microsoft
/
sca-fuzzer
зеркало из https://github.com/microsoft/sca-fuzzer.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

root: [docs] move quick start guide onto a separate page

This commit is contained in:
Oleksii Oleksenko 2024-07-29 15:56:28 +01:00
Родитель 4e275cf8a0
Коммит 6613940e8e
Не найден ключ, соответствующий данной подписи
6 изменённых файлов: 245 добавлений и 233 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

217
README.md
Просмотреть файл

@ -11,214 +11,13 @@ It tests CPUs against [Leakage Contracts](https://arxiv.org/abs/2006.03841) and
For more details, see our [Paper](https://dl.acm.org/doi/10.1145/3503222.3507729) (open access [here](https://arxiv.org/abs/2105.06872)), and the follow-up papers ([1](https://arxiv.org/pdf/2301.07642.pdf), [2](https://www.usenix.org/conference/usenixsecurity23/presentation/hofmann)).
## Installation
## Getting Started and Documentation
**Warning**:
Revizor runs randomly-generated code in kernel space.
This means that a misconfiguration (or a bug) can crash the system and potentially lead to data loss.
Make sure you're not running Revizor on a production machine, and that you have a backup of your data.
You can find a quick start guide at [Quick Start](https://microsoft.github.io/sca-fuzzer/quick-start/).
### 1. Requirements
For information on how to use Revizor, see [User Documentation](https://microsoft.github.io/sca-fuzzer/cli/).
* Architecture: Revizor supports Intel and AMD x86-64 CPUs.
We have experimental support for ARM CPUs (see `arm-port` branch) but it is at very early stages, so use it on your own peril.
* No virtualization: You will need a bare-metal OS installation.
Testing from inside a VM is not supported.
* OS: The target machine has to be running Linux v4.15 or later.
### 2. Python Package
The preferred installation method is using `pip` within a virtual environment.
The python version must be 3.9 or later.
```bash
sudo apt install python3.9 python3.9-venv
/usr/bin/python3.9 -m pip install virtualenv
/usr/bin/python3.9 -m virtualenv ~/venv-revizor
source ~/venv-revizor/bin/activate
pip install revizor-fuzzer
```
### 3. Executor
In addition to the Python package, you will need to build and install the executor, which is a kernel module.
```bash
# building a kernel module require kernel headers
sudo apt-get install linux-headers-$(uname -r) linux-headers-generic
# get the source code
git clone https://github.com/microsoft/sca-fuzzer.git
# build executor
cd sca-fuzzer/src/x86/executor
make uninstall # the command will give an error message, but it's ok!
make clean
make
make install
```
### 4. Download ISA spec
```bash
rvzr download_spec -a x86-64 --extensions ALL_SUPPORTED --outfile base.json
# Alternatively, use the following command to include system instructions;
# however, mind that testing these instructions may crash the system if misconfigured!
# rvzr download_spec -a x86-64 --extensions ALL_AND_UNSAFE --outfile base.json
```
### 5. Test the Installation
To make sure that the installation was successful, run the following command:
```bash
./tests/quick-test.sh
# The expected output is:
Detection: OK
Filtering: OK
```
If you see any other output, check if the previous steps were executed correctly.
If you still have issues, please [open an issue](https://github.com/microsoft/sca-fuzzer/issues).
### 6. (Optional) System Configuration
External processes can interfere with Revizor's measurements.
To minimize this interference, we recommend the following system configuration:
* Disable Hyperthreading (BIOS option);
* Disable Turbo Boost (BIOS option);
