tools
/
out-of-tree
1
0
Fork 0
Code Releases Activity

Implements KPTI flag

timestamps
dump_stack() 2019-08-20 00:05:19 +00:00
parent 24b2123582
commit a08861cc19
Signed by: dump_stack
GPG Key ID: BE44DA8C062D87DC
5 changed files with 39 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
CHANGELOG.md
View File

@ -32,8 +32,8 @@
- Now debugging environment is automatically looking for debug - Now debugging environment is automatically looking for debug
kernel on the host system. kernel on the host system.
- Added ability to enable/disable kaslr/smep/smap for debugging by - Added ability to enable/disable kaslr/smep/smap/kpti for debugging
command line flags. by command line flags.
- New parameter `--threads=N` is added for `pew` and allows to - New parameter `--threads=N` is added for `pew` and allows to
specify maximum number of threads that will be used for parallel specify maximum number of threads that will be used for parallel
@ -47,7 +47,8 @@
- New command `pack` that perform tests in subdirectories. - New command `pack` that perform tests in subdirectories.
- Added ability to disable kaslr/smep/smap for in artifact definition. - Added ability to disable kaslr/smep/smap/kpti for in artifact
definition.
- Added ability to change amount of memory/CPUs and set qemu timeout - Added ability to change amount of memory/CPUs and set qemu timeout
in artifact definition (`.out-of-tree.toml`). in artifact definition (`.out-of-tree.toml`).

1
config/config.go
View File

@ -119,6 +119,7 @@ type Artifact struct {
DisableSmep bool DisableSmep bool
DisableSmap bool DisableSmap bool
DisableKaslr bool DisableKaslr bool
DisableKpti bool
} }
} }

22
debug.go
View File

@ -83,8 +83,8 @@ func interactive(q *qemu.System) (err error) {
} }
func debugHandler(kcfg config.KernelConfig, workPath, kernRegex, gdb string, func debugHandler(kcfg config.KernelConfig, workPath, kernRegex, gdb string,
dockerTimeout time.Duration, yekaslr, yesmep, yesmap, dockerTimeout time.Duration, yekaslr, yesmep, yesmap, yekpti,
nokaslr, nosmep, nosmap bool) (err error) { nokaslr, nosmep, nosmap, nokpti bool) (err error) {
ka, err := config.ReadArtifactConfig(workPath + "/.out-of-tree.toml") ka, err := config.ReadArtifactConfig(workPath + "/.out-of-tree.toml")
if err != nil { if err != nil {
@ -113,12 +113,10 @@ func debugHandler(kcfg config.KernelConfig, workPath, kernRegex, gdb string,
q.Memory = ka.Qemu.Memory q.Memory = ka.Qemu.Memory
} }
fmt.Printf("[*] SMP: %d CPUs\n", q.Cpus)
fmt.Printf("[*] Memory: %d MB\n", q.Memory)
q.SetKASLR(false) // set KASLR to false by default because of gdb q.SetKASLR(false) // set KASLR to false by default because of gdb
q.SetSMEP(!ka.Mitigations.DisableSmep) q.SetSMEP(!ka.Mitigations.DisableSmep)
q.SetSMAP(!ka.Mitigations.DisableSmap) q.SetSMAP(!ka.Mitigations.DisableSmap)
q.SetKPTI(!ka.Mitigations.DisableKpti)
if yekaslr { if yekaslr {
q.SetKASLR(true) q.SetKASLR(true)
@ -138,6 +136,12 @@ func debugHandler(kcfg config.KernelConfig, workPath, kernRegex, gdb string,
q.SetSMAP(false) q.SetSMAP(false)
} }
if yekpti {
q.SetKPTI(true)
} else if nokpti {
q.SetKPTI(false)
}
redgreen := func(name string, enabled bool) aurora.Value { redgreen := func(name string, enabled bool) aurora.Value {
if enabled { if enabled {
return aurora.BgGreen(aurora.Black(name)) return aurora.BgGreen(aurora.Black(name))
@ -146,10 +150,14 @@ func debugHandler(kcfg config.KernelConfig, workPath, kernRegex, gdb string,
return aurora.BgRed(aurora.Gray(name)) return aurora.BgRed(aurora.Gray(name))
} }
fmt.Printf("[*] %s %s %s\n", fmt.Printf("[*] %s %s %s %s\n",
redgreen("KASLR", q.GetKASLR()), redgreen("KASLR", q.GetKASLR()),
redgreen("SMEP", q.GetSMEP()), redgreen("SMEP", q.GetSMEP()),
redgreen("SMAP", q.GetSMAP())) redgreen("SMAP", q.GetSMAP()),
redgreen("KPTI", q.GetKPTI()))
fmt.Printf("[*] SMP: %d CPUs\n", q.Cpus)
fmt.Printf("[*] Memory: %d MB\n", q.Memory)
q.Debug(gdb) q.Debug(gdb)
coloredGdbAddress := aurora.BgGreen(aurora.Black(gdb)) coloredGdbAddress := aurora.BgGreen(aurora.Black(gdb))

