From owner-svn-ports-head@freebsd.org Sat Sep 30 15:13:35 2017 Return-Path: Delivered-To: svn-ports-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2D1CFE293AF; Sat, 30 Sep 2017 15:13:35 +0000 (UTC) (envelope-from rene@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 007017275D; Sat, 30 Sep 2017 15:13:34 +0000 (UTC) (envelope-from rene@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v8UFDX5e004847; Sat, 30 Sep 2017 15:13:33 GMT (envelope-from rene@FreeBSD.org) Received: (from rene@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v8UFDW0i004837; Sat, 30 Sep 2017 15:13:33 GMT (envelope-from rene@FreeBSD.org) Message-Id: <201709301513.v8UFDW0i004837@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rene set sender to rene@FreeBSD.org using -f From: Rene Ladan Date: Sat, 30 Sep 2017 15:13:32 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r450997 - in head/security: . sandsifter sandsifter/files X-SVN-Group: ports-head X-SVN-Commit-Author: rene X-SVN-Commit-Paths: in head/security: . sandsifter sandsifter/files X-SVN-Commit-Revision: 450997 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Sep 2017 15:13:35 -0000 Author: rene Date: Sat Sep 30 15:13:32 2017 New Revision: 450997 URL: https://svnweb.freebsd.org/changeset/ports/450997 Log: The sandsifter audits x86 processors for hidden instructions and hardware bugs, by systematically generating machine code to search through a processor's instruction set, and monitoring execution for anomalies. Sandsifter has uncovered secret processor instructions from every major vendor; ubiquitous software bugs in disassemblers, assemblers, and emulators; flaws in enterprise hypervisors; and both benign and security-critical hardware bugs in x86 chips. WWW: https://github.com/xoreaxeaxeax/sandsifter PR: 221132 Submitted by: rozhuk.im AT gmail.com Reviewed by: swills Added: head/security/sandsifter/ head/security/sandsifter/Makefile (contents, props changed) head/security/sandsifter/distinfo (contents, props changed) head/security/sandsifter/files/ head/security/sandsifter/files/patch-Makefile (contents, props changed) head/security/sandsifter/files/patch-injector.c (contents, props changed) head/security/sandsifter/files/patch-sifter.py (contents, props changed) head/security/sandsifter/pkg-descr (contents, props changed) head/security/sandsifter/pkg-message (contents, props changed) head/security/sandsifter/pkg-plist (contents, props changed) Modified: head/security/Makefile Modified: head/security/Makefile ============================================================================== --- head/security/Makefile Sat Sep 30 15:04:19 2017 (r450996) +++ head/security/Makefile Sat Sep 30 15:13:32 2017 (r450997) @@ -1119,6 +1119,7 @@ SUBDIR += samhain-client SUBDIR += samhain-server SUBDIR += sancp + SUBDIR += sandsifter SUBDIR += sasp SUBDIR += scamp SUBDIR += scanhill Added: head/security/sandsifter/Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/sandsifter/Makefile Sat Sep 30 15:13:32 2017 (r450997) @@ -0,0 +1,41 @@ +# $FreeBSD$ + +PORTNAME= sandsifter +PORTVERSION= 0.1 +CATEGORIES= security + +MAINTAINER= rene@FreeBSD.org +COMMENT= Processor fuzzer for x86 CPUs + +BUILD_DEPENDS= ${LOCALBASE}/include/capstone/capstone.h:devel/capstone3 +RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}capstone>0:devel/py-capstone + +USES= gmake python localbase shebangfix + +ONLY_FOR_ARCH= amd64 i386 +ONLY_FOR_ARCH_RAESON=Designed for x86 + +USE_GITHUB= yes +GH_ACCOUNT= xoreaxeaxeax +GH_TAGNAME= dff63246fed84d90118441b8ba5b5d3bdd094427 +SHEBANG_FILES= sifter.py summarize.py + +OPTIONS_DEFINE= DOCS + +PORTDOCS= references/* + +do-install: + (cd ${WRKSRC} && ${COPYTREE_SHARE} gui ${STAGEDIR}${DATADIR}) + (cd ${WRKSRC} && ${COPYTREE_SHARE} pyutil ${STAGEDIR}${DATADIR}) + ${INSTALL_PROGRAM} ${WRKSRC}/injector ${STAGEDIR}${PREFIX}/bin + ${INSTALL_SCRIPT} ${WRKSRC}/sifter.py ${STAGEDIR}${DATADIR} + ${INSTALL_SCRIPT} ${WRKSRC}/summarize.py ${STAGEDIR}${DATADIR} + ${RLN} ${STAGEDIR}${DATADIR}/sifter.py ${STAGEDIR}${PREFIX}/bin/sifter + ${RLN} ${STAGEDIR}${DATADIR}/summarize.py ${STAGEDIR}${PREFIX}/bin/summarize + ${MKDIR} ${STAGEDIR}${DOCSDIR} + ${INSTALL_DATA} ${WRKSRC}/README.md ${STAGEDIR}${DOCSDIR} + +post-install-DOCS-on: + ${INSTALL_DATA} ${WRKSRC}/references/* ${STAGEDIR}${DOCSDIR} + +.include Added: head/security/sandsifter/distinfo ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/sandsifter/distinfo Sat Sep 30 15:13:32 2017 (r450997) @@ -0,0 +1,3 @@ +TIMESTAMP = 1505751266 +SHA256 (xoreaxeaxeax-sandsifter-0.1-dff63246fed84d90118441b8ba5b5d3bdd094427_GH0.tar.gz) = 010d662705bb67035e3d6b93a0fbe0bcf7ab2b5ba93e6eb977eb614c7dec3691 +SIZE (xoreaxeaxeax-sandsifter-0.1-dff63246fed84d90118441b8ba5b5d3bdd094427_GH0.tar.gz) = 5284438 Added: head/security/sandsifter/files/patch-Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/sandsifter/files/patch-Makefile Sat Sep 30 15:13:32 2017 (r450997) @@ -0,0 +1,11 @@ +--- Makefile.orig 2017-07-27 19:17:30 UTC ++++ Makefile +@@ -32,7 +32,7 @@ + all: injector + + injector: injector.o +- $(CC) $(CFLAGS) $< -O3 -Wall -l:libcapstone.a -o $@ -pthread ++ $(CC) $(CFLAGS) $(LIBS) $(LDFLAGS) $< -Wall -l:libcapstone.a -o $@ -pthread + + %.o: %.c + $(CC) $(CFLAGS) -c $< -o $@ -Wall Added: head/security/sandsifter/files/patch-injector.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/sandsifter/files/patch-injector.c Sat Sep 30 15:13:32 2017 (r450997) @@ -0,0 +1,107 @@ +--- injector.c.orig 2017-07-27 19:17:30 UTC ++++ injector.c +@@ -77,10 +77,24 @@ cs_insn *capstone_insn; + + /* 32 vs 64 */ + +-#if __x86_64__ +- #define IP REG_RIP ++#ifdef __linux__ ++# define PAGE_SIZE 4096 ++# define EFL gregs[REG_EFL] ++# if __x86_64__ ++# define IP gregs[REG_RIP] ++# else ++# define IP gregs[REG_EIP] ++# endif + #else +- #define IP REG_EIP ++# include ++ typedef cpuset_t cpu_set_t; ++# if __x86_64__ ++# define IP mc_rip ++# define EFL mc_rflags ++# else ++# define IP mc_eip ++# define EFL mc_eflags ++# endif + #endif + + /* leave state as 0 */ +@@ -155,7 +169,6 @@ state_t inject_state={ + /* x86/64 */ + + #define UD2_SIZE 2 +-#define PAGE_SIZE 4096 + #define TF 0x100 + + /* injection */ +@@ -293,6 +306,10 @@ ignore_op_t opcode_blacklist[MAX_BLACKLIST]={ + { "\xcd\x80", "int 0x80" }, + /* as will syscall */ + { "\x0f\x05", "syscall" }, ++ /* int 92 on FreeBSD triggers DTrace, which will trigger SIGSYS */ ++ { "\xcd\x92", "int 0x92" }, ++ /* int 93 on FreeBSD is used by Xen */ ++ { "\xcd\x93", "int 0x93" }, + /* ud2 is an undefined opcode, and messes up a length differential search + * b/c of the fault it throws */ + { "\x0f\xb9", "ud2" }, +@@ -850,7 +867,7 @@ void inject(int insn_size) + void state_handler(int signum, siginfo_t* si, void* p) + { + fault_context=((ucontext_t*)p)->uc_mcontext; +- ((ucontext_t*)p)->uc_mcontext.gregs[IP]+=UD2_SIZE; ++ ((ucontext_t*)p)->uc_mcontext.IP+=UD2_SIZE; + } + + void fault_handler(int signum, siginfo_t* si, void* p) +@@ -863,7 +880,7 @@ void fault_handler(int signum, siginfo_t* si, void* p) + + /* make an initial estimate on the instruction length from the fault address */ + insn_length= +- (uintptr_t)uc->uc_mcontext.gregs[IP]-(uintptr_t)packet-preamble_length; ++ (uintptr_t)uc->uc_mcontext.IP-(uintptr_t)packet-preamble_length; + + if (insn_length<0) { + insn_length=JMP_LENGTH; +@@ -880,9 +897,13 @@ void fault_handler(int signum, siginfo_t* si, void* p) + (signum==SIGSEGV||signum==SIGBUS)?