* Boot the kernel on a single core (add `-maxcpus=1` to [Linux boot parameters]((https://wiki.ubuntu.com/Kernel/KernelBootParameters))).
If you skip these steps, Revizor may produce false positives, especially if you use a low (sample size)[./docs/config.md) for measurements.
However, a large sample size (> 300-400) usually mitigates this issue.
## Quick Start
The following is an example of a simple fuzzing session with Revizor that will detect Spectre V1-like violations.
Create a configuration file `config.yaml` with the following content:
```yaml
# config.yaml
instruction_categories:
- BASE-BINARY # arithmetic instructions
- BASE-COND_BR # conditional branches
max_bb_per_function: 5 # up to 5 branches per test case
min_bb_per_function: 1
max_successors_per_bb: 2 # enable basic blocks with conditional branches
contract_observation_clause: loads+stores+pc # aka CT
contract_execution_clause:
- no_speculation # aka SEQ
```
Start the fuzzer:
```bash
rvzr fuzz -s base.json -i 50 -n 1000 -c config.yaml -w .
```
You will likely see a violation within a few minutes, as most modern CPUs implement branch prediction, which is a prerequisite for Spectre-like attacks, and so the contract `CT-SEQ` is likely to be violated.
```
================================ Violations detected ==========================
Contract trace:
18422470923634754929 (hash)
Hardware traces:
Input group 1: [7]
Input group 2: [57]
^..........................................^.............^^..^^. [500 | 0 ]
^....^...................................................^^..^^. [0 | 500 ]
```
You can find the violating test case as well as the violation report in the directory named `./violation-*/`.
It will contain an assembly file `program.asm` that surfaced a violation, a sequence of inputs `input_*.bin` to this program, and some details about the violation in `report.txt`.
## Command Line Interface
The fuzzer is controlled via a single command line interface `rvzr` (or `revizor.py` if you're running directly from the source tree).
It accepts the following arguments:
* `-s, --instruction-set PATH` - path to the ISA description file
* `-c, --config PATH` - path to the fuzzing configuration file
* `-n , --num-test-cases N` - number of test cases to be tested
* `-i , --num-inputs N` - number of input classes per test case. The number of actual inputs = input classes * inputs_per_class, which is a configuration option
* `-t , --testcase PATH` - use an existing test case instead of generating random test cases
* `--timeout TIMEOUT` - run fuzzing with a time limit [seconds]
* `-w` - working directory where the detected violations will be stored
For example, this command
```bash
rvzr fuzz -s base.json -n 100 -i 10 -c config.yaml -w ./violations
```
will run the fuzzer for 100 iterations (i.e., 100 test cases), with 10 inputs per test case.
The fuzzer will use the ISA spec stored in the `base.json` file, and will read the configuration from `config.yaml`. If the fuzzer finds a violation, it will be stored in the `./violations` directory.
See [docs](https://microsoft.github.io/sca-fuzzer/cli/) for more details.
## How To Fuzz With Revizor
The fuzzing process is controlled by a configuration file in the YAML format, passed via `--config` option. At the very minimum, this file should contain the following fields:
* `contract_observation_clause` and `contract_execution_clause` describe the contract that the CPU-under-test is tested against. See [this page](https://microsoft.github.io/sca-fuzzer/config/) for a list of available contracts. If you don't know what a contract is, Sec. 3 of [this paper](https://arxiv.org/pdf/2105.06872.pdf) will give you a high-level introduction to contracts, and [this paper](https://www.microsoft.com/en-us/research/publication/hardware-software-contracts-for-secure-speculation/) will provide a deep dive into contracts.
