From 8a7ecdd936871a3d6d4a08d05678ca03c5539187 Mon Sep 17 00:00:00 2001 From: Tamas K Lengyel Date: Thu, 11 Jun 2020 11:40:28 -0600 Subject: [PATCH] Add README.md --- README | 1 + README.md | 239 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 240 insertions(+) create mode 100644 README.md diff --git a/README b/README index e69de29..3389200 100644 --- a/README +++ b/README @@ -0,0 +1 @@ +See README.md \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..0f8cc71 --- /dev/null +++ b/README.md @@ -0,0 +1,239 @@ +# Memory Replay PoC for Xen Project* + +This project is intended to illustrate the harnessing required to perform +memory replay-based fuzzing through the Xen VMI API. The tool utilizes Xen VM +forks to perform the fuzzing. The tool records memory accesses made by a target +process within a VM and replays the previously recorded values to future memory +accesses. + +Code coverage information is collected purely for debugging purposes to verify +when new paths are triggered. Code coverage is implemented using Capstone to +dynamically disassemble the target code to locate the next control-flow +instruction. The instruction is breakpointed and when the breakpoint triggers, +MTF is activated to advance the VM ahead, then the processes is repeated again. + +This project is licensed under the terms of the MIT license + +# Setup instruction for Ubuntu: + +The following instructions have been mainly tested on Ubuntu 20.04. The actual +package names may vary on different distros/versions. You may also find +https://wiki.xenproject.org/wiki/Compiling_Xen_From_Source helpful if you run +into issues. + +# 1. Install dependencies +---------------------------------- +sudo apt install git build-essential libfdt-dev libpixman-1-dev libssl-dev \ + libsdl1.2-dev autoconf libtool xtightvncviewer tightvncserver x11vnc \ + libsdl1.2-dev uuid-runtime uuid-dev bridge-utils python3-dev liblzma-dev \ + libc6-dev wget git bcc bin86 gawk iproute2 libcurl4-openssl-dev bzip2 \ + libpci-dev libc6-dev libc6-dev-i386 linux-libc-dev zlib1g-dev \ + libncurses5-dev patch libvncserver-dev libssl-dev libsdl-dev iasl \ + libbz2-dev e2fslibs-dev ocaml libx11-dev bison flex ocaml-findlib \ + xz-utils gettext libyajl-dev libpixman-1-dev libaio-dev libfdt-dev \ + cabextract libglib2.0-dev autoconf automake libtool libjson-c-dev \ + libfuse-dev liblzma-dev autoconf-archive kpartx python3-pip gcc-7 \ + libsystemd-dev cmake snap + +# 2. Grab the project and all submodules +---------------------------------- +git clone git://xenbits.xen.org/people/tklengyel/memory-replay.git +cd memory-replay +git submodule update --init + +# 3. Compile & Install Xen +---------------------------------- +There had been some compiler issues with newer gcc's so set your gcc version to GCC-7: + +sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-7 7 + +Make sure the pci include folder exists at `/usr/include/pci`. In case it doesn't create a symbolic link to where it's installed at: + +sudo ln -s /usr/include/x86_64-linux-gnu/pci /usr/include/pci + +Now we can compile Xen: + +cd xen +echo XEN_CONFIG_EXPERT=y > .config +echo CONFIG_MEM_SHARING=y > xen/.config +./configure --disable-pvshim --enable-githttp +make -C xen olddefconfig +make -j4 dist-xen +make -j4 dist-tools +sudo su +make -j4 install-xen +make -j4 install-tools +echo "/usr/local/lib" > /etc/ld.so.conf.d/xen.conf +ldconfig +echo "none /proc/xen xenfs defaults,nofail 0 0" >> /etc/fstab +systemctl enable xen-qemu-dom0-disk-backend.service +systemctl enable xen-init-dom0.service +systemctl enable xenconsoled.service +echo "GRUB_CMDLINE_XEN_DEFAULT=\"console=vga hap_1gb=false hap_2mb=false\"" +update-grub +reboot + +Make sure to pick the Xen entry in GRUB when booting. You can verify you booted +into Xen correctly by running `xen-detect`. + +## 3.b Booting from UEFI + +If Xen doesn't boot from GRUB you can try to boot it from UEFI directly: + +mkdir -p /boot/efi/EFI/xen +cp /usr/lib/efi/xen.efi /boot/efi/EFI/xen +cp /boot/vmlinuz /boot/efi/EFI/xen +cp /boot/initrd.img /boot/efi/EFI/xen + +Gather your kernel boot command line from /proc/cmdline & paste the following +into /boot/efi/EFI/xen/xen.cfg: + + [global] + default=xen + + [xen] + options=console=vga hap_1gb=false