hw-sw-contracts / revizor Goto Github PK

View Code? Open in Web Editor NEW

40.0 40.0 5.0 515 KB

Fuzzer that searches for vulnerabilities like Spectre and Meltdown in CPUs

License: MIT License

Shell 5.13% Assembly 6.09% Python 74.12% Makefile 0.14% C 14.52%

fuzzing security spectre-vulnerability

revizor's People

Contributors

Stargazers

Watchers

Forkers

mguarnieri c0de3 brianfu vyyq easyymaker

revizor's Issues

Hyperthreading warning

I get the warning Hyperthreading is enabled! You may have false positives due to noise. even though hyperthreading is disabled on my system (cat /sys/devices/system/cpu/smt/control returns off).

Missing requirements

There appear to be a few additional requirements that are missing from the list in the README, such as mypy, iced-x86, and types-PyYAML.

Failed tests on Rocket Lake

Executing the ./runtests.sh script on a Rocket Lake system (Core i9-11900, kernel 5.11.0) leads to the following errors:

===== Type Checking with mypy =====

Success: no issues found in 1 source file

===== Unit Tests =====

test_x86_all_instructions (generators.X86RandomGeneratorTest) ... ok

----------------------------------------------------------------------
Ran 1 test in 0.046s

OK

===== Acceptance Tests =====

 ✓ Executor: Hardware tracing with F+R 
 ✗ Executor: Hardware tracing with P+P
   (in test file tests/acceptance.bats, line 19)
     `[[ "$output" == *"2305843009213693953"* ]]' failed
 ✗ Executor: Hardware tracing with E+R
   (in test file tests/acceptance.bats, line 26)
     `[[ "$output" == *"2305843009213693952"* ]]' failed
 ✗ Executor: Noise Level
   (in test file tests/acceptance.bats, line 50)
     `[ $output -lt 20 ]' failed
   F+R
   2
   P+R
   2
   E+R
   75
 ✓ Model and Executor are initialized with the same values 
 ✓ Model and Executor are initialized with the same FLAGS value 
 ✓ Fuzzing: Empty test case 
 ✓ Fuzzing: A sequence of NOPs 
 ✓ Fuzzing: A sequence of direct jumps 
 ✓ Fuzzing: A long in-reg test case 
 ✓ Fuzzing: A sequence of calls 
 ✓ Fuzzing: A sequence of valid loads (cache hits) 
 ✓ Fuzzing: A sequence of valid loads (cache misses) 
 ✓ Fuzzing: A sequence of valid stores (cache hits) 
 ✓ Fuzzing: An empty test case template 
 ✗ Detection: Spectre V1 - BCB load - P
   (in test file tests/acceptance.bats, line 142)
     `[[ "$output" = *"=== Violations detected ==="* ]]' failed
   
 ✓ Detection: Spectre V1 - BCB load - N 
 ✗ Detection: Spectre V1.1 - BCB store
   (in test file tests/acceptance.bats, line 156)
     `[[ "$output" = *"=== Violations detected ==="* ]]' failed
   
 ✗ Detection: Spectre V2 - BTI - P
   (in test file tests/acceptance.bats, line 163)
     `[[ "$output" = *"=== Violations detected ==="* ]]' failed
   
 ✗ Detection: Spectre V4 - SSBP - P
   (in test file tests/acceptance.bats, line 170)
     `[[ "$output" = *"=== Violations detected ==="* ]]' failed
   
 ✓ Detection: Spectre V4 - SSBP - N (patch off) 
 ✓ Detection: Spectre V4 - SSBP - N (patch on) 
 ✗ Detection: Spectre V5-ret
   (in test file tests/acceptance.bats, line 191)
     `[[ "$output" = *"=== Violations detected ==="* ]]' failed
   
 ✗ Detection: Nested misprediction
   (in test file tests/acceptance.bats, line 198)
     `[[ "$output" = *"=== Violations detected ==="* ]]' failed
   
 - Detection: MDS-SB (skipped)
 ✓ False Positive: Input-independent branch misprediction 
 ✗ Analyser: Priming
   (in test file tests/acceptance.bats, line 228)
     `[[ "$output" == *"Priming"* ]]' failed
   Starting at 22:49:24
   Abbreviations: 
    P-progress ; EC-effective input classes; EI-effective inputs; CO-coverage
    Pr-test cases required priming ; B-broken measurement ; V-violations
   
P: 0 [0%] | Normal execution            
   
   ================================ Statistics ===================================
   Test Cases: 1
   Inputs per test case: 100
   Coverage:
     Patterns: 0
     Fully covered: 0
     Longest uncovered: 0
     Effectiveness: 0.6
   Effectiveness: 
     Total Cls: 54.0
     Effective Cls: 34.0
   Required priming: 0
   Broken measurements: 0
   Violations: 0
   
   Duration: 0.6
   Finished at 22:49:24
 ✗ Model: ARCH-SEQ
   (in test file tests/acceptance.bats, line 236)
     `[[ "$output" = *"=== Violations detected ==="* ]]' failed
   
 ✓ Model: Rollback on LFENCE and spec. window 
 - Extended: False positives from generated samples (skipped)
 - Priming: False Positive due to small min_primer_size (skipped)

31 tests, 11 failures, 3 skipped

How to capture the violated inputs

Hi,

I have been playing with Revizor for a while, it works great!
I noticed that when a violation is spotted, Revizor halts and as a result of this, the latest generated.asm stores the violated test case.

My question: Is there any config option, arguments to capture also the pair or collection of violated inputs? If not, how would I capture these inputs and store them?

Right now, what I did to capture these inputs is to poke into the source code, at the part right after the violation is detected, print all the inputs to files, that is calling my function below:

    def log_violation(self, violation):
        name = 'violation'
        measurements = violation.measurements
        for i,ms in enumerate(measurements):
            with open("cex/" + str(i) + name + ".seed.in", "w") as f:
                f.write(str(ms.input_.seed))
            with open("cex/" + str(i) + name + ".datasize.in", "w") as f:
                f.write(str(ms.input_.data_size))
            with open("cex/" + str(i) + name + ".registerstart.in", "w") as f:
                f.write(str(ms.input_.register_start))

Many thanks in advance!

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.