* `instruction_categories` is a list of instruction types that will be tested. Effectively, Revizor uses this list to filter out instructions from `base.json` (the file you downloaded via `rvzr download_spec`).
For a full list of configuration options, see [docs](https://microsoft.github.io/sca-fuzzer/config/).
### Baseline Experiment
After a fresh installation, it is normally a good idea to do a quick test run to check that everything works ok.
For example, we can create a configuration file `config.yaml` with only simple arithmetic instructions. As this instruction set does not include any instructions that would trigger speculation on Intel or AMD CPUs (at least that we know of), the expected contract would be `CT-SEQ`:
```yaml
# config.yaml
instruction_categories:
- BASE-BINARY # arithmetic instructions
max_bb_per_function: 1 # no branches!
min_bb_per_function: 1
contract_observation_clause: loads+stores+pc # aka CT
contract_execution_clause:
- no_speculation # aka SEQ
```
Start the fuzzer:
```bash
rvzr fuzz -s base.json -i 50 -n 100 -c config.yaml -w .
```
This command should terminate with no violations.
### Full-Scale Fuzzing Campaign
To start a full-scale test, write your own configuration file (see description [here](docs/config.md) and an example config [here](demo/big-fuzz.yaml)), and launch the fuzzer.
Below is a example launch command, which will start a 24-hour fuzzing session, with 100 input classes per test case, and which uses [big-fuzz.yaml](demo/big-fuzz.yaml) configuration:
```shell
rvzr fuzz -s base.json -c demo/big-fuzz.yaml -i 100 -n 100000000 --timeout 86400 -w `pwd` --nonstop
```
If there is a violation, you can try to reproduce it with the following command:
```shell
rvzr reproduce -s base.json -c violation-<timestamp>/reproduce.yaml -t violation-<timestamp>/program.asm -i violation-<timestamp>/input_*.bin
```
If the violation is reproducible, it is useful to minimize it, so that it is easier to understand the root cause (note that minimization uses a different config file):
```shell
rvzr minimize -s base.json -c violation-<timestamp>/minimize.yaml -g violation-<timestamp>/program.asm -o violation-<timestamp>/minimized.asm -i 100 --num-attempts 10 --enable-simplification-pass
```
The result of minimization will be stored in `violation-<timestamp>/minimized.asm`.
If the result is still too complicated, try [other minimization passes](./docs/minimization.md).
The further analysis is manual; you can find an example in [this guide](fuzzing-guide.md).
For information on how to contribute to Revizor, see [CONTRIBUTING.md](CONTRIBUTING.md).
## Need Help with Revizor?
@ -226,11 +25,6 @@ If you find a bug in Revizor, don't hesitate to [open an issue](https://github.c
If something is confusing or you need help in using Revizor, we have a [discussion page](https://github.com/microsoft/sca-fuzzer/discussions).
## Documentation
For more details, see [the website](https://microsoft.github.io/sca-fuzzer/).
## Citing Revizor
To cite this project, you can use the following references:
@ -256,9 +50,6 @@ To cite this project, you can use the following references:
Jana Hofmann, Emanuele Vannacci, Cédric Fournet, Boris Köpf, and Oleksii Oleksenko. "[Speculation at Fault: Modeling and Testing Microarchitectural Leakage of CPU Exceptions.](https://www.usenix.org/conference/usenixsecurity23/presentation/hofmann)" in Proceedings of 32nd USENIX Security Symposium (USENIX Security), 2023.
## Contributing
See [CONTRIBUTING.md](CONTRIBUTING.md).
## Trademarks

