x_dbg *.ino --build-path `realpath ./build` -o firmware
Then I created a fuzzing directory for firmware.elf and edited fuzz.cfg. When I run fuzz.py, qemu apparently hangs:
root@p2im:/workspace/fuzzing/Steering_Control/2# /root/p2im/model_instantiation/fuzz.py -c fuzz.cfg
Change working dir to: /workspace/fuzzing/Steering_Control/2
CWD: /workspace/fuzzing/Steering_Control/2
try our best to extract model w/o input
cmd_me0: /root/p2im/model_instantiation/me.py -c /workspace/fuzzing/Steering_Control/2/fuzz.cfg --run-num 0 --print-to-file
Change working dir to: 0/
CWD: /workspace/fuzzing/Steering_Control/2/0
Redirect stdout to file named stdout
extract model for each seed input
0.random.1
run f/w w/ seed input to check if there is aup
cmd_qemu: /root/p2im/qemu/precompiled_bin/qemu-system-gnuarmeclipse -nographic -aflFile /workspace/fuzzing/Steering_Control/2/inputs/random -board Arduino-Due -mcu SAM3X8E -image /workspace/fuzzing/Steering_Control/2/firmware.elf -pm-stage 3 -model-input /workspace/fuzzing/Steering_Control/2/0/peripheral_model.json -me-bin /root/p2im/model_instantiation/me.py -me-config /workspace/fuzzing/Steering_Control/2/fuzz.cfg
qemu hangs(pid: 32343). seed input should not hang!
No aup, don't run ME
launch fuzzer
cmd_afl: /root/p2im/afl/afl-fuzz -i /workspace/fuzzing/Steering_Control/2/inputs -o /workspace/fuzzing/Steering_Control/2/outputs -t 150+ -QQ -a /root/p2im/model_instantiation/me.py -b /workspace/fuzzing/Steering_Control/2/fuzz.cfg -c /workspace/fuzzing/Steering_Control/2/0/peripheral_model.json -T Steering_Control_2 -d /root/p2im/qemu/precompiled_bin/qemu-system-gnuarmeclipse -nographic -board Arduino-Due -mcu SAM3X8E -image /workspace/fuzzing/Steering_Control/2/firmware.elf -pm-stage 3 -aflFile @@
afl-fuzz 2.06b by <[email protected]>
[+] You have 2 CPU cores and 3 runnable tasks (utilization: 150%).
[*] Checking core_pattern...
[*] Setting up output directories...
[*] Scanning '/workspace/fuzzing/Steering_Control/2/inputs'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:random'...
[!] WARNING: Test case results in a hang (skipping)
[-] PROGRAM ABORT : All test cases time out, giving up!
Location : perform_dry_run(), afl-fuzz.c:2812
Using the run_fw.py script to attach a debugger, I see that the code is looping in the delay() function, repeatedly calling GetTickCount(), but the result is always 0, so delay never returns.
Is there a way to turn on the timer emulation, or should it be driven by an interrupt?
I'm using an Ubuntu 16.04 docker image, gcc-arm-none-eabi-10.3.2021 (objdump 2.36.1.20210621), and the precompiled qemu.
Hi @bofeng17
When I read and run fuzz.py, I don't understand what "f/w w/" and "aup" mean. What are these?
color_print("run f/w w/ seed input to check if there is aup")
cmd_qemu = [cfg.qemu_bin, "-nographic", "-aflFile", seed,
            "-board", cfg.board, "-mcu", cfg.mcu, "-image", cfg.img,
            "-pm-stage", "3", "-model-input", args.model_if,
            # options below are not used in no forkserver mode
            "-me-bin", cfg.me_bin, "-me-config", args.config]
Hi, we tried to extend this work to support other boards and other firmware. The firmware we chose reads files from an SD card. Now the fuzzing process does not work, and we could not confirm the modification of the qemu source code to support other boards. Could you please let us know whether this work supports SD card peripheral emulation or not? Thank you!
I've followed the instructions in build_qemu.md, but once I execute the
WORK_FOLDER_PATH=`pwd`/src ./build_scripts/build-qemu.sh --deb64 --no-strip
command I end up with the following output. I've seen other issues with similar docker problems that suggest running an update/upgrade in the container, but it's not like I can open a shell in the container since it starts up executing that build script right away. Is there a solution?
Using "/media/sf_Masterarbeit/DICE-DMA-Emulation/p2im/qemu/src" as Work folder...
Helper script: "/media/sf_Masterarbeit/DICE-DMA-Emulation/p2im/qemu/src/scripts/build-helper.sh".
Script "./build_scripts/build-qemu.sh" started at Tue Aug 29 06:30:56 PM EDT 2023.
Running on Ubuntu 64-bits.
Checking host curl...
curl 7.85.0 (x86_64-pc-linux-gnu) libcurl/7.85.0 OpenSSL/3.0.5 zlib/1.2.11 brotli/1.0.9 zstd/1.5.2 libidn2/2.3.3 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.49.0 librtmp/2.3
Checking host git...
git version 2.37.2
Checking Docker...
Docker version 24.0.5, build ced0996
Checking host automake...
automake (GNU automake) 1.16.5
Checking host patch...
GNU patch 2.7.6
Checking host tar...
tar (GNU tar) 1.34
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by John Gilmore and Jay Fenlason.
