nanojpeg: detect rogue memory accesses

git-svn-id: https://www4.informatik.uni-erlangen.de/i4svn/danceos/trunk/devel/fail@1801 8c4709b5-6ec9-48aa-a5cd-a96041d1645a
hsc
2012-10-23 13:36:03 +00:00
parent 8de290f47d
commit c5304c0c31
2 changed files with 17 additions and 1 deletions


@ -83,11 +83,16 @@ bool NanoJPEGExperiment::run()
elfreader.getAddressByName("___TEXT_START__"); elfreader.getAddressByName("___TEXT_START__");
guest_address_t addr_text_end = guest_address_t addr_text_end =
elfreader.getAddressByName("___TEXT_END__"); elfreader.getAddressByName("___TEXT_END__");
guest_address_t addr_rodata_start =
elfreader.getAddressByName("___RODATA_START__");
guest_address_t addr_bss_end =
elfreader.getAddressByName("___BSS_END__");
guest_address_t addr_output_image_ptr = guest_address_t addr_output_image_ptr =
elfreader.getAddressByName("output_image"); elfreader.getAddressByName("output_image");
guest_address_t addr_output_image_size = guest_address_t addr_output_image_size =
elfreader.getAddressByName("output_image_size"); elfreader.getAddressByName("output_image_size");
log << "ELF symbols: text " << hex << addr_text_start << "-" << addr_text_end log << "ELF symbols: text " << hex << addr_text_start << "-" << addr_text_end
<< " rodata/data/bss " << addr_rodata_start << "-" << addr_bss_end
<< " output_image ptr @ " << addr_output_image_ptr << ", size @ " << addr_output_image_size << endl; << " output_image ptr @ " << addr_output_image_ptr << ", size @ " << addr_output_image_size << endl;
elfreader.~ElfReader(); elfreader.~ElfReader();
@ -171,6 +176,7 @@ bool NanoJPEGExperiment::run()
// possible outcomes: // possible outcomes:
// - trap, "crash" // - trap, "crash"
// - jump outside text segment // - jump outside text segment
// - memory access outside of DATA/BSS
// - (XXX unaligned jump inside text segment) // - (XXX unaligned jump inside text segment)
// - (XXX weird instructions?) // - (XXX weird instructions?)
// - reaches the end, PSNR can be calculated // - reaches the end, PSNR can be calculated
@ -193,6 +199,13 @@ bool NanoJPEGExperiment::run()
BPRangeListener ev_beyond_text(addr_text_end + 1, ANY_ADDR); BPRangeListener ev_beyond_text(addr_text_end + 1, ANY_ADDR);
simulator.addListener(&ev_below_text); simulator.addListener(&ev_below_text);
simulator.addListener(&ev_beyond_text); simulator.addListener(&ev_beyond_text);
// memory access outside of data/bss segment
MemAccessListener ev_mem_low(0x0, MemAccessEvent::MEM_READWRITE);
ev_mem_low.setWatchWidth(addr_rodata_start);
MemAccessListener ev_mem_high(addr_bss_end + 1, MemAccessEvent::MEM_READWRITE);
ev_mem_high.setWatchWidth(0xFFFFFFFFU - (addr_bss_end + 1));
simulator.addListener(&ev_mem_low);
simulator.addListener(&ev_mem_high);
BaseListener *ev = simulator.resume(); BaseListener *ev = simulator.resume();
// record latest IP regardless of result // record latest IP regardless of result
@ -229,6 +242,9 @@ bool NanoJPEGExperiment::run()
} else if (ev == &ev_below_text || ev == &ev_beyond_text) { } else if (ev == &ev_below_text || ev == &ev_beyond_text) {
log << "Result OUTSIDE" << endl; log << "Result OUTSIDE" << endl;
result->set_resulttype(result->OUTSIDE); result->set_resulttype(result->OUTSIDE);
} else if (ev == &ev_mem_low || ev == &ev_mem_high) {
log << "Result OUTSIDEMEM (EIP " << result->latest_ip() << ")" << endl;
result->set_resulttype(result->OUTSIDEMEM);
} else if (ev == &ev_trap) { } else if (ev == &ev_trap) {
log << dec << "Result TRAP #" << ev_trap.getTriggerNumber() << endl; log << dec << "Result TRAP #" << ev_trap.getTriggerNumber() << endl;
result->set_resulttype(result->TRAP); result->set_resulttype(result->TRAP);
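Review bot: The high watch range added in the third hunk stops one byte short of the top of the 32-bit address space: with `ev_mem_high` starting at `addr_bss_end + 1` and a width of `0xFFFFFFFFU - (addr_bss_end + 1)`, the last covered address is 0xFFFFFFFE if setWatchWidth takes a byte count, so an injected fault that drives an access to 0xFFFFFFFF would not be classified as OUTSIDEMEM; `ev_mem_high.setWatchWidth(0xFFFFFFFFU - addr_bss_end);` closes that gap (confirm against MemAccessListener's width semantics, which are not visible here). The two ranges also rely on rodata, data and bss being laid out contiguously between `___RODATA_START__` and `___BSS_END__` and on the guest stack lying inside that window — if the stack is placed elsewhere, every legitimate stack access would be reported as OUTSIDEMEM, so a comment next to the listeners stating that assumption, e.g. `// assumes rodata/data/bss are contiguous and the guest stack lives inside [rodata_start, bss_end]`, would make the detector's coverage explicit. NanoJPEGExperiment::run() begins before the first hunk and continues after the last one.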


@ -38,7 +38,7 @@ message NanoJPEGProtoMsg {
BROKEN = 2; BROKEN = 2;
TRAP = 3; TRAP = 3;
OUTSIDE = 4; OUTSIDE = 4;
DETECTED = 5; // unused for now OUTSIDEMEM = 5;
TIMEOUT = 6; TIMEOUT = 6;
UNKNOWN = 7; UNKNOWN = 7;
} }