6
main.go
View File

@ -180,10 +180,12 @@ func main() {
yekaslr := debugCommand.Flag("enable-kaslr", "Enable KASLR").Bool() yekaslr := debugCommand.Flag("enable-kaslr", "Enable KASLR").Bool()
yesmep := debugCommand.Flag("enable-smep", "Enable SMEP").Bool() yesmep := debugCommand.Flag("enable-smep", "Enable SMEP").Bool()
yesmap := debugCommand.Flag("enable-smap", "Enable SMAP").Bool() yesmap := debugCommand.Flag("enable-smap", "Enable SMAP").Bool()
yekpti := debugCommand.Flag("enable-kpti", "Enable KPTI").Bool()
nokaslr := debugCommand.Flag("disable-kaslr", "Disable KASLR").Bool() nokaslr := debugCommand.Flag("disable-kaslr", "Disable KASLR").Bool()
nosmep := debugCommand.Flag("disable-smep", "Disable SMEP").Bool() nosmep := debugCommand.Flag("disable-smep", "Disable SMEP").Bool()
nosmap := debugCommand.Flag("disable-smap", "Disable SMAP").Bool() nosmap := debugCommand.Flag("disable-smap", "Disable SMAP").Bool()
nokpti := debugCommand.Flag("disable-kpti", "Disable KPTI").Bool()
bootstrapCommand := app.Command("bootstrap", bootstrapCommand := app.Command("bootstrap",
"Create directories && download images") "Create directories && download images")
@ -299,8 +301,8 @@ func main() {
err = genConfig(config.KernelExploit) err = genConfig(config.KernelExploit)
case debugCommand.FullCommand(): case debugCommand.FullCommand():
err = debugHandler(kcfg, *path, *debugKernel, *debugGDB, err = debugHandler(kcfg, *path, *debugKernel, *debugGDB,
*dockerTimeout, *yekaslr, *yesmep, *yesmap, *dockerTimeout, *yekaslr, *yesmep, *yesmap, *yekpti,
*nokaslr, *nosmep, *nosmap) *nokaslr, *nosmep, *nosmap, *nokpti)
case bootstrapCommand.FullCommand(): case bootstrapCommand.FullCommand():
err = bootstrapHandler() err = bootstrapHandler()
case logQueryCommand.FullCommand(): case logQueryCommand.FullCommand():

15
qemu/qemu-kernel.go
View File

@ -75,6 +75,7 @@ type System struct {
noKASLR bool noKASLR bool
noSMEP bool noSMEP bool
noSMAP bool noSMAP bool
noKPTI bool
// Timeout works after Start invocation // Timeout works after Start invocation
Timeout time.Duration Timeout time.Duration
@ -202,6 +203,10 @@ func (q System) cmdline() (s string) {
s += " nosmap" s += " nosmap"
} }
if q.noKPTI {
s += " nokpti"
}
return return
} }
@ -402,6 +407,11 @@ func (q *System) SetSMAP(state bool) {
q.noSMAP = !state q.noSMAP = !state
} }
// SetKPTI is changing KPTI state through kernel boot args
func (q *System) SetKPTI(state bool) {
q.noKPTI = !state
}
// GetKASLR is retrieve KASLR settings // GetKASLR is retrieve KASLR settings
func (q *System) GetKASLR() bool { func (q *System) GetKASLR() bool {
return !q.noKASLR return !q.noKASLR
@ -417,6 +427,11 @@ func (q *System) GetSMAP() bool {
return !q.noSMAP return !q.noSMAP
} }
// GetKPTI is retrieve KPTI settings
func (q *System) GetKPTI() bool {
return !q.noKPTI
}
// GetSSHCommand returns command for connect to qemu machine over ssh // GetSSHCommand returns command for connect to qemu machine over ssh
func (q System) GetSSHCommand() (cmd string) { func (q System) GetSSHCommand() (cmd string) {
addrPort := strings.Split(q.sshAddrPort, ":") addrPort := strings.Split(q.sshAddrPort, ":")