2
docs/cli.md
Просмотреть файл

@ -5,7 +5,7 @@ Command line arguments specify the mode of operation and set high-level paramete
Configuration files specify details of the fuzzing campaign (e.g., the target contract, generation parameters, etc).
This document describes the command-line interface.
For information on configuration files, see the [configuration documentation](configuration.md).
For information on configuration files, see the [configuration documentation](config.md).
## Modes

219
docs/quick-start.md Normal file
Просмотреть файл

@ -0,0 +1,219 @@
## Installation
**Warning**:
Revizor runs randomly-generated code in kernel space.
This means that a misconfiguration (or a bug) can crash the system and potentially lead to data loss.
Make sure you're not running Revizor on a production machine, and that you have a backup of your data.
### 1. Requirements
* Architecture: Revizor supports Intel and AMD x86-64 CPUs.
We have experimental support for ARM CPUs (see `arm-port` branch) but it is at very early stages, so use it on your own peril.
* No virtualization: You will need a bare-metal OS installation.
Testing from inside a VM is not supported.
* OS: The target machine has to be running Linux v4.15 or later.
### 2. Python Package
The preferred installation method is using `pip` within a virtual environment.
The python version must be 3.9 or later.
```bash
sudo apt install python3.9 python3.9-venv
/usr/bin/python3.9 -m pip install virtualenv
/usr/bin/python3.9 -m virtualenv ~/venv-revizor
source ~/venv-revizor/bin/activate
pip install revizor-fuzzer
```
### 3. Executor
In addition to the Python package, you will need to build and install the executor, which is a kernel module.
```bash
# building a kernel module require kernel headers
sudo apt-get install linux-headers-$(uname -r) linux-headers-generic
# get the source code
git clone https://github.com/microsoft/sca-fuzzer.git
# build executor
cd sca-fuzzer/src/x86/executor
make uninstall # the command will give an error message, but it's ok!
make clean
make
make install
```
### 4. Download ISA spec
```bash
rvzr download_spec -a x86-64 --extensions ALL_SUPPORTED --outfile base.json
# Alternatively, use the following command to include system instructions;
# however, mind that testing these instructions may crash the system if misconfigured!
# rvzr download_spec -a x86-64 --extensions ALL_AND_UNSAFE --outfile base.json
```
### 5. Test the Installation
To make sure that the installation was successful, run the following command:
```bash
./tests/quick-test.sh
# The expected output is:
Detection: OK
Filtering: OK
```
If you see any other output, check if the previous steps were executed correctly.
If you still have issues, please [open an issue](https://github.com/microsoft/sca-fuzzer/issues).
### 6. (Optional) System Configuration
External processes can interfere with Revizor's measurements.
To minimize this interference, we recommend the following system configuration:
* Disable Hyperthreading (BIOS option);
* Disable Turbo Boost (BIOS option);
* Boot the kernel on a single core (add `-maxcpus=1` to [Linux boot parameters]((https://wiki.ubuntu.com/Kernel/KernelBootParameters))).
If you skip these steps, Revizor may produce false positives, especially if you use a low (sample size)[./docs/config.md) for measurements.
However, a large sample size (> 300-400) usually mitigates this issue.
## Quick Start
The following is an example of a simple fuzzing session with Revizor that will detect Spectre V1-like violations.
Create a configuration file `config.yaml` with the following content:
```yaml
# config.yaml
instruction_categories:
- BASE-BINARY # arithmetic instructions
- BASE-COND_BR # conditional branches
max_bb_per_function: 5 # up to 5 branches per test case
min_bb_per_function: 1
max_successors_per_bb: 2 # enable basic blocks with conditional branches
contract_observation_clause: loads+stores+pc # aka CT
contract_execution_clause:
- no_speculation # aka SEQ
```
Start the fuzzer:
```bash
rvzr fuzz -s base.json -i 50 -n 1000 -c config.yaml -w .
```
You will likely see a violation within a few minutes, as most modern CPUs implement branch prediction, which is a prerequisite for Spectre-like attacks, and so the contract `CT-SEQ` is likely to be violated.
```
================================ Violations detected ==========================
Contract trace:
18422470923634754929 (hash)
Hardware traces:
Input group 1: [7]
Input group 2: [57]
^..........................................^.............^^..^^. [500 | 0 ]
^....^...................................................^^..^^. [0 | 500 ]
```
You can find the violating test case as well as the violation report in the directory named `./violation-*/`.
It will contain an assembly file `program.asm` that surfaced a violation, a sequence of inputs `input_*.bin` to this program, and some details about the violation in `report.txt`.
