diff --git a/src/experiments/l4-sys/campaign.cc b/src/experiments/l4-sys/campaign.cc
index 5b1449c1..d03790c8 100644
--- a/src/experiments/l4-sys/campaign.cc
+++ b/src/experiments/l4-sys/campaign.cc
@@ -11,7 +11,7 @@ using namespace std;
 using namespace fail;
 char const * const results_csv = "l4sys.csv";
-char const *l4sys_output_result_strings[] = { "Unknown", "Done", "Incomplete", "Timeout", "Wrong output", "Error" };
+char const *l4sys_output_result_strings[] = { "Unknown", "No effect", "Incomplete execution", "Crash", "Silent data corruption", "Error" };
 char const *l4sys_output_experiment_strings[] = { "Unknown", "GPR Flip", "RAT Flip", "IDC Flip", "ALU Instr Flip" };
 char const *l4sys_output_register_strings[] = { "Unknown", "EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI" };
diff --git a/src/experiments/l4-sys/experiment.cc b/src/experiments/l4-sys/experiment.cc
index f841b7ce..70014b05 100644
--- a/src/experiments/l4-sys/experiment.cc
+++ b/src/experiments/l4-sys/experiment.cc
@@ -448,6 +448,11 @@ bool L4SysExperiment::run() {
 // do the logging
 logInjection();
 } else if (exp_type == param->msg.RATFLIP) {
+ /*
+ TODO: provide information on the affected register
+ in param->msg.register and on its destination in
+ param->msg.details
+ */
 ud_type_t which = UD_NONE;
 unsigned rnd = 0;
 Udis86 udis(injection_ip);
diff --git a/src/experiments/l4-sys/manual.pdf b/src/experiments/l4-sys/manual.pdf
index 3a43a2bd..c0bed8ab 100644
Binary files a/src/experiments/l4-sys/manual.pdf and b/src/experiments/l4-sys/manual.pdf differ
diff --git a/src/experiments/l4-sys/manual.tex b/src/experiments/l4-sys/manual.tex
index af13c0f1..81c0552d 100644
--- a/src/experiments/l4-sys/manual.tex
+++ b/src/experiments/l4-sys/manual.tex
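Review bot: In campaign.cc, `l4sys_output_result_strings` is matched to the result value purely by position, and this change gives slots 3 and 4 a different meaning ("Timeout" becomes "Crash", "Wrong output" becomes "Silent data corruption") with no visible change to the values that index the table. If the experiment side still reports a timeout or an output mismatch under those values, every CSV row will carry a label that overstates what was observed, so the result enum (not in this hunk) should be renamed in the same commit, or the mapping documented entry by entry, e.g. `/* 3 */ "Crash",`. The three tables are also mutable globals while `results_csv` on the line above is `char const * const`; unless another translation unit declares them `extern`, `char const * const l4sys_output_result_strings[]` plus a compile-time check on the element count would catch a table that falls out of step with the enum.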
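Review bot: The TODO added in the RATFLIP branch of `L4SysExperiment::run()` refers to `param->msg.register`, but `register` is a reserved word in C++, so that spelling cannot be the member a maintainer will find in the code. Name the real accessor, or describe the fields by their report columns, e.g. `TODO: record the affected register (CSV column "register") and its destination (CSV column "details")`. The comment should also say what a RATFlip row contains in the meantime, since an analysis script cannot tell an unrecorded register from a genuine "Unknown" one. The branch and the rest of run() continue outside the hunk, so whether any of this is already logged elsewhere cannot be seen here.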
@@ -206,6 +206,101 @@ exactly one experiment and exits. To complete your campaign, you should use the \texttt{client.sh} script in the \texttt{scripts} subdirectory of Fail*.
+\section{Format of the result file}
+
+When the campaign is finished, the campaign server generates a report
+file (by default called \texttt{l4sys.csv}) in a primitive CSV dialect.
+The only syntax rules are that the columns are separated by commas,
+that the respective data sets are separated by line breaks (\verb+\n+),
+and that the cells do not contain line breaks or commas.
+
+This section lists and describes the columns in the report generated by
+the campaign server, from left to right.
+
+\begin{enumerate}
+ \item \verb+exp_type+\\
+ Names the experiment that generated the return data.
+ If it is none of the following, a writing error occurred:
+ \begin{itemize}
+ \item Unknown
+ \item GPR Flip
+ \item RAT Flip
+ \item IDC Flip
+ \item ALU Instr Flip
+ \end{itemize}
+ For \emph{Unknown}, a debug report should be provided.
+ If not, something went completely wrong, and you should
+ check the logs.
+ \item \verb+injection_ip+\\
+ The instruction pointer of the fault injection
+ in lowercase hexadecimal notation.
+ Note that the injection happens right \emph{before} this
+ instruction.
+ \item \verb+register+\\
+ When the fault injection experiment affects a general purpose register,
+ it is listed here. This column should have one of the following values;
+ if it does not, a writing error occurred:
+ \begin{enumerate}
+ \item Unknown
+ \item EAX
+ \item ECX
+ \item EDX
+ \item EBX
+ \item ESP
+ \item EBP
+ \item ESI
+ \item EDI
+ \end{enumerate}
+ \item \verb+instr_offset+\\
+ The offset of the executed instruction, relative to either all executed
+ instructions or to all listed instructions in case you applied
+ a filter (see above). This offset includes multiple runs of the same
+ instruction.
+ For example, this is useful when you have loops in you program and
+ need a rough idea how many runs your loop had executed until
+ the injection.
+ \item \verb+injection_bit+\\
+ The bit at which the injection was performed. This value is
+ only used in GPRFlip and IDCFlip. GPRFlip inverts the bit at
+ position \verb+injection_bit+ in the register, counted from the right.
+ IDCFlip inverts the bit at position \verb+injection_bit+
+ of the current instruction, counted from the left.
+ \item \verb+resulttype+\\
+ The result of the fault injection.
+ This column should have one of the following values;
+ if it does not, a writing error occurred:
+ \begin{enumerate}
+ \item Unknown
+ \item No effect
+ \item Incomplete execution
+ \item Crash
+ \item Silent data corruption
+ \item Error
+ \end{enumerate}
+ \item \verb+resultdata+\\
+ The meaning of this field can vary for each experiment. At the moment,
+ all of the experiments use it to store the last instruction
+ pointer of the emulator (in decimal notation).
+ This information can be used to determine when a fault
+ turned into a failure.
+ \item \verb+output+\\
+ The output on the EIA-232 serial line generated by the workload
+ program. Undisplayable or reserved characters are escaped in a
+ C conformant octal manner (e.g. \verb+\033+ for the Escape character).
+ \item \verb+details+\\
+ This column provides various details on the experiment run,
+ which may help to
+ trace errors or to reconstruct the injected fault.
+ ALUInstrFlip uses this column to
+ provide the opcode of the new instruction.
+\end{enumerate}
+
+\section{Known bugs}
+
+At the moment, RATFlip does not provide enough information
+to reconstruct the injected fault
+(see also the \texttt{TODO} in \texttt{experiment.cc}).
+
 \section{To Be Continued}
 This is everything I consider important so far. If you still encounter