- So the plan is to modify a Linux driver to see results more easily (once the fuzzing part works). So I tried to set up a working environment in which I can boot my modified Linux kernel. My problem is that I don't necessarily want to create initrds, and I somehow want the modules to be inside the guest machine. And I do want modules, because I don't want to reboot after I've changed a tiny bit of the code. So I debootstrapped onto the filesystem on the host and tried to run Qemu with that directory as a virtual FAT drive:
sudo /opt/muelli/qemu/bin/qemu -monitor stdio -m 1G -kernel /opt/ubuntu/boot/vmlinuz-2.6.32-21-generic -initrd /opt/ubuntu/boot/initrd.img-2.6.32-21-generic -hda fat:ro:/opt/ubuntu/ -runas muelli
But it fails because the directory is too big.
I then debootstrapped into a fixed size container and for now I’m going with
/opt/muelli/qemu/bin/qemu-system-x86_64 -m 1G -smp 1 -hda /opt/ubuntu.img -snapshot -kernel ~/git/linux-2.6/arch/x86_64/boot/bzImage -append 'root=/dev/sda'
But that doesn’t seem to work well, because the virtual machine just stops working. Attaching a debugger tells me that the qemu process basically stopped. Weird.
I basically followed these instructions, but in order to make Eclipse index my Linux kernel, I had to start it with -vmargs -Xmx1024M.
But debugging the kernel is a bit hard because something with the protocol is weird. The suggested fix doesn't help.
- QEmu wouldn't install Windows 7 x86_64 because of a "wrong CPU" type of error. Fortunately, the STOP codes are well documented. Trying to install it on x86 is not possible either: I booted the ISO for two days without any success.
- Found a good overview of USB classes per Windows Version. The USB classes themselves are not very well documented though. But in fairness, I haven’t read the 600+ pages spec yet.
- Spent ages trying to make sscanf split a string on a colon. Jeez, it's horrible. I even thought about doing a system("python -c 'mystring.split(':')'") or so… Ended up using strtok:
if (((speedstr = strtok(copy, ":")) == NULL) || ((filterfilename = strtok(NULL, "\0")) == NULL)) {
    error_report();
} else {
}
- gdb attached to a process crashed from eclipse. GDB also likes to crash if the remote server went down.
And listening to music with Rhythmbox is hard, too >.<
QEmu crashes if given a wrong kernel image.
- Found patents related to fuzzing, but Zotero won't import those to my library.
- I had funny results with the filter: I replaced every “A” transmitted by a “B”. On the host, I created a file on a mass storage with 4KB “A”s. When “cat”ting the file from the guest, I saw “A”s. But copying the file in the guest resulted in the new file having all “B”s. I expected the “cat” showing all “B”s, too. And as far as I can see, the “A”s are actually replaced for the “cat”.
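As an added example (editor's code, not the author's QEmu patch), here is the "speed:filterfilename" split from the strtok bullet above done two other ways: with strchr(), which leaves the input untouched and keeps no static state, and with an sscanf() scanset, which is the format the author was looking for. Splitting at the first colon also keeps the behaviour of strtok(NULL, "\0"): the file name may itself contain colons. The function names and buffer sizes are the example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/*
 * Split a "speed:filterfile" spec into its two parts using strchr()
 * instead of strtok(): the input is not modified, no hidden static
 * state is involved, and splitting at the *first* colon lets the file
 * name itself contain colons.  Returns 0 on success, -1 if the colon
 * is missing, either part is empty, or a part would not fit.
 */
int parse_filter_spec(const char *spec,
                      char *speed, size_t speed_sz,
                      char *fname, size_t fname_sz)
{
    const char *colon = strchr(spec, ':');
    if (colon == NULL) {
        return -1;                          /* no separator */
    }
    size_t speed_len = (size_t)(colon - spec);
    size_t fname_len = strlen(colon + 1);
    if (speed_len == 0 || fname_len == 0) {
        return -1;                          /* ":file" or "speed:" */
    }
    if (speed_len >= speed_sz || fname_len >= fname_sz) {
        return -1;                          /* would truncate */
    }
    memcpy(speed, spec, speed_len);
    speed[speed_len] = '\0';
    memcpy(fname, colon + 1, fname_len + 1); /* copies the NUL too */
    return 0;
}

/*
 * The same split with sscanf(): the scanset "%[^:]" reads up to the
 * first colon, the literal ':' consumes the separator and "%[^\n]"
 * takes the rest of the line (unlike "%s" it keeps spaces).  The field
 * widths are one less than the buffer sizes so nothing can overflow.
 * Both conversions must succeed, i.e. sscanf() must return 2.
 */
int parse_filter_spec_sscanf(const char *spec, char speed[32], char fname[256])
{
    return sscanf(spec, "%31[^:]:%255[^\n]", speed, fname) == 2 ? 0 : -1;
}
```

Either variant rejects a missing colon and an empty half, which the strtok version only partly does (strtok skips leading delimiters, so ":file" yields "file" as the speed rather than an error).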
Practicum Status Update Week 5
- Implemented adding and removal of a filter. It works via the monitor or command line. And it does indeed seem to work:
Sorry for that video being so poorly embedded in this wordpress instance. You might want to try to download the video directly. So yeah, we can potentially filter USB packets by now, which allows us to do in-place fuzzing. But that's cumbersome because we need to have a device attached to the host. So the goal must be to be able to do USB communication without a device being attached to the host, but with a program that emulates the USB device in question.
- Of course I had problems building Istanbul, the software I created the screencast with. Other stuff, including my IDE 🙁, just crashes, too…
- I used qemu to pass a USB device through to the guest. Hence the Linux on the host detached the device. I desperately tried to make Linux reattach the device. I tried to use ioctl() with USBDEVFS_CLAIMINTERFACE but it didn't really work. After spending many hours, I just unplugged and replugged the pendrive…
My code is pretty much
int interface = atoi(argv[1]);
fd = open("/dev/bus/usb/002/006", O_RDWR);
result = ioctl(fd, USBDEVFS_RELEASEINTERFACE, &interface);
//result = ioctl(fd, USBDEVFS_CLAIMINTERFACE, &interface);
printf("Result: %d, errno: %d %s\n", result, errno, strerror(errno));
and it fails with -EINVAL (Invalid argument) for RELEASE, and with -EINVAL or -ENOENT (No such file or directory) for CLAIM. I have no idea what I am doing wrong. So if you do, please tell me 😛
Oh, and these ioctls are not exported to Python I think. At least I couldn't find the correct ioctl number for USBDEVFS_CLAIMINTERFACE without programming a tiny C program to print it out for me.
- Trying to test anything with QEmu is a pain though: It takes ages to boot anything with QEmu without KVM 🙁 It takes literally a whole night to boot into an Ubuntu installation CD.
- Trying to work with a minimal operating system created by the following command on my Ubuntu box:
sudo ubuntu-vm-builder kvm lucid --addpkg openssh-server --addpkg screen --addpkg acpid --addpkg htop --addpkg cheese --flavour generic
- For the record: I build my QEmu with the following command
./configure --prefix=/opt/muelli/qemu/ --disable-strip --extra-cflags="-O0 -DDEBUG" --disable-docs --enable-io-thread --enable-attr --enable-kvm --disable-xen --target-list="i386-softmmu x86_64-softmmu" --enable-curses && make && make install
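On the USB passthrough bullet above: an added example, written by the editor and not part of the author's code, that does the two things the bullet asks for. It computes the usbdevfs request numbers without the kernel headers (the numbers one would otherwise have to print from a tiny C program before handing them to Python's fcntl.ioctl()), and it issues the request that actually rebinds the kernel driver: USBDEVFS_IOCTL carrying USBDEVFS_CONNECT for the interface, which is the counterpart of the USBDEVFS_DISCONNECT that qemu's passthrough sends when it takes the device. USBDEVFS_CLAIMINTERFACE and USBDEVFS_RELEASEINTERFACE do not touch the kernel driver at all; they only record a claim for the calling file descriptor, and in drivers/usb/core/devio.c a release of an interface this descriptor never claimed returns EINVAL, while a claim of an interface number the device does not have returns ENOENT. The UFS_* macro names, the struct ufs_ioctl_arg mirror of the kernel's struct usbdevfs_ioctl, and the device path and interface number passed on the command line are the example's own assumptions; the bit layout is the x86/ARM one from asm-generic/ioctl.h.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>

/*
 * Linux ioctl request encoding as in asm-generic/ioctl.h (x86/ARM
 * layout: 2 direction bits, 14 size bits, 8 type bits, 8 number bits),
 * spelled out so the request numbers can be computed without the
 * kernel headers, e.g. to pass to Python's fcntl.ioctl().
 */
#define UFS_DIR_NONE  0UL
#define UFS_DIR_WRITE 1UL
#define UFS_DIR_READ  2UL
#define UFS_IOC(dir, type, nr, size) \
    (((dir) << 30) | ((unsigned long)(size) << 16) | \
     ((unsigned long)(type) << 8) | (unsigned long)(nr))

/* Mirror of struct usbdevfs_ioctl from linux/usbdevice_fs.h (assumed layout). */
struct ufs_ioctl_arg {
    int   ifno;        /* interface number */
    int   ioctl_code;  /* request forwarded to the interface's driver */
    void *data;
};

/* usbdevfs requests: type 'U', numbers as in linux/usbdevice_fs.h */
#define UFS_CLAIMINTERFACE   UFS_IOC(UFS_DIR_READ, 'U', 15, sizeof(unsigned int))
#define UFS_RELEASEINTERFACE UFS_IOC(UFS_DIR_READ, 'U', 16, sizeof(unsigned int))
#define UFS_IOCTL            UFS_IOC(UFS_DIR_READ | UFS_DIR_WRITE, 'U', 18, sizeof(struct ufs_ioctl_arg))
#define UFS_DISCONNECT       UFS_IOC(UFS_DIR_NONE, 'U', 22, 0)
#define UFS_CONNECT          UFS_IOC(UFS_DIR_NONE, 'U', 23, 0)

/*
 * Unbind the kernel driver (e.g. usb-storage) from interface ifno.
 * This is what USB passthrough does when it takes the device away
 * from the host.  Returns 0, or -1 with errno set.
 */
int usbfs_detach_kernel_driver(int fd, int ifno)
{
    struct ufs_ioctl_arg cmd = { .ifno = ifno, .ioctl_code = (int)UFS_DISCONNECT, .data = NULL };
    return ioctl(fd, UFS_IOCTL, &cmd);
}

/*
 * Ask the kernel to re-probe interface ifno so its driver binds again.
 * CLAIMINTERFACE/RELEASEINTERFACE cannot do this: they only move the
 * usbfs claim of the calling file descriptor.
 */
int usbfs_reattach_kernel_driver(int fd, int ifno)
{
    struct ufs_ioctl_arg cmd = { .ifno = ifno, .ioctl_code = (int)UFS_CONNECT, .data = NULL };
    return ioctl(fd, UFS_IOCTL, &cmd);
}

/* Convenience wrapper: open /dev/bus/usb/BBB/DDD and reattach interface ifno. */
int usbfs_reattach_path(const char *devpath, int ifno)
{
    int fd = open(devpath, O_RDWR);
    if (fd < 0) {
        fprintf(stderr, "open %s: %s\n", devpath, strerror(errno));
        return -1;
    }
    int rc = usbfs_reattach_kernel_driver(fd, ifno);
    if (rc < 0) {
        fprintf(stderr, "USBDEVFS_CONNECT on interface %d: %s\n", ifno, strerror(errno));
    }
    close(fd);
    return rc;
}

/* Usage: ./reattach /dev/bus/usb/002/006 0 (device path and interface are assumptions) */
int main(int argc, char **argv)
{
    printf("USBDEVFS_CLAIMINTERFACE   = 0x%lx\n", UFS_CLAIMINTERFACE);
    printf("USBDEVFS_RELEASEINTERFACE = 0x%lx\n", UFS_RELEASEINTERFACE);
    printf("USBDEVFS_IOCTL            = 0x%lx\n", UFS_IOCTL);
    printf("USBDEVFS_CONNECT          = 0x%lx\n", UFS_CONNECT);
    if (argc == 3) {
        return usbfs_reattach_path(argv[1], atoi(argv[2])) == 0 ? 0 : 1;
    }
    return 0;
}
```

Run it as root (or with write access to the /dev/bus/usb node) while the guest no longer holds the device; the interface number is the bInterfaceNumber from lsusb -v, 0 for a plain mass-storage stick. USBDEVFS_IOCTL's request number depends on sizeof(struct usbdevfs_ioctl), so it differs between 32-bit and 64-bit userland, which is one reason a hard-coded Python constant is easy to get wrong.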
Practicum Status Update Week 4
Again, a small summary of my last week.
- Filed a couple of bugs that annoyed me. My favourite: My main monitor dies randomly. Let’s hope it’s not a hardware issue. That’d seriously put me back. In fact, it’s quite cumbersome to reanimate my monitor in the middle of a working session… Oh. And qemu crashes 🙁 That’s really unfortunate for me atm.
- Subscribed to and quickly unsubscribed from the qemu-devel mailing list. Way too noisy. Those low-level people don't seem to like using a bug tracker or something like ReviewPad to submit patches. Very stressful.
- Enjoyed a long weekend in Hamburg including watching some Worldcup games
- Read through Qemu code and tried to grasp how things play together.
- Started to implement a simple USB packet filter. Spent ages resolving a logical error: I checked for retval != -23 whereas I should have checked for retval == -23 🙁
So I have exported a new command to the QEmu monitor. And we can even attach some logic to that new command:
Everything returns -1 at this stage though. So the actual implementation still needs to be done.
- It literally takes a whole night for me to boot anything with qemu though 🙁 That’s a real pain and I cannot work that way. My CPU is one of the few modern Intel CPUs that does not support hardware virtualisation 🙁 I need to think of a solution.
- I still don’t really have a timeline 😐
- Our deadline is on 2010-08-20 and we are supposed to hand in 3 hard copies and one soft copy. I'm wondering whether I have to go back to Dublin to hand my hard copies in.
Practicum Status Update Week 2 and 3
So I figured that we are supposed to write a blog during our practicum phase. Here I am.
- I missed the first official week, which was right after the exams anyway. I doubt anybody was able to do anything after the Biometrics exam.
- In the second week, I moved back to Germany. Slowly though: I attended LinuxTag and visited a friend…
- The third week began with some administrative stuff (i.e. taxes and taking care of a grant). I also almost finished running the GNOME Foundation Board of Directors elections: Preliminary Result.
- More work related: I tried to update from Fedora 12 to Fedora 13 (to get the latest QEmu and tools). Didn't work (as expected) out of the box. Encountered (and reported) a couple of annoying bugs. My favourite: The update tool tries to mount /boot and swap. But /boot is left unclean because the preupgrade tool apparently does a hard reboot (i.e. w/o unmounting the filesystems properly). And swap can't be found by the upgrade tool (for whatever reason). In both cases the installer just stops working and reboots the machine (sic!), as opposed to just fsck'ing /boot or continuing w/o swap.
- Began to set up working environment: LaTeX Template, cloned qemu repository, looked a bit at QEmu code.
- Tried to install some Operating Systems to break. Microsoft didn’t let me.
- Read some stuff
- Filed two bugs against Zotero (my bibliography tool): One problem in fullscreen mode and one with proxied URLs.
- Went to a regulars' table (for the first time after 9 months) and found out that one of them runs a company and they do USB security assessment atm. They are trying to make QEmu emulate a mass storage that returns a good file on the first read and a bad file (i.e. a virus) on the second read. Sounded interesting, we'll keep in touch and exchange details.
- Right now I’m missing kind of a plan for my work. I haven’t really structured my work or broken it up. So I’m trying to see how many weeks I actually have (I know that I’ll go at least to GUADEC, the annual GNOME conference, for one week. I might even be invited to GNOME.Asia in Taiwan…) and what I could possibly do in that time.
- I do have a high level idea of what needs to be done, i.e.
- Patch QEmu to pipe USB communication in and out,
- write some backend that uses these pipes to communicate with the guest,
- find a smart algorithm to create/modify fishy USB packets (i.e. try to understand how a webcam communicates and set funny values for resolution on purpose),
- try to exploit an Operating System (probably best to start off with a self-broken USB driver or application)
- I’ll try to have a roadmap by the beginning of the next week.