## Command Line Interface
The fuzzer is controlled via a single command line interface `rvzr` (or `revizor.py` if you're running directly from the source tree).
It accepts the following arguments:
* `-s, --instruction-set PATH` - path to the ISA description file
* `-c, --config PATH` - path to the fuzzing configuration file
* `-n , --num-test-cases N` - number of test cases to be tested
* `-i , --num-inputs N` - number of input classes per test case. The number of actual inputs = input classes * inputs_per_class, which is a configuration option
* `-t , --testcase PATH` - use an existing test case instead of generating random test cases
* `--timeout TIMEOUT` - run fuzzing with a time limit [seconds]
* `-w` - working directory where the detected violations will be stored
For example, this command
```bash
rvzr fuzz -s base.json -n 100 -i 10 -c config.yaml -w ./violations
```
will run the fuzzer for 100 iterations (i.e., 100 test cases), with 10 inputs per test case.
The fuzzer will use the ISA spec stored in the `base.json` file, and will read the configuration from `config.yaml`. If the fuzzer finds a violation, it will be stored in the `./violations` directory.
See [docs](https://microsoft.github.io/sca-fuzzer/cli/) for more details.
## How To Fuzz With Revizor
The fuzzing process is controlled by a configuration file in the YAML format, passed via `--config` option. At the very minimum, this file should contain the following fields:
* `contract_observation_clause` and `contract_execution_clause` describe the contract that the CPU-under-test is tested against. See [this page](https://microsoft.github.io/sca-fuzzer/config/) for a list of available contracts. If you don't know what a contract is, Sec. 3 of [this paper](https://arxiv.org/pdf/2105.06872.pdf) will give you a high-level introduction to contracts, and [this paper](https://www.microsoft.com/en-us/research/publication/hardware-software-contracts-for-secure-speculation/) will provide a deep dive into contracts.
* `instruction_categories` is a list of instruction types that will be tested. Effectively, Revizor uses this list to filter out instructions from `base.json` (the file you downloaded via `rvzr download_spec`).
For a full list of configuration options, see [docs](https://microsoft.github.io/sca-fuzzer/config/).
### Baseline Experiment
After a fresh installation, it is normally a good idea to do a quick test run to check that everything works ok.
For example, we can create a configuration file `config.yaml` with only simple arithmetic instructions. As this instruction set does not include any instructions that would trigger speculation on Intel or AMD CPUs (at least that we know of), the expected contract would be `CT-SEQ`:
```yaml
# config.yaml
instruction_categories:
- BASE-BINARY # arithmetic instructions
max_bb_per_function: 1 # no branches!
min_bb_per_function: 1
contract_observation_clause: loads+stores+pc # aka CT
contract_execution_clause:
- no_speculation # aka SEQ
```
Start the fuzzer:
```bash
rvzr fuzz -s base.json -i 50 -n 100 -c config.yaml -w .
```
This command should terminate with no violations.
### Full-Scale Fuzzing Campaign
To start a full-scale test, write your own configuration file (see description [here](config.md) and an example config [here](https://github.com/microsoft/sca-fuzzer/tree/main/demo/big-fuzz.yaml)), and launch the fuzzer.
Below is a example launch command, which will start a 24-hour fuzzing session, with 100 input classes per test case, and which uses [big-fuzz.yaml](https://github.com/microsoft/sca-fuzzer/tree/main/demo/big-fuzz.yaml) configuration:
```shell
rvzr fuzz -s base.json -c demo/big-fuzz.yaml -i 100 -n 100000000 --timeout 86400 -w `pwd` --nonstop
```
If there is a violation, you can try to reproduce it with the following command:
```shell
rvzr reproduce -s base.json -c violation-<timestamp>/reproduce.yaml -t violation-<timestamp>/program.asm -i violation-<timestamp>/input_*.bin
```
If the violation is reproducible, it is useful to minimize it, so that it is easier to understand the root cause (note that minimization uses a different config file):
```shell
rvzr minimize -s base.json -c violation-<timestamp>/minimize.yaml -g violation-<timestamp>/program.asm -o violation-<timestamp>/minimized.asm -i 100 --num-attempts 10 --enable-simplification-pass
```
The result of minimization will be stored in `violation-<timestamp>/minimized.asm`.
If the result is still too complicated, try [other minimization passes](minimization.md).
The further analysis is manual; you can find an example in [this guide](fuzzing-guide.md).
## Need Help with Revizor?
If you find a bug in Revizor, don't hesitate to [open an issue](https://github.com/microsoft/sca-fuzzer/issues).
If something is confusing or you need help in using Revizor, we have a [discussion page](https://github.com/microsoft/sca-fuzzer/discussions).
## Documentation
For more details, see [the website](https://microsoft.github.io/sca-fuzzer/).