Checking host unzip...
UnZip 6.00 of 20 April 2009, by Debian. Original by Info-ZIP.
Checking host makeinfo...
texi2any (GNU texinfo) 6.8
================================================================================
Creating Debian 64-bits archive...
Running "build.sh" script inside "qemu-debian64-build" container, image "ilegeul/debian:8-gnuarm-gcc-x11-v4"...
Linux docker 5.19.0-46-generic #47-Ubuntu SMP PREEMPT_DYNAMIC Fri Jun 16 13:30:11 UTC 2023 x86_64 GNU/Linux
Checking automake...
automake (GNU automake) 1.14.1
Checking pkg-config...
0.28
Checking readelf...
GNU readelf (GNU Binutils for Debian) 2.25
Checking gcc...
gcc (Debian 4.9.2-10) 4.9.2
Checking patchelf...
patchelf 0.8
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
libblkid-dev libdrm-dev uuid-dev
The following NEW packages will be installed:
libblkid-dev libdrm-dev libmount-dev mesa-common-dev uuid-dev
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 939 kB of archives.
After this operation, 4548 kB of additional disk space will be used.
Err http://http.debian.net/debian/ jessie/main uuid-dev amd64 2.25.2-6
404 Not Found
Err http://http.debian.net/debian/ jessie/main libblkid-dev amd64 2.25.2-6
404 Not Found
Err http://http.debian.net/debian/ jessie/main libdrm-dev amd64 2.4.58-2
404 Not Found
Err http://http.debian.net/debian/ jessie/main mesa-common-dev amd64 10.3.2-1+deb8u1
404 Not Found
Err http://http.debian.net/debian/ jessie/main libmount-dev amd64 2.25.2-6
404 Not Found
E: Failed to fetch http://http.debian.net/debian/pool/main/u/util-linux/uuid-dev_2.25.2-6_amd64.deb 404 Not Found
E: Failed to fetch http://http.debian.net/debian/pool/main/u/util-linux/libblkid-dev_2.25.2-6_amd64.deb 404 Not Found
E: Failed to fetch http://http.debian.net/debian/pool/main/libd/libdrm/libdrm-dev_2.4.58-2_amd64.deb 404 Not Found
E: Failed to fetch http://http.debian.net/debian/pool/main/m/mesa/mesa-common-dev_10.3.2-1+deb8u1_amd64.deb 404 Not Found
E: Failed to fetch http://http.debian.net/debian/pool/main/u/util-linux/libmount-dev_2.25.2-6_amd64.deb 404 Not Found
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
Hi, I ran p2im with the RIOT gnrc_networking, gnrc_border_router and posix_sockets test cases but failed. Do you support network fuzzing?
Hi Bo, when I use the build_script to build qemu, the following error appears:
Cloning 'git@github.com:bofeng17/iot-fuzzer-qemu_mode.git'...
Cloning into 'qemu.git'....
ERROR: Repository not found.
fatal: Could not read from remote repository.
Hello, I am trying to get the qemu log information while afl is running. When I change "cmd_afl_qemu" in fuzz.py and add "-d out_asm" at the end of cmd_afl_qemu, afl cannot run and stops in perform_dry_run().
I also found there is a configuration option in fuzz.cfg, so I changed the [qemu] log and added -D qemu.log; the program runs and cannot stop, creating new files like 0_ranom.xxx.
I am trying to capture the assembly code run in every loop of AFL.
Thank you for the help!
I am using p2im on Ubuntu 16.05 LTS on VMWare.
The settings of VM are as below.
Memory 14.9GB Processors 4 Hard Disk 60GB
I used the PLC from https://github.com/RiS3-Lab/p2im-real_firmware/tree/master/PLC
and ran it with this command: <repo_path>/model_instantiation/fuzz.py -c fuzz.cfg
This error occurs:
[-] Oops, the program crashed with one of the test cases provided. There are
several possible explanations:
- The test case causes known crashes under normal working conditions. If
so, please remove it. The fuzzer should be seeded with interesting
inputs - but not ones that cause an outright crash.
- The current memory limit (2.00 GB) is too low for this program, causing
it to die due to OOM when parsing valid files. To fix this, try
bumping it up with the -m setting in the command line. If in doubt,
try something along the lines of:
( ulimit -Sv $[2047 << 10]; /path/to/binary [...] <testcase )
Tip: you can use http://jwilk.net/software/recidivm to quickly
estimate the required amount of virtual memory for the binary. Also,
if you are using ASAN, see docs/notes_for_asan.txt.
- Least likely, there is a horrible bug in the fuzzer. If other options
fail, poke <[email protected]> for troubleshooting tips.
[-] PROGRAM ABORT : Test case 'id:000000,orig:random' results in a crash
Location : perform_dry_run(), afl-fuzz.c:2781
To solve this problem, I typed this command:
root@ubuntu:/home/aiden/p2im/fuzzing/PLC/5# ulimit -Sv $[2047 << 10]; /home/aiden/p2im/fuzzing/PLC/5/PLC.elf
But this error occurs:
bash: /home/aiden/p2im/fuzzing/PLC/5/PLC.elf: cannot execute binary file: Exec format error
Is there any way to make p2im recognize the 16 GB of memory allocated to the VM? Or is there no other way to unlock the limit via ulimit -Sv?
/etc/security/limits.conf has already been modified.