(uint32_t)(uintptr_t)si->si_addr:(uint32_t)-1 + }; + ++#ifdef __linux__ + memcpy(uc->uc_mcontext.gregs, fault_context.gregs, sizeof(fault_context.gregs)); +- uc->uc_mcontext.gregs[IP]=(uintptr_t)&resume; +- uc->uc_mcontext.gregs[REG_EFL]&=~TF; ++#else ++ memcpy(&uc->uc_mcontext, &fault_context, sizeof(fault_context)); ++#endif ++ uc->uc_mcontext.IP=(uintptr_t)&resume; ++ uc->uc_mcontext.EFL&=~TF; + } + + void configure_sig_handler(void (*handler)(int, siginfo_t*, void*)) +@@ -1341,7 +1362,13 @@ void pin_core(void) + cpu_set_t mask; + CPU_ZERO(&mask); + CPU_SET(config.core,&mask); +- if (sched_setaffinity(0, sizeof(mask), &mask)) { ++#ifdef __linux__ ++ if (sched_setaffinity(0, sizeof(mask), &mask)) ++#else ++ if (cpuset_setaffinity(CPU_LEVEL_WHICH, CPU_WHICH_PID, ++ -1, sizeof(mask), &mask)) ++#endif ++ { + printf("error: failed to set cpu\n"); + exit(1); + } +@@ -1439,7 +1466,7 @@ int main(int argc, char** argv) + null_p=mmap(0, PAGE_SIZE, PROT_READ|PROT_WRITE, + MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); + if (null_p==MAP_FAILED) { +- printf("null access requires running as root\n"); ++ printf("null access requires running as root, %i\n", errno); + exit(1); + } + } Added: head/security/sandsifter/files/patch-sifter.py ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/sandsifter/files/patch-sifter.py Sat Sep 30 15:13:32 2017 (r450997) @@ -0,0 +1,44 @@ +--- sifter.py.orig 2017-09-22 12:42:26 UTC ++++ sifter.py +@@ -26,11 +26,12 @@ import argparse + import code + import copy + from ctypes import * ++import sysctl + +-INJECTOR = "./injector" ++INJECTOR = "injector" + arch = "" + +-OUTPUT = "./data/" ++OUTPUT = os.getenv("HOME") + "/.sandsifter/" + LOG = OUTPUT + "log" + SYNC = OUTPUT + "sync" + TICK = OUTPUT + "tick" +@@ -679,7 +680,7 @@ class Gui: + time.sleep(self.TIME_SLICE) + + def get_cpu_info(): +- with open("/proc/cpuinfo", "r") as f: ++ with open("/compat/linux/proc/cpuinfo", "r") as f: + cpu = [l.strip() for l in f.readlines()[:7]] + return cpu + +@@ -808,9 +809,16 @@ def main(): + if not os.path.exists(OUTPUT): + os.makedirs(OUTPUT) + ++ real_injector, errors = \ ++ subprocess.Popen( ++ ['which', INJECTOR], ++ stdout=subprocess.PIPE, ++ stderr=subprocess.PIPE ++ ).communicate() ++ real_injector = real_injector.replace('\n', '') # strip newline from shell output + injector_bitness, errors = \ + subprocess.Popen( +- ['file', INJECTOR], ++ ['file', real_injector], + stdout=subprocess.PIPE, + stderr=subprocess.PIPE + ).communicate() Added: head/security/sandsifter/pkg-descr ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/sandsifter/pkg-descr Sat Sep 30 15:13:32 2017 (r450997) @@ -0,0 +1,9 @@ +The sandsifter audits x86 processors for hidden instructions and +hardware bugs, by systematically generating machine code to search +through a processor's instruction set, and monitoring execution for +anomalies. Sandsifter has uncovered secret processor instructions from +every major vendor; ubiquitous software bugs in disassemblers, +assemblers, and emulators; flaws in enterprise hypervisors; and both +benign and security-critical hardware bugs in x86 chips. + +WWW: https://github.com/xoreaxeaxeax/sandsifter Added: head/security/sandsifter/pkg-message ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/sandsifter/pkg-message Sat Sep 30 15:13:32 2017 (r450997) @@ -0,0 +1,5 @@ +*** ATTENTION *** + +Before using this tool you should do the following as root: +# sysctl security.bsd.map_at_zero=1 +# mount -t linprocfs linproc /compat/linux/proc Added: head/security/sandsifter/pkg-plist ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/sandsifter/pkg-plist Sat Sep 30 15:13:32 2017 (r450997) @@ -0,0 +1,16 @@ +bin/injector +bin/sifter +bin/summarize +%%PORTDOCS%%%%DOCSDIR%%/README.md +%%PORTDOCS%%%%DOCSDIR%%/domas_breaking_the_x86_isa.pdf +%%PORTDOCS%%%%DOCSDIR%%/domas_breaking_the_x86_isa_wp.pdf +%%PORTDOCS%%%%DOCSDIR%%/sandsifter.gif +%%PORTDOCS%%%%DOCSDIR%%/screenshot.png +%%PORTDOCS%%%%DOCSDIR%%/summarizer.png +%%DATADIR%%/gui/__init__.py +%%DATADIR%%/gui/gui.py +%%DATADIR%%/pyutil/__init__.py +%%DATADIR%%/pyutil/colors.py +%%DATADIR%%/pyutil/progress.py +%%DATADIR%%/sifter.py +%%DATADIR%%/summarize.py