6
docs/registers.md
Просмотреть файл

@ -5,7 +5,7 @@ Below is a list of registers and their purpose.
## `R15`
Contains the base address of the UTILITY area in the [sandbox](./docs/sandbox.md).
Contains the base address of the UTILITY area in the [sandbox](sandbox.md).
If the test case does not enter a VM, the register value remains constant during the execution of the test cases.
Otherwise, the register value is updated to point to the UTILITY area of the currently active VM when the `switch_h2g` macro is called, and it is restored to the original value when the `switch_g2h` macro is called.
@ -14,7 +14,7 @@ The register is used by internal functions, such as the implementation of Prime+
## `R14`
Contains the base address of the current actor's [sandbox](./docs/sandbox.md) (namely, it points to the base of the actor's MAIN area).
Contains the base address of the current actor's [sandbox](sandbox.md) (namely, it points to the base of the actor's MAIN area).
At the beginning of the test case execution, the register is set to the base address of the MAIN area of the first actor (actor `main`). The register value is updated to point to the MAIN area of the currently active actor when a macro from the `landing_*` group of macros is called. It is also updated by the `fault_handler` macro.
@ -68,7 +68,7 @@ When a `measurement_end` macro is executed, the registers are updated with the f
## Other General Purpose Registers
The remaining registers (`rax`, `rcx`, `rdx`, `rsi`, `rdi`, `rflags`) are available for use in the test cases and can be modified freely.
A special case are `rsp` and `rbp`, which can be used in the test cases, but their values must always remain within the sandbox (see [Sandbox](./docs/sandbox.md)).
A special case are `rsp` and `rbp`, which can be used in the test cases, but their values must always remain within the sandbox (see [Sandbox](sandbox.md)).
## Vector Registers

8
mkdocs-overrides/home.html
Просмотреть файл

@ -49,7 +49,7 @@
.title p {
color: rgb(100, 100, 100);
font-weight: 400;
font-size: 20px;
font-size: 32px;
line-height: 32px;
}
@ -230,10 +230,10 @@
<div class="md-main__inner">
<div>
<!-- <h1 style="text-align:center; margin-bottom: 0pt;">Revizor</h1> -->
<p>Revizor is a security-oriented fuzzer for detecting information leaks in CPUs, such as <a href="https://meltdownattack.com/">Spectre and Meltdown</a>.
It tests CPUs against <a href="https://arxiv.org/abs/2006.03841">Leakage Contracts</a> and searches for unexpected leaks.</p>
<p style="color: black; margin-bottom: 0;">Uncover the hidden cost of CPU performance!</p>
<p style="font-size: 16px">With Revizor, you can automatically detect side channel information leaks in CPUs like Spectre and Meltdown, with no prior knowledge.</p>
<!-- <a href="#overview" title="Learn More" class="md-button learn">Learn More</a> -->
<a href="quick-start/" title="Get Started" class="md-button get-started">Get started</a>
<!-- <a href="quick-start/" title="Get Started" class="md-button get-started">Get started</a> -->
</div>
</div>
</div>

26
mkdocs.yml
Просмотреть файл

@ -3,7 +3,7 @@ site_name: Revizor
site_url: https://github.com/microsoft/sca-fuzzer
site_author: Microsoft
site_description: A security-oriented tool for detecting microarchitectural leaks in CPUs, such as Spectre and Meltdown.
copyright: 'Copyright &copy; 2023 Microsoft'
copyright: 'Copyright &copy; 2024 Microsoft'
repo_name: microsoft/sca-fuzzer
repo_url: https://github.com/microsoft/sca-fuzzer
@ -11,13 +11,10 @@ repo_url: https://github.com/microsoft/sca-fuzzer
theme:
name: material
custom_dir: mkdocs-overrides
font:
text: Roboto
code: Roboto Mono
palette:
primary: white
logo: assets/ms_icon.png
favicon: assets/ms_icon.png
palette:
primary: indigo
features:
- navigation.instant
- navigation.tabs
@ -42,11 +39,16 @@ markdown_extensions:
nav:
- Home: index.md
- Quick Start: quick-start.md
- Documentation:
- Installation: install.md
- How Revizor Works: how-revizor-works.md
- User Documentation:
- Command Line Interface: cli.md
- Configuration Files: config.md
- Development: development.md
- Fuzzing Guide: fuzzing-guide.md
- Configuration Options: config.md
- Fuzzing Guide: fuzzing-guide.md
- Minimization Passes: minimization.md
- Developer Documentation:
- Developer Guide: development.md
- How Revizor Works: how-revizor-works.md
- Architecture Overview: architecture.md
- Executor-related Topics:
- Register Allocation: registers.md
- Memory Layout: sandbox.md
# - Trophies: trophies.md