  • Stars: 168
  • Rank: 225,507 (Top 5 %)
  • Language: C
  • License: MIT License
  • Created about 6 years ago
  • Updated over 2 years ago


Repository Details

Falkervisor (grilled_cheese)

Twitter

Follow me on Twitter, @gamozolabs. Tweets go out before my reddit post spam, and I also announce live streams there.

See it in action

This was me using it to fuzz r2 back when this was under active development. This video should provide enough background to modify it for your own use.

https://www.youtube.com/watch?v=AqFMSI8e9Qo

History

This is the latest C version of my hypervisor and probably some of the best C code I've ever written (I've since switched to Rust, you should too). This was used roughly between 2015-2016, and replaced with a Rust version in late 2016.

Building

Make sure you have python, nasm, clang, and ld.lld on your PATH. Then just type python build.py. Use python build.py clean to clean.

It builds on Windows easily with the following (there are no hard requirements on versions, however):

C:\dev\grilled_cheese>clang --version
clang version 7.0.0 (trunk)
Target: x86_64-pc-windows-msvc
Thread model: posix
InstalledDir: C:\Program Files\LLVM\bin

C:\dev\grilled_cheese>python --version
Python 3.6.5

C:\dev\grilled_cheese>nasm --version
NASM version 2.13.03 compiled on Feb  7 2018

C:\dev\grilled_cheese>ld.lld --version
LLD 7.0.0 (compatible with GNU linkers)

You might see some files with *.dc extensions. This is because the build system builds any *.c file in the tree, so to disable things I wasn't using I just threw a d in the extension.

Feature differences from brownie

See brownie here: https://github.com/gamozolabs/falkervisor_beta/

Improvements over brownie

  • It was written in C
  • Networking code was greatly improved
  • Kernel was portable to Intel (the hypervisor was not, though)
  • DHCPv4 is used for getting an IP, no more hardcoded packets
  • Remote mapping of files
  • Generic VM support, designed to in theory support AMD, Intel, etc. from one API
  • Many design features were made to reduce the chances of heisenbugs. Full page heap, full ASLR, and strict mapping requirements really helped here
  • RSTATE error model allowed for human readable call stacks on errors without worrying about unwind info, symbols, or inlining.

Similarities to brownie

  • Performance is about the same, there isn't room for growth in either tool
  • Only supports x540 as a network device
  • UDP only for networking
  • Custom server for communicating over UDP

Cool features

Clang support

Early versions of my kernel used MSVC instead. Clang offers much better portability. By using clang and ld.lld this kernel is easily built on any system without special toolchain requirements. Further, clang allows for inline assembly, which is nice for kernel development, even though I keep usage to an absolute minimum.

Remote mapping

The remote mapping net_map_remote() allows for files to be mapped over the network and faulted in only when they are used. For VMs this is used to map the entire ~4 GiB snapshot. Combined with CoW, this meant that only pages that were ever touched during a fuzz case were present in memory, and only one copy. If memory was written during a fuzz case then that memory might be duplicated to each core.

Typically for a medium size target (1-2 second fuzz case maximum), this meant usually no more than 2-4 MiB was used per VM, which allowed 64 4 GiB VMs to run using only a few hundred MiB of RAM!

Full ASLR

Every bit of every allocation is fully ASLRed. The kernel base and stacks are also fully ASLRed. This ASLR is 36 bits (meaning every bit that isn't a page offset is random). This means you'll get allocations in the 0xffff... range and the 0x0000... range.

Page heap

All allocations are page heaped: their addresses are fully deleted from the page tables on free, and overflows and underflows can only corrupt data inside the structure itself.
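The following is an added user-space imitation of that page heap design, not grilled_cheese's own allocator (which works directly on the kernel's page tables). It uses mmap/mprotect to put every allocation in its own page(s) with an unmapped guard page on each side, places the object at the end of its page so even a one-byte overflow faults, and unmaps the whole region on free so a dangling pointer faults instead of reading reused memory. The `ph_*` names and the `ph_probe_faults` helper (a SIGSEGV handler plus sigsetjmp, used only to demonstrate which addresses fault) are assumptions of this example. One caveat the kernel text does not have to deal with: byte-exact end placement means odd sizes get an unaligned pointer; a real allocator would round `size` up to its alignment first and accept a few slack bytes.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* One page-heaped allocation: [guard page][data page(s)][guard page].
 * The object sits at the END of its data region so a one-byte overflow
 * lands on the unmapped top guard. Assumed layout for this example. */
typedef struct {
    void  *base;   /* start of the whole mapping, i.e. the bottom guard */
    size_t total;  /* length of the whole mapping */
    void  *data;   /* pointer handed to the caller */
    size_t size;   /* bytes requested */
} ph_alloc_t;

size_t ph_page_size(void) {
    long v = sysconf(_SC_PAGESIZE);
    return v > 0 ? (size_t)v : 4096;
}

/* Returns 0 on success, -1 on failure. */
int ph_alloc(ph_alloc_t *a, size_t size) {
    if (size == 0) size = 1;
    size_t pg = ph_page_size();
    size_t data_len = (size + pg - 1) & ~(pg - 1);
    size_t total = data_len + 2 * pg;
    void *base = mmap(NULL, total, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return -1;
    /* Turn both ends into guard pages: any touch there faults. */
    if (mprotect(base, pg, PROT_NONE) != 0 ||
        mprotect((char *)base + pg + data_len, pg, PROT_NONE) != 0) {
        munmap(base, total);
        return -1;
    }
    a->base = base;
    a->total = total;
    a->data = (char *)base + pg + (data_len - size);
    a->size = size;
    return 0;
}

/* Freeing removes the whole mapping from the page tables, so a dangling
 * pointer faults instead of silently reading reused memory. */
void ph_free(ph_alloc_t *a) {
    munmap(a->base, a->total);
    memset(a, 0, sizeof *a);
}

/* Probe helper: returns 1 if reading one byte at p faults, 0 if readable. */
static sigjmp_buf probe_env;
static void probe_handler(int sig) { (void)sig; siglongjmp(probe_env, 1); }

int ph_probe_faults(const volatile unsigned char *p) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile int faulted = 1;              /* stays 1 if we longjmp back */
    if (sigsetjmp(probe_env, 1) == 0) {
        volatile unsigned char sink = *p;  /* the probed read */
        (void)sink;
        faulted = 0;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

int main(void) {
    ph_alloc_t a;
    if (ph_alloc(&a, 100) != 0) return 1;
    const volatile unsigned char *d = a.data;
    printf("in-bounds byte readable:       %s\n", ph_probe_faults(d) ? "no" : "yes");
    printf("one byte past the end faults:  %s\n", ph_probe_faults(d + a.size) ? "yes" : "no");
    ph_free(&a);
    printf("use after free faults:         %s\n", ph_probe_faults(d) ? "yes" : "no");
    return 0;
}
```

The cost is the same one the kernel pays: every allocation burns at least three pages of address space and a TLB entry, which is exactly why this design is paired with a large, randomized virtual address space rather than a packed heap.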

No identity/linear physical memory map

The machine I developed this for had 512 GiB of RAM. Most kernels have a linear mapping of ALL of physical memory somewhere in the kernel. When dealing with large amounts of memory this uses a huge amount of the virtual address space. This is not really a huge issue, however it means there's a "decent chance" a random address might actually hit valid memory. This makes heisenbugs possible, where things "sometimes work".

Instead I use a design where the bootloader provides a 512-entry dynamic mapping mechanism. This consists of a single page directory which is mapped at a random address. This means that using 4 KiB (the PD) + 2 MiB of reserved page we are able to have a fast mechanism for accessing all physical memory. This greatly reduces the size of active addresses in the virtual address space, leaving more room for randomness and less chance of a random address hitting valid memory.

Performance is about 20% slower with this model over a linear mapping, which is really not that bad.

Generic VM model

The VM model was starting to be designed to be more generic. This was going to allow for an Intel hypervisor to be added while still using the same API for managing both. In this version there are actually 2 VM models, one for AMD's SVM, and another using user-VM. User VM was a made-up VM model that makes a semi-isolated guest by using ring3 rather than a whole VM itself. This was great for things like JITs which needed a unique address space but which I wanted to support on Intel.

Rstate

You'll see that all error handling is done through RSTATES. This model allows all errors to chain together, from the origin of the error all the way up to the top, which panicked or handled it. This does not rely on symbols or unwind walking, so it's much simpler. Further, it works correctly regardless of optimization levels or inlining, as the stack is managed in the C code itself. Getting clean errors out of this really helped keep code quality up and bug fix times to a minimum.
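Here is an added example of that kind of error model in plain C. It is not grilled_cheese's actual RSTATE API (the macro names, the `rstate_t` layout and the toy `read_sector`/`load_header`/`mount_volume` call chain are all assumptions of this example); it shows the mechanism the paragraph describes: the originating function records the error with a message, and every caller that propagates it appends its own file/line/function to the record on the way up. Because the frames are pushed explicitly by the C code, the report is the same whether the compiler inlined the callees or not, and no symbols or unwind tables are needed.

```c
#include <stdio.h>
#include <string.h>

#define RSTATE_MAX_FRAMES 32

/* One entry in the human-readable error chain. */
typedef struct {
    const char *file;
    int         line;
    const char *func;
    const char *msg;   /* set only on the originating frame */
} rstate_frame_t;

typedef struct {
    int            failed;
    int            depth;                      /* frames[0] is the origin */
    rstate_frame_t frames[RSTATE_MAX_FRAMES];
} rstate_t;

/* Single-threaded for this example; a kernel would keep one per core. */
static rstate_t g_rstate;

static void rstate_push(const char *file, int line, const char *func, const char *msg) {
    g_rstate.failed = 1;
    if (g_rstate.depth < RSTATE_MAX_FRAMES) {
        rstate_frame_t *f = &g_rstate.frames[g_rstate.depth++];
        f->file = file; f->line = line; f->func = func; f->msg = msg;
    }
}

/* Success is NULL; an error is a pointer to the shared record. */
#define RSTATE_OK NULL
#define RSTATE_ERR(m) (rstate_push(__FILE__, __LINE__, __func__, (m)), (const rstate_t *)&g_rstate)
/* Propagate: if the callee failed, append our own frame and return upward. */
#define RSTATE_RET(call) do { const rstate_t *_r = (call); if (_r) { \
        rstate_push(__FILE__, __LINE__, __func__, NULL); return _r; } } while (0)

void rstate_clear(void) { memset(&g_rstate, 0, sizeof g_rstate); }
const rstate_t *rstate_current(void) { return &g_rstate; }
const char *rstate_origin_msg(const rstate_t *r) {
    return (r && r->depth) ? r->frames[0].msg : NULL;
}

/* Prints the chain from origin to the function that handled it. */
void rstate_report(const rstate_t *r) {
    if (!r || !r->failed) { puts("ok"); return; }
    printf("error: %s\n", rstate_origin_msg(r) ? rstate_origin_msg(r) : "(no message)");
    for (int i = 0; i < r->depth; i++)
        printf("  %s at %s:%d\n", r->frames[i].func, r->frames[i].file, r->frames[i].line);
}

/* Toy call chain (constructed for the example): an 8-sector "disk". */
static const rstate_t *read_sector(unsigned sector) {
    if (sector >= 8) return RSTATE_ERR("sector out of range");
    return RSTATE_OK;
}
static const rstate_t *load_header(unsigned first_sector) {
    RSTATE_RET(read_sector(first_sector));
    RSTATE_RET(read_sector(first_sector + 1));
    return RSTATE_OK;
}
static const rstate_t *mount_volume(unsigned first_sector) {
    RSTATE_RET(load_header(first_sector));
    return RSTATE_OK;
}

/* Top-level handler: returns the chain depth (0 on success). */
int demo_mount(unsigned first_sector) {
    rstate_clear();
    const rstate_t *r = mount_volume(first_sector);
    rstate_report(r);
    return r ? r->depth : 0;
}

int main(void) {
    demo_mount(0);   /* ok */
    demo_mount(7);   /* second sector read fails; chain has 3 frames */
    return 0;
}
```

Calling demo_mount(7) reports the origin message followed by read_sector, load_header and mount_volume with their source locations, which is the "human readable call stack" the text refers to; the only discipline required is that every call site goes through RSTATE_RET rather than ignoring the return value.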

Probably some other cool stuff I forgot about

More Repositories

  1. orange_slice (Rust, 506 stars): A research kernel and hypervisor attempting to get fully deterministic emulation with minimum performance cost
  2. chocolate_milk (Rust, 478 stars): Pure Rust x86_64 bootloader and kernel
  3. mesos (Rust, 405 stars): Binary coverage tool without binary modification for Windows
  4. applepie (C++, 361 stars): A hypervisor for fuzzing built with WHVP and Bochs
  5. mempeek (Rust, 217 stars): A command line tool that resembles a debugger as well as Cheat Engine, to search for values in memory
  6. fzero_fuzzer (Rust, 208 stars): A fast Rust-based safe and thread-friendly grammar-based fuzz generator
  7. elfloader (Rust, 207 stars): An architecture-agnostic ELF file flattener for shellcode
  8. cookie_dough (Rust, 161 stars): A fuzzing introspection tool
  9. proc_mem_ida_loader (Python, 149 stars): A /proc/mem IDA loader to snapshot a running process
  10. fuzz_with_emus (Rust, 129 stars): Why fuzzing with emulators is amazing
  11. nginx_shitpost (C, 116 stars): Nginx 0-day on latest nginx
  12. rv32i_jit (C, 76 stars): A super simple RV32i JIT, designed for ease of understanding and modification
  13. lemonade (Rust, 76 stars): A debugger for Linux in Rust
  14. falkervisor_beta (Assembly, 75 stars)
  15. basic_mutator (Rust, 55 stars): About as basic of a mutator as you can get, but it does the trick in most situations
  16. slime_tree (Rust, 43 stars): Worst Android kernel fuzzer
  17. falkhash (C, 43 stars): Exotic Shitty Hash Maybe
  18. guifuzz (Rust, 36 stars): A GUI fuzzing application set up to fuzz calc.exe right now
  19. riscv (C, 27 stars): A div-less, mul-less, atomic-less `rv64i` compiler toolchain using purely clang, musl, and compiler-rt
  20. whylol (Rust, 27 stars): Shhh
  21. adventures_in_fuzzing (27 stars): Here's the slides and audio for a talk I did at NYU on the 13th of November 2018
  22. init (Rust, 22 stars): A super simple /sbin/init for Linux which allows running one and only one program
  23. vectorized_mmu (Rust, 22 stars): Snapshot of the vectorized MMU that lines up with the vectorized MMU blog
  24. rust_mips_nt4 (Rust, 19 stars): Rust development environment for MIPS on NT4
  25. aflbench (Python, 18 stars): An AFL scaling benchmarking tool
  26. flounder (Python, 18 stars): Flounder is an old corpus collector I wrote, but it still works. Just need a Bing API key
  27. pdblister (Rust, 18 stars): Faster version of `symchk /om` for generating PDB manifests of offline machines
  28. gamozolabs.github.io (Ruby, 16 stars): Apparently this maybe blogs or something?
  29. fuzzyneural (Rust, 16 stars): A neural network using fuzzing-style feedback rather than back-propagation
  30. vectorized_emulation_recon_2019 (16 stars): Gave a talk on Vectorized emulation at Recon Montreal 2019, here are the slides
  31. cuddly_kangaroo (Rust, 15 stars): A static website generator that embeds all images as base64, and thus can be used with a single resource.
  32. snuffles (Rust, 15 stars): A high-performance graphics API designed mainly for data visualization
  33. hellscape (Assembly, 14 stars): Playground for testing feedback
  34. helicopter_game (Rust, 13 stars): This is uhh, a "clone" of the helicopter game
  35. canon_pixma_mx492 (Rust, 13 stars): Reverse engineering project on stream
  36. coverage_highlight (Python, 12 stars): A very simple coverage highlighter for VIM
  37. freetype_harness (Rust, 11 stars): Definitely not for fuzzing
  38. qemu_chrooter (Rust, 11 stars): Take a QEMU binary, copy the dependencies into a chroot
  39. bridengroom (Rust, 11 stars): Windows Heap Loggin'
  40. statusbar (Rust, 10 stars): A DWM status that shows the MPD playing song and the current datetime in milliseconds
  41. libprocmem (Rust, 9 stars): A simple /proc/<pid>/{mem,maps} library for Rust
  42. fuzztheory (Rust, 9 stars): A project for simulating fuzzing such that analysis can be done on coverage/feedback/scaling mechanisms
  43. safecast (Rust, 7 stars): Safe casting in Rust!
  44. ffmpegged (Rust, 7 stars): Uhh, trying to make encoding actually use cores
  45. coff_nm (Rust, 7 stars): `nm` and `addr2line` but for DI "debug-info" COFF files
  46. streamwrite (Rust, 6 stars): Benchmarking sequential i32 stores
  47. teraflopter420 (Rust, 6 stars): A helicopter game engine with perf
  48. bochs_determinism_test (C++, 5 stars): Used to run 2 Bochs instances in lockstep to verify they do the same things
  49. noodle (Rust, 4 stars): A non-procedural Rust serialization and deserialization library
  50. fork_benchmarking (Rust, 4 stars): I get asked about this a lot
  51. lossless_compression_tutorial (3 stars): An old tutorial I wrote during class about 10 years ago. It's probably bad, don't use it.
  52. server_simulator_2020 (Rust, 3 stars): Simulates servers to find the best server to run for the cost
  53. OnorineAutoCandy (Lua, 3 stars): An automated WoW chocolate addon
  54. simple_slope_viewer (Rust, 2 stars): A basic 3d model viewer with a fly-based model. Designed for exploring WoW collision maps
  55. font_test (Rust, 2 stars): Font test do not use ever
  56. gamlang (C, 2 stars): Some ancient programming language I thought was a good idea
  57. wow_priest_theorycraftin (Rust, 1 star): Here we use supercomputers to optimize WoW characters, why not
  58. onorine_jumps (Lua, 1 star): A WoW addon for helping with doing tricky jumps and exploring
  59. triangle_test (Rust, 1 star): Testing triangles
  60. ErannaAuctions (Lua, 1 star): Dumping ground for auction data harvesting
  61. FishingBuddy (Lua, 1 star): The FishingBuddy addon for Classic WoW, but with per-hour stat tracking
  62. speculation_data (Gnuplot, 1 star): Just some random data from an observed speculative session on Kaby Lake
  63. wow_classic_manatick_reversing (Lua, 1 star): Trying to figure out exactly how mana ticks work in WoW vanilla