
Sandsifter: x86 processor fuzzer - bellinom
https://github.com/xoreaxeaxeax/sandsifter
======
judge2020
Reveal talk at Blackhat showing this off:
[https://www.youtube.com/watch?v=KrksBdWcZgQ](https://www.youtube.com/watch?v=KrksBdWcZgQ)

~~~
artificial
Fascinating! Plus a very easy to follow presentation. Thanks for the link.

------
pkaye
Same guy who did the
[https://github.com/Battelle/movfuscator](https://github.com/Battelle/movfuscator)
which compiles programs into code with only the x86 MOV instruction.

------
infinity0
It seems this is the preferred URL:
[https://github.com/xoreaxeaxeax/sandsifter](https://github.com/xoreaxeaxeax/sandsifter)
\- for example the issue tracker is enabled, and has 45 issues, whereas the
other URL has the issue tracker disabled.

Can one of the admins fix?

~~~
dang
Ok, changed from
[https://github.com/Battelle/sandsifter](https://github.com/Battelle/sandsifter).

------
infinity0
Can anyone actually get this to compile? I failed last year, and it's still
failing:

    
    
        $ CFLAGS=-fPIC make clean all
        rm -f *.o injector
        cc -fPIC -c injector.c -o injector.o -Wall
        injector.c:321:93: warning: excess elements in array initializer
          .start={.bytes={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, .len=0},
                                                                                                     ^~~~
        injector.c:321:93: note: (near initialization for ‘total_range.start.bytes’)
        injector.c:322:91: warning: excess elements in array initializer
          .end={.bytes={0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff}, .len=0},
                                                                                                   ^~~~
        injector.c:322:91: note: (near initialization for ‘total_range.end.bytes’)
        injector.c: In function ‘inject’:
        injector.c:778:2: warning: asm operand 15 probably doesn’t match constraints
          __asm__ __volatile__ ("\
          ^~~~~~~
        injector.c:778:2: error: impossible constraint in ‘asm’
        make: *** [Makefile:38: injector.o] Error 1
        2

~~~
rgovostes
Seems like using immediate values in inline assembly operands can be fragile
depending on what optimizations the compiler decides to apply. Try building
with -ftree-ter in your CFLAGS, as suggested by
[https://stackoverflow.com/a/11518308](https://stackoverflow.com/a/11518308)

~~~
infinity0
I figured it out, it's because Debian enables PIE and that somehow causes GCC
not to be able to satisfy its own rules for allowing inline-assembly to modify
%rsp to the value required by this program.

~~~
rgovostes
You ought to update your pull request, then! I'm not sure why they don't
accept regular issues.

~~~
sabas123
Because this GitHub release was only for the talk and he has since moved on
(albeit he is still using it for other projects).

The sifter isn't terribly interesting itself but could use a lot of changes,
like the ability to use multiple disassemblers. God, that was such a pain to
hack together.

------
caf
The demonstration in Figure 7 of a program that executes a benign codepath on
QEMU but malicious on baremetal - and the benign codepath is what shows up in
the disassemblers they tested - is very neat.

~~~
pm215
Note that "provide an emulation of an x86 CPU that is sufficiently true to the
hardware that it is impossible for a guest program to distinguish it" is not a
goal of upstream QEMU -- in part because we don't think it's actually
possible. Don't trust TCG (pure-emulation) QEMU to contain a potentially-
malicious piece of code, either...

------
panic
I love the visual design of the UI. It looks like something out of a hacker
movie.

------
vectorEQ
This page fault trick to check insn len is awesome, this is such a good
technique!
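The trick vectorEQ is referring to, worked through as an added example; this is not sandsifter's own code (the injector applies the same principle but preserves far more process state). It assumes Linux on x86-64 with glibc or musl, and that `RIP` is at index 16 of `uc_mcontext.gregs` where `REG_RIP` is not defined. The candidate bytes are placed so that exactly `k` of them sit at the end of a mapped page and the following page is `PROT_NONE`. If the decoder needs more than `k` bytes, the fetch itself page-faults: `SIGSEGV` with `si_addr` at the page boundary and `RIP` still at the instruction start. Anything else (it executed and the *next* fetch faulted with `RIP` at the boundary, it raised `#UD`/`#BP`/`#GP` itself, it jumped elsewhere, or it returned into the caller) proves `k` bytes were enough, and the smallest such `k` is the instruction length. The sample encodings at the bottom are constructed for the example.

```c
/* Added example (not sandsifter's own code): measure an x86-64 instruction's
 * length with the page-fault trick.  Assumes Linux on x86-64 (glibc or musl). */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

#ifndef REG_RIP
#define REG_RIP 16                 /* assumed index of RIP in uc_mcontext.gregs[] on x86-64 */
#endif
#define X86_MAX_INSN_LEN 15        /* architectural maximum; longer encodings raise #GP */

static sigjmp_buf g_env;                /* where each probe returns to */
static volatile int g_sig;              /* signal that ended the probe, 0 = returned normally */
static volatile uintptr_t g_fault_addr; /* si_addr of that signal */
static volatile uintptr_t g_fault_rip;  /* RIP when the signal was raised */

static void on_signal(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    g_sig = sig;
    g_fault_addr = (uintptr_t)si->si_addr;
    g_fault_rip = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
    siglongjmp(g_env, 1);               /* abandon the probe; restores callee-saved regs, rsp and mask */
}

static int install_handlers(void)
{
    const int sigs[] = { SIGSEGV, SIGBUS, SIGILL, SIGTRAP, SIGFPE };
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_signal;
    sa.sa_flags = SA_SIGINFO | SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (sigaction(sigs[i], &sa, NULL) != 0)
            return -1;
    return 0;
}

/* Length (1..15) of the instruction starting at insn[0]; 0 if every probe up
 * to 15 bytes still looked like a fetch fault, -1 on setup failure.  insn must
 * hold X86_MAX_INSN_LEN bytes because up to that many are copied. */
int insn_length(const uint8_t insn[X86_MAX_INSN_LEN])
{
    long page = sysconf(_SC_PAGESIZE);
    /* Two adjacent pages: the probe sits at the end of the first, the second is
     * unmapped (PROT_NONE) so any fetch that crosses the boundary faults. */
    uint8_t *base = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED || install_handlers() != 0)
        return -1;
    uint8_t *boundary = base + page;
    mprotect(boundary, page, PROT_NONE);

    int len = 0;
    for (int k = 1; k <= X86_MAX_INSN_LEN; k++) {
        uint8_t *start = boundary - k;      /* exactly k bytes of insn are mapped */
        mprotect(base, page, PROT_READ | PROT_WRITE);
        memset(base, 0xcc, page);           /* int3 filler: a stray jump into the page traps */
        memcpy(start, insn, k);
        mprotect(base, page, PROT_READ | PROT_EXEC);

        g_sig = 0;
        if (sigsetjmp(g_env, 1) == 0)
            ((void (*)(void))start)();      /* a signal, or a plain `ret`, brings us back */

        /* The decoder needed more than k bytes iff the fetch itself faulted:
         * SIGSEGV, faulting address == boundary, RIP still == start.  Anything
         * else (ran and the *next* fetch faulted with RIP == boundary, raised
         * #UD/#BP/#GP itself, jumped away, or returned) means k bytes sufficed. */
        int fetch_fault = g_sig == SIGSEGV &&
                          g_fault_addr == (uintptr_t)boundary &&
                          g_fault_rip == (uintptr_t)start;
        if (!fetch_fault) { len = k; break; }
    }
    munmap(base, 2 * page);
    return len;
}

/* Constructed sample encodings (not taken from the page). */
static const uint8_t SAMPLE_NOP[X86_MAX_INSN_LEN]     = { 0x90 };
static const uint8_t SAMPLE_XOR_EAX[X86_MAX_INSN_LEN] = { 0x31, 0xc0 };   /* xor eax,eax */
static const uint8_t SAMPLE_UD2[X86_MAX_INSN_LEN]     = { 0x0f, 0x0b };   /* raises #UD */
static const uint8_t SAMPLE_RET[X86_MAX_INSN_LEN]     = { 0xc3 };         /* returns into us */
static const uint8_t SAMPLE_MOVABS[X86_MAX_INSN_LEN]  = { 0x48, 0xb8, 1, 2, 3, 4, 5, 6, 7, 8 }; /* mov rax, imm64 */

int main(void)
{
    printf("nop         %d\n", insn_length(SAMPLE_NOP));
    printf("xor eax,eax %d\n", insn_length(SAMPLE_XOR_EAX));
    printf("ud2         %d\n", insn_length(SAMPLE_UD2));
    printf("ret         %d\n", insn_length(SAMPLE_RET));
    printf("movabs      %d\n", insn_length(SAMPLE_MOVABS));
    return 0;
}
```

Build with `cc -O2 insn_len.c -o insn_len` and run as an ordinary user. The `siglongjmp` is what makes the probe survivable: it restores the callee-saved registers, `rsp` and the signal mask, so a probed instruction that clobbers them still returns cleanly. Only instructions that leave the process otherwise intact are safe to probe this way; feeding arbitrary byte strings through it needs the kind of state saving and restoring that the real injector does.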