hap_2mb=false + kernel=vmlinuz console=hvc0 earlyprintk=xen + ramdisk=initrd.img + +Create an EFI boot entry for it: + +efibootmgr -c -d /dev/sda -p 1 -w -L "Xen" -l "\EFI\xen\xen.efi" +reboot + +You may want to use the `-C` option above if you are on a remote system so you +can set only the next-boot to try Xen. This is helpful in case the system can't +boot Xen and you don't have remote KVM to avoid losing access in case Xen can't +boot for some reason. Use `efibootmgr --bootnext ` to try +boot Xen only on the next reboot. + +# 4. Create VM disk image +---------------------------------- +20GB is usually sufficient but if you are planning to compile the kernel from source you will want to increase that. + +dd if=/dev/zero of=vmdisk.img bs=1G count=20 + +# 5. Setup networking +---------------------------------- +sudo brctl addbr xenbr0 +sudo ip addr add 10.0.0.1/24 dev xenbr0 +sudo ip link set xenbr0 up +sudo echo 1 > /proc/sys/net/ipv4/ip_forward +sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE + +You might also want to save this as a script or add it to /etc/rc.local. See +https://www.linuxbabe.com/linux-server/how-to-enable-etcrc-local-with-systemd +for more details. + +# 6. Create VM +---------------------------------- +Paste the following as your domain config, for example into `debian.cfg`, tune it as you see fit. It's important the VM has only a single vCPU. + + name="debian" + builder="hvm" + vcpus=1 + maxvcpus=1 + memory=2048 + maxmem=2048 + hap=1 + boot="cd" + serial="pty" + vif=['bridge=xenbr0'] + vnc=1 + vnclisten="0.0.0.0" + vncpasswd='1234567' + usb=1 + usbdevice=['tablet'] + # Make sure to update the paths below! + disk=['file:/path/to/vmdisk.img,xvda,w', + 'file:/path/to/debian.iso,xvdc:cdrom,r'] + +Start the VM with: + +sudo xl create -V debian.cfg + +Follow the installation instructions in the VNC session. Configure the network +manually to 10.0.0.2 with a default route via 10.0.0.1 + +# 7. Grab the kernel's debug symbols & headers +---------------------------------- +On Debian systems you can install everything right away + +su - +apt update && sudo apt install linux-image-$(uname -r)-dbg \ + linux-headers-$(uname -r) + +On Ubuntu to install the Kernel debug symbols please follow the following +tutorial: https://wiki.ubuntu.com/Debug%20Symbol%20Packages + +From the VM copy `/usr/lib/debug/boot/vmlinux-$(uname -r)` and +`/boot/System.map-$(uname -r)` to your dom0, for example using scp. + +# 8. Build the kernel's debug JSON profile +--------------------------------- +Change the paths to match your setup + +sudo snap install --classic go +cd dwarf2json +go build +./dwarf2json linux --elf /path/to/vmlinux --system-map /path/to/System.map \ + > ~/debian.json +cd .. + +# 9. Compile & install Capstone +--------------------------------- +We use a more recent version from the submodule (4.0.2) then what most distros +ship by default. If your distro ships a newer version you could also just +install `libcapstone-dev`. + +cd capstone +mkdir build +cd build +cmake .. +make +make install +cd ../.. + +# 10. Compile & install LibVMI +--------------------------------- +cd libvmi +autoreconf -vif +./configure --disable-kvm --disable-bareflank --disable-file +make -j4 +sudo make install +cd .. + +Test that base VMI works with: +sudo vmi-process-list --name debian --json ~/debian.json + +# 11. Compile shredder +--------------------------------- +autoreconf -vif +./configure +make -j4 + +# 12. Use gdb to add the harness breakpoints to the target process +--------------------------------- +You can use a standard debugger to place the start and end harness breakpoints +to your target process. Or you can also add it via inline assembly: + +static inline void harness(void) +{ + asm ("int3"); +} + +You can insert the harness before and after the code segment you want to fuzz: + + harness(); + // code to test here + harness(); + +# 13. Start fuzzing +--------------------------------- +Start running shredder: +sudo ./shredder --domain debian --json-path /path/to/kernel.json --fuzz + +Execute the target application in the VM to start the fuzzing session. + +--------------------------------- +*Other names and brands may be claimed as the property of others -- 2.39.5