hw-sw-contracts / revizor
Fuzzer that searches for vulnerabilities like Spectre and Meltdown in CPUs
License: MIT License
I get the warning "Hyperthreading is enabled! You may have false positives due to noise." even though hyperthreading is disabled on my system ("cat /sys/devices/system/cpu/smt/control" returns "off").
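A way to cross-check the SMT state the issue above is about, reading both the global smt/control switch and the per-CPU thread_siblings_list topology so the two sources can be compared. This is an added example, not revizor's own detection code; the sysfs paths are the standard Linux ones and the function names are assumptions.

```python
"""Cross-check SMT state from two sysfs sources (added example, not revizor's code)."""
import glob
from typing import Dict, List, Optional, Set

SMT_CONTROL = "/sys/devices/system/cpu/smt/control"
SIBLINGS_GLOB = "/sys/devices/system/cpu/cpu[0-9]*/topology/thread_siblings_list"
# smt/control values under which no sibling thread can be running.
OFF_VALUES = ("off", "forceoff", "notsupported", "notimplemented")


def parse_cpu_list(text: str) -> Set[int]:
    """Parse a kernel CPU list such as '0-3,8,10-11' into a set of CPU ids."""
    cpus: Set[int] = set()
    for part in text.strip().split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            cpus.update(range(int(lo), int(hi) + 1))
        else:
            cpus.add(int(part))
    return cpus


def smt_state(control_text: str, sibling_lists: List[str]) -> Dict[str, object]:
    """Combine the global switch with per-CPU topology.
    control_text is the content of smt/control; sibling_lists holds one
    thread_siblings_list per online CPU. A CPU shares its physical core iff
    its sibling list names more than one CPU."""
    control = control_text.strip()
    shared = [s for s in sibling_lists if len(parse_cpu_list(s)) > 1]
    return {"control": control,
            "control_says_off": control in OFF_VALUES,
            "siblings_online": bool(shared)}


def smt_warning(state: Dict[str, object]) -> Optional[str]:
    """Warning a measurement tool should print, or None when no core is shared."""
    if state["siblings_online"]:
        return "Hyperthreading is enabled! You may have false positives due to noise."
    if not state["control_says_off"]:
        return "smt/control says '%s' but no sibling threads are online" % state["control"]
    return None


def live_smt_warning() -> Optional[str]:
    """Read the live sysfs values (Linux only) and evaluate them."""
    with open(SMT_CONTROL) as f:
        control = f.read()
    lists = []
    for path in glob.glob(SIBLINGS_GLOB):
        with open(path) as f:
            lists.append(f.read())
    return smt_warning(smt_state(control, lists))
```

The topology check is the one that decides: if every online CPU lists only itself as a sibling, no measurement can be disturbed by a co-resident thread regardless of what the global switch reports.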
There appear to be a few additional requirements that are missing from the list in the README, such as mypy, iced-x86, and types-PyYAML.
Executing the ./runtests.sh script on a Rocket Lake system (Core i9-11900, kernel 5.11.0) leads to the following errors:
===== Type Checking with mypy =====
Success: no issues found in 1 source file
===== Unit Tests =====
test_x86_all_instructions (generators.X86RandomGeneratorTest) ... ok
----------------------------------------------------------------------
Ran 1 test in 0.046s
OK
===== Acceptance Tests =====
✓ Executor: Hardware tracing with F+R
✗ Executor: Hardware tracing with P+P
(in test file tests/acceptance.bats, line 19)
`[[ "$output" == *"2305843009213693953"* ]]' failed
✗ Executor: Hardware tracing with E+R
(in test file tests/acceptance.bats, line 26)
`[[ "$output" == *"2305843009213693952"* ]]' failed
✗ Executor: Noise Level
(in test file tests/acceptance.bats, line 50)
`[ $output -lt 20 ]' failed
F+R
2
P+R
2
E+R
75
✓ Model and Executor are initialized with the same values
✓ Model and Executor are initialized with the same FLAGS value
✓ Fuzzing: Empty test case
✓ Fuzzing: A sequence of NOPs
✓ Fuzzing: A sequence of direct jumps
✓ Fuzzing: A long in-reg test case
✓ Fuzzing: A sequence of calls
✓ Fuzzing: A sequence of valid loads (cache hits)
✓ Fuzzing: A sequence of valid loads (cache misses)
✓ Fuzzing: A sequence of valid stores (cache hits)
✓ Fuzzing: An empty test case template
✗ Detection: Spectre V1 - BCB load - P
(in test file tests/acceptance.bats, line 142)
`[[ "$output" = *"=== Violations detected ==="* ]]' failed
✓ Detection: Spectre V1 - BCB load - N
✗ Detection: Spectre V1.1 - BCB store
(in test file tests/acceptance.bats, line 156)
`[[ "$output" = *"=== Violations detected ==="* ]]' failed
✗ Detection: Spectre V2 - BTI - P
(in test file tests/acceptance.bats, line 163)
`[[ "$output" = *"=== Violations detected ==="* ]]' failed
✗ Detection: Spectre V4 - SSBP - P
(in test file tests/acceptance.bats, line 170)
`[[ "$output" = *"=== Violations detected ==="* ]]' failed
✓ Detection: Spectre V4 - SSBP - N (patch off)
✓ Detection: Spectre V4 - SSBP - N (patch on)
✗ Detection: Spectre V5-ret
(in test file tests/acceptance.bats, line 191)
`[[ "$output" = *"=== Violations detected ==="* ]]' failed
✗ Detection: Nested misprediction
(in test file tests/acceptance.bats, line 198)
`[[ "$output" = *"=== Violations detected ==="* ]]' failed
- Detection: MDS-SB (skipped)
✓ False Positive: Input-independent branch misprediction
✗ Analyser: Priming
(in test file tests/acceptance.bats, line 228)
`[[ "$output" == *"Priming"* ]]' failed
Starting at 22:49:24
Abbreviations:
P-progress ; EC-effective input classes; EI-effective inputs; CO-coverage
Pr-test cases required priming ; B-broken measurement ; V-violations
P: 0 [0%] | Normal execution
================================ Statistics ===================================
Test Cases: 1
Inputs per test case: 100
Coverage:
Patterns: 0
Fully covered: 0
Longest uncovered: 0
Effectiveness: 0.6
Effectiveness:
Total Cls: 54.0
Effective Cls: 34.0
Required priming: 0
Broken measurements: 0
Violations: 0
Duration: 0.6
Finished at 22:49:24
✗ Model: ARCH-SEQ
(in test file tests/acceptance.bats, line 236)
`[[ "$output" = *"=== Violations detected ==="* ]]' failed
✓ Model: Rollback on LFENCE and spec. window
- Extended: False positives from generated samples (skipped)
- Priming: False Positive due to small min_primer_size (skipped)
31 tests, 11 failures, 3 skipped
Hi,
I have been playing with Revizor for a while, it works great!
I noticed that when a violation is spotted, Revizor halts and, as a result, the latest generated.asm stores the violating test case.
My question: is there any config option or argument to also capture the pair or collection of violating inputs? If not, how would I capture these inputs and store them?
--
Right now, what I did to capture these inputs is to poke into the source code, at the part right after the violation is detected, and print all the inputs to files by calling my function below:
import os

def log_violation(self, violation):
    # Called right after a violation is detected; dumps the seed, data size
    # and register start of every input of the violating measurements.
    name = 'violation'
    os.makedirs("cex", exist_ok=True)  # output directory must exist
    measurements = violation.measurements
    for i, ms in enumerate(measurements):
        prefix = os.path.join("cex", str(i) + name)
        with open(prefix + ".seed.in", "w") as f:
            f.write(str(ms.input_.seed))
        with open(prefix + ".datasize.in", "w") as f:
            f.write(str(ms.input_.data_size))
        with open(prefix + ".registerstart.in", "w") as f:
            f.write(str(ms.input_.register_start))
Many thanks in advance!
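An added example that goes one step beyond the snippet in the question above: it stores all violating inputs in a single JSON record alongside the name of the saved test case and reads the record back, instead of writing three files per input. This is not revizor's code; the attribute names (violation.measurements, measurement.input_.seed, .data_size, .register_start) are taken from the question, and the dataclasses are constructed stand-ins for revizor's classes.

```python
"""Persist the inputs of a detected violation as one JSON record.

Added example, not revizor's code: attribute names follow the snippet in the
question; the dataclasses are constructed stand-ins for revizor's classes.
"""
import json
import os
from dataclasses import dataclass
from typing import List


@dataclass
class Input:
    seed: int
    data_size: int
    register_start: int


@dataclass
class Measurement:
    input_: Input


@dataclass
class Violation:
    measurements: List[Measurement]


def violation_record(violation: Violation, test_case: str) -> dict:
    """Everything needed to regenerate the offending inputs for the saved test case."""
    return {
        "test_case": test_case,  # e.g. the generated.asm left behind when revizor halts
        "inputs": [
            {"index": i,
             "seed": m.input_.seed,
             "data_size": m.input_.data_size,
             "register_start": m.input_.register_start}
            for i, m in enumerate(violation.measurements)
        ],
    }


def dump_violation(violation: Violation, test_case: str, out_dir: str = "cex") -> str:
    """Write the record to <out_dir>/violation.json; returns the path written."""
    os.makedirs(out_dir, exist_ok=True)
    path = os.path.join(out_dir, "violation.json")
    with open(path, "w") as f:
        json.dump(violation_record(violation, test_case), f, indent=2)
    return path


def load_violation(path: str) -> dict:
    """Read a record back, e.g. to replay the same inputs against a patched model."""
    with open(path) as f:
        return json.load(f)
```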